Mobile devices contain both non-volatile and volatile memory. Volatile memory (i.e., RAM) is used for dynamic storage, and its contents are lost when power is drained from the mobile device. Non-volatile memory is persistent as its contents are not affected by the loss of power or overwriting data upon reboot. For example, solid-state drives (SSD) that store persistent data on solid-state flash memory.
Mobile devices typically contain one or two different types of non-volatile flash memory. These types are NAND and NOR. NOR flash has faster read times, slower write times than NAND and is nearly immune to corruption and bad blocks while allowing random access to any memory location. NAND flash offers higher memory storage capacities, is less stable, and only allows sequential access.
Memory configurations among mobile devices have evolved. Feature phones were among the first types of devices that contained NOR flash and RAM. System and user data are stored in NOR and copied to RAM upon booting faster code execution and access. This is known as the first generation of mobile device memory configurations.
With the introduction of smartphones, memory configurations evolved, adding NAND flash memory. This arrangement of NOR, NAND, and RAM is referred to as the second generation. This generation of memory configurations stores system files in NOR flash, user files in NAND, and RAM is used for code execution.
The latest smartphones contain only NAND and RAM (i.e., third generation) due to higher transaction speed, greater storage density, and lower cost. To facilitate the lack of space on mobile device mainboards and the demand for higher density storage space (i.e., 2GB – 128GB), the new Embedded Multimedia Cards (eMMC) style chips are present in today’s smartphones.
Figure 1 illustrates the various memory configurations contained across all mobile devices.
RAM is the most difficult to capture accurately due to its volatile nature. Since RAM is typically used for program execution, information may be valuable to the examiner (e.g., configuration files, passwords, etc.).
Mobile device RAM capture tools are just beginning to become available.
NOR flash memory includes system data such as operating system code, the kernel, device drivers, system libraries, memory for executing operating system applications, and the storage of user application execution instructions. NOR flash will be the best location for data collection for first-generation memory configuration devices.
NAND flash memory contains PIM data, graphics, audio, video, and other user files. This type of memory generally provides the examiner with the most useful information in most cases. NAND flash memory may leave multiple copies of transaction-based files (e.g., databases and logs) due to wear-leveling algorithms and garbage collection routines. Since NAND flash memory cells can be re-used for only a limited amount of time before they become unreliable, wear-leveling algorithms are used to increase the life span of Flash memory storage by arranging data so that erasures and re-writes are distributed evenly across the SSD. Garbage collection occurs because NAND flash memory cannot overwrite existing data. First, erase the data before writing to the same cell.