One of the draft versions of "Concepts and Methodology in Mobile Devices Digital Forensics Education and Training".
Concepts and Methodology in Mobile Devices Digital Forensics Education and Training
Damir Delija
INsig2 d.o.o, Zagreb, Croatia
damir.delija@insig2.hr
Abstract - This paper presents various issues in digital forensics of mobile devices and how to address these issues in the related education and training process. Mobile device forensics is a new, very fast developing field which lacks standardization, compatibility, tools, methods and skills. All these drawbacks have an impact on the results of the forensic process and also a deep influence on the training and education process. In this paper real-life experience in training is presented, with tools, devices, procedures and organization, with the purpose of improving the process of mobile device forensics and mobile forensic training and education.
I. INTRODUCTION
Some interesting issues and situations were noticed through providing digital forensic services, especially during training and education. These situations are part of the whole digital forensic process but are usually not stressed enough, so they are worth mentioning and analyzing. Most of the issues are coherent with the current state of mobile forensics; some are specific. Some of the issues and problems are already recognized and reported in the mobile forensics field (“Is Mobile Device Forensics Really Forensics?”, NIST discussion) [3]; others are specific but still rooted in the same basic issues.
The experience comes from a business position as a service provider in digital forensics, which covers the full life cycle from defining the solution proposal, development, implementation, support, consulting, training, improvements, and upgrades. This is a project-oriented lifecycle; training and support are the lion's share of it, with the aim of improving the solution and keeping it operational.
Basically all projects in mobile digital forensics mean introducing new functions into an existing system (law enforcement, business etc.) through providing forensic tools and methods. In such a setup training and consulting are essential for success. From the client's viewpoint it is often very challenging, since personnel usually do not have basic training and skills, and there is usually no infrastructure for fast internal training and skill distribution. In a few words, this means you actually fail if you provide only tools and installations without training, since everything will be shelved because no one will be able to use it efficiently.
Experience stresses education and training as the most important part of mobile forensics projects. The aim is to improve the ability of users to work independently and in a forensically acceptable way with various mobile devices. This conceptual goal, together with a firm understanding of what tools and procedures can and cannot do, is essential for any acceptable mobile forensic practice.
The profession of digital forensics requires continuous education, training, and practice based on the above-mentioned concepts. It is necessary to define a methodology which can fulfill these requirements in the context of projects (law enforcement environment, military, governmental). This methodology should provide training in basic forensic science, basic computer science and engineering, understanding of forensic tools and procedures, and an understanding of how to position the available tools and methods in the project context.
Mobile forensics is a very dynamic, new field in digital forensics, which is by itself a new field in forensic science. The situation is extreme, as presented in the recent 2014 paper “Is Mobile Device Forensics Really Forensics?” [3], which addresses some open questions. The fast development rate, and actually a slave position to development in other fields, puts mobile forensics into a very unpleasant situation where lack of standardization stands among other problems.
An excellent overview of the tools, skills, knowledge and procedures required for mobile forensics is the presentation “Cell Phone and GPS Forensic, Tool Classification System (2009 Update)” done by Sam Brothers in 2009, which defines a classification of tasks, tools and skills [5].
II. MOBILE FORENSICS SPECIFICS
It is important to stress that mobile forensics is a specific field; it is even hard to find coherent definitions of what a mobile device is and what mobile device forensics is. There are various definitions of mobile devices, most of them defining a mobile device as a small-size device which is mobile and has a network connection [3]. Even if the definition of mobile forensics is more straightforward, it is still biased enough because of the ambiguous definition of mobile devices. As early as the definition there are problems about procedures, tools, methods and compatibility with the rest of digital forensics. The key issues to be solved are the relation to the essential principles of digital forensics. The simplest firm relation is that mobile device forensics is a sub-science of digital forensic science, while digital forensics is a computer science and engineering science [3]. In precise terms, forensics is the application of scientific knowledge to legal problems [3]. Still, it is possible to argue this definition based on Wietse Venema's definition of digital forensics, “Gathering and analyzing data in a manner as free from distortion or bias as possible to reconstruct data or what has happened in the past of the system”, which is used by the SANS Institute [6]. It is crucial to see that it is a scientific and engineering process, which is a wide enough concept; in that sense mobile forensics is digital forensics applied to mobile devices.
No one can actually count the number of mobile devices, and not even the number of different models and types. The only sure thing is the constant arrival of new devices. To complicate things even more, it is impossible to get data from mobile service providers about the devices used and connected to their infrastructure, while this data surely exists and is not confidential or illegal.
Table T1: Mobile device evidence extraction process – mobile device forensic process

Preparation Step
1. Device Intake: device is taken into the forensic process
2. Device Isolation: isolation from mobile and WIFI networks
3. Device Identification: type, model, features
4. Device Preparation: preparation for extraction and manipulation

Analysis Step
1. Processing: extracting data
2. Verification of extraction and findings
3. Documentation / Reporting of findings

Finalization Step
1. Presentation of findings and reports
2. Archiving device and results
3. Tools calibration and maintenance
One very distinctive mobile forensic trait is how commercial vendors approach mobile forensics. Roughly, we can separate vendors into specialized mobile forensic vendors and general-purpose digital forensic tool vendors. Between these groups there are no common tools or standards from the mobile device viewpoint. What is even more interesting is the separation among vendors based on how they handle mobile devices. Digital forensic vendors usually have support only for smartphones and very limited support for other mobile phones, while mobile forensic vendors almost completely ignore anything other than mobile devices. What is also stunning is the lack of compatibility and standards among mobile vendors and the lack of use of existing established forensic data formats.
From the practical viewpoint of conducting investigations or just using forensic tools and methods, it is important to recognize the real work tasks and address them properly in training and education. The basic steps in the mobile forensic process are defined in Table T1; it is the same process as any other digital forensic process, the differences being the stress on preparatory steps and the use of very specialized tools, almost at the data recovery level. Skill sets and mobile forensic analysis levels are related to the mobile forensic process as presented in Table T2; the skills are hard to achieve and require a lot of practical work [5], [2].
By our current experience for the former Yugoslavia area, gathered through customer support, feedback and training, in most situations the data available through logical-level extraction or even manual-level extraction are sufficient. Only a small number of situations, about 10%, require a phone memory dump (physical extraction) or more complex extraction methods. The same holds for the number of mobile devices included in one investigation process; mostly only one or two mobile devices are included, often related to one or two computer forensic images too. The sources are unofficial, since there are no formal reports.
Table T2: Mobile forensics analysis types and skill levels [5].

1. Manual Analysis (Introduction / beginner): taking pictures of device screens, manually accessing and reading data
2. Logical Analysis (Introduction / beginner): extracting data from mobile devices by logical synchronization commands, usually done by a forensic tool
3. Hex Dump (Physical Analysis) (Intermediate): extracting a bit-by-bit copy of the mobile device memory, done by a forensic tool or by specific usage of non-forensic tools (flash boxes, JTAG)
4. Chip-Off (Physical Analysis) (Expert / advanced): extracting flash chips from devices and reading the chip contents; requires dedicated laboratory equipment
5. Micro Read (Physical Analysis) (Expert / advanced): extracting chips and reading logical gate states with an electron microscope
III. MOBILE FORENSICS TRAINING
There are many possible classifications of the digital forensic training process. In theory it can be vendor-specific or vendor-independent, academic or professionally oriented, certified or uncertified, practical or theoretical. In reality it is always a compromise, especially in the case of mobile forensics. As for any digital forensic education, training devices and tools are essential because of the variety of possible models and scenarios. With mobile forensics it is essential to provide a realizable method of configuring mobile devices to provide the same set of artifacts and the same results during different training steps. Being unable to provide a relevant training environment with up-to-date tools and configurations renders the training process ineffective and sometimes counterproductive, since outdated methods usually compromise evidence and results.
Experience in mobile forensic training and education
Mobile forensic tools became part of the portfolio in 2009, with the now defunct EnCase Neutrino. Since 2009 many other products have been accepted, like Cellebrite UFED, MicroSystemation XRY, and Oxygen, and provided with full service. With such a wide product curriculum, vendor-independent mobile forensic services and support are provided, based on the requirements and the current state of the market. Full mobile forensic training infrastructure was implemented and added to the training curriculum in 2012. Since 2012 each training is evaluated and analyzed for valuable actionable data.
Table T4: Number of mobile forensic trainings provided

Year | Attendees | Type of training
2012 | 40 | vendor-specific
2013 | 30 | vendor-specific and/or vendor refresher
2014 | 30 | vendor-independent
To present the volume of activity in mobile forensic training, training events are presented in Table T4. Each training event is fully documented, analyzed and evaluated for lessons learned, not only from the attendees' viewpoint but also from the trainers' and logistics viewpoint. It is crucial to acquire such data to understand the practices of different vendors and how these practices and tools fit into the current environment. To keep quality and to understand what should be improved or modified such data are necessary, and the whole process must be formalized to prevent overlooking important factors. Based on this data, and on data acquired through vendor product trainings and usage, a process is developed which keeps the necessary skills and the ability to teach mobile forensics.
The key concept is to understand that each training event is specific and unique, since versions and tools are fast changing. To demonstrate this we can use data about the UFED family of products. Just since 2012 the UFED forensic portfolio has had substantial changes both in hardware and software, while continuously being upgraded with newly supported mobile devices and analysis capabilities. Tables T5, T6 and T7 show the volume and type of changes which have to be incorporated into the training process to keep it efficient. Supported phone models grow by hundreds per year, not only as new device models but also with support for new applications and functionalities in mobile device applications and operating systems. The very important chat tool Skype can be used as an example. In 2009 Skype was not supported as an analysis feature in automated analysis on smartphones, while in 2013 it is a standard part of the analysis. Since Skype artifacts are extremely important, that new functionality has to be introduced and supported in training, with examples, drawbacks, practical issues etc. This is typical for feature and application support in mobile forensics. To show the volume of work required for only one application, in this case Skype analysis, in 2012 extraction was done through cooperation with other forensic tools [4], while in 2013 generic support was introduced. During training both methods were presented. The general method of using another forensic application to verify artifact findings is mentioned since it is an example of common practice. Applications evolve and it is always possible to find a new version which is not supported by the current tool but is supported by some other tool like Belkasoft or Internet Evidence Finder, or by a custom-developed script [5].
Table T5: UFED models and software from 2012 till January 2015

Device | Software used with device
UFED Classic | Logical Analyzer, Physical Analyzer, Phone Detective, UFED_OSIMage
UFED Touch | Logical Analyzer, Physical Analyzer, Phone Detective, UFED_OSIMage
UFED4PC | Logical Analyzer, Physical Analyzer, Phone Detective, UFED4PC
It is the same for all features and applications on mobile devices, especially regarding encryption support, geolocation information and other new developments. Available forensic methods have to be presented, while optional solutions should be provided at least at the conceptual level, as shown in Table T5.
Table T6: UFED versions and devices since 2009, till January 2015

Year | UFED hardware models | Software product revisions | Physical analysis supported devices | Logical analysis supported devices
2009 | UFED Classic | unknown | 1242 | 2384
2010 | UFED Classic | unknown | 502 | 1114
2011 | UFED Classic | unknown | 578 | 1104
2012 | UFED Classic | 6 | 832 | 617
2013 | UFED Touch, UFED Classic | 3 | 469 | 754
2014 | UFED4PC, UFED Touch | 5 | 613 | 855
2015 | UFED4PC, UFED Touch | 1 | 8 | 2
Table T7: UFED attributes supported per mobile device model. In mobile forensic tools an attribute is an application, feature or anything else forensically significant on a mobile device (definition from vendor documentation).

Year | UFED Logical | UFED Ultimate (physical)
2015 | 24 | 110
2013 | 23 | 55
Each of the changes presented in Tables T5, T6 and T7 requires a full cycle of preparation and training refreshing, both for trainers and for people who have already attended training. To illustrate the full impact of these changes it is important to describe how all these elements are used in the UFED proposed mobile forensic process, as is done in Table T8.
Table T8: How the UFED tool is used in the mobile forensic process

Step | UFED module used | Description
Mobile device identification (preparation) | Phone Detective | Phone Detective software is used; in this step the mobile device is identified and its supported functionalities, the procedure and the cable kit elements needed to handle the phone are defined
Mobile device data acquisition (analysis) | UFED device | The UFED device or UFED4PC software on a PC is used to extract data from the mobile device; Logical or Physical Analyzer software can be used to store the data directly to the PC
Mobile device data analysis (analysis) | Logical or Physical Analyzer software | Software is used to analyze and report the data
Maintenance and upgrade (finalization) | All hardware and software modules | Software and UFED devices are upgraded to the latest standard
Since there are changes in all steps, each step has to be included in the theoretical and practical part of training, with appropriate training mobile devices and artifacts on the mobile devices. Maintenance and troubleshooting issues are key to keeping UFED kits operational, so they also have to be included. This is stressed here since it is usually overlooked in trainings.
Other mobile forensic tools are close to UFED, since mobile phone development forces forensic vendors to keep close. With general-purpose forensic tool vendors the situation is different, since the tool has limited mobile forensic capabilities, mostly only smartphone support. A good illustration of a general forensic tool is EnCase from Guidance Software. With the introduction of EnCase version 7 in 2011 the former mobile forensic version of EnCase, Neutrino, was discontinued. Its functionality was later added as a special smartphone module into the main EnCase v7 product. Since 2011 EnCase v7 got 26 versions and subversions with various upgrades, functionality changes and bug fixes (Table T9). It is the same amount of change to keep up with as for the mobile forensic tools, with the same support, testing and development requirements. The same holds for education and training for EnCase.
Table T9: EnCase version changes

Year | EnCase revisions
2011 | 8
2012 | 5
2013 | 6
2014 | 7
IV. METHODOLOGY FOR MOBILE FORENSIC TRAINING AND EDUCATION
Preparation of training mobile devices and forensic images requires a forensically sound approach, method and tools which will guarantee that training results will be reliable and useful. For specific vendor training, forensic images and artifacts are usually provided by the vendor, the same as for training materials. In reality it can happen, as it was in the early UFED situation, that only forensic images of mobile devices are provided by the vendor, but no officially approved training materials.
Preparing training materials, mobile devices and forensic images is an important and complicated task; basically for each new version or feature, images have to be recreated and reinstalled on mobile devices. This process is independent from training and usually covers three basic steps and some additional logistics steps.
Basic steps

1. Initialization of mobile devices to a known state: resetting the mobile device to factory defaults, then installing an image from a backup or other source, depending on the mobile device model, operating system etc. After this step the mobile device is ready for the next training event.

2. Creating mobile artifacts for each specific mobile device platform: a complex step which requires using applications and tools on the mobile device in a real-life scenario. For example, for each supported mobile phone real chat sessions were done, emails sent and received, SMSs exchanged while going through town, images taken, video recorded, connecting to WIFI etc. Each action is documented and time-stamped so artifacts can be compared and verified as preparation for training. It is a lengthy task requiring a lot of time and resources, usually done by a student during his internship work.

3. Creating the mobile device image: when the mobile device has all the necessary artifacts, a forensic image and backup is created as the baseline image from which other mobile devices of the same type will be cloned. Methods of cloning differ depending on the mobile device model and vary from backup/restore and synchronization methods to using dedicated cloning tools like UFED. It is also important to remember to create relevant forensic clones of SIM cards, to prevent mobile devices from changing the installed images. A forensic SIM clone is a SIM copy of the user data but without the data required for the GSM connection, so the mobile device cannot connect to the network while keeping its configuration and artifacts unchanged. This SIM copy is done with mobile forensic devices like UFED through a specialized SIM cloning function.
Additional logistic steps

1. Acquiring and maintaining the necessary fleet of mobile devices: mobile devices are changing, and to keep up with this change typical models and functionalities must be obtained. By our experience it means having about 5 devices of the same type in the training kit. At the moment it is about 60 mobile devices, 30 smartphones and 30 other phone models, some of them ageing. From this kit some 15 are in various states of degradation and are being replaced by new models. It is also important to keep some broken devices to show the techniques and methods available for partially functioning devices.

2. Acquiring and maintaining a set of SIM cards: as for the mobile devices, SIM cards from various mobile service providers have to be obtained, initialized, used and cloned to provide realistic usage patterns. Each SIM has a limited lifetime, so it has to be regularly maintained, the subscription renewed and the card replaced if necessary. For each event it is necessary to have a set of SIMs in a specific condition, locked or damaged, to provide realistic training scenarios.

3. Maintaining forensic equipment: forensic kits for mobile forensics have different elements, but they should be maintained and kept in order as any other tool; basically it is keeping up with vendor updates and changes.

4. Maintaining versions of forensic images and backups: each mobile device forensic image, backup or configuration has to be uniquely named, documented, listed and stored. Without these administrative practices
After each training event a forensic image of each used mobile device can be created and compared with the baseline image. The forensic image should be created with the available forensic tools and procedures. This is not a mandatory step, but it helps to keep track of changes and possible bugs or malfunctions in the forensic software or equipment. It also shows the patterns of how trainees work with mobile devices and the efficiency of the training, since any change in mobile device configuration or content outside of the planned actions shows a failure in the training procedures. Up to now no such failures were detected in the forensic images.
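One way to automate the post-training comparison described above, as an added example that is not part of the paper or of any vendor tool: every file in a baseline extraction and in the post-training extraction of the same device is hashed, the two manifests are diffed, and any change not on the list of planned training actions is flagged as an unplanned change. The directory layout, the file names and the planned-actions list are constructed assumptions.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def build_manifest(root):
    """Return {relative_path: sha256_hex} for every file under root.

    This is the inventory role the paper assigns to a baseline image:
    uniquely named, documented, and usable for later comparison.
    """
    manifest = {}
    root = Path(root)
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def compare_to_baseline(baseline, post_training, planned_changes):
    """Diff two manifests and separate planned from unplanned changes.

    Any added, removed or modified path not in planned_changes is what the
    paper treats as a failure in the training procedure (or a tool fault).
    """
    added = sorted(set(post_training) - set(baseline))
    removed = sorted(set(baseline) - set(post_training))
    modified = sorted(p for p in baseline
                      if p in post_training and baseline[p] != post_training[p])
    unplanned = sorted(p for p in added + removed + modified
                       if p not in planned_changes)
    return {"added": added, "removed": removed,
            "modified": modified, "unplanned": unplanned}


def write_tree(root, files):
    """Materialise a {relative_path: bytes} dict under root (test helper)."""
    for rel, content in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)


# Constructed sample data standing in for the baseline extraction and for the
# extraction taken from the same training phone after a course.
BASELINE_FILES = {
    "data/sms/inbox.db": b"sms baseline",
    "data/contacts/contacts.db": b"contacts baseline",
    "data/chat/skype/main.db": b"skype baseline",
    "media/DCIM/IMG_0001.jpg": b"photo one",
}
POST_TRAINING_FILES = {
    "data/sms/inbox.db": b"sms after trainee sent a test message",  # planned
    "data/contacts/contacts.db": b"contacts baseline",              # untouched
    "data/chat/skype/main.db": b"skype baseline",                   # untouched
    "media/DCIM/IMG_0001.jpg": b"photo one",                        # untouched
    "media/DCIM/IMG_0002.jpg": b"photo taken in class",             # unplanned
}
# Paths the exercise script told trainees to change (constructed assumption).
PLANNED_CHANGES = {"data/sms/inbox.db"}


def run_demo():
    """Build both trees in a temp dir and return the comparison result."""
    with tempfile.TemporaryDirectory() as tmp:
        base_dir = os.path.join(tmp, "baseline")
        post_dir = os.path.join(tmp, "post_training")
        write_tree(base_dir, BASELINE_FILES)
        write_tree(post_dir, POST_TRAINING_FILES)
        return compare_to_baseline(build_manifest(base_dir),
                                   build_manifest(post_dir),
                                   PLANNED_CHANGES)


if __name__ == "__main__":
    result = run_demo()
    for kind in ("added", "removed", "modified"):
        print(f"{kind}: {result[kind]}")
    if result["unplanned"]:
        print("UNPLANNED changes, review procedure and tools:", result["unplanned"])
    else:
        print("Device content matches the planned training actions.")
```

On real material the two manifests would be built from the mounted baseline and post-training images instead of the constructed trees, and the planned-changes list comes from the documented, time-stamped actions of the exercise script.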
For non-vendor-specific trainings and education it is almost the same situation, but with specific issues. This type of training and education covers general issues about mobile devices but also presents specific tools and the tasks to solve with each tool, leaving the tools themselves for vendor trainings. In such a typical training curriculum we have a list of topics with an expected interval for renewal and change; it is listed in Table T10.
Table T10: Topics in the mobile training curriculum and its lifecycle influences

Training topic | How often it has to be updated | Specific forensic image or specific device required
Introduction to mobile devices, technologies | Yearly | No
Introduction to mobile networks | Yearly | No
SIM cards and key serial numbers | Yearly | SIM cards and forensic images
Common challenges with devices | For each version or event | No
Forensics of the mobile devices | For each version or event | Example of locally used devices
Seizure of mobile devices | Yearly | Example of locally used devices
Types of extractions with mobile devices and comparison to regular computer extractions | For each version or event | Example of locally used devices
Tools for mobile forensics – analysis, searching, reporting | For each version or event | New devices and tools with updated kits, connection cables, flash boxes etc.
Introduction to smartphones and other “smart” devices | Yearly | Example of locally used devices
Introduction to mobile device operating systems | For each version or event; forensic images have to be updated | Example of locally used devices and forensic images of devices; forensic images have to be updated, same for the mobile devices
Key features and challenges with “smart” devices in the forensic sense | Yearly | Example of locally used devices
Recovering deleted data from a wide range of mobile devices, including locked devices | For each version or event | Example of locally used devices and forensic images of devices; forensic images have to be updated, same for the mobile devices
Understand how forensic software extracts and decodes data | For each version or event | Forensic images of devices; forensic images have to be updated
Understand how you can approach a forensic problem, defining a forensic strategy which may use a combination of tools and techniques to obtain evidence from a mobile device | For each version or event | Example of locally used mobile devices, forensic tools
Understand the different challenges in the field of mobile device forensics compared to those in traditional computer forensics | For each version or event | Example of locally used devices and forensic images of devices, forensic tools; forensic images have to be updated, same for the mobile devices
Understand the different acquisition methods available when examining mobile devices | For each version or event | Example of locally used devices and forensic images of devices, forensic tools; forensic images have to be updated, same for the mobile devices
Understand how and when to use the different approaches | For each version or event | Example of locally used devices and forensic images of devices, forensic tools; forensic images have to be updated, same for the mobile devices
Awareness of the limitations of each forensic method | For each version or event | Example of locally used devices and forensic images of devices, forensic tools; forensic images have to be updated, same for the mobile devices
Know how to approach defining an acquisition strategy for a new device | For each version or event | Example of locally used devices and forensic images of devices, forensic tools; forensic images have to be updated, same for the mobile devices
Each of these changes requires a full cycle of preparation and training refreshing, both for trainers and for people who have already attended training. Since each topic has a very fast update rate, a special type of training refresher is needed. To keep up with this lifecycle and these requirements, an efficient organization and logistics process should be established, with well-defined procedures for each step in the training process.
V. LESSONS LEARNED
For organizations sending personnel to training and education it is important to stress that it is actually a skill set and an internal organization that have to be acquired, implemented and maintained. This should be done by establishing an internal organizational structure and career path, and through continuous education and training for organization members [1]. It often happens that the internal organizational structure is missing while the need for specific skills is recognized, which is a very common scenario in law enforcement and defense organizations or any other organization which has a strict, legally defined structure. Methods and practical solutions for coping with such problems are presented in “Digital Forensic Triage” [1]. Since formally defining such an organizational structure is not part of training and education, it is important to deliver the message about its importance, because without it skills and knowledge are lost, nullifying the training results.
Based on our gathered experience it can be said that mobile education and training is a key part of keeping forensic ability, especially in law enforcement or military organizations. In such organizations there is a dichotomy between the needs and the ability to implement an organizational structure which keeps skills and expertise; this dichotomy should be constantly addressed and remedied with various formal and informal methods of training and education. Such methods as conferences, workshops, refreshers etc., while not as efficient as a full training set, provide at least the minimal necessary updates of skills and knowledge.
For the personnel receiving training it is important to stress the necessity of continuous work and keeping up with current developments, which again leads back to the internal organizational structure of the organization the trainee comes from. Again, without such an organization a person will probably get only one minimal introduction training; there will be no upgrades and no career path. Skills and forensic capabilities will soon be lost.
In some organizations informal internal keeping-up events can be organized, but this is sometimes a double-edged situation which often lasts only for a short period of time and fails later. Another key element for such organizations is implementing an internal communication network among personnel to keep skills and knowledge active. There are many possible models; the right model depends on the structure of the organization and legal requirements, since it is not the same for law enforcement, the military or business. What is often a good model is a kind of helpdesk or internal forum type of organization, which works well in most situations. There experts help others and keep knowledge and skills alive with a very simple informational infrastructure for support.
As mobile devices and forensic tools keep an extremely fast change rate, the same should hold for training and education, where the aim should be dual: to improve the expert level of knowledge and skills for a usually small group of expert users, and to keep a growing number of users able to efficiently apply mobile forensics.
VI. CONCLUSIONS
As a general conclusion we can say the training process should be tailored to the needs of the organization and the attendees. To cope with this conclusion a very efficient but resource-consuming process should be implemented, where trainings are kept up to date with various inputs: vendor development, user requirements, current best practice and client abilities (mostly budget restraints). This process is resource-expensive for all parties involved, since it mandates following fast-changing inputs in real time and compiling them into materials and technologies available for the current situation. As an example, what is proposed by a vendor or is best practice in another country is not applicable in the local context because of various technical or even legal reasons.
LITERATURE
[1] Stephen Pearson, Richard Watson: “Digital Triage Forensics”, Syngress, July 13, 2010, ISBN-13: 978-1-59749-596-7
[2] Sam Brothers: “iPhone Tool Classification”, http://www.appleexaminer.com/iPhoneiPad/ToolClassification/ToolClassification.html
[3] Gary C. Kessler: “Is Mobile Device Forensics Really "Forensics"?”, NIST Mobile Forensics Workshop, Gaithersburg, MD, June 2014
[4] Paul Henry: “Quick Look - Cellebrite UFED Using Extract Phone Data & File System Dump”, SANS Forensic Blog, 2010
[5] Sam Brothers: “Cell Phone and GPS Forensic, Tool Classification System (2009 Update)”, State of the Market Place as of: May 2009
[6] Windows Forensic, http://www.sans.org/