Digital Investigation 8 (2011) 135-140
Available online at www.sciencedirect.com
Journal homepage: www.elsevier.com/locate/diin
An analysis of digital forensic examinations: Mobile devices versus hard disk drives utilising ACPO & NIST guidelines
Paul Owen, Paula Thomas*
Information Security Research Group, Faculty of Advanced Technology, University of Glamorgan, Pontypridd, CF37 1DL, UK
Article info
Article history: Received 21 January 2010; received in revised form 17 September 2010; accepted 24 March 2011.
Keywords: Mobile forensics; Computer forensics; Information security; ACPO; NIST
* Corresponding author. E-mail addresses: [email protected] (P. Owen), [email protected] (P. Thomas).
1742-2876/$ - see front matter © 2011 Elsevier Ltd. All rights reserved. doi:10.1016/j.diin.2011.03.002
Abstract
The aims of this paper are to compare and contrast the current guidelines involved in the forensic examination of mobile devices and hard disk drives. The paper then identifies areas of mobile device examination where current guidelines differ and could lack strength and solidity. Guidelines and research into the forensic examination of hard disk drives are much more established than those for mobile devices. Both the United Kingdom and the United States of America have published guidelines for the forensic analysis of mobile devices; these guidelines are examined throughout this paper. In the United Kingdom they are issued by ACPO (Association of Chief Police Officers) in the Good Practice Guide for Computer-Based Electronic Evidence. In the United States of America they are issued by NIST (National Institute of Standards and Technology) as Special Publication 800-101, Guidelines on Cell Phone Forensics.
© 2011 Elsevier Ltd. All rights reserved.
1. Introduction
Forensics is the art or study of argumentative discourse where science is used to provide facts, i.e. applying science to law. It is a technique for the identification, recovery and reconstruction of evidence (ACPO, n.d.). Forensic science investigators reconstruct/extract evidence that can be applied to criminal cases to provide further leads or to conclude facts. Computer Forensics has adopted a similar investigative procedure, but the scientific examination is solely concerned with the data held on, or retrieved from, digital media. Therefore, Computer Forensics can be defined as the preservation, identification, extraction, documentation and interpretation of computer data (Barrett, 2004).
Mobile devices have become an integral part of daily life and are essentially personal data storage and communication devices. These devices are often seized as part of criminal investigations due to the nature and amount of data that such a device may contain. Mobile device forensics is a relatively new and emerging field of forensics that is closely associated with computer forensics, as the forensic examination is concerned primarily with digital evidence.
Forensic guidelines, whether for traditional forensic science, computer forensics or mobile device forensics, follow strict procedures that must be adhered to in order for the evidence to be admissible in a court of law. The Association of Chief Police Officers (ACPO) guidelines serve to ensure that correct practices and procedures are initiated. The National Institute of Standards and Technology (NIST) guidelines help to evolve correct policies and procedures, as well as preparing specialists to contend with new forensic circumstances when they arise. The NIST guidelines, however, state that they are a guide to improving the field of mobile device forensics, not a guide to how law enforcement should handle mobile devices during an investigation.
2. Mobile device versus hard disk drive analysis
Digital forensic investigators require tools to aid their investigations; these tools should allow the investigator to analyse the hard disk drive in a manner that is forensically acceptable. In order to address the issue of evidential integrity, the forensic investigator works on a digital image/copy of the hard disk drive using write protection, thus ensuring that the seized disk drive is not altered to any degree. Examples of such tools are Guidance Software's EnCase and AccessData's Forensic Toolkit. Both these software tools perform a range of functions that help the forensic investigator:
• Make digital copies of hard disk drives (image).
• Decrypt files and identify steganography.
• Use standard connections such as IDE or SATA.
• Recover passwords and perform dictionary-based attacks.
• Provide search facilities for files and data carving.
• Control how a forensic image is created.
• Perform cryptographic hashes to verify disk image integrity.
• Efficient reporting functionality.
• Examine various drive images at the same time.
• Recover deleted data.
• Examine the file signatures of suspect files.
Software for use in the forensic examination of mobile devices, such as Micro Systemation's .XRY, Paraben's Device Seizure and BitPim, is evolving rapidly; however, these tools all have similar limitations:
• Imaging a mobile device is often difficult, as each device provides new challenges for the forensic examiner. A new handset is introduced worldwide every 4 days; it may incorporate different features and functionality, a new type of charger or a new version of an operating system. These features may not be supported by existing software tools, and a new revision of the forensic software will be required to support the device.
• Most software will produce a report of the data that may be found on a mobile device. The contents of this report may vary depending upon the make, model or even firmware revision of the device.
• The interpretation or reconstruction of deleted data using hexadecimal (hex) memory dumping is an ad hoc, laborious and problematic process. The dump is difficult to read and can be incomplete. To understand this data, if written in English, it may be necessary to convert the hexadecimal format into ASCII (American Standard Code for Information Interchange). As each manufacturer stores data in different memory locations or addresses, it is then necessary to examine the memory dump to identify locations of potential evidence.
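As an added illustration of the hex-dump reading described above (this code is not part of the original paper and is not a tool from any vendor named here), the following Python renders a memory dump in hex with an ASCII column and carves the printable ASCII runs together with their offsets, which is the first step an examiner takes before mapping a manufacturer's memory layout. The dump bytes, the name and the number in it are constructed for the example.

```python
import string

# Constructed sample "memory dump" (not from a real handset): binary padding
# around three ASCII fragments, as an examiner might see after a hex dump.
SAMPLE_DUMP = (
    b"\x00\xff\x1b\x02" + b"John Smith" + b"\x00\x00\x7f"
    + b"+441443480480" + b"\x00\x10\x00" + b"Meet at 9" + b"\x00" * 6
)

# Bytes treated as readable ASCII: letters, digits, punctuation and space.
PRINTABLE = set(string.printable.encode("ascii")) - set(b"\t\n\r\x0b\x0c")


def hexdump(data: bytes, width: int = 16) -> str:
    """Render bytes xxd-style: offset, hex bytes, then an ASCII column
    where non-printable bytes are shown as '.'."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asc = "".join(chr(b) if b in PRINTABLE else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart:<{width * 3 - 1}}  |{asc}|")
    return "\n".join(lines)


def carve_strings(data: bytes, min_len: int = 4) -> list:
    """Return (offset, text) for every run of at least min_len printable
    ASCII bytes; the offset is what gets recorded against the device layout."""
    found = []
    start = None
    for i, b in enumerate(data):
        if b in PRINTABLE:
            if start is None:
                start = i
            continue
        if start is not None and i - start >= min_len:
            found.append((start, data[start:i].decode("ascii")))
        start = None
    if start is not None and len(data) - start >= min_len:
        found.append((start, data[start:].decode("ascii")))
    return found


if __name__ == "__main__":
    print(hexdump(SAMPLE_DUMP))
    for offset, text in carve_strings(SAMPLE_DUMP):
        print(f"0x{offset:04x}: {text}")
```

The offsets returned by `carve_strings` are the values an examiner notes against the handset model and firmware revision, since, as the paper observes, the same field sits at different addresses on different devices; text stored in non-ASCII encodings (for example 7-bit GSM or UTF-16) will not appear as readable runs and needs its own decoder.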
Hard disk drives and mobile devices both contain hardware and software 'layers' that must be functioning to gain access to data. For hard disk failures it is also possible to replace faulty drive heads and attach new printed circuit boards, thus potentially gaining access to data. When a hard disk is not recognised by a computer it is usually due to physical damage, electrical failure or firmware failure on the controller. It may be possible to reload firmware modules and repair the drive, hence allowing access to any user data on the disk. Research by DeepSpar (Data Recovery, n.d.) has stated that 50% of hard disk failures are due to corrupt firmware. The process of exclusively repairing damaged firmware is not attainable for faulty mobile devices. Corrupt firmware on a mobile device at present requires that the device be 'flashed': the firmware/operating system has to be reinstalled, and this process results in all logical data on the mobile device being overwritten. A research study conducted by the University of Glamorgan has shown that mobile device 'flashing' overwrote the logical data on over 300 mobile devices from major manufacturers such as Nokia, Samsung and Sony Ericsson (Researcher, n.d.).
Mobile devices have many more connected 'layers' that can hinder or conclude investigations before they are initiated. Failures at a 'layer' on a mobile device can render the evidence unobtainable using standard software tools. These failures present challenges, as the device may not indicate the fault(s) present. Examples of failures are:
• Hardware layer: processor, RAM, ROM, signal antennas and various other input/output hardware and connections.
• Original Equipment Manufacturer - Vendor (OEM) layer: boot loading, configuration files and the application layer. Linked to system start-up, management, profiling, power, timers and other events that may be enabled.
• Application layer: applications are found here, consisting of such things as Microsoft Office, Internet applications, remote wiping and media players.
A hard disk, when not directly connected to an electrical supply, is in an off state. A mobile device could, however, be in one of five possible 'states'. These states present frequent challenges; a first responder or examiner might not know what state a mobile device is in, so a poor decision could be made in handling or during examination. The examiner needs to be aware that events could be triggered during an examination which could alter the state and evidential integrity of the device. These mobile device states are:
• Off: powered off and the battery of the device removed.
• Nascent state: no user data (factory fresh).
• Quiescent state: the device appears inactive even though it is actually performing functions whilst maintaining user data, such as keeping the time and date accurate as well as maintaining network connectivity.
• Semi-active state: entered when the device is waiting for a set time to perform a function, for example an alarm clock sounding or an application performing a task.
• Active state: the status when the device is powered on and tasks are performed on it, such as making/receiving a telephone call.
Mobile devices present difficulties in obtaining forensically acceptable data; it is currently not possible to make a digital bit-by-bit copy of a mobile device to another mobile device, as the available software/hardware tools are significantly less advanced when compared to hard disk drive imaging. The mobile device data has to be copied to a computer, namely its hard disk drive. Frequently, examinations commence directly on the seized mobile device due to imaging limitations; this has implications for maintaining evidential integrity. Data may also be written to the device during the imaging process, as software is often required to access the device for initiation.
A mobile device has its operating system, data storage (not including a media card) and power source embedded in its components, and the mobile device has to be switched on so that the data can be extracted for analysis. The process of switching on the mobile device and connecting forensic software/hardware results in changes being made to the state of the mobile device.
When an image is created from a hard disk, it is an exact forensic duplicate, verified using cryptographic hash functions such as MD5 (Network, n.d.). The forensic examiner would then work on the image, thus preserving the evidential integrity of the original hard drive. Any cryptographic hashes obtained from a mobile device will change whenever the mobile device changes its state, for example on an automatic update of the time and date. This poses evidential integrity issues, as the evidence will have changed from when it was originally seized. Therefore an examiner must be fully competent in dealing with the mobile device and must be aware of the impact of such changes in device state.
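To make the hashing point concrete, here is an added Python example (not from the paper or from any tool it names): it records whole-image MD5 and SHA-256 digests at acquisition, verifies a later copy against them, and keeps a per-block SHA-256 manifest so that when a powered-on handset changes state the examiner can show which blocks changed, rather than only that the whole-image hash no longer matches. The 2 KiB 'extraction', its block layout and the clock-update function are constructed assumptions for the example.

```python
import hashlib

BLOCK = 512  # assumed block size for the per-region manifest

# Constructed 2 KiB "extraction" (not from a real device): block 0 holds message
# text, block 2 holds the handset's clock field; the rest is zero padding.
_img = bytearray(4 * BLOCK)
_img[0:24] = b"SMS:Meet at 9 tomorrow  "
_img[2 * BLOCK:2 * BLOCK + 25] = b"CLOCK:2010-01-21T10:00:00"
ORIGINAL_IMAGE = bytes(_img)


def image_hashes(image: bytes) -> dict:
    """Whole-image digests recorded at acquisition: MD5 as the paper cites,
    plus SHA-256 because MD5 collisions are practical."""
    return {
        "md5": hashlib.md5(image).hexdigest(),
        "sha256": hashlib.sha256(image).hexdigest(),
    }


def verify_image(image: bytes, recorded: dict) -> bool:
    """True only if every recorded digest matches the image as it is now."""
    current = image_hashes(image)
    return all(current[name] == value for name, value in recorded.items())


def region_manifest(image: bytes, block_size: int = BLOCK) -> list:
    """SHA-256 of each fixed-size block, kept alongside the whole-image hash."""
    return [
        hashlib.sha256(image[i:i + block_size]).hexdigest()
        for i in range(0, len(image), block_size)
    ]


def changed_blocks(before: list, after: list) -> list:
    """Indices of blocks whose digest differs between two manifests; a length
    difference is reported as a change of every block past the shorter one."""
    common = [i for i, (a, b) in enumerate(zip(before, after)) if a != b]
    extra = list(range(min(len(before), len(after)), max(len(before), len(after))))
    return common + extra


def after_clock_update(image: bytes) -> bytes:
    """Constructed state change: the powered-on handset advances its clock
    by one minute, touching only the clock field in block 2."""
    updated = bytearray(image)
    updated[2 * BLOCK:2 * BLOCK + 25] = b"CLOCK:2010-01-21T10:01:00"
    return bytes(updated)


if __name__ == "__main__":
    recorded = image_hashes(ORIGINAL_IMAGE)
    manifest = region_manifest(ORIGINAL_IMAGE)
    later = after_clock_update(ORIGINAL_IMAGE)
    print("whole-image hash still matches:", verify_image(later, recorded))
    print("blocks changed by the clock update:",
          changed_blocks(manifest, region_manifest(later)))
```

The whole-image check fails after the clock tick, exactly as the paper describes; the block manifest lets the examiner document that only the clock region moved and that the message data is byte-identical, which is the kind of explanation ACPO Principle 2 asks a competent examiner to give.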
The functionality of mobile device forensics compared to that of hard disk forensics can be seen as quite primitive and problematic. The features and functionality available to hard disk drive forensic tools would be of great value to mobile device forensic investigators. However, at present many of these features are not incorporated into mobile device forensics tools, and much work needs to be undertaken to ensure that mobile device analysis can be considered comparable to hard disk analysis.
3. A review of the Association of Chief Police Officers (ACPO) Good Practice Guide for Computer-Based Electronic Evidence v4.0 guidelines
The ACPO guidelines provide a guide to the examination of all types of computer devices. The guide states that it assists in dealing with allegations of crime which involve high-tech elements and in ensuring that all evidence is collected in a timely and appropriate manner. It has been stated by a senior police officer (CFET, 2009) that there are issues that fall outside of the guide and that an examination may well jeopardise the integrity of evidence.
There are four main ACPO principles detailing how electronic evidence should be handled during the course of an investigation. For reference in this paper, these are:
3.1. Principle 1
No action taken by law enforcement agencies or their agents
should change data held on a computer or storage media
which may subsequently be relied upon in court.
3.2. Principle 2
In circumstances where a person finds it necessary to access
original data held on a computer or on storage media, that
person must be competent to do so and be able to give
evidence explaining the relevance and the implications of
their actions.
3.3. Principle 3
An audit trail or other record of all processes applied to
computer-based electronic evidence should be created and
preserved. An independent third party should be able to
examine those processes and achieve the same result.
3.4. Principle 4
The person in charge of the investigation (the case officer) has
overall responsibility for ensuring that the law and these
principles are adhered to.
ACPO guidelines fully enforce that digital evidence is important and that it should not be altered in any form unless necessary (Principle 2), at which point further documentation must take place to maintain the chain of custody (Principle 3).
3.5. Further considerations for mobile devices
For the seizure/preservation of mobile device evidence, ACPO Principle 1 recommends that examinations take place in a controlled environment, thus reducing the risk of accidental communications. This can be conducted using a shielded room, or as an alternative a Faraday tent is also recommended. It has been found, however, that the integrity of the device may well be jeopardised, as any external power supply could act as an antenna or the bag may be unsuitable for its purpose (Salmon, 2010). When a device is seized while connected to a network, the location area information is stored on the handset/Subscriber Identity Module; transferring the handset into a Faraday bag may in some cases result in the device still being able to communicate with the network, thus altering its location status and receiving incoming data (Phone, n.d.). Principle 1 states further that another possible way to isolate the device from the network is to turn it off. Research has shown that the 'normal' way of turning a device off might not be available, as the device may be faulty and/or its power button may not work. If a mobile device is left switched on then changes will automatically occur, for example the clock and time of day will be updated. ACPO states that other changes may also occur; however, there are no examples of what these could be. An example could be remote deletion of data on the device, which is possible via an external wireless source; this alone is very important and is not even considered, thus Principle 1 could be completely violated.
A mobile device may not be compatible with a certain tool; therefore manual examination has to take place and Principle 2 would immediately be invoked. The forensic integrity of this method is called into question, as it is impossible for a true forensic examination to take place.
ACPO suggests an examiner should be familiar with the mobile device and its buttons. The modern generation of handsets has fewer buttons as the trend turns to touch screen devices. Principle 2 is often invoked in the examination of touch screen mobile devices, as the acquisition of data from the device may involve the installation of third party software that possibly changes the device's status to that of a storage device to enable the software to communicate with it.
It is stated that it may be possible to acquire a device wirelessly using infrared or Bluetooth. These methods are the least secure, and data will be written to the device, for example Bluetooth pairings. Principle 2 states that a software virus infection on the examining computer may compromise current and subsequent examinations, jeopardising the integrity of the whole investigation. The only method of acquisition for certain devices using a tool is wireless connectivity; therefore the investigator needs to be fully aware of Principle 2 and the implications of wireless acquisitions.
Usage of non-forensic tools during investigations is mentioned; however, with regard to forensic integrity this section states that their 'operation/effects' should be understood. Using tools which are not forensically tested could well make evidence inadmissible, as their integrity could be called into question.
ACPO Principle 1 suggests using an "access card", i.e. a subscriber identity module card that will mimic the identity of the original card, for analysis. Replacing the SIM card could have forensic implications, as inserting a 'cloned SIM' in some handsets will destroy the call register on the device when it is powered on. Further problems are faced if the SIM is stored under the battery: removing the battery could destroy volatile data, for example timestamps on the phone proving the times and dates at which events had taken place. Even if a competent person were examining a device, data could be destroyed or changed unintentionally whilst trying to obtain further evidence, as the actions engaged could render the device inadmissible, since potential evidence could be destroyed.
It is not possible to conduct all examinations with the battery inside some devices; some forensic hardware for particular models of phone requires that an external device be placed underneath the battery and the battery then placed inside the device, so removing the battery could again destroy vital evidence. Thus Principle 2 may well have to be considered: for example, when the battery is removed from a Nokia 3310 the stored dates and times are lost.
Volatile data is present in memory on a mobile device and could be lost due to a lack of power or an action engaged by the examiner. Recovering volatile data presents the investigator with challenges that need to be understood, as any actions performed could destroy potential evidence. To initiate forensic examinations, resetting of the device may be required due to problems such as the device 'freezing'. Thus Principle 2 would be required; this will result in the loss of some data (device dependent), and a hard reset will destroy everything held in RAM. A soft reset will initialise the RAM, and data earmarked for deletion will be destroyed. In some devices the removal of a power source will trigger a hard reset. Obtaining knowledge of which devices will do this, and which will not, can be an impossible and thankless task, as there are so many different models and versions of devices that could yield different results.
An investigator may have to contact the network to unblock a phone using the PUK (PIN Unblocking Code); this, however, is dependent on the network co-operating with the investigator. Principle 2 may have to be considered, as a manual examination of the mobile device will be required. Principle 1 is brought into consideration when a service provider could/may disable the subscriber account so that it no longer receives calls. Principle 2, however, is more relevant, as the guidelines state that such an approach has not been thoroughly tested and that the effects on the handset and SIM are not fully understood. It has been stated that the disabling of a subscriber's account could permanently delete voicemail. As ACPO have stated that it is not fully understood, the evidential integrity of the device and investigations conducted on it could be brought into question.
With such a diverse range of models, features and manufacturers available to the consumer, it is extremely difficult to know what inadvertent actions Principle 2 could invoke. It has been found through research at the University of Glamorgan (Researcher, n.d.) that devices of the same model that have different versions of software can also contain components from different manufacturers, which could yield different results and raise integrity issues for the investigation.
ACPO guidelines suggest that even after a forensic examination has been conducted, a manual examination should be undertaken to compare the results and ensure completeness of a download. This does appear contradictory, as Principles 1 and 2 are in direct conflict. It can only be assumed, therefore, that the tools used in examinations are not totally reliable or credible, as manual examinations have to be conducted on seized devices.
If an investigator starts to manually examine a mobile device then evidence will be changed, for example the last time a picture was accessed, or by opening unread text messages. Principle 2 highlights that a person must be competent to conduct investigations and be able to give evidence of the relevance of their actions. Consideration must also be given to applications installed on the device: should these therefore be examined? If examined, the actions performed may completely change the evidential integrity of the device, as the application may change a significant portion of the device's state. The investigator must also consider what other changes are made to the device as a result of a manual examination. Can the evidence now be trusted, and is it in its true status, such as read or unread? With Principle 2 in mind, an investigator may find it difficult to convince a court that what has been imaged is correct, as the actual mobile device has changed its status and cryptographic hash values such as MD5 are no longer comparable.
4. A review of the National Institute of Standards and Technology (NIST) guidelines: Special Publication 800-101
The NIST guidelines state that "mobile device forensics is a relatively new phenomenon, not usually covered in classical computer forensics". These guidelines are published solely for cellular phone forensic examinations. The guidelines are not limited to examining 'traditional' items such as text messages and call records but also cover the operation and characteristics of cellular networks and standards, for example GSM and CDMA. Details such as this are important, as examiners will need to fully understand network provider information, such as location status, that could be destroyed.
The guidelines are clearly defined in terms of their scope, aims and objectives, which include procedures for the preservation, acquisition, examination, analysis and reporting of mobile device evidence. It is clear that the aims of the guidelines are to help organisations make informed decisions, to help prepare personnel in dealing with mobile device forensics and to provide information that could aid the development of policies and procedures. It is stated that "every situation is unique and therefore specific caution is required". It is stated that organisations should have their own set of forensic policies for different scenarios and should not rely on the guidelines. The level of detail that is required for a policy is also defined, indicating items that should be included to maintain a chain of custody. Detail is given to the procedures and practices that are undertaken during a forensic examination of a mobile device. Under procedures and principles, clear advice and consideration is given to the handling of evidence.
Various methods of data acquisition are discussed in detail; it is recommended that a cable is used where possible. In situations where this is not possible and a wireless acquisition has to be made, due to damage or because it is the only method available for the tool being used, the associated risks, such as changing the state of the device or possible infection, are stated. This is gratifying, as clear scope is given to how evidence can alter and inadvertently become inadmissible.
The differences between physical and logical examinations are well covered, and the guide highlights how evidence can be recovered and where it could possibly reside in memory. Clear, easy to understand guides examine how mobile device memory operates, how data can be stored in various locations and what considerations should be made when dealing with it.
A lot of effort has gone into the production of a guide that shows the various types of evidence that could be on a U/SIM and how they can be found and examined. It is pleasing to see how NIST addresses the various types of extracted data, for example 7-bit GSM, what this raw data means and how it can be interpreted using tools.
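As an added example of interpreting the 7-bit GSM data NIST describes (this code is not from the paper or from SP 800-101), the following Python packs and unpacks the GSM 7-bit default alphabet as used in SMS user data: septets are packed least-significant-bit first, the escape septet 0x1B selects the extension table, and the septet count has to be carried separately, because a message of 7n characters fills its bytes exactly and an unpacker that trusts the byte length alone would append a spurious '@'. The sample strings are constructed, and the handling of an unrecognised extension code as a space is an assumption of this example.

```python
# GSM 03.38 / 3GPP TS 23.038 default 7-bit alphabet, 128 entries in code order.
GSM7_DEFAULT = (
    "@£$¥èéùìòÇ\nØø\rÅå"
    "Δ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ"
    " !\"#¤%&'()*+,-./"
    "0123456789:;<=>?"
    "¡ABCDEFGHIJKLMNO"
    "PQRSTUVWXYZÄÖÑÜ§"
    "¿abcdefghijklmno"
    "pqrstuvwxyzäöñüà"
)
ESC = 0x1B
# Extension table reached via the escape septet (the commonly used entries).
GSM7_EXT = {0x0A: "\f", 0x14: "^", 0x28: "{", 0x29: "}", 0x2F: "\\",
            0x3C: "[", 0x3D: "~", 0x3E: "]", 0x40: "|", 0x65: "€"}
GSM7_EXT_REV = {ch: code for code, ch in GSM7_EXT.items()}


def septets_from_packed(packed: bytes, septet_count: int) -> list:
    """Extract septet_count 7-bit values; septet i occupies bits 7i..7i+6 of the
    little-endian bit stream, which is how SMS user data is packed."""
    bits = int.from_bytes(packed, "little")
    return [(bits >> (7 * i)) & 0x7F for i in range(septet_count)]


def gsm7_unpack(packed: bytes, septet_count: int) -> str:
    """Decode packed user data. septet_count comes from the TP-UDL field: it
    cannot be inferred from len(packed) when the text fills its bytes exactly."""
    septets = septets_from_packed(packed, septet_count)
    out, i = [], 0
    while i < len(septets):
        code = septets[i]
        if code == ESC and i + 1 < len(septets):
            # Assumption for this example: an unknown extension code shows as a space.
            out.append(GSM7_EXT.get(septets[i + 1], " "))
            i += 2
        else:
            out.append(GSM7_DEFAULT[code])
            i += 1
    return "".join(out)


def gsm7_pack(text: str) -> tuple:
    """Encode text to (packed bytes, septet count). Raises ValueError for a
    character outside the default and extension tables."""
    septets = []
    for ch in text:
        if ch in GSM7_EXT_REV:
            septets += [ESC, GSM7_EXT_REV[ch]]
        else:
            septets.append(GSM7_DEFAULT.index(ch))
    bits = 0
    for i, s in enumerate(septets):
        bits |= s << (7 * i)
    return bits.to_bytes((7 * len(septets) + 7) // 8, "little"), len(septets)


if __name__ == "__main__":
    packed, count = gsm7_pack("hello")          # constructed sample text
    print(packed.hex().upper(), count)          # E8329BFD06 5
    print(gsm7_unpack(packed, count))
    seven, _ = gsm7_pack("ABCDEFG")
    print(gsm7_unpack(seven, 8))                # shows the trailing '@' trap
```

Reading the septet count from the message header rather than guessing it from the byte length is the difference between a faithful transcript and one with an extra character at the end of every seventh-multiple-length message, which matters when the exhibit is a text message quoted in court.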
Legal practices are also taken into consideration and are discussed in detail. The ACPO Good Practice Guide for Computer-Based Electronic Evidence v4.0 is mentioned as a set of evidential principles, and it is stated that their aims are to ensure the integrity and accountability of digital evidence through its entire lifecycle. Other principles are also mentioned: the Proposed Standards for the Exchange of Digital Evidence (IOCE) are similar to the ACPO guidelines, and the Daubert standard (Law) remains a set of standards that serve as a guide when dealing with evidence in a court of law. These principles aim to ensure the integrity and accountability of digital evidence throughout an investigation. NIST has taken into account that those standards or principles may be relevant to different types of investigation; therefore the onus is on the investigator/procedure documenter to state which principles are of best value for the nature of an investigation.
4.1. NIST tool evaluation
The NIST guidelines detail tests of mobile phone forensic tools and produce test methods, reference data and proof of concept implementations, as well as technical analysis, to advance the mobile forensic discipline. The guidelines are clearly defined and include developing and improving standards, such as technical and management standards. The NIST review of mobile device forensic tools results in the development of their own test specification and requirements document for the tool. Once testing has been performed, the tools are then selected for formal testing using a defined test specification (Koenneck, 2009). With predefined test plans, a test strategy is formulated for informal testing. Finally a set-up document is created; this document is then peer reviewed, and only at this point is the test report available.
The guidelines' requirements set out clear expectations of what a tool claims to do and what it can actually do after the rigorous testing phases. All tools should meet a defined core standard in how they operate; an example of this is a reporting facility. Optional requirements should only be met if the features are offered by the tool. A broad range of features is considered, for example looking at how text from different languages is interpreted and how it is represented.
One major part of the NIST guidelines is the objective to provide assurance that the tools used provide valid results (Mobile, 2009). It also aims to provide information to help manufacturers improve their products. With this documented information, informed choices can be made on which product to buy, as it has been reviewed by forensic experts. Due to the rapid pace of development and of devices appearing on the market, the most problematic issue for tool vendors is to continually update their product to take account of new phones being released. This is addressed, and the limitations of tools and how they can be improved are shown.
5. Comparisons of ACPO and NIST guidelines
ACPO guidelines do not encompass recommendations for the forensic software and hardware required during an examination. In contrast, NIST provides considerations for the purchasing of equipment, hardware and software to ensure that the forensic integrity of an investigation is maintained by their various testing procedures. Detailed information and testing of tools would be of great value if included in the ACPO guidelines, as it would help the consistency of organisational liaison and would improve the efficiency of investigations.
Principle 1 of the ACPO guidelines states that no action taken by law enforcement agencies or other agents should change data held on a computer or storage media which may subsequently be relied upon in court. With a hard disk, the main focus is to leave the disk in its original state as it was seized (unchanged) and to present a forensic duplicate which is used for analysis. Principle 1 states that all examinations should include some degree of manual examination. It is impossible for forensic analysis to be conducted on a mobile device without changing its state, and therefore Principle 2 is always invoked. This should be stated in much clearer detail and, at present, this method of analysis has to be accepted as the only way to conduct forensic analysis on mobile devices.
Encryption presents a problem for both mobile devices and hard disks (Koenneck, 2009). Investigators need to be aware of encryption and how to conduct their investigative actions when it is encountered. The ACPO guidelines simply state that encryption might be in place, but dealing with the problem of encryption in an investigation requires more explanation to gain a greater understanding. Working with a device that has encryption deployed on it may cause integrity issues, as tampering with it could cause the device to start deletion of all logical and physical data.
Mobile devices may be wiped remotely by the receipt of, for example, a text message. With mobile devices becoming powerful mini computers, such destructive actions will become more prevalent, and investigative authorities need to be aware of this and how to deal with such issues, rather than merely being informed that such actions may be performed upon a device.
6. Conclusion
Smart mobile device technology has rapidly evolved to now have the functionality of a computer, albeit in a slower, more limited capacity; these devices also have better connectivity and are relatively inexpensive. The challenges posed by these technologies are many, as 'traditional' crimes are migrating to mobile devices, for example the storing and distribution of indecent images. The popularity of these devices continues to increase as more features and functionality are included (McCarthy, 2005). The prevalence of mobile devices and the data they may contain has resulted in them being seized as evidential items in an increasing number of criminal cases. Mobile device information can provide pivotal evidential information, and this type of supplementary evidence will be increasingly used.
At present, the forensic analysis of mobile devices is heavily reliant on the methods and tools that relate to specific manufacturers. The ACPO guidelines go some way in recognising this fact, as it is a very important consideration for the integrity of a device, whereas the NIST guidelines are very informative and cover many aspects of a mobile forensic examination. The guidelines produced by NIST are not legal advice and are used as a starting point for the development of forensic capabilities. In contrast, the ACPO guidelines do give the legal considerations and the principles to follow that try to ensure the integrity of evidence remains. However, ACPO lacks guidance in defining how law enforcement should handle mobile devices during investigations.
Both the NIST and ACPO guidelines need to be updated quite frequently, as mobile devices are constantly evolving and their features are becoming more ubiquitous. The forensic regulator for the UK, Mr Andrew Rennison, appointed in 2008, and his committee are being tasked with reviewing the principles of ACPO. It was stated by a senior police officer at CFET, 2009 that he is aware that the current ACPO principles require "modernising" to cope with the rapid changes in technology.
Mobile device evidence is usually offered as supplementary evidence; however, the nature of the evidence that may now be obtained from a mobile device is evolving rapidly. It is believed that mobile device evidence will increasingly become pivotal as the primary source of evidence in legal cases. It is believed that the amount of evidence recovered from a mobile device will be similar to that recovered from a hard disk drive, examples being word processed documents and chat logs, as well as 'traditional' cellular characteristics such as contact names and call registers.
References
ACPO v4.0: Good Practice Guide for Computer-Based Electronic Evidence. Internet, http://www.7safe.com/electronic_evidence/.
Barrett N. Digital trail of evidence. Swansea University, UK; 2004.
CFET (Cybercrime Forensics Education & Training). Canterbury Christ Church University, UK; 2009.
Data Recovery Systems - DEEPSPAR, http://www.deepspar.com/3d-data-recovery-overview.html.
Koenneck. Forensic Analysis of Cell Phones SIM Cards. Internet, http://www.mobileforensicsworld.com/2008/presentations/MFW2008_Koennecke_ForensicAnalysisofCellPhonesSIMCards.pdf.
Law Probability & Risk, http://lpr.oxfordjournals.org/cgi/content/abstract/7/2/87.
McCarthy P. Forensic analysis of mobile phones, University of South Australia, Australia. In: NIST Publication 800-101: recommendations of the National Institute of Standards and Technology, http://csrc.nist.gov/publications/nistpubs/800-101/SP800-101.pdf; 2005.
Mobile Forensics World Conference, http://www.mobileforensicsworld.com; 2009.
Network Working Group. Internet, http://www.ietf.org/rfc/rfc1321.txt.
Phone Forensics. Internet, http://www.phone-forensics.com/forum/showthread.php?t=13948&highlight=paraben.
Researcher to Recover Mobile Info, http://news.bbc.co.uk/1/hi/wales/7374221.stm.
Salmon I. XACT Certification Training. Wyboston, UK: National Policing Improvement Agency; 2010.