It is 8:45 in the morning. You are stuck in bumper-to-bumper traffic and will be unforgivably late for a crucial conference call. You decide to call in on your mobile phone. Then you realise that you have left your phone and personal digital assistant (PDA) at home ... and you start to sweat...
This scenario would be a nightmare to most people because they rely so much on handheld devices today. A study by Gartner estimated there would be 2.6 billion mobile phones in use by the end of 2009. Many mobile phones have built-in cameras and some possess the capabilities of both mobile phones and PDAs and can store music files too.
With the proliferation of mobile phones, smart phones, and PDAs worldwide for business and leisure, legitimate and illegitimate purposes, these advanced capabilities have an immense impact on computer forensics because forensic investigators are highly likely to encounter such handheld devices during their investigation process. The increasing size of storage, built-in cameras, and Internet-enablement of handheld devices make them a rich source of evidence. Apart from forensic investigators, system administrators as well as senior management in organizations should also beware that they cannot treat forensics of mobile phone and PDA lightly because of the unique characteristics of such handheld devices.
To date, only limited publications on handheld device forensics are available and they are predominantly technical papers describing how one should examine different types of handheld devices.2,3,6,11 The objective of this article is to draw the readers' attention to some of the major differences between personal computer forensics and handheld device forensics. As the target audience is not forensic professionals, this article forgoes the more technical details of handheld forensics and does not provide any specific forensic instructions. Instead it highlights and explains in laymen terms the unique characteristics of mobile phones and PDAs during the forensic investigation process in comparison with those of ordinary personal computers.
Computer forensics is about investigating digital evidence related to criminal or suspicious behavior where computers or computer-related equipment may or may not be the targets. This process of "identifying, preserving, analysing, and presenting" digital evidence which is legally acceptable7 is not much different from traditional forensic science. The only difference is that the former focuses on digital evidence whereas the latter focuses on physical evidence. Casey defines digital evidence as "any data stored or transmitted using a computer that support or refute a theory of how an offence occurred or that address critical elements of the offence such as intent or alibi."3
Digital evidence includes computer-generated records such as outputs of computer programs and computer-stored records such as email messages. It is important to criminal investigations because it can be used as proof of crime, connection or alibi.3 However, handling digital evidence is challenging because the evidence can be easily hidden, manipulated or altered. Moreover, it is difficult to attribute certain computer activities to an individual especially in a multiaccess environment. Similar to physical evidence, digital evidence provides only a partial view of what may have happened.
Falling prices of handheld devices and their resultant mass adoption make it more likely for forensic investigators to deal with mobile phones and PDAs today than 10 years ago. It was estimated approximately two billion people used mobile phones worldwide in 2005 and the number of mobile phone users was predicted to reach three billion in 2007. As more people use handheld devices for applications such as e-mail, SMS (Short Message Service), MMS (Multimedia Messaging Service) and online transactions, such devices provide a good source of evidence for forensic investigators to prove or disprove the commitment of crimes or location of suspects/victims. Evidence stored on a handheld device, such as its unique IMEI (International Mobile Equipment Identification) number, recent incoming and outgoing numbers, text messages, stored calendar events, as well as evidence stored beyond the device itself, such as the subscriber database and call data records maintained by network providers, can be useful to investigators.11
Similar to tracing Internet access activities, investigators can use mobile phone cell station information to determine the approximate location of either victims or crime suspects. Evidence generated from the cell site analysis of a victim's mobile phone was used by British police to convict the murderer of two teenage girls in 2003.9 In 2005, police tracked down a suspect of the London Underground bombings in Italy using a similar method.1
Computer forensics has attracted much attention in recent years because computers are often involved in crimes either directly or indirectly. The term "computer forensics" prima facie implies collecting digital evidence from computer equipment such as personal computers, servers and printers, but it is a process which is also applicable to handheld devices such as mobile phones and PDAs. While Palm, Nokia and Research In Motion (RIM)'s Blackberry tend to dominate the PDA, mobile phone and smart phone markets respectively, their market leadership positions are being constantly challenged by brands such as Sony Ericsson, Motorola, Panasonic, and Casio Cassiopeia. Such a wide variety of brands and models of handheld devices makes the tasks of forensic investigators even more complex and challenging.
Investigation principles. The fundamental principles of handling evidence are the same for computers and handheld devices. According to the NHTCU8 (the National Hi-Tech Crime Unit was established under the Association of Chief Police Officers, UK, and is now part of the Serious Organised Crime Association, 'SOCA'), forensic investigators should follow four main principles of handling digital evidence:
Regardless of the equipment encountered, forensic investigators should always follow the above four general computer forensic principles and maintain an unbroken chain of evidence and chain of custody of evidence at all times. Imaging and hashing are required to help the investigators maintain the chain of evidence. They should document everything and know their limitations. They should also look around the home or office of a suspect to look for any personal identification numbers (PINs) and any computer which might synchronise information with handheld devices. Before handling any equipment, investigators should photograph screens, take notes, and dust for fingerprints, if necessary. Forensic investigators who arrive at the scene often need to decide whether to leave the device on or to turn it off. They often need to retrieve evidence from deleted records on the seized equipment. However, it is often difficult for forensic investigators to link a computer or device to a specific individual especially in an unsecured office environment. When it comes to mobile phones and PDAs, it can be equally difficult for forensic investigators to establish such a linkage, particularly with prepaid mobile phones.9 Table 1 summarises some key differences between forensics of computers and that of handheld devices.
On/off dilemma. Investigators face a Catch-22 situation when it comes to preservation of evidence. It is controversial whether forensic investigators should turn off a suspect's computer. A similar but probably bigger problem exists for handheld devices. If handheld devices are turned off, existing evidence such as previously called numbers can be protected. Yet investigators may lose opportunities to gather more evidence from future incoming phone calls. Turning off the device may also potentially cause evidence to be lost and investigators may not be able to turn it on later if security measures are in place. For example, data from volatile memory could be wiped if a Blackberry is completely turned off.2
On the other hand, if mobile phones are kept on, existing evidence may be overwritten because of new incoming information.2 Criminals may also remotely access the handheld devices and destroy evidence. Therefore, unless a handheld device is put in a Faraday bag, signals going in and out of the device may potentially alter the evidence. Similarly, such signals may alter evidence when the device is moved from one geographic location to another.
Evidence volatility. While the SIM (Subscriber Identity Module) card of a handheld device is a good source of evidence, more evidence these days is stored on the built-in memory of the devices. Just like data stored on a computer hard disk, deleted files on a handheld device may be recovered provided that they are not overwritten. The internal memory of a PDA is a goldmine for forensic investigators because it typically stores information such as user data, program stack, pen strokes and key presses.10 However, this goldmine of evidence may just as easily turn into a minefield, as evidence may be lost easily due to power loss or receipt of new data.4 Because of the small size of their memory chip, evidence stored on handheld devices, especially those which are always on, such as Blackberry, is generally more volatile because existing evidence is more likely to be overwritten by new incoming messages. It is impossible for forensic investigators to recover remnants of previous messages in slack space as in dealing with computers because the unused space in mobile phones is filled with hex value FF.11 Handling of handheld devices is more tricky than ordinary computers also because evidence could be lost if the battery of the handheld device goes flat.5
Imaging process. Similar to handling digital evidence stored on computers (such as recovering deleted data), forensic investigators need to conduct imaging and hashing on handheld devices to maintain the chain of evidence. Yet unlike evidence on a computer hard disk, evidence on mobile phones and PDAs is more likely to be unavailable. Although certain products such as Palms have a 'backdoor' that facilitates imaging of evidence from RAM and/or ROM, subsequent imaging of the same device will generate different message digest values because heaps inside the device are reinitialised internally.10 Therefore, it is vital for investigators to get it right the first time when they conduct imaging on handheld devices to prevent potential loss of evidence.
Size of evidence. Although handheld devices especially PDAs and smart phones have more computing power and can store more data than a decade ago, the size of evidence stored on them is still relatively smaller than that of personal computers. Hence, it will take forensic investigators relatively shorter time to image the handheld device and analyse the evidences.
The ever-advancing computing industry requires investigators to constantly keep themselves abreast of the latest technological developments. Such rapid development is especially true of handheld devices. For example, while customers worldwide are switching to 3G mobile devices slowly these days, the communication industry has been working fiercely on the 4g mobile technology.
With the design of handheld devices becoming more complex and diverse over time due to a lack of standardisation among handset manufacturers,12 it becomes more problematic for forensic investigators. While only three main operating systems are used in personal computers: Windows, Unix, and Macintosh,4 there is a wide variety of brands (for example, 3Com Palm, Casio Cassiopeia, Blackberry, Nokia, Motorola) and models of mobile phones and PDAs which use different operating systems. In addition to the Palm operating system (OS) which dominates the PDA market and the Symbian OS which dominates the smart phone market, there are other operating systems in use by handheld devices such as Pocket PC, Embedded Linux and derivatives of Windows CE. It is hard for forensic investigators to familiarise themselves with all the diversities. Hence, investigators have a higher chance of accidentally altering evidence when they deal with handheld devices and personal computers.
Although the ownership rate of handheld devices increases dramatically over the last decades, training available for forensic investigators is still concentrated mainly on personal computers. Likewise, certification for computer forensic investigators by organizations such as International Information Systems Forensics Association (IISFA) and International Society of Forensic Computer Examiners (ISFCE) is limited primarily to non-handheld devices, although some specialized training in handheld devices investigations is provided by organizations such as High Tech Crime Institute (HTCI) and Paraben Corporation.
Forensic tools for PDAs and handhelds are relatively fewer than those available for personal computers, and of those available, their application is generally limited to the popular operating systems - Palm and Pocket PC.6 Tools such as Palm dd (pdd), which is a spin off the Unix dd, and Pilot-Link can be used to retrieve an image of the RAM of a PDA device. Researchers in the Netherlands also have been working on a tool called TULP2G to recover evidence from handheld devices. Compared to personal computers, forensics tools for are more often open-source and in command mode.
While handheld device forensics belong to the family of computer forensics and the two may appear identical to the uninformed, they are not in reality identical. Their latent dissimilarities make them quite different and potentially fatal to the unwary investigators. The objective of this article is to address the traps that lie ahead of forensic investigation of handheld devices. The eight key differences between forensics of computers and that of handheld devices discussed here include: on/ off dilemma, evidence volatility, imaging process, size of evidence, technology development, operating systems, training, and forensic tools. In order to prevent any mishandling of digital evidence, business managers and IT professionals need to take a proactive approach to equip themselves and their staff with knowledge specific to handheld device forensics.
More training provided by government agencies, private forensic consultancy companies, and tertiary institutions is required. Meanwhile, computer forensic certification associations also need to expand their certification scope and clarify their requirements on how to handle handheld devices. Demand of forensic investigators who are adept at handling handheld devices is fuelled by an increasing adoption rate of such devices. If IT professionals are not ready for this new wave of technology, they will miss out on the opportunity.
1. BBC. Tracking a suspect by mobile phone. BBC News, (Aug. 3, 2005); http://news.bbc.co.Uk/l/hi/technology/4738219.stm
2. Burnette, M.W. Forensic Examination of a RIM (Blackberry) Wireless Device. Rogers & Hardin LLP Report (2002); http://www.rh-law.com/ediscovery/Blackberry.pdf.
4. InformIT. PDA forensics. 2006. InformIT. com; http://www.informit.com/guides/content.asp?g=security&seqNurn=104&rl=1.
5. IOCE (International Organisation on Computer Evidence) Good practices for seizing electronic devices, 2000; http://www.ioce.org/2000/ioce%202000%20electronic%20devices%20good%20practices.doc.
7. McKemmish, R. No. 118 What is Forensic Computing. Australian Institute of Criminology Trends and Issues in Crime and Criminal Justice (1999) http://www.aic.gov.au/publications/tandi/till8.pdf
9. Summers, C. Mobile phones - the new fingerprints. BBC News, (Dec. 18 2003); http://news.bbc.co.Uk/l/hi/uk/3303637.stm.
10. Weiss, A. PDAs and Forensic Science. Presentation Slides 2002; http://www.cs.ucf.edu/courses/cgs5132/spring2002/presentation/weiss.ppt
12. Yeomans, R. New developments in Mobile Phone Forensics and Call Analysis. 2005; http://www.vogon-international.com/vision/16/forensic/mobile-phone-forensics.htm.
©2009 ACM 0001-0782/09/0600 $10.00
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.
The Digital Library is published by the Association for Computing Machinery. Copyright © 2009 ACM, Inc.
No entries found