What Is Mobile Forensics?

The Definition of Mobile Forensics

Mobile forensics is the process of acquisition and analysis of electronically stored information to support or contest a premise in court proceedings and civil or criminal investigations. The proliferation of mobile devices and the amount of data they hold has made mobile forensics an indispensable resource for digital forensic investigators.

Mobile phone forensics overlaps with digital forensics but has many features of its own. However, using this wealth of data to unearth the truth without compromising its integrity requires you to handle and process the evidence very carefully.

What Information Should Be Looked for on Mobile Forensics?

Before discussing the process of mobile forensics, let’s ask ourselves an important question: what kind of information can we extract from a mobile device and what are the possibilities?

Knowing the possibilities will make your mobile devices forensics process a lot more fruitful.
Here, we will examine the complete process so that you can take full advantage of the available mobile evidence.

• Media: Common media types include videos, pictures, and audio. Mobile devices are capable of both generating and receiving media. A mobile device uses its camera and microphone to generate media while it can receive media through the internet or a variety of other sources. Many apps save media in a way that is accessible to all other apps on the phone. On the other hand, some apps may save media in their proprietary format or even in an encrypted form.
• Call Record: Call record information shows the contact information, time, and duration of the calls made and received by a device. A user can also install a call recording app on the device. In this case, the conversation between the parties can also be accessed through saved audio files.
• Messages: There is a wide range of messaging apps, and they are capable of sending and receiving almost all types of files as attachments. When looking for messages, you must analyze all pre-installed and user-installed apps and collect relevant evidence.
• Contacts: Every mobile has one or more pre-installed apps to store contacts, but user-installed apps may maintain their own database of contact. Analyzing contacts may offer useful insights.
• Browsing Data: Web browsers save a lot of information about the websites you visit. They store the web address along with media, and in many cases, login information of the websites.
• Task-Management Apps: Calendar entries, to-do lists, and notes can also offer useful information to investigators.
• Location Data: Almost all modern smartphone and tablet devices have built-in GPS, and depending on the user settings, many apps might be recording this data. Examining the apps may enable you to correctly identify the time and location of the device at the time of your interest. In addition to GPS, devices store location data based on the Wi-Fi networks and cellphone towers they connect to.
• Other Data: Other useful data may include data generated by other apps, a word processor or a spreadsheet for example. Useful data may be found in system files and logs as well.

Please note that these are the examples of the most common data types, but there are many other data types, which should be based on each mobile forensic case as unique and look for the data that is most relevant to the case at hand.

Now that you know what to look for, let’s discuss the three steps of Mobile Forensics.

Seizure and Isolation

If you are the first one to lay hands on the device, proper seizure and isolation is the first mobile forensics step that you should take. Seizure and isolation are not as simple as taking a device into custody.

Knowing and carefully taking these points into account will make sure that the device remains as accessible as possible.

• Preserving Lock State
  If you have the device in an unlocked state, you should try your best to keep it that way. Extracting data from an unlocked device is far easier and reliable compared to a locked device. Most devices have a timeout period that dictates when the display will be turned off and the device will be locked. You must access the device and change the lock setting before the timeout period expires.

Extra precaution: in addition to the device’s default screen lock, look for other apps that might lock or encrypt the device.

• Preserving Power State
  You may find a device in a powered-on or powered-off state, and you should try to keep it in the same power state. When a device is powered off and then turned on again, data stored in the memory is lost and many system files are changed. You might need to attach the device to a charger to keep it turned on for longer periods.
• Disconnecting From the Internet
  Mobile phones keep working in the background even if the screen is locked. With an internet connection, the activity of apps can change the files on the device even more. In most cases, the data on a device can be erased permanently through a simple command sent through the internet—not something you would like to happen. The most common method to disconnect a device is to put it into airplane mode.
  Faraday bags are another effective method to isolate and transport mobile devices to the laboratory. Phone jammers are also used to block mobile signals, but if you have physical access to the device, phone jammers might not be the best option.

Extraction & Recovery

The method of extracting and recovering mobile device data depends on the device and its state. Let us discuss some common data extraction & recovery scenarios.

• When a device is unlocked
  Data extraction and recovery are far easier and reliable if you find a device unlocked. You can use the device’s own operating system and apps to view and export data. You can also attach it to a PC and use a range of tools to extract current as well as deleted data from the device. Mobile Forensic Tools like SPF Pro (SmartPhone Forensic System Professional) can not only extract but recover data in a forensically sound manner, which would be a perfect fit under this circumstance.
• When the device is locked
  When a device is locked, you need to either break the passcode or use mobile forensics tools that bypasses the lock and gives you access to the device data. The ability of software to extract data from a locked device depends on the device and its settings.
• When a device is powered off
  If a device is merely powered off, you can just turn it on and try to extract data. In many cases, however, the device might be damaged and cannot be powered on. In such cases, you might need to remove memory chips from the device and use specifically designed software and hardware tools to extract data. Please note that this is an invasive process and must be performed by trained professionals in a properly equipped digital forensics lab.

Levels of Data Extraction

• Manual Extraction:Opening apps and analyzing data on an unlocked device

• Logical Extraction: Copying files from the target mobile device to another device for examination

• Hex Dumping / JTAG: A process where the debug interface of mobile devices is used to extract raw data. This data needs further processing to be usable)

• Chip-off:Attaching memory chips of the target mobile device to specifically designed hardware to extract data

• Micro Read: Micro read is a very technical process that requires examination of memory chips through powerful microscopes. This method is not generally an option to extract data due to its complexity)

Source:  CITATION Aya21 \l 1033 (Aya, Radina , & Zeno , 2021)

Extraction and Integrity
Keeping the integrity of the evidence is one of the major concerns for an investigator so that you want to keep the original evidence as unchanged as possible, though most modern digital forensic investigation tools like SPF Pro should be able to extract and recover the required information without affecting the integrity of the original evidence.
Meanwhile, complete device imaging is another technique where you create an exact replica of the mobile device’s storage on your computer. This gives you the ability to experiment with data extraction without the fear of losing original evidence.

Analysis

The analysis is the process of separating the relevant pieces of information from the jumble and deducing inferences. The analysis part of the mobile forensics process tries to answer the W questions: who, what, when, where, and why. To separate useful data, ask yourself the following questions.

1. What is the general nature of the matter?
2. What is the focus of the examination?
3. What is the timeframe when the chain of events occurred?
4. What kind of possible evidence may support or contest the hypothesis?
5. How does the mobile forensic data relate to the other digital and non-digital evidence?

In an ideal situation with unlimited resources, you should be able to analyze all extracted data and find relevant evidence. With a large amount of data extracted from modern mobile devices, however, it is often not feasible to pay equal attention to every piece of information. Thus, the answers to the above questions will help you focus on what matters the most. 

By looking into SalvationDATA’s training center, you could learn an all-round analysis thinking model after getting through the overall BASIC MOBILE FORENSICS INVESTIGATOR course.

Summary

Mobile forensics is a part of digital forensics but has some important features of its own, which include: seizure and isolation of the mobile device, extraction & recovery and analysis of the extracted data. Though modern mobile devices hold large amounts of data, which makes it very difficult to know the type of data that is most likely to aid your investigation, we could also mainly focus on Common data like media, calls & messages, contacts, browsing, and location to look for the primary clues.

Mobile devices are one of the fastest evolving things today, which is also the field what mobile forensics covers the most. Though the technology used in mobile devices may evolve rapidly, the concepts of the mobile forensic investigation remain the same, which is to identify and collect relevant evidence in the form that helps you uncover the truth and remains admissible in the court of law.