A Review of Mobile Forensic Investigation Process Models

The Mobile Forensics (MF) field uses prescribed scientific approaches, with a focus on recovering Potential Digital Evidence (PDE) from mobile devices by leveraging forensic techniques. Increased proliferation, mobile-based services, and the need for new requirements have led to the development of the MF field, which has in the recent past become an area of importance. In this article, the authors review Mobile Forensics Investigation Process Models (MFIPMs) as a step towards uncovering the MF transitions as well as identifying open and future challenges. The review of the literature revealed that there are a few MFIPMs that are designed for solving certain mobile scenarios, with a variety of concepts, investigation processes, activities, and tasks. A total of 100 MFIPMs were reviewed, to present an inclusive and up-to-date background of MFIPMs. This study also proposes a Harmonized Mobile Forensic Investigation Process Model (HMFIPM) to unify and structure the redundant investigation processes of the MF field. The paper also discusses the state of the art of mobile forensic tools and open and future challenges from a generic standpoint. The results of this study are directly relevant to forensic practitioners and researchers, who could leverage the comprehensiveness of the developed processes for investigation.
