Mobile Technology Overview

Within the United States there are various types of cellular and digital networks available for mobile device use. The two most common cellular network technologies are Code Division Multiple Access (CDMA) and the Global System for Mobile Communications (GSM). CDMA is commonly found in the United States, whereas GSM originated in Europe and is used worldwide. More modern devices, such as Apple's iPhone, are compatible with both networks, while many other devices are not without replacing the SIM card. Mobile devices are typically tied to a mobile service provider that uses one or more types of cellular network. Despite the differences between cellular networks, their technology and organization are basically one and the same: mobile phones communicate with cell sites, cellular-to-cellular communication, mobile switching centers, and the Base Switching Subsystem. Cellular networks are very different from the computer networks found in a typical home or office.

Mobile Device Communication with Cell Sites

Most mobile devices communicate with certain subclasses of the network types mentioned above, in most cases those associated with the mobile service provider from which the phone was purchased or the company with which the mobile device user has a service agreement.
Digital cellular networks deliver service by segregating large geographical areas into concentrated areas of mobile device service. Cellular towers play an important role in the use of radio frequencies within the available radio spectrum, allowing more cellular communication to take place, whether that communication is mobile device calls or data. As a mobile device travels from one cellular tower to another, the cellular handover arrangement requires all mobile device activity and connections to be observed and successfully distributed between cellular towers to uphold the connection. Managing the cellular network, administering subscriber amenities, and accurately billing mobile device subscribers' financial records, data, service agreements and activities are encapsulated and sustained by the cellular network infrastructure.

Mobile Switching Center

Mobile switching centers (MSCs) oversee the general communications for the entire cellular network, including registration, authentication, location updating, handovers, and call routing. Mobile switching centers interact with the public switched telephone network (PSTN) via a Gateway MSC (GMSC).
Mobile switching centers utilize various databases. The main database, the central repository of cellular subscriber services and usage information, is referred to as the Home Location Register (HLR). Other databases work in combination with the HLR; one is the Visitor Location Register (VLR), which keeps track of mobile devices roaming inside and outside of the mobile device user's service area. The Serving GPRS Support Node (SGSN) performs a role similar to that of the MSC and VLR databases, but provisions General Packet Radio Service (GPRS), also known as packet-switched service, for allowing access to the Internet. Mobile device user information relevant to the user account, such as user data, user services, and the last user location registered within the network, is contained within the HLR database, which interacts with the MSC database to generate usage records, route calls and messages, and produce Call Detail Records.

Mobile Device Characteristics

The compressed form factor of today's mobile devices, such as tablets and smartphones, and their limitations in power and capability should not mislead people into viewing them as ineffective. These mobile devices are very well built and contain powerful processors with an ample amount of memory and features. These mobile devices can operate on dual networks, including cellular and Wi-Fi, simultaneously.
Employees may now come to the office with private Internet access in their pocket, with little or no control by the information security team. As these devices travel across multiple wireless and cellular networks, mobile devices have the ability to connect and disconnect as the network infrastructure transitions. These mobile devices are also continuously listening for all wireless networks, both known and unknown. They will frequently query the preferred network list (PNL) for previously connected wireless networks. Once a preferred network is in range, the mobile device will connect to the network with the strongest signal.
Today's mobile phone devices have a large storage capacity and a wide range of applications and connectivity options available to the user with each telecommunications provider. Mobile device forensics applications and toolkits are relatively new, and developers are having difficulty keeping up with emerging technological advances due to the revolving door of products driven by market demand. The forensic tools available are often limited to one or more phone manufacturers, with a limited number of devices supported (Marwan, 2-3).

Mobile Device Standards

Regarding standards, the only evaluation document available for mobile phone forensics toolkits is published by the National Institute of Standards and Technology (NIST) (Ayers NIST Web, 1-2).
NIST and various law enforcement staffs help to develop the requirements, assertions and test case documents used to evaluate the toolkits and to assist in providing guidance in choosing the correct product to fit their needs. The NIST evaluation document contains generic scenarios created to mirror real-life situations that may arise during a forensic examination of a mobile device. The NIST scenarios serve as a baseline for helping the forensics community determine a tool's capacity to acquire and examine data, in order to gain a perspective on the correct tools in which to invest. The NIST evaluation documents are considered an important resource for forensics investigators to maintain quality control and to validate toolkit functionality for proper data acquisition and reporting in mobile device forensics.

It is no simple task to try to create standards for such a varied group of device manufacturers, who utilize proprietary circuits and do not seem to agree on communications standards, so the forum has had limited success in the United States. Apple has already stated it will not join any standards.
The outcome of the WAC will likely be a broad set of guidelines that will be adopted inconsistently by manufacturers. It would be prudent for the government to support open standards in order to lower the cost for law enforcement forensics investigators to recover data for investigations and to choose the appropriate tools to utilize.

Laws

Forensic evidence is only as valuable as the integrity of the method by which the evidence was obtained. The methods applied to obtain evidence are best represented if standards are known and readily established by the digital forensics community. The Fourth Amendment limits the ability of government agents to perform search and seizure tactics without a warrant, including on computers. The Fourth Amendment states: "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."
The Fourth Amendment question that typically comes up in digital evidence cases asks whether an individual has a reasonable expectation of privacy in electronic information stored on electronic devices under that individual's control. Computer evidence can present a challenge for prosecutors and defendants alike. A guide to offering mobile device data as evidence is beyond the scope of this research, but a few examples of digital forensics issues in real-life situations are described below.

As with digital evidence from a computer, proper legal authority is necessary in order to perform a forensic investigation of cellular telephones and mobile handheld devices. Such searches are allowed by the court to be performed for the preservation of evidence that could easily be altered or damaged. The authors of the Fourth Amendment could not have envisioned the powerful technology of today's electronic age, and courts have only begun to answer the difficult questions being introduced through the use of these devices. Current Fourth Amendment doctrine and precedent cases suggest that the United States Supreme Court would consent to invasive searches of a mobile device found on the person of many individuals, and it has allowed an exception permitting warrantless searches on the grounds that law enforcement should be allowed to look for weapons or other evidence that could be linked to an alleged crime.
The Obama administration and many local prosecutors feel that warrantless searches are perfectly constitutional during arrests (McCullagh, 2). Privacy advocates feel that existing legal rules allowing law enforcement to search suspects at the time of an arrest should not apply to mobile devices like the smartphone, because the value of the information being stored, such as PII, is greater and the threat of an intrusive search is much higher. Personally identifiable information (PII) is information connected to an individual, including but not limited to education, financial transactions, medical information, and criminal or employment history, which can be used to trace that individual's identity, such as name, social security number, or birth date.
While technologies have evolved over the years, the search incident principle has remained constant. In digital media searches, the media is frequently searched off site in an enclosed forensics laboratory. Generally, courts have treated the offsite forensic analysis of seized digital media as a continuation of the initial search; thus, the investigator is still bound by the Fourth Amendment. Because this analysis is often treated as part of the initial search, the government bears not only the burden of proving that the seizure was reasonable and proper, but also that the search was conducted in a reasonable manner. To ensure that search and seizure forensic analysis meets this burden later at trial, the forensics investigator should generate a written report with clear documentation of the analysis.

Chain of Custody and Preservation of Evidence

The goal of a forensic investigator is to obtain evidence utilizing the most acceptable methods, so that the evidence will be admitted according to law at trial. Obtaining a judge's acceptance of evidence is commonly called admission of evidence. Evidence admissibility requires a lawful search and strict adherence to chain of custody rules, including evidence collection, evidence preservation, analysis, and reporting.
According to the International Organization on Computer Evidence, some general principles should be followed in recovering digital evidence for chain of custody:

1. All of the general forensic and procedural principles should be adhered to when dealing with digital evidence.
2. Upon seizing digital evidence, any actions taken should not modify the original evidence.
3. When it is necessary for personnel to access the original digital evidence, the personnel should be appropriately trained for the purpose.
4. All activities associated with the seizure, access, storage or transfer of digital evidence must be fully and properly documented, preserved and available for review.
5. An individual is responsible for all actions taken with respect to digital evidence while that digital evidence is in that individual's possession.
6. Any agency that is responsible for seizing, accessing, storing or transferring digital evidence is responsible for compliance with all six principles (Guidelines for Best Practice in the Forensic Examination of Digital Technology 17-18).

While a mobile phone is powered on, it will search for the strongest signal, usually from the nearest active cellular tower, or a tower that enables the device to obtain the best signal. As a mobile device is transported, it will continue to search and adjust to maximize the strength of the signal with that tower.
The designation of the most recently connected cellular tower is then recorded as a database entry in the file system of the cellular phone; thus, when a mobile device moves to a new area, a new entry is written to that database.

The most important step for a first-responder investigator, when arriving at the scene of a crime and identifying a mobile device for possible evidence submission, is to determine how best to preserve that device and its data. Recording and documenting the scene, including photographs of the mobile device in an undisturbed state, should be included. It is recommended to power the mobile device off to preserve the data and battery power. If it is not possible to power the device off in a safe manner, the phone should be shielded from cellular towers. Aside from locking down the mobile device by either disengaging or maintaining the power supply, the investigator should seize any additional accessories to the device, such as SIM and media cards, headsets, charger cables and cases, that could potentially contain evidence.
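One way to put the documentation and preservation principles above into practice, as an added example that is not part of the original paper: a small evidence log that hashes an acquired image at seizure, re-hashes it on every custody action, and reports any entry where the image no longer matches the seizure hash. The case identifiers and the sample image bytes are constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

@dataclass
class CustodyEntry:
    when: str          # ISO-8601 UTC timestamp of the action
    actor: str         # person responsible for the item at that moment
    action: str        # seized, received, imaged, verified, ...
    image_sha256: str  # hash of the image as it existed when logged
    note: str = ""

@dataclass
class EvidenceRecord:
    case_id: str
    item_id: str
    description: str
    original_sha256: str                     # hash fixed at seizure
    log: list = field(default_factory=list)  # append-only custody trail

    def record(self, actor, action, image: bytes, note="", when=None):
        # Every action re-hashes the image so that later drift is attributable.
        when = when or datetime.now(timezone.utc).isoformat()
        entry = CustodyEntry(when, actor, action, sha256_hex(image), note)
        self.log.append(entry)
        return entry

    def verify(self, image: bytes) -> bool:
        # True only if the image still matches the hash taken at seizure.
        return sha256_hex(image) == self.original_sha256

    def breaks(self) -> list:
        # Indices of log entries whose hash no longer matches the seizure hash.
        return [i for i, e in enumerate(self.log)
                if e.image_sha256 != self.original_sha256]

def new_record(case_id, item_id, description, actor, image: bytes, when=None):
    rec = EvidenceRecord(case_id, item_id, description, sha256_hex(image))
    rec.record(actor, "seized", image, "initial acquisition hash", when)
    return rec

# Constructed sample: a few bytes stand in for a seized media card image.
SAMPLE_IMAGE = b"constructed sample image of a seized media card"

def demo() -> EvidenceRecord:
    rec = new_record("CASE-0001", "ITEM-03", "microSD card from seized phone",
                     "first responder", SAMPLE_IMAGE, "2024-01-01T10:00:00+00:00")
    rec.record("lab analyst", "received", SAMPLE_IMAGE, when="2024-01-01T14:00:00+00:00")
    # A modified copy stands in for evidence altered after seizure (e.g. a device
    # that was powered on and synced before imaging); the log entry exposes it.
    rec.record("lab analyst", "verified", SAMPLE_IMAGE + b"x", when="2024-01-02T09:00:00+00:00")
    return rec

if __name__ == "__main__":
    r = demo()
    print("intact:", r.verify(SAMPLE_IMAGE), "breaks at:", r.breaks())
```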
When a mobile device has been powered off, text messages and other data may queue for delivery when the phone is powered back on and returned to service. The queued messages and data can overwrite old and deleted messages and/or data once they are delivered to the carrier. Carrier providers may update system files and roaming services when the mobile device is connected to the system.
There is also the potential for corruption of downloaded data, as well as of the file system of the device, during a forensic examination when system updates are transmitted to the device. The equipment that works best is a Radio Frequency (RF) shielded test enclosure box, such as the type from a forensics product vendor like Ramsey Electronics. The Ramsey boxes ensure the mobile device is isolated from a cellular carrier's network and other RF signals, preventing any incoming or outgoing communications, including GPS tracking.

Another option for transporting a mobile device from the crime scene to the crime lab is a Faraday bag. Faraday bags are specially designed RF-shielded, plastic-coated bags used to shield a mobile device from external contact.
The bags are coupled with a conductive mesh to provide secure transportation to the laboratory. One issue with Faraday bags is that, oftentimes, a cell phone will continue to search for a signal even while in the protected bag, thus zeroing out the register that holds the location data and making the device useless as an evidence artifact. Yet another issue is the increased activity while in the Faraday bag when the mobile device is powered on, which can cause the battery to fail at a faster pace. With the Apple iPhone in particular, it is imperative for the forensic investigator to properly seize the mobile device because of the Remote Wipe feature on the phone. A user can issue this command if the smartphone is connected to the Internet or phone network. If the device is powered off or placed in a Faraday bag, it cannot be remotely wiped; however, once powered back on, the wiping process, if activated, will automatically be invoked.
When choosing a shielding artifact like one of the above-mentioned products, it is important to enable the forensics investigator to utilize the necessary tools to complete the examination, within the shielded area of a forensics laboratory if possible.

Need for Mobile Forensics

Mobile device forensics is the process of recovering digital evidence from a mobile device under forensically sound conditions and utilizing acceptable methods. "Forensically sound" is a term used in the digital forensics community to justify the use of a particular technology or methodology. Many practitioners use the term to describe the capabilities of a piece of software or a forensic analysis approach (McKemmish).
Mobile devices vary in design and manufacturer. They are continually evolving as existing technologies progress and new technologies are introduced. It is important for forensics investigators to develop an understanding of the working components of a mobile device and the appropriate tasks to perform when they deal with them on a forensic basis.
Knowledge of the various types of mobile devices and the features they possess is an important aspect of gathering information for a case, since usage logs and other important data can potentially be acquired using forensics toolkits. Some of the reasons for this include:

- Mobile devices require specialized interfaces, storage media and hardware.
- File systems contained in mobile devices operate from volatile memory (computer memory that requires power to maintain stored information), versus nonvolatile memory devices like a standalone hard disk drive that does not require a maintained power supply.
- The diverse variety of operating systems embedded in mobile devices.
- The short product cycles with which manufacturers provide new mobile devices and their respective operating systems make it difficult for law enforcement agencies to remain current with new technologies.
Conclusion

Mobile device forensics is an ever-evolving field filled with challenges and opportunities when analyzing a mobile device for forensic evidence in support of a criminal investigation. The process can be more difficult than traditional computer forensics due to the volatile nature of electronic evidence. A well-trained, highly skilled digital forensics investigator plays an essential role in the criminal investigation process when performing forensic analysis of mobile devices.

Even such a pertinent piece of forensics equipment as the Faraday bag for the first responder is not free from issues. Once removed from the Faraday bag, a mobile device, if powered on, can start receiving data and be able to connect to the network. This may be difficult for the first responder to control if he is instructed by a higher official to leave the mobile device powered on upon discovery at the crime scene.
Some devices can be controlled by placing the phone in airplane mode, thus disabling the wireless features, but not all mobile devices possess this functionality. For the most part, Faraday bags are reliable, but they cannot fully guarantee that a signal will not reach the phone. Successfully blocking the signal depends upon the quality of the bag, the distance to the cell tower, and the power of the transmitter in the mobile device.

Forensic computing continues to play an increasingly important role in civil litigation, especially in electronic discovery, intellectual property (IP) disputes, and information security and employment law disputes. Forensics investigators must be aware of certain issues pertaining to data acquisition and the preservation of digital evidence for a criminal investigation.
Electronic data is very susceptible to alteration or deletion, whether through an intentional change or as the result of an application invoked in some computing process. As electronic data is created, modified or deleted through the normal operations of a computing system, there is the possibility of modifications arising from an incorrect or inappropriate digital forensics process. Given that the results of such actions can be treated as critical evidence in a case, it is essential that every measure be taken to ensure the reliability and accuracy of the forensics process.
A digital forensics process must be developed and applied with due regard to jurisprudence issues. It is imperative that the digital forensics process is capable of being examined thoroughly to determine its reasonableness and reliability, so that the evidence it produces is not rendered inadmissible.