
Mobile Forensics

PRESENTATION ON MOBILE FORENSICS

Uploaded by

RAHUL SINGH

MOBILE FORENSICS
MADE BY: KAVYA SINGH (2203370025)
DEFINITION….
o Mobile device forensics is a branch of digital forensics relating to the recovery of digital
evidence or data from a mobile device under forensically sound conditions. It can also relate to
any digital device that has both internal memory and communication ability,
including PDA devices, GPS devices and tablet computers.

o Mobile forensics is the process of acquisition and analysis of electronically stored information to
support or contest a premise in court proceedings and civil or criminal investigations.
APPLICATIONS….
o The military uses mobile devices to gather intelligence when planning military operations or
terrorist attacks.
o A corporation may use mobile evidence if it fears its intellectual property is being stolen or an
employee is committing fraud.
o Businesses have been known to track employees’ personal usage of business devices in order to
uncover evidence of illegal activity.
o Law enforcement may be able to take advantage of mobile forensics by using electronic
discovery to gather evidence in cases ranging from identity theft to homicide.
TYPES OF EVIDENCE….
1) LOGS: include events pertaining to system access, security alerts, the duration of a user’s
login session, when the device was shut down, etc.
2) VIDEO FOOTAGE AND IMAGES: there are many types of digital evidence that fall into
this category, including CCTV footage, videos recorded on a mobile device, digital camera
footage, voice recordings, etc.
3) ARCHIVES: these can serve as a vital source of evidence that could contain data that is in
one or more ways relevant to cracking the case at hand.
4) ACTIVE DATA: information stored on the direct access storage media of computer systems,
which is readily perceptible to the operating system and/or application software with which it
was created and directly available to users.
5) METADATA: defined as the data providing information about one or more aspects of the data.
6) RESIDUAL DATA: residual data is deleted or overwritten data that may contain digital
evidence if successfully recovered. Since it’s not typically visible through a file browser, it’s
classified as an invisible data type.
7) VOLATILE DATA: volatile data is the kind of data that is not being written to the disk itself,
hence belonging to the invisible data type category.
8) REPLICANT DATA: various types of software or system processes will leave temporary
backup files or directories behind to prevent the unfortunate scenario of losing data.
FORENSIC PROCESS….
When we look at the bigger picture, there are mainly six steps in which a digital forensic
examiner performs mobile forensics for criminal investigation or legal proceedings:
Identification: the first step of mobile forensics is identifying the device that was involved in
the criminal act.

Preservation: once the device is identified, it’s isolated. With advanced technology, it’s easier
to contaminate the data in mobile devices – criminals are usually good at this. So, it’s best to cut
off any connection it has to the outside world.
Data acquisition: this is the most critical process in mobile forensics. If digital evidence isn’t
collected properly, it can be rendered useless in court. Done properly, data acquisition provides
investigators with valuable information that can be used as evidence. The data is acquired
from the SIM card, memory locations, etc.
Analysis: now that the data is acquired, it can be examined to get insights into criminal activity.
Documentation: documentation is prepared for all the insights gathered from the evidence
collected from mobile devices.
Presentation: the information acquired from mobile forensics is prepared to be accepted by the
judiciary as a piece of evidence.
DATA ACQUISITION....
The gathering and recovery of sensitive data during a digital forensic investigation is known as data
acquisition.
Logical acquisition: acquires bit-by-bit copies of logical storage objects from their allocated
space. It works best on unrooted mobile phones. To start with logical data acquisition, the USB
debugging mode needs to be enabled.
Physical acquisition: is done by creating bit-by-bit copies of the physical storage. It helps in
extracting the deleted data along with the other content present on the phone.
Manual acquisition: the examiner utilizes the user interface to investigate the content of the
phone's memory. Therefore, the device is used as normal, with the examiner taking pictures of
each screen's contents.
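
An added example, not part of the original presentation, of how the "forensically sound" requirement is commonly checked after a logical or physical acquisition: the image is hashed at acquisition time, the hashes are kept with the documentation, and every working copy is re-verified against them. The block size, record field names and sample data are assumptions made for this illustration.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path

BLOCK_SIZE = 4096  # assumed block size for per-block hashing

def hash_image(path, block_size=BLOCK_SIZE):
    """Return (whole-image SHA-256, list of per-block SHA-256 digests)."""
    whole, blocks = hashlib.sha256(), []
    with open(path, "rb") as fh:
        while chunk := fh.read(block_size):
            whole.update(chunk)
            blocks.append(hashlib.sha256(chunk).hexdigest())
    return whole.hexdigest(), blocks

def acquisition_record(path, examiner, method):
    """Record written at acquisition time and kept with the case documentation."""
    digest, blocks = hash_image(path)
    return {
        "image": Path(path).name,
        "method": method,  # "logical" or "physical", as described above
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "size_bytes": Path(path).stat().st_size,
        "sha256": digest,
        "block_sha256": blocks,
    }

def verify_copy(path, record):
    """Return (matches, indexes of blocks that differ from the acquisition record)."""
    digest, blocks = hash_image(path)
    ref = record["block_sha256"]
    changed = [i for i in range(max(len(ref), len(blocks)))
               if i >= len(ref) or i >= len(blocks) or ref[i] != blocks[i]]
    return digest == record["sha256"], changed

def demo():
    """Constructed sample: a 3-block image and a working copy with one flipped byte."""
    data = b"A" * BLOCK_SIZE + b"B" * BLOCK_SIZE + b"C" * 100
    altered = bytearray(data)
    altered[BLOCK_SIZE + 5] ^= 0xFF  # simulate contamination in block 1
    with tempfile.TemporaryDirectory() as d:
        original, working = Path(d, "device.img"), Path(d, "working.img")
        original.write_bytes(data)
        working.write_bytes(bytes(altered))
        record = acquisition_record(original, "examiner-01", "physical")
        return verify_copy(original, record), verify_copy(working, record)
```

The whole-image hash shows that a copy changed; the per-block list shows where, which narrows down what an examiner has to re-examine.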
COMMERCIAL FORENSIC TOOLS….

o Some current tools include Belkasoft Evidence Center, Cellebrite UFED, Oxygen Forensic
Detective, Elcomsoft Mobile Forensic Bundle, Susteen Secure View, MOBILedit Forensic Express,
and Micro Systemation XRY.
o Some tools have additionally been developed to address increasing criminal usage of phones
manufactured with Chinese chipsets, which include MediaTek (MTK), Spreadtrum and MStar.
Such tools include Cellebrite's CHINEX and XRY PinPoint.
