Seizing a mobile device during an investigation?
Diving in without a plan could cost you critical evidence.
I call mobile preservation/acquisition a 𝐝𝐢𝐠𝐢𝐭𝐚𝐥 𝐦𝐢𝐧𝐞𝐟𝐢𝐞𝐥𝐝 for a reason.
From lock screens to pervasive data encryption and remote-wipe apps, it is not straightforward, and one wrong move can cost you critical evidence.
That is why a clear, step-by-step acquisition checklist is a necessity.
Knowing what to do first, at what stage, and how to acquire as much data as possible before it disappears is crucial.
Below is a brief summary, along with a diagram of the acquisition procedures from SWGDE (https://www.swgde.org/).
Here are some key terms that you may want to know:
- 𝐀𝐟𝐭𝐞𝐫 𝐅𝐢𝐫𝐬𝐭 𝐔𝐧𝐥𝐨𝐜𝐤 (𝐀𝐅𝐔/𝐇𝐨𝐭): A collection of available data from a powered-on device that has been unlocked at least once since the last operating system boot.
- 𝐁𝐞𝐟𝐨𝐫𝐞 𝐅𝐢𝐫𝐬𝐭 𝐔𝐧𝐥𝐨𝐜𝐤 (𝐁𝐅𝐔/𝐂𝐨𝐥𝐝): A collection of available data from a powered-on, locked device that has not been unlocked since the last operating system boot.
- 𝐅𝐮𝐥𝐥 𝐅𝐢𝐥𝐞 𝐒𝐲𝐬𝐭𝐞𝐦 (𝐅𝐅𝐒): A complete collection of all available active files and folders.
- 𝐋𝐨𝐠𝐢𝐜𝐚𝐥: A process that requests file data from the operating system, which interprets the request and returns the resultant data, using techniques such as backup utilities, application agents, and manual interaction.
- 𝐏𝐡𝐲𝐬𝐢𝐜𝐚𝐥: A process that extracts data via a direct connection to the device storage area.
This uses one of the four methods below. The resultant data from a device that utilizes File-Based Encryption (FBE) or Full-Disk Encryption (FDE) will be encrypted.
- 𝐁𝐨𝐨𝐭 𝐋𝐨𝐚𝐝𝐞𝐫: Code that executes in a runtime environment prior to operating system initialization. Physical acquisitions using this method replace the device's existing boot loader code.
- 𝐂𝐡𝐢𝐩-𝐎𝐟𝐟: A destructive process that involves the removal and reading of a memory chip to conduct analysis.
- 𝐈𝐧-𝐒𝐲𝐬𝐭𝐞𝐦 𝐏𝐫𝐨𝐠𝐫𝐚𝐦𝐦𝐢𝐧𝐠 (𝐈𝐒𝐏): A process to read data from an embedded Multi-Media Card (eMMC) chip. This process involves disassembling the device without removing the eMMC from the PCB.
- 𝐉𝐨𝐢𝐧𝐭 𝐓𝐞𝐬𝐭 𝐀𝐜𝐭𝐢𝐨𝐧 𝐆𝐫𝐨𝐮𝐩 (𝐉𝐓𝐀𝐆): In physical acquisitions, data is acquired by disassembling the device and connecting to these defined test access ports.
--
- 𝐅𝐢𝐥𝐞-𝐁𝐚𝐬𝐞𝐝 𝐄𝐧𝐜𝐫𝐲𝐩𝐭𝐢𝐨𝐧 (𝐅𝐁𝐄): A method of protecting files on storage media by using unique encryption keys per file.
- 𝐅𝐮𝐥𝐥-𝐃𝐢𝐬𝐤 𝐄𝐧𝐜𝐫𝐲𝐩𝐭𝐢𝐨𝐧 (𝐅𝐃𝐄): A method of protecting a specific storage area using a single encryption key.
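To make the AFU/BFU and FBE/FDE terms above concrete, here is an added toy model (my own illustration, not SWGDE material or code from the post) of what an examiner can expect to recover from a logical or full-file-system extraction in each device state, and why a raw physical read of storage comes back encrypted under either scheme. The key hierarchy is a constructed simplification: one volume key for FDE, and for FBE a master key with two file classes, labelled DE (available from boot) and CE (available only after the first credential unlock), with a unique per-file key derived from the class key. The cipher is a toy HMAC-based keystream standing in for the AES modes real handsets use; the file names and contents are constructed sample data.

```python
"""Toy model: what FDE vs FBE devices expose to an acquisition in BFU vs AFU state.
Illustrative only; the cipher and key hierarchy are simplified stand-ins."""
import hashlib
import hmac
import os


def derive(key: bytes, info: bytes) -> bytes:
    """Single-block HKDF-expand style derivation with HMAC-SHA256 (toy)."""
    return hmac.new(key, info + b"\x01", hashlib.sha256).digest()


def toy_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy counter-mode stream cipher built from HMAC-SHA256.
    XOR is symmetric, so the same call encrypts and decrypts. Not for real use."""
    keystream = b""
    counter = 0
    while len(keystream) < len(data):
        block = nonce + counter.to_bytes(4, "big")
        keystream += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, keystream))


class FdeDevice:
    """Full-Disk Encryption: a single volume key protects the whole storage area.
    The key only exists in memory once the user credential has unlocked the volume."""

    def __init__(self, files: dict):
        self.volume_key = os.urandom(32)
        # storage holds ciphertext only: this is all a chip-off/ISP/JTAG read returns
        self.storage = {name: toy_cipher(self.volume_key, name.encode(), data)
                        for name, data in files.items()}

    def readable(self, state: str) -> dict:
        """Files the OS can hand to a logical/FFS extraction in the given state."""
        if state != "AFU":  # BFU: the volume key was never derived, nothing decrypts
            return {}
        return {name: toy_cipher(self.volume_key, name.encode(), ct)
                for name, ct in self.storage.items()}


class FbeDevice:
    """File-Based Encryption: every file has its own key, derived from a class key.
    Constructed two-class model: DE keys load at boot, CE keys after first unlock."""

    def __init__(self, files: dict):
        master = os.urandom(32)
        self.class_keys = {"DE": derive(master, b"DE"), "CE": derive(master, b"CE")}
        self.storage = {}
        for name, (cls, data) in files.items():
            nonce = os.urandom(16)
            file_key = derive(self.class_keys[cls], nonce)  # unique key per file
            self.storage[name] = (cls, nonce, toy_cipher(file_key, nonce, data))

    def readable(self, state: str) -> dict:
        """Only files whose class key is currently loaded can be decrypted."""
        available = {"DE"} if state == "BFU" else {"DE", "CE"}
        out = {}
        for name, (cls, nonce, ct) in self.storage.items():
            if cls in available:
                out[name] = toy_cipher(derive(self.class_keys[cls], nonce), nonce, ct)
        return out


def raw_image_contains(device, plaintexts) -> bool:
    """True if any plaintext appears verbatim in the raw (physical) storage image."""
    chunks = [v if isinstance(v, bytes) else v[2] for v in device.storage.values()]
    image = b"".join(chunks)
    return any(p in image for p in plaintexts)


# Constructed sample files (not from any real device)
FDE_FILES = {"messages.db": b"chat history", "alarms.db": b"07:00 weekdays"}
FBE_FILES = {"messages.db": ("CE", b"chat history"),
             "alarms.db": ("DE", b"07:00 weekdays")}


def acquisition_summary() -> dict:
    """Which file names a logical/FFS extraction can recover per scheme and state."""
    fde, fbe = FdeDevice(FDE_FILES), FbeDevice(FBE_FILES)
    return {
        "FDE": {s: sorted(fde.readable(s)) for s in ("BFU", "AFU")},
        "FBE": {s: sorted(fbe.readable(s)) for s in ("BFU", "AFU")},
    }


if __name__ == "__main__":
    for scheme, states in acquisition_summary().items():
        for state, names in states.items():
            print(f"{scheme} {state}: {names or 'nothing readable'}")
```

Running it shows the practical point behind the checklist: on the FBE device the CE-class file (the chat history) is only recoverable after first unlock, on the FDE device nothing is recoverable before it, and in both cases the raw storage image never contains the plaintext, so a physical dump alone does not substitute for preserving the device's unlocked state.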