The availability of forensic software tools for mobile devices is considerably different from that of personal computers. While personal computers may differ from mobile devices from a hardware and software perspective, their functionality has become increasingly similar. Although most mobile device operating systems are open-source (i.e., Android), feature phone OS’s are typically closed. Closed operating systems make interpreting their associated file system and structure difficult. Many mobile devices with the same operating system may also vary widely in their implementation, resulting in many file system and structure permutations. These permutations create significant challenges for mobile forensic tool manufacturers and examiners.
The types of software available for mobile device examination include commercial and open-source forensic tools and non-forensic tools intended for device management, testing, and diagnostics. Forensic tools are typically designed to acquire data from the internal memory of handsets and UICCs without altering their content and calculating integrity hashes for the acquired data. Both forensic and non-forensic software tools often use the same protocols and techniques to communicate with a device. However, non-forensic tools may allow an unrestricted two-way flow of information and omit data integrity hash functions. Mobile device examiners typically assemble a collection of both forensic and non-forensic tools for their toolkit. The range of devices they operate is typically narrowed to distinct platforms, a specific operating system family, or even a single type of hardware architecture. Short product release cycles are the norm for mobile devices, requiring tool manufacturers to continually update their tools, providing forensics examiners with a forensic solution. The task is formidable, and tool manufacturers’ support for newer models may lag significantly behind introducing a device into the marketplace. Though out of date, models of older functioning mobile devices can remain in use for years after their initial release. Mobile device models introduced into one national market may also be used in areas by exchanging the UICC of one cellular carrier with another carrier. The current state is likely to continue, keeping the examination cost significantly higher than if a few standard operating systems and hardware configurations prevailed.