Challenges in mobile forensics
With the increased usage of Android devices and the wider array of communication platforms that they support, demand for forensic examination has automatically grown. While working with mobile devices, forensic analysts face a number of challenges. The following points shed light on some of the mobile forensics challenges faced today:
- Preventing data alteration on the device: One of the fundamental rules to remember in forensics is to not modify the evidence. In other words, the forensic techniques that are applied to a device to extract any information should not alter the data present on the device. But this is not practical with respect to mobile forensics, because simply switching ON a device might also change certain state variables that are present on the device. With mobile devices, background processes always run, and a sudden transition from one state to another can result in the loss or modification of data. Therefore, there is a chance that data may be altered either intentionally or unintentionally by the forensic analyst. In addition to this, there is a high possibility that an attacker can remotely change or delete the content present on the device. As mobile phones use different communication channels (cellular, Wi-Fi, Bluetooth, infrared, and so on), the possibility of communicating through any of them should be eliminated. Features such as remote data wiping would enable an attacker to remotely wipe the entire device just by sending an SMS or by simply pressing a button that sends a wipe request to the Android device. Unlike computer forensics, mobile device forensics requires more than just isolating the device from the network.
- Wide range of operating systems and device models: The wide range of mobile operating systems available in the market makes the life of a forensic analyst more difficult. Although Android is the most dominant operating system in the mobile world, there are mobile devices that run on other operating systems, including iOS, Blackberry, Windows, and so on, which are often encountered during investigations. Also, for a given operating system, there are millions of mobile devices available that differ in OS versions, hardware, and various other features. For example, within the Android operating system, there are around 10 versions, and for each version, there are different customizations made by different manufacturers. Based on the manufacturer, the approach to acquiring forensic artifacts changes. To remain competitive, manufacturers release new models and updates so rapidly that it's hard to keep track of all of them. Sometimes, within the same operating system, the data storage options and file structures also change, making it even more difficult. There is no single tool that can work on all the available types of mobile operating systems. Therefore, it is crucial for forensic analysts to remain updated on all the latest changes and techniques.
- Inherent security features: As the concept of "privacy" is increasingly gaining importance, mobile manufacturers are moving towards implementing robust security controls on devices, which complicates the process of gaining access to the data. For example, if the device is passcode protected, the forensic investigator has to first find a way to bypass the passcode. Similarly, full disk encryption mechanisms that are implemented on some of the latest devices prevent law enforcement agencies and forensic analysts from accessing the information on the device. Apple's iPhone encrypts all the data present on the device by default, using hardware keys built into the device. It is very difficult for an examiner to break these encryption mechanisms using techniques such as brute force.
- Legal issues: Mobile devices can be involved in crimes that span across the globe and can cross geographical boundaries. In order to tackle these multijurisdictional issues, the forensic examiner needs to be aware of the nature of the crime and also regional laws.