Digital forensic procedure typically involves steps such as “pulling the plug”, acquiring data from static media, and analysing and correlating the data to retrieve relevant evidence in a forensically sound manner. This forensic investigation procedure prevents further interference with potential evidence, is reliable and is hence acceptable to law enforcement agencies during crime investigations involving computer systems.
When evidence is stored (or is being transferred) off-site, or a communication session discussing criminal activities is ongoing, the “pull the plug” approach may not be appropriate. As static storage media increase in size, so does the amount of acquired data and potential evidence that requires processing. A live analysis of the current state of the system and its applications is therefore necessary to allow a more efficient forensic investigation process.
Techniques to protect the privacy of users and the confidentiality of user data, such as encryption and password protection, have also indirectly provided counter-forensic means to technologically aware criminals. Conventional forensic methods are therefore no longer adequate, and in recent years more research effort has been directed at live memory forensic analysis of computer systems to complement or enhance these conventional methods.
In mobile device forensics, live memory forensics has an even more important role to play. Mobile phones are an example: they are becoming increasingly prevalent and are evolving into “smarter” devices (i.e. smartphones with higher processing power and enhanced features), so the capability to perform in-depth forensics on such devices becomes essential.
However, current mobile phone forensics is still restricted to the research and analysis of static data on the subscriber identity module (SIM), memory cards and the internal flash memory. The constraint on storage capacity implies that exceedingly large amounts of potential evidence need not be analysed. However, because of this limited storage, volatile information such as application data, Internet browsing data and instant messaging conversation histories is often not stored on non-volatile storage media. This is unlike computer systems, which allow the caching and backup of a large amount of data (e.g. Microsoft Network (MSN) chat history).
For computer systems, an example is found in “Advances in Digital Forensics IV, IFIP International Federation for Information Processing, Springer, 285:129-138, August 2008”, which discloses the use of a forensic tool, “AccessData Forensic Toolkit”, to examine artifacts recoverable from non-volatile memory when web-based IM services are executed on a Windows XP system. While evidence of forensic value (such as screen name and estimated time of conversation) could be retrieved, very limited chat logs were recoverable. Parameters such as the message length and the human response time during chatting, which could affect the experimental results, were not defined. Evidence acquisition without knowledge of the message contents was also not discussed.
Returning to mobile phones, since their function is to support communications, there is a need to be able to perform forensic analysis on their interactive applications.
While mobile phone forensic tools exist (such as “TULP 2G”, “MOBILedit! Forensic”, “Cell Seizure” and “Oxygen Phone Manager”) that may be used on “Nokia” mobile phones, they have been found unable to extract certain information from the phones. For instance, MD5 hash information was not found using “MOBILedit!”, while SHA1 hash information was not found using “Cell Seizure”.