Mobile device forensics follows a defined procedure. Its stages are as follows:
- Seizure: Seizing the mobile device is a crucial step in forensics. The examiner should use the best available method to seize the device and ensure that its memory is not changed, manipulated or overwritten.
  The mobile device is taken as it is from the site. If the examiner allows it to connect to a network or the internet, evidence in memory may be overwritten. To avoid this, the seizure is done in a Faraday cage or bag, where the device cannot connect to any network. It is highly recommended that the examiner put the device into Airplane Mode at the time of seizure.
- Acquisition: To perform acquisition efficiently, it is important to identify the make and manufacturer of the mobile device. This can be done by looking at the front and back of the device or by removing the cover and looking near the battery area. Then comes the acquisition itself, which is the process of collecting data from the mobile device. The examiner has to make sure that no component holding data is left uncovered. Acquisition is not possible if the device's battery is drained, but it is also not best practice to charge the phone while it is still in the Faraday cage or bag: the phone may detect that the network is unreachable, change the status of some elements, or trigger the memory manager to write data and overwrite evidence.
  Acquisition can be done in the following ways:
  - Manual acquisition: In this type of acquisition the forensic examiner collects evidence from the mobile device manually, using it just as a normal user would. This scenario is rare because many mobile devices have a passcode or other security. There is a high chance of data being lost if this method is used on the device in question.
  - Physical acquisition: In this type of acquisition the forensic examiner tries to copy the entire physical storage (flash memory) of the mobile device. This acquisition allows the examiner to uncover deleted files and data with the help of forensic tools. The manufacturer prevents direct access to and reading of physical memory, so the forensic tools have to overwrite the bootloader to get access.
  - Logical acquisition: In this type of acquisition the forensic examiner tries to extract all of the logical storage, that is, the file system, data structures, etc. In most cases logical acquisition can be achieved with the manufacturer-provided API: the examiner synchronizes the mobile device with the forensic workstation through that API. The API or forensic tool extracts the data structures and data efficiently and organizes the data for presentation to the examiner. However, the API is not a forensic tool, so some data may not be acquired. To overcome this disadvantage and the resulting loss of evidence, forensic tool vendors use an agent installed on the mobile device that helps obtain forensically important data.
  - File system acquisition: Logical extraction does not fetch deleted information. On iOS and Android, databases are in SQLite format. When a database is deleted, it is only marked as deleted in memory and not removed; that part of memory then becomes available for overwriting. In file system acquisition, even those deleted databases can be retrieved from memory.
  - Brute-force acquisition: In this method the forensic examiner uses a "trial and error" approach in which a series of passcodes from 0000 to 9999 is sent to the mobile device until the correct one is found. Some commercial tools and Python scripts help recover the passcode of the mobile device. Once the passcode is recovered, the device is available for further forensic investigation.
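The difference between logical and file system acquisition described above can be seen on a single SQLite file. The following Python script is an added example, not code from the original text: it builds a small constructed messaging database of the kind iOS and Android apps use, deletes one record, and then contrasts what the SQL API returns (what a logical extraction sees) with what a raw scan of the file bytes finds. The table, marker strings and file name are constructed for the demo, and it assumes SQLite's usual default of `secure_delete=OFF`. The mechanism the text describes for a deleted database also applies to individual records inside one: the cell is marked free and its bytes stay in the page until reused.

```python
import os
import re
import sqlite3
import tempfile


def build_sample_db(path):
    """Constructed sample: a messaging database with one row deleted afterwards."""
    conn = sqlite3.connect(path)
    # secure_delete=OFF is the usual default; set it explicitly so the demo is
    # deterministic. With secure_delete=ON SQLite zeroes freed cells and the
    # carving below finds nothing.
    conn.execute("PRAGMA secure_delete=OFF")
    # Rollback-journal mode: committed pages land in the main .db file itself.
    conn.execute("PRAGMA journal_mode=DELETE")
    conn.execute(
        "CREATE TABLE messages (id INTEGER PRIMARY KEY, sender TEXT, body TEXT)"
    )
    conn.executemany(
        "INSERT INTO messages (sender, body) VALUES (?, ?)",
        [
            ("alice", "MARKER_KEEP meeting at noon"),
            ("bob", "MARKER_DELETED wire the money today"),
            ("carol", "MARKER_KEEP lunch"),
        ],
    )
    conn.commit()
    # The deleted row's cell becomes a freeblock inside the page; only its
    # first four bytes (freeblock header) are overwritten, the text survives.
    conn.execute("DELETE FROM messages WHERE sender = 'bob'")
    conn.commit()
    conn.close()


def logical_rows(path):
    """What a logical extraction through the SQL API returns: live rows only."""
    conn = sqlite3.connect(path)
    rows = conn.execute("SELECT sender, body FROM messages ORDER BY id").fetchall()
    conn.close()
    return rows


def carve_marked_strings(path):
    """Scan the raw file bytes, ignoring SQLite structure, for the marker strings.

    Real carving tools walk page headers and freeblock chains; a regex over the
    raw bytes is enough to show that the deleted text is still on disk.
    """
    with open(path, "rb") as f:
        raw = f.read()
    return [m.group().decode() for m in re.finditer(rb"MARKER_[A-Z]+[a-z ]*", raw)]


def run_carving_demo():
    """Build the constructed database and return both views of it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sms.db")
        build_sample_db(path)
        return {"logical": logical_rows(path), "carved": carve_marked_strings(path)}


if __name__ == "__main__":
    result = run_carving_demo()
    print("logical extraction :", result["logical"])
    print("raw file carving   :", result["carved"])
```

The carved list contains the deleted "MARKER_DELETED" message while the logical view does not. Two caveats matter in practice: with `secure_delete=ON` the freed bytes are zeroed and nothing can be carved, and in WAL journal mode recently changed pages live in the `-wal` sidecar file, so an acquisition must capture the journal and WAL files next to the database, not just the `.db` itself.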
After the acquisition of a mobile device, a hash value is generated to maintain the integrity of the evidence. The hash value matters during the examination and analysis stages, since those processes operate on the acquired image and the image could be tampered with in the meantime. The hash value is therefore used to determine whether the data from the mobile acquisition has been manipulated.
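The integrity check described above, as an added example that is not part of the original text: the script hashes an acquisition image in chunks (so multi-gigabyte images do not have to fit in memory), records the digest together with examiner and timestamp in a JSON manifest, and later re-hashes the working copy to detect manipulation. The image content, file names and the examiner value are constructed placeholders; the manifest layout is this example's own, not a standard.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash the image 1 MiB at a time so large images fit in memory


def hash_image(path):
    """Return the SHA-256 hex digest of an acquisition image file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(image_path, manifest_path, examiner):
    """Record the acquisition hash with who hashed it and when (example layout)."""
    record = {
        "image": os.path.basename(image_path),
        "algorithm": "sha256",
        "digest": hash_image(image_path),
        "examiner": examiner,
        "hashed_at": datetime.now(timezone.utc).isoformat(),
    }
    with open(manifest_path, "w") as f:
        json.dump(record, f, indent=2)
    return record


def verify_image(image_path, manifest_path):
    """Re-hash the image and compare with the manifest; returns (ok, expected, actual)."""
    with open(manifest_path) as f:
        record = json.load(f)
    actual = hash_image(image_path)
    return actual == record["digest"], record["digest"], actual


def run_integrity_demo():
    """Constructed demo: a fake 3 MiB image, a manifest, then one flipped byte."""
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "device.bin")
        manifest = os.path.join(d, "device.bin.sha256.json")
        with open(image, "wb") as f:
            f.write(os.urandom(3 * CHUNK + 17))  # constructed image content
        write_manifest(image, manifest, examiner="EXAMINER_PLACEHOLDER")
        clean_ok = verify_image(image, manifest)[0]
        # Simulate manipulation of the working copy: flip a single bit mid-file.
        with open(image, "r+b") as f:
            f.seek(CHUNK + 5)
            original = f.read(1)
            f.seek(CHUNK + 5)
            f.write(bytes([original[0] ^ 0x01]))
        tampered_ok = verify_image(image, manifest)[0]
        return {"clean_verifies": clean_ok, "tampered_verifies": tampered_ok}


if __name__ == "__main__":
    print(run_integrity_demo())
```

In practice the manifest is produced on the acquisition workstation immediately after imaging and kept with the chain-of-custody record; every later verification compares against that first digest, and any mismatch, even a single bit, means the image can no longer be relied on as evidence.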
- Examination and analysis: As mobile devices move toward the smartphone generation, most of them use a high-level file system like those used on computers. The FAT file system is used on NAND memory, so a forensic tool used to perform acquisition of computers can be reused with some upgrades.