Computer forensics is a branch of forensic science that pertains to legal evidence found in computers and other digital storage media. Computer forensics is also referred to as digital forensics. The aim of digital forensics is to analyze the current state of a digital artifact. These artifacts include computer systems, storage media such as hard disks or CD-ROMs, electronic documents such as e-mail messages or images, and packets that move through a computer network.
The field of computer forensics has other branches within it, such as firewall forensics, network forensics, database forensics and mobile device forensics. The focus of this paper is on mobile device forensics. Mobile device forensics involves the ways in which evidence can be obtained from a mobile device. Typically the memory of a mobile device is forensically acquired, resulting in a memory image. The use of mobile electronic devices in forensic investigations is a relatively new and developing field within computer forensics.
Mobile devices are well suited to collecting evidence because of their compact size and integrated features. The memory image can be used to give evidence and also for investigations. Investigation is necessary in case the device fails to capture or recover some important information. Mobile devices can be used to capture a lot of information, such as addresses, photographs, dates, and notes (Walker, 2000).

Mobile devices

One of the most commonly used mobile devices in forensics is the mobile phone.
Another device that is used in computer forensics is the personal digital assistant (PDA). Mobile devices are currently a double-edged sword. They create new data security risks while providing important sources of evidence for computer forensics. Their continually developing capabilities have made them more like personal computers, accompanying people as they move around the world. Digital forensic experts have been able to use data stored on and generated by mobile devices to reconstruct people's movements, communications and other personal details (Walker, 2000).
The success of the mobile phone is due to its ability to satisfy a variety of human needs, such as instant gratification. Delay is inconvenient; this is why all the technologies in the market are aimed at better, faster and more convenient functionality. The customer base for mobile phones is broadening. This has enabled the manufacturers to provide more enhanced capabilities and put more resources into them for the benefit of the users. In fact, most modern phones are more like mobile computers.
Most of them provide much the same functionality as a desktop computer. This fact has made mobile phones a significant source of evidence in forensic investigations. Modern phones have larger on-board memory capacity in addition to expandable memory slots, a built-in word processor and other applications, and internet access. These additional capabilities have greatly increased the abundance and value of data from these devices (Murphy, 2008). There are various differences between desktop computers and the mobile electronic devices that are used in forensic investigations.
The differences arise from various features: a wide range of hardware models and accessories, a wide range of built-in operating systems, short product life cycles with new models appearing very often, mobility, files stored in temporary memory on some devices and in permanent memory on others, hybrid devices with enhanced networking and communication capabilities, and the suspension of programs when the device is switched off or idle, or while they remain active in the background.
Apart from being compact and light in weight, the devices are battery powered. This enables them to operate for a long time without recharging (Walker, 2000).

Data that provide evidence

The data available from some mobile devices are limited, but they are constantly increasing. In the past only a limited amount of data could be retrieved from a telephone, but this is changing with developments in technology.
Gone are the days when only a phonebook was found in a mobile phone. Mobile devices have a high penetration rate and are currently connected to an increasing number of criminal cases (Schwabe, Davis & Jackson, 2001). They are a prime source of evidence because their information capability is comparable to that of computers. There is a variety of data that can be obtained from mobile devices and that is capable of providing evidence of criminal activity.
It includes messages (Short Messaging Service, MMS, Twitter and chat), appointment calendar data, phone book data, date or time, language and other phone settings, call logs (dialed, incoming and unanswered calls), multimedia files (sounds, music, images, video and podcasts), e-mails, audio and video recordings, internet browser history, bookmarks and cookies, personal information (contacts and notes), maps (Google and OpenStreetMap), connection information (Bluetooth, WLAN, VPN), multimedia messages, electronic documents, running processes, routing tables, network and connectivity statistics, GPS positions, the boot sequence, and default libraries. With the increase in applications and memory, the amount and complexity of information will expand. The list of data that can be retrieved cannot be viewed as complete, because the devices will be able to store more and larger files (Murphy, 2008).

Capability to provide evidence
As long as the integrity of the evidence is intact, mobile device evidence is admissible in courts of law. Special measures should be taken in conducting mobile device forensic investigations if the evidence is to be used in a court of law. One of the most important measures is ensuring that the evidence is collected as accurately as possible. It is also important to make sure that there is a clear chain of custody from the crime scene to the investigator and eventually to the court. This is to ensure that the information provided has integrity and that the evidence is not distorted (Walker, 2000). Data in mobile devices can be altered very easily.
In cases where the data being presented in a court of law has been altered in any way, it cannot be presented as evidence or used for investigation. If the data held in those devices is accessed before it is used in court, the person responsible should be in a position to defend their actions. In that case they should be able to explain the importance and implications of those actions (Schwabe, Davis & Jackson, 2001).

Issues related to mobile device forensics

When mobile devices are used to gather evidence of criminal activity, forensic investigators require tools that can properly retrieve and examine the information from the device. A number of commercial off-the-shelf (COTS) and open-source tools exist to help the experts do so.
Forensic experts, law enforcement and response teams depend upon well-designed procedures and techniques, together with proper tools, to ensure the integrity of digital evidence. There is no proper guidance in the area of mobile forensics. The procedures and techniques designed for standard computer forensics cannot be applied directly because they are not designed to handle the different characteristics of mobile devices. There is a need to have in place appropriate policies and procedures that deal with mobile devices (Roth & Olson, 2001). Difficulty in obtaining particular types of data arises from the proprietary nature of mobile devices.
Features such as Bluetooth and running third-party applications can cause problems. This has left mobile device forensic tools struggling to reliably get data from a wide range of mobile devices. It has also necessitated enhancing the functionality of mobile forensic tools to accommodate the increasing amount of evidence and the various types of mobile devices. If this is not done, keeping up with the amount and complexity of information would be impossible (Murphy, 2008). Cryptographic hash functions give forensic investigators the capacity to validate the authenticity of the data retrieved from mobile devices.
A cryptographic hash function produces a hash value, that is, a fixed-size bit string, which is often used to identify files and to show whether or not the data has been modified. The two most common cryptographic hash functions are MD5 and SHA-1. The use of mobile device forensic tools to report hash values for specific data has not been researched thoroughly. This means that the accuracy of the hash values produced has not been verified. Extensive research is required in this area, especially for the sending and receiving of multimedia messages (MMS). An example of an alteration in data that can be hard to prove is marking a read message as unread (Roth & Olson, 2001). Using a mobile phone to get information keeps the memory active and constantly changing.
This can cause inconsistencies in the hash values of subsequent acquisitions from the same phone memory. The problem is further complicated by the use of unique cables and drivers to establish connections. Repeated acquisitions have also been seen to produce different hash values. This can be attributed to an internal clock that constantly changes timestamps, or to other unique information that is in flux (Schwabe, Davis & Jackson, 2001). The tools that retrieve data from mobile devices use AT commands, FBUS, OBEX and other communication protocols to retrieve the data. All these communication protocols are phone-dependent. The methods also depend upon standard phone software, which introduces some issues.
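As an added example (not part of the original paper), the following Python script hashes a constructed memory image with the MD5 and SHA-1 functions named above, verifies a later copy against the recorded digests, and localises the blocks in which two acquisitions of the same live phone differ; the image layout, its clock field and its read/unread flag are hypothetical.

```python
"""Hash an acquired memory image, verify it later, and localise where two
acquisitions of the same live phone diverge.  All data below is constructed."""
import hashlib
import hmac


def hash_image(image: bytes) -> dict:
    """MD5 and SHA-1 digests of an acquisition (the two functions the paper names)."""
    return {"md5": hashlib.md5(image).hexdigest(),
            "sha1": hashlib.sha1(image).hexdigest()}


def verify_image(image: bytes, recorded: dict) -> bool:
    """True only if every recorded digest still matches (constant-time compare)."""
    current = hash_image(image)
    return all(hmac.compare_digest(current[name], digest)
               for name, digest in recorded.items())


def changed_blocks(first: bytes, second: bytes, block: int = 16) -> list:
    """Offsets of block-sized regions that differ between two acquisitions,
    so an examiner can see whether a mismatch is a clock field or a record."""
    longest = max(len(first), len(second))
    return [off for off in range(0, longest, block)
            if first[off:off + block] != second[off:off + block]]


# Constructed image (hypothetical layout): 4-byte magic, 4-byte clock,
# 8 bytes of padding, then one SMS record whose first byte is a
# read/unread flag (0x01 = read), sender, and text.
FIRST = (b"IMG\x00" + (1_700_000_000).to_bytes(4, "big") + b"\x00" * 8
         + b"\x01" + b"+15550001111\x00" + b"meet at noon\x00")
# Second acquisition of the same phone: the clock advanced 90 seconds and the
# message was marked unread, the kind of hard-to-prove alteration the text describes.
SECOND = (b"IMG\x00" + (1_700_000_090).to_bytes(4, "big") + b"\x00" * 8
          + b"\x00" + b"+15550001111\x00" + b"meet at noon\x00")

if __name__ == "__main__":
    recorded = hash_image(FIRST)          # digests written into the custody record
    print("first acquisition verifies: ", verify_image(FIRST, recorded))
    print("second acquisition verifies:", verify_image(SECOND, recorded))
    print("differing block offsets:    ", changed_blocks(FIRST, SECOND))
```

The second acquisition fails verification even though no message content changed, and the block diff shows the mismatch is confined to the clock field (offset 0) and the flag byte (offset 16).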
The issues include the following: information can be altered when using the protocols, especially AT commands or Nokia FBUS; important information can be omitted by the phone in response to a command; some information can never be accessed over a software interface; and data that can be retrieved from one device might not be accessible on other similar phones, even when using the same commands. This creates a problem in that some of the data expected to prove a case may be unreliable (Murphy, 2008). Dealing with mobile device forensics also requires a lot of expertise. This is due not only to the vastness and complexity of the data involved, but also to the complexity of the technology required to retrieve and process the data. For this reason forensic experts should be prepared to handle the information and prove its authenticity. They also need to be equipped with knowledge, not only in handling existing tools but also in any incoming technology.
They need to acknowledge that technology is changing and prepare themselves for any new situation that they may encounter (Roth & Olson, 2001).

Importance to computer forensics

Mobile devices play a very key role in computer forensics. They are slowly replacing paper aids such as schedules and address books. Data retrieved from mobile devices has proven important in resolving incidents and investigating criminal activities. Mobile device forensics is applicable to corporate and law enforcement investigations and incident response activities. Mobile device forensics attempts to capture the entire picture in an investigation rather than only evidence processing.
Mobile device forensics ensures that all the major tasks associated with an investigation are described and that there is proper information flow among the various phases of an investigation. The major tasks in an investigation include preservation, identification, collection and analysis of evidence. The evidence captured in mobile devices can be preserved in case it is required in the future for investigation. The method has ensured a proper chain of evidence custody, making it a good scheme for law enforcement. Care has been taken to take into account the variety of technical issues that are associated with investigation using mobile devices. This is beneficial for computer forensics. In this way, mobile device forensics has bridged the gap between law enforcement and computer forensics.
The method ensures evidence collection over a long period of time, since the devices have a rechargeable battery. After charging they operate for some time before they require recharging. Their compact size and light weight ensure portability and thus convenience in data collection. People can carry them over very long distances without getting tired, and they can also gather information without being noticed (Walker, 2000). Data that has been deleted can be recovered by forensic experts using readily available tools. They are able to do so by acquiring and analyzing the full contents of the memory. Deleted data can hold very important information in an investigation. Some mobile devices are capable of storing location-based information.
Investigators can retrieve this information to determine the geographical location of the device at a particular time. There are cases where the clock on a device is incorrect. This can be addressed with timestamps on the device that may still be correct because they are generated by systems in the core network. For example, a received SMS has a timestamp set by the Short Message Service Center and not by the phone (Roth & Olson, 2001).

Conclusion

There is a need for the methods, standards and procedures used in mobile device forensics to be accepted by all forensic professionals. The methods used to retrieve and manage evidence will be most effective if they are understood and accepted by the majority of experts.
There is a need to come up with a well laid down and generally accepted standard that can be applied to all cases. There is a need for extensive research that will assist in accomplishing all this. More courses to train forensic experts should be established.

References:

Murphy, E. (2008). "Paradigms of Restraint," Duke Law Journal, Vol. 57.

Roth, M. & Olson, J. (2001). Historical Dictionary of Law Enforcement. Westport, CT: Greenwood Press.

Schwabe, W., Davis, L. & Jackson, B. (2001). Challenges and Choices for Crime-Fighting Technology: Federal Support of State and Local Law Enforcement. Santa Monica, CA: Rand.

Walker, G. (2000). "Information Warfare and Neutrality," Vanderbilt Journal of Transnational Law, Vol. 33.