Digital forensics

The concept of mobile phone

Hashim Shaikh
July 28, 2017 by
Hashim Shaikh

The digital forensic community is striving hard to stay abreast of the current state of the art in the constantly changing technologies which we use to expose relevant clues in a probe. Mobile devices are used by almost every person today for both personal and professional means, hence carry a significant value. All sorts of mobile devices are being used by individuals, varying in design and technology, but still undergoing technological enhancements. However, when a mobile device is first encountered in an investigation, questions arise. How do we preserve the evidence? Which methods should we use? How do we handle the mobile device to keep the evidence safe? How do we extract valuable and relevant data from the device? These questions are scarier than they sound. Therefore the person dealing with the mobile device in such cases should be proficient in the hardware and software characteristics of the device. In this document, we discuss the preservation, acquisition, examination, analysis, and reporting of the mobile device/ digital evidence. We also address the issue of increasing backlogs of digital forensics labs, along with guidance while handling the on-site triage casework. This document also focuses on brushing up on the basics related to mobile forensics tools and the procedures followed. The information is relevant and important to various investigations, law enforcement, and incident response. Additionally, it focuses on the different types and characteristics of cellular mobile devices, such as feature phones (which are barely in use now), smartphones, and tablets with cellular voice capabilities. Apart from this, the provisions that need to be considered during the investigation are covered.

Learn Digital Forensics

Learn Digital Forensics

Build your skills with hands-on forensics training for computers, mobile devices, networks and more.

Chapter-1 anatomy of a mobile device

An array of functions is performed on a mobile device –ranging from a simple telephone device to personal computers that are designed for mobility, relatively compact in size, lightweight and battery-powered. Mobile devices can be differentiated on a basic, comparable set of features and capabilities. They include the microprocessor, ROM, RAM, radio module, digital signal processor, microphone, speaker, the various hardware keys, interfaces, and LCD. The mobile operating system can either be stored in NAND or NOR memory. Meanwhile, the code execution occurs in RAM.

Today, mobile devices are equipped with the system level microprocessors, which reduce the count of supporting chips and increase the considerable internal memory capacity. Currently, this is up to 128GB (e.g., Stacked NAND). The Built-in Secure Digital (SD) memory card slots, includes micro Secure Digital eXtended Capacity (microSDXC), may support removable memory with different capacities from 64GB to 2TB of storage. All non-cellular wireless communications including infrared (i.e., IrDA), Bluetooth, Near Field Communication (NFC), and Wi-Fi used to exchange other data can be built into both the device and support synchronization protocols.

Mobile devices have altogether different technical and physical characteristics. They vary in size, weight, processor speed, and capacity of the memory. Mobile devices may likewise use diverse sorts of extension capacities to give extra usefulness. Also, mobile device capacities occasionally incorporate extra features –for example, handheld Global Positioning Systems (GPS), cameras (still and video), or computers. Generally speaking, mobile devices can be anything from simple feature phones that are essentially straightforward voice, up to specialized gadgets or smartphones that offer extended capabilities and administrations for interactive media, such as those of a computer. Table 1 highlights the generic equipment attributes of feature and smartphones which underscore these qualities.

This illustration should give a feeling of the scope of the equipment on the commercial market. After some time, qualities found in smartphones tend to show up in feature phones as smart phones develop innovations. In spite of the fact that the lines of depiction are fairly dynamic, the table is filled a general guide.

Hardware in-depth

  Smartphone Feature Phone

Display Large size color, 16.7 million (~24-bit) Small size color, 4k – 260k (12-bit to 18-bit)

Memory Superior capacity (~128GB) Limited capacity (~5MB)

Camera Still, Panoramic, and Video (HD) Still, Video

Processor Superior speed (~1.5- 2.5 GHz octa-core) Limited speed (~52Mhz)

Text Input Touch Screen, Handwriting Recognition, QWERTY-style keyboard Numeric Keypad, QWERTY-style keyboard

Card Slots MicroSDXC None, Micro/Mini SD

Voice Input Voice Recognition (Dialing and Control) None

Positioning GPS receiver None, GPS receiver

Battery Fixed/Removable, Rechargeable Li-Ion Polymer Fixed/Removable, Rechargeable Li-Ion Polymer

Display Large size color, 16.7 million (~24-bit) Small size color, 4k – 260k (12-bit to 18-bit)

Cell Interface Voice and High-Speed Data (4G LTE) Voice and Limited Data

Feature phones and smartphones both support voice, messaging, and an arrangement of essential Personal Information Management (PIM) sort of applications, including phonebook and logbook applications. Smartphones include PC-like capacity for running a wide assortment of general and unique applications. Smartphones are relatively bigger than any feature phone, and can bolster higher video resolutions (e.g., ~300 PPI). Smartphones may also have a QWERTY keyboard or touch screen. Smartphones support numerous applications available.

Software in-depth

  Smartphone Feature Phone

Call Voice, Video, VoLte Voice

Web Direct HTTP Via WAP Gateway

Chat Enhanced Instant Messaging Instant Messaging

Messaging Text, Enhanced Text, Full Multimedia Messaging Text Messaging, MMS

Pim (Personal Information Management) Enhanced Phonebook, Calendar, and Reminder List Phonebook, Calendar, and Reminder Lis


Applications (e.g., games, office productivity and social media) Minimal (e.g., games, notepad)

OS Android, BlackBerry OS, iOS, Symbian, WebOS, Ubuntu, Chrom OS and Windows Phone Closed

Email Via text messaging Via POP or IMAP Server

Feature phones normally operate on a closed OS with no documentation. Various organizations specialize in embedded software offering real-time operating system solutions to their manufacturers dealing in mobile devices. Smartphones largely use either an exclusive or an open source operating system. Almost all Smartphones operate on these operating systems: Android, BlackBerry OS, iOS, Symbian, WebOS, Ubuntu, Chrome OS or Windows Phone. Unlike feature phones that operate on kernels, these OS can multitask and are designed particularly to organize the capabilities of top of the line mobile devices. Numerous Smartphones OS makers offer a Software Development Kit (SDK) (e.g., the Android1 or iOS2 SDKs).

Memory in these mobiles devices

Mobile devices contain both non-volatile and volatile memory. Volatile memory (RAM) is occupied for dynamic storage, and its contents are lost when power is drained from the mobile device. Non-volatile memory is persistent as its contents are not affected by the loss of power or overwriting data upon reboot. For example, solid-state drives (SSD) store persistent data on solid-state flash memory.

Mobile devices typically contain one or two different types of non-volatile flash memory. These types are NAND and NOR. NOR flash has faster read times and slower write times than NAND. NOR is nearly immune to corruption and bad blocks while allowing random access to any memory location. NAND flash offers higher memory storage capacities, is less stable, and only allows sequential access.

Memories configurations evolved over time

Feature phones were among the primary type of devices, which contained NOR flash and RAM. System and user data are stored in NOR and replicated to RAM on booting for faster and quicker code execution and access. This is called first generation mobile device memory configuration.

Initially, when smartphones were released, memory configuration evolved, including NAND flash memory. This development of NOR, NAND and RAM memory is considered second generation. This generation of memory configuration stores system files in NOR flash, user files in NAND and RAM is utilized for code execution.

The recent smartphones contain just NAND and RAM memory which is known to be part of third generation, because of increasing transaction speed, more storage density, and lower cost. To encourage the miniaturization on mobile device motherboards and the interest for higher density in storage space (i.e., 2GB – 128GB) the new Embedded MultiMedia Cards (eMMC) style chips are available in almost each smartphone. The figure beneath depicts a variety of memory configurations across mobile devices.

RAM is hardest to capture accurately because of its volatile nature. Since RAM is ordinarily utilized for program execution, information or data might be valuable to the examiner, for instance, configuration files or passwords, etc. RAM acquisition tools for mobile devices are starting to be accessible.

NOR flash memory incorporates system data; for example, operating system code, kernel, drivers, system libraries, memory used in the execution of an application running on the operating system and the user application execution instructions. In data accumulation for first generation memory configuration devices, NOR flash is the best location.

NAND flash memory contains the following: PIM data, graphics, audio files, video files, and other user files. This kind of memory in most cases gives the examiner the most valuable data or information. NAND flash memory may forgo various duplicates of transaction based files like logs and database, because of wear leveling algorithms and garbage collection routines. However, NAND flash memory cells can be re-utilized for just a restricted time period before becoming unreliable, wear leveling algorithms are utilized to expand the life expectancy of Flash memory storage, by organizing data so that re-writes are disseminated equally over the SSD.

Garbage collection happens because, NAND flash memory cannot overwrite existing data, the data should first be deleted before writing in the similar cell.

Identity module in mobile phones

Subscriber Identity Modules (generally known as SIM cards) are linked to mobile devices that are interoperated with GSM cellular networks. Under the GSM structure, a mobile device is alluded to as a Mobile Station and is divided into two parts: first, the Universal Integrated Circuit Card (UICC) and the Mobile Equipment (ME). A UICC, generally known as an identity module such as, Subscriber Identity Module [SIM], Universal Subscriber Identity Module [USIM], CDMA Subscriber Identity Module [CSIM]), which is a removable part that contains fundamental data about the subscriber. The ME and the radio handset part cannot work completely without a UICC. The UICC's fundamental purpose involves authentication of a user of the mobile device, to give the network access to subscribed services. The UICC likewise offers storage for personal data, for example, phonebook, messages, last number dialed (LND) and data related to service.

The UICC apportioning a mobile device stipulated in the GSM models has realized a type of portability. Moving a UICC between good and compatible mobile devices automatically transfers the subscriber's identity and related data such as SMS messages and contacts. Interestingly, most 2G and 3G CDMA mobile devices do not contain a UICC card. Similar to UICC, functionality is specifically joined inside the device. However, the newer versions of CDMA devices (i.e., 4G/LTE) employs a CDMA subscriber Identity Module(CSIM) for the application running on a UICC.

A UICC may contain up to three applications, which are SIM, USIM, and CSIM. UICCs are used in GSM and UMTS mobile devices and the SIM and UMTS SIM (USIM) applications, whereas CDMA devices run through on the CSIM application. A UICC with these three applications gives users extra additional portability through the expulsion of the UICC from one mobile device and inclusion into another. Since the SIM application was initially synonymous with the physical card itself, the term SIM is mostly used while referring to the physical card instead of UICC. Essentially, the terms USIM and CSIM refers to physical card and the applications supported on the UICC.

A UICC is a unique smart card that commonly contains a processor and an EEPROM (persistent electronically erasable, programmable read only memory) lying between 16 to 128 KB. It likewise incorporates RAM for program execution and ROM for OS, and user authentication and data encryption algorithms, and other applications. The UICC's file system dwells in persistent memory and stores information, for example, as entries in the phonebook, texts, last numbers dialed (LND) and information related to service. Contingent upon the mobile device used, some data overseen by applications on the UICC may exist together in the mobile device memory. Data may likewise live completely in the memory of the mobile device rather than accessible memory held in UICC file system.

The OS of UICC controls access to components of the file system. Activities, for example, reading and updating might be allowed or denied unconditionally, or permit to certain access rights is contingent upon the application. These rights are assigned to a subscriber through Personal Identification Number (PIN) codes containing 4-8 digits. PINs ensure information related to subscriber and some discretionary information.

The number of pre-set attempts are allowed (normally three) for giving the correct PIN code to the UICC before upcoming attempts are blocked, rendering communications out of commission. Just by giving a correct PIN Unblocking Key (PUK) the PIN value and its counter may be reset on the UICC. The PUK limit on incorrect attempts is normally set to ten. After that, the card will be permanently blocked. The PIN Unblocking Key (PUK) for a UICC may be obtained from the service provider (SP) or network operator by providing the identifier of the UICC (i.e., Integrated Circuit Chip Identifier or ICCID). The ICCID is regularly engraved on the front of UICC, yet may likewise be read from an element of the file system.

UICCs are available in three distinctive sizes: Mini SIM (2FF), Micro SIM (3FF), and Nano SIM (4FF). The Mini SIM contains a width, height, and thickness of 25 mm, 15 mm, .76 mm respectively gives the impression of a postage stamp and is as of now the most widely recognized and used format across the world. The Micro SIM (12mm x 15mm x .76mm) and Nano SIM (8.8mm x 12.3mm x .67mm) are found in mobile devices such as the iPhone 5. Windows uses the 4FF.

Their pin connectors are not adjusted to the bottom edge as with removable media cards, rather shape a contact pad indispensable to the card chip, which is installed in a plastic casing, as appeared in the image. UICCs additionally use a wide scope of altering resistance procedures to ensure the data they contain.

The slot of a UICC card is ordinarily not accessible from the outside of the mobile device. This is intended to protect and ensure smooth insertion and removal of memory card. Normally it is found underneath the battery compartment. At the point when a UICC is embedded into a mobile device handset, and pin contact is made, a serial interface is utilized for communication between them.

Much of the time, the UICC should be removed from the handset first and read while using a Personal Computer/Smart Card (PC/SC) reader. Evacuation of the UICC gives the examiner the ability to read additional information that might be recouped, for example, erased text messages.

A secure authentication of the device to a network is an essential function performed through the UICC. Cryptographic key data and algorithms within the purview of network resistant module let the mobile device take part in a challenge-response dialogue with the network and respond appropriately, without uncovering key material and other data that could be utilized to clone the UICC and access to services of a subscriber. Additionally, cryptographic key data in the UICC underpins stream cipher encryption to secure against overhearing on the air interface.

A UICC is like a mobile device as it has both volatile and non-volatile memory that may contain a general classification of information found on a mobile device. It can be accepted as a trusted sub-processor which interfaces to a device and pulls control from it. The file system dwells in the non-volatile memory of a UICC and is organized in a hierarchical tree structure.

For instance, the SIM applications File System is made out of three elements: first, Master File (MF), subordinate directory file (DF), and elementary file (EF). The figure below demonstrates the structure of the file system. The EFs under DFGSM and DFDCS1800 largely contain network related data for various frequency bands of operation. Moreover, the EFs under DFTELECOM is comprised of service related data.

Different sorts of digital evidence may exist in elementary files dispersed all through the file system and can be recouped from a UICC. A portion of a similar data held in the UICC might be kept up in the memory of the mobile device and encountered there well. Other than the standard files characterized in the GSM specifications, a UICC contains non-standard files built up by the network operator.

Data evidence present in standard elementary files of a UICC:

  • Service-related Information consists of (UICC) unique identifiers for the (ICCID) Integrated Circuit Card Identification and the International Mobile Subscriber Identity (IMSI)
  • Phonebook and call data referred as Abbreviated Dialing Numbers (ADN) and Last Numbers Dialed (LND).
  • Messaging data containing Short Message Service (SMS), instant messages, and Enhanced Messaging Service (EMS), a basic interactive media messages.
  • The USIM application underpins the capacity of links to approach (EFICI) and active (EFOCI) calls. The EFICI and EFOCI are each stored just by using two bytes. The former byte focuses on a particular phonebook, and the latter indicates a shortened dialing number (EFADN) entry3
  • Location data comprising Location Area Information (LAI) in case of voice communications and Routing Area Information (RAI) for information communications.

Cellular network defined

Every MSC controls RNCs sets and oversees complete communication all through the cellular network, including registration, authentication, location updating, handovers, and call directing. An MSC interfaces with public switch telephone network (PSTN) through a Gateway MSC (GMSC). To carry out its tasks, an MSC accesses numerous databases. A fundamental database is the central repository system for subscriber information and service information, termed as the Home Location Register (HLR). Another database used as a part of conjunction with the HLR is the Visitor Location Register (VLR) that is used for mobile devices wandering outside of their service region. An SGSN (Serving GPRS Support Node) plays an analogous part as that of MSC/VLR, however, underpins General Packet Radio Service (GPRS) to the Internet. In the same manner, GGSN (Gateway GPRS Support Node) performance is closely related to GMSC, yet only for packet-switched services.

Account information, such as information about the subscriber, billing address, the subscribed services, and the updates on the location where it last accessed the network, are upheld at the HLR and used by the MSC to produce usage records known as Call Detail Records (CDR), route messages and calls. The account information of the subscriber, CDRs, and other technical data attained from the network carrier are often a profitable source of proof in a probe.

Chapter 2: Mobile forensics tools and techniques

The accessibility of forensic software tools for mobile devices is significantly dissimilar to PCs. While PCs may contrast from mobile devices in both hardware and software, their usefulness has turned out to be progressively comparable. Despite the fact that the OS of many mobile devices are open source, such as Android, feature phones OSs are usually closed. Closed OSs make deciphering their allied files system as well as structure troublesome. Numerous mobile devices with the same applications working on the same OS may widely differ in implementation, bringing about numerous file system and structure variations. These structure variations create difficulties for manufacturers and examiners of mobile forensic tools.

The sorts of software accessible for mobile device examination incorporates both commercial and open source forensic tools. These are planned for device management, testing, and diagnostics. Forensic tools are commonly intended to gain information from the internal memory of handsets and UICCs without changing their content and ascertaining integrity hashes for the information gained. Both the forensic and non-forensic software tools frequently use same techniques and protocols while communicating to a device. Nevertheless, non-forensics tools may permit unrestricted two-way flow of information and exclude information integrity hash functions. Mobile devices examiners accumulate both forensic and non-forensic tools for their toolbox. The range of devices over which they work is ordinarily limited to unmatched platforms, a particular OS family, or even a solitary sort of hardware architecture. Short product release cycles are the standard for mobile devices, demanding tool manufacturers consistently upgrade their tools and provide forensic solutions to forensic examiners. The task is formidable and tool manufacturers' support for newer models to help for more up to date models which may lag behind the introduction of a mobile device into the commercial market. Mobile devices of older models can remain in use for years. Mobile device models brought into one national market may likewise be used in other areas by making a shift in the UICC from one cellular carrier to another. The present state is probably remaining the same, keeping the cost of examination higher in effect than if a couple of standard OS and hardware configurations succeeded.

Works of a tool classification system

Understanding the different sorts of mobile acquisition tools and the information they are fit for recovering is critical for a mobile forensic examiner. The grouping system used in this area gives a framework for forensic examiners to look at the extraction techniques operated by various tools to obtain information. The primary goal of the tool classification system is to empower an examiner to effectively categorize and analyze the tools used for different methods of extraction. The tool classification system, as shown in the above figure, is a pyramid navigated from the bottommost, Level 1, to the topmost, Level 5. The methods required in acquisition turn out to be more technical, invasive, tedious, time-consuming and costly.

Level 1: Manual Extraction techniques include recording data raised on a mobile device screen while using the UI.

Level 2: Logical Extraction techniques are used most habitually at present and are fairly technical, requiring novice training.

Levels 3 to 5: Entail extricating and recording a duplicate or picture of a physical store such as a memory chip, contrasted with the logical acquisitions used earlier at Level 2, including capturing a duplicate of logical storage objects (for instance directories and files) that exist in logical store as a file system partition.

Level 3: Hex Dumping/JTAG Extraction methodologies, involve executing a "physical acquisition" of the mobile device memory in state and require radical or advanced training.

Level 4: Chip-Off techniques include the physical expulsion of memory from a mobile device to remove information. That needs wide-ranging training in electronic engineering and file system forensics.

Level 5: Micro Read techniques include the use of a powerful microscope to see the physical condition of entryways. Level 5 strategies are the most obtrusive, complex, technical, costly, and tedious of the methodologies.

Manual extraction

A manual extraction technique includes observing the information content stored on a mobile device. The content presented on the LCD screen needs manual control of the buttons, keyboard, or touchscreen to see the contents of the device. Data found might be recorded with the use of an advanced outside camera. At this level, it is difficult to recoup erased data. A small number of tools have been created to give the forensic examiner the ability to document and sort the data recorded more rapidly. Incidentally, if there is a lot of information to be seized, a manual extraction can be extremely tedious, and the information on the device might be incidentally changed, erased, or overwritten because of the examination. Manual extractions turn out to be progressively troublesome and may be unachievable while experiencing a broken/missing LCD screen or a harmed/missing keyboard interface. Additional difficulties happen when the device is designed to show a dialect obscure to the investigator, this may cause trouble in effective menu navigation.

Logical extraction

Integration between a mobile device and the forensic workstation is accomplished with either by wired (e.g., USB or RS-232) or wireless (e.g., IrDA, Wi-Fi, or Bluetooth) connections. The examiner should know the issues related to choosing a particular connectivity method, as various types connection and related protocols may bring about information being changed (e.g., new SMS) or distinctive sums or sorts of information being mined. Logical extraction tools start by sending a progression of commands over the set-up interface from the PC to the mobile device. The mobile device reacts on a command request basis. The response to the mobile device information is sent back to the workstation and introduced to the forensics examiner for detailing purposes.

Hex dumping and JTAG

Hex Dumping and Joint Test Action Group (JTAG) extraction techniques make the forensics examiner capable of getting more straightforward access to the raw data stored in flash memory. One challenge with these extraction approaches is the capacity of a provided tool to parse and interpret the gathered information. Giving the forensics examiner a consistent perspective of the file system, and reporting other information leftovers outside the file system that might be available are perplexing. For instance, all information contained on a given flash memory chip may not be gained, the same number of tools, for example, flasher boxes, may just have the capacity to extricate particular areas of memory. Strategies used at this level involve availability (e.g., link or Wi-Fi) between the mobile device and the forensic workstation.

Hex dumping

This method is the more commonly used technique by tools at this level. This includes uploading a modified boot loader (or other software) into a secured range of memory such as RAM on the device. This uploading procedure is refined by associating the mobile device's information port to a flasher box and the flasher box associated with the forensic workstation. A chain of commands is sent from the flasher box to the mobile device to put it in a diagnostic mode. Once the flasher box catches all areas of flash memory in diagnostic mode, it then sends it to the forensic workstation over the same communications link used for the prior upload. Some flasher boxes work this way, or they might use an exclusive/proprietary interface for memory extractions. It is more uncommon for the extractions to be refined by using Wi-Fi.


Many manufacturers bolster the JTAG standard, which defines a common test interface for the processor, memory, and other semiconductor chips. Forensic examiners can converse with a JTAG-compliant part by using a special purpose independent programmer device to probe characterized test points. The JTAG testing unit can be used while requesting memory addresses from the JTAG compliant part and acknowledging the response for storage and rendition. JTAG gives experts another method for imaging devices that are locked or devices that may have a minor impairment and can't be appropriately interfaced. This technique includes appending a link (or wiring bridle) from a workstation to the mobile device's JTAG interface and get to memory using the device's microprocessor to create an image. JTAG extractions contrast principally from Hex Dumping in that it is obtrusive as access to the connections often require that the examiner disassembles a few (or most) of a mobile device to acquire access to build up the wiring connection.

Flasher boxes are typically small devices initially outlined the plan to service or update mobile devices. Physical acquisitions often require the utilization of a flasher box to facilitate the extraction of information from a mobile device. The flasher box assists the examiner by communicating with the mobile device by making use of diagnostic protocols to communicate with the memory chip. This communication may use the mobile device's OS or may dodge it overall and communicate directly to the chip. Flasher boxes are frequently joined by software to facilitate the information extraction process working in combination with the hardware. Numerous flasher box software packages give the additional functionality of recouping passwords from mobile device memory also in some configuration. However, acquisition methods vary between flasher boxes. Flasher boxes constraints are as follow:

  • Rebooting the mobile device is often required to start the extraction process. This may make authentication systems enact, forestalling further investigation.
  • Many flasher boxes recoup the information in an encrypted format requiring the examiner to either use the software given by the flasher box manufacturer to decrypt the information or may entail reverse engineering the information's encryption scheme by the analyst.
  • Several phone models do not give the acquisition of the whole memory range inside a given mobile device. Fairly certain scopes might be accessible for certain mobile devices.
  • The flasher box service software commonly has many buttons that are marked with nearly identical names. This perplexity may effectively lead even a proficient examiner to select the wrong button, deleting the contents of the mobile device as opposed to dumping the memory.
  • Lack of documentation on the use of the flasher box tool is usual. Extraction strategies are often shared on discussions forums upheld by the vendor and directed by more seasoned users. Alerts should be accepted when the instruction is given, as not all the information provided is accurate.
  • Forensic Use: Most flasher boxes were not composed with a forensic use as its expected purpose. Examiners must be knowledgeable about the operation of flasher boxes and must comprehend the correct use of functions under flasher boxes.
  • Notwithstanding these restrictions, use of a flasher box is a suitable alternative for some forensics cases. Suitable training, experience and downplaying of how the tools function as the keys to progress.

An extensive variety of technical mastery and proper training are needed for extricating and investigating binary images with these strategies, including finding and associating with JTAG ports, making modified boot loaders, and reproducing file systems.


Chip-Off strategies allude to the acquisition of information straightforwardly from a mobile device flash memory. This extraction requires the physical expulsion of flash memory. Chip-Off gives analysts the ability to make a binary picture of the expelled chip. Keeping in mind the end goal to give the analyst information in a contiguous binary format, the wear-leveling algorithm should be reverse engineered. Once it completes, the binary image may then be examined. This kind of acquisition is most firmly identified with physical imaging a hard drive as in conventional digital forensics. Wide-ranging training is needed with a specific end goal to perform extractions at this level effectively. Chip-Off extractions are challenging based on a wide assortment of chip type, a bunch of crude information designs, and the risk of causing physical harm to the chip amid the extraction procedure. Because of the complexities identified with Chip-Off, JTAG extraction is more common.

Micro read

A Micro Read includes recording the physical observation of the gates on a NAND or NOR chip with the use of an electron microscope. Because of the outrageous detailing of technicalities when playing out a Micro Read, this level of acquisition would just endeavor for prominent cases identical to a national security emergency after all other acquisitions methods have been exhausted. Effective acquisition at this level would involve a group of specialists, appropriate equipment, time, and top to bottom learning of proprietary data.

The devices recorded in the beneath table are gathered by level beginning with Level 1 (Manual Extraction) through Level 4 (Chip-Off) according to the above figure.


Network Type



Acquisition Level




Forensic Tool





































Final Mobile
















Oxygen Forensic

Suite (Analyst)



SD iPhone

Recovery 12



Secure View+







Network Type



Acquisition Level




Forensic Tool










UFED Classic




UFED Touch




USIM Detective+





XRY Logical‡














Device Seizure‡


















UFED Classic





UFED Touch





XRY Complele‡




Network Type



Acquisation Level




Forensic Tool




CDMA Workshop


Cell Phone








NFI Memory



PC 3000 Flash



SD FlashDoctor




NAND Flash





MISC: 3rd Party Tool Image Analysis (3PIA), Chinese Chipset Support (CCS), Cables/Hardware Available (C/HW)

Table heading descriptions:

  • Tool – tool name
  • † Denotes a tool that supports the logical acquisition of a UICC
  • ‡ Denotes a tool that supports the logical acquisition of a UICC and the creation of a Cellular Network Isolation Card (CNIC)
  • Acquisition Level – level(s) at which the tool performs data extractions: 1- Manual extraction, 2 - Logical extraction, 3 - Physical extraction, 4 - Chip-off, 5 - Micro Read
  • Network Type – acquisition of devices operating over specified networks
  • Forensic Tool – is the tool specifically designed for forensic acquisition
  • Examination/Analysis – enable the examiner with the ability to perform examination or analysis of acquired data
  • Reporting – provides the examiner with the ability to generate reports
  • 3rd Party Tool Image Analysis (3PIA) – supports importing of raw data produced by another manufacturer's tool
  • Chinese Chipset Support (CCS) – mobile devices containing Chinese chipsets are increasing as they continue to flood the international market. Some mobile forensic tools provide either a logical and/or physical extraction solution.
  • Cables/Hardware Available (C/HW) – cables are provided

Universal integrated circuit card tools

A couple of mobile forensic tools deal solely with UICCs. These tools perform a direct read of a UICC's internal contents through a Personal Computer/Smart Card (PC/SC) reader, rather than an indirect read using the mobile device. The profligacy and extent of information acquired differ with the abilities and components of the tool. The greater part of UICC selective tools obtains the following information: International Mobile Subscriber Identity (IMSI), Integrated Circuit Card ID (ICCID), Abbreviated Dialing Numbers (ADN), Last Numbers Dialed (LND), SMS messages, and Location Information (LOCI). Most of the tools give additional information, for example, erased SMS messages, correctly rendered foreign dialect SMS and EMS messages. They likewise make an attempt to interpret certain information, for example, country and network operator codes into meaningful names, and give other facilities, for example, PIN administration. CSIM partitions are being used on UICCs with expanding recurrence for LTE empowered mobile devices. As of now, a small number of tools supports the extraction of CSIM partitions information as most just help extraction of GSM and USIM partitions. CSIM information may turn out to be of expanding forensic significance as this technology develops.

Obstructed devices

The accompanying segments examine methods for bypassing an obstructed mobile device, which requires successful authentication with the use of a password or some different ways to get access to the mobile device. Various ways exist to recuperate data from obstructed mobile device. These techniques can be categorized as one of three classes: software based, hardware based and investigative. A basic obstructed device incorporates those with missing identity modules, PIN-empowered UICCs, or an enabled mobile device lock. Password locked, and encrypted memory cards give a user extra means to ensure information. This security may make recovery of such information more mind boggling. Content encryption capabilities are offered as a standard component in numerous mobile devices or might be accessible through added applications. Both software and hardware based techniques are frequently coordinated at a specific device or tapered class of device. As mobile forensic tools have advanced, they have started to give automated functions enabling examiners to sidestep abundant security mechanisms as a piece of their items. For example, a small number of tools have an automated function to recover passwords from locked mobile device. When building up a toolbox, the following topics will help the forensics investigator decide on the appropriate approach.

Hardware and software based methods

Software based methods are generally used to break or sidestep authentication mechanisms that have started to show up. For example, a few tools have an automated function to recuperate passwords from locked mobile device. This kind of process differs enormously between supported mobile forensic tools and the devices models. Hardware based techniques include a mix of software and hardware to break or avoid authentication mechanisms and obtain access to the device. For instance, the value of a mobile device lock may promptly be recouped from a memory dump of specific devices, taking into consideration a take after on logical acquisition. JTAG and flasher boxes are regularly used along this way to dodge authentication mechanisms. Device specific attacks, for example, cold boot attacks, exist to sidestep authentication mechanisms. Cold boot attacks can recoup passwords from locked Android based device by cooling the device 10 degrees lower Celsius taken after by detaching and reconnecting the battery in 500ms intervals. Barely any broadly useful hardware based techniques apply to a general class of mobile devices. A large portion of the methods are custom fitted for a particular model in class.

Investigative methods

Investigative techniques are methods the investigative group can apply, which require no forensic software or hardware tool. The most obvious methods are as follows:

Ask the owner– If a device is secured with a password, PIN or another authentication mechanism including knowledge-based authentication, the owner might be questioned for this data during an interview.

Review seized material – Passwords or PINs might be written down on a sheet of paper and kept with or close to the phone, at a desktop PC used to synchronize with the mobile device, or with the owner, for example, in a wallet, and might be recuperated through visual examination. Packaging material for a UICC or a mobile device may reveal a PIN Unlocking Key (PUK) that might be utilized to reset the value of the PIN. Device related vulnerabilities may likewise be exploited, for example, Smudge attacks. Smudge attacks included a watchful examination of the surface of a touch screen device to decide the latest gesture lock applied.

Asked the Service Provider – If a GSM mobile device is secured with a PIN-empowered UICC, the identifier (i.e., the ICCID) might be acquired from it and used to ask for the PUK from the service provider and reset the PIN. Some of the service providers offer the ability to recover the PUK online, by entering the phone number of the mobile device and particular subscriber data into open web pages set up for this reason. Moreover, data might be acquired by reaching the device manufacturer.

Mobile device users may pick poor passwords to secure their device, for example, 1-1-1-1, 0-0-0-0 or 1-2-3-4. Some of these numeric blends are device default passwords given by the manufacturer. Due to risk factors, it is not recommended that these methods be attempted unilaterally. They may trigger the complete wipe of the mobile device memory, empower extra security mechanisms (e.g., PIN/PUK) or initialize destructive applications. Mobile devices, by and large, have a defined number of attempts before initializing further security insurances. Before making any attempts at opening a mobile device, it is recommended considering the quantity of attempts left. There might be an instance where an analyst may acknowledge these dangers in situations where this is the main alternative for information extraction.

Forensic tools

Forensic software tools endeavor to deal with ordinary investigative needs by tending to an extensive variety of appropriate devices. More troublesome circumstances, for example, the recuperation of erased information from the memory of a device, may require more specific tools and aptitude and dismantling of the device. The scope of help provided, including mobile devices and drivers, item documentation, PC/SC readers, and the recurrence of updates, may change fundamentally among products. The components offered, for example, searching, bookmarking, and revealing abilities may likewise fluctuate considerably. Disparities in recuperating and reporting the information present on a device have been noted in the previous testing of tools. Discrepancies in recovering and reporting the data residing on a device have been noted in the previous testing of tools. They include the inability to recover resident data, inconsistencies between the data displayed on the workstation and that generated in output reports, truncated information in detailed or presented output, mistakes in the unraveling and interpretation of recuperated information, and the failure to recuperate every single significant datum. Once in a while, updates or the latest versions of a tool were likewise observed to be less fit in a few instances than a past adaptation was.

Tools should be approved to guarantee their adequacy and reapplied when updates or latest versions of the tool become available. These outcomes are the reason for choosing the appropriate instrument, how to adjust for any prominent inadequacies, and whether to consider the use of alternate version or update of the tool. Validation of the tool involves characterizing and distinguishing a complete arrangement of test information, following obtaining techniques to recoup the test information and evaluating the results. Today, tools seldom provide the means to obtain detailed logs of data extraction and other transactions that would aid in validation. An examiner can contrast the result of many tools to check the consistency of output. While tool validation is time-consuming, it is a fundamental practice to take after. As a quality measure, forensic experts should likewise get satisfactory cutting-edge training in the tools and process they follow. A critical characteristic of a forensic tool is its capability to preserve the integrity of the original information source being obtained and also that of the extracted data. The preceding is finished by blocking or generally taking out a write request to the device containing the information. The latter is finished by computing a cryptographic hash over the content of the evidence files made and recurrently checking that this value stays unaltered all through the lifetime of those files. Preserving integrity not only maintains credibility from a legal perspective, as well as enables any ensuing examination to utilize a similar benchmark for recreating the investigation.

Hash validation

A forensic hash is used to keep up the integrity of an acquisition by computing a cryptographically solid, non-reversible value over the procured information. After obtaining, any progressions made to the information might be recognized, since another hash values registered in the information will be conflicting with the old esteem. For non-forensic tools, hash values must be made using a tool, for example, sha1sum and held for integrity check. Indeed, even forensic tools may not process a cryptographic hash, and in these cases, an integrity hash should be computed independently.

Note that mobile devices are always dynamic and update data consistently such as the device clock. In this manner, consecutive acquisitions of a device will be somewhat different and create diverse hash values when processed over every one of the information. Although, hash values computed over selected information items, for example, individual files and directories, for the most part, stay consistent. Hash inconsistencies may take place requiring the examiner to perform an element-by-element check guaranteeing data integrity. Hash validation over different tools is perplexing because of proprietary reporting formats.


Preservation includes the pursuit, acknowledgment, documentation, and gathering of electronic-based evidence. To utilize evidence effectively, regardless of whether in an official courtroom or a less formal proceeding, it must be preserved. Inability to preserve evidence in its unique state could risk a whole examination, potentially losing significant case-related data.

Securing and evaluating the scene

Off base systems and procedures or ill-advised treatment of a mobile device amid seizure may cause loss of digital information. Traditional forensic measures, for example, fingerprints or DNA testing, need to be connected to set up a connection between a mobile device and its owner or user. If that the device is not taken care of properly, physical evidence might be tainted and rendered of no use. The examiner has to be very alert to mobile device characteristics and issues like memory volatility and with tangential equipment such as media, links, and power connectors are fundamental. For mobile devices, sources of evidence incorporate the device, UICC, and related media. Device related peripherals, cables, power adapters, and associated accessories are likewise of interest. All zones of the scene should be sought completely guaranteeing related proof is not disregarded. Equipment related to the mobile device, for example, removable media, UICCs, or PCs, may demonstrate more significant than the mobile device itself. Detachable media differs in size and can be effortlessly covered up and hard to discover. Frequently, detachable memory cards are identifiable by their distinctive shape and the immediacy of electrical contacts situated on their bodies that are used to build up an interface with the device. PCs might be especially valuable in later while accessing to a locked mobile device if the PC has built up a confined in association with it. For instance, Apple incorporates a pairing procedure whereby a current pairing record document file can be utilized by some tools to get to the mobile device while it is still locked. When meeting or interacting with the owner or user of a mobile device, consider asking for any security codes, passwords or gestures needed to get the access to its content. For instance, GSM devices may have authentication codes set for the inner memory as well as the UICC. While securing a mobile device, be alert if allowing the suspect to handle the device. Numerous mobile devices have reset codes that clear the content of the device to default factory conditions. Master resets might be performed remotely requiring appropriate safety measures, for example, network isolation to guarantee that evidence is not modified or demolished.

Mobile devices might be found in a compromised state that may confound seizure. For example, a device may be submerged in a liquid. In these circumstances, examiners should stick to agency specific procedures. One technique includes evacuation of the battery anticipating electrical shorting. The rest of the device should be sealed with a liquid in the appropriate container for transport to the lab, presuming that the liquid is not caustic. Some other compromised states are blood tainting or use with explosives such as a bomb component. This can represent a risk to the technician gathering evidence. In such circumstances, a specialist should be consulted for particular assistance. Mobile devices and related media might be found in a damaged state, caused by the coincidental or intentional attempt. Devices or media with visible external damage do not prevent the extraction of information. Damaged equipment should be reclaimed to the lab for closer investigation. Repairing damaged segments on a mobile device and re-establishing the device to working order for examination and investigation might be conceivable. Undamaged memory parts may likewise be expelled from a damaged device and their contents recovered independently. This strategy should be utilized with care, as it is impractical with all devices.

Documenting the scene

Evidence should be precisely identified and represented. Non-electronic materials, for example, invoices, manuals, and bundling material may give helpful data about the abilities of the device, the network utilized, account data, and opening codes for the PIN. Capturing the crime scene in conjunction with report gives an account of the condition of each computerized device and all PCs encountered might be useful in the examination if in case questions emerge later about the environment. A record of every single instance data should be made. Every computerized device, including mobile devices which may store information, should be photographed alongside all peripherals cables, power connectors, removable media, and connections. Abstain from touching or contaminating the mobile device while capturing and photographing it and the environment where found. If the device's display is in a visible state, the screen's contents should be photographed and, if vital, recorded manually, capturing the time, service status, battery level, and other displayed symbols.


It is important to disable network connectivity. Numerous mobile devices offer the user the capacity to perform either a remote lock or remote wipe simply by sending the command, for example, a text message, to the mobile device. Another reason for disabling network connectivity includes incoming data (e.g., calls or text messages) that may modify the current state of the data stored on the mobile device. Outgoing information may likewise be undesirable as the present GPS area might be sent to an advisory giving the geographic area of the forensic examiner. Accordingly, the forensic examiner should know and be cautious while securing mobile devices mitigating the possibility of information alteration. The Scientific Working Group on Digital Evidence's (SWGDE) "Best Practices for Mobile Phone Forensics" are the documents that cover best practice for the best possible seclusion of Mobile devices. Some key ramifications for proper collection are outlined underneath.

Separating the mobile device from other devices which are used for information synchronization is imperative to shield new information from contaminating existing information. If the device is found in a cradle or associated with a PC, pulling the plug from the back of the PC takes out information exchange or synchronization overwrites. It is prescribed that a capture of the PC's memory be extracted before "pulling the plug" as memory obtained turns out to be of imperative forensic value. Caution must be used while ejecting a device that is performing a software update or backup is capable to corrupt the file system of the mobile device. The use of memory forensic tools for the capture of a PC's memory should be done by a qualified digital forensic professional. The mobile device must be seized alongside related hardware. Media cards, UICCs, and other equipment present in the mobile device ought not to be evacuated. Likewise, seizing the PC that was associated with the mobile device gives the ability to get synchronized information from the hard disk that is impossible to be acquired from the device. Any related hardware, for example, media cards, UICCs, power adapters, device sleeves, or peripherals, have to be seized alongside related materials, for example, product manuals, bundling/ packaging, and software.

Isolating a mobile device from single radio network such as Wi-Fi, Cellular and Bluetooth is imperative to prevent new traffic, for example, SMS, from overwriting existing information. Besides the risk of overwriting potential evidence, the question may arise whether information received on the mobile device after the seizure is within the extent of the original authority granted. Vulnerabilities may exist that may exploit weaknesses identified with software vulnerabilities from the web browser and OS, SMS, MMS, external (3rd party) applications and Wi-Fi networks. The likelihood of such vulnerabilities being exploited may allow the contention that information may have been modified amid the forensic examination.

Three essential techniques for isolating the mobile device from radio correspondence and keeping these issues are: put the device in airplane mode, switch the device off, or put the device in a protected container. However, every technique has certain downsides.

  • Enabling "Airplane Mode" requires interaction with the mobile device and its keypad, which has some risk involved, less though, if the technician knows about the device being referred to and records the steps taken may be on paper or video. Note: flight mode does not keep the system from connecting to other services, for example, GPS in all cases.
  • Turning off the mobile device may activate authentication codes such as UICC PIN as well as handset security code, which are then needed to access the device, complicating acquisition and postponing examination.
  • Keeping the mobile device on, but radio isolated abbreviates battery life many devices increase power consumption in an attempt to lock on to a valid signal. After some time, failure in connecting to the network may cause reset in certain mobile devices or clear the network data that generally would be valuable if recovered. Faraday containers may constrict the radio signal, however not dispose of it totally, permitting the likelihood of communication being set up with a cell tower, if in its immediate vicinity. The risk of improperly sealing the Faraday container, for instance, bag improperly sealed, exposed cables associated with the forensic workstation may go about as antenna) and unconsciously enabling access to the cell network likewise exists.

To conserve power, some mobile devices are ordinarily configured to enter energy savings mode and shut off the display after a brief time of latency. A few devices additionally shut themselves off if the battery level dips under a specific threshold to protect information stored in volatile memory, which nullifies the main purpose of keeping it turned on. Keeping such a device active is troublesome, requiring periodic interaction with the device. Of that extra power cannot be supplied to a device and it will turn off to conserve power and preserve memory contents. The risk of experiencing an authentication mechanism is very likely if it is to be turned on again. Authentication mechanisms, for example, passwords, ordinarily can't be deactivated without first supplying the correct password.

The time upheld on the mobile device might be set independently of that from the network. Continuously, record the date and time appeared on the handset, if that turned on, and compare them with a reference clock, noticing any inconsistencies. If the screen gets diminished because of energy management, it might be important to press an "irrelevant" key, for example, the volume key, to light the screen.

Security mechanisms, key remapping, and suspicious programs might be present on mobile devices. Certain sorts of alterations to the software applications and OS of the device may influence the way it has taken care of. The following list of cases of a few of alterations to consider:

  • Security Enhancements – Organizations and individuals may improve their handheld device with add-on security mechanisms. A variety of login, biometric, and other validation systems are accessible for mobile devices might be as substitutions or supplements to password mechanisms. Improper interaction with a mechanism could make the device lock down and even destroy its contents. This especially is a concern with a mechanism that makes use of security tokens whose presence is continually checked and whose disconnection from a card slot or other device interface is promptly acted upon.
  • Malicious Programs – A mobile device may contain a virus or different other types of malicious software. Such malware13 may endeavor to spread it to other devices over wired or wireless interfaces, including cross-platform hops to different platforms. Basic utilities or functions may likewise be deliberately supplanted with versions of software intended to change or damage information exhibit on a mobile device. Such programs could restrictively be activated or suppressed depending on conditions, for example, input parameters or hardware key interrupts. Watchdog applications could likewise be written to tune in for particular occasions like key chords or over the air messages and carry out the activities, for example, erasing the contents of the device.
  • Key Remapping – Hardware keys might be remapped to play out a different function in comparison to the default. A key press or blend of key presses expected for one reason could launch a self-arbitrary program.
  • Geo Fencing – Some devices might be configured to naturally wipe out all information when the GPS in the device verifies that it has left (or entered) a particular foreordained geographic zone. This strategy may likewise utilize Wi-Fi towers for location determination too.
  • Explosives and Booby Traps – Mobile devices may be fixed to explode bombs remotely or explode themselves if a particular activity is completed on the device such as getting an incoming call, message or pressing a particular key chord sequence, and so forth.)
  • Alarms – Many mobile devices consist of an audible alarm feature. The alert capacity is equipped for powering on a latent device, setting up network connectivity and the potential for a remote wipe.

Cell network isolation techniques

Various methods exist for detaching a mobile device from cell tower communication. The device must be completely charged preceding the examination and consideration should be given to having a fixed or portable power source attached. The following gives a review of different cellular network isolation techniques.

  • Cellular Network Isolation Card (CNIC) - A CNIC copies the identity of the original UICC and averts network access to/from the handset. Such cards prevent the handset from deleting call log information due to a remote SIM being inserted. This system grants acquisition without worry of wireless impedance.
  • Shielded Containers - A portable and shielded container may enable examinations to be directed securely once the telephone is situated inside. Cable associated with the container must be completely isolated to keep network communications from happening. This technique is a standout amongst the most.
  • Shielded Work Areas – Shielding a whole work range can be a costly yet successful approach to lead examinations securely in a fixed location. A "Faraday tent" is a less expensive option that additionally permits portability. Feeding cables into the tent is risky, nevertheless, since without appropriate isolation they can carry on behaving like an antenna, nullifying the point of the tent. The workspace may likewise be extremely prohibitive.
  • Disabling Network Service - The cellular carrier giving service to the mobile device may have the capacity to disable the service anytime. The service provider or network operator must be resolved and reached with subtle details distinguishing the service to be incapacitated, for instance, the equipment identifier, subscriber identifier, phone number. Such data is generally not accessible promptly, nonetheless, and the coordination and affirmation process may likewise force delays.
  • Jamming/Spoofing Devices - Emitting a signal stronger than a mobile device or interfering with the signal rendering communication is futile. Another method includes deceiving the phone into thinking a "no service" signal is originating from the closest cell tower. Since such devices may influence communication in the encompassing open airspace outside the examination zone, unlicensed utilize might be unlawful in a few jurisdictions.

On location triage processing

At present numerous organizations are experiencing a challenge with excess backlogs of digital forensic casework. An on-location triage arrangement is being used worldwide increasingly to accommodate for this exponential development in digital forensic caseload. Triaging includes performing a manual or logical information extraction on-scene to be followed instantly by a preliminary investigation of the extracted information. Logical extraction tools are giving extra abilities to utilize keywords and particular known hashes alarming the on-scene examiner quickly to potential issues that should be triage to. Where probably, devices supporting encryption, for example, Android and iOS devices, should be triage prepared at the scene if that they are found in an opened state, as the information may never be accessible again to an examiner once the device's screen is locked, or if the battery depletes. Deploying the utilization of field forensic tools to either acquire the device or set up an association with the device, will guarantee that the information can be accessible to the examiner at a later time after the device is locked.

On location Triage is particularly valuable in recognizing:

  • Media determined to contain evidence.
  • Those examinations that require a more comprehensive and technical examination
  • The examinations that could be subject to restricted examination by qualified practitioners
  • Material requiring critical examination
  • Examinations reasonable for outsourcing
  • The degree of the help the unit should need to an examination

On location Triage handling benefits include:

  • Reduced research facility workload - Digital scientific lab entries might be reduced when nothing of intrigue is found on-scene, and the level of doubt is low.
  • Exigency - On-scene examiners have significant outcomes quickly.
  • Better utilizing of existing assets - Intelligence assets are upgraded using catch phrases/hash records.
  • Reduced training costs - Triage tools are commonly intended to require less training than more profound examination tools and procedures.
  • Reduced unit cost – Triage tools are very frequent and again more reasonable than more profound investigation proficient partners.
  • Live gathering opportunity – Devices are regularly exhibited in an unlocked state bearing the on-location examiner the ability to separate more information before the locking process is started.

Agencies may wish to build up some kind of "scoring" technique to help with the prioritization of an on-site triage examinations. This should be produced on the pre-organization basis and should be reviewed and updated to include changes.

Generic On-Site Decision Steps

The following are the on –site decision strides that might be used as a common rule for organizations. This gives a beginning stage proposed to customization permitting alignment with existing approaches and policies. The following steps depict a portion of the activities and choice focuses which should be taken.

Unlocked/Undamaged – Is the device unlocked and functional and did it allow a manual or logical information extraction?

Urgent – Do conditions exist where on-site extraction of the data is required?

Lab under 2 hours away – Is there a possibility of the mobile device be transported to a forensic lab in under 2 hours?

Tool/Training – Has the examiner undergone proper training and the device support tools?

Contact Expert – Does the on-site examiner have to contact a proficient person for needed help and direction?

Battery More than half – Does the device demonstrate power with half outstanding battery?

Need More Data – If the extraction is successful and the examiner has checked on the outcomes, is extra data or investigation required?

Chapter 3: Acquisition

The acquisition may be defined as imaging or generally acquiring data from a mobile device and its related media. Performing an acquisition at the scene has the benefit that loss of data because of battery consumption, damage, and so forth amid transportation and storage is avoided. Off-site acquisitions, unlike a laboratory facility setting, might be difficult in finding a controlled setting in which to work with the appropriate gear while fulfilling additional prerequisites. Thus, a lab situation is expected all through this segment.

The measurable examination starts with the Identifying a mobile device. The kind of mobile device, its OS, and different attributes decide the route to take in making a forensic copy of the contents of the device. The kind of mobile device and information to be separated by and large direct which tools and methods should be used as a part of an examination.

Mobile device identification

To continue adequately, mobile devices should be distinguished by the make, model, and specialist organization. If the mobile device is not identifiable, photographing, back and sides of the device might be helpful in recognizing the make, model, and current state like screen lock, at a later time. An individual may try to thwart experts by changing the mobile device to hide its original identity. Device alteration may extend from removing the manufacturer labels to documenting off logos. Also, the OS and applications might be familiar or in uncommon circumstances supplanted, and operate differently than expected. These alterations should be reviewed on a case-by-case basis.

If the mobile device is powered on, the data showing up on the display may help in mobile device ID. For instance, the manufacturer's or service provider's name may show up on the display, or the screen design may demonstrate the group of OSs being used. Data such as the manufacturer's label might be found in the battery hollow (e.g., make, show, IMEI, MEID). Expelling the battery from the hollow of a mobile device, notwithstanding when powered off, may influence its state, especially the contents of volatile memory. Most mobile devices keep users' information in non-volatile memory (NAND). If the mobile device is powered on, battery expulsion will power it off, perhaps making an authentication process trigger when power is back on.

Different clues that permit recognizable proof of a mobile device to incorporate things such as manufacturer logos, serial numbers, or design characteristics such as candy bar, clam shell. Overall, knowing the make and model confines the potential service providers, by differentiating the type of network the device operates over both GSM, non-GSM, and the other way around. Synchronization software found on a related PC may differentiate among OS families. Additionally, methods for identification are as follows:

Device Characteristics –The make and manufacturer of a mobile device, might be recognized by its discernible qualities like weight, dimensions, and form factor, especially as unique design components exist. Different sites contain databases of a mobile device that might be queried based on selected ascribes to recognize a specific device and acquire its features and specifications. The scope is significant, yet neither broad nor complete, and may require consulting more than one repository before matching.

  • Device Interface – The power connector can be unique to a manufacturer and may give clues of information to device identification. With familiarization and experience, the manufacturers of certain mobile devices can be distinguished promptly. Additionally, the size, number of contacts, and shape of the information cable interface are regularly particular to a specific manufacturer and may aid in identification.
  • Device Label – For mobile devices that are inactive, information received inside the battery hole might be of help, especially when combined with a relevant database. The manufacturers label regularly records the make and model number of the mobile device and furthermore unique identifiers, for example, the Federal Communications Commission Identification Number (FCC ID) and an equipment identifier (IMEI or MEID). The FCC and equipment identifiers which are found on mobile devices sold in the countries domestic market. For a single mobile device that uses a UICC, the identity module is positioned under the battery and engraved with a unique identifier called the Integrated Circuit Card Identification (ICCID). To be powered on GSM and UMTS mobile devices, the International Mobile Equipment Identifier (IMEI) might be identified by entering in *#06#. Similar codes exist for acquiring the Electronic Serial Number (ESN) or Mobile Equipment Identifier (MEID) from powered on CDMA phones. Different websites on the Internet offer databases that give data about the mobile device given an identifier, below are some of them:
    • The IMEI number consists 15-digit that shows the manufacturer, model type, and country of approval for GSM devices. The first 8-digit part of the IMEI, known as the Type Allocation Code (TAC), gives the details of model and origin. The rest of the IMEI is manufacturer concerned, with a check digit toward the end. A database lookup service is accessible from the GSM numbering design website.
    • The ESN is a 32-bit identifier recorded on a protected chip on a mobile device by the manufacturer. The initial 8-14 bits recognize the manufacturer, and the rest of the bits signify the allotted serial number. Several mobile devices have codes that can be placed on the handset to show the ESN. Concealed menus may likewise be activated on certain mobile devices by putting them in "test mode" through the input of a code. Other than the ESN, additional useful data, for example, the phone number of the device might be acquired. Manufacturer codes might be checked online at the Telecommunications Industry Association Website.

Carrier Identification – The carrier logos are imprinted outside of the for a mobile device. This is generally shown in advertisement and promotion. This may show the examiner on which carrier the mobile device functions. Mobile devices might get unlocked and conceivably re-flashed to work using a competing carrier. One technique to ensure this is to scan the UICC if exists. Most carriers engrave their logo on the front of the UICC. Also, extraction and examination of the ICCID gives advance affirmation.

Reverse Lookup – The Number Portability Administration Centre (NPAC) gives an automated phone system to law enforcement agencies to decide the present service provider allocated to a number and get contact data. This service covers only well as the Canadian phone numbers. If the phone number of the mobile device is recognized, an inverted query (reverse lookup) can be used to ascertain the network operator along with the city and state details where it has originated from. For instance, FoneFinder is a service used to get such data. The network operator's site ordinarily contains a list of upheld devices that might be of use to limit and perhaps recognize the mobile device being enquired. Since telephone numbers might be ported among service providers, as a rule, more breakthrough data is required.

Expectations and tool selection

Once the make and model of the mobile device are known, accessible manuals should be retrieved and studied. The manufacturer's site is a decent place to start from. Typing the model number into a search engine may uncover a lot of data about the mobile device. The device being examined significantly drives the choice of forensic tools. The succeeding criteria have been proposed as necessary for the choice of forensic tools.

  • Usability – the capability to exhibit information in a form that is valuable to an examiner
  • Comprehensive – the capability to exhibit all information to an examiner so that both internal and external evidence can be recognized
  • Accuracy – the nature of the output of the tool has been checked
  • Deterministic – the capability for the tool to deliver the same output when given same instructions and input
  • Verifiable – the capability to guarantee exactness of the output by approaching intermediate translation and presentation outcome
  • Tested – the capability to decide whether known information introduced inside the mobile device internal memory is not adjusted and reported precisely by the tool

Exploring the different tools on test devices to determine which acquisition tools work proficiently with a particular mobile device type is strongly advised. Other than picking up commonality with the capabilities of the tool, experimentation permits unique reason of search filters and custom designs to be setup before use in a genuine case. Furthermore, any required software updates from the manufacturer can be installed on the device.

Established procedures should direct the technical process of acquisition, and also the examination of evidence. New conditions may emerge periodically that expect a change by existing systems, and in a few circumstances, require new techniques and procedures to be considered. A few cases include: UICCs being permanently reinforced into a mobile device, mobile devices equipped for supporting various UICCs and mobile devices that block logical acquisition ports until the connection is made with a cell tower. The procedure must be verified to safeguard that the acquired results are substantial and freely reproducible. Testing should happen on a similar model of the mobile device before attempting the procedures inside the device. The advancement and consensus of the procedure should be reported and incorporate the below steps:

  • Identifying the errand or issue
  • Proposing prospective measures
  • Testing every measure on a matching test device and under known control conditions
  • Evaluating the consequences of the test
  • Finalizing the process

Mobile device memory acquisition

Mobile devices are submitted for laboratory processing with only certain items required for recovery such as logs or graphics. If any uncertainty or concerns exist about the requested information, contact the requestor for clarification. However, it is not important to recoup every single accessible datum. A full acquisition negates the necessity of redoing the procedure later if extra information is required. For examinations including limited scope search warrant such as texts messages, a full memory information extraction might be completed, yet care should be taken to just report items required by the warrant.

To obtain information from a mobile device, a connection must be built up to the device from the forensic workstation. Before executing an acquisition, the version of the tool/ device which is being used should be reported, alongside any appropriate patches or errata from the manufacturer applied to the tool. As specified before, an alert should be taken to refrain from adjusting the condition of a mobile device when dealing with it, for instance, by pressing keys that may corrupt or delete information. Once the connection has been built up, the forensic software suite or device may continue to obtain information from the mobile device.

The date and time kept on the mobile device is a critical part of data. The date and time may have been acquired from the network or manually setup by the user. Owners can manually set the day or time to various values obscuring the genuine ones, yielding misleading values in the call and message records found on the mobile device. If the device was on when detained, the date and time kept and difference from a reference clock must be recorded. However, affirmation at the time acquisition may prove helpful. If the mobile device was off when detained, the date and time kept and contrasts from a reference clock has to be recorded promptly during initial power on. Actions made in the middle of acquisition, for example, removing the battery to see the device label, may influence the time and date values.

Mobile devices give the user an interface for a memory card. Mobile device forensic tools that obtain the contents of an occupant memory card ordinarily make a logical acquisition. If the device is set up in an active state, the mobile device internal memory should be acquired before removing and performing a physical acquisition of the related media like micro SD Card. If not, the device is found in power off state, a physical acquisition of the detachable media should be performed before the internal handset memory of the mobile device is procured. With either kind of acquisition, the forensic tool might have the ability to decode recouped information stored on the card such as SMS, require extra manual steps to be taken.

Once the process of acquisition is finished, the forensic expert is obliged to confirm that the contents of a device were captured accurately. Sometimes, a tool may nose-dive without any error and require the examiner to reattempt acquisition. It is prudent to have various tools accessible and be set to change to another if troubles happen with the primary tool.

However, not every single significant data viewable on a mobile device which uses the accessible menus can be acquired and decoded with a logical acquisition. Manually examining the contents via the device interface menu while video recording, the procedure not only enables such things to be apprehended and described, additionally confirms that the contents exposed by the tool are consistent with evident information. Manual extraction should be finished with attention, maintaining the integrity of the device in the occurrence further, more intricate acquisitions are vital.

The contents of a mobile device's memory frequently contain data such as erased information that is not recoverable through either a logical or manual extraction. Without a software tool ready to perform a physical acquisition, it is important to shift to hardware based techniques. Two techniques generally used are acquisition through a uniform JTAG test interface, if supported on the device, and acquisition by directly reading memory which has been expelled from the device.

GSM mobile device specific considerations

Mobile devices that don't involve a UICC are relatively straightforward as the acquisition involves a single device. Mobile devices needing UICCs are more mind perplexing. Two things must be inspected: the handset and the UICC. Contingent upon both active and inactive condition of the mobile device the handset and UICC can be acquired together or independently. It is usually accepted first to prepare the UICC while the device is in an inactive state.

The joint acquisition of a handset and UICC contents must be acquired first if the mobile device is in an active state. An immediate obtaining recuperates erased messages exist on a UICC, while an indirect acquisition through the handset does not. The UICC must be expelled from the mobile device and inserted into a suitable reader for direct acquisition.

Often a forensic issue that emerges when carrying out a joint acquisition is that the status of unread messages changes amid acquisitions. The primary acquisition may modify the status flag of a new message to read. Reading a new message from a UICC in an indirect way through the handset makes the OS of the device change the status flag. UICCs that are read straightforwardly by a tool does not make these changes. One approach to staying away from this issue is to discard choosing the recuperation of UICC memory when performing the joint acquisition (if the tool permits such an alternative).

A well-known forensic issue that arises when performing a joint acquisition is that the status of unread text messages changes between acquisitions. The first acquisition may alter the status flag of an unread message to read. Reading an unread text message from a UICC indirectly through the handset causes the operating system of the device to change the status flags. UICCs that are read directly by a tool does not make these modifications. One way to avoid this issue is to omit selecting the recovery of UICC memory when performing the joint acquisition (if the tool allows such an option).

When the mobile device is inactive, the contents of the UICC might be gained separately before that of the handset. The UICC acquisition should be finished specifically through a PC/SC reader. The handset acquisition must be attempted without the UICC presence. Numerous devices allow an acquisition under such conditions, permitting PIN section for the UICC to be bypassed if it was enabled. However, if the acquisition attempt becomes unsuccessful, the UICC might be reinserted and another attempt to be made. Performing separate independent acquisitions such as acquiring the UICC first and then acquiring the contents of the handset. This maintains a strategic distance from any OS related forensic issues related with an indirect read of UICC information. In any case, removing the SIM can allegedly make information be erased on some mobile devices.

iOS device specific considerations

Since mid-2009, starting with the arrival of the iPhone 3Gs, Apple has dispatched all iOS devices with a committed cryptographic chip, making hardware accelerated encryption possible. Apple has consolidated this quickened cryptography into the OS, showcased as an element named Data Protection. Data Protection is the mix of hardware accelerated encryption and an authenticated cryptographic scheme, permitting any document or snippet of data to be encrypted or decrypted with a separate key.

Files secured with data protection are encrypted with a random file key, which is then encrypted by making use of a higher-level class key, and stored as a file tag with the file. Passwords and other sensitive small data are stored on the device are encrypted by using a similar approach, and are stored in the iOS keychain, a device key escrow mechanism incorporated with the OS.

Files and keychain components are both protected by various numbers of access control keys, which are likewise encrypted in a way that consolidates the user's device password. The password should be well-known to decrypt the key hierarchy protecting these nominated files and keychain components, and furthermore to disable the device's GUI lock.

The execution of Data Protection has been condemned for various design flaws and was initially exploited by Zdziarski in 2009. Because of the effortlessness of 4-digit PINs or short passwords, brute forcing the device password is sometimes computationally achievable assignment. Much of the time, brute forcing a four-digit PIN has appeared to take at most 20 minutes.

This encryption scheme poses huge difficulties to the forensic examiner. The forensic examiner must know about these issues, and also, the effect that this encryption has on any iOS based device exhibited for examination. Supported devices incorporate iPhone 3GS and iPhone 4 including GSM and CDMA models, first-gen iPad, and most recent arrivals of iPod Touch both third and fourth generation. These devices have the choice to do a remote wipe of information contained inside them. Whenever activated, the UID is destroyed, and 256 bits of the key are ruined and leaves the examiner with very complex decryption issue. To maintain a strategic distance from such situations, it is prescribed that radio communications are blocked or impaired before an examination and also amid transportation to the lab for examination. At the point when data protection is active, the file key is obliterated when the file is erased, leaving encrypted and unrecoverable files in unallocated space, which reduce conventional carving methods for deleted files futile. Information, however, can frequently be discovered dwelling inside assigned information containers such as SQLite Tables and ought not to be marked down or disregarded as a major aspect of any examination. Recuperation of such information can be challenging as SQLite information recuperation might be to some degree can be automated for example epilog, sometimes manual recuperation might be the only alternative. Luckily for the forensic examiner, a huge part of user information is stored inside allotted information containers, and garbage collection is not often performed on these containers.

Apple likewise offers a feature to users to encrypt all backup information even when using iTunes iOS 4 and later. This choice, when used will just present encrypted records from some forensic extraction tools. The backups could be decrypted by making use of a brute force attack. Tools exist to play out this attack by using GPU speeding up to encourage a faster brute force attack. The backup encryption feature is just applied to information sent through the device's backup service; however various services keep running on the device that gives clear text duplicates of information, regardless of the possibility that backup encryption is active. If the acquisition tool is fit for communicating to these different services, a lot of clear content information can be recuperated, besides that the backup password is unknown.

Android device specific considerations

Android is a Google designed OS mainly for mobile devices such as smartphones and some tablet PCs. Android was first introduced in 2007, and the primary Android-based mobile device was introduced in October 2008. The Android OS is open source, and Google mostly releases a significant version about once every year.

Every one of the diverse versions of the OS needs slight reformation for every group of devices for complete support. This has prompted hundreds of various distributions in the wild. Much like Apple's iTunes Store, Android has a main application repository known as Google Play Store. Examination of submitted applications for accuracy in the repository is much inferior and have carried about numerous rogue applications advancing into the mainstream application pool. Many other Android application stores exist too. This has prompted a large number of applications that might be encountered by the investigator.

The major part of the Android user and application information will be found in SQLite tables situated in discrete folders for each application installed on it. This requires the investigator to dump all information contained in all SQLite tables and execute an inquiry of the resultant information searching for pertinent material as under 5% of the applications are supported by the majority of mobile forensic tools.

Since the OS is intended for using the touch screen, the default protection scheme for the device is a gesture password lock. The lock exhibits a 3X3 grid to followed by user's finger connecting with few cells of the grid to frame a pattern. Once the right pattern is followed, the phone is unlocked. The forensic tools do exist to acquire the gesture key file to unlock the device.

The vast majority of the techniques for a locked Android device majorly depends on debug mode to remain active on the device to start the forensic extraction process. A couple of devices that have been released may activate debug mode from a locked device, though, there are few of these models.

Many Android based mobile devices support removable Micro SD memory cards. The information enclosed in the micro SD Card must not be disregarded as they often hold a lot of unencrypted and unprotected information. The micro SD card should be write-blocked and imaged utilizing standard digital forensic methods. The image may then be analyzed employing conventional digital forensic tools because the media is usually a solitary partition formatted using exFAT.

While opening a locked device, it is additionally likely with JTAG techniques and tools to get the majority of the information from the memory of the handset. This sidesteps the locked USB port when USB Debugging turned off and investigates Test Access Ports between the USB Port and the CPU. JTAG gives communication to NAND memory via the CPU enabling memory to be read.

Several tools can parse a great part of the data exhibited in the Android OS yet all tools ensure the same issue from iOS based devices. Many applications are included each week. Understanding and reverse engineering every one of them each one, in turn, is a tedious procedure. Numerous sellers have concentrated on parsing the information from the more prevalent communication applications, for example, WhatsApp, FaceBook, and so on. The more driven investigator must know about this deficiency and be set up to perform testing and reverse engineering for situations where support for particular applications may not occur.

UICC considerations

Like a mobile device, to obtain information from a UICC, an association must be built up from the forensic workstation to the UICC, with using a PC/SC reader. The variant of the tool being utilized has to be reported, alongside any substantial patches or errata from the manufacturer applied to the tool. Once the association has been set up, the forensic software tool may continue to obtain information from the UICC. Capturing a direct UICC image of information is impractical, on account of the security protection incorporated into the module. Rather, forensic tools send command directives known as Application Protocol Data Units (APDUs) to the UICC to extract information logically, without alteration, from each basic information record of the file system. The APDU protocol is a basic command-response exchange. Every component of the file system characterized in the GSM guidelines has a unique numeric identifier allocated, which can be utilized to stroll through the file system and recuperate information by referencing a component and performing some operation, for example, reading its contents.

Since UICCs are exceptionally standardized devices, few issues exist concerning a logical acquisition. The primary thought is choosing a tool that reports the status of any PINs and recoups the information of intrigue. Immense contrasts exist in the information recuperated by UICC tools, with some recouping just the information should have the most elevated significance in a normal examination, and others to perform an entire recuperation of all information, despite the fact that a lot of it is network related with minimal investigative value.

Memory cards

The storage capacity of memory cards varies from 128MB and up. As innovative advances are made, such media turns out to be physically tinier and offers more storage densities. Removable media broadens the storage limit of mobile devices enabling people to store extra records past the device is worked in limit and to share information between compatible devices.

Few forensic tools can get the contents of memory cards; many most certainly cannot. If the acquisition is logical, deleted information is not recovered. Luckily, such media can be dealt with likewise to a removable circle drive and imaged and examined by using regular forensic tools with the utilization of an external media reader.

A physical acquisition of information visible on removable media gives the inspector the possibility to look for the contents of the media and potentially recoup deleted files. One downside is that mobile device information, for example, SMS may necessitate manual decoding or a different decoding tool to decipher. A more difficult issue is that content protection features linked to the card may hinder the recuperation of information. For example, BlackBerry devices furnish the user with the capability to encrypt information contained on the removable media related to the mobile device. Table 4 gives a short diagram of different storage media being used today.

Name Characteristics

MMCmicro Dime size (length-14 mm, Width-12 mm, and thickness-1.1 mm) 10-pin connector and a 1 or 4-bit data bus Requires a mechanical adapter to be used in a full-size MMCplus slot

Memory Stick Micro Dime size (length-12.5 mm, Width-15 mm, and thickness-1.2 mm) 11-pin connector, 4-bit data bus

Secure Digital (SD) Card Postage stamp size (length-32 mm, Width-24 mm, and thickness2.1mm) 9-pin connector, 1 or 4-bit data bus Features a mechanical erasure-prevention switch

MiniSD Card Thumbnail size (length-21.5 mm, Width-20 mm, and thickness-1.4 mm) 9-pin connector, 1 or 4-bit data bus Requires a mechanical adapter to be used in a full-size SD slot

MicroSD (formerly Transflash) and microSDXC

Transflash) and microSDXC

Dime size (length-15 mm, Width-11 mm, and thickness-1 mm) 6-pin connector, 1 or 4-bit data bus


Cloud-based services for mobile devices

Mobile cloud computing is the mix of mobile networks and distributed computing permitting user applications and information to be saved in the cloud such as on web servers as opposed to the mobile device memory. This information might be saved in diverse locations. Cloud computing environments are unpredictable in their outline and often geographically scatter. Frequently, storage locations for distributed computing are picked up because of most reduced cost and information access prerequisites. One issue might be location identification of the information. This is a rising field.

Cloud storage opens various potential outcomes for mobile device application developers past mobile device memory constraints. As mobile applications, advance information retrieval becomes seamless to the user and not evident if the information is saved in the cloud or inside the internal memory of the mobile device.

There are a few factors inside cloud computing environments that challenge forensic examiners to need a hybrid approach to incorporate both live and "dead box" forensic methods. Also, recuperation of user information stored in the cloud may turn out to be more dangerous given laws and directions. Recovery and investigation of cloud based information must take after pertinent agency rules on cloud forensics.

The mobile device forensics analyst must not risk cloud based information deserted such as, browser cache and related forensics artifacts which might be available on peripheral hardware empowering an examiner to sort out what has happened on a device.

Chapter 4: Analysis and examination

The examination procedure reveals digital evidence, comprising what might be concealed. The outcomes are increased through applying built up logically based techniques and should depict the content and condition of the information completely, considering the source and the potential significance. Information reduction, differentiating from important from irrelevant data, happens once the information is uncovered. The investigation procedure varies from examination in that it takes a look at the consequences of the examination for its direct significance and probative value of the case. The examination is a technical procedure that is the area of a forensic specialist. Nonetheless, the examination might be finished by roles rather than an expert, for example, the investigator or the forensic examiner.

The examination procedure starts with a duplicate of the evidence obtained from the mobile device. Luckily, compared with conventional examination of PCs or network servers, the sum of acquired information to examine is significantly lesser with mobile devices. As a result of the predominance of proprietary case file formats, the forensic toolbox applied for the acquisition will normally be the one being used for examination. While interoperability between the acquisition and examination services of various devices is feasible, though this feature is supported by a couple of tools. Examination via making use of third party tools are mostly fulfilled by importing a mobile device memory dump into a mobile forensic tool that supports external mobile device images.

The forensic examiner would be demanding data about the case and the parties required to give a beginning point to potential evidence that may be found. Leading the examination is an association between the forensic examiner and the investigator. The investigator gives knowledge into the sorts of data looked for, while the forensic examiner gives the way to discover important data that may be on the system.

The understanding picked up by concentrating on the case gives strategies regarding the kind of information to target and particular keywords or phrases to be used while looking for the acquired information. Contingent upon the sort of case, the technique shifts. For instance, child pornography case may start with browsing the majority of the realistic pictures on the system, while a case around an Internet-related offense may start with browsing of all Internet history documents.

Sources of potential evidence

Mobile device producers majorly propose a comparable arrangement of data supervising the features and capabilities, including Personal Information Management (PIM) applications, messages and email, and web browsing. The number of features and abilities fluctuate in the time when the device was made, the variant of firmware running, changes made to a specific service provider, and any adjustments or applications introduced by the user. The prospective evidence on these devices may incorporate the below things:

  • Subscriber and hardware identifiers
  • Date/time, dialect, and different settings
  • Phonebook/Contact data
  • Calendar data
  • Messages
  • Outgoing, approaching, and missed call logs
  • Electronic mail
  • Photos
  • Audio and video recordings
  • Multimedia messages
  • Instant messaging
  • Web browsing activities
  • Electronic reports
  • Social media related information
  • Application related information
  • Location data
  • Geolocation information

Indeed, esoteric network data found on a UICC may demonstrate valuable in an examination. For instance, if a network rejects a location update from a phone attempting to register itself, the forbidden network entries in the Forbidden PLMNs (Public Land Mobile Networks) rudimentary file is updated with the country code and the involved network. This list is kept up on the UICC and is because of administration being declined by a foreign provider. The mobile device of a suspect individual who is traveling to a neighboring country may be checked for this data.

The items showed on a device are not just reliant on the features and capabilities of the mobile device, additionally on the voice and data services the user has subscribed to. For instance, prepaid phone service might discount the likelihood for multi-media messaging, electronic mail, and web browsing. Also, a contract subscription may specifically avoid certain sorts of service. However, the telephone itself may support them.

Two sorts of PC forensic examinations usually happen. The first type is the location an incident has happened. However, the identity of the guilty party is obscure such as a hacking incident. The second is the place the suspect and the event are both known such a kid porn examination. Prepared with the foundation of the incident, the forensic examiner and analyst may continue toward finishing the below targets:

  • Collect data about the individual or individuals involved {who}.
  • Define the correct nature of the events that happened {what}.
  • Build a timeline of events {when}.
  • Reveal data that describes the motivation for the offense {why}.
  • Determine what tools are utilized {how}.

In several cases, the information is fringe to an examination or valuable in substantiating or disproving the cases of a person about some occurrence. Once in a while, coordinate information motivation, and purpose might be built up. A major part of the evidence sources from mobile devices are: contact information, call information, informing, pictures, video, social media, or Internet-related data. User applications possibly give other evidence sources. User documents put on the device for rendering, review, or altering are other imperative evidence sources. Other than graphic files, relevant file content incorporates both audio and video recordings, spreadsheets, presentation slides, and other similar electronic files.

Installed executable projects may likewise have significance in specific circumstances. In many cases, the most critical information recuperated is what connects to data held by the service provider. Service provider keeps up databases for billing and debiting accounts given call logs, which can be questioned with the use of the subscriber or hardware identifiers. Additionally, undelivered SMS instant messages, multimedia, or voice messages may likewise be recoverable. This may enable an analyst to approve their discoveries as the information gotten from the device might be confirmed with the information acquired from the service provider.

Putting mobile device forensic tools into picture

Once a copy of the acquisition results is available, the next steps involve searching the data, identifying evidence, creating bookmarks, and developing the contents of a final report. Knowledge and experience with the tools used for examination are extremely valuable since the proficient use of the available features and capabilities of a forensic tool can greatly speed the examination process.

It is important to note that forensic tools have the potential to contain some degree of error in their operation. For example, the implementation of the tool may have a programming error; the specification of a file structure used by the tool to translate bits into data comprehensible by the examiner may be inaccurate or out of date; or the file structure generated by another program as input may be incorrect, causing the tool to function improperly. Experiments conducted with mobile device forensic tools indicate a prevalence of errors in the formatting and display of data. Therefore, having a high degree of trust and understanding of the tool's ability to perform its function properly is essential. The Computer Forensics Tool Testing (CFTT) project at the National Institute of Standards and Technology (NIST) produces a specification, test methods and test reports that provide a foundation for toolmakers to improve tools, users to make informed choices and provide interested parties with an overview of any anomalies found. CFTT has spent several years researching and testing forensic tools capable of acquiring data from the internal memory of mobile devices and Subscriber Identity Modules (SIMs).

A knowledgeable individual may tamper with device information, such as purposefully modifying a file extension to foil the workings of a tool, altering the date/time of the mobile device to falsify timestamps associated with logged activities, creating false transactions in the memory of the mobile device or its UICC or utilizing a wiping tool to remove or eliminate data from memory. Seasoned experience with a tool provides an understanding of its limitations, allowing an examiner to compensate for them and minimize errors to achieve the best possible results.

To uncover evidence, specialists should gain a background of the suspect, offense and determine a set of terms for the examination. Search expressions should be developed systematically, such as using contact names that may be relevant. By proceeding systematically, the specialist creates a profile for potential leads that may unveil valuable findings.

Following are the suggestions for the analysis of the extracted data

  • Ownership and possession – Identify the individuals who created, modified, or accessed a file, and the ownership and possession of questioned data by placing the subject with the device at a particular time and date, locating files of interest in nondefault locations, recovering passwords that indicate possession or ownership, and identifying contents of files that are specific to a user.
  • Application and file analysis – Identify information relevant to the investigation by examining file content, correlating files to installed applications, identifying relationships between files (e.g., email files to e-mail attachments), determining the significance of unknown file types, examining system configuration settings, and examining file metadata (e.g., documents containing authorship identification).
  • Timeframe analysis – Determine when events occurred on the system to associate usage with an individual by reviewing any logs present and the date/time stamps in the file system, such as the last modified time. Besides call logs, the date/time and content of messages and email can prove useful. Such data can also be corroborated with billing and subscriber records kept by the service provider.
  • Data hiding analysis – Detect and recover hidden data that may indicate knowledge, ownership, or intent by correlating file headers to file extensions to show intentional obfuscation; gaining access to password-protected, encrypted, and compressed files; gaining access to steganographic information detected in images; and gaining access to reserved areas of data storage outside the normal file system.

The capabilities of the tool and the richness of its features, versus the operating system and type of device under examination, determines what information can be recovered, identified, and reported, and the amount of effort needed. The search engine plays a significant role in the discovery of information used for the creation of bookmarks and final reporting. For example, some tools used to search for textual evidence identify and categorize files based on file extension, where others use a file signature database. The latter feature is preferable since it eliminates the possibility of missing data because of an inconsistent file name extension (e.g., eliminating a text file whose extension was changed to that of a graphics or image file). Similarly, the ability for the tool to find and gather images automatically into a common graphics library for examination is extremely useful.

Searching data for information on incriminating or exculpatory evidence takes patience and can be time-consuming. Some tools have a simple search engine that matches an input text string exactly, allowing only for elementary searches to be performed. Other tools incorporate more intelligent and feature rich search engines, allowing for generalized regular expression patterns (grep) type searches, including wildcard matches, filtering of files by extension, directory and batch scripts that search for specific types of content (e.g., e-mail addresses, URLs). The greater the tool's capabilities, the more the forensic examiner benefits from experience with and knowledge of the tool.

Chapter 5: Reporting

Reporting is the way of setting up a complete outline of the considerable number of steps taken, and conclusions come to in the examination of a case. Reporting relies upon keeping up an alert record of all activities and perceptions, depicting the consequences of tests and examinations, and clarifying the deductions drawn from the information. A decent report depends on robust documentation, notes, photos and tool-generated content.

Reporting happens once the information has been altogether looked and pertinent items bookmarked. Numerous forensic tools accompanied an implicit reporting facility that ordinarily takes after predefined formats and may permit customization of the report structure. Allowed customizations take into consideration organization logos and report headers and choice of styles and structure to give a more expert look personalized to the organization's needs. Reports created by forensic tools normally incorporate items from the case document; for example, the specialist's name, a case number, a date and title, the classifications of evidence, and the valid evidence found. Report generation normally yields either the majority of the information acquired or enables examiners to choose significant information such as bookmarked items for the end report. Counting just important findings in the report limits its size and decreases disarray for the reader.

The software generated contents are just a single piece of the final report. The final report encompasses the software generated contents alongside information aggregated all through the examination that compresses the moves made, the investigation done, and the importance of the evidence revealed. Preferably, the supporting documentation is in electronic shape and ready to be consolidated straightforwardly into the report.

Reporting facilities shift essentially crosswise over mobile device acquisition applications. Report generation may render a full report in one of a few basic formats such as, txt, .csv, .doc, .html, .pdf or if nothing else give a way to export individual information items to form a report physically. A couple of tools incorporate no methods for report generation or information send out and rather expect analysts to capture individual screenshots of the tool interface for later assembling into a report format. Notwithstanding how reports are created, making sure that the final report is consistent with the information introduced in the UI representation is crucial to recognize and kill any conceivable irregularities that may show up. The ability to adjust a prior report and adjoining information like pictures, video stills which are captured by elective means are irreplaceable. Auxiliary acquisition techniques are at some point required to recuperate particular information sorts. For instance, video recording a manual examination file the recuperation of information that the automated forensic tool might not have acquired. Video altering programming enables still pictures to be captured for consideration into the report. Pictures could likewise be taken off the manual exam with the use of a digital camera. However, this procedure is less effective and may not record the whole procedure; it might be the only technique accessible.

The kind of information decides if it is adequate in a printed version format. Today, numerous well known mobile phones are adept at capturing audio and video. Such evidentiary information cannot effortlessly be exhibited in a printed format and rather have to be incorporated with the final details for removable media some good examples are CD-R, DVD-R, or flash drive alongside the suitable application for appropriate display.

Reports for forensic examination results must incorporate all the data important to recognize the case and its source, outlining the test outcomes and findings, and bear the signature of the individual in-charge of its content. When all is said in done, the report may incorporate the listed data.

Learn Digital Forensics

Learn Digital Forensics

Build your skills with hands-on forensics training for computers, mobile devices, networks and more.

  • Identity of the reporting organization
  • Case identifier or submission number
  • Case specialist
  • Identity of the submitter
  • Date of evidence receipt
  • Date of report
  • Descriptive list of items being submitted for examination, including serial number, make, and model
  • Identity and mark of the analyst
  • The hardware and set up being used as a part of the examination
  • Brief portrayal of steps taken amid examination, for example, string seeks graphic picture searches and recuperating eradicated records.
  • Supporting materials, for example, printouts of specific item of evidence, digital duplicates of evidence, and chain of custody documentation
  • Particulars of findings:
    • Specific file identified on demand
    • Other records, including erased documents, that aid in the findings
    • String searches, keyword searches, and text string searches
    • Internet-related evidence, for example, website traffic investigation, chat logs, cache files, email, and news group action
    • Graphic picture investigation
    • Indicators of possession, which could incorporate program registration information
    • Data investigation
    • Description of significant programs on the examined items
    • Techniques used to cover up or veil information, for example, encryption, steganography, hidden attributes, hidden partitions and document name irregularities
    • Report conclusions

Digital evidence, and also the tools, methods utilized as a part of an examination is liable to be tested in a courtroom or other formal procedures. Legitimate documentation is basic in giving people the capacity to re-make the procedure from start to finish. As a major aspect of the reporting procedure, making a duplicate of the software being used and incorporating it with the result created is recommended when custom tools are also utilized for examination or investigation, should it end up plainly important to recreate forensic processing result.

Acronyms Used

  • APDU – Application Protocol Data Unit
  • API – Application Programming Interface
  • ASCII – American Standard Code for Information Interchange
  • BCD – Binary Coded Decimal
  • BSC – Base Station Controller
  • BTS – Base Transceiver Station
  • CDMA – Code Division Multiple Access
  • CDR – Call Detail Record
  • CF – Compact Flash
  • CNIC – Cellular Network Isolation Card
  • CSIM – CDMA Subscriber Identity Module
  • EDGE – Enhanced Data for GSM Evolution
  • EMS – Enhanced Messaging Service
  • ESN – Electronic Serial Number
  • ETSI – European Telecommunications Standards Institute
  • eUICC – Embedded Universal Integrated Circuit Card
  • FCC ID – Federal Communications Commission Identification Number
  • GPRS – General Packet Radio Service
  • GPS – Global Positioning System
  • GSM – Global System for Mobile Communications
  • HTTP – HyperText Transfer Protocol
  • ICCID – Integrated Circuit Card Identification
  • IDE – Integrated Drive Electronics
  • IM – Instant Messaging
  • IMAP – Internet Message Access Protocol
  • IMEI – International Mobile Equipment Identity
  • IMSI – International Mobile Subscriber Identity
  • IrDA – Infra Red Data Association
  • JTAG – Joint Test Action Group
  • LCD – Liquid Crystal Display
  • LED – Light Emitting Diode
  • LND – Last Numbers Dialed
  • MD5 – Message Digest 5
  • MEID – Mobile Equipment Identifier
  • MMC – Multi-Media Card
  • MMS – Multimedia Messaging Service
  • MSC – Mobile Switching Center
  • MSISDN – Mobile Subscriber Integrated Services Digital Network
  • NFC – Near Field Communication
  • OS – Operating System
  • PC – Personal Computer
  • PC/SC – Personal Computer/Smart Card
  • PDA – Personal Digital Assistant
  • PIM – Personal Information Management
  • PIN – Personal Identification Number
  • RAM – Random Access Memory
  • ROM – Read Only Memory
  • SD – Secure Digital
  • SDK – Software Development Kit
  • SHA1 – Secure Hash Algorithm, rendition 1
  • SIM – Subscriber Identity Module
  • SMS – Short Message Service
  • SSD – Solid State Drive
  • TDMA – Time Division Multiple Access
  • UICC – Universal Integrated Circuit Card
  • UMTS – Universal Mobile Telecommunications System
  • URL – Uniform Resource Locator
  • USB – Universal Serial Bus
  • USIM – UMTS Subscriber Identity Module
  • WAP – Wireless Application Protocol
  • Wi-Fi – Wireless Fidelity
Hashim Shaikh
Hashim Shaikh

Hashim Shaikh currently works with Aujas Networks. Possessing a both OSCP and CEH, he likes exploring Kali Linux. Interests include offensive security, exploitation, privilege escalation and learning new things. His blog can be found here: and his LinkedIn Profile here: