Basic Concepts in Mobile Device Forensics - Part 2

This lesson continues Part 1, where we broke the forensics process into five stages and covered the first two, Preparation and Collection. Here we cover the remaining three: Examination, Analysis, and Reporting. If you missed Part 1 of the lesson, I recommend reading it first.

Stage 3: Examination

After the digital evidence has been collected, the next stage is examining the contents of the device. Because there is such a wide variety of mobile devices on the market, every examination will be different. Creating an investigative plan for your examination is extremely helpful and saves time. I recommend developing standard operating procedures so that the contents of each device are examined in a consistent, repeatable way.

During the examination stage, the examiner extracts data from the physical or logical image and converts it into a readable form that is easy to work with during the analysis stage. This processing is often taken for granted today because forensic software does it automatically. Frequently, however, examiners need to manually extract data from applications on the device that the forensic software did not process. Application data is typically stored in SQLite databases, XML files, and property lists. This is one of many reasons you, as the examiner, need to understand how data is stored on the device rather than relying solely on the software to do the work for you.

SQLite is a lightweight, file-based database engine built into both iOS and Android and used by most applications to store their records; a single database file holds tables of rows, and deleted rows may linger in the file's unused space. A property list (plist) is an Apple file format, in XML or binary form, used to store, access, and organize standard types of data such as strings, numbers, dates, arrays, and dictionaries; applications commonly keep preferences and account details in plists. We will cover SQLite and property lists in detail in later lessons.
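
As an added example (not code from the original article), the following Python script shows the kind of manual extraction described above: it reads a small SQLite message store and a binary property list, both constructed inline for the demonstration, and converts the raw timestamps into readable UTC dates. The table name, columns, and plist keys are assumptions for a hypothetical messaging application; on a real device you inspect sqlite_master and the plist itself first, because every application lays its data out differently.

```python
"""Manual extraction of third-party application data (added example).

Reads an SQLite message table and a binary property list, as an examiner
would when a tool has not parsed an application, and converts the raw
timestamps into readable UTC dates. The schema, plist keys and sample
records are constructed for this demonstration; real applications differ.
"""
import plistlib
import sqlite3
from datetime import datetime, timedelta, timezone

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# Apple "absolute time": seconds since 2001-01-01 00:00:00 UTC, common in iOS plists and databases.
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

# Constructed sample rows for a hypothetical messaging app: (id, handle, body, sent_at as Unix seconds).
SAMPLE_MESSAGES = [
    (2, "+15555550101", "On my way", 1700000600),
    (1, "+15555550100", "Meet at 7?", 1700000000),
]


def unix_to_iso(seconds):
    """Unix epoch seconds -> ISO 8601 UTC string."""
    return (UNIX_EPOCH + timedelta(seconds=seconds)).isoformat()


def cocoa_to_iso(seconds):
    """Cocoa/Core Data seconds since 2001-01-01 UTC -> ISO 8601 UTC string."""
    return (COCOA_EPOCH + timedelta(seconds=seconds)).isoformat()


def build_sample_db():
    """Create the constructed message database in memory (stands in for an app's .db file)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE message (id INTEGER PRIMARY KEY, handle TEXT, body TEXT, sent_at INTEGER)"
    )
    conn.executemany("INSERT INTO message VALUES (?, ?, ?, ?)", SAMPLE_MESSAGES)
    conn.commit()
    return conn


def list_schema(conn):
    """First step on an unknown application database: read the table definitions from sqlite_master."""
    rows = conn.execute("SELECT name, sql FROM sqlite_master WHERE type = 'table'")
    return {name: sql for name, sql in rows}


def extract_messages(conn):
    """Pull every message, oldest first, with the Unix timestamp converted for the analyst."""
    rows = conn.execute("SELECT id, handle, body, sent_at FROM message ORDER BY sent_at")
    return [
        {"id": mid, "handle": handle, "body": body, "sent_at": unix_to_iso(sent_at)}
        for mid, handle, body, sent_at in rows
    ]


def build_sample_plist():
    """Constructed binary plist; LastLogin is stored as Cocoa seconds, as many iOS apps do."""
    prefs = {"Username": "alice", "LastLogin": 721000000.0, "PinnedChats": [1, 2]}
    return plistlib.dumps(prefs, fmt=plistlib.FMT_BINARY)


def extract_plist(data):
    """Parse a binary or XML plist (plistlib detects the format) and normalize the Cocoa timestamp."""
    prefs = plistlib.loads(data)
    return {
        "Username": prefs["Username"],
        "LastLogin": cocoa_to_iso(prefs["LastLogin"]),
        "PinnedChats": prefs["PinnedChats"],
    }


if __name__ == "__main__":
    db = build_sample_db()
    print(list_schema(db))
    for msg in extract_messages(db):
        print(msg)
    print(extract_plist(build_sample_plist()))
```

The two epoch constants are the point of the script: the same integer means a different instant depending on which application wrote it, and mixing the two without converting is one of the easiest ways to put events in the wrong order during analysis.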

Many forensic software tools are available for the examination (processing) of mobile devices. Tools used to examine a mobile device need to be tested and widely accepted within the forensics community. As the examiner, you are responsible for ensuring that the forensic software you use is reliable and does not alter, manipulate, or damage the forensically imaged data; a practical check is to hash the image before and after processing and confirm that the values match.

Untested open-source software

I was working on a civil case where the victim requested that images be extracted from the mobile device to be presented in court. In most cases, this would be very straightforward. I knew where the image files were located on the device, and I was using the latest forensic software at the time to properly collect the evidence and extract the images. As I started reviewing the data, I noticed the image numbers were out of order and some of the images were corrupted. The requested images were no longer stored on the device. I asked the user if they had tried to remove them before contacting me. They said yes, and that they had searched Google for free software that would allow them to export the images with all the metadata. Unfortunately, the untested software they used modified their device and in doing so destroyed the evidence they needed.

Note Taking at the Examination Stage

Copious notes are also required during the examination stage. These notes allow other examiners to reproduce your findings and help you recall what you did, when you did it, and the result of each action if you have to testify at trial.

Stage 4: Analysis

The analysis stage is closely related to the examination stage. Analysis is the process of interpreting the extracted data to determine its relevance to the case. Some examples of analysis include:

· Timeline analysis – Arranging events in chronological order to tell the story of the activity that took place on the device. Different sources store timestamps in different formats (Unix epoch seconds, Apple's Cocoa time counted from 2001, milliseconds, local time versus UTC), so normalizing them to one reference is a prerequisite for a correct timeline.

· Link analysis – Provides an immediate visual picture of communication methods and the relationships between entities. This method identifies and visualizes relationships between key objects, allowing examiners to turn large amounts of raw data into actionable intelligence.

· Deleted data – Identifies information that was deleted from the device. This can include records removed from an SQLite database but still present in the file's free pages or freed cell space, and data salvaged from unallocated space on the storage.

· Third-party application analysis – Analyzes the applications installed by the user. Examiners may have to extract the data manually, as many automated forensic tools are not capable of parsing the data within every application.

· File analysis – Identifies when a file was created, accessed, or modified. File analysis may also include looking for data hidden within a file (steganography) and examining the file's content to determine its relevance to the case.
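
The deleted-data bullet above is worth seeing in practice. The following Python script is an added example, not code from the original article: it builds a small message database, deletes one row, and then scans the raw file bytes for printable strings that no live row or schema entry accounts for. The table, the messages, and the file layout are constructed for the demonstration. It also shows the caveat an examiner runs into: when the same delete is done with SQLite's secure_delete pragma on, the freed cell is zeroed and nothing comes back.

```python
"""Recovering a deleted SQLite record from a database file's freed space (added example).

Builds a constructed message database, deletes one row, and carves printable
strings from the raw file that no live row or schema entry accounts for.
A second run turns on SQLite's secure_delete, which zeroes freed cells, to
show why the same technique sometimes recovers nothing.
"""
import os
import re
import sqlite3
import tempfile

DELETED_BODY = "deleted: transfer the money tonight"  # constructed sample content
LIVE_BODIES = ["keep this one", "also kept"]
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{8,}")  # 8+ consecutive printable ASCII bytes


def build_and_delete(path, secure_delete=False):
    """Create the sample database on disk, then delete one record the way an app would."""
    conn = sqlite3.connect(path)
    # The secure_delete default varies by SQLite build; apps rarely change it,
    # so on most devices the content of deleted cells survives in the file.
    conn.execute("PRAGMA secure_delete = %s" % ("ON" if secure_delete else "OFF"))
    conn.execute("CREATE TABLE message (id INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany(
        "INSERT INTO message VALUES (?, ?)",
        [(1, LIVE_BODIES[0]), (2, DELETED_BODY), (3, LIVE_BODIES[1])],
    )
    conn.commit()
    conn.execute("DELETE FROM message WHERE id = 2")
    conn.commit()
    conn.close()


def live_bodies(path):
    """What a normal query (or a tool that only runs queries) would show."""
    conn = sqlite3.connect(path)
    try:
        return [row[0] for row in conn.execute("SELECT body FROM message ORDER BY id")]
    finally:
        conn.close()


def carve_strings(path):
    """Printable runs from the raw file, ignoring the page structure entirely."""
    with open(path, "rb") as fh:
        data = fh.read()
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(data)]


def recover_deleted(path):
    """Carved strings not explained by live rows, the schema, or the file header.

    SQLite overwrites only the first four bytes of a freed cell (the freeblock
    header), so the text of a deleted row is usually intact, possibly with a
    byte or two of record header in front of it. Expect some noise from the
    sqlite_master page; the examiner reviews the candidates by hand.
    """
    conn = sqlite3.connect(path)
    known = [row[0] for row in conn.execute("SELECT body FROM message")]
    known += [row[0] for row in conn.execute("SELECT sql FROM sqlite_master") if row[0]]
    conn.close()
    known.append("SQLite format 3")
    return [
        run for run in carve_strings(path)
        if not any(k in run or run in k for k in known)
    ]


def demo(secure_delete=False):
    """Run the whole sequence in a temporary directory; returns (live rows, carved candidates)."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "messages.db")
    try:
        build_and_delete(path, secure_delete)
        return live_bodies(path), recover_deleted(path)
    finally:
        for name in os.listdir(workdir):
            os.remove(os.path.join(workdir, name))
        os.rmdir(workdir)


if __name__ == "__main__":
    for flag in (False, True):
        live, candidates = demo(secure_delete=flag)
        print("secure_delete=%s live=%s candidates=%s" % (flag, live, candidates))
```

String carving is the crudest form of deleted-record recovery; it finds text but not the row it belonged to or when it was written. Tools that parse the SQLite page format can reconstruct whole records from freeblocks and unallocated page space, but the same limitation applies to both: once the space is overwritten, or if the application enabled secure_delete or ran VACUUM, the data is gone.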

Analysis requires an understanding of the legal restrictions that apply and of the objective of the examination, for example whether it is a civil, corporate, or criminal matter; both need to be identified before the examination begins.

Analysis of the data is key to proving or disproving elements of the civil, corporate, or criminal incident. Examiners must clearly define the objective of the examination before starting, remain unbiased, and focus on finding the facts. In this stage, the examiner analyzes text messages, e-mails, calendar events, notes, photos, videos, and third-party application data. Analysis is more than just dumping data off a mobile device. Analysis is putting the pieces of the puzzle together and building a sequence of events to locate evidence that may prove an activity took place, or critical information that may in fact prove a suspect is innocent.

Note Taking at the Analysis Stage

As with earlier stages, copious notes are required during the analysis stage. These notes will allow other examiners to reproduce your findings and help you recall what you did when you did it and the results of that action during a trial.

Stage 5: Reporting

The final stage of the forensics process is reporting your findings. A report is mandatory for every examination conducted and must clearly communicate all relevant findings from the examination and analysis. Reports should contain information about the initial request for analysis, the requestor, a description of the physical and/or logical evidence analyzed, and the location of relevant items of evidentiary value. Most forensic software tools on the market include a reporting feature that examiners can use to generate the final report.

As expert witnesses, examiners are able to express an opinion in the report. Opinions should be confined to your area of expertise and supported by facts. Reports should be written for a non-technical audience and be easily understood by someone who knows very little about mobile devices.

Report Components

Items to include in your report are:

· Reporting agency, examiner, and contact information

· Case identification number and investigator

· Where the relevant data was located on the device

· Metadata associated with all relevant files, together with their hash values

· Descriptive list of items submitted for examination, including:

    · Serial number

    · Make and model

· Brief description of the steps taken during the examination, including:

    · Search terms used

    · Recovery of deleted files

· Results/conclusions
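
As an added example for the hash-value and metadata items above (and for the point in the Examination stage that processing must not alter the imaged data), the following Python script builds a manifest for a set of evidence files: size, modification time, MD5 and SHA-256, and a verification flag comparing each file's current SHA-256 against the hash recorded at acquisition. The evidence directory, file names, and acquisition hashes are constructed here; the script is not from the original article or from any particular forensic suite.

```python
"""Evidence manifest with file metadata and hash verification (added example).

Walks an evidence directory, records size, modification time and MD5/SHA-256
for every file, and checks each file against the hash recorded when the image
was acquired. A mismatch means the data changed between collection and
reporting and must be explained before the report goes out. The sample files
and acquisition hashes are constructed for the demonstration.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def hash_file(path, algorithms=("md5", "sha256"), chunk_size=1024 * 1024):
    """Hash a file in chunks so multi-gigabyte images do not have to fit in memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def file_metadata(path):
    """Size and modification time, reported in UTC so the report is unambiguous."""
    st = os.stat(path)
    return {
        "size": st.st_size,
        "modified_utc": datetime.fromtimestamp(st.st_mtime, tz=timezone.utc).isoformat(),
    }


def build_manifest(evidence_dir, acquisition_sha256):
    """One entry per file; 'verified' is True only when the SHA-256 matches the acquisition record."""
    entries = []
    for name in sorted(os.listdir(evidence_dir)):
        path = os.path.join(evidence_dir, name)
        if not os.path.isfile(path):
            continue
        hashes = hash_file(path)
        expected = acquisition_sha256.get(name)
        entries.append({
            "file": name,
            **file_metadata(path),
            **hashes,
            "acquisition_sha256": expected,
            "verified": expected is not None and expected == hashes["sha256"],
        })
    return entries


def demo():
    """Constructed evidence set: one intact image and one that was modified after acquisition."""
    workdir = tempfile.mkdtemp()
    try:
        intact = os.path.join(workdir, "phone_logical.tar")
        altered = os.path.join(workdir, "phone_physical.bin")
        with open(intact, "wb") as fh:
            fh.write(b"hello")
        with open(altered, "wb") as fh:
            fh.write(b"hello world")
        # Acquisition record: SHA-256 of b"hello" for both files; the second was changed afterwards.
        acquisition = {
            "phone_logical.tar": "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824",
            "phone_physical.bin": "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824",
        }
        return build_manifest(workdir, acquisition)
    finally:
        for name in os.listdir(workdir):
            os.remove(os.path.join(workdir, name))
        os.rmdir(workdir)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Recording two hash algorithms costs nothing extra (the file is read once) and lets the report be checked against whichever value the collecting party recorded. A `verified: false` entry is not something to quietly drop from the report; it is a finding in its own right and needs to be explained in the notes and the report.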

There are also common pitfalls in reporting. Avoid the following:

· Making assumptions in your report

· Including non-relevant data in the report

· Failing to link the data to the elements of the crime or incident

Note-taking vs. Reporting

It is important to differentiate between taking notes and forensic reporting. The forensic report generated by the examiner is the final result of the analysis. The forensic report will only include relevant items that directly support the request. Copious note-taking will include references to all steps taken by the examiner during the examination. Notes will include both positive and negative results, regardless of relevance. The goal of note-taking is to document steps taken as well as to serve as a timeline of events of the examination.

Now that you know the five stages of the forensics process which one do you find to be the most difficult?

Dr Richard Adams

IT Expert Witness | Digital Forensics | Litigation Support | Incident Response | Electronic Discovery (eDiscovery) | IT Disputes | Internal Investigations | Criminal Matters | Cell Tower Log Interpretation

2 years

Another excellent article Rich!
