Mobile devices have become an integral part of people’s daily lives, and as such, they are prone to facilitating criminal activity or otherwise being involved when crimes occur. Whereas computers, laptops, servers, and gaming devices might have many users, mobile devices in the vast majority of cases belong to a single individual.
Mobile devices present many challenges from a forensic perspective. With new models being developed each day, it is extremely difficult to develop a single process or tool to address all the possibilities an examiner may face. Court cases such as Riley v. California also need to be taken into consideration as mobile devices are being seized and analyzed.
As the first responding officer, the collection and preservation of digital evidence begins with you.
Once the scene has been secured and legal authority to seize the evidence has been confirmed, devices can be collected. First responders must be cautious when handling digital devices. In addition to normal evidence collection procedures, preventing exposure to extreme temperatures, static electricity and moisture is a must.
The frequently seized devices are from the Massachusetts Digital Evidence Consortium: “Digital Evidence Guide for First Responders”
Frequently seized devices – Smartphones and other mobile devices
This document focuses on the proper collection and preservation of smartphones and other mobile devices. The information found in this document comes from the Digital Evidence Guide for First Responders developed by the Massachusetts Digital Evidence Consortium.
Call Detail Records
“Call detail records” (“CDRs”) are the official billing records maintained by the service provider about call activity — the incoming and outgoing messages and calls made and received by each subscriber.
For cellular phones, CDRs will typically also identify the local cellular tower that serviced the call, which can potentially tell you the location of the subscriber at the time the call occurred. CDRs generally require legal process to be obtained. NW3C PerpHound, a specialized tool that assists in plotting historical cell site locations, is free to law enforcement and can assist them in reviewing and analyzing CDRs.
Mobile Device Forensic Processing:
Mobile devices are challenging from a data recovery and analysis standpoint as well. With their increasing functionality and growing data storage, mobile devices have become pocket-size computers. With password protection and encryption now the norm for many of these devices, law enforcement continues to struggle to find ways to extract and analyze information from them. The National Institute of Standards and Technology (NIST) and the Scientific Working Group on Digital Evidence (SWGDE) provide an in-depth look at mobile forensics, outlining the benefits and the challenges these devices present to law enforcement.
NIST: Guidelines on Mobile Device Forensics
SWGDE: Best Practices for Mobile Device Forensic Analysis
Popular Acquisition Tool Vendors
Computer Forensics Tool Testing
The Computer Forensics Tool Testing (CFTT) program is a joint project of the Department of Homeland Security (DHS), the National Institute of Justice (NIJ), and the National Institute of Standards and Technology Special Program Office (SPO) and Information Technology Laboratory (ITL). CFTT is supported by other organizations, including the Federal Bureau of Investigation, the U.S. Department of Defense Cyber Crime Center, U.S. Internal Revenue Service Criminal Investigation Division Electronic Crimes Program, and the U.S. Department of Homeland Security’s Bureau of Immigration and Customs Enforcement, U.S. Customs and Border Protection and U.S. Secret Service. The objective of the CFTT program is to provide measurable assurance to practitioners, researchers, and other applicable users that the tools used in computer forensics investigations provide accurate results. Accomplishing this requires the development of specifications and test methods for computer forensics tools and subsequent testing of specific tools against those specifications. The below link provides a detailed study of the many popular tools being used today for mobile device acquisition.
Advanced Mobile Forensic Processing
In the field of mobile-device forensics, techniques such as “chip-off” and “JTAG” analysis have become topics of growing interest among the law enforcement community. As mobile devices continue to bring new challenges, advanced acquisition techniques are important for law enforcement as they offer examiners deeper data access, the potential to bypass lock codes, and a way to recover data from damaged devices.