Table of Contents
- Overview of Mobile Forensic Technology and the Associated Challenges
- Challenges of Digital Evidence Collection Methodology
- Challenges of Mobile Forensic Preservation Methodology
- Challenges of Analyzing Digital Evidence in Mobile Forensics
Mobile forensics is the branch of digital forensics concerned with recovering digital evidence or other data from mobile devices, including PDAs, GPS units, and tablet computers (Gonzalez & Hung, 2009). The branch developed after the proliferation of mobile phones, especially smartphones, resulted in crimes that could not be addressed with existing computer forensic techniques. However, mobile forensics, like other digital forensic disciplines, faces challenges in obtaining, collecting, and using digital evidence in a way that is appropriate and sufficient for prosecution. Additionally, the constantly changing mobile technology environment, and the legislation that accompanies it, challenges not only the use of the technology itself but also the forensic methodology, examiner training, and the associated expenses. It is in this regard that this white paper addresses these challenges and goes on to propose a number of ways of mitigating them.
Overview of Mobile Forensic Technology and the Associated Challenges
The best way to understand mobile device forensics, as Gonzalez & Hung (2009) point out, is to contrast it with standard personal-computer-based digital forensics. In PC-based forensics, the usual methodology is to physically remove the hard drive from the computer, use forensic software to obtain a mirrored image of it, and then verify and analyze that image for presentation and prosecution. This technique is robust and generally successful on PCs because they run Windows, Mac, or Linux operating systems, which are mature and well supported by forensic software.
However, this approach does not work on mobile devices, because the mobile device industry is continually developing different operating systems and communication protocols (Sommer, 2012). In addition, the data storage methods used within such devices vary, with more being developed on a daily basis. For instance, while Windows and Apple’s Mac OS have effectively dominated the operating systems of personal computers, many operating systems are widely used on mobile phones, with more being developed; these include Apple’s iOS, HP’s webOS, Nokia’s Symbian OS, RIM’s BlackBerry, and Google’s Android, among others (Casey & Turnbull, 2010). This diversity makes it difficult not only to access important data, but also to develop universal and efficient digital forensic software that can sufficiently collect, preserve, and analyze digital evidence from mobile devices.
Mobile forensic technology also encounters challenges that affect investigation because of the communication protocols involved. According to Gonzalez & Hung (2009), communication via mobile devices is carried over cellular, Wi-Fi and Bluetooth. Cellular technology divides large geographical service regions into smaller units called cells, each served by a tower whose transmitters exchange radio signals with mobile devices (Gonzalez & Hung, 2009). Wi-Fi and Bluetooth transmit over higher frequencies or by devices being physically paired to one another. It is these communication protocols that at times make it difficult to use mobile forensic technology to access digital evidence that can be effectively used in prosecuting a given crime.
Similarly, mobile forensic technology encounters challenges in obtaining digital evidence because of the different data storage methods these devices use. Generally, mobile devices store information in Random Access Memory (RAM), Read Only Memory (ROM), and Subscriber Identity Module (SIM) cards (Casey & Turnbull, 2010). RAM is the memory space in which information is stored temporarily while the device is operating, so important information is lost if the device is switched off. ROM, on the other hand, holds pre-programmed information installed on the device’s chips to perform certain discrete tasks, while the SIM authenticates the user’s identity. Therefore, where important information is held only temporarily in the device’s memory, recovering its content is difficult, which makes this particular technology ineffective.
Challenges of Digital Evidence Collection Methodology
In a forensic process model, digital evidence collection is the process of searching for evidence, recognizing it, and finally gathering and documenting it. It is therefore an important step in a forensic investigation and requires proper procedures or guidelines, because many problems arise if this process is not carried out well. Digital evidence is highly volatile and can easily be compromised if poorly handled, which limits the chances of success in any litigation or criminal prosecution, especially one that depends heavily on strong evidence collected, analyzed, and presented in court by law enforcement agencies.
To understand the challenges associated with collecting digital evidence, it is essential to define digital evidence. I agree with Casey & Turnbull (2010) that digital evidence, also known as electronic evidence, is any form of probative information or data stored or transmitted in a digital form and is viable in court cases under trial. There are various types of digital evidence, such as log files, browser history, databases, calendars, audio files and voice recordings, e-mail messages and attachments, cookies, and bookmarks, among others. However, before digital evidence is presented, the court has to establish whether it is admissible, authentic, accurate, and complete, or whether it is a result of hearsay. All of these depend on the manner in which the digital evidence was first collected, before being preserved. The associated challenges fall into the two categories of evidence collection, namely volatile evidence collection and non-volatile evidence collection.
Digital evidence collection involves collecting data or information from the ROM of the mobile device (Raghav & Saxena, 2009). This process of collecting volatile evidence is prone to problems caused by changes in device status and memory content, which may interfere with the evidence. In a forensic investigation, the decision whether to collect particular evidence at the crime scene or later in a secured forensic laboratory depends on the nature of the situation, especially the current power status of the device, because a mobile device can lose all of its information as soon as its battery runs out. To maintain the power status of the device, adequate power should be supplied, if necessary through adapters; if the battery power cannot be sustained, appropriate tools should be used to image the memory content as soon as possible.
Non-volatile evidence collection, on the other hand, involves obtaining digital evidence from external storage media, such as MMC cards or secure digital (SD) cards, that are supported by mobile devices (Raghav & Saxena, 2009). It should be noted, however, that a problem normally arises when evidence is collected in this manner through synchronized computers if the mechanism breaches the write protection. Care therefore needs to be taken, especially when looking for digital evidence of a non-electronic nature, such as written-down passwords that would help in accessing data or information. While some solutions have been outlined for the challenges of collecting digital evidence discussed so far, what matters more is to devise a responsible plan and procedure that can effectively address the digital forensic situation.
Incident Response Plan and Procedure for Addressing Challenges of Collecting Digital Evidence in Mobile Forensics
It is obvious that acquiring digital evidence early is essential, as it helps forensic investigators avoid loss of data or information through depletion, damage, transportation or storage (Raghav & Saxena, 2009). However, because there is no controlled environment at the crime scene, this kind of evidence acquisition is normally difficult to achieve there, although it can easily be achieved in a current forensic laboratory setting. Let us therefore consider two scenarios in which digital evidence is collected from two mobile devices, one switched on and the other switched off.
Procedurally, in the first case, where the presented mobile phone is switched on and has been accurately identified, collecting the related information is straightforward, since only a few minor issues, such as a PIN/password bypass, need to be dealt with. In such a situation, digital evidence can easily be collected from short messages, multimedia messages, photos, call history, videos, and web history accessed from the mobile device. However, where the mobile device is found switched off, the following procedure must be followed to collect digital evidence.
First, remove the Subscriber Identity Module (SIM) card from the mobile device and collect digital evidence directly from it. Acquiring evidence from SIM cards, however, involves several issues, such as selecting the correct acquisition tool, PIN/password bypass, and, more significantly, issues related to Chinese phones, which are incompatible with various acquisition tools. These issues can be addressed if proper tools are in place. For instance, to address the challenge of PIN/password bypass, especially where the identity module is enabled, a forensic investigator can use a set of codes. He or she may also use advanced decrypting and decoding techniques to recover both deleted and current data from the mobile device. After the required data or information has been collected, it should be verified and analyzed, and the mirrored image presented to the court.
Challenges of Mobile Forensic Preservation Methodology
This phase of forensic investigation entails packaging, transporting, and storing the digital evidence obtained from mobile devices. Preservation is an important phase after digital evidence collection because it maintains the continuity of evidence. Continuity of evidence is the ability of a forensic process to account for everything that has happened to a digital evidence item from the time it was acquired to the moment it is presented in court as an exhibit (John, 2012). Thus, for audio calls or recordings collected from a mobile device, continuity would be established from the investigators’ notes, the exhibit number of the audio recording, and witness statements from exhibit officers and forensic scientists. This process is designed to avoid contamination or manipulation of the evidence.
One of the challenges of preserving digital data is that many electronic files are changed or overwritten if a mobile device that was previously off, or had run out of power, is switched on (John, 2012). In addition, the fragility of digital evidence makes it easy for hackers who wish to contaminate it to manipulate, destroy or alter it. For its admissibility, the party presenting digital evidence in court therefore has to demonstrate beyond reasonable doubt that the evidence has not been tampered with or modified since it was acquired from the crime scene or from the mobile device. An incident response plan and procedure should be developed to address this forensic situation.
Incident Response Plan and Procedure for Addressing Challenges of Preserving Digital Evidence in Mobile Forensics
First, if a mobile device is turned on, do not turn it off; similarly, if it is turned off, do not turn it on. In the first instance, turning off the device may activate lockout features, such as PIN/password protection, which hinder access to and preservation of the evidence. Conversely, turning on a device can change or alter the evidence being obtained and preserved. Moreover, do not run any program on the mobile device, since this may affect the admissibility of the digital evidence.
Secondly, identify and label mobile devices before placing them in anti-static packaging: placing mobile devices in ordinary plastic bags can cause static electricity, which may damage the device and the evidence on it. These evidence bags must also be radio-frequency isolated so that the device cannot connect to other devices. Where data is being transferred from the mobile device, it should be done in small increments to avoid overwriting the evidence. Significantly, where digital evidence is to be transferred from forensic investigators to laboratory examiners and eventually to the court, it should be transferred over an Ethernet connection between the organizations. Caution must be taken, however, to ensure that before any transfer, replicas of the original data and of the disk image are converted to interoperable files in accordance with preservation guidelines, so as to prevent any breach by a hacker attempting to manipulate the digital evidence. Moreover, the digital evidence should be securely stored and transferred in an area and storage facility free of electromagnetic radiation, where it cannot be accessed by unauthorized people.
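The continuity requirement described in the two preceding sections is normally met by hashing the acquired image at acquisition and re-hashing it at every hand-off. As an added example, not code from the essay or any of its sources, the Python below keeps such a custody log: the first entry fixes the acquisition hash, each transfer records whether the copy being handed over still matches it, and a break in the chain can be located. The exhibit identifier, the log fields and the sample image bytes are constructed for this example.

```python
import hashlib
import io
import json
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB chunks so a multi-gigabyte image is never read into memory at once


def hash_stream(stream) -> str:
    """SHA-256 of a readable binary stream (an open image file in real use)."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        h.update(chunk)
    return h.hexdigest()


def _now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def start_custody_log(exhibit_id: str, image: bytes, examiner: str) -> list:
    """First entry of the log: the acquisition hash that every later hand-off is checked against."""
    return [{
        "exhibit": exhibit_id,
        "event": "acquired",
        "actor": examiner,
        "at": _now(),
        "sha256": hash_stream(io.BytesIO(image)),
        "size": len(image),
    }]


def record_transfer(log: list, image: bytes, sender: str, receiver: str) -> bool:
    """Re-hash the copy being handed over and append the result.

    Returns True if it still matches the acquisition hash, False if the copy was altered;
    the entry is written either way so a failed check is itself on record."""
    expected = log[0]["sha256"]
    observed = hash_stream(io.BytesIO(image))
    log.append({
        "exhibit": log[0]["exhibit"],
        "event": "transferred",
        "actor": f"{sender} -> {receiver}",
        "at": _now(),
        "sha256": observed,
        "size": len(image),
        "verified": observed == expected,
    })
    return observed == expected


def chain_intact(log: list) -> bool:
    """The chain holds only if every recorded hash equals the acquisition hash."""
    first = log[0]["sha256"]
    return all(entry["sha256"] == first for entry in log)


def first_break(log: list):
    """Index of the first entry whose hash disagrees, or None if the chain is intact."""
    first = log[0]["sha256"]
    for i, entry in enumerate(log):
        if entry["sha256"] != first:
            return i
    return None


if __name__ == "__main__":
    # Constructed stand-in for an acquired memory image.
    image = b"\x00" * 4096 + b"constructed sample image" + b"\xff" * 4096
    log = start_custody_log("EXHIBIT-ID-PLACEHOLDER", image, "examiner A")
    record_transfer(log, image, "examiner A", "laboratory")
    tampered = image[:-1] + b"\x00"  # one byte changed in the laboratory copy
    record_transfer(log, tampered, "laboratory", "court")
    print(json.dumps(log, indent=2))
    print("chain intact:", chain_intact(log), "| first break at entry:", first_break(log))
```

The log is written as plain JSON so it can be printed and signed alongside the investigator's notes; because each transfer entry carries its own hash and a verified flag, a later reader can see not only that the chain broke but at which hand-off.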
Challenges of Analyzing Digital Evidence in Mobile Forensics
Analyzing digital evidence is the technical review that forensic investigators conduct when examining the evidence that has been collected. This phase helps to identify the links among the fragments of data collected, the significance of the information obtained during examination, and the reconstruction of events from the extracted data, and so helps investigators reach proper conclusions. When dealing with active data from a mobile device, it is usually possible to analyze the acquired messages, call logs, and calendar entries, among other items stored on the device (Sommer, 2012). However, the challenge in analyzing digital evidence arises where massive fragments of data have been collected and there are not enough tools to analyze each item. This is because mobile devices record people’s communications, movements, and online activities, so a great deal of information can be present on a device which, if not carefully analyzed, can affect the evidence being presented. There is therefore a need for a strategy that accurately addresses this situation, as discussed below.
Incident Response Plan and Procedure for Addressing Challenges of Analyzing Digital Evidence in Mobile Forensics
In responding to the massive and fragmented evidence collected from mobile devices for analysis, a forensic investigator must first create a timeline of events in order to understand what happened at the time of the crime. This ensures that he or she looks through the data files, call history, and similar records on the mobile device, and allows the investigator to accurately identify patterns and gaps in the evidence and how it relates to the crime. Secondly, the investigator should validate the results by plotting the temporal data uncovered while tracking an event in a histogram, in order to determine the period during which the criminal activity was most concentrated. Location-based evidence obtained from the histogram can then place a given suspect at the crime scene, helping to reconstruct who was involved, when, and where.
A full relational analysis can also be done to determine the geographical location and the communications or transactions that occurred between the users associated with the mobile device. In relational analysis, an analyst is able to answer questions such as: Which mobile device was used to take the evidential digital photographs? Where were the photographs taken? Was a SIM card inserted in the mobile device? When this type of analysis is coupled with functional analysis, which determines how particular programs work on mobile devices, it can effectively help in understanding the crime or the particular pieces of digital evidence provided. By the end of the analysis, the forensic analysts must have analyzed the metadata and content of the evidence obtained from the mobile devices and created exploratory visualizations of the facts relating to the case. This would then lead to a successful prosecution.
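The timeline, histogram and relational steps in the two paragraphs above can be carried out over a logical extraction with a few lines of scripting. As an added example, not code from the essay or its sources, the Python below sorts constructed call and message records into a timeline, flags gaps in the record, buckets events by hour to find the peak period, reports which serving cells were in use during a given window, and summarizes contact with each remote number. The record layout, the numbers and the cell labels are assumptions made for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed records in the shape a logical extraction of call and message logs
# might yield: (timestamp, kind, direction, remote number, serving cell label).
# Every value here is made up for the example.
RECORDS = [
    ("2013-03-02 21:05:00", "call", "out", "+15550001", "cell-A"),
    ("2013-03-02 21:09:00", "sms", "in", "+15550001", "cell-A"),
    ("2013-03-02 22:40:00", "call", "in", "+15550002", "cell-B"),
    ("2013-03-02 23:02:00", "sms", "out", "+15550001", "cell-B"),
    ("2013-03-02 23:15:00", "call", "out", "+15550001", "cell-B"),
    ("2013-03-02 23:20:00", "sms", "in", "+15550001", "cell-B"),
    ("2013-03-03 01:30:00", "call", "in", "+15550003", "cell-C"),
    ("2013-03-03 08:10:00", "sms", "out", "+15550002", "cell-A"),
]
FMT = "%Y-%m-%d %H:%M:%S"


def load_events(records):
    """Parse the records and sort them chronologically; ordering is the first step of a timeline."""
    events = [
        {"at": datetime.strptime(ts, FMT), "kind": kind, "dir": direction,
         "remote": remote, "cell": cell}
        for ts, kind, direction, remote, cell in records
    ]
    return sorted(events, key=lambda e: e["at"])


def timeline(events):
    """Each event with the gap since the previous one, as (time, kind, dir, remote, cell, gap)."""
    rows, prev = [], None
    for e in events:
        gap = e["at"] - prev["at"] if prev else timedelta(0)
        rows.append((e["at"], e["kind"], e["dir"], e["remote"], e["cell"], gap))
        prev = e
    return rows


def gaps_longer_than(events, hours):
    """Silent periods longer than `hours`, as (start, end, hours): possible holes in the evidence."""
    limit = timedelta(hours=hours)
    out = []
    for at, _, _, _, _, gap in timeline(events):
        if gap > limit:
            out.append((at - gap, at, gap.total_seconds() / 3600))
    return out


def hourly_histogram(events):
    """Event count per hour bucket: the histogram used to see when activity peaks."""
    return Counter(e["at"].strftime("%Y-%m-%d %H:00") for e in events)


def busiest_hour(events):
    return hourly_histogram(events).most_common(1)[0]


def cells_in_window(events, start, end):
    """Serving cells seen between two timestamps (strings in FMT): the location evidence
    for the window in which an event is alleged to have taken place."""
    lo, hi = datetime.strptime(start, FMT), datetime.strptime(end, FMT)
    return Counter(e["cell"] for e in events if lo <= e["at"] <= hi)


def relational_summary(events):
    """Per remote number: how often, in which direction, over which channel, first and last contact."""
    summary = defaultdict(lambda: {"contacts": 0, "in": 0, "out": 0, "kinds": set(),
                                   "first": None, "last": None})
    for e in events:
        r = summary[e["remote"]]
        r["contacts"] += 1
        r[e["dir"]] += 1
        r["kinds"].add(e["kind"])
        r["first"] = e["at"] if r["first"] is None else min(r["first"], e["at"])
        r["last"] = e["at"] if r["last"] is None else max(r["last"], e["at"])
    return dict(summary)


if __name__ == "__main__":
    ev = load_events(RECORDS)
    for at, kind, direction, remote, cell, gap in timeline(ev):
        print(f"{at}  {kind:<4} {direction:<3} {remote}  {cell}  (+{gap})")
    print("gaps over 2h:", gaps_longer_than(ev, 2))
    print("busiest hour:", busiest_hour(ev))
    print("cells 22:30-23:30:", cells_in_window(ev, "2013-03-02 22:30:00", "2013-03-02 23:30:00"))
    for number, r in relational_summary(ev).items():
        print(number, r)
```

The gap report is what makes missing data visible: a long silence may simply be the device being idle, but it may also be a deleted range of records, and either way it is something the examiner has to explain rather than overlook.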
Appropriate Digital Forensic Techniques for Network, Internet, and Cloud-Based Environment
In order to address the challenges associated with mobile forensic technology and examiner training, appropriate digital forensic techniques must be developed. In the current networked environment, where services and systems are interlinked, data and services are consumed either through the internet or via cloud computing, which complicates any digital security investigation. In response, cloud computing requires changes to existing corporate and security policies on remote access and data usage over the internet, and it requires a digital forensic technique that is able to report on and analyze any breach of the privacy and audit mechanisms of a given corporate enterprise.
Currently, digital forensic examiners encounter challenges, especially in examining the content of the mobile and digital devices obtained. This is because they have not fully understood how porous the network and the internet have become and, more significantly, how traditional forensics does not fit within the distributed cloud computing environment (Parate & Nirkhi, 2012). As a result, digital forensic investigators have not fully understood what examination needs to be done, what kind of evidence should be obtained, and what legal issues must be adhered to when performing mobile forensics. For instance, a low-tech technique has been used that manipulates the phone by navigating through e-mail, photographs, or the contact list while videotaping the results at the same time (Parate & Nirkhi, 2012). This kind of digital forensic examination not only manipulates but also changes the content of the very evidence required. Importantly, failure to comply with legal regulations can affect the admissibility of the evidence presented, and this can lead to a potential payout, meaning further expense in compensating a vindicated suspect.
To address the above concerns, a digital forensic examiner can use a network interface to access the mobile device and obtain the essential data or information required. This technique ensures that all details of the evidence accessed are documented through videotaping or photographing. Secondly, an examiner can use logical acquisition techniques, in which he or she interacts with the mobile device via a communication protocol, such as AT commands, to extract data that can be accessed through the device’s operating system. Thirdly, a forensic investigator can use firewalls and honeypots to track the malicious activities of hackers; in doing so, it is possible to record the IP address and geographical location of the hackers, the device used, and the data being accessed. Any of these pieces of information may serve as important digital evidence in court.
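The logical acquisition route mentioned above (AT commands) produces plain-text responses that the examiner has to parse and document. As an added example, not code from the essay or from any acquisition tool, the Python below parses a constructed transcript of a text-mode AT session, reading a SIM phonebook with +CPBR and listing stored messages with +CMGL (the response layouts follow 3GPP TS 27.007 and TS 27.005, which is an assumption of this example rather than something the essay states), logs every command with its result code so the session is documented, keeps any line it cannot interpret, and cross-references message senders against the phonebook. All numbers, names and message texts are made up.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed transcript of a text-mode AT session. Command syntax and reply layouts
# follow 3GPP TS 27.007 (+CPBR) and TS 27.005 (+CMGL); every number, name and
# message text here is invented for the example.
TRANSCRIPT = """\
AT+CPBS="SM"
OK
AT+CPBR=1,3
+CPBR: 1,"+15550001",145,"Alice"
+CPBR: 2,"+15550002",145,"Bob"
+CPBR: 3,"0123",129,"Voicemail"
OK
AT+CMGL="ALL"
+CMGL: 1,"REC READ","+15550001",,"13/03/02,21:09:00+00"
see you at nine
+CMGL: 2,"REC UNREAD","+15550002",,"13/03/02,22:41:10+00"
call me back
OK
"""


@dataclass
class PhonebookEntry:
    index: int
    number: str
    number_type: int  # 145 = international format (+ prefix), 129 = national
    name: str


@dataclass
class Message:
    index: int
    status: str
    number: str
    timestamp: str
    text: str


# +CPBR: <index>,"<number>",<type>,"<text>"
CPBR = re.compile(r'^\+CPBR: (\d+),"([^"]*)",(\d+),"([^"]*)"$')
# +CMGL: <index>,"<stat>","<oa/da>",[<alpha>],"<scts>"   (message text follows on the next line)
CMGL = re.compile(r'^\+CMGL: (\d+),"([^"]*)","([^"]*)",(?:"[^"]*")?,"([^"]*)"$')
RESULT_CODES = ("OK", "ERROR", "+CME ERROR", "+CMS ERROR")


def parse_transcript(text: str):
    """Return (phonebook entries, messages, command log, unparsed lines).

    The command log pairs each AT command with its final result code, giving a record
    of exactly what was asked of the device. Lines matching no known layout are kept in
    `unparsed` rather than dropped, so nothing in the capture is lost silently."""
    entries: List[PhonebookEntry] = []
    messages: List[Message] = []
    command_log: List[Tuple[str, str]] = []
    unparsed: List[str] = []
    current_cmd = None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        if line.startswith("AT"):
            current_cmd = line
        elif line.startswith(RESULT_CODES):
            command_log.append((current_cmd, line))
        elif (m := CPBR.match(line)):
            entries.append(PhonebookEntry(int(m[1]), m[2], int(m[3]), m[4]))
        elif (m := CMGL.match(line)):
            body = lines[i + 1].rstrip() if i + 1 < len(lines) else ""
            messages.append(Message(int(m[1]), m[2], m[3], m[4], body))
            i += 1  # the message body line has been consumed
        elif line:
            unparsed.append(line)
        i += 1
    return entries, messages, command_log, unparsed


def attribute_messages(entries, messages):
    """Relational step: label each message with the phonebook name for its number,
    falling back to the raw number when the phonebook has no match."""
    names = {e.number: e.name for e in entries}
    return [(msg.index, names.get(msg.number, msg.number)) for msg in messages]


if __name__ == "__main__":
    entries, messages, log, unparsed = parse_transcript(TRANSCRIPT)
    for cmd, result in log:
        print(f"{cmd:<16} -> {result}")
    for idx, who in attribute_messages(entries, messages):
        print(f"message {idx} from {who}")
    print("unparsed lines:", unparsed)
```

Keeping the command log and the unparsed lines is the documentation half of the technique: the examiner can show which commands were issued, that each completed with OK, and that no response line was discarded on the way to the report.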
With the crimes now emerging from mobile devices, mobile forensics is an important discipline that should be strengthened. All the incident response plans and procedures involved in this process should ensure that the credibility, admissibility, and authenticity of the digital evidence presented to the court are enhanced. Forensic examiners should understand that digital evidence is fragile and can easily be manipulated, and therefore requires great care in handling.