Seeking the Truth from Mobile Evidence
eBook - ePub

Seeking the Truth from Mobile Evidence

Basic Fundamentals, Intermediate and Advanced Overview of Current Mobile Forensic Investigations

  1. 528 pages
  2. English
  3. ePUB (mobile friendly)
  4. Available on iOS & Android

About This Book

Seeking the Truth from Mobile Evidence: Basic Fundamentals, Intermediate and Advanced Overview of Current Mobile Forensic Investigations will assist those who have never collected mobile evidence and augment the work of professionals who are not currently performing advanced destructive techniques. This book is intended for any professional who is interested in pursuing work that involves mobile forensics, and is designed around the outcomes of criminal investigations that involve mobile digital evidence. Author John Bair brings to life the techniques and concepts that can assist those in the private or corporate sector.

Mobile devices have always been very dynamic in nature. They have also become an integral part of our lives, and oftentimes a digital representation of where we are, who we communicate with and what we document around us. Because they constantly change features and allow user-enabled security and/or encryption, those employed with extracting user data are often overwhelmed with the process. This book presents a complete guide to mobile device forensics, written in an easy-to-understand format.

  • Provides readers with basic, intermediate, and advanced mobile forensic concepts and methodology
  • Thirty chapters covering topics such as preventing evidence contamination, triaging devices, troubleshooting, report writing, physical memory and encoding, date and time stamps, decoding Multi-Media-Messages, decoding unsupported application data, advanced validation, water-damaged phones, Joint Test Action Group (JTAG), thermal and non-thermal chip removal, BGA cleaning and imaging, In-System-Programming (ISP), and more
  • Popular JTAG boxes, Z3X and RIFF/RIFF2, are expanded on in detail
  • Readers have access to the companion guide, which includes additional image examples and other useful materials


Information

Year: 2017
ISBN: 9780128110577
Part 1
Basic, Fundamental Concepts
Chapter 1

Defining Cell Phone Forensics and Standards

Abstract

This chapter provides a definition for cell phone forensics in three simple key words. Within this chapter, these are expanded on and provide the reader with a comprehensive understanding of the components involved in this unique forensic field. The logical and physical examination types are also discussed, and the reader is shown visual examples of each. As the chapter continues, it explains the specific standards that need to be followed, with reference to the guidelines on mobile forensics that are provided by the National Institute of Standards and Technology (NIST). Agencies and companies that are tasked with processing digital evidence must at times follow federal, state, and internal policies. There should also be minimum standards that these are built on. Building a standard operating procedure, an internal policy, or a guide should always include aspects from a number of sources such as NIST, any applicable set standard, and a review from any legal representative.

Keywords

Cell phone forensics; File system examinations; Logical examinations; Mobile forensics standards; NIST; Physical examinations; Recovering cellular data; Validated data
Information in This Chapter

• Defining cell phone forensics
• Recovering
• Data
• Logical data
• File system
• Physical data
• Validating
• Standards
• National Institute of Standards and Technology (NIST)

Introduction

What is Cell Phone Forensics? Before we begin to answer this question, let us briefly address how the general public has recently begun to learn more about this field. At the time that this book was being written, many people who may have been uninterested in mobile forensics had learned aspects of this practice by reading about how the Federal Bureau of Investigation (FBI) and Apple had conflicting views on how to recover data from a suspected terrorist's iPhone. An outside entity ultimately assisted in the case and was able to defeat the user-enabled security and allow a forensic search to be conducted. There are many moving parts involved in that case, and it can be boiled down to the protection of user data weighed against due process. However, the purpose of this book is not to address those issues. During that particular period of unresolved issues between the FBI and Apple, more individuals asked the author's opinion about the case than during any other criminal investigation he had been involved with up to that date. Some began to understand a few of the elements that are involved with mobile forensics. Because of the nature of the terrorism case, people actually wanted to hear more details than normal about this field. They would express valid points from both sides of the argument. The author would normally have "light-hearted" conversations with acquaintances regarding work. Now they were bringing up elements that dealt directly with their constitutional rights. Oftentimes the conversation led to answering the question that was posed at the start of this chapter.

Defining Cell Phone Forensics

Cell Phone Forensics is the process of recovering cellular-related data through a forensic examination using validated means. To understand this, we must expand on the three key words that have been used in this definition.

Recovering

To recover data, we must first actually have an incident in which the need has arisen to obtain the specific artifacts. For law enforcement, this will generally originate from an actual crime that has occurred. In the private sector, this could be a breach of network security or a financial loss. Within the elements of the case itself, there would be a mobile device that contains potential evidence related to the crime or incident. The key element that is necessary to recover potential data is the legal process. The legal process and its requirements are addressed in chapters 3 and 4. Once the legal process is met, the acquisition of the device can take place. In short, the ability to begin "recovering" data is tied to obtaining the legal process.

Data

The actual artifacts that are located on mobile devices are categorized as logical and physical. Logical data is easy to understand. Within the target device, it can be viewed through the graphical user interface (GUI). For example, this may be a stored image, text message content, or a phone book contact. Vendors who sell mobile phones often invest in features that complement the user's ability to use, manage, and interact with logical data. This will include the camera, sending and receiving messages, navigational assistance, and web browsing, to name a few.
Logical data will not require special tools, programs, or training to interpret. It will usually have its own story to tell. This is what most prosecutors will want to introduce to the jury. Fig. 1.1 depicts logical data as commonly viewed through the screen of a flip phone. This is a (redacted) short message service (SMS) that simply indicates "Hello" as the content. The entire message with the date and time it was sent can logically be viewed by scrolling down within the screen. This message would be stored in a particular encoded fashion within the memory of this device. We will explain encoding in a later chapter, but for now let us understand that this message was created by the user. Without actually knowing it, this same user of the device turned on a series of bytes that in turn were encoded by the operating system (OS). These bytes were then displayed on the GUI so that they could be understood by the user. All this was going on inside the phone's memory with little to no thought of how it all works.
Physical data can be defined as the composition of logical data. These are the "ingredients" that make up what the user may be viewing or may have once seen, as in the case where the data have been deleted. Here is an example. Pretend for a minute that you are a bad guy. You and another bad guy have conspired to murder other individuals. The murder was committed using firearms. The two victims' bodies were to be disposed of in a city landfill. Your coconspirator has a phone number of 12536065884. Your phone number is the same number that was used as the example in the top image in Fig. 1.1, "TO": 514-5 (redacted). You send a message about this offense to your bad guy friend, but after it is sent, you delete it. Logically, no one can see the message when they look in the "Sent" folder of the phone. Physically, however, an examiner could locate the message if certain circumstances were present within the file system. Using the values of the physical encoding, an examiner searches for the bad guy's number, 2536065884, within the binary. The deleted message is located. Using special programs, the entire message can now be read.
At the bottom of Fig. 1.1 is an example of physical data related to this example. Later, we will explain much more about physical data, types of encoding, interpreting timestamps, and additional elements related to this example.

Figure 1.1 Example of logical data: short message service (SMS) sent message "Hello" and physical data example: deleted SMS related to homicide.
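The search described above, as an added example that is not from the book: it builds a constructed memory dump holding a deleted-SMS-style record whose destination address is stored as GSM semi-octets (the nibble-swapped BCD form of the TS 23.040 address field, assumed here as the "physical encoding" the chapter leaves for later), and searches it for the number both as plain text and in that encoding. The point it adds is that the ten-digit 2536065884 is not a byte substring of the stored 12536065884 in semi-octets, so the examiner must also try the shifted nibble alignment.

```python
"""Find a phone number in a raw dump as ASCII and as GSM semi-octet BCD (TS 23.040
address encoding, assumed as the "physical encoding"). Constructed dump, added example."""

def semi_octet_encode(digits: str) -> bytes:
    """Nibble-swapped BCD: digit pair 'ab' becomes byte 0xba; odd length pads with F."""
    if len(digits) % 2:
        digits += "F"
    return bytes(int(digits[i + 1] + digits[i], 16) for i in range(0, len(digits), 2))

def semi_octet_decode(raw: bytes) -> str:
    """Inverse of semi_octet_encode, dropping the trailing F pad."""
    return "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in raw).rstrip("F")

def semi_octet_pattern(number: str, shift: int):
    """(values, masks) matching `number` as semi-octets. shift=0: number starts
    in a low nibble, as a stored address does; shift=1: starts in a high nibble,
    e.g. the tail of a longer stored number with a country code. '?' = unknown."""
    digits = "?" * shift + number
    if len(digits) % 2:
        digits += "?"
    values, masks = bytearray(), bytearray()
    for lo, hi in zip(digits[0::2], digits[1::2]):
        values.append((int(lo, 16) if lo != "?" else 0) | (int(hi, 16) << 4 if hi != "?" else 0))
        masks.append((0x0F if lo != "?" else 0) | (0xF0 if hi != "?" else 0))
    return bytes(values), bytes(masks)

def masked_find(dump: bytes, values: bytes, masks: bytes) -> list:
    """Offsets where every byte in the window matches `values` under `masks`."""
    n = len(values)
    return [off for off in range(len(dump) - n + 1)
            if all((dump[off + i] & masks[i]) == values[i] for i in range(n))]

def find_number(dump: bytes, number: str) -> dict:
    """Offsets of `number` as ASCII and as semi-octets at both nibble alignments."""
    hits = {"ascii": [], "semi_octet_aligned": [], "semi_octet_shifted": []}
    start = 0
    while (i := dump.find(number.encode(), start)) != -1:
        hits["ascii"].append(i)
        start = i + 1
    for key, shift in (("semi_octet_aligned", 0), ("semi_octet_shifted", 1)):
        hits[key] = masked_find(dump, *semi_octet_pattern(number, shift))
    return hits

# Constructed dump: filler, a two-byte record header, address length (11 digits),
# type-of-address 0x91 (international), the semi-octet address at offset 12, an
# ASCII body, filler, then a contact entry holding the number as plain text at 27.
DUMP = (b"\x00" * 8 + b"\x07\x01" + bytes([0x0B, 0x91])
        + semi_octet_encode("12536065884") + b"hello" + b"\xff" * 4
        + b"2536065884" + b"\xff" * 4)
```

For 2536065884 the aligned semi-octet search misses and only the shifted search hits at offset 12, because the stored address carries the leading 1; the plain-text contact copy at offset 27 is found as ASCII.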
There are some things to remember about logical and physical data. Here are two lists that separate some of the main points of both data types.

Logical Data

ā€¢ Data may be limited and generally do not contain deleted artifacts.
ā€¢ It usually requires some form of application program interface or a specific agent to pull the requested information off the target mobile device.
ā€¢ Logical data can easily be interpreted, needing no specific training or pro...

Table of contents

  1. Cover image
  2. Title page
  3. Table of Contents
  4. Copyright
  5. Dedication
  6. Foreword
  7. Preface
  8. Acknowledgment
  9. Introduction
  10. Part 1. Basic, Fundamental Concepts
  11. Part 2. Intermediate Concepts
  12. Part 3. Advanced Concepts
  13. Index