What are the important parts of the mobile device which used in digital forensic?
|
The term “mobile devices” encompasses a wide array of gadgets ranging from mobile phones, smartphones, tablets, and GPS units to wearables and PDAs. What they all have in common is the fact that they can contain a lot of user information. Show Mobile devices are right in the middle of three booming technological trends: Internet of Things, Cloud Computing, and Big Data. The proliferation of mobile technology is perhaps the main reason, or at least one of the main reasons, for these trends to occur in the first place. In 2015, 377.9 million wireless subscriber connections of smartphones, tablets, and feature phones occurred in the United States. Nowadays, mobile device use is as pervasive as it is helpful, especially in the context of digital forensics, because these small-sized machines amass huge quantities of data on a daily basis, which can be extracted to facilitate the investigation. Being something like a digital extension of ourselves, these machines allow digital forensic investigators to glean a lot of information. Information that resides on mobile devices (a non-exhaustive list):
What is the Mobile Forensics
Process? Most people do not realize how complicated the mobile forensics process can be in reality. As the mobile devices increasingly continue to gravitate between professional and personal use, the streams of data pouring into them will continue to grow exponentially as well. Did you know that 33,500 reams of paper are the equivalent of 64 gigabytes if printed? Storage capacity of 64 GB is common for today’s smartphones. The mobile forensics process aims to recover digital evidence or relevant data from a mobile device in a way that will preserve the evidence in a forensically sound condition. To achieve that, the mobile forensic process needs to set out precise rules that will seize, isolate, transport, store for analysis and proof digital evidence safely originating from mobile devices. Usually, the mobile forensics process is similar to the ones in other branches of digital forensics. Nevertheless, one should know that the mobile forensics process has its own particularities that need to be considered. Following correct methodology and guidelines is a vital precondition for the examination of mobile devices to yield good results. Among the figures most likely to be entrusted with the performance of the following tasks are Forensic Examiners, Incident Responders, and Corporate Investigators. During the inquiry into a given crime involving mobile technology, the individuals in charge of the mobile forensic process need to acquire every piece of information that may help them later – for instance, device’s passwords, pattern locks or PIN codes. What are the Steps in the Mobile Forensics Process?
Digital forensics operates on the principle that evidence should always be adequately preserved, processed, and admissible in a court of law. Some legal considerations go hand in hand with the confiscation of mobile devices. There are two major risks concerning this phase of the mobile forensic process: Lock activation (by user/suspect/inadvertent third party) and Network / Cellular connection. Network isolation is always advisable, and it could be achieved either through 1) Airplane Mode + Disabling Wi-Fi and Hotspots, or 2) Cloning the device SIM card. Airplane Mode Mobile devices are often seized switched on; and since the purpose of their confiscation is to preserve evidence, the best way to transport them is to attempt to keep them turned on to avoid a shutdown, which would inevitably alter files. Phone Jammer A Faraday box/bag and external power supply are common types of equipment for conducting mobile forensics. While the former is a container specifically designed to isolate mobile devices from network communications and, at the same time, help with the safe transportation of evidence to the laboratory, the latter, is a power source embedded inside the Faraday box/bag. Before putting the phone in the Faraday bag, disconnect it from the network, disable all network connections (Wi-Fi, GPS, Hotspots, etc.), and activate the flight mode to protect the integrity of the evidence. 2. Acquisition /Identification + Extraction/ It is hard to be in control of data on mobile devices because the data is mobile as well. Once communications or files are sent from a smartphone, control is lost. Although there are different devices having the capability to store considerable amounts of data, the data in itself may physically be in another location. To give an example, data synchronization among devices and applications can take place directly but also via the cloud. Services such as Apple’s iCloud and Microsoft’s One Drive are prevalent among mobile device users, which leave open the possibility for data acquisition from there. For that reason, investigators should be attentive to any indications that data may transcend the mobile device as a physical object, because such an occurrence may affect the collection and even preservation process. Since data is constantly being synchronized, hardware and software may be able to bridge the data gap. Consider Uber – it has both an app and a fully functional website. All the information that can be accessed through the Uber app on a phone may be pulled off the Uber website instead, or even the Uber software program installed on a computer. Regardless of the type of the device, identifying the location of the data can be further impeded due to the fragmentation of operating systems and item specifications. The open-source Android operating system alone comes in several different versions, and even Apple’s iOS may vary from version to version. Another challenge that forensic experts need to overcome is the abundant and ever-changing landscape of mobile apps. Create a full list of all installed apps. Some apps archive and backup data. After one identifies the data sources, the next step is to collect the information properly. There are certain unique challenges concerning gathering information in the context of mobile technology. Many mobile devices cannot be collected by creating an image and instead they may have to undergo a process called acquisition of data. Thera are various protocols for collecting data from mobile devices as certain design specifications may only allow one type of acquisition. The forensic examiner should make a use of SIM Card imagining – a procedure that recreates a replica image of the SIM Card content. As with other replicas, the original evidence will remain intact while the replica image is being used for analysis. All image files should be hashed to ensure data remains accurate and unchanged. Feel free to contact E-SPIN for end to end comprehensive digital forensics solution, from computer, mobile, database, live and network forensics. What devices are used in digital forensics?This list outlines some of the most common and widely used tools for accomplishing different parts of a computer forensics investigation.. Disk analysis: Autopsy/the Sleuth Kit. ... . Image creation: FTK imager. ... . Memory forensics: volatility. ... . Windows registry analysis: Registry recon. ... . Mobile forensics: Cellebrite UFED.. What are the 3 main categories of mobile forensics?Mobile Forensics Phase 2: Acquisition
Mobile data falls into three main types: internal memory, external memory, and system logs.
Why is mobile device forensics important?Mobile devices are a goldmine of data. These small-sized gadgets amass huge amounts of qualitative and quantitative data that can be helpful in investigations. That's why mobile forensics is becoming important for court proceedings and civil or criminal investigations.
What can forensic analysis provide from mobile devices?Mobile forensics tools and methods focus on the collection of data from cellphones and tablets. This includes deleted text messages, apps, social media, call logs, internet search history and more. Mobile forensic professionals can aid a court case by extracting and preserving data available on a mobile device.
|
