What is Mobile Forensics?

Provido

Hello dear THT members,

In this topic we will talk about Mobile Forensics. We'll get an idea of what mobile forensics is and how the data on a mobile device can be obtained. Let's first try to define Forensic Informatics in general.


What is Forensic Informatics?

Forensic Informatics is the process of transferring data obtained from electronic and digital devices to another device for analysis, and then analyzing and reporting on that data. With Forensic Informatics, data deleted from devices can be restored. In the Forensic Informatics process it is essential to obtain the data on the examined device without any change, and this process can take quite a long time. However, the data obtained from forensic investigations can be critical enough to change the course of a case if used as evidence in court. It is also important for recovering data deleted from the device.



What is mobile forensics?

Mobile Forensic Informatics consists of analyzing user data on mobile devices such as phones and tablets. It also includes SIM card review. The Mobile Forensics process consists of the stages of collection, examination and analysis of evidence. The most important point during the evidence collection phase is that the evidence must not be changed while it is being collected. In this context, keeping the mobile device in a Faraday bag during examination is an effective way to protect it from external signals. Likewise, if the device was powered off when it was seized, examining it without turning it on is important for protecting the data that can serve as evidence.

Different methods and tools may be needed for different devices in forensic examinations of mobile devices. The people doing this work should have a good command of different analysis methods and skills, or the work should be left to professionals in the field.



Challenges in mobile forensics

Because user data stored on mobile devices can be changed or deleted remotely from other devices, more difficulties are encountered in Mobile Forensics than in other types of forensic informatics. These difficulties can be listed as hardware differences, mobile security features, operating system differences, the ability to prevent data change, bypassing the device, etc.

The mobile forensics process

Collecting the devices

Mobile devices located at the crime scene are obtained. The device is protected in order to prevent the data contained in the obtained mobile devices from being changed.

Identification of Mobile Device

At this stage, the system information of the mobile device, such as brand, model, storage and other resources, is identified before the forensic examination. In this way, the course of the forensic investigation is determined.

Preparation for Forensic Examination

At this stage, the tools and resources to be used for the analysis are chosen based on the identified device information.

Protecting the Mobile Device

At this stage, as mentioned before, external signals to the device should be blocked so that no new data can be sent to it by someone controlling the device remotely.

Taking an Image of the Mobile Device

The device itself should not be opened and examined by forensic experts. Instead, a physical image of the device is taken in order to obtain the data on the device with minimum loss. The image contains almost all of the data on the device. The image should be analyzed in another place.

Data analysis

The user data on the device is accessed by analyzing the image taken from the device. These data indicate whether the user was involved in the crime in question, and the extent and nature of the crime.

Reporting and Presentation

The tools used during the Forensic Review process, the status of the device, device information, the date of the analysis and the data obtained are reported by forensic experts. The report is presented as evidence in the court after it is clearly prepared with the data obtained.

Methods of obtaining data from Mobile Devices

Physical data collection

With the Physical Data Collection method, more detailed and intact information can be obtained compared to other methods. In this method, the memory is directly accessed and an image is taken as an exact copy of the mobile device. The image taken is analyzed by transferring it to different devices. In this way, deleted data can also be obtained from the device.

Logical data collection

With this method, the data in logical storage can be obtained. It is one of the easier data acquisition methods. Although the files on the device can be obtained by this method, the data in unallocated space cannot. It has an important place especially in obtaining call history and text messages.
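The difference between the two collection methods above can be shown on a small constructed image. This is an added example, not part of the original post: the 256-byte "storage", the file table that stands in for file-system metadata, and all function names are assumptions made for illustration.

```python
import hashlib

JPEG_SOI = b"\xff\xd8\xff"   # JPEG start-of-image marker
JPEG_EOI = b"\xff\xd9"       # JPEG end-of-image marker
SECTOR = 64                  # toy sector size for the constructed image


def build_toy_image():
    """Constructed sample: raw storage plus a file table; IMG_0002 was deleted."""
    photo1 = JPEG_SOI + b"\xe0" + b"kept-photo" + JPEG_EOI
    photo2 = JPEG_SOI + b"\xe0" + b"deleted-photo" + JPEG_EOI
    raw = bytearray(SECTOR * 4)
    raw[SECTOR:SECTOR + len(photo1)] = photo1
    raw[3 * SECTOR:3 * SECTOR + len(photo2)] = photo2   # bytes remain after deletion
    table = [
        {"name": "IMG_0001.jpg", "offset": SECTOR, "size": len(photo1), "allocated": True},
        {"name": "IMG_0002.jpg", "offset": 3 * SECTOR, "size": len(photo2), "allocated": False},
    ]
    return bytes(raw), table


def logical_acquire(raw, table):
    """Logical collection: returns only files the file table still lists."""
    return {e["name"]: raw[e["offset"]:e["offset"] + e["size"]]
            for e in table if e["allocated"]}


def carve_jpegs(raw):
    """Physical-image analysis: scan all bytes for JPEG markers, ignoring the table."""
    found, pos = [], 0
    while (start := raw.find(JPEG_SOI, pos)) != -1:
        end = raw.find(JPEG_EOI, start + len(JPEG_SOI))
        if end == -1:            # truncated fragment with no end marker
            break
        found.append((start, raw[start:end + len(JPEG_EOI)]))
        pos = end + len(JPEG_EOI)
    return found


def image_digest(raw):
    """SHA-256 recorded at acquisition and re-checked after analysis."""
    return hashlib.sha256(raw).hexdigest()


if __name__ == "__main__":
    raw, table = build_toy_image()
    print("logical:", sorted(logical_acquire(raw, table)))
    print("carved offsets:", [off for off, _ in carve_jpegs(raw)])
    print("sha256:", image_digest(raw))
```

The logical pass returns one file, while carving the full image also recovers the deleted photo from unallocated space; comparing the digest before and after analysis confirms the image was not altered.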

Manual information collection

Because it is a very laborious data collection method, it is often used by forensic experts as a last resort. In this method, the information is obtained directly from the device itself. The analysis process may take longer depending on the number of files. The data that can be obtained using this method is limited to what the operating system can access. A photograph is taken of each piece of data displayed during collection, and these photographs are recorded as evidence together with the information they contain.





 