The enormous number of mobile phones in use worldwide demands special knowledge and skills from forensic experts. Being an experienced computer forensics expert is often not enough to understand all the peculiarities and difficulties of mobile forensics. This article describes the technical problems that specialists in mobile forensics encounter.
Operating systems and manufacturers
The desktop market is divided between three major operating systems: Microsoft Windows, OS X from Apple Inc. and the Linux variants. The situation with mobile operating systems is the opposite. Each year brings a new major player, and the previous year's leaders can quickly lose their positions. At the moment the mobile OS market share looks like this: Android OS 52.5%, Apple iOS 16.9%, BlackBerry OS 11%, Symbian 16.9%, Microsoft 8.7%. Compared with the distribution two years ago (Android OS 3.9%, Apple iOS 14.4%, BlackBerry OS 19.9%, Symbian 46.9%, Microsoft 1.5%) the change is fundamental. Although all of these systems offer roughly the same functions, they differ considerably in how data is stored, in access rights, and in security and other settings. Microsoft, for example, produces two mobile operating systems, Windows Mobile and Windows Phone, which can be counted separately: both come from the same developer, and Windows Phone is formally the successor of Windows Mobile, but that is where the similarity ends.
Of the systems listed, only iOS and BlackBerry OS are tied to a single manufacturer, and Apple is the only company that uses one OS across all of its devices (BlackBerry released its new PlayBook on QNX and plans to use it in all its forthcoming smartphones). Phones from other manufacturers can therefore be based on almost any existing OS. Samsung, for example, one of the world market leaders, has produced and still produces devices based on Android, Symbian, Windows Mobile and Windows Phone as well as on its proprietary Bada platform. Another market leader, Nokia, has shipped millions of devices on its own proprietary operating system in addition to the old favourite, Symbian OS, and the new Windows Phone. And one cannot ignore the hard-to-estimate Chinese market with its dozens of operating systems, hundreds of manufacturers and thousands of models.
All this turns the world of mobile phones into a huge and diverse zoo in which identifying an individual specimen is genuinely hard. Sometimes you cannot even trust the manufacturer's name printed on the phone. Devices from the Chinese company Nokla replicate the look and even the model names of Nokia phones but have nothing in common with the originals in their OS. For Samsung and LG it has become common practice to produce models that are virtually indistinguishable in appearance but run different operating systems.
To connect a phone, then, an expert has to choose the right model from a list of thousands of names. The smartest software tools make life easier by identifying the model of the device plugged in, but this works only for USB connections (admittedly the most common). Note that most popular mobile forensics tools run only under Windows, where the benefit is reduced by the fact that the appropriate USB driver must be installed before the phone is connected. Finding that driver can be a real headache, because the expert does not receive the phone in a new box with a CD attached, and visiting the manufacturer's site is not always a solution, especially when the model has already gone out of production. Devices from Apple, Nokia or Motorola are not hard to connect: in most cases a single driver is enough to work with all phones made by the company.

The situation with Android OS phones is the opposite. Google, the developer of the OS, offers an official driver for download (it is also included in the Android SDK), but it works only with Google-branded phones (Nexus, Nexus S, Nexus 3) and with the devices made available to developers as reference hardware (for example, the T-Mobile G1). Drivers for all other devices have to be found on the Internet. Fortunately, many forensic tools ship a driver pack for all the models they support. If several mobile forensics products are installed on one computer, the expert must be careful: the driver packs from different vendors may contain older driver versions that interfere with each other. In addition, 64-bit Windows will most likely need a separate version of the drivers.
A few words should also be said about software products for Mac OS. Although Mac OS has none of the Windows driver problems, almost all such products (Lantern, BlackBag) support Apple devices only and are of no help with other phones. The choice of universal products is therefore limited to Windows software.
Along with finding an appropriate driver comes another problem: finding an appropriate cable. Most modern phones use miniUSB or microUSB connectors. Relatively old models, as well as devices with no official cable connection at all, require custom cables. Most vendors include a set of cables in the package, and these usually cover over 90% of the supported phone models. The cables are also largely interchangeable, so a particular product can be used with cables that came with another one.
Most modern phones are also equipped with Bluetooth and WiFi modules, which provide a wireless connection. If a USB connection is impossible (the connector is damaged, or no cable or driver can be found), Bluetooth or WiFi is the only way to retrieve data from the phone. Unfortunately, no software is able to read data via Bluetooth from devices based on Apple iOS or Android OS, and none of the tools uses WiFi for data transfer.
Logical vs Physical
The common classification of data extraction today distinguishes two approaches, physical and logical. The physical approach extracts data at a low level (often with the help of special hardware). The logical approach uses the communication protocols the phone offers at a higher level. The advantages and disadvantages of each are clear. The physical method yields the contents of the entire phone memory as is, but it is usually time-consuming and requires complex and expensive equipment. The result is a raw image that in most cases is encrypted. Even if you are lucky enough to decrypt the image (nobody has managed to do this for BlackBerry, for example), further analysis requires special and sophisticated software tools. The logical method yields data in a human-readable form immediately, but unfortunately the amount of data acquired is much smaller, because the APIs the phone provides were not designed for forensic purposes but for operating the phone as a modem and for synchronising data with desktop PIM software.
In 2004 Oxygen Software introduced a new method that greatly improved the quality of data extracted logically. It consists of installing a specially designed application (the so-called Agent) on the device. The Agent uses every possibility the operating system offers and returns information that is not available through the standard API but is forensically important: logs, temporary files, caches, deleted data and so on. Sometimes the Agent also simplifies and speeds up connecting to the device and exchanging data with it.
Several years ago this method raised serious doubts about its forensic soundness: the basic principle that the data on the phone must remain unchanged is formally violated. In fact the user data stays unchanged (with a properly designed agent), and a phone that is switched on cannot be "frozen" anyway. Modern smartphones are miniature PCs with a fully functional OS and dozens of processes running at the same time (even if none of them was started manually), all of them constantly using the device's RAM and file system. For example, on Symbian OS a system process maintains the call log, and even if you put a Symbian phone into a Faraday bag and close all running applications, after some time the old log entries will still be deleted.
In fact, using the standard logical methods to retrieve data is even more dangerous than reading it with an agent. The point is that the data exchange on the phone side is handled by a corresponding process, in effect the same kind of agent, but unlike "our" agent its side effects are unknown. Its source code is usually unavailable, and data is often read through the synchronisation mechanism, which potentially threatens major changes to the user data. Moreover, the phone may run an old OS version that does not allow all available information to be read, and the remedy would be updating all the software on the phone. A forensic agent has none of these drawbacks.
As a result, the mobile forensics community has come to accept this method as trusted, and it is now used by almost all developers of mobile forensic tools: Cellebrite, .XRY, Paraben and others. For Android OS devices this approach is in practice the only option for logical data retrieval; such applications are also widely used for Symbian OS and Windows Mobile devices.
Software assessment. Which tool?
Today's market offers more than a dozen software and hardware solutions for extracting and analysing data from mobile devices, many of which combine the physical and logical approaches. So the obvious question is: which one to use?
Unfortunately, analysing the product descriptions on the developers' sites does not give a clear understanding of a product's functions and features. First, there is confusion of terms: "support for more than seven thousand profiles" actually means support for about 3000 models, once the different extraction methods for the same model and identical models sold under different brands are taken into account. Second, stated support for a certain manufacturer's products does not imply support for all the models it produces, and a detailed description of what can be read from a device is often given not per model but for a whole range. Investigators must also remember that support for a particular function can be implemented at different levels. MMS messages, for example, may simply be read as container files; the expert must then find them (which requires knowing the file system specifics of the particular model) and decode them (there are several common as well as proprietary formats for MMS encoding). The support level is usually not specified in the description.
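As an added example (not part of the original article and not code from any vendor's tool), the following Python decoder shows what "decoding" an MMS container involves once the file has been located. It parses the header block of a binary MMS PDU in the OMA MMS Encapsulation format, which reuses the WSP compact header encoding; the field codes, value types and message-type values follow that specification, while the sample m-retrieve-conf PDU is constructed here for illustration and was not captured from a phone. Proprietary container formats used by some handsets, and the multipart body itself, are outside its scope.

```python
"""Decode the header block of a binary MMS PDU (OMA MMS Encapsulation, WSP
compact header encoding). Added example; SAMPLE_PDU is constructed, not captured."""
from datetime import datetime, timezone

# Well-known header field codes; on the wire the byte is code | 0x80.
FIELDS = {0x04: "Content-Type", 0x05: "Date", 0x09: "From", 0x0B: "Message-ID",
          0x0C: "X-Mms-Message-Type", 0x0D: "X-Mms-MMS-Version", 0x16: "Subject",
          0x17: "To", 0x18: "X-Mms-Transaction-Id"}
MESSAGE_TYPES = {0x80: "m-send-req", 0x82: "m-notification-ind", 0x84: "m-retrieve-conf"}
CHARSETS = {3: "ascii", 4: "latin-1", 106: "utf-8"}          # IANA MIBenum -> codec
MEDIA = {0x23: "application/vnd.wap.multipart.mixed", 0x33: "application/vnd.wap.multipart.related"}

class Reader:                         # cursor over the PDU plus the WSP primitive decoders
    def __init__(self, data):
        self.data, self.pos = data, 0
    def peek(self):
        return self.data[self.pos]
    def byte(self):
        self.pos += 1
        return self.data[self.pos - 1]
    def uintvar(self):                # 7 data bits per byte, high bit = more bytes follow
        v, b = 0, 0x80
        while b & 0x80:
            b = self.byte()
            v = (v << 7) | (b & 0x7F)
        return v
    def value_length(self):           # Short-length (<31), or 31 followed by a Uintvar
        first = self.byte()
        if first > 31:
            raise ValueError("no Value-length at offset %d" % (self.pos - 1))
        return self.uintvar() if first == 31 else first
    def text_bytes(self):             # null-terminated; 0x7F quotes a first byte >= 0x80
        if self.peek() == 0x7F:
            self.pos += 1
        end = self.data.index(b"\x00", self.pos)
        s, self.pos = self.data[self.pos:end], end + 1
        return s
    def short_integer(self):          # one byte with the high bit set
        b = self.byte()
        if b < 0x80:
            raise ValueError("Short-integer expected at offset %d" % (self.pos - 1))
        return b & 0x7F
    def long_integer(self):           # Short-length, then big-endian bytes
        n = self.byte()
        v = int.from_bytes(self.data[self.pos:self.pos + n], "big")
        self.pos += n
        return v
    def encoded_string(self):         # Text-string | Value-length Char-set Text-string
        if self.peek() <= 31:
            self.value_length()
            charset = CHARSETS.get(self.short_integer(), "utf-8")
            return self.text_bytes().decode(charset, "replace")
        return self.text_bytes().decode("utf-8", "replace")
    def media_type(self):             # well-known Short-integer or Extension-media text
        if self.peek() >= 0x80:
            return MEDIA.get(self.short_integer(), "well-known media")
        return self.text_bytes().decode("ascii", "replace")

def parse_mms_headers(pdu):
    """Return (headers, body_offset); stops after Content-Type, the last header before the body."""
    r, hdr = Reader(pdu), {}
    while r.pos < len(pdu):
        name = FIELDS.get(r.byte() & 0x7F)
        if name is None:              # a real tool needs the complete OMA field table here
            raise ValueError("unsupported header at offset %d" % (r.pos - 1))
        if name == "X-Mms-Message-Type":
            hdr[name] = MESSAGE_TYPES.get(r.byte(), "unknown")
        elif name == "X-Mms-MMS-Version":
            v = r.short_integer()     # major version in the high nibble, minor in the low
            hdr[name] = "%d.%d" % (v >> 4, v & 0x0F)
        elif name == "Date":
            hdr["Date-epoch"] = ts = r.long_integer()   # seconds since the Unix epoch
            hdr[name] = datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()
        elif name == "From":          # Value-length, then Address-present (0x80) or Insert-address (0x81)
            end = r.value_length() + r.pos
            hdr[name] = r.encoded_string() if r.byte() == 0x80 else "<insert-address>"
            r.pos = end
        elif name == "Content-Type":  # Content-general-form carries a length plus parameters
            end = r.value_length() + r.pos if r.peek() <= 31 else None
            hdr[name] = r.media_type()
            return hdr, end or r.pos  # parameters (start, type, ...) are skipped here
        else:                         # To, Subject, Message-ID, Transaction-Id
            hdr[name] = r.encoded_string()
    return hdr, r.pos

# Constructed m-retrieve-conf PDU (not a real capture); one header per line.
SAMPLE_PDU = (
    b"\x8C\x84"                                # X-Mms-Message-Type: m-retrieve-conf
    b"\x98T1\x00"                              # X-Mms-Transaction-Id "T1"
    b"\x8D\x90"                                # X-Mms-MMS-Version 1.0
    b"\x85\x04\x4E\x7E\x23\x40"                # Date: 4-byte Long-integer
    b"\x89\x18\x80+15551234567/TYPE=PLMN\x00"  # From: Value-length 24, Address-present
    b"\x97+15557654321/TYPE=PLMN\x00"          # To: plain Text-string
    b"\x96\x07\xEAHello\x00"                   # Subject: Value-length 7, charset 106 (utf-8)
    b"\x84\xB3"                                # Content-Type: multipart.related
    b"\x00"                                    # body: multipart with zero entries
)

if __name__ == "__main__":
    for key, value in parse_mms_headers(SAMPLE_PDU)[0].items():
        print("%-22s %s" % (key, value))
```

Running the module prints the decoded headers; `parse_mms_headers` also returns the offset at which the multipart body starts (75 for the sample), which is where a full decoder would continue with the parts. The parser deliberately stops at an unknown field rather than guessing, because a header's length depends on its value type; getting any of this wrong silently misplaces every later field, which is exactly why "read as a container file" is a much weaker level of support than "decoded".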
Reviews and tests by NIST and by various independent experts (for example, viaforensics.com) come to the rescue. It is not hard to find detailed comparisons of how the tools handle Apple devices, but one has to be lucky to find a review of a specific model from Samsung or Nokia, which have each released more than a hundred models (compared with ten from Apple).
So which one to choose? Practitioners' experience shows that no single product can be used for all cases. Within the limits of their budget, experts have to keep a set of several tools and pick the most appropriate one for each case according to their own experience and the advice of the community. An image taken from a modern device can measure tens of gigabytes (a 64 GB iPad, for example), so a product's features for analysing the extracted data become a major priority. Today all products use more or less the same methods of data extraction, and the speed, completeness and depth of analysis of the extracted information matter no less.
Besides questions of forensic purity, examiners have to deal with purely technical problems, starting with identifying the manufacturer and operating system of a specific phone, which the great variety of modern phones makes a real challenge. When choosing software for an investigation it is important to be fully aware not only of what data can and cannot be extracted from the device in principle, but also of how much of that data the specific software can retrieve and process.