Practical mobile forensic approaches
Similar to any forensic investigation, there are several approaches that can be used for the acquisition and examination/analysis of data from mobile phones. The type of mobile device, the operating system, and the security setting generally dictate the procedure to be followed in a forensic process. Every investigation is distinct with its own circumstances, so it is not possible to design a single definitive procedural approach for all the cases. The following details outline the general approaches followed in extracting data from mobile devices.
Mobile operating systems overview
One of the major factors in the data acquisition and examination/analysis of a mobile phone is the operating system. Starting from low-end mobile phones to smartphones, mobile operating systems have come a long way with a lot of features. Mobile operating systems directly affect how the examiner can access the mobile device. For example, Android OS gives terminal-level access whereas iOS does not give such an option. A comprehensive understanding of the mobile platform helps the forensic examiner make sound forensic decisions and conduct a conclusive investigation. While there is a large range of smart mobile devices, four main operating systems dominate the market, namely, Google Android, Apple iOS, RIM BlackBerry OS, and Windows Phone. More information can be found at http://www.idc.com/getdoc.jsp?containerId=prUS23946013. This book covers forensic analysis of these four mobile platforms. The following is a brief overview of leading mobile operating systems.
Android
Android is a Linux-based operating system, and it's a Google open source platform for mobile phones. Android is the world's most widely used smartphone operating system. Sources show that Apple's iOS is a close second (http://www.forbes.com/sites/tonybradley/2013/11/15/android-dominates-market-share-but-apple-makes-all-the-money/). Android has been developed by Google as an open and free option for hardware manufacturers and phone carriers. This makes Android the software of choice for companies who require a low-cost, customizable, lightweight operating system for their smart devices without developing a new OS from scratch. Android's open nature has further encouraged the developers to build a large number of applications and upload them onto Android Market. Later, end users can download the application from Android Market, which makes Android a powerful operating system. More details on Android are covered in Chapter 7, Understanding Android.
iOS
iOS, formerly known as the iPhone operating system, is a mobile operating system developed and distributed solely by Apple Inc. iOS is evolving into a universal operating system for all Apple mobile devices, such as iPad, iPod touch, and iPhone. iOS is derived from OS X, with which it shares the Darwin foundation, and is therefore a Unix-like operating system. iOS manages the device hardware and provides the technologies required to implement native applications. iOS also ships with various system applications, such as Mail and Safari, which provide standard system services to the user. iOS native applications are distributed through AppStore, which is closely monitored by Apple. More details about iOS are covered in Chapter 2, Understanding the Internals of iOS Devices.
Windows phone
Windows phone is a proprietary mobile operating system developed by Microsoft for smartphones and pocket PCs. It is the successor to Windows mobile and primarily aimed at the consumer market rather than the enterprise market. The Windows Phone OS is similar to the Windows desktop OS, but it is optimized for devices with a small amount of storage. Windows Phone basics and forensic techniques are discussed in Chapter 12, Windows Phone Forensics.
BlackBerry OS
BlackBerry OS is a proprietary mobile operating system developed by BlackBerry Ltd., known as Research in Motion (RIM), exclusively for its BlackBerry line of smartphones and mobile devices. BlackBerry mobiles are widely used in corporate companies and offer native support for corporate mail via MIDP, which enables wireless sync with Microsoft Exchange, e-mail, contacts, calendar, and so on, while used along with the BlackBerry Enterprise server. These devices are known for their security. BlackBerry OS basics and forensic techniques are covered in Chapter 13, BlackBerry Forensics.
Mobile forensic tool leveling system
Mobile phone forensic acquisition and analysis involves manual effort and the use of automated tools. There are a variety of tools that are available for performing mobile forensics. All the tools have their pros and cons, and it is fundamental that you understand that no single tool is sufficient for all purposes. So understanding the various types of mobile forensic tools is important for forensic examiners. When identifying the appropriate tools for the forensic acquisition and analysis of mobile phones, a mobile device forensic tool classification system (shown in the following figure) developed by Sam Brothers comes in handy for the examiners.
The objective of the mobile device forensic tool classification system is to enable an examiner to categorize the forensic tools based upon the examination methodology of the tool. Starting at the bottom of the classification and working upward, the methods and the tools generally become more technical, complex, and forensically sound, and require longer analysis times. There are pros and cons of performing an analysis at each layer. The forensic examiner should be aware of these issues and should only proceed with the level of extraction that is required. Evidence can be destroyed completely if the given method or tool is not properly utilized. This risk increases as you move up in the pyramid. Thus, proper training is required to obtain the highest success rate in data extraction from mobile devices.
Each existing mobile forensic tool can be classified under one or more of the five levels. The following sections contain a detailed description of each level.
Manual extraction
This method involves simply scrolling through the data on the device and viewing the data on the phone directly through the use of the device's keypad or touchscreen. The information discovered is then photographically documented. The extraction process is fast and easy to use, and will work on almost every phone. This method is prone to human error, such as missing certain data due to unfamiliarity with the interface. At this level, it is not possible to recover deleted information and grab all the data. There are some tools that have been developed to aid an examiner to easily document a manual extraction.
Logical extraction
Logical extraction involves connecting the mobile device to forensic hardware or to a forensic workstation via a USB cable, RJ-45 cable, Infrared, or Bluetooth. Once connected, the computer initiates a command and sends it to the device, which is then interpreted by the device processor. Next, the requested data is received from the device's memory and sent back to the forensic workstation. Later, the examiner can review the data. Most of the forensic tools currently available work at this level of the classification system. The extraction process is fast, easy to use, and requires little training for the examiners. On the flip side, the process may write data to the mobile and might change the integrity of the evidence. In addition, deleted data is almost never accessible.
Hex dump
A hex dump, also referred to as a physical extraction, is achieved by connecting the device to the forensic workstation and pushing unsigned code or a bootloader into the phone and instructing the phone to dump memory from the phone to the computer. Since the resulting raw image is in binary format, technical expertise is required to analyze it. The process is inexpensive, provides more data to the examiner, and allows the recovering of the deleted files from the device-unallocated space on most devices.
Chip-off
Chip-off refers to the acquisition of data directly from the device's memory chip. At this level, the chip is physically removed from the device and a chip reader or a second phone is used to extract data stored on it. This method is more technically challenging as a wide variety of chip types are used in mobiles. The process is expensive and requires hardware level knowledge as it involves the de-soldering and heating of the memory chip. Training is required to successfully perform a chip-off extraction. Improper procedures may damage the memory chip and render all data unsalvageable. When possible, it is recommended that the other levels of extraction are attempted prior to chip-off since this method is destructive in nature. Also, the information that comes out of memory is in a raw format and has to be parsed, decoded, and interpreted. The chip-off method is preferred in situations where it is important to preserve the state of memory exactly as it exists on the device. It is also the only option when a device is damaged but the memory chip is intact.
The chips on the device are often read using the Joint Test Action Group (JTAG) method. The JTAG method involves connecting to Test Access Ports (TAPs) on a device and instructing the processor to transfer the raw data stored on memory chips. The JTAG method is generally used with devices that are operational but inaccessible using standard tools.
Micro read
The process involves manually viewing and interpreting data seen on the memory chip. The examiner uses an electron microscope and analyzes the physical gates on the chip and then translates the gate status to 0's and 1's to determine the resulting ASCII characters. The whole process is time consuming and costly, and it requires extensive knowledge and training on flash memory and the file system. Due to the extreme technicalities involved in micro read, it would be only attempted for high-profile cases equivalent to a national security crisis after all other level extraction techniques have been exhausted. The process is rarely performed and is not well documented at this time. Also, there are currently no commercial tools available to perform a micro read.
Data acquisition methods
Data acquisition is the process of imaging or otherwise extracting information from a digital device and its peripheral equipment and media. Acquiring data from a mobile phone is not as simple as a standard hard drive forensic acquisition. The following points break down the three types of forensic acquisition methods for mobile phones: physical, logical, and manual. These methods may have some overlap with a couple of levels discussed in the mobile forensics tool leveling system. The amount and type of data that can be collected will vary depending on the type of acquisition method being used.
Physical acquisition
Physical acquisition of mobile phones is performed using mobile forensic tools and methods. Physical extraction acquires information from the device by direct access to the flash memory. The process creates a bit-for-bit copy of an entire file system, similar to the approach taken in computer forensic investigations. A physical acquisition is able to acquire all of the data present on a device including the deleted data and access to unallocated space on most devices.
Logical acquisition
Logical acquisition of mobile phones is performed using the device manufacturer application-programming interface for synchronizing the phones contents with a computer. Many of the forensic tools perform a logical acquisition. However, the forensic analyst must understand how the acquisition occurs and whether the mobile is modified in any way during the process. Depending on the phone and forensic tools used, all or some of the data is acquired. A logical acquisition is easy to perform and only recovers the files on a mobile phone and does not recover data contained in unallocated space.
Manual acquisition
With mobile phones, physical acquisition is usually the best option, and logical acquisition is the second-best option. Manual extraction should be the last option when performing the forensic acquisition of a mobile phone. Both logical and manual acquisition can be used to validate findings in the physical data. During manual acquisition, the examiner utilizes the user interface to investigate the contents of the phone's memory. The device is used normally through a keypad or touchscreen and menu navigation, and the examiner takes pictures of each screen's contents. Manual extraction introduces a greater degree of risk in the form of human error, and there is a chance of deleting the evidence. Manual acquisition is easy to perform and only acquires the data that appears on a mobile phone.