Smartphone Forensics: Part 6
The first posting in this series provided an introduction to smartphone forensics. Parts two, three, four and five covered forensics in iPhones, BlackBerrys, Motorola smartphones, and iPods, respectively. So far we have gone over how to use forensics procedures to capture data from each type of device, and some of the challenges involved, but we have not gone much further into the forensics process itself. This sixth posting covers some of the other extremely important procedural considerations: how to gain access to data on smartphones, ensuring that all relevant data are captured, protecting the integrity of data, dealing with differences in operating systems and file systems, and avoiding the errors that can easily invalidate a forensics investigation.
• Gaining access to data on smartphones. Some smartphones do not require authentication; they allow access to the phone and its contents without any security whatsoever. Others require entry of a password or PIN. In the latter case the forensics investigator must guess the password or PIN, find it somewhere, obtain it from the owner, or exploit a vulnerability that bypasses authentication altogether. Guessing a password or PIN is likely to be easier with smartphones than with conventional computers because smartphone passwords and PINs tend to be shorter. Why? Many smartphones have no password policy that enforces, among other things, a minimum length. Remember, too, that some smartphones ship with default passwords that users almost never bother to change. Consider also that a smartphone may be seized while it is unlocked and in use, which removes the need to know or guess the password or PIN; in that situation, keep the device from locking or going to sleep, because once the screen locks the authentication problem returns.
• Ensuring that all relevant data are captured. Smartphones almost without exception have less built-in storage than conventional computing devices. To expand it, users often add removable flash cards such as MMC (MultiMediaCard) and SD (Secure Digital) cards; these are storage, not RAM, and they can hold a large share of the user's data. Be sure, therefore, to inspect the device you are forensically investigating for the presence of such cards and, if any are present, to image them too. It is easy to overlook these sources of potentially very important data in a smartphone forensics investigation. Additionally, as mentioned in a previous posting in this series, you have the option of capturing only certain regions of memory or certain partitions. All things considered, it is better to err on the side of capturing too much, even though some of the data may not seem pertinent to the investigation.
• Protecting data integrity. Some smartphones store user data in flash memory or, rarely, on a small hard drive; others, notably older Windows Mobile devices, keep it in battery-backed RAM. If a phone of the latter kind loses power, the data in RAM are very likely to be lost, and data lost in this manner may or may not be recoverable. Complicating matters, on many smartphones forensic data capture is not possible while the phone is turned off. And even if a smartphone is ostensibly off, it is probably not completely off: on most major types of smartphone, a device that appears to be off is in a low-power state in which background processes that can change data keep running. Worse yet, it is easy to start the data capture without realizing that the phone still has an active wireless connection through which someone could remotely change or erase data. Malware present on the phone can also alter data, and a hardware key can be pressed or rigged to trigger functions that modify or delete data. In sum, there are many ways that data on a smartphone can change between the moment it comes into your possession and the moment your dump is finished; think of the implications for a court case. About the best you can do is, first, to isolate the device from all wireless networks (airplane mode or a shielded container, with power maintained so it does not reset). Then record the state of the device (on or off, locked or unlocked) and the time when you begin, and compute a hash of the acquired image as soon as the capture completes; record the state and time again when you finish. MD5 and SHA-1 are the conventional choices, but both are now considered weak against deliberately crafted collisions, so record a SHA-256 digest alongside them. Be clear about what the hash proves: every later copy of the image must produce the same digests, so any mismatch spells trouble for the evidence. A second acquisition of a live device, however, will usually differ from the first because of the background activity just described, so the hash demonstrates that the image has not changed since capture, not that the device itself stood still.
• Dealing with differences in operating systems and file systems. The range of operating systems in today's generation of smartphones is surprisingly large, and different versions of each operating system typically coexist. Forensics tools that work with one operating system and version may not work with others, often necessitating the purchase of several different tools. The existence of different file systems on smartphones presents yet another complication. Copying files from a smartphone's file system onto another file system (e.g., NTFS on a Windows workstation) is extremely likely to lose or modify some of the original data, because the destination cannot represent all of the source's metadata (timestamps, ownership, attributes) and a file-by-file copy never captures deleted files or unallocated space at all. Acquire a bit-for-bit image into a container file instead, and examine it with a tool that understands the phone's own file system.
• Avoiding major errors. It is incredibly easy to make a mistake that results in loss or modification of forensic data. Accidentally resetting the device during an investigation is one of the most common errors, and one that typically results in data loss. A hard reset wipes the contents of RAM. If the battery runs out during an investigation the device loses power, which on phones that keep data in RAM has the same effect as a hard reset, so it is wise to provide a continuous source of electrical power independent of the battery throughout a smartphone forensics investigation. Finally, an accidental or intentional soft reset must also be avoided: it reinitializes dynamic memory, and data that the device has marked for deletion but not yet purged are lost when that happens.
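The integrity step described above (hash the acquisition as soon as it completes, re-verify every later copy, and treat any difference as trouble) as an added example in Python; this is not code from the original posting. It hashes an acquired image with MD5, SHA-1 and SHA-256, keeps the device state and capture time alongside the digests, and, when a later copy fails verification, reports which blocks differ rather than just "mismatch". The images, the 4 KiB block size and the record fields are constructed for the example and stand in for real dump files.

```python
"""Acquisition-integrity record and verification for a smartphone image dump.

Added example; the sample images are constructed bytes, not real device data.
"""
import hashlib
import json
import time
from itertools import zip_longest

# Assumption: 4 KiB blocks. The block size only controls how finely a
# change can be localized; the whole-image digests do not depend on it.
BLOCK_SIZE = 4096


def hash_image(data: bytes, block_size: int = BLOCK_SIZE) -> dict:
    """Hash an acquired image in one pass: whole-image MD5/SHA-1/SHA-256
    digests plus a per-block SHA-256 manifest used later to localize changes."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    blocks = []
    for offset in range(0, len(data), block_size):
        chunk = data[offset:offset + block_size]
        for h in (md5, sha1, sha256):
            h.update(chunk)
        blocks.append(hashlib.sha256(chunk).hexdigest())
    return {
        "size": len(data),
        "block_size": block_size,
        "md5": md5.hexdigest(),
        "sha1": sha1.hexdigest(),
        "sha256": sha256.hexdigest(),
        "blocks": blocks,
    }


def make_acquisition_record(data: bytes, device_state: str, note: str = "") -> dict:
    """Build the record kept with the image: digests plus the device state
    (on/off, locked/unlocked, radios isolated) and the UTC time of capture."""
    record = hash_image(data)
    record.update({
        "device_state": device_state,
        "captured_at_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "note": note,
    })
    return record


def verify_image(data: bytes, record: dict) -> tuple:
    """Check a later copy of the image against its acquisition record.

    Returns (True, []) when the copy matches; otherwise (False, changed_blocks),
    where changed_blocks lists the indexes of blocks whose hashes differ. An
    index present on only one side means the two images differ in size."""
    current = hash_image(data, record["block_size"])
    if current["size"] == record["size"] and current["sha256"] == record["sha256"]:
        return True, []
    changed = [
        i for i, (old, new) in enumerate(zip_longest(record["blocks"], current["blocks"]))
        if old != new
    ]
    return False, changed


# Constructed sample data (not from any real device): a 16 KiB "image" of a
# repeating byte pattern, a copy with one byte flipped inside block 2, and a
# copy truncated by one block.
ORIGINAL_IMAGE = bytes(range(256)) * 64
_tampered = bytearray(ORIGINAL_IMAGE)
_tampered[2 * BLOCK_SIZE + 100] ^= 0xFF
TAMPERED_IMAGE = bytes(_tampered)
TRUNCATED_IMAGE = ORIGINAL_IMAGE[:-BLOCK_SIZE]


def demo() -> dict:
    """Record the original image, then verify three later copies against it."""
    record = make_acquisition_record(
        ORIGINAL_IMAGE, "powered on, unlocked, radios isolated", note="capture complete"
    )
    return {
        "exact_copy": verify_image(ORIGINAL_IMAGE, record),
        "tampered_copy": verify_image(TAMPERED_IMAGE, record),
        "truncated_copy": verify_image(TRUNCATED_IMAGE, record),
        "record": record,
    }


if __name__ == "__main__":
    results = demo()
    for name in ("exact_copy", "tampered_copy", "truncated_copy"):
        ok, changed = results[name]
        print(f"{name}: {'OK' if ok else 'MISMATCH'} changed blocks={changed}")
    # The record (minus the long block list) is what goes into the case notes.
    summary = {k: v for k, v in results["record"].items() if k != "blocks"}
    print(json.dumps(summary, indent=2))
```

Write the record out with the image and re-run `verify_image` on every working copy and on the original file before each examination session; a non-empty `changed_blocks` list tells you where to look, which is far more useful in a report than a bare digest mismatch.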
It should once again be evident that although there are similarities between forensics investigations of conventional computing systems and of mobile devices, there are also many critical differences. Mistakes can occur at any point in any forensics investigation, but mistakes in smartphone forensics can be particularly damaging and must be avoided at all costs. Learning the special "care and feeding" that smartphone forensics requires, and building it into dedicated procedures (at a minimum, one for each type of smartphone), is imperative if forensics investigations involving smartphones are to be performed properly.