- Practical Mobile Forensics(Third Edition)
- Rohit Tamma Oleg Skulkin Heather Mahalik Satish Bommisetty
797 words
- 2021-06-30 19:32:57
Challenges in mobile forensics
One of the biggest forensic challenges on the mobile platform is that data can be accessed, stored, and synchronized across multiple devices. Because the data is volatile and can be quickly changed or deleted remotely, more effort is required to preserve it. Mobile forensics differs from computer forensics and presents unique challenges to forensic examiners.
Law enforcement and forensic examiners often struggle to obtain digital evidence from mobile devices. The following are some of the reasons:
- Hardware differences: The market is flooded with different models of mobile phones from different manufacturers. Forensic examiners may come across models that differ in size, hardware, features, and operating system. Also, with short product development cycles, new models emerge very frequently. As the mobile landscape changes almost daily, it is critical for the examiner to adapt and stay up to date on forensic techniques across the full range of devices.
- Mobile operating systems: Unlike personal computers, where Windows has dominated the market for years, mobile devices run a much wider range of operating systems, including Apple's iOS, Google's Android, RIM's BlackBerry OS, Microsoft's Windows Phone OS, HP's webOS, and many others. Even within a single operating system there are several versions, each of which may store data differently, which makes the forensic investigator's task even more difficult.
- Mobile platform security features: Modern mobile platforms contain built-in security features to protect user data and privacy. These features act as a hurdle during forensic acquisition and examination. For example, modern mobile devices come with default encryption mechanisms from the hardware layer to the software layer, and the examiner might need to get past these mechanisms to extract data. The FBI versus Apple encryption dispute was a watershed moment in this regard: Apple's security implementation (passcode-entangled encryption combined with an optional setting that erases the device after ten failed passcode attempts) prevented the FBI from unlocking the iPhone seized from one of the attackers in the San Bernardino case, Apple refused to build a modified iOS that would remove those protections, and the FBI eventually accessed the phone with the help of an outside party.
- Preventing data modification: One of the fundamental rules in forensics is that data on the device must not be modified; in other words, any attempt to extract data should not alter the data present on the device. This is not practically achievable with mobile devices, because merely switching a device on can change its data. Even a device that appears to be off may still have background processes running; on many phones, for example, the alarm still fires when the phone is switched off. A sudden transition from one state to another may result in the loss or modification of data, so every state change during an examination should be deliberate and documented.
- Anti-forensic techniques: Techniques such as data hiding, data obfuscation, data forgery, and secure wiping make investigations on digital media more difficult.
- Passcode recovery: If the device is protected with a passcode, the forensic examiner needs to gain access without damaging the data on the device. There are techniques to bypass the screen lock, but they do not work on every device or OS version, and repeated wrong guesses may trigger lockouts or, as noted above, erase the device.
- Lack of resources: As mentioned earlier, as the number of mobile phone models grows, so does the set of tools a forensic examiner needs. Forensic acquisition accessories, such as USB cables, batteries, and chargers for different models, have to be maintained in order to acquire those devices.
- Dynamic nature of evidence: Digital evidence may be altered easily, either intentionally or unintentionally. For example, simply opening an application on the phone might alter the data stored by that application on the device.
- Accidental reset: Mobile phones provide features to reset everything. Resetting the device accidentally while examining it may result in the loss of data.
- Device alteration: The ways a device may have been altered range from moving application data or renaming files to modifying the manufacturer's operating system. In such cases, the suspect's level of expertise should be taken into account.
- Communication shielding: Mobile devices communicate over cellular networks, Wi-Fi, Bluetooth, and infrared. Because incoming communication (for example, a remote wipe command or a new message) can alter device data, further communication should be prevented as soon as the device is seized, for example by placing it in a Faraday bag or enabling airplane mode.
- Lack of availability of tools: There is a wide range of mobile devices, and a single tool may not support all of them or perform all the necessary functions, so a combination of tools has to be used. Choosing the right tool for a particular phone can be difficult.
- Malicious programs: The device might contain malware, such as a virus or a Trojan, that may attempt to spread to other devices over a wired or wireless interface, including the examiner's workstation.
- Legal issues: Crimes involving mobile devices can cross geographical boundaries. To handle such multijurisdictional issues, the forensic examiner should be aware of the nature of the crime and the applicable regional laws.
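The preservation problems raised under "Preventing data modification" and "Dynamic nature of evidence" are handled in practice not by keeping the device pristine, which the text explains is impossible, but by hashing the acquired image immediately and re-verifying those hashes before and after every analysis step. The following Python script is an added example, not code from the book or its authors: it builds a small constructed stand-in for an acquired partition, writes an acquisition manifest with SHA-256 and SHA-1 digests, and shows that a single changed byte is caught on verification. The file names and the examiner name are assumptions made for the demonstration.

```python
"""Hash an acquired image at acquisition time and verify it later.

Added example (not from the book): the device itself cannot be kept
unmodified, so the examiner records digests of the acquired image and
re-verifies them before and after analysis. File names and the examiner
name below are assumptions for the demonstration.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB chunks so a multi-GB image never has to fit in memory


def hash_file(path, algorithms=("sha256", "sha1")):
    """Return {algorithm: hexdigest} for the file, computing all digests in one pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def write_manifest(image_path, manifest_path, examiner, note=""):
    """Record size, digests, examiner and UTC timestamp of the acquisition."""
    manifest = {
        "image": os.path.basename(image_path),
        "size": os.path.getsize(image_path),
        "hashes": hash_file(image_path),
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "note": note,
    }
    with open(manifest_path, "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest


def verify_image(image_path, manifest_path):
    """Re-hash the image and compare it with the manifest.

    Returns (ok, mismatches); mismatches lists "size" and/or the names of
    the digests that no longer match, so an empty list means untouched.
    """
    with open(manifest_path, encoding="utf-8") as fh:
        manifest = json.load(fh)
    mismatches = []
    if os.path.getsize(image_path) != manifest["size"]:
        mismatches.append("size")
    current = hash_file(image_path, tuple(manifest["hashes"]))
    for name, expected in manifest["hashes"].items():
        if current[name] != expected:
            mismatches.append(name)
    return (not mismatches, mismatches)


def demo():
    """Constructed sample: verify a fake image, change one byte, verify again."""
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "device_userdata.bin")     # assumed file name
        manifest = os.path.join(workdir, "device_userdata.json")  # assumed file name
        # Constructed stand-in for an acquired partition: zero padding, then the
        # header bytes an SQLite app database starts with, then filler bytes.
        with open(image, "wb") as fh:
            fh.write(b"\x00" * 4096 + b"SQLite format 3\x00" + b"\xa5" * 4096)
        write_manifest(image, manifest, examiner="examiner-1", note="constructed sample")
        before = verify_image(image, manifest)
        # Simulate the kind of unintended change the text warns about:
        # a single byte inside the database header is overwritten.
        with open(image, "r+b") as fh:
            fh.seek(4100)  # the "t" in "SQLite"
            fh.write(b"X")
        after = verify_image(image, manifest)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before change:", before)          # (True, [])
    print("after one-byte change:", after)   # (False, ['sha256', 'sha1'])
```

Two digests are recorded because forensic tooling and reports commonly list more than one, and the size check is kept separate so that a truncated or padded image is reported as such rather than only as a hash mismatch. The manifest is what travels with the image in the chain-of-custody record; the image itself should then be worked on only through copies or read-only mounts.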