See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/320396033

A Framework and a Process for Digital Forensic Analysis on Smart Phones

with Multiple Data Logs

Article in International Journal of Embedded Systems · January 2017

DOI: 10.1504/IJES.2018.10014929

CITATIONS READS

0 240

4 authors, including:

Elhadj Benkhelifa Loai Tawalbeh

Staffordshire University Texas A&M University San Antonio
188 PUBLICATIONS 3,661 CITATIONS 149 PUBLICATIONS 3,667 CITATIONS

SEE PROFILE SEE PROFILE

Yaser Jararweh
Jordan University of Science and Technology
424 PUBLICATIONS 11,752 CITATIONS

SEE PROFILE

All content following this page was uploaded by Loai Tawalbeh on 14 October 2017.

The user has requested enhancement of the downloaded file.

Int. J. Xxxxxx Xxxxxxx Xxxxxxx, Vol. X, No. Y, XXXX

A Framework and a Process for Digital Forensic Analysis on Smart

Phones with Multiple Data Logs

Elhadj Benkhelifa1, Benjamin E. Thomas1, Lo’ai Tawalbeh2,3, and Yaser

Jararweh3
1
Staffordshire University, Mellor Building, College Road, Stoke on Trent, ST UK
2
Computer Engineering Department, Umm Al-Qura University, Makkah, Saudi Arabia
3
College of Computer and Information Technology, Jordan University of Science and
Technology, Irbid, Jordan

Abstract: Nowadays mobile devices are considered an essential component of

our daily lives. The rapid evolution in mobile computing has becomes a
frustrating factor for law enforcement and the forensic community at large,
because of the lack of industry standard, tools and training. Smartphones are
becoming the most difficult to extract evidentiary data from. While many
commercial forensic tools have made great strides in supporting data extraction,
decoding, and analysis, some challenges remain. The smart phones not only
keep us connected but also can act as a mobile office, a social tool, and an
entertainment center. The combination of functionality, processing power, and
storage space makes smartphones a prime target for investigators. Up to our
knowledge, there is no mobile forensic analysis solution that maps data from
different sources including calls, geographical location, multimedia, and web
logs. Based on this motivation, in this paper, we aim to propose a framework
solution, which could contribute to the development of a novel and potentially a
market leading mobile forensic tool.

Keywords: Mobile Computing, Smart Phones Analysis, Framework, Digital

Forensics, Metadata, mobile phone forensics

Reference to this paper should be made as follows: Author(s) (2017) ‘paper

title ’, Int. J. Embedded Systems, Vol. X, No. Y4, pp.000–000.

Biographical notes:

Elhadj Benkhelifa (PhD, IEEE) is an Associate Professor at Staffordshire

University, Faculty Director of Mobile Fusion Applied Research Centre and
Head of Cloud Computing and Application Research Lab. Elhad is leading a
fast growing research team in pioneering research projects and has published
extensively in his areas of research. Elhadj has also founded and chaired a
number renowned conferences and is a member of a number of editorial boards.

Benjamin Thomas (BSc, MRes) has recently completed his MRes in computer
Science from Staffordshire University. Benjamin research interest falls into
digital forensics more specifically, mobile forensincs.

Lo’ai A. Tawalbeh: (SM IEEE) received his MSc and PhD degrees in Computer
Engineering from Oregon State University, USA in 2002 and 2004 respectively. Dr
Tawalbeh is a Tenure associate professor at the Computer Engineering Department at
Jordan University of Science and Technology (JUST), Jordan, and the Director of the
Cryptographic Hardware and Information Security (CHiS) lab at (JUST). From 2013
and till 2016 he was a visiting professor at Umm AlQura University, Mecca, SA. Now
he is a researcher at Koc Lab, UCSB, CA, USA. Dr Tawalbeh worked in many

Copyright © 201x Inderscience Enterprises Ltd.

240 E. Benkhelifa et al.

universities between 2005 and 2012 including: NewYork Institute of Technology

(NYIT) and DePaul’s University. He has over 70+ publications in well established
international Journals and conferences in the areas of cyber security and cryptography,
cloud and mobile cloud computing and Big data privacy. He is a co-founding chair of
many IEEE workshops/conferences about cloud/mobile cloud security such as
MCSMS, IoTNAT, and BIGDATA4HEALTH.

Yaser Jararweh received his Ph.D. in Computer Engineering from the

University of Arizona in 2010. He is currently an associate professor of
computer sciences at Jordan University of Science and Technology. He has co-
authored several technical papers in established journals and conferences in
fields related to cloud computing, HPC, SDN, security and Big Data. He is co-
chairing many IEEE events such as ICICS, FMEC, SDS, MCSMS, IoTNAT,
CCSNA, OSNT,, SNAMS, BDSN, IoTSMS, ISCW, and many others.

1 Introduction forensic tools have made great strides in supporting

data extraction, decoding, and analysis, some
Digital forensics is the process used to investigate
challenges remain. In this paper, we proposed a new
electronic data in order to produce forensically sound
framework for mobile devices analysis that tackles
evidence. Such investigations are not exclusively
many of the challenges of the current available frame
limited to electronic devices; digital forensics also
works for mobile devices analysis.
involves network and internet investigations
(Amstrong, 2003). Digital forensic practice consists of
The use of phones in crime was widely recognized for
forensic processes (acquisition and preservation,
some years, but the forensic study of mobile devices is
analysis and presentation) which are guided by
a relatively new field, dating from the early 2000s. A
principles and guidelines. Mobile devices have
proliferation of phones (particularly smartphones) on
become an essential component of our daily lives.
the consumer market caused a demand for forensic
These devices keep us connected and act as so much
examination of the devices, which could not be met by
more than the cell phones and portable music players
existing computer forensics techniques (Disklabs,
of the 1990's. It is common today for a smartphone to
2013). As a result of these challenges, a wide variety
act as a mobile office, social tool, and an entertainment
of tools exist to extract evidence from mobile devices;
center all rolled into one (William, 2011) (Benkhelifa
no one tool or method can acquire all the evidence
et al 2015). Today’s smartphones come with storage
from all devices. It is therefore recommended that
capacity that is similar to business laptops of just a few
forensic examiners undergo extensive training in order
years ago (Ayers et al, 2005). The combination of
to understand how each tool and method acquires
functionality and storage space makes smartphones a
evidence; how it maintains standards for forensic
prime target for forensics investigators. The rapid
soundness; and how it meets legal requirements.
evolution in mobile computing is forcing towards the
Mobile phone forensics is the act of extracting data
need for standards and tools to investigate and analyze
from a mobile phone and analysing that data to be able
these mobile devices and extract useful information
to use it to help the conviction of an individual.
that help in more protection against cyber threats
Mobile phone forensic investigation tools are some of
(Daojing, et al, 2015) and improving performance in
the most cutting edge software in the computing
many aspects including power consumption
industry. Mobile phone forensics is relatively new
(Benkhelifa et al, 2016). The rapid evolution in
within the world of digital forensics and has had to
mobile computing is a frustrating factor for law
rapidly expand and change in order for it to keep up
enforcement and the forensic community at large
with modern day smartphones and the data that can be
because of the lack of industry standard, tools and
stored on them.
training. Smartphones are some of the most difficult to
extract evidentiary data from. While many commercial

Table 1. Problem area comparison between PCs and handheld/ mobile devices

There are many differences between computers and
mobile phone. Mobile phones run off lots of different
types of operating systems depending on the make and
model of the phone and each operating system works
differently. The main mobile phone operating systems
are Android (Rastogi et. al., 2016), IOS and Windows,
but there are others and also many different versions of
the operating systems that get upgraded on a regular
basis. On the other hand computer operating systems
don’t change as much and there are also fewer
operating systems to choose from. The main operating
systems are
Windows, Mac OS and Linux. There are different
versions of each of these operating systems but they
do not get updated as often as the mobile phone
operating systems. This is also the case for the mobile
hardware, which keeps changing. Due to the varying
software and hardware on mobile phones, analysis
tools will also need constant updating to cope with
these changes. Table 1 shows Forensic tool attributes
for PCs and mobile/handheld devices (Finocchiaro,
2008) (Forensic Pathways, 2012).
Yates argues that there is great difficulty in performing
digital forensics on mobile devices due to lack of tools
that can keep up with the proliferation of variants of
devices and operating systems. Compared to PCs,
modern mobile phones run off more diverse operating
systems depending on the make and model of the
phone. Mobile phones’ operating systems tend to
upgrade more often than those of the PCs; similarly,
mobile phones’ hardware changes at a faster pace.
Yates also emphasises on the physical constructional
differences as being pertinent. “Computers have two
types of memory: Random Access Memory (RAM), or
secondary or volatile memory, and Read Only
Memory (ROM), or primary memory. A mobile
device only has one, RAM, unless a SIM card is
present then the SIM card functions as ROM”11. More
evaluation techniques and tools for mobile forensics
can be found in (Micro Systemation, 2013), (Murphy,
2011) and (Oxygen Forensics Suite, 2013).
The next section covers the related work including the
description of the most known mobile forensic
analysers. Then Section 3 will provide an evaluation
and comparison of these analysers, identifying the
main gap, which will be addressed by the contribution
of this paper. Section 4 evaluates the most relevant
frameworks from literature related to mobile forensic
analysis. Section 5 covers in details the proposed
framework to address the identified gap in existing
frameworks and tools. Section 6 is the conclusion.
2. Related Work
Mobile phone forensics is extremely important in the
modern world. Due to the way that mobile phones
have improved what they can do over the last 10 years
they are now more or less mini computers that can be
taken anywhere. Mobile phones can know hold almost
all types of file on them meaning that carrying illegal
data is much easier. Due to how data can be
transferred to and from mobile phone devices, other
data can be extracted from mobile phone devices than
from that of computers, including texts, calls and
many other kinds of data. Now that mobile phones
have satellite location built in to them this means that
as long as it is turned on data about the location of a
person can be extracted using certain mobile phone
analysers.
242 E. Benkhelifa et al.
The use of phones in crime was widely recognized for
some years, but the forensic study of mobile devices is
a relatively new field, dating from the early 2000s. A
proliferation of phones (particularly smartphones) on
the consumer market caused a demand for forensic
examination of the devices, which could not be met by
existing computer forensics techniques (Amstrong,
2012). As a result of these challenges, a wide variety
of tools exist to extract evidence from mobile devices;
no one tool or method can acquire all the evidence
from all devices. It is therefore recommended that
forensic examiners, undergo extensive training in
order to understand how each tool and method
acquires evidence; how it maintains standards for
forensic soundness; and how it meets legal
requirements. Paraben Corporation published an
extensive comparison chart for most credible mobile
forensic software solutions available in the market,
which yet confirms the authors knowledge that there
exist no mobile forensic solution that extracts and
maps data from calls (incoming and outgoing) together
with pictures, geographical location and web logs.
This is therefore the main motivation behind the
research presented in this paper, where the authors
propose a framework solution, which could contribute
to the development of a novel and potentially a market
leading mobile forensic tool (Pan, 2008).
There are not many tools for forensic phone analysis
available in the market. The available tools do treat
very similar tasks but in different ways. This section
reviews and compare the most known, used and cited
Mobile Phone Forensic Analyzers. This will be used to
help identify the gaps within the market.
2.1 Micro Sestemation XRY
XRY (Micro Systemation, 2012) is a software package
that allows secure forensic extraction of data from a
variety of mobile devices including mobile phones,
smartphones, satellite navigation systems, 3G
modems, portable music players and the latest tablet
devices. XRY allows users to decide between physical
and logical extraction. These two methods can extract
the same data but extra data through physical
extraction. Logical extraction from the mobile device
will be presented to the investigator in a logical and
ordered method that allows the data to be easily sorted
and find the evidence required. Logical extraction also
allows for easier report creation.
Physical extraction works by by-passing the operating
system of the mobile phone to be able to extract the
raw data from the physical storage device. Physic
extracted allows the investigator to recover deleted
data from the device to gather more evidence. The
physical extraction is a two stage process, these are the
`dump` and the `decode`. The dump stage is where the
raw data is recovered from the device and the decode
stage is where XRY can automatically reconstruct the
raw data into a readable format. For example,
extracting deleted SMS messages without needing to
manually carve the data. Physical extraction is mainly
used when mobile devices do not have SIM cards or
have security locks of the phones. Some of the key
features of using XRY are:
 XRY specialises in recovering and restoring
deleted data.
 Works with all mobile devices including mobile
phones, smartphones, GPS navigation and tablet
computers.
 Allows SIM card cloning.
 Decoding of recovered data into a readable format
without data carving.
2.2 Oxygen Forensic Suite
Oxygen Forensic Suite is a software package that
allows users to extract and analyse data from mobile
devices. Oxygen Forensic Suite is able to extract data
from mobile phones, smartphones, satellite navigation
systems and certain tablet computers. Oxygen
Forensic Suite is compatible with more than 6300
mobile devices, all of the main brand mobile devices
are included and most of the phones that have a
Chinese chip in them are also covered. Oxygen
Forensic Suite can extract more than just the basic
information from mobile devices. This means that
more data can be extracted, meaning that more
potential evidence is secured. Oxygen Forensic Suite
can also recover deleted SMS’s from the mobile
devices. Depending on the mobile model Examples of
this data are; SIM card data, Speed dial lists, Missed,
dialed and incoming calls, SMS timestamp
information, Geographical coordinates, Java
application, GPRS (General Packet Radio Service),
Wi-Fi activity. (Oxygen Forensic Suite, 2013).
Oxygen Forensic Suite allows for easy analysing and
report creation. This allows all data to be easily seen in
an order to enable quick and easy examination. Some
of the key features of using Oxygen Forensic Suite are:
 More than 6300 mobile devices are compatible.
 Supports a large amount of phone manufacturers
and models.
 Allows recovery of deleted SMSs.
 Allows geographic coordinates to be extracted.
  Allows Wi-Fi activity extraction.
2.3 Cellebrite Mobile Forensics UFED Touch
Ultimate
UFED Touch Ultimate is an all in one software and
hardware package that enables logical and physical
extraction of data from mobile devices. UFED Touch
Ultimate allows decoding of data, analysing of data
and reporting on the data. UFED Touch Ultimate is
compatible with feature phones, smart phones,
portable GPS units, tablet computer and any chipsets
that have been manufactured in China. The UFED
Touch Ultimate allows the investigator to extract the
file systems from the mobile devices; this means that
how the data is stored on the mobile device can be
seen meaning more data can be identified, this
includes any deleted data that has been found in the
file systems. UFED Touch Ultimate also allows for
password extraction, this means passwords do not
have to be cracked in-order to access files that are
protected. (Cellebrite, 2013). Some of the main
features of the UFED Touch Ultimate are:
 Cellebrite is an all in one unit meaning that it is
portable.
 It has a UFED reader built in that allows
authorized personnel to share information with
others.
 Comes with all the cables that will be needed to
connect to every phone.
 File system and password extraction.
2.4 Paraben Device Seisure
Paraben Device Seizure is a Windows based mobile
device analyser. Paraben Device Seizure allows logical
and physical extraction of mobile devices. Paraben
Device Seizure is compatible with most CDMA
(Code Division Multiple Access) phones, Android
phones and some GPS devices. Paraben Device Seizer
allows password extraction to be able to see all of the
data that is on the device. This allows a fuller
investigation to be carried out. Paraben Device Seizure
also has an integrated Google earth function, this
allows the GPS coordinates to be plotted to endure a
visual representation of where the phone has been
throughout the world. The advanced data parser
function allows for all the data that is extracted to be
shown in a readable format making it easier to analyse
the data and then present it in a readable format for the
report creation. (Paraben Corporation, 2013). Some of
the main features of Paraben Device Seizure are:
 Logical and physical data extraction.
 User password extraction.
 Advanced data parsers.
 Google earth plotting feature.
2.5 Forensic Phone Analyser – FPA
Forensics phone analyzer (Forensic Pathways, 2012) is
a piece of software that allows for mapping of calls
that have been made and received from a mobile
phone. Forensic phone analyser works by using taking
extracted data and ordering it to allow to faster and
more effective reporting a querying. Forensic phone
analyser takes the data and can map all of the phone
calls that have been made and received from a mobile
phone and output the data in a visual representation.
Forensic phone analyser can connect phones together
through the phone number of the mobile phone, this
allows for individuals and phone numbers to be
connected together. This proves that the phones have
had call made or received between them .Forensic
phone analyser works by taking data that has been
extracted using a separate mobile phone analysing
tools and imports the data. Example of the phone
analysers that are supported are XRY and Cellebrite.
Examples of data that is used within the mapping;
phone hard drive, SIM cards, SMS messages,
Contacts, Images, Communication. Forensic phone
analyser advertises a list of key features of the
software include:
 Converts/cleans the data into common format
 Aggregates data from many different sources
 Cross reference calls, texts and address books
 Enables the data to be search and queried
 Reveals links, associations, relationships within
the data
 Common and/or legitimate numbers can be
ignored
 Enables statistical analyse of the data
 Enables automated reporting of results
3. Evaluation of Existing Mobile Phone Forensic
Analysers
The evaluation is done by creating a set of metrics to
enable a fair evaluation of the chosen tools. Using
metrics to critically evaluate mobile forensic tools
against one another will increase the understanding of
the tools themselves, allowing for a greater in-depth
knowledge of what the mobile forensic tools are
capable of doing. The metrics are also used to allow
the evaluator to be able to have a visual representation
of the data that the mobile forensic tools can give. This
allows for a faster and more effective way of seeing
244 E. Benkhelifa et al.
the data that has been evaluated. These metrics were
chosen by evaluating the main mobile phone analysing
tools that are available in the market place and listing
the main features that the tools advertise.
This was done by choosing some of the features that
all of the tools have but mainly looking at the unique
features of each tool. Some metrics were then thought
up that have not been brought up bought up through
reading the literature. These metrics came from
knowledge and background reading within the area.
The metrics were chosen due to them covering a large
area of the capabilities of the mobile phone analysing
tools that are available on the market, also some of
these areas are not covered by all of the mobile phone
analysing tools allowing for the gaps within the market
to open up and become visible.
Table 2 - Evaluation for the market analysis
Tracking the exact or approximate geographical
location of mobile devices which could be used in a
crime or during a crime, is very valuable as part of the
investigation, especially when it is mapped to other
date logs on the same mobile phone.
Password extraction covers not just the extraction of
the password but also decode the cipher text into a
readable password for an examiner to understand. Not
many of the mobile phone analysers allow the user to
conduct this, meaning that any data that has a
password on it cannot be seen and therefore cannot be
used as evidence against an individual unless the
defendant releases the password. Password extraction
Table 2 shows that most attributes for extracting data
from mobile phones are possible, but via using
multiple evaluation tools, which is time consuming,
costly and requires expert users of all these evaluation
tools. Also, by using more than one analysis tool, on
the same smart phone for different data logs, the
possibility of inaccuracy in the analysis could be high.
Table 2 also shows a gap in the market for mobile
forensic analysis tools, which can also map the
analysis of geographical location, password extraction
and 4G connectivity.
allows for quicker examination of the data from a
mobile phone, meaning that time is not used up having
to manually decipher the cipher text to make it in to a
readable password for the examiner to be able to use.
Being able to connect to the internet anywhere at any
time can bring up some valuable data in the context of
mobile phone forensics. Being able to connect to a
faster network means that more data will be able to be
transferred to a mobile device wirelessly, allowing
potential criminals to take advantage of this. No
mobile phone analyser advertises that their product is
or is not compatible with 4G connectivity.
4. Evaluation of Relevant Frameworks
The most relevant three frameworks found in literature
are discussed in this section, these are:
1. Evidence extraction framework (Murphy,
2011)
2. framework for the investigation of email data
(Haggerty et al, 2011)
3. SFIPM (Smartphone Forensic Investigation
Process Model) (Geol, Tyagi, & Agarwal,
2012)
The Evidence Extraction Framework, proposed by
(Murphy, 2011) has been created to demonstrate the
process for extracting evidence for a device and then
documenting it and archiving the data for use at a later
date. The framework covers all of the main processes
of extracting the data from a device and can be used
for computers data extraction and for mobile device
extraction. For this paper, we focus on the mobile data
extraction. The reason this framework has been
created is to make sure that no steps get missed out
during one of the most important stages of the
investigation in order to avoid loosing any vital data.
The extraction process can be a long process and
having a framework to be able to visually show all the
main processes could come in useful. The framework
has many good aspects to it such as, starting the
extraction process from the point of intake; the
framework also states the stages of presentation and
archiving. However, the way that the framework
comes across is a mix between the extraction phase
and the investigation phase. Through the extraction
process documentation will need to be carried out
throughout, however a report will not be carried out
until the investigation stage has been complete. Due to
the wording of the framework it seems that this has not
been taken into consideration. From this one stage the
framework then moves on to presentation and
archiving of the extracted data, from an extracting
point of view this does not have to be carried out as
the data will need to be in its raw form for it to be
investigated properly, also it would not need to be
archived as it has not yet been examined. Also, this
framework does not give any detail of what will need
to be carried out for each of the steps to be completed;
this makes the framework more of a general overview
of data extraction.
(Haggerty et al, 2011) proposed a framework for the
investigation of email data. The proposed framework
demonstrates how emails can be acquired, analysed
and presented within computer forensics. This
framework can easily be adapted to work within
mobile phone forensics. There is extra supporting
information about each stage in the framework,
however, these stages are lacking details as well as an
in depth knowledge of the different forensic tools that
are available along with knowing how to use all of the
functions available. The stage that will need further
development in the proposed framework is the
analysis stage. The framework needs to outline the
stages that will need to be carried out during the
analysis stage of an investigation in more depth in
order to allow the user to know what data is being
investigated, enabling a better outcome of the
investigation.
SFIPM (Smartphone Forensic Investigation Process
Model), proposed by (Geol et al, 2012), explains the
entire process of a smartphone forensic investigation.
SFIPM is also capable of do cell site analysis; which
locates where smartphone was or is at a specific date
and time (Disklabs, 2013). SFIPM addresses most of
the gaps found in the previously described
frameworks, in addition to new features such as
supporting Personal Digital Assistant mode and
whether the memory is volatile or non-volatile
(Freudenrich C, 2012). However, This model needs to
focus more on the examination and analysis sections to
allow for more in-depth understanding of the overall
investigation of mobile phones.
5. The Proposed Framework for Smartphone
Forensic Analyser
The overall proposed framework is depicted in Figure
1. The purpose of the framework is to allow the
investigator to be able to plot a map of where an
individual (phone holder) has been travelling to and
from with the mobile device. The framework starts off
by collecting the metadata from the mobile phone, this
data comes from the different sections of the phone.
This framework considers the metadata related to
photos, calls and geographical location. The metadata
that the framework will collect is location (co-
ordinates), times and dates (of the locations). This
metadata in archived in a database for the duration of
the investigation.
The inference engine of the framework will then plot
all of the locations and number them; the numbering
of the locations allows for a look up table to be used to
enable the investigator to put the times and dates with
the location markers. The framework produces a map
around the area of the locations; this map will have all
of the locations that have been extracted from the
mobile phone device on it. Each location will have the
co-ordinates of the location next to it in brackets. This
246 E. Benkhelifa et al.
map will also have lines connecting each of the
locations with each other to show the movements of
the phone holder. These lines will be plotted according
to the time and dates that the phone holder was at that
location. The framework will then produce a table that
will have the location number, time and date of each
location. This will act as a look-up table for the
investigator and makes the map easy to analyse.
Figure 1 shows how the data travels through the
process. Within the phone, metadata from the photos,
call, geographical location and web logs/content is
first extracted and stored in the metadata database. The
metadata is extracted from the general data that was
provided (this metadata is location, time and date).
The engine then requests the data from the database;
the engine is the part of the framework where most of
the work happens. From the engine the reports and
map is created, this is what the investigator will show
in court.
5.1 Extracting the Geographical Data
Figure 2 depicts the process of extracting the metadata
from map application and satellite navigation
application. The map application side of the process
starts off by extracting all of the locations that the
application has been used at. This data is stored on the
phone when an phone holder opens the application.
Fig.1. High level framework architecture
The process then extracts the information about the
locations that have been searched for within the
application; this can show potential locations that an
individual has been to. The process then takes all of
the locations and extracts the dates and times that the
application has opened and the destinations that have
been searched. This information is then stored in the
metadata database. The satellite navigation side of the
process works in a similar way. It will extract the
information about the routes that have been searched
for. This information will allow the investigator to see
any potential routes that may have been looked at for
travelling. The process then extracts information about
all the routes that have travelled. This allows the
investigator to track the exact route that an individual
have travelled along. The final stage is extracting the
dates and times of these route searches and routes
travelled. This information is then stored in the
metadata database.
Fig.2. Extraction of Geographical Metadata
5.2 Extracting the photos Metadata
After retrieving the relevant images from the mobile
phone device; this process will then process the
images to extract the required metadata from the
images. The first stage of extraction will be searching
for the dates and times that the images were taken,
downloaded or upload on to the mobile phone. Then
the process will determine any geographical data about
each photo. This will allow the plotting of the
locations and the images on to the location tracking
map. Some images may not give data about the
locations they were taken at but the dates and times
could be connected with other dates and times and
images and locations could be put together to
strengthen any evidence. Figure 3 depicts this process.
Fig.3. Extracting metadata from Photos
5.3 Extracting Metadata for calls
Figure 4 shows the process of extracting the metadata
of phone calls. The data that will be needed will
include both incoming calls and outgoing calls. The
first stage of the process is to extract the dates and
times that the phone calls took place; the time will be
when the phone call was dialled or answered.
Similarly, this information can be used to match dates
and times with known locations that have already been
determined.
Fig.4. Extraction of metadata for calls
The second stage of process is to extract any
information about the location of the mobile phone
when calls were made or received. Also, information
about which telegraph pole the mobile signal was
connected to at the time could be extracted. As each
telegraph pole can only have a certain radius of signal
to an area of where a mobile phone could have been.
This could prove vital within an investigation.
Though, the exact location of a person may prove
difficult to determine from only phone calls, but
combined with other data held in the same mobile
device, location could be identified.
5.4 Process for Metadata Plotting
Figure 5 illustrates the proposed process for metadata
plotting. All of the data that will be required for the
investigation is retrieved from the metadata database
as shown in Figure 1, and then send the information to
the reporting stage of framework 1. The first stage of
this framework is to plot all of the locations that are
stored within the database; this allows for the
visualisation of the locations that the mobile phone has
been in. From this point the investigator can go two
ways. The first way is to create the table that lists all of
the location numbers and, times and dates (to the
corresponding location); this is now the reference
sheet for this investigation and can be used within the
report. The second direction is to define each day’s
location with a different colour, this helps to identify
the movements for each day. This then moves on to
plotting lines of movement between each point. These
lines will be done by firstly date but also time and will
allow the investigator to plot the movement of the
device throughout each day. From this step there are
two directions that can be taken. The first direction is
to review how many times a location has been visited.
This will be done by adding up the total amount of
times a location has been visited. This can help tie the
individual to a location that is frequently visited.
248 E. Benkhelifa et al.
Fig.5. Process for Plotting of the metadata
Using this information the investigator can track the
duration of time between each check-in. This tells the
investigator how frequently that location is visited and
could lead to good intelligence to follow up on at a
later date. The final part of this framework is
calculating the most popular routes travelled by an
individual. This will show which journeys are taken
the most and could show some routes known to police
or could bring to light some new routes regularly taken
by gangs.
5.5 Process for Metadata mapping
Figure 6 shows how the metadata will be used within
the engine stage. Before this stage can take place the
metadata will have to be queried so that this
framework will know what data needs to be extracted
from the database? The query will consist of the user
ticking which functions (type of data e.g. calls, photos)
need to be plotted and also what dates and times want
to be looked at. These dates and times can cover one
day or the entirety of the mobile phone’s life time.
This will allow the plotted data to cover the desired
time frame.
Figure 6 has three main layers to it. The first layer will
look at the query to define whether or not the
information will be required. For example, the first
question could be, do calls need mapping? If the
answer is yes then the metadata will be collected from
the database and inserted into a table. If the answer is
no then that stage will be missed out and move on to
the next function. If that metadata needs to be mapped
then each stage will be completed, however if the
metadata is not needed then the framework will move
to the next function.
When the process comes to the final function, it will
either end or complete. If the answer to the final
question is no the process will need to find out if any
data is located within the table, if there is then final
layer will be continued. If there is no metadata in the
table then a new query will be made. If the answer is
yes then the same steps will happen, except after the
final stage the process will display a table showing all
of the metadata that has been found in the database.
This information will go to the next step that will be
matching the metadata in order to see whether any of
the dates, times or locations match one another. The
data from the inference engine will also be pushed to
metadata plotting function, depicted in Figure 5, where
the metadata will be mapped onto a map.
Int. J. Xxxxxx Xxxxxxx Xxxxxxx, Vol. X, No. Y, XXXX
Fig.6. The inference engine process
6. Conclusion
Mobile device and smart phones are playing very
important roles in our lives. They are used to do a
variety of tasks from playing games to internet
shopping. The need for a comprehensive tool that is
able to collect data and link it together in smart phones
is the main motivation behind this paper. We proposed
a framework that gathers data from different sources
and map it together. This framework can be developed
as a dedicated forensic tool for smart phones, which is
currently not available in the market. The proposed
framework focuses on mapping metadata from
location, calls, images and web applications
Copyright © 201x Inderscience Enterprises Ltd.
typical smartphone, nowadays. More areas could be
brought into it such as general media/entertainment
applications and SMS’s, for instance. Figure 7 shows
other areas where more data from one mobile device
could be combined in any one forensic investigation.
This framework could be expanded to allow for
multiple mobile phone investigations simultaneously
to uncover any patterns or insights into the
investigation.
Mobile Cloud Computing is an emerging technology,
which is expected to revolutionize the way we use
smartphones and deal with data. This technology will
introduce many more challenges in the context of
mobile forensics (Yi and Mao, 2013) (Tawalbeh et al.
2016), and (Lo’ai et al).
250 E. Benkhelifa et al.
Fig.7. Types of data that can be extracted from one mobile device for forensic investigation
ACKNOWLEDGMENT
This work is funded by grant number (13-INF2526-10) from
the Long-Term National Science Technology and
Innovation Plan (LT-NSTIP), the King Abdul-Aziz City for
Science and Technology (KACST), Kingdom of Saudi
Arabia. We thank the Science and Technology Unit at Umm
Al-Qura University for their continued logistics support.
References
Armstrong, C. (2003). ‘Developing a framework for
evaluating computer forensic tools’. The Evaluation in
Crime and Justice: Trends and Methods Conference
convened by the Australian Institute of Criminology in
conjunction with the Australian Bureau of Statistics.
Canberra, 24-25 March 2003
Ayers, R., Jansen, W., Cilleros, N., & Daniellou, R.
(2005). ‘Cell phone forensic tools: An overview an
analysis’. NIST, Gaithersburg. NISTIR 7250.
Benkhelifa, E., Welsh, T., Tawalbeh, L., & Jararweh, Y.
(2016). ‘Promoting Energy Modelling in Network
Simulations for Optimising Mobile Device Power
Consumption’ Springer Mobile Network and Applications.
Cellebrite, 2013. ‘UFED touch ultimate’. [Online]
http://www.cellebrite.com/mobile-forensic-products/ufed-
touch-ultimate.html. (accessed Nov 2016)
Benkhelifa, E., Welsh, T., Tawalbeh, L., & Yaser Jararweh
(May, 2016). ‘Framework for Mobile Devices Analysis’.
Procedia Computer Science, Elsevier. In the 7th Ambient
systems and Networks conference (ANT 2016). Vol 83,
pp1188 – 1193.
Daojing, H., Chan, S., and Guizani, M. (2015) ‘Mobile
application security: malware threats and defenses.’ IEEE
Wireless Communications 22.1 (2015): 138-144.
Disklabs. (2013). Cell Site Analysis.
http://www.mobilephoneforensics.com/cell-site-
analysis.php (accessed April 2015)
Finocchiaro, C., Goldman, E., Natarajan, A., & Stanek, M.
(2008). ‘Mobile device froensic tool evaluation.’ [online]
http://www.ericgoldman.name/security/17-forensics/36-
mobile-device-forensic-tool-investigation (accessed April
2015)
Forensic Pathways. (2012). ‘Mobile/cell phone forensics.’
[online] http://www.forensic-pathways.com/products-and-
services/mobile-phone-forensics (accessed April 2015)
Geiger, M. (2005). ‘Evaluating commercial counter-forensic
tools’. Pittsburgh.
View publication stats
Geol, A., Tyagi, A., & Agarwal, A. (2012). ‘Smartphone
Forensic Investigation Process Model’. International Journal
of Computer Science &Security , 322-341.
Haggerty, J., Karran, A. J., Lamb, D. J., & Taylor, M. J.
(2011). ‘A framework for the forensic investigation of
unstructured email relationship data’. International journal
of digital crime and forensics , 1-18.
Micro Systemation. (2013). ‘What is XRY’. [online]
http://www.msab.com/xry/what-is-xry (accessed June 2015)
Murphy, C. (2011). ‘Developing process for the
examination of cellular phone evidence. 1-12.
Oxygen Forensics Suite. (2013). ‘Oxygen Forensics Suite’.
[online] http://www.oxygen-forensic.com/en/ (accessed July
2015)
Pan, Y. (2008). ‘Project 1: Tools of mobile forensics’.
[online]
http://www.ericgoldman.name/media/Mobile_Forensics-
Tool_Analysis.pdf (accessed July 2015)
Paraben Corporation. (2013). ‘Device seizure 6’. [online]
http://www.paraben.com/device-seizure.html (accessed Nov
2016)
Rastogi, S., Bhushan, K., et. al. (2016)."Android
Applications Repackaging Detection Techniques for
Smartphone Devices," Procedia Computer Science,
Elsevier, 2016
Tawalbeh. L., Mehmood, M., Benkhelifa, E., Song. H.
(2016). Mobile Cloud Computing Model and Big Data
Analysis for Healthcare Applications. IEEE Access.
ISSN 2169-35-36. Pages 6171-6180.
Lo'ai, A.T., Bakheder, W. and Song, H., 2016, June. A
mobile cloud computing model using the cloudlet scheme
for big data applications. In Connected Health:
Applications, Systems and Engineering Technologies
[online]
(CHASE), 2016 IEEE First International Conference on (pp.
73-77). IEEE.
William, E. (2011) ‘Defending users against smartphone
apps: Techniques and future directions.’ International
Conference on Information Systems Security. Springer
Berlin Heidelberg, 2011.
Yi, X., and Mao, S. (2013) "A survey of mobile cloud
computing for rich media applications." IEEE Wireless
Commun. 20.3 (2013): 1-0.