As the world of technology continues to move toward mobile devices, these devices are becoming rich targets for malware, bad actors, and even government agencies seeking to increase the scope of their surveillance capability. Of course, there's a lot that an enterprise can do to secure its mobile devices properly. However, the reality of today's threat landscape is that organizations will likely need to conduct mobile forensics when—not if—the mobile devices of their users are compromised, or when detailed activity information is required to determine how a device was used in an inappropriate manner. While traditional digital forensics methods share some common aspects with mobile device forensics, several aspects of mobile devices require an additional level of technical and procedural discipline if forensic capabilities are to be useful.
Mobile Data Storage Complexity
One of the most complex issues around mobile device forensics is the myriad of locations, components, and form factors where useful data is stored. Where a typical laptop computer has volatile memory (RAM), non-volatile memory (such as the BIOS), and disk storage as the primary locations to look for data during forensic analysis, mobile devices aren't that simple. The mobile device itself contains both volatile and non-volatile memory, such as NAND and NOR flash memory, both of which may contain applications and data useful for forensics, such as pictures and address books. A universal integrated circuit card (UICC) is also present on any mobile device that can access cellular networks (usually as a SIM card), and it contains both RAM and ROM that can include valuable forensic data, including text messages, call logs, location information, and other data. Moreover, the physical SIM card format itself can vary; there are currently three different size form factors for SIM cards on the market today, and the European Union (EU) is currently evaluating a fourth. Beyond these locations, there is a diverse collection of other sources, including SD format media, CompactFlash (CF) media, and other removable data repositories where data critical to mobile forensics can reside. The most difficult aspect of mobile forensics, though, is simply the wide range of operating systems, coupled with hardware makes and models, as compared to a traditional computer. As device and operating system diversity grows, this fragmentation will continue to pose ever-greater challenges for forensic engineers.
Mobile Forensics Standards
For many organizations, in-house forensic assessment of mobile devices has been impossible; forensics have required outsourcing to highly specialized vendors, for enormous sums of money. While the need for specialized forensic software and hardware isn't going away any time soon, the tide is beginning to turn regarding best practices and processes for forensic analysis. The National Institute of Standards and Technology (NIST) has established standards (known as Special Publication 800-101, "Guidelines on Mobile Device Forensics," and currently in draft form) for mobile device forensics, and these standards are strongly focused on the development of processes to ensure effective data collection with minimal damage, while preserving the chain of custody if legal proceedings are required. Other organizations, such as the Department of Homeland Security (DHS) CyberFETCH site, provide additional best practices for mobile digital forensics. These sources provide engineers who need to conduct forensic activities with blueprints for handling key steps in the forensic process, including preservation and isolation of the device, data acquisition, data analysis and context, and chain of custody legal issues and potential challenges.
While the discipline of digital forensics has been around for decades, mobile devices present new challenges for physical access, device isolation, data acquisition, and analysis. Fortunately, emerging consensus-driven standards, including NIST's draft guidelines, present an opportunity for organizations and forensic tool vendors to ensure consistent, effective digital forensics across nearly any type of mobile device and to provide much-needed information in the event of an attack.