Mobile Forensics challenges and Extraction process
Mobile Forensics
• Mobile forensics is the process of collecting, analyzing, and preserving digital
evidence from mobile devices to investigate and prevent cybercrime.
• The need for mobile forensics arises from various factors, including the
widespread use of mobile devices and the valuable information they contain.
Proliferation of Mobile Devices:
• The widespread use of smartphones and other mobile devices has led to an
increase in criminal activities involving these devices.
• Criminals often use mobile devices to communicate, plan, and execute
various illegal activities.
Digital Evidence:
• Mobile devices store a wealth of digital evidence, including call logs, text
messages, emails, photos, videos, and location data.
• This digital evidence is crucial in investigations related to cybercrime, fraud,
theft, terrorism, and other criminal activities.
Communication and Social Media:
• Mobile devices are commonly used for communication through calls,
texts, emails, and social media platforms.
• Investigations often involve extracting and analyzing communication
records to understand relationships, motives, and intentions.
Data Storage and Applications:
• Mobile devices store data locally, and users install numerous applications
that store sensitive information.
• Analyzing data stored in applications can reveal details about a user's
behavior, preferences, and interactions.
Internet of Things (IoT) Devices:
• Mobile devices are often used to control and interact with IoT devices,
such as smart home devices, wearables, and connected appliances.
• Forensics may extend to investigating interactions between mobile devices
and IoT devices.
Location-Based Services:
• Mobile devices continuously track and record location data, providing a
timeline of a user's movements.
• Location-based information is crucial in criminal investigations, missing
person cases, and incidents where geographic data is relevant.
Cybersecurity Incidents:
• Mobile devices are susceptible to cybersecurity threats, including
malware, phishing attacks, and unauthorized access.
• Mobile forensics helps identify the extent of a security breach, trace the
origin, and recover compromised data.
Employee Misconduct and Insider Threats:
• Organizations may need mobile forensics to investigate employee
misconduct, data breaches, or instances of intellectual property theft.
• Insider threats and unauthorized access to sensitive information can be
addressed through mobile forensics.
Legal and Regulatory Compliance:
• Mobile forensics is often necessary to comply with legal requirements and
regulations related to digital evidence in court.
• Proper handling and documentation of digital evidence are critical to
maintaining the integrity of the investigation.
Incident Response:
• Mobile forensics plays a vital role in incident response by identifying the
cause of security incidents and developing strategies to mitigate future
risks.
• Mobile forensics is a branch of digital forensics that involves the
investigation, analysis, and recovery of digital evidence from mobile
devices such as smartphones, tablets, and other portable gadgets.
• The primary goal of mobile forensics is to uncover and examine electronic
data that may be relevant to a legal or investigative proceeding.
• This field has become increasingly crucial due to the prevalence of mobile
devices and their role in both personal and professional communication.
• Key aspects of mobile forensics include:
Data Extraction:
Mobile forensic experts use specialized tools and techniques to extract data from
mobile devices.
This includes call logs, text messages, emails, photos, videos, application data, and
more.
Device Imaging:
Creating a forensic image of the mobile device ensures the preservation of its
current state for analysis.
This image can be used for further investigation without altering the original data.
Analysis of Communication Data:
Examination of call logs, text messages, and communication applications to
reconstruct conversations and identify patterns of communication.
Application Analysis:
Investigating data stored within mobile applications to uncover information
related to user activities, preferences, and interactions.
Location-Based Services (LBS) Analysis:
Analyzing GPS and location data to trace the movements and activities of the
device owner.
Cloud-Based Data Analysis:
Investigating data stored in cloud services associated with the mobile device,
such as cloud backups, synchronization, and storage services.
Recovery of Deleted Data:
Employing forensic tools to recover deleted or hidden data that might be
relevant to the investigation.
Malware and Security Analysis:
Detecting and analyzing potential malware, viruses, or security threats on the
mobile device.
Authentication and Access Control Bypass:
If necessary and legally permissible, experts may attempt to bypass
authentication mechanisms to gain access to locked devices.
Expert Testimony:
Mobile forensic experts may provide expert testimony in legal proceedings to
explain their findings and the relevance of the digital evidence.
Chain of Custody Documentation:
Maintaining a documented chain of custody for the digital evidence to ensure
its admissibility in court.
Challenges in mobile forensics
Hardware differences:
The market is flooded with different models of mobile phones from different
manufacturers.
Forensic examiners may come across different types of mobile models, which differ
in size, hardware, features, and operating system.
Also, with a short product development cycle, new models emerge very frequently.
As the mobile landscape is changing each passing day, it is critical for the examiner
to adapt to all the challenges and remain updated on mobile device forensic
techniques across various devices.
Mobile operating systems:
Unlike personal computers, where Windows has dominated the market for years,
mobile devices run a much wider range of operating systems, including Apple's iOS,
Google's Android, RIM's BlackBerry OS, Microsoft's Windows Phone OS, HP's webOS,
and many others.
Even within these operating systems, there are several versions, which makes the
task of the forensic investigator even more difficult.
Mobile platform security features:
• Modern mobile platforms contain built-in security features to protect user
data and privacy.
• These features act as a hurdle during forensic acquisition and examination.
• For example, modern mobile devices come with default encryption
mechanisms from the hardware layer to the software layer.
• The examiner might need to break through these encryption mechanisms
to extract data from the devices.
• The FBI versus Apple encryption dispute was a watershed moment in this
regard, where the security implementation of Apple prevented the FBI
from breaking into the iPhone seized from an attacker in the San
Bernardino case.
Preventing data modification:
• One of the fundamental rules in forensics is to make sure that data on the
device is not modified.
• In other words, any attempt to extract data from the device should not alter
the data present on that device.
• But this is not practically possible with mobiles because just switching on
a device can change the data on that device.
• Even if a device appears to be in an off state, background processes may
still run.
• For example, in most mobiles, the alarm clock still works even when the
phone is switched off.
• A sudden transition from one state to another may result in the loss or
modification of data.
Anti-forensic techniques:
• Anti-forensic techniques, such as data hiding, data obfuscation, data forgery, and
secure wiping, make investigations on digital media more difficult.
Passcode recovery:
• If the device is protected with a passcode, the forensic examiner needs to gain
access to the device without damaging the data on the device.
• While there are techniques to bypass the screen lock, they may not always work
on all the versions.
Lack of resources:
• As mentioned earlier, with the growing number of mobile phones, the tools
required by a forensic examiner would also increase.
• Forensic acquisition accessories, such as USB cables, batteries, and chargers for
different mobile phones, have to be maintained in order to acquire those
devices.
Dynamic nature of evidence:
• Digital evidence may be easily altered either intentionally or
unintentionally.
• For example, browsing an application on the phone might alter the data
stored by that application on the device.
Accidental reset:
• Mobile phones provide features to reset everything.
• Resetting the device accidentally while examining it may result in the loss
of data.
Device alteration:
• The possible ways to alter devices may range from moving application
data or renaming files, to modifying the manufacturer's operating system.
• In this case, the expertise of the suspect should be taken into account.
Communication shielding:
• Mobile devices communicate over cellular networks, Wi-Fi networks, Bluetooth,
and infrared.
• As device communication might alter the device data, the possibility of further
communication should be eliminated after seizing the device.
Lack of availability of tools:
• There is a wide range of mobile devices.
• A single tool may not support all the devices or perform all the necessary
functions, so a combination of tools needs to be used.
• Choosing the right tool for a particular phone might be difficult.
Malicious programs:
• The device might contain malicious software or malware, such as a virus or a
Trojan.
• Such malicious programs may attempt to spread over other devices over either a
wired interface or a wireless one.
Legal issues:
• Mobile devices might be involved in crimes, which can cross geographical
boundaries.
• In order to tackle these multijurisdictional issues, the forensic examiner
should be aware of the nature of the crime and the regional laws.
Mobile phone evidence extraction process
The evidence intake phase
• The evidence intake phase is the starting phase and entails request forms
and paperwork to document ownership information and the type of
incident the mobile device was involved in, and it outlines the type of data
or information the requester is seeking.
• Developing specific objectives for each examination is the critical part of
this phase.
• It serves to clarify the examiner's goals.
• Also, while seizing the device, care should be taken not to modify any
data present on the device.
• At the same time, any opportunity that might help the investigation should
not be missed.
• For example, at the time of seizing the device, if the device is unlocked,
then try to disable the passcode.
The identification phase
• The forensic examiner should identify the following details for every
examination of a mobile device:
1. The legal authority
2. The goals of the examination
3. The make, model, and identifying information for the device
4. Removable and external data storage
5. Other sources of potential evidence
1. The legal authority
• It is important for the forensic examiner to determine and document what
legal authority exists for the acquisition and examination of the device, as
well as any limitations placed on the media prior to the examination of the
device.
• For example, if the mobile device is being searched pursuant to a warrant,
the examiner should be mindful of confining the search to the limitations
of the warrant.
2. The goals of the examination
• The examiner will identify how in-depth the examination needs to be
based upon the data requested.
• The goal of the examination makes a significant difference in selecting the
tools and techniques to examine the phone and increases the efficiency of
the examination process.
3. The make, model, and identifying information for the device
• As part of the examination, identifying the make and model of the phone assists
in determining what tools would work with the phone.
• For all phones, the manufacturer, model number, carrier, and the current phone
number associated with the cellular phone should be identified and documented.
4. Removable and external data storage
• Many mobile phones provide an option to extend the memory with removable
storage devices, such as the Trans Flash Micro SD memory expansion card.
• In cases when such a card is found in a mobile phone that is submitted for
examination, the card should be removed and processed using traditional digital
forensic techniques.
• It is wise to also acquire the card while in the mobile device to ensure that data
stored on both the handset memory and card are linked for easier analysis.
5. Other sources of potential evidence
• Mobile phones act as good sources of fingerprint and other biological
evidence.
• Such evidence should be collected prior to the examination of the mobile
phone to avoid contamination issues, unless the collection method will
damage the device.
• Examiners should wear gloves when handling the evidence.
The preparation phase
• Once the mobile phone model is identified, the preparation phase involves
research regarding the particular mobile phone to be examined and the
appropriate methods and tools to be used for acquisition and examination.
• This is generally done based on the device model, underlying operating
system, its version, and so on.
• Also, choosing tools for examination of a mobile device will be
determined by factors such as the goal of the examination, resources
available, the type of cellular phone to be examined, and the presence of
any external storage capabilities.
The isolation phase
• Mobile phones are, by design, intended to communicate via cellular phone
networks, Bluetooth, infrared, and wireless (Wi-Fi) network capabilities.
• When the phone is connected to a network, new data is added to the phone
through incoming calls, messages, and application data, which modifies
the evidence on the phone.
• Complete destruction of data is also possible through remote access or
remote wiping commands.
• For this reason, isolation of the device from communication sources is
important prior to the acquisition and examination of the device.
• Network isolation can be done by placing the phone in radio frequency
shielding cloth and then putting the phone in airplane or flight mode.
• The airplane mode disables a device's communication channels, such as
cellular radio, Wi-Fi, and Bluetooth.
• Also, since Wi-Fi is now available in airplanes, some devices now have
Wi-Fi access enabled in airplane mode.
• An alternate solution is isolation of the phone through the use of Faraday
bags, which block radio signals to or from the phone.
• Faraday bags contain materials that block external static electrical fields
(including radio waves).
• Thus, Faraday bags shield seized mobile devices from external
interference to prevent wiping and tracking.
• To work more conveniently with the seized devices, Faraday tents and
rooms also exist.
The processing phase
• Once the phone has been isolated from communication networks, the
actual processing of the mobile phone begins.
• The phone should be acquired using a tested method that is repeatable and
is as forensically sound as possible.
• Physical acquisition is the preferred method as it extracts the raw memory
data and the device is commonly powered off during the acquisition
process.
• On most devices, the smallest number of changes occur to the device
during physical acquisition.
• If physical acquisition is not possible or fails, an attempt should be made
to acquire the filesystem of the mobile device.
• A logical acquisition should always be obtained as it may contain only the
parsed data and provide pointers to examine the raw memory image.
The verification phase
1. Comparing extracted data to the handset data
• Check whether the data extracted from the device matches the data
displayed by the device.
• The data extracted can be compared to the device itself or a logical report,
whichever is preferred.
• Remember, handling the original device may make changes to the only
evidence—the device itself.
2. Using multiple tools and comparing the results
3. Using hash values
• All image files should be hashed after acquisition to ensure that data
remains unchanged.
• If filesystem extraction is supported, the examiner extracts the filesystem
and then computes hashes for the extracted files.
• Later, any individually extracted file hash is calculated and checked
against the original value to verify the integrity of it.
• Any discrepancy in a hash value must be explainable (for example, the
device was powered on and then acquired again, thus the hash values are
different).
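An added example (not part of the slide deck) of the hashing and discrepancy bookkeeping the verification phase calls for: the acquired image and every extracted file are hashed into a manifest right after acquisition, re-verified later, and a changed hash is accepted only when the examiner has recorded why it changed. The file names, the image contents and the examiner note reference are constructed for the demo.

```python
"""Hash manifest for the verification phase.

Added example (not the slide deck's own material): hash the acquired image
and every extracted file right after acquisition, store the digests in a
manifest, and re-verify later. A changed digest passes only when the
examiner has recorded why it changed; anything else is flagged unexplained.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone
from typing import Dict, Optional

CHUNK = 1 << 20  # hash in 1 MiB pieces so a multi-GB image never has to fit in RAM


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(image_path: str, extracted_dir: str, examiner: str) -> Dict:
    """Digest the raw image and all extracted files; this is the reference state."""
    files = {}
    for root, _, names in os.walk(extracted_dir):
        for name in sorted(names):
            full = os.path.join(root, name)
            files[os.path.relpath(full, extracted_dir)] = sha256_file(full)
    return {
        "examiner": examiner,
        "created_utc": datetime.now(timezone.utc).isoformat(),
        "image": {"name": os.path.basename(image_path), "sha256": sha256_file(image_path)},
        "files": files,
    }


def verify(manifest: Dict, image_path: str, extracted_dir: str,
           explanations: Optional[Dict[str, str]] = None) -> Dict:
    """Recompute every digest and sort items into ok / explained / unexplained."""
    explanations = explanations or {}
    report: Dict = {"ok": [], "explained": {}, "unexplained": []}

    def check(label: str, expected: str, path: str) -> None:
        actual = sha256_file(path) if os.path.exists(path) else None  # a missing file is not ok
        if actual == expected:
            report["ok"].append(label)
        elif label in explanations:
            report["explained"][label] = explanations[label]
        else:
            report["unexplained"].append(label)

    check("image", manifest["image"]["sha256"], image_path)
    for rel, digest in manifest["files"].items():
        check(rel, digest, os.path.join(extracted_dir, rel))
    return report


def demo() -> Dict:
    """Constructed case: a tiny 'image' plus two extracted files, then two re-checks."""
    work = tempfile.mkdtemp()
    image = os.path.join(work, "handset.bin")
    extracted = os.path.join(work, "filesystem")
    os.makedirs(extracted)
    with open(image, "wb") as f:
        f.write(b"\x00" * 4096 + b"constructed raw image" + b"\xff" * 1024)
    for name, body in (("sms.db", b"sms placeholder"), ("calls.db", b"call log placeholder")):
        with open(os.path.join(extracted, name), "wb") as f:
            f.write(body)

    manifest = build_manifest(image, extracted, examiner="Examiner A (constructed)")
    with open(os.path.join(work, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)

    # Re-check 1 mirrors the slide's example: the device was powered on and
    # acquired again, so the image digest differs, and the examiner notes why.
    with open(image, "ab") as f:
        f.write(b"\x01")
    explanations = {"image": "device powered on and acquired again; see examiner note 12 (constructed)"}
    explained_only = verify(manifest, image, extracted, explanations)

    # Re-check 2: an extracted file changes with no note; this must surface.
    with open(os.path.join(extracted, "sms.db"), "ab") as f:
        f.write(b"!")
    with_tamper = verify(manifest, image, extracted, explanations)
    return {"explained_only": explained_only, "with_tamper": with_tamper}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```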
The documenting and reporting phase
• The forensic examiner is required to document throughout the
examination process in the form of contemporaneous notes relating to
what was done during the acquisition and examination.
• Once the examiner completes the investigation, the results must go
through some form of peer review to ensure that the data is checked and
the investigation is complete.
• The examiner's notes and documentation may include information such as
the following:
The presentation phase
• Throughout the investigation, it is important to make sure that the
information extracted and documented from a mobile device can be
clearly presented to any other examiner or to a court.
• Creating a forensic report of data extracted from the mobile device during
acquisition and analysis is important.
• This may include data in both paper and electronic formats.
• The findings must be documented and presented in a manner that the
evidence speaks for itself when in court.
• The findings should be clear, concise, and repeatable.
• Timeline and link analysis, features offered by many commercial mobile
forensic tools, will aid in reporting and explaining findings across
multiple mobile devices.
• These tools allow the examiner to tie together the methods behind the
communication of multiple devices.
The archiving phase
• Preserving the data extracted from the mobile phone is an important part
of the overall process.
• It is also important that the data is retained in a usable format for the
ongoing court process, for future reference, should the current evidence
file become corrupt, and for record-keeping requirements.
• Court cases may continue for many years before the final judgment is
arrived at, and most jurisdictions require that data be retained for long
periods of time for the purposes of appeals.
• As the field and methods advance, new methods for pulling data out of a
raw, physical image may surface, and then the examiner can revisit the
data by pulling a copy from the archives.
Mobile forensic tool leveling system
• Mobile phone forensic acquisition and analysis involves manual effort and
the use of automated tools.
• There are a variety of tools that are available for performing mobile
forensics.
• All the tools have their pros and cons, and it is fundamental that you
understand that no single tool is sufficient for all purposes.
• So, understanding various types of mobile forensic tools is important for
forensic examiners.
• When identifying the appropriate tools for the forensic acquisition and
analysis of mobile phones, a mobile device forensic tool classification
system developed by Sam Brothers (shown in the following figure)
• The objective of the mobile device forensic tool classification system is to
enable an examiner to categorize forensic tools based on the examination
methodology of the tool.
• Starting at the bottom of the classification and working upward, the
methods and the tools generally become more technical, complex, and
forensically sound, and require longer analysis times.
• There are pros and cons of performing an analysis at each layer.
• The forensic examiner should be aware of these issues and should only
proceed with the level of extraction that is required.
• Evidence can be destroyed completely if the given method or tool is not
properly utilized.
• This risk increases as you move up in the pyramid.
• Thus, proper training is required to obtain the highest success rate in data
extraction from mobile devices.
• Each existing mobile forensic tool can be classified under one or more of
the five levels.
• The following sections contain a detailed description of each level.
Manual extraction
• The manual extraction method involves simply scrolling through the data
on the device and viewing the data on the phone directly through the use of
the device's keypad or touchscreen.
• The information discovered is then photographically documented.
• The extraction process is fast and easy to use, and it will work on almost
every phone.
• This method is prone to human error, such as missing certain data due to
unfamiliarity with the interface.
• At this level, it is not possible to recover deleted information and grab all
the data.
• There are some tools, such as Project-A-Phone, that have been developed
to aid an examiner to easily document a manual extraction.
• However, this might also result in the modification of data.
• For example, viewing an unread SMS can mark it as read.
Logical extraction
• Logical extraction involves connecting the mobile device to forensic
hardware or to a forensic workstation via a USB cable, a RJ-45 cable,
infrared, or Bluetooth.
• Once connected, the computer initiates a command and sends it to the
device, which is then interpreted by the device processor.
• Next, the requested data is received from the device's memory and sent
back to the forensic workstation.
• Later, the examiner can review the data.
• Most of the forensic tools currently available work at this level of the
classification system.
• The extraction process is fast, easy to use, and requires little training for
the examiners.
• On the flip side, the process may write data to the mobile and might
change the integrity of the evidence.
• In addition, deleted data is not generally accessible with this procedure.
Hex dump
• A hex dump, also referred to as a physical extraction, is achieved by
connecting the device to the forensic workstation and pushing unsigned
code or a bootloader into the phone and instructing the phone to dump
memory from the phone to the computer.
• Since the resulting raw image is in binary format, technical expertise is
required to analyze it.
• The process is inexpensive, provides more data to the examiner, and
allows the recovery of deleted files from the device-unallocated space on
most devices.
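An added example, not from the slide deck, of why the raw image from a hex dump needs technical interpretation: a signature carver walks a constructed raw image for JPEG start/end markers and for a made-up SMS record layout, labels each hit by whether it lies in the allocated or unallocated region, and shows the carving failure mode of a partially overwritten file with no footer. The 32 KiB allocation boundary and the record format are assumptions for the demo; in a real case they come from the filesystem metadata and the application's storage format.

```python
"""Signature carving over a raw (hex dump / physical) image.

Added example, not the slide deck's own material. Deleted files survive in
unallocated space until overwritten, so a carver searches the whole image
for known byte signatures rather than trusting the filesystem's file list.
"""
import re
from typing import Dict, List

JPEG_SOI = b"\xff\xd8\xff"     # start-of-image marker, followed by an APPn marker byte
JPEG_EOI = b"\xff\xd9"         # end-of-image marker
MAX_JPEG = 16 * 1024 * 1024    # cap so a missing footer cannot swallow the whole image

# Constructed record layout for the demo: "SMS|<number>|<unix time>|<text>\x00"
SMS_RE = re.compile(rb"SMS\|(\+?\d{6,15})\|(\d{9,10})\|([^\x00]{1,160})\x00")
ALLOCATED_END = 32 * 1024      # assumed boundary; real cases read it from the filesystem


def carve_jpegs(image: bytes) -> List[Dict]:
    """Return every JPEG-looking blob, complete or truncated, with its byte offset."""
    found = []
    pos = 0
    while True:
        start = image.find(JPEG_SOI, pos)
        if start < 0:
            break
        end = image.find(JPEG_EOI, start + len(JPEG_SOI))
        if end < 0 or end - start > MAX_JPEG:
            # Header with no usable footer: the tail was overwritten. Record it as
            # partial rather than silently merging it with whatever follows.
            found.append({"offset": start, "length": None, "complete": False})
            pos = start + 1
            continue
        found.append({"offset": start, "length": end + len(JPEG_EOI) - start, "complete": True})
        pos = end + len(JPEG_EOI)
    return found


def carve_sms(image: bytes) -> List[Dict]:
    """Find SMS-like records anywhere in the image, allocated or not."""
    return [
        {"offset": m.start(), "number": m.group(1).decode(), "time": int(m.group(2)),
         "text": m.group(3).decode("utf-8", "replace")}
        for m in SMS_RE.finditer(image)
    ]


def tag_region(hits: List[Dict], allocated_end: int) -> List[Dict]:
    """Label each hit by region so the report separates live data from recovered data."""
    for h in hits:
        h["region"] = "allocated" if h["offset"] < allocated_end else "unallocated"
    return hits


def build_sample_image() -> bytes:
    """Constructed 64 KiB raw image: 32 KiB allocated area followed by unallocated space."""
    allocated = bytearray(ALLOCATED_END)
    jpeg_live = JPEG_SOI + b"\xe0" + b"\x00" * 300 + JPEG_EOI
    allocated[1024:1024 + len(jpeg_live)] = jpeg_live
    sms_live = b"SMS|+15551230000|1700000000|meet at 9\x00"
    allocated[8192:8192 + len(sms_live)] = sms_live

    unallocated = bytearray(ALLOCATED_END)
    sms_deleted = b"SMS|+15559876543|1699990000|delete this later\x00"   # "deleted" record
    unallocated[100:100 + len(sms_deleted)] = sms_deleted
    jpeg_deleted = JPEG_SOI + b"\xe1" + b"\x11" * 500 + JPEG_EOI          # "deleted" picture
    unallocated[4096:4096 + len(jpeg_deleted)] = jpeg_deleted
    jpeg_partial = JPEG_SOI + b"\xe0" + b"\x22" * 200                      # tail overwritten
    unallocated[20000:20000 + len(jpeg_partial)] = jpeg_partial
    return bytes(allocated + unallocated)


def carve_image(image: bytes) -> Dict:
    return {
        "jpegs": tag_region(carve_jpegs(image), ALLOCATED_END),
        "sms": tag_region(carve_sms(image), ALLOCATED_END),
    }


if __name__ == "__main__":
    for kind, hits in carve_image(build_sample_image()).items():
        for h in hits:
            print(kind, h)
```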
Chip-off
• Chip-off refers to the acquisition of data directly from the device's
memory chip.
• At this level, the chip is physically removed from the device and a chip
reader or a second phone is used to extract data stored on it.
• This method is more technically challenging, as a wide variety of chip
types are used in mobiles.
• The process is expensive and requires hardware level knowledge as it
involves the desoldering and heating of the memory chip.
• Training is required to successfully perform a chip-off extraction.
• Improper procedures may damage the memory chip and render all data
unsalvageable.
• When possible, it is recommended that the other levels of extraction are
attempted prior to chip-off, since this method is destructive in nature.
• Also, the information that comes out of memory is in a raw format and has to be
parsed, decoded, and interpreted.
• The chip-off method is preferred in situations where it is important to preserve
the state of memory exactly as it exists on the device.
• It is also the only option when a device is damaged but the memory chip is
intact.
• The chips on the device are often read using the Joint Test Action Group (JTAG)
method.
• The JTAG method involves connecting to Test Access Ports (TAPs) on a device
and instructing the processor to transfer the raw data stored on memory chips.
• The JTAG method is generally used with devices that are operational but
inaccessible using standard tools. Both of these techniques also work even
when the device is screen-locked.
Micro read
• The micro read process involves manually viewing and interpreting data
seen on the memory chip.
• The examiner uses an electron microscope and analyzes the physical gates
on the chip and then translates the gate status to 0s and 1s to determine the
resulting ASCII characters.
• The whole process is time-consuming and costly, and it requires extensive
knowledge and training on memory and the filesystem.
• Due to the extreme technicalities involved in micro read, it would only be
attempted for high-profile cases equivalent to a national security crisis,
after all other levels of extraction technique have been exhausted.
• The process is rarely performed and is not well-documented at this time.

Mobile Forensics challenges and Extraction process

  • 1.
    Mobile Forensics • Mobileforensics is the process of collecting, analyzing, and preserving digital evidence from mobile devices to investigate and prevent cybercrime. • The need for mobile forensics arises from various factors, including the widespread use of mobile devices and the valuable information they contain.  Proliferation of Mobile Devices:  The widespread use of smartphones and other mobile devices has led to an increase in criminal activities involving these devices.  Criminals often use mobile devices to communicate, plan, and execute various illegal activities.  Digital Evidence: • Mobile devices store a wealth of digital evidence, including call logs, text messages, emails, photos, videos, and location data. • This digital evidence is crucial in investigations related to cybercrime, fraud, theft, terrorism, and other criminal activities.
  • 2.
    Mobile Forensics  Communicationand Social Media: • Mobile devices are commonly used for communication through calls, texts, emails, and social media platforms. • Investigations often involve extracting and analyzing communication records to understand relationships, motives, and intentions.  Data Storage and Applications: • Mobile devices store data locally, and users install numerous applications that store sensitive information. • Analyzing data stored in applications can reveal details about a user's behavior, preferences, and interactions.
  • 3.
    Mobile Forensics  Internetof Things (IoT) Devices: • Mobile devices are often used to control and interact with IoT devices, such as smart home devices, wearables, and connected appliances. • Forensics may extend to investigating interactions between mobile devices and IoT devices.  Location-Based Services: • Mobile devices continuously track and record location data, providing a timeline of a user's movements. • Location-based information is crucial in criminal investigations, missing person cases, and incidents where geographic data is relevant.
  • 4.
    Mobile Forensics  CybersecurityIncidents: • Mobile devices are susceptible to cybersecurity threats, including malware, phishing attacks, and unauthorized access. • Mobile forensics helps identify the extent of a security breach, trace the origin, and recover compromised data.  Employee Misconduct and Insider Threats: • Organizations may need mobile forensics to investigate employee misconduct, data breaches, or instances of intellectual property theft. • Insider threats and unauthorized access to sensitive information can be addressed through mobile forensics.
  • 5.
    Mobile Forensics  Legaland Regulatory Compliance: • Mobile forensics is often necessary to comply with legal requirements and regulations related to digital evidence in court. • Proper handling and documentation of digital evidence are critical to maintaining the integrity of the investigation.  Incident Response: • Mobile forensics plays a vital role in incident response by identifying the cause of security incidents and developing strategies to mitigate future risks.
  • 6.
    Mobile Forensics • Mobileforensics is a branch of digital forensics that involves the investigation, analysis, and recovery of digital evidence from mobile devices such as smartphones, tablets, and other portable gadgets. • The primary goal of mobile forensics is to uncover and examine electronic data that may be relevant to a legal or investigative proceeding. • This field has become increasingly crucial due to the prevalence of mobile devices and their role in both personal and professional communication.
  • 7.
    Mobile Forensics • Keyaspects of mobile forensics include: Data Extraction: Mobile forensic experts use specialized tools and techniques to extract data from mobile devices. This includes call logs, text messages, emails, photos, videos, application data, and more. Device Imaging: Creating a forensic image of the mobile device ensures the preservation of its current state for analysis. This image can be used for further investigation without altering the original data. Analysis of Communication Data: Examination of call logs, text messages, and communication applications to reconstruct conversations and identify patterns of communication.
  • 8.
Mobile Forensics
Application Analysis: Investigating data stored within mobile applications to uncover information related to user activities, preferences, and interactions.
Location-Based Services (LBS) Analysis: Analyzing GPS and other location data to trace the movements and activities of the device owner.
Cloud-Based Data Analysis: Investigating data stored in cloud services associated with the mobile device, such as cloud backups, synchronization, and storage services.
Recovery of Deleted Data: Employing forensic tools to recover deleted or hidden data that might be relevant to the investigation, for example by carving files out of unallocated space in a physical image.
Mobile Forensics
Malware and Security Analysis: Detecting and analyzing potential malware, viruses, or other security threats on the mobile device.
Authentication and Access Control Bypass: If necessary and legally permissible, experts may attempt to bypass authentication mechanisms to gain access to locked devices.
Expert Testimony: Mobile forensic experts may provide expert testimony in legal proceedings to explain their findings and the relevance of the digital evidence.
Chain of Custody Documentation: Maintaining a documented chain of custody for the digital evidence, recording every transfer and every action taken on it, to ensure its admissibility in court.
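The chain-of-custody point above is usually satisfied with signed forms, but the same record can be kept tamper-evident in software. The following is an added example (it is not part of the original deck and not any vendor's tool): a hash-chained custody log in which every entry commits to the previous entry's hash, so an after-the-fact edit or a dropped entry is detected. The entry fields (custodian, action, evidence_id, artifact_sha256) are a hypothetical schema chosen for illustration, and the custody history in demo() is constructed.

```python
import hashlib
import json
from datetime import datetime, timezone

# Hypothetical entry schema for an append-only, hash-chained custody log. Each entry
# commits to the previous entry's hash, so altering, inserting or dropping an earlier
# entry breaks every hash that follows it. It complements signed paper forms.
GENESIS = "0" * 64


def entry_hash(prev_hash: str, body: dict) -> str:
    # Canonical JSON (sorted keys, fixed separators) so two machines hash an entry identically.
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()


def append_entry(log: list, custodian: str, action: str, evidence_id: str,
                 note: str = "", artifact_sha256: str = "", when: str = "") -> dict:
    prev = log[-1]["hash"] if log else GENESIS
    body = {
        "seq": len(log),
        "time": when or datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "custodian": custodian,
        "action": action,                    # seized / received / acquired / returned ...
        "evidence_id": evidence_id,          # exhibit tag
        "artifact_sha256": artifact_sha256,  # hash of any image or export this step produced
        "note": note,
        "prev": prev,
    }
    entry = dict(body, hash=entry_hash(prev, body))
    log.append(entry)
    return entry


def verify_chain(log: list) -> tuple:
    """(True, -1) if every link checks out, else (False, index of the first bad entry)."""
    prev = GENESIS
    for i, e in enumerate(log):
        body = {k: v for k, v in e.items() if k != "hash"}
        if e.get("seq") != i or e.get("prev") != prev or entry_hash(prev, body) != e.get("hash"):
            return False, i
        prev = e["hash"]
    return True, -1


def demo() -> dict:
    """Constructed custody history for one exhibit, then two edits that must be caught."""
    image_hash = hashlib.sha256(b"constructed physical image bytes").hexdigest()
    log = []
    append_entry(log, "Officer A", "seized", "EX-001",
                 "Powered on, screen locked, placed in Faraday bag", when="2024-01-05T09:12:00+00:00")
    append_entry(log, "Examiner B", "received", "EX-001", "Seal intact", when="2024-01-05T11:30:00+00:00")
    append_entry(log, "Examiner B", "acquired", "EX-001", "Physical acquisition",
                 artifact_sha256=image_hash, when="2024-01-05T13:02:00+00:00")
    ok_before, _ = verify_chain(log)

    tampered = json.loads(json.dumps(log))          # deep copy, then rewrite history
    tampered[1]["note"] = "Seal broken on receipt"
    ok_after, first_bad = verify_chain(tampered)

    removed = json.loads(json.dumps(log))
    del removed[1]                                   # drop the middle entry entirely
    ok_removed, first_bad_removed = verify_chain(removed)
    return {"ok_before": ok_before, "ok_after": ok_after, "first_bad": first_bad,
            "ok_removed": ok_removed, "first_bad_removed": first_bad_removed}


if __name__ == "__main__":
    print(demo())
```

The log is only as trustworthy as the copy that cannot be rewritten, so the head hash should be written into the contemporaneous notes (or a signed report) each time an entry is added; verification then starts from that recorded value rather than from whatever is stored alongside the log.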
Challenges in mobile forensics
Hardware differences:
• The market is flooded with different models of mobile phones from different manufacturers. Forensic examiners may come across models that differ in size, hardware, features, and operating system.
• With short product development cycles, new models emerge very frequently.
• As the mobile landscape changes with each passing day, the examiner has to adapt to these challenges and stay current on mobile device forensic techniques across devices.
Mobile operating systems:
• Unlike personal computers, where Windows has dominated the market for years, mobile devices are split across several operating systems: today mainly Apple's iOS and Google's Android, and historically also RIM's BlackBerry OS, Microsoft's Windows Phone, HP's webOS, and others, which still turn up as legacy devices.
• Even within one operating system there are many versions, each of which can change where data is stored and which acquisition methods work, making the forensic investigator's task even more difficult.
Challenges in mobile forensics
Mobile platform security features:
• Modern mobile platforms contain built-in security features to protect user data and privacy.
• These features act as a hurdle during forensic acquisition and examination.
• For example, modern mobile devices come with default encryption mechanisms from the hardware layer to the software layer, and the examiner might need to defeat these mechanisms to extract data from the device.
• On current devices the file encryption keys are derived from the user's passcode and protected by hardware, so whether a seized device has been unlocked since its last boot, and whether it is kept powered, largely determines what can be acquired.
• The FBI versus Apple encryption dispute was a watershed moment in this regard: Apple's security implementation prevented the FBI from breaking into the iPhone seized from an attacker in the San Bernardino case, and the FBI ultimately obtained access through a third party's technique rather than through Apple.
Challenges in mobile forensics
Preventing data modification:
• One of the fundamental rules in forensics is to make sure that data on the device is not modified.
• In other words, any attempt to extract data from the device should not alter the data present on that device.
• This is not fully achievable with mobile devices, because simply switching on a device can change the data on it.
• Even if a device appears to be in an off state, background processes may still run; on some handsets, for example, the alarm clock still fires when the phone is switched off.
• A sudden transition from one state to another may result in the loss or modification of data, so every such transition must be deliberate and documented.
Challenges in mobile forensics
Anti-forensic techniques:
• Anti-forensic techniques, such as data hiding, data obfuscation, data forgery, and secure wiping, make investigations on digital media more difficult.
Passcode recovery:
• If the device is protected with a passcode, the forensic examiner needs to gain access to the device without damaging the data on it.
• While there are techniques to bypass the screen lock, they do not work on every version of every platform.
Lack of resources:
• As mentioned earlier, with the growing number of mobile phone models, the range of tools and accessories a forensic examiner must keep also grows.
• Forensic acquisition accessories, such as USB cables, batteries, and chargers for different mobile phones, have to be maintained in order to acquire those devices.
Challenges in mobile forensics
Dynamic nature of evidence:
• Digital evidence may be easily altered either intentionally or unintentionally.
• For example, browsing an application on the phone might alter the data stored by that application on the device.
Accidental reset:
• Mobile phones provide features to reset everything.
• Resetting the device accidentally while examining it may result in the loss of data.
Device alteration:
• The possible ways to alter a device range from moving application data or renaming files to modifying the manufacturer's operating system.
• In this case, the expertise of the suspect should be taken into account.
Challenges in mobile forensics
Communication shielding:
• Mobile devices communicate over cellular networks, Wi-Fi networks, Bluetooth, and (on older handsets) infrared.
• As device communication might alter the device data, the possibility of further communication should be eliminated as soon as the device is seized.
Lack of availability of tools:
• There is a wide range of mobile devices.
• A single tool may not support all the devices or perform all the necessary functions, so a combination of tools needs to be used.
• Choosing the right tool for a particular phone might be difficult.
Malicious programs:
• The device might contain malicious software, such as a virus or a Trojan.
• Such programs may attempt to spread to other devices, including the examiner's workstation, over either a wired or a wireless interface, so acquisition should be done on an isolated workstation.
Challenges in mobile forensics
Legal issues:
• Mobile devices might be involved in crimes that cross geographical boundaries.
• In order to tackle these multijurisdictional issues, the forensic examiner should be aware of the nature of the crime and the regional laws that apply.
Mobile phone evidence extraction process
The evidence intake phase
• The evidence intake phase is the starting phase. It entails request forms and paperwork to document ownership information and the type of incident the mobile device was involved in, and it outlines the type of data or information the requester is seeking.
• Developing specific objectives for each examination is the critical part of this phase; it serves to clarify the examiner's goals.
• Also, while seizing the device, care should be taken not to modify any data present on it.
• At the same time, any opportunity that might help the investigation should not be missed.
• For example, if the device is unlocked at the time of seizure, try to disable the passcode or at least extend the auto-lock timeout, and record exactly what was changed and when. On many current devices changing the lock settings itself requires the existing passcode, in which case keeping the device powered, awake, and isolated from the network may be the only practical option.
The identification phase
• The forensic examiner should identify the following details for every examination of a mobile device:
1. The legal authority
2. The goals of the examination
3. The make, model, and identifying information for the device
4. Removable and external data storage
5. Other sources of potential evidence
The identification phase
1. The legal authority
• It is important for the forensic examiner to determine and document what legal authority exists for the acquisition and examination of the device, as well as any limitations placed on the media prior to the examination.
• For example, if the mobile device is being searched pursuant to a warrant, the examiner should be mindful of confining the search to the limitations of the warrant.
2. The goals of the examination
• The examiner will identify how in-depth the examination needs to be, based on the data requested.
• The goal of the examination makes a significant difference in selecting the tools and techniques used to examine the phone, and it increases the efficiency of the examination process.
The identification phase
3. The make, model, and identifying information for the device
• As part of the examination, identifying the make and model of the phone helps determine which tools would work with it.
• For all phones, the manufacturer, model number, carrier, and the current phone number associated with the cellular phone should be identified and documented.
4. Removable and external data storage
• Many mobile phones provide an option to extend the memory with removable storage, such as a TransFlash (microSD) memory expansion card.
• When such a card is found in a mobile phone submitted for examination, the card should be removed and processed using traditional digital forensic techniques.
• It is wise to also acquire the card while it is in the mobile device, so that data stored in the handset memory and on the card are linked for easier analysis.
The identification phase
5. Other sources of potential evidence
• Mobile phones are good sources of fingerprint and other biological evidence.
• Such evidence should be collected prior to the examination of the mobile phone to avoid contamination issues, unless the collection method would damage the device.
• Examiners should wear gloves when handling the evidence.
The preparation phase
• Once the mobile phone model is identified, the preparation phase involves research on the particular mobile phone to be examined and on the appropriate methods and tools for acquisition and examination.
• This is generally done based on the device model, the underlying operating system, its version, and so on.
• The choice of tools for examining a mobile device is also determined by factors such as the goal of the examination, the resources available, the type of cellular phone to be examined, and the presence of any external storage capabilities.
The isolation phase
• Mobile phones are, by design, intended to communicate via cellular networks, Bluetooth, infrared, and wireless (Wi-Fi) networks.
• When the phone is connected to a network, new data is added to the phone through incoming calls, messages, and application data, which modifies the evidence on the phone.
• Complete destruction of data is also possible through remote access or remote wiping commands.
• For this reason, isolating the device from communication sources is important prior to the acquisition and examination of the device.
• Network isolation can be done by placing the phone in radio frequency shielding cloth and then putting the phone in airplane (flight) mode.
• Airplane mode disables a device's communication channels, such as the cellular radio, Wi-Fi, and Bluetooth; enabling it is itself a change to the device and should be documented.
The isolation phase
• Since Wi-Fi is now available on aircraft, many devices allow Wi-Fi (and Bluetooth) to be re-enabled while airplane mode is on, so these radios must be checked individually.
• An alternative is isolating the phone in a Faraday bag, which blocks radio signals to and from the phone.
• Faraday bags contain materials that block external electric fields, including radio waves.
• Thus, Faraday bags shield seized mobile devices from external interference to prevent remote wiping and tracking.
• A phone that cannot reach a tower keeps searching at high transmit power and drains its battery quickly, so a device whose powered-on state matters should be bagged together with a power source.
• To work more conveniently with seized devices, Faraday tents and rooms also exist.
The processing phase
• Once the phone has been isolated from communication networks, the actual processing of the mobile phone begins.
• The phone should be acquired using a tested method that is repeatable and as forensically sound as possible.
• Physical acquisition is the preferred method, as it extracts the raw memory data, and the device's normal operating system is commonly not running during the acquisition.
• On most devices, the smallest number of changes occur to the device during physical acquisition.
• If physical acquisition is not possible or fails, an attempt should be made to acquire the filesystem of the mobile device.
• A logical acquisition should always be obtained as well: it contains the data as parsed by the device's own software and provides pointers (file locations, record formats) that help interpret the raw memory image.
The verification phase
1. Comparing extracted data to the handset data
• Check whether the data extracted from the device matches the data displayed by the device.
• The extracted data can be compared to the device itself or to a logical report, whichever is preferred.
• Remember that handling the original device may make changes to the only evidence, the device itself.
2. Using multiple tools and comparing the results
The verification phase
3. Using hash values
• All image files should be hashed immediately after acquisition, and the values recorded, to ensure that the data remains unchanged.
• If filesystem extraction is supported, the examiner extracts the filesystem and then computes hashes for the extracted files.
• Later, the hash of any individually extracted file is recalculated and checked against the recorded value to verify its integrity.
• Any discrepancy in a hash value must be explainable (for example, the device was powered on and then acquired again, so the hash values differ).
The documenting and reporting phase
• The forensic examiner is required to document throughout the examination process, in the form of contemporaneous notes on what was done during the acquisition and examination.
• Once the examiner completes the investigation, the results must go through some form of peer review to ensure that the data is checked and the investigation is complete.
• The examiner's notes and documentation may include information such as the following:
The presentation phase
• Throughout the investigation, it is important to make sure that the information extracted and documented from a mobile device can be clearly presented to another examiner or to a court.
• Creating a forensic report of the data extracted from the mobile device during acquisition and analysis is important. This may include data in both paper and electronic formats.
• The findings must be documented and presented in a manner that lets the evidence speak for itself in court.
• The findings should be clear, concise, and repeatable.
• Timeline and link analysis, features offered by many commercial mobile forensic tools, aid in reporting and explaining findings across multiple mobile devices.
• These tools allow the examiner to tie together the communications of multiple devices, showing who contacted whom, when, and from which handset's point of view.
The archiving phase
• Preserving the data extracted from the mobile phone is an important part of the overall process.
• It is also important that the data is retained in a usable format for the ongoing court process, for future reference should the current evidence file become corrupt, and for record-keeping requirements.
• The archive should include the raw image(s), their recorded hash values, and a note of the tool versions used, so that a later re-examination can start from the same verified evidence.
• Court cases may continue for many years before a final judgment is reached, and most jurisdictions require that data be retained for long periods for the purposes of appeals.
• As the field and its methods advance, new methods for pulling data out of a raw physical image may surface, and the examiner can then revisit the data by pulling a copy from the archives.
Mobile forensic tool leveling system
• Mobile phone forensic acquisition and analysis involve manual effort and the use of automated tools.
• There is a variety of tools available for performing mobile forensics.
• All the tools have their pros and cons, and it is fundamental to understand that no single tool is sufficient for all purposes.
• Understanding the various types of mobile forensic tools is therefore important for forensic examiners.
Mobile forensic tool leveling system
• When identifying the appropriate tools for the forensic acquisition and analysis of mobile phones, the mobile device forensic tool classification system developed by Sam Brothers (shown in the following figure) is a useful guide.
Mobile forensic tool leveling system
• The objective of the mobile device forensic tool classification system is to enable an examiner to categorize forensic tools based on the tool's examination methodology.
• Starting at the bottom of the classification and working upward, the methods and tools generally become more technical, more complex, more invasive, and more forensically sound, and they require longer analysis times.
• There are pros and cons to performing an analysis at each layer.
• The forensic examiner should be aware of these issues and should proceed only to the level of extraction that the examination requires.
• Evidence can be destroyed completely if the given method or tool is not properly utilized, and this risk increases as you move up the pyramid.
• Thus, proper training is required to obtain the highest success rate in data extraction from mobile devices.
Mobile forensic tool leveling system
• Each existing mobile forensic tool can be classified under one or more of the five levels.
• The following sections contain a detailed description of each level.
Manual extraction
• The manual extraction method involves simply scrolling through the data on the device and viewing it directly through the device's keypad or touchscreen.
• The information discovered is then documented photographically.
• The extraction process is fast and easy to use, and it works on almost every phone.
• This method is prone to human error, such as missing certain data due to unfamiliarity with the interface.
• At this level, it is not possible to recover deleted information or to capture all of the data.
Mobile forensic tool levelling system
Manual extraction
• Some tools, such as Project-A-Phone, have been developed to help an examiner document a manual extraction easily.
• However, manual extraction can itself modify data: for example, viewing an unread SMS can mark it as read.
Mobile forensic tool levelling system
Logical extraction
• Logical extraction involves connecting the mobile device to forensic hardware or to a forensic workstation via a USB cable, an RJ-45 cable, infrared, or Bluetooth.
• Once connected, the workstation sends a command to the device, which is interpreted by the device's processor.
• The requested data is then read from the device's memory and sent back to the forensic workstation, where the examiner can review it.
• Most of the forensic tools currently available work at this level of the classification system.
Mobile forensic tool levelling system
Logical extraction
• The extraction process is fast, easy to use, and requires little training for the examiner.
• On the flip side, the process may write data to the mobile device and thereby affect the integrity of the evidence.
• In addition, deleted data is generally not accessible with this procedure, because the device's own software only returns records it still considers live.
Mobile forensic tool levelling system
Hex dump
• A hex dump, also referred to as a physical extraction, is achieved by connecting the device to the forensic workstation, pushing unsigned code or a bootloader into the phone, and instructing the phone to dump its memory to the computer.
• Since the resulting raw image is in binary format, technical expertise is required to analyze it.
• The process is inexpensive, provides more data to the examiner, and on most devices allows the recovery of deleted files from unallocated space.
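The "recovery of deleted files from unallocated space" that a hex dump makes possible (and the Recovery of Deleted Data item in the key aspects earlier) rests on file carving: scanning the raw image for file signatures without consulting any filesystem metadata. The following added example, written for this page rather than taken from the deck or from any forensic suite, carves JPEGs from a raw dump. It also handles the edge case that trips up the textbook header-to-footer approach: a photo's EXIF segment usually embeds a thumbnail JPEG with its own end-of-image marker, so the first FFD9 after the header is the wrong footer. The carver walks the marker segments by their declared lengths up to the start-of-scan marker and only then searches for the footer. The raw dump, including both photos, the truncated header, and the slack bytes, is constructed in build_sample(); the byte layout of the JPEG markers is real.

```python
import hashlib

SOI = b"\xff\xd8\xff"        # start-of-image followed by the first marker byte
EOI = b"\xff\xd9"
MAX_SIZE = 20 * 1024 * 1024  # bound per-file search so a lost EOI cannot swallow the dump


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def naive_length(image: bytes, start: int, max_size: int = MAX_SIZE) -> int:
    """Header/footer carving as usually described: first FFD9 after the header.
    Wrong for any JPEG that carries an EXIF thumbnail, which has its own EOI."""
    end = image.find(EOI, start + 2, start + max_size)
    return -1 if end == -1 else end + 2 - start


def jpeg_length(image: bytes, start: int, max_size: int = MAX_SIZE) -> int:
    """Walk marker segments from SOI to SOS, skipping APPn/DQT/SOF/DHT by declared length
    (embedded thumbnails live inside APP1), then find EOI in the entropy-coded data, where
    FF is always stuffed as FF00 or followed by an RSTn, so an FFD9 there is the real end.
    Returns the total length, or -1 if the structure is truncated or corrupt."""
    p, limit = start + 2, min(len(image), start + max_size)
    while p + 4 <= limit:
        if image[p] != 0xFF:
            return -1
        marker = image[p + 1]
        if marker == 0xFF:                                             # fill byte
            p += 1
            continue
        if marker == 0xD8 or 0xD0 <= marker <= 0xD7 or marker == 0x01:  # standalone, no length
            p += 2
            continue
        seg_len = int.from_bytes(image[p + 2:p + 4], "big")
        if seg_len < 2:
            return -1
        if marker == 0xDA:                                             # SOS: scan data follows
            end = image.find(EOI, p + 2 + seg_len, limit)
            return -1 if end == -1 else end + 2 - start
        p += 2 + seg_len
    return -1


def carve_jpegs(image: bytes) -> list:
    """[(offset, length, sha256)] for every structurally complete JPEG in a raw dump."""
    out, pos = [], 0
    while (start := image.find(SOI, pos)) != -1:
        # the byte after FF D8 FF must itself be a marker code (APPn, DQT, SOF, COM ...)
        if start + 3 < len(image) and image[start + 3] >= 0xC0:
            length = jpeg_length(image, start)
            if length > 0:
                out.append((start, length, sha256_hex(image[start:start + length])))
                pos = start + length
                continue
        pos = start + 1                  # false positive or truncated file: keep scanning
    return out


# --- constructed sample dump (not a real device image) ---
def seg(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


SOS = seg(0xDA, b"\x01\x01\x00\x00\x3f\x00")
THUMB = b"\xff\xd8" + seg(0xDB, b"\x00" * 65) + SOS + b"\x12\x34" + EOI
PHOTO = (b"\xff\xd8" + seg(0xE1, b"Exif\x00\x00" + THUMB) + seg(0xDB, b"\x00" * 65)
         + seg(0xC0, b"\x08\x00\x10\x00\x10\x01\x01\x11\x00") + SOS
         + b"\xab\xcd\xff\x00\xef\xff\xd0\x99" + EOI)    # FF00 stuffing and an RST0 in scan data
PHOTO2 = (b"\xff\xd8" + seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
          + seg(0xDB, b"\x00" * 65) + SOS + b"\x55\x66" + EOI)


def build_sample() -> tuple:
    """Raw dump: slack, a photo with EXIF thumbnail, a truncated header (no EOI), a second photo."""
    parts = [b"\x00" * 512, PHOTO, b"\xde\xad" * 300, b"\xff\xd8\xff\xe0\x00\x00",
             b"\x00" * 256, PHOTO2, b"\x00" * 128]
    image, offsets, pos = b"", [], 0
    for part in parts:
        if part in (PHOTO, PHOTO2):
            offsets.append(pos)
        image += part
        pos += len(part)
    return image, offsets


if __name__ == "__main__":
    dump, _ = build_sample()
    for off, length, digest in carve_jpegs(dump):
        print(f"offset={off} length={length} sha256={digest[:16]}...")
```

Each carved object is hashed at the moment it is cut out, which is what lets the report tie a recovered photo back to a specific byte range of the verified image. Progressive JPEGs with several SOS segments and files fragmented across non-adjacent blocks are outside what this carver handles; a practitioner would note such limits next to any negative result.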
Mobile forensic tool levelling system
Chip-off
• Chip-off refers to the acquisition of data directly from the device's memory chip.
• At this level, the chip is physically removed from the device, and a chip reader or a second phone is used to extract the data stored on it.
• This method is technically challenging, as a wide variety of chip types are used in mobile devices.
• The process is expensive and requires hardware-level knowledge, as it involves desoldering and heating the memory chip.
• Training is required to perform a chip-off extraction successfully; improper procedures may damage the memory chip and render all data unsalvageable.
• When possible, the other levels of extraction should be attempted before chip-off, since this method is destructive in nature.
Mobile forensic tool levelling system
Chip-off
• The data read from the chip is in raw format and has to be parsed, decoded, and interpreted.
• The chip-off method is preferred in situations where it is important to preserve the state of memory exactly as it exists on the device.
• It is also the only option when a device is damaged but the memory chip is intact.
• A related physical technique that does not require removing the chip is the Joint Test Action Group (JTAG) method, which sits with hex dump rather than chip-off in the pyramid.
• The JTAG method involves connecting to the Test Access Ports (TAPs) on the device's board and instructing the processor to transfer the raw data stored on the memory chips.
• The JTAG method is generally used with devices that are operational but inaccessible using standard tools.
• Both techniques work even when the device is screen-locked. The caveat is that on devices with hardware-bound storage encryption, standard on current iOS and Android handsets, they return ciphertext, so they pay off mainly on older or unencrypted devices or where the key material can be recovered by other means.
Mobile forensic tool levelling system
Micro read
• The micro read process involves manually viewing and interpreting the data seen on the memory chip.
• The examiner uses an electron microscope to analyze the physical gates on the chip, translates the gate states into 0s and 1s, and then decodes those bits into the stored data.
• The whole process is time-consuming and costly, and it requires extensive knowledge of memory and filesystem internals.
• Because of the extreme technical demands of a micro read, it would only be attempted for high-profile cases on the scale of a national security crisis, after all other extraction levels have been exhausted.
• The process is rarely performed and is not well documented at this time.