Data Forensics - What about Mobile Devices?
Data forensics encompasses a vast field of systems, scenarios, and toolsets. No two investigations are truly the same. One might encounter a Linux device one day, a Windows 11 device the next, MS-DOS after that, and perhaps Windows 95 to round it out. Each of these operating systems requires different methods (including different means of write-blocking and imaging the storage behind it) and different skill sets.
In this vast field, there is also room for mobile devices! With more people than ever carrying a smartphone or similar mobile device, it should come as no surprise that their inclusion in data forensic investigations is on the rise. You may rarely see a system running MS-DOS, but you will not be able to say the same of mobile devices.
For the sake of this post, let’s split data forensics into two distinct types: traditional computer forensics and mobile forensics. To make it simpler, let’s just say that everything other than a mobile device involves traditional computer forensics. Now, let’s dive into mobile forensics.
The biggest difference between mobile forensics and traditional computer forensics is the architecture behind them. Mobile devices require knowledge of their unique architecture and file systems, both of which can vary widely even between mobile devices (Shaikh, 2019).
Android devices are handled differently than Apple devices, and both require different skill sets and tools than traditional computer forensics. As an example, you may need to jailbreak an Apple device to access certain data (Apple, n.d.), whereas on Android the analogous hurdle is root access or an unlocked bootloader, which a full file-system extraction commonly requires. Either step modifies the device, so it must be documented and justified, because it gives the defense an opening to argue that the evidence was altered. Additionally, while data is primarily stored on the device, there are cases, such as iCloud+, where data is duplicated or offloaded to the cloud when conditions are met (Apple, n.d.), so a device image alone may not be the complete picture.
So why is validation emphasized so much in data forensics?
A hexadecimal editor with hashing support can compute and compare hash values of an acquired image against the original media to confirm that the copy is an exact duplicate. Hash values can also be compared against sets of known hashes, such as those of malware-creation tools or illegal files (Nelson, 2019), and hashing at the sector or block level can identify such files from fragments left behind after deletion (Nelson, 2019). X-Ways Forensics is one tool offering a hex editor with these functions (X-Ways, n.d.). Data validation is critical in mobile forensics because collected evidence and findings must be admissible in court. Defense counsel will look for any reason to disqualify the evidence presented against their client, and documented hash validation is a bulwark against that effort when presenting your findings.
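The two validation steps above (image-to-original hash comparison and block-level matching against known hashes) are shown here as an added Python example; it is not code from the post, from Nelson, or from X-Ways. The 512-byte block size, the file names, and all data are constructed for the demo: the "known bad" file is deterministic pseudo-random content and the "image" is a few kilobytes holding only a fragment of it.

```python
"""Hash validation for a forensic image, with block-level matching of known
files. Added example; all data below is constructed inline so it runs offline,
and none of it is real evidence."""
import hashlib
import os
import tempfile

BLOCK_SIZE = 512  # sector-sized blocks; an assumption for the demo


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_file(path: str, algo: str = "sha256", chunk: int = 1 << 20) -> str:
    """Stream-hash a file so a multi-gigabyte image never has to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for buf in iter(lambda: f.read(chunk), b""):
            h.update(buf)
    return h.hexdigest()


def verify_image(path: str, acquisition_hash: str) -> bool:
    """The hash recorded at acquisition must equal the hash of the working copy;
    any difference means the copy is not the evidence that was seized."""
    return hash_file(path) == acquisition_hash.lower()


def build_block_index(known_files: dict, block_size: int = BLOCK_SIZE) -> dict:
    """Map the hash of every full, non-blank block of each known file to its name.
    All-zero and short trailing blocks are skipped because they match everywhere."""
    index = {}
    for name, content in known_files.items():
        for off in range(0, len(content), block_size):
            blk = content[off:off + block_size]
            if len(blk) == block_size and blk.strip(b"\x00"):
                index[sha256_bytes(blk)] = name
    return index


def find_fragments(image: bytes, index: dict, block_size: int = BLOCK_SIZE) -> dict:
    """Hash each aligned block of the image and look it up in the index.
    A deleted file whose directory entry is gone still leaves its data blocks,
    so a hit proves that at least that much of the known file was present."""
    hits = {}
    for off in range(0, len(image), block_size):
        h = sha256_bytes(image[off:off + block_size])
        if h in index:
            hits.setdefault(index[h], []).append(off)
    return hits


# Constructed sample data: 2048 bytes of distinct, deterministic content standing
# in for a known-bad tool, and a 2560-byte "image" holding only its middle two blocks.
KNOWN_BAD = {"dropper.bin": b"".join(hashlib.sha256(b"bad%d" % n).digest() for n in range(64))}
SAMPLE_IMAGE = (b"\x00" * BLOCK_SIZE                                   # unallocated, blank
                + b"A" * BLOCK_SIZE                                    # unrelated data
                + KNOWN_BAD["dropper.bin"][BLOCK_SIZE:3 * BLOCK_SIZE]  # surviving fragment
                + b"\x00" * BLOCK_SIZE)


def demo() -> dict:
    """Write the sample image to disk, validate it, tamper with it, then scan for fragments."""
    fd, path = tempfile.mkstemp(suffix=".dd")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(SAMPLE_IMAGE)
        acquisition_hash = hash_file(path)      # what you would record at acquisition time
        intact = verify_image(path, acquisition_hash)
        with open(path, "r+b") as f:            # flip one byte: validation must now fail
            f.seek(BLOCK_SIZE + 5)
            f.write(b"B")
        tampered_ok = verify_image(path, acquisition_hash)
    finally:
        os.remove(path)
    fragments = find_fragments(SAMPLE_IMAGE, build_block_index(KNOWN_BAD))
    return {"intact": intact, "tampered_ok": tampered_ok, "fragments": fragments}


if __name__ == "__main__":
    print(demo())
```

Against real media you would record the acquisition hash in the chain-of-custody log before any analysis, and `find_fragments` would be run against the raw image with an index built from a reference hash set, such as one of the known-file sets mentioned in Nelson (2019).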
Bonus: What about virtual machines?
Virtual machines are not just a fun way to run a home lab! They are increasingly common in data forensics, as companies and individuals take advantage of how cheaply and quickly they can be provisioned. Investigating a virtual machine is much the same as a standard computer forensic analysis: the guest's disk is itself a file on the host (a virtual disk image such as a .vmdk or .vhdx), which is exported and analyzed like a physical drive image (Nelson, 2019). The same precautions apply, such as the use of write-blockers when the host storage is imaged, hash validation of every image file, chain-of-custody procedures, and a detailed log of every action the investigator takes on the device. The biggest procedural difference is snapshots: each snapshot is a differencing disk that holds only the changes relative to its parent, so the base disk and every snapshot in the chain must be collected together, along with the hypervisor-specific configuration and saved-state files.
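To make the snapshot point concrete, here is an added Python example (not code from the post or from any hypervisor vendor) that walks a snapshot chain back to its base disk and refuses to proceed if a link is broken. The descriptors are constructed, simplified text modelled on the plain-text VMDK descriptor fields `CID`, `parentCID` and `parentFileNameHint`; a real descriptor carries more fields, the extents live in separate files, and the disk names are invented for the demo.

```python
"""Enumerating a virtual-disk snapshot chain so that every file is collected.
Added example; the descriptors are constructed stand-ins for VMDK descriptors."""
import re

NO_PARENT_CID = "ffffffff"  # value VMware uses for a base disk that has no parent

# Constructed sample: a base disk with two snapshots. The investigator sees the
# leaf (current) disk first; the chain has to be walked back to the base.
DESCRIPTORS = {
    "web-000002.vmdk": 'CID=c0ffee03\nparentCID=c0ffee02\nparentFileNameHint="web-000001.vmdk"\n',
    "web-000001.vmdk": 'CID=c0ffee02\nparentCID=c0ffee01\nparentFileNameHint="web.vmdk"\n',
    "web.vmdk": "CID=c0ffee01\nparentCID=ffffffff\n",
}
# The same chain with a stale parentCID, as you would see if the base disk had
# been written to after the snapshot was taken: the delta no longer applies cleanly.
BROKEN = dict(DESCRIPTORS, **{
    "web-000001.vmdk": 'CID=c0ffee02\nparentCID=deadbeef\nparentFileNameHint="web.vmdk"\n',
})


def parse_descriptor(text: str) -> dict:
    """Pull key=value lines (value optionally quoted); comments and extent lines are ignored."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r'\s*(\w+)\s*=\s*"?([^"\n]*?)"?\s*$', line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def snapshot_chain(leaf: str, descriptors: dict) -> list:
    """Walk from the current disk back to the base, checking each parent link.
    Returns every file that must be collected and hashed; raises if a link is
    missing or broken, because a partial chain cannot be mounted faithfully."""
    chain, seen, name = [], set(), leaf
    while True:
        if name in seen:
            raise ValueError(f"cycle in snapshot chain at {name}")
        if name not in descriptors:
            raise ValueError(f"missing descriptor: {name}")
        seen.add(name)
        d = parse_descriptor(descriptors[name])
        chain.append(name)
        parent = d.get("parentFileNameHint")
        if parent is None:
            if d.get("parentCID") != NO_PARENT_CID:
                raise ValueError(f"{name} has parentCID {d.get('parentCID')} but names no parent file")
            return chain
        if parent not in descriptors:
            raise ValueError(f"{name} points at missing parent {parent}")
        parent_cid = parse_descriptor(descriptors[parent]).get("CID")
        if parent_cid != d.get("parentCID"):
            raise ValueError(f"{name}: parentCID {d.get('parentCID')} does not match CID of {parent}")
        name = parent


if __name__ == "__main__":
    print(snapshot_chain("web-000002.vmdk", DESCRIPTORS))
```

In practice the returned list is the set of files to export, hash and log; a chain that fails the CID check should be documented as found rather than repaired on the evidence copy.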
References
Apple. (n.d.). iCloud+: One powerfully connected experience. https://www.apple.com/icloud/
Apple. (n.d.). Unauthorized modification of iOS. https://support.apple.com/guide/iphone/unauthorized-modification-of-ios-iph9385bb26a/ios
Nelson, B. P. (2019). Guide to computer forensics and investigations (6th ed.). Cengage Learning. https://uagc.instructure.com/courses/143518/modules/items/7319808
Shaikh, H. (2019, July 6). Computer forensics: Mobile forensics [Updated 2019]. Infosec Institute. https://www.infosecinstitute.com/resources/digital-forensics/computer-forensics-mobile-forensics/
X-Ways. (n.d.). X-Ways Forensics: Integrated computer forensics software. https://www.x-ways.net/forensics/