Mobile Forensics: An Overview of Techniques in Mobile Forensics Investigation
Smartphone and tablet technology has changed dramatically and quickly over the last several years and continues to do so at an astounding pace. These smaller computing devices are now so common, and so capable, that they can replace their desktop counterparts in everyday human-to-computer interaction. Sit in any restaurant, airport, or public place that provides Wi-Fi and you will see people with their faces glued to their device screens, interacting with such focus that they seem oblivious to their physical surroundings.
Today’s smartphones are used less for calling and much more for socializing; as a result, smartphones hold plenty of sensitive information about their users. Mobile devices keep the user’s contacts from a variety of sources (including the phone, social networks, instant messaging, and communication applications), data about phone calls, sent and received text messages, and e-mails with attachments. There are also browser logs and cached geolocation information; photos and videos taken with the phone’s camera; passwords to cloud services, forums, social networks, online portals, and shopping websites; stored payment data; and plenty of other information that may be important for an investigation.
With such a massive audience engaging daily with their smartphones and accessories, mobile forensics plays a major role in determining how these so-called “secure” devices get exploited and how users’ data is used in attacks on mobile infrastructure.
We will not go into low-level technical detail, such as which hex value at which address means what, how to calculate a UDID, or how to use ADB to break through passcode protection on Android 2.1. We believe such detail is of little use to a law enforcement officer and should interest only technicians working in an acquisition lab.
Stages of mobile forensics
This section briefly discusses the overall stages of mobile forensics and is not meant to provide an in-depth explanation of every stage. There is more than sufficient documentation, easily accessible on the internet, that covers the stages of mobile forensics in intimate detail.
Stage 1: Device Seizure
This stage pertains to the physical seizure of the device so that it comes under the control and custody of the investigator/examiner. Consideration should also be given to the legal authority or written consent to seize, extract, and search this information.
The physical condition of the device at the time of seizure should be noted, ideally through digital photographic documentation and written notes, such as:
- Is the device damaged? If yes, document the type of damage.
- Is the device switched on or off at the time of seizure?
- What is the date and time on the device if the device is on?
- If the device is on, what apps are running in the background on the device?
- If the device is on, is the device screen accessible to check for passcode and
The following aspects of device seizure are described below because they affect post-seizure analysis: radio isolation, turning the device off if it is on, remote wipe, and anti-forensics.
Seizing – what and how should we seize?
When it comes to properly acquiring a mobile device, one should keep in mind the many differences between how computers and mobile devices operate. Seizing, handling, storing, and extracting mobile devices should follow a different procedure from the one used for desktop and even laptop computers. Unlike PCs, which are either online or offline (including the energy-saving states of sleep and hibernation), smartphones and tablets use a distinct, always-connected modus operandi. A tremendous amount of activity runs in the background, even while the device is seemingly asleep. Activities can be scheduled or triggered by a large number of events, including push events from online services and events initiated remotely by the user. Another factor to think about when acquiring a mobile device is security. Mobile devices are carried around a lot, and they are designed to be inherently more secure than desktop PCs. Non-removable storage and soldered RAM chips, optional or enforced encryption, remote kill switches, secure lock screens, and locked bootloaders are just a few of the security measures worth mentioning.
Faraday bags: a storage tool for mobile forensics
Faraday bags are used to temporarily store seized devices without powering them down. A Faraday bag blocks wireless connections to cellular networks, Wi-Fi, Bluetooth, satellite navigation, and any other radios employed in mobile devices. Faraday bags are commonly designed to shield the range of radio frequencies used by local cellular carriers and satellite navigation (typically 700-2,600 MHz), as well as the 2.4-5 GHz range used by Wi-Fi networks and Bluetooth. Many Faraday bags are made from specially coated metallic shielding material that blocks a wide range of radio frequencies.
Keeping the device powered on
When handling a seized device, it is essential to prevent the device from powering off. Never powering off a running device is one thing; preventing it from powering down on its own is another. Since mobile devices consume power even while the display is off, the standard practice is to attach the device to a charger and place it into a wireless-blocking Faraday bag. This prevents the mobile device from shutting down once its battery reaches the low-power state.
Modern Faraday bag equipped with a charging port
Why exactly do we need this procedure? The point is that you can extract more information from a device that was used or unlocked at least once after the last boot cycle than from a device that boots up in your laboratory and for which you do not know the passcode. To illustrate the potential outcome, let’s say you seized an iPhone locked with an unknown passcode. The iPhone happens to be jailbroken, so you can attempt to use Elcomsoft iOS Forensic Toolkit to extract data.
If the device is locked and you do not know the passcode, you will have access to only a very limited set of data:
- Recent geolocation information: Since the location database remains encrypted, it is only possible to extract limited location data, and only if the device was unlocked at least once after the boot completed. As a result, if you keep the device powered on, you can pull recent geolocation history from it. If, however, the device shuts down and is only powered on in the laboratory, the geolocation information will stay inaccessible until the device is unlocked.
- Incoming calls (numbers only) and text messages: Incoming text messages are temporarily held unencrypted before the first unlock after a cold boot. Once the device is unlocked for the first time after the cold boot, the messages are transferred into the main encrypted database. This means that acquiring a device that was never unlocked after a cold start only gives access to text messages received by the device during the time it remained locked after the boot.
If the iPhone being acquired was unlocked at least once after it was booted (for example, if the device was seized in a turned-on state), you will be able to access significantly more data. The SMS database is decrypted on first unlock, allowing you to pull all text messages and not just those received while the device remained locked.
- App and system logs (installs and updates, internet access logs, and so on).
- SQLite temp files, as well as write-ahead logs (WAL): These WAL files may include messages received by applications such as Skype, Viber, Facebook Messenger, and so on. Once the device is unlocked, the data is merged into the corresponding apps’ main databases. When extracting a device after a cold boot (never unlocked), you will only have access to notifications received after the boot. If, however, you are extracting a device that was unlocked at least once after booting up, you will be able to extract all messages (depending on the data protection class selected by the developer of a particular application).
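To make the WAL point concrete, here is an added example (not from the original article) in Python: it builds a constructed messages database in SQLite WAL mode, leaves one committed row only in the -wal file, and shows that an acquisition which copies just the main database file misses that row, while one that also collects the -wal sidecar sees it. The table, file and directory names are made up for the demonstration.

```python
import os
import shutil
import sqlite3
import tempfile

def make_wal_database(db_path):
    """Build a constructed WAL-mode messages database; returns the open connection.
    Row 1 is checkpointed into the main file, row 2 is committed but lives only in the
    -wal file (as on a live phone between checkpoints). Closing would checkpoint it."""
    con = sqlite3.connect(db_path)
    con.execute("PRAGMA journal_mode=WAL")
    con.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, sender TEXT, body TEXT)")
    con.execute("INSERT INTO messages (sender, body) VALUES (?, ?)", ("alice", "on my way"))
    con.commit()
    con.execute("PRAGMA wal_checkpoint(FULL)")  # row 1 is now in the main database file
    con.execute("INSERT INTO messages (sender, body) VALUES (?, ?)", ("bob", "landed, call me"))
    con.commit()  # durable, but only inside the -wal file until the next checkpoint
    return con

def count_messages(db_path):
    """Open an acquired copy and count the rows SQLite can actually see."""
    con = sqlite3.connect(db_path)
    try:
        return con.execute("SELECT COUNT(*) FROM messages").fetchone()[0]
    finally:
        con.close()

def acquire_and_compare():
    """Copy the live database two ways; return (rows without -wal, rows with -wal)."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "messages.db")
        live = make_wal_database(src)
        try:
            main_only, with_wal = os.path.join(work, "acq_a"), os.path.join(work, "acq_b")
            os.mkdir(main_only)
            os.mkdir(with_wal)
            # Acquisition A: only the main database file was collected.
            shutil.copy(src, os.path.join(main_only, "messages.db"))
            # Acquisition B: main file plus its -wal sidecar. The -shm index is not
            # needed: SQLite rebuilds it from the WAL frames when the copy is opened.
            shutil.copy(src, os.path.join(with_wal, "messages.db"))
            shutil.copy(src + "-wal", os.path.join(with_wal, "messages.db-wal"))
            return (count_messages(os.path.join(main_only, "messages.db")),
                    count_messages(os.path.join(with_wal, "messages.db")))
        finally:
            live.close()

if __name__ == "__main__":
    print("rows visible without / with the -wal file: %d / %d" % acquire_and_compare())
```

The same applies to any app database pulled from a device: the -wal (and, for rollback-journal databases, the -journal) file must be collected alongside the main file, or recently received messages are silently lost.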
Stage 2: Data Acquisition
This stage refers to the various methods of extracting information from the device. The data extraction methods that can be used are influenced by the following:
- Type of mobile device: The make, model, hardware, software, and vendor configuration.
- Availability of a varied set of hardware and software extraction/analysis tools at the examiner’s disposal: there is no tool that does it all; an examiner needs access to a variety of tools to assist with data extraction.
- Physical state of the device: Has the device been exposed to damage, such as physical damage, water, or biological fluids like blood? Usually the type of damage will dictate the data extraction methods employed on the device.
There are several different kinds of data extraction, which determine how much data is obtained from the device:
- Physical: A binary image of the device has the greatest potential to recover deleted data and obtains the largest amount of information from the device. This can be the most challenging type of extraction to obtain.
- File system: This is a representation of the files and folders from the user area of the device, and may contain deleted data specific to databases. This method yields less information than a physical extraction.
- Logical: This acquires the least amount of data from the device. Examples are call history, messages, contacts, pictures, movies, audio files, and so on. This is often referred to as low-hanging fruit. No deleted data or source files are obtained. Often the resulting output is a series of reports created by the extraction tool. This is usually the simplest and fastest type of extraction.
- Photographic documentation: This method is usually used when all other data extraction methods have been exhausted. In this procedure, the examiner uses a digital camera to photographically document the content displayed by the device. This is a lengthy method when there is an extensive amount of information to photograph.
Stage 3: Data Analysis
This stage of mobile device forensics entails analysis of the information acquired from the device and its components (SIM card and memory card, if present). Most mobile forensic acquisition tools that acquire information from the device memory can also analyze the extracted data and provide the examiner with functionality within the tool to perform analysis. This entails review of any non-deleted and deleted data. When reviewing non-deleted data, it is prudent to additionally perform a manual review of the device to make sure that the extracted and parsed data matches what is displayed by the device. As mobile device storage capacities have increased, it is advised that a limited subset of data records from the relevant areas be reviewed. For example, if a mobile device has over 200 call records, a sample of missed, incoming, and outgoing call records can be checked on the device against the corresponding records in the extracted data. Through this manual review it is possible to find any discrepancies in the extracted data.
Manual device review can only be completed while the device remains in the custody of the examiner. There are situations where, once the data extraction has been completed, the device is released back to the investigator or owner. In such situations, the examiner should document that very limited or no manual verification could be performed due to these circumstances. Finally, the reader should be keenly aware that more than one analysis tool can be used to analyze the acquired information. Multiple analysis tools should be considered, particularly when a specific form of data cannot be parsed by a single tool.
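As an added illustration of the manual cross-check described above (example code, not the article’s own procedure), this Python snippet samples parsed call records by call type and compares them with what the examiner read off the device screen, normalizing number formatting and converting the tool’s UTC timestamps to the device’s local time so that only real discrepancies are reported. The field names, the UTC-5 offset, and the records themselves are constructed assumptions.

```python
import random
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed parsed call records as a tool export might look (hypothetical fields, UTC times).
PARSED_CALLS = [
    {"id": 1, "number": "+15551234567", "type": "incoming", "time_utc": "2023-03-10T14:05:00"},
    {"id": 2, "number": "+15551112222", "type": "missed", "time_utc": "2023-03-11T02:15:00"},
    {"id": 3, "number": "+15553334444", "type": "missed", "time_utc": "2023-03-11T03:00:00"},
]
# Constructed notes from the examiner's manual review of the same records on the device screen,
# which shows local time (UTC-5 assumed) and formatted numbers; record 3's last digit differs.
DEVICE_VIEW = {
    1: {"number": "(555) 123-4567", "type": "incoming", "time_local": "2023-03-10 09:05"},
    2: {"number": "(555) 111-2222", "type": "missed", "time_local": "2023-03-10 21:15"},
    3: {"number": "(555) 333-4445", "type": "missed", "time_local": "2023-03-10 22:00"},
}

def sample_by_type(records, per_type, seed=0):
    """Pick up to per_type records of each call type (missed/incoming/outgoing) to verify."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec["type"]].append(rec)
    rng = random.Random(seed)  # fixed seed so the chosen sample can be documented and repeated
    return [rec for kind in sorted(groups)
            for rec in rng.sample(groups[kind], min(per_type, len(groups[kind])))]

def normalize_number(number):
    """Keep digits only so '+1555...' and '(555) ...' compare equal (assumes one country code)."""
    return "".join(ch for ch in number if ch.isdigit())[-10:]

def utc_to_device_local(iso_utc, utc_offset_hours):
    """Convert the tool's UTC timestamp to the local time the device screen shows."""
    dt = datetime.fromisoformat(iso_utc).replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone(timedelta(hours=utc_offset_hours))).strftime("%Y-%m-%d %H:%M")

def find_discrepancies(sample, device_view, utc_offset_hours):
    """Return (record id, field, parsed value, device value) for every real mismatch."""
    issues = []
    for rec in sample:
        seen = device_view.get(rec["id"])
        if seen is None:
            issues.append((rec["id"], "record", "in extraction", "not found on device"))
            continue
        checks = [("number", normalize_number(rec["number"]), normalize_number(seen["number"])),
                  ("type", rec["type"], seen["type"]),
                  ("time", utc_to_device_local(rec["time_utc"], utc_offset_hours), seen["time_local"])]
        issues.extend((rec["id"], field, parsed, shown) for field, parsed, shown in checks if parsed != shown)
    return issues
```

Without the time-zone and number normalization, every record would be flagged, burying the one genuine discrepancy (record 3) that warrants a note in the examiner’s report.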