The Challenges of the Forensic Recovery and Examination of Data from Mobile Devices - Research Proposal Example

? THE CHALLENGES OF THE FORENSIC RECOVERY AND EXAMINATION OF DATA FROM MOBILE DEVICES Table of Contents Introduction 4 2. Evidence items 4 3. Challenges of the forensic recovery and examination of data from mobile devices 5 3.1 Laws governing of electronic evidence and regulation standards 5 3.2 Process challenges 6 3.3 Operating systems and communication protocols 7 3.4 Forensic tools 8 3.5 Manufacturers and network providers 9 3.6 Proprietary Hardware (Power and data cables) 9 3.7 Preservation of evidence data 10 3.8 Mobile devices have radically distinctive data formats 10 3.9 Mobile device security measures 11 4. The cross over between computers forensics and mobile device forensics 12 5. Conclusion 13 Abstract By the end of the 1st decade of the new millennium mobile device usage increased tremendously; an indication that technology is advancing at very high rate. The capability of mobile devices has increased as a result of advance in computing ability contributed by advancement of semiconductor technology used in these devices. Due to their size and portability mobile devices have become the vessels of storing, processing and transmitting information. This remarkable development of mobile technology is origin of current security challenges. The involvement of these devices in criminal activities calls for mobile device forensics and data recovery. This paper summarizes the challenges faced in forensic recovery and examination of data from mobile devices. The scope will bring into light challenges associated while carrying forensic analysis of mobile phones and elaborate various analysis techniques. It will also depict the weaknesses of mobile forensic toolkits and procedures and the crossover between phone and computer forensics 1. Introduction Mobile devices have revolutionized communications on every group in the social structure by making connection to the internet hence global information is available at touch of a button. There are slightly above 4 billion users of mobile devices users and the use of these devices in criminal activities is quite widespread and increasing rapidly. The increased usage of mobile devices particularly the mobile phones is entirely attributed to the reduced cost, the introduction of text messaging, multimedia potentialities, custom ring tones, internet connection, and games features among others. Civil and criminal investigations in the day today life and business involve digital mobile devices forensics. These devices can be connected to crime if they are: used as a communication tool in the act of crime, means of committing crime, they contain information and a data warehouse device providing evidence. Mobile devices forensics can be defined as the science of retrieval of digital evidence from mobile devices and entails methods that show how this evidence is retrieved. Mobile devices forensics is achieved through acquiring and analysing data in devices, memory cards and SIM cards. 2. Evidence items Evidence items that can be obtained by forensically examining a mobile device include the following; Name of Service Provider and Unique Id Number that are printed on back of SIM card. International Mobile Equipment Identity (IMEI) and can be retrieved by keying in some commands such as *#06#. Network operators give facility to dial some code for finding it Location Area Identity (LAI) which is stored inside SIM Integrated Circuit Card Identifier (ICCID) is Stored inside SIM and matches the number printed on SIM. International Mobile Subscriber Identity (IMSI), a unique id for every network subscriber and is stored inside SIM. Text messages data (SMS), contacts and call logs are stored on both the SIM and mobile device handset. Multimedia messages (MMS), images, sound, videos, WAP/Browser history, emails, calendar items and notes are all stored in mobile phone memory. Some mobile devices retain information of SIM cards used at earlier times. This feature is very limited in mobile devices. MSISDN (Mobile Subscriber Integrated Services Digital Network) / Telephone Number is available in SIM memory. 3. Challenges of the forensic recovery and examination of data from mobile devices In mobile device forensics it is of great importance to comprehend the current challenges that investigators face in gathering evidence to support their case in legal proceedings. These challenges can be divided into several broad categories as follows; 3.1 Laws governing of electronic evidence and regulation standards Mobile device forensics is faced with the challenge of conflicting protocols of evidence collection that do not support their efforts. In UK the ACPO guidelines for evidence from electronic devices that are computer oriented state that data used in court proceeding should not be changed by investigators. This is normally not possible with data in mobile devices due to its unique nature of continuous change. The guidelines further state that the investigators have to be competent enough to provide results this can be challenging in that there is possibility of not retrieving any significant data, yet the expectation is very high thereby bringing conflict with court proceeding. There are no reliable standards that govern device manufacturers who are adamant in complying with any standards and the current standards are not consistently followed. Therefore reliable mobile forensics standards have to be established by the forensics community to bring order in the field. The investigators face challenge from laws that accord the right to privacy. The right to privacy laws protects people from searches and limits the power of forensic investigators by requiring a warrant in order to perform digital forensics of their mobile devices. International law, ACPO protocols and human rights ensure that evidence collection methodologies are internationally sanctioned and can hold waters when presented in a court of law. Not all the evidence presented in court proceeding is taken into account. In some cases the investigator is challenged in a court hearing where the accused claim his or her constitutional right of privacy. The use of many forensic tools to recover evidence from a single device as required by authorities is tedious. The reliability of some forensic tools is questionable therefore; the protocols require an investigator to use numerous forensic tools for effective retrieval of data. ACPO protocols require proper documentation of the process of acquiring evidence in such extend that it can be replicated by another party and produce same results. Lastly International Organization on Computer Evidence (IOCE) gives guidelines in digital technology forensic examination. These guidelines include; laws of that govern digital evidence and action to be taken in recovering evidence. It also guides on who can performs forensics. 3.2 Process challenges Mobile device forensics encompasses several phases of data extraction that include, preserving, acquiring, examining, analysing and report generating activities. The initial phases are the most important in providing credible evidence to support court proceeding. This is evident in later stages where their efficiency is relied. Application of techniques and forensic tools to retrieve data occurs in the examination and analysis phases. One of the challenges that the investigator faces at this point is the diversity challenge prominent in mobile forensics. There are different processes that are used for the different mobile devices. The processes are mobile device specific. During the preservation process which properly searches, collects and documents evidence several challenges arise. The sole goal of an investigator at this stage is to preserve original state of electronic evidence. There are challenges of identification of mobile device especially the Chinese manufactured devices, mobile device on – off status, physically broken or damaged devices. The acquisition process requires to be done at the scene but lack of right environment hinders this activity. Blocking of signals is required in this process so to prevent the device from switching off due to depletion of charge hence the need of this process to be done in a lab. As a consequence there is possibility of loss of data in the process of transporting this evidence to the laboratories for examination. In the lab another challenge of selecting the right tool for acquisition process becomes evident considering the wide variety of mobile devices, password protection and existence of unstandardized mobile devices. 3.3 Operating systems and communication protocols. Getting a smartphone has been a smart move among many people. This device combines the capabilities of a cell phone, an e-mail device and a PDA thereby making it efficient to carry around. Its technology is being improved every now and then posing a major challenge to the forensic investigator. One particular smartphone slogan reverberates “The possibilities are endless” and to the criminal mind this statement is not taken lightly. Having a forensic tool that is compatible with mobile device’s operating system is a one step closer to credible mobile device forensics, but the compatibility is short lived due to the challenge of rapidly advancing technology. There are many operating systems both open-source and as proprietary with each having radically distinctive and unequal features. The most common mobile device operating systems are; Android used in many smartphones, iPhone, Blackberry OS in Blackberry phones, Windows Mobile OS and Symbian. Mobile device operating systems, versions and device drivers can have compatibility issues causing conflicts during forensics requiring the use of many computers for each of the forensic application programs. This drives the cost of mobile device forensics to unimaginable levels. The use of Virtual Machine that incorporates multiple operating system environments is a remedy. The mobile device investigator faces the challenge of determining what particular data communication protocol to use in connecting the mobile device to the host computer that contains installed forensic application programs. Some of the operating systems’ specific communication protocols that are being used currently include; OBEX, AT and IrMC and are exclusively reliant to the operating system. Majority of these protocols lack proper documentation hence the investigators lack reference backing in problem solving situations. The usage of communication protocols facilitates retrieval of important evidence such as application data, multimedia files, call and web history, device name and model, phonebook contacts and text messages. Some of the operating systems of mobile devices require the installation of forensic software in the device so as to retrieve data or allow communication with the forensic computer. Installing programs on the mobile device could cause loss of evidence through accidental deletion. Lastly in some cases data can be changed by the communication protocol during the retrieval process. Such altered data can bring controversy in presenting evidence in court proceedings. 3.4 Forensic tools Basically forensic tools are categorized according to the examination level capability. As you dig deeper to recover data the tools become more valuable, methodology become complex, more time is required and further training becomes a must. Forensic tools both the hardware and the software development is at snail pace compared to the advances in mobile device technology. The developers of such tools face the challenge of keeping pace with the new devices from the highly competitive market circles of smartphones. There are few forensic tools that are available and are device manufacturer specific hence the number of supported mobile devices is very small. A majority number of the available open –source forensic tools lack the capability retrieve evidence from damaged or broken mobile devices. In such a situation the forensic examiner has to be very careful not to lose data therefore proper training and reliable equipment are required. Forensic tools have limited connectivity. Some tools are limited to only wired connection despite the existence of other ways such as Infrared and blue tooth. 3.5 Manufacturers and network providers The first step in mobile device forensics that an investigator should not miss is, establishing the identity of the device. This is a major challenge due to the fact that manufacturing companies develop a quite large collection of models. At any given time the number and type of mobile devices that hit the market is very high. This is caused by the factor that people are replacing mobile devices at rapid rate. Probability of losing or damaging a mobile device is much higher than in computers. Without close examination an investigator cannot be able to identify a mobile device. Mobile devices brand marketers extensively use completely different names from the multiple network providers. Therefore an investigator is forced by circumstances to uncover the mobile devices and possibly remove the battery to get the model number or identity and this may cause loss of evidence or in worst scenarios the device can lock upon booting. In almost every region there are multiple network hosts. Communications in these devices occur through these network carriers that in many cases archive the contents. There are volumes of data accumulating from such activities together with call and billing records really form oceans of data. Therefore the process of obtaining a specific item is quite rigorous, normally the network service providers require clearance from authority (legal and security) and account owner. 3.6 Proprietary Hardware (Power and Data Cables) There is lack of power and data cable standards. Unlike the situation in Microsoft windows forensics where most peripheral device interconnection is standardized, the smartphone world is very diverse. Existence of wide variety of proprietary hardware poses a challenging task to an investigator who has to identify and possess hundreds of data and power cords in their toolkits. A documentation containing a list of the mobile device models and their respective cables would greatly make an impact. Means of preserving power in mobile device is challenging. Mobile device batteries don not power long upon charging hence the devices loose power with time causing loss of evidence (information) due to the volatility nature of the memory. It is recommended that the devices remain plugged to a power source in order to obtain better results. Some efforts have been made in developing standards that the manufacturing mobile industry can follow. For instance standard like the micro-USB would be of great benefit to the consumers and the investigators, but the strategic goals of hardware manufacturers to have competitive edge in the market force them to develop new designs. 3.7 Preservation of evidence data During the investigation preservation of data is the driving motive. Technology sophistications in criminal world have the capacity to remotely alter confiscated mobile devices, hence the need of shielding. The investigator has to ensure that the mobile device no longer communicates to avoid overwriting of data. This is common in text messaging features where an incoming text replaces the oldest text in the inbox. Most of the text messaging features of majority if not all uses the FIFO algorithm. This is also replicated in call log features where limited number of call logs is maintained. Upon acquiring the devices, shielding these devices from communication without switching them off is quite challenging. Electromagnetic waves pass through media therefore; these evidence loaded devices are put in special containers such as the Faraday bag that block all communication. Wrapping the mobile devices with good conductor material such as copper or sliver also works though with varying degrees of blocking the signals. 3.8 Mobile devices have radically distinctive data formats Upon satisfying the other requirements for forensically sound exercise, the investigator faces another challenge of data storage. Mobile devices such as smartphone devices from the Chinese market lack standardized ways of storing data. The manufacturers of do not specify a standard location to look for data thereby making the investigators task difficult. There several locations in mobile devices where data can be stored. Some information is stored in the mobile device SIM memory or removable flash memory (micro-SD technology). Due to the different types of memory, different devices will use memory types that best suite them. There is RAM (Random access memory) that is divided into DRAM (Dynamic random access Memory) which requires constant refreshing to retain data and SRAM (Static random access memory) that requires no refreshing. RAM constitutes the main memory of these devices. Mobile devices also utilise ROM (Read only memory) which is built in and contains configuration setting of the device. Data in ROM is not important to the investigator reason being that the device user cannot make changes to it. File formats for phonebook, web and text messages are device specific while those of multimedia files are cross platform. Forensic software developers have to create forensic application programs that convert the different mobile device data formats into formats that the investigators can comprehend. 3.9 Mobile device security measures Upon restarting a mobile device the user is prompted to enter security details. These details are set by either the manufacturer or the user. Authentication and identification mechanisms secure data. There are handful security mechanisms that limit the accessibility of data to only the rightful user who has can access PIN (Personal Identification Number), PUK (phone unlock key) and device and memory passwords. Bypassing this security checks is difficult and entirely depends on the model of the device. Global Systems for Mobile Communication (GSM) is a commonly used worldwide network technology. The SIM card store data relating to the network subscriber and settings that restrict the usage of mobile device internal memory. During the process of forensic examination data is read from the SIM using a card reader. Forensic software that initiates access mechanism is required to access the contents of the SIM upon proper authentication. The investigator has to put into consideration that the SIM cards have a limit of three login attempts of which exceeded may cause blocking of the SIM. Loss of data may occur upon putting another SIM card. With the appropriate authority documents the right PIN can be requested from the network provider. The user has exclusive rights and therefore can change the PIN whereas the PUK cannot be altered. The GSM network operators closely guard the PUK and provide limits to the number of entry code attempts that can be made after blocking the SIM card. All the capabilities of the computer system as we know it has been transformed into miniaturised gadgets; the smartphone. A mobile device forensic investigator faces the challenge of overcoming data encryption. Smartphones have data encryption capacity just like the normal computer that protects data by use of encryption keys. The use of software to decipher encrypted data and assistance from the respective proprietary hardware, software and operating system product support is required in such a situation. IMEI (International Mobile Equipment Identity) is a number that uniquely identifies a mobile device. The emergence of tools such as Universal Flasher has led to changing of device IMEI numbers resulting to a sea of unidentified mobile devices. This is very common with Chinese manufactured phones. It is difficult to perform forensic examination on a mobile device manufactured in china because the mobile devices lack IMEI number making it difficult to trace a call or its location. This lack of proper monitoring serves as a safe haven for criminals and possibly terrorists who use these devices as detonators. 4. Cross over between computers forensics and mobile device forensics The field of computer forensics is closely related to mobile device forensics but differs significantly on some areas. These crossovers are evident from several aspects. Computer forensics is less complex compared to mobile device forensics which is more challenging considering the fact that developing industry standard forensic tools is difficult. The on/off forensics requirement in is quite problematic in mobile device forensics compared to computer forensics. Mobile devices remain active even after switching off. In computer forensics the computer is switched off enabling the process of imaging to take place. All the data in the hard drive is converted to image form which is analysed in forensic lab a process known as offline forensic analysis. This is not normally the case in mobile forensics where stored data keep on automatically changing due to the atomic clock features in mobile devices. The computer world experiences a slower technological advancement in the operating system realm in comparison with mobile technology. Evidence volatility is low and imaging process is easier in computer forensics compared to mobile device forensics. Computer forensics field is endowed with more proprietary forensic tools whereas mobile forensics has more open source forensic tools. In both types of forensics computer systems are used in analysing of data. Mobile device forensic analysis uses both computers and mobile devices whereas computer forensics requires only computer system. The availability of computer operating systems gives computer forensic investigators an added advantage and in that they are quite used to them. On the other hand the developers of operating systems and forensic tools of mobile devices are unwilling to divulge information about their products in fear of losing market share. They regard such information as trade secrets. The data storage media in computers is largely the hard drives whereas mobile devices use volatile memory; therefore it becomes easier for mobile devices to lose data. Finally computers have limited connections compared to mobile devices. 5. Conclusion Mobile device forensics is a dynamic field. There are challenges and opportunities faced by investigators in their effort of analysing mobile devices for crucial data required in backing up their investigation reports. The particular course of action intended to achieve concrete mobile device evidence is highly sophisticated as compared to the conventional computer forensics. This is so because the data in mobile devices is very liable to sudden changes; for instance such it can be corrupted or erased. Examination of mobile devices therefore requires proper identification of manufacturer and operating system of the specific device. Modern mobile devices come in huge variety and this poses a major challenge, when choosing software for investigations. The software programs used for mobile forensics are in most cases are not fully capable of retrieving and processing data. There is no full data recovery due to the quicksilver character nature of electronic evidence in mobile devices Digital forensics for mobile devices is far much behind the rapid Mobile phone technology advancement. Although mobile devices technology is becoming better and better every day to the user, it is associated with high level of sophistication in examiners view. More resources in terms of time and money are therefore required for proper training of law enforcers and investigators together with development and evaluation of new better forensic tools and methods. Work cited 1) Ayers, R., Jansen, W., Cilleros, N., Daniellou, R., 2006. Cell Phone Forensic Tools: An Overview and Analysis, [online] Available at: http://csrc.nist.gov/publications/nistir/nistir-7250.pdf [Accessed 24 April 2013]. 2) Ayers, R., Jansen, R., Moenner, L., Delaitre, A. (2007). Cell Phone Forensic Tools: An Overview and Analysis Update, [online] Available at: http://csrc.nist.gov/publications/nistir/nistir-7387.pdf [Accessed 24 April 2013]. 3) Bill. Nelson (2010). Guide to computer forensics and investigations: Cengage Learning. 4) Breeuwsma, M. (2006). Forensic imaging of embedded systems using JTAG. Digital Investigation. 5) Breeuwsma, M., de Jongh, M., Klaver, C., van der Knjiff, R., & Roeloffs, M. (2007). Forensic data recovery from flash memory. Small Scale Digital Device Forensics Journal, 1(1), [online] Available at: www.ssddfj.org/papers/SSDDFJ_V1_1_Breeuwsma_et_al.pdf [Accessed 24 April 2013]. 6) Casey, E., Bann, M., & Doyle, J. (2009). Introduction to windows mobile forensics. Digital Investigation, 6(3–4). 7) Gerald L. Kovacich (2000). High-technology-crime investigator's handbook: working in the global information environment, Boston: Butterworth-Heinemann. 8) Graham, Paul (2004). Hackers & painters: big ideas from the computer age, Sebastopol, CA: O'Reilly. 9) Greg Gogolin (2012). Digital Forensics Explained: CRC Press. 10) International Organization on Computer Evidence (2000). Good Practices for Seizing Electronic Devices - Mobile Telephones, [online] Available at: http://www.ioce.org/fileadmin/user_upload/2000/ioce%202000%20electronic%20devices%20good%20practices.doc [Accessed 24 April 2013]. 11) Losif I. Androulidakis (2012). Mobile Phone Security and Forensics: A Practical Approach: Springer. 12) Jones, A. (2008, January 21–23). Keynote speech. In: First International Conference on Forensic Applications and Techniques in Telecommunications, Information and Multimedia, Adelaide, Australia. 13) John Sammons (2012). The basics of digital forensics: the primer for getting started in digital forensics, Waltham, MA: Syngress. 14) Jonathan Zdziarski (2008). IPhone Forensics: Recovering Evidence, Personal Data, and Corporate Assets: O'Reilly Media, Inc. 15) Lewis, Don L. (2009) “Examining Cellular Phones and Handheld Devices”. Forensics magazine, August/September 2009. 16) McCarthy, P. (2005). Forensic Analysis of Mobile Phones, [online] Available at: http://esm.cis.unisa.edu.au/new_esml/resources/publications/forensic%20analysis%20of%20mobile%20phones.pdf [Accessed 24 April 2013]. 17) McKemmish, Rodney (2008). “Advances in Digital Forensics IV”. International Federation for Information Processing. 18) Mislan, Richard P. “Cellphone Crime Solvers”. IEEE Organization, [online] Available at: http://spectrum.ieee.org/computing/software/cellphone-crime-solvers [Accessed 24 April 2013]. 19) Mislan, R.P., Casey, E., & Kessler, G.C. (2010). The Growing Need for On-Scene Triage of Mobile Devices. Digital Investigation, 6(3-4), 112-124 20) Punja, S & Mislan, R. (2008). Mobile Device Analysis. Small Scale Digital Device Forensics Journal, Vol. 2, No. 1, 2-4. 21) Rehault, F. (2010). “Windows mobile advanced forensics: An alternative to existing tools”, Journal of Digital Investigation, 7(1–2). 22) Robinson, G., Smith, G. (2001). Evidence from mobile phones. The Legal Executive. Journal of the Institute of Legal Executives, [online] Available at: http://www.ilexjournal.com/special_features/article.asp?th eid=284&themode=2 [Accessed 24 April 2013]. 23) Willassen S. (2003). “Forensics and the GSM mobile telephone system”, International Journal on Digital Evidence, 2(1) Read More