Mobile Forensics is a branch of Digital Forensics and it is about the acquisition and the analysis of mobile devices to recover digital evidence of investigative interest. Technology today provides immense possibilities and scope, which play an important role in benefitting human life. Mobile phone technology is one such technology that has rapidly evolved and is still evolving. Over the years, its uses have become diverse. Mobile technology has advanced from a simple device used for making phone calls into a multi-functional device used for web browsing, entertainment, banking, online shopping, instant messaging, gaming, navigation, and many more things. Smartphones have undoubtedly become an integral part of our lives. Not only have smartphones replaced landlines but also in some cases, smartphones have replaced the need for a computer or a laptop. There are many features now offered by a smartphone that can perform several tasks computers could earlier do that.
Although mobile phones have become a helpful gadget in an individual’s life, yet it additionally has turned into a device for crimes. With the colossal growth of the mobile device market, the possibility of using them in committing crimes has also increased significantly. When it comes to unmasking, testing, and submitting evidence in criminal investigations today, mobile phones play a vital role. The data we store on our smartphones include photos, call logs, videos, contact details, messages, chats, notes, calendar events, etc. This data in the digital world provides a means of useful evidence to the investigators to reach the perpetrator. Mobile Forensics (subdomain of Digital Forensics), ‘deals with the acquisition, analysis, and recovery of digital evidence or data from mobile devices that is of investigative importance.’
According to Lutes and Mislan [1], there are four ways in which a mobile phone can be tied to crime:
- As a communication tool in the process of committing a crime.
- As a storage device providing evidence of a crime.
- As a container of victim information.
- As a means of committing a crime.
Potential Evidence Stored in Mobile Device
It can store the data on a mobile phone in major three locations i.e. SIM card, internal phone memory, and external storage card.
Evidence in SIM card
- Integrated Circuit Card Identifier (ICCID): Each SIM is recognized by a unique coordinated circuit card identifier globally. ICCID length is 20 digits.
- International Mobile Subscriber Identity (IMSI): Each SIM has a one-of-a-kind identifier on every individual system supplier. IMSI measure is 15 digits. It comprises three sections, including the Mobile Country Code, Mobile Network Code, and Mobile Station Identification Number.
- The Mobile Station International Subscriber Directory Number (MSISDN) is the telephone’s 15-digit unique number comprising three sections, namely, Country Code, National Destination Code, and Subscriber Number.
- Contacts saved on the SIM last dialed numbers
- SMS information.
Evidence in internal phone memory
- Mobile Device Data: such as detected maker, detected model, IMEI, phone date/time, and so forth.
- Address book: contains the contact names, numbers, email addresses, etc.
- Call logs: calls made, received, missed, and the duration of the calls.
- SMS and MMS
- Photos and videos: pictures and videos that are captured, downloaded, and transferred from other devices.
- Audio: downloaded or transferred from other devices.
- Documents: created using the device’s applications, those downloaded from the Internet and transferred from other devices.
- Calendar: calendar events and appointments.
- Social networking data: contains data stored by social media apps such as Facebook, Twitter, WhatsApp, etc
- Uncategorized data files
- Cloud data sources
External storage card (such as SD card)
- User-created files and documents
- Applications
- Backup data
Mobile Phone Data Extraction Techniques / Methods
Source- ScienceDirect.com
The above figure represents the “cellular phone tool leveling pyramid” developed by Sam Brothers with the objective to enable an examiner to categorize the forensic tools based upon the examination methodology of the tool. Starting at the bottom and moving upward into the pyramid, the methods become more technical, complex, and require longer analysis times. There are pros and cons of performing an analysis at each layer. The forensic examiner should be aware of it and should only proceed with the level of extraction that is required. Evidence can be destroyed completely if the given method or tool is not properly used. This risk increases as we move up into the pyramid.
The following are the ways available in a forensic tool for mobile device data extraction.
- Manual Acquisition
The investigator manually performs the acquisition by directly looking and browsing the contents of the mobile device to find potential evidence. Manual extraction introduces a greater degree of risk in the form of human error and there is a chance of deleting the evidence. It is easy to perform and only acquires the data that appears on a mobile phone.
- Logical Acquisition
It is a process of bit-by-bit copying of logical storage objects (e.g., directories and files). Logical acquisition is performed using the device manufacturer application–a programming interface for synchronizing the contents of the phone with a computer. It extracts allocated data and is typically achieved by accessing the file system. Allocated data means that the data is not deleted and still accessible in the file system. This method does not recover data in unallocated space.
- File System Acquisition
It gains data by relying on software to access the device’s memory; however, rather than obtaining a comprehensive bit-for-bit image that includes unallocated space, the software extracts only the device’s file system contents. This will extract everything from the logical acquisition, plus system files or hidden files that are invisible to the user but maintained within the file system.
- Physical Acquisition
In this method, a bit-by-bit copy of the entire file system is made. It extracts the data directly from the mobile device’s flash memory. After the data is extracted, the memory dump is decoded. This type of extraction enables the maximum amount of deleted data to be recovered. It is usually the most difficult extraction type to achieve, as the manufacturers of mobile devices secure against the arbitrary reading of the device’s memory. The process is also called Hex Dump.
Types of Physical Acquisitions: Most of the devices in the market don’t support physical extraction unless the user has root privileges. To overcome such challenges, extraction is performed by using techniques such as:
- JTAG – Joint Test Action Group: JTAG (Joint Test Action Group) involves using advanced data acquisition methods at the hardware level, which is done by connecting to specific ports on the device and transferring the data. The device may be damaged if handled improperly. JTAG method is generally used with devices that are operational but are inaccessible using standard tools.
- Chip-off: It refers to the acquisition of data directly from the device’s memory chip. At this level, the chip is physically removed from the device and a chip reader or a second phone is used to extract data stored on it. This method is more technically challenging as a wide variety of chip types are used in mobiles. The process is expensive and requires hardware-level knowledge as it involves the de-soldering and heating of the memory chip. Improper procedures may damage the memory chip and render all data unsalvageable. This type of acquisition usually damages the device.
- Micro Read: It involves manually viewing and interpreting data seen on the memory chip. The examiner uses an electron microscope and analyzes the physical gates on the chip and then translates the gate status to 0s and 1s to determine the resulting ASCII characters. The whole process is time-consuming, and requires extensive knowledge and training on flash memory and the file system. This method can extract data from physically damaged chips also but is very expensive.
Comparison of above data acquisition types is given below:
Comparison of Logical, File System and Physical Acquisition Methods [2]
Conclusion
Methods for data acquisition from mobile phones mainly depend upon the condition, model, time, and nature of the case. Hence, there is no such thing as ‘one universal technique’ applicable to all mobile device investigations. One must adopt the techniques after assessing the situation and type of evidence asked for. All the mobile forensic tools are available in the market work based on the above techniques. To decide which tool to use and which extraction method to apply may vary from one device to another (based on its operating system or model). A good forensic examiner is one who will try a combination of tools and methods to extract the maximum amount of data and not rely on just one tool/technique for evidence extraction.
References
- Lutes, K.D. and Mislan, R.P., 2008. Challenges in mobile phone forensics. In Proceeding of the 5th International Conference on Cybernetics and Information Technologies, Systems and Applications (CITSA).
- Venkateswara Rao, V. and Chakravarthy, A.S.N., 2016. Survey on android forensic tools and methodologies. International Journal of Computer Applications, 154(8), pp.17-21
- https://www.sciencedirect.com/topics/computer-science/mobile-forensics
- https://www.connectel.in/importance-of-mobile-forensics/