INTRODUCTION TO MOBILE FORENSICS

mf

Mobile device forensics is a branch of digital forensics relating to recovery of digital evidence or data from a mobile device under forensically sound conditions. The phrase mobile device usually refers to mobile phones; however, it can also relate to any digital device that has both internal memory and communication ability. The use of phones in crime was widely recognized for some years, but the forensic study of mobile devices is a relatively new field, dating from the early 2000s. A proliferation of phones (particularly smart phones) on the consumer market caused a demand for forensic examination of the devices, which could not be met by existing computer forensics techniques.

The mobile phone has revolutionized communications for nearly every demographic, especially teenagers and young adults, connecting them to the Internet and to each other in South Asia no less than they do in the US or Europe. The use of these phones in criminal activities is therefore increasing by the day. The Mumbai terrorist attack in November 2008 is one of the many examples of mobiles being used as a terror weapon. The most extraordinary part of this attack was the extent to which the terrorists showed themselves to be part of the mobile phone generation, connected electronically to each other and to their controllers during every phase of the operation, from start to finish. The Mumbai attack is certainly not the first time terrorists have used cell phones, but the way they were used is significant and revealing, as well as unique. In such cases there is a large amount of data that can be extracted from these devices and used as forensic evidence.

The entire process is broadly divided into five stages: Preservation, Acquisition, Examination, Analysis and Reporting. The Preservation stage is the first stage in digital evidence recovery and is the process of seizing and securing suspect property without altering the contents of data that reside in the devices. Acquisition is the process of imaging or otherwise obtaining information from a digital device and its peripheral equipment and media .Examination and analysis involves applying tools to uncover digital evidence including that which may be hidden or obscured. Reporting is the process of preparing a detailed summary of all the steps taken and conclusions reached in the investigation of a case. Reporting depends on maintaining a careful record of all actions and observations, describing the results of tests and examinations, and explaining the inferences drawn from the evidence.

Of all the stages in mobile forensics, namely Preservation, Acquisition, Examination, Analysis and Reporting, the first two are considered as the most important stages. Preservation and Acquisition of mobile phones can provide critical evidence and productive leads for follow up investigations. These stages must be performed efficiently and each step taken with caution as the next stages of Examination, Analysis and Reporting entirely depends on how well the first two stages have been performed. Hence the process of retrieval of evidence begins in Preservation and Acquisition.

Preservation
Preservation involves the search, recognition, documentation, and collection of electronic-based evidence. In order to use evidence successfully, whether in a court of law or a less formal proceeding, it must be preserved. Failure to preserve evidence in its original state could jeopardize an entire investigation potentially losing valuable case-related information .This stage is performed by the first responders who first arrive at the scene. Their first task is to secure and cordon off the scene and ensure the security of all individuals. Next, the entire scene is documented using camera/video. This is done to create a permanent record of the scene. The team then determines whether there is a need for any kind of DNA analysis to be conducted. A number of challenges, as mentioned below, can come up during this stage:

  • Phone found in a liquid.
  • Identification of Phones
  • On – Off State Challenge
  • Isolation

The steps taken to meet these challenges are extremely critical for forensic investigators as a small mistake in performing them can lead to loss of crucial evidence. Our full paper illustrates the stage of preservation in the form of an informative flowchart and discusses all the challenges mentioned. In this extended abstract a major issue in Preservation is described below: On – Off State: When a mobile is found at crime scene, it may be in an On or Off state. Depending on the power state.

GENERAL PHONES (NOKIA, SAMSUNG, LG)

The USSS (United States Secret Service) document lists a set of rules on whether to turn on or off the device:

  •  If the device is turned ―on do not turn it ―off.
  •  Turning the device off may activate the lockout feature.
  •  If the device is turned ―off leave the device ―off.
  •  Turning it on could alter evidence on device

BLACKBERRY DEVICES

The Blackberry is an always on push messaging device. Information can be pushed through the radio antenna at any point of time. The following are the steps to be followed when a blackberry is found on scene:

  •  If the Blackberry is ―off, leave it ―off.
  •  If the Blackberry is ―on, turn the radio ―off.

If the unit is off at the time of acquisition, it should be taken it to a shielded location to turn it on and the radio immediately shut down before examination.

ANDROID DEVICES

The following are the steps to be followed when an android device is found on scene:

  •  If the android is ―off, leave it ―off.
  •  If the android is ―on, turn the radio ―off.

CHINESE DEVICES

The Chinese phones pose a big challenge for forensic investigators. The Chinese manufacturers do not follow any standards and therefore it is unclear how the device will behave in different scenarios. Analysis of a few Chinese phones, like the Sciphone i68 (clone of Iphone), clone of N95, clone of Moto Razr has revealed that in case the battery is removed from the cavity of the phone (for 5-10 minutes), no temporary data such as the date, time and call logs get erased (This could probably be due to some amount of charge left in the phone). However, on keeping the phone off for a considerable period of time erased the call logs and temporary data from the Sciphone i68.