Similar to any forensic investigation, there are several approaches that can be used for the acquisition and examination/analysis of data from mobile phones. The type of mobile device, the operating system, and the security setting generally dictate the procedure to be followed in a forensic process. Every investigation is distinct with its own circumstances, so it is not possible to design a single definitive procedural approach for all cases. The following details outline the general approaches followed in extracting data from mobile devices.
One of the major factors in the data acquisition and examination/analysis of a mobile phone is the operating system. From low-end mobile phones to smartphones, mobile operating systems have come a long way with a lot of features. Mobile operating systems directly affect how the examiner can access the mobile device. For example, Android OS gives terminal-level access whereas iOS does not give such an option. A comprehensive understanding of the mobile platform helps the forensic examiner make sound forensic decisions and conduct a conclusive investigation. While there is a large range of smart mobile devices, with the demise of Blackberry, currently two main operating systems dominate the market, namely Google Android and Apple iOS (followed by Windows Phone at a distant third). More information can be found at: https://www.idc.com/promo/smartphone-market-share/os. This book covers forensic analysis of these three mobile platforms. We will provide a brief overview of the leading mobile operating systems.
Android is a Linux-based operating system, and it's a Google open source platform for mobile phones. Android is the world's most widely used smartphone operating system. Sources show that Apple's iOS stands second (https://www.idc.com/promo/smartphone-market-share/os). Android has been developed by Google as an open and free option for hardware manufacturers and phone carriers. This makes Android the software of choice for companies who require a low-cost, customizable, lightweight operating system for their smart devices without developing a new OS from scratch. Android's open nature has further encouraged developers to build a large number of applications and upload them onto Google Play. Later, end users can download the application from Android Market, which makes Android a powerful operating system. It is estimated that Google Play Store has 3.3 million apps at the time of writing this book. More details on Android are covered in Chapter 7, Understanding Android.
iOS, formerly known as the iPhone operating system, is a mobile operating system developed and distributed solely by Apple Inc. iOS is evolving into a universal operating system for all Apple mobile devices, such as iPad, iPod touch, and iPhone. iOS is derived from OS X, with which it shares the Darwin foundation, and is therefore a Unix-like operating system. iOS manages the device hardware and provides the technologies required to implement native applications. iOS also ships with various system applications, such as Mail and Safari, which provide standard system services to the user. iOS native applications are distributed through AppStore, which is closely monitored by Apple. More details about iOS are covered in Chapter 2, Understanding the Internals of iOS Devices.
Windows Phone is a proprietary mobile operating system developed by Microsoft for smartphones and pocket PCs. It is the successor to Windows Mobile and primarily aimed at the consumer market rather than the enterprise market. The Windows Phone OS is similar to the Windows desktop OS, but it is optimized for devices with a small amount of storage. Windows Phone basics and forensic techniques are discussed in Chapter 12, Windows Phone Forensics.
Mobile phone forensic acquisition and analysis involves manual effort and the use of automated tools. There are a variety of tools that are available for performing mobile forensics. All the tools have their pros and cons, and it is fundamental that you understand that no single tool is sufficient for all purposes. So, understanding various types of mobile forensic tools is important for forensic examiners.
When identifying the appropriate tools for the forensic acquisition and analysis of mobile phones, a mobile device forensic tool classification system developed by Sam Brothers (shown in the following figure) comes in handy for examiners:
Cellular phone tool leveling pyramid (Sam Brothers, 2009)
The objective of the mobile device forensic tool classification system is to enable an examiner to categorize forensic tools based on the examination methodology of the tool. Starting at the bottom of the classification and working upward, the methods and the tools generally become more technical, complex, and forensically sound, and require longer analysis times. There are pros and cons of performing an analysis at each layer. The forensic examiner should be aware of these issues and should only proceed with the level of extraction that is required. Evidence can be destroyed completely if the given method or tool is not properly utilized. This risk increases as you move up in the pyramid. Thus, proper training is required to obtain the highest success rate in data extraction from mobile devices.
Each existing mobile forensic tool can be classified under one or more of the five levels. The following sections contain a detailed description of each level.
The manual extraction method involves simply scrolling through the data on the device and viewing the data on the phone directly through the use of the device's keypad or touchscreen. The information discovered is then photographically documented. The extraction process is fast and easy to use, and it will work on almost every phone. This method is prone to human error, such as missing certain data due to unfamiliarity with the interface. At this level, it is not possible to recover deleted information and grab all the data. There are some tools, such as Project-A-Phone, that have been developed to aid an examiner to easily document a manual extraction. However, this might also result in the modification of data. For example, viewing an unread SMS can mark it as read.
Logical extraction involves connecting the mobile device to forensic hardware or to a forensic workstation via a USB cable, a RJ-45 cable, infrared, or Bluetooth. Once connected, the computer initiates a command and sends it to the device, which is then interpreted by the device processor. Next, the requested data is received from the device's memory and sent back to the forensic workstation. Later, the examiner can review the data. Most of the forensic tools currently available work at this level of the classification system. The extraction process is fast, easy to use, and requires little training for the examiners. On the flip side, the process may write data to the mobile and might change the integrity of the evidence. In addition, deleted data is not generally accessible with this procedure.
A hex dump, also referred to as a physical extraction, is achieved by connecting the device to the forensic workstation and pushing unsigned code or a bootloader into the phone and instructing the phone to dump memory from the phone to the computer. Since the resulting raw image is in binary format, technical expertise is required to analyze it. The process is inexpensive, provides more data to the examiner, and allows the recovery of deleted files from the device-unallocated space on most devices.
Chip-off refers to the acquisition of data directly from the device's memory chip. At this level, the chip is physically removed from the device and a chip reader or a second phone is used to extract data stored on it. This method is more technically challenging, as a wide variety of chip types are used in mobiles. The process is expensive and requires hardware-level knowledge as it involves the desoldering and heating of the memory chip. Training is required to successfully perform a chip-off extraction. Improper procedures may damage the memory chip and render all data unsalvageable. When possible, it is recommended that the other levels of extraction are attempted prior to chip-off, since this method is destructive in nature. Also, the information that comes out of memory is in a raw format and has to be parsed, decoded, and interpreted. The chip-off method is preferred in situations where it is important to preserve the state of memory exactly as it exists on the device. It is also the only option when a device is damaged but the memory chip is intact.
The chips on the device are often read using the Joint Test Action Group (JTAG) method. The JTAG method involves connecting to Test Access Ports (TAPs) on a device and instructing the processor to transfer the raw data stored on memory chips. The JTAG method is generally used with devices that are operational but inaccessible using standard tools. Both of these techniques also work even when the device is screen-locked.
The micro read process involves manually viewing and interpreting data seen on the memory chip. The examiner uses an electron microscope and analyzes the physical gates on the chip and then translates the gate status to 0s and 1s to determine the resulting ASCII characters. The whole process is time-consuming and costly, and it requires extensive knowledge and training on memory and the filesystem. Due to the extreme technicalities involved in micro read, it would be only attempted for high-profile cases equivalent to a national security crisis after all other level extraction techniques have been exhausted. The process is rarely performed and is not well-documented at this time. Also, there are currently no commercial tools available to perform a micro read.
Data acquisition is the process of imaging or otherwise extracting information from a digital device and its peripheral equipment and media. Acquiring data from a mobile phone is not as simple as a standard hard drive forensic acquisition. The following points break down the three types of forensic acquisition methods for mobile phones—physical, logical, and manual. These methods may have some overlap with a couple of levels discussed in the mobile forensics tool leveling system. The amount and type of data that can be collected will vary depending on the type of acquisition method being used. While we cover these methods in detail in the upcoming chapters, the following is a brief description of them.
Physical acquisition of a mobile device is nothing but a bit-by-bit copy of the physical storage. Physical extraction acquires information from the device by direct access to the flash memory. Flash memory is a non-volatile memory and is primarily used in memory cards and USB flash drives as solid-state storage. The process creates a bit-for-bit copy of an entire filesystem, similar to the approach taken in computer forensic investigations. A physical acquisition is able to acquire all of the data present on a device, including the deleted data and access to unallocated space on most devices.
Logical acquisition is about extracting the logical storage objects, such as files and directories, that reside on the filesystem. Logical acquisition of mobile phones is performed using the device manufacturer application programming interface to synchronize the phone's contents with a computer. Many of the forensic tools perform a logical acquisition. It is much easier for a forensic tool to organize and present the data extracted through logical acquisition. However, the forensic analyst must understand how the acquisition occurs and whether the mobile is modified in any way during the process. Depending on the phone and forensic tools used, all or some of the data is acquired. A logical acquisition is easy to perform and only recovers the files on a mobile phone and does not recover data contained in unallocated space.
With mobile phones, physical acquisition is usually the best option, and logical acquisition is the second-best option. Manual extraction should be the last option when performing the forensic acquisition of a mobile phone. Both logical and manual acquisition can be used to validate findings in the physical data. During manual acquisition, the examiner utilizes the user interface to investigate the contents of the phone's memory. The device is used normally through keypad or touchscreen and menu navigation, and the examiner takes pictures of each screen's contents. Manual extraction introduces a greater degree of risk in the form of human error, and there is a chance of deleting the evidence. Manual acquisition is easy to perform and only acquires the data that appears on a mobile phone.