Mobile Forensics
Mobile forensics is a branch of digital forensics concerned with the recovery of digital evidence from mobile devices. With the continued growth of the smartphone market, the probability of their use in criminal activity keeps increasing. A mobile phone today comes with a wide variety of software applications, new technologies and operating systems, so examining the evidence it holds is a complicated task for a forensic investigator, and a proper knowledge of forensic tools and their features is required to collect relevant information. An operating system like Android being open source is an advantage for software developers, but it is a serious disadvantage for forensic analysts: every manufacturer ships its own modified build, so analysts have to keep crafting and implementing new methods for getting into each device and performing the forensic analysis. The methods of performing forensic analysis and data acquisition on mobile devices are therefore not constant; investigators must adapt to new methods and change their approach each time they perform a forensic investigation on a mobile device.
Important aspects of cell phones which are to be analysed:
· Internal memory
· SIM card
· Memory card
· Network provider
Important data types which can be extracted from the forensic analysis of mobile devices are text messages, contacts, call history, photos, audio, video, GPS location, emails, memos, calendar entries, documents and web history, including the use of social media applications such as Facebook, Twitter, Instagram and WhatsApp.
The Chip-Off and JTAG methods are gaining popularity because they can bypass complicated phone locks: they read the memory directly instead of going through the operating system, so a screen lock or a locked bootloader does not stop them. They do not, however, defeat drive encryption. On a device with full-disk or file-based encryption the image they produce is ciphertext, and the keys, which are usually tied to the user's passcode and to hardware such as a secure element, must still be obtained before the contents can be read. Ultimately, the tool on which the forensic analysis is performed is given a physical image of the memory chip, a bit-by-bit copy of everything stored on it, including unallocated space and deleted data. In the JTAG method the chip stays on the board: the examiner locates the JTAG (Joint Test Action Group) test access port on the circuit board, solders connections to it and uses the processor's debug interface to read the memory out, which requires knowing where the test points are on that particular model; on many recent devices the debug port is disabled in production, which limits where JTAG can be used. In the Chip-Off method the memory chip itself is desoldered from the circuit board and read in a dedicated chip reader or programmer. Both methods require knowledge of the location of the chip and of the JTAG connectors in the device, along with the skill to dismantle and repair the device's hardware. The main difference between the two is that a chip removed during Chip-Off analysis normally cannot be remounted in the device, whereas the JTAG connections can be removed again and the device restored; hence Chip-Off is normally used on damaged devices or as a last resort. In many cases a physical dump cannot be obtained without physically extracting the storage chip. With the fast pace at which mobile devices change it is impossible to design a customised tool for every device, but a physical dump obtained from a memory chip can be analysed in a similar way regardless of the device it came from. Even though Chip-Off and JTAG are complicated processes, their use is on the rise because of what they are able to recover. Sometimes forensic experts need to analyse mobile devices that have been completely damaged in an accident, or that suspects have damaged on purpose to destroy evidence; in such cases these methods can be very effective where other processes fail.
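Since a physical dump from any chip can be analysed in the same way, the first pass over a raw image is the same regardless of the handset it came from. The Python script below is an added illustration, not code from the original post: it hashes the dump for integrity, carves known signatures (the SQLite database header and the JPEG start-of-image marker), reads a carved SQLite messages database using the length recorded in its own header, and flags high-entropy blocks, which is how an examiner notices that a region is encrypted and carving will yield nothing until the keys are recovered. The dump itself, the `sms` table and the 4096-byte block size are constructed assumptions for the example.

```python
import hashlib
import math
import os
import sqlite3
import tempfile

BLOCK = 4096  # assumed flash page size; a real dump uses the chip's own page size

# Magic bytes of artifacts commonly found in a raw flash dump.
SIGNATURES = {
    "sqlite": b"SQLite format 3\x00",  # SQLite database header
    "jpeg": b"\xff\xd8\xff",           # JPEG start-of-image marker
}


def image_hash(image: bytes) -> str:
    """SHA-256 of the dump, recorded before any analysis so the image can be shown unaltered."""
    return hashlib.sha256(image).hexdigest()


def carve_signatures(image: bytes) -> list:
    """Return (kind, offset) for every occurrence of a known signature, in offset order."""
    hits = []
    for kind, sig in SIGNATURES.items():
        pos = image.find(sig)
        while pos != -1:
            hits.append((kind, pos))
            pos = image.find(sig, pos + 1)
    return sorted(hits, key=lambda hit: hit[1])


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for zero padding, close to 8.0 for ciphertext."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def encrypted_blocks(image: bytes, threshold: float = 7.5) -> list:
    """Offsets of blocks so random-looking that they are ciphertext (or compressed data)."""
    return [off for off in range(0, len(image), BLOCK)
            if shannon_entropy(image[off:off + BLOCK]) >= threshold]


def carve_sqlite_db(image: bytes, offset: int) -> list:
    """Copy the SQLite file starting at `offset` out of the dump and read its messages.
    File length comes from the SQLite header (page size at bytes 16-17, page count at
    bytes 28-31), so exactly the database is carved and no trailing flash padding."""
    page_size = int.from_bytes(image[offset + 16:offset + 18], "big")
    if page_size == 1:  # the header encodes a 65536-byte page as 1
        page_size = 65536
    page_count = int.from_bytes(image[offset + 28:offset + 32], "big")
    blob = image[offset:offset + page_size * page_count]
    fd, path = tempfile.mkstemp(suffix=".db")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(blob)
        con = sqlite3.connect(path)
        rows = con.execute("SELECT address, body FROM sms ORDER BY rowid").fetchall()
        con.close()
    finally:
        os.unlink(path)
    return rows


def pseudo_ciphertext(n: int) -> bytes:
    """Deterministic high-entropy filler standing in for an encrypted partition
    (constructed, not real ciphertext): SHA-256 in counter mode over a fixed label."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(b"sample-flash-" + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


def build_sample_dump() -> bytes:
    """Constructed stand-in for a chip-off image: one zero page, a small SMS database
    (hypothetical `sms` table), a page holding a JPEG marker, then two 'encrypted' pages."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE sms (address TEXT, body TEXT)")
    con.executemany("INSERT INTO sms VALUES (?, ?)",
                    [("+15550100", "meet at 9"), ("+15550199", "delete the photos")])
    con.commit()
    con.close()
    with open(path, "rb") as f:
        db = f.read()
    os.unlink(path)
    db_padded = db + b"\x00" * (-len(db) % BLOCK)  # page-align like on-chip data
    jpeg_page = b"\xff\xd8\xff\xe0" + b"\x00" * (BLOCK - 4)
    return b"\x00" * BLOCK + db_padded + jpeg_page + pseudo_ciphertext(2 * BLOCK)


if __name__ == "__main__":
    dump = build_sample_dump()
    print(image_hash(dump))
    print(carve_signatures(dump))
    print(encrypted_blocks(dump))
    print(carve_sqlite_db(dump, BLOCK))
```

On a real image the examiner would first reassemble the flash translation layer and the file system and parse files at that level; block-level signature carving is what remains possible when the file system is damaged, and the entropy check is what tells you that the rest of the chip is encrypted rather than merely unparsed.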
Ms. Sonali Sharma (Assistant Professor-IT), Department of IT