[Maarten Van Horenbeeck] [Information Security] [Resources]
Key constraints in forensic mobile device acquisition
When investigating potential policy breaches or during criminal investigations, mobile devices such as cell phones and PDAs can provide data to confirm, disconfirm or generate hypotheses on the incident. Obtaining access to this information in a trustworthy manner is of prime importance to being able to use it as evidence. This short paper serves as a brief introduction to some of the key constraints regarding the acquisition of forensic data from mobile devices.
The acquisition environment
The physical environment
In general, computer hardware is costly. People attempt to protect it as much as possible from theft and physical harm by placing it in a reasonably secure location (such as a living room). This location is physically shielded from intruders, and if an intrusion takes place, and computer data may have been changed by an intruder instead of the data.s owner, in general this could likely be proven using physical evidence.
While the cost of mobile equipment often exceeds that of fixed computer hardware, people are not in the ability to use similar controls to protect this hardware. It is taken along in a volatile and potentially dangerous environment: there is a high risk of theft, loss or physical tampering.
Under certain legal jurisprudence, such as the United States, it is the goal of experts to convince a jury of the validity of evidence with respect to the case. However, this also means that other experts may attempt to discredit this account by presenting comprehensive and possible scenarios in which the mobile device may have been tampered with. A lack of physical protection and shielding, combined with the built-in ability of the device to communicate with others, adds to the complexity of discounting these scenarios.
Storing and transporting evidence
Physical hardware can usually be categorized as being in an .on. and .off. state. Mobile devices however, can be in a number of different states, in which certain modes of interaction (Bluetooth, RF, touch-screen) can be enabled or disabled. However, they are usually never off, as this would mean no power is supplied to the device components . leading to data loss, as application data is often stored in RAM.
In order to retain important data, it may thus be necessary to keep the device powered on and to ensure continuous supply of power during transport to the lab. During transport, the investigator will need to ensure that the device remains does not automatically shut down, no buttons are accidentally pushed and that a mobile power supply is foreseen. Another issue is the availability of RF connectivity. During transport, the device may still send or receive data, and could as such receive remote commands to execute certain activities. Transport will need to take this into account and may involve the use of an RF jammer (illegal in many countries) or an RF shielding bag.
The imaging process
Acquiring the image
Acquisition is complicated by the sheer diversity of devices. While imaging computer hardware has become fairly easy due to the high level of standardization (Windows / Unix boxes using ATA/SCSI/IDE hard drives and RAM memory), this trend has not yet continued in the wireless world. While three major types of PDAs exist - Palm, PocketPC and Linux - the mobile phone world remains very customized, with every vendor using a different type of operating system (with Symbian emerging as a potential standard) or at least a modified interface with the outside world, such as a proprietary type of USB cable. This makes that the way data is acquired from the mobile devices is unique to each individual type of device, or at least at the vendor level.
This diversity also leads to a lack of stock software to retrieve data. While forensic acquisition software is available for the most common platforms, an investigator may need to use non-standard or self-developed tools to access the device. These tools may not be developed for forensic purposes and could unexpectedly write to the device. This would significantly interfere with one of the basic tenets of digital forensics (Kruse and Heiser, 2002) that acquisition of evidence should occur 'without altering or damaging the original'.
There is also a wide range of memory devices that are used in conjunction with the mobile equipment. As external storage, a device could use a wide range of available memory cards (MicroDrive, SD Card). This concern is alleviated a bit as in order to enable communications, most mobile phone networks enforce the use of a standardized SIM card. However, newer smartphones tend to store less forensically relevant information, such as text messages and calls made, on this card due to memory constraints.
Verifying the data
During forensic investigation of computer hardware, images are usually made when the device is powered off. The image then reflects the machine with all data at rest. With mobile equipment, this is often not possible. In general, these devices cannot be powered off without data loss. While powered on, they continuously alter their own operating environment, for example by updating the clock timer or doing process accounting.
As such, a device that is subsequently imaged twice will show two different images with different hash values. This may cause significant issues when the forensic investigation is contested in court. The forensic investigator needs to be aware of this issue and be ready to investigate and explain those differences in detail.
Note that some of the data from a phone, such as data stored purely on a memory or SIM card, may still be investigated .at rest.. Indirectly however, this type of investigation could pose significant issues with the validity of the evidence. Merely removing the SIM card in many models requires the battery to be removed, which likely changes data in other storage (RAM).
Analysis and synthesis efforts
One more issue is dominant during the actual analysis and synthesis efforts. With computer hardware, a limited set of well known filesystems, such as FAT32, NTFS, HPFS, ext2fs, XFS are used to order data in a form readable by the different operating systems available. The fact that these filesystems are well document enables a forensic investigator to easily identify and locate information on the drive. It also allows the forensic investigator to make a logical backup of the filesystem (which identifies files and attributes) in addition to a physical copy.
With the exception of modern smartphones that run a specific OS such as Symbian, most of the data stored on mobile devices is stored in a unique format that is typical for the vendor. Software needs to be created that supports each unique format in order to retrieve basic information, such as text messages and dialled number lists and make them readable to the investigator. This is a much higher effort than creating software for a limited set of open filesystems used across platforms. Where such software is lacking, the forensic analyst may be forced to acquire data by using the graphical user interface of the device. This once again poses a major conflict with acquiring evidence without altering the original.
Some of the components of the mobile station, such as the SIM card, can only be accessed and investigated through the mobile phone without removing the battery (and as such losing data). This poses additional problems as we can not be certain that this data is not changed through the use of the phone.s operating system. The operating system may be modified to only pass selected data to the analyst, or could make changes on the card when data is accessed - 'read' flags, for instance.
The mere nature of these devices being mobile and enabling communication opens these devices up to a whole Pandora.s box of issues that applies much less to fixed hardware and as such forces a forensic investigator to consider illicit third party tampering with the device.
The other dominant issues with imaging of mobile phone data as evidence are related to the multitude of applicable standards, not only on a software or technology but also network-level. To add to complexity, many of the constraints that limit functionality on these devices - such as the necessity for a low power profile do not enable designers to spend much effort in building in security features that could be of use during forensic data acquisition.
Date: April 9th, 2007