Mobile phone forensics is the acquisition of the digital evidence held on a mobile phone device using forensically sound procedures. This branch of forensics can be expanded to include other mobile devices, such as PDA’s, GPS devices and tablet computers.
Mobile devices are now used almost every day by a majority of the population for many different activities. A mobile device can now be used to stored many types of personal information such as contacts, calendars, notes, messaging systems. Some devices such as smartphones may also contain email, web browsing data, emails, videos, photos, location data and social media information.
Need for Mobile Phone Forensics
With more transactions and communication being done via mobile devices, the need for providing forensic analysis is extremely important. There are a number of reasons for this:
- Mobile phones used to store and transmit, both personal and business data
- Mobile phones are often used for online transactions, such as mobile banking
- Mobile phones can now be used for cardless payments in some stores
Types of Evidence
There are three basic types of evidence which can be gathered for use by the investigator. Internal memory on the phone which is now usually flash memory will need to be imaged. Any external memory is also required, which covers devices, such as SIM cards, SD cards, MMC cards, CompactFlash and Memory Sticks.
The third type of evidence, Service Provider logs is not technically part of mobile phone forensics, but may be a useful tool when used alongside the evidence taken directly from the mobile device. Such information will be records of call details and sometimes text messages. Service Provider logs can only be used when a request from the appropriate law enforcement agency has been issued, allowing the data to be released.
Mobile Forensics Process
The first step of the process is data acquisition from any internal and external memory on the mobile device. Once the data has been acquired, it can then be processed so that the data can be used by an investigator to search for any information that has been held on the device.
The investigator will examine all the data and produce a report, in a clear concise manner, which can be used as admissible evidence in court. Any Service Provider logs, if requested will also be used as part of this evidence. The investigator can also appear in court as an expert witness if required.
