An analysis of digital forensic examinations: Mobile devices versus hard disk drives utilising ACPO & NIST guidelines

Paul Owen, Paula Thomas*

Information Security Research Group, Faculty of Advanced Technology, University of Glamorgan, Pontypridd, CF37 1DL, UK

Digital Investigation 8 (2011) 135–140. doi:10.1016/j.diin.2011.03.002. Available online at www.sciencedirect.com (journal homepage: www.elsevier.com/locate/diin). © 2011 Elsevier Ltd. All rights reserved.

Article history: Received 21 January 2010; received in revised form 17 September 2010; accepted 24 March 2011.

Keywords: Mobile forensics; Computer forensics; Information security; ACPO; NIST

Abstract

The aims of this paper are to compare and contrast the current guidelines involved in the forensic examination of mobile devices and hard disk drives. The paper then identifies areas of mobile device examination where current guidelines differ and could be lacking strength and solidity. Guidelines and research into the forensic examination of hard disk drives are much more established than those for mobile devices. Both the United Kingdom and the United States of America have published guidelines for the forensic analysis of mobile devices; these guidelines are examined throughout this paper. In the United Kingdom they are issued by ACPO (Association of Chief Police Officers) as the Good Practice Guide for Computer-Based Electronic Evidence. In the United States of America they are issued by NIST (National Institute of Standards and Technology) as Special Publication 800-101, Guidelines on Cell Phone Forensics.

1. Introduction

Forensics is the art or study of argumentative discourse where science is used to provide facts, i.e. applying science to law. It is a technique for the identification, recovery and reconstruction of evidence (ACPO, n.d.). Forensic science investigators reconstruct/extract evidence that can be applied to criminal cases to provide further leads or to conclude facts.

Computer Forensics has adopted a similar investigative procedure, but the scientific examination is solely concerned with the data held on, or retrieved from, digital media. Therefore, Computer Forensics can be defined as the preservation, identification, extraction, documentation and interpretation of computer data (Barrett, 2004).

Mobile devices have become an integral part of daily life and are essentially personal data storage and communication devices. These devices are often seized as part of criminal investigations due to the nature and amount of data that such a device may contain. Mobile device forensics is a relatively new and emerging field of forensics that is closely associated with computer forensics, as the forensic examination is concerned primarily with digital evidence.

Forensic guidelines, whether for traditional forensic science, computer forensics or mobile device forensics, follow strict procedures that must be adhered to in order for the evidence to be admissible in a court of law. The Association of Chief Police Officers (ACPO) guidelines serve to ensure that correct practices and procedures are initiated. The National Institute of Standards and Technology (NIST) guidelines help to evolve correct policies and procedures as well as preparing specialists to contend with new forensic circumstances when they arise. The NIST guidelines, however, state that they are a guide to improving the field of mobile device forensics but not a guide for how law enforcement should handle mobile devices during an investigation.

* Corresponding author. E-mail addresses: [email protected] (P. Owen), [email protected] (P. Thomas).


2. Mobile device versus hard disk drive analysis

Digital forensic investigators require tools to aid their investigations; these tools should allow the investigator to analyse the hard disk drive in a manner that is forensically acceptable. In order to address the issue of evidential integrity, the forensic investigator works on a digital image/copy of the hard disk drive using write protection, thus ensuring that the seized disk drive is not altered to any degree. Examples of such tools are Guidance Software's EnCase and AccessData's Forensic Tool Kit. Both these software tools perform a range of functions that help the forensic investigator:

- Make digital copies of hard disk drives (image).
- Decrypt files and identify steganography.
- Use standard connections such as IDE or SATA.
- Recover passwords and perform dictionary based attacks.
- Provide search facilities for files and data carving.
- Control how a forensic image is created.
- Ability to perform cryptographic hashes to verify disk image integrity.
- Efficient reporting functionality.
- Ability to examine various drive images at the same time.
- Recover deleted data.
- Examination of file signatures of suspect files.

Software for use in the forensic examination of mobile devices, such as Micro Systemation's .XRY, Paraben's Device Seizure and BitPim, is evolving rapidly; however, all such tools have similar limitations:

- Imaging a mobile device is often difficult, as each device provides new challenges for the forensic examiner. A new handset is introduced worldwide every 4 days; it may incorporate different features and functionalities, a new type of charger or a new version of an operating system. These features may not be supported by existing software tools, and a new revision of the forensic software will be required to support the device.
- Most software will produce a report of data that may be found on a mobile device. The contents of this report may vary depending upon the make, model or even firmware revision of the device.
- The interpretation or reconstruction of deleted data using hexadecimal (hex) memory dumping is an ad-hoc, laborious and problematic process. It is difficult to read and can be incomplete. To understand this data, if written in English, it may be necessary to convert the hexadecimal format into ASCII (American Standard Code for Information Interchange). As each manufacturer stores data in different memory locations or addresses, it is then necessary to examine the memory dump to identify locations of potential evidence.

Hard disk drives and mobile devices both contain hardware and software 'layers' that must be functioning to gain access to data. For hard disk failures it is also possible to replace faulty drive heads and attach new printed circuit boards, thus potentially gaining access to data. When a hard disk is not recognised by a computer it is usually due to physical damage, electrical failure or firmware failure on the controller. It may be possible to reload firmware modules and repair the drive, hence allowing access to any user data on the disk. Research by DeepSpar (Data Recovery, n.d.) has stated that 50% of hard disk failures are due to corrupt firmware. The process of exclusively repairing damaged firmware is not attainable for faulty mobile devices. Corrupt firmware on a mobile device requires that the device be 'flashed' at present. The firmware/operating system has to be reinstalled; this process results in all logical data on a mobile device being overwritten. A research study conducted by the University of Glamorgan has shown that mobile device 'flashing' overwrote the logical data on over 300 mobile devices from major manufacturers such as Nokia, Samsung and Sony Ericsson (Researcher, n.d.).

Mobile devices have many more connected 'layers' that can hinder or conclude investigations before they are initiated. Failures at a 'layer' on a mobile device can render the evidence unobtainable using standard software tools. These failures present challenges, as the device may not indicate the fault(s) present. Examples of failures are:

- Hardware layer – processor, RAM, ROM, signal antennas and various other input/output hardware and connections.
- Original Equipment Manufacturer/vendor (OEM) layer – boot loading, configuration files and the application layer; linked to system start-up, management, profiling, power, timers and other events that may be enabled.
- The application layer – applications are found here, consisting of such things as Microsoft Office, Internet applications, remote wiping and media players.

A hard disk, when not directly connected to an electrical supply, is in an off state. A mobile device, however, could be in one of 5 possible 'states'. These states provide frequent challenges; a first responder or examiner might not know what state a mobile device is in, and thus a poor decision could be made in handling or during examination. The examiner needs to be aware that events could be triggered during an examination which could alter the state and evidential integrity of the device. These mobile device states are:

- Off – powered off and the battery of the device removed.
- Nascent state – no user data (factory fresh).
- Quiescent state – the device appears inactive even though it is actually performing functions whilst maintaining user data, such as keeping the time and date accurate as well as maintaining network connectivity.
- Semi-active state – this event is initiated when the device is waiting for a set time to perform a function, for example an alarm clock sounding or an application performing a task.
- Active state – this is the status when the device is powered on and tasks are performed on the device, such as making/receiving a telephone call.

Mobile devices present a challenge in trying to obtain forensically acceptable data; it is currently not possible to make a digital bit-by-bit copy of a mobile device to another mobile device, as the available software/hardware tools are significantly less advanced when compared to hard disk drive imaging. The mobile device data has to be copied to a computer, namely its hard disk drive. Frequently, examinations commence directly with the seized mobile device due to imaging limitations; this has implications for maintaining evidential integrity. Data may also be written to the device during the imaging process, as software is often required to access the device for initiation.

A mobile device has its operating system, data storage (not including media card) and power source embedded into its components, and the mobile device has to be switched on so that the data can be extracted for analysis. The process of switching on the mobile device and connecting forensic software/hardware results in changes being made to the state of the mobile device.

When an image is created from a hard disk, it is an exact forensic duplicate verified using cryptographic hash functions such as MD5 (Network, n.d.). The forensic examiner would then work on the image, thus preserving the evidential integrity of the original hard drive. Any cryptographic hashes obtained from a mobile device will change whenever the mobile device changes its state, for example on automatic update of time and date. This poses evidential integrity issues, as the evidence will have changed from when it was originally seized. Therefore an examiner must be fully competent in dealing with the mobile device and must be aware of the impact of such changes in device state.
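The contrast drawn above, a disk image whose hash stays verifiable against a mobile acquisition whose hash moves with device state, can be shown with the following added Python example; it is not code from the paper or from any tool the paper names. It assumes constructed byte strings as stand-ins for a disk image and for two successive memory pulls from a handset, and its `changed_blocks` and `acquisition_record` helpers are hypothetical: they localise which 512-byte blocks differ so an examiner can document exactly what changed between acquisitions rather than only reporting that the hashes no longer match.

```python
import hashlib

BLOCK_SIZE = 512  # granularity used to localise differences (hypothetical choice)


def image_hashes(data: bytes) -> dict:
    """Hash a complete acquisition: MD5 as the paper cites, plus SHA-256 so that
    a weakness in one algorithm does not undermine the whole verification."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def verify_copy(original: bytes, working_copy: bytes) -> bool:
    """True only if the working copy is a bit-for-bit duplicate of the original."""
    return image_hashes(original) == image_hashes(working_copy)


def changed_blocks(first: bytes, second: bytes, block_size: int = BLOCK_SIZE) -> list:
    """List (block_index, byte_offset) for every block that differs between two
    acquisitions. A length difference shows up as a changed tail block."""
    longest = max(len(first), len(second))
    diffs = []
    for offset in range(0, longest, block_size):
        if first[offset:offset + block_size] != second[offset:offset + block_size]:
            diffs.append((offset // block_size, offset))
    return diffs


def acquisition_record(label: str, first: bytes, second: bytes) -> dict:
    """Audit-trail entry in the spirit of ACPO Principle 3: both hash sets, whether
    they agree, and the blocks that explain any disagreement, so an independent
    third party can repeat the comparison and reach the same result."""
    return {
        "label": label,
        "before": image_hashes(first),
        "after": image_hashes(second),
        "hashes_match": verify_copy(first, second),
        "changed_blocks": changed_blocks(first, second),
    }


# --- constructed sample data; not real images -------------------------------
def _disk_image() -> bytes:
    """Stand-in for a hard disk image: 8 zero blocks with one file-like blob."""
    img = bytearray(BLOCK_SIZE * 8)
    blob = b"evidence.doc contents"
    img[BLOCK_SIZE * 2:BLOCK_SIZE * 2 + len(blob)] = blob
    return bytes(img)


def _mobile_acquisition(clock_value: bytes) -> bytes:
    """Stand-in for one memory pull from a handset: a fixed SMS store in block 5
    and a clock field in block 3 that the device itself keeps updating."""
    mem = bytearray(BLOCK_SIZE * 8)
    sms = b"SMS:test message from lab"
    mem[BLOCK_SIZE * 5:BLOCK_SIZE * 5 + len(sms)] = sms
    field = b"CLOCK=" + clock_value
    mem[BLOCK_SIZE * 3 + 16:BLOCK_SIZE * 3 + 16 + len(field)] = field
    return bytes(mem)


DISK_IMAGE = _disk_image()
DISK_WORKING_COPY = bytes(DISK_IMAGE)  # examiner's copy made under write protection
MOBILE_FIRST = _mobile_acquisition(b"2011-03-24 10:00:00")
MOBILE_SECOND = _mobile_acquisition(b"2011-03-24 10:00:01")  # clock advanced between pulls

if __name__ == "__main__":
    # The disk copy verifies; the two mobile pulls do not, and block 3 says why.
    print(acquisition_record("disk image vs working copy", DISK_IMAGE, DISK_WORKING_COPY))
    print(acquisition_record("mobile pull 1 vs pull 2", MOBILE_FIRST, MOBILE_SECOND))
```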

The functionality of mobile device forensics compared to that of hard disk forensics can be seen as quite primitive and problematic. The features and functionality available in hard disk drive forensic tools would be of great value to mobile device forensic investigators. However, at present many of these features are not incorporated into mobile device forensics tools, and much work needs to be undertaken to ensure that mobile device analysis can be considered comparable to that of hard disk analysis.

3. A review of the Association of Chief Police Officers (ACPO) good practice guide for computer-based electronic evidence v4.0 guidelines

The ACPO guidelines provide a guide to the examination of all types of computer devices. The guide states that it assists in dealing with allegations of crime which involve high-tech elements and ensures that all evidence is collected in a timely and appropriate manner. It has been stated by a senior police officer (CFET, 2009) that there are issues that fall outside of the guide and that an examination may well jeopardise the integrity of evidence.

There are four main ACPO principles detailing how electronic evidence should be handled during the course of an investigation. For reference in this paper, these are:

3.1. Principle 1

No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court.

3.2. Principle 2

In circumstances where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.

3.3. Principle 3

An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.

3.4. Principle 4

The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.

The ACPO guidelines fully enforce that digital evidence is important and that it should not be altered in any form unless necessary (Principle 2), at which point further documentation must take place to maintain the chain of custody (Principle 3).

3.5. Further considerations for mobile devices

For the seizure/preservation of mobile device evidence, ACPO Principle 1 recommends that examinations take place in a controlled environment, thus reducing the risk of accidental communications. This can be conducted using a shielded room or, as an alternative, a Faraday tent is also recommended. It has been found, however, that the integrity of the device may well be jeopardised, as any external power supply could act as an antenna or the bag may be unsuitable for its purpose (Salmon, 2010). When a device is seized while it is connected to a network, the location area information is stored on the handset/Subscriber Identity Module; transferring the handset into a Faraday bag may in some cases result in the device still being able to communicate with the network, thus altering its location status and receiving incoming data (Phone, n.d.). Principle 1 states further that another possible way to isolate the device from the network is to turn it off. Research has shown that the 'normal' way of turning a device off might not be available, as the device may be faulty and/or its power button may not work. If a mobile device is left switched on then changes will automatically occur, for example the clock and time of day will be updated. ACPO states that other changes may also occur; however, there are no examples of what these could be. An example of this could be remote deletion of data on the device, which is possible via an external wireless source; this alone is very important and is not even considered, thus Principle 1 could be completely violated.

A mobile device may not be compatible with a certain tool; therefore manual examination has to take place and Principle 2 would immediately be invoked. The forensic integrity of this method is called into question, as it is impossible for a true forensic examination to take place.

ACPO suggests an examiner should be familiar with the mobile device and its buttons. The modern generation of handsets has fewer buttons as the trend turns to touch screen devices. Principle 2 is often invoked in the examination of touch screen mobile devices, as the acquisition of data from the device may involve the installation of third party software that possibly changes the status of the device to a storage device to enable the software to communicate with it.

It is stated that it may be possible to acquire a device wirelessly using infra-red or Bluetooth. These methods are the least secure and data will be written to the device, for example Bluetooth pairings. Principle 2 states that a software virus infection on the examining computer may compromise current and subsequent examinations, jeopardising the integrity of the whole investigation. The only method of acquisition for certain devices using a tool is wireless connectivity; therefore the investigator needs to be fully aware of Principle 2 and the implications of wireless acquisitions.

Usage of non-forensic tools during investigations is mentioned; however, with regard to forensic integrity this section states only that their 'operation/effects' should be understood. Using tools which are not forensically tested could well make evidence inadmissible, as their integrity could be called into question.

ACPO Principle 1 suggests using an "access card", i.e. a subscriber identity module card that will mimic the identity of the original card, for analysis. Replacing the 'SIM' card could have forensic implications, as inserting a 'cloned SIM' on some handsets will destroy the call register on the device when it is powered on. Further problems are faced if the SIM is stored under the battery: removing the battery could destroy volatile data, for example timestamps on the phone proving the times and dates at which events had taken place. Even if a competent person were examining a device, data could be destroyed or changed unintentionally whilst trying to obtain further evidence, as the actions engaged could render the device inadmissible because potential evidence could be destroyed.

It is not possible to conduct all examinations with the battery inside some devices; some forensic hardware for particular models of phones requires that an external device be placed underneath the battery and the battery then placed inside the device, thus removing the battery could again destroy vital evidence. Thus Principle 2 may well have to be considered; for example, when the battery is removed from a Nokia 3310 the stored dates and times are lost.

Volatile data is present in memory on a mobile device which could be lost due to a lack of power or an action engaged by the examiner. Recovering volatile data presents the investigator with challenges that need to be understood, as any actions performed could destroy potential evidence. To initiate forensic examinations, the resetting of the device due to problems such as the device 'freezing' may be required. Thus Principle 2 would be required; this will result in the loss of some data (device dependent), and a hard reset will destroy everything held in RAM. A soft reset will initialise the RAM and data earmarked for deletion will be destroyed. In some devices the removal of a power source will trigger a hard reset. Obtaining knowledge of which devices will do this, and which will not, can be an impossible and thankless task, as there are so many different models and versions of devices that could yield different results.

An investigator may have to contact the network to unblock a phone using the PUK (PIN Unblocking Code); this, however, is dependent on the network co-operating with the investigator. Principle 2 may have to be considered, as a manual examination of the mobile device will be required. Principle 1 is brought into consideration when a service provider could/may disable the subscriber account so that it no longer receives calls. Principle 2, however, is more relevant, as the guidelines state that such an approach has not been thoroughly tested and that the effects on the handset and SIM are not fully understood. It has been stated that the disabling of a subscriber's account could permanently delete voicemail. As ACPO have stated that it is not fully understood, the evidential integrity of the device and the investigations conducted on it could be brought into question.

With such a diverse range of models, features and manufacturers available to the consumer, it is extremely difficult to know what inadvertent actions Principle 2 could invoke. It has been found through research at the University of Glamorgan (Researcher, n.d.) that devices of the same model that have different versions of software can also contain components from different manufacturers, which could yield different results and result in integrity issues for the investigation.

ACPO guidelines suggest that even after a forensic examination has been conducted, a manual examination should be undertaken to compare the results and ensure completeness of a download. This does appear contradictory, as Principles 1 and 2 are in direct conflict. It can only be assumed, therefore, that the tools used in examinations are not totally reliable or creditable, as manual examinations have to be conducted on seized devices.

If an investigator starts to manually examine mobile devices then evidence will be changed, for example the last time a picture was accessed, or opening unread text messages. Principle 2 highlights that a person must be competent to conduct investigations and be able to give evidence and the relevance of their actions. Consideration must also be given to applications installed on the device: should these therefore be examined? If examined, the actions performed may completely change the evidential integrity of the device, as the application may change a significant portion of the device's state. The investigator must also consider what other changes are made to the device as a result of a manual examination. Can the evidence now be trusted, and is it in its true status, such as read or unread? With Principle 2 in mind, an investigator may find it difficult to convince a court that what has been imaged is correct, as the actual mobile device has changed its status and cryptographic hash values such as MD5 are no longer comparable.

4. A review of the National Institute of Standards and Technology (NIST) guidelines – Special Publication 800-101

The NIST guidelines state that "mobile device forensics is a relatively new phenomenon, not usually covered in classical computer forensics". These guidelines are published solely for cellular phone forensic examinations. The guidelines are not limited to examining 'traditional' items such as text messages and call records, but also cover the operation and characteristics of cellular networks and standards, for example GSM and CDMA. Details such as this are important, as examiners will need to fully understand network provider information, such as location status, that could be destroyed.

The guidelines are clearly defined in terms of the scope of their aims and objectives, which include procedures for the preservation, acquisition, examination, analysis and reporting of mobile device evidence. It is clear that the aims of the guidelines are to help organisations make informed decisions, to help prepare personnel in dealing with mobile device forensics, and to provide information that could aid the development of policies and procedures. It is stated that "every situation is unique and therefore specific caution is required". It is stated that organisations should have their own set of forensic policies for different scenarios and should not rely on the guidelines. The level of detail that is required for a policy is also defined, indicating items that should be included to maintain a chain of custody. Detail is given to the procedures and practices that are undertaken during a forensic examination of a mobile device. Defined under procedures and principles, clear advice and consideration is given to the handling of evidence.

Various methods of data acquisition are discussed in detail; it is recommended that a cable is used where possible. In situations where this is not possible and a wireless acquisition has to be made, due to damage or as the only method available for the tool being used, the associated risk levels, such as changing the state of a device or possible infection, are stated. This is gratifying, as clear scope is given to how evidence can alter and inadvertently create inadmissible evidence.

The differences between physical and logical examinations are well covered, and the guide highlights how evidence can be recovered and where it could possibly reside in memory. Clear, easy to understand guides examine how mobile device memory operates, how data can be stored in various locations and what considerations should be made when dealing with it.

A lot of effort has gone into the production of a guide that shows the various types of evidence that could be on a U/SIM and how they can be found and examined. It is pleasing to see how NIST addresses the various types of extracted data, for example 7-bit GSM, what this raw data means and how it can be interpreted using tools.
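To show what the "7-bit GSM" raw data referred to above looks like and why a tool is needed to read it, here is an added Python example (not code from the paper or from NIST SP 800-101) that packs and unpacks the GSM 03.38 default alphabet used in SMS user data. The `septet_count` parameter stands in for the user-data-length field an examiner reads from the PDU, the sample bytes are constructed, and the extension-table handling (escape septet 0x1B) goes slightly beyond the basic alphabet so that characters such as braces and the euro sign round-trip correctly.

```python
from typing import List, Optional

# GSM 03.38 default alphabet: the character at index n is septet value n.
GSM7_BASIC = (
    "@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ !\"#¤%&'()*+,-./0123456789:;<=>?"
    "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà"
)
assert len(GSM7_BASIC) == 128

# Extension table, reached by sending the escape septet 0x1B first.
GSM7_EXTENSION = {
    0x0A: "\f", 0x14: "^", 0x28: "{", 0x29: "}", 0x2F: "\\",
    0x3C: "[", 0x3D: "~", 0x3E: "]", 0x40: "|", 0x65: "€",
}
_EXTENSION_REVERSE = {ch: code for code, ch in GSM7_EXTENSION.items()}


def unpack_septets(octets: bytes, septet_count: Optional[int] = None) -> List[int]:
    """Unpack 7-bit values that were packed LSB-first into octets.
    septet_count is the PDU's user-data-length; without it, up to 7 trailing
    filler bits can be misread as one extra septet 0 ('@')."""
    septets = []
    acc = 0
    nbits = 0
    for octet in octets:
        acc |= octet << nbits  # append the octet above the bits still pending
        nbits += 8
        while nbits >= 7:
            septets.append(acc & 0x7F)
            acc >>= 7
            nbits -= 7
    return septets if septet_count is None else septets[:septet_count]


def pack_septets(septets: List[int]) -> bytes:
    """Inverse of unpack_septets: 8 septets fit in 7 octets; leftover bits are
    zero-filled, which is exactly what creates the '@' ambiguity above."""
    out = bytearray()
    acc = 0
    nbits = 0
    for value in septets:
        acc |= (value & 0x7F) << nbits
        nbits += 7
        while nbits >= 8:
            out.append(acc & 0xFF)
            acc >>= 8
            nbits -= 8
    if nbits:
        out.append(acc & 0xFF)
    return bytes(out)


def decode_gsm7(octets: bytes, septet_count: Optional[int] = None) -> str:
    """Turn packed user data into text, honouring the escape/extension table."""
    chars = []
    escaped = False
    for value in unpack_septets(octets, septet_count):
        if escaped:
            chars.append(GSM7_EXTENSION.get(value, " "))  # unknown extension: space
            escaped = False
        elif value == 0x1B:
            escaped = True
        else:
            chars.append(GSM7_BASIC[value])
    return "".join(chars)


def encode_gsm7(text: str):
    """Return (packed octets, septet count) for text in the default alphabet."""
    septets = []
    for ch in text:
        if ch in _EXTENSION_REVERSE:
            septets += [0x1B, _EXTENSION_REVERSE[ch]]
        else:
            index = GSM7_BASIC.find(ch)
            if index < 0 or index == 0x1B:
                raise ValueError(f"{ch!r} is not in the GSM 7-bit default alphabet")
            septets.append(index)
    return pack_septets(septets), len(septets)


# Constructed sample: the well-known packing of "hellohello" (10 septets in 9 octets).
SAMPLE_USER_DATA = bytes.fromhex("E8329BFD4697D9EC37")
SAMPLE_UDL = 10

if __name__ == "__main__":
    print(decode_gsm7(SAMPLE_USER_DATA, SAMPLE_UDL))
```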

Legal practices are also taken into consideration and are

discussed detail. ACPO Good Practice Guide for Computer-

Based Electronic Evidence v4.0 is mentioned as evidential

principles and it is stated that their aims are to ensure integ-

rity and accountability of digital evidence through its entire

lifecycle. Other principles are also mentioned these are the

Proposed Standards for the Exchange of Digital Evidence

(IOCE) are similar to the ACPO guidelines and the Daubert

standard (Law) remains as a set of standards that serve as

a guide when dealing with evidence in a court of law.

These principles aim to ensure the integrity and account-

ability of digital evidence throughout an investigation. NIST

has taken to account those standards or principles may be

relevant to different types of investigations therefore the onus

is on an investigator/procedure documenter to state which

principles are of best value for an investigations nature.

4.1. NIST tool evaluation

TheNIST guidelines detail tests ofmobile phone forensic tools

and produce test methods, reference data, and proof of

concept implementations as well as technical analysis to

advance the mobile forensic discipline. The guidelines are

clearly defined and include developing and improving stan-

dards such as in technical andmanagement. The NIST review

of mobile device forensic tools results in the development of

their own test specifications and requirements document for

the tool. Once testing has been performed, the tools are then

selected for formal testing using a defined test specification

(Koenneck, 2009). With predefined test plans, a test strategy is

formulated for informal testing. Finally a set up document is

created, this document is then peer reviewed and only at this

point is the test report available.

The guidelines' requirements set out clear expectations of what a tool claims to do and what it can actually do after the vigorous testing phases. All tools should meet a defined core standard in how they operate; an example of this is a reporting facility. Optional requirements should only be met if the features are offered by the tool. A broad range of features is considered, for example looking at how text from different languages is interpreted and how it is represented.

One major part of the NIST guidelines is the objective to provide assurance that the tools used provide valid results (Mobile, 2009). They also aim to provide information to help manufacturers improve their products. With this documented information, informed choices can be made on which product to buy, as it has been reviewed by forensic experts. Due to the rapid pace of development and of devices appearing on the market, the most problematic issue for tool vendors is to continually update their product to take account of new phones being released. This is addressed, and the limitations of tools and how they can be improved are shown.

5. Comparisons of ACPO and NIST guidelines

ACPO guidelines do not encompass recommendations for the forensic software and hardware required during an examination. In contrast, NIST provides considerations for the purchasing of equipment, hardware and software to ensure that the forensic integrity of an investigation is maintained through their various testing procedures. Detailed information on, and testing of, tools would be of great value if included in the ACPO guidelines, as it would help the consistency of organisational liaison and would improve the efficiency of investigations.

Principle 1 of the ACPO guidelines states that no action taken by law enforcement agencies or other agents should change data held on a computer or storage media which may subsequently be relied upon in court. With a hard disk the main focus is to leave the disk in its original state as it was seized (unchanged) and to present a forensic duplicate which is used for analysis. Principle 1 states that all examinations should include some degree of manual examination. It is impossible for forensic analysis to be conducted on a mobile device without changing its state, and therefore Principle 2 is always invoked. This should be stated in much clearer detail and, at present, this method of analysis has to be accepted as the only way to conduct forensic analysis on mobile devices.

Encryption presents a problem for both mobile devices and hard disks (Koenneck, 2009). Investigators need to be aware of encryption and how to conduct their investigative actions when it is encountered. The ACPO guidelines simply state that encryption might be in place, but dealing with the problem of encryption in an investigation requires more explanation to gain a greater understanding. Working with a device that has encryption deployed on it may cause integrity issues, as tampering with it could cause the device to start deletion of all logical and physical data.

Mobile devices may be wiped remotely by the receipt of, for example, a text message. With mobile devices becoming powerful mini computers, such destructive actions will become more prevalent, and investigative authorities need to be aware of this and how to deal with such issues, rather than merely being informed that such actions may be performed upon a device.

6. Conclusion

Smart mobile device technology has rapidly evolved to now have the functionality of a computer, albeit in a slower, more limited capacity; they also have better connectivity and are relatively inexpensive. The challenges posed by these technologies are many, as ‘traditional’ crimes are migrating to mobile devices, for example the storing and distribution of indecent images. The popularity of these devices continues to increase as more features and functionality are included (McCarthy, 2005). The prevalence of mobile devices and the data they may contain has resulted in them being seized as evidential items in an increasing number of criminal cases. Mobile device information can provide pivotal evidential information, and this type of supplementary evidence will be increasingly used.

At present, the forensic analysis of mobile devices is heavily reliant on the methods and tools that relate to specific manufacturers. The ACPO guidelines go some way in recognising this fact, as it is a very important consideration for the integrity of a device, whereas the NIST guidelines are very informative and cover many aspects of a mobile forensic examination. The guidelines produced by NIST are not legal advice and are used as a starting point for the development of forensic capabilities. In contrast, the ACPO guidelines do give the legal considerations and the principles to follow that try to ensure the integrity of evidence remains. However, ACPO lacks guidance in defining how law enforcement should handle mobile devices during investigations.

Both the NIST and ACPO guidelines need to be updated quite frequently, as mobile devices are constantly evolving and their features are becoming more ubiquitous. The forensic regulator for the UK, Mr Andrew Rennison, appointed in 2008, and his committee are being tasked with reviewing the principles of ACPO. It was stated by a senior police officer at CFET, 2009 that he is aware that the current ACPO principles require “modernising” to cope with the rapid changes in technology.

Mobile device evidence is usually offered as supplementary evidence; however, the nature of the evidence that may now be obtained from a mobile device is evolving rapidly. It is believed that mobile device evidence will increasingly become pivotal as the primary source of evidence in legal cases. It is believed that the amount of evidence recovered from a mobile device will be similar to that recovered from a hard disk drive, examples being word processed documents and chat logs, as well as ‘traditional’ cellular characteristics such as contact names and call registers.

References

ACPO v4.0: Good Practice Guide for Computer-Based Electronic Evidence. Internet, http://www.7safe.com/electronic_evidence/.

Barrett N. Digital trail of evidence. Swansea University, UK; 2004.

CFET (Cybercrime Forensics Education & Training). Canterbury Christ Church University, UK; 2009.

Data Recovery Systems - DEEPSPAR, http://www.deepspar.com/3d-data-recovery-overview.html.

Koenneck. Forensic Analysis of Cell Phones SIM Cards. Internet, http://www.mobileforensicsworld.com/2008/presentations/MFW2008_Koennecke_ForensicAnalysisofCellPhonesSIMCards.pdf.

Law, Probability & Risk, http://lpr.oxfordjournals.org/cgi/content/abstract/7/2/87.

McCarthy P. Forensic analysis of mobile phones. University of South Australia, Australia; 2005.

NIST Special Publication 800-101: Guidelines on Cell Phone Forensics. Recommendations of the National Institute of Standards and Technology, http://csrc.nist.gov/publications/nistpubs/800-101/SP800-101.pdf.

Mobile Forensics World Conference, http://www.mobileforensicsworld.com; 2009.

Network Working Group. Internet, http://www.ietf.org/rfc/rfc1321.txt.

Phone Forensics. Internet, http://www.phone-forensics.com/forum/showthread.php?t=13948&highlight=paraben.

Researcher to Recover Mobile Info, http://news.bbc.co.uk/1/hi/wales/7374221.stm.

Salmon I. XACT Certification Training. Wyboston, UK: National Policing Improvement Agency; 2010.