This feature article is about how the rapid growth in the number and variety of mobile phones demands new skills from the digital forensic examiner. Several common obstacles lie before any mobile forensic expert. There are more operating systems for smartphones than for desktop computers. The digital forensics examiner must be able to recognize a phone's make and model and know which connections to make and which data acquisition methods can be applied to the device. It is important to be fully aware of what an acquisition tool does and what can and cannot be extracted from the phone. Lastly, there is currently no single software tool capable of extracting all of the data from every mobile phone on the market.
Having identified the problems, this article will attempt to offer some practical advice on how some of them may be overcome.
A great number of the mobile phones used worldwide require special knowledge and skills from forensic experts. More often than not, being an experienced computer forensics expert is not enough to understand all the peculiarities and difficulties of mobile forensics. This article describes the technical problems encountered by specialists in mobile forensics.
Operating systems and manufacturers
Market share of end-user desktop systems is divided between three major vendors: MS Windows, OS X from Apple Inc., and Linux OS variations. The picture for mobile device OSes is the opposite. Each year brings to life a new top-of-the-line phone, while the previous year's leaders can easily and quickly lose their positions.
At the moment, mobile OS market share shows the following split:
- Android OS – 52.5%,
- Apple iOS – 16.9%,
- BlackBerry OS – 11%,
- Symbian – 16.9%,
- Microsoft – 8.7%.
We can easily track the fundamental changes by comparison with the market allocation two years ago:
- Android OS – 3.9%,
- Apple iOS – 14.4%,
- BlackBerry OS – 19.9%,
- Symbian – 46.9%,
- Microsoft – 1.5%.
Despite the fact that all OSes offer approximately the same functions and options, they differ considerably in how they store data, in access rights, and in security and other settings and characteristics. For example, Microsoft produces two operating systems, Windows Mobile and Windows Phone, which can even be rated separately. Both are the work of the same developer, and Windows Phone is actually the successor of Windows Mobile, but that is where the similarity ends.
Among the above OSes, only iOS and BlackBerry OS can be classed as proprietary operating systems, and Apple is the only company that uses the same OS for all of its devices. (BlackBerry released its new PlayBook based on QNX and is planning to use it in all its brand-new smartphones in the near future.)
That means that mobile phones produced by other manufacturers can be based on almost any existing OS. For example, Samsung, one of the world market leaders, has produced and still produces mobile devices based on Android, Symbian, Windows Mobile and Windows Phone, as well as on its proprietary Bada platform. Another market leader, Nokia, has also produced millions of devices based on its proprietary operating system in addition to an old favorite, Symbian OS, and a new one, Windows Phone. Besides, one cannot ignore the underestimated Chinese market with its dozens of operating systems, hundreds of manufacturers and thousands of models.
All this turns the world of mobile phones into a huge, diverse zoo in which it is really hard to identify the individual specimens. Sometimes one cannot even trust the manufacturer's name printed on the phone. Devices from the Chinese company Nokla replicate the look and even the model names of Nokia phones, but have nothing to do with the original company as far as their OS is concerned. For Samsung and LG, it has become common practice to produce models that are virtually indistinguishable in appearance but run different operating systems.
To connect a phone, an expert has to choose the right model from a list of thousands of names. The better forensic tools make life easier for the expert by detecting the model of the plugged-in phone automatically, but this works for USB connections only (the most popular kind, though). It is worth noting that most popular mobile forensics tools run under Windows only, and there the benefit of auto-detection is diminished by the fact that the appropriate USB driver must be installed before the phone is connected. Searching for the right driver can be a real headache, as an expert may receive a phone without its box and driver CD. Visiting the manufacturer's site is not always a solution, especially when the model has been discontinued. Connecting mobile devices produced by Apple, Nokia or Motorola is not that hard: in most cases a single driver is enough to work with all phones from that manufacturer.
The opposite is true of phones based on Android OS. From the site of Google, developer of the Android operating system, you can download the official driver (also included in the Android SDK). This driver works only with Google-branded phones (Nexus, Nexus S, Nexus 3) and with devices made available to developers as reference hardware (e.g. the T-Mobile G1). Drivers for all other devices have to be found on the Internet. Fortunately, many forensic tools include a driver pack covering all supported models. If several mobile forensics products are installed on one computer, the expert must be careful, as driver packs from different vendors may contain older driver versions that interfere with each other. In addition, Windows x64 will most likely need a separate version of the drivers.
Some words should be said about the software products designed for Mac OS. Although Mac OS has none of the Windows-style driver problems, almost all such products (Lantern, BlackBag) support Apple devices only and are no help with other phones. Therefore, the choice of universal products is limited to Windows software. Along with the search for an appropriate driver comes another problem: the search for an appropriate cable. Most modern phones use mini-USB/micro-USB connectors for the cable connection. Relatively old models, as well as devices without an official cable connection, require custom cables. Most manufacturers include a set of cables in the package; usually these cables cover over 90% of the supported phone models. Besides, the cables are usually interchangeable, and it is possible to use one product with cables that ship with another.
Most modern phones are also equipped with Bluetooth and WiFi modules that provide a wireless connection. If a USB connection is impossible (the connector is damaged, or no cable or driver can be found), a Bluetooth or WiFi connection is the only way to retrieve data from the phone. Unfortunately, no software is able to read data via Bluetooth from devices based on Apple iOS or Android OS, and none of the tools use WiFi for data transfer.
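The connection problems above (choosing the model, picking the right driver, not trusting the brand name printed on the case) start with identifying what is actually on the USB bus. As an added example, not code from the article or from any forensic product it names, the following Python script parses lsusb-style device lines and triages each handset by its USB vendor ID before any driver is installed. The article does not mention vendor IDs; the IDs in the table are the USB-IF assignments for the manufacturers the article names, while the driver-pack names, the product IDs and the sample device lines are constructed for the example. A brand name in the descriptor text that does not match the vendor ID is flagged, which is how a relabelled device claiming to be one brand while carrying another vendor's ID would show up.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# USB vendor IDs (USB-IF assignments) for the manufacturers named in the article.
KNOWN_VENDORS = {
    0x05AC: "Apple",
    0x04E8: "Samsung",
    0x18D1: "Google",
    0x0421: "Nokia",
    0x22B8: "Motorola",
    0x0BB4: "HTC",
}

# Hypothetical lab inventory of driver packs, keyed by manufacturer (illustrative names only).
DRIVER_PACKS = {
    "Apple": "single Apple driver (covers all iOS devices)",
    "Nokia": "single Nokia cable driver (covers all Nokia phones)",
    "Motorola": "single Motorola driver (covers all Motorola phones)",
    "Google": "Google USB driver from the Android SDK (Google-branded devices only)",
    "Samsung": "Samsung Android USB driver from the tool's driver pack",
    "HTC": "HTC Android USB driver from the tool's driver pack",
}

# One lsusb line looks like: "Bus 001 Device 004: ID 05ac:12a8 Apple, Inc. iPhone"
LSUSB_LINE = re.compile(
    r"^Bus (\d+) Device (\d+): ID ([0-9a-fA-F]{4}):([0-9a-fA-F]{4})\s*(.*)$"
)

# Constructed sample output; product IDs and description strings are made up for the example.
SAMPLE_LSUSB = """\
Bus 001 Device 004: ID 05ac:12a8 Apple, Inc. iPhone
Bus 001 Device 005: ID 04e8:6860 Samsung Electronics Co., Ltd Galaxy (MTP)
Bus 001 Device 006: ID 18d1:4ee2 Google Inc. Nexus (MTP + ADB)

Bus 002 Device 003: ID ffff:0001 Nokia N97
"""


@dataclass
class UsbDevice:
    bus: int
    device: int
    vid: int
    pid: int
    description: str


@dataclass
class Triage:
    usb_id: str
    vendor: Optional[str]
    driver: Optional[str]
    flags: list = field(default_factory=list)


def parse_lsusb(text: str) -> list:
    """Parse lsusb-style lines into UsbDevice records, skipping anything that does not match."""
    devices = []
    for line in text.splitlines():
        m = LSUSB_LINE.match(line.strip())
        if not m:
            continue
        bus, dev, vid, pid, desc = m.groups()
        devices.append(UsbDevice(int(bus), int(dev), int(vid, 16), int(pid, 16), desc.strip()))
    return devices


def triage(dev: UsbDevice) -> Triage:
    """Pick the driver pack from the vendor ID, or flag the handset for manual identification."""
    vendor = KNOWN_VENDORS.get(dev.vid)
    result = Triage(usb_id=f"{dev.vid:04x}:{dev.pid:04x}", vendor=vendor,
                    driver=DRIVER_PACKS.get(vendor) if vendor else None)
    if vendor is None:
        result.flags.append("unknown vendor ID: identify the handset manually before installing any driver")
    # Brand names that appear in the descriptor text; a mismatch with the vendor ID
    # suggests a clone or relabelled device, so the descriptor must not drive driver selection.
    claimed = [name for name in KNOWN_VENDORS.values() if name.lower() in dev.description.lower()]
    if claimed and vendor not in claimed:
        result.flags.append(
            f"descriptor claims {claimed[0]} but vendor ID {dev.vid:04x} "
            f"belongs to {vendor or 'no known phone manufacturer'}"
        )
    return result


def triage_all(text: str) -> list:
    return [triage(d) for d in parse_lsusb(text)]


if __name__ == "__main__":
    for t in triage_all(SAMPLE_LSUSB):
        print(t.usb_id, t.vendor or "?", "->", t.driver or "no driver", "; ".join(t.flags))
```

The vendor ID is read from the device's own descriptor, so it is available before any driver is installed and is independent of whatever model name a tool later offers from its list; the flagged devices are the ones the examiner should identify by hand before touching the driver set on the workstation.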
Logical vs. Physical
Nowadays, data extraction is commonly classified into two approaches: physical and logical. The physical approach extracts data at a low level (often with the help of special hardware). The logical approach uses the communication protocols offered by the phone at a higher level.
The advantages and disadvantages of each method are quite clear. The physical method allows one to obtain the contents of the entire phone memory as is, but it is usually time-consuming and requires complex and expensive equipment. The result is a "raw" image, which in most cases is encrypted. Even if one is lucky enough to decrypt the image (nobody has managed this with BlackBerry, for example), further analysis can be done only by means of special, sophisticated software tools.
Using a logical method allows one to obtain data in human-readable form immediately. Unfortunately, the amount of acquired data is much smaller, because the APIs provided by the phone were not developed for forensic purposes but to operate the phone as a modem and to synchronize data with a desktop PIM.
In 2004, Oxygen Software introduced a new method that greatly improved the quality of data extracted with the logical approach. The method consists of installing a specially designed application (a so-called Agent) on the device; it uses every capability offered by the operating system and returns forensically important information that is not available through the standard API: logs, temporary files, cache, deleted data, etc. Sometimes the Agent also simplifies and accelerates device connection and data exchange.
Several years ago, this method raised serious doubts about forensic compliance. The objection was that the phone's data is inevitably altered. In fact, with a specially designed agent the user data remains unchanged. A phone cannot be "frozen" while it is turned on anyway. Modern smartphones are like mini PCs with fully functional OSes and dozens of processes running at the same time (even if they were not started manually), and all of them constantly use the device's RAM and file system. For example, a Symbian OS process is responsible for the call log; even if one puts a Symbian-based phone into a Faraday bag and closes all running applications, after some period of time all the old log entries will be deleted.
Using standard logical methods for data retrieval is even more dangerous than reading it with an agent. The fact of the matter is that in either case a process on the phone controls the data exchange; in effect, it is an agent too. But in contrast to "our" agent, one does not know its side effects.
Its source code is usually unavailable, and data reading is often performed through the synchronization process (which potentially threatens major changes to the user data). Moreover, the phone may run an old OS version that does not allow one to read all available information, and the solution may require updating all the software on the phone. Forensic agents lack these drawbacks.
As a result, the mobile forensics world has recognized this method as trusted, and it is now used by almost all mobile forensic tool developers: Cellebrite, .XRY, Paraben, etc. It should be noted that this approach is only one way to retrieve logical data from Android OS devices; such applications are also widely used for Symbian OS and Windows Mobile devices.
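The argument above separates two things: user data, which a well-designed agent leaves untouched, and volatile data (logs, cache, the agent's own files), which changes on any running phone regardless of how it is read. As an added example, not the article's or Oxygen Software's code and not a description of how their Agent works internally, the following Python script shows the kind of check an examiner can run to support that claim: hash every file before and after an agent-assisted acquisition, then sort the differences into user data and paths expected to change. The snapshots, paths and volatile-path patterns are constructed for the example; the article itself describes no hashing procedure.

```python
import fnmatch
import hashlib

# Constructed snapshot of a handset's file system before acquisition: path -> contents.
BEFORE = {
    "/user/contacts.db": b"alice;bob;carol",
    "/user/sms.db": b"bob: see you at 9",
    "/user/photos/img001.jpg": b"\xff\xd8\xff\xe0 constructed jpeg bytes",
    "/system/logs/calls.log": b"2012-03-01 09:00 out bob 00:02:11\n",
    "/system/cache/thumbs.bin": b"thumbnail cache v1",
}

# Constructed snapshot after an agent-assisted logical acquisition: the OS kept logging,
# a cache was rewritten and the agent binary itself was installed, but user data is untouched.
AFTER = dict(BEFORE)
AFTER["/system/logs/calls.log"] = BEFORE["/system/logs/calls.log"] + b"2012-03-01 10:15 data connection\n"
AFTER["/system/cache/thumbs.bin"] = b"thumbnail cache v2"
AFTER["/system/agent/forensic_agent.bin"] = b"constructed agent payload"

# Paths the examiner expects to change on a running phone (hypothetical layout for this example).
VOLATILE_PATTERNS = ["/system/logs/*", "/system/cache/*", "/system/agent/*"]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_tree(tree: dict) -> dict:
    """Map every path to the SHA-256 of its contents."""
    return {path: sha256_hex(content) for path, content in tree.items()}


def is_volatile(path: str) -> bool:
    return any(fnmatch.fnmatch(path, pattern) for pattern in VOLATILE_PATTERNS)


def compare_snapshots(before: dict, after: dict) -> dict:
    """Classify every difference as user data or volatile, and decide whether user data is intact."""
    b, a = hash_tree(before), hash_tree(after)
    report = {"user": {"changed": [], "added": [], "removed": []},
              "volatile": {"changed": [], "added": [], "removed": []}}
    for path in sorted(set(b) | set(a)):
        bucket = report["volatile" if is_volatile(path) else "user"]
        if path not in a:
            bucket["removed"].append(path)
        elif path not in b:
            bucket["added"].append(path)
        elif a[path] != b[path]:
            bucket["changed"].append(path)
    u = report["user"]
    # Any change outside the expected volatile paths means the acquisition touched user data.
    report["user_data_intact"] = not (u["changed"] or u["added"] or u["removed"])
    return report


if __name__ == "__main__":
    r = compare_snapshots(BEFORE, AFTER)
    print("user data intact:", r["user_data_intact"])
    print("volatile paths that changed:", r["volatile"])
```

The volatile list is deliberately narrow: anything not matched by it counts as user data, so an unexpected write lands in the report as a user-data change rather than being silently excused. The same comparison run against a tool whose side effects are unknown (the built-in synchronization path the article warns about) is how one would find out what it actually modifies.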
Software assessment: which tool?
Today's market offers more than a dozen software and hardware solutions for extracting and analyzing data from mobile devices. For data reading, many of them combine physical and logical approaches. So the obvious question is: which one to use?
Unfortunately, analysis of the product descriptions given on developers' sites does not give a clear understanding of software functions and features. First of all, there is confusion of terms: "support for more than seven thousand profiles" might actually mean support for 3000 models, once the different ways of extracting data from the same model and identical models sold under different brands are taken into account. Secondly, stated support for a certain manufacturer's products does not imply support for all the models it produces. Often, a detailed description of what can be read from a device is given not for each model but for an entire range of models. Investigators must not forget that support for a particular function can be implemented at different levels. For example, MMS messages may be read merely as container files, after which an expert must find and decode them (this requires knowing the file system specifics of the particular model, and there are several common as well as proprietary formats for MMS encoding).
Usually, the support level is not specified in the description. Reviews and tests conducted by NIST, as well as by various independent experts (for example, viaforensics.com), come to the expert's rescue. It is not hard to find a detailed comparison of how the software handles Apple devices, but one would be lucky to find a review of a specific model when it comes to phones from Samsung or Nokia, which have released more than a hundred models (compared with ten from Apple). Which tool should one choose? Practitioners' experience shows that it is impossible to apply just one product for all occasions. Within their budget, experts have to use a set of several tools and choose the most appropriate product in each case according to their own experience and community advice. The image taken from a modern device can measure tens of gigabytes (for example, a 64 GB iPad). As a result, a product's features for analyzing the extracted data become the major priority. Today, all software products use more or less the same methods of data extraction from devices, so the speed, completeness and depth of analysis of the extracted information are no less important.
In addition to issues of forensic soundness, examiners have to deal with purely technical problems, starting with identifying the manufacturer and operating system of a specific phone. The great variety of modern phones makes this a real challenge. When choosing software for investigations, it is important to be fully aware not only of what data can and cannot be extracted from a device in principle, but also of how much data the specific software can retrieve and process.
Oleg Davydov is Co-Founder and CTO of Oxygen Software Company. He graduated from Moscow State University, Department of Applied Math & Cybernetics, with a Master's degree in 1996. In 2000, together with Oleg Fedorov, he founded Oxygen Software Company. He has 20 years in the IT business and is experienced in team management, applied and system software design, and product management.