Mobile devices are often submitted for laboratory processing with only specific items requested for recovery, such as call logs or graphics. If any doubt or concerns exist about the requested data, contacting the submitter for clarification is recommended. Though it is not always necessary to recover all available data, a complete acquisition avoids having to redo the process later if additional data is requested. For examinations involving a limited-scope search warrant (e.g., only text messages), a full memory data extraction may be completed, but take care to report only items covered by the warrant.
To acquire data from a mobile device, establish a connection to the device from the forensic workstation. Before performing an acquisition, the version of the tool or device being used should be documented, along with any applicable patches or errata from the manufacturer applied to the tool. As mentioned earlier, take caution and avoid altering a mobile device’s state when handling it, for example, by pressing keys that may corrupt or erase data. Once the connection has been established, the forensic software suite or device may acquire data from the mobile device.
The date and time maintained on the mobile device is an important piece of information. The date and time may have been obtained from the network or manually set by the user. Owners may manually set the date or time to values that differ from the actual ones, yielding misleading timestamps in the call and message records found on the mobile device. Upon seizing a device, record the date and time it maintains and the difference from a reference clock. Even so, confirming these values again at the time of acquisition may prove useful. If the mobile device was off when seized, the date and time maintained and the difference from a reference clock should be recorded immediately when it is first powered on. Actions taken during acquisition, such as removing the battery to view the device label, may affect the time and date values.
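The clock check described above, as an added example that is not part of the guideline: the handset clock is recorded against a reference clock at acquisition, the measured offset is used to correct device-generated timestamps, and records that still land after the acquisition moment are flagged, since that implies the clock was changed after they were written. The `ClockCheck` class, the function names and the sample call log are all constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Added example, not from the guideline: record the handset clock against a
# reference clock at acquisition, then use the measured offset to correct
# device-generated timestamps in the extracted records.

@dataclass(frozen=True)
class ClockCheck:
    device_time: datetime     # date/time shown by the handset
    reference_time: datetime  # trusted reference clock read at the same moment
    note: str = ""            # e.g. "read at power-on; battery had been removed"

    @property
    def offset(self) -> timedelta:
        """Positive if the handset clock runs ahead of the reference clock."""
        return self.device_time - self.reference_time

def normalize(check: ClockCheck, record_time: datetime) -> datetime:
    """Translate a device-clock timestamp onto the reference clock."""
    return record_time - check.offset

def normalize_records(check: ClockCheck, records):
    """records: list of (label, device_timestamp). Returns corrected copies."""
    return [(label, normalize(check, ts)) for label, ts in records]

def implausible_records(check: ClockCheck, records):
    """Corrected timestamps later than the acquisition moment cannot be right:
    the clock was probably changed after the record was written, so the single
    offset measured at acquisition does not apply to them."""
    return [label for label, ts in records
            if normalize(check, ts) > check.reference_time]

# Constructed sample: handset clock 30 minutes ahead of the reference clock,
# and one message logged under an earlier, different clock setting.
UTC = timezone.utc
CHECK = ClockCheck(
    device_time=datetime(2024, 3, 10, 9, 15, tzinfo=UTC),
    reference_time=datetime(2024, 3, 10, 8, 45, tzinfo=UTC),
    note="constructed sample; read with the device already powered on",
)
CALL_LOG = [
    ("outgoing call A", datetime(2024, 3, 9, 23, 0, tzinfo=UTC)),
    ("incoming SMS B", datetime(2024, 3, 10, 9, 40, tzinfo=UTC)),  # "after" acquisition
]

if __name__ == "__main__":
    for label, ts in normalize_records(CHECK, CALL_LOG):
        print(label, ts.isoformat())
    print("implausible:", implausible_records(CHECK, CALL_LOG))
```

A flagged record is not discarded; it is reported with the device-clock value and a note that the measured offset could not be applied to it.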
Mobile devices may provide the user with an interface for a memory card. Mobile device forensic tools that acquire the contents of a resident memory card normally perform logical acquisition. If the device is found in an active state, acquire the mobile device’s internal memory before removing and performing a physical acquisition of the associated media (e.g., microSD Card). Otherwise, if the device is found in a power-off state, a physical acquisition of the removable media should be performed before the internal handset memory of the mobile device is acquired. With either type of acquisition, the forensic tool may or may not have the capability to decode recovered data stored on the card (e.g., SMS text messages), requiring additional manual steps to be taken.
After an acquisition is finished, the forensic specialist should confirm that the correct capture of the contents of a device occurred. On occasion, a tool may fail without any error notification and require the specialist to reattempt acquisition. It is advisable to have multiple tools available and be prepared to switch to another if difficulties occur with the initial tool.
Invariably, not all relevant data viewable on a mobile device using the available menus may be acquired and decoded through a logical acquisition. Manually scrutinizing the contents via the device interface menus while video recording the process allows such items to be captured and reported and confirms that the contents reported by the tool are consistent with observable data. Manual extraction must always be done with care, preserving the device’s integrity if further, more elaborate acquisitions are necessary.
The contents of a mobile device’s memory often contain information, such as deleted data, that is not recoverable through either logical or manual extractions. Lacking a software tool to perform a physical acquisition, it may be necessary to turn to hardware-based techniques. Two techniques commonly used are acquisition through a standardized JTAG test interface, if supported on the device, and acquisition by directly reading memory that has been removed from the device.