Mobile Forensic Tool and Analysis

Mobile Technology Overview

A cell phone or mobile phone is a portable electronic telecommunication device that performs the same basic function as a fixed telephone but connects to the telephone network wirelessly, over radio links to the carrier's base stations (or, for satellite phones, to satellites). Beyond voice calls, a mobile phone offers the user Short Message Service (SMS), internet services such as email, web browsing and social media, games, radio, photo and video capture, and local data storage, among many other functions. While all cell phones let users make calls and send text messages from almost anywhere within their network's coverage map, they do not all use the same underlying technology: each wireless service provider uses its own network technology, so a phone built for one network is not necessarily compatible with another network, which forces providers to enter into agreements with one another (Anobah et al., 2014).

The most widely used digital network standard worldwide is GSM (Global System for Mobile Communications). Carriers operating GSM networks include T-Mobile and AT&T. GPRS and EDGE are extensions of the GSM standard that provide faster data transfer on 2G networks, and High-Speed Downlink Packet Access (HSDPA) is the 3G data enhancement of GSM's successor, UMTS. The second widely used digital network type is CDMA (Code Division Multiple Access), a more recent technology that also provides high data-transfer capacity; carriers using CDMA networks include Sprint Nextel and Verizon, and EV-DO (Evolution-Data Optimized) is the 3G CDMA standard. The third network type discussed here, Long Term Evolution (LTE), is described as 4G; Verizon and AT&T use LTE and LTE Advanced networks. LTE provides greater network capacity as well as higher speed to the user (Mikhaylov, 2017): peak data rates of roughly 100 Mbps downstream and tens of Mbps upstream, scalable bandwidth, reduced latency, and backward compatibility with existing UMTS and GSM networks (Anobah et al., 2014).

Mobile devices have penetrated enterprises deeply enough that an incident response strategy must include support for them. Phones are used to access sensitive data and can affect enterprise operations, and like any other technology they have security flaws that can put the company or the user at risk (Anobah et al., 2014). Most enterprises have a well-defined incident response plan, but only a few have built the tools and processes needed to respond to an incident involving a mobile phone. This gap needs to be addressed quickly by the security team. Common mobile incidents include discovery of mobile malware, a lost or stolen device, a device behaving suspiciously, a data breach through a mobile phone, support for an internal investigation, and an insider attack carried out through a mobile phone (Mikhaylov, 2017).

Although the security industry has largely contained mobile malware, it still exists. It is most common in the Android ecosystem because apps can be distributed and installed outside the Google Play store quite easily. The two common types of mobile malware incident are malware that impersonates a brand and malware installed on an individual's device. In the first scenario, a malicious actor publishes a mobile app that targets a company's customers by impersonating its brand. The second affects a single device or a small group of devices that are part of the enterprise, whether employee-owned, corporate-owned, or belonging to consultants (Doherty, 2016).

When a mobile device is behaving suspiciously, an employee or contractor will typically notify the IT, security, or incident response team. Such cases are challenging because of the lack of historical data, limited visibility into the device, uncertainty about the accuracy of the reporter's account, urgency arising from the device's possible impact and its importance to the user, and the sensitivity of accessing an individual's personal phone. A lost or stolen phone is the best-understood case: both iOS and Android have built-in capabilities for locating a lost or stolen phone, locking it, and performing a remote wipe (Doherty, 2016).

Insider attacks are very hard to detect because the telemetry available from a phone is limited and the security tooling is still maturing (Mikhaylov, 2017). The most common form of this incident involves a person who is already under monitoring, with an incident responder being instructed to investigate their mobile device. Supporting internal investigations is quite common, particularly at larger companies, for instance when employees violate company policy, when an employee steals data, or when an e-discovery or litigation hold request is received. Data breaches through mobile phones, especially leaks of sensitive data, are also common, and the growing risk of such breaches requires a prompt response (Anobah et al., 2014).

Mobile Forensic Plan

Digital forensics is a branch of forensic science that focuses on the recovery and investigation of raw data held on digital or electronic devices. The primary objective of the process is to extract and recover any relevant information from the device without altering the original data on it (Mikhaylov, 2017). Digital forensics has many branches, including mobile forensics, network forensics, and computer forensics. Mobile forensics is concerned with recovering digital evidence from mobile devices, and the evidence extracted from a phone must not be distorted in any way (Osho & Ohida, 2016). This is very difficult with mobile devices in particular. Forensic tools need a communication channel to the device, so the standard write-blocking used for disk imaging cannot be applied during acquisition. Other acquisition techniques may involve loading a custom bootloader onto the phone, or removing a memory chip from it, before the data is extracted for examination. In scenarios where acquisition or examination is impossible without altering the device's configuration, the changes and the procedure must be tested, validated, and documented (Osho & Ohida, 2016).
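As an added example, not taken from the cited sources, the following Python script shows the documentation and validation step in practice: it hashes an acquired image with MD5 and SHA-256 immediately after acquisition, writes the digests into a custody record together with the examiner, the tool, and any changes made to the device, and later re-hashes the image so that any alteration, even a single byte, is detected. The record layout, file names, and tool name are hypothetical, and the image is a constructed stand-in rather than a dump from a real handset.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK_SIZE = 1 << 20  # stream images in 1 MiB chunks; physical dumps can be tens of GB


def hash_file(path, algorithms=("md5", "sha256")):
    """Read the file once and return {algorithm: hexdigest} for every algorithm."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def record_acquisition(image_path, examiner, tool, notes=""):
    """Build a custody record for a freshly acquired image (hypothetical record layout)."""
    return {
        "image": os.path.basename(image_path),
        "size_bytes": os.path.getsize(image_path),
        "acquired_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "examiner": examiner,
        "tool": tool,
        "notes": notes,  # every change made to the device (bootloader, airplane mode) goes here
        "hashes": hash_file(image_path),
    }


def verify_acquisition(image_path, record):
    """Re-hash the image and compare with the digests stored in the custody record."""
    current = hash_file(image_path, tuple(record["hashes"]))
    mismatched = sorted(a for a, d in record["hashes"].items() if current[a] != d)
    return {"ok": not mismatched, "mismatched": mismatched, "current": current}


def demo():
    """Acquire a constructed image, verify it, tamper with one byte, verify again."""
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "handset_physical.bin")
        with open(image, "wb") as f:
            f.write(bytes(range(256)) * 64)  # constructed 16 KiB stand-in for a physical dump

        record = record_acquisition(image, examiner="J. Doe", tool="hypothetical-acq 1.0",
                                    notes="airplane mode enabled; custom bootloader loaded")
        with open(os.path.join(workdir, "custody.json"), "w") as f:
            json.dump(record, f, indent=2)

        before = verify_acquisition(image, record)

        # Simulate a single-byte change to the image after acquisition.
        with open(image, "r+b") as f:
            f.seek(1000)
            f.write(b"\x00")

        after = verify_acquisition(image, record)
        return {"verified_before": before["ok"],
                "verified_after_tamper": after["ok"],
                "mismatched": after["mismatched"]}


if __name__ == "__main__":
    print(demo())
```

Two independent digests are recorded because a later examiner, or a court, may only accept one of them; the custody record is written next to the image so that the hashes, the examiner, and the documented device changes travel with the evidence.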

Using proper guidelines and methods when analysing mobile devices is essential, because it yields the most valuable data. As with any other method of gathering evidence, following the wrong procedure during the examination can damage or lose crucial evidence or render it inadmissible in court. Successful examination and analysis of mobile devices demand the skills and knowledge of mobile forensic experts (Doherty, 2016).

The mobile forensic process is divided into three major stages: seizure, acquisition, and examination/analysis. Forensic examiners face several challenges when seizing a mobile device that may hold crucial evidence. Mobile forensics operates on the principle that evidence must be well preserved, properly processed, and admissible in court (Anobah et al., 2014), and certain legal factors must be taken into account when confiscating mobile devices. The major challenges at the seizure stage are lock activation and the cellular or network connection (Rocha & Guarda, 2018). Network isolation is always prudent; it can be achieved by cloning the device's SIM card so that the phone boots without registering on the network, enabling airplane mode, and disabling the hotspot and Wi-Fi. When the phone is found switched off, it can be placed in a Faraday bag so that no change occurs if the phone switches itself on. As shown in the figure below, Faraday bags are designed specifically to isolate the phone from network coverage (Anobah et al., 2014).


[Figure: a Faraday bag isolating a seized mobile phone from the network (Doherty, 2016).]

If the phone is on, switching it off raises several concerns. If the phone is protected by a password or PIN, or is encrypted, the forensic analyst will have to determine the PIN or bypass the lock to gain access to it again (Doherty, 2016). Phones are networked devices that can send and receive data through many channels, such as Wi-Fi access points, Bluetooth, and the cellular network, so while a phone is on a criminal can remotely erase all of the valuable data. When the phone is on, therefore, the first step is to put it in airplane mode and disable all network connections, which also helps preserve the battery (Osho & Ohida, 2016).

Forensic software tools are used to extract data from mobile devices in a professional manner. The tools carry out logical acquisition using the device's ordinary synchronization, debugging, and communication protocols (Anobah et al., 2014). Sound forensic procedures allow a tool to extract data from the phone and generate customized reports, which may include a person's activities such as travel and communication logs. Tools are examined at different levels (basic, advanced, and their ability to cope with unanticipated scenarios), and the differences in how various tools behave on the test cases reveal their performance, utility, and efficiency.

While most mobile forensic toolkits support the full range of acquisition, examination, and reporting functions, some tools concentrate on a subset (Anobah et al., 2014). Likewise, different tools may use different interfaces, for example a serial cable, Bluetooth, or IrDA, to acquire device data. The information a given tool can obtain varies widely and includes call logs; personal information management (PIM) data; SMS/EMS/MMS messages; instant messaging and email content; URLs and the content of websites visited; video, image, and audio content; uninterrupted image data; and SIM content (Osho & Ohida, 2016). The information held on a phone also varies with several factors, such as modifications the user has made to the phone, the network the user subscribes to, modifications the network operator has made, and the phone's built-in capabilities.

Acquisition over a cable interface usually yields better results than any other method, but a wireless interface such as Bluetooth or infrared can serve the same purpose when the correct cable is unavailable. Whichever interface is used, the examiner must be wary of the associated forensic issues. Note that some tools, especially those oriented towards PDAs, do not support the SIM contents resident in the device. The open source and commercial tools available come in various types, each effective for a particular class of mobile phone (Osho & Ohida, 2016).

These include PDA Seizure, whose primary functions are acquisition, examination, and reporting. It targets Pocket PC, Palm OS, and RIM OS devices, cannot acquire SIM data, and supports only a cable interface (Anobah et al., 2014). The next tool, pilot-link, is for acquisition only; it is an open source, non-forensic program that targets Palm OS devices, cannot recover SIM information, and supports a cable interface only. The third tool, Cell Seizure, is used for acquisition, analysis, and reporting and targets particular models of CDMA, TDMA, and GSM phones; it can recover both internal and external SIM data but supports only a cable interface. Another tool, GSM.XRY, is also for acquisition, analysis, and reporting (Anobah et al., 2014); it is designed for specific GSM phone models, supports both infrared and cable interfaces, and can recover both internal and external SIM data. MOBILedit Forensic is likewise used for acquisition, examination, and reporting and can recover data from the SIM card. SIMIS supports external SIM cards only.

Forensic software tools acquire data from a phone in one of two modes: logical or physical acquisition (Anobah et al., 2014). Physical acquisition is preferred because it captures all data, including remnant data (for example, deleted records that still sit in unallocated space) that would otherwise go unaccounted for in a logical acquisition. Physical images can also be imported easily into another tool for analysis and reporting. A logical acquisition, on the other hand, presents the acquired data in a more natural and understandable organization (Doherty, 2016), so performing both types of acquisition is the best approach. Several tools have now been created to deal with SIMs independently of the handset: the SIM is removed and inserted into an appropriate reader (Anobah et al., 2014).
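As an added illustration of the difference between the two modes (example code written for this page, not from the cited sources or any forensic product), the following Python script builds a constructed SQLite message store of the kind a handset keeps its SMS in, deletes one row the way a user would, and then contrasts a logical extraction (querying the live database through its API, as a backup or sync protocol does) with a physical one (reading the raw file bytes and carving printable strings out of them). With SQLite's secure_delete setting off, which is the library's default unless it was built with SQLITE_SECURE_DELETE, the deleted message survives in the file's free space and only the physical path recovers it; with secure_delete on, the freed bytes are zeroed and neither path sees the record. The table layout, file name, and message contents are all hypothetical.

```python
import os
import sqlite3
import tempfile

# Constructed sample messages; none of these are real numbers or real traffic.
MESSAGES = [
    (1, "+15550100", "meet at the usual place at nine"),
    (2, "+15550101", "sent the files, delete this after reading"),
    (3, "+15550102", "lunch tomorrow?"),
]
DELETED_ID = 2


def build_sample_db(path, secure_delete):
    """Create a hypothetical sms table, then delete one row as a user would."""
    con = sqlite3.connect(path)
    con.execute("PRAGMA journal_mode=DELETE")  # rollback journal, unlinked after each commit
    con.execute("PRAGMA secure_delete=%s" % ("ON" if secure_delete else "OFF"))
    con.execute("CREATE TABLE sms (id INTEGER PRIMARY KEY, address TEXT, body TEXT)")
    con.executemany("INSERT INTO sms VALUES (?, ?, ?)", MESSAGES)
    con.commit()
    con.execute("DELETE FROM sms WHERE id = ?", (DELETED_ID,))
    con.commit()
    con.close()


def logical_acquisition(path):
    """Logical extraction: ask the database for its live records only."""
    con = sqlite3.connect(path)
    try:
        return con.execute("SELECT id, address, body FROM sms ORDER BY id").fetchall()
    finally:
        con.close()


def physical_acquisition(path):
    """Physical extraction: the raw bytes of the storage, free space included."""
    with open(path, "rb") as f:
        return f.read()


def carve_strings(image, min_len=8):
    """Minimal string carving: runs of printable ASCII at least min_len bytes long."""
    found, run = [], bytearray()
    for b in image:
        if 32 <= b < 127:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found


def compare_acquisitions(secure_delete=False):
    """Report what each acquisition mode recovers for the deleted message."""
    deleted_body = next(body for i, _, body in MESSAGES if i == DELETED_ID)
    with tempfile.TemporaryDirectory() as workdir:
        db = os.path.join(workdir, "mmssms.db")  # hypothetical file name
        build_sample_db(db, secure_delete)
        live_ids = [row[0] for row in logical_acquisition(db)]
        image = physical_acquisition(db)
    return {
        "logical_ids": live_ids,
        "logical_has_deleted": DELETED_ID in live_ids,
        "remnant_recovered": any(deleted_body in s for s in carve_strings(image)),
    }


if __name__ == "__main__":
    print("secure_delete OFF:", compare_acquisitions(False))
    print("secure_delete ON: ", compare_acquisitions(True))
```

The carving here is deliberately crude: a real examiner would parse the SQLite page structure and walk the freeblock list and unallocated space rather than scan for strings, but the point stands either way. What the logical export shows is exactly what the database API is willing to say, while the physical image still contains whatever the storage has not yet overwritten, and the secure_delete case shows why "physical" is still not a guarantee of recovering deleted content.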

One of the major forensic challenges on the mobile platform is that multiple devices are used to access, store, and transmit mobile data. Because the data is volatile and can easily be transferred or deleted remotely, even without possession of the phone itself, more effort is needed to preserve it. The hardware also differs completely from one handset to another, which would force an investigator to keep thousands of cables to match each handset (Osho & Ohida, 2016). Mobile investigation is difficult to standardize because each phone has unique features depending on its manufacturer, and the phones' operating systems vary as well. Different operating systems and hardware imply different ways of storing data and different file systems. In addition, the built-in security of each phone differs, ranging from a simple 4-digit PIN to a more complex password, and some use biometrics, which makes extracting information from the phone a hard and complicated process (Osho & Ohida, 2016).



Anobah, M., Saleem, S. and Popov, O. (2014). Testing Framework for Mobile Device Forensics Tools. Journal of Digital Forensics, Security and Law.

Curran, K., Robinson, A., Peacocke, S. and Cassidy, S. (2010). Mobile Phone Forensic Analysis. International Journal of Digital Crime and Forensics, 2(3), pp.15-27.

Doherty, E.P. (2016). Digital Forensics for Handheld Devices. CRC Press.

Mikhaylov, I. (2017). Mobile Forensics Cookbook. Packt Publishing.

Osho, O. and Ohida, S. (2016). Comparative Evaluation of Mobile Forensic Tools. International Journal of Information Technology and Computer Science, 8(1), pp.74-83.

Rocha, A. and Guarda, T. (2018). Proceedings of the International Conference on Information Technology & Systems (ICITS 2018).
