Mobile forensics is the process of obtaining information on a mobile device such as a smartphone or tablet. The technology has grown in sophistication, and it can be used to uncover hidden content on devices, including text messages, apps and Wi-Fi connections. Mobile forensics goes beyond mere wireless security breaches. Today's mobile forensic tools can uncover true digital evidence and unlock devices with few endpoints or even no recovery partitions to access."

Mobile forensics is increasingly important in today's connected world. In this lesson, you'll learn more about mobile forensics, its uses, and the importance and steps of a forensically sound mobile investigation.

A division of digital forensics, which deals with the extraction of data from electronic sources, is mobile forensics. Mobile forensics is specifically concerned with recovering evidence from portable electronic devices like smartphones and tablets. Since so many people send, receive, and search for data via mobile devices today, it makes sense that these devices contain a significant amount of evidence that could be useful to investigators.

Mobile devices can disclose a variety of crucial data, including as phone logs, text messages, web search history, and GPS information that reveals the owner's potential location at any given time.

The secret to gathering digital evidence is following forensically sound procedures, regardless of who utilises mobile forensics or how it is applied. According to Duke University's Electronic Discovery Reference Model, the word "forensically sound" refers to "procedures employed for gathering electronic information in a way that assures it is "as originally discovered" and is dependable enough to be allowed into evidence."

This basically implies that mobile evidence is treated so that it will be admissible in court and that it is not compromised during the forensic procedure. The idea of being forensically sound is based on the fundamental idea that transportable evidence should be kept in the same condition as when it was first discovered.

A defined procedure that helps to guarantee law enforcement or anyone collecting the data follow best practises for doing so lies behind forensically sound mobile evidence collection. Let's examine those actions.

The foundation of digital forensics is the idea that evidence must always be properly processed, stored, and admissible in court. Mobile device confiscation is accompanied by a few legal considerations.

The activation of the lock (by the user, suspect, or unintentional third party), as well as the network or cellular connection, are the two main hazards associated with this stage of the mobile forensic procedure.

It's always a good idea to isolate your network, and there are two ways to do it: 1) put your phone in aeroplane mode and disable Wi-Fi and hotspots, or 2) copy your device's SIM card.

Mobile devices are frequently confiscated switched on, therefore the best way to carry them is to try to keep them turned on to avoid a shutdown, which would unavoidably change files. This is because the goal of their confiscation is to preserve evidence.

For performing mobile forensics, common pieces of equipment are a Faraday box or bag and an external power source. Unlike the latter, which is a power source implanted inside the Faraday box/bag, the former is a container particularly made to isolate mobile devices from network communications while also assisting with the safe transfer of evidence to the laboratory. To preserve the integrity of the evidence, disconnect the phone from the network, turn off all network connections (Wi-Fi, GPS, Hotspots, etc.), and switch on flight mode before placing it in the Faraday bag.

A Faraday bag is a device that isolates electronic devices from electromagnetic interference. The main benefit of a Faraday bag is that it prevents signals on a phone or computer: phone calls, messages and data transfers. In the legal environment in particular, not only must investigators/lawyers protect their cell phones but also all related devices like laptops and tablets."

The phase's objective is to get data off the mobile device. With the proper PIN, password, pattern, or biometrics, a locked screen can be unlocked (Note that biometric approaches while convenient are not always protected by the fifth amendment of the U.S. Constitution). The Virginia Circuit Court has ruled that while passcodes are protected, fingerprints are not. Additionally, apps, pictures, SMSs, and messengers may all have lock features similar to this. On the other side, encryption offers protection at a hardware, software, or both level that is frequently impossible to defeat.

Controlling data on mobile devices is challenging because the data itself is portable. Control is lost once messages or files are sent from a smartphone. Although a variety of devices can store a large amount of data, the data itself may actually be in another place. As an illustration, data synchronisation between devices and programmes can happen both directly and over the cloud. Users of mobile devices frequently use services like Apple's iCloud and Microsoft's One Drive, which opens the door to data collection from there.

Hardware and software might be able to close the data gap because data is continually being synchronised. Take Uber as an example; it has a website that is both functioning and an app. The Uber website or even the Uber software package installed on a computer can be used to view all the data that is accessible through the Uber app on a phone.

Regardless of the device type, the fragmentation of operating systems and item specs can make it more difficult to locate the data. Even Apple's iOS can change from version to version, and the open-source Android operating system alone has multiple versions. The proliferation and constant evolution of mobile apps present another difficulty for forensic professionals. Make a complete list of all installed applications. Some applications backup and archive data.

The next step is to correctly gather the data when one has identified the data sources. When it comes to acquiring information in the context of mobile technology, there are certain difficulties. Many mobile devices can't be gathered through the creation of an image; instead, they might need to go through a procedure called data acquisition. There are many protocols for gathering data from mobile devices since some design requirements could only permit a particular kind of acquisition. The forensic investigator should employ SIM Card imagining, a technique that generates a copy of the SIM Card's contents. The original evidence will be preserved while using the replica image for analysis, just like with previous replicas. To guarantee that the data is valid and unmodified, all picture files should be hashed.

Every digital investigation involving a mobile device or devices must begin with the forensic expert identifying:

What kind of mobile device(s) it is—for example, GPS, smartphone, tablet, etc.

GSM, CDMA, and TDMA networks are available. Carrier service provider (Reverse Lookup)

To get and evaluate data stored on the machine, the examiner may need to employ a variety of forensic tools. There is no one-size-fits-all set of mobile forensic tools because of how different mobile devices might be from one another. As a result, it is recommended to employ many tools when doing an examination. Popular forensic software programmes with analytical features include AccessData, Sleuthkit, and EnCase. Depending on the type and model of mobile device, the best tool or tools are selected.

From the perspective of a forensic analyst, timeline and link analysis, which is accessible in many mobile forensic technologies, could connect each of the most important occurrences.

They are typically lengthier and more complicated. It is quite likely that the only option to recover data from a device in situations when it is completely non-functional owing to significant damage will be to manually remove and image the device's flash memory chips. The forensic expert might need to physically collect the contents of the chip even if the equipment or object is in good shape

A procedure that describes taking data directly out of the memory chip of the mobile device. The chip is removed from the device in accordance with the procedures relevant to this level, and data contained on the device under enquiry is extracted using a chip reader or a second phone. The fact that there are so many different chip kinds available on the mobile market should be recognised as making this procedure technically difficult. The chip-off procedure is also costly, calls for training, and requires the examiner to purchase particular hardware in order to de-solder and heat the memory chip. Unparsed, uncoded, and uninterpreted bits and bytes of raw data are still being extracted from the memory.

The whole process consists of five stages:

Detect the memory chip typology of the device

Physical extraction of the chip (for example, by unwelding it)

Interfacing of the chip using reading/programming software

Reading and transferring data from the chip to a PC

Interpretation of the acquired data (using reverse engineering)

This technique entails manually viewing the entire memory chip via an electron microscope's lenses in order to examine the information visible there, more specifically the physical gates on the chip. In a word, micro read is an expensive, time-consuming procedure that requires the highest level of competence and is only used in extreme national security crises.

CSI wife killers are Ireland's most notorious wife killers — men whose murder trials gripped the nation and whose evil crimes sent shock waves through the spines of the public.

For killing the ladies, they shared their lives with, Joe O' Reilly, Eamonn Lillis, and Brian Kearney are all currently beaten up in jail.

Lillis was ultimately found guilty of his wife's manslaughter, while Kearney and O'Reilly are currently serving life sentences for murder. Although the intricate cases that senior gardai established against these three offenders were unique, they all shared significant similarities.

But in cracking these cases, detectives relied hugely on innovations in technology and forensic science to succeed. There can be little doubt that just two decades ago it would have been almost impossible for the gardai to secure convictions in these investigations. Advances in forensic science, CCTV and the fact that information can be obtained from mobile phones and email mean that gardai are now better equipped to solve serious crime.

DETECTIVES were aware that their investigation into Joe O'Reilly would shed light on a branch of forensic science that could aid criminals in eluding the law.

The prosecution considered expert testimony on the locations and times O'Reilly used his cell phone to be crucial to convincing the jury of his guilt.

The wife-phone killer's would demonstrate that he could not be in two places at once, and this was to prove to be his demise in a case that was primarily built on circumstantial evidence. Communications experts told the court that the location of O'Reilly's phone on the day of the murder contradicted his account of his movements. A garda source said that career criminals would never again dream of using mobile phones registered to them or associates. "Joe O'Reilly was not a career criminal and clearly didn't know his phone could be tracked and place him close to the scene of the crime at a time when he claimed to be somewhere else. What this trial has done, I suppose, is show once again that we have access to this sort of technology. A phone doesn't even have to be used to show where it is."As someone moves across a city, for example, their phone registers to the nearest mast. It doesn't give a precise location, but it can contradict a false alibi.

"Checking mobile records is now standard protocol in so many cases, particularly those involving missing persons and homicide. Joe O'Reilly didn't appear to be aware of it."

This is not the first time gardai have used mobile phone evidence, often described as the "new fingerprint", in a high-profile trial. Perhaps the most famous case concerned the 1998 Real IRA bombing of Omagh, which left 29 people dead.

In January 2002, father-of-four Colm Murphy was found guilty at the Central Criminal Court of plotting the atrocity. His 25-day trial heard allegations that he had loaned two phones to the bombers. RUC and gardai working with mobile phone experts, tracked the movements of the phones from the Republic to Omagh and back on the day of the outrage. The prosecution's case was that Murphy had given the phones to the bombers knowing they would be used for unlawful purposes.

Murphy subsequently won an appeal. His conviction was quashed, and a retrial has been ordered. His lawyers are currently arguing for the case to be dropped on the grounds that he is too ill for a retrial.

Nevertheless, the case set a new standard for garda investigations.

Mobile phone evidence helped one of Britain's most notorious killers come to terms with his misdeeds. In August 2002, Holly Wells and Jessica Chapman, two 10-year-old schoolgirls from the English town of Soham, were kidnapped and slain by Ian Huntley. Investigators determined that Jessica's phone was off inside or close to Huntley's home. O'Reilly's phone would also lead to his demise since it revealed he had lied about Nikki Pelley, his lover. He claimed the connection was finished in his statement to garda police, but experts found that a total of 18 conversations and texts were made between his and Ms. Pelley's phones on the day he killed his wife.

Appendix A mapping to cybersecurity framework¶. Appendix A Mapping to Cybersecurity Framework – NIST SP 1800-27 documentation. (n.d.). Retrieved October 17, 2022, from https://www.nccoe.nist.gov/publication/1800-27/VolB/vol-b-appendix.html