Practical Mobile Forensics
上QQ阅读APP看书,第一时间看更新

Challenges in mobile forensics

One of the biggest forensic challenges when it comes to the mobile platform is the fact that data can be accessed, stored, and synchronized across multiple devices. As data is volatile and can be quickly transformed or deleted remotely, more effort is required for the preservation of this data. Mobile forensics is different from computer forensics and presents unique challenges to forensic examiners.

Law enforcement and forensic examiners often struggle to obtain digital evidence from mobile devices. The following are some of the reasons for this:

  • Hardware differences: The market is flooded with different models of mobile phones from different manufacturers. Forensic examiners may come across different types of mobile models that differ in size, hardware, features, and operating system. Also, with a short product development cycle, new models emerge very frequently. As the mobile landscape changes with each passing day, it is critical for you to adapt to all challenges and remain updated on mobile device forensic techniques across various devices.
  • Mobile operating systems: Unlike personal computers, where Windows has dominated the market for years, mobile devices widely use more operating systems, including Apple's iOS, Google's Android, RIM's BlackBerry OS, Microsoft's Windows Phone OS, HP's webOS, and many others. Even within these operating systems, there are several versions, which makes your task even more difficult.
  • Mobile platform security features: Modern mobile platforms contain built-in security features to protect user data and privacy. These features act as a hurdle during forensic acquisition and examination. For example, modern mobile devices come with default encryption mechanisms from the hardware layer to the software layer. You might need to break through these encryption mechanisms to extract data from the devices. The FBI versus Apple encryption dispute was a watershed moment in this regard, where the security implementation of Apple prevented the FBI from breaking into an iPhone seized from an attacker in the San Bernardino case.
  • Preventing data modification: One of the fundamental rules in forensics is to make sure that data on the device is not modified. In other words, any attempt to extract data from the device should not alter the data present on that device. But this is not practically possible with mobiles, because just switching on a device can change the data on that device. Even if a device appears to be in an off state, background processes may still run. For example, in most mobiles, the alarm clock still works even when the phone is switched off. A sudden transition from one state to another may result in the loss or modification of data.
  • Anti-forensic techniques: Anti-forensic techniques, such as data hiding, data obfuscation, data forgery, and secure wiping, make investigations on digital media more difficult.
  • Passcode recovery: If the device is protected with a passcode, the forensic examiner needs to gain access to the device without damaging the data on the device. While there are techniques to bypass the screen lock, they may not always work on all versions of the OS.
  • Lack of resources: As mentioned earlier, with the growing number of mobile phones, the amount of tools required by a forensic examiner also increases. Forensic acquisition accessories, such as USB cables, batteries, and chargers for different mobile phones, have to be maintained in order to acquire those devices.
  • Dynamic nature of evidence: Digital evidence may be easily altered either intentionally or unintentionally. For example, browsing an application on a phone might alter the data stored by that application on the device.
  • Accidental reset: Mobile phones provide features to reset everything. Resetting a device accidentally while examining it may result in the loss of data.
  • Device alteration: The possible ways to alter devices may range from moving application data or renaming files to modifying the manufacturer's operating system. In this case, the expertise of the suspect should be taken into account.
  • Communication shielding: Mobile devices communicate over cellular networks, Wi-Fi networks, Bluetooth, and infrared. As device communication might alter the device data, the possibility of further communication should be eliminated after seizing the device.
  • Lack of availability of tools: There is a wide range of mobile devices. A combination of tools needs to be used, because a single tool may not support all the devices or perform all the necessary functions. So, choosing the right tool for a particular phone might be difficult.
  • Malicious programs: The device might contain malware or malicious software, such as a virus or a Trojan. These programs may try to spread over other devices over either a wired interface or a wireless one.
  • Legal issues: Mobile devices might be involved in crimes that cross geographical boundaries. In order to tackle these multi-jurisdictional issues, the forensic examiner should be familiar with the nature of the crime and the regional laws.

Let's have a look at the process of evidence extraction in the next section.