Digital forensics has become one of the most important aspects of data security in that studying digital evidence after an attack is how we learn to prevent further attacks and mitigate damages. Within digital forensics, mobile device forensics is becoming even more important.
The inundation of mobile devices upon the workplace has overwhelmed IT security. BYOD and business-supplied smartphones and tablets both leave holes in IT security measures that can’t always be covered. Anytime a device is used on an external wireless network, the possibility of infection by a virus or Trojan is real.
Mobile device forensics is evolving into a must-have role within many enterprise-IT organizations. Although it is a relatively new specialty segment within IT forensics, recovering clues from a digital device after an attack can help an organization further secure that device and many others.
In our IT Downloads area, the informative document “Guidelines on Mobile Device Forensics” explains the importance of such techniques for organizations. The guide’s objectives are explained as such:
The objective of the guide is twofold: to help organizations evolve appropriate policies and procedures for dealing with mobile devices and to prepare forensic specialists to conduct forensically sound examinations involving mobile devices.
The guide sets the scope of its documentation, explains its audience, and goes on to detail on how the guide is laid out. From there, topics and sections include:
- Mobile device characteristics
- Memory considerations
- Forensic tools
- Securing and evaluating the scene
- Mobile device identification
- Examination and analysis
- Potential evidence
Many other topics are covered to help those interested in mobile device forensics to become educated on the various aspects of importance. In the area of forensic tools, it explains the types of tools available:
The types of software available for mobile device examination include commercial and open source forensic tools, as well as non-forensic tools intended for device management, testing, and diagnostics. Forensic tools are typically designed to acquire data from the internal memory of handsets and UICCs without altering their content and to calculate integrity hashes for the acquired data. Both forensic and non-forensic software tools often use the same protocols and techniques to communicate with a device. However, non-forensic tools may allow unrestricted two-way flow of information and omit data integrity hash functions. Mobile device examiners typically assemble a collection of both forensic and non-forensic tools for their toolkit.
Mobile forensic tools are classified in one of several levels. Level 1 includes manual extraction methods, level 2 logical extraction methods, level 3 Hex dumping and JTAG extraction, level 4 chip-off methods, and level 5 involves the most invasive micro-read methods.
This guide would appeal to anyone in IT security who is currently or will soon be dealing with mobile devices in the workplace. It’s equally as informative to those dealing with BYOD and those whose companies supply mobile devices.