XRY creates an encrypted file containing a copy of the information stored on the telephone.
The principles for correctly applying forensically sound techniques rest on one primary purpose: preserving the state of things and keeping it free from contamination.
All the phases, from acquisition to forensic analysis of the mobile device, must avoid any alteration of the examined device. This is not easy at all, particularly with mobile devices.
The continuous evolution of mobile device technology brings new mobile phones to market, which creates new problems for digital investigations. Hardware and software for this type of mobile device analysis are numerous, but none offers an integrated solution for the acquisition and forensic analysis of all smartphones.
Furthermore, mobile devices can hold a great deal of digital information, almost as much as a computer, and not only a call log or SMS messages as on old mobile phones.
Much of the digital information in a smartphone depends on the applications installed on it, which evolve in such variety that analysis software cannot support them completely. Often the data acquisition from a mobile device is not compatible with some of the parameters that define a forensically sound method.
In other words, to access the mobile device it is necessary to use communication vectors, a bootloader and other agents installed in memory to enable communication between the mobile phone and the instrument used for the acquisition, so it is not possible to use a write-blocking option.
Often we resort to modifying the device configuration for acquisition, but this operation risks invalidating the evidence in court, even when all the techniques are well documented. As far as possible, it is fundamental to respect the international guidelines on mobile forensics to ensure evidence integrity and the repeatability of the forensic process.
A fundamental aspect of device preservation at the crime scene is evidence collection on site: that is, preserving a device found turned on by safeguarding it from Wi-Fi signals, telecommunication systems and GPS signals, and keeping the battery on charge.
This is required to avoid its shutdown and the loss of important information such as a PIN. A shutdown could later require a PIN bypass or even cause data loss because of passwords or cryptography.
It is also fundamental to provide electromagnetic isolation immediately using Faraday bags: devices or cases that isolate the mobile device and shield it from radio signals. Once the data is extracted from a device, different methods of analysis are used depending on the underlying case.
As each investigation is distinct, it is not possible to have a single definitive procedure for all cases.
Each one of these steps has a basic role in the process of digital evidence production. The international standards are fed by many studies and publications that try to define the best practices and guidelines for procedures and methods in digital forensics, including numerous publications and the NIST guidelines.
This standard mostly defines methods and techniques in digital forensic investigations and is accepted in many courts.
However, the overall process can be broken into four phases, as shown in the following diagram. The first two steps involved in producing forensic evidence are explained below; the remaining three steps will be explained in detail in the next lessons.
Handling the device during seizure is one of the important steps in forensic analysis. It is necessary to seize cables, chargers, SIM card data and any papers or notes that may contain access codes; these codes can also be deduced from the personal papers of the criminals whose devices were confiscated.
Statistically, many users choose passwords based on dates of birth, celebrations, names, number plates and other personal information so that they can remember them.
Looking for PINs and passwords can save investigators much time later. At the crime scene, it is fundamental to use proper techniques to stop the device from communicating with other devices, whether through phone calls, SMS, Wi-Fi hotspot interference, Bluetooth, GPS or many other channels.
It is necessary to place the device in a Faraday bag and, if possible, also use a jammer, to avoid altering the original state of the device. If the phone is not isolated, a phone call, an SMS or an email may overwrite previous ones during the evidence collection phase.
It is important to isolate the mobile phone while keeping it on charge with an emergency battery, which will allow you to reach the lab safely.
It is also important for the power cord to be isolated, because it may allow the mobile to receive communications. There are different types of Faraday bags on sale, from simple bags isolated from radio signals, which I do not recommend, to real isolation boxes, which offer more efficiency.
Performing a forensic recovery of the iPhone's backup files can be accomplished using one of the available mobile forensic or open-source tools.
Any tool used to analyze an iPhone backup must convert the binary plists into the standard file structure seen on the iPhone. MOBILedit Forensic Express is mainly used by larger forensic companies, private detective agencies, or law enforcement as a triage tool and a way to enable even the less technical members of their teams to uncover and utilise forensic data from mobile devices.
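The binary plist conversion mentioned above, sketched as an added example (not code from the original page or from any of the tools it names): it reads a plist from a working copy, writes an XML rendering to a separate directory, and hashes the source before and after to show it was not altered. The file name, keys and values are constructed sample data.

```python
import hashlib
import plistlib
import tempfile
from pathlib import Path

BPLIST_MAGIC = b"bplist00"  # header of Apple binary property lists


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large artifacts need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def convert_plist(evidence: Path, out_dir: Path) -> dict:
    """Parse a plist from a working copy, write an XML rendering to out_dir,
    and confirm by hashing that the source file was not modified."""
    before = sha256_file(evidence)
    with evidence.open("rb") as fh:           # read-only handle on the source
        raw = fh.read()
    is_binary = raw.startswith(BPLIST_MAGIC)
    data = plistlib.loads(raw)                # auto-detects binary or XML
    out_dir.mkdir(parents=True, exist_ok=True)
    xml_path = out_dir / (evidence.name + ".xml")
    xml_path.write_bytes(plistlib.dumps(data, fmt=plistlib.FMT_XML))
    after = sha256_file(evidence)
    if before != after:
        raise RuntimeError(f"{evidence} changed during analysis")
    return {"source": str(evidence), "sha256": before, "binary": is_binary,
            "xml": str(xml_path), "data": data}


def demo() -> dict:
    """Run the conversion on a constructed sample (not real case data)."""
    work = Path(tempfile.mkdtemp())
    sample = {"Device Name": "Example iPhone", "Product Type": "iPhone3,1",
              "Note": "constructed sample value"}
    src = work / "backup" / "Sample.plist"
    src.parent.mkdir()
    src.write_bytes(plistlib.dumps(sample, fmt=plistlib.FMT_BINARY))
    return convert_plist(src, work / "report")


if __name__ == "__main__":
    result = demo()
    print(result["sha256"], result["binary"], result["data"])
```

Recording the returned SHA-256 alongside the report lets a second examiner repeat the conversion on the same working copy and compare results.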
Mobile phone inspector software shows complete detail of any Windows-based mobile phone. Forensicon does not provide cell phone forensics services related to spyware, malware, or hacking investigations.
This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission. information available to forensic analysts on iOS, this paper will cover the basics to The local storage on an iOS mobile device has several differences from the traditional Microsoft Windows or UNIX flavored.