Mobile Forensic Computing can be seen as a body of scientific methodologies used by forensic researchers to extract data and other digital evidence from mobile devices. These include mobile computing devices such as cell phones, smartphones, PDAs and tablets. Once the evidence has been collected from these devices, it must be admissible in court; this means that researchers must follow the prescribed protocols at every stage of the investigation model.
Mobile Forensic IT in Brief
Mobile device forensic review is the science of recovering digital evidence from a mobile device under forensically sound conditions. This process includes obtaining and analyzing data from the mobile device and its SIM card. Forensic computing on mobile devices aims to establish the offence committed by a person, including the role the mobile device played in it.
Generally Accepted Model of the Forensic Investigation Process
- Collecting Evidence
- Investigation of Evidence
- Analysis and Evaluation
- Accepted as evidence
Mobile Forensic courses are the ideal starting point for anyone who wants to begin their journey as a digital forensic expert. Through this training, by acquiring the necessary skills to investigate real-world computer and mobile threats and computer crime, we have gained the knowledge needed to take the CCFE and CMFE certification exams.
Mobile Forensic IT courses teach the various approaches a researcher can choose from when working on a case, and each of these methods is studied in detail so that the processes involved are properly understood.
Constraints Encountered in Mobile Forensic Computing
- Hardware differences
- Mobile operating systems
- Mobile platform security features
- Insufficient resources
- The general condition of the device
- The dynamic nature of evidence
- Device alteration
- Communication shielding
- Lack of access to tools
- Malicious programs
- Legal issues
What are the Different Types of Evidence / Data Collection in Mobile Forensic Computing?
While it is important to understand the techniques and methods of acquisition with Mobile Forensic Software, a forensic expert needs various tools to complete the task on time. Forensic tools not only save time but also make the process easier. Today, many tools such as Elcomsoft iOS Forensic Toolkit, Cellebrite UFED, BlackLight, Oxygen Forensic Suite, AccessData MPE+, iXAM, Lantern, MSAB (XRY), SecureView and Paraben iRecovery Stick are used for the examination of mobile devices.
All of these tools support the following features:
- Logical acquisition.
- Password recovery.
- Reading backed-up data.
- A timeline view that brings the data together in a single place.
- Leaving no trace on, and making no change to, the device after the procedure.
- Automatic recovery of deleted data.
- Access to raw files for manual analysis.
- A user-friendly interface.
- Keyword lists and library features for searching.
- Reporting in various formats (Microsoft Excel, PDF, HTML, etc.).
There are several methods that forensic experts can use when trying to collect evidence from a device, but the most obvious methods of data collection are:
- Manual
- Logical
- File system
- Physical
- Brute force
Each of these data collection types has its own advantages and disadvantages, as well as the conditions to be used. We will look at each of these methods separately and give a brief explanation of when a forensic expert is likely to use a particular type of acquisition method.
Manual Data Collection
Manual data collection is used when a mobile device is functional and is neither encrypted nor physically damaged; no special software or hardware tool is required, because the device can be navigated through its graphical user interface (GUI). Content such as pictures, documents, call logs and any other data or features the user can access can be viewed by the researcher. In most cases, screenshots are captured from the device with a digital camera, or through a video adapter to an external display with image capture software.
This is not necessarily a comprehensive acquisition method, since data that cannot be displayed through the operating system of the device will not be accessible to the researcher during this process. Deleted items also cannot be recovered at this level, which means that, if they are needed, more technical methods must be used. When the researcher operates the mobile device in this way, there is also a risk of compromising the evidence by accidentally deleting files or changing timestamps.
Another critical factor is the time-consuming nature of manual data collection. A researcher must manually move between potentially large data stores and take a screenshot of each piece of evidence encountered. When there are several hundred pictures, emails or messages, a large amount of time will be required to complete a meaningful investigation. For these reasons, a forensic researcher should use this method only as a last resort, after all other ways have already been exhausted.
Logical Data Collection
This method involves connecting the mobile device to the forensic investigator's workstation with a wired USB, LAN or RS-232 connection. Wireless connections such as Wi-Fi, IrDA (infrared) or Bluetooth may also be used, depending on the researcher's needs and the capabilities or limitations of the device under examination. Each method uses its own communication protocol and may package the data differently when transferring the mobile device's data at the bit level.
Each mobile operating system has an associated SDK (software development kit) that forensic researchers can install on their workstations. The SDK provides manufacturer-level access to the hardware and software of the mobile device because it interacts natively with the device's API (application programming interface), which means the device will respond to commands sent remotely from the forensic workstation.
This method is especially useful when SMS, MMS and call histories need to be examined. The researcher can remotely install operating-system-specific forensic tools and run queries that do not affect the file structure of the mobile device, producing forensic reports in many different formats, such as CSV or XLS documents. These are human-readable documents and are excellent sources of information. Where SMS or text messaging data needs to be examined, the document fields can include sent time, received time, status (read or unread), message size, message content (what is said in the message), protocol and more. The forensic application installed on the device can be removed after the examination and evaluation are completed without affecting the integrity of the mobile device.
File System Data Collection
This method is an excellent way to recover deleted files from a mobile device. In many digital systems, a deleted file is usually not erased at all; instead, a flag is set in the system stating that the space this file occupies can safely be overwritten. When that overwrite actually occurs depends on many factors, such as how much data is written to the device after the file is deleted and how much write activity touches the marked area.
Android and iOS devices share a common database structure based on SQLite. The storage layer determines whether a file or record is ready to be overwritten and is responsible for marking deleted items. If forensic researchers can successfully access the file system, they can potentially copy these "deleted" items, such as browser history, images, messages and many other items of interest, from the mobile device for further investigation.
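The following example, added here and not part of the original article or of any forensic tool named in it, shows the same "flagged, not erased" behaviour one level down, at the SQLite record level rather than the file level: a message row deleted through the normal API no longer appears in queries (what a logical extraction sees), yet its text still sits in the freed page bytes of the database file (what a file-system acquisition can carve). It also shows the countermeasure, SQLite's documented `secure_delete` pragma, which zeroes freed cell contents. The table name `sms` and the message texts are constructed sample data.

```python
import os
import sqlite3
import tempfile

# Constructed sample messages; the middle one is the row the user "deletes".
MESSAGES = ["meet at the usual place", "DELETED-EVIDENCE-7f3a", "see you tomorrow"]
TARGET = MESSAGES[1].encode()


def build_message_db(path: str, secure_delete: bool) -> None:
    """Create a small messaging-style database and delete one row through the API."""
    conn = sqlite3.connect(path)
    # secure_delete is SQLite's own pragma: when ON, freed cell bytes are zeroed.
    conn.execute(f"PRAGMA secure_delete = {'ON' if secure_delete else 'OFF'}")
    conn.execute("CREATE TABLE sms (id INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany("INSERT INTO sms (body) VALUES (?)", [(m,) for m in MESSAGES])
    conn.commit()
    conn.execute("DELETE FROM sms WHERE body = ?", (MESSAGES[1],))
    conn.commit()
    conn.close()


def live_rows(path: str) -> list:
    """Logical view: what the app (or a logical extraction) can query after the delete."""
    conn = sqlite3.connect(path)
    rows = [r[0] for r in conn.execute("SELECT body FROM sms ORDER BY id")]
    conn.close()
    return rows


def raw_contains(path: str, needle: bytes) -> bool:
    """File-system view: scan the database file bytes, as a carver would."""
    with open(path, "rb") as f:
        return needle in f.read()


def compare_recovery() -> dict:
    """Report whether the deleted message is still recoverable from each database file."""
    result = {}
    with tempfile.TemporaryDirectory() as tmp:
        for label, secure in (("default", False), ("secure_delete", True)):
            db = os.path.join(tmp, f"{label}.db")
            build_message_db(db, secure)
            assert MESSAGES[1] not in live_rows(db)  # logically gone in both cases
            result[label] = raw_contains(db, TARGET)  # only the raw bytes differ
    return result


if __name__ == "__main__":
    for label, found in compare_recovery().items():
        print(f"{label:14s} deleted text still present in file bytes: {found}")
```

With the default setting the deleted text is still carvable from the file, which is why a file-system or physical acquisition recovers what a logical one cannot; with `secure_delete` on it is gone, so investigators should not assume recovery is always possible.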
Physical Data Collection
Physical data collection is a bit-by-bit copy, or clone, of a mobile device's file system and directory structure. We can think of it as the equivalent of imaging the hard disk of an ordinary computer. Once this data has been copied, it can be indexed by specialist forensic tools. For example, if instant messages are the researcher's area of interest, these tools can compile all messages from the different instant messaging applications into a single ordered, logical list for the researcher to start searching.
This method is advantageous because the risk of compromising data integrity can be completely avoided by using a write blocker on the interface used for the copy. However, some details need to be mentioned, as with logical data collection. When the status of a message needs to be determined (read or unread), the researcher should ensure that the copy method used does not change the marked state of the message, and that the forensic tool used to compile and display the messages also preserves that status.
Another critical factor is the timestamps of the files. They should all correspond to the clock of the mobile device and should not be altered by the forensic tools used in the copying process or the investigation. Problems occur when the date and time of the copying process overwrite the original timestamps of the mobile device under review, and this can seriously hinder the progress of a judicial investigation.
Brute Force Data Collection
This method refers to forcing a PIN or password, and it is highly successful where only a relatively small number of digit combinations is possible. Many phones have a four-digit PIN, ranging from 0000 to 9999. This means that there are 10,000 possible combinations for the forensic investigator to try, and most mobile devices have a security feature that locks the phone completely after a threshold of failed attempts. Brute forcing a phone's password can succeed in some cases, but a researcher should only use tools that are recognised as lawful and admissible in court.
The device must be connected to the researcher's workstation and started in bootloader or an equivalent mode. An application on the workstation then either mounts the file system of the mobile device, locates the encrypted password file and starts the attack, or temporarily loads a custom boot ROM onto the mobile device and uses the device's own CPU to perform the attack. In either case, this does not take too long, as the CPU can run multiple attempts per second; it can be as fast as a few minutes or take up to several hours, depending on several factors.
Once the correct combination has been found, the brute-force application displays the four-digit PIN in an on-screen prompt, and the researcher can try to unlock the phone, provided it is safe to do so.