Historically, back in 1984, the FBI and many other law enforcement agencies began modeling the examination of digital evidences based on the earlier versions of computers, and the first digital forensic process model was Computer Forensic Investigation Process (CFIP). CFIP was first presented in 1995 by M. M. Pollitt (M. M. Pollitt. (1995). Computer Forensics: An Approach to Evidence in Cyberspace), and this model focuses exclusively on the result, in other words the model focuses principally on data acquisition and how reliable and legally acceptable this data is.

The Computer Forensic Investigation Process model is conducted in 4 stages:

CFIP model

Acquisition is a technical problem, which is not free from the legal aspect, and data acquired must answer three main questions: what can be sized, from whom, and from where can it be sized. This means that digital evidence must be acquired in an acceptable manner with the necessary approvals from concerned authorities. This stage is followed by the Identification phase; as in this model, this phase is subdivided in to a three step process: defining the physical form of data, defining the data's logical position, and then placing this data (evidence) in its correct context. Digital evidence follows the path shown here:

Digital evidence Identification process

The Evaluation stage consists of placing the gathered data in its proper context and this is as legal as a technical task. At this point of the forensic process, we can determine if the acquired information is relevant and can be described as legitimate evidence in the case being investigated or not. Finally, the Admitting process includes admitting the extracted data as legal evidence and presenting it in the court of law.

In 2001, the first Digital Forensic Research Workshop (DFRWS) (http://www.dfrws.org/2001/dfrws-rm-final.pdf) was held to produce and define a scientific methodology to drive digital forensics to produce a reliable framework (it's dubbed as Investigative Process for Digital Forensic Science) to drive the majority of digital investigation cases, and the result was a six stage linear process. Each step or stage is defined as a category or class and each class has candidate methods belonging to that category.

Investigative Process for Digital Forensic Science (DFRWS)

As seen in the preceding diagram, the DFRWS model starts with the Identification stage, which is subdivided to tasks such as event detection, signature resolving, profile detection, anomalous detection, complaints, system monitoring, and audit analysis. This stage is followed by Preservation, which is a candidate for four tasks; they are setting up case management, managing technologies, ensuring a chain of custody, and time synchronization. Collection comes next, as the third phase in which data is collected according to approved methods, using approved software/hardware and under legal authority; this phase is also based on lossless compression, sampling, data reduction, and data recovery techniques. After collection, comes Examination, which is directly followed by the Analysis phase, where very important tasks are performed and evidences are traced, validated, and filtered. Data mining and timeline analyses are done as well. At this stage, the hidden and encrypted data is discovered and extracted. The stage that comes after this is Presentation, in which documentation, clarification, expert testimony, mission impact statement, and recommended countermeasures are presented. However, this model is open to criticism regarding the use of the collection and preservation stages and if one is an actual subcategory of the other.

Being a more generic framework, DFRWS inspired researchers in the US Air Force in 2002 to present the Abstract Model of the Digital Forensic Process (M. Reith, C. Carr & G. Gunsh. 2002. An Examination of Digital Forensics Models) or Abstract Digital Forensics Model (ADFM), which is meant to be an enhanced DFRWS model with adding three more stages added to the existing process: Preparation, Approach Strategy, and Returning Evidence, leading to the following nine phases:

Abstract Digital Forensics Model

The actual added value of this model is the introduction of the pre/post-investigation approaches, before any exercise and after identifying the type of the incident: preparing tools, techniques and searching warrants, and securing management support, followed by the approach strategy, which is meant to dynamically establish an approach to collect the maximum amount of evidence without impacting the victim. However, this phase is criticized for being a duplicate of the second stage, since preparing to respond to an incident will likely end with preparing for an "approach strategy". Lastly, returning evidence shows the importance of safely storing evidence removed from the scene in order to return it back to the owner.

The Abstract Digital Forensics Model ignored the importance of chain of custody, but authors of this model assumed that a chain of custody is obviously maintained through an investigation process and is implied in any forensic model.

In 2003, Brian Carrier and Eugene H. Spafford (Carrier, B., & Spafford, E. H. 2003. Getting Physical with the Digital Investigation Process. The International Journal of Digital Evidence) introduced an Integrated Digital Investigation Process (IDIP), which is an integration of digital forensics to physical investigation; it's a framework based on the available processes of physical crime scene investigation.

The main idea of this model is to consider a digital crime scene as a "virtual crime scene" and to apply adapted crime scene investigation techniques. This model is macroscopically composed of five stages, consisting microscopically of 17 stages.

The following diagram shows the five macroscopic stages of an IDIP model:

The five macroscopic stage of IDIP model

Physical and digital crime scenes are processed together and digital forensics are fed into a physical investigation.

The Readiness Phase ensures that human competences and technical infrastructures are able to fully carry the whole investigation process; this stage is subdivided into two phases:

The first stage is followed by Deployment phase, the goal of this stage is to provide a mechanism to detect and confirm an incident, and this stage is also subdivided in to two phases:

The Physical Crime Scene Investigation Phase which come after the first phase, is when the investigation itself begins with the goal of collecting and analyzing the physical evidences to reconstruct actions that first took place. This stage is subdivided into six phases that are typical to real cases' post-physical crime investigation process and are described in the following diagram:

Physical Crime Scene Investigation

This stage is followed by a similar stage of a digital context focusing on digital evidence within a "virtual" digital environment. The Digital Crime Scene Investigation Phases follows the previously presented path by considering any smartphone (or other digital device) as a separate crime scene.

Digital Crime Scene Investigation

It is subdivided into the following phases:

The final stage of the whole model is the Review Phase, and it is a kind of self-criticism in which the whole process is reviewed to determine how well the investigation process went right or wrong and to detect the improvement points.

This model presents many similarities with the previously presented models and can easily be considered as an enhanced model of both; nevertheless, the IDIP model is way too abstract and the interaction between physical and digital investigations may not be applicable in many cases.

By the same year, that is, 2003, Peter Stephenson (Stephenson, P. 2003. A Comprehensive Approach to Digital Incident Investigation) reviewed the DFRWS framework and translated it into a "more" practical investigative process dubbed as the End-To-End Digital Investigation (EEDI) process by extending the existing process into nine stages. It's called end-to-end because in his model, Stephenson considers that "every digital crime has a source point, a destination point, and a path between those two points".

The model itself is schematized as follows:

The basic End-to-End Digital Investigation process

EEDI can be considered as a layer applied to the DFRWS model. Depending on the cases, the whole EEDI process is applied to each class of the DRFWS model (refer to the diagram in the Digital Forensic Research Workshop section). This model defines the critical steps to be performed in order to correctly preserve, collect, and analyze digital evidence. In the Collecting Evidence phase, primary and secondary evidence is collected and taken in their respective contexts. The context here is related to an event's time sensitivity, which brings us to the second step of this process, Analysis of Individual events, where each individual event is isolated and analyzed separately to determine how it can be tied with other events and to consider the potential value it can add, or they can add, to the overall investigation. This is followed by the Preliminary Correlation step, in which individual events are linked with each other to determinate a primary chain of evidence in order to determine what happened, when, and which devices were involved.

Event normalization is a step that mainly aims to remove redundancy in evidentiary data assuming that the same events can be reported separately from different sources using multiple vocabularies. As an extension to the normalization, irrespective of how and from where they were reported, the same evidentiary events are combined into one evidentiary event in the Event deconfliction step; at this stage, all the events and evidentiary events are refined and a Second level correlation can be performed. The previously outlined steps result in a timeline, which is defined in the Timeline analysis step. The timeline analysis is an iterative task, which lasts as long as the investigation lasts. The Chain of evidence construction can begin based on the result of the timeline of events; theoretically, a coherent chain is developed when each evident will lead to the other and this is what is meant to be done in this step. The last phase of this model is Corroboration, where digital investigators support, strengthen, and confirm each evidence, within the chain of evidences previously developed, with other independent or traditional events and evidence collected in the case of a digital forensic investigation being conducted with the support of a group of investigators outside the digital forensic unit.

In 2004, four models were developed: the Enhanced Integrated Digital Investigation Process, invented by Baryamureeba and Tushabe containing 21 phases; Séamus Ó Ciardhuáin presented an Extended Model of Cybercrime Investigation with 13 activities to follow; followed by a six phase Hierarchical, Objective-based Framework that was invented by Beebe and Clark. The same year, Carrier and Spafford announced the Event-based Digital Forensic Investigation Framework and detailed the 16 phases to follow.

Approximately each year, at least one new forensic model is developed and according to the pace at which the digital world rises, researchers keep trying to give birth to "the perfect" forensic model.

Considering the space allocated to this chapter, I will jump directly to 2011; A. Agarwal, M. Gupta, S. Gupta, and S. C. Gupta came up with the Systemic Digital Forensic Investigation (SRDIFM) model (A. Agarwal, M. Gupta, S. Gupta, and S. C. Gupta. Systematic digital forensic investigation model). This model is similar to most of the previously presented models; it has common phases and some specific phases adapted to the model requirement. SRDIFM is composed of 11 phases: preparation, securing the scene, survey and recognition, documentation of the scene, shielding, volatile and non-volatile evidence collection, preservation, examination, analysis, presentation, result, and review.

The following diagram schematizes the model:

Phases of Systematic Digital Forensic Investigation Model (SRDFIM)

The first step of this model is Preparation, which is before the process of investigation and involves obtaining prior legal authorization. An initial understanding of the case will be investigated in order to prepare the adequate human and technical resources before going any further in the process of investigation. It's followed by Securing the Scene this phase aims principally to keep data integrity intact and to minimize possible data corruption. The Survey and Recognition phase comprises of tasks to elaborate an initial plan to collect and analyze evidence where, potential sources of evidences must be identified, including sources other than the main smart device itself; for example the presence of a personal computer in the scene means that there is a chance to find smartphone related data synchronized with it.

The next phase is known as Documentation of Scene, in which crime scene mapping is done and every electronic device within the scene is documented; this includes the device itself, its power adaptor, external memory cards, cradle, and everything else related to the device. Before starting evidence collection, Communication Shielding is important in order to be sure that there is no risk of damaging the current evidence; RF isolation, Faraday shielding, or cellular jammers are usually used to isolate devices from interacting with the environment. Now Evidence Collection comes into the picture; differentiating volatile and non-volatile collection is important and requires proper guidelines. At this phase, for example, investigators must maintain the device if it's turned on and running out of battery, otherwise imaging the device memory must be done quickly and properly using appropriate tools.

Next is the Preservation phase, wherein the evidence is securely stored and the device is properly packaged and transported. The collected evidence is analyzed and filtered; the integrity of data must also be guaranteed and the use of the hashing function to confirm this is conducted in the Examination step. The Analysis phase comes just after and is kind of an examination extension. In this phase, a more technical review is conducted based on the results of the previous phase; at this stage, the more advanced research is done, such as hidden data analysis, data recovery, and file decryption. The results of this phase must be documented to help in the achievement of the final reports that will summarize the whole process in the Presentation phase. Finally, the Result phase, just like in the IDIP model, is meant to be an open door to review the result of the whole process in order to find any points for improvements.

The SRDIFM model is interesting as it's more practical and presents some flexibility, which is not necessarily found within the other models; however, by adding more phases, the model increases the timeline of the process and its complexities.

In contrast to computers, major smartphone operating systems can vary significantly from one smartphone to another; each Android, iOS, WP, or Blackberry version can be found in any smartphone and tablet on the market. Operating system updates are very frequent among vendors and major updates are usually released every quarter. The main issue regarding this is keeping up with these environment changes; this issue is accentuated by the fact that major OS and forensic tools developers consider their respective developments trade secret and do not release information regarding the low-level working of their codes.

In addition to this, the growth of "less common" operating systems, such as Windows Phone requires lot of forensic experience.

By definition, a smartphone is a portable device and is meant to have a wide set of functionalities. The hardware architecture of smartphones is significantly different from computers and it also varies from one mobile manufacturer to another.

A smartphone device is typically composed of a microprocessor, main board, ROM and RAM memories, touch screen and/or keyboard, radio module and/or antenna, display unit, microphone and speakers, digital camera, and GPS device. The operating system is stored in general in a ROM and can be flashed or updated according to the hardware or operating system.

The same manufacturer usually produces highly customized operating systems to fit hardware specifications. Depending on phone providers, manufacturers may customize the same device to suit the demand. The replacement cycle for smartphones and customers' smartphone upgrades are the shortest relative to other devices, thus forensic examiners must have hundreds of adapters and power cords based on the type of hardware.

Different operating systems and different hardware means different ways of storing data and running different filesystems. The same application running under Android, for example, is way different from its similar application running under iOS.

A variety of file formats and data structures are adopted depending on the manufacturer; this fact significantly complicates the decoding, parsing, and carving of information.

This difference in filesystems means that forensic tools are not able to process some files and must be updated very frequently in order to assume OS updates, otherwise forensic examiners might have to process data and device images manually.

A smartphone's built-in security features are present at many levels to protect user data and privacy. User locks in today's smartphones can vary from simple four-digit PINs to more complex and long passcodes, as it may consist of pattern-locks; the newest smartphone models can even have fingerprint locks and use biometrics to identify the user. It's true that some commercially available tools offer password extraction or lock screen bypassing, but this is not available for every device. Some smartphones (with or without the help of third-party applications) can offer password protection to individual files, file types, or directories; in this case, sensitive data such as SMS, e-mails, and photos can be individually protected. Newer OS versions offer full-disk encryption, which can be a real pain to decrypt in a scenario of data acquisition. Smartphone operating systems also offer application sandboxing, meaning that every individual application cannot directly access the space allocated to another application or to system resources, thus each application is installed in its own sandbox directory; this way, data within the sandbox is guaranteed some level of protection.

Data wiping is not data deletion; wiped data cannot be recovered or be recovered easily. Encrypted data can be wiped with a variety of methods depending on the smartphone configuration; data can be wiped via desktop managers or after entering a wrong password for a predefined number of times. Encrypted data can be wiped remotely in most modern smartphones: Blackberry devices can be remotely wiped via BlackBerry Enterprise Server, iPhone devices via iCloud, Android devices can be wiped via Google Sync, and Windows Phone devices via the Find My Phone service. At this point, the isolation phase of mobile forensics is important.

A lot of important evidentiary data resides within a smartphone in a volatile way, which adds an important consideration while seizing a device. Smartphones add this constraint to forensic examiners; seized devices must be kept turned on and isolated to prevent data loss or overwriting present data.

For the sake of memory, storage space saving, or for back-up purposes, today's devices store lot of important data on the cloud; e-mails, photos, videos, files, notes, and so on are not necessarily preserved within the internal memory of the device, especially relatively old data.

Most vendors offer some GBs free of charge in order to achieve this and data, in most cases, is automatically synchronized with some account in the cloud. Android data is sent to Google, iPhone data is sent to iCloud, and Windows Phone data is synchronized with OneDrive. In addition to this, some third-party services are also offered to a certain point free of charge, such as Dropbox. In some cases, gathering evidence is not necessarily a technical task but also, and above all, a legal one, as demands must be addressed by cloud storage services for us to receive the desired data.

Today's climbing necessity of advanced smartphone forensic skills is indisputable, and smartphone investigation has become more challenging, tools are rapidly outdated, and the scope they cover in each case is smaller. Analysis, coding, and understanding and handling low level techniques are now "must have" skills for today's smartphone investigators and are, nowadays, more important than ever.