Smartphones may additionally contain video, email, web browsing information, location information, and social networking messages and contacts. Evidential and technical challenges exist. Consequently, whilst it is possible to determine roughly the cell site zone from which a call was made or received, it is not yet possible to say with any degree of certainty that a mobile phone call emanated from a specific location e.
Storage capacity continues to grow thanks to demand for more powerful “mini computer” type devices. Not only the types of data but also the way mobile devices are used constantly evolve. Hibernation behaviour, in which processes are suspended when the device is powered off or idle while at the same time remaining active. As a field of study, forensic examination of mobile devices dates from the late 1990s and early 2000s.
The role of mobile phones in crime had long been recognized by law enforcement. Early efforts to examine mobile devices used similar techniques to the first computer forensics investigations: analysing phone contents directly via the screen and photographing important content. However, this proved to be a time-consuming process, and as the number of mobile devices began to increase, investigators called for more efficient means of extracting data. Enterprising mobile forensic examiners sometimes used cell phone or PDA synchronization software to “back up” device data to a forensic computer for imaging, or sometimes, simply performed computer forensics on the hard drive of a suspect computer where data had been synchronized. However, this type of software could write to the phone as well as reading it, and could not retrieve deleted data. Some forensic examiners found that they could retrieve even deleted data using “flasher” or “twister” boxes, tools developed by OEMs to “flash” a phone’s memory for debugging or updating. For physical forensic examinations, therefore, better alternatives remained necessary.
To meet these demands, commercial tools appeared which allowed examiners to recover phone memory with minimal disruption and analyse it separately. Over time these commercial techniques have developed further and the recovery of deleted data from proprietary mobile devices has become possible with some specialist tools. Moreover, commercial tools have even automated much of the extraction process, rendering it possible even for minimally trained first responders—who currently are much more likely to encounter suspects with mobile devices in their possession, compared to computers—to perform basic extractions for triage and data preview purposes. NAND or NOR types are used for mobile devices.
This includes data on calls made and retrieved. The location of a mobile phone can be determined and this geographical data must also be retained. In the United States, however, no such requirement exists, and no standards govern how long carriers should retain data or even what they must retain. For example, text messages may be retained only for a week or two, while call logs may be retained anywhere from a few weeks to several months. Seizing mobile devices is covered by the same legal considerations as other digital media. In addition, the investigator or first responder would risk user lock activation.
This may bring in new data, overwriting evidence. Even so, there are two disadvantages to this method. First, it renders the device unusable, as its touch screen or keypad cannot be used. Second, a device’s search for a network connection will drain its battery more quickly.
While devices and their batteries can often be recharged, again, the investigator risks that the phone’s user lock will have activated. With more advanced smartphones using advanced memory management, connecting the device to a recharger and putting it into a Faraday cage may not be good practice. The mobile device would recognize the network disconnection and therefore change its status information, which can trigger the memory manager to write data. Most acquisition tools for mobile devices are commercial in nature and consist of a hardware and software component, often automated. Different software tools can extract the data from the memory image.
The advantage of the hex editor is the deeper insight into the memory management, but working with a hex editor means a lot of manual work and requires knowledge of file systems and file headers. In contrast, specialized forensic software simplifies the search and extracts the data but may not find everything. Since there is no tool that extracts all possible information, it is advisable to use two or more tools for examination. Therefore, the device is used as normal, with the examiner taking pictures of each screen’s contents.
Logical acquisition has the advantage that system data structures are easier for a tool to extract and organize. However, a skilled forensic examiner will be able to extract far more information from a physical extraction. Logical extraction usually does not produce any deleted information, because it is normally removed from the phone’s file system. File system extraction is useful for understanding the file structure, web browsing history, or app usage, as well as providing the examiner with the ability to perform an analysis with traditional computer forensic tools. A physical acquisition has the advantage of allowing deleted files and data remnants to be examined.
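
The difference between logical and physical acquisition described above, shown as an added example that is not part of the original text. It assumes a SQLite file as a stand-in for a phone's message store and uses constructed sample messages; the table and function names are hypothetical.

```python
import os
import sqlite3
import tempfile

DELETED_BODY = "meet at pier 9 at 23:00"  # constructed sample message


def build_message_store(path):
    """Create a small message database, then delete one row as a user would."""
    con = sqlite3.connect(path)
    con.execute("PRAGMA secure_delete = OFF")  # freed cells are not zeroed
    con.execute("CREATE TABLE sms (id INTEGER PRIMARY KEY, peer TEXT, body TEXT)")
    con.executemany(
        "INSERT INTO sms (peer, body) VALUES (?, ?)",
        [("+15550100", "running late"),
         ("+15550101", DELETED_BODY),
         ("+15550102", "call me back")],
    )
    con.commit()
    con.execute("DELETE FROM sms WHERE body = ?", (DELETED_BODY,))
    con.commit()
    con.close()


def logical_extraction(path):
    """Logical view: only the rows the database still exposes through queries."""
    con = sqlite3.connect(path)
    rows = [r[0] for r in con.execute("SELECT body FROM sms ORDER BY id")]
    con.close()
    return rows


def physical_search(path, needle):
    """Physical view: byte offsets of the needle anywhere in the raw file."""
    with open(path, "rb") as fh:
        raw = fh.read()
    hits, pos = [], raw.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = raw.find(needle, pos + 1)
    return hits


def demo():
    """Return (logical rows, raw offsets of the deleted message)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sms.db")
        build_message_store(path)
        return logical_extraction(path), physical_search(path, DELETED_BODY.encode())
```

The deleted message is absent from the query results but its bytes remain in the unallocated space of the database page, which is the kind of remnant a physical image preserves.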