An Overview – Mobile Phone Forensics
Mobile Phone forensics has grown massively in the last 15 years, even more so that computer based forensics, as almost every person carries one and communicates frequently with it via a variety of different methods including social media, SMS, video and voice calls.
A phone can be used to browse Internet websites, add comments on Twitter, Facebook etc and to take photographs.
The use of cell’s and wireless networks in order for them to connect to a phone or Internet based network also allows for the location of the device to be identified.
Therefore, the portability and diversity of use of mobile phones mean that they can often contain evidence that can be significant within criminal, family or civil cases.
Mobile Phone Forensics is the extraction of that data in a usable and readable format from a mobile phone without causing it to be altered so that it can be used and accepted in Court.
It is also sometimes, though not always possible, to retrieve deleted messages and activity from a handset.
Whilst mobile phone companies, including Apple spend significant amounts on money in attempting to secure the data so that the privacy of the user is protected, after time, processes can be developed that allow previously deleted data to be retrieved from them.
The Preservation of Evidence – Mobile Phone Forensics
Digital forensics is the preservation and investigation of data on a digital device, including mobile phones.
The ability to consider the information in context as well as to examine the data in an unaltered form is critical to being able to deliver reliable and accurate findings.
In order to ensure that the data is extracted in a suitable manner, the techniques, software and hardware used by the examiner should be recognised within the industry and is likely to include additional processes that allow for the integrity of the data to be verified, including acquisition and verification hash values and time/date stamps of the files considered.
The Acquisition of the Evidence – Mobile Phone Forensics
Depending upon the handset being examined and the nature of the instructions, the examiner should assess what type of extraction is possible and most suitable.
For example, a physical extraction includes all data present on the device and results in a bit-by-bit copy of all data present, including all deleted data. However, it is frequently not possible to acquire a physical copy of the handset and on some it can also take a significantly long period of time to extract all of the data present.
A file system extraction allows for the retrieval of all files within the file system of the handset which may include some previously deleted files that are still held within temporary cache etc.
A logical extraction is the quickest and often allows the examiner to specific the exact files required to be retrieved and is likely to contain only those types of files, meaning that unknown file types and databases may not be extracted.
HFS+ File system – Mobile Phone Forensics
The Hierarchical File System Plus (HFS+) was developed by Apple and released in January 1998 with Mac OS 8.1.
HFS+ is a journaling file system that continued as the main file system used by Apple computers until it was replaced by the Apple File System (APFS) in 2017 with the release of OSX High Sierra.
HFS+ uses larger block addresses of 32-bits in length instead of 16-bit used within the previous file system HFS (Hierarchical File System) and uses Unicode for naming items.
HFS+ also supports hard links to directories and permits file name lengths of up to 255 characters long.
The HFS+ file system has 2 types of blocks, logical, which are 512 bytes in size and numbered first to last and allocation blocks that are groups of logical blocks used to track data.
The HFS+ file system uses the catalog files to organise data and contains the metadata of the file, for example, the file creation and last altered dates.
A variation of the HFS+ file system is named HFSX and is used in Apple mobile devices and differs by allowing two files with the same name as long as the cases differ between them.
The HFSX File System – Mobile Phone Forensics
Apple iOS devices contain a system partition and a data partition.
iOS System Partition
The system partition mainly contains iOS and pre-installed application data and does normally not contain information relevant to an investigation as it contains no user data and the system partition is identified as Disk0s1 within the disk.
However, the user password can be found within the passwd file located at the path /private/etc/ which can contain mobile and root password hashes that can then be used within cracking tools.
iOS Data Partition
The data partition contains user stored data and includes several directories including those named mobile which contains user data, preferences which contains the configuration files, and Logs that contains files including the OS version information.
The call_history.db SQL database contains the call history records within the call table. The sms.db SQL database contains all SMS messages sent/received using the handset as well as iMessages within the message table of the database.
Forensic Acquisition from iTunes Backup
When an iPhone is connected to the iCloud or to a computer, the iTunes or iCloud software automatically synchronises and stores a copy of the data on the phone either online or the the computer connected to it.
If the phone is not available then it is sometimes possible to recover the data from it if the computer that had been connected to it can be retrieved.
If the computer previously connected to the iPhone is available then it is possible to examine it and produce the data from it which can include communication including call records and text messages as well as images , documents and music present on the phone at the point of connection.
The iCloud facility allows users to store communication and personal files including images and documents from their iPhone to an online storage area relating to their iTunes account.
Therefore, if the phone is not available for examination then there are alternatives sources for consideration if the data from it is required. This data can be retrieved in a forensic manner that can then be used in court if required.
About Athena Forensics
For information on our digital forensic services or if you require any advice or assistance please contact a member of our team on 0845 882 7386 or via email on firstname.lastname@example.org, further details are available on our contact us page.
Our client’s confidentiality is of the utmost importance. All correspondence is treated with discretion, from initial contact to the conclusion of any computer forensics investigation.
Our digital forensics experts are fully aware of the significance and importance of the information that they encounter and we have been accredited to ISO 9001 for 10 years.
Our forensic experts are all security cleared and we offer non-disclosure agreements if required. Our premises along with our security procedures have been inspected and approved by law enforcement agencies.
Athena Forensics do not disclose personal information to other companies or suppliers.