Mobile Device Forensics
The use of phones in crime was widely recognised for some years, but the forensic
study of mobile devices is a relatively new field, dating from the early 2000s. A
proliferation of phones (particularly smartphones) on the consumer market caused a
demand for forensic examination of the devices, which could not be met by existing
computer forensics techniques.[1]
Mobile devices can be used to save several types of personal information such as
contacts, photos, calendars and notes, SMS and MMS messages. Smartphones may
additionally contain video, email, web browsing information, location information,
and social networking messages and contacts.
There is a growing need for mobile forensics for several reasons, some of the most
prominent being:
Use of mobile phones to store and transmit personal and corporate information
Use of mobile phones in online transactions
The intersection of law enforcement, criminals and mobile phone devices [2]
Evidential and technical challenges exist. For example, cell site analysis, which
follows from the network coverage a mobile phone used, is not an exact science.
Consequently, whilst it is possible to determine roughly the cell site zone from
which a call was made or received, it is not yet possible to say with any degree of
certainty that a mobile phone call emanated from a specific location, e.g. a
residential address.
To remain competitive, original equipment manufacturers frequently change mobile
phone form factors, operating system file structures, data storage, services,
peripherals, and even pin connectors and cables. As a result, forensic examiners
must use a different forensic process compared to computer forensics.
Storage capacity continues to grow thanks to demand for more powerful "mini
computer" type devices.[4]
Not only the types of data but also the way mobile devices are used constantly
evolve.
Hibernation behaviour, in which processes are suspended when the device is powered
off or idle but at the same time remain active.[2]
As a result of these challenges, a wide variety of tools exist to extract evidence
from mobile devices; no one tool or method can acquire all the evidence from all
devices. It is therefore recommended that forensic examiners, especially those
wishing to qualify as expert witnesses in court, undergo extensive training in
order to understand how each tool and method acquires evidence; how it maintains
standards for forensic soundness; and how it meets legal requirements such as the
Daubert standard or Frye standard.
History
As a field of study, forensic examination of mobile devices dates from the late
1990s and early 2000s. The role of mobile phones in crime had long been recognized
by law enforcement. With the increased availability of such devices on the consumer
market and the wider array of communication platforms they support (e.g. email, web
browsing) demand for forensic examination grew.[1]
Early efforts to examine mobile devices used similar techniques to the first
computer forensics investigations: analysing phone contents directly via the screen
and photographing important content.[1] However, this proved to be a time-consuming
process, and as the number of mobile devices began to increase, investigators
called for more efficient means of extracting data. Enterprising mobile forensic
examiners sometimes used cell phone or PDA synchronization software to "back up"
device data to a forensic computer for imaging, or sometimes, simply performed
computer forensics on the hard drive of a suspect computer where data had been
synchronized. However, this type of software could write to the phone as well as
reading it, and could not retrieve deleted data.[5]
Some forensic examiners found that they could retrieve even deleted data using
"flasher" or "twister" boxes, tools developed by OEMs to "flash" a phone's memory
for debugging or updating. However, flasher boxes are invasive and can change data;
can be complicated to use; and, because they are not developed as forensic tools,
perform neither hash verifications nor (in most cases) audit trails.[6] For
physical forensic examinations, therefore, better alternatives remained necessary.
To meet these demands, commercial tools appeared which allowed examiners to recover
phone memory with minimal disruption and analyse it separately.[1] Over time these
commercial techniques have developed further and the recovery of deleted data from
proprietary mobile devices has become possible with some specialist tools.
Moreover, commercial tools have even automated much of the extraction process,
rendering it possible even for minimally trained first responders (who currently are
much more likely to encounter suspects with mobile devices in their possession,
compared to computers) to perform basic extractions for triage and data preview
purposes.
Professional Applications
Mobile device forensics is best known for its application to law enforcement
investigations, but it is also useful for military intelligence, corporate
investigations, private investigations, criminal and civil defense, and electronic
discovery.
Types of evidence
As mobile device technology advances, the amount and types of data that can be
found on a mobile device is constantly increasing. Evidence that can be potentially
recovered from a mobile phone may come from several different sources, including
handset memory, SIM card, and attached memory cards such as SD cards.
Traditionally mobile phone forensics has been associated with recovering SMS and
MMS messaging, as well as call logs, contact lists and phone IMEI/ESN information.
However, newer generations of smartphones also include wider varieties of
information: web browsing, wireless network settings, geolocation information
(including geotags contained within image metadata), e-mail and other forms of rich
internet media, including important data (such as social networking service posts
and contacts) now retained in smartphone 'apps'.[7]
Internal memory
Nowadays, flash memory of the NAND or NOR type is mostly used in mobile devices.[8]
External memory
External memory devices are SIM cards, SD cards (commonly found within GPS devices
as well as mobile phones), MMC cards, CF cards, and the Memory Stick.
Service provider logs
Although not technically part of mobile device forensics, the call detail records
(and occasionally, text messages) from wireless carriers often serve as "back up"
evidence obtained after the mobile phone has been seized. These are useful when the
call history and/or text messages have been deleted from the phone, or when
location-based services are not turned on. Call detail records and cell site
(tower) dumps can show the phone owner's location, and whether they were stationary
or moving (i.e., whether the phone's signal bounced off the same side of a single
tower, or different sides of multiple towers along a particular path of travel).[9]
Carrier data and device data together can be used to corroborate information from
other sources, for instance, video surveillance footage or eyewitness accounts; or
to determine the general location where a non-geotagged image or video was taken.
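As an added illustration (not from the article), the following Python script parses a constructed call detail record export and collapses consecutive events on the same tower sector into segments, which is the stationary-versus-moving reading described above. The CSV columns and the sector-azimuth field are assumptions about the export format, and the result places the handset in a cell zone, never at an address.

```python
import csv
from datetime import datetime
from io import StringIO

# Constructed sample CDR export (not real carrier data): one row per call
# event with the serving cell and the azimuth of the serving sector in degrees.
SAMPLE_CDR = """\
timestamp,direction,other_party,cell_id,sector_azimuth
2012-07-20T08:02:11,out,+15550100,TWR-17,120
2012-07-20T08:09:45,in,+15550107,TWR-17,120
2012-07-20T08:31:02,out,+15550100,TWR-17,240
2012-07-20T08:44:19,out,+15550111,TWR-22,0
2012-07-20T09:01:50,in,+15550100,TWR-31,120
"""


def parse_cdr(text):
    """Parse the constructed CSV layout into time-ordered event dicts."""
    rows = []
    for r in csv.DictReader(StringIO(text)):
        rows.append({
            "ts": datetime.fromisoformat(r["timestamp"]),
            "direction": r["direction"],
            "other_party": r["other_party"],
            # A (tower, sector) pair identifies one coverage zone.
            "cell": (r["cell_id"], int(r["sector_azimuth"])),
        })
    rows.sort(key=lambda r: r["ts"])
    return rows


def movement_summary(rows):
    """Collapse consecutive events on the same tower sector into one segment.
    One segment means the handset stayed within one sector's zone for the whole
    period; several segments suggest movement between zones (or merely
    load-driven reselection), which is why the verdict names zones, not places."""
    segments = []
    for r in rows:
        if segments and segments[-1]["cell"] == r["cell"]:
            segments[-1]["end"] = r["ts"]
            segments[-1]["events"] += 1
        else:
            segments.append({"cell": r["cell"], "start": r["ts"],
                             "end": r["ts"], "events": 1})
    towers = {s["cell"][0] for s in segments}
    if len(segments) == 1:
        verdict = "stationary within one sector"
    elif len(towers) == 1:
        verdict = "moved between sectors of a single tower"
    else:
        verdict = "moved across multiple towers"
    return verdict, segments


if __name__ == "__main__":
    verdict, segments = movement_summary(parse_cdr(SAMPLE_CDR))
    print(verdict)
    for s in segments:
        print(f"{s['start']:%H:%M} - {s['end']:%H:%M}  tower {s['cell'][0]} "
              f"sector {s['cell'][1]:>3} deg  ({s['events']} event(s))")
```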
Forensic process
The forensics process for mobile devices broadly matches other branches of digital
forensics; however, some particular concerns apply. Generally, the process can be
broken down into three main categories: seizure, acquisition, and
examination/analysis. Other aspects of the computer forensic process, such as
intake, validation, documentation/reporting, and archiving still apply.[3]
Seizure
Seizing mobile devices is covered by the same legal considerations as other digital
media. Mobiles will often be recovered switched on; as the aim of seizure is to
preserve evidence, the device will often be transported in the same state to avoid
a shutdown, which would change files.[10] In addition, the investigator or first
responder would risk user lock activation.
However, leaving the phone on carries another risk: the device can still make a
network/cellular connection. This may bring in new data, overwriting evidence. To
prevent a connection, mobile devices will often be transported and examined from
within a Faraday cage (or bag). Even so, there are two disadvantages to this
method. First, it renders the device unusable, as its touch screen or keypad cannot
be used. Second, a device's search for a network connection will drain its battery
more quickly. While devices and their batteries can often be recharged, again, the
investigator risks that the phone's user lock will have activated. Therefore,
network isolation is advisable either through placing the device in Airplane Mode,
or cloning its SIM card (a technique which can also be useful when the device is
missing its SIM card entirely).[3]
Acquisition
Due to the proprietary nature of mobiles it is often not possible to acquire data
with the device powered down; most mobile device acquisition is performed live. With
more advanced smartphones using advanced memory management, connecting the device to
a charger and putting it into a Faraday cage may not be good practice. The mobile
device would recognize the network disconnection and therefore change its status
information, which can trigger the memory manager to write data.[11]
Most acquisition tools for mobile devices are commercial in nature and consist of a
hardware and software component, often automated.
The FAT file system is generally used on NAND memory.[13] One difference is the
block size, which is larger than the 512 bytes used on hard disks and depends on the
memory type, e.g., 64, 128 or 256 kilobytes for NOR memory and 16, 128, 256 or 512
kilobytes for NAND memory.
Different software tools can extract the data from the memory image. One could use
specialized and automated forensic software products, or generic file viewers such
as any hex editor to search for characteristic file headers. The advantage of the
hex editor is the deeper insight into the memory management, but working with a hex
editor means a lot of manual work and requires knowledge of the file system as well
as of file headers. In contrast, specialized forensic software simplifies the search
and extracts the data but may not find everything. AccessData, Sleuthkit, and
EnCase, to mention only some, are forensic software products to analyze memory
images.[14] Since there is no tool that extracts all possible information, it is
advisable to use two or more tools for examination. There is currently (February
2010) no software solution to get all evidence from flash memories.[8]
Manual acquisition
The examiner utilizes the user interface to investigate the content of the phone's
memory. Thus the device is used as normal, with the examiner taking pictures of
each screen's contents. This method has an advantage in that the operating system
makes it unnecessary to use specialized tools or equipment to transform raw data
into human-interpretable information. In practice this method is applied to cell
phones, PDAs and navigation systems.[16] Disadvantages are that only data visible
to the operating system can be recovered; that all data are only available in the
form of pictures; and that the process itself is time-consuming.
Logical acquisition
Logical extraction usually does not produce any deleted information, due to it
normally being removed from the phone's file system. However, in some cases
(particularly with platforms built on SQLite, such as iOS and Android) the phone
may keep a database file of information which does not overwrite the deleted
information but simply marks it as deleted and available for later overwriting. In
such cases, if the device allows file system access through its synchronization
interface, it is possible to recover deleted information. File system extraction is
useful for understanding the file structure, web browsing history, or app usage, as
well as providing the examiner with the ability to perform an analysis with
traditional computer forensic tools.[17]
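The following added example (not code from the article or from any tool it names) shows the SQLite behaviour described above on a constructed message store: after a row is deleted, SQL no longer returns it, but a page-level walk of the file's freeblocks and unallocated space, the same header-driven search an examiner would do by hand in a hex editor, still recovers its text. The table layout and message texts are constructed; the page-header offsets are those of the SQLite 3 file format.

```python
import os
import re
import sqlite3
import struct
import tempfile

# Runs of 6+ printable ASCII bytes; long enough to skip most header noise.
PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")


def _free_regions(page: bytes, hdr_off: int):
    """Yield (label, bytes) for the unallocated gap and each freeblock of one
    b-tree page. hdr_off is 100 on page 1 (after the file header), else 0."""
    flag = page[hdr_off]
    if flag not in (0x02, 0x05, 0x0A, 0x0D):
        return  # overflow, freelist or pointer-map page: no b-tree header
    first_free, n_cells, content = struct.unpack_from(">HHH", page, hdr_off + 1)
    hdr_len = 8 if flag in (0x0A, 0x0D) else 12  # interior pages add a right-child ptr
    ptr_end = hdr_off + hdr_len + 2 * n_cells    # end of the cell pointer array
    content = content or 65536                   # 0 encodes 65536
    if content > ptr_end:
        yield "unallocated", page[ptr_end:content]
    off, seen = first_free, set()
    while off and off not in seen and off + 4 <= len(page):
        seen.add(off)
        nxt, size = struct.unpack_from(">HH", page, off)  # freeblock: next, total size
        yield "freeblock", page[off + 4:off + size]
        off = nxt


def carve_free_space(db_path: str):
    """Return (page_no, region, text) for every printable string found in the
    free space of a SQLite file, i.e. content the database no longer reports."""
    with open(db_path, "rb") as f:
        data = f.read()
    if data[:16] != b"SQLite format 3\x00":
        raise ValueError("not a SQLite 3 database")
    ps = struct.unpack_from(">H", data, 16)[0]
    page_size = 65536 if ps == 1 else ps
    hits = []
    for pno in range(len(data) // page_size):
        page = data[pno * page_size:(pno + 1) * page_size]
        for label, region in _free_regions(page, 100 if pno == 0 else 0):
            for m in PRINTABLE.finditer(region):
                hits.append((pno + 1, label, m.group().decode("ascii")))
    return hits


def demo():
    """Constructed SMS store: insert three messages, delete one, then compare the
    logical view (what SQL returns) with what carving the free space recovers."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    con = sqlite3.connect(path)
    # Make the page-level behaviour explicit: a deleted cell is only unlinked and
    # its bytes stay until the space is reused (the default unless the library
    # was built with SQLITE_SECURE_DELETE).
    con.execute("PRAGMA secure_delete = OFF")
    con.execute("CREATE TABLE sms (id INTEGER PRIMARY KEY, addr TEXT, body TEXT)")
    con.executemany("INSERT INTO sms (addr, body) VALUES (?, ?)", [
        ("+15550100", "see you at the usual place tomorrow"),
        ("+15550101", "meet behind the warehouse at midnight"),
        ("+15550102", "happy birthday grandma, love you"),
    ])
    con.commit()
    con.execute("DELETE FROM sms WHERE id = 2")
    con.commit()
    live = [row[0] for row in con.execute("SELECT body FROM sms ORDER BY id")]
    con.close()
    carved = [text for _, _, text in carve_free_space(path)]
    os.remove(path)
    return live, carved


if __name__ == "__main__":
    live, carved = demo()
    print("logical view:", live)
    # Carved strings keep record-header residue in front of the field values,
    # so the deleted body shows up as a substring of a longer run.
    print("free-space carve:", carved)
```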
Physical acquisition
Generally the physical extraction is split into two steps, the dumping phase and
the decoding phase.
Brute force acquisition can be performed by third-party passcode brute force tools
that send a series of passcodes / passwords to the mobile device. This is a
time-consuming method, but effective nonetheless. Brute forcing tools are connected
to the device and will physically send codes on iOS devices starting from 0000 to
9999 in sequence until the correct code is successfully entered. Once the code entry
has been successful, full access to the device is given and data extraction can
commence.
Tools
Most recently, mobile device forensic tools have been developed for the field. This
is in response both to military units' demand for fast and accurate anti-terrorism
intelligence, and to law enforcement demand for forensic previewing capabilities at
a crime scene, search warrant execution, or exigent circumstances. Such mobile
forensic tools are often ruggedized for harsh environments (e.g. the battlefield)
and rough treatment (e.g. being dropped or submerged in water).[19]
Generally, because it is impossible for any one tool to capture all evidence from
all mobile devices, mobile forensic professionals recommend that examiners
establish entire toolkits consisting of a mix of commercial, open source, broad
support, and narrow support forensic tools, together with accessories such as
battery chargers, Faraday bags or other signal disruption equipment, and so forth.[20]
Some current tools include Cellebrite UFED and Micro Systemation XRY.
Some tools have additionally been developed to address increasing criminal usage of
phones manufactured with Chinese chipsets, which include MediaTek (MTK), Spreadtrum
and MStar. Such tools include Cellebrite's CHINEX, and XRY PinPoint.
Open source
Most open source mobile forensics tools are platform-specific and geared toward
smartphone analysis. Though not originally designed to be a forensics tool, BitPim
has been widely used on CDMA phones as well as LG VX4400/VX6000 and many Sanyo
Sprint cell phones.[21]
Physical Tools
Forensic desoldering
Commonly referred to as a "Chip-Off" technique within the industry, the last and
most intrusive method to get a memory image is to desolder the non-volatile memory
chip and connect it to a memory chip reader. This method carries the potential
danger of total data destruction: it is possible to destroy the chip and its
content because of the heat required during desoldering. Before the invention of
the BGA technology it was possible to attach probes to the pins of the memory chip
and to recover the memory through these probes. The BGA technique bonds the chips
directly onto the PCB through molten solder balls, such that it is no longer
possible to attach probes.
(Image caption: moisture in the circuit board turned to steam when it was subjected
to intense heat, producing the so-called "popcorn effect".)
Desoldering the chips is done carefully and slowly, so that the heat does not
destroy the chip or data. Before the chip is desoldered the PCB is baked in an oven
to eliminate remaining water. This prevents the so-called popcorn effect, in which
the remaining water would burst the chip package during desoldering.
There are mainly three methods to melt the solder: hot air, infrared light, and
steam-phasing. The infrared light technology works with a focused infrared light
beam onto a specific integrated circuit and is used for small chips. The hot air
and steam methods cannot focus as much as the infrared technique.
Chip re-balling
After desoldering the chip a re-balling process cleans the chip and adds new tin
balls to the chip. Re-balling can be done in two different ways.
The first is to use a stencil. The stencil is chip-dependent and must fit exactly.
Then the tin-solder is put on the stencil. After cooling the tin the stencil is
removed and if necessary a second cleaning step is done.
The second method is laser re-balling.[22][23][24] Here the stencil is programmed
into the re-balling unit. A bondhead (which looks like a tube or needle) is
automatically loaded with one tin ball from a solder ball singulation tank. The
ball is then heated by a laser, such that the tin-solder ball becomes fluid and
flows onto the cleaned chip. Immediately after melting the ball the laser turns off
and a new ball falls into the bondhead. While reloading, the bondhead of the
re-balling unit moves to the position of the next pin.
A third method makes the entire re-balling process unnecessary. The chip is
connected to an adapter with Y-shaped springs or spring-loaded pogo pins. The
Y-shaped springs need a ball on the pin to establish an electrical connection, but
the pogo pins can be used directly on the pads of the chip without the
balls.[11][12]
The advantage of forensic desoldering is that the device does not need to be
functional and that a copy without any changes to the original data can be made.
The disadvantage is that the re-balling devices are expensive, so this process is
very costly and there are some risks of total data loss. Hence, forensic
desoldering should only be done by experienced laboratories.[13]
JTAG
Existing standardized interfaces for reading data are built into several mobile
devices, e.g., to get position data from GPS equipment (NMEA) or to get
deceleration information from airbag units.[16]
Not all mobile devices provide such a standardized interface, nor does a standard
interface exist for all mobile devices, but all manufacturers have one problem in
common. The miniaturization of device parts raises the question of how to
automatically test the functionality and quality of the soldered integrated
components. For this problem an industry group, the Joint Test Action Group (JTAG),
developed a test technology called boundary scan.
Despite the standardization there are four tasks before the JTAG device interface
can be used to recover the memory. To find the correct bits in the boundary scan
register one must know which processor and memory circuits are used and how they
are connected to the system bus. When not accessible from outside one must find the
test points for the JTAG interface on the printed circuit board and determine which
test point is used for which signal. The JTAG port is not always soldered with
connectors, such that it is sometimes necessary to open the device and re-solder
the access port.[12] The protocol for reading the memory must be known and finally
the correct voltage must be determined to prevent damage to the circuit.[11]
The boundary scan produces a complete forensic image of the volatile and
non-volatile memory. The risk of data change is minimized and the memory chip
doesn't have to be desoldered. Generating the image can be slow and not all mobile
devices are JTAG enabled. Also, it can be difficult to find the test access
port.[13]
System commands
Mobile devices do not provide the possibility of running or booting from a CD, or
of connecting to a network share or another device with clean tools. Therefore,
system commands could be the only way to save the volatile memory of a mobile
device. Given the risk of modified system commands, it must be assessed whether the
volatile memory is really important. A similar problem arises when no network
connection is available and no secondary memory can be connected to the mobile
device, because the volatile memory image must then be saved on the internal
non-volatile memory where the user data is stored, and important deleted data will
most likely be lost. System commands are the cheapest method, but imply some risks
of data loss. Every command usage with options and output must be documented.
AT commands
AT commands are old modem commands, e.g., Hayes command set and Motorola phone AT
commands, and can therefore only be used on a device that has modem support. Using
these commands one can only obtain information through the operating system, such
that no deleted data can be extracted.[11]
dd
For external memory and the USB flash drive, appropriate software, e.g., the Unix
command dd, is needed to make the bit-level copy. Furthermore, USB flash drives
with memory protection do not need special hardware and can be connected to any
computer. Many USB drives and memory cards have a write-lock switch that can be
used to prevent data changes, while making a copy.
If the USB drive has no protection switch, a blocker can be used to mount the drive
in a read-only mode or, in an exceptional case, the memory chip can be desoldered.
The SIM and memory cards need a card reader to make the copy. The SIM card has been
thoroughly analyzed, such that it is possible to recover (deleted) data like
contacts or text messages.[11]
The Android operating system includes the dd command. In a blog post on Android
forensic techniques, a method to live image an Android device using the dd command
is demonstrated.[25]
Flasher tools
A flasher tool is programming hardware and/or software that can be used to program
(flash) the device memory, e.g., EEPROM or flash memory. These tools mainly
originate from the manufacturer or service centers for debugging, repair, or
upgrade services. They can overwrite the non-volatile memory and some, depending on
the manufacturer or device, can also read the memory to make a copy, originally
intended as a backup. The memory can be protected from reading, e.g., by software
command or destruction of fuses in the read circuit.[26]
Note that this would not prevent writing to or using the memory internally by the
CPU. The flasher tools are easy to connect and use, but some can change the data and
have other dangerous options, or do not make a complete copy.[12]
Controversies
Anti-forensics
Anti-computer forensics is more difficult because of the small size of the devices
and the user's restricted data accessibility.[13] Nevertheless, there are
developments to secure the memory in hardware with security circuits in the CPU and
memory chip, such that the memory chip cannot be read even after desoldering.[28][29]
References
1. Casey, Eoghan (2004). Digital Evidence and Computer Crime, Second Edition.
Elsevier. ISBN 0-12-163104-4.
2. Ahmed, Rizwan. "Mobile Forensics: An Introduction from Indian Law Enforcement
Perspective". Retrieved 2 January 2014.
3. Murphy, Cynthia. "Cellular Phone Evidence Data Extraction and Documentation"
(PDF). Retrieved 4 August 2013.
4. Tsukayama, Hayley (13 July 2012). "Two-thirds of mobile buyers have
smartphones". Washington Post. Retrieved 20 July 2012.
5. Jansen; et al. "Overcoming Impediments to Cell Phone Forensics" (PDF). Retrieved
20 July 2012.
6. Thackray, John. "Flasher Boxes: Back to Basics in Mobile Phone Forensics".
Retrieved 20 July 2012.
7. Ahmed, Rizwan. "Digital evidence extraction and documentation from mobile
devices" (PDF). Retrieved 2 February 2015.
8. Fiorillo, Salvatore (December 2009). Theory and practice of flash memory mobile
forensics. Theosecurity.com.
9. Miller, Christa. "The Other Side of Mobile Forensics". Officer.com. Retrieved 24
July 2012.
10. Jansen, Wayne; Ayers, Rick (May 2007). Guidelines on cell phone forensics.
Retrieved from http://csrc.nist.gov/publications/nistpubs/800-101/SP800-101.pdf
11. Willassen, Svein Y. (2006). "Forensic analysis of mobile phone internal
memory". CiteSeerX: 10.1.1.101.6742.
12. Breeuwsma, Marcel; de Jongh, Martien; Klaver, Coert; van der Knijff, Ronald;
Roelofs, Mark (2007). "Forensic Data Recovery from Flash Memory". Small Scale
Digital Device Forensics Journal, Volume 1 (Number 1).
Also, many of these tools have become more adept at recovering user passcodes /
passwords without user data loss. Tools commonly used for this area are [1], to
name just one.
13. van der Knijff, Ronald (2007). 10 Good Reasons Why You Should Shift Focus to
Small Scale Digital Device Forensics.
14. Ayers, Rick; Jansen, Wayne; Cilleros, Nicolas; Daniellou, Ronan (October 2005).
Cell Phone Forensic Tools: An Overview and Analysis. National Institute of
Standards and Technology.
15. Brothers, Sam. "iPhone Tool Classification" (PDF). Retrieved 21 July 2012.
16. Casey, Eoghan (2003). Handbook of computer crime investigation - forensic tools
and technology. Academic Press, 2nd edition.
17. Henry, Paul. "Quick Look - Cellebrite UFED Using Extract Phone Data & File
System Dump". Retrieved 21 July 2012.
18. Vance, Christopher. "Android Physical Acquisitions using Cellebrite UFED".
Retrieved 21 July 2012.
19. "Mobile Digital Forensics for the Military". Dell Inc. Retrieved 21 July 2012.
20. Daniels, Keith. "Creating a Cellular Device Investigation Toolkit: Basic
Hardware and Software Specifications". SEARCH Group Inc.
21. "The Electronic Evidence Information Center". Retrieved 25 July 2012.
22. Homepage of Factronix.
23. Video: Scheme of the Laser Re-balling process.
24. Video: Re-balling process.
25. Lohrum, Mark. "Live Imaging an Android Device". Retrieved 3 April 2015.
26. Salt, Tom; Drake, Rodney (1995). US Patent 5469557: Code protection in
microcontroller with EEPROM fuses.
27. Ahmed, Rizwan. "Mobile Forensics: an Overview, Tools, Future trends and
Challenges from Law Enforcement perspective" (PDF). Retrieved 2 February 2015.
28. Secure Boot Patent.
29. Sundaresan, Harini (July 2003). OMAP platform security features. Texas
Instruments.
External links
Video Tutorial on iPhone 4 Forensics
Seminar 'Covert Channels and Embedded Forensics'
Conference 'Mobile Forensics World'
SG Punja; RP Mislan. "Mobile Device Analysis" (PDF). Small Scale Digital Device
Forensics Journal. Retrieved 23 August 2010.
Chip-Off Forensics (forensicwiki.org)
JTAG Forensics (forensicwiki.org)