Introduction to forensic analysis for mobile devices

The mobile device ecosystem has developed dramatically in recent years, primarily due to the fact that such a massive number of people now use them, and since many people own a number of different terminals for different purposes: professional use, personal use, etc. It is estimated that more than 7.5 billion mobile devices now exist, more than the total number of people on the planet.

These devices store a vast range of information which can prove vital when resolving an incident, such as call history (both made and received calls), text and multimedia messages, emails, search history, photos, videos, documents, information on social media, information in cloud storage services, etc. Furthermore, information that has previously been deleted can sometimes by recovered.

This article primarily describes the methodology of the forensic process used for mobile devices; although this process shares many features with other types of forensic analysis, such as that of computers, there are also several differences to take into account.

Although no standardised methodology exists with a specific focus on the forensic analysis of mobile devices, there are a number of guides which can offer direction as to how to carry out the process correctly:

• Guidelines on Mobile Device Forensicsfrom NIST.
• Developing Process for Mobile Device Forensics from SANS.
• Best Practices for Mobile Phone Forensics from the Scientific Working Group on Digital Evidence (SWGDE).
• Good Practice Guide for Mobile Phone Seizure & Examination from Interpol.
• ISO/IEC 27037:2012, Guidelines for the identification, collection, acquisition and preservation of digital evidence.
• RFC 3227, Although no direct reference to mobile devices is made, this guide provides the standard factor in the forensic process for computers. Its basic guidelines are therefore globally applicable to the process, no matter what the device in question.

Various models exist highlighting the different phases of the forensic process, but in general the following phases apply:

In the same way, a continuous register of actions performed on the material must be kept so that the process remains legally valid, if applicable. A certifying officer must be present for this, whether a legal secretary or a notary, who can attest the chain of custody, meaning that they guarantee the physical and logical integrity of the evidence. This phase begins when the evidence is identified and obtained, and also encompasses the registration, storage, transfer and final analysis of the evidence and its handover to the authorities if applicable.

On the other hand, if the materials need to be transported, this must be done with extreme care, so that its information cannot be altered and it is not exposed to extreme temperatures or electromagnetic fields.

• Preservation: this phase consists of identifying the devices to analyse and ensuring that any evidence that could be collected for analysis is not lost. A lack of awareness could inadvertently render evidence invalid, for example if express written authorisation for carrying out the process is not obtained, or relevant information that might have proved vital in resolving the incident could be lost. Straightforward actions such as keeping the device in a Faraday cage in order to protect it from any kind of signals or activating flight mode help prevent things such as the terminal being wiped remotely.
• Acquisition: Evidence is defined as any piece of proof which could be used in the legal process. For this reason, it must meet the following criteria:
  • Authentic: it must be veracious and not have been altered in any way.
  • Complete: it must constitute proof from an objective and technical point of view, without personal considerations or prejudices.
  • Credible: it must be understandable.
  • Reliable: the methods used to obtain the evidence must not cast any doubt on its veracity or authenticity.
  • Admissible: it must have legal value.

  Examples of digital evidence include photos, videos, documents, call history, emails, WhatsApp messages, etc. It is important to bear in mind that the mobile device memory cards that are typically used could contain extremely significant information, and must therefore be kept in place during this phase.

• Analysis: when the collected information is being analysed, the type of incident in question must be taken into account, since, depending on the case, it may be necessary to carry out a more detailed analysis of certain aspects of the device.
• Documentation: documentation is a fundamental part of the forensic analysis process, and this phase must therefore be carried out methodically and in great detail. The following actions, among others, may be performed:
  • Photographing the mobile device and recording its brand and model, and identifying information such as its IMEI or IMSI and its original state: whether it was switched on or off, locked or not, etc.
  • Documenting all steps taken during the procedure, keeping a logbook of the date and time of each action performed concerning the evidence, and making a note of the tools used.
  • Creating two types of findings reports, one executive and one technical.

  For this, any template can be used, such as that proposed in the Guide to Evidence Gathering in Windows Environments.

• Presentation: the information presentation phase is just as, if not more, important than the previous phases, since the conclusions obtained in the forensic analysis procedure have to be both accessible and understandable.

  For this, it is recommended that these guidelines are followed:

  • Prepare an informative and easily understandable presentation.
  • Describe the conclusions reached.
  • Clearly explain the steps taken to obtain the evidence.
  • Avoid making value judgements or statements that cannot be justified.
  • Develop objective conclusions.

In terms of these phases, it must be remembered that they are not carried out in sequence, but are instead interlinked. For example, the documentation phase begins during the preservation phase.

Just as in the forensic analysis of any other device, once the process has concluded answers must be sought for the following questions: what, who, when, why and how?

• What? - This involves concentrating clearly and objectively on what exactly happened.
• Who? - This involves collecting and recording information on those involved in the incident.
• When? - It is essential to establish a timeline of everything that occurred during the process.
• Why? - Although this can sometimes be complicated, an attempt must be made to identify the motives of those responsible for the incident.
• How? - It is essential to answer this question. This involves identifying, for example, how a terminal has been compromised or used to steal information, which is extremely important in resolving the incident.

When dealing with a process like this, a number of complications can arise. It is therefore very important to consider the difficulties inherent in the forensic analysis of mobile devices, including:

• Many different models: a report developed by the company OpenSignal asserts that more than 24,000 different terminal models use the Android operating system, representing a 30% increase on the figure for 2014. In addition, many different models of devices are manufactured for other operating systems. Most of these use different hardware and technology, significantly complicating the work of forensic analysts and meaning that they must constantly adapt in response to new techniques and procedures.
• Different operating systems: although Android is the most widely used operating system, others have a very important presence in the market, including iOS, Windows Phone and BlackBerry OS. An in-depth knowledge of these operating systems is therefore necessary when collecting evidence.
• All these operating systems have their own security features, which can sometimes make things more difficult. For example, they might be locked with a pattern, PIN or password, and it is important to understand their mechanisms in order to successfully navigate these protective features.
• Installed applications: users typically install many applications, including: social networks, instant messengers, games, applications relating to health and wellbeing, etc.
• Legal considerations: during this process, it is essential to always comply with current legislation so that the proof remains legally valid. As previously noted, it is essential that a certifying officer is present when evidence is being collected for analysis, and that the chain of custody is maintained.
• Anti-forensic techniques: as is the case with other devices, such as computers, actions can be taken to make it harder for forensic procedure to identify evidence. These actions include the destroying, concealing and falsifying evidence.