
Mastering Mobile Forensics

By : Soufiane Tahiri

Overview of this book

Mobile forensics presents a real challenge to the forensic community because of the fast and unstoppable changes in technology. This book aims to give the forensic community an in-depth insight into mobile forensic techniques for dealing with recent smartphone operating systems. Starting with a brief overview of forensic strategies and investigation procedures, you will understand the concepts of file carving, GPS analysis, and string analysis. You will also see the difference between encryption, encoding, and hashing methods and get to grips with the fundamentals of reverse code engineering. Next, the book walks you through the iOS, Android, and Windows Phone architectures and filesystems, followed by various forensic approaches and data gathering techniques. You will also explore advanced forensic techniques and find out how to deal with third-party applications using case studies. The book will help you master data acquisition on Windows Phone 8. By the end of this book, you will be acquainted with best practices and the different models used in mobile forensics.
Preparing a Mobile Forensic Workstation

Smartphone forensics models

Given the pace at which mobile technology is growing and the variety of complexities produced by today's mobile data, forensic examiners face serious adaptation problems, so developing and adopting standards makes sense.

The reliability of evidence depends directly on the investigative process adopted; choosing to bypass a step, or bypassing one accidentally, may (and almost certainly will) lead to incomplete evidence and increase the risk of rejection in a court of law.

Today, there is no standard or unified model adapted to acquiring evidence from smartphones. The dramatic development of smart devices suggests that any forensic examiner will have to apply as many independent models as necessary in order to collect and preserve data. Many forensic models have been proposed, and reviewing each one of them would be a colossal task. In the following paragraphs, I'll present some of them without pretending that the selected models are the best. The models are sorted chronologically, starting from the earliest.

Computer Forensic Investigation Process

Historically, back in 1984, the FBI and many other law enforcement agencies began modeling the examination of digital evidence based on the earlier generations of computers, and the first digital forensic process model was the Computer Forensic Investigation Process (CFIP). CFIP was first presented in 1995 by M. M. Pollitt (M. M. Pollitt. (1995). Computer Forensics: An Approach to Evidence in Cyberspace). This model focuses exclusively on the result; in other words, it focuses principally on data acquisition and on how reliable and legally acceptable the acquired data is.

The Computer Forensic Investigation Process model is conducted in four stages: Acquisition, Identification, Evaluation, and Admission:

CFIP model

Acquisition is a technical problem that is not free from legal aspects, and the data acquired must answer three main questions: what can be seized, from whom, and from where can it be seized. This means that digital evidence must be acquired in an acceptable manner, with the necessary approvals from the concerned authorities. This stage is followed by the Identification phase, which in this model is subdivided into a three-step process: defining the physical form of the data, defining the data's logical position, and then placing this data (evidence) in its correct context. Digital evidence follows the path shown here:

Digital evidence Identification process

The Evaluation stage consists of placing the gathered data in its proper context, and this is as much a legal task as a technical one. At this point of the forensic process, we can determine whether the acquired information is relevant and can be described as legitimate evidence in the case being investigated. Finally, the Admission process includes admitting the extracted data as legal evidence and presenting it in a court of law.

Digital Forensic Research Workshop

In 2001, the first Digital Forensic Research Workshop (DFRWS) was held to define a scientific methodology for digital forensics and to produce a reliable framework (dubbed the Investigative Process for Digital Forensic Science) covering the majority of digital investigation cases. The result was a six-stage linear process. Each step or stage is defined as a category or class, and each class has candidate methods belonging to that category.

Investigative Process for Digital Forensic Science (DFRWS)

As seen in the preceding diagram, the DFRWS model starts with the Identification stage, which is subdivided into tasks such as event detection, signature resolving, profile detection, anomaly detection, complaints, system monitoring, and audit analysis. This stage is followed by Preservation, which is a candidate for four tasks: setting up case management, managing technologies, ensuring a chain of custody, and time synchronization. Collection comes next, as the third phase, in which data is collected according to approved methods, using approved software/hardware and under legal authority; this phase also relies on lossless compression, sampling, data reduction, and data recovery techniques. After collection comes Examination, which is directly followed by the Analysis phase, where very important tasks are performed and evidence is traced, validated, and filtered. Data mining and timeline analyses are done as well. At this stage, hidden and encrypted data is discovered and extracted. The stage that comes after this is Presentation, in which documentation, clarification, expert testimony, a mission impact statement, and recommended countermeasures are presented. However, this model is open to criticism regarding the use of the Collection and Preservation stages and whether one is actually a subcategory of the other.

Abstract Digital Forensics Model

Being a more generic framework, DFRWS inspired researchers in the US Air Force in 2002 to present the Abstract Model of the Digital Forensic Process (M. Reith, C. Carr & G. Gunsh. 2002. An Examination of Digital Forensics Models), or Abstract Digital Forensics Model (ADFM), which is meant to be an enhanced DFRWS model with three more stages added to the existing process: Preparation, Approach Strategy, and Returning Evidence, leading to the following nine phases:

Abstract Digital Forensics Model

The actual added value of this model is the introduction of the pre- and post-investigation approaches. Before any exercise, and after identifying the type of incident, it prepares tools, techniques, and search warrants and secures management support; this is followed by the approach strategy, which is meant to dynamically establish an approach to collect the maximum amount of evidence without impacting the victim. However, this phase is criticized for duplicating the second stage, since preparing to respond to an incident will likely end with preparing an "approach strategy". Lastly, returning evidence shows the importance of safely storing evidence removed from the scene in order to return it to its owner.

The Abstract Digital Forensics Model ignores the importance of the chain of custody, but the authors of this model assumed that a chain of custody is obviously maintained throughout an investigation process and is implied in any forensic model.

Integrated Digital Investigation Process

In 2003, Brian Carrier and Eugene H. Spafford (Carrier, B., & Spafford, E. H. 2003. Getting Physical with the Digital Investigation Process. The International Journal of Digital Evidence) introduced the Integrated Digital Investigation Process (IDIP), which integrates digital forensics into physical investigation; it's a framework based on the established processes of physical crime scene investigation.

The main idea of this model is to consider a digital crime scene as a "virtual crime scene" and to apply adapted crime scene investigation techniques. Macroscopically, this model is composed of five stages, which microscopically break down into 17 phases.

The following diagram shows the five macroscopic stages of an IDIP model:

The five macroscopic stages of the IDIP model

Physical and digital crime scenes are processed together and digital forensics are fed into a physical investigation.

The Readiness Phase ensures that human competences and technical infrastructures are able to fully carry the whole investigation process; this stage is subdivided into two phases:

  • Operation Readiness: This involves the preparation of adequate training and equipment for the personnel who will investigate the crime scene.

  • Infrastructure Readiness: This phase aims to ensure data stability and integrity, for as long as the investigation process takes. This phase may include, for example, hashing files, securely storing evidence, and maintaining a change management database.

The first stage is followed by the Deployment phase; the goal of this stage is to provide a mechanism to detect and confirm an incident, and it is also subdivided into two phases:

  • Detection and notification: Concretely, this phase triggers the start of the investigation process where the incident is detected and the appropriate people are notified.

  • Confirmation and authorization: Once a crime or incident is confirmed, in this phase, authorization must be received to fully investigate the digital crime scene.

The Physical Crime Scene Investigation Phase, which comes after the Deployment phase, is when the investigation itself begins, with the goal of collecting and analyzing the physical evidence to reconstruct the actions that took place. This stage is subdivided into six phases that are typical of a real post-incident physical crime investigation process and are described in the following diagram:

Physical Crime Scene Investigation

This stage is followed by a similar stage in a digital context, focusing on digital evidence within a "virtual" digital environment. The Digital Crime Scene Investigation Phase follows the previously presented path by considering any smartphone (or other digital device) as a separate crime scene.

Digital Crime Scene Investigation

It is subdivided into the following phases:

  • Preservation of Digital Scene: In this phase, the investigator must pay attention to maintaining data integrity, meaning that at this level, the digital scene must be secured in order to avoid any external interference that could alter the evidence.

  • Survey For Digital Evidence: Depending on the case being investigated, this phase aims to collect the obvious evidence related to that case, and it should occur in a controlled environment (a forensic lab, for instance) using a replica of the original crime scene.

  • Document Evidence and Scene: The documentation phase involves documenting every piece of evidence acquired during the analysis, and using cryptographic hashing techniques such as MD5 or SHA-1 is recommended to keep a trace of evidence integrity. This phase does not substitute for the final forensic report.

  • Search for Digital Evidence: The collection phase involves a deeper digging and more in-depth analysis of what was found in the previous phase and focuses on a more specific and low-level analysis of the digital device activities. Deleted file recovering, file carving, reverse engineering, and encrypted file analysis are some examples of techniques that can be applied at this stage.

  • Digital Crime Scene Reconstruction: All the digital evidence acquired is put together in order to determine to what extent the collected evidence can be trusted or must be rejected, whether further analysis is required, and whether the search for digital evidence should be resumed if parts of the whole puzzle are missing.

  • Presentation of Digital Scene Theory: This phase documents and presents the findings of the physical investigation team in the case the investigation was not performed by the same team.
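The "Document Evidence and Scene" phase above recommends keeping a trace of evidence integrity with cryptographic hashes. The following is an added example (not code from the book) of how an examiner's workstation script can do that: it builds a hash manifest for acquired files and later re-hashes them to detect any alteration. It records MD5 and SHA-1 because the text names them, and SHA-256 alongside, since collisions are known for the older two and a modern digest costs nothing extra. The evidence files, the examiner name, and the altered byte are all constructed for the demonstration.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# MD5 and SHA-1 are the algorithms the text names; SHA-256 is added because
# the older two have known collision attacks and a manifest is cheap to extend.
ALGORITHMS = ("md5", "sha1", "sha256")


def hash_file(path, algorithms=ALGORITHMS, chunk_size=1 << 20):
    """Return {algorithm: hexdigest} for one file, reading in chunks so a
    multi-gigabyte image does not have to fit in memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def build_manifest(paths, examiner):
    """Hash every acquired file once and record who did it and when (UTC)."""
    return {
        "examiner": examiner,
        "created_utc": datetime.now(timezone.utc).isoformat(),
        "items": [
            {"path": os.path.abspath(p), "size": os.path.getsize(p), "hashes": hash_file(p)}
            for p in paths
        ],
    }


def verify_manifest(manifest):
    """Re-hash every item in the manifest; return [(path, reason), ...] for
    anything missing or whose digest no longer matches. Empty list == intact."""
    problems = []
    for item in manifest["items"]:
        path = item["path"]
        if not os.path.exists(path):
            problems.append((path, "missing"))
            continue
        current = hash_file(path, tuple(item["hashes"]))
        for algo, expected in item["hashes"].items():
            if current[algo] != expected:
                problems.append((path, f"{algo} mismatch"))
    return problems


def demo():
    """Constructed scenario: two fake evidence files are hashed, then a single
    byte of the image is changed. Returns (problems_before, problems_after)."""
    workdir = tempfile.mkdtemp(prefix="evidence_")
    image = os.path.join(workdir, "userdata.img")          # constructed sample
    log = os.path.join(workdir, "acquisition.log")         # constructed sample
    with open(image, "wb") as fh:
        fh.write(b"\x00" * 4096 + b"constructed sample image bytes")
    with open(log, "w") as fh:
        fh.write("constructed sample acquisition log\n")

    manifest = build_manifest([image, log], examiner="EXAMINER-NAME-PLACEHOLDER")
    with open(os.path.join(workdir, "manifest.json"), "w") as fh:
        json.dump(manifest, fh, indent=2)

    before = verify_manifest(manifest)          # nothing changed yet -> []
    with open(image, "r+b") as fh:              # simulate one flipped byte
        fh.seek(10)
        fh.write(b"\x01")
    after = verify_manifest(manifest)           # every digest of the image now differs
    return before, after


if __name__ == "__main__":
    intact, tampered = demo()
    print("before alteration:", intact)
    print("after alteration:", tampered)
```

In practice the manifest itself is what travels with the case file, so it should be stored on write-once media or signed; a manifest that an attacker can rewrite proves nothing.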

The final stage of the whole model is the Review Phase, a kind of self-criticism in which the whole process is reviewed to determine what went right or wrong in the investigation and to identify points for improvement.

This model presents many similarities with the previously presented models and can easily be considered as an enhanced model of both; nevertheless, the IDIP model is way too abstract and the interaction between physical and digital investigations may not be applicable in many cases.

End-to-end digital investigation process

In the same year, 2003, Peter Stephenson (Stephenson, P. 2003. A Comprehensive Approach to Digital Incident Investigation) reviewed the DFRWS framework and translated it into a "more" practical investigative process, dubbed the End-To-End Digital Investigation (EEDI) process, by extending the existing process to nine stages. It's called end-to-end because, in his model, Stephenson considers that "every digital crime has a source point, a destination point, and a path between those two points".

The model itself is schematized as follows:

The basic End-to-End Digital Investigation process

EEDI can be considered a layer applied on top of the DFRWS model. Depending on the case, the whole EEDI process is applied to each class of the DFRWS model (refer to the diagram in the Digital Forensic Research Workshop section). This model defines the critical steps to be performed in order to correctly preserve, collect, and analyze digital evidence. In the Collecting Evidence phase, primary and secondary evidence is collected and taken in its respective context. The context here is related to an event's time sensitivity, which brings us to the second step of this process, Analysis of Individual Events, where each individual event is isolated and analyzed separately to determine how it can be tied to other events and to consider the potential value it can add to the overall investigation. This is followed by the Preliminary Correlation step, in which individual events are linked with each other to determine a primary chain of evidence, establishing what happened, when, and which devices were involved.

Event normalization is a step that mainly aims to remove redundancy in evidentiary data, on the assumption that the same events can be reported separately by different sources using multiple vocabularies. As an extension of normalization, the same evidentiary events, irrespective of how and from where they were reported, are combined into one evidentiary event in the Event Deconfliction step; at this stage, all the events and evidentiary events are refined and a Second Level Correlation can be performed. The previously outlined steps result in a timeline, which is built in the Timeline Analysis step. Timeline analysis is an iterative task that lasts as long as the investigation lasts. Chain of Evidence Construction can then begin, based on the timeline of events; theoretically, a coherent chain is developed when each piece of evidence leads to the next, and this is what is meant to be done in this step. The last phase of this model is Corroboration, where digital investigators support, strengthen, and confirm each piece of evidence within the previously developed chain with other independent or traditional events and evidence, collected when the digital forensic investigation is conducted with the support of a group of investigators outside the digital forensic unit.
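The normalization, deconfliction, and timeline steps of EEDI are easiest to understand on concrete records. The following added example (not code from the book or from Stephenson's paper) takes three constructed sources that describe the same outgoing call in three vocabularies, a handset call log, a carrier CDR in local time, and a syslog line without a year, normalizes them to one schema in UTC, merges records that describe the same event within a clock-skew tolerance while keeping every source's provenance, and returns the sorted timeline. The record formats, the 10-second tolerance, and the case year passed to the syslog parser are all assumptions made for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Clock skew we accept between two sources reporting one event (assumption for the example).
TOLERANCE = timedelta(seconds=10)

# Constructed sample records, not real case data. Each source uses its own vocabulary:
# the handset says OUT/IN, the carrier says MOC/MTC (mobile originated/terminated call),
# syslog says "started call to", and phone numbers are formatted three different ways.
HANDSET_CALL_LOG = [
    {"ts": "2016-02-03T10:15:02+00:00", "dir": "OUT", "number": "+15551234567", "duration": 42},
    {"ts": "2016-02-03T10:40:10+00:00", "dir": "IN", "number": "+15559876543", "duration": 0},
]
CARRIER_CDR = [
    {"start_time": "03/02/2016 11:15:05", "tz": "+01:00", "called": "15551234567", "type": "MOC"},
]
SYSLOG_LINES = [
    "Feb  3 10:15:00 handset dialer[42]: started call to +1 555 123 4567",
]


def digits(number):
    """Canonical peer identifier: digits only, so '+1 555 123 4567' == '15551234567'."""
    return re.sub(r"\D", "", number)


def parse_offset(tz):
    """Turn '+01:00' style strings into a tzinfo."""
    sign = 1 if tz[0] == "+" else -1
    hours, minutes = tz[1:].split(":")
    return timezone(sign * timedelta(hours=int(hours), minutes=int(minutes)))


def normalize_handset(rec):
    return {"time": datetime.fromisoformat(rec["ts"]).astimezone(timezone.utc),
            "action": {"OUT": "call_out", "IN": "call_in"}[rec["dir"]],
            "peer": digits(rec["number"]), "sources": {"handset"}}


def normalize_cdr(rec):
    # Carrier records are in the operator's local time; attach the offset, then go to UTC.
    local = datetime.strptime(rec["start_time"], "%d/%m/%Y %H:%M:%S")
    local = local.replace(tzinfo=parse_offset(rec["tz"]))
    return {"time": local.astimezone(timezone.utc),
            "action": {"MOC": "call_out", "MTC": "call_in"}[rec["type"]],
            "peer": digits(rec["called"]), "sources": {"carrier"}}


SYSLOG_RE = re.compile(
    r"^(\w{3})\s+(\d{1,2}) (\d{2}:\d{2}:\d{2}) \S+ dialer\[\d+\]: started call to (.+)$")


def normalize_syslog(line, year):
    """Syslog timestamps carry no year; the examiner supplies the case year (assumption)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    month, day, clock, number = m.groups()
    t = datetime.strptime(f"{year} {month} {day} {clock}", "%Y %b %d %H:%M:%S")
    return {"time": t.replace(tzinfo=timezone.utc), "action": "call_out",
            "peer": digits(number), "sources": {"syslog"}}


def deconflict(events, tolerance=TOLERANCE):
    """Merge events with the same (action, peer) whose times fall within `tolerance`.
    The merged event keeps the earliest time, the latest sighting, and every source."""
    merged = []
    for ev in sorted(events, key=lambda e: e["time"]):
        for m in merged:
            same_event = (m["action"], m["peer"]) == (ev["action"], ev["peer"])
            if same_event and abs(ev["time"] - m["time"]) <= tolerance:
                m["sources"] |= ev["sources"]
                m["last_seen"] = max(m["last_seen"], ev["time"])
                break
        else:
            merged.append({**ev, "sources": set(ev["sources"]), "last_seen": ev["time"]})
    return merged


def build_timeline(case_year=2016):
    """Normalize all three constructed sources and return the deconflicted, time-ordered timeline."""
    events = [normalize_handset(r) for r in HANDSET_CALL_LOG]
    events += [normalize_cdr(r) for r in CARRIER_CDR]
    events += [e for e in (normalize_syslog(l, case_year) for l in SYSLOG_LINES) if e]
    return deconflict(events)


if __name__ == "__main__":
    for ev in build_timeline():
        print(ev["time"].isoformat(), ev["action"], ev["peer"], sorted(ev["sources"]))
```

The tolerance is the important design choice: too small and one call stays three "events" that inflate the timeline; too large and two genuinely separate calls to the same number collapse into one. Recording `last_seen` alongside the earliest time keeps the spread visible so the second-level correlation can revisit that decision.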

Systemic Digital Forensic Investigation

In 2004, four models were developed: the Enhanced Integrated Digital Investigation Process, invented by Baryamureeba and Tushabe containing 21 phases; Séamus Ó Ciardhuáin presented an Extended Model of Cybercrime Investigation with 13 activities to follow; followed by a six phase Hierarchical, Objective-based Framework that was invented by Beebe and Clark. The same year, Carrier and Spafford announced the Event-based Digital Forensic Investigation Framework and detailed the 16 phases to follow.

Approximately every year, at least one new forensic model is developed, and as the digital world keeps growing, researchers keep trying to give birth to "the perfect" forensic model.

Considering the space allocated to this chapter, I will jump directly to 2011, when A. Agarwal, M. Gupta, S. Gupta, and S. C. Gupta came up with the Systemic Digital Forensic Investigation (SRDIFM) model (A. Agarwal, M. Gupta, S. Gupta, and S. C. Gupta. Systematic digital forensic investigation model). This model is similar to most of the previously presented models; it has common phases and some specific phases adapted to the model's requirements. SRDIFM is composed of 11 phases: preparation, securing the scene, survey and recognition, documentation of the scene, shielding, volatile and non-volatile evidence collection, preservation, examination, analysis, presentation, and result and review.

The following diagram schematizes the model:

Phases of Systematic Digital Forensic Investigation Model (SRDFIM)

The first step of this model is Preparation, which takes place before the investigation process and involves obtaining prior legal authorization. An initial understanding of the case to be investigated is gained in order to prepare adequate human and technical resources before going any further in the investigation. It's followed by Securing the Scene; this phase aims principally to keep data integrity intact and to minimize possible data corruption. The Survey and Recognition phase comprises tasks to elaborate an initial plan to collect and analyze evidence, in which potential sources of evidence must be identified, including sources other than the main smart device itself; for example, the presence of a personal computer at the scene means that there is a chance of finding smartphone-related data synchronized with it.

The next phase is known as Documentation of Scene, in which crime scene mapping is done and every electronic device within the scene is documented; this includes the device itself, its power adaptor, external memory cards, cradle, and everything else related to the device. Before starting evidence collection, Communication Shielding is important in order to be sure that there is no risk of damaging the current evidence; RF isolation, Faraday shielding, or cellular jammers are usually used to isolate devices from interacting with their environment. Now Evidence Collection comes into the picture; differentiating volatile from non-volatile collection is important and requires proper guidelines. In this phase, for example, investigators must keep the device powered if it's turned on and running out of battery; otherwise, the device memory must be imaged quickly and properly using appropriate tools.

Next is the Preservation phase, in which the evidence is securely stored and the device is properly packaged and transported. In the Examination step, the collected evidence is analyzed and filtered; the integrity of the data must also be guaranteed, and a hashing function is used to confirm it. The Analysis phase comes just after and is a kind of extension of the examination. In this phase, a more technical review is conducted based on the results of the previous phase; at this stage, the more advanced research is done, such as hidden data analysis, data recovery, and file decryption. The results of this phase must be documented to help produce the final reports that summarize the whole process in the Presentation phase. Finally, the Result phase, just like the Review phase in the IDIP model, is meant to be an open door to review the result of the whole process in order to find any points for improvement.

The SRDIFM model is interesting as it's more practical and presents some flexibility, which is not necessarily found within the other models; however, by adding more phases, the model increases the timeline of the process and its complexities.