You’re the lead digital forensic investigator for the Glaxsom County Sheriff’s Department. The department is handling a case where a local teenage girl has gone missing.
Sheriff Jamison informs you that the teen’s iPhone was retrieved from the mother, but she does not have the passcode. You also learn that the teen’s mother logged into her daughter’s Facebook account and saw some things that alarmed her. It seems that the teen had recently friended a man the family does not know, and the two had been engaging in flirtatious conversations over the past two weeks. Lastly, Sheriff Jamison tells you that the Internet service provider has provided call logs for the teen’s phone, after a search warrant for the information was served.
“I need a report by the end of the week that details the current state of mobile incident response and investigation. You’ll need an investigation plan, a forensic report based on processing the image from the phone, and an analysis of tools that I should prepare our department to use in cases like this. You’re one of our lead investigators—I know you can do this.”
Mobile forensics is an increasingly complex environment for investigators because of the rapid rate of innovation and adoption of new technologies, applications, and hardware. Smartphones are being used in so many ways that they have become a central focus in digital forensic investigations.
The mobile platform is a forensic challenge because of the number of third-party applications found on many devices, the rapidly evolving security measures employed by the device manufacturers and application developers, and the explosive growth in the use of mobile devices and options.
Mobile devices include cell phones, tablets, and wearables, with literally several thousand different devices, equipped with countless types of interfaces, operating systems, and connectivity options.
This type of environment has many implications for an incident responder. The number of devices makes it impossible to be well-versed in each one, complicating analysis. The sheer number of devices also makes it expensive to stay abreast of the major players in the market. Users tend to choose mobile devices based on their portability, number of communication interfaces and sensors (e.g., GPS), and easy wireless internet connectivity. The features that make these devices popular are the same features that make them a critical piece of a digital forensics investigation.
In the steps that comprise this project, you will examine mobile investigative challenges, as well as the techniques and technologies available to perform mobile forensic examinations.
First, familiarize yourself with the details of the case and the basics provided by the sheriff. Then, you will need to develop an investigation plan that describes the current state of mobile incident response and investigation.
As you proceed through Project 4, you will get hands-on practice using the forensic tool EnCase and complete a forensic report. The next component will be a comparative analysis, in which you will describe the features of companion mobile phone forensic tools and recommend tools and techniques to use in the current investigation. The final component is a comprehensive forensic investigation report that will synthesize the investigation plan, forensic report, and comparative analysis.
Now that you know what’s ahead of you, move on to the first step of the project.
Your work will be evaluated using the competencies listed below.
- 1.1: Organize document or presentation clearly in a manner that promotes understanding and meets the requirements of the assignment.
- 1.6: Follow conventions of Standard Written English.
- 2.1: Identify and clearly explain the issue, question, or problem under critical consideration.
- 2.4: Consider and analyze information in context to the issue or problem.
- 2.5: Develop well-reasoned ideas, conclusions or decisions, checking them against relevant criteria and benchmarks.
- 5.1: Demonstrate best practices in organizing a digital forensic investigation.
- 5.3: Demonstrate the appropriate use of multiple digital forensic tools and techniques for imaging.
- 5.5: Apply risk management principles to an investigation.
- 5.6: Use of multiple digital forensic tools and techniques for imaging.
- 5.7: Use forensic tools and techniques to carry out an email investigation.
- 6.1: Perform report creation, affidavit creation, and preparation to testify.
- 6.2: Demonstrate ability to investigate mobile technology.
- 6.3: Use forensic tools for investigation of multimedia technologies.
- 6.4: Demonstrate the ability to gather file system evidence.
- 6.7: Access encrypted data or process data and systems that have been subjected to anti-forensics techniques.
- 6.9: Employ ethics throughout the forensic investigation process.
- 7.5: Evaluate encryption.
- 7.7: Incorporate Geographic Information Systems into plans for conducting Digital Forensics on a network.
- 8.1: Employ ethics when planning and conducting forensic investigations, and when testifying in court.
- 8.2: Incorporate international issues including culture and foreign language to plans for investigations.
- 9.1: Examine Data Storage and Transport Technologies.
- 9.3: Analyze File Systems.
- 9.5: Investigate Operating Systems.
Step 1: Get Familiar With the Case and Devise an Overall Plan
With a forensic investigation focused on an iPhone, you plan to undertake a series of steps to develop the report for Sheriff Jamison. You’ll start with an investigation plan that describes the current state of mobile incident response and investigation. In this plan, you will discuss the types of mobile phone technologies, challenges presented, and investigative techniques.
The goal is to summarize the current state of mobile phone forensics, the guidelines for how examiners approach mobile phone evidence, the challenges posed by iPhones, limitations and constraints, and the expectations for forensic analysis of the iPhone.
Next, you’ll focus on analyzing a mobile phone image using Cellebrite Reader, a forensics tool that can be used to examine an image of a mobile phone.
Then, you’ll conduct a comparison analysis that scans the environment to evaluate, compare, and contrast three other mobile phone forensic tools that could be used to address the concerns Sheriff Jamison identified in the case. This comparative analysis will culminate in your recommendation of a mobile phone forensic tool that best fits the needs of this investigation.
The final step is a comprehensive forensic investigation report to Sheriff Jamison that includes the investigation plan, a report of your findings, the comparative tool analysis, and case overviews and conclusions.
Step 2: Write an Investigation Plan
As a preliminary step in the process, Sheriff Jamison asks you to write an investigation plan identifying how you, as the digital forensics investigator, can assist with the case by examining the missing girl’s iPhone for footprints, and by providing a description of the considerations and mobile investigative challenges associated with mobile forensics and mobile platforms, including third-party applications, security measures, communication interfaces, and sensors. As a reporting technique, this plan should include the following:
- where mobile phone data may be extracted from
- what types of mobile phone data might be present
- how mobile phone data can be retrieved from an iPhone
- how the data will be forensically preserved and analyzed
- mobile phone applications that may hold useful information to this case
- how the evidence will be handled in anticipation of court admissibility
Based on your experience and expertise, you know to include deep diving to locate deleted and locked data and timelines, as well as geographic information systems and bring-your-own-device guidelines. As you prepare to scan for tools to use in this investigation, you will outline the need to look at the phone (SIM/USIM), and any additional memory (SD/memory cards), for call logs, text and SMS messages, contacts, graphics, web history, location information, Wi-Fi connection logs, and application data.
The goal of this plan is to summarize current mobile phone forensics and mobile incident response and investigation, the guidelines for how examiners approach mobile phone evidence, the challenges posed by iPhones, limitations and constraints, and the expectations for forensic analysis of this device.
Construct an investigation plan that addresses the concerns listed above. An investigation plan would typically be four to six pages, not including images and references. Use APA format and submit the plan to Sheriff Jamison (your instructor) for review and feedback. You will include the investigation plan in your forensic investigation report. Now you are ready to begin your investigation.
Step 3: Process Mobile Phone Image and Prepare a Forensic Report
Warning: This step will take you about three hours to complete. If you leave the lab without finishing it, you will have to start over again at the beginning; the lab environment does not save your information. Access the associated resources before beginning the lab.
Now that you have an investigation plan, you are prepared to begin the analysis of the iPhone. You’ll need to review some investigation instructions, then access the virtual lab to obtain the mobile phone image; it is a subset of a full iPhone image.
Cellebrite is a mobile forensic tool from a company based in Israel. Cellebrite was originally developed for things like copying contacts from one phone to another, so that when a new phone was purchased the owner wouldn’t have to retype all of their contact information. Cellebrite was a hardware-based tool that was called a UFED. While the UFED is still being used, there is also a computer-based solution known as Physical Analyzer. Cellebrite supports extraction from thousands of different devices. Physical Analyzer can generate a report, or it can generate an extract that can be read and analyzed with Cellebrite Reader. Cellebrite Reader has many of the same features as Physical Analyzer, including the ability to generate reports. This lab will utilize an extract from Physical Analyzer that generated a file to be used with Cellebrite Reader.
You open the case that contains the processed mobile phone image, conduct the laboratory investigation, and prepare a forensic report. The forensic report should include screenshots and information on mobile phone data, including the following:
- the evidence handling and processing steps that you use
- responses to the questions (in the lab)
- screenshots and/or other forensic artifacts to support each response
- summary and other case documentation (e.g., tools used, version, and image hashes)
- as in previous labs, refer to the Guidelines for Digital Forensics Examiner Reports.
Prepare a forensic report based on the template. Consult with your supervisor (instructor) if you have any questions. Otherwise, review it for accuracy and completeness. You will include it in your forensic investigation report.
In the next step, you will describe and compare EnCase to three other mobile phone forensic tools.
Step 4: Write a Comparative Analysis Report
So far, you have constructed an investigation plan and analyzed the mobile phone image from the missing girl’s iPhone. In this step, you will complete a comparative analysis report, focused on the evaluation of three companion tools to EnCase Mobile Investigator that could be used in the digital forensics investigation and analysis of a mobile phone.
In this report, you will identify three alternative mobile phone forensic tools for the analysis of mobile phones. In addition, you will:
- assess similarities to Cellebrite Reader and one another
- assess differences between Cellebrite Reader and one another
- summarize the similarities and differences in all four tools
The outcome will be a comprehensive identification and review of four (including EnCase Mobile Investigator) mobile phone forensic tools that Sheriff Jamison can use to select a tool for future investigations involving mobile phones. The structure of your analysis report should include the following:
- introduction (clearly state the purpose of your analysis)
- main idea statement
- description of mobile phone forensic tools
- evaluation of advantages and disadvantages of each tool
- recommendation of a tool for future investigations
A comparative analysis would typically be four to six pages, excluding appendices and references. Use APA format and submit your plan to your supervisor (instructor) for review and feedback. You will include the comparative analysis in your forensic investigation report.
Consult with your supervisor (instructor) if you have any questions. In any case, review the results of your analysis carefully for accuracy and completeness.
Step 5: Submit the Final Report
You have conducted an exhaustive analysis of the missing teen’s iPhone. Sheriff Jamison is looking forward to seeing your forensic investigation report. It is time to synthesize the investigation plan, lab analysis with EnCase, and comparative analysis elements into a single, cohesive Final Report document that includes:
- an abstract
- table of contents
- an introduction including the purpose of the report
- an incident summary
- your investigation plan
- a step-by-step description of steps taken in your examination including screenshots
- identification of all pieces of evidence located during your examination
- an analysis of each identified evidence artifact and your findings from the forensic report
- your comparative analysis
- a conclusion
- supporting documentation
- labeled figure screenshots from the lab
- tables and graphics
The Final Report should include an abstract overview and an introduction paragraph explaining your experience working through the case. Describe mobile investigative challenges and the techniques and technologies available to perform mobile forensic examinations.
The report should flow easily from an introduction, which explains the reason for the report and investigation, to a conclusion, which summarizes the previous steps and supports recommendations for future investigations.
Sign and date the final report in your capacity as a digital forensics examiner, and initial and date each page. Make sure the report has a cover page containing your name, course number and section, and date. Submit the final report to Sheriff Jamison (your instructor) for evaluation by following the instructions below.