What is Mobile Device Forensics?
Mobile device forensics, also known as mobile forensics, is a subfield of digital forensics that involves extracting information from a mobile device (such as smartphones and tablets) in a forensically sound manner. The information obtained via mobile device forensics may include deleted files, application data, GPS data, call logs, text messages, and photographs and videos.
Like other domains of forensics, mobile device forensics is commonly used to recover evidence in connection with a criminal investigation. As such, mobile device forensic investigators must take care to retrieve and analyze data that is legally admissible as evidence.
Mobile device forensics has connections with other branches of digital forensics—such as network forensics, computer forensics, and malware analysis—in terms of the knowledge and skill set required. However, the distinguishing feature of mobile device forensics is that the extracted data is located on a mobile device.
Therefore, mobile device forensic analysts must be intimately familiar with mobile devices and their operating systems and file systems. They should also have experience with various software and hardware tools for extracting data from mobile devices. Finally, mobile device forensic analysts should have strong problem-solving and critical thinking skills and knowledge of the legal issues surrounding collecting data from mobile devices.
The Process of Mobile Device Forensics
There are four general steps to follow during a forensic investigation: identifying the evidence, acquiring the evidence, analyzing the evidence, and producing a forensic report. Below are these four steps as they pertain to the process of mobile device forensics:
- Device seizure: First, the mobile device is seized from its user. At this stage, investigators should also start documenting the chain of custody, for example, records of who handled the device and when. A search warrant is usually required if the device is used in a criminal investigation.
- Device acquisition: Investigators create a sector-level duplicate of the device, a process known as “imaging” or “acquisition.” Both the duplicate image and the original device are passed through a hashing function, and the two outputs are compared to ensure that the image is an exact copy. Next, analysts decide on the investigation’s proper approach and goals.
- Device analysis: Investigators begin work on the device image to confirm a hypothesis or search for hidden data. Specialized tools (such as those described in the next section) are used to help find and recover information. Data may be located within the accessible hard disk space, deleted (unallocated) disk space, or the operating system cache.
- Reporting: After acquiring the data, investigators store and analyze it to reconstruct a plausible version of events. A report is prepared, which may be technical or non-technical, depending on the audience.
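The hash verification in the acquisition step, and the chain-of-custody record it feeds, as an added example that is not part of the original post. The “device” here is a constructed byte string standing in for real device storage, and the case identifier, examiner name and record fields are assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone

SECTOR = 512  # hash in sector-sized chunks, as a sector-level acquisition reads the device


def sectors(data):
    """Yield 512-byte sectors from a bytes object (constructed stand-in for a device)."""
    for offset in range(0, len(data), SECTOR):
        yield data[offset:offset + SECTOR]


def hash_stream(chunks, algorithm="sha256"):
    """Hash a sequence of chunks incrementally and return the hex digest."""
    h = hashlib.new(algorithm)
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()


def verify_image(source, image, algorithm="sha256"):
    """Hash the source device and the image; return (match, source_digest, image_digest)."""
    src_digest = hash_stream(sectors(source), algorithm)
    img_digest = hash_stream(sectors(image), algorithm)
    return src_digest == img_digest, src_digest, img_digest


def acquisition_record(case_id, examiner, source, image, algorithm="sha256"):
    """Build a chain-of-custody style acquisition entry (assumed field names) for the report."""
    ok, src_digest, img_digest = verify_image(source, image, algorithm)
    return {
        "case_id": case_id,
        "examiner": examiner,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "algorithm": algorithm,
        "source_hash": src_digest,
        "image_hash": img_digest,
        "verified": ok,
        "image_bytes": len(image),
    }


def flip_bit(data, offset):
    """Constructed tamper case: copy of data with one bit flipped at offset."""
    tampered = bytearray(data)
    tampered[offset] ^= 0x01
    return bytes(tampered)


DEVICE = bytes(range(256)) * 8        # constructed 2048-byte "device" (4 sectors)
GOOD_IMAGE = bytes(DEVICE)            # faithful sector-level copy
BAD_IMAGE = flip_bit(DEVICE, 1000)    # one bit changed: verification must fail

if __name__ == "__main__":
    print(json.dumps(acquisition_record("CASE-0001", "examiner-a", DEVICE, GOOD_IMAGE), indent=2))
    print("tampered image verified:", verify_image(DEVICE, BAD_IMAGE)[0])
```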