THE CHALLENGES OF MOBILE FORENSICS

mobfor1

Mobile devices are a staple of our lives. They keep us connected and do far more. It is not unusual for a smart phone to be an entertainment center, social tool and mobile office rolled up into one small package. We marvel when we hear about a home that has two computers for one family, but most family members of high school age or older have a smart phone. For this reason, data is more closely associated with individuals than ever before. Data storage has become a minor issue with mobile devices. Smart phones today have as much storage capacity as did business laptops just a few years ago. This combination of storage space and functionality requires smart phones to be a focus of attention for mobile forensics investigators.

DATA TYPICALLY ASSOCIATED WITH SMART PHONES.

  • Maps
  • e-books
  • applications
  • call history
  • Web history
  • audio
  • video
  • photos
  • text messaging
  • e-mail

All this additional functionality and data represents a fast-changing environment. Users add and subtract from it on a daily or hourly basis. This situation presents significant challenges to forensic investigators.

Operating system changes.
Frequent changes in mobile operating systems present significant challenge to forensic investigators. Windows XP was sold from 2001 through the end of 2009 and its use is still widespread. On the other hand, the iPhone operating system has had major annual releases. One smart phone or another upgrades its operating system nearly every quarter.

Proprietary hardware.
In the forensic world of personal computers, one can connect to hard drives with the minimum number of adapters. Smart phones may require you to have special data or power cords for everyone, plus the specific drivers for the particular phone. In addition, some of these devices allow access to logical information but may limit access to system databases or unallocated space.

Frequent hardware changes.
Mobile hardware tends to change quickly. Most people expect to receive a new phone when their plan renews which is generally every two years as well, mobile phones have to be replaced due to damage or loss much more frequently than computers do.

Data volatility.
A seized device may have to be powered up until a mobile forensics analysis is completed to prevent losing critical information that can be overwritten or changed whenever the power is shut off or the phone is rebooted. It may also be necessary to store the phone in a faraday bag, which is a bag that blocks mobile phone signals, in order to prevent deleted evidence from overwriting by the device.

Other potential locations for mobile phone data.
It is often possible to find important mobile phone data on the computers that have been used to synchronize the phone. Most synchronization programs produce a backup of the data on a device when they update the operating system. Such backups can provide a snapshot of the contents of the cell phone at some point in the past. Thereā€˜s providers provide a process by which call history information can be obtained. It is often possible to obtain more information, as well. For example, some cell phones back up to a provider fileserver, so that it can be retrieved in case of emergency. When a mobile forensics investigator wishes to access such information from a provider, the starting point is typically in their legal or security departments.