Framework and a Process for Digital Forensic Analysis on Smart Phones with Multiple Data Logs (Jan 2017)
Biographical notes:
Benjamin Thomas (BSc, MRes) has recently completed his MRes in Computer Science from Staffordshire University. Benjamin's research interest falls into digital forensics, more specifically mobile forensics.
Lo'ai A. Tawalbeh (SM IEEE) received his MSc and PhD degrees in Computer Engineering from Oregon State University, USA in 2002 and 2004 respectively. Dr Tawalbeh is a tenured associate professor at the Computer Engineering Department at Jordan University of Science and Technology (JUST), Jordan, and the Director of the Cryptographic Hardware and Information Security (CHiS) lab at JUST. From 2013 until 2016 he was a visiting professor at Umm AlQura University, Mecca, SA. Now he is a researcher at Koc Lab, UCSB, CA, USA. Dr Tawalbeh worked in many
Table 1. Problem area comparison between PCs and handheld/ mobile devices
There are many differences between computers and mobile phones. Mobile phones run on many different types of operating system depending on the make and model of the phone, and each operating system works differently. The main mobile phone operating systems are Android (Rastogi et al., 2016), iOS and Windows, but there are others, and also many different versions of these operating systems that get upgraded on a regular basis. On the other hand, computer operating systems don't change as much, and there are also fewer operating systems to choose from. The main operating systems are Windows, Mac OS and Linux. There are different versions of each of these operating systems, but they do not get updated as often as the mobile phone operating systems. This is also the case for the mobile hardware, which keeps changing. Due to the varying software and hardware on mobile phones, analysis tools will also need constant updating to cope with these changes. Table 1 shows forensic tool attributes for PCs and mobile/handheld devices (Finocchiaro, 2008) (Forensic Pathways, 2012).

Yates argues that there is great difficulty in performing digital forensics on mobile devices due to the lack of tools that can keep up with the proliferation of variants of devices and operating systems. Compared to PCs, modern mobile phones run on more diverse operating systems depending on the make and model of the phone. Mobile phones' operating systems tend to be upgraded more often than those of PCs; similarly, mobile phones' hardware changes at a faster pace. Yates also emphasises the physical constructional differences as being pertinent. "Computers have two types of memory: Random Access Memory (RAM), or secondary or volatile memory, and Read Only Memory (ROM), or primary memory. A mobile device only has one, RAM, unless a SIM card is present, then the SIM card functions as ROM"11. More evaluation techniques and tools for mobile forensics can be found in (Micro Systemation, 2013), (Murphy, 2011) and (Oxygen Forensics Suite, 2013).

The next section covers the related work, including a description of the best known mobile forensic analysers. Section 3 then provides an evaluation and comparison of these analysers, identifying the main gap, which will be addressed by the contribution of this paper. Section 4 evaluates the most relevant frameworks from the literature related to mobile forensic analysis. Section 5 covers in detail the proposed framework to address the identified gap in existing frameworks and tools. Section 6 is the conclusion.

2. Related Work

Mobile phone forensics is extremely important in the modern world. Due to the way that mobile phones have improved what they can do over the last 10 years, they are now more or less mini computers that can be taken anywhere. Mobile phones can now hold almost all types of file, meaning that carrying illegal data is much easier. Due to how data can be transferred to and from mobile phone devices, other data can be extracted from mobile phone devices than from computers, including texts, calls and many other kinds of data. Now that mobile phones have satellite location built into them, as long as the phone is turned on, data about the location of a person can be extracted using certain mobile phone analysers.
242 E. Benkhelifa et al.
The use of phones in crime was widely recognised for some years, but the forensic study of mobile devices is a relatively new field, dating from the early 2000s. A proliferation of phones (particularly smartphones) on the consumer market caused a demand for forensic examination of the devices, which could not be met by existing computer forensics techniques (Armstrong, 2012). As a result of these challenges, a wide variety of tools exist to extract evidence from mobile devices; no one tool or method can acquire all the evidence from all devices. It is therefore recommended that forensic examiners undergo extensive training in order to understand how each tool and method acquires evidence, how it maintains standards for forensic soundness, and how it meets legal requirements. Paraben Corporation published an extensive comparison chart for the most credible mobile forensic software solutions available in the market, which confirms the authors' knowledge that there exists no mobile forensic solution that extracts and maps data from calls (incoming and outgoing) together with pictures, geographical location and web logs. This is therefore the main motivation behind the research presented in this paper, where the authors propose a framework solution which could contribute to the development of a novel and potentially market-leading mobile forensic tool (Pan, 2008).

There are not many tools for forensic phone analysis available in the market. The available tools do treat very similar tasks, but in different ways. This section reviews and compares the most known, used and cited mobile phone forensic analysers. This will be used to help identify the gaps within the market.

2.1 Micro Systemation XRY

XRY (Micro Systemation, 2012) is a software package that allows secure forensic extraction of data from a variety of mobile devices, including mobile phones, smartphones, satellite navigation systems, 3G modems, portable music players and the latest tablet devices. XRY allows users to decide between physical and logical extraction. These two methods can extract the same data, but extra data is obtained through physical extraction. Logical extraction from the mobile device will be presented to the investigator in a logical and ordered manner that allows the data to be easily sorted and the required evidence found. Logical extraction also allows for easier report creation.

Physical extraction works by bypassing the operating system of the mobile phone to be able to extract the raw data from the physical storage device. Physical extraction allows the investigator to recover deleted data from the device to gather more evidence. The physical extraction is a two-stage process, these being the `dump` and the `decode`. The dump stage is where the raw data is recovered from the device, and the decode stage is where XRY can automatically reconstruct the raw data into a readable format; for example, extracting deleted SMS messages without needing to manually carve the data. Physical extraction is mainly used when mobile devices do not have SIM cards or have security locks on the phones. Some of the key features of using XRY are:
- XRY specialises in recovering and restoring deleted data.
- Works with all mobile devices including mobile phones, smartphones, GPS navigation and tablet computers.
- Allows SIM card cloning.
- Decoding of recovered data into a readable format without data carving.

2.2 Oxygen Forensic Suite

Oxygen Forensic Suite is a software package that allows users to extract and analyse data from mobile devices. Oxygen Forensic Suite is able to extract data from mobile phones, smartphones, satellite navigation systems and certain tablet computers. Oxygen Forensic Suite is compatible with more than 6300 mobile devices; all of the main brand mobile devices are included, and most of the phones that have a Chinese chip in them are also covered. Oxygen Forensic Suite can extract more than just the basic information from mobile devices. This means that more data can be extracted, meaning that more potential evidence is secured. Oxygen Forensic Suite can also recover deleted SMSs from the mobile devices. Depending on the mobile model, examples of this data are: SIM card data, speed dial lists, missed, dialled and incoming calls, SMS timestamp information, geographical coordinates, Java applications, GPRS (General Packet Radio Service) and Wi-Fi activity (Oxygen Forensic Suite, 2013). Oxygen Forensic Suite allows for easy analysis and report creation. This allows all data to be easily seen in an order that enables quick and easy examination. Some of the key features of using Oxygen Forensic Suite are:
- More than 6300 mobile devices are compatible.
- Supports a large number of phone manufacturers and models.
- Allows recovery of deleted SMSs.
- Allows geographic coordinates to be extracted.
- Allows Wi-Fi activity extraction.

2.3 Cellebrite Mobile Forensics UFED Touch Ultimate

UFED Touch Ultimate is an all-in-one software and hardware package that enables logical and physical extraction of data from mobile devices. UFED Touch Ultimate allows decoding of data, analysing of data and reporting on the data. UFED Touch Ultimate is compatible with feature phones, smart phones, portable GPS units, tablet computers and any chipsets that have been manufactured in China. The UFED Touch Ultimate allows the investigator to extract the file systems from the mobile devices; this means that how the data is stored on the mobile device can be seen, meaning more data can be identified, including any deleted data that has been found in the file systems. UFED Touch Ultimate also allows for password extraction; this means passwords do not have to be cracked in order to access files that are protected (Cellebrite, 2013). Some of the main features of the UFED Touch Ultimate are:
- Cellebrite is an all-in-one unit, meaning that it is portable.
- It has a UFED reader built in that allows authorised personnel to share information with others.
- Comes with all the cables that will be needed to connect to every phone.
- File system and password extraction.

2.4 Paraben Device Seizure

Paraben Device Seizure is a Windows-based mobile device analyser. Paraben Device Seizure allows logical and physical extraction of mobile devices. Paraben Device Seizure is compatible with most CDMA (Code Division Multiple Access) phones, Android phones and some GPS devices. Paraben Device Seizure allows password extraction to be able to see all of the data that is on the device. This allows a fuller investigation to be carried out. Paraben Device Seizure also has an integrated Google Earth function; this allows the GPS coordinates to be plotted to ensure a visual representation of where the phone has been throughout the world. The advanced data parser function allows all the data that is extracted to be shown in a readable format, making it easier to analyse the data and then present it in a readable format for the report creation (Paraben Corporation, 2013). Some of the main features of Paraben Device Seizure are:
- Logical and physical data extraction.
- User password extraction.
- Advanced data parsers.
- Google Earth plotting feature.

2.5 Forensic Phone Analyser – FPA

Forensic Phone Analyser (Forensic Pathways, 2012) is a piece of software that allows for mapping of calls that have been made and received from a mobile phone. Forensic Phone Analyser works by taking extracted data and ordering it to allow faster and more effective reporting and querying. Forensic Phone Analyser takes the data and can map all of the phone calls that have been made and received from a mobile phone and output the data in a visual representation. Forensic Phone Analyser can connect phones together through the phone number of the mobile phone; this allows individuals and phone numbers to be connected together. This proves that calls have been made or received between the phones. Forensic Phone Analyser works by importing data that has been extracted using separate mobile phone analysing tools. Examples of the phone analysers that are supported are XRY and Cellebrite. Examples of data that are used within the mapping are: phone hard drive, SIM cards, SMS messages, contacts, images and communications. Forensic Phone Analyser advertises the following key features of the software:
- Converts/cleans the data into a common format
- Aggregates data from many different sources
- Cross-references calls, texts and address books
- Enables the data to be searched and queried
- Reveals links, associations and relationships within the data
- Common and/or legitimate numbers can be ignored
- Enables statistical analysis of the data
- Enables automated reporting of results

3. Evaluation of Existing Mobile Phone Forensic Analysers

The evaluation is done by creating a set of metrics to enable a fair evaluation of the chosen tools. Using metrics to critically evaluate mobile forensic tools against one another will increase the understanding of the tools themselves, allowing for a greater in-depth knowledge of what the mobile forensic tools are capable of doing. The metrics are also used to allow the evaluator to have a visual representation of the data that the mobile forensic tools can give. This allows for a faster and more effective way of seeing the data that has been evaluated. These metrics were chosen by evaluating the main mobile phone analysing tools that are available in the market place and listing the main features that the tools advertise.

This was done by choosing some of the features that all of the tools have, but mainly looking at the unique features of each tool. Some metrics were then thought up that have not been brought up through reading the literature. These metrics came from knowledge and background reading within the area. The metrics were chosen because they cover a large area of the capabilities of the mobile phone analysing tools that are available on the market; also, some of these areas are not covered by all of the mobile phone analysing tools, allowing the gaps within the market to open up and become visible.

Table 2 shows that most attributes for extracting data from mobile phones are possible, but only by using multiple evaluation tools, which is time consuming, costly and requires expert users of all these evaluation tools. Also, by using more than one analysis tool on the same smart phone for different data logs, the possibility of inaccuracy in the analysis could be high. Table 2 also shows a gap in the market for mobile forensic analysis tools which can also map the analysis of geographical location, password extraction and 4G connectivity.
The Evidence Extraction Framework, proposed by (Murphy, 2011), has been created to demonstrate the process for extracting evidence from a device and then documenting it and archiving the data for use at a later date. The framework covers all of the main processes of extracting the data from a device and can be used for computer data extraction and for mobile device extraction. For this paper, we focus on the mobile data extraction. The reason this framework has been created is to make sure that no steps get missed out during one of the most important stages of the investigation, in order to avoid losing any vital data. The extraction process can be a long process, and having a framework to be able to visually show all the main processes could come in useful. The framework has many good aspects to it, such as starting the extraction process from the point of intake; the framework also states the stages of presentation and archiving. However, the way that the framework comes across is a mix between the extraction phase and the investigation phase. Through the extraction process documentation will need to be carried out throughout; however, a report will not be produced until the investigation stage has been completed. Due to the wording of the framework, it seems that this has not been taken into consideration. From this one stage the framework then moves on to presentation and archiving of the extracted data; from an extraction point of view this does not have to be carried out, as the data will need to be in its raw form for it to be investigated properly, and it would not need to be archived as it has not yet been examined. Also, this framework does not give any detail of what will need to be carried out for each of the steps to be completed; this makes the framework more of a general overview of data extraction.

(Haggerty et al, 2011) proposed a framework for the investigation of email data. The proposed framework demonstrates how emails can be acquired, analysed and presented within computer forensics. This framework can easily be adapted to work within

SFIPM (Smartphone Forensic Investigation Process Model), proposed by (Geol et al, 2012), explains the entire process of a smartphone forensic investigation. SFIPM is also capable of cell site analysis, which locates where a smartphone was or is at a specific date and time (Disklabs, 2013). SFIPM addresses most of the gaps found in the previously described frameworks, in addition to new features such as supporting Personal Digital Assistant mode and whether the memory is volatile or non-volatile (Freudenrich C, 2012). However, this model needs to focus more on the examination and analysis sections to allow for a more in-depth understanding of the overall investigation of mobile phones.

5. The Proposed Framework for Smartphone Forensic Analyser

The overall proposed framework is depicted in Figure 1. The purpose of the framework is to allow the investigator to plot a map of where an individual (phone holder) has been travelling to and from with the mobile device. The framework starts off by collecting the metadata from the mobile phone; this data comes from the different sections of the phone. This framework considers the metadata related to photos, calls and geographical location. The metadata that the framework will collect is location (co-ordinates), times and dates (of the locations). This metadata is archived in a database for the duration of the investigation.

The inference engine of the framework will then plot all of the locations and number them; the numbering of the locations allows a look-up table to be used to enable the investigator to put the times and dates with the location markers. The framework produces a map around the area of the locations; this map will have all of the locations that have been extracted from the mobile phone device on it. Each location will have the co-ordinates of the location next to it in brackets. This map will also have lines connecting each of the locations with each other to show the movements of the phone holder. These lines will be plotted according to the times and dates that the phone holder was at each location. The framework will then produce a table that will have the location number, time and date of each location. This will act as a look-up table for the investigator and makes the map easy to analyse.

Figure 1 shows how the data travels through the process. Within the phone, metadata from the photos, calls, geographical location and web logs/content is first extracted and stored in the metadata database. The metadata is extracted from the general data that was provided (this metadata is location, time and date). The engine then requests the data from the database; the engine is the part of the framework where most of the work happens. From the engine the reports and map are created; this is what the investigator will show in court.

Fig. 1. High level framework architecture

5.1 Extracting the Geographical Data

The process then extracts the information about the locations that have been searched for within the application; this can show potential locations that an individual has been to. The process then takes all of the locations and extracts the dates and times that the application has been opened and the destinations that have been searched. This information is then stored in the metadata database. The satellite navigation side of the process works in a similar way. It will extract the information about the routes that have been searched for. This information will allow the investigator to see any potential routes that may have been looked at for travelling. The process then extracts information about all the routes that have been travelled. This allows the investigator to track the exact route that an individual has travelled along. The final stage is extracting the dates and times of these route searches and routes travelled. This information is then stored in the metadata database.
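As an added illustration of the inference engine described in Section 5 and the search/route metadata of Section 5.1 (example code written for this page, not the authors' implementation), the following Python numbers the distinct locations in order of first visit, labels each marker with its co-ordinates in brackets, builds the look-up table of location number, date and time, and derives the chronological lines between markers. The MetaRecord layout, the four-decimal rounding used to merge near-identical fixes, and the sample records are constructed assumptions; items with no location fix are reported separately rather than silently dropped.

```python
"""Inference engine of the proposed framework (added example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

Coord = Tuple[float, float]

@dataclass(frozen=True)
class MetaRecord:
    source: str           # "photo", "call", "gps", "web", "nav_search", "nav_route"
    when: datetime        # time and date attached to the item
    lat: Optional[float]  # None when the item carried no location fix
    lon: Optional[float]
    note: str = ""        # free text, e.g. file name or call direction

# Constructed sample metadata database for one case; timestamps deliberately out of order.
SAMPLE_DB: List[MetaRecord] = [
    MetaRecord("photo", datetime(2016, 3, 4, 9, 15), 52.8053, -2.1166, "IMG_0001"),
    MetaRecord("call", datetime(2016, 3, 4, 8, 50), 52.8053, -2.1166, "outgoing"),
    MetaRecord("gps", datetime(2016, 3, 4, 12, 30), 53.4808, -2.2426),
    MetaRecord("web", datetime(2016, 3, 4, 10, 5), None, None, "no fix in log"),
    MetaRecord("nav_search", datetime(2016, 3, 4, 11, 0), 53.4808, -2.2426, "destination"),
    MetaRecord("nav_route", datetime(2016, 3, 4, 13, 0), 53.4084, -2.9916, "route travelled"),
    MetaRecord("photo", datetime(2016, 3, 4, 18, 40), 52.8053, -2.1166, "IMG_0002"),
]

def _key(r: MetaRecord) -> Optional[Coord]:
    """Rounded co-ordinates (assumed 4 decimals, ~11 m) so repeat visits share one marker."""
    if r.lat is None or r.lon is None:
        return None
    return (round(r.lat, 4), round(r.lon, 4))

def number_locations(records: List[MetaRecord]) -> Dict[Coord, int]:
    """Assign each distinct location a marker number in order of first visit."""
    markers: Dict[Coord, int] = {}
    for r in sorted(records, key=lambda x: x.when):
        k = _key(r)
        if k is not None and k not in markers:
            markers[k] = len(markers) + 1
    return markers

def marker_labels(markers: Dict[Coord, int]) -> Dict[int, str]:
    """Map label per marker: the number with its co-ordinates next to it in brackets."""
    return {n: f"{n} ({lat}, {lon})" for (lat, lon), n in markers.items()}

def lookup_table(records: List[MetaRecord], markers: Dict[Coord, int]) -> List[Tuple[int, str, str]]:
    """Rows of (location number, date and time, source) for the investigator's table."""
    rows = []
    for r in sorted(records, key=lambda x: x.when):
        k = _key(r)
        if k is not None:
            rows.append((markers[k], r.when.isoformat(sep=" "), r.source))
    return rows

def movement_lines(rows: List[Tuple[int, str, str]]) -> List[Tuple[int, int]]:
    """Lines drawn on the map: one edge per chronological move between different markers."""
    return [(a[0], b[0]) for a, b in zip(rows, rows[1:]) if a[0] != b[0]]

def unplottable(records: List[MetaRecord]) -> List[MetaRecord]:
    """Items with no fix, listed so the investigator knows they are absent from the map."""
    return [r for r in records if _key(r) is None]

if __name__ == "__main__":
    m = number_locations(SAMPLE_DB)
    for row in lookup_table(SAMPLE_DB, m):
        print(row)
    print("lines:", movement_lines(lookup_table(SAMPLE_DB, m)))
    print("not plotted:", [r.source for r in unplottable(SAMPLE_DB)])
```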
Fig.7. Types of data that can be extracted from one mobile device for forensic investigation
Armstrong, C. (2003). ‘Developing a framework for evaluating computer forensic tools’. The Evaluation in Crime and Justice: Trends and Methods Conference, convened by the Australian Institute of Criminology in conjunction with the Australian Bureau of Statistics, Canberra, 24-25 March 2003.

Ayers, R., Jansen, W., Cilleros, N. and Daniellou, R. (2005). ‘Cell phone forensic tools: An overview and analysis’. NIST, Gaithersburg. NISTIR 7250.

Benkhelifa, E., Welsh, T., Tawalbeh, L. and Jararweh, Y. (2016). ‘Promoting Energy Modelling in Network Simulations for Optimising Mobile Device Power Consumption’. Springer Mobile Networks and Applications.

Cellebrite. (2013). ‘UFED touch ultimate’. [online] http://www.cellebrite.com/mobile-forensic-products/ufed-touch-ultimate.html (accessed Nov 2016)

Benkhelifa, E., Welsh, T., Tawalbeh, L. and Jararweh, Y. (May 2016). ‘Framework for Mobile Devices Analysis’. Procedia Computer Science, Elsevier. In the 7th Ambient Systems and Networks conference (ANT 2016), Vol. 83, pp. 1188-1193.

Daojing, H., Chan, S. and Guizani, M. (2015). ‘Mobile application security: malware threats and defenses’. IEEE Wireless Communications 22.1 (2015): 138-144.

Disklabs. (2013). ‘Cell Site Analysis’. [online] http://www.mobilephoneforensics.com/cell-site-analysis.php (accessed April 2015)

Finocchiaro, C., Goldman, E., Natarajan, A. and Stanek, M. (2008). ‘Mobile device forensic tool evaluation’. [online] http://www.ericgoldman.name/security/17-forensics/36-mobile-device-forensic-tool-investigation (accessed April 2015)

Forensic Pathways. (2012). ‘Mobile/cell phone forensics’. [online] http://www.forensic-pathways.com/products-and-services/mobile-phone-forensics (accessed April 2015)

Geiger, M. (2005). ‘Evaluating commercial counter-forensic tools’. Pittsburgh.

Murphy, C. (2011). ‘Developing process for the examination of cellular phone evidence’. 1-12.

Oxygen Forensics Suite. (2013). ‘Oxygen Forensics Suite’. [online] http://www.oxygen-forensic.com/en/ (accessed July 2015)

Pan, Y. (2008). ‘Project 1: Tools of mobile forensics’. [online] http://www.ericgoldman.name/media/Mobile_Forensics-Tool_Analysis.pdf (accessed July 2015)

Paraben Corporation. (2013). ‘Device seizure 6’. [online] http://www.paraben.com/device-seizure.html (accessed Nov 2016)

Rastogi, S., Bhushan, K., et al. (2016). ‘Android Applications Repackaging Detection Techniques for Smartphone Devices’. Procedia Computer Science, Elsevier, 2016.

Tawalbeh, L., Mehmood, M., Benkhelifa, E. and Song, H. (2016). ‘Mobile Cloud Computing Model and Big Data Analysis for Healthcare Applications’. IEEE Access. ISSN 2169-35-36. Pages 6171-6180.

Lo'ai, A.T., Bakheder, W. and Song, H. (2016, June). ‘A mobile cloud computing model using the cloudlet scheme for big data applications’. In Connected Health: Applications, Systems and Engineering Technologies (CHASE), 2016 IEEE First International Conference on (pp. 73-77). IEEE.

William, E. (2011). ‘Defending users against smartphone apps: Techniques and future directions’. International Conference on Information Systems Security. Springer Berlin Heidelberg, 2011.

Yi, X. and Mao, S. (2013). ‘A survey of mobile cloud computing for rich media applications’. IEEE Wireless Commun. 20.3 (2013): 1-0.