Mobile Forensics
Mobile forensics is a branch of digital forensics related to the recovery of digital evidence from a mobile device under forensically sound conditions.
Forensically sound is an extensively used term in the digital forensics community to qualify and justify the use of a particular forensic technology or methodology. The main principle of a forensically sound examination of digital evidence is that the original evidence must not be modified.
This is extremely difficult with mobile devices. Some forensic tools require a communication vector with the mobile device, and thus a standard write protection will not work during forensic acquisition. This means that in cases where the examination or data acquisition is not possible without changing the configuration of the device, the procedure and the changes must be tested, validated, and documented.
Challenges of Mobile Forensics
Market fragmentation
New devices
New OS
Passcode/Pattern Lock/Touch/Face ID -> Protection mechanisms present challenges
Millions of applications -> for some of those apps there are automatic data parsers; for others you need to manually extract data from the app's sandbox.
Gigabytes of data
Data stored on the Cloud -> content is often stored remotely, which makes it harder to recover data from the device.
The first three points highlight the dynamism of the mobile world and the challenges it brings: forensic tools and techniques constantly need to catch up.
Phases of Investigation of Mobile Forensics
Collection
E.g. a user leaves the company and gives the phone back, or a police officer finds a mobile device at the crime scene. Typically law enforcement is involved -> it is important to document the device state and what is being done: for example whether it was on or off, whether it has a passcode, whether the user consented to provide the passcode, etc.
It is also important to look for peripherals and to work with them as well (e.g. smartwatch, tablet, IoT devices).
Evidence Handling
Traditional forensics (DNA, fingerprints, etc.) takes priority. If the device is powered on it is important to keep it awake using the least invasive methods possible (to avoid contamination), such as manually interacting with the screen.
Identification
First we need to check the IMEI of the smartphone, from which a wide range of information can be deduced, such as:
Device warranty status: the manufacturer may hold some information; for example an Apple repair shop may have made a backup during a warranty service.
Chipset: knowing which chipset a device runs can be really useful because it may have vulnerabilities that can be exploited. This matters because, for example, physical acquisition requires root access on the device due to device encryption.
Acquisition
Logical Acquisition
Simple and fast, good for a preview/quick look. Typically:
requires the passcode/pattern lock
requires the installation of an agent
doesn't recover deleted data
File System Acquisition
Exploits device backup features (e.g. via the MTP/AFC protocols). Typically:
Can be partial or full
Requires the passcode/pattern lock
Allows recovering deleted data stored inside other files (e.g. deleted records in SQLite databases).
Physical Acquisition
It exploits vulnerabilities of specific hardware/software (e.g. rooting/jailbreaking). Typically accomplished via engineering bootloaders or flasher boxes. It generates a traditional bitstream image and allows recovering:
Deleted data stored inside other files (e.g. deleted records in SQLite databases)
Deleted files (unless FDE/FBE is in use, e.g. on iOS / Oreo)
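The "deleted records in SQLite databases" case mentioned under file system and physical acquisition, as an added example that is not part of these notes: a small Python script builds a constructed chat-style SQLite database with secure_delete turned off, deletes one row, and then carves the deleted message back out of the page free space by parsing the SQLite file format directly (table, column and message values are all constructed for the demo).

```python
import os, re, sqlite3, struct, tempfile

PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")  # runs of 4+ printable ASCII bytes

def build_sample_db(path):
    """Constructed sample: a chat-style table from which one message is deleted.
    secure_delete is forced OFF so the freed cell keeps its old bytes."""
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA secure_delete = OFF")
    conn.execute("CREATE TABLE messages(id INTEGER PRIMARY KEY, sender TEXT, body TEXT)")
    conn.executemany("INSERT INTO messages(sender, body) VALUES (?, ?)", [
        ("alice", "meet at the warehouse tonight"),
        ("bob", "DELETED_SECRET_TOKEN_42"),  # this row is deleted below
        ("carol", "bring the documents")])
    conn.commit()
    conn.execute("DELETE FROM messages WHERE sender = 'bob'")
    conn.commit()
    conn.close()

def carve_deleted_strings(path):
    """Printable strings in the free space of each table b-tree leaf page (the
    freeblock chain plus the unallocated gap before the cell content area). Live
    cells are never scanned; overflow pages and WAL/journal files are not handled."""
    with open(path, "rb") as f:
        data = f.read()
    page_size = struct.unpack(">H", data[16:18])[0]
    page_size = 65536 if page_size == 1 else page_size  # 1 encodes 64 KiB
    found = []
    for pno in range(len(data) // page_size):
        page = data[pno * page_size:(pno + 1) * page_size]
        hdr = 100 if pno == 0 else 0  # page 1 begins with the 100-byte file header
        if page[hdr] != 0x0D:  # 0x0D marks a leaf table b-tree page
            continue
        first_free, ncells, content = struct.unpack(">HHH", page[hdr + 1:hdr + 7])
        gap = page[hdr + 8 + 2 * ncells:content or page_size]  # unallocated region
        found += [s.decode() for s in PRINTABLE.findall(gap)]
        seen, off = set(), first_free
        while off and off not in seen and off + 4 <= page_size:  # walk the freeblock chain
            seen.add(off)
            nxt, size = struct.unpack(">HH", page[off:off + 4])
            found += [s.decode() for s in PRINTABLE.findall(page[off + 4:off + size])]
            off = nxt
    return found

def demo():
    fd, path = tempfile.mkstemp(suffix=".db")  # throwaway file for the sample
    os.close(fd)
    build_sample_db(path)
    hits = carve_deleted_strings(path)
    os.remove(path)
    return hits
```

The carved strings carry a couple of leftover record-header bytes in front of the text, which is why the check below looks for the token as a substring; with secure_delete on (the default in some app builds) the same scan returns nothing, since the freed bytes are zeroed.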