What is Mobile Forensics Investigation Process and Techniques – How To Do


Mobile forensics is the branch of digital forensics that deals with the collection (acquisition) of data from cell phones and similar electronic devices, such as tablets, Personal Digital Assistants (PDAs), handheld PCs and GPS devices, for investigative purposes.

Today, most people own mobile devices and communicate through calls, messaging and MMS services. Numerous apps and application-based tools are available on Android and iOS devices to communicate and share information in forms such as text messages, audio files, video files, GPS locations and photos. At the same time, the number of crimes involving mobile technology is increasing day by day, as criminals see mobile devices as the most convenient way to communicate, share their plans and engage in digital fraud.

All digital data on a confiscated mobile device, such as deleted files and folders, deleted chats, deleted messages, call history, location history, MMS, photos, videos, app data and contact lists, should be preserved, because this data can play a crucial role in an investigation once it is analysed. This is especially true for digital forensic examiners and detectives dealing with digital fraud or digital crime. Mobile forensic tools such as UFED, Oxygen Forensic and XRY are used for data extraction, data analysis and reporting.

It is an exciting and very rewarding career to work behind the scenes. For those who are tech-savvy, want to make a difference in their daily life and for victims of crime, this is an excellent and growing career option.

Information that Resides on Mobile Devices (A Non-Exhaustive List)

The following is a partial list of the data that can be found on mobile devices:

  • Call history (incoming, outgoing, missed)
  • Contact or phonebook lists
  • Text-based SMS, application-based SMS, and multimedia messaging content
  • Images, audio files, video and occasionally voicemail messages
  • Content, cookies, search history, analytics data, and internet surfing history
  • Calendar entries, notes, to-do lists, and ringtones
  • Files made by users, including documents such as spreadsheets, presentations, and other types of data
  • User account credentials, passwords, swipe codes, and passcodes
  • Geolocation history, location information for mobile towers, and Wi-Fi connection details
  • Content from user dictionaries
  • Information from different installed apps
  • Usage logs, error messages, and system files
  • Deleted or formatted copies of all of the above

Mobile Forensic Investigation Processes

  1. Device Seizure
  2. Data Acquisition
  3. Data Analysis

Mobile Forensics Phase 1: Seizure

Mobile devices are generally confiscated to secure the digital evidence and to keep the device in the same state, preventing it from being powered off, whether by itself or by the investigator or digital forensics expert. When a mobile device is seized, it usually needs to be disconnected from the network to stop new data from overwriting existing data. A purpose-built Faraday bag or Faraday cage can then be used to transport it. The device is kept in a Faraday bag or case because it blocks further cellular connections and communication with the device. To prevent additional manipulation or activity, the device is also kept in airplane mode; otherwise the investigator runs the risk of the user lock engaging. Depending on the circumstances, the confiscated device may be placed in airplane mode (with Wi-Fi turned off) or the SIM card may be duplicated (cloned).

Ideally, the device should be seized while awake and unlocked, and should remain on at all times. In the case of a locked device, it is important to remember that while PIN codes are protected by the Fifth Amendment, your fingerprints may not be.

Airplane Mode

Mobile devices are often confiscated while they are turned on, and since the purpose of confiscating them is to preserve evidence, the best way to transport them is to leave them on, avoiding a shutdown that would inevitably alter files on the device.

Phone Jammer

A jammer or cell phone blocker is a device that intentionally transmits signals on the same radio frequencies as cell phones, disrupting communication between the phone and the cell phone base station. This effectively disables cell phones within range of the jammer and prevents them from receiving or transmitting signals.

Faraday Bag

A Faraday box/bag and an external power supply are common equipment for conducting mobile forensic investigations. The former is a container specifically designed to isolate mobile devices from network communications while allowing the seized devices to be transported safely to the lab; the latter is a power source built into the Faraday box/bag so the device does not run down in transit. Before placing the phone in the Faraday bag, disconnect it from the network, turn off all network connections (Wi-Fi, GPS, hotspot, etc.) and turn on airplane mode to protect the integrity of the evidence.

Mobile Forensics Phase 2: Data Acquisition (Identification & Extraction)

The process of acquiring information from mobile devices and the media connected to them is known as data acquisition. Acquiring the data early makes data loss due to breakage or battery drain during storage and transportation less likely. The forensic investigation must begin with identification of the mobile device.

[Figure: Identification and extraction]

There are several techniques to get data from mobile devices:

Manual Acquisition in Mobile Forensics

In manual acquisition, a mobile forensics specialist operates the phone’s user interface by hand while taking screenshots or photographs of the screen as they go. This is not much different from simply using the phone, except that the purpose is investigative. Manual collection takes a lot of time and can only reach data that is visible through the operating system.

Physical Acquisition in Mobile Forensics

Physical acquisition is also known as a physical memory dump. It is a method for extracting all the data from the mobile device’s flash memory chips. It enables forensic tools to recover all traces of erased data, including call history, contacts, media files, GPS coordinates, passwords and more. Because the data is received in raw format, it cannot be read directly; the raw material is then put through several processing steps to make it readable.

Logical Acquisition in Mobile Forensics

Bitwise copies of data from predetermined directories and files on the file system partition are called logical acquisitions. It is a technique for extracting files and folders from a mobile phone, but it does not recover deleted data. It does, however, capture particular categories of information such as pictures, call history, text messages, calendar entries and videos. A software tool is used to make a copy of the files.

Brute Force Acquisition in Mobile Forensics

Some investigators use brute force, which typically involves third-party technology, to bypass lock screens and passcodes. In their early iterations, these devices physically tried every possible PIN code on a user’s phone. The most recent security measures and lock screens have rendered this approach outdated; today’s brute force acquisition techniques are more advanced than their name might imply.

Mobile Forensics Phase 3: Examination and Analysis

Mobile forensic examiners need to analyse the data after it has been gathered. The internal capacity of a normal smartphone, however, is 64GB, which equates to almost 33,500 reams of paper. The essential evidence could be small and innocuous inside this vast volume of data: missed calls can be just as significant as delivered texts, and email drafts can be just as significant as selfies.

According to cyber expert Anuraag Singh, “Depending on the nature of the case, we may only be interested in a single category of data. For instance, we are highly interested in the history and visuals of web searches in situations of child abuse. We can filter out the items we don’t need to look at if we simply consider a few categories.”

However, in large cases where many different categories of data are potentially of interest – chats, images, contacts – the process can take much longer. To combat this swamp of data, several technical solutions are needed.

Each forensic tool has different analytical capabilities, some in the form of timeline visualization and link analysis, to help the forensic investigator visualize the data. Keyword searching and targeted filtering can also make the murky waters of analysis a little clearer and shallower.

In any case, a mobile forensic investigator will likely need to be well versed in more than one analytical tool and well trained to maintain an adequate chain of evidence.

What Type of Digital Evidence can be Extracted from the Devices

1. Call Detail Records (CDRs)
  • Time/date of the start and end of the call
  • Originating and final cell towers
  • Whether the call was outgoing or incoming
  • Call duration
  • Who was called and who called

However, the collection of this information depends on the policies of the countries concerned.
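The CDR fields listed above are enough to build a call timeline and to answer the "who called whom" question. The following is an added example, not code from the original article; it assumes a constructed CSV export with the column names shown (real carrier formats differ) and also flags records whose reported duration disagrees with their timestamps, a simple consistency check on the export.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample CDR export (not from a real carrier): one call per line.
SAMPLE_CDR = """\
start,end,orig_tower,final_tower,direction,subscriber,other_party,duration_s
2024-03-01T09:15:00Z,2024-03-01T09:18:30Z,TWR-017,TWR-017,outgoing,+15550100,+15550199,210
2024-03-01T11:02:10Z,2024-03-01T11:02:10Z,TWR-021,TWR-021,incoming,+15550100,+15550142,0
2024-03-01T17:40:05Z,2024-03-01T17:52:05Z,TWR-021,TWR-033,incoming,+15550100,+15550199,600
"""

def _parse_ts(value):
    # ISO-8601 timestamp with trailing Z, stored as timezone-aware UTC.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_cdrs(text):
    """Parse a CDR CSV export into records sorted by start time, adding a
    computed duration and a flag when the carrier-reported duration disagrees
    with the start/end timestamps (a sign of a clipped or altered export)."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        start, end = _parse_ts(row["start"]), _parse_ts(row["end"])
        computed = int((end - start).total_seconds())
        records.append({
            "start": start,
            "end": end,
            "orig_tower": row["orig_tower"],
            "final_tower": row["final_tower"],
            "direction": row["direction"],
            "subscriber": row["subscriber"],
            "other_party": row["other_party"],
            "duration_s": computed,
            "duration_mismatch": computed != int(row["duration_s"]),
            # The handset was served by a different tower at the end of the
            # call than at the start: it moved during the call.
            "moved": row["orig_tower"] != row["final_tower"],
        })
    return sorted(records, key=lambda r: r["start"])

def calls_with(records, number):
    """Who was called and who called: every call involving `number`, in time order."""
    return [r for r in records if r["other_party"] == number]

def missed_calls(records):
    """Zero-duration incoming entries, the missed calls the article notes can matter."""
    return [r for r in records if r["direction"] == "incoming" and r["duration_s"] == 0]
```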

2. Global Positioning System (GPS)

GPS data is an excellent source of empirical evidence. If the suspect had an active mobile device at the crime scene, GPS data can pinpoint their location at the time of the crime, and it can also track the suspect’s movement from the crime scene to a hideout. It further helps to correlate phone call logs, pictures and SMS with locations.

3. App Data

Many apps request permission to access data during installation. For example, a photo or video editing app needs media, camera and location permissions. It is possible to extract the databases and cache memory of applications such as WhatsApp, Facebook, Instagram, Twitter, Google Maps and Calendar.

4. SMS

Text or MMS messages leave an electronic record of dialogue that can be presented in court.

5. Photos and Videos (Gallery)

All photos and videos including deleted files can be extracted using the tools.

6. Contacts

The entire contact list can be extracted using forensic tools.

Mobile Forensic Tools and Techniques

The following cables or connectors are used to connect the mobile device to the workstation:

  1. JTAG or a cable connection, used in physical extraction
  2. Bluetooth or a wired connection, used in logical extraction

Forensic Tool Classification System: Forensic specialists and analysts need to understand the different types of forensic tools. The classification gives them a framework for comparing the collection techniques that different forensic tools use to gather data.

1. Manual Extraction

Manual extraction allows the examiner to extract and view data using the touch screen or keyboard of the device. The data is then documented photographically. It is time-consuming, however, and carries a high probability of human error.

Tools: –

  • Project-A-Phone
  • EDEC Eclipse

2. Logical and Physical Extraction

Investigators connect the mobile device to a forensic workstation using Bluetooth, an RJ-45 cable or a USB cable. Using a logical or physical extraction tool, the workstation sends a series of commands to the mobile device. As a result, the requested data is collected from the phone’s memory and sent back to the forensic workstation for analysis.

List of Forensic Tools: –

  • XRY
  • Oxygen Forensic Suite
  • Lantern
  • Cellebrite UFED

3. Hex Dump

A hex dump extracts a raw image of the device memory in binary format. Forensic examiners connect the device to the forensic workstation and push a boot loader onto the device to transfer its memory to the computer. This yields more information, including recovery of deleted files and unallocated space on the phone.

Tools: –

  • XACT
  • Pandora’s Box
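The raw image obtained by a physical acquisition or hex dump is just bytes; the examiner has to carve meaning out of it, including from unallocated space where deleted records linger. The following added example (not code from the article or from any of the tools listed) builds a constructed flash image containing a deleted SMS-like record, hashes it so later copies can be checked against the acquisition, and carves printable strings, phone numbers and erased-page runs out of it. The record layout and the 0xFF erased-page convention are assumptions for illustration.

```python
import hashlib
import re

# Constructed raw flash image (not a real device dump): a few "live" records,
# then an unallocated area that still holds the remnants of a deleted message.
def build_sample_image():
    live = b"contacts.db\x00+15550142\x00Alice\x00" + b"\x00" * 32
    deleted = b"\xff" * 16 + b"sms:+15550199|Meet at 6|2024-03-01" + b"\x00" * 8
    padding = b"\xff" * 40  # erased NAND pages read back as 0xFF (assumption)
    return live + padding + deleted + padding

def image_digest(image):
    """SHA-256 of the acquired image, recorded alongside the exhibit so that
    any working copy can later be shown to match the original acquisition."""
    return hashlib.sha256(image).hexdigest()

_PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")   # runs of at least 6 printable ASCII bytes
_E164 = re.compile(rb"\+[1-9][0-9]{7,14}")    # E.164-style international numbers

def carve_strings(image):
    """Return (offset, text) for every printable run, whether or not the file
    system still references the bytes: deleted records show up here too."""
    return [(m.start(), m.group().decode("ascii")) for m in _PRINTABLE.finditer(image)]

def carve_phone_numbers(image):
    """Return (offset, number) for each E.164-looking number; duplicates are
    kept so the examiner sees every place a number occurs in the dump."""
    return [(m.start(), m.group().decode("ascii")) for m in _E164.finditer(image)]

def unallocated_ranges(image, erased=0xFF, min_run=16):
    """Locate runs of the erased-page fill byte, i.e. the unallocated space in
    which deleted records survive until the block is reused."""
    runs, start = [], None
    for i, b in enumerate(image + b"\x00"):  # sentinel closes a trailing run
        if b == erased and start is None:
            start = i
        elif b != erased and start is not None:
            if i - start >= min_run:
                runs.append((start, i))
            start = None
    return runs

if __name__ == "__main__":
    img = build_sample_image()
    print("sha256:", image_digest(img))
    for off, s in carve_strings(img):
        print(f"0x{off:04x} {s}")
```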

4. Chip-Off

This technique allows the examiner to extract data directly from the flash memory of a cellular device. The phone’s memory chip is removed and a binary image of it is created. The process is expensive and requires extensive hardware knowledge; improper handling of the chip can cause physical damage and make the information unrecoverable.

Tools: –

  • iSesamo phone opening tool
  • FEITA digital inspection station
  • Chip epoxy glue remover

5. Micro Read

In a micro read, the data on the memory chip is observed and interpreted directly. The examiner inspects the physical gates on the chip with a high-powered electron microscope, converts the gate states into 1s and 0s, and then decodes the resulting ASCII. There is currently no commercial utility available for micro read.

Our organization handles mobile forensics cases such as extracting data from mobile devices, memory cards and cloud accounts for personal purposes or for legal matters involving the judiciary or police. Our forensic organization also offers mobile forensics training using the UFED digital forensic tool. SysTools Forensic Services are available in all states of India, especially in metropolitan cities such as Delhi NCR, Pune, Mumbai, Bengaluru, Kolkata, Chennai, Hyderabad, Ahmedabad and Jaipur.

The Future of Mobile Forensics

Mobile forensics is a rapidly evolving industry that needs to keep up with innovations in the technology sector in general. The market share of certain hardware, as well as certain operating systems, can vary significantly over a short period of time, changing the tools and processes mobile forensics must use to collect and analyze data from a smartphone.

Additional security measures, such as two-factor authentication for data stored in the cloud and increasing levels of on-device encryption, add further layers of complexity. New generations of analysis toolkits and overlapping laws across jurisdictions require expert training for today’s mobile forensic investigator.
