REPRODUCIBILITY OF EVIDENCE IN THE CASE OF DEAD FORENSIC ANALYSIS
Digital investigations can involve dead and/or live analysis techniques. In dead forensic analysis, the target device is powered off and an image of the entire hard disk is made. A one-way hash function is then used to compute a value for both the entire contents of the original hard disk and the forensically acquired image of it. If the two values match, the acquired image is a bitwise copy of the entire hard disk. The acquired image is then analyzed in a lab using a trusted OS and sound forensic applications. This process is referred to as offline forensic analysis or offline forensic inspection.
One of the key differences between traditional computer forensics and mobile phone forensics is the reproducibility of evidence in the case of dead forensic analysis. Mobile phone devices are constantly active and keep updating the information in their memory. One cause is the device clock, which changes constantly and in doing so alters the data in the memory of the device. As a result, a hash value computed over the device's memory at one moment may not match one computed later.
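The hash check used in dead analysis, and the way a ticking device clock breaks its reproducibility, shown as an added example that is not part of the original article. The buffers, the clock field and its offset, and the function names are constructed for illustration.

```python
import hashlib
import io

CHUNK = 4096  # read size in bytes; an assumption, any size gives the same digest

def stream_digest(stream, algo="sha256"):
    """Hash a seekable stream chunk by chunk so a whole disk never sits in RAM."""
    h = hashlib.new(algo)
    stream.seek(0)
    for block in iter(lambda: stream.read(CHUNK), b""):
        h.update(block)
    return h.hexdigest()

def verify_acquisition(source, image, algo="sha256"):
    """Dead-analysis check: the image is a bitwise copy iff the digests match."""
    src, img = stream_digest(source, algo), stream_digest(image, algo)
    return src == img, src, img

def differing_blocks(first, second):
    """Indexes of CHUNK-sized blocks that differ between two acquisitions."""
    first.seek(0)
    second.seek(0)
    diffs, index = [], 0
    while True:
        a, b = first.read(CHUNK), second.read(CHUNK)
        if not a and not b:
            return diffs
        if a != b:
            diffs.append(index)
        index += 1

def demo():
    # Constructed sample data: a 4-block "hard disk" and its acquired image.
    disk = bytes(range(256)) * 64  # 16384 bytes = 4 blocks
    disk_ok, _, _ = verify_acquisition(io.BytesIO(disk), io.BytesIO(disk))

    # Constructed phone memory: same bytes, but a 4-byte clock field inside
    # block 2 ticks between the first and second acquisition.
    clock_at = 2 * CHUNK + 100
    later = bytearray(disk)
    later[clock_at:clock_at + 4] = (1700000001).to_bytes(4, "big")
    phone_ok, _, _ = verify_acquisition(io.BytesIO(disk), io.BytesIO(bytes(later)))
    changed = differing_blocks(io.BytesIO(disk), io.BytesIO(bytes(later)))
    return disk_ok, phone_ok, changed

if __name__ == "__main__":
    print(demo())
```

The block-level comparison narrows a whole-image mismatch to the region that changed, which helps an examiner document why two acquisitions of the same handset do not hash identically.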
CONNECTIVITY OPTIONS AND THEIR IMPACT ON DEAD AND LIVE FORENSIC ANALYSIS
Live forensic analysis in this context refers to online analysis versus offline analysis. Online analysis means that the system is not taken offline either physically or logically. Connectivity options refer to the ways in which a system or device is connected to the outside world, be it through a wired or a wireless connection. Even though built-in connectivity options for computers are limited when compared to the increasingly developing connectivity options on mobile phone devices, connectivity options are addressed in both live and dead computer forensics. On the other hand, live analysis is not even heard of yet when it comes to mobile phone handset forensics.
OPERATING SYSTEMS AND FILE SYSTEMS
Computer forensic investigators are very familiar with computer operating systems and are comfortable working with computer file systems, but they are still not as familiar with the wide range of mobile OS and FS varieties. One of the main issues facing mobile forensics is the availability of proprietary OS versions in the market. Some of these OS versions are developed by well-known manufacturers such as Nokia and Samsung, while some are developed by little-known Chinese, Korean and other regional manufacturers. Mobile phone operating systems are generally closed source, with the exception of Linux-based mobile phones. This makes developing forensic tools and testing them an onerous task. Moreover, mobile phone manufacturers, OS developers and even forensic tool developers are reluctant to release information about the inner workings of their code, as they regard their source code as a trade secret.
A key difference between computers and mobile phones is the data storage medium. Volatile memory is used to store user data in mobile phones while computers use non-volatile hard disk drives as a storage medium. In mobile phones, this means that if the mobile phone is disconnected from a power source and the internal battery is depleted, user data can be lost.
On the contrary, with non-volatile drives, even if the power source is disconnected, user data is still saved on the hard disk surface and faces no risk of deletion due to the lack of a power source. From a forensics point of view, evidence on the mobile phone device can be lost if power is not maintained on it. This means that investigators must ensure that the mobile device has a power supply attached to it so that the data on the device is maintained.
Mobile phones are portable devices made for a specific function, unlike computers, which are made for more general application. Therefore, mobile phone hardware architecture is built with mobility, extended battery life, simple functionality and light weight in mind. This makes the general characteristics of a mobile phone very different from those of a computer in the way it stores the OS, how its processor behaves and how it handles its internal and external memory. The hardware architecture of a typical mobile phone usually consists of a microprocessor, main board, Read Only Memory (ROM), Random Access Memory (RAM), a radio module or antenna, a digital signal processor, a display unit, a microphone and speaker, an input interface device (i.e., keypad, keyboard, or touch screen) and a battery. The OS usually resides in ROM, while RAM is generally used to store other data such as user data and general user-modifiable settings. The ROM may be re-flashed and updated by the user of the phone by downloading a file from a web site and executing it on a personal computer that is connected to the phone device.