The term “mobile devices” refers to a wide range of devices, including smartphones and tablets, as well as smartwatches, cameras, GPS systems, and drones. In a mobile forensics investigation, the device itself is the most important item of evidence. With approximately 340 million mobile phone users in India today, it is becoming increasingly rare for a modern investigation to exclude mobile forensics.
Mobile forensics is the process of obtaining and analyzing, in a systematic and organized way, the digital evidence stored both in the mobile device’s internal memory and in the online accounts connected to it.
Mobile devices are as common as they are useful, and that matters for digital forensics: these small gadgets gather large amounts of data that can be extracted to aid an investigation. As a result, today’s mobile forensics experts must be trained in best practices for mobile forensics and investigative procedure, and must also stay up to date on the latest advances in the technology itself.
Mobile devices store a variety of different types of data, including:
- SMS & MMS
- Emails
- Call history and voicemails
- Photographs and videos
- Internet history and bookmarks
- WiFi history
- Social media history
- App installation history
As mobile usage, and crime committed through mobile devices, has increased, mobile device forensics has become a decisive factor in major investigations. The goal of mobile forensics is to recover and analyze digital evidence in a forensically sound manner. There is no one-size-fits-all way of accomplishing this, because each investigator has their own approach; there is, however, a fairly uniform procedure, and following it guarantees that evidence is not tampered with or compromised.
Process 01: Seizure
When a mobile device is seized, it is normally isolated from the network so that incoming data cannot overwrite existing data. A Faraday cage, or a purpose-made Faraday bag, can then be used to transport it. As needed, the seized device can also be put into airplane mode (with Wi-Fi disabled) or have its SIM card cloned.
Ideally the device is seized while it is unlocked, and it is kept powered on at all times. A locked device requires a different approach.
Process 02: Acquisition
Once a device has been seized, it is ready for data extraction. There are four common forms of extraction.
- Logical Extraction: A logical extraction is a polite data request made in the language of the device’s operating system. The device can only hand over data that is available to that operating system.
- Advanced Logical Extraction: For iOS and Android devices, the newer Advanced Logical method combines logical and file system extraction into a single pass. This relieves the examiner of prolonged and intricate extractions, saving time and effort while still producing forensically sound data.
- File System Extraction: A file system extraction is a form of logical extraction that gives the examiner the entire file system rather than a few data snippets. Where an application stores its data in a database or in log files within the file system, this can include some hidden and erased data.
- Physical Extraction: During physical acquisition, forensic professionals copy (‘flash’) the entire contents of the phone onto another device. This is a bit-for-bit copy of the mobile device’s flash memory, which may allow an examiner to see data that has been deleted or partially removed. A physical extraction is particularly useful on devices that the user has security-locked.
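The point made under File System and Physical Extraction, that a database on the file system can still hold erased records, can be shown on a small SQLite database, a storage format many mobile apps use for messages. The Python below is an added example written for this article, not code from the original author: it builds a throwaway messages table, deletes one row, and then compares what a logical query still reports with what a raw scan of the file bytes finds, with SQLite’s secure_delete setting off (the usual default) and on. The table layout, the marker string and the file name are constructed for the demonstration.

```python
import os
import sqlite3
import tempfile

# Constructed marker text standing in for the body of a deleted chat message.
DELETED_MARKER = "CONSTRUCTED-DELETED-MESSAGE-7f3a9c"


def build_and_delete(db_path: str, secure_delete: bool) -> None:
    """Create a small 'messages' table, insert six rows, then delete one.

    secure_delete drives PRAGMA secure_delete: when OFF, space freed by the
    DELETE keeps its old bytes until SQLite reuses it; when ON, SQLite
    overwrites the freed cell with zeros.
    """
    conn = sqlite3.connect(db_path)
    try:
        conn.execute(f"PRAGMA secure_delete = {'ON' if secure_delete else 'OFF'}")
        # Rollback-journal mode keeps all live pages in the main file
        # (in WAL mode recent pages would sit in the -wal file instead).
        conn.execute("PRAGMA journal_mode = DELETE")
        conn.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)")
        rows = [(i, f"constructed message number {i}") for i in range(1, 6)]
        # Pad the doomed row so its payload is clearly visible in a raw scan.
        rows.append((6, DELETED_MARKER + " " + "x" * 200))
        conn.executemany("INSERT INTO messages VALUES (?, ?)", rows)
        conn.commit()
        conn.execute("DELETE FROM messages WHERE id = 6")
        conn.commit()
    finally:
        conn.close()


def logical_view(db_path: str) -> list:
    """What a logical extraction sees: only the rows the engine still reports."""
    conn = sqlite3.connect(db_path)
    try:
        return [r[0] for r in conn.execute("SELECT body FROM messages ORDER BY id")]
    finally:
        conn.close()


def raw_file_contains(db_path: str, needle: str) -> bool:
    """What a file-system or physical extraction sees: the raw page bytes."""
    with open(db_path, "rb") as f:
        return needle.encode("utf-8") in f.read()


def extraction_comparison(secure_delete: bool) -> dict:
    """Run the scenario in a temporary directory and summarise both views."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "messages.db")
        build_and_delete(path, secure_delete)
        visible = logical_view(path)
        return {
            "visible_rows": len(visible),
            "logical_sees_deleted": any(DELETED_MARKER in b for b in visible),
            "raw_contains_deleted": raw_file_contains(path, DELETED_MARKER),
        }


if __name__ == "__main__":
    for flag in (False, True):
        print(f"secure_delete={'ON' if flag else 'OFF'}:", extraction_comparison(flag))
```

With secure_delete off, the logical view reports five rows and never shows the deleted body, while the raw scan of the same file still finds it; with secure_delete on, the raw scan comes back empty too. That difference is why a file system or physical image can yield records that a logical extraction never returns, and also why VACUUM, secure_delete and WAL mode on the target app change what an examiner can expect to recover.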
Process 03: Analysis
Mobile forensics experts then analyze the data that has been acquired. The average smartphone has 64GB of internal storage, the equivalent of roughly 33,500 blank pages, and the essential piece of evidence may be a small item somewhere in that mass of data. How much of it must be examined depends on the type of case: in an online abuse case, for example, there is no need to analyze everything; instead the examiner filters out what is not relevant.
Process 04: Reporting
The results of the mobile forensics investigation are set out in the report. This phase also records why each step was taken and what its outcome was. The final report includes all of the paperwork gathered along the way, such as Chain of Custody forms and photographs.
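The forensic soundness required in Process 02 and the Chain of Custody forms gathered in Process 04 rest on one mechanism: the acquired image is hashed at acquisition and re-hashed at every hand-off, so that any change between acquisition and the courtroom is detectable. The Python below is an added example, not part of the original article; the case id, handler names, and the image bytes are constructed placeholders, and the log format is an assumed minimal layout rather than any tool’s own.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def hash_file(path: str, algorithm: str = "sha256") -> str:
    """Stream the file through the hash so multi-gigabyte images fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


class CustodyLog:
    """Append-only chain-of-custody record; every entry re-hashes the evidence."""

    def __init__(self, case_id: str):
        self.case_id = case_id
        self.entries = []

    def record(self, action: str, handler: str, evidence_path: str) -> dict:
        entry = {
            "case_id": self.case_id,
            "action": action,
            "handler": handler,
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "evidence": os.path.basename(evidence_path),
            "sha256": hash_file(evidence_path),
        }
        self.entries.append(entry)
        return entry

    def acquisition_hash(self) -> str:
        """The hash recorded on the first entry is the reference for all later checks."""
        return self.entries[0]["sha256"]

    def verify(self, evidence_path: str) -> bool:
        """True if the image on disk still matches the hash taken at acquisition."""
        return hash_file(evidence_path) == self.acquisition_hash()

    def to_json(self) -> str:
        """Serialised form suitable for attaching to the final report."""
        return json.dumps(self.entries, indent=2)


def custody_demo() -> tuple:
    """Constructed scenario: acquire, hand over, verify, then detect a modification."""
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "handset_physical.bin")
        with open(image, "wb") as f:
            # Constructed stand-in for a physical image; not real device data.
            f.write(b"CONSTRUCTED-FLASH-IMAGE " + bytes(range(256)) * 64)
        log = CustodyLog("CASE-0000-constructed")
        log.record("acquired physical image", "examiner A (placeholder)", image)
        log.record("received for analysis", "examiner B (placeholder)", image)
        intact_after_handoff = log.verify(image)
        handoff_matches = log.entries[1]["sha256"] == log.acquisition_hash()
        # Simulate a single-byte change to the image after the hand-off.
        with open(image, "r+b") as f:
            f.seek(8)
            f.write(b"X")
        return intact_after_handoff, handoff_matches, log.verify(image), len(log.entries)


if __name__ == "__main__":
    print(custody_demo())
```

Each hand-off appends an entry carrying a fresh hash, so the log itself documents that the image was unchanged at every stage; a single flipped byte makes the final verification fail. In practice the reference hash is also written on the physical Chain of Custody form and the examiner works from a verified copy, never the original image.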
Bottom Line:
With the increasing demand for examination of cellular phones and other mobile devices, the formulation of a standard operating procedure has become necessary. While the specifics of each device’s examination may vary, using consistent examination techniques helps the examiner ensure that the evidence recovered from each phone is well documented and that the results are admissible in court.