
01A-Introduction To Mobile Forensics

The document discusses an introduction to mobile forensics. It covers the definition of mobile forensics, its uses in law enforcement and businesses, and the need for mobile forensics due to the growing use of mobile devices that store personal data. It also describes some of the challenges of mobile forensics including differences in hardware, challenges in acquiring data without altering it, and difficulties posed by encryption and changing technologies.

Uploaded by

Alexius Samson

IA 316: Computer and Mobile Forensic Analysis

Introduction to Mobile Forensics

02/02/23 09:58 IA316 1


Lecture Outline
• The lecture covers:
  • Mobile Forensics: definition and uses
  • The need for Mobile Forensics
  • Understanding Mobile Forensics
  • Challenges in Mobile Forensics


Mobile Forensics
• Mobile Forensics: definition
  • Subset of digital forensics
  • Deals with recovery of evidence from mobile devices such as smartphones and tablets


Mobile Forensics
• Mobile Forensics: uses
  • Law enforcement: Police, PCCB, DPP, Immigration
  • Solve a lot of crimes: fraud, homicide
  • Military: espionage, counterterrorism
  • Businesses: intellectual property theft, authorized and unauthorized use of resources.


The Need for Mobile Forensics
• Growing demand for mobile devices
  • By 2021, it was estimated that there were around 15 billion mobile devices.
  • Technology and users are migrating from desktops to mobile phones.
  • Demand for smartphones is quite high.


The Need for Mobile Forensics
• Smartphones are becoming compact forms of computers.
• High performance, huge storage, and enhanced functionality.


The Need for Mobile Forensics
• Mobile phones are the most personal electronic device that a user accesses.
• Perform simple communication tasks, such as calling and texting.
• Internet browsing, email, taking photos and videos, creating and storing documents
• Identifying locations with GPS services, and managing business tasks.


The Need for Mobile Forensics
• Mobile phones have become portable data carriers, keeping track of all our movements.
• The increasing prevalence of mobile phones makes them an invaluable source of evidence.
• Evidence acquired from mobile phones is used in both criminal and civil cases.
• It is now rare to conduct a digital forensic investigation that does not include a phone.


The Need for Mobile Forensics
• Mobile device call logs and GPS data were used to help solve the attempted bombing in Times Square, New York, in 2010.
• Read more about the investigation at: https://www.forensicon.com/forensics-blotter/cell-phone-email-forensics-investigation-cracks-nyc-times-square-car-bombing-case/


Understanding Mobile Forensics
• Digital forensics is a branch of forensic science focusing on the recovery and investigation of raw data residing in electronic or digital devices.
• Intends to extract and recover any information from a digital device without altering the data present on the device.


Understanding Mobile Forensics
• Over the years, digital forensics has grown along with the rapid growth of computers and various other digital devices.
• There are various branches of digital forensics based on the type of digital device involved, such as:
  • Computer forensics
  • Network forensics
  • Mobile forensics.


Understanding Mobile Forensics
• Forensically sound
  • It is a term used in the digital forensics community to qualify and justify the use of a particular forensic technology or methodology.
  • Core principle for a forensically sound technology or methodology:
    • The original evidence must not be altered in any form.
  • This is extremely difficult with mobile devices.


Understanding Mobile Forensics
• Some forensic tools require a communication vector with the mobile device.
• Thus standard write protection will not work during forensic acquisition.


Understanding Mobile Forensics
• Prior to extracting data for forensic examination, some of the forensic acquisition methods may involve:
  • Detaching a chip
  • Installing a custom bootloader on the mobile device.
• In such cases, the procedure and the changes must be carefully tested and documented for later reference.
• This is where examination or data acquisition is not possible without changing the configuration of the device.


Understanding Mobile Forensics
• Following proper methodology and guidelines is crucial in examining mobile devices.
• Yields the most valuable data.
• Not following the proper procedure during the examination can result in loss or damage of evidence or render it inadmissible in court.


Understanding Mobile Forensics
• Main categories of mobile forensic process:
  • Seizure
  • Acquisition
  • Examination/Analysis


Understanding Mobile Forensics
• Challenges when seizing devices: if the mobile device is found switched off,
  • Place the device in a Faraday bag to prevent changes should the device automatically power on.
  • Faraday bags are specifically designed to isolate a phone from a network.


Understanding Mobile Forensics
• Challenges when seizing devices: if the mobile device is found switched on,
  • Switching it off has a lot of concerns attached to it.
  • If the phone is locked by a PIN or password, or encrypted, you will be required to bypass the lock or determine the PIN to access the device.


Understanding Mobile Forensics
• Challenges when seizing devices: if the mobile device is found switched on
  • Mobile phones are networked devices and can send and receive data through different sources, such as:
    • Telecommunication systems
    • Wi-Fi access points
    • Bluetooth.


Understanding Mobile Forensics
• Challenges when seizing devices: if the mobile device is found switched on
  • So, if the phone is in a running state, a criminal could securely erase the data stored on the phone by executing a remote wipe command.
  • When a phone is switched on, it should be placed in a Faraday bag.


Understanding Mobile Forensics
• Challenges when seizing devices: if the mobile device is found switched on
  • If possible, prior to placing a mobile device in a Faraday bag, you should disconnect it from the network to protect the evidence by:
    • Enabling flight mode/airplane mode
    • Disabling all network connections (Wi-Fi, GPS, hotspots, and so on).


Understanding Mobile Forensics
• Challenges when seizing devices: if the mobile device is found switched on
  • Disconnecting from the network also helps to:
    • Preserve the battery, which will drain while in a Faraday bag.
    • Protect against leaks in the Faraday bag.


Understanding Mobile Forensics
• Mobile device forensic acquisition can be performed using multiple methods.
• Each of these methods affects the amount of analysis required.
• Should one method fail, another must be attempted.
• Multiple attempts and tools may be necessary in order to acquire the maximum amount of data from the mobile device.


Understanding Mobile Forensics
• Mobile phones are dynamic systems
• Present a lot of challenges in extracting and analyzing digital evidence.
• There is a rapid increase in the number of different kinds of mobile phones from different manufacturers.
• Makes it difficult to develop a single process or tool to examine all types of devices.


Understanding Mobile Forensics
• Mobile phones are continuously evolving:
  • Existing technologies progress and new technologies are introduced.
• Furthermore, each mobile is designed with a variety of embedded operating systems.
• Hence, special knowledge and skills are required from forensic experts to acquire and analyze the devices.


Challenges in Mobile Forensics
• Hardware differences
  • The market is flooded with different models of mobile phones from different manufacturers.
  • Forensic examiners may come across different types of mobile models that differ in:
    • Size
    • Hardware
    • Features
    • Operating system.


Challenges in Mobile Forensics
• Hardware differences
  • Short product development cycle: new models emerge very frequently.
  • It is critical for forensic investigators to adapt to all challenges and remain updated on mobile device forensic techniques across various devices.


Challenges in Mobile Forensics
• Mobile operating systems
  • In personal computers, MS Windows has dominated the market for years.
  • With mobile devices, several operating systems are used frequently:
    • Apple's iOS
    • Google's Android
    • RIM's BlackBerry OS
    • Microsoft's Windows Phone OS
    • HP's webOS
    ..


Challenges in Mobile Forensics
• Mobile operating systems
  • Even within these operating systems, there are several versions, which makes your task even more difficult.


Challenges in Mobile Forensics
• Mobile platform security features:
  • Modern mobile platforms contain built-in security features to protect user data and privacy.
  • The features act as a hurdle during forensic acquisition and examination.
  • E.g., encryption mechanisms from the hardware layer to the software layer.


Challenges in Mobile Forensics
• Mobile platform security features:
  • Need to break through these encryption mechanisms to extract data from the devices.
  • Refer: FBI versus Apple encryption dispute.


Challenges in Mobile Forensics
• Preventing data modification
  • Fundamental rule in forensics is to make sure that data on the device is not modified.
  • Any attempt to extract data from the device should not alter the data present on that device.
  • This is not practically possible with mobiles.
  • Just switching on a device can change the data on that device.


Challenges in Mobile Forensics
• Preventing data modification
  • Even if a device appears to be in an off state, background processes may still run.
  • E.g., in most mobiles, the alarm clock still works even when the phone is switched off.
  • A sudden transition from one state to another may result in the loss or modification of data.


Challenges in Mobile Forensics
• Anti-forensic techniques make investigations on digital media more difficult. Techniques used include:
  • Data hiding
  • Data obfuscation
  • Data forgery
  • Secure wiping


Challenges in Mobile Forensics
• Passcode recovery:
  • A forensic examiner needs to gain access to a passcode-protected device.
  • Has to be done without damaging data on the device.
  • While there are techniques to bypass the screen lock, they may not always work on all versions of the OS.


Challenges in Mobile Forensics
• Lack of resources
  • The growing number of mobile phones means the number of tools required by a forensic examiner also increases.
  • Forensic acquisition accessories, such as USB cables, batteries, and chargers for different mobile phones, have to be maintained.


Challenges in Mobile Forensics
• Dynamic nature of evidence
  • Digital evidence may be easily altered either intentionally or unintentionally.
  • E.g., browsing an application on a phone might alter the data stored by that application on the device.


Challenges in Mobile Forensics
• Accidental reset
  • Mobile phones provide features to reset everything.
  • Resetting a device accidentally while examining it may result in the loss of data.


Challenges in Mobile Forensics
• Device alteration
  • The possible ways to alter devices include:
    • Moving application data
    • Renaming files
    • Modifying the manufacturer's operating system.
  • The expertise of the suspect should be taken into account.


Challenges in Mobile Forensics
• Communication shielding
  • Mobile devices communicate over:
    • Cellular networks
    • Wi-Fi networks
    • Bluetooth
    • Infrared.
  • Since communication might alter the device data, the possibility of further communication should be eliminated after seizing the device.


Challenges in Mobile Forensics
• Lack of availability of tools
  • There is a wide range of mobile devices.
  • A combination of tools needs to be used.
  • A single tool may not support all the devices or perform all the necessary functions.
  • So, choosing the right tool for a particular phone might be difficult.


Challenges in Mobile Forensics
• Malicious programs
  • The device might contain malware or malicious software, such as a virus or a Trojan.
  • These programs may try to spread to other devices over either a wired interface or a wireless one.


Challenges in Mobile Forensics
• Legal issues
  • Mobile devices might be involved in crimes that cross geographical boundaries.
  • The forensic examiner should be familiar with the nature of the crime and the regional laws.


IA 316: Computer and Mobile Forensic Analysis
