Data Acquisition in Mobile Forensics: The Critical Process to Collect Mobile Evidence
2022-01-28
In the last couple of decades, mobile phones have greatly influenced people’s lives. Every person owns a mobile device that holds unique information about their identity, location, routine, and much more, and analyzing the patterns in that data helps to investigate criminal activity. Hence, in this day and age, Mobile Forensics has emerged as a separate branch of Digital Forensics.
Mobile forensics is the field of digital forensics that deals with mobile devices, obtaining evidence, and gaining data insights. The evidence obtained from a mobile phone may give a wealth of information and can be a valuable source of information in criminal investigations.
In this article, we will discuss the most important aspect of mobile forensics: data acquisition.
When we look at the bigger picture, there are mainly six steps in which a Digital forensic examiner performs mobile forensics for criminal investigation or legal proceedings:
Identification: The first step of mobile forensics is identifying the device that was involved in the criminal act.
Preservation: Once the device is identified, it’s isolated. With advanced technology, it’s easier to contaminate the data in mobile devices – criminals are usually good at this. So, it’s best to cut off any connection it has to the outside world.
Data Acquisition: It is the most critical process in mobile forensics. If digital evidence isn’t collected properly, it can be rendered useless in court. Data acquired from the SIM card, memory locations, etc. can provide investigators with valuable information that can be used as evidence. We elaborate on this process in detail in the later sections of this article.
Analysis: Now that the data is acquired, it can be examined to get insights into criminal activity.
Documentation: Documentation is prepared for all the insights gathered from the evidence collected from mobile devices.
Presentation: The information acquired from mobile forensics is prepared to be accepted by the judiciary as a piece of evidence.
Mobile Forensics: Data Acquisition
When we are dealing with data acquisition in mobile forensics, we are dealing with massive data. The data is in the form of call logs, files, chats, messages, GPS location, browser history, etc.
Data Acquisition Challenges
The real challenge is to maintain the integrity of this data while acquiring it for analysis.
Another challenge is to recover the deleted and obsolete data from a mobile device.
To address these issues, we will look at the current techniques of data acquisition in mobile forensics.
Data Acquisition Techniques
1. Logical Acquisition
Logical acquisition acquires bit-by-bit copies of logical storage objects from their allocated space. Slack space cannot be acquired, so logical data acquisition cannot overcome the challenge of obtaining deleted data.
It works best on unrooted mobile phones.
To start with logical data acquisition, the USB debugging mode needs to be enabled.
ADB Pull
The ADB daemon runs with the shell permissions on unrooted devices. The files containing evidence are not accessed easily. However, some data that are not encrypted and other files like browser history, device information, etc., can be extracted.
If you have root privileges, this method can be used to extract evidential files for Mobile Forensics.
For the operating procedure of this technique, you can check out our previous article for a better understanding.
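The following is an added example, not taken from the original article or from any tool it names: an ADB pull into a case directory followed by a SHA-256 manifest, so that the integrity challenge described earlier can be checked after acquisition. The case directory layout, file names and function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: logical acquisition over ADB plus an integrity manifest.
# Assumes adb (USB debugging authorized) and GNU sha256sum on the workstation.

# Pull a remote path into <case>/data; -a keeps device timestamps and modes.
acquire_logical() {
    remote="$1"; case_dir="$2"
    mkdir -p "$case_dir/data"
    adb get-state >/dev/null 2>&1 || { echo "no authorized device" >&2; return 1; }
    adb shell getprop ro.serialno > "$case_dir/device_serial.txt"
    adb pull -a "$remote" "$case_dir/data/"
}

# SHA-256 of every file under <case>/data, sorted by path for stable output.
hash_tree() {
    ( cd "$1/data" && find . -type f -exec sha256sum {} + | sort -k2 )
}

# Write the manifest and print its own hash for the examiner's notes.
write_manifest() {
    hash_tree "$1" > "$1/manifest.sha256"
    sha256sum "$1/manifest.sha256" | cut -d' ' -f1
}

# Succeeds only if no file was changed, added or removed since the manifest.
verify_manifest() {
    hash_tree "$1" | cmp -s - "$1/manifest.sha256"
}

# Device-free check on constructed files standing in for a finished pull.
selftest() {
    c=$(mktemp -d) && mkdir -p "$c/data/sdcard"
    printf 'constructed sample\n' > "$c/data/sdcard/note.txt"
    write_manifest "$c" >/dev/null
    verify_manifest "$c" && r1=intact || r1=changed
    printf 'x' >> "$c/data/sdcard/note.txt"
    verify_manifest "$c" && r2=intact || r2=changed
    rm -rf "$c"
    echo "$r1 $r2"
}

if [ "${1:-}" = "--selftest" ]; then selftest; fi
```

Record the hash printed by write_manifest in the case notes at acquisition time, and run verify_manifest on the working copy before each analysis session.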
The backup analysis method makes use of the backup image obtained from the phone for the investigation. Some phones utilize backup options like SD Card and Cloud Storage.
AFLogical
AFLogical is an Android forensics logical technique that is free for law enforcement and government agencies. It’s open-source and available on GitHub. It can extract data from SMS, Contacts, and Calendar applications on your phone.
Among all these tricks, Automatic Logical Extraction is a feature provided by SPF Pro (SmartPhone Forensic System Professional) and it’s the easiest way to carry out logical data acquisition. The process is completely automatic and takes place in a few simple steps provided on the product page.
2. Physical Acquisition
Physical acquisition is done by creating bit-by-bit copies of the physical storage. It helps in extracting the deleted data along with the other content present on the phone.
Physical acquisition requires root-level access to the device for complete control, and rooting a phone can be a little problematic since it modifies the data present in the device.
We don’t recommend that those without deep mobile forensics knowledge apply the technique. Instead, it is better to request a mobile forensics service from an expert digital forensic solution provider when you do need to apply physical acquisition.
Hardware components are removed physically from the device.
Connected hardware is used with the device to extract data.
This method works on unrooted devices when performed by a professional forensic examiner.
Following are the two methods of hardware-based data acquisition:
JTAG (Joint Test Action Group) is a physical data acquisition method that connects to the TAPs (standard test access ports) on a device to transfer the raw data directly from the memory chips to the connected hardware.
ChipOff is not a recommended procedure since it can result in damaged chips. ChipOff requires the physical removal of NAND chips to extract data.
The software-based acquisition doesn’t cause any physical harm to the device. However, root privilege is required along with USB Debugging enabled.
Hardware components are not removed; hence the device stays in its original condition.
As complicated as the process of acquiring data sounds, the market is flooded with various open-source and proprietary mobile forensics tools that help in the easier acquisition of mobile data for Forensic Investigators.
Mobile forensic tools like SPF Pro (Smart Phone Forensic System Professional) have made the process of data extraction easier than it has ever been. You can not only extract but recover data in a forensically sound manner without any hassle.
Automatic logical extraction is an excellent feature provided by the SPF Pro which doesn’t require an experienced forensic investigator to recover the data from a mobile device.
Summary
Mobile forensics, a branch of digital forensics, is becoming very popular in the current age of technology. Its most important process, data acquisition, is a vast area that’s making the best use of the latest technology trends.
As big data is trending, data acquisition in mobile forensics will continue to evolve and become better with the fast-paced technological world. Technology will continue to strive.