1.1 Purpose and Scope
This guide provides basic information on mobile forensics tools and the preservation, acquisition, examination, analysis, and reporting of digital evidence present on mobile devices. This information is relevant to law enforcement, incident response, and other types of investigations. This guide focuses mainly on the characteristics of cellular mobile devices, including feature phones, smartphones, and tablets with cellular voice capabilities. It also covers provisions to be taken into consideration during the course of an incident investigation.
This guide is intended to address common circumstances encountered by organizational security staff and law enforcement investigators involving digital electronic data residing on mobile devices and associated electronic media. It is also intended to complement existing guidelines and delve more deeply into issues related to mobile devices and their examination and analysis.
Procedures and techniques presented in this document are a compilation of best practices within the discipline, and references have been taken from existing forensic guidelines. This publication cannot be used as a step-by-step guide for executing a proper forensic investigation when dealing with mobile devices, nor should it be construed as legal advice. Its purpose is to inform readers of the various technologies involved and potential ways to approach them from a forensic perspective. Readers are advised to apply the recommended practices only after consultation with management and legal officials, to ensure compliance with the applicable laws and regulations (i.e., local, state, federal, and international).
1.2 Audience and Assumptions
The intended audience is varied and ranges from forensic examiners to response team members handling a computer security incident to organizational security officials investigating an employee-related incident. The practices recommended in this guide are designed to highlight key technical principles associated with the handling and examination of mobile devices. Readers are assumed to have a basic understanding of traditional digital forensic methodologies and capabilities involving stand-alone computers. Due to the changing nature of mobile devices and their related forensic procedures and tools, readers are expected to be aware of and employ additional resources for the most current information.
1.3 Document Structure
The guide is divided into the following chapters and appendices:
- Chapter 1 explains the authority, purpose and scope, audience, and assumptions of the document and outlines its structure.
- Chapter 2 provides a background on mobile device characteristics, the internal memory of mobile devices, and characteristics of identity modules and cellular networks.
- Chapter 3 discusses the mobile device forensic tool classification system, methods for handling obstructed devices, and the capabilities of forensic tools.
- Chapter 4 discusses considerations for preserving digital evidence associated with mobile devices and techniques for preventing network communication.
- Chapter 5 examines the process of mobile device and identity module data acquisition, tangential equipment, and cloud-based services for mobile devices.
- Chapter 6 outlines the examination and analysis process, common sources of evidence extracted from mobile devices and identity modules, features and capabilities of tools for the examination, and call/subscriber records.
- Chapter 7 provides an overview of report creation and the reporting of findings.
- Chapter 8 contains a list of references used in this guide.
- Appendix A contains a list of acronyms used in this guide.
- Appendix B contains a glossary defining terms used in this guide.
- Appendix C provides an example of the structure of call records maintained by cell phone carriers.
- Appendix D provides links to online resources.