THE FUTURE OF MOBILE FORENSICS
by Clarence Kingston
A Capstone Project Submitted to the Faculty of Utica College in Partial Fulfillment of the Requirements for the Degree of Master of Science in Cybersecurity
May 2018
© Copyright 2018 by Clarence Kingston All Rights Reserved
Abstract
The diversity in mobile technology and the pileup of digital evidence has triggered many challenges that hinder an acceptable acquisition of data. Due to the lack of device standardization, necessary training, and the availability of forensic tools, digital forensic examiners (DFE) struggle to acquire and analyze mobile data properly. Methodologies of the past are now obsolete, and both the mobile forensic community and law enforcement yearn to establish a unified approach for the future of mobile forensics. It is inevitable that many DFEs experience delays when expected to handle a majority of the workload associated with mobile forensic investigations. To reduce the massive backlog in cases and establish a standardized approach for the acquisition of data, many law enforcement investigators must assume their role in the mobile forensic process. As a result, many agencies are pushing to employ an in-house mobile forensics team. To ensure that evidence has been obtained in a timely, valid, and accurate manner, the pooling of resources, collaborative analysis, the sharing of best practices, and the equal distribution of duties are all necessary to maintain the admissibility of evidence. A unified approach allows for a richer depth of investigation resulting in more convictions.
Keywords: Cybersecurity, Professor Donnie Wendt, Incident Response, Digital Forensics, First Responder.
Acknowledgements
I wish to express my gratitude to the faculty, staff, and fellow students of Utica College. At this point in my life, continuing education was not an easy challenge. In the beginning, I was skeptical when considering distant learning as an option to complete my Master’s Degree. However, the Engage learning environment and the overall Cybersecurity program structure was remarkable. Many of the professors here at Utica College were available momentarily to answer questions, and many took time out of their busy schedule to make this possible for me and my family. I would also like to thank my loving and supportive wife who has surrendered countless hours of our life together to witness me succeed. As Professor Wendt once stated, “Nobody undertakes the rigors of a Master’s Degree program alone.” Thank you for your precious time and support, and I look forward to spending the rest of my life with you.
Table of Contents
Introduction
Statement of The Problem
    Purpose of the Study
    Research Questions
Literature Review
    Obstacles in the Field of Mobile Forensics
    Tools, Training, and the Admissibility of Evidence
    Data Acquisition Methods
    Common Risks
    Reshaping Mobile Forensics
    Summary
Discussion of Findings
    Unforeseen Challenges
    Standardized Approach for the Acquisition of Data
    Summary
Recommendations
    The Pooling of Resources
    Collaborative Analysis and the Equal Distribution of Duties
    The Sharing of Best Practices
    Recommendations for Future Research
    Summary
Conclusion
References
List of Illustrative Materials
(Figure 1) Available mobile apps as of March 2017
(Figure 2) Mobile data traffic over an eight-year period
(Figure 3) Daily mobile app usage
(Figure 4) Common mobile operating systems
(Figure 5) Mobile carriers and customer ratings as of 2016
(Figure 6) Biometric authentication
(Figure 7) Mobile device data acquisition techniques
(Figure 8) Chip-Off technique for data acquisition
(Figure 9) JTAG Mobile Device Connection
(Figure 10) Cellebrite Touch Forensic
(Figure 11) Chain of custody form
(Figure 12) Mobile device users from 2010-2020
Introduction
According to Cisco (2016), the worldwide leader in networking equipment, there will be 11.6 billion mobile-connected devices by the year 2020. In many instances, a large percentage of the data that resides on these devices will be involved in criminal activity (Gillware, 2017). According to annual statistics published by the Federal Bureau of Investigation (FBI), the proliferation of mobile devices has triggered a steady rise in the perpetration of crimes. The annual report demonstrates a year-to-year growth in the number of mobile forensic examinations, the amount of data being examined, and the amount of data being examined per case (Irons and Lallie, 2014). Additionally, due to the Internet of things (IoT), the rise in mobile devices has placed many users at a greater risk to a diversity of cybercrimes (Troutman, 2013).
In its infancy, digital forensics, or computer forensics, was the discovery, recovery, and investigation of digital evidence that had been extracted from computers or other digital devices. As technology progressed, digital forensics entailed the collection of standardized techniques, processes, and procedures used to preserve, extract, analyze, and present electronic evidence (Daware, et al., 2012). Mobile forensics is essentially an evolving field of digital forensics. The mobile forensic process entails the detection, extraction, and analysis of data and related electronic evidence from a wide variety of mobile devices, via a combination of open source and proprietary tools and forensically sound methodologies (Maurya, et al., 2015). Forensically sound methodologies are procedures that are used to ensure that acquired data is unaltered and remains in its original state until being admitted into evidence (Duke Law, 2018).
The key step to preparing for a mobile forensic examination is understanding the hardware and software characteristics of the device that is under investigation. The remaining
steps entail conducting a forensically sound examination (Ayers et al., 2014). In doing so, continuing education and training is required to stay current on all evolving devices. Furthermore, a comprehensive approach to the acquisition and analysis of data remains necessary due to the complexity of today’s devices (Waters, 2014). To ensure an efficacious outcome, it remains crucial that digital forensic examiners (DFE) are equipped with an acceptable workstation of tools and strategies to collect quickly and effectively, identify, and uncover any relevant data that can help to ensure a successful investigation (Reiber, 2014). Unfortunately, many digital forensic experts are struggling to keep up with rapidly evolving technologies (National Institute of Justice, 2018). Due to the lack of standardization and homogeneity in today’s mobile devices, many DFEs continue to endure many obstacles when attempting to retrieve data for ongoing civil or criminal investigations. As such, many existing tools and strategies frequently become obsolete as a new or updated product line has been released (Azadegan et al., 2012). Therefore, the mobile forensic community could certainly benefit from a set of universal forensic tools and a standardized approach for the acquisition and analysis of data from all mobile devices, regardless of operating system or data type (Reiber, 2014).
Statement of The Problem
Mobile devices are commonplace in today’s digital venue. As such, a vast number of users rely on these devices for day-to-day transactions. Smartphones, tablets, personal digital assistants (PDA), and many other handheld devices, can stow a large volume of information in the form of e-mail, word documents, spreadsheets, text messages, global positioning system (GPS) tracking information and digital images, all of which could contain evidentiary data (Romanov, 2012). However, DFEs continue to endure various obstacles when attempting to both acquire and analyze data from today’s rapidly evolving mobile devices (Bollo, 2017).
When dealing with traditional computer forensics, DFEs have long established a standardized approach in which data can easily be acquired and analyzed from a variety of storage mediums. In doing so, known forensic tools and strategies are readily available (Sai et al., 2015). However, in the field of mobile forensics, many tools and strategies remain device specific. Therefore, no one tool or strategy exists to address all eventualities (Pendleton, 2013). In many cases, the mobile forensic process often requires specialized hardware and software to access much of the data that is contained on the mobile device. As such, many examinations require multiple tools and specialized hardware to collect much-needed data (BlueSheepDog, 2018). The overall mobile forensic process can be extremely time-consuming when determining which tool or procedure will ensure the most thorough analysis (Teel Technologies, 2012).
Over the years, DFEs have seen an enormous increase in incidents that require the examination of mobile devices. As a result, law enforcement agencies have relied heavily on DFEs for data acquisition, analysis, and the presentation of relevant data. However, when faced with today’s complex devices, the amount of data that can be collected remains limited by both
the examiners’ capabilities and the repository of tools that are available in the field (McMillan et al., 2013). Due to the rapid rise in mobile technology, variations in technical and physical characteristics have made it difficult for DFEs to acquire and analyze mobile data properly (Mahalik, 2014). Making matters worse, while developers work diligently to deliver a specific forensic tool, countless devices continue to be released. As a result, many examiners and software developers struggle when attempting to keep up with the rapid release cycle of today’s mobile devices (Pendleton, 2013). Additionally, many of today’s mobile devices come equipped with proprietary encryption software. As such, federal and local law enforcement agencies are concerned that existing security measures will hinder the ability to extract necessary data for criminal investigations (Dujardin, 2015). According to Goodison et al. (2015), researchers at the University of Denver, mobile devices are often a key component in many of today’s criminal cases. Therefore, any relevant data that is obtained can be used as evidence in a court of law. However, in many instances, experts lack accessible tools, innovative strategies, and a comprehensive understanding of how to extract and analyze data from many of today’s intricate devices. As a result, an enormous stockpile of digital evidence has consequently led many law enforcement agencies to suffer a backlog in caseloads (tracksinspector, 2018). Due to these circumstances, the mobile forensic community is eager to adopt any new tools or strategies that could better their chances of gathering evidence that is pertinent to the investigation (Ademu et al., 2011). When conducting forensic examinations, a best practice approach is expected from all participants. Therefore, additional education, extensive training and the deductive selection of tools and strategies are necessary in preparing for the case at hand. Best of all, a rational mindset
and an increase in overall competency will increase the chance of acquiring evidence that can be presented to a court of law (Dehaviland, 2015). While many mobile forensic tools are in development and much progress has been made, there is a high level of uncertainty regarding the future of mobile forensics (eForensics, 2017).
Purpose of the Study
First, the purpose of this research is to identify the key areas in which digital forensic examiners continue to struggle when assisting government and law enforcement agencies with a vast number of criminal investigations. Secondly, this research will address several underlying issues that prevent the availability of necessary forensic tools and training that is required to carry out a successful investigation. Lastly, this research will address the need to devise a plan or strategy that could provide support for all mobile devices, regardless of the operating systems or data types that are encountered in the field.
Research Questions
This research will address the following questions related to the future of mobile forensics:
Q1. What are some of the main obstacles that digital forensic examiners are encountering when attempting to acquire data from today’s mobile devices?
Q2. How do an expert’s lack of training, overall competency, and the absence of necessary tools, techniques and standardized procedures affect the mobile forensic process?
Q3. What steps could be taken to establish a set of universal tools and a standardized approach for the acquisition of data from all mobile devices, regardless of technical or physical characteristics?
Literature Review
Due to rapid advancements in mobile technology, many law enforcement agencies, and their affiliate forensic labs, continue to endure many setbacks when attempting to acquire and analyze data that resides on today’s complex mobile devices (Reiber, 2014). Over the years, various methodologies have been suggested by the Department of Justice (DOJ) and the National Institute of Standards and Technology (NIST); however, due to the diversity in mobile technology, no one tool or strategy remains suitable for all cases (Pendleton, 2013). Furthermore, many DFEs often lack the necessary education and training to utilize the minimal set of tools that are readily available (Petraityte et al., 2017). Due to the lack of available tools and the unskilled interaction with today’s constantly evolving devices, much-needed evidence is often lost, distorted, or rendered inadmissible in a court of law (Petraityte et al., 2017).
As the number of mobile devices continues to multiply, it is anticipated that the number of cases requiring mobile forensic analysis will likely increase in the coming years (Lillis, et al., 2016). At this point in the game, all entities involved long to develop and adopt a standardized procedure for the acquisition of data from a seemingly endless number of mobile devices (MarketWired, 2015). A standardized procedure, or standard operating procedure, is any method that has been established to be followed routinely for the performance of designated operations or in designated situations (Merriam-Webster, 2018). It is essential that all agencies, whether local, state, federal, or international, seek out the necessary means to ensure readiness by establishing a unified approach to address the future of mobile forensics (Sule, 2014).
Obstacles in Mobile Forensics
Advancements in mobile technology and storage capacity continue to grow tremendously. As a result, mobile devices have evolved into massive data repositories in which
evidentiary data can accumulate. Any relevant evidence that can be gathered will be used to support ongoing criminal investigations (Bennett, 2011). Mobile forensics is a continuously evolving field, which involves permanently evolving tools and strategies. Over the years, numerous obstacles have continued to plague both the forensic community and law enforcement (Tahiri, 2016).
Standardized procedures. With traditional computer forensics, an acceptable set of tools and procedures is used to extract evidence that may exist on a subject computer. Storage mediums can be easily accessed or removed, and various tools can be used to generate a forensic image prior to analysis (Dehaviland, 2015). A forensic image is essentially a working copy of the drive’s contents that is used throughout the examination (Rouse, 2018). A working copy ensures that original data is unaltered when presented as evidence to a court of law (Forensic Focus, 2018). Additionally, a live memory capture can be performed if the system is powered on at the time of seizure (Sai et al., 2015). The computer forensic process follows specific guidelines which have been standardized by the Department of Justice (DOJ) and the National Institute of Standards and Technology (NIST) (FORENSICON, 2018).
When dealing with mobile devices, certain data cannot be collected by simply obtaining an image. Instead, the DFE is required to perform a process called acquisition of data. However, certain design specifications may only allow for one type of acquisition. Therefore, there is no well-established procedure that is suitable for all devices (INFOSEC, 2018). Mobile devices are generally sealed units, and specific cables are required to access internal data. Thus, a thorough understanding of input and output interfaces is necessary (Bollo, 2017). In some cases, the DFE can retrieve data from the device manually.
However, to perform advanced analysis or to recover deleted data, the DFE requires specific hardware and various data
acquisition tools to interact with the device. Additionally, the device may need to be powered on to gain access. Due to the volatile nature of mobile devices, a mere change in device settings could trigger the loss of potential evidence (Yang et al., 2017). Volatile data is any information that is stored within device memory that can be altered or lost when the device is cycled on or off (DRS, 2018). Except for data stored on a Secure Digital (SD) card, which allows for backups and external storage, much of the software and applications are stored within the mobile device’s solid-state flash memory. Due to the vast number of mobile apps and the way individuals carry out day-to-day online activities, internal memory constantly changes (Bennett, 2011).
Rapid assessment and preservation of data. When dealing with solid-state memory, the operating system periodically erases deleted data automatically, making data recovery nearly impossible. Additionally, any new data that is received, such as incoming text messages or emails, may also render older data unrecoverable. When a device is powered on and idle, the operating system makes use of this time to clean allocation units for reuse. Best practices require rapid assessment, proper handling, and preservation to prevent the permanent loss of data (IRIS LLC, 2016).
Mobile apps and the rise in data. As today’s mobile devices have transformed into handheld computers, a large market for mobile software applications, or apps, has emerged (Purcell, 2010). Unlike computer software, mobile apps are relatively low in cost and are much easier for the user to install and operate. Some of the many mobile apps include GPS navigation, weather forecasts, social networking, location sharing, banking and finance, communication tools, chat, instant messaging, entertainment, TV and radio broadcasting, and gaming. Millions of mobile apps exist, and billions of app downloads have occurred (AppBrain, 2018). In 2017,
nearly 3 million Google apps were available for download in the Google Play Store alone. Figure 1 depicts the number of available apps in various app stores as of March 2017 (Statista, 2017).
Figure 1. The number of available apps in leading app stores as of March 2017. Adapted from “5 Common Mobile App Development Mistakes to Avoid” by Harnill Oza (2017). http://yfsmagazine.com/2017/04/07/5-common-mobile-app-development-mistakes-to-avoid/. Copyright 2018 by YFS Magazine.
According to Magnet Forensics (2014), a leader in digital forensic solutions, the rise in mobile app activity has created many new obstacles for DFEs when attempting to recover an overwhelming amount of data that is contained within thousands of commonly used mobile applications. As with the rapid release cycle of mobile devices, more mobile apps continue to emerge. Over the years, there has been a tremendous rise in the use of mobile devices for business, communication, and entertainment purposes. The increase in mobile devices, faster networks, and the explosion of mobile apps, have triggered an enormous rise in the amount of data to be acquired and analyzed (RSA Conference, 2016). Figure 2 depicts the rise in mobile data traffic from 2008 through 2016 (Statista, 2017). On the condition that these statistics are
accurate, it is estimated that mobile data traffic will exceed 190 exabytes per year by 2018 (Guglielmo, 2014).
Figure 2. The rise in mobile data traffic over a period of eight years. Adapted from “Mobile Data Traffic to Grow 10x by 2016” by Andrew Nusca (2011). http://www.zdnet.com/article/mobile-data-traffic-to-grow-10x-by-2016-report-says/. Copyright 2018 by CBS Interactive.
According to eMarketer (2017), the average user spends nearly three hours a day utilizing a large variety of mobile apps. As a result, it is estimated that mobile app activity accounts for nearly 85% of the time that mobile devices are connected to the Internet. Figure 3 depicts the projected rise in daily usage of mobile apps from 2015 through 2019.
Figure 3. The rise in the average number of hours per day that mobile apps are utilized. Adapted from “Time spent in apps increases whilst overall number of apps being used is in decline” by Anne Freier (2017). http://www.mobyaffiliates.com/blog/time-spent-in-appsincreases-whilst-overall-number-of-apps-being-used-is-in-decline/. Copyright 2017 by eMarketer.
While most users take advantage of today’s mobile apps for enhanced communication, productivity, and entertainment purposes, some individuals engage in activities that are illicit. Therefore, any trace of information that mobile app activity leaves behind can be vital to the investigation (Ayers, 2014). However, if the DFE is unaware of the apps that are frequently used, or is uncertain as to where data may reside, critical evidence is likely being missed (Magnet Forensics, 2014). According to Duggal (2014), author of Mobile Law, crimes such as mobile hacking, child pornography, identity theft, cyberstalking, software piracy, and credit-card fraud continue to push mobile devices into the spotlight of many criminal investigations.
Social networking apps have become a standard fixture on many of today’s mobile devices. In many instances, users are online and logged in 24 hours a day. Apps such as Facebook, Twitter, Snapchat, LinkedIn, WhatsApp, etc., are by design a treasure trove of information. Unfortunately, in an online environment, massive amounts of information are both updated and deleted on a regular basis (Narayanan, 2015). According to Wright (2012), author of Social Media and the Changing Roles of Investigators, experts have very little control over the
social network in which the information is either stored or manipulated. Therefore, many investigators are often eyewitnesses to many of the crimes. As a result, multiple investigators, extensive documentation, and screen capture software may be necessary to corroborate their findings. In many instances, Facebook, the leader in social media, will assist law enforcement by releasing requested information that is potentially linked to illicit activity. However, due to strict privacy policies, Facebook may also exercise their right to withhold such information related to their dedicated users and/or their affiliates (Facebook, 2018).
According to Reiber (2014), author of Mobile Forensic Investigation: A Guide to Evidence Collection Analysis and Presentation, nearly half of all Internet protocol (IP) traffic is generated from mobile app activity. Unfortunately, only five to ten percent of this data can be recovered by current mobile forensic tools. As a result, much-needed data slips through uncollected and thus unanalyzed (Cisco, 2017).
Hardware and operating systems. According to Barmpatsalou et al. (2013), a forensic examiner from the INFOSEC Laboratory of Information and Communication Security, one of the main challenges in the field of mobile forensics is the lack of device standardization. With traditional computer forensics, many DFEs have long been acquainted with various storage mediums as well as a few known operating systems and their corresponding file structures. However, today’s mobile devices come equipped with an assortment of hardware and a wide variety of operating systems including Apple's iOS, Google's Android, RIM's BlackBerry OS, Microsoft's Windows Mobile, and Nokia's Symbian OS (Mahalik, 2016). Figure 4 depicts some of the most common mobile operating systems that are being deployed on today’s mobile devices (Connect.com, 2018).
Figure 4. Today’s most common mobile operating systems. Adapted from “2014 Mobile Market Shares” by MANIKANDAN (2014). https://connectwww.com/operating-systemmarket-share-october-2014/3723/. Copyright 2018 by Connect.com.
According to Garrie (2014), author of Digital Forensic Evidence in the Courtroom: Understanding Content and Quality, the first step towards a successful forensic examination is being able to identify the suspect device clearly. In doing so, DFEs must be aware of the manufacturer make, model, operating system, hardware specifications and connectivity options. Due to the increase in demand, many manufacturers have joined forces to release many hybrid devices which operate on 15 different network carriers. Additionally, many carriers promote their version of a make or model which has been tailored to meet specific network requirements. As a result, varying physical and technical characteristics make it difficult for examiners to establish a functional workstation of tools and strategies which remain crucial to the examination process (Bollo, 2017). Figure 5 depicts the available mobile network carriers and related consumer ratings as of 2016. On a scale ranging from one through ten, 10.0 is the highest possible consumer rating (PCMag, 2018).
Figure 5. Available mobile carriers and related consumer ratings as of 2016. Adapted from “Readers’ Choice Awards 2016: Smartphones and Carriers” by Ben Z. Gottesman (2016). https://www.pcmag.com/article/342878/readers-choice-awards-2016-smartphones-and-carriers. Copyright 2018 by PCMag Digital Group.
Security enhancements: User authentication and content encryption. Many of today’s mobile devices contain built-in security features that shield user data and attempt to uphold individual privacy. As an alternative to traditional password protection, a variety of login, biometric and other authentication methods are available for today’s mobile devices (Tahiri, 2016). Biometrics refers to the automated recognition of individuals based on biological or behavioral characteristics. Some examples of biometric authentication include facial recognition, fingerprints, vocal recognition, and retina scanning (Jain and Ross, 2015). Figure 6 depicts biometric fingerprint and retina scanning authentication methods (WordPress.com, 2015).
Figure 6. The use of biometric authentication for the security of mobile devices. Adapted from “World’s First Iris Scan Smartphone Launches-Unlock Phone and Make Payments With your Eye” by Heisscoming1725 (2015). https://heiscomingblog.wordpress.com/2015/05/14/worldsfirst-iris-scan-smartphone-launches-unlock-phone-and-make-payments-with-your-eye/. Copyright 2015 by WordPress.com.
User authentication is the first line of defense for unattended, lost, or stolen mobile devices. In many instances, multiple layers of authentication present challenges for both the attacker and the investigator (Dujardin, 2015). Upon powering on the device, many DFEs will be required to enter a handset unlock code that is either assigned by the manufacturer or personalized by the user. If the mobile device was in standby mode or powered down at the time of seizure, the DFE may be unable to obtain the code that is required to gain access (Binary Intelligence, 2012).
If the DFE has gained access to the mobile device, much-needed data is often encrypted via proprietary encryption algorithms, or proprietary cryptography (Commvault, 2018). Proprietary cryptography is a term used to describe hidden encryption techniques that provide additional security for the mobile device (Verdult, 2015). While some mobile devices offer full disk encryption, others offer protection for specific files and directories. As a result, valuable data such as short message service (SMS), e-mails, and multimedia files, can be individually protected (Donovan, 2017). Such security efforts can make data acquisition difficult and time-consuming without the help of hardware vendors or device manufacturers. Currently, it is not mandatory that manufacturers implement a backdoor for law enforcement to intercept
necessary data from a mobile device (IACP Summit, 2016). A backdoor is a technique in which a system’s security mechanism can be bypassed to gain access to user data (Techopedia, 2018). Additionally, many service providers fail to retain much-needed communication content or records (IACP Summit, 2016). According to Cellebrite (2017), a leader in mobile forensic tools and solutions, many manufacturers provide for an early release of many device models for forensic testing purposes. However, according to Latronix (2018), a global leader in industrial networking solutions, many manufacturers are reluctant to assist with many examinations due to trade secrets and privacy laws. In either event, several security enhancements are implemented to ensure privacy by protecting sensitive user data (NIST, 2018). On many occasions, the DFE may need to find a workaround to extract necessary data from many of today’s devices. In doing so, specific hardware and multiple forensic tools may once again be needed (McMillan, 2013).
To make matters worse, many mobile manufacturers implement hidden functionalities such as data obfuscation, data hiding, data forgery, and secure wiping. Data obfuscation or masking refers to the process of concealing private data to avoid exposure. Numerous data masking techniques are utilized by many vendors in today’s market (Analysis and Comparisons, 2018). Data hiding is a technique used in object-oriented programming (OOP) in which data is hidden via computer code (Techopedia, 2018). Secure wiping is a process in which a storage medium is erased to avoid the theft or trace of sensitive user data and recent activity (DataDestructionInc, 2018). Such security measures make the examination extremely difficult if not impossible at times (INFOSEC, 2018).
According to Ayers (2014), author of Guidelines on Mobile Device Forensics, it is important to remember that any improper interaction with mobile devices could permanently restrict access or even destroy valuable contents.
Tools, Training, and the Admissibility of Evidence
The admissibility of evidence is dependent in part upon the availability of forensic tools, and the DFE’s level of training and overall competency (Petraityte et al., 2017). Scientific Working Groups on Digital Evidence and Imaging Technology (SWGDE/SWGIT) suggest that examiners be trained according to industry standards and best practices as discussed in Guidelines & Recommendations for Training in Digital & Multimedia Evidence (SWGDE, 2010). According to SWGDE (2010), all entities that are involved with the collection, preservation, analysis, and examination of digital or multimedia evidence, should remain aware of both the capabilities and limitations of specific technologies. In doing so, it is recommended that those involved adapt to any common tools and procedures that have been established for the mobile forensic community, and any new developments that may be introduced.
There are various data acquisition tools and techniques available to the mobile forensics community; however, some are frequently in development, and others require extensive training to harness their true potential. Therefore, DFEs must be aware of the various tools and strategies that are readily available and be knowledgeable as to the capabilities and limitations of a particular methodology. Failure to do so can be detrimental to the investigation (Zareen, 2010).
Data Acquisition Methods
As the demand for data recovery continues to rise, so will the challenge to find the most suitable tool to acquire data from the device at hand. In many instances, DFEs will find that a combination of open-source and proprietary forensic tools must be used to increase the chances of discovering evidentiary data (IACP Summit, 2016). Figure 7 depicts a tool classification system which offers a framework for DFEs to compare data acquisition techniques and their accompanying forensic tools (INFOSEC, 2018).
Figure 7. Mobile device data acquisition techniques. Adapted from “Common Mobile Forensic Tools and Techniques” by INFOSEC (2018). http://resources.infosecinstitute.com/category/computerforensics/introduction/mobileforensics/common-mobile-forensics-tools-and-techniques/. Copyright 2018 by INFOSEC.
Micro read. The micro-read technique allows DFEs to view data on memory chips via high-power electron microscopes. Such a procedure is costly, time-consuming, and requires extensive knowledge of hardware and file systems. As of 2014, there was no forensic tool available for this procedure (Ayers, 2014).
Chip-off. The Chip-off technique allows the DFE to extract necessary data directly from the flash memory module. Once the memory chip has been removed from the mobile device, a binary image is then generated for analysis. This process is extremely costly and requires extensive knowledge of hardware. If an untrained DFE attempts to perform such a procedure, physical damage could occur rendering much-needed data unrecoverable (INFOSEC, 2018). Once the memory chip has been removed, specialized forensic tools and a chip reader can be used to extract the memory’s contents. The DFE must have extensive knowledge of hardware and software to perform such a procedure (Digital Forensics CORP, 2018). Figure 8 depicts the
Chip-off technique that can be used for data acquisition, along with the various chip readers that are used to extract necessary data from the memory chip (Digital Forensics CORP, 2018).
Figure 8. Displays the Chip-Off technique for data acquisition in mobile forensics. Adapted from “Chip-Off Technique in Mobile Forensics” by Digital Forensics CORP (2018). https://www.digitalforensics.com/blog/chip-off-technique-in-mobile-forensics/. Copyright 2012 by Digital Forensic CORP.
Hex dumping/JTAG. The hex dump or JTAG technique involves the physical extraction of data from the mobile device. Once the device is connected to a forensic workstation, forensic tools such as the Cellebrite UFED Analyzer, XACT, and Pandora’s Box can be used to create a raw image of the device’s memory. This procedure is cost-efficient and can recover deleted files and unallocated space. The DFE must have extensive knowledge of hardware and software to perform such a procedure (INFOSEC, 2018). Figure 9 depicts a JTAG mobile device connection that can be used to recover data from a mobile device’s memory chip (Binary Intelligence, 2012).
Figure 9. JTAG Mobile Device Connection. Adapted from “JTAG Forensics” by Binary Intelligence (2012). http://www.binaryintel.com/services/jtag-chip-off-forensics/jtag-forensics/. Copyright 2012 by Binary Intelligence.
Logical extraction. With logical extraction, the mobile device is once again connected to the forensic workstation via Bluetooth, infrared, or USB. Once connected, forensic tools such as XRY Logical, Oxygen Forensic Suite, and Cellebrite UFED can be used to collect data directly from the mobile device’s memory chip. The DFE must have extensive knowledge of hardware, software, and input-output interfaces to perform such a procedure (INFOSEC, 2018). Figure 10 depicts logical and physical data acquisition using Cellebrite Touch Forensic Hardware and supported input-output interfaces (Cellebrite, 2018).
Figure 10. Logical and physical mobile data acquisition using Cellebrite Touch Forensic Hardware and supported input-output interfaces. Adapted from “Cellebrite Mobile Data Secured” by Cellebrite (2018). http://www.cits.co.za/cellebrite. Copyright 2018 by Cellebrite.
Manual extraction. With manual extraction, DFEs can access data via the device’s touchscreen or touchpad. Such a process requires extensive photography to properly document all steps performed. Forensic tools such as Project-A-Phone, Fernico ZRT, and EDEC Eclipse can be used to access necessary data. This procedure is very time-consuming and carries a high probability of human error. As such, an unskilled examiner could accidentally delete or modify original data (INFOSEC, 2018).
Common Risks
In the field of mobile forensics, an examiner’s skill set should frequently be assessed to maintain competency in any assigned duties. In doing so, DFEs will increase their chance of keeping pace with emerging technologies (SWGDE, 2010). As mobile technology constantly evolves, additional training is often required to stay current with the latest mobile technology, data acquisition methodology, and analytic capabilities. However, due to budget constraints, the lack of available resources makes it difficult to maintain proficiency in the field (Moser, 2013). Assigning various duties to an unskilled examiner can be risky for any investigation (Mahalik, 2014). A few of the most common risks are explained in detail below.
Damaging or altering evidence. Digital evidence is extremely fragile and can be altered, damaged, or destroyed via improper handling. As such, the careful selection of forensic tools and strategies can make or break an investigation (Garrie, 2014). The DFE must be able to establish an effective workstation of tools and strategies based on performance and relevance. A best practice approach will ensure proper data acquisition, valid analysis, accurate data interpretation, and increase the chance of a successful investigation (NIST, 2018). A best practice approach ensures that evidence is obtained in a forensically sound manner and will remain useful in a court of law (Grobler and Solms, 2008). The improper selection of forensic
tools and strategies could result in the altering or destruction of original evidence (Saleem et al., 2016).
Failure to examine evidence thoroughly. Today’s mobile devices often contain massive amounts of data, and in some cases, the investigation can involve the utilization of multiple forensic tools, and several mobile devices. In many examinations, a considerable amount of valuable information is often overlooked due to the lack of training and the costs associated with the appropriate acquisition and analysis of data from mobile devices (CISION, 2018). A successful investigation relies heavily on the ability of the DFE to identify evidentiary data properly. Therefore, the weight of relevant data determines the outcome of many investigations (Imwinkelried and Davis, 2018).
Inaccurate reporting. At the close of the examination, DFEs must make sense of any relevant findings (Weigel, 2013). Due to the complexity of the mobile forensic process, a thorough forensic report is required to help the court understand what was found or not found during the examination. Additionally, the report should present any related tools and methodologies that were utilized to reach a conclusion. Above all, the forensic report should contain a precise chain of custody to ensure proper evidence handling throughout the investigation (TERA Consulting, 2013). Figure 11 depicts a chain of custody form that is required to document the handling of evidence throughout the entire investigation.
Figure 11. Laboratory evidence chain of custody form that should accompany all evidence related to the mobile forensic investigation. Adapted from “Case Closed: What Really Happened During the 2001 Anthrax Attack?” by Lew Weinstein (2018). https://caseclosedbylewweinstein.wordpress.com/. Copyright 2018 by WordPress.com.
A chain of custody documents the handling of evidence from the time the evidence was acquired to the time the evidence is presented in court (SART, 2011). When a forensic report fails to document all associated tools and methodologies, or fails to replicate all findings within the examination, the report will hold very little credibility in a court of law (NIST, 2018). Furthermore, DFEs must report all findings in a simplistic manner so that all participants can interpret the material being presented (SANS, 2010).
Reshaping Mobile Forensics
While the practice of mobile forensics is still in its infancy, a vast number of devices continue to emerge and the rise in criminal investigations has spiraled out of control (Dixon, 2011). Currently, there is a combined total of nearly eight billion mobile device and smartphone users operating on multiple networks worldwide. By the year 2020, the number of users will exceed
nine billion (Statista, 2018). As a result, the need for mobile forensics will continue to increase (Mahalik, 2016). Figure 12 depicts the projection of mobile device users from 2010 through 2020 (Statista, 2018).
Figure 12. Projection of mobile device users from 2010-2020. Adapted from “Number of smartphone users worldwide from 2010 to 2020 (in billions)” by Statista (2018). https://www.statista.com/statistics/218984/number-of-global-mobile-users-since-2010/. Copyright 2018 by Statista.
While traditional computer forensics may have paved the way for acceptable methods, processes, and a standardized approach for the acquisition of digital evidence, it remains obvious that the emergence of mobile devices has complicated the digital forensics process (Shah and Bansal, 2012). Given the diversity of mobile device technology, and the short release cycle of today’s mobile devices, all parties will continue to endure obstacles unless necessary changes are considered (Zareen, 2010). To reshape the mobile forensic field, new techniques and technologies must be developed and deployed (Moulin, 2013).
Some experts believe that most backlogs can be reduced by raising awareness, taking advantage of available grants and training opportunities, clear communication amongst all levels of law enforcement, and the appropriate distribution of responsibilities throughout the mobile forensic process (Griffith, 2015). In the past, many law enforcement agencies were either unaware of the impact that mobile devices had on criminal investigations, lacked the necessary resources to accommodate for advanced mobile forensic tools and training, or simply ignored the severity of the situation (Flory, 2016). According to Dees (2013), a retired police officer and the former editor of two major law enforcement websites, roughly 80 percent of the law enforcement agencies in the United States have 25 or fewer sworn officers, and within these agencies, they have one or two trained mobile forensic detectives. Many agencies lack the necessary resources and manpower to employ a digital forensics team. Therefore, unskilled investigators are unable to acquire much-needed data when a mobile device has been presented as evidence. Under these conditions, the agency has no choice but to pass the case along to larger agencies that possess ample resources and a lab that is equipped with a variety of tools and capabilities. By not addressing the problem in-house, such actions inevitably add to the massive backlog of cases (Flory, 2016).
Additional training and grant opportunities. In the past, few investigators possessed the technical knowledge to collect, preserve, and examine digital evidence directly from the field. Due to the growing backlog of cases, many law enforcement agencies now realize the true benefits of having trained investigators on hand for future investigations (PoliceGrantsHelp.com, 2018).
The goal of additional training is to equip investigators with the necessary skills to acquire enough evidence on-site to establish a fast lead and to prevent further crimes from happening while awaiting analysis from a local, state, or regional forensic lab (Griffith, 2015).
Federal Law Enforcement Training Centers (FLETC) offer free mobile forensic training to all local, state, federal, and international law enforcement agencies. Such a program was designed to equip investigators with the latest tools and strategies needed to complete a forensically sound, logical acquisition of digital evidence from today’s mobile devices. The FLETC program has formed a partnership with various agencies, both local and abroad, for advanced research, training, and the exchange of best practices to ensure that the most effective technologies and methodologies are accessible to all entities in the field (FLETC, 2018). Additional training will help to ensure that a proper chain of custody has been established and increase the chance of evidence standing up in a court of law. Furthermore, such efforts will ensure that evidence has been presented in a timely, valid, and accurate manner (DigitalIntelligence.com, 2018). Susteen SecureView is an organization that is driven to provide grant opportunities and training for all levels of law enforcement and first responders in the field. Millions of dollars in grant funding is available for training, communication equipment, computer hardware and software improvements, and the development of in-house mobile forensic laboratories. Grants are distributed annually, and the Susteen program will not discriminate due to agency size or jurisdiction (FirstResponderGrants, 2018). The combination of innovative tools and additional training can minimize the intense workload for many of today’s forensic labs and allow for much-needed time to carefully analyze the mass of data that awaits processing (PoliceGrantsHelp.com, 2018).
Advanced mobile forensic tools. According to Cellebrite (2018), a leader in mobile forensic solutions, the Universal Forensic Extraction Device (UFED) is one of the most commonly used tools in mobile forensics, both in the field and in the lab. Cellebrite claims that
the UFED offers support for nearly 95% of today’s mobile devices (MobileForensicsCentral, 2017). The Cellebrite UFED was designed to provide law enforcement investigators the necessary tools to conduct on-site preliminary data acquisition on a wide variety of mobile devices. Such a process allows for a specialized forensic skillset in the field, rather than being confined to the boundaries of a lab. Cellebrite offers an exclusive training program in which today’s investigators can gain a hands-on understanding of the UFED tool and data extraction process, as well as recognize the best practices for evidence collection and preservation (Cellebrite, 2017). Within the law enforcement and mobile forensic community, there is a critical need to ensure the reliability of any tools that are used for investigative purposes (NIST, 2018). As such, the NIST Computer Forensic Tool Testing (CFTT) program is responsible for the development of specifications and test methods for any presented mobile forensics tools. In July of 2016, the
Cellebrite UFED was extensively tested against an assortment of mobile devices whose operating systems included Apple’s iOS, Android, Brew MP, Blackberry, and Windows Mobile. According to a joint report released by NIST and the U.S. Department of Homeland Security (DHS) on July 11, 2016, the UFED tool had successfully identified the make, model, and operating system of all presented devices; however, there were variances in both the volume and type of data objects that had been recovered from each device. Additionally, much of the unrecovered data was directly related to the operating system’s file structure or the way data was stored. Such efforts suggested that the Cellebrite UFED was not a stand-alone solution for all mobile devices (DHS & NIST, 2016). Similar forensic tools are offered by AccessData, another leader in digital forensic solutions. According to AccessData, MPE+ and nFIELD are two powerful mobile forensic tools
that can perform data acquisition on nearly 10,000 mobile device models, regardless of operating system or hardware specifications. Furthermore, it is noted that MPE+ and nFIELD have a user-friendly Graphic User Interface (GUI) that can be utilized with little or no training required (AccessData, 2018). In December of 2016, AccessData MPE+ was also tested against an assortment of mobile devices with varying hardware and software specifications. According to a joint report released by the DHS and NIST on March 7, 2017, the AccessData MPE+ tool had successfully identified the make, model, and operating system of all presented devices; however, as with the Cellebrite UFED tool, there were variances in both the volume and type of data objects that had been recovered from each device. As such, multiple tools and strategies may be required for the acquisition of data from today’s complex mobile devices (BlueSheepDog, 2018). According to NIST (2018), many techniques can be used to gather forensic data from mobile devices. And while one approach may be cost-efficient and less intrusive, other strategies may be sophisticated and expensive. However, a multiple layer approach may be necessary to acquire much-needed data. While several advanced mobile forensic tools do exist, extensive training is often required to stay current with the latest mobile technology, data acquisition methodology, and analytic capabilities (Moser, 2013).
Standardizing the data acquisition process. With a standardized approach for the acquisition of data, it is probable that usable evidence can be obtained from all mobile devices in a forensically sound manner. The field of mobile forensics requires a standard methodology for recovering evidentiary data from a large variety of mobile devices. However, it may be necessary to acquire data on-site, the moment the device has been isolated and becomes accessible.
Some devices support remote wiping, and the device’s owner could obliterate any data that has been stored on the device before it reaches the lab for analysis. Furthermore, data
may no longer be available to an investigator once the device’s screen is locked, or if the battery depletes. Therefore, time is of the essence. A standard triage of tools and strategies can be utilized to preserve evidence that may otherwise be lost (Kessler and Mislan, 2010). A digital triage is an initial phase that establishes a set of forensic tools to quickly gather any relevant information that will help prepare for a forensic examination. Triage tools are only responsible for the collection of data, not for evaluation or analysis purposes (Jusas et al., 2017). On-scene triage inspections can be performed by non-technical investigators, and mobile forensic tools such as Cellebrite UFED and AccessData MPE+ can provide these investigators a simplified approach to gather data quickly in the field. Once the initial data acquisition process has been completed, the evidence can then be thoroughly examined by a trained DFE in the lab. However, in some instances, the initial inspection may recover enough evidentiary data to eliminate the need for a lab, thus reducing backlogs for future investigations. Proper training, established guidelines, and available mobile forensic tools can quickly recover much-needed data to further the overall investigation (Kessler and Mislan, 2010). With the proliferation of mobile-based evidence, the need for the timely identification, analysis, and interpretation of evidence is the key towards a successful investigation. As with traditional computer forensics, a Digital Field Triage (DFT) was designed to provide the knowledge, skills, and abilities for non-digital evidence specialists to conduct basic forensic activities. A DFT will ensure that evidence is rapidly obtained and readily available for initial trials. The Computer Forensics Field Triage Model (CFFTM) was proposed by Marcus Rogers et al. in 2006 and was proposed for any digital forensic methodology (Hitchcock et al., 2016).
Though an on-scene triage has many advantages, finding a controlled setting in which to work, and having the appropriate equipment to perform the acquisition of data, is not a common
occurrence. Fortunately, such conditions are readily available within an established forensic laboratory setting (NIST, 2013).
Summary
Mobile devices have become the norm for communication in today’s society. Whether for personal, business, educational, or illicit purposes, mobile devices tend to document many day-to-day transactions. Any relevant data that is collected can be used to support a criminal investigation (Immen, 2017). Due to advancements in mobile technology, many mobile devices have the potential to store an enormous amount of evidentiary data. The accumulation of data, combined with the lack of necessary tools and training to ensure admissibility of evidence, has added to the inevitable backlog of many criminal investigations (Hitchcock et al., 2016). Over the years, mobile forensic investigations have been hindered by a variety of obstacles including screen locks, encryption barriers, password authentication, biometric security enhancements, hardware and operating system barriers, and the inability to capture public domain social media content (Cellebrite, 2017). Together, the mobile forensic community and law enforcement must establish a unified approach to alleviate the overwhelming number of pending criminal investigations (AccessData, 2018).
Discussion of Findings
This research reviewed a significant number of sources which have helped to determine how the mobile device has contributed to the tremendous backlog in today’s criminal investigations. In addition, this research has addressed several factors which negatively impact the mobile forensic process. Lastly, this research supports the ongoing need for mobile forensics, and has discovered a possible solution for standardizing the acquisition of data from today’s mobile devices.
Unforeseen Challenges
The dawn of the mobile device has brought forth many unforeseen challenges for the field of digital forensics. When dealing with traditional computer forensics, long-established procedures exist for the acceptable recovery of data. As such, many known tools can easily acquire information from a wide variety of storage mediums. Subsequently, like tools can be used to replicate findings which helps to ensure the admissibility of evidence. With mobile forensics, many tools are device specific, and the acquisition of data often requires multiple tools or specialized hardware to gain access (BlueSheepDog, 2018). Given the diversity of mobile device technology, the limited number of forensic tools, and the lack of training, many DFEs continue to struggle when deciding on a suitable approach for the acquisition of data.
Lack of device standardization. One of the main challenges in the field of mobile forensics is the lack of device standardization (Barmpatsalou et al., 2013). Many of today’s mobile devices come equipped with a variety of hardware and software specifications. With traditional computer forensics, DFEs are properly trained to work with known operating systems, file systems, and many existing storage mediums. However, with mobile forensics, many DFEs have difficulty choosing an appropriate strategy when faced with many unfamiliar devices. The
careful selection of a tool or strategy relies heavily on the DFE’s ability to identify the mobile device and any related characteristics. However, the lack of training makes this task difficult. The lack of device standardization has triggered a demand for further education and advanced training throughout the mobile forensic community. Assigning various duties to an unskilled DFE can lead to the loss or damage of evidence, inefficient analysis, and ultimately an unsuccessful investigation. Mobile devices often contain massive amounts of data, and in some cases, an examination can involve several mobile devices. In many investigations, a considerable amount of information is often overlooked due to the lack of training. When determining the most suitable approach for the acquisition of data, the DFE must identify the make, model, operating system, file structure, storage capabilities, and any existing connectivity options. Due to varying device characteristics and the lack of necessary training, the loss or damage of evidence is likely.
The inevitable rise in mobile data. For many of today’s mobile devices, data is stored in the form of texts, emails, call logs, multimedia files, web histories, geolocation data, etc. When combined with the growing number of mobile devices and the rise of mobile apps, the amount of data to be acquired and analyzed has skyrocketed. While many individuals have taken advantage of mobile devices for communication, entertainment, and productivity purposes, some individuals engage in illicit activity. Many activities, including the daily use of mobile apps, leave traces of information that can help to paint a clear picture of a suspect’s everyday transactions. Gaining access to this information is essential to many ongoing investigations. Unlike traditional computer forensics, DFEs are often unsure how and where to look for mobile device data.
In failing to identify the many locations in which evidentiary data can reside, much-needed evidence could slide by unrecovered and thus unanalyzed.
Security measures. Many of today’s mobile devices come equipped with various security enhancements that shield much of the contents. In many instances, multiple layers of authentication create challenges for the investigation. While user authentication is necessary to protect personal information, such measures limit visibility into the device and reduce the chance of obtaining evidentiary data. Traditional passwords, device unlock codes, biometrics, and proprietary encryption, make data acquisition time-consuming and near impossible without the help of hardware vendors or device manufacturers. Due to the protection of trade secrets and user privacy, most vendors and manufacturers are reluctant to intervene in many investigations. Currently, it is not mandatory that manufacturers grant law enforcement the ability to intercept necessary data from a mobile device. Therefore, DFEs must use any acceptable means available to perform necessary data extraction.
Overall competency and the admissibility of evidence. As previously mentioned, the admissibility of evidence relies heavily on the DFE’s ability to implement an acceptable methodology for the acquisition of data. Due to the limited number of mobile forensic tools and strategies, DFEs must be aware of current procedures and comprehend both the capabilities and limitations of any available approach. Digital evidence is extremely fragile and can be altered, damaged, or destroyed via improper handling. For the sake of the investigation, ample resources should be allocated for continuing education and training purposes. If resources are limited, all participants should take advantage of free training or grant programs that are readily available to all levels of law enforcement. Throughout the field of mobile forensics, there are various agencies that either sponsor or coordinate free mobile forensic training to all local, state, and international law enforcement agencies.
Many of these grants are distributed annually, and do not discriminate due to agency
size or jurisdiction. The goal of these programs is to ensure that all agencies and affiliates possess the necessary tools and strategies to perform a forensically sound and logical acquisition of digital evidence from any encountered device. In the past, few investigators were equipped to handle digital evidence. As a result, larger state or federal agencies became responsible for the workload. Due to the current backlog of cases, many law enforcement agencies now realize the benefits of having their own mobile forensic team. In the field of mobile forensics, extensive training is often required to maintain competency in all assigned duties. Due to rapid advancements in mobile technology, DFEs must remain aware of all emerging mobile devices and become familiar with any data acquisition techniques that are readily available. Such efforts will increase the chance of producing admissible evidence.
Standardized Approach for the Acquisition of Data
For many years, the computer forensic process has followed various guidelines which have been set forth by the United States DOJ and NIST. Such guidelines support a standardized approach for how data should be recovered from an acquired storage device. Once the storage device has been processed, it can then be sent to the lab for a complete examination. In a controlled laboratory environment, many DFEs are extensively trained to use a large repository of forensic tools and strategies. Such methodologies have been tested for accuracy and approved to carry out the forensic examination. Prior to the examination, a preservation copy of the entire storage device can be saved to an external device for safe keeping. Subsequently, a working copy can be made to perform necessary data extraction and analysis. As a result, the original evidence is less likely to be altered or lost in the process. Over the years, DFEs have grown accustomed to this approach, and it remains suitable for many cases.
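The preservation-copy and working-copy step described above, and the chain of custody record discussed earlier in the paper, can both be checked mechanically. The following Python sketch is an added example, not part of the original paper or of any tool it names; the use of SHA-256, the log field names, and the sample image bytes, names, and times are assumptions constructed for illustration.

```python
import hashlib
import io
import json

GENESIS = "0" * 64  # prev_hash value used by the first entry in a log


def hash_stream(stream, chunk_size=1 << 20):
    """SHA-256 of a file-like object, read in chunks so a large image never sits in RAM."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()


def _entry_hash(entry):
    """Hash every field except the entry's own hash, serialized in a fixed key order."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def add_entry(log, when, released_by, received_by, action, image_sha256):
    """Append one custody transfer, linked to the hash of the previous entry."""
    entry = {
        "when": when,                    # ISO 8601 UTC, so string order is time order
        "released_by": released_by,
        "received_by": received_by,
        "action": action,
        "image_sha256": image_sha256,    # hash of the copy at the moment of transfer
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = _entry_hash(entry)
    log.append(entry)
    return entry


def verify_log(log, acquisition_sha256):
    """Return a list of problems; an empty list means the record is consistent."""
    problems = []
    prev_hash, prev_holder, prev_when = GENESIS, None, ""
    for i, e in enumerate(log, start=1):
        if e["prev_hash"] != prev_hash or e["entry_hash"] != _entry_hash(e):
            problems.append(f"entry {i}: record altered or out of sequence")
        if prev_holder is not None and e["released_by"] != prev_holder:
            problems.append(f"entry {i}: custody gap, item was held by {prev_holder} "
                            f"but released by {e['released_by']}")
        if e["when"] < prev_when:
            problems.append(f"entry {i}: timestamp earlier than previous entry")
        if e["image_sha256"] != acquisition_sha256:
            problems.append(f"entry {i}: image hash differs from acquisition hash")
        prev_hash, prev_holder, prev_when = e["entry_hash"], e["received_by"], e["when"]
    return problems


def demo():
    # Constructed stand-in for a raw device image (not real evidence).
    preservation = b"constructed raw image bytes " * 4096
    acquisition = hash_stream(io.BytesIO(preservation))
    working = bytes(preservation)  # working copy made for analysis
    working_hash = hash_stream(io.BytesIO(working))

    log = []
    add_entry(log, "2018-03-01T14:05:00Z", "Scene (seizure)", "Officer A",
              "device seized and imaged on-site", acquisition)
    add_entry(log, "2018-03-01T17:40:00Z", "Officer A", "Evidence Room",
              "preservation copy stored", acquisition)
    add_entry(log, "2018-03-02T09:15:00Z", "Evidence Room", "Examiner B",
              "working copy issued", working_hash)

    # Failure 1: someone who never received the item appears as the releaser.
    gap_log = [dict(e) for e in log]
    add_entry(gap_log, "2018-03-05T08:00:00Z", "Detective C", "Court",
              "transported for trial", acquisition)

    # Failure 2: the working copy was modified during analysis.
    altered = bytearray(working)
    altered[100] ^= 0xFF
    alt_log = [dict(e) for e in log]
    add_entry(alt_log, "2018-03-03T16:30:00Z", "Examiner B", "Evidence Room",
              "working copy returned", hash_stream(io.BytesIO(bytes(altered))))

    # Failure 3: an earlier entry is edited after the fact.
    edit_log = [dict(e) for e in log]
    edit_log[1]["when"] = "2018-03-01T15:00:00Z"

    return {
        "clean": verify_log(log, acquisition),
        "gap": verify_log(gap_log, acquisition),
        "altered_image": verify_log(alt_log, acquisition),
        "edited": verify_log(edit_log, acquisition),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Because each entry is protected only by the entries that follow it, the hash of the final entry should be copied into the forensic report so that the last line of the log can be checked as well.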
With the introduction of the mobile device, past methodologies are inapplicable. Therefore, new techniques and technologies must be developed and deployed to address the growing number of mobile devices. When dealing with mobile devices, a standardized approach for the acquisition of data would require innovative tools, extensive training, and the equal distribution of duties throughout the mobile forensic process. Unlike traditional computer forensics, most mobile device data is stored within a solid-state memory chip. Due to the widespread use of mobile apps and the way individuals carry out day-to-day online activities, internal storage constantly changes (Bennett, 2011). With traditional storage devices, many deleted files leave remnants that can be reconstructed to produce usable evidence. However, mobile operating systems periodically remove fragments to prepare for new data. This process makes the recovery of deleted information near impossible. Therefore, the best practices require rapid assessment, proper handling, and preservation to prevent the permanent loss of data (IRIS LLC, 2016). Due to the volatile nature of mobile device storage, valuable data could be lost during transport to the lab. Therefore, it is crucial that these contents be recovered on-scene at the time of seizure. On many occasions, non-technical law enforcement investigators are the first responders to the scene of the crime. Due to the lack of training, potential evidence is often damaged or lost via improper handling. As a result, it would seem logical to establish a preliminary triage of acceptable tools and strategies that could grant first responders the knowledge and skill to quickly gather much-needed information prior to the examination. Many software developers will tailor a desired triage tool to meet the needs of any agency or department. 
Additionally, free training may be available upon purchase to guide the first responder through the data acquisition process, and to ensure that the tool is pushed to its
maximum potential. Any data that is collected on-site can be used to establish a case early on. Establishing a fast lead will grant DFEs more time to conduct a thorough examination of the mobile device once it has reached the lab. Data must be gathered and presented in a timely and acceptable manner to ensure the admissibility of evidence. Fortunately, an initial triage inspection could recover enough data to eliminate the need for a lab, thus saving valuable time and reducing backlogs for future investigations. Within the law enforcement and mobile forensic community, there is a critical need to ensure the reliability of any tools that are used for investigative purposes. The NIST CFTT program is responsible for the development of specifications and test methods for any available mobile forensic tool (NIST, 2018). With traditional computer forensics, numerous tools are available to extract much of the data that resides on a storage device. Additionally, like tools can be used to replicate findings. However, with mobile forensics, no one tool exists to address all eventualities. While many software developers claim to have a universal solution for the acquisition of data, recent studies by the DOJ and NIST have determined that many mobile forensic tools produce varying results. Therefore, it is up to the mobile forensic community and law enforcement to decide on a suitable approach for each mobile device that has been acquired.

Summary
Since the dawn of digital forensics, law enforcement has relied heavily on digital forensic labs for the recovery of relevant data and the presentation of admissible evidence. Efficient tools and a standardized approach allow for the acceptable recovery of data from a large variety of storage devices. However, the introduction of the mobile device has created many unforeseen challenges for the digital forensic process.
Many of these challenges tend to revolve around the lack of device standardization, the increased use of authentication and security mechanisms, the
inability to perform assigned duties, and the lack of a standardized approach for the recovery of mobile device data. Advanced mobile forensic tools, extensive training, and the equal distribution of duties are all necessary to establish a standardized approach for the mobile forensic process. However, to accomplish this task, both the mobile forensic community and law enforcement must assume their roles and face the future of mobile forensics as a team.
Recommendations
It is inevitable that many mobile forensic labs experience delays when expected to handle a majority of the workload associated with mobile forensic investigations. A unified approach allows for a richer depth of investigation resulting in more convictions (Forensicmag, 2018). It is essential that the mobile forensic community and all levels of law enforcement form a partnership to address the future of mobile forensics. Collaborative analysis, the pooling of resources, and the exchange of best practices will make certain that the most effective technologies and methodologies are accessible to all participants in the field (FLETC, 2018). Such efforts will also help to ensure that evidence has been obtained in a timely, valid, and accurate manner, all of which are required when presenting findings to a court of law (DigitalIntelligence.com, 2018).

The Pooling of Resources
Due to the rising number of crimes that involve mobile devices, many law enforcement investigators often get caught in the middle of a mobile crime scene. Unfortunately, many agencies lack the necessary resources and manpower to employ a mobile forensics team. Under these conditions, they have no choice but to pass the case along to larger agencies with ample resources and greater technical capabilities (Dees, 2013). It is highly inappropriate for one agency to ignore the severity of the situation by simply passing the workload on to another. However, it is acceptable for an agency to reach out and acquire the necessary tools and training that they alone cannot provide their team. The pooling of resources will help to ensure that more agencies have access to mobile forensic tools and a wider spectrum of state-of-the-art technologies. Such efforts are necessary to perform data acquisition and analysis appropriately (BlueSheepDog, 2018).

Collaborative Analysis and the Equal Distribution of Duties
Much of the backlog in today’s criminal investigations is due in part to the uncontrollable rise in digital evidence and the overwhelming responsibility placed on DFEs within the nation’s mobile forensic labs (Knaap, 2013). Interprofessional collaboration and the equal distribution of duties must be enforced to maintain an efficient mobile forensic process and reduce the number of backlogs (Griffith, 2015). A joint effort will ensure all participating agencies will be able to achieve better results in less time (Hitchcock et al., 2016). In many investigations, law enforcement investigators are the first responders. On-site data acquisition can allow for the categorization of evidence in order of relevancy. Such efforts help to reduce the DFE’s workload and ensure a smooth and efficient workflow throughout the investigation (PoliceGrantsHelp.com, 2018). On-site triage software grants investigators the ability to filter out any mobile devices that lack evidentiary data. Additionally, an average investigator can extract a large volume of information in a short amount of time (Jusas et al., 2017). Many triage tools can break down an enormous amount of data into manageable chunks. Subsequently, the investigators can then collaborate by passing on key evidence to various DFEs and subject matter experts who can provide a deeper analysis to a court of law. As the number of mobile devices continues to rise and the volume of evidentiary data increases, it remains clear that traditional approaches are obsolete.

The Sharing of Best Practices
For the field of mobile forensics, a best practice approach begins at the scene of the crime. As previously mentioned, unskilled law enforcement investigators are often the first responders. A first responder must be trained to properly handle any mobile device that is encountered in the field. Any data that is present on the device must be preserved at the time of
seizure. Depending on the current state of the mobile device, the investigator may need to establish an on-scene triage for immediate data extraction. Prior to performing the acquisition of data, the investigator must be able to categorize potential evidence by relevancy and specify what will be collected when acquiring a search warrant. The investigator must remember to properly document any tools or strategies that were used throughout the entire procedure. Close communication with a trained DFE or subject matter expert could help to ensure that the most effective technologies and methodologies were accessible during the preliminary stages of the investigation. As a result, the sharing of best practices will help to ensure the admissibility of evidence, and ultimately a successful investigation (Morgan, 2015).

Recommendations for Future Research
Although an on-scene triage can help to quickly recover much-needed data, and reduce the massive workload assigned to mobile forensic labs, the lack of device standardization will continue to pose a problem when establishing a set of on-scene data acquisition tools. Regardless of whether training is provided for the first responder, no one tool exists to acquire data from all devices. Therefore, future research should focus on any tool or set of tools that can maximize the recovery of data and help to ensure the admissibility of evidence. Such a task may require extensive collaboration between the mobile forensic community, law enforcement, software developers, and device manufacturers. Device manufacturers may need to allow for the early release of upcoming devices to make certain that any suggested tools can perform as expected.

Summary
Both the mobile forensic community and law enforcement lack the resources, manpower, training, and tools to handle the growing number of mobile devices properly. While trained
DFEs should be focusing on a deeper analysis of presented evidence, many continue to perform basic evidence gathering, which has contributed to an enormous backlog of cases. Due to the rising number of investigations that involve mobile devices, law enforcement investigators are often the first to arrive at the scene. Rather than passing the workload along to an overwhelmed lab, an on-scene triage could grant non-technical investigators the ability to gather necessary evidence prior to the examination. Once the preliminary acquisition of data has been performed, collaborative analysis amongst multiple labs will provide better results in less time. Most importantly, a collaborative effort will help to ensure that all participants have access to the tools and technologies needed to carry out a successful investigation. To properly address the future of mobile forensics, a unified approach must be established.
Conclusion
We live in an age where people rely heavily on mobile devices to carry out day-to-day transactions. While some individuals take advantage of mobile technology for business, education, and entertainment purposes, others often engage in illicit activity. Due to the proliferation of mobile devices and the rise in criminal activity, the mobile device has become the center of many investigations. Since the dawn of computer forensics, DFEs have been responsible for the recovery and analysis of evidentiary data. Over the years, many successful examinations have involved standard storage devices and a few recognized operating systems. To reduce the loss or damage of evidentiary data, and ensure the admissibility of evidence, the DOJ and NIST have set forth a standardized approach for the acceptable recovery of digital evidence. A large repository of known forensic tools and strategies has been tested and approved for many forensic examinations. However, when faced with today’s complex mobile devices, past methodologies have been rendered obsolete. Many of today’s mobile devices come equipped with a wide variety of unknown hardware and software specifications. Additionally, the limited number of available tools are device specific and require extensive training to harness their true potential. Due to the lack of device standardization, necessary training, and the availability of forensic tools, DFEs struggle to acquire and analyze mobile data properly. As a result, a tremendous backlog of investigations has occurred. To make matters worse, many mobile devices contain multiple layers of user authentication and proprietary data encryption. Traditional passwords, device unlock codes, biometrics, and proprietary encryption make data acquisition time-consuming and near impossible without the help of hardware vendors or device manufacturers. Due to the protection
of trade secrets and individual privacy, many manufacturers are reluctant to intervene with the investigation. As a result, security enhancements often reduce the chance of obtaining evidentiary data needed to establish a case. In the past, few law enforcement investigators have had the technical knowledge to collect, preserve, and examine digital evidence. Therefore, many agencies had no choice but to pass the workload along to an overwhelmed lab with greater capabilities. Due to the growing backlog of cases, many law enforcement agencies now realize the true benefits of having their own mobile forensic team. Unfortunately, many agencies lack the necessary resources to meet these demands. If resources are limited, agencies should take advantage of free training or grant programs that are readily available to all levels of law enforcement. The goal of these programs is to ensure that all participants possess the necessary tools and strategies to properly handle digital evidence and perform the acquisition of data when necessary. On many occasions, law enforcement investigators are the first responders to the crime scene. Due to the volatile nature of mobile device storage, the acquisition of data may need to be performed on-site, and at the time of seizure. Establishing an on-site triage or workstation of tools could grant non-technical responders the ability to filter out any mobile devices that lack evidentiary data. Such efforts could help to reduce the DFEs’ workload and allow them more time to focus on deeper analysis to present to the courts. Close communication with a trained DFE could help to ensure that the most effective technologies and methodologies were accessible during the initial acquisition of data. Advanced mobile forensic tools, extensive training, and the equal distribution of duties are all necessary to establish a standardized approach for the mobile forensic process. However, to accomplish this task, both the mobile
forensic community and law enforcement must assume their roles and face the future of mobile forensics as a team.
References
AccessData (2018). MPE+ and nFIELD. Retrieved on 2/26/18, from https://accessdata.com/products-services/mobile-solutions
Ademu, I., Imafidon, C., Preston, D. (2011). A new approach of digital forensic model for digital forensic investigation. International Journal of Advanced Computer Science and Applications. Vol. 2, No.12, 175-178.
Analysis and Comparisons (2018). Differences between data masking and data obfuscation. Retrieved on 2/25/18, from http://www.differencebetween.info/difference-between-datamasking-and-data-obfuscation
AppBrain (2018). Number of android applications. Retrieved on 2/18/18, from https://www.appbrain.com/stats/number-of-android-apps
Azadegan, S., Yu, H., Sistani, M. (2012). Novel anti-forensics approaches for smartphones. 45th Hawaii International Conference on System Sciences. 5424-5431.
Ayers, R., Brothers, S., Janson, W. (2014). Guidelines on mobile device forensics. NIST Special Publication, Issue 800-101, May 2014, 25-32.
Barmpatsalou, K. (2013). A Critical Review of Seven Years of Mobile Device Forensics. Article from the University of Aegean. doi: 10.1016/j.diin.2013.10.003, 2-70.
Bennett, D. (2011). The challenges facing computer forensics investigators in obtaining information from mobile devices for use in criminal investigations. Retrieved on 2/13/2018, from https://articles.forensicfocus.com/2011/08/22/the-challenges-facingcomputer-forensics-investigators-in-obtaining-information-from-mobile-devices-for-usein-criminal-investigations/
Binary Intelligence (2012). Cell phone forensics. Retrieved on 2/18/18, from http://www.binaryintel.com/services/cell_phone_forensics/
Bollo, J. (2017). Mobile forensics must keep up with the times. Retrieved on 2/10/18, from https://www.forensicmag.com/article/2017/06/mobile-forensics-must-keep-times
BlueSheepDog (2018). The Demand for Mobile Forensics Continues to Grow. Retrieved on 2/4/18, from http://www.bluesheepdog.com/mobile-orensics/
Cellebrite (2017). UFED Ultimate and UFED InField. Product release notes version 6.4, August 2017, 1-12.
Cisco (2016). The rise of mobile: 11.6 billion mobile-connected devices by 2020. Retrieved on 2/10/18, from http://mobilefuture.org/the-rise-of-mobile-11-6-billion-mobile-connecteddevices-by-2020/
Cisco (2017). IP traffic shoots up to 3 zettabytes by 2021. Retrieved on 2/20/18, from https://techcrunch.com/2017/06/08/cisco-ip-traffic-shoots-up-to-3-zettabytes-by-2021video-will-be-80-of-it/
CISION (2018). Mobile devices are important sources of digital evidence that can no longer be overlooked. Retrieved on 2/22/18, from http://www.prweb.com/releases/2012/9/prweb9879859.htm
Commvault (2018). Data encryption. Retrieved on 2/20/18, from http://documentation.commvault.com/commvault/release_9_0_0/books_online_1/english_us/feature_support/feature_support.htm?var1=http://documentation.commvault.com/commvault/release_9_0_0/books_online_1/english_us/features/data_encryption/data_encryption_faq.htm
Connect.com (2018). Operating system market share October 2014. Retrieved on 3/5/18, from https://connectwww.com/operating-system-market-share-october-2014/3723/
DataDestructionInc (2018). Hard drive data wiping. Retrieved on 2/25/18, from https://www.datadestruction.com/hard-drive-data-wiping/
Dees, T. (2013). Computer forensics on a small department budget. Retrieved on 3/10/18, from https://www.policeone.com/csi-forensics/articles/6452741-Computer-forensics-on-asmall-department-budget/
Dehaviland, O. (2015). Prevalent challenges in mobile phone forensics. Retrieved on 2/1/18, from http://www.dataforensics.org/challenges-in-mobile-phone-forensics/
DHS & NIST (2016). UFED Touch: Test results for mobile device data acquisition tool. U.S. Department of Homeland Security (DHS) and the National Institute of Standards and Technology (NIST), 15-24.
DigitalIntelligence.com (2018). Cellebrite 5-day mobile examination. Retrieved on 2/16/18, from https://www.digitalintelligence.com/training/cellebrite.php
Dixon, E. (2011). Mobile phone investigations: Best practices. Retrieved on 2/27/18, from https://www.forensicmag.com/article/2011/03/mobile-phone-investigations-best-practices
Donovan, F. (2017). Encryption: securing sensitive data in changing corporate environments. Retrieved on 2/20/18, from https://www.esecurityplanet.com/networksecurity/encryption.html
DRS (2018). What is volatile data? Retrieved on 2/16/18, from http://www.computerforensicsspecialists.co.uk/blog/what-is-volatile-data
Duggal, P. (2014). Mobile law. Retrieved on 2/25/18, from https://pavanduggalonmobilelaw.wordpress.com/
Dujardin, P. (2015). Law enforcement worries about beefed-up phone encryption. Retrieved on 2/10/18, from http://www.dailypress.com/news/crime/dp-nws-phone-encryption20150412-story.html
Duke Law (2018). Forensically sound procedures. Retrieved on 2/12/18, from https://www.edrm.net/glossary/forensically-sound-procedures/
eForensics (2017). Mobile phone forensics challenges. Retrieved on 2/8/18, from https://eforensicsmag.com/mobile-phone-forensic-challenges/
eMarketer (2017). How to collect forensic evidence in a mobile world. Retrieved on 2/18/18, from https://www.guidancesoftware.com/blog/digital-forensics/2017/08/23/how-tocollect-forensic-evidence-in-a-mobile-world
Facebook (2018). Emergency Disclosure Form. For Law Enforcement Use Only. Version 0510. Retrieved on 4/1/18, from https://www.facebook.com/records/login/
FirstResponderGrants (2018). Susteen SecureView Grant Opportunities. Retrieved on 3/10/18, from https://firstrespondergrants.com/about/
FLETC (2018). Mobile device investigation program. Retrieved on 2/17/18, from https://www.fletc.gov/training-program/mobile-device-investigations-program
Flory, T. (2016). Digital forensics in law enforcement: A needs-based analysis. Purdue University. Journal of Digital Forensics Security and Law. Volume 11, Number 1, Article 4, 7-38.
FORENSICON (2018). What is forensic hard drive imaging? Retrieved on 2/15/18, from https://www.forensicon.com/resources/articles/what-is-forensic-hard-drive-imaging/
Forensic Focus (2018). Forensic copy versus forensic image. Retrieved on 2/20/18, from http://www.forensicfocus.com/Forums/viewtopic/t=1588/
Garrie, D. B. (2014). Digital forensic evidence in the courtroom: Understanding content and quality. Northwestern Journal of Technology and Intellectual Property. Volume 12, Issue 2.
Gillware (2017). Why mobile forensics? Retrieved on 2/4/18, from https://www.gillware.com/forensics/mobile/
Goodison, R., Davis, S., Jackson, B. (2015). Digital evidence and the US Criminal Justice System. National Institute of Justice Publication.
Griffith, D. (2015). Mobile forensics in transition. Retrieved on 2/25/18, from http://www.policemag.com/channel/technology/articles/2015/02/mobile-forensics-intransition.aspx
Grobler, MM and Solms, SH (2008). A best practice approach to live forensic acquisition. Council for Scientific and Industrial Research. South Africa. January, 2008.
Guglielmo, C. (2014). Mobile devices will continue to rise as smart devices take over the world. Retrieved on 2/19/18, from https://www.forbes.com/sites/connieguglielmo/2014/02/05/mobile-traffic-will-continueto-rise-rise-rise-as-smart-devices-take-over-the-world/#5fc00d6d28a5
Hitchcock, B., Nhien, K., Scanlon, M. (2016). Tiered forensic methodology model for digital field triage by non-digital evidence specialists. Proceedings of the Third Annual DFRWS Europe. ELSEVIER. 2016, 575-585.
Immen, W. (2017). Mobile workers are the new norm. Retrieved on 2/28/18, from https://www.theglobeandmail.com/report-on-business/careers/the-future-of-work/mobileworkers-are-the-new-norm/article8295535/
IACP Summit Report (2016). Data privacy and public safety: A law enforcement perspective on the challenges of gathering electronic evidence. IACP Summit Report, 2016.
Imwinkelried, E., Davis, UC. (2018). Mobile forensics: examining the evidence. Retrieved on 3/5/18, from http://www.forensicbasics.org/?page_id=505
INFOSEC (2018). Computer forensics: mobile device hardware and operating system forensics. Retrieved on 2/18/108, from http://resources.infosecinstitute.com/category/computerforensics/introduction/mobileforensics/mobile-device-hardware-and-operating-system-forensics/
IRIS LLC (2016). Mobile device forensics. Information Retrieval Investigative Services. Digital Evidence Toolbox. Version 1, December, 2016.
Irons, A., Lallie, H. (2014). Digital forensics to intelligent forensics. Future Internet 2014, 6, 584-596; doi:10.3390/fi6030584.
Jusas, V., Birvinskas, V., Gahramanov, E. (2017). Methods and tools of digital triage in forensic context: survey and future directions. Symmetry MDPI. March 28, 2017.
Kessler, G., Mislan, R. (2010). The growing need for on-scene triage of mobile devices. Elsevier Science Direct Journal. Version 6, 113-124.
Knaap, N. (2013). Backlog in digital forensics: is justice being done? Retrieved on 3/25/18, from http://leidenlawblog.nl/articles/backlog-in-digital-forensics-is-justice-being-done
Latronix (2018). Encryption and its importance to device networking. Latronix Inc. Rev.020905, 2-13.
Lillis, D., Becker, B., O’Sullivan, T., Scanlon, N. (2016). Current challenges and future research areas for digital forensic investigations. Annual ADFSL Conference on Digital Forensics, Security and Law, 9-20.
MacGibbon, A. (2013). Computer crime is on the rise. Retrieved on 2/20/18, from http://theconversation.com/computer-crime-is-on-the-rise-20908
Mahalik, H. (2014). Achieving advanced smartphone and mobile device forensics. Retrieved on 2/5/18, from https://www.forensicmag.com/article/2014/02/achieving-advancedsmartphone-and-mobile-device-forensics
Mahalik, H. (2016). Practical Mobile Forensics 2nd Edition. PACKT Publishing. Birmingham-Mumbai. 2016.
MarketWired (2015). Mobile forensics solutions for the lab and field. Retrieved on 2/27/18, from https://finance.yahoo.com/news/cellebrite-introduces-suite-ufed-mobile130000047.html
McMillan, J. (2013). Investigating the increase in mobile phone evidence in criminal activities. 46th Hawaii International Conference on System Sciences. January 7-10, 2013.
Merriam-Webster (2018). Standard operating procedure. Retrieved on 2/27/18, from https://www.merriam-webster.com/dictionary/standard%20operating%20procedure
MobileForensicsCentral (2017). Cellebrite UFED. Retrieved on 2/26/18, from http://www.mobileforensicscentral.com/mfc/products/cellebrite.asp?pg=d&pid=&prid=355&return=undefined
Morgan, B. (2015). Ensuring admissibility of evidence in court. The Federal Lawyer. March, 2015, 66-69.
Moser, S. (2013). Confirmation bias: The pitfall of forensic science. Research Journal of Justice Studies and Forensic Science. Issue 1 Volume 1, Spring 2013, 71-81.
Moulin, J. (2013). Creating a mobile digital forensics lab. Retrieved on 3/10/18, from https://www.joshmoulin.com/creating-a-mobile-digital-forensics-lab/
National Institute of Justice (NIJ) (2018). Digital evidence and forensics. Retrieved on 2/10/18, from https://www.nij.gov/topics/forensics/evidence/digital/Pages/welcome.aspx
NIST (2018). Mobile security and forensics. Retrieved on 2/18/18, from https://csrc.nist.gov/projects/mobile-security-and-forensics/mobile-devices
PCMag (2018). Readers’ choice awards: smartphones and carriers. Retrieved on 3/5/18, from https://www.pcmag.com/article/342878/readers-choice-awards-2016-smartphones-andcarriers
Pendleton, A. (2013). Admissibility of electronic evidence: A new evidentiary frontier. Retrieved on 1/23/18, from http://mnbenchbar.com/2013/10/admissibility-of-electronicevidence/
Petraityte, M. (2017). Mobile phone forensics: an investigative framework based on user impulsivity and secure collaboration errors. Contemporary Digital Forensic Investigations of Cloud and Mobile Applications, ELSEVIER, Chapter 6, 78-89.
PoliceGrantsHelp.com (2018). Grant assistance resources from Cellebrite. Retrieved on 2/169/18, from https://www.policegrantshelp.com/Cellebrite-Grant-Assistance/program/
Purcell, K. (2010). The rise of apps culture. Pew Internet and American Life Project. September 15, 2-46.
Romanov, Alex (2012). Mobile Convergence and Digital Dominance. iSign Media Corporation. Annual Report. September, 2012, 2-71.
Reiber, L. (2014). Are digital investigations keeping up with advancements in mobile? Retrieved on 2/3/18, from http://securitymiddleeast.com/2014/08/19/are-digitalinvestigations-keeping-up-with-advancements-in-mobile/
Rouse, M. (2014). Forensic image. Retrieved on 2/20/18, from http://whatis.techtarget.com/definition/forensic-image
RSA Conference (2016). 2016: The current state of cybercrime. RSA Whitepaper Report. Retrieved on 4/1/18, from https://www.rsa.com/
Sai, D., Prasad, N., Dekka, S. (2015). The forensic process: the analysis of the mobile device. International Journal of Computer Science and Information Technologies, Vol. 6, 48474850.
Saleem, S., Popov, O., Baggili, I. (2016). A method and a case study for the selection of the best available tool for mobile device forensics using decision analysis. Retrieved on 2/21/18, from https://www.sciencedirect.com/science/article/pii/S1742287616300020
SANS (2010). Introduction to report writing. Retrieved on 2/24/18, from https://digitalforensics.sans.org/blog/2010/08/25/intro-report-writing-digital-forensics/
SART (2011). Chain of custody. Retrieved on 2/22/18, from https://ovc.ncjrs.gov/sartkit/develop/issues-coc.html
Shah, V., Bansal, P. (2012). An improved mobile forensics model. International Journal of Computer Science and Information Technology & Security. Volume 2 No. 4, August 2012, 78-159.
Spalevik, Z., Bjelejac, Z., Caric, M. (2013). The importance and the role in forensics of mobile. FAKTA University Article. Volume 25. August, 2012, 121-136.
Sparkes, M. (2014). Is this finally the end to the landline phone? Retrieved on 3/4/18, from https://www.telegraph.co.uk/technology/news/11179482/Is-this-finally-the-end-for-thelandline-phone.html
Statista (2017). Number of available apps in leading apps stores as of March 2017. Retrieved on 2/18/18, from https://www.statista.com/statistics/276623/number-of-apps-available-inleading-app-stores/
Sule, D. (2014). Importance of forensic readiness. ISACA Journal. Volume 1, 2014.
SWGDE (2010). Minimum requirements for quality assurance in the processing of digital and multimedia evidence. Scientific Working Group on Digital Evidence. Article Version 1. May 15, 2010, 1-13.
SWGDE (2010). SWGDE/SWGIT guidelines & recommendations for training in digital & multimedia evidence. Scientific Working Groups on Digital Evidence and Imaging Technology Manual. Version 2, January 15, 2010, 1-18.
Tahiri, S. (2016). Mastering mobile forensics. PACKT Publishing. Birmingham-Mumbai. 2016.
Techopedia (2018). Data hiding. Retrieved on 2/25/18, from https://www.techopedia.com/definition/14738/data-hiding
Teel Technologies (2012). Mobile forensic central. Retrieved on 2/6/18, from https://www.mobileforensicscentral.com/mfc/products_software.asp?pid=
TERA Consulting (2013). Forensic reporting: how it works and why it is important. Retrieved on 2/22/18, from http://www.eteraconsulting.com/forensic-reporting-how-it-works-andwhy-is-it-important/
Tracksinspector (2018). Breaking the backlog of digital forensic evidence. Retrieved on 2/2/18, from https://tracksinspector.com/blog/breaking-the-backlog-of-digital-forensicevidence.html
Troutman, A. (2013). Mobile devices are increasing the threat of cybercrime. Retrieved on 2/10/18, from https://solutionsreview.com/mobile-device-management/mobile-devicesincreasing-the-threat-of-cyber-crime/
Ursell, D. (2014). Data on the move: the growing frontier of mobile forensics. Retrieved on 2/18/18, from https://www.packtpub.com/books/content/mobile-forensics-data-on-themove
Verdult, R (2015). The (in)security of proprietary cryptography. Retrieved on 2/18/18, from http://www.win.tue.nl/ipa/?event=the-insecurity-of-proprietary-cryptography
Waters, R. (2014). Continuing education in digital forensics. Retrieved on 2/10/18, from https://www.forensicmag.com/article/2014/03/continuing-education-digital-forensics
Weigel (2013). Forensic science and confessions that corrupt. Retrieved on 2/22/18, from https://journalistsresource.org/studies/government/criminal-justice/confessions-corruptevidence-cases
Wright, B. (2012). Social media and the changing roles of investigators. Retrieved on 2/18/18, from https://www.forensicmag.com/article/2012/12/social-media-and-changing-roleinvestigators
Yang, S., Choi, J., Kim, K., Bhatia, R., Saltaformaggio, B. (2017). Live acquisition of main memory data from android smartphones and smartwatches. Journal of Digital Investigations. 51-62.