2 Mobile Devices vs. Computer Devices in the World of Forensics

Mobile device forensics is a very specialized, and at times frustrating, discipline, especially for a new mobile forensic examiner crossing over to the discipline after years of service as a computer forensic examiner. With typical file system formats and well-documented operating systems and system processes, understanding a computer and its relevant artifacts is straightforward. With a legacy Nokia Series 40 (S40) mobile device, however, with its S40 operating system and no official documentation outside of Nokia, uncovering structure and artifacts may not be so straightforward. Mobile device storage media, or internal flash, is similar to the solid state drives (SSDs) in today’s computers, but the file formats and, most importantly, the way an examiner accesses this data are much different. Additionally, creating and obtaining a physical image of a mobile device is much different from, and at times far more difficult than, creating a physical image of a mass storage device or traditional hard drive.


When speaking about a physical image of a hard drive or mass storage device, most practitioners refer to obtaining every bit and byte from the first sector (or start of the hard drive) to the last sector (or end of the hard drive). Obtaining an exact copy of the media is the truest form for a computer forensic examiner.

Most seasoned computer forensic examiners struggle with the limitation of obtaining an exact, unaltered form of a mobile device’s internal storage media. For this reason, many examiners say they will not conduct a collection or an examination of a mobile device and cannot refer to it as a “forensic exam.” Some have even refused to refer to this as “mobile device forensics,” instead calling it “mobile device collection or extraction.” This mentality will last only so long, however, especially when an examiner conducting a mobile forensic exam becomes an expert. As soon as an examiner is held to be an expert in the field, his or her testimony will be weighed against the Daubert or Frye standard, depending upon the current jurisdiction.


Frye is based upon Frye v. United States, 293 F. 1013 (www.law.ufl.edu/_pdf/faculty/little/topic8.pdf), which states that expert testimony must be based upon scientific methods that are sufficiently established and accepted. Daubert is based upon Daubert v. Merrell Dow Pharmaceuticals, 509 U.S. 579 (https://supreme.justia.com/cases/federal/us/509/579/case.html), which states, among other things, that scientific knowledge can be established if it can demonstrate that the conclusion is the product of sound “scientific methodology” derived from the scientific method, and the decision as to scientific knowledge laid out by Federal Rule of Evidence 702 will rest on the shoulders of the trial judge.

The world is quickly moving to mobility, and mobile devices are becoming more like small computers, with no end in sight. Examiners must begin to understand that the forensic process is more important for the examination of a mobile device than for traditional computer forensics, based upon the many differences and hurdles that currently exist with these devices.

The forensic process is important in the examination of a mobile device for several reasons. The greatest impediment to the forensic process is recognizing, and then overcoming, the fact that write-protect devices are ineffective in protecting the integrity of mobile device evidence. When corners are cut, training is insufficient, and a full understanding of the process is relegated to pushing a button, case law and precedent are often set. If the examiner has a concrete understanding of the process, follows it, and understands the theory behind mobile device communication via software, then the evidence recovered will stand up to challenge. The flip side is uncovering a significant amount of useful information without following or understanding the process and then being informed in court that the recovered data cannot be used. What could be worse is that the evidence is used in the proceeding, but during the proceeding its validity is disputed because the practitioner used improper collection methods or did not follow a formulated scientific process. This concept is difficult to accept for examiners with many years in the computer forensic discipline.

Computer Forensics Defined

The examination of digital data from a computer’s storage medium, either the traditional hard drive or the SSD, is a discipline familiar not only to law enforcement but also to enterprise and academia. In every vocation, digital data from computers has been examined to verify, confirm, and attempt to determine users’ intentions by investigating their actions and history. Processes and procedures govern the way a computer forensic examination and, more importantly, an examiner should proceed throughout the investigation. When you understand how prominent organizations define computer forensics and know the minimum requirements for a successful digital investigation, you can establish proper processes and procedures, implement plans, and establish a structure to facilitate mobile forensics.

International Association of Computer Investigative Specialists (IACIS)

IACIS is an international volunteer-based nonprofit corporation that provides training and education in forensic computer science and grants the Certified Forensic Computer Examiner (CFCE) certification. The organization’s membership was originally limited to law enforcement but is now open to computer forensic practitioners who qualify. The CFCE core competencies document describes computer forensics as the acquisition, reconstruction, examination, and analysis of data stored on electronic media. To become certified, the examiner must address seven competency areas in the CFCE program, obtain peer review, conduct practical examinations, and pass a written examination. The seven areas are pre-examination and legal issues, computer fundamentals, partitioning schemes, Windows file systems, data recovery, Windows artifacts, and the presentation of findings.

International Society of Forensic Computer Examiners (ISFCE)

ISFCE is a private organization that conducts research and development of new and emerging technologies in the science of computer forensics. ISFCE grants the Certified Computer Examiner (CCE) certification, which also requires that core competencies be met in the certification process. These competencies include ethics, law, software, hardware identification, networks, operating systems, seizure process, forensic examination procedures, file systems, other media, media geometry, preparing media for imaging, forensic boot disks, low-level analysis, processing issues, and practical examination skills. To be accepted into the CCE testing process, a candidate must have met at least one of three requirements: have attended a CCE Boot Camp from an authorized training outlet, possess at least 18 months of verifiable digital forensic work, or have documented self-study in the field of digital forensics deemed appropriate by the CCE board. Once this requirement is fulfilled, the candidate can apply to the CCE testing process and must pass both an online written assessment and practical examinations.

Applying Forensic Processes and Procedures

Both IACIS and ISFCE follow similar processes and procedures in their competency requirements before a candidate can become certified to examine computer digital evidence. The following sections cover specific parts of both organizations’ competencies along with supplemental information obtained from the U.S. Department of Justice (DOJ) on electronic evidence. By understanding the following areas of concentration as outlined for computer forensics methods, you can formulate strategies to build the best approach for a mobile forensic examination. Having a competent examination process that is repeatable and that subscribes to the scientific method at the onset of the journey will help you create a firm foundation and reliable process. This foundation and process must hold the weight of the facts when you testify to the results of any examination. Many certifications in today’s mobile forensic community are from tool vendors. Having a tool-specific vendor certification may be important for testimony, because it shows that competency in the tool has been vetted. However, having an overall understanding, competence, and firm foundation in general and advanced mobile forensics is essential, and this is seldom offered by a tool vendor.

Seizure

Any investigation into electronic evidence must start with the legal seizure of the device that is holding, was holding, received, or transmitted the electronically stored information (ESI). The proper legal steps will be determined by the situation. Is the ESI in a place that requires a search warrant to be obtained, that is corporately owned, or that requires permission be given by the owner? If the seizure of the device and subsequent data are tainted by questions on the legality of how the data was obtained, the information collected will be dismissed in subsequent proceedings. You must exercise extreme care at the onset.

Collection

You must extract data from a digital device in a manner that enables you to show that the ESI did not change, was not altered, and is the same as when it was collected. The collected data typically carries an electronic fingerprint (a hash value). If any data is changed, added, or removed from the collected data container, the electronic fingerprint will change. The integrity of the collection of digital data, and the validation and verification of the software that collected the data from the device, are the responsibility of the person conducting the collection.

Analysis/Examination

Analyzing the data that has been collected from the seized device is often the most tedious part of an examination. Looking into many gigabytes of information is labor intensive even with automated tools. Because of the volume of data, typical digital examinations are predicated on the type of investigation the data will be used to support. Using the DOJ’s “Electronic Crime Scene Investigation” document as a guide, the examiner can steer the examination of digital evidence by the crime or incident being investigated. By using this type of direction, an examiner’s time can be better used in the analysis of pertinent information on a case-by-case basis. For example, the guide states that for crimes against persons, investigations and electronic data examinations should focus on the recovery and analysis of images (pictures), Internet activity logs, legal documents, and wills, along with any research the suspect conducted on the victim. The analysis and examination of the digital data can take significant time, but if the examiner has a clear picture of what information might be required for a particular investigation, the time can be minimized.

Presentation

Once the analysis is completed on the seized and collected data, the examiner must present the information, typically via a written report. The presentation is the most important piece for those who will review and most likely act on the information that has been recovered and analyzed. The presentation must outline the entire process, including any problems encountered, from the seizure to the analysis. The analysis portion must be clearly documented as to the request, the methodology, and findings. The examiner may have the most difficulty at this stage because technical examiners often do not communicate well with nontechnical people. The presentation stage defines the entire examination, however, since those who review the process will use this information to determine the validity of the examination and its results.

Approach to Mobile Device Forensics

Using well-tested and clearly defined forensic procedures can be a great start to creating a process and procedure for mobile device forensics. First, however, you need to understand several items that are at the heart of the scientific debate over the validity of mobile forensics.

One of the major debates by seasoned computer forensic examiners has to do with the integrity of image creation. Because a write-protect device cannot be used in the examination of a mobile device, the image cannot be substantiated as a true representative of best evidence—or can it? Most computer forensic examiners consider mobile device forensics nonscientific because of this single limitation. As discussed previously, a write blocker stops writes to a mass storage device, thus maintaining the integrity of the device from which the image is being created. The hardware device or software switch inhibits writes to ensure that data is not overwritten and allows for a duplicate image of the storage device. Thus, the examiner can obtain a hash, or mathematical fingerprint, of all the data on the device. Because a mobile device is not recognized as a mass storage device and a write blocker cannot be used, some examiners believe the image must be labeled unreliable. However, when you fully understand the nature of the software used to connect to and collect data from the mobile device, you realize that the image can be reliably captured, even without involving a write-protect device.

When plugged into a computer, mobile devices initiate a change in the computer’s operating system, which recognizes that a mobile device has been plugged into the system. Furthermore, the mobile device also makes changes to its operation to allow for communication with the computer. Mobile devices can be tethered to a computer using several means: infrared (IR), Bluetooth, Wi-Fi, serial cable, and USB cable. Any connection with the device needs a way to communicate, and this requires a driver—a conduit, command set, or program for a particular device or device set that allows communication between the device and the computer. In essence, a driver “bridges the gap” between the devices. Drivers are used not only for mobile devices but also for any hardware attached to a computer system. If a driver is not installed properly, communication cannot occur. Drivers are the primary “pain points” when it comes to processing a mobile device. The correct driver must be installed correctly for communication to work while processing a mobile device. The communication between a mobile device and a computer system could involve the transfer of data between the device and the computer, creating an Internet hotspot, installation of applications, and many other things.

The word communication is important. For the mobile device to be recognized and communicate with the system via the driver, the mobile device typically must be powered on, and this fact brings up another point of contention with computer forensic examiners. If the device is powered on, then it is possible that data is constantly changing on the device from the cellular network or Wi-Fi network to which it is connected. Would not the clock on the device continue to update along with various other running processes on the mobile device? Invariably, the data is in constant flux, but ultimately it is the responsibility of the examiner to determine what data has changed, if any. Isolation techniques will be covered in later chapters, but for now you can assume that data will change on the device when it is powered on. This is an incredibly difficult concept to comprehend for a computer forensic examiner coming into mobile forensics. Both IACIS and ISFCE specifically state that nothing should change on a device during the collection process, and if it does, the recovered data cannot possibly be used as best evidence.

In today’s modern world, however, we have software tools that recover volatile memory from a running computer. Volatile memory, memory whose contents are lost when a computer is powered off, includes Random Access Memory (RAM). RAM can contain very valuable information such as passwords, keywords, media, and files, along with many other great forensic items. Because RAM is volatile, if the computer is shut down, the data ceases to exist, is purged from the system, and recovery becomes impossible. So to collect this data, the computer must be live and powered on, and you run a forensic application against the machine to capture the volatile data.

This live technique is in fact much like mobile device data collection. Files are changed on the mobile device just as the files on the computer change during a live collection. It is up to the examiner to understand and comprehend what is taking place from start to finish, and most importantly, to ensure that no user data is altered by the software during the collection.

Communication between the mobile device and mobile forensic software occurs via the driver connection using the device’s protocols, and the communication must first be in the language (protocol) accepted by the device. Different protocols are used for different devices, and sometimes multiple protocols are used, depending upon the access needed to the device. Some devices must even have small applications installed via their operating system onto their internal storage to collect the required data during the forensic examination. When you consider the many different devices available to the consumer and the various protocols used, it is apparent why some mobile devices cannot be examined using communication via a USB cable, serial cable, Bluetooth, or Wi-Fi. It is important that the examiner develop a thorough understanding as to what communication is occurring between the software and the mobile device so that he or she can maintain the integrity of the image and the mobile device’s contents can be verified as best evidence and untainted during the mobile forensic examination.

In 2008, NIST published a document entitled “Forensic Filtering of Cell Phone Protocols” (NISTIR 7516), which describes ways to use phone manager software tools believed to be non-forensic in forensic examinations. The document describes a protocol filter that can be applied to the software to intercept communication that poses a risk to the integrity of the investigation. The document, although dated, contains valuable information as to how forensic tools of today combat the limitation imposed when a write-protection feature cannot be used. The document explains that the underlying functionality of forensic mobile device tools is based upon the same protocols used by the manufacturer’s phone management tools. Furthermore, the forensic software tools inhibit or restrict the protocols to commands or instructions that read data from the device, along with other functions that pose little risk to the integrity of the evidence. This is done, as NIST explains, using a filter between the software and the device—much like how hardware and software write blockers work.
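To make the filtering idea concrete, here is an added toy model of such a protocol filter; it is illustration written for this chapter, not code from NISTIR 7516 or from any forensic tool. It assumes a handset that speaks the GSM AT command set (3GPP TS 27.007 / 27.005), and the split of that vocabulary into read-only and write commands, the fail-closed handling of unknown and concatenated commands, and the sample session are all this example’s own.

```python
"""Toy model of a forensic protocol filter in the spirit of NISTIR 7516.

The filter sits between phone-manager software and the handset, forwards
only commands known to read data, and blocks anything that would write to
handset storage. Unknown commands are blocked by default (fail closed), and
a command line that concatenates several AT commands with ';' is forwarded
only if every part of it is read-only.
"""
import re
from dataclasses import dataclass, field

# Allow-list: AT commands that only read data from the handset.
READ_ONLY = {
    "+CPBR",   # read phonebook entries
    "+CMGR",   # read one SMS message
    "+CMGL",   # list SMS messages
    "+CGSN",   # request IMEI
    "+CIMI",   # request IMSI
}

# Deny-list: AT commands that modify handset storage or send data out.
WRITE = {
    "+CPBW",   # write or delete a phonebook entry
    "+CMGW",   # write an SMS into message storage
    "+CMGD",   # delete an SMS
    "+CMGS",   # send an SMS
}


@dataclass
class FilterResult:
    forwarded: list = field(default_factory=list)   # lines passed to the handset
    audit: list = field(default_factory=list)       # (line, action, reason) log


def subcommands(line: str) -> list:
    """Split an AT command line into its ';'-concatenated sub-commands.

    'AT+CPBR=1,5;+CPBW=1,"555"' yields ['+CPBR=1,5', '+CPBW=1,"555"'].
    Splitting naively inside quoted text can only produce extra blocks,
    never an extra forward, so the filter stays fail-closed.
    """
    body = line.strip()
    if not body.upper().startswith("AT"):
        return []                        # not an AT command line at all
    return [p.strip() for p in body[2:].split(";") if p.strip()]


def command_name(sub: str) -> str:
    """Return the extended command name ('+CPBR') without =/? parameters."""
    m = re.match(r"^\+[A-Z]+", sub.upper())
    return m.group(0) if m else sub.upper()   # basic commands (e.g. 'D555') stay whole


def decide(line: str) -> tuple:
    """Return ('forward' | 'block', reason) for one command line."""
    subs = subcommands(line)
    if not subs:
        return "block", "not an AT command line"
    for sub in subs:
        name = command_name(sub)
        if name in WRITE:
            return "block", f"{name} writes to handset storage"
        if name not in READ_ONLY:
            return "block", f"{name} is not on the read-only allow-list"
    return "forward", "read-only"


def filter_session(lines) -> FilterResult:
    """Run a command sequence through the filter and keep an audit trail."""
    result = FilterResult()
    for line in lines:
        action, reason = decide(line)
        result.audit.append((line, action, reason))
        if action == "forward":
            result.forwarded.append(line)
    return result


# Constructed sample session: what a phone manager might emit during a sync.
SESSION = [
    "AT+CGSN",                          # IMEI: read-only, forwarded
    "AT+CPBR=1,250",                    # phonebook read: forwarded
    'AT+CMGL="ALL"',                    # list all SMS: forwarded
    "AT+CMGD=3",                        # delete SMS: blocked
    'AT+CPBR=1;+CPBW=1,"5551234"',      # write hidden behind a read: blocked
    "AT+CFUN=1,1",                      # reset phone: unknown, blocked
]

if __name__ == "__main__":
    for line, action, reason in filter_session(SESSION).audit:
        print(f"{action:7} {line:32} {reason}")
```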

Validating the mobile forensic software and verifying that it uses forensic filtering of common mobile device protocols are the responsibility of the examiner. The ability to add, remove, or change records on a mobile device during or after a collection and subsequent analysis of the device should not be available to the examiner or in the software available today. Of course, as will be explained later, there are certain instances in which writes do occur to the connected device. These writes are not indiscriminate to the device, but targeted writes to temporary storage in the form of an application that assists with the extraction of the user data.

After the examiner collects the data from the mobile device, the analysis of the data, much like in computer forensics, is the most time-consuming part of the process. At this phase, some examiners and examinations falter. A lack of knowledge on the structure of a device’s internal file system, critical artifact locations, system values, and critical file types means most examinations target the “lowest hanging fruit.” WYSIWYG data typically satisfies the majority of examiners, not because of lack of motivation, but because of a misunderstanding of the device’s storage areas and operating system characteristics. Know the device, its capabilities, and its file system, and you can substantiate any challenge to the examination.

Unlike computer forensics examiners, those who conduct mobile device forensic investigations have no globally recognized standards, as outlined earlier in the chapter. Simply put, as long as the data from the mobile device is included in a report, there is no regard as to how that data was collected from the mobile device. It is because of this “Wild West” approach that most computer forensic examiners see mobile device forensics as mobile device extraction, which is inherently wrong if you understand what it really means to be forensic. Mobile forensics does, indeed, have processes, like computer forensics, but they are seldom adhered to by those conducting examinations.

This disparity is one of the main reasons the Mobile Forensic Certified Examiner (MFCE) curriculum was created and formulated by the training company Mobile Forensic, Inc. (MFI). The MFCE requires that a candidate receive training on mobile forensic practices or have verifiable work in mobile forensics to apply for certification. If accepted, the candidate then undergoes six practical exercises and a written test to receive certification. The MFCE has not been widely accepted, however, primarily due to its limited reach and resources. For that reason, in late 2014, the MFCE was incorporated into the IACIS advanced mobile device training as a certification process, where it will be maintained and governed by a board of examiners.

Most software vendors also provide training on the software that they develop and sell. This type of training is important because the examiner must fully understand the tool to use it correctly during mobile forensic examinations. Training also provides credibility when examiners testify in court. These vendors also provide certification, which typically involves showing competence via written examinations, practical experience, or both.


If you are unsure about whether to receive a mobile forensic certification on your overall understanding of the process or based on a particular tool, my best recommendation is to work toward a cumulative certification on overall processes and procedures.

As shown in Figure 2-1, the current approach to mobile forensics and the analysis of a mobile device is a bit upside-down. The foundation shown in the figure is the tool, which is supporting the weight of the procedure, process, and training. But having only a tool-based foundation in mobile forensics will never support your conclusions. A foundation based on training, however, which represents the largest area of the pyramid, along with a core centered on processes and procedures, will support a tool-based approach. To be successful in the mobile forensic field, you will invert the current examination pyramid and rest your knowledge foundation on what will support the approach covered throughout this book.


FIGURE 2-1 The backward approach to mobile forensics

The foundation of a mobile forensic exam should be a sound understanding of the operation and output of any automated tool used. Organizations and academia have now changed the “computer forensic” label to include digital forensics in an effort to cover small-scale devices such as mobile phones and tablets. As discussed, there are inherent differences in the way information is obtained from a mobile device, but the examination of the collected data should be complementary.

NIST and Mobile Forensics

In its executive summary on mobile forensics (NIST Special Publication 800-101 Revision 1, May 2014: “Guidelines on Mobile Device Forensics”), NIST clearly explains that the digital forensic community faces the biggest challenges when it comes to mobile devices and investigations. Mobile devices are constantly changing to improve technologies, and investigative techniques must evolve with each new introduction. As stated, the key to understanding and answering the questions of today’s investigator is having a firm understanding of the mobile device’s software and hardware. A clear understanding of the limitations and the functions of forensic tools is important, but a clear and documented process and procedure are paramount.

Process and Procedure

Every job or discipline requires a set of processes and procedures that clearly define what is expected of the work and that aid in the workflow and ultimately a successful outcome. Procedures in forensics should never comprise a mere list of items to accomplish, starting at A and ending at Z. Adhering to a list and simply missing a step between A and Z would mean the entire process would fail. In forensics, and in technology investigations in general, the process-and-procedure document should be used only as a guide. There will be many different variables to consider, ranging from the actual physical device, to the type of software used, to the type of investigation the mobile device evidence will support. Processes used for one device might not be relevant to another or to a particular type of examination. What is important is that a clear set of procedures for conducting a mobile forensic collection and examination be established prior to the first examination to be used as a guide.

Even before a set of processes and procedures can be created, however, you must consider several objections to the notion of a process in conducting mobile device collections and thorough examinations. Following are two of the more prominent objections.

Lack of Time

To complicate the process further, examiners began to incorporate a four-letter word in forensics: T-I-M-E. Time is the excuse that is typically used in the mobile forensic community when it comes to undergoing a full examination of the extracted data from a mobile device. “We do not have enough time in our job to look at every application or file system file.” The person conducting the collection has to move on to another case, another device, or another responsibility. But conducting the examination with this attitude is a critical deficiency in mobile device forensics, especially in the age of the smart phone, and can prove to be detrimental and costly in the long run. A hasty examination of digital data is like reading the first and last chapters of a book and then trying to write a review. The overall premise and how it might fit together could be garnered from the pages read, but without reading the entire book, the opinion is based upon 20 percent of the overall information contained therein. The examination is without substance. Although mission-critical data is often needed in the shortest time possible, the examiner should never ignore an opportunity to examine every byte, if given the chance.

Simplicity of the Tool Equates to No Training Needed

Mobile forensic software and hardware tools have been designed and marketed to express to the purchaser that little to no training is needed to conduct a mobile forensic examination. Simply push this button and out comes the evidence; no need to add training or comprehend what is actually occurring when the button is pushed. The opposite is true, however, because the simpler the tool, the more training the examiner will need in order to testify about what is really occurring. Did the software on the device, once the button was pushed, query a database to retrieve the contacts and SMS? If that is the case, what database did it query? If the examiner can answer these questions, then using an automated tool for mobile device collections will stand up to scrutiny.

Standard Operating Procedure Document

What should be a part of the mobile forensic process? Much like the computer forensic process, it must start with a written document outlining the mission—a standard operating procedure (SOP) document. An SOP covers not only the person or persons conducting the examination of data but also those who are collecting and seizing the device or devices holding the digital data. The SOP should outline the process and procedures to be followed, from the seizure to the reporting of the data.

When you’re starting a forensic lab or beginning to examine mobile devices, creating this document should be your first step. SOP processes and procedures for mobile forensics are much like those for computer forensics. The Scientific Working Group on Digital Evidence (SWGDE) maintains that a proper SOP (such as its template, version 3.1) will assist you in maintaining the best practices for collecting, acquiring, analyzing, and documenting data in digital forensic examinations. Using the outline, suggestions, and information in the following sections, you can develop an SOP that will be specific to the enterprise, agency, or company.

Purpose and Scope

A mobile device forensic SOP should outline the purpose and scope of each possible location at which a mobile forensic examination or collection could occur. The purpose explains why the section or SOP is being used and identifies the goal of the SOP or section, and it should be detailed enough so that the reader will recognize what the document or section will cover. Several purpose statements can exist in a single SOP, with only one purpose statement per SOP section. The scope identifies who will be following this procedure and what the procedure covers. The scope can also explain what will be needed or covered in the SOP or the section. The scope should be very clear and identify areas that are and are not going to be covered or that are outside the scope of the document. The writer of the SOP should not assume that the reader will understand that something is or is not part of the document or procedure; this must be explicitly stated. Here are examples of both purpose and scope for a mobile forensic off-site request.

Purpose: The purpose of this procedure is to seize, secure, and collect digital data from a mobile device at an off-site location to maintain the integrity of the device and contents for further analysis and processing.

Scope: This SOP outlines the process and procedures to follow when you are conducting mobile forensic assistance at an off-site location. This SOP is not a training document, but a set of procedures to follow at an off-site location.

After listing the purpose and scope, the SOP will continue with the actual equipment, specific knowledge data, and procedural items. Recommended areas to cover include definitions, materials and equipment, general information, procedures, and references and related documents.

Definitions

The definitions paragraph should list and define all acronyms and technical words included in the procedural part of the SOP. When creating an SOP, the writer must understand that the reader might not understand the technology—for example, assuming the reader knows what WCDMA or UICC means could cause on-site problems if these are unfamiliar terms. Defining any term that is related to the technology is recommended. Here is a sample definitions paragraph that could be used for an on-site or lab SOP.

Definitions:

Mobile device: Portable devices that use network communication (cellular or Wi-Fi) and have digital storage capabilities. Examples can include a cellular phone, tablet, or wearable.

Mobile device external media: Digital storage media. Examples include microSD cards and SD cards.

Mobile device internal media: Digital storage media that is part of the actual mobile device, typically soldered to the internal components of the device and not removable.

Cloud mobile device data: Digital data that is stored on remote servers and accessed by the mobile device transactionally.

Equipment/Materials

The equipment statement should include all the items that are needed to accomplish the listed procedure successfully. This should cover every contingency and should be broad enough so that the reader will not have to return to pick up additional items not listed in the SOP. An example of an equipment statement is listed next.

Equipment: The equipment that will be needed includes the following items:

•  Digital camera

•  Sterilized portable USB hard drive

•  Media card write-blocking tools

•  Radiofrequency (RF) shielding device

•  Mobile device collection tools

•  Mobile device cables and SIM card readers

•  Evidence packaging materials

General Information

Include general information to define limitations or background information regarding performing the duties outlined in the SOP. Important limitations should be explained directly and clearly to the reader. In a mobile forensic examination, limitations could include information regarding on-site and off-site seizures and collections. This paragraph should set the stage for any contingency the reader may encounter. This area of the SOP can often continue to grow because of constant change in both mobile device and software technology. An example of a section outlining limitations on an off-site seizure of mobile device data is shown here.

General Information – Limitations:

•  If a mobile device has network access, data destruction can occur.

•  If a mobile device is shut down or loses power, it may lock, essentially eliminating further access.

•  If a mobile device is locked upon seizure, further access might not be possible unless a passcode is obtained from the owner or from the computer with which the device was last synced.

•  Some software tools do not collect all of the data on a device.

Procedure

In the procedure portion of the SOP, the reader is walked through the performance of the task. This should include enough detail to enable the reader to perform the duty, but it should not be so detailed that the reader feels compelled to perform each step for success. An SOP is not the exact process that must be used in every instance, but a guide as to the best practices to conduct a mobile forensic examination from start to finish. For example, the following procedure is too detailed to be used in every case:

Place the device into airplane mode by navigating to Settings > Tools > Network > Airplane mode.

Clearly, this would not work in every instance and would cause confusion. Simply stating, “Place the device into Airplane mode,” would suffice. An example of a procedure you could use for an off-site response to a mobile forensic scene is shown next.

General:

•  The scene should be secure and safe for all individuals.

•  Protect devices and the evidence contained on the devices.

•  Identify the areas of the scene to be searched.

•  Photograph the area and each potential item of evidentiary value.

Mobile Devices:

•  Photograph the device and any data on the screen.

•  Block the mobile device from receiving RF signals either by placing the device in airplane mode or using an RF-shielding device.

•  If the device cannot be isolated from RF, the device should be turned off, accepting the risk noted under Limitations that it may lock on restart.

•  The device should be packaged and submitted for processing as soon as possible.

References/Documents

The final category included in an SOP will be references or related documents. The reference area should include other SOPs that are related to the current SOP, such as the SOP for the “Collection of Mobile Device Data On-Site” included within the SOP for the “Seizure of Mobile Device Evidence On-Site.” This enables the reader to transition immediately to the SOP to learn how to handle an actual collection of the data if needed. Also, any documents that might aid the reader in performing a task should be included, such as published documents, web sites, or manuals.

Successful SOP Creation and Execution

For mobile forensic SOPs to be successful, they must be categorized in sections or modules according to specific operations. The following sections discuss the recommended modules and content that should be contained within a mobile forensics SOP document. You can add more specifics to these modules after establishing a clear understanding of proper procedures for conducting the seizure, image creation, and analysis. These processes are covered in depth in later chapters.

Mobile Forensic Seizure On-Site Procedures

This module should cover the procedures users will take when preparing for and arriving at a site or scene where mobile devices and evidence relating to a mobile device will be encountered. This module should cover equipment needed, scene safety, identification of a mobile device, SIM cards, external storage media (SD cards and microSD cards), USB cables, manuals, the location of passwords or PINs for a mobile device, and devices that may hold backups of mobile devices, such as a computer or laptop. The proper methods to inhibit a mobile device's network connections, what to photograph, how to package a mobile device upon removal from the site, and the transportation of mobile device evidence should also be included in this module.

Mobile Forensic Image Collection On-Site Procedures

This module should cover the necessary procedures if a mobile device image is to be collected using mobile forensic tools while the user is on the site or scene. Items covered should include, but are not limited to, equipment needed to create a forensic image of a mobile device, SIM card, or removable media, and procedures for proper isolation of a mobile device from network connections. Proper procedures for the recovery of a mobile device image should include determining the type of mobile device and its functions, determining the correct software for the type of device, and conducting an extraction and subsequently verifying that the data extracted can be manually located on the device.

Mobile Forensic Image Collection at Lab Procedures

This module should cover the procedures users should take for forensically processing and analyzing a mobile device in a lab setting. Included should be the steps required to complete the isolation of a mobile device, depending upon the state in which the device was received, with specifications for how device information should be obtained and how to gain a thorough understanding of the device's capabilities prior to beginning the extraction. It should include guidance on what to do if the device supports a SIM card and what software will be needed to conduct a forensic examination of the SIM card. If a media card is also located, the appropriate software for creating a forensic image of the media card should be described here. Any software that will be needed to complete an extraction of the mobile device should be identified. Once the correct software for extraction has been determined, the order of processing should be determined by the state of the device. If the device is powered off, this procedure will instruct the lab examiners to begin with data from the SIM and media cards and conclude with the mobile device. If the device is powered on, the reverse order should be followed: handset, media card, and then SIM. This information is covered extensively in the processing section.

Mobile Forensic Image Collection from Cloud Procedures

This module should cover the procedures users should take for obtaining and analyzing the data from a mobile device that is transactionally stored within a remote server (Cloud). Included should be the steps required to obtain the necessary credentials, which could include a username/password combination or security token. It should reference how to obtain the information legally from the Cloud and should include why it is necessary to obtain the data remotely. Furthermore, the data extracted from a Cloud extraction should be compared, if possible, to the data from the mobile device extraction. This way, a determination can be made on the redundancy of the data, as well as unique properties from the off-device storage medium.

Creation of a Workflow

The creation of a workflow or flowchart can be of great benefit both to the first responder and forensic examiner to guide them from the seizure to the examination of a mobile device. In 2007, MFI produced a flowchart to assist in processing mobile devices when they come into the lab. During Mobile Forensics World 2008, this flowchart was introduced to students in the MFI Crash Course to Mobile Forensics class that was held at the Chicago Police Department’s training facility in downtown Chicago. The workflow shown in Figure 2-2 was outlined in 2008 and is still applicable with today’s mobile devices. In chapters to come, additional steps will be added to the flowchart to help expand on different scenarios.

FIGURE 2-2 Processing a mobile device

Specialty Mobile Forensic Units

Mobile device forensics can be much more involved than traditional computer forensics. Successful mobile device forensics can be a time-consuming process. Because of the many applications, files, logs, and constantly changing technologies involved, a special unit or a specially trained individual should be in charge of conducting mobile device investigations. With the proliferation of mobile devices and their involvement in every aspect of today’s world, the challenge of finding someone who can juggle multiple disciplines could encumber the ability to conduct a thorough examination.

Forensic Software

The U.S. Computer Emergency Readiness Team (US-CERT) defines computer forensics as “the discipline that combines elements of law and computer science to collect and analyze data from computer systems, networks, wireless communications, and storage devices in a way that is admissible as evidence in a court of law.” So mobile forensic software, to somewhat paraphrase US-CERT’s definition, would be software that is used to collect and analyze data from a mobile device in a way that is admissible as evidence in a court of law.

A software application is a generic set of instructions for a computer. Software used by practitioners falls into two classes: system software and operational or application software. System software is used by the computer system itself and does not involve the user; it is designed to accomplish specific tasks that keep the computer or system running as expected, such as writing data to a disk drive or displaying a graphic on a computer screen. Application software facilitates tasks the user needs to perform his or her work, such as word processing, image creation, and mobile forensic examinations. All mobile forensics tools are application software. They are not magical things that conduct massive investigative feats with the click of a mouse or that autonomously process a device and output a report. You must understand your application software and interact with it in a way that keeps the results admissible in a court of law and produces a product that can be used to substantiate the entire investigation.

Many different types of mobile forensic software can be used for today’s examinations. Mobile forensic software typically differs in functionality and complexity, but it also differs as to the types of devices that are supported. With the many different types of mobile devices that vary not only by manufacturer but also by communication protocols in use, no single mobile forensic software tool supports all mobile devices. What it really comes down to is the type of examination, the goal of the examination, and how the produced evidence might be later used.

Common Misconceptions

With mobile forensics and examiners, many misconceptions must be dealt with—not only when explaining the produced work to the requestor but also when answering questions during testimony. Being prepared to combat common misconceptions and head them off before they proliferate will be important to the ultimate success of the examiner.

Seasoned Computer Forensics Examiners’ Misconceptions

Examiners who have been conducting only computer forensic exams for many years make up the largest group that misunderstands the validity and value of the scientific examination of a mobile device. These examiners have undergone training that dictates that they must obtain a full duplicate copy of the digital media using a write blocker and ensure that the operating system obtaining the image did not perform any inadvertent writes to the evidence. This produces a copy of the evidence that they later analyze, and they must be able to conclude unequivocally that the data was not tampered with during the collection and analysis.

On mobile devices, writes do occur, simply because the devices are powered on during extraction, whether through a change of the clock or other internal processes. The extraction also takes place without a write blocker, because a mobile device does not present itself as a mass storage device. Because a mobile device cannot be imaged like a hard drive, computer forensic examiners have relegated mobile device forensics to merely mobile device extraction.

To combat this misconception, the mobile device examiner must recognize that although data does change on the device during the investigation, user data should never change or be altered by software. This can be shown by locating the actual files from which the data was collected and by verifying the software’s results. You must understand that the protocols to communicate with a mobile device limit the collection of the device’s internal memory, and that proprietary hardware and software limitations imposed by the hardware manufacturers make it difficult to capture a full image. What makes the examination forensic, however, is not the software, but the process the examiner takes during the extraction and subsequent analysis of the data.

First Responders’ Misconceptions

Unfortunately, the majority of mobile device seizures and extractions are conducted by individuals who have not received formal training on forensic processes, but who have received tool-specific training. Most extractions take place at the scene or on-site. Because the majority of the training involves how to conduct the collection of the mobile device, any deviation from the training course material typically means that the mobile device forensic tool will fail. If first responders do not receive training on the software tool, the failure rate for a particular device grows dramatically. This is not only a matter of a software tool failing to connect to a particular device, but also of what happens with the data that is collected. A common misconception is that the software tool did not work if the data is not immediately presented to the user. This is far from the truth, however. Since the majority of today's tools store data in database files and use common file types, would it not behoove the user to analyze the data rather than the output? This is the conundrum of today's mobile device examiner.
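The verification step described above (locating the actual files the data was parsed from and checking the tool's results against them) can be scripted. The following Python example is added here and is not from the original text or from any vendor's tool. It assumes a hypothetical extraction containing an SQLite file named sms.db with a toy table message(id, address, date, body); both the database and the "tool report" are constructed inside the script so it runs offline. It hashes the source file, opens it read-only, re-hashes it to show the review did not alter it, and then reports rows the tool missed, altered, or invented.

```python
"""Cross-check a mobile forensic tool's parsed report against the raw
database it was parsed from.  Added example; the schema, file name and
report format are hypothetical and not tied to any real tool."""
import hashlib
import os
import pathlib
import sqlite3
import tempfile


def sha256_file(path):
    """Hash the file in chunks so large extractions do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_sample_db(path):
    """Constructed sample extraction: three SMS rows in a toy schema."""
    con = sqlite3.connect(path)
    con.execute(
        "CREATE TABLE message(id INTEGER PRIMARY KEY, address TEXT, "
        "date INTEGER, body TEXT)"
    )
    con.executemany("INSERT INTO message VALUES(?,?,?,?)", [
        (1, "+15550100", 1609459200, "meet at 9"),
        (2, "+15550101", 1609459260, "ok"),
        (3, "+15550102", 1609459320, "running late"),
    ])
    con.commit()
    con.close()


def read_messages(path):
    """Read every row through a read-only URI so the review cannot write to the evidence."""
    uri = pathlib.Path(path).resolve().as_uri() + "?mode=ro"
    con = sqlite3.connect(uri, uri=True)
    try:
        rows = con.execute(
            "SELECT id, address, date, body FROM message ORDER BY id"
        ).fetchall()
    finally:
        con.close()
    return {r[0]: {"address": r[1], "date": r[2], "body": r[3]} for r in rows}


def compare_report(db_records, tool_report):
    """Return (missing_ids, mismatched_ids, extra_ids) for the tool's report."""
    report = {r["id"]: {k: r[k] for k in ("address", "date", "body")} for r in tool_report}
    missing = sorted(set(db_records) - set(report))        # in DB, absent from report
    extra = sorted(set(report) - set(db_records))          # in report, absent from DB
    mismatched = sorted(i for i in set(db_records) & set(report)
                        if db_records[i] != report[i])     # present in both, content differs
    return missing, mismatched, extra


def verify_extraction(db_path, tool_report, acquisition_hash):
    """Confirm the file still matches the hash recorded at collection, review it,
    confirm the review changed nothing, then compare the tool's output to the rows."""
    before = sha256_file(db_path)
    if before != acquisition_hash:
        raise ValueError("source database does not match acquisition hash")
    db_records = read_messages(db_path)
    if sha256_file(db_path) != before:
        raise RuntimeError("source database changed during review")
    return compare_report(db_records, tool_report)


def demo():
    """Build the constructed extraction and a deliberately flawed tool report."""
    with tempfile.TemporaryDirectory() as d:
        db_path = os.path.join(d, "sms.db")
        build_sample_db(db_path)
        acquisition_hash = sha256_file(db_path)   # value an examiner records at collection
        # Constructed report: the tool dropped row 3 and changed the case of row 2's body.
        tool_report = [
            {"id": 1, "address": "+15550100", "date": 1609459200, "body": "meet at 9"},
            {"id": 2, "address": "+15550101", "date": 1609459260, "body": "OK"},
        ]
        return verify_extraction(db_path, tool_report, acquisition_hash)


if __name__ == "__main__":
    missing, mismatched, extra = demo()
    print("missing from report:", missing)
    print("mismatched content:", mismatched)
    print("not in database:", extra)
```

In practice the tool report would be loaded from the tool's export (CSV, XML or JSON) and the acquisition hash from the collection notes; the point of the exercise is that a discrepancy between the report and the database is a finding about the tool's parsing, not evidence that the extraction failed.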

Chapter Summary

The principles of examination are no different between the disciplines of computer forensics and mobile device forensics. To be successful in the discipline of mobile device forensics, the examiner must understand that the process from seizure to analysis is no different from examining anything containing 0’s or 1’s—in other words, the same process used for a computer forensic examination should be followed and conformed to in mobile device forensic examination.

The user must seize the device legally, collect the device, and conform to common evidence best practices to extract the best evidence image, verify the output and image, and conduct a thorough analysis of the collected data. That information then has to be presented in a way that conforms to industry standards.

IACIS, ISFCE, and SWGDE contend that processes and procedures must be adhered to during the complete evolution of a digital device examination. Furthermore, processes and procedures should be part of a set of SOPs for all facets of the mobile forensic life cycle and location. These SOPs can be successful only if the entire company, department, or agency fully supports them, from top to bottom. With successful implementation of SOPs, along with complementary training, success can be guaranteed.

The many misconceptions of users—from seasoned examiners to first responders—can be circumvented with training and knowledge regarding not only the small differences in mobile device forensics but also regarding the similarities of successfully gathering and analyzing any digital data.

Now you understand the similarities of mobile forensics to computer forensics and the importance of the SOP for mobile forensics. The next chapter will explain how to begin a mobile forensic examination correctly by properly seizing evidence from the scene.
