Mobile forensics
Digital forensics is a branch of forensic science focusing on the recovery and investigation of raw data residing in electronic or digital devices. Mobile forensics is a branch of digital forensics related to the recovery of digital evidence from mobile devices. "Forensically sound" is a term used extensively in the digital forensics community to qualify and justify the use of a particular forensic technology or methodology. The main principle for a sound forensic examination of digital evidence is that the original evidence must not be modified. This is extremely difficult with mobile devices. Some forensic tools require a communication vector with the mobile device, thus standard write protection will not work during forensic acquisition. Other forensic acquisition methods may involve removing a chip or installing a bootloader on the mobile device prior to extracting data for forensic examination. In cases where the examination or data acquisition is not possible without changing the configuration of the device, the procedure and the changes must be tested, validated, and documented. Following proper methodology and guidelines is crucial in examining mobile devices as it yields the most valuable data. As with any evidence gathering, not following the proper procedure during the examination can result in loss or damage of evidence or render it inadmissible in court.
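The forensic-soundness principle above boils down to two records: proof that the acquired image has not changed since acquisition, and a documented list of every change the examiner was forced to make to the device. The following is an added example (not code from the book) of such an integrity record; the image bytes and the examiner identifier are constructed placeholders.

```python
"""Integrity record for a forensic acquisition (added example, not from the book).

Hashes an acquired image with two algorithms, stores the hashes together with
the documented deviations made to the device (flight mode, bootloader, ...),
and later verifies that the image is still bit-for-bit identical.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample "image" standing in for a real acquisition file.
SAMPLE_IMAGE = bytes(range(256)) * 64


def hash_image(data: bytes) -> dict:
    """Return MD5 and SHA-256 of the image. Two algorithms are recorded so a
    weakness in one does not silently hide a modification."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def create_record(data: bytes, examiner: str, documented_changes: list) -> dict:
    """Build the acquisition record: hashes, size, UTC timestamp and every
    change made to the device so the deviation from 'unmodified' is documented."""
    return {"examiner": examiner,
            "acquired_utc": datetime.now(timezone.utc).isoformat(),
            "size_bytes": len(data),
            "hashes": hash_image(data),
            "documented_changes": list(documented_changes)}


def verify_image(data: bytes, record: dict) -> list:
    """Re-hash the image and return the list of mismatches (empty means intact)."""
    problems = []
    if len(data) != record["size_bytes"]:
        problems.append("size")
    current = hash_image(data)
    for algo, expected in record["hashes"].items():
        if current[algo] != expected:
            problems.append(algo)
    return problems


if __name__ == "__main__":
    rec = create_record(SAMPLE_IMAGE, "examiner-01",  # placeholder examiner id
                        ["flight mode enabled at seizure",
                         "bootloader installed for acquisition"])
    print(json.dumps(rec, indent=2))
    tampered = bytearray(SAMPLE_IMAGE)
    tampered[100] ^= 0x01  # flip one bit to show detection
    print("intact:", verify_image(SAMPLE_IMAGE, rec))          # []
    print("tampered:", verify_image(bytes(tampered), rec))     # ['md5', 'sha256']
```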
The mobile forensics process is broken into three main categories: seizure, acquisition, and examination/analysis. Forensic examiners face several challenges when seizing a mobile device as a source of evidence. At the crime scene, if the mobile device is found switched off, the examiner should place the device in a faraday bag to prevent changes should the device automatically power on. Faraday bags are specifically designed to isolate the phone from the network. If the phone is found switched on, switching it off raises a number of concerns. If the phone is locked by a PIN or password, or is encrypted, the examiner will be required to bypass the lock or determine the PIN to access the device.
Mobile phones are networked devices and can send and receive data through different sources, such as telecommunication systems, Wi-Fi access points, and Bluetooth. So if the phone is in a running state, a criminal can securely erase the data stored on the phone by executing a remote wipe command. When a phone is switched on, it should be placed in a faraday bag. If possible, prior to placing the mobile device in the faraday bag, disconnect it from the network to protect the evidence by enabling flight mode and disabling all network connections (Wi-Fi, GPS, hotspots, and so on). This also preserves the battery, which would otherwise drain while the device is in the faraday bag, and protects against leaks in the faraday bag. Once the mobile device is seized properly, the examiner may need several forensic tools to acquire and analyze the data stored on the phone.