Chapter 19: Forensics Readiness with Mobile Devices

Introduction

As discussed previously in this book, the concept of digital forensics readiness is focused primarily on reducing costs and minimizing business interruptions when performing investigations. From significant technology advancements made over the last decade, business has transformed into a much more dynamic and mobile workforce.

Since its inception, the world of mobile technologies has evolved quickly where new devices, operating systems, and threats are emerging every day. With mobile devices, achieving a state of digital forensics readiness is important because of the dynamic and portable nature by which these devices are used to interconnect and interface both business and personal information.

Mobile devices present unique challenges to an organization’s digital forensics capabilities because of how quickly these technologies are changing and the shifting of traditional concepts, such as establishing a perimeter around systems and data. This leads to the inherent challenge of maintaining best practices for mobile device usage while continuing to enable digital forensics capabilities.

Brief History of Mobile Devices

Possibly the first documented existence of a mobile phone was a device released by Motorola in the early 1970s. Being the 1970s, these mobile devices were quite basic in that they only provided users with simple telephony features and did not support the multi-purpose “smartphone” features that are currently available in today’s marketplace. And, to users’ delight, these devices only allowed for thirty minutes of talk time and took around ten hours to charge.

Moving forward to 1983, the first mobile phone was released with the intended audience being business users who could afford them, not the everyday consumer. In the early 1990s, manufacturers started to change the design and portability of mobile phones to draw the attention of consumers so that, by the late-1990s, these devices started to become commonplace. However, mobile phones were still limited to simple telephony features and did not offer much to the digital forensics community in terms of gathering or processing digital evidence. Early efforts to examine mobile devices involved analyzing content directly via the display screen and photographing important content.

1999 saw a major advancement for mobile devices when the first Blackberry handset was released, providing consumers with more features than simple telephony, such as email and messaging. This technology was a breakthrough that established a foundation for future mobile devices that would be released through into the early-2000s. By this time, not only could these mobile devices be used to make telephone calls, but they could contain email, web browsing information, location data, contacts, and messaging records. It was during this time that organizations started to pay attention to the mobile device market and began leveraging them to provide their workforce with the flexibility of shifting between personal and work use from anywhere at any time.

Now that mobile devices were blurring the lines between business and personal use, these devices started to be used as part of criminal activities and the digital forensics community recognized the potential for digital evidence to exist in these technologies. As the number of mobile devices began to increase, it was quickly discovered that gathering and processing digital evidence from these devices could not be done using existing methodologies and techniques. At first, like the early days of computer forensics, digital forensics practitioners used common system administration tools, such as synchronization tools, to gather and process electronically stored information (ESI). Following suit, commercial solutions providing mobile forensics capabilities started emerging which allowed digital forensics practitioners to consistently apply the same methodologies and technique to gathering and processing digital evidence from mobile devices.

Perhaps the most significant advancement in mobile device technology came in 2008 when Apple released the iPhone, a momentous evolution that changed the face of the mobile device marketplace forever. Not only did this device provide consumers with the features found in early “smart” devices, but the iPhone’s expanded capability that allowed users to install and use applications of all sorts meant that ESI could move beyond the commonly referenced evidence sources, such as phone logs, email messages, and instant messaging records.

When organizations came to the realization that their data could be—and most likely was already being—accessed and stored on mobile devices that they (potentially) had little to no control over, manufacturers and vendors capitalized on the opportunity and mobile device management (MDM) solutions were brought to market. Since 2008, other manufacturers have released their own versions of mobile devices that also provide organizations with challenges related to controlling how, when, why, with whom, and under what circumstance their data can(not) be used on mobile devices.

Challenges with Mobile Devices

Before mobile devices became a technology for conducting business, there was a definitive perimeter around an organization’s networks and systems, and security best practices and methodologies were traditionally applied within this boundary. However, knowing that today’s workforce is increasingly mobile, organizations must accept the reality that it is commonplace for mobile devices to allow for multiple connections to different networks simultaneously. This means that the idea that there was once a logical perimeter that protected corporate networks and systems from outsiders has eroded, introducing a certain level of unknown hostility into what was previously a controlled and managed environment.

Furthermore, with a workforce that is always connected from any place at any time, it is quite common for mobile devices to be used for both personal and business purposes. Staying ahead of the curve in an ever-evolving landscape, the digital forensics community is constantly faced with challenges of gathering and processing evidence from all sorts of technology.

Loss

With some exception, most mobile devices have smaller form factors, making them more prone to being lost. The probability of losing a mobile device—as compared to a traditional computer system—is higher considering how easy it is for these small devices to accidentally slide out of a pocket or unintentionally be left somewhere.

When lost, mobile devices are like ticking time bombs until they have been wiped or deactivated to mitigate any risk of other persons accessing applications and data on the device. Fortunately, most mobile device manufacturers and vendors provide capabilities to locate and deactivate their technologies, but this is still essentially a race to the finish line in terms of who gets access to the device first. Within an enterprise environment, there are solutions that allow for remote management of mobile devices, a topic that is discussed later in this chapter.

Theft

Mobile devices have quite an appeal about them because of their popularity amongst consumers and the potential resale value they have. Understandably, there are people who wouldn’t think twice about getting their hands on your device if you turn your head for a minute or happen to misplace it.

As with a lost device, a stolen device is like a landmine in the hands of the wrong person, and it’s a race to have the device wiped or deactivated to mitigate the potential for unauthorized access to the device and its content. As stated above, most mobile device manufacturers and vendors provide capabilities to locate and deactivate their technologies, and third-party solutions are available to organizations.

Replacement

Mobile devices are constantly in a state of technology advancement. Because of this, these technologies are frequently being upgraded because newer technologies are released with new features and capabilities which come with a certain appeal. When this happens, there can be times when standard operating procedures (SOP) are not followed, resulting in the old mobile devices not being wiped or deactivated. Much like being lost or stolen, until the potential for unauthorized access to the organization’s data and applications on the device has been mitigated, in the wrong hands this can lead to data loss or exposure.

Local Storage

One technology advancement made with mobile devices was to allow for increased storage capacity that rivaled that of traditional computer systems. The expanded storage on these devices presents a growing possibility for an organization’s—confidential or sensitive—data to persist beyond the scope of control an organization commonly employs. An organization’s capability to manage data when in use, in transit, or at rest is essential in mitigating data loss or exposure when these devices have been lost or stolen, or are being replaced.

Cloud Storage

Realistically, the local storage capacity available on mobile devices is limited. Alternatively, mobile device manufacturers and vendors have turned to cloud computing as a means of addressing storage capacity limitations because of the ways in which the cloud environment can quickly increase to accommodate growing volumes of information, and be readily accessible to users across multiple device types. Unsurprisingly, this creates increased concerns about data security when it is further beyond the scope of an organization’s control.

Encryption

Perhaps the biggest desire of any digital forensics practitioner when encountering a mobile device is that it has no passcode. However, after the National Security Agency (NSA) breach in 2013, mobile device manufacturers and vendors implemented stronger and more stringent encryption standards that rendered most bypass techniques obsolete. Subsequently, using digital forensics technologies to gather and process digital evidence became more difficult.

Within an enterprise environment, there are third-party solutions available that allow for remote management of mobile devices so that organizations can remotely reset the passcodes to allow digital forensics practitioner access. However, it is important to note that performing a remote passcode change can result in potential evidence on the mobile device being modified, deleted, or lost and should be done with caution and performed only by knowledgeable individuals with direct supervision of the digital forensics practitioner.

“Burner” Phones

The term “burner” refers to a low-cost mobile device that is either used for a short time or for a specific purpose and is then disposed of. For the most part, the data ports present on these devices are disabled and they do not come with application programming interface (API) support, both of which are required for digital forensics technologies to gather and process digital evidence.

Burners are extremely troublesome for the digital forensics community because there is almost no potential for accessing the content on these devices. The only option that exists is using advanced techniques such as the following:

•  Joint Test Action Group (JTAG) analysis is the common name given to the technique of connecting to the standard test access port (TAP) on a mobile device and instructing the processor to transfer raw data. Using this technique requires both a high level of knowledge and training as well as specialized equipment, which makes it somewhat of a difficult and time-consuming technique to gather and process digital evidence from mobile devices. This technique has been standardized as the Institute of Electrical and Electronics Engineers (IEEE) 1149.1 Standard Test Access Port and Boundary-Scan Architecture.

•  Chip-off analysis involves physically removing the flash memory chip(s) from a mobile device and gathering raw data using specialized equipment. While this technique allows digital forensics practitioners to gather a complete physical image of a mobile device, it is destructive and can render the device inoperable. Much like the JTAG technique above, chip-off analysis also requires a high level of knowledge and training that makes it a difficult and time-consuming technique.

Refer to Chapter 3, “Digital Evidence Management,” for further discussion about data-centric security.

Refer to Chapter 18, “Forensics Readiness in Cloud Environments,” for further details about enabling proactive digital forensics capabilities within cloud computing environments.

Forensics Readiness Methodology

Following traditional methodologies, as illustrated in Figure 19.1 and discussed further in Chapter 2, “Investigative Process Methodology,” digital forensics investigations normally follow an approach whereby evidence is searched for (identified), seized (collected and preserved), and analyzed (processed). However, traditional investigative methodologies were not designed with mobile devices in mind and, given the dynamic nature and portability of these devices, following this traditional approach to digital forensics investigations may not be suitable.

Thus, organizations need to optimize their investigative process by taking proactive steps to guarantee that evidence will be readily available if (and when) needed from mobile devices. Throughout the sections below, each step outlined for implementing digital forensics readiness will be discussed as it relates to improving investigative capabilities with mobile devices.

As a reference, several publications on the technical execution of mobile device forensics have been provided in the Resources chapter at the end of this book.

Step #1: Define Business Risk Scenarios

Digital forensics investigations of mobile devices require organizations to follow a proactive approach whereby controls and measures have been implemented to guarantee digital evidence will be available if (and when) needed.

Figure 19.1 High-level digital forensics process model.

Regardless of how an organization decides to enable mobile devices for enterprise use, the business risk scenarios where digital forensics readiness demonstrates positive benefits are similar, including:

1.  Reducing the impact of cybercrime

2.  Validating the impact of cybercrime

3.  Producing evidence to support organizational disciplinary issues

4.  Demonstrating compliance with regulatory or legal requirements

5.  Effectively managing the release of court-ordered data

6.  Supporting contractual and commercial agreements

Rather than assuming the use of mobile devices will limit the span of business risk scenarios, it is recommended to ensure all six scenarios are included right from the outset of enabling mobile device technologies. By doing so, organizations will have established a wide scope of risk that allows them to be better positioned for focusing on specifics, rather than establishing a narrow scope and having to expand it after having identified missed evidence.

Refer to Chapter 7, “Defining Business Risk Scenarios,” for further discussion on the six business risk scenarios as they apply to digital forensics readiness.

Step #2: Identify Potential Data Sources

Mobile devices contain types of ESI that are similar to ESI found on other devices and that can be used as potential digital evidence. Primarily, evidence sources from mobile devices are extracted from contact data, call data, text messaging, multimedia, application-related logs, and OS information. Additionally, the following are examples of other data sources where digital evidence can be found on mobile devices:

•  SIM data objects:

   •  Service provider name (SPN)

   •  Integrated circuit card identifier (ICCID)

   •  Location information (LOCI)

   •  Short message service (SMS)

   •  General packet radio service (GPRS)

•  Internal memory data objects:

   •  International mobile equipment identifier (IMEI)

   •  Personal information management (PIM) data (e.g., address book, calendar entries, to-do list, memos)

   •  Call logs

   •  SMS text messages

   •  Electronic mail

   •  Web browsing information

   •  Unstructured documents (e.g., word processing)

   •  Multimedia content (i.e., images, videos, graphics)

Like traditional computer systems, the order of volatility, as discussed in Chapter 2, “Investigative Process Methodology,” also applies to mobile devices. Therefore, it is important that gathering volatile evidence from mobile devices follows the same methodology as for traditional computer systems. For example, in today’s smartphones there can be three types of memory storage used:

•  NAND flash memory is non-volatile and offers higher storage capacity but is less stable and only allows for sequential access to data. Types of data located in NAND memory include:

   •  PIM data

   •  Multimedia (video, audio, images)

   •  User files

•  NOR flash memory is non-volatile and has faster read times but slower write times than NAND, and this memory is nearly immune to data corruption. Types of data located in NOR memory include:

   •  Operating system (OS) code

   •  Kernel and device drivers

   •  OS and user application execution instructions

•  Random access memory (RAM) is volatile and typically used to temporarily store program execution data. Types of data located in RAM include:

   •  OS and user credentials (usernames and passcodes)

   •  OS and application configuration files

It is important to remember that with every mobile device there are different features, capabilities, applications, etc. available which determine the nature to which potential digital evidence will exist. Having completed preliminary work to prepare for mobile device examination, consideration should be given to prioritizing the order in which tools will be used to process digital evidence. In doing so, digital forensics practitioners will benefit by applying a consistent and repeatable methodology to their investigative technique.

Also, depending on the device management methodology used, such as COBO or CYOD, the scope of potential data sources for digital evidence can vary. For example, where mobile devices are personally owned by a person (BYOD), the ability to gather and process potential evidence is challenging because the organization does not own the device and is not legally entitled to seize it—without the involvement of law enforcement—to facilitate investigations.

Step #3: Determine Collection Requirements

With mobile devices, gathering and processing evidence is not as straightforward as it is with ESI located within an organization’s traditional computer systems and technologies. For example, a common challenge occurs when the organization’s mobile device management strategy permits employees to use their personal devices (i.e., BYOD). This introduces a potential “grey area” in which the boundary between what is reasonable in terms of personal privacy and what the organization’s rights are over business versus personal use can be complicated.

Understandably, BYOD is becoming a top strategy of many organizations because of the financial and operational benefits it provides. However, BYOD gets complicated when digital evidence from a mobile device (belonging to the employee) needs to be gathered and processed for an investigation. Generally, the organization does not legally own the mobile device and cannot seize it as it would any other technology considered its property (e.g., laptop, desktop). In this case, the organization must request permission to access any information that falls outside of the scope of business-enabled data, which in some instances could require the involvement of law enforcement.

Enterprise Management Strategies

Even if a mobile device is personally owned, the organization’s data is still being accessed and potentially stored on it. The reality is that many organizations still struggle to define how, when, why, with whom, and under what circumstance mobile devices access and use their data. Also, there are some organizations that are not adequately equipped to ensure that when an incident happens, they have the capabilities to gather and process digital evidence.

Organizations providing their employees with the flexibility of conducting business using mobile devices must have strategies in place to manage not only the device and business content, but also the expectations of the employees in terms of usage. Developing and implementing a mobile device management strategy is a topic unto itself that requires organizations to have a strong understanding of the administrative, technical, and physical requirements that make it successful. The intention of this section is not to provide readers with a comprehensive guide so that they go and implement a mobile device management strategy; rather this chapter is designed to provide readers with the components of mobile device management that should be generally known to digital forensics practitioners.

Mobile Device Governance

Before digital forensics capabilities can be realized, there needs to be approved documentation that establishes the requirements for (un)acceptable use of mobile devices to securely access corporate networks and data. Combined with the documentation created via the organization’s overall enterprise governance framework, standard operating procedures (SOP) are the backbone for performing digital forensics on mobile devices.

Acceptable Use Policy (AUP)

As mobile devices continue to become more prominent as the technology of choice for an ever-growing mobile workforce, authorized (and unauthorized) use to conduct business continues to expand. Following the same approach of establishing governance for compliance purposes, best practices call for the same establishment and enforcement of formalized policies to minimize business risk and maximize compliance.

Not considering size, geographic location, or industry, all organizations need to enforce an AUP that governs the use of mobile devices to conduct business on their behalf. Regardless of whether a mobile device is personally or corporately owned, it is being used to access and store the organization’s data and as such must comply with the requirements set forth in the AUP.

If there are no rules in place, employees will not have a clear understanding of what the organization deems acceptable, which could result in activities such as transmitting confidential customer data that violate specific laws or regulations. Given the potential risk that exists for both acceptable and unacceptable use of mobile devices, it is essential that organizations formally establish and enforce an AUP that defines how, when, why, with whom, and under what circumstance employees can—and cannot—use mobile devices.

User Acknowledgment and Agreement

As a supplement to the AUP, and as part of the onboarding process before employees are permitted to use mobile devices for business purposes, they must be required to sign an agreement that acknowledges their responsibilities for doing so.

Generally, the purpose of these documents is to set forth the terms and conditions by which organizations make available, to their employees, information technology (IT) resources that have been deemed authorized. These IT resources may include software, networks, email services, and data storage capabilities accessible using mobile devices that have met the required security and configuration standards. It is important for employees to understand that their use of mobile devices for business purposes is a privilege, not a right, and that their acknowledgement makes them responsible for the following terms and conditions found in these agreements:

•  Abide by all organizational policies, standards, and guidelines relating to IT.

•  Agree to have mobile device security and configuration settings pushed to their mobile device(s).

•  Make appropriate backups of personal information to mitigate loss of information should the device be lost, stolen, or replaced.

•  Do not make backups of any data belonging to the organization on any storage medium that has not been authorized for use.

•  Allow the organization to wipe the device at its discretion for the purposes of securing data belonging to the organization.

•  Report the device lost or stolen immediately to the organization’s IT support helpdesk.

Also, it must be clearly defined that employees’ failure to follow these terms and conditions will be handled as a disciplinary matter, with consequences such as:

•  Suspension, blocking, or restriction of access to the organization’s IT resources

•  Financial liability for costs incurred due to data breach, loss, or illegal disclosure

Security and Configuration Standards

As discussed in Chapter 5, “Digital Forensics as a Business,” standards support policies by defining the baseline that must be met to satisfy applicable policy requirements. When it comes to mobile devices, these standards can be used to establish a minimum level of configuration or specification that must be achieved to stay within the boundaries of acceptable action, behavior, or communication when using mobile devices.

See Table 19.1 for examples of recommended safeguards and controls for mobile devices, both personally and corporately owned, that can help organizations establish baseline security and configuration standards.

Device Management Methodologies

Generally, there are four approaches organizations can follow when deciding what level of freedom they will allow their employees to have when using mobile devices for business purposes, including corporate-owned business only (COBO), corporate-owned personally enabled (COPE), bring your own device (BYOD), and choose your own device (CYOD). Each of these deployment models comes with its own benefits and drawbacks with respect to enabling digital forensics capabilities.

Table 19.1 Safeguards and Controls for Mobile Devices

Required Controls (Minimum Level)

Recommended Controls

Mobile Device Management (MDM): Third-party solutions that enforce configuration and security policies. Refer to the section below for additional details.

Mobile Application Management (MAM): Third-party solutions that control the installation and execution of applications. Refer to the section below for additional details.

Encryption: Implemented to maintain confidentiality of data at rest, in transit, and in use. Commonly enforced through third-party MDM solutions.

Data Loss Prevention (DLP): Monitors, filters, and protects against the loss or exposure of data at rest, in transit, and in use. Availability of these solutions depends on the capabilities supported by different types of devices.

Virtual Private Networking (VPN): Establishes secure communication channels for transmitting data. Commonly applied on an application-by-application basis through third-party MDM solutions.

Network Access Control (NAC): Permits only trusted and authorized devices to gain access to networks, systems, applications, and data. Availability of these solutions depends on the capabilities supported by different types of devices.

Authentication: Enforcement of acceptable passcodes to mitigate unauthorized access. Commonly enforced through third-party MDM solutions.

Multi-Factor Authentication (MFA): Use of two or more types of authentication mechanisms (i.e., passcode, biometric, token) to access devices.

Anti-Malware: Restricts known malicious applications from being installed or executed. Availability of these solutions depends on the capabilities supported by different types of devices.

Application Whitelisting: Permits only known, trusted, and authorized applications to be installed or executed. Some mobile device manufacturers and vendors natively provide this capability. Otherwise, availability of these solutions depends on the capabilities supported by different types of devices.

Remote Wipe: Permits remote wiping or resetting of devices to mitigate data loss or exposure if the device has been lost, stolen, or replaced. Commonly enforced through third-party MDM solutions.

Compliance Monitoring: Supervising usage trends, device configurations, and the user’s overall compliance with the organization’s governance framework. This information can be used to facilitate investigative capabilities. Refer to the section below for additional details.

Audit Logs: Provide information to facilitate investigative capabilities. Refer to the section below for additional details.

Web Browsing: Filtering of Internet browsing activity through dynamic content analysis. Use of a proxy server is commonly enforced through third-party MDM solutions.

•  Corporate-owned, business only (COBO) is one of the traditional methods of mobile device deployment where organizations choose and pay for the device then apply their most restrictive security policies. Essentially, mobile devices provisioned following COBO are limited to business use only and do not permit any personal use. In the digital forensics community, COBO is the preferred model because it eliminates the potential for interactions between personal and business activities, thus reducing the scope of digital evidence to sources under control by the organization.

•  Corporate-owned, personally enabled (COPE) is where employees are supplied with mobile devices, chosen and paid for by the organization, but can also use these devices for personal activities. Under this model, organizations control how much freedom employees have in terms of what actions, behaviors, or communications they can perform. With COPE, this means digital forensics practitioners have a broader scope of potential digital evidence at their disposal—in comparison to COBO—as well as increased concerns over privacy related to what visibility they have into the employee’s “personally enabled” components.

•  Bring your own device (BYOD) is where employees are granted full responsibility for choosing and supporting the mobile device they use because it is their personal device. While this model is most popular in small and medium business environments, largely because of the cost savings, more enterprise environments are exploring it as an option because it reduces the technology overhead and expenditures associated with lost, stolen, or replaced devices. Even though BYOD is considered a way of pleasing employees, because they get to use their device of choice, it can become a disaster because of the extent to which there is no control over security, reliability, or compatibility with the organization. In terms of digital forensics, BYOD further complicates gathering and processing potential digital evidence because the organization does not own the device and is not legally entitled to seize it—without the involvement of law enforcement—to facilitate investigations.

•  Choose your own device (CYOD) provides organizations with a solution in terms of getting the best of both COPE and BYOD. With this model, employees are offered a suite of technology choices but the organization retains control over security, reliability, and durability. This means that organizations maintain a list of pre-approved mobile devices and do not have to deal with variability while still allowing employees to have some degree of flexibility and privacy. For digital forensics practitioners, depending on the restriction enforced by the organization, there is potential for this flexibility to allow “personally enabled” components to be available and a broad scope of digital evidence along with complications over privacy.

Within the enterprise governance framework, there needs to be a series of documents that specifically addresses mobile device use and access with respect to the organization’s network, systems, and data. These documents provide the organization with a foundation for planning the eventual implementation of mobile device management capabilities, guidelines for user behavior and conduct, as well as a driver for enabling digital forensics capabilities. Detailed discussion about digital forensics processes, procedures, and how an organization’s enterprise governance framework complements digital forensics can be found in Chapter 5, “Digital Forensics as a Business.”

Step #4: Establish Legal Admissibility

As with all digital evidence, maintaining authenticity and integrity is essential to guaranteeing a forensically sound and legally admissible investigation. Largely, the tools and equipment used to investigate mobile devices provide capabilities to generate, validate, and verify the authenticity and integrity of evidence using a one-way cryptographic hash algorithm.

Generally, electronic evidence has been legally admissible based on the inherent reliability of computer systems, such as under U.S. Federal Rules of Evidence (FRE) section 901(a). With mobile devices, however, digital evidence is quite different from that of traditional computer systems: substantial amounts of information are created and transmitted through a variety of devices (e.g., laptops, smartphones, tablets) so quickly and, in many cases, without verification of who did so.

Although the legal requirement for establishing the admissibility of evidence is well-established, the widespread use of mobile devices has created challenges in legal proceedings because most judicial systems have yet to decide how to authenticate ESI under current rules and procedures. Ultimately, the admissibility of mobile forensics evidence comes down to the ability to guarantee that the digital forensics practitioner has used a forensically sound and scientifically proven methodology that encompasses the following:

•  Forensics tools and equipment are verified and validated to be forensically sound.

•  Processes followed can be repeated by objective parties.

•  Integrity and authenticity of evidence can be demonstrated through the creation and validation of one-way cryptographic hash values.

For further discussion about validation and verifying the tools and equipment used to gather and process digital evidence, refer to Addendum A, “Tool and Equipment Validation Program.”

Step #5: Establish Secure Storage and Handling

Generally, the same forensics principles that apply to traditional computer systems also apply to mobile devices to guarantee the authenticity and integrity of potential evidence. However, with mobile devices, it is important to remember that some devices can receive data through wireless networks, which can introduce new evidence and tamper with, destroy, or alter existing evidence.

As discussed in Chapter 1, “Understanding Digital Forensics,” the purpose of a forensically sound process is to document that evidence is what practitioners claim it to be and that it has not been altered or replaced since its collection. The same requirement for establishing the meaningfulness, relevancy, and legal admissibility of digital evidence applies for mobile devices; however, given the use of cellular hardware with this technology, there are additional activities and tasks that need to be performed.

As a best practice, when an inactive mobile device is encountered at a crime scene, meaning that it is powered off, it is important that it be left powered off and seized following documented SOPs. All associated cables and media, such as subscriber identity module (SIM) cards or secure digital (SD) cards, must also be seized with the mobile device.

Alternatively, when encountering an active mobile device at a crime scene, meaning that it is still powered on, it is important to take the necessary steps to isolate the device from other devices and technologies to mitigate the potential for digital evidence to be contaminated. As a best practice, digital forensics practitioners can use the following three basic methods for isolating mobile devices that are active:

•  Place the device in airplane mode. This method requires interaction with the mobile device’s keyboard, which poses a risk: if the individual is not familiar with the device, or the device has been pre-configured with a logic bomb, the result can be contamination or loss of digital evidence. It is important to note that with some devices, enabling airplane mode does not disable all cellular communications (e.g., Global Positioning System [GPS]).

•  Turn the device off. This method may also require interaction with the mobile device’s keyboard and can activate authentication mechanisms (e.g., passcodes) to gain access later. In addition to risks that are similar to those posed to digital evidence, this method introduces complications and delays when it comes to acquiring and processing evidence from the mobile device.

•  Keep the device on. This method does not require interaction with the mobile device but does require consideration of the need to prolong battery life. With this method, mobile devices are placed in a Faraday bag to reduce cellular and wireless communications. It is important to note that Faraday bags do not completely eliminate the potential for cellular and wireless communications to occur. Also, if the Faraday bag is not properly sealed, mobile devices may unknowingly be allowed to access cellular or wireless networks. Several techniques exist to support this method and can be found in the Resources chapter at the end of this book.

Step #6: Enable Targeted Monitoring

Because mobile devices are portable, organizations cannot always guarantee the level of security will be equivalent to the security of those technologies that have connections that are hard-wired to their controlled network environment(s). Therefore, to ensure that both background and foreground evidence on mobile devices is available if (or when) needed, as discussed further in Chapter 3, “Digital Evidence Management,” organizations need to employ a strategy that follows a defense-in-depth methodology.

Depending on which device management methodology is used, there will be varying degrees of monitoring that can be enforced on a mobile device. For example, COBO implementations provide organizations with the authority necessary to enforce monitoring on any combination of device or application components, in addition to user activity, of the mobile devices. However, BYOD implementations introduce a level of complexity because there are boundaries around what an organization can and cannot legally monitor, as these devices are not their assets.

As illustrated previously in Table 19.1, examples of recommended safeguards and controls for mobile devices, both personally and corporately owned, can help organizations establish a baseline of security and configuration standards. Additionally, the following are examples of software-based solutions that can be implemented to enhance targeted monitoring with mobile device management capabilities:

•  Mobile device management (MDM), sometimes referred to as mobile security management (MSM), is designed to manage a mobile device, or a segregated part of it, by enforcing security and configuration policies. Generally, these solutions don’t increase the security of a mobile device, but instead facilitate security with device-level controls by allowing organizations to determine what amount of control they want to enforce. Examples of settings and configurations that can be applied include the following:

    •  Security settings are made to improve device-level security that helps to mitigate unauthorized access (e.g., passcode specifications).

    •  Encryption settings are made to require the use of encryption standards to mitigate exposure or loss of data when in use, in transit, or at rest.

    •  Malware settings are made to restrict known malicious applications from being installed or executed. The availability of these solutions depends on supported capabilities on different types of devices (i.e., Android, iOS, Windows).

    •  System settings are made to control specific features available throughout the operating system (e.g., screen capture, user account control).

    •  Cloud settings are made to restrict the use and transmission of data within a cloud computing environment.

    •  Email settings are made to control the transmission and use of email-based resources.

    •  Application settings are made to enforce the feature availability of native system applications (e.g., web browser, application store).

    •  Device capability settings are made to enforce the feature availability of device-level components (e.g., camera, Bluetooth).

•  Mobile application management (MAM) is designed to provision, secure, and manage the access and actions of mobile applications rather than the entire device. Generally, while MAM solutions can be bundled together as a complementary capability to MDM solutions, they are used where organizations are exploring more flexibility and a relaxed approach to mobile device management. MAM solutions provide organizations with a way of getting a handle on which applications are being installed and run on the mobile devices that use and access their corporate networks and resources. However, MAM solutions don’t provide the same level of security offered through MDM solutions, which allow organizations to lock down or limit features or capabilities of actual mobile devices.

•  Mobile content management (MCM) is designed to securely grant and manage access to and use of data through the enforcement of multi-factor authentication, authorization, and access controls, such as usernames, passcodes, internet protocol (IP) addresses, or tokens. MCM focuses primarily on securing corporate data without placing restrictions on the mobile device or applications. These solutions differ from MDM and MAM in that a single, specific application is delivered to mobile devices and functions as a “container” to securely grant and manage access to and use of data. While MCM solutions are perhaps the least intrusive form of mobile device management capability, because they don’t impose any device or application restrictions, they follow a data-centric security model that enforces elevated levels of protection for the organization’s data.

Refer to Chapter 3, “Digital Evidence Management,” for further discussion about data-centric security.
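The ownership model decides which of the settings above an organization can actually enforce and monitor: a device it owns (COBO, COPE, CYOD) can be held to device-level controls, while on a BYOD device only the managed applications or data container are within its reach. The following is an added example, not code from the book or from any MDM product, that evaluates constructed device-posture records (the kind an MDM inventory reports) against a baseline drawn from the setting categories in this step. The control names, expected values, and the rule that BYOD devices are checked only at application scope are assumptions made for the example.

```python
# Baseline drawn from the setting categories in the chapter.
# control: (category, scope, expected value). Names and values are assumptions
# made for this example, not keys of any real MDM product.
BASELINE = {
    "passcode_min_length":          ("security",          "device",      6),
    "storage_encrypted":            ("encryption",        "device",      True),
    "unknown_sources_blocked":      ("malware",           "device",      True),
    "screen_capture_blocked":       ("system",            "device",      True),
    "camera_blocked":               ("device capability", "device",      True),
    "corporate_email_in_container": ("email",             "application", True),
    "cloud_sync_blocked":           ("cloud",             "application", True),
}

# Which scopes an organization can enforce under each ownership model.
# Treating BYOD as application-only follows the chapter's point that an
# organization cannot control a device it does not own; it is an assumption
# about the deployment, not a property of any product.
ENFORCEABLE_SCOPES = {
    "COBO": {"device", "application"},
    "COPE": {"device", "application"},
    "CYOD": {"device", "application"},
    "BYOD": {"application"},
}


def check_device(device):
    """Return the list of baseline controls that *device* fails.

    Controls outside the enforceable scope for the device's ownership model
    are skipped. A control the device does not report at all counts as a
    failure, because its posture cannot be demonstrated.
    """
    scopes = ENFORCEABLE_SCOPES[device["model"]]
    findings = []
    for control, (category, scope, expected) in BASELINE.items():
        if scope not in scopes:
            continue
        actual = device["posture"].get(control)
        if isinstance(expected, bool):
            compliant = actual is expected
        else:
            compliant = actual is not None and actual >= expected
        if not compliant:
            findings.append({"control": control, "category": category,
                             "expected": expected, "actual": actual})
    return findings


def compliance_report(devices):
    """Map each device id to its findings (an empty list means compliant)."""
    return {d["id"]: check_device(d) for d in devices}


# Constructed posture records, shaped like an MDM inventory export.
SAMPLE_DEVICES = [
    {"id": "dev-cobo-01", "model": "COBO", "posture": {
        "passcode_min_length": 4, "storage_encrypted": True,
        "unknown_sources_blocked": True, "screen_capture_blocked": True,
        "camera_blocked": True, "corporate_email_in_container": True,
        "cloud_sync_blocked": True}},
    {"id": "dev-byod-07", "model": "BYOD", "posture": {
        "passcode_min_length": 4, "storage_encrypted": False,
        "camera_blocked": False, "corporate_email_in_container": True,
        "cloud_sync_blocked": False}},
    {"id": "dev-cyod-03", "model": "CYOD", "posture": {
        "passcode_min_length": 8, "storage_encrypted": True,
        "unknown_sources_blocked": True, "screen_capture_blocked": True,
        "camera_blocked": True, "corporate_email_in_container": True,
        "cloud_sync_blocked": True}},
]

if __name__ == "__main__":
    for device_id, findings in compliance_report(SAMPLE_DEVICES).items():
        status = "compliant" if not findings else f"{len(findings)} finding(s)"
        print(f"{device_id}: {status}")
        for f in findings:
            print(f"  {f['category']}: {f['control']} expected "
                  f"{f['expected']}, got {f['actual']}")
```

Run as a script, the corporately owned device is flagged for its short passcode, the BYOD device is flagged only for the application-scoped cloud control (its unencrypted storage and enabled camera are outside what the organization can enforce), and the CYOD device is compliant. The scope filter is the part worth keeping: it makes the limits of BYOD monitoring explicit in the report rather than silently producing findings the organization cannot act on.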

Step #7: Map Investigative Workflows

The process of gathering and processing digital evidence from mobile devices can differ depending on the manufacturer and vendor. With these potential variations, it is understandable that there is not a well-established methodology by which mobile device forensics is performed. However, given the intricacy involved in performing mobile device forensics, it is necessary for organizations to implement guidelines and processes by which their digital forensics practitioners can gather and process potential digital evidence.

Knowing that there are potential limitations on conducting mobile forensics, it is necessary to implement guidelines and processes by which the digital forensics practitioner can gather and process potential digital evidence. The high-level digital forensics process model, as illustrated previously in Table 19.1, will be applied to the activities and tasks involved in conducting mobile forensics.

Phase #1: Preparation

As discussed in Chapter 2, “Investigative Process Methodology,” the activities and tasks performed in this first phase are essential in successfully executing all subsequent phases of the investigative workflow. As a component of the preparation phase, organizations can proactively align their people, processes, and technologies to support their mobile device forensics capabilities.

Processes and Procedures

With mobile device forensics being a sub-discipline of digital forensics, the existing baseline of standards, guidelines, and techniques discussed in Chapter 5, “Digital Forensics as a Business,” becomes the foundation for creating new documentation specific to mobile devices.

Largely, digital forensics standard operating procedures (SOPs) still apply to mobile device forensics when gathering and processing digital evidence. However, given that mobile devices differ in that they use cellular technology, there is a need to develop specific SOPs so that digital forensics practitioners know how to handle them. These considerations related to gathering and processing digital evidence from mobile devices are discussed further in the phases below.

Education, Training, and Awareness

Like digital forensics, an individual’s role with respect to mobile device forensics determines the level of knowledge they are provided. Further discussion about the different levels of education, training, and awareness is found in the section below.

Technology and Toolsets

Within the dedicated lab environment, organizations will need to acquire specific software and hardware to support their mobile device forensics capabilities. However, the extent to which an organization invests in its “toolkit” depends entirely on its environment and the degree to which it wants to gather and process digital evidence from these mobile devices.

Considerations related to technologies and tools used to gather and process digital evidence from mobile devices will be discussed further in the phase below where applicable to the investigative workflow.

Further discussion about digital forensics tools and technologies can be found in Chapter 5, “Digital Forensics as a Business.”

Phase #2: Gathering

As discussed in Chapter 2, “Investigative Process Methodology,” the second phase of the investigative workflow consists of the activities and tasks involved in the identification, collection, and preservation of digital evidence. The same requirement for establishing the meaningfulness, relevancy, and legal admissibility of digital evidence applies to mobile devices; however, given the use of cellular hardware with this technology, there are additional activities and tasks that need to be performed.

Identification

Regardless of the evidence that has been identified, both physical and logical, digital forensics practitioners must follow consistent and repeatable processes to secure, document, and search the crime scene. Sample templates that can be used in the process of securing, documenting, and searching crime scenes have been provided in the Templates section of this book.

As a best practice, organizations should develop a scoring mechanism that can be used to decide whether on-site triage is required. Illustrated in Figure 19.2 is a decision tree that can be used by organizations as a guide when deciding whether on-site triage is required. The following list describes the decision points contained within the decision tree:

•  Urgent: Do the circumstances warrant on-site triage and extraction of evidence?

•  Unlocked or undamaged: Is the device in an unlocked and functional state for evidence to be extracted?

•  Battery life: Does the device show more than 50% battery life remaining?

•  Lab distance: Can the device be transported to the forensics lab in less than 2 hours?

•  Tools: Does the forensics “toolkit” support on-site triage and extraction of evidence?

•  Training: Are trained individuals available to conduct on-site triage and extraction of evidence?

•  Need additional evidence: After on-site triage is completed, is additional evidence required?

Figure 19.2 On-site triage decision tree.

When the path taken through the decision tree results in on-site triage, forensic acquisition of the mobile device is the most common technique performed. Performing an acquisition during on-site triage has the advantage that the potential loss of volatile data can be avoided. However, unlike in a lab environment, performing acquisitions during on-site triage may be challenging vis-à-vis finding a controlled environment in which the work can be completed. Tools used to perform forensic acquisitions of mobile devices are discussed in the next section of the investigative workflow.
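The decision points listed above can be encoded so that a first responder's answers yield a documented, repeatable decision rather than an ad hoc one, which is what the chapter's "scoring mechanism" calls for. The following is an added example and not the book's Figure 19.2: the seven questions are the chapter's, but the order in which they are traversed, the outcome at each branch, and the "lab-with-risk" outcome (volatile data is at risk but nobody on scene can acquire it) are assumptions made here, since the figure itself is not reproduced in the text.

```python
from dataclasses import dataclass

BATTERY_MIN_PERCENT = 50   # the chapter's "more than 50% battery life remaining"
LAB_MAX_HOURS = 2          # the chapter's "less than 2 hours" to the forensics lab


@dataclass
class SceneAssessment:
    """Answers to the decision points, recorded by the first responder."""
    urgent: bool                   # do circumstances warrant on-site extraction?
    unlocked_and_undamaged: bool   # can evidence be extracted in the device's state?
    battery_percent: int
    hours_to_lab: float
    toolkit_supports_triage: bool
    trained_staff_available: bool


def decide_triage(scene):
    """Walk the decision points and return (decision, reasons).

    decision is one of:
      "lab"            seize, isolate and transport; no on-site acquisition
      "on-site"        acquire on scene: volatile data is at risk and the
                       tools and people to do so are present
      "lab-with-risk"  volatile data is at risk but on-site acquisition is
                       not possible; transport and document the risk
    The branch order is an assumption of this example, not the book's figure.
    """
    if not scene.urgent:
        return "lab", ["circumstances do not warrant on-site extraction"]
    if not scene.unlocked_and_undamaged:
        return "lab", ["device is locked or damaged; on-site extraction not feasible"]

    # A low battery or a long transport both put volatile data at risk.
    reasons = []
    if scene.battery_percent <= BATTERY_MIN_PERCENT:
        reasons.append(f"battery at {scene.battery_percent}% "
                       f"(not more than {BATTERY_MIN_PERCENT}%)")
    if scene.hours_to_lab >= LAB_MAX_HOURS:
        reasons.append(f"lab is {scene.hours_to_lab} h away "
                       f"(not less than {LAB_MAX_HOURS} h)")
    if not reasons:
        return "lab", ["battery and lab distance allow acquisition in a controlled lab"]

    # Volatile data is at risk; on-site work still needs tools and trained people.
    if not scene.toolkit_supports_triage:
        reasons.append("toolkit does not support on-site triage")
        return "lab-with-risk", reasons
    if not scene.trained_staff_available:
        reasons.append("no trained individual available on scene")
        return "lab-with-risk", reasons
    return "on-site", reasons


def after_triage(additional_evidence_required):
    """Final decision point once on-site triage has been completed."""
    return "lab" if additional_evidence_required else "complete"


if __name__ == "__main__":
    # Constructed scene: urgent, unlocked, 30% battery, three hours from the lab.
    scene = SceneAssessment(True, True, 30, 3.0, True, True)
    decision, why = decide_triage(scene)
    print(decision, "-", "; ".join(why))
    print("next step:", after_triage(additional_evidence_required=True))
```

The returned reasons are as important as the decision: they are what goes into the scene notes to show an objective party why the device was, or was not, acquired on site.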

Collection and Preservation

Where activities and tasks differ is when it comes time to collect and preserve digital evidence from a mobile device. As previously outlined in Step #2: Identify Potential Data Sources, the order of volatility also applies to mobile devices. Therefore, it is important that gathering volatile evidence from mobile devices follows the same methodology as for traditional computer systems.

Where possible, mobile devices that support data-at-rest encryption capabilities should be triaged at the crime scene, as volatile data may no longer exist if the screen is locked or power is lost. Depending on the context of the investigation, it may be required to conduct an on-site triage to collect and preserve volatile data. When determining whether to conduct on-site triage, organizations should consider the following benefits to the overall investigation:

•  Work being performed in a digital forensics lab may be reduced because potential evidence sources can be ruled out beforehand.

•  Investigative activities and tasks can be focused or prioritized based on the immediate results of findings.

•  Existing resources, including people and technologies, can be enhanced by intelligence gained from the results.

•  Triage tools are typically designed to require less knowledge and experience as compared to in-depth analysis tools.

•  Triage tools typically are more affordable as compared to in-depth analysis tools.

Phase #3: Processing

Within this third phase is the examination and analysis of gathered evidence for relevancy. Throughout, maintaining the authenticity and integrity of evidence is essential to guaranteeing a forensically sound and legally admissible investigation. For the most part, the tools and equipment used provide automated capabilities to validate and verify the one-way cryptographic hash value created when the digital evidence was seized, allowing practitioners to prove beyond a doubt that their interactions did not impact the integrity and authenticity of evidence.
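The hash check described here and under Step #4 is simple enough to show end to end. The following is an added example, not code from the book or from any forensic tool: it records the digests of an acquisition image in a custody record at seizure and recomputes them at examination, reporting expected and observed values per algorithm so that the comparison can be repeated by an objective party. The file name, case identifier and examiner value are constructed placeholders.

```python
import hashlib
import hmac
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK_SIZE = 1024 * 1024  # hash large acquisition images 1 MiB at a time


def hash_file(path, algorithms=("sha256", "md5")):
    """Return {algorithm: hex digest} for the file at *path*.

    All requested digests are computed in a single pass so the image is
    read exactly once, whatever its size.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK_SIZE), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def record_seizure(path, examiner, case_id):
    """Build the custody record written when the acquisition is first taken.

    The record carries the digests, file size, examiner and UTC timestamp,
    which is what a third party needs to repeat the check later.
    """
    return {
        "case_id": case_id,
        "file": os.path.basename(path),
        "size": os.path.getsize(path),
        "hashes": hash_file(path),
        "examiner": examiner,
        "seized_at": datetime.now(timezone.utc).isoformat(),
    }


def verify_evidence(path, record):
    """Recompute the digests of *path* and compare them with *record*.

    Returns (ok, details): ok is True only if the size and every recorded
    digest match; details lists expected and observed values per algorithm
    so the comparison itself can be reproduced and reported.
    """
    observed = hash_file(path, tuple(record["hashes"]))
    ok = os.path.getsize(path) == record["size"]
    details = []
    for name, expected in record["hashes"].items():
        match = hmac.compare_digest(expected, observed[name])
        ok = ok and match
        details.append({"algorithm": name, "expected": expected,
                        "observed": observed[name], "match": match})
    return ok, details


if __name__ == "__main__":
    # Constructed sample: a small file standing in for an acquisition image.
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "handset-01.bin")
        with open(image, "wb") as fh:
            fh.write(b"constructed acquisition image\n" * 1000)
        record = record_seizure(image, "examiner-01", "CASE-PLACEHOLDER-001")
        print(json.dumps(record, indent=2))
        print("verified before handling:", verify_evidence(image, record)[0])
        # Change one byte to show that any alteration fails verification.
        with open(image, "r+b") as fh:
            fh.seek(16)
            fh.write(b"X")
        ok, details = verify_evidence(image, record)
        print("verified after modification:", ok)
        for d in details:
            print(f"  {d['algorithm']}: match={d['match']}")
```

Two digests are recorded because older tool reports and custody forms often carry an MD5 alongside a SHA-256; verifying both lets a practitioner reconcile a fresh acquisition against either. The size check is cheap and catches the common case of a truncated copy before any hashing is done.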

The selection of appropriate tools for examining and analyzing mobile devices depends on several factors, such as the goal(s) of the investigation, the type of mobile device, and practitioner knowledge and experience. Ultimately, there is no one single tool that can process all data from every make and model of mobile device, largely because of the difference in the way digital evidence needs to be extracted from each technology. As a strategy, the following set of criteria can be used as guidance when considering which tool is best suited to a particular situation:

•  Usability: The presentation of data is in a format that is easy for users to navigate and understand.

•  Comprehensive: All available data is presented so that factual conclusions can be drawn.

•  Deterministic: The output of the tool is reproducible when it is provided with identical instructions and input data.

•  Accuracy: The quality of the data output by the tool has been verified.

•  Verifiable: The accuracy of the output data can be confirmed through the presentation of results.

•  Tested: A determination has been made as to whether the data contained within mobile devices remains authentic and is accurately reported by the tool.

After leveraging the above criteria to identify the appropriate tools, consideration now needs to be given to the potential digital evidence sources that exist within mobile devices. The data present on any mobile device depends not only on its features and capabilities, but also on the cellular (voice and data) services used by the device. As previously outlined in Step #2: Identify Potential Data Sources, there are many data sources from which digital evidence can be extracted on mobile devices.

Phase #4: Presentation

As discussed in Chapter 2, “Investigative Process Methodology,” documentation is a critical element of every investigation and needs to start at the beginning of the investigation and be carried out to the end. In this last phase of the investigative workflow, the final investigative report will be created to communicate factual conclusions by demonstrating the processes, techniques, tools, equipment, and interactions used to maintain the authenticity, reliability, and trustworthiness of the digital evidence. Some things to consider when writing a final investigative report include:

•  The structure and layout should flow naturally and logically, much as we speak.

•  The content should be clear and concise to accurately demonstrate a chronology of events.

•  Use of jargon, slang, and technical terminology should be limited or avoided, and where used a glossary should be included to define terms in natural language.

•  Where acronyms and abbreviations are used, they must be written out in full expression on first use.

•  Because final reports are written after the fact, that is, after an investigation, content should be communicated in the past tense. However, tenses can change where conclusions or recommendations are being made.

•  Format the final report not only for distribution within the organization, but also with the mindset that it may be used as testimony in a court of law.

A template for creating written formal reports has been provided as a reference in the Templates section of this book.

Step #8: Establish Continuing Education

Like digital forensics, an individual’s role with respect to mobile forensics determines the level of knowledge they are provided. Detailed discussion about the diverse levels of education, training, and awareness an organization should require of their people in support of digital forensics can be found in Chapter 14, “Establish Continuing Education.”

General Awareness

As the lowest type of education, this is a generalized level of training and awareness that is intended to provide people with foundational knowledge without getting too specialized related to mobile device forensics. Leveraging the education and training that has already been put in place for digital forensics, this education provides people with the competencies they need related to organizational policies, standards, and guidelines so that they indirectly contribute, through some form of behavior or action, to the organization’s digital forensics program.

Examples of topics and subjects that should be included as part of a mobile device forensics awareness program include:

•  Business code of conduct

•  Mobile device acceptable use policy

•  Data protection and privacy

Basic Training

Essentially, the difference between this training and the previous awareness is that the knowledge gained here is intended to teach people the skills necessary to directly support the organization’s digital forensics program as it relates to how, where, and to what extent mobile devices are used for business purposes.

Information communicated at this level is more detailed than the previous type of education because it must provide people with the knowledge required to support a specific role or function, such as administering the MDM solution.

For example, as part of basic mobile device forensics training, information about audit logging and retention should be covered. Generally, this topic relates to the practice of recording events and preserving them, as per the organizational governance framework, to facilitate digital forensics investigations.

Formal Education

A working and practical knowledge of mobile device forensics requires people to first and foremost have the skills and competencies necessary to ensure that all digital forensics principles, methodologies, and techniques are understood. Once the fundamental knowledge is gained, practitioners can then start pursuing a specialization in mobile device forensics.

However, unlike digital forensics education programs, the availability of curriculum dedicated entirely to mobile devices is still limited. Most commonly, mobile device forensics is taught as a specific course in higher/post-secondary institutions or as a professional education module led by an industry-recognized training institute.

Refer to Appendix B, “Education and Professional Certifications,” for a list of higher/post-secondary institutions that offer formal education programs.

Step #9: Maintain Evidence-Based Presentation

Regardless of how mobile devices are deployed in an enterprise, the systems and ESI present can be used to commit or be the target of criminal activity. However, perhaps the biggest challenge to a digital forensics investigation where mobile device technologies are within scope is the dynamic nature of determining the “who, where, what, when, why, and how” of criminal activity. Some things to consider when writing a final investigative report include:

•  The structure and layout should flow naturally and logically, much as we speak.

•  The content should be clear and concise to accurately demonstrate a chronology of events.

•  Use of jargon, slang, and technical terminology should be limited or avoided. Where used, a glossary should be included to define terms in natural language.

•  Where acronyms and abbreviations are used, they must be written out in full expression on first use.

•  Because final reports are written after the fact, that is, after an investigation, content should be communicated in the past tense; but tenses can change where conclusions or recommendations are being made.

•  Format the final report not only for distribution within the organization, but also with the mindset that it may be used as testimony in a court of law.

A template for creating written formal reports has been provided as a reference in the Templates section of this book.

Step #10: Ensure Legal Review

There are different laws and regulations around the world that govern the types of information that can be accessed on mobile devices. Although these different jurisdictions and regulators try to address matters of what access and control must be imposed to protect information, they do not address—from a corporate perspective—what access and control organizations should not have. This can lead to somewhat of a gray area in that there is no definitive boundary in place, allowing for subjectivity and best judgment to determine what is believed to be reasonable.

Establishing a governance framework that contains clear and concise language that is easy to understand and readily accessible to all parties—employer and employees—is extremely important. Not only does this help organizations to secure and manage their data regardless of the selected mobile device management strategy, it also guarantees employees’ consent and co-operation when an incident involving their personal technology occurs. Equally important is ensuring employees who will be using these devices to access corporate data have read, fully understand, and agreed (in writing) with what is expected of them.

Further discussion about laws, standards, and regulations can be referenced in Chapter 16, “Ensuring Legal Review.”

Summary

Mobile device technology really started to proliferate, both for business and personal use, in the 1990s. With the way we conduct business continuing to evolve into a more dynamic and mobile workforce, the appropriate use of mobile devices to conduct business needs to be clearly articulated and controlled to mitigate any potential data security risks. However, when an incident involving mobile devices occurs, it is important that organizations have adopted an investigative process methodology to support the work of digital forensics practitioners.
