Mastering Mobile Forensics

Smartphone forensics challenges

Unlike in a traditional computer forensics investigation, mobile forensics skills are in high demand in today's investigations because many factors make gathering digital evidence from a smartphone a painful task: the constant changes in mobile operating systems, the diversity of standards, data storage technologies, and data protection procedures. In contrast to a computer investigation, a mobile investigation can hardly be standardized. For each device model, and depending on the services it makes available to its owner, a very wide range of evidence categories is distinguished in mobile forensics.

Storage and the wide range of daily growing functionalities make today's smartphones a rapidly changing and challenging environment for forensic investigators.

The most challenging aspects of smartphone forensics are discussed in the following sections.

Operating systems' variety and changeability

In contrast to computers, major smartphone operating systems can vary significantly from one smartphone to another; any Android, iOS, Windows Phone, or BlackBerry version can be found on the smartphones and tablets on the market. Operating system updates are very frequent among vendors, and major updates are usually released every quarter. The main issue is keeping up with these environment changes, and it is accentuated by the fact that major OS and forensic tool developers consider their respective developments trade secrets and do not release information regarding the low-level workings of their code.

In addition to this, the growth of "less common" operating systems, such as Windows Phone, requires a lot of forensic experience.

Important hardware variations

By definition, a smartphone is a portable device and is meant to have a wide set of functionalities. The hardware architecture of smartphones is significantly different from computers and it also varies from one mobile manufacturer to another.

A smartphone is typically composed of a microprocessor, main board, ROM and RAM memories, touch screen and/or keyboard, radio module and/or antenna, display unit, microphone and speakers, digital camera, and GPS device. The operating system is generally stored in ROM and can be flashed or updated according to the hardware or operating system.

The same manufacturer usually produces highly customized operating systems to fit its hardware specifications, and depending on the phone provider, manufacturers may further customize the same device to suit demand. The replacement cycle for smartphones and customers' smartphone upgrades are the shortest of any device category; as a result, forensic examiners must keep hundreds of adapters and power cords to match the type of hardware.

Different filesystems

Different operating systems and different hardware mean different ways of storing data and different filesystems. The same application running under Android, for example, stores its data quite differently from its counterpart running under iOS.

A variety of file formats and data structures are adopted depending on the manufacturer; this fact significantly complicates the decoding, parsing, and carving of information.

This difference in filesystems means that forensic tools are unable to process some files and must be updated very frequently in order to keep pace with OS updates; otherwise, forensic examiners may have to process data and device images manually.

Built-in security

A smartphone's built-in security features are present at many levels to protect user data and privacy. User locks in today's smartphones range from simple four-digit PINs to longer, more complex passcodes or pattern locks; the newest smartphone models can even have fingerprint locks and use biometrics to identify the user. It is true that some commercially available tools offer password extraction or lock screen bypassing, but this is not available for every device. Some smartphones (with or without the help of third-party applications) can offer password protection for individual files, file types, or directories; in this case, sensitive data such as SMS messages, e-mails, and photos can be individually protected. Newer OS versions offer full-disk encryption, which can be a real pain to decrypt during data acquisition. Smartphone operating systems also offer application sandboxing, meaning that no application can directly access the space allocated to another application or to system resources; each application is installed in its own sandbox directory, so data within the sandbox is guaranteed some level of protection.

Encrypted data wiping

Data wiping is not data deletion; wiped data cannot be recovered, or at least not easily. Encrypted data can be wiped with a variety of methods depending on the smartphone configuration; data can be wiped via desktop managers or after a wrong password has been entered a predefined number of times. Encrypted data can be wiped remotely on most modern smartphones: BlackBerry devices can be remotely wiped via BlackBerry Enterprise Server, iPhone devices via iCloud, Android devices via Google Sync, and Windows Phone devices via the Find My Phone service. This is why the isolation phase of mobile forensics is important: a seized device that can still receive a remote wipe command can lose its evidence.

Data volatility

A lot of important evidentiary data resides within a smartphone in a volatile way, which adds an important consideration when seizing a device. Smartphones impose this constraint on forensic examiners: seized devices must be kept turned on and isolated to prevent data loss or the overwriting of present data.

The cloud

To save memory and storage space, or for backup purposes, today's devices store a lot of important data in the cloud; e-mails, photos, videos, files, notes, and so on are not necessarily preserved within the internal memory of the device, especially relatively old data.

Most vendors offer a few gigabytes free of charge for this purpose, and in most cases data is automatically synchronized with an account in the cloud: Android data is sent to Google, iPhone data is sent to iCloud, and Windows Phone data is synchronized with OneDrive. In addition, some third-party services, such as Dropbox, are also offered free of charge up to a certain point. In some cases, gathering evidence is not only a technical task but also, and above all, a legal one, since requests must be addressed to the cloud storage services for us to receive the desired data.

The growing need for advanced smartphone forensic skills is indisputable: smartphone investigation has become more challenging, tools become outdated rapidly, and the scope they cover in each case is smaller. Analysis, coding, and understanding and handling low-level techniques are now "must have" skills for smartphone investigators and are more important than ever.