
UNIT-4

COMPUTER FORENSICS AND INVESTIGATION

Computer Forensics
Cyber forensics is the process of extracting data from electronic devices as evidence of a crime,
following proper investigation rules so that the evidence can be presented in court and the culprit
identified. Cyber forensics is also known as computer forensics. Its main aim is to maintain the
chain of evidence and documentation needed to establish who committed the crime digitally. Cyber
forensics can do the following:

• It can recover deleted files, chat logs, emails, etc.

• It can recover deleted SMS messages and call records.

• It can recover recorded audio of phone conversations, where such recordings exist on the device.

• It can determine which user used which system and for how long.

• It can identify which user ran which program.

Why is cyber forensics important?

In today's technology-driven generation, the importance of cyber forensics is immense.

Technology combined with forensic science paves the way for quicker investigations and
accurate results. Below are the points depicting the importance of cyber forensics:

• Cyber forensics helps in collecting important digital evidence to trace the criminal.

• Electronic equipment stores massive amounts of data that a normal person never sees.
For example, in a smart house every spoken word and every action performed by smart
devices generates data, which can be crucial to an investigation.

• It also helps innocent people prove their innocence through the evidence collected from
digital sources.

• It is used not only to solve digital crimes but also real-world crimes such as theft and
murder.

• Businesses benefit equally from cyber forensics in tracking system breaches and
finding the attackers.
The Process Involved in Cyber Forensics

1. Obtaining a digital copy (a forensic image) of the system that is being or is required to be inspected.

2. Authenticating and verifying the copy, typically by comparing cryptographic hashes of the original and the image.

3. Recovering deleted files (for example with the Autopsy tool).

4. Using keywords to find the information you need.

5. Producing a technical report.
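The first four steps above, worked through as an added example that is not code from the original document or from any forensic product: the script acquires an image of a constructed sample "device", verifies the copy by hashing the source before and after and the image itself, and only then runs a keyword search over the raw image. The file names, the keyword list and the two planted fragments are assumptions made for the example; in real work the source would be a device node read through a hardware write blocker, and the search would also cover unallocated space in exactly this way.

```python
"""Added example: forensic acquisition with hash verification, then a
keyword search over the raw image.  Sample 'device' data is constructed
in build_sample_device(); nothing here is from the original page."""
import hashlib
import os
import tempfile

KEYWORDS = [b"CONFIDENTIAL", b"wire transfer"]  # assumed search terms


def sha256_file(path, chunk=1024 * 1024):
    """Hash a file in fixed-size chunks so multi-GB images never sit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        while True:
            block = f.read(chunk)
            if not block:
                break
            h.update(block)
    return h.hexdigest()


def acquire_image(source, image, chunk=1024 * 1024):
    """Copy `source` (device node or file) to `image` byte for byte.

    The source is hashed before acquisition, the bytes written are hashed
    as they stream past, the finished image is re-read and hashed, and the
    source is hashed once more afterwards.  Four equal digests prove the
    copy is faithful and that acquiring it did not alter the original."""
    before = sha256_file(source)
    stream = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        while True:
            block = src.read(chunk)
            if not block:
                break
            stream.update(block)
            dst.write(block)
    return {
        "source_sha256_before": before,
        "stream_sha256": stream.hexdigest(),
        "image_sha256": sha256_file(image),
        "source_sha256_after": sha256_file(source),
    }


def verified(record):
    """All four digests must agree before the image is used for analysis."""
    return len(set(record.values())) == 1


def keyword_search(image, keywords, chunk=4096):
    """Scan the raw image for byte strings and report absolute offsets.

    The last len(longest keyword)-1 bytes of each chunk are carried over
    into the next one, so a hit that straddles a chunk boundary is found
    exactly once (hits ending inside the carried-over tail were already
    reported in the previous round)."""
    overlap = max(len(k) for k in keywords) - 1
    hits, tail, base = [], b"", 0          # base = absolute offset of tail[0]
    with open(image, "rb") as f:
        while True:
            block = f.read(chunk)
            if not block:
                break
            buf = tail + block
            for kw in keywords:
                i = buf.find(kw)
                while i >= 0:
                    if i + len(kw) > len(tail):
                        ctx = buf[max(0, i - 8):i + len(kw) + 8]
                        hits.append((base + i, kw.decode(), ctx))
                    i = buf.find(kw, i + 1)
            keep = min(overlap, len(buf))
            tail = buf[len(buf) - keep:]
            base += len(buf) - keep
    return sorted(hits)


def build_sample_device(path, chunk=4096):
    """Constructed 'disk': deterministic filler plus two planted fragments,
    the second placed so it crosses the 4096-byte search-chunk boundary."""
    data = bytearray((i * 7919 + 13) % 256 for i in range(3 * chunk))
    data[100:112] = b"CONFIDENTIAL"              # 12 bytes at offset 100
    pos = chunk - 6                              # bytes 4090..4102 straddle 4096
    data[pos:pos + 13] = b"wire transfer"
    with open(path, "wb") as f:
        f.write(data)
    return {"CONFIDENTIAL": 100, "wire transfer": pos}


def run_demo():
    """Full run in a scratch directory; returns everything worth checking."""
    with tempfile.TemporaryDirectory() as d:
        dev, img = os.path.join(d, "sdb"), os.path.join(d, "sdb.dd")
        planted = build_sample_device(dev)
        record = acquire_image(dev, img)
        ok = verified(record)
        hits = keyword_search(img, KEYWORDS) if ok else []
        return {"verified": ok, "record": record,
                "hits": [(off, kw) for off, kw, _ in hits], "planted": planted}


if __name__ == "__main__":
    result = run_demo()
    print("image verified:", result["verified"])
    for off, kw in result["hits"]:
        print(f"  {kw!r} at offset {off}")
```

The search deliberately works on the raw image rather than on mounted files, so text from deleted files and slack space is found too; the overlap logic is the part most home-grown scanners get wrong, and the planted fragment at offset 4090 exercises it.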

How do Cyber Forensics Experts work?

Cyber forensics follows defined procedures to find evidence and reach conclusions after proper
investigation. The procedures that cyber forensics experts follow are:

• Identification: The first step is to identify what evidence is present, where it is stored,
and in which format it is stored.

• Preservation: After identifying the data, the next step is to preserve it safely and prevent
anyone else from using the device so that no one can tamper with the data.

• Analysis: After acquiring the data, the next step is to analyze the data or system. Here the
expert recovers deleted files, verifies the recovered data and finds the evidence that the
criminal tried to erase. This process might take several iterations to reach a final conclusion.

• Documentation: After the analysis, a record is created. This record contains all the
recovered and available (not deleted) data, which helps in recreating the crime scene and
reviewing it.

• Presentation: This is the final step, in which the analyzed data is presented before the
court.

Types of computer forensics

There are multiple types of computer forensics depending on the field in which digital
investigation is needed. The fields are:

• Network forensics: This involves monitoring and analyzing the network traffic to and
from the suspect's network. The tools used here are network intrusion detection systems
and other automated tools.

• Email forensics: In this type of forensics, the experts examine the suspect's email and
recover deleted email threads to extract crucial information related to the case.

• Malware forensics: This branch deals with hacking-related crimes. Here the forensics
expert examines malware such as trojans to identify the attacker behind it.

• Memory forensics: This branch deals with collecting data from volatile memory (cache,
RAM, etc.) in raw form and then retrieving information from that data.

• Mobile phone forensics: This branch deals with mobile phones; the data on the phone is
examined and analyzed.

• Database forensics: This branch examines and analyzes the data in databases and their
related metadata.

• Disk forensics: This branch extracts data from storage media by searching for modified,
active or deleted files.

Advantages

• Cyber forensics helps ensure the integrity of computer systems and of the evidence taken from them.

• Through cyber forensics, many people and companies learn about such crimes and take
proper measures to avoid them.

• Cyber forensics finds evidence on digital devices and presents it in court, which can lead
to the punishment of the culprit.

• It can efficiently track down a culprit anywhere in the world.

• It helps people and organizations protect their money and time.

• The relevant data can be publicized and used to make the public aware of such crimes.

Computer Forensics Software Tools


Digital forensics is the process of preservation, identification, extraction and documentation of
computer evidence that can be used by a court of law. Many tools help make this process simpler
and easier, and they produce complete reports that can be used in legal proceedings.
1) ProDiscover Forensic

ProDiscover Forensic is a computer forensics application that lets you locate all the data on a
computer disk. It protects evidence and creates quality reports for use in legal proceedings. The
tool can extract EXIF (Exchangeable Image File Format) metadata from JPEG files.

Features:

• It supports Windows, Mac and Linux file systems.

• You can preview and search for suspicious files quickly.

• It creates a copy (image) of the entire suspect disk so that the original evidence stays
untouched.

• It helps you view internet history.

• You can import or export .dd format images.

• It lets you add comments to evidence of interest.

• ProDiscover Forensic supports VMware to run a captured image as a virtual machine.

2) Sleuth Kit (+Autopsy)


The Sleuth Kit is an open-source library and collection of command-line tools for analyzing disk
images, and Autopsy is the graphical interface built on top of it. Autopsy runs on Windows (as
well as Linux and macOS) and lets you examine hard drive images and smartphone data.

Features:

• You can identify activity effectively using a graphical interface.

• It provides analysis of emails.

• You can group files by type to find all documents or images.

• It displays thumbnails of images for quick viewing.

• You can tag files with arbitrary tag names.

• It can extract data such as call logs, SMS and contacts from mobile device images.

• It helps you flag files and folders based on path and name.
3) FTK Imager

FTK Imager is the free acquisition and preview tool from AccessData's Forensic Toolkit (FTK)
suite (AccessData is now part of Exterro). It creates forensic copies of data without making
changes to the original evidence. The full FTK suite lets you specify criteria such as file size,
pixel size and data type to reduce the amount of irrelevant data; most of the features listed below
belong to the full FTK product rather than to the free imager.

Features:

• It provides a wizard-driven approach to investigating cybercrime.

• It offers better visualization of data using charts.

• You can recover passwords from more than 100 applications.

• It has advanced and automated data analysis facilities.

• It lets you manage reusable profiles for different investigation requirements.

• It supports pre- and post-processing refinement.

4) X-Ways Forensics
X-Ways Forensics provides a work environment for computer forensic examiners. It supports disk
cloning and imaging and lets you collaborate with other examiners who have the tool.

Features:

• It can read partitioning and file system structures inside .dd image files.

• You can access disks, RAIDs (redundant arrays of independent disks) and more.

• It automatically identifies lost or deleted partitions.

• It detects NTFS (New Technology File System) Alternate Data Streams (ADS).

• X-Ways Forensics supports bookmarks and annotations.

• It can analyze remote computers.

• You can view and edit binary data using templates.

• It provides write protection for maintaining data authenticity.


5) Volatility Framework

Volatility Framework is open-source software for memory analysis and forensics. It is one of the
best-known memory forensics tools and lets you examine the runtime state of a system (processes,
network connections, loaded modules, injected code) from the data found in a RAM capture. It
analyzes memory images rather than acquiring them; acquisition is done with a separate capture
tool such as the one described next.

Features:

• Its API allows quick lookups of PTE (Page Table Entry) flags.

• Volatility Framework supports KASLR (Kernel Address Space Layout Randomization).

• It provides numerous plugins, including ones for analyzing macOS memory.

6) Magnet RAM capture

Magnet RAM Capture records (acquires) the memory of a suspect computer. It lets investigators
recover and analyze valuable artifacts found in memory.

Features:

• It runs with a small footprint so as to minimize the data it overwrites in memory.

• It exports the captured memory for loading into analysis tools such as Magnet AXIOM and
Magnet IEF.

• It supports a wide range of Windows operating systems.

Computer Forensics Hardware Tools


The features and advantages of hardware computer forensic tools come from substituting dedicated
hardware for software processes and from using equipment that is compact and easy to operate.

These devices are often powered from the mains or from the suspect machine. However, the
forensic analyst who relies on forensic hardware must ensure that all possible connectors are
available before starting a job. Some of the advantages include:

1. The embedded development has already been completed, saving space and time and generally
simplifying the acquisition process.

2. The greater portability of the products.

3. The increased speed of acquiring digital data using hardware devices compared to
using software.

Hard Disk Write Protection Tools

Hardware write-protection devices offer a simple method to acquire an image of a suspect drive
with much less fiddling with configuration settings in software. This makes the process simpler
and less prone to error.

The following section introduces a number of these hardware-based forensic tools.

NoWrite

NoWrite is a hardware write blocker that prevents data from being written to the hard disk. It
supports high-capacity hard disk drives and works with USB or FireWire enclosures, adapters and
IDE interface cables, passing commands through common IDE interfaces.

Because it sits in the IDE path, NoWrite is only functional on native IDE devices, but it preserves
USB features such as plug-and-play on the host side. It is compatible with most operating systems
and drive formats, and it is transparent to the operating system and application programs.

Validating and Testing Forensics Software

As the 'data experts' that we are, we get called to test and validate procedures revolving
around data security and destruction quite often. With our advanced knowledge of file systems
and data structures, we can test your data security or sanitization policies and provide you with
written affidavits or certificates as needed.

We provide third-party validation for OEMs looking to test their drive sanitization policies within
their service centers. We also validate hardware sanitization devices for many hardware
manufacturers.

Validation is important for laboratories so that they can be trusted to produce accurate results
every time. At Flashback Data, we can check your data security or sanitization policies to make
sure they are reliable and precise.
Principles of Digital Forensics Testing

The basis of digital forensics is being able to repeat processes and obtain quality evidence. If the
results are not accurate, then it is difficult to trust the laboratory and company. Digital forensic
test results need to be repeatable and reproducible to pass as electronic evidence, according to the
National Institute of Standards and Technology (NIST).

What is Repeatable and Reproducible Evidence?

Repeatable evidence means there are always the same results when the same process is used with
the same test items, operator, and equipment inside the same laboratory. Reproducible evidence
means the same results are produced with the same methods on the same items but in a different
facility with different operators and equipment.

How Does the Daubert Standard Connect to Forensic Validation?

The Daubert standard is a legal guide that can be used for software and tool validation. In the
ruling of Daubert v. Merrell Dow Pharmaceuticals Inc., five questions influence the reliability of
a scientific method:

• Has the method undergone empirical testing?

• Has the method been peer reviewed?

• Are there standards controlling the method's operation?

• Does the method have a known or potential error rate?

• Has the scientific community generally accepted the method?

This ruling was not directed at the digital forensics field and validation, but it is useful as a
starting point. The ruling also recognized that the inquiry should be flexible and focus on whether
conclusions are the product of reliable methods and principles, which means that a method lacking
peer review or general acceptance is not necessarily invalid.

Other Factors to Consider in Validation Testing

Another factor of validation testing is that it examines precision, accuracy, and sensitivity. This
also connects to reliability, reproducibility as well as robustness. When data is not accurate and
reliable, it is difficult to be accepted in court cases, because digital forensic data is scrutinized in
court to ensure that it is admissible evidence. When items are tested, they should always yield
accurate results no matter the facility. A strong method should fit all of these standards.
Iris and Fingerprint Recognition
Fingerprint recognition is a popular security feature in the newer generation of smartphones and
a well-known biometric technology. Since Microsoft introduced an iris recognition feature in its
smartphones, the two biometric traits have been compared. We will discuss both technologies,
their capabilities and their security features.

Iris and fingerprint recognition both offer higher accuracy, reliability and simplicity than other
biometric traits, which makes them perform better and makes them a particularly promising security
solution in today's society. The process starts by capturing images of the iris or fingerprint,
which are then pre-processed to remove noise. The distinguishing features are then extracted and
matched to find the similarity between the two feature sets. The matching scores generated by the
individual recognizers are passed to a decision module, which decides whether a person is genuine
or an impostor.

How does iris recognition work?

The iris pattern is unique to each individual and remains constant throughout a person's lifetime.
The circular black disk in the center of the eye, the pupil, constricts on exposure to bright light
and dilates in the dark, so its size varies with the amount of light the eye receives. The annular
ring between the sclera and the pupil boundary is the iris, which contains a large number of minute
details. The iris has an extremely data-rich physical structure with a flowery pattern that is
unique to each individual and does not change with age.

Strengths of iris recognition

1. Iris recognition has a proven highest accuracy rate: a biometric product testing final
report found iris recognition to have no false matches in over two million cross-comparisons.

2. Iris recognition can handle very large populations at high speed. It has the capacity to
perform 1:all searches within extremely large databases.

3. Iris biometrics are very convenient: the individual simply needs to look into a camera for a
few seconds. The process captures a video image and is non-invasive and inherently safe.

4. The iris is very stable and remains unchanged throughout a person's life; there are no
changes to its physical characteristics even as the person ages.

5. Iris recognition is an affordable biometric modality with very low maintenance costs.
Moreover, it allows seamless interoperability between different hardware vendors and works
well with other applications.

What are the steps involved in fingerprint recognition?

Fingerprint recognition is a proven technique for verifying the identity of individuals and hence
is one of the most widely used biometric technologies. A fingerprint is composed of the ridges and
valleys on the surface of the finger. In fingerprint recognition, three major steps are applied to
the acquired images in the minutiae matching approach: pre-processing (enhancement) of the image,
extraction of the minutiae (ridge endings and bifurcations), and matching of the minutiae sets.

Strengths of fingerprint recognition

1. Fingerprint recognition is a widely accepted biometric modality and is excellent for
background checks. It has found numerous applications in law enforcement and government
forensics, such as the AFIS (Automated Fingerprint Identification System) database.

2. For populations with a low incidence of "outliers", fingerprint biometrics have a
relatively low false rejection rate and false acceptance rate. This may not be the case for
large groups or groups with wide demographic variation.

3. Fingerprint solutions are provided by a wide range of vendors.

4. Fingerprint technology can enroll multiple fingers.
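How the decision module described earlier turns matching scores into a false acceptance rate (FAR) and a false rejection rate (FRR), as an added example rather than content from the original document. The score lists are constructed and are not measurements of any real sensor; the threshold sweep shows that the two rates trade against each other, which is why a figure such as "no false matches in two million cross-comparisons" is a FAR statement at one chosen operating point, and why a deployment that must hold FAR at zero pays for it in rejected genuine users.

```python
"""Added example: a biometric decision module and the FAR/FRR trade-off.
Match scores are constructed; this is not code from the original page."""

# Constructed comparison scores in [0, 1]; higher = more similar templates.
GENUINE = [0.92, 0.88, 0.95, 0.81, 0.76, 0.90, 0.85, 0.55, 0.93, 0.79]   # same person
IMPOSTOR = [0.12, 0.35, 0.41, 0.49, 0.22, 0.58, 0.30, 0.70, 0.18, 0.27]  # different people


def decide(score, threshold):
    """Decision module: accept as genuine iff the score reaches the threshold."""
    return score >= threshold


def error_rates(genuine, impostor, threshold):
    """FAR = impostors wrongly accepted; FRR = genuine users wrongly rejected."""
    far = sum(decide(s, threshold) for s in impostor) / len(impostor)
    frr = sum(not decide(s, threshold) for s in genuine) / len(genuine)
    return far, frr


def equal_error_rate(genuine, impostor):
    """Sweep every observed score as a candidate threshold and return the
    operating point (threshold, FAR, FRR) where the two rates are closest;
    this is the EER figure usually quoted when modalities are compared."""
    best = None
    for t in sorted(set(genuine + impostor)):
        far, frr = error_rates(genuine, impostor, t)
        if best is None or abs(far - frr) < abs(best[1] - best[2]):
            best = (t, far, frr)
    return best


def threshold_for_max_far(genuine, impostor, max_far):
    """Security-first tuning: the lowest threshold whose FAR does not exceed
    max_far, together with the FRR (user friction) that choice costs."""
    for t in sorted(set(genuine + impostor)):
        far, frr = error_rates(genuine, impostor, t)
        if far <= max_far:
            return t, frr
    return None


if __name__ == "__main__":
    t, far, frr = equal_error_rate(GENUINE, IMPOSTOR)
    print(f"EER point: threshold={t} FAR={far:.2f} FRR={frr:.2f}")
    t0, frr0 = threshold_for_max_far(GENUINE, IMPOSTOR, 0.0)
    print(f"FAR=0 requires threshold {t0}, costing FRR={frr0:.2f}")
```

With these scores the EER sits at threshold 0.70 (FAR = FRR = 0.1); forcing FAR to zero needs a threshold of 0.76 and rejects one genuine user in ten. The larger the impostor set, the more meaningful the FAR estimate, which is the point of the multi-million cross-comparison tests cited for iris recognition.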


Fingerprint technology has been widely used within the law enforcement community and in the
AFIS database, so it is a very popular and widely accepted biometric technology. However,
fingerprint readers may not be sufficient to handle the large variation in populations that need to
be enrolled. Performing a search in large-scale deployments may take many minutes and may require
ancillary data such as age and sex for partitioning the database in order to increase search speed.
Moreover, the search may return multiple matches, so a back-up identification method such as iris
recognition is needed to resolve them.

Fingerprint technology works best for background check applications. Iris recognition has a very
high accuracy rate and is also a non-invasive biometric technology. In this article we have
reviewed both fingerprint and iris recognition and highlighted the benefits and weaknesses of
these two biometric modalities.

Forensic Audio-Video Analysis and Verification


Audio and video are digital sources of evidence that can be found at the scene of a crime, or with
the victim or the accused, in the form of recordings from a mobile device or CCTV footage. Such
digital evidence is of utmost importance in civil and criminal cases; audio and video forensics is
therefore a leading branch of forensic science in the digital era.

Audio-video forensics rests on three basic activities: acquisition, analysis and evaluation of
audio and video recordings that are admissible in a court of law. One of the main tasks of audio
and video forensic experts is to establish the authenticity and credibility of the digital
evidence. Recordings are also enhanced to improve speech intelligibility and the audibility of
sounds.

How is the analysis of audio-video evidence performed?

One of the primary tasks of forensic digital investigators is to assist crime scene investigators
in finding conclusive proof with a range of scientific tools and equipment. Following the
standardized crime scene investigation procedure, investigators must thoroughly search the
suspected area and recover the evidence carefully at the time of collection. Such digital evidence
must be protected from physical harm, the environment and heat.

Once the evidence is collected safely and securely, it must be properly documented in notes or by
photography/videography. The documentation must record the condition in which the evidence was
found at the crime scene along with the name of the collector and the date and time of collection.
Examination protocols are then carefully constructed to decide which enhancement techniques are to
be applied to the recovered evidence.

A variety of enhancement techniques can be employed in audio and video analysis. The
techniques employed for video enhancement are as follows:

a. Sharpening: makes the edges of the images clearer and more distinct.

b. Video stabilization: reduces the amount of camera movement in the video and produces
smoother playback.

c. Masking: covers the face or other areas of the video in order to protect a victim, witness
or law enforcement official.

d. De-interlacing: analog systems record images using interlaced scanning (two fields per
frame); de-interlacing separates or recombines the fields so that the information in each can
be retrieved.

e. Demultiplexing: a CCTV multiplexer combines several camera signals into a single video
signal; demultiplexing separates that signal back into the individual camera feeds.

The techniques employed for audio enhancement are as follows:

a. Frequency equalization: highly precise equalizers are used to cut specific frequency bands.
The band that carries most of the speech content is amplified or isolated, while loud noise or
interruptions are analyzed with a spectrum analyzer and the corresponding frequencies are
reduced to lower the noise level.

b. Compression: faint or quiet sounds can be raised by compressing or leveling the signal so
that the loud range is reduced and the quiet range becomes audible.

Such evidence is critically analyzed and listened to carefully, and proper documentation must be
kept. Following standard forensic protocol, the forensic report is prepared by a forensic cyber
expert and presented in the court of law.

The forensic audio-video report must include the following details:

1. Results which were obtained from the analysis of audio-video files

2. Waveform charts of audio recordings and comparison waveform with formants

3. Identification of the format and type of recording

4. Type of processing used in the analysis

5. Date and time of analysis of the audio files

6. Description of the evidence and of the circumstances and conditions in which it was
collected

7. Description of the enhanced audio-video and type of software that was used.

8. Qualifications of the Audio Video Analyst.

9. Authorized signatory with name and stamp

10. Hash Values of the Audio Video Files

Windows System Forensics


Windows forensic analysis focuses on two things:

1. In-depth analysis of the Windows operating system.

2. Analysis of Windows system artifacts.

Windows artifacts are the objects that hold information about the activities performed by a
Windows user. The type of information and the location of the artifact vary from one operating
system version to another. Windows artifacts contain sensitive information that is collected and
analyzed during forensic analysis.

What are Forensic Artifacts?

Forensic artifacts are objects that have some forensic value: any object that contains data or
evidence of something that has occurred, such as logs, registry hives and many more. In this
section we go through some of the forensic artifacts a forensic investigator looks for while
performing forensic analysis on Windows.

1. Recycle Bin: The Windows Recycle Bin contains some useful artifacts:

• An $I file containing the metadata of the deleted file (original path, original size and
deletion time). It is found under C:\$Recycle.Bin\<user SID>\$Ixxxxxx.

• An $R file containing the contents of the deleted file, found under
C:\$Recycle.Bin\<user SID>\$Rxxxxxx. The random characters after $I and $R are the same for
a given deleted file, which is how the two are paired.

• $I files can be parsed with a tool such as $I Parse.
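An added example of parsing an $I record, not taken from the original document or from the $I Parse tool. It handles both the Windows Vista/7/8 layout (version 1, a fixed 520-byte path field) and the Windows 10/11 layout (version 2, a length-prefixed path); the sample records, the path and the deletion time are constructed, and the path is assumed to contain only characters from the Basic Multilingual Plane so that one character is one UTF-16 code unit.

```python
"""Added example: parse Windows Recycle Bin $I metadata records (Vista-8.1
version 1 and Windows 10/11 version 2).  Sample records are constructed by
build_sample(); this is not code from the original page or from $I Parse."""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
V1_PATH_BYTES = 520  # MAX_PATH (260) UTF-16LE code units


def filetime_to_datetime(ticks):
    """FILETIME = 100-nanosecond ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    """Integer arithmetic only: a float would lose precision at ~1e17 ticks."""
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def parse_dollar_i(data):
    """Decode one $I file.

    offset 0   uint64  version: 1 = Vista..8.1, 2 = Windows 10 and later
    offset 8   uint64  original file size in bytes
    offset 16  uint64  deletion time (FILETIME)
    offset 24  v1: 520-byte NUL-padded UTF-16LE original path
               v2: uint32 path length in UTF-16 code units (incl. NUL), then path
    """
    if len(data) < 24:
        raise ValueError("truncated $I header")
    version, size, ticks = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + V1_PATH_BYTES]
    elif version == 2:
        (units,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + units * 2]
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {
        "version": version,
        "original_size": size,
        "deleted_utc": filetime_to_datetime(ticks),
        "original_path": path,
    }


def companion_r_name(i_name):
    """$I<id>.<ext> pairs with $R<id>.<ext>, which holds the deleted content."""
    if not i_name.startswith("$I"):
        raise ValueError("not an $I file name")
    return "$R" + i_name[2:]


def build_sample(version, path, size, deleted):
    """Constructed record in the layout Windows writes (sample data only;
    assumes BMP-only characters so len(path) equals the UTF-16 unit count)."""
    head = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted))
    if version == 1:
        return head + path.encode("utf-16-le").ljust(V1_PATH_BYTES, b"\x00")
    units = len(path) + 1                       # including the terminating NUL
    return head + struct.pack("<I", units) + (path + "\x00").encode("utf-16-le")


SAMPLE_PATH = r"C:\Users\alice\Documents\secret.docx"                 # constructed
SAMPLE_DELETED = datetime(2023, 5, 4, 12, 0, 0, tzinfo=timezone.utc)  # constructed

if __name__ == "__main__":
    for v in (1, 2):
        rec = parse_dollar_i(build_sample(v, SAMPLE_PATH, 2048, SAMPLE_DELETED))
        print(v, rec["original_path"], rec["original_size"], rec["deleted_utc"])
```

In a real case the input is the bytes of each $I file under the user's SID directory; the deletion time is stored in UTC, so convert to the suspect's time zone only at reporting time, and keep the $I/$R pairing in mind because the $R file alone carries no name or timestamp.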


2. Browsers: Web browsers contain a lot of information like:

 Cookies.

 Cached website data.

 Downloaded files.

3. Windows Error Reporting: This feature enables users to inform Microsoft about application
faults, kernel faults, unresponsive applications and other application-specific problems. It
provides artifacts such as:

• Evidence of program execution, if a malicious program crashed while running.

These artifacts are located at:

• C:\ProgramData\Microsoft\Windows\WER\ReportArchive

• C:\Users\XXX\AppData\Local\Microsoft\Windows\WER\ReportArchive

• C:\ProgramData\Microsoft\Windows\WER\ReportQueue

• C:\Users\XXX\AppData\Local\Microsoft\Windows\WER\ReportQueue

4. Remote Desktop Protocol cache: When the "mstsc" client provided by Windows is used (RDP is
also a common way for attackers to move laterally through a network), cache files are created
containing sections of the remote machine's screen that rarely change. These cache files are
located in the directory:

C:\Users\XXX\AppData\Local\Microsoft\Terminal Server Client\Cache

Tools like BMC-Tools can be used to extract the images stored in these cache files.

5. LNK files: .lnk files are Windows shortcut files that link or point to other files or
executables for ease of access. You can find the following information in them:

• The original path of the target file.

• Timestamps of both the target file and the .lnk file itself.

• File attributes such as System, Hidden, etc.

• Details about the volume the target resided on (drive type, serial number, label).

• Whether the target was on a local or a remote (network) path.

• The MAC address and NetBIOS name of the machine on which the link was created.


Linux System Forensics
Linux forensics refers to performing a forensic investigation on a Linux-operated device. To do
so, investigators should have a good understanding of the techniques required to conduct live
analysis and to collect volatile and non-volatile data, along with knowledge of the various shell
commands and the information they can retrieve. Investigators should also know the Linux log
files and where they are stored in the directory tree, as they are the most important sources of
information for tracing an attacker. This module walks you through the various shell commands,
methods for collecting volatile data, and the different log files and the information they
provide.

Shell Commands

Investigators use Linux shell commands to collect information from the system. Some of the
frequently used commands include:

1. dmesg

The dmesg command (short for "display message" or "driver message") prints the kernel ring
buffer, which contains information about the drivers loaded into the kernel during the boot
process and any error messages produced while loading them. These messages are helpful in
diagnosing device and driver issues, and on a live system they also show when storage devices
were attached.

Syntax: dmesg [options]

dmesg | grep -i eth0 (displays the kernel messages about the Ethernet port eth0)

2. fsck

The fsck command (File System Consistency Check) checks the consistency of a Linux file system
and can repair it. Because a repair modifies the file system, fsck must never be run against
original evidence; work on a verified image, or use the -n option so that it only reports problems
without changing anything.

Syntax: fsck -A (checks all configured file systems)

3. stat

Displays file or file system status, including the access (atime), modification (mtime) and
inode change (ctime) timestamps that are central to building a timeline.

Syntax: stat [OPTION]... FILE...

4. history

The history command lists the commands previously entered in the Bash shell, which is useful for
auditing what a user or attacker typed.

Syntax: history n (lists the last n commands)

5. mount

The mount command attaches a file system or device to the directory tree, making it accessible
to the system. When mounting evidence, use -o ro so that the file system is attached read-only.

Syntax: mount -t type device dir (requests the kernel to attach the file system of type `type`
found on `device` at the directory `dir`)
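An added example (not from the original document) of what the three timestamps shown by stat record, and which examiner actions on a live system disturb them. It works on a scratch file that it creates itself and assumes a POSIX file system (on Windows st_ctime is the creation time instead). Whether a plain read moves atime depends on the mount options (relatime, noatime), so the example reports that outcome rather than asserting it; the point for live analysis is that anything beyond stat itself can rewrite the evidence's own timeline.

```python
"""Added example: which of the stat timestamps (atime, mtime, ctime) each
action changes.  Uses a scratch file; assumes a POSIX file system.  Not
code from the original page."""
import os
import tempfile
import time

FIELDS = ("atime", "mtime", "ctime")


def snapshot(path):
    """The same three values `stat FILE` prints as Access, Modify and Change."""
    st = os.stat(path)
    return {"atime": st.st_atime_ns, "mtime": st.st_mtime_ns, "ctime": st.st_ctime_ns}


def changed(before, after):
    """Names of the timestamps that differ between two snapshots, sorted."""
    return sorted(k for k in FIELDS if before[k] != after[k])


def timestamp_effects(pause=1.05):
    """Perform three actions an examiner might take on a live system and
    record which timestamps each one disturbs.  `pause` leaves a gap larger
    than the coarsest common file-system timestamp granularity (1 s)."""
    effects = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "evidence.log")
        with open(path, "w") as f:                 # constructed sample file
            f.write("original content\n")
        before = snapshot(path)

        time.sleep(pause)
        with open(path, "a") as f:                 # content change
            f.write("appended line\n")
        after = snapshot(path)
        effects["append"] = changed(before, after)  # expect mtime and ctime
        before = after

        time.sleep(pause)
        os.chmod(path, 0o600)                      # metadata-only change
        after = snapshot(path)
        effects["chmod"] = changed(before, after)   # expect ctime only
        before = after

        time.sleep(pause)
        with open(path, "rb") as f:                # a plain read
            f.read()
        after = snapshot(path)
        effects["read"] = changed(before, after)    # [] or ["atime"], mount-dependent
    return effects


if __name__ == "__main__":
    for action, fields in timestamp_effects().items():
        print(f"{action:7s} changed: {fields or 'nothing'}")
```

Note that ctime cannot be set from user space with touch or utime, which is why a ctime that is newer than mtime is a classic sign that metadata (or the timestamps themselves) was tampered with after the last legitimate write.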

Graphics and Network Forensics


The word "forensics" means the use of science and technology to investigate and establish facts
in criminal or civil courts of law. Forensics is the procedure of applying scientific knowledge to
analyze evidence and present it in court.

Network forensics is a subcategory of digital forensics that deals with the examination of a
network and the traffic crossing it when the network is suspected of involvement in malicious
activity, for example a network spreading malware that steals credentials, or when analyzing a
cyber-attack. As the internet grew, cybercrime grew with it, and so did the significance of
network forensics, with the development and acceptance of network-based services such as the
World Wide Web, e-mail and others.

With the help of network forensics, the entire data exchange can be retrieved, including messages,
file transfers, e-mails and web browsing history, and reconstructed to expose the original
transaction. The payload carried in the uppermost layer may well end up on disk, but the envelopes
used to deliver it (addresses, ports and protocol headers) are only captured in network traffic.
Hence the network protocol data enclosing each dialog is often very valuable.

To identify attacks, investigators must understand the network protocols and applications
involved: web protocols, e-mail protocols, core network protocols, file transfer protocols, etc.

Investigators use network forensics to examine network traffic data gathered from networks that
are involved or suspected of being involved in cyber-crime or any type of cyber-attack. They then
look for data pointing to file manipulation, human communication, etc. With the help of network
forensics, investigators and cybercrime experts can generally track down all the communications
and establish timelines based on the network event logs recorded by network devices.
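An added example (not from the original document) of recovering the "envelope" described above from a packet capture: a minimal parser for the classic pcap format that peels off the Ethernet, IPv4 and TCP headers around an HTTP payload and builds a direction-independent conversation key from them. The capture is constructed in build_sample_pcap() with TEST-NET addresses; checksums are not validated, and pcapng, VLAN tags, IPv6 and IP fragmentation are deliberately not handled.

```python
"""Added example: minimal pcap reader that recovers the delivery envelope
(Ethernet/IPv4/TCP headers) around a payload.  The capture is constructed
in build_sample_pcap(); this is not code from the original page."""
import socket
import struct

TCP_FLAGS = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]  # bit 0 .. bit 5


def parse_pcap(data):
    """Return one dict per IPv4/TCP frame in a classic (non-pcapng) pcap."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"               # written by a little-endian host, microseconds
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    _, _, _, _, _, linktype = struct.unpack_from(endian + "HHiIII", data, 4)
    if linktype != 1:
        raise ValueError("only Ethernet link type 1 is handled")
    pos, frames = 24, []
    while pos + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, pos)
        pos += 16
        frame = data[pos:pos + incl_len]
        pos += incl_len
        parsed = parse_ethernet(frame)
        if parsed is not None:
            parsed["timestamp"] = ts_sec + ts_usec / 1e6
            frames.append(parsed)
    return frames


def parse_ethernet(frame):
    dst, src, ethertype = struct.unpack_from("!6s6sH", frame, 0)
    if ethertype != 0x0800:        # IPv4 only in this example
        return None
    pkt = parse_ipv4(frame[14:])
    if pkt is not None:
        pkt["eth_src"], pkt["eth_dst"] = src.hex(":"), dst.hex(":")
    return pkt


def parse_ipv4(pkt):
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum,
     src, dst) = struct.unpack_from("!BBHHHBBH4s4s", pkt, 0)
    if ver_ihl >> 4 != 4 or proto != 6:   # IPv4 carrying TCP only
        return None
    ihl = (ver_ihl & 0x0F) * 4
    seg = parse_tcp(pkt[ihl:total_len])
    seg.update({"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ttl": ttl})
    return seg


def parse_tcp(seg):
    (sport, dport, seq, ack, off, flags,
     _win, _csum, _urg) = struct.unpack_from("!HHIIBBHHH", seg, 0)
    hlen = (off >> 4) * 4          # data offset in 32-bit words
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": [n for b, n in enumerate(TCP_FLAGS) if flags & (1 << b)],
            "payload": seg[hlen:]}


def conversation_key(f):
    """Direction-independent key so both halves of a dialog group together."""
    return tuple(sorted([(f["src"], f["sport"]), (f["dst"], f["dport"])]))


def build_sample_pcap():
    """Constructed capture: one HTTP request from 192.0.2.10 to 198.51.100.7."""
    payload = b"GET /login HTTP/1.1\r\nHost: intranet.example\r\n\r\n"
    tcp = struct.pack("!HHIIBBHHH", 51514, 80, 0x1000, 0x2000, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0xBEEF,
                     0x4000, 64, 6, 0, socket.inet_aton("192.0.2.10"),
                     socket.inet_aton("198.51.100.7"))
    eth = struct.pack("!6s6sH", bytes.fromhex("001122334455"),
                      bytes.fromhex("66778899aabb"), 0x0800)
    frame = eth + ip + tcp + payload
    ghdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    rhdr = struct.pack("<IIII", 1_700_000_000, 250_000, len(frame), len(frame))
    return ghdr + rhdr + frame


if __name__ == "__main__":
    for f in parse_pcap(build_sample_pcap()):
        print(conversation_key(f), f["flags"], f["payload"][:20])
```

The payload line alone ("GET /login") could equally have been recovered from a browser cache on disk; the source address, ephemeral port, TTL and MAC addresses that tie it to a host and a moment in time exist only in the capture, which is the point made in the paragraph above.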

Processes Involved in Network Forensics:

Some processes involved in network forensics are given below:

• Identification: investigators identify and evaluate the incident based on network indicators.

• Safeguarding: investigators preserve and secure the data so that tampering is prevented.

• Accumulation: a detailed report of the crime scene is documented and all the collected
digital evidence is duplicated.

• Observation: all the visible data is tracked along with its metadata.

• Investigation: a final conclusion is drawn from the collected evidence.

• Documentation: all the evidence, reports and conclusions are documented and presented in
court.

Challenges in Network Forensics:

 The biggest challenge is to manage the data generated during the process.

 Intrinsic anonymity of the IP.

 Address Spoofing.

Advantages:

 Network forensics helps in identifying security threats and vulnerabilities.

 It analyzes and monitors network performance demands.

 Network forensics helps in reducing downtime.

 Network resources can be used in a better way by reporting and better planning.

 It helps in a detailed network search for any trace of evidence left on the network.

Disadvantage:

 The only disadvantage of network forensics is that it is difficult to implement.

Cell Phone and Mobile Device Forensics

Today's smartphones can perform functions that were possible only with a computer just a few
years ago. In fact, the tables have turned. Many applications are supported only on phones, with
developers choosing to ignore cross-platform development for computers entirely. While you
may use your computer at work and at other intermittent times throughout the day, you don't
have the constant access to it that you have to the phone in your pocket.

Cell phones are used for everything from making calls and sending texts to transferring money
and storing confidential documents. Cell phones store millions of data records in the form of
emails, messages, pictures, location data, financial information, and thousands of other types.
Much of this data can be recovered even after it has been deleted.

Mobile Device Forensics

Our experts are certified and highly experienced in mobile device forensics. Coupled with access
to state-of-the-art forensic hardware and software, our team possesses the technology and
expertise to provide comprehensive consultation and analysis to help you achieve the best
possible outcome in your case.

Our cell phone forensics experts can recover, analyze and report on the following common data
types, among thousands of others:

 Text messaging

 Social media

 Location history

 Internet activity

 Search activity

 Email communication

 Photos and videos

 Voice calls

 Application data

 Biometric data

 Financial data

Cell Phone Forensics Experts

Our cell phone forensics experts include, but are not limited to:

 XRY Certified Examiners (XRY)

 Cellebrite Certified Operators (CCO)

 Cellebrite Certified Physical Analysts (CCPA)

 Cellebrite Advanced Smartphone Analysis (CASA)

 Cellebrite Certified Mobile Examiners (CCME)

The Mobile Device Forensic Examination Process

Digital evidence is fragile and volatile. Improper handling of a mobile phone can alter or destroy
the evidence contained on the device. Further, if the mobile phone is not handled according to
digital forensics best practices, it can be impossible to determine what data was changed and
whether those changes were intentional or unintentional. To protect the evidence and prevent
spoliation, mobile devices need to be analyzed by a trained examiner using mobile device
forensic tools.

The initial handling of digital evidence can be divided into four phases: identification, collection,
acquisition, and preservation.

Identification

The identification phase's purpose and scope are to identify the digital evidence relevant to the
case. It is possible that this evidence will span multiple devices, systems, servers, and cloud
accounts. With a mobile phone, the data is not isolated only to the device. The data contained in
the device can be synced to cloud storage or another mobile device or backed up onto a
computer.

Identification also requires comprehensive documentation. Documentation is critical throughout
the entire investigative process, but especially in the beginning, as any mistakes can taint the
evidence. The acquisition phase gives us a perfect snapshot in time (forensic copy) of how the
data exists. Since identification is the first step and comes before acquisition, mistakes made here
are carried through the whole process.

Collection

The collection phase involves gathering physical devices, such as the smartphone and other
mobile devices. Since digital evidence can span multiple devices, systems, and servers,
collecting it can become more complicated than securing more traditional forensic evidence.
There are vital functions that should be performed to protect the evidence.

Acquisition

The acquisition process is where a digital forensic examiner acquires, or forensically copies, the
data from a mobile device using a variety of methods.

Preservation

The mobile phone's integrity and the data on it need to be established to ensure that evidence is
admissible in court.
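The acquisition and preservation steps above, as an added example that is not part of the original notes (and not the output of any named forensic tool): the source is hashed before copying, the copy is hashed after and compared, the copy is made read-only, and a custody record is written beside it so that later re-verification can show whether the copy is still byte-for-byte what was acquired. The device image, examiner name and evidence id are constructed placeholders; the same hash-before, hash-after check is what the network forensics "safeguarding" step relies on.

```python
import hashlib, json, os, tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash/copy in 1 MiB pieces so a large image never sits in memory

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def acquire(source, dest, examiner, evidence_id):
    """Copy `source` to `dest` byte for byte, hash both sides and write a custody
    record beside the copy; raise if the copy does not match the source."""
    source_hash = sha256_file(source)
    with open(source, "rb") as s, open(dest, "wb") as d:
        for block in iter(lambda: s.read(CHUNK), b""):
            d.write(block)
    os.chmod(dest, 0o444)  # the working copy is read-only from here on
    if sha256_file(dest) != source_hash:
        raise RuntimeError("acquisition failed: copy hash differs from source")
    record = {"evidence_id": evidence_id, "examiner": examiner,
              "acquired_at": datetime.now(timezone.utc).isoformat(),
              "size_bytes": os.path.getsize(dest), "sha256": source_hash}
    with open(dest + ".custody.json", "w") as f:
        json.dump(record, f, indent=2)
    return record

def verify(dest):
    """Re-hash the copy against its custody record; False means it was altered."""
    with open(dest + ".custody.json") as f:
        record = json.load(f)
    return sha256_file(dest) == record["sha256"]

def demo():
    """Constructed walk-through: acquire a fake dump, verify, alter one byte, verify."""
    work = tempfile.mkdtemp()
    source = os.path.join(work, "phone_dump.bin")     # stand-in for a device image
    with open(source, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 17))
    copy = os.path.join(work, "phone_dump_copy.bin")
    acquire(source, copy, "EXAMINER-PLACEHOLDER", "EVID-PLACEHOLDER")
    intact = verify(copy)
    os.chmod(copy, 0o644)                              # lift read-only only to simulate tampering
    with open(copy, "r+b") as f:
        first = f.read(1)
        f.seek(0)
        f.write(bytes([first[0] ^ 0xFF]))              # flip every bit of the first byte
    return intact, verify(copy)
```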

Reporting

If requested by the client, a report will be prepared of the data contained on the mobile device.
Sometimes, it makes the most sense for our examiners to export all of the data from a cell phone
for counsel's review. We format this export in such a way that makes it as accessible as possible,
with the ability to search and filter the data.

Sometimes, when timelines, data types, or types of particular forensic artifacts need to be
explained in order to tell the story of what happened in a case, a more in-depth report is needed.
