
Forensic Analysis of Smartphones

2017-2018 All Rights Reserved, No part of this document should be modified/used without prior consent Tutors India -
Your trusted mentor since 2001 I www.tutorindia.com
UK: The Portergate, Ecclesall Road, Sheffield, S11 8NX I UK # +44-1143520021, Info@tutorsindia.com
Abstract

Smart phones, no doubt, are becoming ubiquitous because of their extended ability to
perform computing tasks instead of just making calls. These additional tasks include
sending and receiving electronic mail or multimedia messages, chatting, creating different
types of documents and accessing social media networks. Apart from the network services and
basic Personal Information Management (PIM) tools such as phonebooks, the user can
manage wide-ranging contact and appointment information, give a presentation, and store
documents in the cloud.

With the increasing capabilities that allow dealing with more diverse types of data as
well as users, smart phones are proving to be a goldmine for the investigating team at the
scene of a crime. It is obvious that these devices can hold potential evidence, which can be
recovered with the right procedures as well as tools.

The literature pertaining to forensic analysis of smartphones, as explored in this paper,
focuses on the role of smartphone systems in the proposed forensic process. It also discusses
the different digital evidence that a smartphone can deliver, along with the diverse tools
that can aid during the stages of acquisition, examination and reporting of data found on
smart cellular devices. The objective of this literature or guide is to assist the involved
organisations in coming up with apt policies and procedures for tackling smartphones
efficiently. However, this guide is neither complete nor does it stipulate how law
enforcement and other authorised communities should handle gadgets during investigation. It
only acts as a starting point for the people involved in the forensic procedures.

Table of Contents
CHAPTER I: INTRODUCTION
1.1 Introduction
1.2 Outline of the Dissertation
Chapter II: Forensic Analysis Of Smart phones
2.1 Introduction
2.2 Forensic Analysis
2.2.1 Computer versus Smart phone Forensics
2.3 Background
2.3.1 Cell Network Traits
2.3.2 Mobile Phone Characteristics
2.3.2 Identity Module Characteristics
2.4 Potential Evidence in Smart phones
2.5 Possible Crimes
2.6 The Forensic Process
2.6.1 Principles
2.6.2 Schemes
2.6.3 Roles
2.7 Preservation of Evidence
2.7.1 Investigating and Documenting the Scene
2.7.2 Gathering Evidence
2.7.3 Transmitting and Storing Evidence
2.8 Acquisition
2.8.1 Identifying the Device
2.8.2 Selecting a Tool
2.8.3 Memory Considerations and Acquisition
2.8.4 Obstructed and Unobstructed Gadgets
2.8.5 Tangential Equipment
2.9 Examination and Analysis
2.9.1 Potential Evidence
2.9.2 Using Tools with Experience
2.9.3 Subscriber and Call Records
2.10 Reports
2.11 Legal Considerations
2.12 Forensic Tools
Source: Jansen and Ayers (2007)
2.12.1 USIM Tools
2.12.2 Handset Tools
2.12.3 Integrated Toolkits
2.13 Challenges
2.14 Conclusion
References

CHAPTER I: INTRODUCTION

1.1 Introduction

Besides traditional mobile phones, the use of smart phones has increased considerably in
the last few years, both in business and in people's everyday lives. This can be ascribed
to their growing functionality, applicability and affordability. A growing number of mobile
phones, besides the ability to make and receive calls, have added considerable PDA
functionality and hence are described as smart phones. The added functionality and
unique features of smart phones encompass personal information management, internet
surfing and multimedia capabilities.

This is reflected in rising smart phone sales, which have increased 46.5 percent from
the second quarter of 2012 (Gartner.com, 2014) [1] and accounted for 51.8 percent of
mobile phone sales in all regions including Asia/Pacific, Latin America and Eastern Europe.

Figure 1: Smart phone sales

Source: Adopted from Gartner.com (2014) [1]

Typically, smart phones also run a smartphone OS such as Symbian, Windows Mobile or
Linux. A smartphone operating system differs completely from a built-in OS in that it
permits native third-party applications to run on the hardware (Mokhonoana
& Olivier, n. d) [2]. With the worldwide propagation of mobile phones, smart phones and PDAs
for business and leisure, and for legal and illegal purposes, these high-end capabilities have
an extensive influence on computer forensics because forensic investigators are highly
likely to come across handheld devices during their investigations. The growing
storage size, embedded cameras and internet access of handheld devices make them a
rich source of evidence (Lim, & Khoo, 2009) [3]. In particular, as a consequence of the
increasing popularity of smart phones, a rapid growth of malware designed to attack smart
phones can be observed. According to the report from McAfee Labs, at the end of this
quarter, the actual number of samples in the mobile malware zoo reached 50,926, with
nearly 28% of that arriving in 2013 (McAfee, 2013a) [4]. The Android platform continues to
make up the bulk of malware targets, representing 97% of total mobile malware (McAfee,
2013b) [5].

Figure 2: Total Mobile Malware Attack 2004-2013

Source: Adopted from McAfee (2013a) [4]

In addition to malware cases, there are also a large number of other criminal acts
whose solution depends on forensic analysis of a smart phone's contents.

1.2 Outline of the Dissertation

The present dissertation explores the role of forensic analysis of smart phones
using case analyses obtained through secondary data. A systematic analysis was carried
out to critically examine the forensic process involved, including preservation, acquisition,
guidelines, toolkits and further evaluation procedures, with specific reference to smart
phones. This dissertation is outlined as follows: in Chapter 2, a detailed literature
review investigates the role of forensic analysis in malware protection,
while Section 1 gives details on smart phones. Sections 2, 3 and 4 of this dissertation explore
the relationship of forensic analysis to smart phones, especially guidelines, toolkits
(Chapter 5) and evaluation procedures (Chapter 6), and the dissertation concludes with a
short summary and proposed opportunities for future research.

Chapter II: Forensic Analysis of Smartphones

Nowadays, more and more people have started using smartphones for their
multipurpose capabilities, which make personal and professional life simpler and smoother.
In order to cater to the different communication needs of the users, these devices function by
storing different types of information about the owner along with his or her usage history. A
few instances of this information include call history, chat logs, media files, task lists,
browsing history and memos. This means that data storage, access, and transfer are the core
capabilities of any smartphone. Although this has been the main reason for the widespread
acceptance of these devices, which play a vital role in all aspects of life, it also forms the
basis for committing several crimes. In several cases, malicious users have unhesitatingly
taken undue advantage of these devices (Hadadi & AlShidhani, 2013) [6].

Imagine a scenario wherein your client is accused of stealing a trade secret. In such a
case, wouldn't it be great if you could put forth electronic evidence that, during the theft,
your client was talking to you on the phone or was texting miles away from the place
of the crime? Similarly, if your loyal employee is accused of pilfering cash from the office, you
will find it helpful to prove that the concerned employee was talking to you via the
company's smartphone. If this sounds interesting, smart phone forensics is a topic that you
need to explore and understand (Gonzalez & Hung, 2011) [7].

Cybercrime is a grave challenge that poses potential harm to confidential and
security-related government activities as well as to those of individuals. According to a
recent report (Norton, 2011) [8], the annual cost of global cybercrime is $114 billion and
it affects over a million victims a day. This is perhaps due to the fact that the spread of
portable smart phones, coupled with swiftly evolving technology, has attracted innumerable
hackers. In reality, smart phones are almost mini versions of computers, whose evolving
technology has led to the gradual displacement of conventional PCs. According to
International Telecommunication Union (ITU, 2012) [9] statistics, the number of smart phone
users in 2011 was almost six billion, accessing different Internet Service Providers
(ISPs). Moreover, the trend of global Information and Communications Technology
development in the decade of 2001-2011 has led to a more than considerable increase in
cellular phone subscriptions. While these consequences are admirable, they have
unfortunately become reasons for the spread of several hacking-based crimes occurring on
smart phones.

Examples of crimes that indicate the usage of smart phones in criminal activities
include the Mumbai terrorist attack of 2008 and the London riots of 2011. Therefore,
a smart phone is an important facilitator of digital forensics, which aims to gather digital
evidence under forensically sound conditions for proving a point or fact legally. The forensics
researchers are, at present, striving hard to discover acceptable methods for recovering digital
evidence about user activities from these devices (Alghafli, Jones & Martin, 2011) [10].

2.1 Introduction

Smart phones such as Android, iPhone, iPad and BlackBerry are used almost
everywhere. They are used to make calls, send and receive messages and e-mails,
take photographs, surf the Internet, update Facebook, view maps; the list is just too long. As
a result, mobile devices are actually recording these activities, and the records act as
evidence. For better or worse, these devices are perhaps the biggest source
of evidence about their owners (Gonzalez & Hung, 2011) [7].

Mobile device forensics refers to a branch of digital forensics, wherein the term
mobile device usually refers to mobile phones, although it can also indicate any digital
device with both internal memory and communication capability, such as tablets, PDAs and
GPS devices. Smart phone forensics is actually a new field within the computer or digital
forensics domain, which conventionally targets network servers and personal workstations. It is
an evolving form of accumulating digital evidence, which facilitates retrieving information
from a mobile phone. Smart phone forensics actually depends upon extracting evidence from
the phone's internal memory when it is possible to access data (Mutawa, Baggili &
Marrington, 2012) [11]. The aim of smart phone forensics is to obtain digital evidence in a
forensically reliable manner so that the evidence can be submitted and accepted in a court.
This forensic process usually comprises four phases, namely preservation, acquisition,
analysis and presentation.

Smart phones, as ubiquitous gadgets, are characterised by context awareness, mobility
and diversity of the data sources that they incorporate. In the context of crime investigation,
these traits or characteristics can prove to be useful for forensic purposes proactively as well
as after a crime. For example, in the case of a few crimes that the legal context considers
severe (e.g. crimes against government), proactive possession of smart phone data can be
essential. This is perhaps why law agencies connect through the carrier's infrastructure
to intercept specific data, including messages and phone calls (Mylonas et al., 2011) [12].

Besides the legal context, other contexts also call for direct and timely access
to mobile data. For example, in the managerial (organisational) context, proactivity is
referred to as creating or managing a situation instead of only responding to it (Grobler,
Louwrens & Von Solms, 2010) [13]. Herein, Proactive Digital Forensics (ProDF) is
implemented as a process to inquire into enterprise systems efficiently, to maximise the
ability to acquire reliable digital evidence as well as to minimise forensics cost with the help
of credible tools and techniques for tracing criminal activity (Sutherland et al., 2008) [14].

In terms of the conventional context, forensic triage is implemented, which relates to
on-site forensics wherein the investigator examines a crime scene directly and retrieves volatile
data from the device's memory (Mislan, Casey & Kessler, 2010) [15]. The main beneficial
features of such a forensic investigation are a realistic assessment of the available digital
evidence, no delay in getting results because no later processing is needed, and an easier
focus on critical matters such as the call activity of the suspect. In short, depending upon the
various contexts, smart phone forensics is useful in law enforcement investigations, criminal
and civil defence, military intelligence, public and private investigations, corporate
investigations and electronic advancements.

In this study, we look at the different types of crimes taking place along with their
associated digital evidence. We also explore the digital forensics process of smart phones in
detail, the tools found to be useful in such a process, the procedures for performing the
different phases of the forensic process on a smart phone and recommended guidelines. Finally,
this study reflects on the possible challenges that this new field may face.

2.2 Forensic Analysis

Digital forensics, generally known as computer forensics, is defined as the collection,
preservation, analysis and presentation of computer-related evidence (Vacca, 2010) [16].
Smart phone forensics involves identifying, preserving, extracting, documenting and
analysing the data stored on the device. Investigators tend to follow well-defined
and effective methodologies as well as procedures that are adaptable to particular cases. Such
methodologies usually involve creating a forensic copy of the acquired digital medium
without affecting its integrity, assessing the copy to recover evidence in the form of
information and analysing the recovered details for creating a report recording any relevant
information found.

As of now, there is no universal approach to smartphone forensics, which is why it is
vital to work with a certified and experienced investigator. Usually, a mobile device
investigator needs to consider the following aspects of mobile forensics:

How to Use the Phone: Although this sounds insignificant, it significantly influences
the type of data obtainable. A real issue that exists here is that the most relevant or
interesting data, such as messages and browsing history, can get overwritten by the
latest activities in those areas, as the phone can communicate constantly (Gonzalez &
Hung, 2011) [7]. One way to deal with this issue is to turn the phone off, but doing so
can have a few unintended consequences. For example, it may
activate password protection that may make it impossible to extract the data.
Moreover, if the device runs out of battery, it becomes important to use a charger as
well.
How to Analyse: There are several ways to analyse a smartphone forensically. The
first way is to navigate through the different data stored while videotaping
them. Although this technique is useful in some cases, the biggest risk is
manipulation, in that evidence can be easily changed. One more technique is to use
the built-in backup or syncing feature (Iqbal et al., n.d) [17], which enables
storing a significant amount of data such as videos, e-mails and text. However,
the settings need to be modified carefully so that the data from the synced device
does not overwrite the data on the device. This also involves manipulation
of the evidence to some extent. Therefore, another technique is in use, which makes
use of commercial forensic tools that are increasingly proving to be more secure and
capable. Such a tool usually copies all files stored on the device (a logical copy or a
bit-by-bit physical copy of the entire memory), which helps in extracting the user-created as
well as deleted data, the latter being possible with the physical copy, which is
somewhat difficult to obtain (Gonzalez & Hung, 2011) [7]. Forensic software tools have the
ability to deal with the wide variety of applicable devices for tackling the most
ordinary investigative cases efficiently. They usually facilitate logical abstraction
through universally known mechanisms for synchronisation, restoration and
communications.
How to Validate and Report: Irrespective of the method of analysis implemented, it
is vital to justify or validate it. As mentioned before, a few methods of gathering and
analysing include the risk of changing the evidence, which results in an authentication
issue in legal dealings (Gonzalez & Hung, 2011) [7]. Therefore, the examiner needs to
justify the technique fully in the documentation, apart from recording the findings and
proving their relevancy.
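
The difference between a logical copy and a bit-by-bit physical copy described above, together with the hash check an examiner can cite when validating the copy, is shown here as an added example that is not part of the original dissertation. The 64-byte record layout, the sample messages and all function names are constructed for illustration and do not correspond to any real handset or tool.

```python
import hashlib
import struct

# Constructed toy storage format (an assumption for this example only):
# fixed 64-byte slots, each holding a 3-byte header plus a UTF-8 payload.
RECORD_SIZE = 64
HEADER = struct.Struct(">BH")  # flag (1 = live, 0 = deleted), payload length
LIVE, DELETED = 1, 0
MAX_PAYLOAD = RECORD_SIZE - HEADER.size


def build_image(messages):
    """Build a toy flash image from (text, is_live) pairs."""
    image = bytearray()
    for text, is_live in messages:
        payload = text.encode("utf-8")
        if len(payload) > MAX_PAYLOAD:
            raise ValueError("payload too long for one record")
        record = HEADER.pack(LIVE if is_live else DELETED, len(payload)) + payload
        image += record.ljust(RECORD_SIZE, b"\xff")  # erased flash reads as 0xFF
    return bytes(image)


def iter_records(image):
    """Yield (flag, text) for every well-formed record slot in the image."""
    for offset in range(0, len(image) - RECORD_SIZE + 1, RECORD_SIZE):
        flag, length = HEADER.unpack_from(image, offset)
        if flag not in (LIVE, DELETED) or length > MAX_PAYLOAD:
            continue  # never-written or corrupt slot
        start = offset + HEADER.size
        yield flag, image[start:start + length].decode("utf-8", errors="replace")


def logical_acquisition(image):
    """What a backup or sync interface exposes: live records only."""
    return [text for flag, text in iter_records(image) if flag == LIVE]


def physical_acquisition(image):
    """Bit-by-bit copy plus the SHA-256 digest recorded at acquisition time."""
    copy = bytes(image)
    return copy, hashlib.sha256(copy).hexdigest()


def recover_deleted(copy):
    """Deleted records survive in the raw copy because only the flag was cleared."""
    return [text for flag, text in iter_records(copy) if flag == DELETED]


def verify(copy, recorded_digest):
    """Re-hash the working copy; any changed byte makes this return False."""
    return hashlib.sha256(copy).hexdigest() == recorded_digest


# Constructed sample device memory: two live messages, one deleted message,
# and one slot that was never written.
DEVICE_IMAGE = build_image([
    ("Meet at 9", True),
    ("Delete this after reading", False),
    ("Call me", True),
]) + b"\xff" * RECORD_SIZE

if __name__ == "__main__":
    copy, digest = physical_acquisition(DEVICE_IMAGE)
    print("logical :", logical_acquisition(DEVICE_IMAGE))
    print("deleted :", recover_deleted(copy))
    print("sha256  :", digest)
    print("verified:", verify(copy, digest))
```

Recording the digest in the examination report at acquisition time lets any later reviewer repeat the check against the working copy.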

2.2.1 Computer versus Smart phone Forensics

Although smart phone devices have many similarities in terms of functionality when
compared to computers, there are a few differences between the two when it comes to
performing digital forensics. Table 1 lists these differences as well as shows that the digital
forensics of smart phones is more complex than that of computers.
Table 1: Computer vs Smart phone Forensics

Point of Difference                    Computer Forensics                  Smart phone Forensics
Evidence Source                        Hard disk, external memory, RAM     Internal memory, external memory, SIM
Operating System                       Limited in number                   More in number
Removable Internal Storage Media       Hard disk                           None
File System                            Standard ones such as FAT and NTFS  Varies drastically
Evading Authentication Password        Yes                                 No
during Acquisition
Power and Data Cables                  Standard ones                       Varies drastically

Source: Adopted from Alghafli, Jones & Martin (2011) [10]

2.3 Background

The digital forensic community faces the persistent challenge of staying
abreast of the latest advancements that may play a vital role in digging out relevant clues
during an inspection. This is perhaps because the market is loaded with a diverse assortment
of mobile phones, each varying in design, and they are constantly evolving or
changing with the improvement in existing technologies as well as with the introduction of
new ones. While using a mobile phone during an investigation, an investigator is bound to
have several queries, such as how the phone maintains power, how to handle the phone for
extracting different types of data and how the potentially relevant data on the device should
be assessed (Jansen & Ayers, 2007) [18]. In order to answer these questions, the investigator
needs to have an understanding of the hardware and software aspects of the phones.

2.3.1 Cell Network Traits

In the United States, there are different types of cellular networks that implement
unique incompatible standards. Of these, the two leading cellular networks are Global System
for Mobile Communications (GSM) and Code Division Multiple Access (CDMA) (Mt. San
Antonio College, 2013) [19]. A few more common cellular networks include Integrated
Digital Enhanced Network (iDEN) using Motorola protocol and Time Division Multiple
Access (TDMA).

CDMA is the Qualcomm technology that features spread spectrum communication
via radio link. Instead of sharing a channel like several other network air interfaces, CDMA
spreads the digitized data across the available bandwidth, discriminating several calls through
an assigned unique sequence code. Because the successive versions of the IS-95 standard define
the conventions, CDMA is often referred to as an IS-95 compliant network and its systems are
termed CDMA One (Ahmed et al., 2009) [20]. Both Sprint and Verizon run CDMA networks in
the nation.

GSM is a popular system across the globe that first surfaced in Europe, primarily
through Nokia and Ericsson. Today, even T-Mobile runs GSM networks in the United States. The
system utilises a TDMA air interface, wherein TDMA is a digital link technique used for
enabling several phones to share a single carrier radio frequency channel. This sharing
happens in turns, wherein the channel is utilised exclusively during an allocated time slot. A
packet switching improvement in the wireless networks of GSM is termed General Packet
Radio Service (GPRS), a standardised version to improve data transmission. 3G or third
generation is certainly the next generation of GSM (also termed Universal Mobile
Telecommunications System (UMTS)), which aims at enhancing GSM networks through a
Wideband CDMA (W-CDMA) air interface (Ayers, Brothers & Janson, 2013) [21].

TDMA also refers to the standard specifically covered in IS-136, which defines a
particular kind of cellular network. It is recommended to avoid using TDMA to
refer to a general technique or a specific network type because of the possibility of
confusion. For instance, although GSM implements a TDMA interface, it is incompatible
with the IS-136-based TDMA networks.

Any mobile phone operates with a subset of the types of networks explained
above, typically those related to the service provider that offers the device and
arranges the service agreement. For instance, a GSM network operator or a service provider
having a few older but active TDMA network segments may provide a device with GSM data and
voice as well as TDMA capabilities (Jansen & Ayers, 2007) [18]. However, this device will
be incompatible with a CDMA network. Moreover, the customer can obtain a mobile phone
without any service from a supplier or any other source and can then subscribe to a service of
a network operator separately, assuming that the device is compatible with the network.

To obtain service during usage, the device may connect to a compatible
network that another service provider runs. Data about the service contract and related
activities is fetched and maintained by the network for managing the system, offering
subscribed services and charging subscriber accounts precisely. Usually, a cellular network
offers coverage by splitting a large geographical area into smaller chunks called coverage
cells, which facilitate reusing radio frequencies in the available but restricted spectrum to
allow an increasing number of calls to take place (Hefny, 2012) [22]. This is shown in Figure 3.

Figure 3: Cells

Source: Adopted from Chen (2011) [23]

As a phone moves from cell to cell, a cellular arrangement requires active
connections to be passed along between cells for maintaining communication effectively.
Although there are technology differences, a mobile network is organised in a broadly similar
manner, as shown in Figure 4.

Figure 4: Mobile Network Architecture

[Diagram panels: Mobile station; Base station substation; Network Substation]

SIM: Subscriber Identity Module
ME: Mobile Equipment
BTS: Base Transceiver Station
BSC: Base Station Controller
MSC: Mobile Switching Center
HLR: Home Location Register
VLR: Visitor Location Register
Source: Adopted from Polarsat (2014) [24]

As shown in Figure 2, the main components of a cellular network are the switching
system for the network, the controller that administers the transceiver equipment and
assigns channels, and the radio transceiver equipment that communicates with phones. The
technical terms for these components are the Mobile Switching Center (MSC), the Base Station
Controller (BSC) and the Base Transceiver Station (BTS), to which cells are connected,
respectively. The BSC and BTS units collectively are termed a Base Station Subsystem.

The mobile station (MS) comprises the Subscriber Identity Module (SIM) or smart card and the
mobile equipment (the terminal) identified by the International Mobile Equipment Identity
(IMEI). The Base Station Subsystem administers the radio link with the Mobile Station, while
the Network Subsystem, with the MSC as its main part, performs switching of calls between
users and handles mobility management. The Mobile Station and the Base Station Subsystem
interact via an interface known as the radio link or air interface. Similarly, the Base
Station Subsystem interacts with the MSC via an interface (Scourias, 1997) [25]. Although the
transceivers at the BTS are configurable in several ways, a normal configuration encompasses
three distinct sectors, each covering 120 degrees: 0° North to 120° Southeast, 120° Southeast
to 240° Southwest and 240° Southwest to 360° North (Jansen & Ayers, 2007) [18].

The BTS comprises radio transceivers that define a cell and handles radio-link protocols. In
a big city, several BTSs are deployed, and their requirements are portability, reliability,
ruggedness and minimum cost. The BSC manages the radio resources for BTS units and deals with
radio-channel setup and frequency hopping. The MSC acts like a normal switching node of the
PSTN, handles subscribers via services such as registration, location updating and
authentication, and connects with fixed networks such as ISDN or PSTN.

A cell identifier uniquely identifies the sector as well as the BTS involved in facilitating
a call. The MSC manages an array of BSCs and administers overall communication in the
network, including contact with the Public Switched Telephone Network (PSTN). To perform
well, an MSC needs many databases, of which the central repository is the Home Location
Register (HLR) for subscriber data and service information. Along with this repository, one
more database, known as the Visitor Location Register (VLR), is used for roaming outside the
service area (Federal Office for Information Security (BSI)). The HLR maintains account
information such as subscriber data, subscribed services, network and the location last
registered, which the MSC utilises to direct calls and messages as well as to create usage or
call detail records. Of these, the call detail records and subscriber account information are
often a useful source of evidence during an investigation. The HLR and VLR, along with the
MSC, offer the call-routing and roaming services. The HLR stores the administrative
information of registered subscribers in the network, along with the device's current
location in the form of the VLR's signalling address (Jansen & Ayers, 2007) [18].

2.3.2 Mobile Phone Characteristics

Smart phones are highly portable communication devices that can play diverse roles, ranging
from a simple call recorder to a mini computer. Developed for on-the-go tasks, these devices
are battery powered, compact and light in weight. They usually run proprietary operating
systems, because of which they vary in their hardware and software characteristics. Most
phones offer an array of basic, comparable capabilities, but the various categories of
devices differ in advanced features, software apps and hardware technology (Ayers, Brothers &
Jansen, 2013) [21].

Most phones have a microprocessor, Random Access Memory (RAM), Read Only Memory (ROM), a
microphone, a radio module, a digital signal processor, a speaker, a screen and several
interfaces. The operating system is held in ROM, while RAM is kept active by the battery. The
latest phones feature system-level microprocessors that reduce the need for supporting chips.
Although many features are similar, there are differences in technical and physical
characteristics such as size, processor speed, keyboard type, battery type and memory
capacity. Keeping this in mind, mobile phones are classified as basic (messaging and call
devices), advanced (multimedia services) and smart phones or high-end phones (advanced + PDA
capabilities) (Ayers et al., 2005) [26]. Figure 5 illustrates the hardware characteristics of
these different phones for display, storage capacity, memory and I/O expansion, communication
medium and video and camera.

Figure 5: Hardware Components of Mobile Phones

Class    | Display              | Storage                   | Expansion           | Communication     | Camera               | Battery
Smart    | 16-bit Color Display | Better Storage and Speed  | Memory-I/O Slot     | Wi-Fi & Bluetooth | Video & Still Camera | Removable, Rechargeable Lithium Ion
Advanced | 12-bit Color Display | More Storage and Speed    | Memory Slot         | Bluetooth         | Still Camera         | Removable, Rechargeable Lithium Ion Polymer
Basic    | Grayscale Display    | Limited Storage and Speed | No Memory Expansion | IrDA              | No Camera            | Fixed Rechargeable Lithium Ion

Source: Adopted from Ayers et al (2005) [26]

Figure 5 shows that the more capable phones are able to capture and store more diverse
information through various sources, such as wireless and removable memory modules. As with
hardware components, the software for communication tends to vary with the type of phone. For
example, a basic phone normally has an application for text messaging, an advanced phone
allows sending lengthy text messages, and a smart phone supports multimedia messages (Ayers
et al., 2005) [26]. Kindly note that the features in the figure may vary with advancements
over time.

Along with hardware specifications, the mobile devices differ in terms of software
configurations as well. The smart phones usually support advanced e-mail and Web clients
using Post Office Protocol (POP) or Internet Message Access Protocol (IMAP) and Hypertext
Transfer Protocol (HTTP), while the basic ones will not support any of these clients (Jansen
& Ayers, 2007) [18]. Figure 4 shows the differences in software capabilities on different
phones.

Figure 6: Software Components of Mobile Devices

Class    | Operating system      | Applications                 | Messaging                     | E-mail               | Web         | PIM
Smart    | iOS, Android, Windows | MS Office, Mobile Monitoring | MMS                           | Via POP/IMAP Server  | Direct HTTP | Phonebook, Calendar, and Reminder List
Advanced | Proprietary           | MP3 Player                   | Text with Sound and Image SMS | Via Network Operator | Via WAP     | Phonebook and Calendar
Basic    | Proprietary           | No Apps                      | Text SMS                      | No E-mail            | No Web      | Simple Phonebook

Source: Adopted from Ayers et al. (2005) [26]

2.3.2 Identity Module Characteristics

A Subscriber Identity Module (SIM) is synonymous with mobile phones that operate in a GSM
network, wherein the device is the Mobile Station with two distinct components: the SIM and
the ME (Ayers et al., 2007) [27]. The SIM is removable, is essential for the full functioning
of the phone and holds essential subscriber information. Its main function is to authenticate
the phone's user for access to the subscribed services, although it also stores personal
information such as text messages and phone book entries. While a SIM is present in all GSM
phones, current CDMA phones do not have one. Instead, similar SIM functionality is
incorporated directly in the device. Comparable modules are likewise implemented in iDEN
phones. Nevertheless, because a SIM allows user identity and service to be transferred
between devices, eventually all phones are likely to include the following:

- USIM-like capability
- Special smart card containing a processor
- Persistent EEPROM (Electrically Erasable Programmable Read Only Memory) of 16 to 128 KB
- ROM for the operating system
- RAM for program execution
- Encryption algorithms
- User authentication and other applications (Ayers et al., 2005) [26]

The USIM's hierarchical file system resides in persistent memory and stores names and phone
number entries, network settings and text messages. Depending on the phone model, a few
details on this special card may also coexist in the phone's memory. The USIM operating
system regulates access to the file system by assigning rights to a subscriber via changeable
Personal Identification Number (PIN) codes of 4-8 digits (Ayers, Brothers & Jansen, 2013)
[21]. Usually, the user gets three chances to submit the correct PIN code to the USIM before
the fourth attempt blocks the phone completely. In the latter case, only a correct PIN
Unblocking Key (PUK) obtained from the service provider can reset the USIM. If the attempts
to enter the correct PUK exceed ten, the card is locked forever.

USIMs are approximately the size of a postage stamp. Although they are analogous to a MiniSD
or other removable mobile memory card in dimension, USIMs have different specifications. For
instance, their pin connectors are not along a bottom edge but rather exist as a circular
contact pad connected to the card chip enclosed in a plastic frame. Further, USIMs implement
a variety of tamper resistance techniques to defend the contained information (Jansen &
Delaitre, 2007) [27].

The slot for this special card is in the battery compartment, under the battery. Inserting a
USIM into the phone handset and making pin contact activates a serial interface for
communication. You can remove the card and read it with a dedicated reader (app) via the same
interface. You can even use a smart card adapter to insert the card into, and read it with, a
traditional smart card reader (Jansen & Ayers, 2007) [18].

2.4 Potential Evidence in Smartphones

Digital evidence refers to any data that can establish that a crime has occurred or reveal a
link between a crime and its perpetrator or victim (Casey, 2004) [28]. Casey also defines the
term in another way: any data stored or sent through a computer that supports or disproves a
theory of how a crime was committed, or that addresses the vital elements of the crime such
as intention or explanation. Smart phones tend to store plenty of heterogeneous data produced
by their software and hardware components, which can act as potential evidence to prove or
refute a crime. According to these components, smart phone data can be divided into (Mylonas
et al., 2011) [12]:

- Messaging Data from messaging service
- Device Data stored on storage media but not associated to any application
- SIM Card Data stored on SIM
- Usage History Data stored in system and user logs
- Application Data used during execution of an application such as databases
- User Input Data generated from keystrokes
- Sensor Data generated by sensors such as GPS and camera

These data sources are ordered within a taxonomy of evidence types derived from the questions
used in evidence analysis, such as why, who, where and how (Zachman, 1987) [29]. These
evidence types are as follows:

- Identity: Covers data that identifies the subjects involved in the incident.
- Location: Covers data that shows the accurate location of the event.
- Time: Covers data that helps in inferring the time of the event.
- Context: Covers data that offers sufficient background, such as event nature and user
  activities, to describe the incident.
- Motivation: Covers data utilised to ascertain the triggers that resulted in the event.
- Means: Covers data that explains how the event occurred or which means were utilised.

Even if it is assumed that the data is produced in an uninterrupted and deterministic manner,
and that its acquisition is feasible, evidence will not necessarily always exist. Therefore,
three levels of direct correlation or association between an evidence type and a data source
are used (Mylonas et al., 2011) [12]: Strong, indicating that the data source provides
possible evidence in most cases; Weak, indicating that the source may provide evidence
depending on its state; and None, meaning lack of association. The list below correlates the
data sources with the evidence types:

- Messaging Data: Includes SMS, MMS, chats and e-mails, which often act as potential
  evidence. This data reveals the subjects and the time, due to which it is strongly
  associated with the identity and time evidence types. It might also show location and
  motive.
- SIM Card Data: Contains distinct identifiers such as the Integrated Circuit Card ID
  (ICCID) (Jansen & Ayers, 2007) [18] serial number to identify the owner of the smart
  phone, which means it is strongly correlated with identity evidence. It may also hold data
  such as contacts and SMS that can help in inferring other evidence types through a weak
  correlation.
- Device Data: Includes system identifiers to recognise a subject from the records of the
  service provider, along with file system metadata that can show time. Therefore, it is
  strongly associated with identity and time evidence. Device data may also contain
  user-created data such as multimedia files that reflect means or motive. Further, it can
  contain sensor data to show location, means and context.
- Usage History Data: Shows time and reflects means, so it is strongly associated with the
  corresponding evidence types. In a few cases, wireless communication logs such as MAC and
  Bluetooth pairing logs (Mylonas, 2008) [30] tend to show the device location and the
  user's identity, indicating a weak correlation with location and identity evidence.
- Sensor Data: Is weakly associated with the context evidence type, as the data is utilised
  to deduce context. This is evident when a microphone is used remotely to gather speech
  that can provide data of different evidence types. However, sensor data is strongly
  associated with the location evidence due to GPS coordinates usually stored in the
  Exchangeable Image File Format (EXIF) data of the produced image (Valli & Hannay, 2010)
  [31].
- Application Data: Contains cached maps and data generated by navigation and social
  networking apps that show location and other details, thus having a weak correlation with
  the respective evidence type.
- User Input Data: Is weakly linked to the identity evidence, as it may help in recognising
  a subject through examination of keystrokes. If a keystroke cache reflects more relevant
  data related to the crime, it shows a weak correlation with the other corresponding
  evidence types.
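
The SIM Card Data item above relies on the ICCID as identity evidence. As an added example (not part of the original paper), the Python code below decodes an ICCID from the raw bytes of the card's ICCID file, checks its Luhn check digit and compares it with a provider record. The 10-byte nibble-swapped BCD layout, the "89" telecom prefix and the Luhn check digit are taken from the SIM and ITU-T E.118 specifications rather than from this paper; the sample bytes, the provider record and all function names are constructed for illustration.

```python
"""Decode and sanity-check an ICCID read from a SIM (added example)."""

EF_ICCID_LENGTH = 10   # bytes in the card's ICCID file (from the SIM specification)
TELECOM_PREFIX = "89"  # ITU-T E.118 major industry identifier for telecom cards


def decode_ef_iccid(raw):
    """Return the ICCID digits stored as nibble-swapped BCD with 0xF padding."""
    if len(raw) != EF_ICCID_LENGTH:
        raise ValueError(f"expected {EF_ICCID_LENGTH} bytes, got {len(raw)}")
    # Each byte holds two digits, low nibble first: 0x98 -> "89".
    swapped = "".join(f"{byte & 0x0F:x}{byte >> 4:x}" for byte in raw)
    digits = swapped.rstrip("f")  # a 19-digit ICCID is padded with one 0xF nibble
    if not digits.isdigit():
        raise ValueError(f"non-decimal nibble in ICCID data: {swapped}")
    return digits


def luhn_valid(number):
    """True when the last digit is the correct Luhn check digit for the rest."""
    total = 0
    for position, char in enumerate(reversed(number)):
        digit = int(char)
        if position % 2 == 1:  # double every second digit, counting from the right
            digit = digit * 2 - 9 if digit > 4 else digit * 2
        total += digit
    return total % 10 == 0


def examine_iccid(raw, provider_record=None):
    """Summarise what the ICCID bytes say and whether they match a record."""
    iccid = decode_ef_iccid(raw)
    findings = {
        "iccid": iccid,
        "telecom_prefix": iccid.startswith(TELECOM_PREFIX),
        "luhn_ok": luhn_valid(iccid),  # False suggests a bad read or altered data
        "matches_record": None,
    }
    if provider_record is not None:
        record = "".join(ch for ch in provider_record if ch.isdigit())
        # Assumption: a record may list the ICCID without its check digit.
        findings["matches_record"] = record in (iccid, iccid[:-1])
    return findings


# Constructed sample: ICCID 8944000000001234567 as it would sit in the card file.
SAMPLE_EF_ICCID = bytes.fromhex("984400000000214365f7")

if __name__ == "__main__":
    report = examine_iccid(SAMPLE_EF_ICCID, "8944 0000 0000 1234 567")
    for key, value in report.items():
        print(f"{key}: {value}")
```
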

2.5 Possible Crimes

According to the Department of Justice (Kunz & Wilson, 2004) [32] in the United States,
computer crime refers to any breach of criminal law that entails expertise in computer
technology for its execution, examination or prosecution. Reasonably, critics quickly pointed
out that although this definition might include computer crimes, it is not narrow enough to
exclude other forms of crime (Goodman, 2001) [46]. Later, many definitions were established
revealing different parameters forming a part of crime, but they all had limitations. It was
finally proposed that the definition must be uniform and flexible enough to be applied to
situations wherein a computer resource is the medium of the victim and doer. Compiling these
parameters, a working definition was proposed: using or leading to the use of a computer
resource for obtaining goods or possessions illegally or for harming another entity (Kunz &
Wilson, 2004) [32].

In a mobile scenario, several types of crimes exist. It is the responsibility of a forensic
investigator to gather evidence for these crimes, if they are committed. The National
Institute of Justice document Electronic Crime Scene Investigation (Holder, Robinson & Rose,
2009) [48] specifies several digital crimes along with the correlated evidence sources, which
are listed below.

- Child Abuse or Exploitation: Refers to the immoral manner in which a child is treated or
  used, which might influence their psychology as well as development. The possible data
  sources acting as evidence for such crimes include Internet history logs, photos, SMSs,
  MMSs, social media pages, videos, chat logs, Internet searches and notes.
- Identity Theft: Includes crimes that extract personal details such as a bank account
  number or Facebook credentials for unauthorised purposes. The possible sources that may
  support or disprove such crimes include electronic money transfers, e-mail in the name of
  the victim, online transaction records, financial records and forged signatures or
  documents.
- Threats or Harassments or Stalking: Refers to behaviours that upset or bother someone. In
  this case, the evidence can come from call logs, maps, GPS co-ordinates, e-mails, chats,
  legal documents, messaging service and notes (Alghafli et al., 2011) [10].
- Murder: Indicates killing deliberately. The evidence of such a serious crime can be
  gathered from calendars/notes, contacts, Internet history logs, images, medical records,
  financial/asset records, will-making app, credit card information and online banking
  software.
- Counterfeiting: Refers to illegal activities for imitating the original. The useful data
  sources for investigating such a crime include credit card information, forged digital
  signatures and financial records.
- Intrusion: Refers to the act of gaining unauthorised access in order to introduce
  malicious software, such as software carrying a virus. This crime can be investigated
  through the relevant data sources such as GPS, camera, wireless connection logs, network
  addresses and damaged parts of a smart phone.
- Drugs: Involves revealing and sharing illegal drugs that are known to relieve pain but
  badly affect specific brain functionality. The possible evidence for such a crime can be
  gathered from credit card information, online purchases, digital money transfers, GPS,
  photos of drugs, videos of drug use, e-mails and browsed sites related to drugs (Alghafli
  et al., 2011) [10].
- Terrorism: Involves any harmful activity against the public at large for accomplishing a
  political or any other stubborn goal. Evidence for such a crime can be collected from VoIP
  apps, big money transfers, credit card information, GPS, online banking software, stolen
  phones, forged files, accounting software, e-mails, maps of the location and messaging
  service.
- Cyberterrorism: Refers to attacks on electronic resources to cause fear. Denning (2004)
  [42] defines it as unlawful attacks against networks, devices and stored information to
  frighten their users for gaining a political or social objective. Sources of evidence
  include damaged hardware, non-responding software and denial of service.

Apart from these crimes, some further crimes also occur whose evidence can be collected from
a smartphone. These are discussed below.

- Spam: Refers to the bulk distribution of e-mails that offer attractive deals which are
  false in reality. Here, the main source of evidence is the e-mail. The Jeremy Jaynes case
  in Virginia shows what an offender can do through such an activity. Jaynes was the first
  to be convicted and found guilty of spam (Associated Press, 2005) [35].
- Gambling: This is more common in the domain of sports. The smart phone data sources that
  can be related to such a crime include accounting software, financial records, online
  money transfers, surfed gambling sites, e-mails, calls recorded through a monitoring app
  and messaging service.
- Domestic Violence: It covers any cruel action that tends to harm someone in a home or
  locality. For collecting evidence relevant to the crime, the investigator might rely on
  call logs, the environment recorded through a monitoring app for smart phones, chats,
  legal documents, financial records and e-mails or notes involving the experience of the
  victim.
- Prostitution: This is another crime whose evidence can be collected through smart phones.
  Sources of evidence include calendars, credit card information, online banking software,
  photos, digital money transfers, financial documents, medical records, browsed escort
  sites, chats and MMS (Kunz & Wilson, 2004) [32].
- Online Pornography: Whether the target is kids or adults, this crime involves the use of
  digital resources to share sexually provoking media. The evidence of such a crime usually
  exists in the form of photos, videos, MMSs, SMSs, surfed sites and chats.
- Software Piracy: This refers to the use of software in a way that infringes the exclusive
  copyrights of the owner or holder. The evidence for such a crime can be collected from
  software activation codes, software copy makers, chats or e-mails of duplicate codes and
  surfed sites for code hacking.
- Denial of Service: CERT (2001) [41] describes this crime as preventing or restricting
  access to services through resource overloading, configuration changes and connection
  disabling. Therefore, the potential sources of evidence for such a crime can be the
  setting options of the phone or app and resource usage.
- Telecommunication Fraud: This refers to the misuse of a phone and its resources for
  fulfilling a malicious goal. In the world of smartphones, it includes much more than
  identity theft, such as fraud related to the Internet and telemarketing. These crimes can
  be traced back through data sources such as call history, e-mails, chats, surfed
  suspicious sites, blocked call lists and SMSs.

2.6 The Forensic Process

Generally, the forensic process consists of four phases, as illustrated in Figure 7.

Figure 7: Digital Forensic Process

Preservation -> Acquisition -> Examination & Analysis -> Presentation

Source: Adopted from Alghafli et al. (2011) [10]

In the Preservation phase, the investigator needs to preserve the smart phone in its actual
state (Alghafli et al., 2011) [10]. This means that no data or part should be changed.
Logically, it is essential to protect the digital evidence source in its original condition.
Any failure to protect the evidence in the phone will lead to failure of all the subsequent
stages of the forensic process.

If the device is switched on, the investigator should use a portable power source. This helps
keep the device's original state intact and eliminates the risk of data loss should it run
short of battery power. Moreover, the phone needs to be packed in a container that is
isolated from radio frequencies. This prevents the suspect from accessing the device through
wireless signals to remove the evidence.

The Acquisition stage begins when the device reaches the forensic lab after preservation.
Initially, the authorised examiner identifies the phone's type as well as its model (Jansen &
Ayers, 2007) [18]. This is followed by selecting the most suitable acquisition tool, a task
that is somewhat hard because of the plethora of device models available in the market.
Moreover, one cannot ignore the wide range of duplicate devices that work differently from
the original ones. This requires the examiner to go through the user manual, wherein the
device's operation and compatible power/data cables are described accurately.

Next, depending upon the kind of SIM and memory available, an imaging tool is selected for
memory as well as SIM imaging. When the image is ready, it is checked for integrity. For this
check, a hash function is used, which generates a hash digest of the preserved data. If the
preserved data is changed, the hash digest also changes, which indicates that the preserved
data has been tampered with. Likewise, the digest will not change if the preserved data has
remained intact since the time the device was collected. Therefore, a hash digest produced by
a hash function is an easy method to prove the integrity of the device. Usually, all the
steps taken in this stage of acquisition are documented (Alghafli et al., 2011) [10].
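
The integrity check described above, as an added example that is not part of the original paper: the Python code below hashes an acquired image in chunks at acquisition time, re-verifies a copy later, and documents both steps in a log whose entries are chained by hash so that edits to the documentation are detectable. The hash-chained log, the function names and the sample data are assumptions made for illustration and go beyond what the text describes.

```python
import hashlib
import io
import json
from datetime import datetime, timezone

CHUNK_SIZE = 1024 * 1024  # read in 1 MiB pieces; device images rarely fit in RAM


def digest_stream(stream, algorithms=("sha256", "sha512")):
    """Hash a binary stream in one pass, feeding every algorithm from each read."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    size = 0
    while True:
        chunk = stream.read(CHUNK_SIZE)
        if not chunk:
            break
        size += len(chunk)
        for hasher in hashers.values():
            hasher.update(chunk)
    return {"size": size,
            "digests": {name: h.hexdigest() for name, h in hashers.items()}}


class AuditLog:
    """Append-only record of steps; each entry commits to the one before it."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _entry_hash(entry):
        material = {k: v for k, v in entry.items() if k != "entry_hash"}
        encoded = json.dumps(material, sort_keys=True).encode("utf-8")
        return hashlib.sha256(encoded).hexdigest()

    def append(self, action, examiner, details):
        previous = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {
            "time": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "examiner": examiner,
            "details": details,
            "prev_hash": previous,
        }
        entry["entry_hash"] = self._entry_hash(entry)
        self.entries.append(entry)
        return entry

    def is_intact(self):
        """Recompute the chain; an edited entry, or one cut from the middle, breaks it."""
        previous = self.GENESIS
        for entry in self.entries:
            if entry["prev_hash"] != previous:
                return False
            if entry["entry_hash"] != self._entry_hash(entry):
                return False
            previous = entry["entry_hash"]
        return True


def record_acquisition(log, label, stream, examiner):
    """Hash the image as acquired and document the reference digests."""
    reference = digest_stream(stream)
    log.append("acquire", examiner, {"label": label, **reference})
    return reference


def verify_image(log, label, stream, reference, examiner):
    """Re-hash a copy; return the names of the fields that no longer match."""
    current = digest_stream(stream, tuple(reference["digests"]))
    mismatches = [] if current["size"] == reference["size"] else ["size"]
    for name, expected in reference["digests"].items():
        if current["digests"][name] != expected:
            mismatches.append(name)
    log.append("verify", examiner,
               {"label": label, "mismatches": mismatches, **current})
    return mismatches


def demo():
    """Constructed data: a stand-in image and a copy with one flipped bit."""
    image = bytes(range(256)) * 5000
    altered = bytearray(image)
    altered[123456] ^= 0x01
    log = AuditLog()
    ref = record_acquisition(log, "handset-flash.bin", io.BytesIO(image), "examiner-a")
    clean = verify_image(log, "handset-flash.bin", io.BytesIO(image), ref, "examiner-b")
    dirty = verify_image(log, "handset-flash.bin", io.BytesIO(bytes(altered)), ref,
                         "examiner-b")
    return clean, dirty, log


if __name__ == "__main__":
    clean, dirty, log = demo()
    print("unaltered copy mismatches:", clean)
    print("altered copy mismatches:", dirty)
    print("audit log intact:", log.is_intact())
```
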

In the Examination and Analysis phase, the investigator needs to determine the tools that can
support forensic scrutiny of the smart phone under investigation. The forensic investigator
can utilise a variety of tools such as Oxygen Phone Manager (Phone manager II, 2011), XRY
(What is XRY 2011) and Paraben Seizure (Device Seizure, 2011). However, because these tools
tend to work completely and precisely only with a few smart phones, the investigator needs to
identify the correct tool for the smart phone to be analysed.

What is even more important to keep in mind is that the size of storage is inversely related
to the speed of the forensic process. The larger the storage, the slower the forensic
process, because of the increasing volume to be analysed. There is no straightforward answer
to the question of where to seek evidence, as not all evidence tends to be unambiguous and
easily obtainable (Solomon, Barrett & Broom, 2005) [57]. The answer depends on the kind of
crime committed. For example, if the crime is child pornography, the examiner should look for
evidence in images and chats.

The fourth stage, Presentation, deals with presenting the examined evidence and takes place
once the results are found in the third phase. This means that the presentation reveals the
results of the analysis done in the above phase. In this stage, the investigator proves one
or multiple facts to the audience with the help of the obtained evidence. Herein, the
investigator prepares a well-structured report of the obtained results and explains the
evidence in simple language so that the audience can comprehend it despite having little or
no knowledge of digital technology. Prior to creating the presentation, the investigator is
required to know the entire background of the viewers or listeners to whom she or he is going
to prove the results (Solomon et al., 2005) [57]. It should be noted that expectations tend
to differ with background, so different audience groups will expect different things. For
instance, company managers will expect something completely different from what a jury panel
expects. Therefore, a presentation should meet the expectations of the diverse groups present
in the audience so that they are convinced.

2.6.1 Principles

Depending on the circumstances of the events that occurred as well as the experience of the
forensic team, an investigation can be tackled in different ways. One can compare digital
investigations to crime scenes, wherein analytical techniques based on law enforcement are
applied for implementing actions and applying principles to deal with digital evidence. As a
setting for the digital investigation, a few principles are proposed for tackling digital
evidence that is fragile, particularly evidence present on a smart phone. Such evidence
usually has two aspects:

- The physical aspect: media and peripherals holding data
- The data fetched from these sources (Jansen & Ayers, 2007) [18]

The Association of Chief Police Officers (ACPO) recommends four chief principles for
tackling digital evidence, which are listed below (Williams, 2012) [68].

- None of the actions of an investigator should alter the data stored on any digital device,
  or on any of its peripherals or components, that may subsequently be relied upon in a
  court of law.
- An audit trail or documentation of the implemented procedures, suitable for an independent
  third party to reproduce the findings, needs to be generated as well as preserved. The
  overall records should precisely document each analytical step.
- Individuals gaining access to the preserved or original data need to be knowledgeable
  enough to do so. Further, they should possess the aptitude to describe and justify their
  actions.
- The person authorised for the investigation is responsible for ensuring that the
  previously mentioned procedures are executed in agreement with the prevailing laws
  (Williams, 2012) [68].

2.6.2 Schemes

This section features proactive investigation, wherein ad hoc acquisition of smart phone
evidence occurs. Such an investigation may take place for examining crimes that are severe as
per the legal context. Examples of such crimes include offences against the public and the
state. The proposed scheme involves three key roles, as shown in Figure 8: Investigators
performing a proactive investigation, the Independent Authority (IA) or Third Party, and the
Suspects.

Figure 8: Proactive Forensics Scheme

Source: Adopted from Mylonas et al., (2011) [12]

In Figure 2, the IA forms the basis of the investigation, as it pools evidence from the
Software Agent (SA) contained in the suspect's phone, stores it for a period specified by the
prevailing law and authorises investigators' requests for investigation against the people
concerned. Apart from the assumption that only severe crimes are investigated, the IA is also
assumed to maintain a database for storing and securing evidence data so that forensic
reliability and confidentiality are assured. Such a framework aims at preventing the
investigators or other involved entities from misusing the evidence gathering procedure.

Herein, it is also assumed that the IA manages the SA and that the latter is located on the
suspect's phone (Mylonas et al., 2011) [12]. Furthermore, the IA is capable of initiating the
process of collecting different evidence types from the chosen smartphone components.

In this architecture, the investigator is responsible for producing a hypothesis: a report
based on the inspection and analysis of acquired evidence that is acceptable to the court of law.
He or she might appeal to the IA for a proactive investigation when other means of
gathering data either cannot acquire the necessary evidence or gather less
precise data that is ineffective as evidence for presentation in the court of law. For instance,
a GPS location is much more precise than the estimated location that the phone provider
offers. The scheme features six chief processes that are discussed below (Mylonas et al.,
2011) [12].

Investigation Commitment: Splits into the Investigation Request (IR) made to the IA by the
investigator and the Investigation Session (IS) offered to the requester on approval of
the IR.
Type of Evidence Selection: Involves the investigator choosing the relevant evidence types
as per the association between the evidence and smart phone data
sources. For example, a configuration request may be created for the purpose of
collecting SA evidence, wherein the preferred data sources (sensors and logs) are
stated, and which is finally sent to the IA. The IA acts on the request by collecting
evidence from the SA, provided the configuration request details comply with the
permission level of the IS. This is how misuse of the evidence gathering process is
averted (Mylonas et al., 2011) [12].
Evidence Gathering: Occurs whenever the configuration is changed. As per the
configuration attributes such as duration and data source, the SA yields potential
evidence and implements integrity checks for preparing the evidence for the next
process.
Transmission: Involves the use of the Evidence Transmission Protocol (ETP), which
contains messages for gathering all data sources through different transport channels.
It also enforces security properties such as confidentiality, integrity and authenticity (Mylonas et
al., 2011) [12].
Storage: Involves storing potential evidence obtained from the SA in the database of
the IA. The preserved evidence is reused for further analysis before being presented in
court, and the investigator is given only limited (e.g. read-only) access to it
via an interface.

2.6.3 Roles

Regardless of the type of event, the roles contributing to the forensic process remain
almost the same. While planning, the experts focus on these roles along with their
responsibilities in an investigation. Listed below are the generic roles
involved in the forensic process of smartphones.

Initial Responders: Refer to the qualified professionals who first reach the
scene of an incident, offer a preliminary judgment and start with the apt reaction. Their
responsibilities include protecting the scene of the incident, requesting the required
support and helping in gathering evidence (Jansen & Ayers, 2007) [18].
Investigators: Are responsible for planning and supervising the preservation, acquisition,
examination, evaluation and reporting of the digital evidence. The Lead Investigator ensures
that activities at the site are carried out in the correct order as well as at the precise
time. He or she may also develop the evidence, create a report, convey results and
purposes to the senior executives and discuss with the Examiner (Williams,
2012) [68] to ensure all evidence is present in the report.
Forensic Evidence Examiners: Refer to trained professionals who replicate the images
acquired as well as recover data from the seized equipment. It is advised not to have a
single individual act as both examiner and investigator in an investigation. The
Examiners also make related information on the device visible and obtain more subtle data
through special tools or methods, such as rigorous reverse engineering, which are not
accessible to the Technicians.
Technicians: Perform actions as directed by the Lead Investigator. Usually,
several technicians are involved due to the need for diverse knowledge and skills. They are
qualified professionals who are responsible for recognising and gathering evidence,
documenting the scene, seizing digital equipment and acquiring images of the data residing in
the memory (Jansen & Ayers, 2007) [18].
Custodians: Secure all the gathered evidence stored in an intermediate location,
acknowledge evidence that the Technicians gather, preserve a strict chain of custody and
ensure apt tagging of the evidence.
Forensic Analysts: Assess the results of the Examiner to establish their probative
significance in the process.

As per the case, a single professional may be required to perform multiple roles or the
organisations may choose to mix these roles to complement their way of dealing. Even so, it
is useful to differentiate roles so that the corresponding responsibilities can be easily
identified for smooth functioning of the overall process.

2.7 Preservation of Evidence

It is essential to preserve the evidence in its original state so that it can be used
successfully, in a less formal trial or in a court of law. In case the relevant evidence is not
preserved well, it may render the entire investigation futile due to the loss of beneficial case-
related details. Therefore, preservation is indispensable in any forensic investigation.

Evidence preservation refers to the process of confiscating the property of a suspect
without modifying or altering the data stored on detachable media and devices (Xenofon, U.S
Department of Justice, 2001) [70]. Considered the first step towards digital evidence
recovery, preservation includes looking for, identifying, documenting and gathering
electronic evidence.

According to the Good Practice Guide for Computer Based Electronic Evidence, the
guidelines listed below should be followed while dealing with smartphones:

Before investigating, think about the other evidence types, such as fingerprints and
DNA, which are required from the device, and abide by
the suitable handling procedures accordingly.
Switch off the device, or at least its network interfaces such as Wi-Fi and Bluetooth, to
prevent the risk of potential data loss due to battery depletion or any network activity
that can overwrite recoverable or pertinent data such as call logs. In case you
decide to keep the phone on until it is transported to the lab, ensure that it is
charged regularly and is protected from tampering.
Pack the device in a firm container secured with support ties to prevent any
unintentional operation in transit. It is wise to place this container in a sealed bag
to limit access and to complete all the tasks related to labelling for demonstration
(Williams, 2012) [68].

2.7.1 Investigating and Documenting the Scene

This stage involves ensuring people's safety at the scene, safeguarding the
integrity of conventional as well as digital evidence, assessing the scene and creating a search
plan, acknowledging potential evidence, conducting interviews, and documenting, securing
and photographing the evidence.

Making sure that appropriate approvals, such as the owner's consent or a search warrant, are
obtained is a prerequisite for starting an investigation. While searching the event site, the
authorised team should progress carefully so that improper handling of the
smartphone or an incorrect step during seizure does not result in loss of evidence (Jansen &
Ayers, 2007) [18].

The team needs to be well versed with the phone's characteristics and concerns, along
with its associated accessories such as cables, media and adapters. Such
familiarity helps in searching for evidence with a foolproof procedure targeting the different
evidence sources, including the media, SIM, and logs. Apart from the place where the device is
found, the adjacent places such as rooms and grounds should be searched so that connected evidence
is not ignored. Moreover, associated equipment, such as removable media (for example memory
cards) and personal computers with which the phone is synced, should not be overlooked. The
team must also keep in mind that removable media can be small enough to stay hidden, which
can make searching difficult (Ayers, Brothers & Jansen, 2013) [21].

When it comes to interviewing the user of the found phone, it is wise to ask for any
passwords and security codes required to access the stored data (U.S. Department of Justice,
2008) [62]. For instance, the user might have set up a PIN, lock code or master reset code for
clearing the data on the phone and restoring it to its original factory state, which the
investigation team needs to know. Once the phone is found, neither the user nor the suspect should be
allowed to use the device. Similarly, the battery should not be removed because of the risk of
content loss.

The team may find the smartphone in a compromised state,
which can make seizure difficult. For example, the phone may be immersed in a liquid. In this
case, the team should remove the battery to avert electrical shock and then seal the phone
in a suitable container filled with a non-caustic liquid for transport to the lab (Jansen & Ayers,
2007) [18].

Other compromised or damaged states can be due to an accident, use with volatile items
such as a bomb, or blood contamination. In such cases, a specialist must be consulted for safe
and smart assistance on seizing the device. However, media or devices appearing
damaged does not mean that the data stored on them is damaged. Therefore, a closer inspection at the
lab can help in repairing as well as restoring the phone's compromised components for deep
examination. If the memory parts are found undamaged, the team can remove them and
recover their contents separately.

If need be, the team can also consult legal advisors on two legal considerations (U.S.
Department of Justice, 2008) [62]:

Identifying the extent of searching and the additional legal procedures for proceeding, in
case the evidence found at a place is not covered by the original search authority
Recognising potential concerns regarding the pertinent local laws and policies along
with the State, Federal and International decrees, such as the Cable Communications
Policy Act (CCPA)

Apart from digital evidence, non-digital evidence such as packaging material, manuals
and invoices may offer useful details about the features and abilities of the phone and its
network. Documenting covers both types of evidence and includes:

Photographing the crime scene, digital devices, and their supporting equipment
storing data
Recording all visible data
Preparing a report about the state of each device and peripheral encountered,
including any computer that later proves to be a useful source (Warren, Kruse &
Heiser, 2001) [64]
Noting the case number, date and time of gathering the evidence, signature and a short
description of the case

While photographing, it is essential to avoid contaminating or touching the phone or its
surroundings. In case the display screen is viewable, it makes sense to photograph the
screen's contents and even record them manually to capture the time, battery level, status
and other icons. Moreover, other visible identifiers such as physical connectivity, LED light
and physical condition should be photographed or noted. Much care should be taken when
collecting non-visible data because doing so can affect the device's state in an undesired manner. For
instance, opening an application may overwrite a specific memory area or activate virus
code (Warren, Kruse & Heiser, 2001) [64].

In short, the documentation should answer: who collected the evidence, how and where; who took
custody; how it was stored and safeguarded; and who removed it from storage and why it was
removed (Ayers, Brothers & Jansen, 2013) [21].

2.7.2 Gathering Evidence

This step involves handling and recovering physical and digital evidence in a way that
conserves its significant value in fighting the case legally. Recovering non-digital evidence
may include obtaining written passwords, manuals, notes, photos, calendars, printouts, and
literature. Below are a few guidelines on proper gathering of evidence.

Detaching the smartphone from other synchronised devices so that the existing data is
not corrupted through transfers or overwrites, such as by turning the phone off,
placing it in a stiff container or activating airplane mode (Burnette, 2002) [39]
Detaching the powered-on smartphone from network interfaces to prevent transfers or
overwrites, such as by placing it in a shielded bag or shielding the work area
Maintaining the battery at an apt power level until acquisition occurs successfully, via
diverse but compatible chargers, switching the device off where the risk of an authentication
mechanism engaging when it is turned on again is lower, or activating power saving mode
Seizing synchronised devices and any related hardware
Replacing alkaline and rechargeable batteries quickly, before transit (The mobile
phone forensics sub-group, 2006) [61]
Dealing smartly with security mechanisms, malicious apps, geo-fencing settings, alarm
settings for remote activation and key remapping options for restoring default
function settings

2.7.3 Transmitting and Storing Evidence

When the smart phone is ready for confiscation, the expert who seized it seals it in a
static-proof evidence bag and signs and dates the label or tag to commence a chain
of custody. Apart from documenting the evidence, it is beneficial to assign the duty of
taking custody of the evidence to an individual. The custody chain procedure is simple and consists of
documenting the complete journey of the evidence during the case's investigation. Careful
preservation of the chain ensures the evidence's integrity and keeps tampering at bay (Ayers,
Brothers & Jansen, 2013) [21].
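
The custody chain described above can be kept as an append-only log in which every entry carries the hash of the previous one, so that a later edit or a gap in the hand-over sequence shows up on verification. The following Python code is an added example, not part of the original guide; the field names, action names, people and case number are assumptions constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash used by the first entry of every log
# Assumed rule: hand-overs and removals from storage must state why.
REASON_REQUIRED = {"transferred", "removed_from_storage"}


def entry_digest(body):
    """SHA-256 over a canonical JSON encoding of an entry without its own hash."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class CustodyLog:
    """Append-only custody record for one evidence item (hypothetical layout)."""

    def __init__(self, case_number, item):
        self.case_number = case_number
        self.item = item
        self.entries = []

    def record(self, action, released_by, received_by, location, timestamp,
               details, reason=""):
        """Append one custody event and chain it to the previous entry."""
        body = {
            "case_number": self.case_number,
            "item": self.item,
            "seq": len(self.entries) + 1,
            "action": action,            # what happened
            "released_by": released_by,  # who gave the item up
            "received_by": received_by,  # who took custody
            "location": location,        # where
            "timestamp": timestamp,      # when (ISO 8601, UTC)
            "details": details,          # how it was collected, sealed or stored
            "reason": reason,            # why it changed hands or left storage
            "prev_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        entry = dict(body, entry_hash=entry_digest(body))
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return a list of problems; an empty list means the chain is intact."""
        problems = []
        prev_hash, holder = GENESIS, None
        for entry in self.entries:
            seq = entry["seq"]
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if entry_digest(body) != entry["entry_hash"]:
                problems.append(f"entry {seq}: content does not match its hash")
            if entry["prev_hash"] != prev_hash:
                problems.append(f"entry {seq}: link to previous entry is broken")
            if holder is not None and entry["released_by"] != holder:
                problems.append(
                    f"entry {seq}: released by {entry['released_by']} "
                    f"but {holder} held the item")
            if entry["action"] in REASON_REQUIRED and not entry["reason"].strip():
                problems.append(f"entry {seq}: no reason recorded")
            prev_hash, holder = entry["entry_hash"], entry["received_by"]
        return problems


def build_sample_log():
    """Constructed sample: one phone from seizure to the examiner's bench."""
    log = CustodyLog("CASE-0000", "smartphone in evidence bag 1")
    log.record("collected", "scene", "Technician A", "desk in room 2",
               "2018-01-10T09:15:00Z",
               "powered on; sealed in RF isolation bag with portable power supply")
    log.record("transferred", "Technician A", "Custodian B", "lab intake",
               "2018-01-10T11:40:00Z", "seal intact; tag signed and dated",
               reason="transport to forensic lab")
    log.record("stored", "Custodian B", "Custodian B", "evidence locker 3",
               "2018-01-10T11:55:00Z", "locked, cool, access controlled")
    log.record("removed_from_storage", "Custodian B", "Examiner C",
               "evidence locker 3", "2018-01-11T08:30:00Z",
               "seal intact on release", reason="memory acquisition")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact log:", log.verify())
    log.entries[1]["received_by"] = "Unknown D"   # simulate a later edit
    for problem in log.verify():
        print("tampered log:", problem)
```

The chain only proves internal consistency; writing the latest entry hash on the signed evidence tag gives the log an anchor outside the file.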

The device should be placed safely such that the keys are not accidentally pressed
while in the bag. Further, the device's radio signal needs to be attenuated. Therefore, the bag
needs to be a sturdy radio frequency isolation container. The expert may use a separate
external power charger in the bag, a power adaptor connecting the device with volatile memory
through a hole in the bag, or a compatible adapter cable to retain the full power level of the battery
during transit. If a power adapter is used in the aforementioned bag, the cable needs apt
shielding to prevent it from acting as an antenna (Jansen & Ayers, 2007) [18].

Because smart phones are fragile, they need to be transported with protection from
extreme temperature, moist weather, magnetic items, collision, breakage and shock. In case
the found phone is highly volatile in nature, the custodian needs to be told so and that
the phone needs to be analysed immediately in a forensic lab.

Moreover, smartphones stored for over a few days are susceptible to data loss and
power depletion if there is no process to prevent the same. In short, all evidence must be
stored in secure containers amidst cool surroundings for preservation and controlled access as
well as for compliance with the departmental policies (U.S. Department of Justice, 2001)
[60]. The preservation phase can be summarised as shown in Figure 9.

Figure 9: Steps in Preservation Phase

Start
Cordon the crime scene
Exclude all unauthorized persons from the crime scene
Document the scene (description text, picture or video)
Decision: Have DNA traces been collected from the scene?
No: Do DNA analysis by the specialist people
Yes: continue
Collect smart phone devices
Decision: Is the device state on?
Yes: Plug in portable power supply
No: continue
Put the smart phone device in radio isolated container
Transport the container to the forensic lab
Document all the steps that were done
End
Source: Adopted from Alghafli, Jones and Martin (2011) [10]

2.8 Acquisition

This stage features the imaging process for gaining information from the preserved
smart phone along with its media and accessories. Although doing so at the scene eliminates
the risk of data loss due to damage during transit or storage and battery depletion, it is not
always possible to get a controlled setting, obtain suitable equipment and fulfil other
prerequisites at the scene (Jansen & Ayers, 2007) [18]. However, all of them are promptly
attainable in a forensic lab for successful acquisition. Therefore, acquisition occurs at a
forensics lab after checking the seized items in the evidence bag.

2.8.1 Identifying the Device

This step marks the beginning of forensic examination. The device type and its
characteristics, along with its operating system, determine the procedure to apply for making a
forensic replica of the device's content. The phone type usually determines the imaging tools to
be used, but only a few forensic tools exist for dealing with some phone types; no single tool
exists to deal with every kind of smart phone in the market (Ayers, Jansen, Cilleros &
Daniellou, 2005; Ayers, Jansen, Delaitre & Moenner, 2007) [26,27].

A smart phone can be identified through the model, make, manufacturer and service
provider. In case it is on, the information on the display can aid in identification. For instance,
the screen may display the name of service provider or manufacturer, or even the operating
system in use that can be otherwise found by the synchronization app found on the connected
computer. Other items that facilitate identification include manufacturer logos, power
adapter, cradle and serial numbers. Nevertheless, here are the sources that may reveal the
make, model and manufacturer.

Device Label: Shows the model number and distinct identifiers, such as the Federal
Communications Commission Identification Number (FCC ID) and an equipment
identifier such as the ESN or IMEI. This label is located in the battery cavity, which is useful
when the phone is switched off.
o IMEI: 15-digit number on GSM devices, of which the first 8 digits indicate
the country and model and the remaining digits are manufacturer specific and
end with a check digit (GSM Association, 2013) [47].
o ESN: 32-bit identifier recorded on a secure chip by the manufacturer, of which the initial 8-14
bits denote the manufacturer and the remaining bits are the serial number.
Several phones have codes to display the ESN. Manufacturer codes are
available at the official site of the Telecommunications Industry Association.
o USIM's ICCID: Up to 20 digits that denote an industry identifier (89 in the
case of telecommunication), country code, supplier identifier and personal
account identifier (ITU-T, 2006) [49]. If it is not visible, it is obtained through
one of the USIM acquisition tools.
o FCC ID: 17-digit identifier with the initial three characters representing the
company code and the remaining ones showing the product code.
o MEID: 56-bit identifier whose first three fields show the regional
code, followed by a 24-bit manufacturer code as well as a manufacturer-assigned
serial number. The MEID was aimed at replacing ESNs, which were exhausted by 2008.
Device Interface: The power connector, data cable interface, and size are
manufacturer-specific, which helps in identification. With more experience, it becomes
easy to identify the manufacturers of specific devices. However, the maintained
interface databases fall short of wide coverage.
Visible Smart phone Characteristics: Include dimensions, weight, display screen
and form factor, which can sometimes help in identifying the make and manufacturer.
There are even sites that you can query by these attributes to identify the
device and get more features (Ayers, Brothers & Jansen, 2013) [21].
Carrier Identification: The phone's exterior might have the logo of the carrier for
branding. A majority of carriers have their logo on the UICC's front.
Reverse Lookup: This is possible if the phone number is known; a reverse
lookup can aid in ascertaining the network operator and the originating state or city. For
instance, the FoneFinder service allows fetching these details when you submit the
area code and the phone number's seventh digit. Because dialling numbers can be ported
among service suppliers, more in-depth details may be required in
some cases (Jansen & Ayers, 2007) [18].
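
Identifiers copied from a device label by hand are easy to mistype, and the IMEI's final check digit (a Luhn digit) catches such errors before the number goes into the case file. The following Python code is an added example, not part of the original guide; it also splits a hexadecimal ESN, reading the text's "8-14 bits" as the two ESN layouts with an 8-bit or a 14-bit manufacturer code, and it recognises the 16-digit IMEISV form, which the guide does not mention. All sample values are constructed.

```python
import re

SEPARATORS = re.compile(r"[\s\-/.]")  # characters added when a label is copied by hand


def luhn_check_digit(payload):
    """Luhn check digit for a string of decimal digits (the 14-digit IMEI body)."""
    total = 0
    # Walk right to left; the digit next to the check digit is doubled first.
    for position, char in enumerate(reversed(payload)):
        digit = int(char)
        if position % 2 == 0:
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return (10 - total % 10) % 10


def parse_imei(label_text):
    """Split an IMEI copied from a label and test its check digit."""
    digits = SEPARATORS.sub("", label_text)
    if not re.fullmatch(r"[0-9]+", digits):
        raise ValueError(f"not a decimal identifier: {label_text!r}")
    if len(digits) == 16:
        # IMEISV: the 14-digit body plus a 2-digit software version, no check digit.
        return {"kind": "IMEISV", "tac": digits[:8], "serial": digits[8:14],
                "software_version": digits[14:], "valid": None}
    if len(digits) != 15:
        raise ValueError(f"expected 15 digits for an IMEI, got {len(digits)}")
    expected = luhn_check_digit(digits[:14])
    return {
        "kind": "IMEI",
        "tac": digits[:8],        # first 8 digits (Type Allocation Code)
        "serial": digits[8:14],   # manufacturer-specific digits
        "check_digit": int(digits[14]),
        "expected_check_digit": expected,
        "valid": int(digits[14]) == expected,
    }


def split_esn(hex_text, manufacturer_bits=8):
    """Split a 32-bit ESN written as 8 hex digits into manufacturer code and serial."""
    cleaned = SEPARATORS.sub("", hex_text)
    if not re.fullmatch(r"[0-9A-Fa-f]{8}", cleaned):
        raise ValueError(f"expected 8 hexadecimal digits: {hex_text!r}")
    if manufacturer_bits not in (8, 14):
        raise ValueError("manufacturer code is 8 or 14 bits wide")
    value = int(cleaned, 16)
    serial_bits = 32 - manufacturer_bits
    return {
        "manufacturer_code": value >> serial_bits,
        "serial": value & ((1 << serial_bits) - 1),
        "manufacturer_bits": manufacturer_bits,
    }


if __name__ == "__main__":
    # Constructed transcriptions of a device label (sample values, not from a case).
    for text in ("49-015420-323751-8", "490154203237528", "4901542032375101"):
        print(text, "->", parse_imei(text))
    for bits in (8, 14):
        print("ESN 9F1A2B3C ->", split_esn("9F1A2B3C", bits))
```

A failed check digit means the number should be read from the label again, not that the device is counterfeit.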

Once the model is known, it is recommended to study the manuals that are
available on the manufacturer's site. Otherwise, simply entering the model number in a
search engine reveals a considerable amount of device details.

2.8.2 Selecting a Tool

Ayers, Brothers and Jansen (2013) [21] have described the criteria listed below as a
primary set of factors for choosing a forensic tool.
Usability: The knack of representing data in a manner useful for the investigator
Precision: The quality that the tool's generated
outcome has been verified
Comprehensive: The knack of representing data in a way that helps the investigator to
identify exculpatory as well as inculpatory evidence
Confirmable: The knack of confirming the output's accuracy by accessing
intermediate presentation as well as translation outcomes
Deterministic: The knack to generate the same output given the same input data and
instructions
Tested: The knack to determine if the recognised data in the internal memory is
shown precisely by the tool
Capability: The ability to encompass the desired features in terms of customisation
and versatility
Quality: The ability to ensure reliability, technical support and smooth upgrade
Affordability: The ability to ensure low cost with high productivity

It is recommended to experiment with different tools on sample smart phones to find out
the most efficient acquisition tools for specific smart phone types (Jansen & Ayers 2007)
[18]. Doing so has two benefits: obtaining familiarity with the tools' abilities, installing new
updates, and setting special purpose filters and configurations for dealing with an actual case.
Although the established procedures tend to aid the acquisition process, novel situations
surfacing occasionally may trigger the need for changes in them. At times, completely
new procedures may be formulated, but they must be tested to ensure fulfilment of the above
criteria. In short, the formulation and validation of applied procedures should be documented
and should encompass the following tasks (U.S. Department of Justice, 2008) [62]:

Identifying the problem
Suggesting probable solutions and testing all of them on a sample but similar test device under
recognised control conditions
Assessing the test outcomes
Finalising the procedure

2.8.3 Memory Considerations and Acquisition

A smart phone can have different types of non-volatile and volatile memory to store
various things, such as operating system and kernel code, user files and memory for
loading OS applications. The memory can be structured into fixed regions for specific data
types such as call logs, contacts, SMSs and calendar entries, or into dynamic zones from a shared
pool. However, it should be noted that the memory type in which different things reside, along
with the structure, tends to differ amongst manufacturers as per the OS used. For a given
model, the storage allocation can differ amongst network carriers and firmware updates
(Vamosi, 2007) [63].

In fact, most mobiles feature a typical arrangement wherein non-volatile memory,
such as a micro hard drive or Flash ROM, stores user files and operating system code. Because
the storage is persistent, the data remains unaltered by full power drainage. On the other hand,
volatile memory is dynamic, and its data is lost upon power drainage.

A USIM also has non-volatile and volatile memory, due to which it can be considered
a reliable sub-processor that interfaces with the device to get power. The non-volatile memory
stores the SIM file system and is structured as a hierarchical tree holding three different
elements: MF as the file system root, DF as the subordinate directory files and EF as files
having elementary data categorised under DFs (Jansen & Delaitre, 2009) [34].

The EFs contain network-based as well as service-related information. Therefore,
different digital evidence data might be present in these scattered EF files and can be
recovered via the USIM; it can include the ICCID, call details, phonebook, messages,
location information and routing area details. Moreover, some USIM information may reside
in the memory as well. Apart from standard files as described in the GSM specifications, the USIM
can also have non-standard files recognised by the network operator (Casadei, Savoldi &
Gubian, 2006) [40].

Memory Acquisition

In most cases, a smartphone is transported to the lab with only specific items requested for
recovery, such as photos and call logs. Although it is not required to recover all the content
stored, a complete acquisition is a wise decision to avoid having to redo the procedure later in
case some more data is needed. Moreover, in case a search warrant limits the data to be
recovered (for example, only chat messages), full data extraction from the memory might be done but only
messages are reported. For acquiring data, the forensic lab needs to establish a connection
with the device. However, before that, the device's or tool's version needs to be documented
besides any valid manufacturer patches applied to the tool (Jansen & Ayers, 2007) [18]. Once
the connection is set up with utmost care to preserve the state, the forensic software toolkit is
used for data acquisition.

The date and time can be a vital piece of information. Although this is recorded at the
time of seizure when the device is ON, it is essential to confirm it at the time of acquisition. In
case the device was off, these details, along with any difference from a reference clock,
should be noted immediately after turning it ON. Moreover, note that acquisition actions such as
battery removal to see the label can change the date and time.

The forensic tools for acquiring data from a memory card usually carry out a logical
acquisition. In case the phone is switched on, the internal memory should be acquired first
before detaching and conducting a physical acquisition of the associated media such as microSD
(Jansen & Ayers, 2007) [18]. In off mode, a physical acquisition of the detachable media
should be performed prior to acquiring the internal memory. Regardless of the acquisition
type, the tool might be unable to decode the recovered data, which may call for more
manual steps. Moreover, due to the changing nature of mobile contents, back-to-back
acquisitions with the same tool can generate varying outcomes, although much of the information
does not change.

After acquisition, the forensic expert needs to confirm that the data was captured
precisely. It is recommended to keep more than one tool ready in case the tool in use
becomes problematic. Manually inspecting the contents through screen menus and recording
them visually allows precise capturing and consistent reporting. Hardware-relevant
techniques can also be considered: via a standardised JTAG interface, if supported, and by reading
the removed memory directly (Sam Brothers, 2008) [55]. However, there are times when
the memory may contain deleted data that is irrecoverable even via manual or
logical acquisition.

2.8.4 Obstructed and Unobstructed Gadgets

A forensic expert may deal with an obstructed or unobstructed smartphone. An
unobstructed gadget, as the name suggests, does not require the user to pass an authentication
technique to access the device for acquisition. Anecdotally, several gadgets seized in real-life
investigations are unobstructed. This category usually includes CDMA, GSM with a USIM
and freestanding USIMs. Depending on the phone type, relevant evidence like user data may exist
in volatile or non-volatile memory.

Although the USIM's memory is non-volatile and recoverable, its removal and
placement inside the phone have forensic consequences for the contents, which cannot be ignored.
To ensure integrity by keeping access to the original data to a minimum, it is suggested to form a master
copy of the phone case file initially, which is then used to create extra mirror images for
45
2017-2018 All Rights Reserved, No part of this document should be modified/used without prior consent Tutors India -
Your trusted mentor since 2001 I www.tutorindia.com
UK: The Portergate, Ecclesall Road, Sheffield, S11 8NX I UK # +44-1143520021, Info@tutorsindia.com
analysis and examination of evidence (Gast, 2011) [44]. A powerful one-way hash function
such as SHA1 is further suggested for confirming that the additional images are identical.
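The master-copy check described above, as an added example that is not part of the original guide: every mirror image is streamed through SHA1 (the function the text names) and, as an assumption added here, SHA-256 as a second digest. File names and sample data are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read images in 1 MiB chunks so large dumps never sit in RAM


def digest_image(path, algorithms=("sha1", "sha256")):
    """Stream a file once and return its size plus one hex digest per algorithm."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            size += len(chunk)
            for hasher in hashers.values():
                hasher.update(chunk)
    record = {name: hasher.hexdigest() for name, hasher in hashers.items()}
    record["size"] = size
    return record


def verify_mirrors(master_path, mirror_paths):
    """Compare each working copy with the master copy.

    Returns (master_record, {mirror_path: "identical" or the reason it differs}).
    """
    master = digest_image(master_path)
    report = {}
    for path in mirror_paths:
        copy = digest_image(path)
        if copy["size"] != master["size"]:
            report[path] = "size differs (%d != %d bytes)" % (copy["size"], master["size"])
        elif any(copy[alg] != master[alg] for alg in ("sha1", "sha256")):
            report[path] = "digest mismatch"
        else:
            report[path] = "identical"
    return master, report


def demo():
    """Constructed master image with three mirrors: good, one bit flipped, truncated."""
    data = os.urandom(3 * CHUNK + 17)  # constructed sample, not real evidence
    flipped = bytearray(data)
    flipped[CHUNK + 5] ^= 0x01
    files = {
        "master.bin": data,
        "mirror_ok.bin": data,
        "mirror_flipped.bin": bytes(flipped),
        "mirror_short.bin": data[:-1],
    }
    with tempfile.TemporaryDirectory(prefix="case_") as workdir:
        paths = {}
        for name, content in files.items():
            paths[name] = os.path.join(workdir, name)
            with open(paths[name], "wb") as fh:
                fh.write(content)
        mirrors = [paths[name] for name in files if name != "master.bin"]
        master, report = verify_mirrors(paths["master.bin"], mirrors)
    return master, {os.path.basename(path): verdict for path, verdict in report.items()}


if __name__ == "__main__":
    master_record, verdicts = demo()
    print("master:", master_record)
    for name, verdict in sorted(verdicts.items()):
        print(name, "->", verdict)
```

Recording the master digests in the case notes at the moment the master copy is made lets any later mirror be checked against the same values.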

An obstructed device, on the other hand, requires the user to pass the authentication
mechanism before gaining access. This category includes phones with an enabled lock system
and those having PIN-enabled ID modules. PIN and password-protected gadgets usually need
a specially trained specialist for obtaining access in a forensically sound manner, in case the
traditional methods are exhausted. Moreover, trials with a seized obstructed device should be
avoided; they should rather be done with a sample device of a similar kind. For recovering
contents from these devices, several ways exist that are split into the following categories
(Ayers, Brothers & Jansen, 2013) [21]:

Software-relevant: Are applicable to specific mobile types for bypassing or breaking
the authentication method. Ways include exploiting authentication weaknesses
such as a master password to bypass the lock (Smith, 2006) [56], using a backdoor
mechanism such as a debugging tool to bypass it, and exploiting system vulnerabilities for
access through a misconfigured network service and a fault in a networking protocol by
using USB, Wi-Fi, GPRS and Bluetooth.
Hardware-relevant: Encompass a mix of software and hardware techniques. Ways
include exploiting system weaknesses, using hardware backdoors or interfaces for
maintenance and debugging, examining memory separately, monitoring physical
characteristics and a brute force attack in case password entry has no limit for
submission.
Investigative: Are used without any tools and include asking the suspect and/or
service provider.

2.8.5 Tangential Equipment

Tangential equipment refers to devices containing memory that are linked to the
smart phone. Chief examples include memory cards and synchronised computers.
Modern smart phones usually support removable media such as Multi Media Cards (MMC)
and Secure Digital (SD) cards that hold a sizeable quantity of data (Jansen & Ayers, 2007)
[18]. Acquisition from these media can be done with a media reader and a tool for imaging
drives. Because of their small size, they are easy to overlook, so investigators need to
spend enough time searching for them at the time of seizure.

In the case of synched computers, the major challenge is to recover data from cloud-based
services, as the cloud mechanism is dispersed geographically and has a complex design.
Moreover, the recovery needs proper legal authority, which can make the task expensive.
Further, once the data is retrieved, the forensic specialist has to decrypt the encrypted data
stored in the cloud. Until now, little research exists on the available tools and methodologies
to recover legally valid digital evidence from the cloud (Zimmerman & Glavach, 2011) [72].

2.9 Examination and Analysis

The process of examination, carried out by a forensic specialist, reveals the digital evidence
that may be visible or hidden. The outcome is obtained by implementing recognised scientific
techniques, and the data state along with the content, source and potential relevance are
described. After exposing data, data reduction is performed for distinguishing the relevant
information from the irrelevant. During analysis, which is performed by several roles such
as the analyst, examiner and investigator, the examination outcome is studied to learn about
its direct implication and probative case value (Williams, 2012) [68].

Examination starts when the evidence copy is acquired from the smart phone. Unlike
servers or workstations, the quantity of acquired data is smaller for examination. Because the
data is present in proprietary formats, the tools used in this stage will be the same as those
used during acquisition. After learning about the involved parties, evidence and factors of
the offence, examiners are recommended to examine alongside the forensic investigator or
analyst. Doing so provides insight into the different items found from the analyst and means
to locate applicable information from the investigator (Wolfe, 2003) [69].

Examination not only gives potentially convicting data but also other important
details such as logon names and passwords that can unleash other sources of evidence
maintained somewhere else, especially by network providers. Prepared with the case
background, the examiner and analyst are responsible for achieving the objectives below,
which answer the who, what, when, why and how questions (Jansen & Ayers, 2007) [18]:

Assemble information about the party(ies) involved (who).
Identify the precise nature of the incident that occurred (what).
Find information that justifies the motive behind the crime (why).
Prepare the event timeline (when).
Determine tools used or manipulations done for committing the offence (how).

After taking a replica of acquisition outcomes, the upcoming steps include searching
data, recognising evidence, forming bookmarks, and preparing details to be included in the
final report.

2.9.1 Potential Evidence

Smart phone manufacturers provide an analogous suite of information usage and
storage features, such as Internet browsing and Personal Information Management (PIM).
This suite differs as per the period when the gadget was modelled, firmware version, installed
apps and changes done for a specific service provider (Ayers, Brothers & Jansen, 2013) [21].
On these devices, the potential evidence includes subscriber and equipment identifiers, date
and time, phonebook, messages, call logs, photos, videos, chats, mails, calendar, digital
documents, sites browsed and location details. This means that the evidence is not only
dependent on the suite of features but also on data and voice services.

Other potential evidence can also come from obscure network information on the UICC.
For instance, if the phone requests to register itself on a network and the request gets
rejected, the record of forbidden entries in the elementary file called Forbidden PLMNs
(Public Land Mobile Networks) is updated with the network and country code (European
Telecommunications Standards Institute, 2005) [33]. Some more sources of evidence include
user applications, installed programs, databases of service providers and undelivered
messages. These can help examiners authenticate their findings by verifying data recovered
from the phone against that from the service provider. Table 1 gives a cross reference of
potential evidence sources on smart phones and their probable contribution toward fulfilling
the aforementioned objectives.

Table 1: Cross Reference of Objectives and Evidence Sources

Objectives (columns): Who, What, Where, When, Why, How
Evidence sources (rows): Identifiers, Call Logs, Messages, Phonebook, Calendar, Location,
Web URL/Content, Multimedia, Digital Files

Source: Author (2014)
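
Decoding the Forbidden PLMNs file mentioned in section 2.9.1, as an added example that is not part of the original guide: the 3-byte, nibble-swapped BCD layout used here is the PLMN coding of 3GPP TS 24.008 (an assumption of this example, not stated on the page). The file body, the function names and the small country table are constructed for illustration.

```python
# Sample subset of mobile country codes, included only to show name translation.
MCC_COUNTRY = {
    "208": "France",
    "234": "United Kingdom",
    "262": "Germany",
    "310": "United States",
}

UNUSED_SLOT = b"\xff\xff\xff"


def decode_plmn(entry):
    """Decode one 3-byte PLMN identifier into (mcc, mnc); None for an unused slot."""
    if len(entry) != 3:
        raise ValueError("a PLMN entry is exactly 3 bytes")
    if entry == UNUSED_SLOT:
        return None
    # Digits are packed as nibble-swapped BCD (high nibble | low nibble):
    #   byte 0: MCC digit 2 | MCC digit 1
    #   byte 1: MNC digit 3 | MCC digit 3   (MNC digit 3 is 0xF for 2-digit MNCs)
    #   byte 2: MNC digit 2 | MNC digit 1
    mcc = [entry[0] & 0x0F, entry[0] >> 4, entry[1] & 0x0F]
    mnc = [entry[2] & 0x0F, entry[2] >> 4]
    if entry[1] >> 4 != 0x0F:
        mnc.append(entry[1] >> 4)
    if any(digit > 9 for digit in mcc + mnc):
        raise ValueError("non-decimal digit in PLMN entry " + entry.hex())
    return "".join(map(str, mcc)), "".join(map(str, mnc))


def parse_fplmn(raw):
    """Walk the file body slot by slot and return one record per slot."""
    if len(raw) % 3:
        raise ValueError("file length %d is not a multiple of 3" % len(raw))
    records = []
    for slot in range(len(raw) // 3):
        entry = raw[slot * 3:slot * 3 + 3]
        record = {"slot": slot, "raw": entry.hex().upper()}
        try:
            decoded = decode_plmn(entry)
        except ValueError as exc:
            # Keep malformed slots in the output: they are still part of the evidence.
            record.update(status="malformed", detail=str(exc))
        else:
            if decoded is None:
                record.update(status="unused")
            else:
                mcc, mnc = decoded
                record.update(status="forbidden", mcc=mcc, mnc=mnc,
                              country=MCC_COUNTRY.get(mcc, "unknown"))
        records.append(record)
    return records


# Constructed 15-byte file body: three rejected networks, one malformed slot, one free slot.
SAMPLE_EF_FPLMN = bytes.fromhex("62F210" "32F451" "130014" "6AF210" "FFFFFF")

if __name__ == "__main__":
    for rec in parse_fplmn(SAMPLE_EF_FPLMN):
        print(rec)
```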

2.9.2 Using Tools with Experience

It is exceedingly valuable to have experience with the capabilities of forensic
tools for evidence examination, as it can help accelerate the process of examination. However,
these tools are susceptible to making errors to some extent while in use. For instance, the
tool might deliver inaccurate results while translating bits into readable data because of the
out-of-date file structure specification it used (Jansen & Delaitre, 2009) [34].

Thus, it is essential to have a complete understanding of the tool's features and abilities
to operate as per the objectives. The National Institute of Standards and Technology (NIST)
has started the CFTT project, which generates specifications, test procedures and test reports
for tool developers to improve their creations, for tool users to choose the right tool and for
other concerned parties to know about the possible errors the tools can make (Jansen & Ayers,
2007) [18].

The rich features and capabilities of a tool, besides the operating system and device
type, help determine the type of information to be recovered and the degree of effort required.
For example, some tools that search for text-based evidence classify files as per extension,
whereas a few do so based on a file signature database, which is preferable because there is
no likelihood of data being misplaced due to conflicting extensions (e.g. a text file having an
extension of an image file).
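
Classification by file signature compared with classification by extension, as an added example that is not part of the original guide. The signature list is a small constructed subset of well-known magic numbers, and the file names and contents are constructed samples.

```python
import codecs
import os

# (offset, magic bytes, type): a small constructed subset of a signature database.
SIGNATURES = [
    (0, b"\xff\xd8\xff", "jpeg"),
    (0, b"\x89PNG\r\n\x1a\n", "png"),
    (0, b"GIF87a", "gif"),
    (0, b"GIF89a", "gif"),
    (0, b"%PDF-", "pdf"),
    (0, b"PK\x03\x04", "zip"),              # also the container of .apk and .docx
    (0, b"SQLite format 3\x00", "sqlite"),
    (4, b"ftyp", "mp4/3gp"),
]

EXTENSION_TYPES = {
    ".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif", ".pdf": "pdf",
    ".zip": "zip", ".apk": "zip", ".docx": "zip", ".db": "sqlite", ".sqlite": "sqlite",
    ".mp4": "mp4/3gp", ".3gp": "mp4/3gp", ".txt": "text",
}


def looks_like_text(header):
    """True if the bytes decode as UTF-8 and hold no control characters but tab/CR/LF."""
    try:
        # final=False tolerates a multi-byte character cut off at the end of the header.
        text = codecs.getincrementaldecoder("utf-8")().decode(header, final=False)
    except UnicodeDecodeError:
        return False
    return all(ch in "\t\r\n" or ord(ch) >= 0x20 for ch in text)


def type_by_signature(header):
    """Classify by content: magic numbers first, then a plain-text heuristic."""
    if not header:
        return "empty"
    for offset, magic, kind in SIGNATURES:
        if header[offset:offset + len(magic)] == magic:
            return kind
    return "text" if looks_like_text(header) else "unknown"


def type_by_extension(name):
    """Classify by file name only, the weaker method described in the text."""
    return EXTENSION_TYPES.get(os.path.splitext(name)[1].lower(), "unknown")


def audit(files):
    """files: iterable of (name, leading bytes). Returns one finding per file."""
    findings = []
    for name, header in files:
        by_ext, by_sig = type_by_extension(name), type_by_signature(header)
        findings.append({"name": name, "by_extension": by_ext,
                         "by_signature": by_sig, "mismatch": by_ext != by_sig})
    return findings


def mismatched_names(files):
    """Names whose extension and content disagree, in input order."""
    return [f["name"] for f in audit(files) if f["mismatch"]]


# Constructed samples: only the first bytes of each file are needed.
SAMPLE_FILES = [
    ("IMG_0001.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),
    ("notes.jpg", b"shopping list: milk, bread\n"),            # text renamed to an image
    ("holiday.txt", b"SQLite format 3\x00\x10\x00\x01\x01"),   # database renamed to text
    ("contacts.db", b"SQLite format 3\x00\x10\x00\x01\x01"),
    ("clip.3gp", b"\x00\x00\x00\x18ftyp3gp4"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FILES):
        print(finding)
```

An extension-only search for text evidence would skip notes.jpg and would treat holiday.txt as readable text; the signature pass catches both.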

The tool's search engine facilitates detecting information required for bookmarking
and reporting. While some have a plain search engine, others have more feature-rich search
engines that support wildcard matches, filtered search and expression patterns (Ayers,
Brothers & Jansen, 2013) [21]. Likewise, a tool can also detect and gather images to form a
graphics library, which makes examination easier. In short, the more the features and
abilities, the more are the benefits that a forensic examiner realises with increasing
experience.

2.9.3 Subscriber and Call Records

Service providers' records have billing or balance information, known as
call detail records, generated by a call or SMS message. In some cases, records might also
contain VoIP information and international gateway. The records help identify the
subscriber/device, numbers dialled along with duration, call type (voice and text), cell
identifier (BTS) and sector. The retention period for storing these records differs amongst
service providers but is usually restricted, which triggers the need to take instant steps to
avert data loss. Call detail records are fetched from service providers via the legal point of
contact and along with suitable legal documentation (Jansen & Ayers, 2007) [18].

Apart from call records, the service provider's subscriber records can offer useful data
for examination. For instance, in the case of GSM systems, the records can offer the customer's
name and address, user's name and address, billing account, phone number, ICCID, IMSI,
PIN/PUK, services and credit card numbers (Willassen, 2003) [67]. Both the records
preserved by the service provider can be fetched via subscriber or equipment identifier or
UICC. These records help in comprehending the calling patterns, network performance and
locale of calls. The results of analysing this data can help in supporting or disproving
individual statements (O'Connor, 2009) [53].

2.10 Reports

Occurring after the data is carefully searched and relevant matter is bookmarked,
reporting refers to creating a detailed summary of actions taken and inferences made while
investigating a case. It depends on preserving a meticulous account of all steps and
observations, test examination and results, and conclusions based on evidence. The reliability
of a report is actually dependent upon intact documentation, photos, notes, videos and tool-
generated matter.

Several tools have a reporting capability that is evident through one of the predefined
templates and customisations of its layout, such as arranging logos and headers, and applying
different styles for a more professional look. Such a report includes case file items such as
case number, investigator's name, submitter's identity, date of receipt and report, title,
evidence categories and pertinent evidence established (U.S. Department of Justice, 2008)
[62]. It also includes a descriptive list of examined items, examination equipment, examiner's
identity and signature, description of examination steps such as image searches and deleted
files recovery, supporting materials such as chain of custody documentation, details of
findings, and conclusions.

Details of findings include specific request files, other files supporting the findings,
searches made, Internet-related evidence, image analysis, ownership indicators,
software-generated matter, data analysis and data masking techniques. Even supporting
documentation can be incorporated directly because it is in electronic form. Reporting
facilities differ notably across acquisition tools. Report generation usually delivers a
complete report in one of the commonly known formats such as .txt, .doc, .pdf and .csv or
allows exporting individual data items for manual composition. Irrespective of how the report
is produced, ensuring that the final version is consistent is indispensable (Jansen & Delaitre,
2009) [34].

The ability to alter an existing report to include captured data of a new case is
advantageous. This data can be captured by auxiliary acquisition techniques such as using
video editing software or a digital camera, when there is no option left for documenting the
process.

In short, a report of examination results needs to show all required information for
recognising the case along with its origin and delineating test results and conclusions. It
should be noted that the digital evidence along with examination tools and methods are
subject to being challenged in a formal proceeding or court. Therefore, suitable and reliable
documentation is vital, even for reproducing the results. While reporting, creating a replica
of the used custom tools and software and adding it to the produced outcome is a prudent
decision.

2.11 Legal Considerations

With the features of both a cell phone and computer, a smart phone saves various
types of apparent and hidden content. Whether in standalone or networking mode, the diverse
content of a smart phone can provide an informative picture of the user's personality and
reflect her or his private life. This means the device stores even information that no
person would carry in a pocket, thus triggering the need for law enforcement when it comes to
gaining access to such information (Gershowitz, 2008) [45]. Usually, user inputs and
sensor-related information provide sensitive or private data of the concerned individual.
Therefore, the device acts as a window for the law enforcement authorities to suspect based
on not only hard evidence but also on the habit and character details the phone may offer
(Morrissey, 2010) [51].

Searching, accessing, and reporting the smart phone data as evidence pose challenges
to legislators and courts, which go even beyond the privacy of telecommunications. In
fact, neither regulatory rules for monitoring and documenting communication content nor the
laws for custody of traffic data are believed to be adequate or apt for evidence acquisition.
This is perhaps because of the communication surveillance occurring between the
communicating parties. Moreover, different legal standards apply to the endorsed capturing of
communications that law enforcement authorities perform than to the recovery of data.
Especially, if the device data is searched from a remote location or is not stored within the
device's precincts, evidence acquisition seems to be analogous to a premise search (Wiebke,
2009) [66].

It is evidently necessary to revise the existing regulatory system for dealing with today's
converged communication systems in a consistent manner. Moreover, proactive, normal data
and conservation show the transformation from the traditional legitimate model of
assembling decisive evidence of offence of suspected people to a model of astute assembling
from all users at random. In 2008, the German Constitutional Court imposed a stringent
restriction upon the freedom of law enforcement authorities to access cell phones and
computers remotely. The Court favoured the fundamental right of the users to unimpeded
development of personality in the current age of communication. It also endorsed the rights to
absolute protection of private conduct, informational self-determination and complete
security and integrity of communication systems (Wiebe, 2008) [66]. Contrary to this
decision of the court, it is yet unclear whether the U.S. Constitution's Fourth Amendment
provides reasonable hope for protection and privacy from unfair forensic searches and
captures.

Evidence acquisition and investigation in the electronic world are supposed to be
tailored as per the technological progress. Therefore, legislators tend to struggle relentlessly
to be in line with technology without forgetting to deal with creeping threats and challenges.
The investigation scheme proposed in this literature is useful in fighting against security
threats and crimes via pro-activeness. However, the IT experts and legislators should avoid
using the technology in a way that considers all involved parties or users as probable
suspects or offenders without any apparent cause (Brown, 2009) [38]. Keeping this in mind,
the literature's forensic investigation scheme is designed with defensive methods that
prevent investigators and malicious entities from misusing the technology as well as facilitate
acquisition and preservation without violating the citizens' fundamental rights.

2.12 Forensic Tools

Smart phone manufacturers depend on various proprietary operating systems instead
of the highly standardised methodology found in computers. Therefore, toolkits for smart
phones are diverse, with a narrow range of devices that they support based on OS, product
line, or hardware design. Forensic tools tend to acquire data from smart phones through either
of two mechanisms: logical or physical. The latter involves a bit-by-bit replica of the entire
physical medium such as a chip, whereas the former entails a bit-by-bit replica of logical
items of storage such as files on a logical medium like a system partition (Ayers, Brothers &
Jansen, 2013) [21].

Physical acquisition offers a crucial benefit over logical acquisition, in the sense that
it allows recovering deleted files and data leftovers in unallocated space, which otherwise
would be unrecorded. On the other hand, logical acquisition has the advantage in terms of
ease of application: the tool extracts system data structures in an easier manner and offers a
more natural structure for quick comprehension and efficient examination. However, logical
acquisition is more restricted than a physical acquisition. Therefore, the best approach is to
conduct both acquisition types by performing the physical one first. The extracted device
images are parsed, deciphered and translated for retrieving data, which is a time-consuming
manual task. While the images of a physical device are imported to a tool for programmed
examination and reporting, only a handful of tools exist to fetch smart phone images (Jansen &
Ayers, 2007) [18].

Most forensic tools for USIMs and smartphones acquire data logically by
implementing common protocols for communication, synchronization and debugging, such
as SyncML, AT commands and OBEX (McCarthy, 2005) [50]. A few of them might also
acquire data physically for some phones. Because smartphones can support a suite of
different protocols, a forensic tool might implement most of them consecutively to acquire
the widest range of accessible data.

The types of examination tools include commercial, open source, device management,
diagnostic, self-developed and hacker tools. This set also includes non-forensic tools.
While forensic tools aim at acquiring data from the internal memory and removable ID
modules without modifying the device and apply integrity hashes on the obtained data,
non-forensic ones facilitate a two-way flow of data for customising the device by changing its
settings. Most forensic experts use both types of tools for best results.

For acquisition, tools may support various interfaces such as Bluetooth and IrDA.
However, acquisition via a cable interface usually produces superior results. Nevertheless, in
some cases, a wireless interface may prove to be a justifiable alternative.

Most forensic tools deal with several devices, tackle the common investigative cases and need
a modest skill set to function. Table 2 lists the most commonly used tools along with their
applicability in different phases of the forensic investigation scheme (Jansen & Ayers, 2007)
[18]. Kindly note that the capabilities of these tools are subject to improvement, and
therefore, may differ a bit at present or in future from the specified description.

Table 2: Forensic Tools

Tool                          Usability                              Devices Supported
Forensic Card Reader          Acquisition, Reporting                 SIMs
ForensicSIM                   Acquisition, Examination, Reporting    SIMs, USIMs
SIMIS                         Acquisition, Examination, Reporting    SIMs, USIMs
SIMCon                        Acquisition, Examination, Reporting    SIMs, USIMs
USIMdetective                 Acquisition, Examination, Reporting    SIMs, USIMs
Oxygen PM (Forensic Version)  Acquisition, Examination, Reporting    Nokia & Symbian
BitPIM                        Acquisition, Examination               Some CDMA phones with Qualcomm chips
PDA Seizure                   Acquisition, Examination, Reporting    Palm, Blackberry, Windows Mobile, Pocket PC
Cell Seizure                  Acquisition, Examination, Reporting    GSM, TDMA, CDMA, SIMs, USIMs
Pilot-Link                    Acquisition                            Palm
CellDEK                       Acquisition, Examination, Reporting    GSM, CDMA, SIMs, USIMs
MobilEdit!                    Acquisition, Examination, Reporting    GSM, SIMs
Secure View                   Acquisition, Examination, Reporting    TDMA, CDMA, GSM, SIMs
GSM .XRY                      Acquisition, Examination, Reporting    GSM, CDMA, SIMs, USIMs
PhoneBase                     Acquisition, Examination, Reporting    GSM, SIMs, USIMs
TULP 2G                       Acquisition, Reporting                 GSM, SIMs

Source: Adopted from Jansen and Ayers (2007) [18].

2.12.1 USIM Tools

These tools are designed to deal with USIMs by directly reading the contents of a module
through a USIM reader, unlike indirect reading through the handset. Most of them acquire
ICCID, SMSs, International Mobile Subscriber Identity (IMSI), Location (LOCI) and Last
Numbers Dialled (LND) (Ayers et al., 2005) [26]. Advanced tools in this category acquire
deleted SMSs, EMS messages and SMSs in foreign languages (Jansen & Ayers, 2007) [18],
translate some data like network operator codes into expressive names and facilitate PIN
administration. Listed below are some of the most commonly used tools for acquisition from
SIMs.

Becker & Partners Forensic Card Reader (FCR): Works by creating XML-format
output to show the data acquired from SIMs with the USB reader, instead of
producing a case file. However, it does not offer integrity hash security or tailored
report features.
InsideOut's SIMCon: Prepares a case file by using a built-in proprietary layout
without using any extra hardware such as proprietary readers, for showing data
acquired from SIMs/USIMs. Acquisition occurs through an SC-compatible reader and
SHA1 hash protection. The tool allows importing case files and exporting the case
format to the ASCII one (Jansen & Ayers, 2007) [18].
Crownhill's SIMIS: Generates a case file in HTML to show extracted data from
USIMs/SIMs by using a USB dongle for functioning on a desktop computer, an
SC-compatible reader and MD5 and SHA2 hash security. Other features include SIM
dump for a detailed case file in ASCII, report notes, extracted data search, case file
importing and PIN administration.
Quantaq's USIMdetective: Acquires, allows examination and generates reports from
SIMs/USIMs via an SC-compatible reader, internal SHA1 and MD5 hashing and Image
Integrity check files for preventing tampering. The tool shows the content in
hexadecimal or textual format and offers several reporting output options.
Radio Tactics' Forensic SIM Toolkit (FST): Extracts data from SIMs/USIMs via a
USB dongle, protects it through an MD5 checksum and replicates data on several FST
storage cards via an acquisition terminal (Ayers et al., 2007) [27]. The tool stores the
case file in the proprietary format, which is exported in HTML or RTF. Analysis is
easily done by using the apt FST storage card with an SC-compatible reader such as the
ForensicSIM card reader, which is connected to a PC executing the ForensicSIM app.
Further, the tool facilitates importing case files and searching within the file having
acquired data.

2.12.2 Handset Tools

Some forensic tools tackle only handsets for acquiring data from internal memory. They
work with smart phones having Windows Mobile, RIM and Palm operating systems. Below
are some famous handset tools.

Paraben's PDA Seizure Toolkit: Extracts data from USIMs and GSM/non-GSM
devices without any extra hardware, via a cable, Bluetooth or IrDA interface, and
uses MD5 and SHA1 message digests for individual items and the case file. The tool also
encrypts files for averting tampering and stores them in a case file featuring a proprietary
layout, which is exportable in ASCII or HTML format (Ayers et al., 2005) [26]. Other
features for examiners include customised reports and notes, acquired data
search, case file importing and bookmark-based findings. Above all, the tool
performs both logical acquisition and, for a few gadgets, a physical acquisition.
Pilot-link (Non-forensic and Open Source Toolkit): Extracts physical content from
a Palm device's memory and files. Interesting apps for the examiners include
pi-getrom and pi-getram for physical retrieval and pilot-xfer for logical acquisition.
However, the tool does not offer a case file, custom reports or an integrity hash facility.
Oxygen Phone Manager (OPM - Forensic Version for Nokia and Symbian):
Allows examiners to extract data from devices with a GSM network without any kind
of data alteration. However, it does not allow exporting of a case file or hashing. The
examiner, nevertheless, can store the acquired data in several files such as Gallery and
Phonebook (Jansen & Ayers, 2007) [18].
GNU's BitPIM (Open Source): Allows viewing and changing data from CDMA
devices of different manufacturers. It allows disabling writing to the phone but has no
hashing security. There is no option to save or export a case file, but the data is stored
in several files just as in the case of OPM and is exportable in different formats for
reporting.

2.12.3 Integrated Toolkits

These suites inherit the features of both handset and USIM tools within a cohesive
framework. This means that the results of USIM and handset examinations tend to be within
a single report. Here are the most famous toolkits in use.

Cell Seizure: Allows direct USIM data acquisition with the integrated RS-232 SIM
reader (Ayers et al., 2007) [27]. The toolkit comes with all drivers and cables along
with the application software required for acquisition and examination.
Logicube's CellDEK: Acquires data from devices working on GSM/non-GSM
networks, flash media and SIMs. It features a touch screen, PC/SC reader, diverse
data cables, write-protected card reader, MD5 hashing algorithm, customisable
HTML reports, and options to connect to the device via Bluetooth or IrDA.
Micro Systemation's GSM .XRY: Extracts from GSM/non-GSM devices and from
SIMs/USIMs through an interface for the device cable and dongle as well as an IrDA and
Bluetooth interface. It offers diverse cables and drivers, application software, a
proprietary and non-alterable .XRY format for storing acquired data and encryption
for case data. The tool also generates customized reports, imports/exports case files
and allows acquired data searches (Jansen & Ayers, 2007) [18].
Compelson Labs' MOBILedit!: Acquires data logically from SIMs and GSM/non-GSM
gadgets via cable, IrDA or Bluetooth and PC/SC reader and stores data in a
proprietary case file that is exportable to XML without any hashing function. The tool
allows creating customised reports, searching some folders and importing case files.
Envisage's PhoneBase2: Implements the acquisition engine of MOBILedit! for
devices but has its own engine for dealing with USIMs via USB dongle and
Bluetooth/IrDA, cable, or PC/SC reader. It stores data in a database that is secured
from tampering. The tool allows creating customised reports, searching some folders
and importing case files (Ayers et al., 2007) [27].
NFI's TULP2G (Open Source): Acquires data from SIMs and cellular devices (Bos
& Knijf, 2005) [37] through a cable or IrDA/Bluetooth interface or PC/SC reader. It
uses SHA1 and MD5 hashes over the file, generates a raw XML format that can embed
XSL sheets, imports files and creates a report over selected elements or the full case file.
Susteen's SecureView (Commercial): Allows examiners to extract data from
cellular devices on GSM/non-GSM networks and from SIMs via a PC/SC reader.
Although exporting is disallowed, the examiner can store the acquired data across
several files such as Graphics and Phonebook. The tool has all the drivers and cables
for supported phones, a password-protect mechanism although no hashing exists, a
search engine for analysing a part of acquired data and an import option (Ayers et al.,
2005).

2.13 Challenges

With the increasing analysis of smart phones in digital forensics, different challenges are
on the rise. Listed below are these difficulties as pointed out by Raghav and Saxena (2009)
[54] as well as Zareen and Baig (2010) [71].

Preserving a Scientifically Sound Technique of Data Capturing: This problem has
come up because of the rapidly changing smartphone technology that has resulted in
a diverse and enormous number of models. The existing tools, therefore, may or may
not work with the newer models (Murphy, 2013) [52].
Insufficient Clarity about Different Operating Systems: At present, several types
of operating systems exist for smartphones, of which some are open source and others
are closed ones. For instance, while Apple's OS is closed source, Android is an open
source system. How a closed source operating system functions is not fully
comprehended because it is kept secret by the creators. Therefore, a forensic
investigator is not clear about how the closed operating system stores, changes
and retrieves data. Moreover, the complexity of operating systems creates more
hurdles in extracting data (Casey, 2004) [28]. This triggers the need for operational
analysis of each smartphone OS for thorough comprehension of its functioning.
Remote Data Wiping: This is a problem because of the various tools and techniques
that a suspect or an offender may use to remotely change or destroy data on a
smartphone. This can be prevented only if the investigator is aware of this fact and
consequently uses a signal-isolated box for transporting the device from the site to
the forensic lab.
Limited Battery Life: At the time of seizure, both incoming and outgoing signals
must be blocked for averting any probable data alteration or removal. However, it
might be necessary to preserve the battery or keep the phone powered until full
analysis for preventing data loss due to power shut off or reboot. In fact, a
smartphone's battery life is limited, and storing the device in isolation drains the
remaining battery as it begins to look for a network after being isolated. This can be
prevented when the investigator uses a portable power supply that is compatible with
the model seized and attaches it to the device before isolation (Alghafli et al.,
2011) [10].
Confusion Regarding Cable Types: Several power and data cables are in use by
smartphones nowadays. This can lead to logistical issues along with confusion for
the investigator over the right type of cable to choose and use. In order to solve this
difficulty, it is advisable to prepare a database of each model along with its right or
compatible cables. Doing so will make it simpler to detect the apt cables
for a known model as well as to retain the gadget in its original state. The
only effort that a forensic investigator has to make here is carrying a bag full of likely
portable cables while reaching the place of crime (Zareen & Baig, 2010) [71].
Lack of Tools to Deal with Damaged Smartphones: A majority of the available
forensic tools tend to work only with intact smartphones. This poses a problem when
it comes to acquiring data from a physically damaged smartphone.
Delay in Data Access: In the case of obstructed (locked) smartphones, the investigator
needs to use the authentication code that keeps unauthorised access at bay. This can
result in delay in accessing and acquiring the stored data. Further, in case the number
of trials for submitting the correct code goes beyond the set limit, the phone might
wipe itself. Moreover, determining the PIN or PUK along with the memory card passwords
can be tough in some cases. The possible solution is to build techniques for bypassing the
authentication on all models (Alghafli et al., 2011) [10].
Lack of Tools for Deleted Data: The existing forensics tools facilitate only logical
analysis of data, which can help in recovering or retrieving deleted messages, call or
browsing histories, or files. Such data can actually add to the relevant evidence for
proving or disproving a case in the court of law. Retrieving such data is only possible
through physical acquisition but there are not enough tools in this category to work
with most models.

2.14 Conclusion
Smartphones, particularly those with the latest abilities, are relatively new gadgets, because
of which they are not included in standard computer forensics. This chapter attempts to cover
this gap by offering a profound insight into these gadgets, their implemented technologies
and their association with forensic dealings. It covers gadgets having capabilities beyond
simple text messaging and voice communications, discusses the stages of a proactive forensic
investigation and explores the role of forensic tools at all these stages. This guide will help
the concerned organisations to develop a forensic potential to apply it in the milieu of present
technology and practices.

References

1. Gartner.com (2014) Gartner Says Smart phone Sales Grew 46.5 Percent in Second
Quarter of 2013 and Exceeded Feature Phone Sales for First Time, Available at:
http://www.gartner.com/newsroom/id/2573415.
2. Mokhonoana, P. M. and Olivier, M. S. (n. d) Acquisition of a Symbian Smart phones
Content with an On-Phone Forensic Tool, Available at:
http://www.satnac.org.za/proceedings/2007/papers/software/Paper%2011%20-
%20Mokhonoana.pdf.
3. Lim, N. and Khoo, A. (2009) 'Forensics of computers and handheld devices: identical
or fraternal twins?', Commun. ACM, 52, pp.132-135.
4. McAfee (2013a) McAfee Threats Report: First Quarter 2013, Available at:
http://www.mcafee.com/in/resources/reports/rp-quarterly-threat-q1-2013.pdf.
5. McAfee (2013b) Mobile Malware Growth Continuing in 2013, Available at:
http://www.mcafee.com/in/security-awareness/articles/mobile-malware-growth-
continuing-2013.aspx.
6. Hadadi, M. and AlShidhani, A. (2013) Smart phone Forensics Analysis: A Case
Study, International Journal of Computer and Electrical Engineering, 5(6).
7. Gonzalez, J. and Hung, J. (2011) Mobile Device Forensics:
A Brave New World? Bloomberg Law Reports Technology Law, 3 (10), Available
at: http://www.strozfriedberg.com/files/Publication/224ca0f8-5101-4e1b-938a-
4d4b128ad5ed/Presentation/PublicationAttachment/ef4a28ad-ff7d-4014-aea8-
80505789b86c/Mobile%20Device%20Forensics_%20A%20Brave%20New%20Worl
d.pdf.
8. Norton (2011) Norton Study Calculates Cost of Global Cybercrime: $114 Billion
Annually, Available at:
http://www.symantec.com/about/news/release/article.jsp?prid=20110907_02.
9. International Telecommunication Union (2012) Key Statistical Highlights: ITU Data
Release, Available at:
http://www.itu.int/ITUD/ict/statistics/material/pdf/2011%20Statistical
%20highlights_June_2012.pdf.

10. Alghafli, K. A., Jones, A. and Martin, T. A. (2011) Guidelines for the Digital
Forensic Processing of Smart phones, Edith Cowan University, Research Online, In
the Proceedings of the 9th Australian Digital Forensics Conference, Edith Cowan
University, Perth, Western Australia.
11. Mutawa, M. A., Baggili, I. and Marrington, A. (2012) Forensic Analysis of Social
Networking Applications on Mobile Devices, Digital Investigation, 9, pp. S24-S33.
12. Mylonas, A., Meletiadis, V., Tsoumas, B., Mitrou, L. and Gritzalis, D. (2011) Smart
phone Forensics: A Proactive Investigation Scheme for Evidence Acquisition,
International Data Corporation (IDC) Smart phones Outstrip Feature Phones for First
Time in Western Europe as Android Sees Strong Growth in 2Q11.
13. Grobler, C., Louwrens, C. and Von Solms, S. (2010) A Multi-component View of
Digital Forensics, In: Aleksy, M., Ghernaouti-Helie, S. and Quirchmayr, G. (eds.),
International Conference on Availability Reliability and Security (ARES 10), pp.
647-652.
14. Sutherland, I., Evans, J., Tryfonas, T., and Blyth, A. (2008) Acquiring Volatile
Operating System Data Tools and Techniques, SIGOPS, Operating System Review,
42(3).
15. Mislan, R. P., Casey, E. and Kessler, G. C. (2010) The Growing Need for On-Scene
Triage of Mobile Devices, Digital Investigation, 6(3-4), pp. 112-124.
16. Vacca, J. R. (2010) Computer Forensics: Computer Crime Scene Investigation,
Charles River Media, pp. 3-31.
17. Iqbal, A., Marrington, A. and Baggili, I. (n. d) Forensic Artifacts of the Chat ON
Instant Messaging Application, Academia, Available at:
https://www.academia.edu/5729425/Forensic_artifacts_of_the_ChatON_Instant_Mess
aging_application.
18. Jansen, W. and Ayers, R. (2007) Guidelines on Cell Phone Forensics,
Recommendations of the National Institute of Standards and Technology (NIST),
Special Publication 800-101, Gaithersburg, MD.
19. Mt. San Antonio College (2013) Network and Communications Applications, CISB
11, Walnut, CA, Available at:
http://inside.mtsac.edu/~rpatters/CISB11/Chapters/Chapter_07/Chap07/LectureFrame
.htm.
20. Ahmed, M. H., Penney, J., Ikki, S., Salami, A., Bath, T. L., Allah, M. A. and
Mansour, S. (2009) Threats to Mobile Phone Users Privacy, Memorial University of
Newfoundland, Canada, Available at:
http://www.engr.mun.ca/~mhahmed/privacy/mobile_phone_privacy_report.pdf.
21. Ayers, R., Brothers, S. and Jansen, W. (2013) Guidelines on Mobile Device
Forensics, Recommendations of the National Institute of Standards and Technology
(NIST), Special Publication 800-101, Revision 1, Gaithersburg, MD.
22. Hefny, A. (2012) Speed of Different Cellular Networks, Hochschule Furtwangen,
Available at: http://webuser.hs-furtwangen.de/~heindl/ebte-
2011ws/Speed%20of%20different%20cellular%20networks-p.pdf.
23. Chen, M. (2011) Cellular Network Organization, Urban Omnibus, Available at:
http://urbanomnibus.net/2011/07/signal-space/.
24. Polarsat (2014) GSM Network Architecture, Available at:
http://www.polarsat.com/en/index.php?option=com_content&view=category&layout
=blog&id=7&Itemid=17&lang=en.
25. Scourias. J. (1997) Overview of the Global System for Mobile Communications,
Department of Computer Science, University of Waterloo, Available at:
http://ccnga.uwaterloo.ca/~jscouria/GSM/gsmreport.html.
26. Ayers, R., Jansen, W., Cilleros, N. and Daniellou, R. (2005) Cell Phone Forensic
Tools: An Overview and Analysis, National Institute of Standards and Technology
(NIST), Gaithersburg, MD.
27. Ayers, R., Jansen, W., Moenner, L. and Delaitre, A. (2007) Cell Phone Forensic
Tools, NIST Interagency Report-7387, Available at:
http://csrc.nist.gov/publications/nistir/nistir-7387.pdf.
28. Casey, E. (2004) Digital Evidence and Computer Crime, Academic press, pp. 12-13.
29. Zachman, J. A. (1987) A Framework for Information Systems Architecture, IBM
Systems Journal, 26(3), pp: 276-292.
30. Mylonas, A. (2008) Smart phone Spying Tools, M.Sc. Thesis, Royal Holloway,
University of London.

31. Valli, C. and Hannay, P. (2010) Geotagging: Where Cyberspace Comes to Your
Place, Security and Management, pp. 627-632.
32. Kunz, M. and Wilson, P. (2004) Computer Crime and Computer Fraud, University of
Maryland, Department of Criminology and Criminal Justice, Available at:
http://www6.montgomerycountymd.gov/content/cjcc/pdf/computer_crime_study.pdf.

33. European Telecommunications Standards Institute (2005) Specification of the
Subscriber Identity Module - Mobile Equipment (SIM - ME) Interface, ETSI, TS
11.11, 8.13.0v, Technical specification, Available at:
http://www.etsi.org/deliver/etsi_ts/100900_100999/100977/08.13.00_60/ts_100977v0
81300p.pdf.
34. Jansen, W. and Delaitre, A. (2009) Mobile Forensic Reference Materials: A
Methodology and Reification, NIST Interagency Report-7617, Available at:
http://csrc.nist.gov/publications/nistir/ir7617/nistir-7617.pdf.
35. Associated Press (2005) Man gets nine years of spamming, BBC, Available at:
http://news.bbc.co.uk/2/hi/americas/4426949.stm
36. Ayers, R., Jansen, W., Cilleros, N. and Daniellou, R. (2007) Cell Phone Forensic
Tools: An Overview and Analysis Update, National Institute of Standards and
Technology (NIST), NIST 7387, Gaithersburg, MD.
37. Bos, J. and Knijf, R. (2005) Tulp2g - An Open Source Forensic Software
Framework for Acquiring and Decoding Data Stored in Electronic Devices,
International Journal of Digital Evidence, 4(2).
38. Brown, I. (2009) Regulation of Converged Communications Surveillance, In:
Neyland , D. and Goold, D. (eds.), New Directions in Surveillance and Privacy, pp.
39-73.

39. Burnette, M. (2002) Forensic Examination of a Rim (BlackBerry) Wireless Device,
Available at: https://www.rh-law.com/ediscovery/Blackberry.pdf.
40. Casadei, F., Savoldi, A. and Gubian, P. (2006) Forensics and SIM Cards: An
Overview, International Journal of Digital Evidence, 5(1), Available at:
http://www.utica.edu/academic/institutes/ecii/publications/articles/EFE3EDD5-
0AD1-6086-28804D3C49D798A0.pdf.
41. CERT (2001) Denial of Service Attacks, Carnegie Mellon University, Available at:
http://www.cert.org/tech_tips/denial_of_service.html.
42. Denning, D. E. (2004) Cyberterrorism, Georgetown University: Department of
Computer Science, Available at:
http://www.cs.georgetown.edu/~denning/infosec/cyberterror.html.
43. Federal Office for Information Security (BSI) GSM Cellular Network, Available at:
https://www.bsi.bund.de/EN/Publications/GSMCellularNetwork/index_e_htm.html;js
essionid=C80ED2D3CB154C7ABEC40AA2D6F7B8CB.2_cid374#doc475752bodyT
ext1.
44. Gast, Ty. (2011) Forensic Data Handling, Cybertrust Inc., Available at:
http://www.bizforum.org/whitepapers/cybertrust-1.htm.
45. Gershowitz, A. (2008) The iPhone Meets the Fourth Amendment, Available at:
http://works.bepress.com/cgi/viewcontent.cgi?article=1002&context=adam_gershowit
z.
46. Goodman, M. (2001) Making Computer Crime Count, FBI Law Enforcement
Bulletin, pp: 10-17.
47. GSM Association (2013) IMEI Allocation and Approval Process, GSM Association,
Permanent Reference Document TS.06, 7.0, Available at:
http://www.gsma.com/newsroom/wp-content/uploads/2013/12/TS06-v7-0.pdf.
48. Holder, E., Robinson, L. and Rose, K. (2009) Electronic Crime Scene Investigation:
An On-the-Scene Reference for First Responders, National Criminal Justice
Reference Service (NCJRS), Available at:
https://www.ncjrs.gov/pdffiles1/nij/227050.pdf.

49. ITU-T (2006) Automatic International Telephone Credit Cards, International
Telecommunications Union - Telecommunication Standardization Sector (ITU-T),
Recommendation E.118.
50. McCarthy, P. (2005) Forensic Analysis of Mobile Phones, BS CIS Thesis, University
of South Australia, School of Computer and Information Science, Mawson Lakes,
Available at:
http://www.8051projects.net/files/public/1236046309_9698_FT19075_forensic_analy
sis_of_mobile_phones.pdf.
51. Morrissey, S. (2010) IOS Forensic Analysis: For IPhone, IPad and IPod Touch,
Apress, Available at: http://alitalia.noblogs.org/files/2012/12/iOS-Forensic-Analysis-
for-iPhone-iPad-and-iPod-Touch.pdf.
52. Murphy, C. (2013) Developing Process for Mobile Device Forensics, Available at:
http://www.mobileforensicscentral.com/mfc/documents/Mobile%20Device%20Foren
sic%20Process%20v3.0.pdf.
53. O'Connor, T. (2009) Provider Side Cell Phone Forensics, Small Scale Digital
Device Forensics Journal, 3(1), Available at:
http://www.ssddfj.org/papers/SSDDFJ_V3_1_OConnor.pdf.
54. Raghav, S. and Saxena, A. K. (2009) Mobile Forensics: Guidelines and Challenges in
Data Preservation and Acquisition, IEEE Student Conference on Research and
Development (SCOReD), Malaysia, pp. 5-8.
55. Sam Brothers (2008) How Cell Phone Forensic Tools Actually Work - Cell Phone
Tool Leveling System, Chicago, IL: Mobile Forensic World.
56. Smith, G. (2006) Handset Password Unlock, Mobile Telephone Evidence
Newsletter, Trew & Co, 4.
57. Solomon, M. G., Barrett, D. and Broom, N. (2005) Computer Forensics: Jump Start,
SYBEX, pp. 73-155.
58. Technical working group (2008) Electronic Crime Scene Investigation: A Guide for
First Responders, Second Edition, NCJ 219941, Available at:
https://www.ncjrs.gov/pdffiles1/nij/219941.pdf

59. Technical working group (2004) Forensic Examination of Digital Evidence: A Guide
for Law Enforcement, U.S. Department of Justice, NCJ 199408, Available at:
http://www.ncjrs.org/pdffiles1/nij/199408.pdf.
60. U.S. Department of Justice (2001) Electronic Crime Scene Investigation: A Guide for
First Responders, Technical working group, NCJ 187736, Available at:
http://www.ncjrs.org/pdffiles1/nij/187736.pdf.
61. The mobile phone forensics sub-group (2006) Mobile Phone Forensics, INTERPOL,
47th meeting of EWPITC (European Working Party on IT Crime).
62. U.S Department of Justice (2008) Electronic Crime Scene Investigation: A Guide for
First Responders, Second edition, NCJ 219941, Available at:
https://www.ncjrs.gov/pdffiles1/nij/219941.pdf.
63. Vamosi, R. (2007) Cell Phone CSI, CNET Reviews, <http://reviews.cnet.com/4520-
3513_7-6737586-1.htm>.
64. Warren, G., Kruse, II. and Heiser, J. G. (2001) Computer Forensics Incident
Response Essentials, Pearson Education.
65. Wiebe, A. (2008) The New Fundamental Right to IT Security - First Evaluation and
Comparative View at the U.S., Datenschutz und Datensicherheit, pp. 713-716.
66. Wiebke, A. (2009) Agents, Trojans and Tags: The Next Generation of Investigators,
International Review of Law, Computers & Technology, 23 (1-2), pp. 99-108.
67. Willassen, S. (2003) Forensics and the GSM Mobile Telephone System,
International Journal of Digital Evidence, 2(1), Available at:
http://www.utica.edu/academic/institutes/ecii/publications/articles/A0658858BFF6-
C537-7CF86A78D6DE746D.pdf.
68. Williams, J. (2012) Good Practice Guide for Computer-based Electronic Evidence,
ACPO or Association of Chief Police Officers, 5, Available at:
http://www.acpo.police.uk/documents/crime/2011/201110-cba-digital-evidence-
v5.pdf.
69. Wolfe, H. (2003) Evidence Analysis, Computers and Security, 22(4), pp. 289-291.
70. Xenofon, V. (n. d) GPS forensics - A System Approach for GPS Evidence
Acquisition through Forensics Readiness, University of Piraeus, Department of
Digital Systems, Available at:
http://digilib.lib.unipi.gr/dspace/bitstream/unipi/4121/1/Vasilakopoulos.pdf.
71. Zareen, A. and Baig, S. (2010) Mobile Phone Forensics Challenges, Analysis and
Tools Classification, Fifth International Workshop on Systematic Approaches to
Digital Forensic Engineering (SADFE), pp. 47-55.
72. Zimmerman, S. and Glavach, D. (2011) Cyber Forensics in the Cloud, IA newsletter,
The Newsletter for Information Assurance Technology Professionals, 14(1), Available
at: http://iac.dtic.mil/csiac/download/Vol14_No1.pdf.
