Smartphone forensics is a relatively new and quickly emerging field of interest within the digital forensic and law enforcement community. Today's mobile devices are getting smarter, cheaper, and easily available to the common man for daily use.
Mobile forensics is a set of scientific methodologies whose goal is to extract digital evidence (in general) in a legal context. Extracting digital evidence means recovering, gathering, and analyzing the data stored within the internal memory of a mobile phone. Mobile forensics is a continuously evolving science with continuously evolving techniques; it presents a real challenge to the forensic community and to law enforcement because of the fast and unstoppable changes in technology.
To investigate the growing number of digital crimes and complaints, researchers have put a lot of effort into developing the most affordable investigative model. In this chapter, we will emphasize the importance of paying real attention to the growing smartphone market and the effort put into this area from a digital forensic point of view, in order to bring about the most comprehensive investigation process.
This chapter focuses on the importance of smartphone forensics in our continuously growing digital world; then, we will describe some smartphone forensic models and how they have evolved over time. We will also point out the challenges that today's investigators face in the smartphone forensic evidence acquisition process.
This chapter will cover the following topics:
Why mobile forensics?
Smartphone forensics models
Smartphone forensics challenges
The rapidly evolving mobile phone industry has reached an unimaginable peak, and smartphones will definitely replace computers, since many of those tiny devices are becoming as powerful as personal computers.
In daily use, each smartphone is a huge repository of sensitive data related to its owner. Nowadays, smartphones are used to perform almost any task we need to do, from the "traditional" ones, such as making and receiving calls, short text messages, and e-mails, to more complex ones, such as geolocation, balance checking, bank transactions, and managing tasks and reminders. As this development progresses, the need for forensic examination grows with it. The data contained within modern devices is continuously becoming richer and more relevant, partly due to the explosive growth in the use of mobile applications and social networks. In addition, all mobile phones are now capable of storing all kinds of personal information, often even unintentionally.
According to ABI research (https://www.abiresearch.com/market-research/product/1004938-smartphone-technologies-and-markets/), which is a technology market intelligence company, at the time of writing this book there are more than 1.4 billion smartphones that are in use; more than 798 million of them are running on Android, more than 294 million are running Apple's iOS, and more than 45 million are running Windows Phone, which represents a growth rate of 44% for 2013 according to the same source.
In its report, Cisco states (http://www.cisco.com/c/en/us/solutions/collateral/service-provider/visual-networking-index-vni/white_paper_c11-520862.html) that an average smartphone user will make five video calls and download 15 applications each month.
If we refer to data given by Nielsen Informate Mobile Insights, (http://www.nielsen.com/us/en/insights/news/2014/smartphones-so-many-apps--so-much-time.html) in the US, Android and iPhone users spent 30 hours and 15 minutes using apps on their smartphones in Q4 2013, and this amount of time is not decreasing, as shown in the following chart:
All this advancement certainly has a lot of benefits, but without any doubt it presents new challenges to law enforcement as cybercrime and digital complaints continue to grow. This issue was raised by the Federal Bureau of Investigation (FBI) and the Internet Crime Complaint Center (IC3) (http://www.ic3.gov/media/annualreport/2014_IC3Report.pdf). In 2014, the total number of complaints received was 269,244, and all the statistics are large, as shown here:
So, why is mobile forensics important? Simply because acquiring a smartphone means acquiring a person's everyday life in terms of data. Proactive acquisition approaches are also gaining ground in the criminal context, not only after a crime has been committed but also when people violate regulations and laws, as in the prevention of terrorist attempts, crimes against the state, and pedophilia.
Today's smartphones contain all kinds of evidence, stored as heterogeneous data generated by the hardware and software that constitute the device. Categorizing this data is quite important; in order to produce some kind of evidence classification, only a well-driven mobile forensic approach can help us make the correct correlation between data, data type, and evidence type (refer to Chapter 6, Mobile Forensics – Best Practices, for more details).
The importance of mobile forensics is established and cannot be denied in this age of information where every single byte matters.
Given the pace at which mobile technology is growing and the variety of complexities produced by today's mobile data, forensic examiners face serious adaptation problems, so developing and adopting standards makes sense.
The reliability of evidence depends directly on the investigative process adopted; skipping a step, whether deliberately or accidentally, may (and will certainly) lead to incomplete evidence and increase the risk of rejection in a court of law.
Today, there is no standard or unified model adopted for acquiring evidence from smartphones. The dramatic development of smart devices suggests that any forensic examiner will have to apply as many independent models as necessary in order to collect and preserve data. Many forensic models have been proposed, and reviewing each one of them would be a colossal task. In the following paragraphs, I will present some of them, without pretending that the selected models are the best. The models are sorted chronologically, starting from the earliest one established.
Historically, back in 1984, the FBI and many other law enforcement agencies began modeling the examination of digital evidence based on the earlier generations of computers, and the first digital forensic process model was the Computer Forensic Investigation Process (CFIP). CFIP was first presented in 1995 by M. M. Pollitt (M. M. Pollitt. (1995). Computer Forensics: An Approach to Evidence in Cyberspace). This model focuses exclusively on the result; in other words, it focuses principally on data acquisition and on how reliable and legally acceptable the acquired data is.
Acquisition is a technical problem that is not free of legal aspects, and the data acquired must answer three main questions: what can be seized, from whom, and from where it can be seized. This means that digital evidence must be acquired in an acceptable manner, with the necessary approvals from the concerned authorities. This stage is followed by the Identification phase, which in this model is subdivided into a three-step process: defining the physical form of the data, defining the data's logical position, and then placing this data (evidence) in its correct context. Digital evidence follows the path shown here:
The Evaluation stage consists of placing the gathered data in its proper context, and this is as much a legal task as a technical one. At this point of the forensic process, we can determine whether the acquired information is relevant and can be described as legitimate evidence in the case being investigated. Finally, the Admitting process consists of admitting the extracted data as legal evidence and presenting it in a court of law.
In 2001, the first Digital Forensic Research Workshop (DFRWS) (http://www.dfrws.org/2001/dfrws-rm-final.pdf) was held to produce and define a scientific methodology for digital forensics and a reliable framework (dubbed the Investigative Process for Digital Forensic Science) to drive the majority of digital investigation cases; the result was a six-stage linear process. Each step or stage is defined as a category or class, and each class has candidate methods belonging to that category.
As seen in the preceding diagram, the DFRWS model starts with the Identification stage, which is subdivided into tasks such as event detection, signature resolving, profile detection, anomalous detection, complaints, system monitoring, and audit analysis. This stage is followed by Preservation, which comprises four candidate tasks: setting up case management, managing technologies, ensuring a chain of custody, and time synchronization. Collection comes next, as the third phase, in which data is collected according to approved methods, using approved software/hardware, and under legal authority; this phase also relies on lossless compression, sampling, data reduction, and data recovery techniques. After Collection comes Examination, which is directly followed by the Analysis phase, where very important tasks are performed: evidence is traced, validated, and filtered, and data mining and timeline analyses are done as well. At this stage, hidden and encrypted data is discovered and extracted. The stage that comes after this is Presentation, in which documentation, clarification, expert testimony, a mission impact statement, and recommended countermeasures are presented. However, this model is open to criticism regarding the separation of the Collection and Preservation stages and whether one is actually a subcategory of the other.
Being a more generic framework, DFRWS inspired researchers in the US Air Force in 2002 to present the Abstract Model of the Digital Forensic Process (M. Reith, C. Carr & G. Gunsh. 2002. An Examination of Digital Forensics Models), or Abstract Digital Forensics Model (ADFM), which is meant to be an enhanced DFRWS model, adding three more stages to the existing process: Preparation, Approach Strategy, and Returning Evidence, leading to the following nine phases:
The actual added value of this model is the introduction of the pre- and post-investigation approaches. Preparation takes place before any investigative exercise and after the type of incident has been identified: preparing tools and techniques, obtaining search warrants, and securing management support. It is followed by the Approach Strategy, which is meant to dynamically establish an approach to collect the maximum amount of evidence without impacting the victim. However, this phase is criticized for being a duplicate of the second stage, since preparing to respond to an incident will likely end with preparing an "approach strategy". Lastly, Returning Evidence shows the importance of safely storing evidence removed from the scene in order to return it to its owner.
The Abstract Digital Forensics Model ignored the importance of the chain of custody, but the authors of this model assumed that a chain of custody is obviously maintained throughout an investigation process and is implied in any forensic model.
In 2003, Brian Carrier and Eugene H. Spafford (Carrier, B., & Spafford, E. H. 2003. Getting Physical with the Digital Investigation Process. The International Journal of Digital Evidence) introduced the Integrated Digital Investigation Process (IDIP), which integrates digital forensics into physical investigation; it is a framework based on the established processes of physical crime scene investigation.
The main idea of this model is to consider a digital crime scene as a "virtual crime scene" and to apply adapted crime scene investigation techniques. This model is macroscopically composed of five stages, consisting microscopically of 17 stages.
The following diagram shows the five macroscopic stages of an IDIP model:
Physical and digital crime scenes are processed together, and the results of the digital forensics feed into the physical investigation.
Infrastructure Readiness: This phase aims to ensure data stability and integrity for as long as the investigation process takes. It may include, for example, hashing files, securely storing evidence, and maintaining a change management database.
The Physical Crime Scene Investigation Phase, which comes after the first phase, is where the investigation itself begins, with the goal of collecting and analyzing the physical evidence to reconstruct the actions that took place. This stage is subdivided into six phases that are typical of a real-world physical crime scene investigation process and are described in the following diagram:
This stage is followed by a similar stage in a digital context, focusing on digital evidence within a "virtual" digital environment. The Digital Crime Scene Investigation Phase follows the previously presented path by considering any smartphone (or other digital device) as a separate crime scene.
It is subdivided into the following phases:
Preservation of Digital Scene: In this phase, the investigator must pay attention to maintaining data integrity, meaning that at this level the digital scene must be secured in order to avoid any external interference that could alter the evidence.
Survey for Digital Evidence: Depending on the case being investigated, this phase aims to collect the obvious evidence related to that case, and it should occur in a controlled environment (a forensic lab, for instance) using a replica of the original crime scene.
Document Evidence and Scene: The documentation phase involves documenting every piece of evidence acquired during the analysis; using cryptographic hashing techniques such as MD5 or SHA-1 is recommended in order to keep a record of evidence integrity. This phase does not substitute for the final forensic report.
Search for Digital Evidence: The collection phase involves deeper digging and a more in-depth analysis of what was found in the previous phase, and focuses on a more specific, low-level analysis of the digital device's activities. Deleted file recovery, file carving, reverse engineering, and encrypted file analysis are some examples of techniques that can be applied at this stage.
Digital Crime Scene Reconstruction: All the digital evidence acquired is put together in order to determine to what extent the collected evidence can be trusted or must be rejected, whether further analysis is required, and whether the search for digital evidence should be resumed if parts of the puzzle are missing.
The final stage of the whole model is the Review Phase, which is a kind of self-criticism in which the whole process is reviewed to determine what went right or wrong in the investigation and to detect points for improvement.
This model presents many similarities with the previously presented models and can easily be considered an enhanced version of both; nevertheless, the IDIP model is far too abstract, and the interaction between physical and digital investigations may not be applicable in many cases.
In the same year, 2003, Peter Stephenson (Stephenson, P. 2003. A Comprehensive Approach to Digital Incident Investigation) reviewed the DFRWS framework and translated it into a "more" practical investigative process dubbed the End-To-End Digital Investigation (EEDI) process, extending the existing process into nine stages. It is called end-to-end because, in his model, Stephenson considers that "every digital crime has a source point, a destination point, and a path between those two points".
The model itself is schematized as follows:
EEDI can be considered a layer applied to the DFRWS model. Depending on the case, the whole EEDI process is applied to each class of the DFRWS model (refer to the diagram in the Digital Forensic Research Workshop section). This model defines the critical steps to be performed in order to correctly preserve, collect, and analyze digital evidence. In the Collecting Evidence phase, primary and secondary evidence is collected and taken in its respective context. The context here is related to an event's time sensitivity, which brings us to the second step of this process, Analysis of Individual Events, where each individual event is isolated and analyzed separately to determine how it can be tied to other events and to consider the potential value it can add to the overall investigation. This is followed by the Preliminary Correlation step, in which individual events are linked with each other to determine a primary chain of evidence, in order to establish what happened, when, and which devices were involved.
Event Normalization is a step that mainly aims to remove redundancy in evidentiary data, assuming that the same events can be reported separately from different sources using multiple vocabularies. As an extension of normalization, the same evidentiary events, irrespective of how and from where they were reported, are combined into one evidentiary event in the Event Deconfliction step; at this stage, all the events and evidentiary events are refined and a Second Level Correlation can be performed. The previously outlined steps result in a timeline, which is defined in the Timeline Analysis step. Timeline analysis is an iterative task that lasts as long as the investigation lasts. The Chain of Evidence Construction can begin based on the timeline of events; theoretically, a coherent chain is developed when each piece of evidence leads to the next, and this is what is meant to be done in this step. The last phase of this model is Corroboration, where digital investigators support, strengthen, and confirm each piece of evidence within the previously developed chain with other independent or traditional events and evidence, collected in cases where the digital forensic investigation is conducted with the support of a group of investigators outside the digital forensic unit.
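The normalization, deconfliction, timeline and second-level correlation steps above, carried out on three constructed sources that report the same activity in different vocabularies, identifier formats and timezones. This is an added example, not code from the chapter or from Stephenson's paper; the record layouts, the vocabulary mapping and every event record are constructed sample data.

```python
"""Event Normalization, Event Deconfliction, Timeline Analysis and Second Level
Correlation in the EEDI sense.  Added example; all sources and records below are
constructed, and their layouts are hypothetical."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

# Constructed source 1: a device SMS/call database storing local time plus offset
DEVICE_DB = [
    {"ts": "2014-11-03 14:02:10", "tz": "+01:00", "type": "sms_out", "peer": "+33612345678"},
    {"ts": "2014-11-03 14:02:10", "tz": "+01:00", "type": "sms_out", "peer": "+33612345678"},  # duplicate row
    {"ts": "2014-11-03 14:40:55", "tz": "+01:00", "type": "call_in", "peer": "+33698765432"},
]
# Constructed source 2: carrier call-detail records, UTC with 'Z', 00-prefixed numbers
CARRIER_CDR = [
    {"time": "2014-11-03T13:02:12Z", "event": "MO-SMS", "msisdn": "0033612345678"},
    {"time": "2014-11-03T13:40:57Z", "event": "MT-CALL", "msisdn": "0033698765432"},
]
# Constructed source 3: a cloud backup service log with explicit offset
CLOUD_LOG = [
    {"when": "2014-11-03T13:05:00+00:00", "action": "backup.upload", "account": "user@example.com"},
]

# Each source's terms mapped onto one common vocabulary
VOCABULARY = {
    "sms_out": "sms.sent", "MO-SMS": "sms.sent",
    "call_in": "call.received", "MT-CALL": "call.received",
    "backup.upload": "cloud.backup",
}


@dataclass(frozen=True)
class Event:
    time: datetime            # always UTC once normalized
    kind: str                 # common vocabulary term
    subject: str              # normalized peer number or account
    sources: Tuple[str, ...]  # every source that reported this event


def normalize_number(raw: str) -> str:
    """Fold '0033...' and '+33...' spellings of a number into one '+33...' form."""
    digits = "".join(ch for ch in raw if ch.isdigit())
    if digits.startswith("00"):
        digits = digits[2:]
    return "+" + digits


def normalize() -> List[Event]:
    """Event Normalization: one schema, one vocabulary, one clock (UTC)."""
    events = []
    for r in DEVICE_DB:
        local = datetime.fromisoformat(r["ts"] + r["tz"])
        events.append(Event(local.astimezone(timezone.utc), VOCABULARY[r["type"]],
                            normalize_number(r["peer"]), ("device",)))
    for r in CARRIER_CDR:
        t = datetime.fromisoformat(r["time"].replace("Z", "+00:00"))
        events.append(Event(t, VOCABULARY[r["event"]], normalize_number(r["msisdn"]), ("carrier",)))
    for r in CLOUD_LOG:
        events.append(Event(datetime.fromisoformat(r["when"]), VOCABULARY[r["action"]],
                            r["account"], ("cloud",)))
    return events


def deconflict(events: List[Event], tolerance: timedelta = timedelta(seconds=5)) -> List[Event]:
    """Event Deconfliction: reports of the same kind and subject whose timestamps lie
    within the tolerance (clock skew between sources) become one evidentiary event
    that remembers every source that reported it."""
    merged: List[Event] = []
    for e in sorted(events, key=lambda x: x.time):
        for i, m in enumerate(merged):
            if m.kind == e.kind and m.subject == e.subject and abs(m.time - e.time) <= tolerance:
                merged[i] = Event(min(m.time, e.time), m.kind, m.subject,
                                  tuple(sorted(set(m.sources + e.sources))))
                break
        else:
            merged.append(e)
    return merged


def timeline() -> List[Event]:
    """Timeline Analysis input: deconflicted events in chronological order."""
    return deconflict(normalize())


def corroborated(events: List[Event]) -> List[Event]:
    """Second Level Correlation: events confirmed by more than one independent source."""
    return [e for e in events if len(e.sources) > 1]


if __name__ == "__main__":
    for e in timeline():
        print(e.time.isoformat(), e.kind, e.subject, ",".join(e.sources))
```

The duplicate device row and the carrier's two-second clock skew both collapse into single events, so the timeline carries three evidentiary events, two of which are reported by two sources.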
In 2004, four models were developed: the Enhanced Integrated Digital Investigation Process, proposed by Baryamureeba and Tushabe and containing 21 phases; the Extended Model of Cybercrime Investigation, presented by Séamus Ó Ciardhuáin with 13 activities to follow; and the six-phase Hierarchical, Objective-based Framework by Beebe and Clark. The same year, Carrier and Spafford announced the Event-based Digital Forensic Investigation Framework and detailed the 16 phases to follow.
Approximately every year, at least one new forensic model is developed, and given the pace at which the digital world grows, researchers keep trying to give birth to "the perfect" forensic model.
Considering the space allocated to this chapter, I will jump directly to 2011, when A. Agarwal, M. Gupta, S. Gupta, and S. C. Gupta came up with the Systematic Digital Forensic Investigation (SRDIFM) model (A. Agarwal, M. Gupta, S. Gupta, and S. C. Gupta. Systematic digital forensic investigation model). This model is similar to most of the previously presented models; it has common phases and some specific phases adapted to the model's requirements. SRDIFM is composed of 11 phases: preparation, securing the scene, survey and recognition, documentation of the scene, communication shielding, volatile and non-volatile evidence collection, preservation, examination, analysis, presentation, and result and review.
The following diagram schematizes the model:
The first step of this model is Preparation, which takes place before the investigation process and involves obtaining prior legal authorization. An initial understanding of the case to be investigated is acquired in order to prepare adequate human and technical resources before going any further. It is followed by Securing the Scene; this phase aims principally to keep data integrity intact and to minimize possible data corruption. The Survey and Recognition phase comprises tasks to elaborate an initial plan to collect and analyze evidence, in which potential sources of evidence must be identified, including sources other than the main smart device itself; for example, the presence of a personal computer at the scene means that there is a chance of finding smartphone-related data synchronized with it.
The next phase is Documentation of the Scene, in which crime scene mapping is done and every electronic device within the scene is documented; this includes the device itself, its power adaptor, external memory cards, cradle, and everything else related to the device. Before starting evidence collection, Communication Shielding is important in order to be sure that there is no risk of damaging the existing evidence; RF isolation, Faraday shielding, or cellular jammers are usually used to isolate devices from interacting with the environment. Now Evidence Collection comes into the picture; differentiating volatile from non-volatile collection is important and requires proper guidelines. In this phase, for example, investigators must keep the device powered if it is turned on and running out of battery; otherwise, the device memory must be imaged quickly and properly using appropriate tools.
Next is the Preservation phase, in which the evidence is securely stored and the device is properly packaged and transported. The collected evidence is then analyzed and filtered in the Examination step; the integrity of the data must also be guaranteed, and a hashing function is used to confirm it. The Analysis phase comes just after and is a kind of extension of the examination. In this phase, a more technical review is conducted based on the results of the previous phase; at this stage, more advanced research is done, such as hidden data analysis, data recovery, and file decryption. The results of this phase must be documented to help produce the final report that summarizes the whole process in the Presentation phase. Finally, the Result phase, just like in the IDIP model, is meant to be an open door to review the result of the whole process in order to find any points for improvement.
The SRDIFM model is interesting as it is more practical and presents some flexibility that is not necessarily found within the other models; however, by adding more phases, the model increases the duration of the process and its complexity.
Unlike in a traditional computer forensics investigation, mobile forensics skills are in great demand in today's investigations because of many factors that make gathering digital evidence from a smartphone a painful task. This can be due to the changes occurring in mobile operating systems, the diversity of standards, data storage technologies, and data protection procedures. In contrast to a computer investigation, a mobile investigation can hardly be standardized. For each device model, and according to the services it makes available to its owner, a very wide range of evidence categories is distinguished in mobile forensics.
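Both the Document Evidence and Scene phase of IDIP and the Examination step of SRDIFM rely on hashing acquired items and re-hashing them later to confirm integrity. The following is an added example of that practice, not code from the chapter or from either model's authors; the manifest layout, the examiner and case identifiers and the evidence files are all constructed. It computes the MD5 and SHA-1 digests the text names and, as an addition, SHA-256, because collisions are practical for the first two.

```python
"""Document acquired evidence with cryptographic digests, then verify it again.
Added example; file names, manifest layout and identifiers are constructed."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# MD5 and SHA-1 are the algorithms the text names; SHA-256 is added because
# collisions are practical for MD5 and SHA-1, so a manifest should also carry
# a collision-resistant digest.
ALGORITHMS = ("md5", "sha1", "sha256")


def digest_file(path, algorithms=ALGORITHMS, chunk=1 << 20):
    """Hash a file in one streaming pass so large images need not fit in RAM."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def build_manifest(evidence_dir, examiner, case_id):
    """Documentation phase: record every acquired item with its size, digests
    and a UTC timestamp, plus who documented it and for which case."""
    items = []
    for name in sorted(os.listdir(evidence_dir)):
        path = os.path.join(evidence_dir, name)
        if os.path.isfile(path):
            items.append({"file": name, "size": os.path.getsize(path), **digest_file(path)})
    return {
        "case_id": case_id,
        "examiner": examiner,
        "documented_at": datetime.now(timezone.utc).isoformat(),
        "items": items,
    }


def verify_manifest(evidence_dir, manifest):
    """Examination step: re-hash each item and map its name to 'ok', 'modified'
    (any digest differs) or 'missing' (file no longer present)."""
    report = {}
    for item in manifest["items"]:
        path = os.path.join(evidence_dir, item["file"])
        if not os.path.isfile(path):
            report[item["file"]] = "missing"
            continue
        current = digest_file(path)
        report[item["file"]] = "ok" if all(current[a] == item[a] for a in ALGORITHMS) else "modified"
    return report


def demo():
    """Create constructed evidence files, document them, verify, then simulate
    a post-documentation alteration and a lost item and verify again."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "sms.db"), "wb") as f:
            f.write(b"constructed sample sms database contents")
        with open(os.path.join(d, "userdata.img"), "wb") as f:
            f.write(bytes(range(256)) * 16)
        manifest = build_manifest(d, examiner="EXAMINER-PLACEHOLDER", case_id="CASE-PLACEHOLDER")
        before = verify_manifest(d, manifest)
        # A single byte flipped after documentation must be detected
        with open(os.path.join(d, "sms.db"), "r+b") as f:
            f.seek(0)
            f.write(b"C")
        os.remove(os.path.join(d, "userdata.img"))
        after = verify_manifest(d, manifest)
        return manifest, before, after


if __name__ == "__main__":
    manifest, before, after = demo()
    print(json.dumps(manifest, indent=2))
    print("before:", before)
    print("after: ", after)
```

In practice the manifest is written to read-only media and its own digest is recorded in the chain-of-custody paperwork, so that the manifest cannot be silently regenerated after an alteration.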
Storage and the wide range of daily growing functionalities make today's smartphones a rapidly changing and challenging environment for forensic investigators.
The most challenging aspects of smartphone forensics are discussed in the following sections.
In contrast to computers, smartphone operating systems can vary significantly from one smartphone to another; any version of Android, iOS, Windows Phone (WP), or BlackBerry can be found on the smartphones and tablets on the market. Operating system updates are very frequent among vendors, and major updates are usually released every quarter. The main issue is keeping up with these environment changes; this issue is accentuated by the fact that major OS and forensic tool developers consider their respective developments trade secrets and do not release information regarding the low-level workings of their code.
In addition, the growth of "less common" operating systems, such as Windows Phone, requires a lot of forensic experience.
By definition, a smartphone is a portable device and is meant to have a wide set of functionalities. The hardware architecture of smartphones is significantly different from computers and it also varies from one mobile manufacturer to another.
A smartphone is typically composed of a microprocessor, main board, ROM and RAM, touch screen and/or keyboard, radio module and/or antenna, display unit, microphone and speakers, digital camera, and GPS unit. The operating system is generally stored in ROM and can be flashed or updated according to the hardware or operating system.
The same manufacturer usually produces highly customized operating systems to fit hardware specifications. Depending on the phone provider, manufacturers may customize the same device to suit demand. The replacement cycle for smartphones and customers' smartphone upgrades are the shortest relative to other devices; thus, forensic examiners must have hundreds of adapters and power cords based on the type of hardware.
Different operating systems and different hardware mean different ways of storing data and different filesystems. The same application running under Android, for example, is very different from its counterpart running under iOS.
A variety of file formats and data structures are adopted depending on the manufacturer; this fact significantly complicates the decoding, parsing, and carving of information.
This difference in filesystems means that forensic tools are not able to process some files and must be updated very frequently in order to keep up with OS updates; otherwise, forensic examiners might have to process data and device images manually.
A smartphone's built-in security features are present at many levels to protect user data and privacy. User locks in today's smartphones can vary from simple four-digit PINs to more complex and longer passcodes or pattern locks; the newest smartphone models can even have fingerprint locks and use biometrics to identify the user. It is true that some commercially available tools offer password extraction or lock screen bypassing, but this is not available for every device. Some smartphones (with or without the help of third-party applications) can offer password protection for individual files, file types, or directories; in this case, sensitive data such as SMS, e-mails, and photos can be individually protected. Newer OS versions offer full-disk encryption, which can be a real pain to decrypt in a data acquisition scenario. Smartphone operating systems also offer application sandboxing, meaning that an individual application cannot directly access the space allocated to another application or to system resources, since each application is installed in its own sandbox directory; this way, data within the sandbox is guaranteed some level of protection.
Data wiping is not data deletion; wiped data cannot be recovered, or at least not easily. Encrypted data can be wiped with a variety of methods depending on the smartphone configuration; data can be wiped via desktop managers or after a wrong password has been entered a predefined number of times. Encrypted data can be wiped remotely on most modern smartphones: BlackBerry devices can be remotely wiped via BlackBerry Enterprise Server, iPhone devices via iCloud, Android devices via Google Sync, and Windows Phone devices via the Find My Phone service. At this point, the isolation phase of mobile forensics is important.
A lot of important evidentiary data resides within a smartphone in volatile form, which adds an important consideration when seizing a device. Smartphones impose this constraint on forensic examiners: seized devices must be kept turned on and isolated to prevent data loss or the overwriting of present data.
To save memory or storage space, or for backup purposes, today's devices store a lot of important data in the cloud; e-mails, photos, videos, files, notes, and so on are not necessarily preserved within the internal memory of the device, especially relatively old data.
Most vendors offer a few gigabytes free of charge for this purpose, and in most cases data is automatically synchronized with some account in the cloud. Android data is sent to Google, iPhone data to iCloud, and Windows Phone data is synchronized with OneDrive. In addition, some third-party services, such as Dropbox, are also offered free of charge up to a certain point. In some cases, gathering evidence is not just a technical task but also, and above all, a legal one, as requests must be addressed to the cloud storage services in order to receive the desired data.
Today's growing need for advanced smartphone forensic skills is indisputable: smartphone investigation has become more challenging, tools are rapidly outdated, and the scope they cover in each case is smaller. Analysis, coding, and understanding and handling low-level techniques are now "must have" skills for today's smartphone investigators and are more important than ever.
There is a huge number of mobile device models in use today, new models are manufactured almost every five months, and most of them use closed operating systems, making the forensic process difficult. Our goal is to bridge the gap by giving the forensic community an in-depth look at mobile forensics techniques, detailing methods for gathering evidence from mobile devices with different operating systems and how to use the appropriate model.
Given the daily increase in smartphone use, the relentless development of today's smartphone capabilities, and the pace at which this development occurs, forensics professionals, law enforcement, and researchers were and still are in need of a standardized framework to follow in order to assure a well-driven investigation. Research in this area is not yet complete; thus, improvements are continually made to keep responding to the permanent challenges posed by smartphone manufacturers and mobile operating system vendors. In this chapter, we showed the importance of the smartphone forensics field and discussed some models and frameworks applied in order to correctly lead forensic investigation cases. This chapter also discussed major smartphone forensic challenges, in an effort to help bypass some of them when commercially available forensic tools cannot deal with some files or file types.
In the next chapter, we will see some low-level techniques that can be applied to gather forensically important evidence independently of the available forensic tools, operating systems, or devices subject to the eventual investigation.