BFOR 304: Introduction to Mobile Forensics
Introduction to Mobile Forensics
● Mobile Forensics - branch of digital forensics that deals with the acquisition and recovery
of evidence from mobile devices
● Forensically Sound - qualifying and justifying the use of a particular forensic technology or
methodology wherein the original evidence must not have been modified
● Mobile forensics acquisition methods may involve removing a chip or installing a
bootloader on the mobile device prior to extracting data for forensic examination
○ Procedures and changes have to be
■ Tested
■ Validated
■ Documented
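The notes define "forensically sound" as the original evidence not having been modified. The usual way an examiner demonstrates that is to hash the acquired image at acquisition time, record the hash in the documentation, and re-hash before and after every later step. The following is an added example, not part of these course notes and not from any particular forensic tool; the image bytes, examiner name and tool name are constructed placeholders.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Constructed sample: stands in for a raw image acquired from a handset.
SAMPLE_IMAGE = b"\x00" * 512 + b"example user data, constructed for this demo" + b"\xff" * 512


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so a multi-gigabyte image never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def record_acquisition(path, examiner, tool):
    """The log entry written once at acquisition time: what was imaged, by whom, with what, and its hash."""
    return {
        "evidence": os.path.basename(path),
        "sha256": sha256_of_file(path),
        "examiner": examiner,
        "tool": tool,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
    }


def verify_unmodified(path, log_entry):
    """Re-hash the image and compare with the recorded value; any change at all returns False."""
    return sha256_of_file(path) == log_entry["sha256"]


def demo():
    """Acquire, verify, then simulate an unintended write and show the check catches it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "handset_image.bin")
        with open(path, "wb") as f:
            f.write(SAMPLE_IMAGE)
        # examiner and tool names are hypothetical placeholders
        entry = record_acquisition(path, examiner="J. Doe (hypothetical)", tool="hypothetical imaging tool")
        before = verify_unmodified(path, entry)
        # A single byte changed anywhere in the image is enough to break soundness.
        with open(path, "r+b") as f:
            f.seek(0)
            f.write(b"\x01")
        after = verify_unmodified(path, entry)
        return before, after, entry


if __name__ == "__main__":
    before, after, entry = demo()
    print(json.dumps(entry, indent=2))
    print("matches right after acquisition:", before)
    print("matches after a one-byte change:", after)
```

In practice the hash is recorded in the same documentation the notes call for under Seizure, and the verification is repeated whenever the image changes hands, so the chain of custody and the hash history together show the procedure was tested, validated and documented.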
Mobile Forensics Process
● The mobile forensics process is broken down into three main categories
○ Seizure
○ Acquisition
○ Examination/Analysis
Legal Authority
● There are two main types of legal authority to seize and search an electronic device
○ Search warrant
■ Signed by a judge
■ Law enforcement officer must have reasonable cause to believe that a
crime has been committed and that evidence of said crime can be located
within the item to be searched
■ A written or oral statement outlining said reasonable cause accompanies
the search warrant
○ Consent
■ Owner of a device can give verbal or written consent for a search of their
device
● Consent can be revoked at any time
● Additional types of legal authority
○ Exigent Circumstances
■ Risk of imminent danger to life or serious damage to property exists
○ Plain View
■ Plain view doctrine is based on the practical logic that an officer need not
turn a blind eye to evidence that is immediately apparent as
incriminating when he is lawfully present, where the object can be seen,
and where he has a legal right to access that object (Fordham Law)
○ Probation/Parole
■ Have conditions set that allow their parole/probation officer to search their
electronic devices
■ Warrant is not needed
○ Private/Public Sector Workplace Searches
■ Might have policies in place regarding a device provided for business
purposes
Seizure
● Important parts of seizure include
○ Documentation
■ Write down everything that can be seen and done
○ Photograph
■ Take photos of the device prior to touching it and throughout the process
○ Packaging the device
■ Older practice: turn the device off and place it into a Faraday bag
■ As technology has evolved, turning the device off is no longer
recommended
■ Proper practice
● Turn device into airplane mode
● Attach device to external power source
● Place it into a Faraday bag
● Packaging the device is important as it needs to be the same as when seized; the device must not
○ Be remotely accessed/remote wiped by the device user/owner
○ Have data added to or deleted from the phone
■ Calls
■ Messages
■ Third party application notifications
● Things to take into consideration when seizing electronic devices
○ State of device
■ In water
■ Covered in blood or other hazardous materials
■ Fingerprints
■ Contain drug residue
■ Severe damage to the physical device
Acquisition (On-Site Triage)
● Manual data extraction on scene and logical extractions utilizing specialized forensic
hardware/software
● Reasons for On-Site Triage
○ Urgent need to access the data (example: missing person case)
○ Encryption is present (data may otherwise be inaccessible if not previewed
immediately)
■ Phone may be unlocked on scene
● May be useful
○ Identifying electronic devices that should be seized
○ When the investigation requires actionable intel to continue
Examination and Analysis
● Uncover the data on the device via applied methods and determine what data is
relevant