Douglas Smith | CFDI 450 | July 8, 2015 Mobile Device Forensics CHAMPLAIN COLLEGE
Table of Contents
Abstract ...................................................................................................... 0
Introduction ............................................................................................... 1
The History and Evolution of Mobile Devices ......................................... 3
Legal Challenges Pertaining to Investigations of Mobile Devices and
Digital Evidence ........................................................................................ 8
Technical Challenges Pertaining to Investigations of Mobile Devices
and Digital Evidence ............................................................................... 16
iOS Devices ........................................................................................ 17
Android Devices ................................................................................. 18
Windows Phone and Blackberry Devices .......................................... 19
Types of Artifacts and Data on Various Mobile Devices and Storage
Locations ................................................................................................. 19
iOS Devices ........................................................................................ 20
Android Devices ................................................................................. 21
Windows Phone and Blackberry Devices .......................................... 25
Forensic Concepts and Practices ............................................................. 27
iOS Devices ........................................................................................ 27
Android Devices ................................................................................. 32
Windows Phone and Blackberry Devices .......................................... 33
Third-Party Applications.................................................................... 38
Conclusions ............................................................................................. 39
Works Cited ............................................................................................. 39
Mobile Device Forensics
PAGE 1
1
Abstract
The goal of this document was to research targeted aspects of the forensic practices
involving various mobile devices. Legal obligations that are followed when conducting an
investigation are discussed. Factors such as the rules of search and seizure and admissibility of
evidence in a court of law. There are varying laws depending on the jurisdiction, but they are
consistent in that the admissibility of evidence must meet requirements dictated by the Daubert
challenge. Testimony must establish that the digital evidence has remained under responsible
control of law enforcement through chain of custody and that the evidence is original in nature.
That is, the evidence has not been changed from its original state. Digital evidence must also be
authenticated and should satisfy the Best Evidence Rule. Many technical challenges associated
with mobile forensics were also discovered. One of the biggest challenges has been the diversity
of mobile devices and their operating systems. It is important for a forensic examiner to have a
solid understanding of the various devices’ functionality, file systems, operating systems, and
encryption algorithms. An in depth explanation of the challenges associated with mobile phone
encryption and security, and the workarounds for retrieving artifacts from these devices is
discussed.
Introduction
Mobile devices have come a long way since being first introduced. They have evolved
from being mobile devices for sending and receiving calls, to fully functional computers or
“smartphones”. There are legal parameters that an examiner is obligated to abide by when
conducting an investigation involving a mobile device. It is important for an investigator to
follow the rules of Search and Seizure. There are varying laws depending on the jurisdiction that
the case resides, but they are consistent in that the admissibility of evidence in a court of law
must meet certain requirements dictated by the Daubert challenge. Testimony must also establish
that the digital evidence is original in nature. That is, the evidence has not been altered from its
original state. Any digital evidence presented must also be authenticated and should satisfy the
Best Evidence Rule. All data extraction methods, whether it be a physical or logical extraction,
should be tested, validated, and well documented to ensure the integrity of the evidence. In
addition to the legal challenges associated with conducting an investigation involving a mobile
device, there are many trending technical challenges that an examiner will face. Mobile devices
and their associated operating systems have become very diverse. No longer are they only used
for telephony communication. Modern smartphones have many of the capabilities that a
standalone desktop computer has. The types of data that can be found on these devices vary from
not only call logs and contacts lists, but to email, SMS text messages, media, web browsing
activity, network information, GPS data, social networking data, and much more. Third party
applications installed on mobile devices can also contain a vast amount of information and can
even change where data is stored. Therefore, it is important for a forensic examiner to have a
solid understanding of the various devices’ functionality, file systems, operating systems, and
encryption algorithms. Many cloud based services are available for mobile platforms which can
also have a lot of relevant data stored on them. Accessing cloud based servers also has legal
parameters that an examiner must abide by in an investigation. There are several phases of an
investigation from obtaining a valid search warrant, which dictates the scope of the search and
seizure, to presenting processed evidence in a court of law. Maintaining forensic soundness
throughout each phase is necessary in meeting the legal and technical challenges associated.
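The integrity requirement stated above (the evidence must remain unchanged from its original state, and extraction methods must be tested and documented) can be shown concretely in code. The following is an added example, not part of this paper or of any source it cites: it hashes an acquired artifact, opens it read-only and immutable so the examination itself cannot alter it, re-hashes it afterwards, and records every step in a chain-of-custody log. The database layout (modelled loosely on an Android SMS store), the phone numbers, the examiner name and the timestamps are all constructed assumptions for illustration.

```python
# Added example (not from the paper): verify an acquired artifact's integrity
# before and after examination, read it without modifying it, and record the
# steps in a chain-of-custody log. All data here is constructed in a temp dir.
import hashlib
import json
import os
import sqlite3
import tempfile
from datetime import datetime, timezone

EXAMINER = "Examiner Placeholder"  # placeholder name written into the log


def sha256_file(path):
    """Stream the file through SHA-256 so large images need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_sample_sms_db(path):
    """Constructed sample: a minimal table shaped like an Android 'sms' table.
    Column names and the type codes (1 = received, 2 = sent) are assumptions."""
    con = sqlite3.connect(path)
    con.execute(
        "CREATE TABLE sms (_id INTEGER PRIMARY KEY, address TEXT, "
        "date INTEGER, type INTEGER, body TEXT)"
    )
    con.executemany(
        "INSERT INTO sms (address, date, type, body) VALUES (?, ?, ?, ?)",
        [
            ("+15555550100", 1436356800000, 1, "meeting moved to 9"),  # ms since epoch
            ("+15555550101", 1436360400000, 2, "ok, on my way"),
        ],
    )
    con.commit()
    con.close()


def read_sms_readonly(path):
    """Open the database read-only and immutable so SQLite never creates a
    journal or WAL file beside the evidence, then decode the rows."""
    con = sqlite3.connect(f"file:{path}?mode=ro&immutable=1", uri=True)
    try:
        rows = con.execute(
            "SELECT _id, address, date, type, body FROM sms ORDER BY date"
        ).fetchall()
    finally:
        con.close()
    kinds = {1: "received", 2: "sent"}
    return [
        {
            "id": r[0],
            "address": r[1],
            "timestamp_utc": datetime.fromtimestamp(r[2] / 1000, tz=timezone.utc)
            .strftime("%Y-%m-%d %H:%M:%S"),
            "direction": kinds.get(r[3], f"unknown({r[3]})"),
            "body": r[4],
        }
        for r in rows
    ]


def examine(path, acquisition_hash, log):
    """Verify the working copy matches the acquisition hash, extract, then
    re-hash to show the evidence is unchanged. Every step is logged."""
    def entry(action, value):
        log.append({"time": datetime.now(timezone.utc).isoformat(),
                    "examiner": EXAMINER, "action": action, "value": value})

    before = sha256_file(path)
    entry("verify_before", before)
    if before != acquisition_hash:
        raise ValueError("working copy does not match acquisition hash")
    messages = read_sms_readonly(path)
    entry("extract_sms", f"{len(messages)} rows")
    after = sha256_file(path)
    entry("verify_after", after)
    return {"messages": messages, "unchanged": before == after}


def demo():
    """Run the whole flow against the constructed sample; returns result and log."""
    with tempfile.TemporaryDirectory() as workdir:
        db = os.path.join(workdir, "mmssms.db")
        build_sample_sms_db(db)
        acquisition_hash = sha256_file(db)  # the hash recorded at acquisition time
        log = []
        result = examine(db, acquisition_hash, log)
        result["log"] = log
        result["acquisition_hash"] = acquisition_hash
        return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The hash comparison before and after the read is what lets an examiner testify that the artifact is original in nature; the `immutable=1` URI flag is the detail that makes the claim true for SQLite stores, since a plain read-only open can still trigger journal recovery on some files.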
The History and Evolution of Mobile Devices
Tim Brookes, writer for the “Make Use Of” newsletter, does well to describe the history
and evolution of mobile devices by saying, “Mobile phones evolved over five different
generations…” (Brookes, 2012). In the beginning, or the pre-standardization generation (0G),
mobile devices used a half-duplex system that required the caller to release a button to hear the
recipient speak. According to Brookes, it was introduced by AT&T in 1947 and it was known as
“Mobile Telephone Service” (MTS). MTS relied on an operator that would connect the incoming
and outgoing calls. In 1965, AT&T introduced “Improved Mobile Telephone Service” (IMTS),
which featured user dialing and removed the necessity for a third-person operator. This however,
according to Brookes, was still only mobile telephony (analog) and the amount of subscribers
was limited. It wasn’t until 1977 that the first generation (1G) of cellular networks emerged. It
involved the use of multiple cellular towers that were connected via networks. Brookes states
that the first was built in Chicago (Brookes, 2012). The towers allowed users to travel and
maintain communication by switching cellular towers. In the early 1990s, the second generation
(2G) mobile network was introduced. In this era, the European GSM standard and the North
American CDMA standard were born. 2G utilized digital signaling for transmissions, rather than
analog as its predecessors utilized. Demand for mobile communication grew and as a result,
more cellular towers were built. Improvements in device hardware were also made such as
battery life and internal components. According to Brookes, these improvements allowed for the
manufacture of smaller mobile devices (Brookes, 2012). Other advancements included the
introduction of SMS (text) messaging, media content, and the ability to be used as a method of
payment. Brookes explains that in 1999, the first mobile internet service for the 2G network was
introduced by NTT DoCoMo, but was replaced by the launch of the 3G network in October of
2001 (Brookes, 2012). The internet service for the 2G network suffered from low bandwidth
speeds. The 3G technology addressed this with an average of 2Mbps and eventually offered up to
14 Mbps. Transmission services such as television and radio broadcasts were made possible. In
2009, the fourth generation (4G) was introduced. 4G eliminated circuit switching, implemented
the use of IP networks, as well as LAN and WAN technologies, while having a major speed
advantage over the 3G technologies. Brookes does well to describe the use of the 4G network by
stating, “4G marks the switch to native IP networks, bringing mobile internet more in-line with
wired home internet connections.” (Brookes, 2012).
With the evolution of the cellular network, mobile devices’ functionality evolved from
having simple telephony capabilities, to fully functional computing capabilities. According to
Rob Wright, a writer for CRN Tech News, the first device that was considered a “smartphone”
was IBM’s Simon Personal Communicator (Wright, 2013). IBM’s Simon consisted of a 4.5 inch
monochrome touchscreen, a stylus, and a charging base station. The battery, according to Wright,
would hold a charge of just one hour (Wright, 2013). It contained 1 MB of memory and 1 MB of
storage. Despite the Simon’s lack of memory and data storage, it was capable of sending and
receiving email and fax.
In 1996, Nokia introduced the Nokia 9000 Communicator. It was the first smartphone that
featured a QWERTY keyboard. In addition, it had a monochrome display and a more efficient
battery lifespan of 3 hours. The smartphone came with 8 MB of memory, but no storage. The
device was able to send and receive email, fax, and had web browsing, word processing, and
spreadsheet capabilities.
Five years later, the Palm Kyocera 6035 became the “first modern, mass-marketed smartphone.”
(Wright, 2013). It featured a flip screen with dial pad, 8 MB of memory but no storage, and ran
the Palm 3.5 operating system. It had web browsing and email capabilities, an address book,
scheduler, memo pad, and voice recorder. The Kyocera introduced the idea of installable
software and applications for mobile devices.
[Sidebar: IBM Simon (1993). Dimensions: 8” x 2.5” x 1.5” thick; Weight: 18 ounces; Processor: 16 MHz Vadem processor; Memory: 1 MB; Storage: 1 MB; Battery Life: 1 hour. Courtesy of CRN Tech News]
[Sidebar: Nokia 9000 Communicator (1996). Dimensions: 6.8” x 2.5” x 1.5” thick; Weight: 14 ounces; Processor: 24 MHz Intel 386EX processor; Memory: 8 MB; Storage: none; Battery Life: 3 hours. Courtesy of CRN Tech News]
In 2003, Blackberry introduced the Blackberry 6210. It featured everything that the Palm offered
two years prior, as well as a QWERTY keyboard and 16 MB of data storage. Perhaps the most
noticeable improvements from its predecessor are its size and processor. The Blackberry 6210
featured a 75-100 MHz ARM7EJ-S core processor.
In 2007, Apple unveiled the first generation iPhone. It featured a touchscreen that would become
popular among users. Wright does well in describing the iPhone as a milestone among
smartphones when he explains that the iPhone had set a, “trend that would require faster
processors, more memory, and higher storage capacity.” (Wright, 2013). The first generation
iPhone featured a 412 MHz ARM processor, 128 MB of memory, and options of either 4, 8, or
16 GB of storage. It was small and lightweight, had a significantly improved battery life, a
camera, and offered the same capabilities as a standalone desktop computer.
[Sidebar: Palm Kyocera 6035 (2001). Dimensions: 5.6” x 2.5” x .86” thick; Weight: 7.34 ounces; Processor: 33 MHz Freescale Dragonball processor; Memory: 8 MB; Storage: none; Battery Life: 5 hours. Courtesy of CRN Tech News]
[Sidebar: Blackberry 6210 (2003). Dimensions: 4.4” x 2.9” x .80” thick; Weight: 7.34 ounces; Processor: 75-100 MHz ARM7EJ-S Core processor; Memory: 2 MB; Storage: 16 MB; Battery Life: 5 hours. Courtesy of CRN Tech News]
After Apple’s release of the iPhone, many other smartphones were released raising the bar for
desired technical specifications in mobile devices. In 2011, LG released their Optimus X2. This
was the first smartphone to feature a dual-core processor. It also featured 512 MB of memory,
and supported 1080p HD video playback.
The release of the Samsung Galaxy S4 in 2013 marked the first release of a smartphone that
featured an octa-core processor. The S4 also featured 2 GB of memory, and had the options of
either 16, 32, or 64 GB of storage. Wright compares the S4 to modern laptops and states that the
specs are comparable (Wright, 2013).
[Sidebar: Apple iPhone (2007). Dimensions: 4.5” x 2.4” x .46” thick; Weight: 4.75 ounces; Processor: 412 MHz Samsung RISC ARM processor; Memory: 128 MB; Storage: 4, 8, or 16 GB; Battery Life: 8 hours. Courtesy of CRN Tech News]
[Sidebar: LG Optimus X2 (2011). Dimensions: 4.88” x 2.49” x .43” thick; Weight: 4.9 ounces; Processor: 1 GHz Nvidia Tegra 2 (dual-core) processor; Memory: 512 MB; Storage: 8 GB; Battery Life: 8 hours. Courtesy of CRN Tech News]
From a forensic point of view, the vast diversity of mobile devices has created many challenges
for examiners. It is important for a forensic examiner to have a solid understanding of the various
devices’ hardware, functionality, file systems, operating systems, and encryption algorithms.
There are both legal obligations and technical challenges associated with investigations
involving mobile devices.
Legal Challenges Pertaining to Investigations of
Mobile Devices and Digital Evidence
It is essential for prosecutors and law enforcement to understand how to lawfully obtain
electronic evidence, and understand the legal issues that can arise during an investigation. There
are two primary sources of law that govern the processes associated with digital evidence in a
criminal investigation. The first is the Fourth Amendment to the U.S. Constitution, and the
second is the statutory privacy laws codified at 18 U.S.C. §§ 2510-22 (The Wiretap
Act), 18 U.S.C. §§ 2701-12, and 18 U.S.C. §§ 3121-27.
Under the Fourth Amendment, the ability to search and seize evidence without a warrant
is limited. This also applies to electronic evidence. In the Department of Justice Manual,
[Sidebar: Samsung Galaxy S4 (2013). Dimensions: 5.38” x 2.75” x .31” thick; Weight: 4.6 ounces; Processor: 1 GHz Nvidia Tegra 2 (dual-core) processor; Memory: 2 GB; Storage: 16, 32, or 64 GB; Battery Life: 8 hours. Courtesy of CRN Tech News]
“Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal
Investigations,” by Marshall Jarrett, Michael Bailie, Ed Hagen, and Nathan Judish, the authors
explain the Supreme Court’s ruling: “A ‘seizure’ of property occurs when there is some
meaningful interference with an individual’s possessory interests in that property, United States
v. Jacobsen, 466 U.S. 109, 113 (1984). The Court has also characterized the interception of
intangible communications as a seizure. See Berger v. New York, 388 U.S. 41, 59-60 (1967).
Furthermore, the Court has held that a ‘search’ occurs when an expectation of privacy that
society is prepared to consider reasonable is infringed. Jacobsen, 466 U.S. at 113. If the
government’s conduct does not violate a person’s ‘reasonable expectation of privacy,’ then
formally it does not constitute a Fourth Amendment ‘search’ and no warrant is required. See
Illinois v. Andreas, 463 U.S. 765, 771 (1983). In addition, a warrantless search that violates a
person’s reasonable expectation of privacy will nonetheless be constitutional if it falls within an
established exception to the warrant requirement. See Illinois v. Rodriguez, 497 U.S. 177, 185-86
(1990).” (Jarrett, Bailie, Hagen, & Judish, 2015. Page 1) With the Supreme Court’s ruling
considered, an investigator needs to determine if the search will violate a reasonable expectation
of privacy (REP). If it does, the investigator should then determine if an exception to the warrant
requirement exists, rendering the search permissible despite violating REP. In terms of electronic
evidence, computers and electronic media such as mobile devices should be thought of as closed
containers. According to Jarrett, “courts have analogized the expectation of privacy in a
computer to the expectation of privacy in closed containers such as suitcases, footlockers, or
briefcases. Because individuals generally retain a reasonable expectation of privacy in the
contents of closed containers, see United States v. Ross, 456 U.S. 798, 822-23 (1982), they also
generally retain a reasonable expectation of privacy in data held within electronic storage
devices.” (Jarrett, Bailie, Hagen, & Judish, 2015. Page 3) Therefore, the owner has a reasonable
expectation of privacy in the information contained in said devices and the investigator is
obligated to either obtain a valid search warrant, or determine if there is an exception to the
search warrant requirement. The inconsistencies associated with the exceptions to the search
warrant requirement are also a prevalent legal challenge.
There are numerous exceptions to the search warrant requirement. If a person with
authority, the owner of the electronic device for instance, has voluntarily given his or her consent
to search the device, then law enforcement may search that device without a warrant, see
Schneckloth v. Bustamonte, 412 U.S. 218, 219 (1973). The government however, must prove that
consent was voluntary, see United States v. Matlock, 415 U.S. 164, 177 (1974); Buckner, 473
F.3d at 554.
The second exception to the search warrant requirement is exigent circumstances. For
exigent circumstances to be used as reason for a warrantless search, the evidence must be in
imminent danger of being destroyed, a threat to the police or public must be present, the police
must be in “hot pursuit” of a suspect, or the suspect is likely to flee before the officer can obtain
a search warrant. Jarrett does well to describe exigent circumstances by referencing the following
cases, “Georgia v. Randolph, 547 U.S. 103, 117 n.6 (2006) (collecting cases); Brigham City v.
Stuart, 547 U.S. 398, 403-06 (2006) (police appropriately entered house to stop assault when
occupants did not respond to the officers’ verbal directions); Illinois v. McArthur, 531 U.S. 326,
331-33 (2001) (police appropriately seized house for two hours while warrant was obtained);
Cupp v. Murphy, 412 U.S. 291, 294-96 (1973) (murder suspect was temporarily seized and his
fingernails scraped to prevent destruction of evidence).” (Jarrett, Bailie, Hagen, & Judish, 2015.
Page 28). Exigent circumstances often arise in cases involving digital evidence due to the fact
that electronic data is perishable. Factors such as moisture, high temperature, and physical
destruction of hardware can destroy electronic evidence. There are also powerful encryption
algorithms that can be put into place very easily that will ultimately make evidence unobtainable
by law enforcement. These factors will be discussed in further detail under the technical
challenges section.
Another exception to the search warrant requirement is search incident to a lawful arrest.
Under this exception, law enforcement agents may conduct a full search of the person that is
under arrest, as well as his or her immediate area. Courts have consistently agreed that this
exception to a search warrant applies to mobile electronic devices as well. More specifically,
Brookes, 2005 WL 1940124, at *3 compares a pager and cell phone to a wallet and address book.
In Cote, 2005 WL 1323343, at *6, a valid search of a cell phone two and a half hours after a
lawful arrest was upheld as an exception to the search warrant requirement. There have been
cases however, where the courts ruled that searches of cell phones are not valid under the search
incident to a lawful arrest. In United States v. Chadwick, the suspect’s cell phone was searched
one and a half hours after arrest. The court analogized the cell phone to a footlocker and ruled
that law enforcement had not obtained a warrant to open the “footlocker.” The synopsis of the
rule of law was that once the property, in this case the cell phone, cannot be accessed by the
arrestee, it cannot be searched without a warrant.
Another exception to the search warrant requirement is the plain view exception. In terms
of electronic evidence, Jarrett explains that the most common use of this exception occurs when
an investigator is examining electronic media pursuant to a valid search warrant, and finds
evidence of a crime unaffiliated with the crime being investigated. In this scenario, the evidence
of the new crime can be seized and admissible under the Plain View doctrine. However, it has
also been ruled that the Plain View doctrine is not grounds to open individual files that are not
associated with the crime being investigated, see United States v. Carey, 172 F.3d 1268. For
instance, the examiner may see files labeled “child_pornography”, while investigating a murder
case. Jarrett explains that in “United States v. Runyan, 275 F.3d 449, 464-65 (5th Cir. 2001), and
United States v. Slanina, 283 F.3d 670, 680 (5th Cir. 2002), vacated on other grounds, 537 U.S.
802 (2002), aff’d, 359 F.3d 356, 358 (5th Cir. 2004), suggest that plain view of a single file on a
computer or storage device could provide a basis for a more extensive search.” (Jarrett, Bailie,
Hagen, & Judish, 2015. Page 35). So, in the case that the examiner came across those files
labeled “child_pornography”, a new search warrant would be applied for with the goal of
expanding the scope of search. Jarrett also explains that “the plain view doctrine arises frequently
in the search warrant context because it is usually necessary to review all files on a computer to
find evidence that falls within the scope of a warrant.” (Jarrett, Bailie, Hagen, & Judish, 2015.
Page 79) In United States v. Adjani, 452 F.3d 1140, 1150 (9th Cir. 2006), the court explained
that, “[c]omputer files are easy to disguise or rename, and were we to limit the warrant to such a
specific search protocol [e.g., key word searches], much evidence could escape discovery simply
because of [the defendants’] labeling of the files.” So again, examiners might find evidence of
other crimes when searching an electronic device for evidence pursuant to a valid search warrant,
and will be able to seize it under the plain view doctrine. It is worth noting however, that court
rulings can be inconsistent in regards to expanding a search. Therefore, it is good practice to
obtain a new search warrant for evidence of the additional crime.
Another legal challenge that has risen in terms of obtaining electronic evidence pursuant
to a Fourth Amendment search, is whether an electronic device should be classified as a single
closed container, or if each file on that device should be thought of as a separate closed
container. In the case United States v. Runyan, private parties had searched for certain files on
the suspect’s electronic device and found evidence of child pornography. The court ruled that the
police did not exceed the scope of the private search when they had examined other files,
because they had been previously searched by a private party, see United States v. Runyan, 275
F.3d 449, 464-65 (5th Cir. 2001). However, in some cases it has been ruled that these searches
exceed the scope of the relevant search warrants. The ruling in the case United States v. Carey,
stated that the investigator “exceeded the scope of a warrant to search for evidence of drug sales
when he “abandoned that search” and instead searched for evidence of child pornography for
five hours.” See United States v. Carey, 172 F.3d 1268, 1273-75 (10th Cir. 1999). Jarrett
explains that, in the case United States v. Walser, 275 F.3d 981, 986 (10th Cir. 2001), the court
ruled that, “[b]ecause computers can hold so much information touching on many different areas
of a person’s life, there is greater potential for the ‘intermingling’ of documents and a consequent
invasion of privacy when police execute a search for evidence on a computer.” (Jarrett, Bailie,
Hagen, & Judish, 2015. Page 5).
As defined at the beginning of this section, the second primary source of law for
governing the processes associated with digital evidence, are the statutory laws codified at 18
U.S.C. §§ 2510-22 (The Wiretap Act), 18 U.S.C. §§ 2701-12, and 18 U.S.C. §§ 3121-27. Agents
and prosecutors that violate these laws can be subject to criminal penalties, civil liability, and
evidence obtained can be subject to suppression. Therefore, it is very important for investigators
to comply with these laws as well. The Wiretap Act governs how electronic surveillance of
communications content is conducted. It also broadly prohibits the interception of “oral
communications” (telephone conversations), “wire communications” (aural or human voice
transfer, sent via wire, cable, or other similar connection), and “electronic communications”
(other communications including any transfer of signs, signals, writing, images, data, internet
communication, transferred by wire, radio, electronic system). As for investigations involving
digital evidence, the electronic communications category has been most relevant. There have
been many inconsistencies when determining what is and is not electronic communication. In the
case United States v. Herring, it was ruled that “As a rule, a communication is an electronic
communication if it is neither carried by sound waves nor can fairly be characterized as one
containing the human voice (carried in part by wire).” However in the case United States v.
Ropp, the defendant had placed hardware between the victim’s computer and keyboard for the
purpose of recording transmissions between the two. The court ruled that these were not
electronic communications because they were merely preparations of communication. They were
not actually being sent at the point of interception. Due to litigation inconsistencies, it is
important for investigators to comply with the statutory laws and understand what is meant by
“interception”. The term “intercept”, in its application to these statutory laws, is defined by 18
U.S.C. § 2510(4) as, “the aural or other acquisition of the contents of any wire, electronic, or oral
communication through the use of any electronic, mechanical, or other device.” This is important
knowledge for an investigator when considering compliance with statutory law. Jarrett explains
that most courts tend to rule that electronic communications can only be “intercepted” when they
are acquired during transmission. To further support that ruling, in Steve Jackson Games, Inc. v.
United States Secret Service, it was ruled that if an individual gains access to a stored copy of the
communication, then it is not considered an “interception” as defined in the statutory law.
Jurisdictional law is also important when considering the admissibility of evidence. Many
states still apply the Frye test, which allows scientific techniques used in an investigation to be
admitted in court if the process is generally accepted within the relevant scientific community.
However, the law in regard to expert testimony is continuously evolving, and many jurisdictions,
including federal, have adopted the Daubert test. According to the special report, “Digital
Evidence in the Courtroom: A Guide for Law Enforcement and Prosecutors”, by Alberto
Gonzales, Regina Schofield, and David Hagy, the Daubert test is, “a test where the trial judge
determines the admissibility of expert opinion testimony based on its relevance and the reliability
of the underlying scientific techniques. The U.S. Supreme Court suggested that whether
scientific expert opinion evidence will be helpful to the trier of fact may turn on whether: (1) the
scientific technique can be— and has been—tested; (2) the technique has been subjected to peer
review and publication; (3) there is a known or potential rate of error; and (4) the technique has
been generally accepted by the relevant scientific community.” (Gonzales, Schofield, & Hagy,
2015. Page 37). With this in mind, the investigator needs to have all data extraction methods
regularly tested, validated, and well documented.
There are many legal obligations and considerations when conducting an investigation
involving digital evidence. As a result, it is essential for prosecutors and law enforcement to
understand how to lawfully obtain electronic evidence, and understand the legal issues that can
arise during an investigation. In addition to consideration for the legal ramifications in an
investigation involving digital evidence, especially that of “smartphones”, an investigator will
also be faced with many technical challenges.
Technical Challenges Pertaining to
Investigations of Mobile Devices and Digital
Evidence
As stated earlier, the wide variety of mobile devices and operating systems has resulted in
a significant challenge for forensic examiners. The fact that these mobile devices can be
password-protected and/or encrypted raises an entirely new level of concern in regard to
conducting a forensic analysis. Retrieving data from prepaid phones is also a great challenge
because once their port is disabled, it cannot be enabled again. The vendors of these phones
do not make the devices’ APIs available, which is the normal mode in which extractions are conducted.
Mobile device applications are very diverse and forensic software support for them is limited.
Some applications will even change the default storage location of certain data. Physical
extraction of these applications’ data requires more decoding and file system reconstruction,
which can be hard to do when trying to avoid deleting any data. The authors of this article
explain that boot loaders are the most forensically sound physical data extraction method, one
reason being that the extraction they enable is read-only. However, boot loader use is not supported
with some smartphones, mainly Android devices. This leaves the option of rooting these devices
for the purpose of obtaining a physical data extraction. That process is not forensically sound,
which makes documentation and process very important. Locked smartphone data extraction is
still relatively unsupported, which makes methods such as Flasher box, JTAG, or chip-off
necessary. These methods of extraction are targeted and device-specific, which means that the
examiner must be well trained. As smartphones continue to evolve, so will the challenges
associated with forensic examination. Many of the analysis skills will continue to be necessary to
address these technical challenges. The forensic concepts and practices are discussed in a later
section of this document.
iOS Devices
As a forensic examiner, it is important to understand the components of the iOS device
being examined and how they work. Gaining an understanding of the device at hand will help
during the analysis process. Not only is it essential, but according to the textbook, “Practical
Mobile Forensics” by Satish Bommisetty, Rohit Tamma, and Heather Mahalik, it is “necessary
to know the different models that exist and their internals” (Bommisetty, Tamma, & Mahalik,
2014. Page 28), before conducting an investigation on an iOS device. Once a solid understanding
of the iOS device is gained, the examiner should know what items of ‘potential’ evidentiary
value can be found as well as where those items can be found. Once the examiner knows what
type of evidence they are looking for and where that evidence is located, the question becomes
‘how’ the examiner gets that information. So, in addition to understanding the internals of the
iOS device, knowing what kind of data can be acquired, where it can be acquired, and how it can
be acquired is necessary for a successful examination. As previously mentioned, the encryption
algorithms on mobile devices have become very secure and, from a forensic standpoint, have
raised significant challenges. Using the iPhone as an example, the passcode extraction process
allows the extraction and decryption of all data, including protected files. However,
passcode extraction and bypass are not yet supported by forensic software on newer versions of
the iPhone due to Apple’s improved security measures. On newer iPhones with complex
passcodes, an investigator needs to have the passcode itself to retrieve this data. Keychains, which are
vaults that store passwords on these devices, are encrypted but may be possible to decrypt using
certain forensic tools.
Android Devices
Android is the most popular mobile phone operating system. It is a Linux based operating
system developed by Google and is open-source. The fact that it is open-source has resulted in a
wide variety of hardware devices that use it which has created many challenges from a forensic
perspective. As a forensic examiner, it is important to understand the customized versions of the
Linux file hierarchy and SQL databases that Android utilizes, as well as how to access them and
where certain artifacts might be located. There are a number of methods and tools that can be
used for data extraction of an Android device. However, it is important for the examiner to first
not only understand the Android OS, but to also understand the process behind the method or
extraction tool being used. Android mobile devices are also difficult to retrieve data from if
security measures are in place. Android has a debug utility, which must be enabled if the
examiner has any hope of rooting the device. However, there are alternatives to retrieving the
passcode such as data carving the PIN lock, but this requires a certain level of expertise. Third-
party applications have become commonplace among smartphone users, especially those with
Android. Where and how data is stored for these applications can be modified and can even
prevent some data from being retrieved. Therefore, it is important that the examiner manually
analyze the data for these applications. Due to the vast array of different Android devices, there
are many different configurations resulting in a very challenging task in terms of Android
forensics. Android is currently the most popular operating system on mobile devices. According
to OpenSignal, there were 18,796 different types of Android devices in 2014. (OpenSignal, 2014.
Paragraph 3). The Android OS uses the Linux kernel, which has allowed for the development of
several different versions of the Android operating system. Carriers have also taken advantage of
the Android design being based on the Linux kernel by compiling their own software and using
their own hardware with their Android devices. Android phones can be easily rooted, allowing
anyone to write to the operating system. All of these factors result in many different
configurations in use by Android devices which means that, as a forensic examiner, more than
one tool will be needed to extract and analyze data on these devices. While one tool might
successfully extract data from one Android device, it could fail on another device.
Windows Phone and Blackberry Devices
Perhaps one of the most difficult parts of an investigation involving a Windows Phone is
gaining access to the device, acquiring the data on that device, and extracting the raw files/data
for analysis. There are a number of tools, methods, and techniques that can be utilized in order to
achieve these tasks. For Blackberry devices, the tools and techniques used for data extraction on
other mobile device platforms generally will not work. The most successful data extraction of
Blackberry devices has usually come from its file system image or its backup file. Acquisition
methods and forensic practices for devices will be discussed in a later section of this document.
Similar to investigations involving Windows phones and other mobile device platforms, it is
important for the examiner to have an understanding of the Blackberry operating system in order
to conduct a successful analysis of its contents.
Types of Artifacts and Data on Various Mobile Devices and Storage Locations
There are many different types of data on the various mobile device platforms that may
be of evidentiary value. In this section, they are identified with their respective locations and
type of device.
iOS Devices
Once a solid understanding of the iOS device is gained, the examiner should know what
items of ‘potential’ evidentiary value can be found as well as where those items can be found.
So, the first step would be to know what it is that you are looking for. In most cases, the search
warrant (where applicable) specifies what is needed and what should be searched. The iOS
device uses SQLite databases for storing data which are forensic treasure chests in terms of
evidence. Applications such as “Contacts”, “Phone”, “Messages”, “Mail”, “Calendar”, and
“Notes” all store data using SQLite databases and have file extensions of .sqlitedb or .db. A great deal
of potential evidence can be found in these .sqlitedb files, such as call logs, SMS messages,
Email, pictures, web history, et cetera. According to the textbook “Practical Mobile Forensics”,
by Satish Bommisetty, Rohit Tamma, and Heather Mahalik, “The address book database is a
HomeDomain file and can be found at private/var/mobile/Library/AddressBook/AddressBook.sqlitedb.”
(Bommisetty, Tamma, &
Mahalik, 2014. Page 96). The file itself (AddressBook.sqlitedb) contains data on each contact
such as name, organization, and notes entered by the device owner. Other data from the file
consists of e-mail addresses, website URLs, phone numbers, and images associated with specific
contacts. However, it should be noted that if there are any third-party applications installed then
some of the data in the folders will need to be examined manually to be sure that a contact is not
overlooked. The examiner can also see who the device owner has been in contact with by
examining the call history. The call history .db files (call_history.db) will show phone and
Facetime calls that were made, missed, and received. The .db files also contain metadata that the
examiner can use to determine call duration and the date and time of the call. Much like the call
history, the SMS messages .db file shows text messages that were sent and received as well as their
respective metadata. Safari is the default web browser used on iOS devices. The browser also
utilizes SQLite databases and evidence such as web caches (visited URLs along with their
timestamps) and bookmarks saved by the device owner can be found by examining this database.
The metadata of the photos that are in the device’s photo album can also provide valuable
evidence. Every time a picture is taken using the device, EXIF (Exchangeable Image File
Format) data is also recorded. The EXIF data includes “date, time, camera settings, and possible
copyright information” pertaining to the device’s camera and the image itself (How-To Geek,
2015. Paragraph 2). This is great information in terms of showing where the owner of the device
was at the time the picture was taken.
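To make the EXIF discussion concrete, here is an added example that is not code from the paper or from the textbook it cites. It constructs a minimal JPEG whose APP1 segment carries an Exif/TIFF IFD0, then parses the ASCII tags (Make, Model, DateTime, Copyright) back out of it. The tag numbers are the standard TIFF/Exif ones; the camera name, date and copyright string are made-up sample values. The GPS sub-IFD (referenced by tag 0x8825), where location data is stored, is deliberately not parsed here.

```python
import struct

# Standard TIFF/Exif IFD0 tag numbers for the ASCII fields this example decodes.
TAG_NAMES = {
    0x010F: "Make",
    0x0110: "Model",
    0x0131: "Software",
    0x0132: "DateTime",
    0x8298: "Copyright",
}
ASCII = 2  # TIFF field type: NUL-terminated ASCII string


def build_sample_jpeg(fields):
    """Construct a tiny JPEG (SOI, APP1/Exif, EOI, no image data) whose IFD0
    holds the given {tag: string} entries, little-endian ('II'). Test data only."""
    n = len(fields)
    data_start = 8 + 2 + 12 * n + 4  # TIFF header + count + entries + next-IFD pointer
    ifd = struct.pack("<H", n)
    data = b""
    for tag, value in sorted(fields.items()):  # Exif requires ascending tag order
        raw = value.encode("ascii") + b"\x00"
        if len(raw) <= 4:  # short values are stored inline in the 4-byte value field
            ifd += struct.pack("<HHI4s", tag, ASCII, len(raw), raw.ljust(4, b"\x00"))
        else:  # longer values live in the data area and are referenced by offset
            ifd += struct.pack("<HHII", tag, ASCII, len(raw), data_start + len(data))
            data += raw
    ifd += struct.pack("<I", 0)  # no IFD1 (thumbnail) follows
    tiff = b"II*\x00" + struct.pack("<I", 8) + ifd + data
    payload = b"Exif\x00\x00" + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    return b"\xff\xd8" + app1 + b"\xff\xd9"


def _parse_ifd0_ascii(tiff):
    """Walk IFD0 of a TIFF blob and return its ASCII tags as {name: value}."""
    order = tiff[:2]
    if order == b"II":
        e = "<"
    elif order == b"MM":
        e = ">"
    else:
        raise ValueError("not a TIFF header")
    magic, ifd_off = struct.unpack(e + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic")
    (count,) = struct.unpack(e + "H", tiff[ifd_off:ifd_off + 2])
    out = {}
    for i in range(count):
        off = ifd_off + 2 + 12 * i
        if off + 12 > len(tiff):
            break  # truncated IFD: stop rather than read past the segment
        tag, ftype, n, value_field = struct.unpack(e + "HHI4s", tiff[off:off + 12])
        if ftype != ASCII:
            continue  # only ASCII tags are decoded in this example
        if n <= 4:
            raw = value_field[:n]
        else:
            (data_off,) = struct.unpack(e + "I", value_field)
            raw = tiff[data_off:data_off + n]
        name = TAG_NAMES.get(tag, "0x%04X" % tag)
        out[name] = raw.rstrip(b"\x00").decode("ascii", "replace")
    return out


def parse_exif(jpeg):
    """Locate the APP1/Exif segment of a JPEG and return its IFD0 ASCII tags."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg):
        (marker,) = struct.unpack(">H", jpeg[pos:pos + 2])
        if marker in (0xFFD9, 0xFFDA):  # EOI or start of scan: no more metadata
            break
        (seglen,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        if marker == 0xFFE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00":
            return _parse_ifd0_ascii(jpeg[pos + 10:pos + 2 + seglen])
        pos += 2 + seglen
    return {}


if __name__ == "__main__":
    # Constructed sample values, not from any real device.
    sample = build_sample_jpeg({0x010F: "ACME", 0x0110: "X1",
                                0x0132: "2015:07:08 14:30:00",
                                0x8298: "Constructed sample"})
    print(parse_exif(sample))
```

The builder exercises both storage forms the parser must handle: a value of four bytes or fewer ("X1" plus its NUL) sits inline in the entry, while longer values are written to the data area and referenced by offset. A real camera JPEG also carries an Exif sub-IFD and a GPS sub-IFD, reached through pointer tags in IFD0 with the same entry layout.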
Android Devices
As a forensic examiner of Android devices, it is important to first gain an understanding
of the layers associated with the Android operating system, Android’s use of SQLite databases,
as well as an understanding of the directories associated with the file system. Getting a handle on
these crucial elements will help the examiner to understand what types of data can be found, and
where that data can be located. According to the textbook “Practical Mobile Forensics”, “the
Android OS is built on top of the Linux kernel with some architectural changes made by
Google.” (Bommisetty, Tamma, & Mahalik, 2014. Page 162). The following image illustrates
how the Android operating system is built:
[Figure: Android operating system layers, labelled the Linux kernel layer, Android’s libraries, and the Dalvik virtual machine (DVM); image courtesy of Android App Market]
Each layer performs tasks and provides services to the layers above it. For instance, the Linux
kernel contains the drivers that carry out the instruction to the hardware of the device. The
textbook “Practical Mobile Forensics”, uses the example of clicking the camera button. When
the button is pushed, it sends the instruction to the camera driver which then sends the instruction
to the camera software to take a picture and store it. The layer that contains Android’s libraries
enables the device to read different types of data. The Surface Manager library manages the
display of 2D and 3D graphics from applications, the Media Framework library manages audio
and video recording and playback, the Webkit library deals with rendering web pages in the web
browser (Chrome), and the SQLite library is a database engine that Android uses for storing data,
similar to iOS. (Bommisetty, Tamma, & Mahalik, 2014. Page 162). Data stored on the Android
device from applications is commonly stored in SQLite format also. The SQLite databases are
heavily used by Android and a lot of data can be found within them. For instance, the textbook
“Practical Mobile Forensics” also explains that “SQLite databases can store deleted data within
the database itself.” (Bommisetty, Tamma, & Mahalik, 2014. Page 229). Because of this, an
examiner might be able to recover deleted data such as text messages or contacts from the
unallocated blocks or free blocks of data. Methods on data extraction will be discussed later. The
Application Framework layer contains the blocks of data that the applications interact with
directly. The Activity Manager block manages the activity life/kill cycle of applications. It is also
a good source of information on memory, tasks that have been most recently started or visited,
and running processes. The Telephony Block manages data for voice calls and data such as
messaging services (MMS, SMS, SMS text). According to Maria DeGrazia, a certified computer
forensics examiner, an examiner can find data on text messages (deleted messages as well)
stored in a SQLite database at this location:
(/Root/data/com.android.providers.telephony/databases/mmssms.db) (DeGrazia, 2013.
Paragraph 9). The Content Providers block, within the Application Framework layer, manages
the accessing and sharing of application data. The Resource Manager block, also within the
Application Framework layer, manages the external resources that are required by applications
such as graphics and external strings. The topmost layer of the Android Model is the
Applications layer. It is here that the user is able to interact with the applications on the device
both preinstalled (i.e. SMS client app, Dialer, Web browser, Contact manager) and user-installed.
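The point that SQLite keeps deleted records inside the database file, made above for Android and relevant equally to the iOS .sqlitedb files discussed earlier, is easy to demonstrate. The following Python script is an added example, not code from the paper or the textbook: it builds a constructed call-history style database (the table and column names only loosely follow the iOS call_history.db layout, and the phone numbers are made up), deletes one row without a VACUUM, and then contrasts what a SQL query returns with what a raw scan of the file bytes still finds. PRAGMA secure_delete is set OFF explicitly so the behaviour is the same on every SQLite build; a database whose application enabled secure_delete, or which has been vacuumed, will not retain this residue.

```python
import os
import re
import sqlite3
import tempfile

# Phone-number-shaped strings in raw bytes: optional '+' followed by 7 to 15 digits.
PHONE_RE = re.compile(rb"\+?[0-9]{7,15}")

# Constructed records (not real data): address, unix timestamp, duration (s), flags.
SAMPLE_CALLS = [
    ("+15550001111", 1436313600, 120, 4),
    ("+15550002222", 1436317200, 45, 5),
    ("+15550003333", 1436320800, 0, 8),
]
DELETED_ADDRESS = "+15550002222"


def build_sample_db(path):
    """Create a small call-history style database and delete one row from it."""
    con = sqlite3.connect(path)
    # Explicit so the demo is deterministic: with secure_delete ON, SQLite
    # zeroes freed cells and nothing would be recoverable.
    con.execute("PRAGMA secure_delete = OFF")
    con.execute(
        "CREATE TABLE call (id INTEGER PRIMARY KEY, address TEXT, "
        "date INTEGER, duration INTEGER, flags INTEGER)"
    )
    con.executemany("INSERT INTO call VALUES (NULL, ?, ?, ?, ?)", SAMPLE_CALLS)
    con.commit()
    # A 'user deleted' record: the row disappears from queries, but without a
    # VACUUM its bytes remain in the b-tree page as a free block.
    con.execute("DELETE FROM call WHERE address = ?", (DELETED_ADDRESS,))
    con.commit()
    con.close()


def live_addresses(path):
    """What a normal SQL query sees: only the rows still allocated."""
    con = sqlite3.connect(path)
    try:
        return [row[0] for row in con.execute("SELECT address FROM call ORDER BY date")]
    finally:
        con.close()


def carve_addresses(path):
    """Scan the raw file bytes for phone-number-shaped strings, ignoring the
    b-tree structure entirely, so freed (deleted) cells are included."""
    with open(path, "rb") as fh:
        raw = fh.read()
    return {m.group().decode("ascii") for m in PHONE_RE.finditer(raw)}


def recover_deleted(path):
    """Numbers present in the file but absent from the live table."""
    return carve_addresses(path) - set(live_addresses(path))


def run_demo():
    """Build the sample database in a temp dir; return (live, carved, deleted)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "call_history.db")
        build_sample_db(path)
        return live_addresses(path), carve_addresses(path), recover_deleted(path)


if __name__ == "__main__":
    live, carved, deleted = run_demo()
    print("live rows:        ", live)
    print("carved from bytes:", sorted(carved))
    print("recovered deleted:", sorted(deleted))
```

Carving by string pattern is deliberately structure-blind: it finds residue in free blocks and freelist pages that the SQL layer no longer references, which is why the examiner works on the file image rather than only on query output. The same scan applied to the Android mmssms.db would look for message text rather than numbers.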
As previously stated, the Android operating system is a Linux-based operating system.
Therefore, Android follows the Filesystem Hierarchy Standard (FHS) and everything is located
under the root (/) directory. It helps to understand the file hierarchy if you illustrate it as a tree,
with the root directory at the top. The /boot partition contains the kernel and RAM disk which
are necessary for the device to boot. RAM disk contains valuable data that should be extracted
before the device powers off. The /system partition contains system related files and is needed
for the device to be bootable. The /data partition is a forensic treasure chest. It contains the
user’s data such as contacts, SMS and MMS, email, dialed numbers, settings and data for all the
applications installed on the device. The /cache partition stores logs and data that is frequently
accessed for fast retrieval. This partition should be manually examined because it can contain
data that is no longer located in the /data partition. This partition also holds information
pertaining to “hardware settings, USB settings, and so on.” (Bommisetty, Tamma, & Mahalik,
2014. Page 169). The following image will help to put the partitions in perspective:
An examiner needs to understand the file system on the Android device so that the file systems
that are relevant to an investigation can be identified. Android uses mount points rather than
drive letters as Windows does, so determining which file systems the device supports can be done by
viewing the filesystems file located in the proc directory. From the shell, use the command cat
/proc/filesystems. This command displays (concatenates, hence cat) the contents of the file
“filesystems”, at which point the relevant file system can be mounted. Once mounted, file systems such as
the tmpfs file system can be accessed. The tmpfs file system contains RAM. As stated earlier,
RAM should be examined or extracted before the device reboots.
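As an added example that is not from the paper, here is a small Python parser for the format that cat /proc/filesystems prints, run over constructed sample output (the real list depends on the kernel build of the device). Each line has two tab-separated columns: the first is the word nodev for file systems that need no backing block device (proc, sysfs, tmpfs) and is empty for disk-backed ones (ext4, vfat, f2fs). Separating the two tells an examiner which file systems can hold an imageable partition and which, like tmpfs, live only in RAM and must be captured before the device powers off.

```python
from collections import namedtuple

FileSystem = namedtuple("FileSystem", "name nodev")

# Constructed sample of `cat /proc/filesystems` output on an Android device.
SAMPLE_PROC_FILESYSTEMS = """\
nodev\tsysfs
nodev\trootfs
nodev\tbdev
nodev\tproc
nodev\tcgroup
nodev\ttmpfs
nodev\tdevtmpfs
nodev\tdebugfs
nodev\tsockfs
nodev\tpipefs
nodev\tanon_inodes
nodev\tdevpts
\text3
\text2
\text4
nodev\tramfs
\tvfat
nodev\tfuse
\tfuseblk
nodev\tfusectl
nodev\tselinuxfs
\tf2fs
"""


def parse_proc_filesystems(text):
    """Parse /proc/filesystems content into FileSystem(name, nodev) entries.

    One file system per line, two tab-separated columns: the first column is
    'nodev' when the file system is not backed by a block device (kernel- or
    RAM-backed) and empty otherwise; the second is the file system name.
    """
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        flag, _, name = line.partition("\t")
        if not name:
            raise ValueError("unexpected /proc/filesystems line: %r" % line)
        entries.append(FileSystem(name.strip(), flag.strip() == "nodev"))
    return entries


def block_backed(entries):
    """File systems that can sit on a partition (candidates for imaging)."""
    return [fs.name for fs in entries if not fs.nodev]


def ram_backed(entries):
    """Memory-only file systems whose contents vanish on power-off."""
    volatile = {"tmpfs", "ramfs", "devtmpfs"}
    return [fs.name for fs in entries if fs.nodev and fs.name in volatile]


def supports(entries, name):
    """True if the kernel can mount the named file system type."""
    return any(fs.name == name for fs in entries)


if __name__ == "__main__":
    fs_list = parse_proc_filesystems(SAMPLE_PROC_FILESYSTEMS)
    print("disk-backed:", block_backed(fs_list))
    print("RAM-backed: ", ram_backed(fs_list))
    print("ext4 supported:", supports(fs_list, "ext4"))
```

Knowing that the kernel supports a type (ext4, f2fs) is not the same as knowing which partition uses it; that comes from the device's mount table, but the supported-types list is the first filter an examiner applies before choosing how to mount an image.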
[Figure: Android file hierarchy, image courtesy of Google Images]
Windows Phone and Blackberry Devices
Again, it is important as an examiner to first understand the operating system and file
system of the device being examined. The Windows Phone has a proprietary operating system
developed by Microsoft, which means that it is similar to the Windows operating system. The
smartphone uses what Microsoft has coined as “tiles” which serve as the interface for application
icons. It utilizes what are known as “chambers”, which isolate privileges and thereby provide security.
There are four types of security chambers. The Trusted Computing Base (TCB) chamber is
where the kernel runs. It is here that the “secure boot process” is carried out. Secure boot
validates the firmware on the device before it executes. The Windows Phone Developer Center
explains that it “validates the digital signature of all boot components, from the pre-UEFI boot
loaders, to the UEFI environment, and finally to the main OS and all components that run in it
(such as drivers and applications).” (Win Phone Dev Center, 2015. Paragraph 2). This prevents
malicious code from executing before the operating system loads. The illustration below
(courtesy of the Windows Phone Dev Center) shows the process:
The next security chamber, the Elevated Rights Chamber (ERC), hosts services and user-
mode drivers that provide functionality for applications on the phone. The third chamber is the
Standard Rights Chamber (SRC) and is the default chamber for applications that come already
installed on the phone. The last security chamber, Least Privileged Chamber (LPC) is the
chamber for all the 3rd party applications that are installed on the device. Applications on the
Windows phone run within their own chamber, which means they are isolated from each other
and cannot access data of other applications. The Windows Phone is similar to Windows XP,
Vista, and Windows 7 in terms of its file system. With root access, files and folders can be
accessed. For instance, the Application Data directory contains data of preinstalled applications,
the Applications directory is where files for applications installed by the user are located, the
familiar My Documents directory contains files on Office documents (Word, Excel, Powerpoint)
and multimedia, and the Windows directory holds files pertaining to the operating system. The
Windows Phone also utilizes the Windows Registry, which can be a potential forensic treasure
chest.
The Blackberry operating system was developed by Research in Motion (RIM) of Waterloo,
Ontario. There are two variants of the Blackberry – Blackberry Enterprise Server (BES) and
Blackberry Internet Service (BIS). BES utilizes software that allows syncing e-mail with a user’s
device and is usually managed by a BES administrator within an organization. BIS is a service
that allows the device user to configure e-mail syncing. BES is usually provided by employers
for enterprise purposes, while BIS is utilized more by consumers. Data sent between BES and
the device is encrypted using Blackberry transport layer encryption. It uses AES or Triple DES
as the symmetric key cryptographic algorithm to encrypt data (Bommisetty, Tamma, & Mahalik,
2014. Page 274). The device can also be configured to encrypt data that is stored on the device. It
utilizes AES-256 encryption for encrypting stored data, and ECC public keys to encrypt data that
is sent to the device. Even the encryption keys stored on the device are encrypted when the
device is locked making a locked Blackberry device extremely difficult to extract readable data
from. A device with BES can be remotely wiped by the administrator. Blackberry, like other
mobile platforms, has its own third party application environment – Blackberry World.
Forensic Concepts and Practices
iOS Devices
As mentioned, gaining an understanding of the iOS device is the first step toward a
successful examination. There are several variances of iOS devices all having different hardware
and firmware. So before examining the device, the examiner has to identify the model and
version. To identify the hardware, one way is to simply look at the model number which is
displayed on the back of the device. The device’s memory capacity is also displayed on the back.
This image is an example of what it looks like on the back of an iPhone:
Also, if the etching on the iOS device is unreadable, then the examiner can utilize Apple’s
informative database which can be found here: http://support.apple.com/en-us/HT201296. It
describes each iPhone’s physical traits and capacity matched with their corresponding model
number. The examiner can access the Settings option to determine the firmware version of the
device. This is done by going to Settings > General > About which is where information such as
memory capacity, carrier, and the firmware version are displayed. However, not every device
will be accessible as iOS devices have the capability of utilizing a passcode to gain access. If this
is the case, there are still steps that can be taken to gain access to the device. One method is to
utilize the Mac OS X command-line tool, ideviceinfo. According to the textbook “Practical
Mobile Forensics”, the tool can be installed (along with several other cmd line tools) from
http://www.libimobiledevice.org/. As noted above, it is a Mac OS X command-line tool.
Therefore, you must have the Mac OS X environment to utilize it. If you are using Windows
primarily, a virtual machine (such as VMware) will suffice. Once Mac OS X has been
installed, along with the ideviceinfo command-line tool (obtained by cloning the
libimobiledevice-macosx repository, as in step 1 below), the iOS device can be accessed and the model and
firmware version can be viewed by following these steps via the terminal:
[Figure courtesy of “Practical Mobile Forensics”, Chapter 2]
1. git clone https://github.com/benvium/libimobiledevice-macosx.git
~/Desktop/libimobiledevice-macosx/
“This command creates the libimobiledevice-macosx directory on the user’s desktop and places
the libimobiledevice command-line tools onto it.” (Bommisetty, Tamma, & Mahalik, 2014. Page
31). Also note that in a Unix/Mac terminal (unlike the Windows command prompt), commands
and file names are case-sensitive. After navigating to the newly created
libimobiledevice-macosx directory, the examiner should then create and edit the .bash_profile
so that when the command ./ideviceinfo is run with the -s option, the output displays the
model/version information of the connected iOS device. Here is a sample output of the
ideviceinfo command:
So, knowing the model and firmware version of the iOS device is necessary to understand what
device you are examining. This information dictates the type of hardware and software the
device uses. In addition to knowing where these potential forensic artifacts can be found, the
examiner must also know how to actually retrieve them. There are numerous ways to acquire the
data depending on its type. Overall however, a physical data extraction will always yield a bit-
by-bit copy of the original data and is therefore the best method. According to the textbook
“Practical Mobile Forensics”, “there is no method or tool available to acquire the RAM memory
from a live iPhone” (Bommisetty, Tamma, & Mahalik, 2014. Page 59). The iOS devices have
NAND Flash memory, which is non-volatile memory that stores system files and user data. If a
physical extraction is possible, the NAND flash memory is what you will have a bit-by-bit copy
of. One way of acquiring a physical image of the device is to place it in DFU mode. In fact, the
textbook “Practical Mobile Forensics”, states that “most forensic acquisition methods require the
iOS device to be successfully entered in DFU mode.” (Bommisetty, Tamma, & Mahalik, 2014.
Page 57). It also explains that DFU mode is recognized as a forensically sound action in
preparation for acquisition. This is an important fact when considering admissibility in court.
DFU mode is a state that the iOS device can be put into for the purpose of upgrading (or
downgrading) the firmware version of the device. Note that the examiner must have access to the
phone to do this. However, as of late it has become very difficult if not impossible to acquire a
physical image of the original data on iOS devices. This is because Apple has made
customer/user privacy a priority over assisting law enforcement in their investigative requests.
An article by Craig Timberg in the Washington Post points out that, “Rather than comply with
binding court orders, Apple has reworked its latest encryption in a way that prevents the
company — or anyone but the device’s owner — from gaining access to the vast troves of user
data typically stored on smartphones or tablet computers.” (Timberg, 2014. Paragraph 2). While
this is respectable, it creates new challenges from a forensic standpoint. As mentioned in the
“Technical Challenges” section, it is much more difficult to gain access to an iOS device that has
been set with a passcode. A still viable solution to gain access to data from these devices is to
turn to the Cloud based servers provided by Apple. Timberg explains that “Apple will still have
the ability — and the legal responsibility — to turn over user data stored elsewhere, such as in its
iCloud service, which typically includes backups of photos, videos, e-mail communications,
music collections and more. Users who want to prevent all forms of police access to their
information will have to adjust settings in a way that blocks data from flowing to iCloud.”
(Timberg, 2014. Paragraph 6). So, the examiner can potentially get a lot of information about the
device’s owner by getting his/her Apple ID and password from Apple. With the credentials, the
examiner can extract the iCloud backup. Also, if there was no potential evidence from the iCloud
backup, the examiner can utilize the iTunes backup. The textbook “Practical Mobile Forensics”
explains that when an iOS device is synchronized with a host computer, “backup files can be
created using the iTunes software” (Bommisetty, Tamma, & Mahalik, 2014. Page 86). The
iTunes backup makes a copy of everything on the iOS device. It also contains device details such
as “the serial number, UDID, SIM details, and phone number” which can be used in court to
show relationship between the owner’s computer and the iOS device itself.
To perform a successful examination of an iOS device, the examiner must first have an
understanding of the device itself. There is a wide variety of iOS devices each having different
hardware and firmware. These differences in hardware and firmware dictate where an examiner
might find potential evidence of the crime being investigated. So, understanding the device will
be necessary in order for the examiner to know where to find certain files that could contain the
potential evidence defined in a search warrant. The examiner must also know what method will
be necessary to retrieve these files. In a court of law, an examiner may be asked to demonstrate
that he or she was fully qualified when the acquisition, analysis, and reporting of evidence
were performed; such qualification is therefore necessary for any successful forensic examiner.
Android Devices
As previously stated, there are several different configurations in use by Android devices.
Therefore, more than one tool, method, or technique will be needed to extract and analyze the
data. Analysis should be done on the forensic image. Therefore, the device must be imaged first.
It is preferred to obtain a physical image of the device if possible. A physical image is a bit-by-
bit copy of the memory and will capture all of the data including deleted files. The textbook
explains that there are two methods for physically extracting data from an Android device. The
first, Joint Test Action Group (JTAG), involves physically connecting to the device’s Test
Access Ports (TAPs) to access the device’s CPU. This is done by either soldering wire leads to
the connector pins and the device that will communicate with the CPU, or by using JTAG
jigs/adaptors. JTAG jigs are hardware used for boot repair of damaged devices,
unbricking locked devices, and memory dumps. Using JTAG jigs, the
examiner can connect the TAPs to the CPU. Once properly connected, the CPU can be given
instruction to transfer the raw data from the device, to the sanitized forensic drive for analysis.
The second method for physical data extraction of an Android device is the Chip-off technique.
This involves physically removing the NAND flash memory chip. This method will also work
with devices that are passcode protected. The textbook states, however, that this method can
result in destruction of the original evidence (device) because it is “difficult to reattach the
NAND flash to the device after examination” (Bommisetty, Tamma, & Mahalik, 2014. Page
219). To perform the Chip-off technique, the examiner should first conduct research to determine
which chip contains the user data. Then, that chip is physically removed by carefully applying
heat to the solder that is holding the chip in place. Once removed, the chip is then inserted into a
sanitized hardware device that is capable of reading the NAND flash memory. A .bin file will be
created for analysis. Again, a physical extraction will provide you with a bit-by-bit copy of the
data. However, a logical extraction is much easier and should be attempted first. Using the
command-line tool adb, the examiner can pull (extract) files from the Android device to the local
(sanitized) forensic device/machine. For this to work, however, USB debugging must be enabled
on the device. If the examiner has root access, then he/she will be able to extract the file
partitions. With root access, the command adb pull <partition> <local> will copy the file or
folder to the local forensic device/machine for analysis. Another method of logical extraction is
through the use of content providers. Content providers allow external applications to access and
share data with other applications. With that said, the examiner can create an application that
grabs data from the content providers on the device such as the contacts and SMS/MMS
applications. AFLogical is a tool that utilizes content providers to extract the data and saves it to
an SD card in CSV format for analysis. Andriller is acquisition software that features
lock screen PIN code cracking, lock screen password cracking (including brute force methods),
decryption of encrypted SQLite databases, and report generation.
Windows Phone and Blackberry Devices
Acquisition and examination of data on a Windows Phone is difficult. Due to the security
chambers previously discussed, some files that contain usage artifacts are locked by the
operating system. Therefore, the physical and logical acquisition methods that you would
otherwise use on other mobile platforms will not work. The chip-off and JTAG techniques for
acquiring the device data can, however, be used. The chip-off technique involves physically removing the
NAND flash memory chip. The textbook states that this method can result in destruction of the
original evidence (device) because it is “difficult to reattach the NAND flash to the device after
examination” (Bommisetty, Tamma, & Mahalik, 2014. Page 219). To perform the Chip-off
technique, the examiner should first conduct research to determine which chip contains the user
data. Then, that chip is physically removed by carefully applying heat to the solder that is
holding the chip in place. Once removed, the chip is then inserted into a sanitized hardware
device that is capable of reading the NAND flash memory. A .bin file will be created for
analysis. The JTAG or Joint Test Action Group technique, involves physically connecting to the
device’s Test Access Ports (TAPs) to access the device’s CPU. This is done by either soldering
wire leads to the connector pins and the device that will communicate with the CPU, or by using
JTAG jigs/adaptors. JTAG jigs are hardware used for boot repair of damaged devices,
unbricking locked devices, and memory dumps. Using JTAG jigs, the
examiner can connect the TAPs to the CPU. Once properly connected, the CPU can be given
instruction to transfer the raw data from the device, to the sanitized forensic drive for analysis.
To install and run an application for data acquisition on a Windows Phone, the device must be
unlocked. The tool ChevronWP7 can unlock the device by allowing the examiner to run an
unsigned application unrestricted. Once the device is unlocked, the application TouchXperience
can be utilized in hand with WPDM to extract the user data that is on the device. Like with any
mobile device, there are many file locations and directories that contain potential evidence.
TouchXperience will extract the data, and WPDM will convert the data into a readable format.
The following illustration shows the interface for WPDM:
From here, a lot of the files pertaining to system and application data that were on the device
can be accessed. The application data is user created data, and will contain a lot of valuable
evidence. For instance, SMS data (text messages) is stored in the file named store.vol which is
located under the directory \ApplicationData\Microsoft\Outlook\Stores\DeviceStore. To view the
actual content, a copy of the file needs to be made by renaming the file extension. This creates a
copy, and allows its contents to be viewed in a text editor. Files pertaining to e-mail, can be
extracted for analysis at the directory, Data\Microsoft\Outlook\Stores\DeviceStore\data.
[Figure: the WPDM interface, courtesy of Bommisetty, Satish; Tamma, Rohit; and Mahalik, Heather. Practical Mobile Forensics, page 263]
Just as the SMS file is renamed, files containing e-mail can also be viewed by renaming their
extensions. For instance, the files containing e-mail messages can be renamed with the .html
file extension for viewing, and files holding pictures of contacts can be viewed by renaming
them with the .jpg file extension. Application data can also provide a vast amount of relevant
evidence in an investigation. Each app holds its own directory with its own folders. Using the
Facebook application as an example, any pictures associated with the Facebook account on the
device, whether uploaded, viewed, or pictures of Facebook contacts, can be found within its
IsolatedStore directory. Again, simply renaming the file with a .jpg extension will render it
viewable.
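Rather than renaming extensions blindly, an examiner can confirm what an extracted file actually is from its leading bytes before viewing it. The following Python script is an added example, not code from this paper or from the WPDM/TouchXperience tools; it builds a constructed sample tree using the Outlook store directories named above (the Facebook IsolatedStore path and all file names are assumptions) and classifies each file by content signature.

```python
import tempfile
from pathlib import Path

# Content signatures for the file kinds the text says turn up in a WPDM
# extraction: JPEG contact pictures and HTML e-mail bodies. Checking the
# leading bytes identifies the type without relying on the file's name.
SIGNATURES = (
    (b"\xff\xd8\xff", "jpg"),       # JPEG start-of-image marker
    (b"<!doctype html", "html"),
    (b"<html", "html"),
)

def identify(path: Path) -> str:
    """Classify a file by its first bytes rather than by its extension."""
    with open(path, "rb") as f:
        head = f.read(32).lstrip().lower()
    for magic, kind in SIGNATURES:
        if head.startswith(magic):
            return kind
    return "unknown"

def inventory(root: Path) -> dict:
    """Map every file under an extraction root (POSIX-style relative path) to its type."""
    return {
        p.relative_to(root).as_posix(): identify(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }

def build_sample_extraction(root: Path) -> None:
    """Constructed sample tree using the directories named in the text.
    The Facebook app folder is an assumed layout with a placeholder app id."""
    mail = root / "Data/Microsoft/Outlook/Stores/DeviceStore/data"
    sms = root / "ApplicationData/Microsoft/Outlook/Stores/DeviceStore"
    fb = root / "Applications/Data/PLACEHOLDER-FACEBOOK-APP-ID/IsolatedStore"
    for d in (mail, sms, fb):
        d.mkdir(parents=True, exist_ok=True)
    (mail / "msg0001.dat").write_bytes(b"<html><body>Sample e-mail body</body></html>")
    (sms / "store.vol").write_bytes(b"\x00" * 8 + b"SMS text sample\x00")  # opaque store
    (fb / "contact42.dat").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 12)  # JPEG header

def demo() -> dict:
    """Build the sample tree in a temporary directory and return its inventory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_extraction(root)
        return inventory(root)

if __name__ == "__main__":
    for rel, kind in demo().items():
        print(f"{kind:8} {rel}")
```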
[Figure: Courtesy of Casey, Eoghan; Bann, Michael; Doyle, John. Introduction to Windows Mobile Forensics, page 138]
The tools and techniques used for data extraction on most mobile platforms generally will not
work on a Blackberry device. However, there are tools that make a physical or logical extraction
possible. The Cellebrite UFED Touch can acquire a physical or logical image of the device,
depending on its model. To acquire a physical image, the device must be powered off. Then,
before the device boots, data is intercepted. However, if that data is encrypted, it will not be
readable. A better option is to use Blackberry Desktop Manager (BDM) to create a backup of
the Blackberry device. Still, this method also requires the examiner to know the device
passcode. If it is known, the logical backup acquired can provide a form of validation for the
data acquired. In this case, a BBB or IPD backup file is created. A BBB (BlackBerry Backup)
file is created if BDM v7.0 or later was used to create the backup; an IPD (Interactive Pager
Backup) file is created if BDM v6.0 or earlier was used. The textbook “Practical Mobile
Forensics” explains that Blackberry backup files can often be found on hard drives and other
storage media (Bommisetty, Tamma, & Mahalik, 2014, page 281). This makes the location of
these backup files a good place to search for evidence in the case of deleted or missing data on
the device; they can be found, for instance, in the My Documents directory on an associated
Windows machine. Amber ABC Converter is a text converter that can be used to view files
stored in the IPD format.
[Figure: Courtesy of “Digital Evidence on Mobile Devices”]
In the book “Digital Evidence and Computer Crime”, Eoghan Casey and Benjamin Turnbull state
that “when a mobile device is synchronized with a desktop computer, data are stored in backup
files indefinitely. Items that have been erased from the device may still exist on the desktop
including e-mail messages and private data. These files may be stored in a proprietary format
and it may be necessary to obtain specialized tools to interpret these backup files on the
desktop.” (Casey & Turnbull, 2011, Chapter 20, page 14). Evidence items such as information
pertaining to accounts for cloud-based services such as e-mail accounts (e.g., Gmail), documents
and multimedia transferred to cloud-based services, social networking profiles (e.g., Facebook),
and, as said before, any deleted files that were once on the device can also be found in the IPD
backup files.
Third-Party Applications
To analyze applications on an Android device, the examiner must reverse engineer the
application to retrieve its source code. In doing so, the examiner gains an understanding of how
and where the application stores its data, the vulnerabilities associated with it, and any security
measures that may or may not be in place. For instance, in the case of a malware attack, the
examiner might want to manually examine the application that initiated the attack in order to
understand the circumstances that allowed the attack. Or the examiner might try to access files
on an Android device and find that they are locked by an app locker; in this situation, reverse
engineering the application to learn how it stores passwords would be necessary. Once the
examiner has access to the application’s source code, how it stores values and permissions can
be determined, which will help in bypassing those restrictions.
Conclusions
Forensic examiners investigating cases involving mobile devices must be knowledgeable about
the legal obligations and requirements dictated by jurisdictional and federal law. It is essential
to any investigation that a responsible chain of custody has been established and maintained
throughout all phases of the investigation and the presentation of evidence. Mobile devices have
evolved into fully functional handheld computers that contain a vast amount of data. As a result,
there are many technical challenges associated with investigations involving mobile devices.
Mobile devices have become very diverse, with many different types of hardware, operating
systems, file systems, encryption algorithms, and data storage methods. For an investigation to
be successful, forensic examiners must understand the mobile device being examined, in order
to avoid the potential for evidence destruction and/or inadmissibility of that evidence. With
mobile devices continuing to evolve, professional forensic examiners will be obligated to stay
up to date on the technical and legal changes, as well as the forensic practices necessary for a
successful examination of such devices.
Works Cited
Android-App-Market. (2012, February). Android Architecture – The Key Concepts of Android OS. Retrieved from: http://scisweb.ulster.ac.uk/~jose/COM555/Resources/Useful%20REading%20and%20References/Android%20Architecture%20-%20The%20Key%20Concepts%20of%20Android%20OS.pdf
Apple. (2015, January). Identifying iPhone Models. Retrieved from: https://support.apple.com/en-us/HT201296
Bommisetty, Satish; Tamma, Rohit; Mahalik, Heather. (2014). Practical Mobile Forensics. Birmingham, Mumbai: Packt Publishing.
Brookes, Tim. (2012, May). A Brief History of Mobile Phones. Retrieved from: http://www.makeuseof.com/tag/history-mobile-phones/
Casey, Eoghan; Bann, Michael; Doyle, John. (2015). Introduction to Windows Mobile Forensics. Retrieved from: http://www.academia.edu/2983818/Introduction_to_Windows_Mobile_Forensics
Casey, Eoghan; Turnbull, Benjamin. (2011). Digital Evidence and Computer Crime. Retrieved from: http://booksite.elsevier.com/9780123742681/Chapter_20_Final.pdf
Degrazia, Maria. (2013, February). Finding and Reverse Engineering Deleted SMS Messages. Retrieved from: http://az4n6.blogspot.com/2013/02/finding-and-reverse-engineering-deleted_1865.html
Gonzalez, Alberto; Schofield, Regina; Hagy, David. (2015). Digital Evidence in the Courtroom: A Guide for Law Enforcement and Prosecutors. Retrieved from: https://www.ncjrs.gov/pdffiles1/nij/211314.pdf
How-To Geek. (2015, January). What is EXIF Data and How Do You Remove it From Your Photos? Retrieved from: http://www.howtogeek.com/203592/what-is-exif-data-and-how-to-remove-it/
Jarrett, Marshall; Bailie, Michael; Hagen, Ed; Judish, Nathan. (2015). Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations. Retrieved from: http://www.justice.gov/sites/default/files/criminal-ccips/legacy/2015/01/14/ssmanual2009.pdf
OpenSignal. (2014, August). Android Fragmentation Visualized. Retrieved from: http://opensignal.com/reports/2014/android-fragmentation/
Scientific Working Group on Digital Evidence. (2015, June). SWGDE Best Practices for Examining Mobile Phones Using JTAG. Retrieved from: https://www.swgde.org/documents/Released%20For%20Public%20Comment/2015-06-20%20SWGDE%20Best%20Practices%20for%20Examining%20Mobile%20Phones%20Using%20JTAG
Timberg, Craig. (2015, January). Apple will no longer unlock most iPhones, iPads for police, even with search warrants. Retrieved from: http://www.washingtonpost.com/business/technology/2014/09/17/2612af58-3ed2-11e4-b03f-de718edeb92f_story.html
Windows Phone | Dev Center. Retrieved from: https://sysdev.microsoft.com/en-us/Hardware/oem/docs/Phone_Bring-Up/Secure_boot_and_device_encryption_overview
Wright, Rob. (2013, April). The Evolution of the Smartphone in 7 Releases. Retrieved from: http://www.crn.com/slide-shows/mobility/240152197/the-evolution-of-the-smartphone-in-7-releases.htm/pgno/0/1