Successful examination of mobile devices requires the special knowledge and skills of mobile forensics experts. Fast changes in technology challenge experts in their daily work. Experience in computer forensics alone is not always sufficient to fully understand the difficulties of mobile device forensics. The following text describes the 10 main challenges mobile forensics experts face in the investigative process:

#1 Platforms

The term “mobile device” includes a variety of devices, including:

  • Smartphones
  • Tablets
  • Smartwatches
  • Cameras
  • MP3-players
  • Navigation devices
  • Drones
  • and many more…

Dealing with different devices constitutes a challenge for the mobile forensics examiner, who needs to know the specifics of each device to extract as much data from it as possible. Additionally, once the examiner is familiar with a platform and knows how to extract and analyse it, the operating system manufacturers change their security concept and the cycle starts again.

#2 Manufacturers

The first step in the investigative process of a mobile device is the identification of the phone. That is not as easy as it sounds, as there are hundreds of device manufacturers, each one introducing on average 15 new versions of mobile devices per year. Mobile phones can sometimes be identified by removing the device's battery, but that carries the risk of triggering a user lock or losing the contents of volatile memory. Identifying a smartphone only by looking at it can be extremely hard even for mobile forensics experts. Thus, mobile forensics toolkits offer the possibility to identify devices automatically when they are connected.

#3 Connectors

To connect a phone successfully, an expert must choose the appropriate plug. The next step is to find the appropriate driver to establish a connection to the computer. Common mobile forensics toolkits do this work automatically. If several mobile forensics toolkits are installed on one computer, the examiner must be careful, as the driver packs from different vendors can interfere with each other. If the USB connection doesn't work, there is also the possibility of using a wireless connection such as Bluetooth to retrieve data from a mobile device.

#4 Operating systems

Source: statcounter Global Stats

Market shares of mobile OS manufacturers can change extremely fast, as the following graph shows. Every year new mobile devices are released, which can easily change the constellation of the OS market shares. Operating systems offer mostly the same functions but differ greatly in terms of data storage, security concepts and other characteristics. For example, Android is used by different manufacturers, and it is often customized. Furthermore, smartphone operating systems receive major updates frequently, nearly every month. New security policies, new features, or changes in how the OS stores data constitute immense challenges for mobile forensics experts.

#5 Apps

Apps often store most of their information in SQLite databases, so those databases contain a major part of the case data. Mobile forensics toolkits decode databases automatically and display them in a structured way. However, depending on the toolkit, only between a few dozen and a few hundred different apps are supported, which is a comparatively small number, as there were about 3.8 million apps available in the Google Play Store in Q1/2018.

Source: Statista

But what if you need to examine a certain app which is not supported by the toolkit? Right, you need to analyse it manually. In our L2B SQLite Forensics for Smartphones training you learn how to analyse and interpret those SQLite databases to get more information and find important evidence, including deleted data.
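Why deleted SQLite rows can often still be found: when a row is deleted, SQLite only marks the cell's space as free and leaves most of the record bytes in the page unless secure_delete is active. The following script is an added example (not part of the original post or of any T3K tool): it builds a constructed chat-style database, deletes one message, and compares what a normal SQL query shows with what a byte-level search of the raw file still finds, with and without `PRAGMA secure_delete`.

```python
import os
import sqlite3
import tempfile

# Constructed sample messages; the MARKER strings exist only so the example
# can search for them in the raw database file afterwards.
SAMPLE_MESSAGES = [
    ("alice", "MARKER-KEEP-0001 meeting at noon, bring the report"),
    ("bob",   "MARKER-DELETED-0002 this message will be deleted by the user"),
    ("carol", "MARKER-KEEP-0003 see you tomorrow"),
]
DELETED_MARKER = b"MARKER-DELETED-0002"


def _build_db(path, secure_delete):
    """Create a messages table, insert the sample rows, then delete one row."""
    con = sqlite3.connect(path)
    # secure_delete decides whether SQLite zeroes freed cell bytes on DELETE.
    con.execute(f"PRAGMA secure_delete = {'ON' if secure_delete else 'OFF'}")
    con.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, sender TEXT, body TEXT)")
    con.executemany("INSERT INTO messages (sender, body) VALUES (?, ?)", SAMPLE_MESSAGES)
    con.commit()                      # rows now physically live in the file
    con.execute("DELETE FROM messages WHERE sender = 'bob'")
    con.commit()                      # cell is freed, page rewritten on disk
    live = [row[0] for row in con.execute("SELECT body FROM messages")]
    con.close()                       # flush: the file is what an examiner would image
    return live


def deleted_record_survives(secure_delete):
    """Return (visible_via_sql, found_in_raw_file) for the deleted message."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "app.db")
        live = _build_db(path, secure_delete)
        with open(path, "rb") as f:
            raw = f.read()            # raw page bytes, as a hex editor would see them
        visible = any(DELETED_MARKER.decode() in body for body in live)
        return visible, DELETED_MARKER in raw


def compare():
    """Run the experiment with SQLite's default behaviour and with secure_delete ON."""
    return {
        "default": deleted_record_survives(secure_delete=False),
        "secure_delete": deleted_record_survives(secure_delete=True),
    }


if __name__ == "__main__":
    for mode, (visible, in_raw) in compare().items():
        print(f"{mode:14s} visible via SQL: {visible}  bytes still in file: {in_raw}")
```

The same byte-level search is what a manual examination of an unsupported app's database relies on; an app that enables secure_delete, or a database that has been vacuumed, removes this remnant, which is why toolkit output alone can understate what was once present.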

#6 Cloud data

An increasing amount of data containing information very valuable to forensic investigations is never saved on mobile devices in the first place but in cloud storage instead, be it by the device's OS or by third-party apps. Cloud backups also offer the chance to recover data deleted by the user or the data of locked, broken or wiped devices. However, acquiring this data is difficult not only because of legal constraints, which depend on the country the investigation takes place in, but also because of security mechanisms like separate passwords and 2-factor authentication. As a result, special software is required to acquire cloud data in a forensically sound way.

#7 Security mechanisms

Security mechanisms are used on mobile devices to protect data. These mechanisms range from handset user locks to SIM card PINs and PUKs and device encryption. A device locked by PIN or password might be unlocked either through an appropriate software program or with information from the owner of the device. Encryption goes deeper, securing data at the software and/or hardware level, and is usually very hard to decrypt.

Common security mechanisms, among others, are:

  • Password
  • PIN, PUK
  • Pattern
  • Biometrical lock (fingerprint)
  • Encryption of data

#8 Data preservation

When seizing a device, it is very important to prevent the device from receiving any further data communication. As a flash storage device stores data in a "first in, first out" order, older stored data could be deleted. For example, incoming calls could erase call history logs. So before initial acquisition, mobile devices must be disconnected or shielded from further radio frequencies to avoid changes in data. Also, most devices allow their users to wipe all data by issuing a remote command. If you do not block all incoming data traffic, you might lose all evidence.

#9 Extraction of all relevant data

Especially on Android phones, extracting data from all relevant apps can be difficult. Acquiring a physical extraction has become more and more challenging and is currently not possible for many devices on the market. Therefore, utilizing an Android backup has become the go-to method for extracting data from those phones. However, app manufacturers may choose to exclude their app's data from Android backups or to have their app's databases encrypted in the backup. So additional steps have to be taken to secure those kinds of data. For iPhones the main extraction method is a device backup too. Here as well, some data (e.g. emails or frequent locations) is not included in those backups and has to be acquired with additional steps.

#10 Selection of the appropriate toolkit

The biggest challenge in mobile forensics is to know which tool is the best in a given situation, and which tool ensures the extraction of the most data possible. There are a lot of tools on the mobile forensics market, but the one that suits the investigation best is sometimes very hard to find. In practice, there is no single tool which can fulfil all requirements of an investigation; therefore it is very important to utilize the right mix of different mobile forensics toolkits.

Conclusion

Mobile forensics is a substantial process in any modern crime investigation. In most cases, at least one type of mobile device is involved and can carry valuable information. A regular cell phone could provide call data and SMS information; however, the rise of smartphones and their increasing number of functions can lead to much more valuable data.

Furthermore, the fast-changing field of mobile forensics forces experts to stay up to date. It is important to know which data, and how much of it, can be extracted by specific toolkits. Thus, continuous training of mobile forensics experts is important in order to deal successfully with the challenges in mobile forensics.

T3K-Forensics offers training in the field of mobile forensics from beginner to expert level.
