Mobile Investigation Process¶
Mobile Investigation Process¶
Covered here
(Add points from ppt)
Considerations
- The evidence is usually transported using anti-static bags(Faraday bags) which are designed to protect electronic components against damage produced by static electricity.
- As soon as the device is seized, care should be taken to make sure that our actions don't result in any data modification on the device.
- At the same time, any opportunity that can aid the investigation should also not be missed.
- Disabling the network to prevent further communications
Things to do once you acquire the mobile:
If mobile is unlocked
- If there is a chance disable passcode.
- If the device in unlocked, change settings to allow greater access to the device.
- Enable USB debugging: Enabling this option gives greater access to the device through Android debug bridge (adb) connection – aids in data extraction process
- this option is usually found under Settings | Developer options,
- In later Android versions starting from 4.2, the developer options are hidden by default. To enable them, navigate to Settings | About Phone and tap on Build number 7 times.
- Enable Stay awake settings
- Turn on airplane mode
- need to prevent the device from interacting with wireless radio networks
- high probability that an attacker can issue remote wipe commands to delete all data, including emails, applications, photos, contacts, and other files on the device.
- The Android Device Manager (ADM) and several other third-party apps allow the phone to be remotely wiped or locked.
- This can be done by signing into the Google account that is configured on the mobile device.
- Turn off location data
- An attacker can also locate the device, which could pose a security risk. For all these reasons, isolating the device from all communication sources is very important.
[Diagram — add to assets/ if available]
If mobile is locked:
Isolating the mobile from the network directly may not always be possible on devices that are screen-locked. Also, as Wi-Fi is now available in aeroplanes, some devices now allow Wi-Fi access in Airplane mode.
- Alternate solution would be to use a Faraday bag or RF isolation box, as both effectively block signals to and from the mobile phone.
- isolation methods make it is difficult to work with the phone because you cannot see through them to use the touch screen or keypad.
- For this reason, Faraday tents and rooms exist
Mobile Investigation Process¶
Reporting¶
Documentation of the examination should be done throughout the process, noting down what was done in each phase. The following points might be documented by an examiner:
- Date and time the examination started
- Physical condition of the phone
- The status of the phone when received (ON/OFF)
- Make, model, and operating system of the phone
- Pictures of the phone and individual components
- Tools used during the investigation and examination
- Data documented during the examination
The data extracted from the mobile device should be clearly presented to the recipient so that it can be imported into other software for further analysis.
In the case of civil or criminal cases, wherever possible, pictures of data, as it existed on the cellular phone, should be collected, as they can be visually compelling to a jury
PC v/s Mobile Forensics¶
Use of write blockers is not effective. Why?
- In mobile forensics, since we need to interact with the device to pull the data (requires a communication vector, agent), write blockers are not of any use
- Even after taking all precautions (disconnecting, Faraday bags, etc.), certain automatic functions, such as alarms, can trigger.
- If such a situation is encountered, it must be properly documented
Unlike traditional disk forensics - where you can image a powered-off drive and get a bit-for-bit identical copy - mobile forensics involves active, live systems that
- Are constantly writing logs and other data
- app background sync happening
- clock-based changes
Hash the Extracted Image or Files, Not the Live Device
- Example: If you extract the WhatsApp database using AXIOM or UFED, the tool hashes the msgstore.db file. That hash can be independently verified and used in court — even if the underlying device log files changed.