EHDFchapter 5

Mobile device forensics involves recovering and analyzing digital evidence from mobile phones under forensically sound conditions. This can include call logs, text messages, photos, internet history, and other data stored on the device memory, SIM card, or external memory. There are various tools and techniques used for extraction, including manual, logical, JTAG, chip-off, and micro read methods. The mobile forensic process includes identifying the device, isolating it to preserve evidence, acquiring data using appropriate tools, examining the data, documenting findings, and presenting results in court. Challenges include device variations, encryption, lack of single tools supporting all devices, and anti-forensic techniques.

What is mobile device forensics?

Mobile Phone Forensics, or Mobile Forensics, deals with recovering and analysing digital evidence
from a mobile phone, such as call logs, text messages, multimedia and browsing history, under
forensically sound conditions.
Evidence present in mobile phones
Data present in mobile devices mainly originates from three sources: the SIM card, external
memory, and phone memory (internal memory). The following are the most common types of evidence
found on a mobile device:

 Contacts: Contains names, phone numbers and e-mail addresses; stored on the device as
well as the SIM card.
 Call Logs: Contains dialled, received and missed calls, the date and time of each call and its
duration; stored on the device as well as the SIM card.
 Messages: Contains incoming and outgoing text messages; stored on the device as well
as the SIM card.
 Images/Audio/Video: Contains audio, images or video captured using the phone camera,
transferred from other devices or downloaded from the internet; stored on internal/external
memory.
 Documents: Contains documents created using the phone’s applications, transferred from
other devices or downloaded from the internet; stored on phone memory/external memory.
 Calendar/Notes: Contains calendar entries, reminders, notes, to-do lists, etc.; stored on
phone memory.
 Third-party installed apps: Contains alternative messaging and communication applications
and their chat logs; stored on internal/external memory.
 Internet-related evidence: Web browsing history, social media accounts, e-mails, etc.; stored
on phone memory.
 International Mobile Equipment Identity (IMEI): 15-digit number; stored on the device and
also printed on it.
 International Mobile Subscriber Identity (IMSI): 15-digit number; stored on the SIM card.
 Integrated Circuit Card Identifier (ICCID): 20-digit number; stored on the SIM card.
 Service Provider: Printed on the SIM card.
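As an added example (not from these notes), the following Python checks the identifiers listed above the way an examiner would when recording them: the Luhn check digit that closes an IMEI and an ICCID, the MCC/MNC/MSIN split of an IMSI, and a comparison of the IMEI read from the device with the one printed on it. All sample values are constructed; the MNC length is passed in by the caller, since resolving it from the MCC needs a lookup table that is not included here.

```python
"""Sanity checks for the identifiers an examiner records from a handset and SIM.

Added example, not from the original notes. Every IMEI, IMSI and ICCID value
used here is a constructed sample, not a real device or subscriber.
"""


def normalize(value: str) -> str:
    """Keep only digits: printed labels often contain spaces, hyphens or slashes."""
    return "".join(ch for ch in value if ch.isdigit())


def luhn_valid(digits: str) -> bool:
    """Luhn check: the last digit is the check digit.

    Walking right to left, every second digit (starting with the one left of
    the check digit) is doubled, results above 9 are reduced by 9, and the
    total must be a multiple of 10. Both the IMEI and the ICCID end in a Luhn
    check digit, so a failed check means a transcription or OCR error.
    """
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0


def parse_imei(raw: str) -> dict:
    """Split a 15-digit IMEI into TAC (8), serial (6) and Luhn check digit (1).

    A 16-digit IMEISV (14 identity digits + 2-digit software version) carries
    no check digit, so it is reported as its own kind rather than rejected.
    """
    imei = normalize(raw)
    if len(imei) == 16:
        return {"kind": "IMEISV", "tac": imei[:8], "serial": imei[8:14],
                "svn": imei[14:], "valid": True}
    if len(imei) != 15:
        return {"kind": "invalid", "valid": False, "reason": f"{len(imei)} digits"}
    return {"kind": "IMEI", "tac": imei[:8], "serial": imei[8:14],
            "check": imei[14], "valid": luhn_valid(imei)}


def parse_imsi(raw: str, mnc_len: int = 2) -> dict:
    """Split a 15-digit IMSI into MCC (3), MNC (2 or 3) and MSIN (the rest).

    The MNC length depends on the MCC (3 digits in North America, 2 in most
    other regions); a real tool resolves it from an MCC/MNC table. Here the
    caller supplies it, defaulting to 2.
    """
    imsi = normalize(raw)
    if len(imsi) != 15 or mnc_len not in (2, 3):
        return {"valid": False, "reason": f"{len(imsi)} digits"}
    return {"valid": True, "mcc": imsi[:3], "mnc": imsi[3:3 + mnc_len],
            "msin": imsi[3 + mnc_len:]}


def parse_iccid(raw: str) -> dict:
    """Validate a 19- or 20-digit ICCID (ITU-T E.118).

    Every ICCID starts with the major industry identifier 89 (telecoms) and
    ends in a Luhn check digit; the country and issuer fields in between are
    of variable length, so they are not split here.
    """
    iccid = normalize(raw)
    if len(iccid) not in (19, 20):
        return {"valid": False, "reason": f"{len(iccid)} digits"}
    return {"valid": iccid.startswith("89") and luhn_valid(iccid),
            "mii": iccid[:2], "check": iccid[-1]}


def imei_matches_label(stored: str, printed: str) -> bool:
    """Cross-check the IMEI read from the handset against the one printed on it.

    Only the 14 identity digits are compared, so an IMEISV read via software
    still matches a 15-digit label. A mismatch (replaced mainboard, relabelled
    device or transcription error) must be recorded in the examination notes.
    """
    a, b = normalize(stored), normalize(printed)
    return len(a) >= 14 and len(b) >= 14 and a[:14] == b[:14]


if __name__ == "__main__":
    # Constructed sample values; MCC 001 / MNC 01 is the reserved test network.
    print(parse_imei("35-229509-123456-7"))
    print(parse_imsi("001010123456789"))
    print(parse_iccid("8991 1012 0000 3204 5104"))
```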
Mobile Device Tool Classification System
The acquisition of data from mobile devices involves the use of automated tools. Therefore,
understanding the various types of acquisition tools and the data they are capable of recovering is
important for a mobile forensic examiner. Based on the various extraction methods, the tools
available may be classified under one of the following levels:
Manual Extraction
The manual extraction method involves viewing the data stored on a mobile device by manually
operating its buttons, keyboard or touchscreen. Data of evidentiary value should be
recorded using an external digital camera. One of the biggest disadvantages at this level is that
deleted information cannot be recovered. Moreover, it may become impossible to gather evidence
when dealing with a broken or missing LCD screen or a damaged keyboard interface.

Popular tools for manual extractions include:

 Project-A-Phone
 Fernico ZRT
 EDEC Eclipse

Logical Extraction
Logical extraction involves connecting the mobile device to a forensic workstation using either a
wired (e.g., USB) or wireless (e.g., Wi-Fi or Bluetooth) connection. Once the connection is
established, the tool sends a series of commands over that interface from the computer to
the mobile device. The mobile device then responds with the requested data, which is sent back to the
workstation and presented to the forensic examiner for reporting purposes.

The tools used for logical extraction include:

 XRY Logical
 Oxygen Forensic Suite
 Lantern

Hex Dumping and JTAG

Hex dumping, also known as physical extraction, gives the examiner direct access to the raw data
stored in the flash memory. Hex dumping involves uploading unsigned code or a modified boot
loader into the phone’s memory by connecting it to a flasher box, which in turn is connected to the
forensic workstation. A series of commands is then executed, instructing the phone to dump its
memory to the destination selected by the examiner.
The common tools used for hex dump include:

 XACT
 Cellebrite UFED Physical Analyzer
 Pandora’s Box

The JTAG (Joint Test Action Group) method involves connecting to the Test Access Ports (TAPs) on a
device; JTAG is a common test interface for processors, memory and other semiconductor chips.
Special programmer devices are used to instruct the processor to transfer the data stored in
memory. The JTAG method comes in handy when dealing with locked devices, or devices with
minor logical damage, that are inaccessible through other methods.
Chip-Off
Chip-off methods refer to the acquisition of data directly from a mobile device’s flash memory.
This extraction requires physically removing the flash memory chip and connecting it to a chip reader to
create a binary image of the removed chip. This method requires extensive training, as it can be
extremely challenging and carries the risk of physically damaging the chip during the process.
The popular tools and equipment used for chip-off include:

 iSeasamo Phone Opening Tool
 Xytronic 988D Solder Rework Station
 FEITA Digital inspection station
 Chip Epoxy Glue Remover
 Circuit Board Holder

Micro Read
A micro read involves analysing the physical gates on a NAND or NOR chip with the use of an
electron microscope. This process is not only time consuming and costly, but also extremely
technical. Therefore, this method is carried out only for high-profile cases, equivalent to a
national security crisis, when all the other extraction methods have been exhausted.
Mobile Device Forensic Process
Identification: It is the process of identifying the mobile device and other relevant details such as
the goals of the examination; the make, model or IMEI of the device; any removable external
memory; or other potential evidence such as fingerprints.
Isolation: Isolating the mobile device from the network is extremely important to avoid
modification of the evidence on the phone after seizure. This can be done by placing the device in
a Faraday bag and putting the phone in airplane mode.
Acquisition: Once the phone is isolated, data from the device can be acquired using the appropriate
extraction methods. Physical acquisition is preferred as it extracts the raw data directly from the
memory of the device and recovers deleted data as well as data from unallocated space.
Examination and Analysis: After the data has been acquired, the examination process uncovers
digital evidence, including that which may be hidden or deleted. The process begins with a copy of
the evidence acquired from the mobile device and the results are gained by applying scientifically
based methods. Data reduction, that is, separating relevant from irrelevant information, occurs once
the data is exposed.
Documentation: The forensic examiner should document the entire procedure and the steps taken
during the acquisition and examination. This should include the date and time of the examination,
the condition and status (on/off) of the phone, the tools used and the data found.
Presentation: A report of the data extracted from the device should be created, including the opinion
of the examiner. The findings of the case should then be presented in a clear and easy to understand
manner in the court of law.
Challenges

 Hardware Differences: The examiner may come across many different models, which
differ in operating system, size, features or hardware.
 Encryption: Modern phones come with security features such as encryption; encrypted data
has to be decrypted before the examiner can proceed with the examination.
 Lack of a single comprehensive tool: Due to the varied nature of mobile devices, a single tool
may not support all devices or perform all the necessary functions.
 Anti-forensic Techniques: Anti-forensic techniques such as data hiding, data obfuscation or
wiping make the investigation process more difficult.
https://forensicsdigest.com/introduction-to-mobile-device-forensics/

How does a mobile device become part of a crime?

 A target or victim: Crime in which the computing device is the target of the offence. Example:
the device is subjected to physical damage or theft.
 As a weapon: Crime related to fraud or online transactions that uses mobile devices as the
weapon.
 As a witness of crime: A mobile phone may act as a witness through the data and entries it holds.
Example: saved data on illegal activities like online fraud.

Mobile Seizure Warrants

Before the seizure of a mobile device, a warrant may or may not be required, depending on the following:

 If no search warrant has been issued, seizing a mobile phone depends on the
consent of the owner, although this may vary from case to case.
 If a warrant has been issued, check whether the mobile device is included in the warrant or
not.
 In the case of a corporate company or office, first inquire which individuals and
employees have access to the digital device in question.
Interpreting each of these issues is key to an effective seizure of the evidence at the scene. The
inability to answer these essential questions could lead to the exclusion of evidence recovered at the crime
scene.

Parts of a Mobile Device Forensic Warrant

Part 1: Physical location to be searched
A mobile device warrant should include the property and the place to be searched; these should be
defined before the seizure or search of a mobile device. While creating a legal document to search a
physical place, the officer must define:

 The physical place,
 The address, and
 What is being searched for.
The source of all this information is the prior investigation and the probable place where the device can be found.
This procedure ensures that the person and place to be searched are specified and saves time by avoiding unnecessary
searches and seizures.

Part 2: Items to Seize

If investigators have information about the device that is to be searched, it can be mentioned in the
warrant, including:
a. The color of the mobile device,
b. The cell phone manufacturer,
c. Model name,
d. The serial number (not the device’s phone number),
e. The type of cover used for the device, even if not unique,
f. Other descriptions of the mobile phone, such as cameras (front or back camera, or both),
the position of audio jacks, etc.,
g. A description of any unique specific details, such as scratches, broken screens, etc.

Procedure for Seizing Mobile Device Evidence

1. Securing the Scene
 Data Volatility at the Scene: Use of Jammers
 Questions to be Asked
 Device and Data Security
 Backups
2. Exploring the Scene for Evidence
 Photographing the Mobile Forensic Evidence
 Other Items at the Crime Scene
3. The Collection, Processing, and Packaging of Mobile Device Evidence
 Prior to Collection
 Bagging Sensitive Evidence
 Types of Bagging Equipment
 Properly Bagging Mobile Device Evidence
4. Documentation of Evidence: Tags and Labels
5. Transporting Mobile Device Evidence

A. Securing the Scene

The safety of the people at a crime scene is paramount, no matter where the crime scene is located.
Ensure that the location where digital evidence is collected is free of any risk and free from any
distractions.
The officer-in-charge must conduct a guided inquiry with the relevant authority about the digital
evidence or mobile devices, and about any other details that might assist the case.
A.1. Data Volatility at the Scene: Use of Jammers
Digital data, especially on a mobile phone, is extremely volatile.
With the majority of newly developed mobile phones, the user can quickly wipe the phone’s
data with a few clicks, or even by sending a remote signal to the device.
Cellular transmissions occur via radio signals, and data transmissions can originate and terminate at
the device via the cellular signal or a Wi-Fi network.
Blocking all communication access to the device ensures that:

 The device will not be remotely wiped,
 The owner cannot wipe the device to protect its data, and
 The device cannot receive any additional transmissions, such as
calls, texts and other data, from the cellular network.
So, the very first step is to isolate the scene and restrict access to any network communication.

A.2. Questions to be Asked

Questions asked by the forensic examiner (officer-in-charge) may include, but are not limited to:
1. Whether any security authentication is used: locked with passcodes, patterns or
biometrics.
2. Daily usage patterns: light user or heavy user.
3. Which applications does the person use daily?
4. How often does the person use text messaging?
5. Who does the person speak to most often?
6. How many other mobile devices does the person have?
7. Who else has access to that device?

A.3. Device and Data Security

Mobile device security can be a real problem during the collection of electronically stored data.
There are two major issues in the analysis of electronic data:
1. User authentication security keys: passcodes, patterns and biometrics.
2. Data security: encryption, which makes it difficult to extract data.
It is the duty of the officer in charge (whenever possible) to obtain the security keys from the owner.
If possible, any authentication and encryption should be unlocked by the device owner at the
time of seizing the mobile phone.
After unlocking and removing any encryption, the officer should make the setting permanent so that
the device can be successfully examined at a later stage.
A.4. Backups
Sometimes the mobile phones themselves are not physically available, but their backups are. In that case, useful
information can be extracted from the backups of a mobile device.
A smart device, such as an Android, Windows or iOS device, can create a backup of its
data on a computer, a cloud storage platform or any storage device.
But a key thing is that many backups are encrypted. This adds another level of difficulty when
analyzing the information in them.

B. Exploring the Scene for Evidence

After gathering information from the occupants or the people at the scene, the agent should search
the area systematically.
Searching can occur in a pattern: by working from the outside to the center of the location, by using
a back-and-forth search, or by dividing the location into several smaller portions.
Photographs and Sketching: Prior to the search, photographs of the area should be taken from all angles
for documentation. In addition, a sketch should be made at the crime scene,
highlighting the dimensions of the scene and the locations of the various items of evidence.

B.1. Photographing the Mobile Forensic Evidence

Photographing the device is forensically important for many reasons. Without this, questions could
arise about mobile device validation.

 When a mobile device is located, it should be photographed at the scene as it
was found. This includes its condition, its keyboard and screen, and any noticeable
scratches or other anomalies.
 Before taking close-up photographs, the mobile device or its artifacts should be assigned an
evidence number and evidence tag.
 If the device is on, close-up photographs should include information such as the time and date that
appear on the screen. The screen saver or wallpaper that appears on the screen might provide
information of interest.
 After properly photographing one side of the device, turn the device over to capture details
of the opposite side too.

B.2. Other Items at the Crime Scene

Many items related to a mobile device can be found at a scene. These electronic storage devices and
accessories are essential to your investigation’s overall success.
The other items, along with mobile phones, that are found at a crime scene include:

 Removable USB drives and SD cards: Any USB devices at the crime scene should be collected
for mobile forensic examination. Mobile phones have limited onboard storage, so
removable media such as USB drives and SD cards are used to expand storage space, and useful
information may be saved on them.
 Chargers and USB cables: Sometimes obtaining the power cable and USB cables of
the device can help lower the cost associated with purchasing power cables.
 SIM cards: SIM cards are small chips that connect the phone to the respective network
operator. The portability of SIM cards increases the difficulty of the search. SIM card
portability was one of the features that set GSM (Global System for Mobile Communications)
devices apart from CDMA (Code Division Multiple Access) phones. Old SIM cards
belonging to different mobile devices can also be located and collected during the search.
 Older mobile devices: Often, during a search for a particular device, older devices are
neglected. But older mobile devices can contain critical data that might be relevant to the
current case being investigated.
 Personal computers: Sometimes computers hold backups of and information about a
mobile device. Additionally, conducting a forensic analysis of the computer can also yield
passcodes for the device and synced data such as media, documents, settings, spreadsheets, etc.

C. The Collection, Processing, and Packaging of Mobile Device Evidence

C.1. Prior to Collection
After the device is found, the next step is to collect it. But before packaging the digital evidence,
the following questions should be asked and answered:

 Are there any biological concerns related to the device?
 Will the device need to be analyzed at the scene?
 Is any authentication enabled on the device?
 Are there any power issues with the mobile device?
SIM Card: The location of each card should be recorded along with its integrated circuit card
identifier (ICCID) number, type (standard, micro or nano, as shown next), color, condition, and the
telecom company.
Memory Cards: The location of each card at the scene should be documented along with its size
(512 MB, 32 GB, and so on), type, color, condition, and brand, as shown next. Any numbering on
the exterior must be documented.
Dealing with Power Issues (The Device State): After you locate a mobile device, it is critical that
you determine whether the device is powered on or off and whether or not the device is password
protected.

C.2. Bagging Sensitive Evidence

Electronic devices are packed into special evidence bags. These evidence bags serve two chief
functions, signal blocking and anti-static protection, and protect the mobile device from electrostatic
discharge (ESD).
Each mobile phone and its peripherals, such as memory cards, SD cards, SIM cards, etc., should be
placed in separate anti-static bags.
Paper bags or cardboard are preferred over plastic bags because sealed plastic containers can produce
humidity and condensation, which can damage electronic evidence.
Note: While handling mobile artifacts, collectors should wear gloves, and with artifacts such as
memory cards or SIM cards, collectors should avoid touching the gold contacts.

C.2.1. Types of Bagging Equipment

 Anti-static bags: These bags are usually used for shipping computer parts; they
protect static-sensitive parts from electrostatic discharge (ESD).
 ESD bags with rods: These offer both anti-static and ESD protection. They have rod
beds that let electrostatic discharge travel safely to ground, just like the lightning rods
used on tall buildings. These bags typically have a
mirrored or metallic look, which is due to their aluminum film coating.
 Signal isolation bags: Also called Faraday bags, a handy accessory that shields
the device from cellular signals. However, their ability to protect a networked device from signals has been
challenged by many studies.

C.3. Properly Bagging Mobile Device Evidence

After documenting and photographing the findings, all evidentiary devices or artifacts should be
protected using the following methods:

 Exterior switches: Some mobile devices have exterior toggle switches that turn the sound
on and off or up and down. Cover these switches with evidence tape to maintain their position
at the time of seizure.
 Fingerprints: The device may carry fingerprints. In that case, have the device treated for latent
fingerprints first, then document and photograph the position of the switches.
 USB port: Exterior ports should be covered using evidence tape.
 Headphone port: Headphone jacks should be covered using evidence tape.
 Camera lens: By taping the camera lens with evidence tape, the device is unable to capture
any photos or video after seizure.
 Battery compartment: Nowadays many devices have a built-in, non-removable battery, but
there are also some devices that give access to the battery as well as to the SIM card and
memory card slots. So, in all cases, all the slots and the battery should be taped.

D. Documentation of Evidence: Tags and Labels

The information that must be listed on each evidence bag and box includes, but is not
limited to:

 Date and time of collecting the mobile forensic evidence.
 Item number: A unique value assigned to the seized property.
 Quantity: The number of items of a single item type (for example, micro
USB cables, chargers, and so on).
 Location of collection.
 Property description: This should include serial numbers, the state of the device (on/off and
locked/unlocked), markings, and so on.
 Processing: Whether or not a live acquisition of the mobile device was performed, and where (at
scene/at the lab).
 Owner name (if known).
 Collector’s information (their initials).
 Transporting to (laboratory or storage).
 Special comments (immediate processing, phone on and charging, biohazard, and so on).

E. Transporting Mobile Device Evidence

The transportation of mobile device evidence can be just as vital as proper seizure, bagging
and tagging of the artifacts. The key points to remember while transporting mobile device
evidence are as follows:

 Avoid placing evidence in an area that has recently transported materials containing
caustic fluids or other wet materials.
 Mobile device evidence can be susceptible to shock and vibration, so make certain that the
evidence is secured prior to transport.
 Mobile device evidence can be harmed by electrostatic discharges and magnetic fields
produced by speakers, radios, and large electronics mounted using magnets.
 Electronic evidence ought not to be transported or stored in close proximity to such devices.
 Extreme hot and cold temperatures can damage mobile device evidence, and
prolonged exposure to extreme temperatures must be avoided.
 Electronic evidence must not be placed in a patrol vehicle where the radio transmission
system is installed, because this can be disastrous for electronic evidence. The police
radio transmitter and receiver in a patrol car can create an electromagnetic
field that might destroy useful information on mobile devices.
https://forensicreader.com/mobile-forensic-collection/

These are some of the tools available for mobile forensics. Some are free, while the rest are
paid.

Generic Free Tools

AFLogical OSE
AFLogical OSE is an open source Android forensic app. It is available in APK format and must be
installed beforehand on the Android terminal.
Information is extracted to the SD card (call log, contact list, list of installed applications, text
messages and multimedia), which must subsequently be recovered either by connecting the card to
an external device or through ADB.
Andriller
Andriller is a software utility for the Windows operating system with a collection of forensic tools for
smartphones. It performs read-only, forensically sound, non-destructive acquisition from Android
devices. It has other features, such as powerful lock screen cracking for pattern, PIN code or
password, and custom decoders for app data from Android (and some Apple iOS) databases for
decoding communications.

LiME
LiME is a Loadable Kernel Module (LKM) Linux memory extractor which allows volatile
memory acquisition from Linux and Linux-based devices such as Android. This makes LiME
unique, as it was the first tool to allow full memory captures on Android devices. It also
minimizes interaction between user and kernel space processes during acquisition, which allows
it to produce memory captures that are more forensically sound than those of other tools designed
for Linux memory acquisition.
It supports full Android memory acquisition and acquisition over a network interface.

Specific Free Tools

Android Data Extractor Lite (ADEL)
Android Data Extractor Lite (ADEL) is a tool developed in Python. It allows a forensic flowchart to
be obtained from the databases of the mobile device. Mobile phones must be rooted or have a
custom recovery installed.

WhatsApp Xtract
WhatsApp Xtract allows WhatsApp conversations to be viewed on the computer in a simple and
user-friendly way.
Note: The different databases that store the message information should be obtained
beforehand.

Skype Xtractor
Skype Xtractor for Linux and Windows is a Python tool developed for the forensics distro DEFT
Linux 8. It extracts data from Skype’s main.db, including contacts, chats, calls, file transfers, and
deleted/modified messages from the chatsync databases.
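As an added example, not code from Skype Xtractor or WhatsApp Xtract, the following Python shows the non-destructive way to pull conversations from a copy of such an app database: the copy is opened with SQLite's read-only and immutable URI flags, a SHA-256 taken before and after confirms it was not modified, and messages are returned in timestamp order. The Messages table is a constructed approximation of the Skype main.db layout, with sample rows, so that it runs offline.

```python
"""Pull conversations from a copy of a chat app database without altering it.
Added example, not code from Skype Xtractor or WhatsApp Xtract. The Messages
table is a constructed approximation of the Skype main.db layout (convo_id,
author, from_dispname, timestamp, body_xml) and the rows are sample data.
"""
import hashlib
import os
import sqlite3
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample rows: (convo_id, author, from_dispname, unix time, body_xml)
SAMPLE_ROWS = [
    (1, "alice.sample", "Alice", 1700000000, "are we still meeting?"),
    (1, "bob.sample", "Bob", 1700000060, "yes, 6pm"),
    (2, "alice.sample", "Alice", 1700000500, '<partlist type="started"/>'),
    (1, "bob.sample", "Bob", 1699999000, "earlier message"),
]

def build_sample_main_db(path: str) -> None:
    """Write a small main.db-like file so the example runs offline."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE Messages (id INTEGER PRIMARY KEY, convo_id INTEGER,"
                " author TEXT, from_dispname TEXT, timestamp INTEGER, body_xml TEXT)")
    con.executemany("INSERT INTO Messages (convo_id, author, from_dispname, timestamp,"
                    " body_xml) VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    con.commit()
    con.close()

def file_sha256(path: str) -> str:
    """Hash the evidence copy so its integrity can be shown before and after."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def open_readonly(path: str) -> sqlite3.Connection:
    """Open the evidence copy so SQLite cannot write to it or beside it.

    mode=ro refuses writes; immutable=1 additionally tells SQLite the file
    cannot change, so it takes no locks and creates no -journal/-wal/-shm side
    files next to the copy. Always work on a copy, never the original extraction.
    """
    uri = Path(path).resolve().as_uri() + "?mode=ro&immutable=1"
    return sqlite3.connect(uri, uri=True)

def extract_chats(path: str) -> dict:
    """Return {convo_id: [(utc time, display name, text), ...]} in time order."""
    con = open_readonly(path)
    try:
        rows = con.execute("SELECT convo_id, from_dispname, timestamp, body_xml"
                           " FROM Messages ORDER BY timestamp, id").fetchall()
    finally:
        con.close()
    chats = {}
    for convo_id, name, ts, body in rows:
        when = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%SZ")
        chats.setdefault(convo_id, []).append((when, name, body))
    return chats

def readonly_blocks_writes(path: str) -> bool:
    """Confirm the read-only handle rejects an UPDATE (expected: True)."""
    con = open_readonly(path)
    try:
        con.execute("UPDATE Messages SET body_xml = 'tampered'")
        return False
    except sqlite3.OperationalError:
        return True
    finally:
        con.close()

def demo() -> tuple:
    """Build the sample copy, extract from it and prove it was left unchanged."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "main.db")
        build_sample_main_db(path)
        before = file_sha256(path)
        chats = extract_chats(path)
        blocked = readonly_blocks_writes(path)
        unchanged = file_sha256(path) == before
    return chats, blocked, unchanged

if __name__ == "__main__":
    chats, blocked, unchanged = demo()
    for convo_id, messages in chats.items():
        for when, name, text in messages:
            print(f"[{convo_id}] {when} {name}: {text}")
    print("writes blocked:", blocked, "| copy unchanged:", unchanged)
```

A real extraction is the same three steps on the copied database: hash, open read-only and immutable, query; the timestamp column in the real file is a Unix epoch too, which is why the example converts it to UTC.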
Paid Tools
Cellebrite Touch
Cellebrite Touch is one of the best known and most complete evidence extraction devices. It can work
across 6300 different terminals running the main operating systems. It is also very simple and
intuitive.

EnCase Forensics
EnCase is the shared technology within a suite of digital investigation products by Guidance
Software (now acquired by OpenText). The software comes in several products designed for
forensic, cyber security, security analytics and e-discovery use. EnCase is traditionally used in
forensics to recover evidence from seized hard drives. EnCase allows the investigator to conduct
in-depth analysis of user files to collect evidence such as documents, pictures, internet history and
Windows Registry information.

Oxygen Forensics
Oxygen Forensic is a powerful mobile forensic tool with built-in analytics and a cloud extractor. It is
very easy to use, with a user-friendly interface to search, browse, filter and analyze the extracted
data. It has built-in cloud data recovery using the Oxygen Forensic® Cloud Extractor. It is capable
of obtaining information from more than 10,000 different mobile device models.

MOBILedit
MOBILedit is a platform that works with a variety of phones and smartphones (a complete list of
supported handsets is available on the manufacturer’s website) and explores the contents of the phone
through an MS Outlook-like folder structure. This allows the information stored on the phone to be
backed up to a PC, or copied to another phone via the Phone Copier feature.
MOBILedit connects to cell phone devices via an infrared (IR) port, a Bluetooth link, Wi-Fi, or a
cable interface. After connectivity has been established, the phone model is identified by its
manufacturer, model number and serial number (IMEI), with a corresponding picture of the
phone.
Data acquired from cell phone devices is stored in the .med file format. After a successful logical
acquisition, the following fields are populated with data: subscriber information, device specifics,
Phonebook, SIM Phonebook, Missed Calls, Last Numbers Dialed, Received Calls, Inbox, Sent
Items, Drafts and Files folder. The items present in the Files folder, ranging from graphics files to camera
photos and tones, depend on the phone’s capabilities. Additional features include the
myPhoneSafe.com service, which provides access to the IMEI database to register and check for
stolen phones.
Elcomsoft
Elcomsoft iOS Forensic Toolkit allows physical acquisition on iOS devices such as iPhone,
iPad or iPod. It also includes other utility features, such as deciphering the keychain that
stores user passwords on the analyzed terminal, and logging each action performed during
the whole process to keep a record of it.
Note: To carry out the evidence-gathering process on an Android mobile device, many of the tools
require enabling the “USB debugging” option, preferably the “Stay awake” option, and disabling
any time-out screen lock option. If the terminal has any screen lock option
configured, it is necessary to circumvent it.
https://enosjeba.medium.com/tools-for-mobile-forensics-7517e755ff93
