Forensics is a well-known technique in current trends, it has different phases in its existence, and Digital forensics is one of them. Digital forensics is the process of uncovering electronic data. The goal of the process is to preserve any evidence in its most original form while performing a structured investigation by collecting, identifying and validating the digital evidence for the purpose of reconstructing past events. The context is most often for usage of data in a court of law, though digital forensics can be used in other instances.
The different branches of Digital forensics involves in dealing with Cyber forensics, Malware forensics, Incident Response, Mobile device forensics, and database forensics.
Majorly deals with the hand-held devices and smart devices to collect the digital evidence and to analyse the data and to fetch the results of various apps installed, user data, browser history and more. As per the Netmarketshare reports approximately Android covers 52% of the market globally followed by IOS with 40% then windows with 3%, blackberry with 2% and others with 3%.
Mobile Forensics involves the below process.
- Acquisition / Processing
Forensic artifacts varies from operating system to operating system as the architecture differs from device to device. To collect the digital evidence from a smart phone below are the commonly used types of extraction techniques used by major forensic tools.
- Physical Collection
- Logical Collection
- File System Extraction
Physical extraction extracts the information from the device by accessing its flash memory. It creates a bit-by-bit copy of the device. Physical collection supports deleted file extraction.
Types of Physical Acquisitions:
Most of the devices in the market doesn’t support physical extraction unless the user has the root privileges, to overcome such challenges extraction is performed by using two techniques:
JTAG - Joint Test Action Group
JTAG (Joint Test Action Group) involves using advanced data acquisition methods at the hardware level, which is done by connecting to specific ports on the device and transfer the data. Analyst must have proper training and experience prior to attempting JTAG as the device may be damaged if handled improperly.
Chip-off, is another type of physical acquisition where in the flash chips would be removed from the device to extract the data. This type of acquisition usually damages the device.
The best and preferred method is physical extraction, however due to the wide range of devices present in the market the second preferred method is logical extraction. Logical extraction extracts the information which is accessible and not from the unallocated space. It extracts data without root access however having root access on a device can allow examiner to acquire more data. The data is extracted based on the application programming interface.
Types of Logical Extraction:
i. Agent Based Extraction
In this extraction an agent will be pushed in to the device and extracts the data then uninstall the agent and its traces. The extraction method from device to device and operating system to operating system differs as the architecture is different.
ii. Data Extraction using ADB commands
ADB (Android Debug Bridge) is a command line tool which is used to communicate with the device to retrieve the information, it can extract the data which is on device having root access to the device provides you more information than as a normal user. ADB shell uses USB debugging mode. If the device is locked and USB debugging is not enabled ADB commands will not able to fetch the results. In most of the cases Application data is stored as a SQLite database. In any type of extraction these dBs are parsed altogether and report is generated.
File system Extraction
It is used to acquire the data stored in the allocated space, unlike physical extraction it only captures the application specific entries in the database to recover the deleted items.
Below table gives an overview of collection methods in mobile forensics.
As mentioned in the above extractions every operating system has their own architecture to store the artifacts below is the details of different artifacts these artifacts locations varies from device to device and version of the Operating System to Operating System.
Smart device is an important piece of evidence when it comes to corporate frauds, financial frauds, civil and criminal litigations. Any corporate having a BYOD policy provide users an flexibility to configure MDM (Mobile Device Management) services, and corporate policy defines that the asset can be seized if it is required in any investigation of the incident happened.
The major challenges in mobile forensics are:
- To acquire and analyse the digital data of a new device released in the market because of continuous changes or upgrades of the architecture.
- Cloud storage of phone memory in recent devices like One Drive, ICloud, Google Drive – JTAG / Chip-off as mentioned above can be used as an option to retrieve the data.
- Recent mobiles come with an option to encrypt the phone data which will not be able to decrypt by usin any of the former techniques
The BYOD Policy provides an opportunity for the users to configure corporate services on their devices, this extends the scope of mobile forensics .Forensic examiner should be able to understand the BYOD Policy, MDM solution of the corporate, type of evidence that has to be acquired and analysed.
Authored by Pardhasaradhi Chintalapati