Mobile Device Digital Forensics
Note: This article was originally published by the author on November 26, 2018.
It is the twenty-first century and cell phones have become ubiquitous. Most of the citizens residing in first-world developed nations have relatively inexpensive access to cell phone technology and rate plans. Tech companies like Apple, Microsoft, Google, and Samsung rule the burgeoning cell phone market and continue to develop new versions of their products on almost an annual basis. This practice makes it practically impossible for the average middle-class American to keep up with the proverbial “Joneses” and have the latest iPhone or Samsung Galaxy model. Developers have refined nanotechnology and nano-memory to the point where modern smartphones are incredibly powerful and can do nearly everything that a desktop or laptop computer is capable of performing.
Long gone are the days when mainframe computers took up entire warehouses to perform complex computing tasks. Some tech experts have even predicted that in the not-so-distant future people will not need desktop or laptop computers at all. Whether that happens or not is irrelevant; the proof is in the pudding, with clear and present reminders that practically everything can now be done from mobile devices. Of course, greater cell phone usage is followed by cybercriminal efforts to manipulate users into downloading malware onto their smartphones or to trick them into installing malicious apps from the Google Play Store or the Apple App Store.
This paper will delve into the history of mobile device technology, the digital forensics process, the tools used by investigators as well as legal controversies surrounding mobile device digital forensics. The ubiquity of mobile devices coupled with ever-expanding technological capability has a direct correlation to the increasing quantity of cyber crimes committed using mobile devices which serves to highlight the importance of digital forensics and of having a well-funded and qualified Digital Forensics Incident Response (DFIR) professional workforce.
In 1983, Motorola marketed the very first cell phone model, the Motorola DynaTAC 8000x (Ray, 2015). The DynaTAC was too large and clunky to fit in a back pocket, but it was portable, and portability is the major underpinning of how today's sleek and powerful smartphones came to be. Cell phone manufacturers found innovative ways of cramming more capability into smaller versions of their products while keeping them affordable to the average consumer (Ray, 2015). In the beginning, cell phones were designed for one purpose only: mobile voice calls. Later on, system engineers found ways of incorporating other services into cell phones, such as voicemail, audio/video/email data (Internet), mini High Definition (HD) cameras, pager, fax, and address books (Ray, 2015).
Modern smartphones have transcended what a traditional phone, even a cell phone, was capable of. These devices are now referred to as mobile devices because of their multimedia capabilities, with many users practically living a virtual online existence through their mobile device (Ray, 2015). Today, there is a seemingly unending quest by cell phone manufacturers to improve screen resolution, increase screen size, improve graphical user interfaces (GUI), cram more capacity into nano-memory SD memory cards and internal Hard Disk Drives (HDD), and create more functional mobile device apps (Ray, 2015). In fact, mobile devices have begun replacing other portable technologies such as cameras, video cameras, digital voice recorders, and much more (Ray, 2015). Security is usually a missing feature in many of the newer apps designed for mobile device user interoperability, making it very easy for cybercriminals to exploit mobile devices on each of the seven layers of the Open Systems Interconnection (OSI) stack: application (layer 7), presentation (layer 6), session (layer 5), transport (layer 4), network (layer 3), data link (layer 2), and physical (layer 1) (Mitchell, 2017).
As mobile devices become increasingly sophisticated, capable of monitoring heart rates, exercise, and sleep duration, mobile device services are moving towards the Cloud. This frees up more HDD space on mobile devices for other processes while simultaneously increasing reliance upon a steady, high-speed Internet connection. Mobile device designs will also continue to evolve, becoming sleeker and simpler with fewer buttons and larger screens with higher pixel resolution (Ray, 2015). Given all of the capabilities and features mobile devices possess, and all of the various types of data they generate, it is not difficult to understand the complexities of mobile device digital forensics.
Mobile Device Characteristics
Mobile devices have many different characteristics and features, but all of them require communication with some type of cellular network service provider transceiver or base station. These base stations operate using digital radio frequency (RF) signals and are connected to the public switched telephone network (PSTN), so that calls can be made to any type of phone number (Cross & Shinder, 2008, p. 366). Each mobile device comes equipped with a unique but interchangeable Subscriber Identity Module (SIM) card, installed to authenticate the user to the cellular provider network, which can later be swapped from one smartphone to another when upgrading or changing phones (Cross & Shinder, 2008, p. 366).
Mobile devices typically have ports for USB-enabled battery chargers, headphones/earbuds, and flash media storage cards such as SD cards, Compact Flash, Smart Media, and Memory Stick cards (Cross & Shinder, 2008, p. 366). Additionally, mobile devices come equipped with standard features and messaging protocols such as video calling apps; an address book; email; Web browsers; Short Message Service (SMS) text messaging; Multimedia Message Service (MMS), used for sending photos and videos; a High-Definition (HD) camera for both photo and video capture; audio apps such as MP3 players; video games; and much more (Cross & Shinder, 2008, p. 366). Each type of phone has an operating system (OS) such as Android (the most common), Apple's iOS, or another OS.
A Need for Mobile Device Digital Forensics
According to a Pew Research Center survey, 95% of Americans own a mobile device, and 77% of those people own a smartphone (Pew Research Center, 2017). According to the demographics of mobile device users, Americans ages 18–29 who live in urban areas are the most likely group to own smartphones, with 100% of that age group owning a cell phone of some type (Pew Research Center, 2017). According to the most recent Internet Crime Report from the Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3), there were 2,673 victims of ransomware; 10,850 victims of tech support fraud; 17,146 victims of extortion/sextortion; 15,895 victims of credit card fraud; 16,878 victims of identity theft; and 19,465 victims of phishing-vishing-smishing-pharming (IC3, 2016, p. 17). It may shock some people to learn that all of these types of Internet crimes can be perpetrated by or against mobile devices. The financial cost of these types of Internet crimes is staggering. Consider that in twelve months' time, credit card fraud alone (i.e., just one category of crime) cost companies and American taxpayers $48 million in losses, which in turn are passed on to consumers in the form of higher prices for goods sold by the company and potentially higher government taxes (IC3, 2016, p. 18).
Types of Evidence
Mobile devices are capable of storing several different types of evidence. For instance, common types of evidence retrievable from mobile devices may include digital photographs; videos; SMS text messages; phone call logs that show numbers called, calls received, call durations; phone contact names and numbers; Web browser history; downloaded media, etc. (Easttom & Taylor, 2011, pp. 313–314). Imagine a case where police arrest a suspect for allegedly selling drugs or distributing child pornography via their mobile device. The digital forensics investigator will definitely want to examine the phone contacts and call logs to determine who the other clients and perpetrators may be as they often work in drug or sex trafficker rings and that contact information could potentially yield further criminal arrests (Easttom & Taylor, 2011, p. 314). Arrests involving gang members or organized crime mobsters can also yield very valuable criminal intelligence and contact information from mobile devices carried and used by suspects.
Digital Forensics Investigation Process
The process used to preserve, acquire, and examine digital forensics evidence during an investigation is very important because if it is not properly followed, the evidence will likely be deemed inadmissible in a court of law. The methods used by digital forensics investigators to assess, acquire, examine, document, and report mobile device evidence are the same as for a typical personal computer (PC), aside from some minor technical hardware and software differences. A crime first has to be committed before any type of forensic investigation can be conducted. The crime also needs to be reported by someone, whether a witness, a victim, a law enforcement officer, or just someone who happened upon the scene. Different law enforcement agencies have different terminology for conducting a computer forensic investigation, but despite the different terms, the steps are relatively similar. The Department of Justice has published its own version of the process, which consists of four phases: evidence assessment, evidence acquisition (or collection), evidence examination (or analysis), and documenting and reporting (NIJ, 2004, p. 2).
In the evidence assessment initial step, a thorough review is conducted of the search warrant that provides the legal authority to conduct the forensic examination, the case details provided to law enforcement during the reporting of the crime, the nature of the hardware and/or software involved in the case, what evidence is being sought, and any notable circumstances surrounding how the evidence was acquired by law enforcement officials (NIJ, 2004, p. 7). The digital forensics investigator must also ensure that a proper request for assistance was completed and document the chain of custody for the evidence once it is turned over to the digital forensics lab (NIJ, 2004, p. 7).
Additionally, during the evidence assessment step, the investigator needs to determine from the case investigator if there are any special requirements for forensics processes such as fingerprint analysis, DNA analysis, etc. (NIJ, 2004, p. 7). If the case involves evidence that may be stored remotely by an Internet Service Provider (ISP), then the digital forensics investigator will need to send a preservation order to the ISP so that any data that is applicable to the suspect or the case is not deleted (NIJ, 2004, p. 7). Other technology possibly used in the commission of the crime will be assessed to determine the relevancy to the case as well as specific types of digital evidence that is being sought like image files, database files, etc. (NIJ, 2004, p. 7).
Information such as which ISP the suspect used will also be gathered during the evidence assessment step, along with other information such as alias account names, system audit logs, network configuration, offsite storage areas, removable storage media, other users of the system, and usernames and passwords obtained from the system administrator or from other users, employees, or associates of the suspect (NIJ, 2004, p. 7). The digital forensics investigator must also determine how skilled the suspect was on the system in question. For instance, the suspect may have used advanced data concealment techniques such as steganography applications, which hide messages or image/video/audio files within other innocuous-looking files; encryption, which renders the data unreadable without the decryption key; or even booby traps that automatically erase all HDD contents if the computer is not shut down in a certain sequence.
Performing this pre-work assessment of the evidence involved will help investigators determine what tools they will need to perform the evidence acquisition and examination (later steps), which evidence should be examined first, as well as if the investigator will need assistance due to the scope of the job (NIJ, 2004, p. 8). The investigator will use the information gathered during the Evidence Assessment step to determine approximately how much time will be needed onsite to acquire evidence, any logistic and/or personnel concerns that may arise, any business impacts to the organization should the investigation be rather lengthy, and how suitable the site is for the necessary forensics equipment and resources to actually perform the evidence acquisition (NIJ, 2004, p. 9).
Step 2, evidence acquisition, involves the careful collection of digital evidence from the crime scene computer(s) or other storage media/technology involved in the case. The digital forensics investigator must be careful not to alter or modify the evidence data in any way during acquisition. It is important to take copious notes of details such as the hardware and software configuration of the examiner's system (NIJ, 2004, p. 11). The digital forensics investigator should disassemble the computer case (desktop tower or laptop) to have unrestricted physical access to the HDD while simultaneously ensuring that it is "…protected from static electricity and magnetic fields" (NIJ, 2004, p. 11). If the search warrant allows it, the digital forensics investigator must identify and acquire any removable storage media or devices that may have been used by the suspect, as well as document the internal storage device (e.g., HDD) hardware configuration, serial number, make/model, storage capacity, jumper settings, drive slot, connection type (e.g., IDE or SATA), etc. (NIJ, 2004, p. 11). The investigator must also detail other aspects of the suspect's computer, such as whether it has a sound card, video card, or network interface card (NIC), what the Media Access Control (MAC) address was, printer connections, etc. (NIJ, 2004, p. 11).
Typically, an investigator will use a digital forensics software application such as EnCase that contains pre-formatted checklists/worksheets with blank fields for an investigator to type in all of these details; these remind investigators what to look for, since there is a plethora of computer details to be acquired. The software tools will be covered later in the article, but it is also important to note here that this forensics software is immensely helpful in assisting investigators in building the evidence case. It is also important for digital forensics investigators to disconnect the suspect's computer from the Internet if it is connected via Ethernet cable, or to disable Wi-Fi access if it is connected to the Internet or another WLAN/WAN remotely (NIJ, 2004, p. 11). The investigator will forensically capture the boot-up settings from the CMOS/BIOS, physically remove any internal HDDs, and connect them to the investigator's computer for examination (NIJ, 2004, p. 12). In certain situations, it may not be feasible to remove storage devices. The investigator may then need to perform the evidence acquisition directly over the network using network infrastructure equipment (NIJ, 2004, p. 12). The HDDs and external storage media devices must be examined to ensure that all disk space is properly accounted for, including partition tables, any slack space, etc. (NIJ, 2004, p. 13).
Before any modifications are made to the suspect's computer, a data write blocker should be installed; this is normally a hardware device but may also be done using software (NIJ, 2004, p. 13). The digital forensics investigator will make bitstream (binary sequence) copies of any internal or removable storage drives and compare file hash values once complete to ensure that the bitstream copy is identical to the original set of data. The original evidence should not be examined if at all possible; it is preferable to perform the examination on a bitstream copy of the acquired evidence.
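The bitstream-copy-and-hash step described above, as an added example that is not code from the paper or from any forensic tool it names: a block-by-block imager in the style of dd that hashes the bytes as they stream through, re-hashes source and image independently, and writes an acquisition record usable for chain-of-custody documentation. The "device" is a constructed file, and the examiner name and case number are placeholders.

```python
"""Bitstream imaging with hash verification (added example, not from the
original paper). Mirrors what a forensic imager such as dd does: read the
source in fixed-size blocks, write an identical copy, hash both, and record
the result in an acquisition log. The source is opened read-only; a hardware
write blocker enforces the same thing at the bus level."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

BLOCK_SIZE = 4096  # read/write granularity, like dd's bs= option


def hash_stream(path, block_size=BLOCK_SIZE):
    """Return (md5, sha256) hex digests of a file, read block by block so
    that multi-gigabyte images never have to fit in memory."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(block_size), b""):
            md5.update(block)
            sha256.update(block)
    return md5.hexdigest(), sha256.hexdigest()


def image_device(source, image_path, block_size=BLOCK_SIZE):
    """Copy every byte of `source` into `image_path`, hashing the bytes as
    they pass through. Returns the hashes of the bytes actually read."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(block_size), b""):
            md5.update(block)
            sha256.update(block)
            dst.write(block)
    return md5.hexdigest(), sha256.hexdigest()


def acquire(source, image_path, examiner, case_id):
    """Image the source, then independently re-hash the source and the
    image. The acquisition is only 'verified' when all three agree."""
    md5_stream, sha_stream = image_device(source, image_path)
    md5_src, sha_src = hash_stream(source)
    md5_img, sha_img = hash_stream(image_path)
    verified = (md5_stream == md5_src == md5_img and
                sha_stream == sha_src == sha_img)
    return {
        "case_id": case_id,                 # placeholder values in demo()
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "source": source,
        "image": image_path,
        "bytes": os.path.getsize(image_path),
        "md5": md5_img,
        "sha256": sha_img,
        "verified": verified,
    }


def verify_image(image_path, log):
    """Later check (e.g. before examination) that the working copy still
    matches the hashes recorded at acquisition time."""
    md5_now, sha_now = hash_stream(image_path)
    return md5_now == log["md5"] and sha_now == log["sha256"]


def demo(tmpdir=None):
    """Acquire a constructed 'SD card', confirm the image verifies, then
    flip one byte in the copy and show that verification catches it.
    Returns (acquisition log, intact-before, intact-after-tamper)."""
    tmpdir = tmpdir or tempfile.mkdtemp()
    device = os.path.join(tmpdir, "sdcard.bin")
    image = os.path.join(tmpdir, "sdcard.raw")
    with open(device, "wb") as fh:   # constructed sample card contents
        fh.write(b"\x00" * 10000
                 + b"CALL LOG: 555-0100 out 00:42\n"
                 + b"\xff" * 7000)
    log = acquire(device, image, examiner="Examiner Placeholder",
                  case_id="CASE-0000")
    intact = verify_image(image, log)
    with open(image, "r+b") as fh:   # simulate one corrupted byte in the copy
        fh.seek(10005)
        fh.write(b"X")
    tampered = verify_image(image, log)
    return log, intact, tampered


if __name__ == "__main__":
    record, before, after = demo()
    print(json.dumps(record, indent=2))
    print("verified at acquisition:", record["verified"])
    print("verifies before tamper:", before, "after tamper:", after)
```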
During the examination step, evidence is physically extracted using techniques such as keyword searching, file carving, and extraction of the partition table and slack space from the physical drive to recover deleted files (NIJ, 2004, p. 15). Additionally, unallocated space and password-protected, encrypted, and compressed data are also extracted (NIJ, 2004, p. 15). Keyword searches may hit on metadata, header/footer, content, date/timestamps, or file location on a particular drive (Cross & Shinder, 2008, p. 236). If a digital forensics investigator finds evidence in the registry files that steganography applications were installed on the computer or mobile device, or other evidence that data hiding techniques were employed, that will warrant much deeper analysis. Investigators will examine file types and their associated applications while looking for details such as abnormal file extensions, file sizes, Internet browser history, cache files, emails, and email attachments (NIJ, 2004, p. 17). Certain operating systems and anonymity tools, such as the Tails OS and the Tor Browser, Freenet, or I2P, are specifically designed for anonymous browsing and do not save Internet browsing history or cache files. Such anti-forensics software makes the already difficult task of conducting the investigation harder, but not impossible.
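Two of the physical extraction techniques named above, header/footer file carving and keyword searching over raw bytes, as an added example that is not code from the paper or from any tool it discusses. The carver ignores the file system and scans the raw image, which is why it recovers files whose directory entries were deleted but whose data still sits in unallocated space. The image, its JPEG-like and PNG-like blobs, and the text fragment are all constructed.

```python
"""Header/footer carving and keyword search over a raw image (added example).
Signatures are real JPEG/PNG magic values; the image itself is constructed."""
import re

# file type -> (header, footer, max_size): a header is only carved when its
# footer appears within max_size bytes, which bounds runaway candidates.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 10 * 1024 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 10 * 1024 * 1024),
}


def carve(image, signatures=SIGNATURES):
    """Return (type, offset, data) for every header whose footer is found
    within max_size. The carver only reports candidates; the examiner decides
    which are real files. Headers with no footer (truncated or overwritten
    files) are skipped rather than guessed at."""
    found = []
    for ftype, (header, footer, max_size) in signatures.items():
        start = image.find(header)
        while start != -1:
            window_end = min(len(image), start + max_size)
            end = image.find(footer, start + len(header), window_end)
            if end != -1:
                end += len(footer)
                found.append((ftype, start, image[start:end]))
                start = image.find(header, end)    # resume after carved file
            else:
                start = image.find(header, start + 1)
    return sorted(found, key=lambda hit: hit[1])


def keyword_search(image, keywords, context=12):
    """Case-insensitive keyword search over the raw bytes. Each hit carries
    its drive offset and a short snippet so it can be cited in the report."""
    hits = []
    for kw in keywords:
        for m in re.finditer(re.escape(kw.encode()), image, re.IGNORECASE):
            lo, hi = max(0, m.start() - context), m.end() + context
            hits.append((kw, m.start(), image[lo:hi]))
    return sorted(hits, key=lambda hit: hit[1])


def build_sample_image():
    """Constructed raw image: remnants of deleted files among filler bytes,
    with no file system structures around them (pure unallocated space)."""
    jpg = b"\xff\xd8\xff\xe0" + b"\x00JFIF\x00" + b"\x11" * 300 + b"\xff\xd9"
    png = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x22" * 200
           + b"IEND\xaeB`\x82")
    truncated_jpg = b"\xff\xd8\xff\xe1" + b"\x33" * 50   # header, footer gone
    note = b"meet at warehouse 9pm, bring the sim card\n"  # constructed text
    return (b"\x00" * 512 + jpg + b"\x00" * 128 + note + b"\xaa" * 256
            + truncated_jpg + b"\x00" * 64 + png + b"\x00" * 512)


def demo():
    """Carve the constructed image and search it for two keywords."""
    image = build_sample_image()
    return carve(image), keyword_search(image, ["SIM card", "warehouse"])


if __name__ == "__main__":
    carved, hits = demo()
    for ftype, offset, data in carved:
        print(f"carved {ftype} at offset {offset}, {len(data)} bytes")
    for kw, offset, snippet in hits:
        print(f"keyword {kw!r} at offset {offset}: {snippet!r}")
```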
The ultimate goal of any digital forensics investigation is to put the user behind the keyboard or mobile device in this case, at the time and/or location that the crime was committed. This is referred to as timeframe analysis (NIJ, 2004, p. 18). This goal is not always realized or possible depending on the circumstances, but it remains the ultimate goal to get as close as possible to this end state for an air-tight forensic case. The investigator will attempt to prove ownership and possession of the illegal material or evidence of the crime by demonstrating that it was the suspect who was in fact authenticated as the user who performed said actions on the device.
Documenting and Reporting
The documenting of details about how the evidence was assessed, acquired, and examined is very important to the case investigator and potentially the defense attorney, district attorney, judge, and jury in determining guilt beyond the shadow of a doubt as is the litmus test in a criminal trial. In a criminal trial, often someone’s life is on the line, and accordingly, the importance of thorough analysis grounded in scientific forensic processes is paramount. Documenting throughout the investigation will include handwritten evidence tags to show the chain-of-custody, digital notes taken by the digital forensics investigator during acquisition and examination of the evidence using forensics software applications such as the Forensics Toolkit (FTK) or EnCase, photographs of the computer equipment or mobile device that include date/timestamps, descriptions of what the evidence is, where it was collected from, by whom, etc.
Much like the scientific process, the goal of documenting evidence is so that if necessary, the entire process is repeatable and different investigators could follow the same steps and arrive at the same conclusions (NIJ, 2004, p. 19). The end result of the entire digital forensics investigation is an examiner’s report that details every aspect of the digital forensics investigation which is provided to the case investigator (e.g., a police detective or FBI agent). The examiner’s report details who the examiner was that conducted the investigation, the date of receipt of the evidence for examination, date of the report, detailed descriptions of what was examined and what processes were used, as well as what was found and conclusions (NIJ, 2004, p. 20).
Forensic Tool Capabilities
Forensic tools are either hardware or software application tools that aid digital forensics investigators in the performance of their duties. Tools such as data write blockers, Faraday bags that block radio frequency (RF) signal transmissions, mobile device power cables, USB cables, special tools to remove mobile device casings, and soldering irons to detach memory from mobile devices all help forensics investigators to be able to access the evidence and perform a thorough examination of the data stored on the device.
Computer forensics tools can be grouped by category as disk and data capture tools, file viewers, file analysis tools, registry analysis tools, Internet analysis tools, email analysis tools, mobile device analysis tools, Mac OS analysis tools, network forensics tools, and database forensics tools (Shankdhar, 2017). For just about every type of OS, there is at least one digital forensics tool capable of forensically analyzing it. Listing every digital forensics tool available is beyond the scope of this paper; instead, a few prominent tools that pertain to mobile device forensics are highlighted. One example is Paraben's P2 eXplorer, a mobile device forensics tool available for $199 or as a free limited-feature version.
P2 eXplorer allows investigators to mount several forensic images simultaneously, in different formats, as read-only local and physical disks, and to view deleted data and unallocated space (Shankdhar, 2017). It is important to remember, however, that it is not just the forensic tools that make the criminal case; how well the case and digital forensics investigators follow the forensics process will determine whether the evidence stands up at trial, how strong the case against the suspect is, and ultimately whether the criminal is convicted by the jury.
Commercial Forensic Software Tools
X-Ways Forensics is a commercially available digital forensics product that works on all versions of the Windows OS. X-Ways offers a great many forensic capabilities such as registry analysis, bulk hash analysis, complete case management, memory and RAM analysis, metadata extraction, and several different data recovery techniques including file carving (Shankdhar, 2017). EnCase is one of the biggest names in the industry; its popular forensics suite is used by many different law enforcement agencies and is a full-package deal offering complete case management from beginning to end. It should also be noted that EnCase is one of the most, if not the most, widely respected forensics tools accepted by courts across the nation. The EnCase tool is not free or open-source; individual licenses cost $995 per user to start and increase from there for multiple licenses (Shankdhar, 2017).
Open Source Forensic Software Tools
Some of the best digital forensics tools are open-source and completely free to download and use. All that is required is knowledge of how to use the tool, which can be learned by reading the how-to self-tutorial manuals that come with the software or from website forums. One popular open-source digital forensics tool used by professionals and hobbyists alike is Digital Forensics Framework, which is useful on both the Windows and Linux OS (Shankdhar, 2017). Additionally, Open Computer Forensics Architecture (OCFA) is another open-source forensics application that works on multiple OSs (Shankdhar, 2017).
The Computer-Aided Investigative Environment, more commonly referred to as CAINE, is another very good open-source digital forensics application distributed as a Linux OS distribution (Shankdhar, 2017). Another open-source digital forensics tool is the SANS Investigative Forensics Toolkit (SIFT), which was built on the Ubuntu (Linux) OS. SIFT is open-source, chock-full of capabilities, and free to download from the SANS website (Shankdhar, 2017). The Sleuth Kit is another open-source forensics tool; it is a collection of command-line tools accompanied by the Graphical User Interface (GUI)-based Autopsy program, which is capable of forensically analyzing mobile devices (Carrier, 2017). There are also Linux and Unix forensics tools such as LTools, MTools, The Coroner's Toolkit, and Tctutils (Cross & Shinder, 2008, pp. 256–257).
Anti-Forensics Software Tools
Just as there are developers who program digital forensics software applications, there are also developers who program anti-forensics software tools, because there is a demand for this type of software as well. Anti-forensics software tools are specially designed to thwart forensic efforts to recover data, to the point that the evidence will not be legally admissible in court (Littlefield, 2017). The theory is that digital forensics is heavily reliant on the software application tools an investigator uses to perform the acquisition and analysis, and those tools could be compromised and negatively impact the results of an investigation (Littlefield, 2017). It is already next to impossible for law enforcement digital forensics investigators, who are usually very backlogged, to keep up with the ever-changing technology that cyber criminals use; factor in anti-forensic tools employed by criminals that can affect the collection phase of the investigation, and the chances of a successful investigation drop considerably.
Offenders often use anti-forensics techniques such as data obfuscation and encryption. "According to the Open Rights Group, in 2012 to 2013 there [were] a total of 19 refusals to disclose encryption keys that resulted in only 3 prosecutions" (Littlefield, 2017). Some offenders have also resorted to hiding a small amount of legally safe data within an encrypted partition that is located within a secondary encrypted partition containing the larger stash of hidden files, using anti-forensics software such as "Slacker" (Littlefield, 2017). This is a tactic that admittedly could fool even a more experienced investigator who did not know to check for it or did not have the key to the first encrypted container.
Of course, steganography is an old favorite of cybercriminals, especially pedophiles, who use steganography applications to compress, encrypt, and hide their illicit data within cover medium files such as other images, audio, and video files (Littlefield, 2017). Other anti-forensics techniques involve using Live CDs and virtual disks that can be run from CDs, DVDs, or USB devices and that leave little to no trace on the OS (Littlefield, 2017). Some offenders also skirt U.S. or other international laws by committing their cyber crimes from countries that do not participate in legal treaties, that do not have extradition, or that have even stricter data privacy laws than the U.S., making it very difficult for U.S. law enforcement authorities to track down and prosecute these criminals. On certain occasions, for the more notably egregious cyber crimes, the Department of Justice (DOJ) has issued indictments of cybercriminals from other nations because the particular nation in question, such as Russia, China, North Korea, or Iran, does not legally cooperate with the U.S.
In conclusion, as mobile device technology gravitates towards Cloud services and more streamlined user interface technology, the importance of Cloud digital forensics will manifest itself. These are times in which the ownership and use of mobile devices are at an all-time high. These are times where the U.S. Customs and Border Patrol (CBP) has the authority to search American citizens’ mobile devices at border entry points without a search warrant regardless of protections afforded by the Fourth Amendment of the Constitution. These are times in which law enforcement agencies around the nation freely use sophisticated intelligence-gathering Stingray International Mobile Subscriber Identity (IMSI)-catching technology and social media open-source intelligence (OSINT) software applications to collect information on everyday ordinary citizens, and where law enforcement authorities can subpoena ISPs for private data stored on their networks belonging to American citizens in the name of “national security.”
Never has there been a time in U.S. history where Americans have been so heavily surveilled by their government and police that are supposed to protect them but instead violate their privacy rights time after time, trounced upon like a puddle of water. It is a disturbing trend, to say the least, that will take Congressional-level legal actions to reverse. The bottom line is that mobile device digital forensics will continue to explode in the near future and the demand for qualified digital forensics experts will be extremely high driving up the salary potential for those wanting to pursue digital forensics as a career. As technology continues to evolve, the level of sophistication in the digital forensics field of study will be increasingly more difficult to master.
Carrier, B. (2017). Open Source Digital Forensics. Retrieved from
Cross, M., & Shinder, D. L. (2008). Scene of the Cybercrime. Burlington, MA: Syngress.
Easttom, C., & Taylor, J. (2011). Computer crime, investigation, and the law. Boston, MA: Course Technology.
Internet Crime Complaint Center (IC3). (2016). Internet Crime Report. Retrieved from https://www.ic3.gov/media/annualreport/2016_IC3Report.pdf
Littlefield, R. (2017, August 9). Anti-forensics and cryptography: An insight into how offenders disrupt cyber crime investigations. Retrieved from https://littlefield.co/anti-forensics-and-cryptography-an-insight-into-how-offenders-disrupt-cyber-crime-investigations-e44637513709
Mitchell, B. (2017, June 9). Understanding the Open Systems Interconnection Model? Retrieved from https://www.lifewire.com/open-systems-interconnection-model-816290
National Institute of Justice. (2004, April). Forensic examination of digital evidence: A guide for law enforcement. Retrieved on November 25, 2017, from https://www.ncjrs.gov/pdffiles1/nij/199408.pdf
Pew Research Center: Internet & Technology. (2017, January 12). Mobile fact sheet. Retrieved from http://www.pewinternet.org/fact-sheet/mobile/
Ray, A. (2015, January 22). The history and evolution of cell phones. Retrieved from https://www.artinstitutes.edu/about/blog/the-history-and-evolution-of-cell-phones
Shankdhar, P. (2017, May 26). 22 popular computer forensics tools [Updated for 2017]. Retrieved from http://resources.infosecinstitute.com/computer-forensics-tools/