Mobile Forensics
Introduction
This paper will discuss the concept of mobile forensics and how it might differ from traditional computer forensics. The prevalence of attacks on networks originating from mobile devices will also be examined. Various tools for mobile forensics will be introduced alongside different mobile operating systems. Finally, the challenges that are currently present in the domain of mobile forensics will be examined.
Mobile Forensics
In their 2024 Mobile Security Index, Verizon surveyed a broad range of stakeholders responsible for their organization’s security and reported that 53% of respondents had experienced “a security incident involving a mobile or IoT device that resulted in data loss or downtime” (Verizon, 2024, p. 26). This staggering statistic emphasizes the growing relevance of mobile forensics as a sub-field of digital forensics (Barmpatsalou et al., 2018). Mobile forensics differs from traditional computer forensics in several ways (Bommisetty et al., 2014). Forensic investigators face challenges that are unique to mobile computing devices as they carry out investigations, including (but not limited to) the broad range of hardware options for mobile computers, the broad range of software options for mobile computers, mobile-specific security features, mobile-specific legal issues, accidental factory resets, etc. (Bommisetty et al., 2014).
Researchers have suggested that “one of the biggest forensic challenges when it comes to the mobile platform is the fact that data can be accessed, stored, and synchronized across multiple devices” (Bommisetty et al., 2014, p. 9). Bommisetty et al. (2014) suggest that the ease with which data can be modified on mobile platforms requires investigators to take additional precautions that wouldn’t be required in traditional digital forensics investigations. An example of such precautions could be investigators placing mobile devices into Faraday bags to prevent remote access (Bommisetty et al., 2014).
Evidence can take several different forms when performing forensic investigations on mobile computing platforms (Bommisetty et al., 2014). Examiners may want to analyze address books, communication logs (call, text, or e-mail history), browsing history, photos, videos, music, documents, scheduling data, network communication logs, map data, application data (including social networking apps), or even deleted data (Bommisetty et al., 2014). There are various rules that investigators need to be aware of to effectively steward evidence obtained from mobile forensic investigations (Bommisetty et al., 2014). In order for evidence to be legally useful, Bommisetty et al. (2014) outline five characteristics the evidence should have: admissible, authentic, complete, reliable, and believable. In addition to legal usefulness, Bommisetty et al. (2014) also outline general guidelines that serve as best practices for stewarding forensic evidence. Bommisetty et al. (2014) claim that evidence should be secured, preserved, and documented, and that any changes to it should be documented as well.
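The preservation and documentation guidelines above can be made concrete with a hash-based chain-of-custody log. The following is an added example (not code from the paper or from Bommisetty et al.): each action taken on an acquired image is recorded together with the image's SHA-256 digest, so that any later change to the evidence becomes visible when the log is verified. The case, item and examiner names are constructed placeholders.

```python
import hashlib
import json
from datetime import datetime, timezone


def sha256_of(data: bytes) -> str:
    """Digest of the evidence bytes; used as the preservation fingerprint."""
    return hashlib.sha256(data).hexdigest()


def new_custody_log(case_id: str, item_id: str, data: bytes, examiner: str) -> dict:
    """Start a log for one item; the first entry records the acquisition hash."""
    log = {
        "case_id": case_id,
        "item_id": item_id,
        "acquisition_sha256": sha256_of(data),
        "entries": [],
    }
    append_entry(log, examiner, "acquisition", data)
    return log


def append_entry(log: dict, examiner: str, action: str, data: bytes, note: str = "") -> dict:
    """Document an action on the item and whether the data still matches acquisition."""
    digest = sha256_of(data)
    entry = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "action": action,
        "sha256": digest,
        "matches_acquisition": digest == log["acquisition_sha256"],
        "note": note,
    }
    log["entries"].append(entry)
    return entry


def verify_log(log: dict) -> bool:
    """True only if every documented action saw an unmodified copy of the evidence."""
    return all(e["sha256"] == log["acquisition_sha256"] for e in log["entries"])


def export_log(log: dict) -> str:
    """Serialize the log so it can be stored alongside the evidence container."""
    return json.dumps(log, indent=2, sort_keys=True)


if __name__ == "__main__":
    image = b"\x00" * 512 + b"constructed sample evidence"  # constructed stand-in for an image
    log = new_custody_log("CASE-001", "ITEM-01", image, "examiner A")
    append_entry(log, "examiner B", "hash verification", image)
    append_entry(log, "examiner B", "hash verification", image + b"x", "copy differs")
    print(export_log(log), "\nintact:", verify_log(log))
```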
Mobile Forensics Tools
Tools for extracting forensic data from mobile computing platforms can be broadly classified into one of the following five categories: manual extraction, logical analysis, hex dump, chip-off, or micro read (Bommisetty et al., 2014). These categories are not necessarily mutually exclusive; a tool could potentially be classified into more than one category (Bommisetty et al., 2014).
Manual extraction involves using the device’s usual user interface to extract the desired data (Bommisetty et al., 2014). Logical extraction requires forensic investigators to connect the computing device to a purpose-built forensic workstation and let the device extract the desired data on the investigator’s behalf through communication between the device and the workstation (Bommisetty et al., 2014). Many mobile forensics tools leverage logical extraction (Bommisetty et al., 2014). Hex dumps are sometimes referred to as physical extraction and also involve connecting the mobile device to a forensic workstation; however, this process instructs the device to dump its memory to the workstation (Bommisetty et al., 2014). Chip-off requires forensic investigators to physically remove the chip from the mobile computing device and retrieve the data from that chip using separate hardware (Bommisetty et al., 2014).
Operating Systems
The analysis methodology will likely vary between disparate operating systems like iOS or Android due to the intricacies of how those operating systems work. One example is how these operating systems store data. Various operating systems will store data through different file systems (Hummert & Pawlaszczyk, 2022). Apple, for example, developed a custom file system named APFS (Apple File System) that is deployed in many iOS devices (Nordvik et al., 2022). In contrast, many Android mobile devices (and other Linux-based systems) use a file system named Ext4 (Nordvik et al., 2022).
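Because the file system decides which analysis methodology applies, an examiner's first step on a partition image is often to identify it from its on-disk signature. The following added example (not from the paper or the cited handbook) does this for the two file systems named above: it checks for the APFS container magic "NXSB" at byte 32 of block 0 and for the ext superblock magic 0xEF53 at byte 1080, then uses the superblock's incompatible-feature flags to tell ext4 (extents enabled) from ext2/ext3. The sample images are constructed in the code and contain only those signature fields.

```python
import struct

EXT_SUPERBLOCK_OFFSET = 1024      # ext2/3/4 superblock starts 1 KiB into the partition
EXT_MAGIC_OFFSET = 56             # s_magic (little-endian u16) inside the superblock
EXT_MAGIC = 0xEF53
EXT_INCOMPAT_OFFSET = 96          # s_feature_incompat (little-endian u32)
EXT4_INCOMPAT_EXTENTS = 0x40      # extents flag, set on practically every ext4 volume
APFS_MAGIC_OFFSET = 32            # nx_magic follows the 32-byte obj_phys_t header
APFS_MAGIC = b"NXSB"


def identify_filesystem(image: bytes) -> str:
    """Classify a partition image by its signature bytes; 'unknown' if none match."""
    if image[APFS_MAGIC_OFFSET:APFS_MAGIC_OFFSET + 4] == APFS_MAGIC:
        return "apfs"
    magic_at = EXT_SUPERBLOCK_OFFSET + EXT_MAGIC_OFFSET
    incompat_at = EXT_SUPERBLOCK_OFFSET + EXT_INCOMPAT_OFFSET
    if len(image) >= incompat_at + 4:
        (magic,) = struct.unpack_from("<H", image, magic_at)
        if magic == EXT_MAGIC:
            (incompat,) = struct.unpack_from("<I", image, incompat_at)
            return "ext4" if incompat & EXT4_INCOMPAT_EXTENTS else "ext2/ext3"
    return "unknown"


def constructed_ext4_image() -> bytes:
    """Constructed sample: zeroed partition with only the ext4 signature fields set."""
    img = bytearray(2048)
    struct.pack_into("<H", img, EXT_SUPERBLOCK_OFFSET + EXT_MAGIC_OFFSET, EXT_MAGIC)
    struct.pack_into("<I", img, EXT_SUPERBLOCK_OFFSET + EXT_INCOMPAT_OFFSET, EXT4_INCOMPAT_EXTENTS)
    return bytes(img)


def constructed_ext2_image() -> bytes:
    """Constructed sample: ext magic present but no extents flag."""
    img = bytearray(2048)
    struct.pack_into("<H", img, EXT_SUPERBLOCK_OFFSET + EXT_MAGIC_OFFSET, EXT_MAGIC)
    return bytes(img)


def constructed_apfs_image() -> bytes:
    """Constructed sample: zeroed block 0 carrying only the APFS container magic."""
    img = bytearray(4096)
    img[APFS_MAGIC_OFFSET:APFS_MAGIC_OFFSET + 4] = APFS_MAGIC
    return bytes(img)


if __name__ == "__main__":
    for name, img in (("ext4", constructed_ext4_image()), ("apfs", constructed_apfs_image())):
        print(name, "->", identify_filesystem(img))
```

On a real acquisition the function is applied to the bytes of each partition (the start offsets come from the partition table), not to the whole disk image, and only the first few KiB need to be read.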
Different operating systems may also dictate the type of data generated on devices (which would necessitate different analysis methodologies) (Bommisetty et al., 2014). Operating systems may enable different features such as photo storage, different data storage levels, different access to communications networks, and different metadata collection types (Bommisetty et al., 2014).
In addition to features and file systems, operating systems have unique architectures to navigate (Bommisetty et al., 2014). The iOS operating system architecture is made up of four layers: the Core OS layer, the Core Services layer, the Media layer, and the Cocoa Touch layer (Bommisetty et al., 2014). The Core OS layer is a low-level layer that interfaces directly with the device hardware (Bommisetty et al., 2014). The Core Services layer sits on top of the Core OS layer and provides the services that are fundamental to the operating system, such as location and iCloud (Bommisetty et al., 2014). The Media layer provides the operating system's graphics, audio, and video infrastructure (Bommisetty et al., 2014). Finally, the Cocoa Touch layer provides the high-level interface infrastructure for the operating system (Bommisetty et al., 2014).
In contrast, Android operating systems are made up of the following four layers: the Linux Kernel layer, the Library layer, the Application Framework layer, and the Applications layer (Bommisetty et al., 2014). The Linux Kernel layer manages the core infrastructure of the Android operating system, such as memory, processes, security, and networking (Bommisetty et al., 2014). The library layer is made up of native Android libraries such as SQLite, WebKit, and SSL (Bommisetty et al., 2014). The Application Framework layer handles basic device functionality (Bommisetty et al., 2014). Finally, the Applications layer handles the mobile computer's user interface through both user-installed and pre-installed applications (Bommisetty et al., 2014).
Conclusion
Mobile forensics is a specialized sub-field of digital forensics (Barmpatsalou et al., 2018) that has been established as a critical component due to the prevalence of security incidents that involve mobile computing devices (Verizon, 2024). While there are many similarities between mobile forensics and traditional computer forensics, mobile forensics has many unique challenges and methodologies that must be addressed. These challenges could include the range of operating systems and hardware that exist among mobile computing platforms, the unique steps that must be in place to effectively steward evidence, or even the ease with which criminals can manipulate data on mobile devices.
References
Barmpatsalou, K., Cruz, T., Monteiro, E., & Simoes, P. (2018). Current and future trends in mobile device forensics. ACM Computing Surveys, 51(3), 1–31. https://doi.org/10.1145/3177847
Bommisetty, S., Tamma, R., Mahalik, H., & Sawant, A. (2014). Practical mobile forensics: Dive into mobile forensics on iOS, Android, Windows, and BlackBerry devices with this action-packed, practical guide (1st ed.). Packt Publishing Ltd.
Hummert, C., & Pawlaszczyk, D. (2022). Mobile Forensics – The File Format Handbook. In Springer eBooks. https://doi.org/10.1007/978-3-030-98467-0
Nordvik, R., Hummert, C., & Pawlaszczyk, D. (2022). Mobile Forensics – The File Format Handbook. In Springer eBooks. https://doi.org/10.1007/978-3-030-98467-0
Verizon. (2024). 2024 Mobile Security Index Report. https://www.verizon.com/business/ja-jp/resources/reports/2024/2024-mobile-security-index.pdf
© Trevor French.