mobile digital forensics challenges

Upload: steven-swafford

Post on 04-Apr-2018


  • 7/29/2019 Mobile Digital Forensics Challenges

    1/5

    radicaldevelopment.net http://radicaldevelopment.net/mobile-digital-forensics-challenges

    Figure 1: Types of Mobile Devices

    Mobile Digital Forensics Challenges

    The world of digital forensics has experienced transformation in recent years. With the mobile landscape changing with each passing day, it is critical that the forensics field adapt promptly to all the challenges. This post takes a closer look at mobile devices and the makeup of these devices, which includes hardware, memory, hard drives, and finally the data, particularly in the way that data is volatile and accessible. Mobile devices present challenges in the area of network intrusion, malware, and data retention. The reality is modern mobile devices are just as powerful as computers of years past and provide a high level of functionality: for example, audio, video, rich files, and voice communications, all of which are easily shared, deleted, and modified across the mobile spectrum. Only when a comprehensive understanding of the mobile platform is taken into consideration can a digital forensic analyst successfully and properly conduct a conclusive investigation.

    Mobile Digital Forensic Challenges

    The modern-day challenge of forensics when it comes to the mobile platform is that data can be accessed, stored, and synchronized across countless devices, including cloud computing platforms such as Google Docs. This can often be a moving target when it comes to forensics and requires much more effort, since the data is volatile and can quickly be transformed or even deleted remotely, and because of the sheer assortment of mobile devices (see figure 1). Mobile devices are easily accessible by the public and for the most part provide the same level of productivity as a personal computer.

    Case in point, the use of a camera for images or video may be manipulated and used for illegitimate purposes (Wilson, Craggs, Robinson, Jones, & Brimble, 2012). Also, mobile devices are often lost or stolen, and while we would like to think privacy is acknowledged, the fact is 50% of devices were accessed by unauthorized parties (Fox News, 2012). As the mobile technology stack continues to grow, the idea is that one day, sooner rather than later, the forensics world will be able to reduce the risks that are present today.

    Issue          | Personal Computers          | Smartphones
    Power On/Off   | Low Risk                    | High Risk
    Volatility     | Low Risk                    | High Risk
    Imaging        | Low Risk                    | High Risk
    Evidence Size  | Large                       | Small
    Forensic Tools | Open Source and Proprietary | Open Source


    Table 1: Personal Computers versus Smartphones

    Because mobile devices present unique challenges and risks as outlined in table 1 (Nena, & Anne, 2009), it is imperative to have a solid practice in place that allows for proper forensic analysis. This includes understanding the challenges and how not to fall victim to those challenges; otherwise the credibility of the investigation itself is at risk. In terms of the priority of threats when it comes to network intrusion, malware, and insider file deletions, we can prioritize the following aspects of the mobile technology stack.

    1. Hardware

    2. Memory

    3. Disk Drives

    4. Data

    Digital forensics, when it is all said and done, comes down to the preservation, recovery, and reporting of data that is stored on a device.

    Hardware

    To understand the challenges associated with mobile devices it is imperative to understand the architecture. This can be difficult to say the least, because while the GSM architecture is a published standard, the reality is GSM and the associated protocols are understood by a small set of engineers (Welte, 2010). The modern smartphone essentially utilizes a modem that encompasses three core features: handling of the GSM frequencies, analog data translation, and finally digital data translation. When it comes to the area of security, there are widely accepted standard features that each smartphone has, but the reality is these same features are not consistent (Welte, 2010). The lack of consistency does not present a significant hurdle for a forensic analyst, because features such as the International Mobile Equipment Identifier (IMEI), Subscriber Identity Module (SIM) card, and firmware signatures can be of assistance during the investigation and any legal actions that may arise.

    Internal and Flash Memory

    Memory, whether it is internal or removable flash memory cards, is an important component of the smartphone's operation. The protection of these components is extremely challenging because of storage options and loss or theft risks (Daesung, Byungkwan, Yongwha, & Jin-Won, 2010). To complicate matters, flash memory is difficult to manage, has a short lifetime, and is portable. It does not take a great deal of effort and time to access flash memory by either a USB connection or a simple copy of the memory's contents.

    Disk Drives

    A typical smartphone does not have, per se, a typical hard drive, but the device acts essentially like a portable hard drive because of the memory capacity and the hardware, which when connected to a personal computer behaves like any other type of drive. I would like to say that hardening of the device is easily accomplished, but the reality is the software that drives smartphones differs strongly across the mobile spectrum. In addition, manufacturers and end users are facing major security problems that have never been seen previously.

    Data

    Face it, the entire idea of a smartphone is to be able to access and share data quickly and easily. However, with this freedom come inherent risks of modification, interception, and deletion of that same data. The fact is these same smartphones often access critical data and they have no firewall or antivirus software in place, thus increasing the security risks. Intrusion may be as simple as a lost device or as complex as a black hat capturing the data exchange while the smartphone is connected to public or protected Wi-Fi networks. There are options available that assist in protecting data, and these options include the use of a Virtual Private Network (VPN) and encryption (Munro, 2007).

    Figure 2: Energy Use Comparison

    Network Intrusion

    The facts about network intrusion are painfully obvious, and an argument may be presented that while prevention is a team effort, the fact is most people are complacent when it comes to security. I have to rank network intrusion as the highest priority because of the mobile device being both easily hidden and powerful. In addition, the reality is many Network Intrusion Detection Systems (NIDS) simply monitor and alert on well-known attacks and often overlook mobile devices.

    Once a mobile device is connected to a given network, the fact remains that if the device is compromised, it can easily affect the network in a number of ways that are often detrimental to the company. Chung, Jacoby, and Davis (2010) present a compelling concept of intrusion with mobile devices that comes down to something as simple as power consumption. Because a mobile device's power level increases when the wireless mode is enabled or when it sends and receives data packets, an IDS could potentially monitor and alert the Information Technology (IT) staff to any suspicious behavior; figure 2 demonstrates a power comparison by technology, which clearly shows how power consumption may be monitored. Chung et al. (2010) propose the use of what is called a battery-based intrusion detection (B-bid) system on the mobile devices themselves.
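    The power-monitoring idea described above, as an added example that is not Chung et al.'s B-bid implementation and not code from the original post: it learns a per-radio-state baseline of battery draw and flags sustained draw above it. The sample format, the state names, the thresholds `k` and `min_run`, and all readings are constructed assumptions.

```python
from statistics import mean, stdev

# Constructed known-good samples: (seconds, radio state, battery draw in mA).
BASELINE = [
    (0, "wifi_idle", 118), (10, "wifi_idle", 122), (20, "wifi_idle", 120),
    (30, "wifi_idle", 119), (40, "wifi_idle", 121),
    (50, "wifi_active", 300), (60, "wifi_active", 310), (70, "wifi_active", 290),
    (80, "wifi_active", 305), (90, "wifi_active", 295),
]
# Constructed observation: the device reports an idle radio from t=20 to t=40
# but draws current close to what it draws while transmitting.
OBSERVED = [
    (0, "wifi_idle", 121), (10, "wifi_idle", 119), (20, "wifi_idle", 260),
    (30, "wifi_idle", 275), (40, "wifi_idle", 268), (50, "wifi_idle", 120),
    (60, "wifi_active", 305), (70, "wifi_idle", 140), (80, "wifi_idle", 118),
]

def build_baseline(samples):
    """Mean and sample standard deviation of the draw for each radio state."""
    by_state = {}
    for _, state, ma in samples:
        by_state.setdefault(state, []).append(ma)
    return {s: (mean(v), stdev(v)) for s, v in by_state.items()}

def detect(samples, baseline, k=3.0, min_run=3):
    """Return (start, end, state) for each run of at least min_run consecutive
    samples whose draw exceeds mean + k * stdev for the reported state."""
    alerts, run = [], []
    # The trailing sentinel flushes a run that lasts until the final sample.
    for t, state, ma in list(samples) + [(None, None, None)]:
        limit = None
        if state in baseline:
            mu, sigma = baseline[state]
            limit = mu + k * sigma
        if limit is not None and ma > limit:
            run.append((t, state))
            continue
        if len(run) >= min_run:  # shorter spikes are treated as noise
            alerts.append((run[0][0], run[-1][0], run[0][1]))
        run = []
    return alerts

if __name__ == "__main__":
    for start, end, state in detect(OBSERVED, build_baseline(BASELINE)):
        print(f"ALERT: draw above baseline for '{state}' from t={start}s to t={end}s")
```

    Keeping the alert list together with the raw samples gives an analyst a time window to correlate with network logs during an investigation.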

    Malware

    The second greatest threat is malware. Malware by definition is malicious software that is installed without your knowledge or permission. Depending upon the point of view, many arguments were made against Carrier IQ and the fact the software met the definition of malware because many consumers were not aware of this software. In any case, Carrier IQ serves as a great example of what malware can accomplish. Carrier IQ was designed to allow providers to measure performance and use with no visible impact to the device owner (Tsukayama, 2011), but the problem was unsuspecting users were not informed of the software, much less what data was or was not being collected and transmitted to the provider.

    Protection from malware can be an uphill battle because as more and more mobile devices are flooded into the market the growth of malware explodes. While there are mechanisms that protect from malware, the fact is mobile device owners often are not compelled to install antivirus software (Ortega, Fuentes, Álvarez, Gonzalez-Abril, & Velasco, 2011). For a forensic analyst malware presents a substantial problem because malware exploits vulnerabilities in code, which in turn affects hardware, data, file integrity, and network protocols. While malware presents challenges, Ortega et al. (2011) present the idea of a monitoring module which analyzes data transmissions. This module as outlined provides the necessary monitoring and inspection of the data transfer to both allow and store decisions based upon the transmission. The fact that the decision history is maintained provides great value to the area of digital forensics as an audit trail. Keep in mind that because mobile operating systems and the hardware that they run on differ greatly, any type of monitoring system would have to adapt to the differences across devices.


    File Integrity

    At this point one thing that should be painfully obvious is the fact that mobile devices pose a very large threat. These devices are data centric and this same data could be harmful in the hands of the wrong individual. Consider for a moment the ease of capturing pictures or videos. Furthermore, assume you turned on the evening news only to hear a report of a well-known politician in an unflattering picture; it can happen.

    While images and video only represent one aspect of file integrity, I do believe it is extremely important because of ease of access. In fact, from a forensic standpoint it is imperative to distinguish between any alterations to the media (Rocha, Scheirer, Boult, & Goldenstein, 2011). Protection and acquisition of data from mobile devices is often very simple. For example, most smartphones when connected to a PC simply show up as a disk drive. With Android devices, a forensic analyst may utilize the Android Debug Bridge (adb) to acquire data.
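    One way to make later alterations to adb-acquired files detectable, as an added example that is not code from the original post: record a SHA-256 manifest immediately after the pull and verify working copies against it. The function names, the DCIM file names and the file contents are constructed assumptions; `adb_pull` wraps the real `adb pull -a` command and is not called by the demo.

```python
import hashlib
import subprocess
import tempfile
from pathlib import Path

def adb_pull(serial, remote, dest):
    """Copy `remote` from the device to `dest`; -a keeps file timestamps and mode."""
    subprocess.run(["adb", "-s", serial, "pull", "-a", remote, str(dest)], check=True)

def sha256_file(path, chunk=1 << 20):
    """Hash in chunks so large media files are never loaded whole into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def build_manifest(evidence_dir):
    """Map each file path (relative to the evidence directory) to its SHA-256.
    Store the result outside the evidence directory."""
    root = Path(evidence_dir)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify(evidence_dir, manifest):
    """Compare a working copy against the manifest recorded at acquisition."""
    current = build_manifest(evidence_dir)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "added": sorted(k for k in current if k not in manifest),
    }

def demo():
    """Constructed stand-in for a pulled DCIM tree, so no device is needed."""
    with tempfile.TemporaryDirectory() as tmp:
        dcim = Path(tmp) / "DCIM"
        dcim.mkdir()
        (dcim / "IMG_0001.jpg").write_bytes(b"constructed image one")
        (dcim / "IMG_0002.jpg").write_bytes(b"constructed image two")
        manifest = build_manifest(tmp)  # recorded right after acquisition
        (dcim / "IMG_0001.jpg").write_bytes(b"constructed image one, edited")
        (dcim / "IMG_0002.jpg").unlink()
        (dcim / "IMG_0003.jpg").write_bytes(b"file that was never on the device")
        return verify(tmp, manifest)

if __name__ == "__main__":
    print(demo())
```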

    Conclusion

    Mobile devices have quickly become the norm, and everyone from all walks of life has one, including administrators, developers, secretaries, and yes, even grandma and grandpa. Because of the wide range in the user base, complicated by the verbose usage of mobile devices and a false sense of security, the threats are just as verbose as the devices themselves. Stop for a moment and consider the challenges with malware, network intrusion, and file integrity when it comes to user behavior, see figure 6. While each of these areas addresses a specific concern, together they can immensely assist any digital forensic investigation.

    References

    Chung, J., Jacoby, G., & Davis, N. (2010). Detecting network intrusion on mobile device by monitoring power consumption. Retrieved from http://www.ece.vt.edu

    Daesung, M., Byungkwan, P., Yongwha, C., & Jin-Won, P. (2010). Recovery of flash memories for reliable mobile storages. Mobile Information Systems, 6(2), 177-191. doi:10.3233/MIS-2010-0098

    Fox News. (2012). Symantec's lost cell phone study confirms the worst in people. Retrieved from http://www.foxnews.com

    Munro, K. (2007). Kill deleted data for good. SC Magazine: For IT Security Professionals. p. 19. Retrieved from http://www.haymarket.com

    Nena, L., & Anne, K. (2009). Forensics of computers and handheld devices: identical or fraternal twins? Communications of the ACM, 52(6), 132-135. Retrieved from http://www.acm.org

    Ortega, J. A., Fuentes, D., Álvarez, J. A., Gonzalez-Abril, L., & Velasco, F. (2011). A novel approach to trojan horse detection in mobile phones messaging and bluetooth services. KSII Transactions on Internet & Information Systems, 5(8), 1457-1471. doi:10.3837/tiis.2011.08.006

    Rocha, A., Scheirer, W., Boult, T., & Goldenstein, S. (2011). Vision of the unseen: Current trends and challenges in digital image and video forensics. ACM Computing Surveys, 43(4), 26.1-26.42. doi:10.1145/1978802.1978805

    Tsukayama, H. (2011). What is Carrier IQ? Washington Post. Retrieved from http://www.washingtonpost.com

    Welte, H. (2010). Anatomy of contemporary GSM cellphone hardware. Retrieved from http://laforge.gnumonks.org

    Wilson, M., Craggs, D., Robinson, S., Jones, M., & Brimble, K. (2012). Pico-ing into the future of mobile projection and contexts. Personal & Ubiquitous Computing, 16(1), 39-52. doi:10.1007/s00779-011-0376-2

    Author: Steven Swafford

    Highly motivated information technology professional with 16+ years of experience. Working as a software engineer, Steven develops and maintains web-based software solutions. As a skilled professional he is focused on the design and creation of software. Because communication skills are extremely important, Steven continues to expand his knowledge in order to communicate clearly with all facets of business. Recently Steven has been leading efforts to standardize software development tools and technology, plans and coordinates web accessibility as applied to IT Solutions, and he is tackling application security in terms of best practices and implementation of the Security Development Life-cycle.

    http://radicaldevelopment.net/author/steven-swafford/