In this section, we describe in detail our MFIPF, shown in Figure 2. The stages of the framework (Data Preparation, Information Analysis, Case Construction, and Case Closing) are explained along with the detailed steps of each phase.
Figure 2: The Proposed Forensics Investigation Process Framework (MFIPF)
3.1. Data Preparation
The data preparation phase aims to generate a processed dataset that is technically usable in the analysis phase. In this phase, four steps are carried out to guarantee that the acquired data is gathered systematically and legally. The four steps shown in Figure 2 are described below:
3.1.1 Resource seizure: In this step, the mobile device is seized in a way that guarantees that the device will not be modified and that no connection to the device is possible. To achieve this, the following process is followed [36]: (i) issuance of a search warrant from the legal representatives; (ii) turning off all wireless communications and putting the mobile device in Airplane Mode; (iii) shielding the mobile device in a Faraday bag that prevents any external signal from reaching the device; and (iv) documenting these steps and sending the mobile device to the digital forensics lab for investigation.
3.1.2 Resource identification: Once the mobile device arrives at the digital forensics lab, the resource identification process is carried out. The process aims to identify the mobile device under investigation and to choose the suitable tools for the data extraction phase. A description of the mobile device is recorded here, including the model and type, its physical status (whether the device is broken), and its logical status (whether the device is on or off, and whether it is functioning). Based on this information, the investigator can determine the tools required for the data extraction process. This process should be formally documented [37].
3.1.3 Data extraction: This is a critical process in which data is extracted from the mobile device; the extracted data is then used in later stages to extract evidence. The information gathered in the identification phase determines the data extraction method to be used. These methods include:
- Manual data extraction: Here the investigator manually navigates the mobile device to search for the required evidence; documentation of this process is essential and may be done by video recording the screen of the mobile device during navigation [37]. It is important that the investigator respects the boundaries of the search warrant and never explores data that is not covered by it. This process requires that the investigator can access the device, i.e., has the password or pattern. It is worth mentioning that manual data extraction affects the integrity of the files, so the investigator should precisely document the steps taken and the findings.
- Logical extraction: With this method, the investigator generates a copy of the file system that can later be used to extract data with tools designed for this purpose. This copy enables the investigator to view the same data that would be obtained by manual extraction [38]. However, this method does not affect the integrity of the files on the mobile device: the investigator works only on the copy of the files, and the original device is kept safely in an evidence container.
- Physical extraction: In this method, a raw image of the mobile device's memory is generated in binary format; the output is a bitwise copy of the device's memory [39]. This copy includes all system files and can also be used to retrieve some deleted files. However, generating this copy usually requires rooting the device, which affects the integrity of the evidence, so the investigator has to document the details of this step. The generated copy can then be used to retrieve system files as well as some deleted files using dedicated data analysis tools.
It is worth noting that the aforementioned methods can be applied only when the mobile device is functional, i.e., not broken; they do not work for broken or malfunctioning devices. In such cases other methods might be used, such as chip-off, in which the memory chip of the mobile device is physically removed and attached to a memory reader or a similar device, and the data is then extracted [40]. This method requires a high level of skill in electronic device maintenance and may destroy the chip if it is not removed or attached correctly. Another extremely hard method, used only in very rare cases such as national security, is called micro-read, where an electron microscope is used to read the contents of the memory at the gate level [41]. This method is very expensive and time-consuming but might be used to extract some data from broken devices.
3.1.4 Data preprocessing: In this process, the characteristics of the mobile device's operating system are studied, and the data is categorized by application to pinpoint potential evidence. Classification techniques are used here to group data based on file system analysis and system log analysis. The output of this process is a well-prepared dataset that can be used in the analysis stage to extract evidence. The preprocessing step might also include converting the data into a file format that is compatible with the mobile forensics tools used in the analysis phase [42].
3.2 Information analysis
In the analysis phase, evidence is extracted by formally interpreting the information generated by the previous phase (data extraction). The investigator should follow standards and best practices in the field of forensic analysis so that the evidence remains intact and the results are reproducible and acceptable. For a robust mobile forensic analysis, the following steps are suggested:
3.2.1 Forensic Tools: The first step in the analysis is the selection of a forensic tool. The selection depends on many factors, including cost, user interface, the familiarity of the examiner, computing platform and environment, and legal status, i.e., whether the tool is legally approved or not [43]. A list of mobile forensics analysis tools and their properties is provided in Table 1.
Typically, the examiner may use different tools to generate different information and events; it is also possible to use different tools to generate the same event, to make sure that the event is reproducible and to prove its validity [44]. Therefore, an examiner should be familiar with different tools to conduct the analysis successfully.
3.2.2 Information examination: After selecting the appropriate tool(s), the examiner feeds the preprocessed data into the tool and performs a variety of tests and processing tasks on the data. The processing aims to generate events from the evidence file. Many events may be generated from the same or multiple tools. These events are then stored and fed to the next step, evidence validation [45].
Events on a mobile device may be found in different locations depending on the information the examiner is trying to find. Some events may be found in SMS and call logs; others in saved pictures or emails. Some complex events require retrieving deleted files using special tools, while other events require the use of different tools and the gathering of information to reconstruct the event. The selection of the tool and the process depends on the examiner, and skilled personnel are required to perform the task successfully [41].
3.2.3 Evidence validation: According to [46], validation is the process of proving the validity of the evidence to a jury. The process implies proving acceptable error rates as well as using scientifically proven valid data, applications, and results. The validation process is applied to all stages in mobile forensics and covers data collection and storage, system, application, user, and algorithm applicability validation.
A very important issue related to validation is the use of, and adherence to, standards and best practices developed for this purpose. Many countries have developed standards for digital and mobile forensics through dedicated institutions, such as NIST in the United States. In addition, some well-known digital forensics developers have proposed best practices that are proven to generate valid evidence with an acceptable error rate [47]. The examiner must follow these standards and verify the validity of the evidence throughout the investigation process.
3.2.4 Evidence correlation: Correlation involves the ability to extract the semantics from different sources, such as SMS, social media messaging, and emails, and to generate a knowledge base that clearly shows the correlation among the generated events. Domain and application ontologies might be used to correlate different events into a knowledge base [48].
Event correlation and reconstruction might be carried out using different techniques and technologies, including rule-based, semantic models, tree/graph-based, timestamp-based, finite state machines, and live event construction [49]. Such techniques aim to construct valid evidence from different sources of events with an acceptable error rate. The output of this stage is used as input for the next phase, case construction.
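As an added illustration of the timestamp-based correlation technique listed above (example code written for this section, not part of the original paper or of any tool it cites): events exported from three constructed sources are normalised to UTC, merged into one timeline, and grouped into clusters that fall within a configurable time window. The source names, row layouts and the 300-second default window are assumptions.

```python
# Added example (not from the paper): timestamp-based event correlation.
# Records exported by different tools (SMS, call log, email) are normalised to
# UTC, merged into one timeline, and clustered by a time window.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Event:
    source: str        # "sms", "call_log" or "email"
    ts: datetime       # normalised to UTC
    actor: str         # phone number or address involved in the event
    summary: str

# Constructed sample rows, mimicking tool exports with differing timestamp
# conventions: epoch seconds (SMS), epoch milliseconds (call log), ISO text (email).
SMS_ROWS = [("+15550001", 1700000000, "inbound", "see you at 9"),
            ("+15550001", 1700000060, "outbound", "ok on my way"),
            ("+15550002", 1700086400, "inbound", "call me")]
CALL_ROWS = [("+15550001", 1700000120000, "outgoing", 45)]
EMAIL_ROWS = [("bob@example.com", "2023-11-14T22:15:00Z", "Re: meeting")]

def to_utc(value):
    """Normalise epoch seconds, epoch milliseconds or ISO-8601 text to UTC."""
    if isinstance(value, str):
        return datetime.fromisoformat(value.replace("Z", "+00:00"))
    secs = value / 1000 if value > 10**11 else value   # ms values are ~1e12
    return datetime.fromtimestamp(secs, tz=timezone.utc)

def build_timeline():
    """Merge all sources into one list of Events ordered by time."""
    events = [Event("sms", to_utc(t), n, f"{d} sms: {b}") for n, t, d, b in SMS_ROWS]
    events += [Event("call_log", to_utc(t), n, f"{d} call, {s}s") for n, t, d, s in CALL_ROWS]
    events += [Event("email", to_utc(t), a, f"email: {s}") for a, t, s in EMAIL_ROWS]
    return sorted(events, key=lambda e: e.ts)

def correlate(timeline, window_seconds=300):
    """Group consecutive events separated by no more than window_seconds."""
    clusters = []
    for ev in timeline:
        if clusters and ev.ts - clusters[-1][-1].ts <= timedelta(seconds=window_seconds):
            clusters[-1].append(ev)
        else:
            clusters.append([ev])
    return clusters

def sources_in(cluster):
    """Distinct sources in a cluster; more than one hints at a cross-source event."""
    return sorted({e.source for e in cluster})
```

A cluster that mixes sources (here SMS, email and call log within minutes of each other) is the kind of candidate event the examiner would then validate against the original evidence files.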
3.3. Case Construction
The output of the second stage (information analysis) is fed as input to the case construction stage, which takes the evidence list to prepare results and move towards closing the case. Four steps are necessary in the process of case construction: results analysis, results examination, results reporting, and results dissemination. In what follows, a detailed explanation is provided for each step.
3.3.1 Results analysis: In this step, examiners must analyze all the technical findings extracted from the information analysis phase consistently and clearly. When analyzing the results, examiners can divide the analysis into sequential logical parts under multiple headings and comment on the results as they are described to ease the decision-making process; the results can be supported by figures, tables, and equations to enrich the findings. In addition, the conclusion of the results must be kept very brief, aggregating the findings in robust paragraphs [50].
During the process of validating the results of a mobile forensic scene, several methods can be used to verify the validity of the results, such as calculating the hash value with two different forensics tools, or revisiting the various steps using the same tool to obtain the digital evidence and recalculating the hash value to validate the results. At some point, the results generated in the experimental and validation stages must be repeatable. Any variable that might affect the outcome of the validation should be determined after several test runs. However, some cases require more runs to generate valid results; in addition, examiners need to use the literature to assess the validity of the results [51].
3.3.2 Results reporting: The most fruitful result of the forensic process is the documentation of the findings. Once completed, investigators can use the report in a number of ways, including (i) sharing the results with other investigators and decision-makers for use in making decisions, (ii) communicating facts that may support the investigation of other cases, (iii) offering a clear justification for gathering more digital evidence, and (iv) using the report to evaluate the specific case. The final report must be written by digital examiners taking into account all conditions and guidelines established by national law. To ensure that the report complies with the law, they must first independently review it. Any divergent opinions are eventually examined for flaws to bolster the assertions.
In general, there is no set format or structure for reporting the findings, but any final report must include at least the following data: jurisdiction, the nature of the case, the court's document format and the reason ID, a calendar of all depositions (timestamps), the deponent's name and ID, and other details such as the time and date the case was created, the phone's physical condition, the phone's status (on or off), mobile manufacturer information, pictures of each accessory and of the phone itself, the tools used in the investigation, and any additional data added during the examination. Many forensics reporting tools provide ways to automatically annotate evidence fragments and generate reports according to the examiner's configuration. These tools enable the examiner to perform sub-functions such as tagging, bookmarking, log reports, or even report generation. The report relies on solid documentation, photos, notes, and tool-generated content. The examiner should then check the report and edit the configuration if necessary [52].
3.3.3 Results dissemination: This step describes the procedure the examiner uses to communicate the findings from the analysis phase to policy-makers. The major goal is to provide action reports for each detected artifact and its analysis. The investigator's defensive strategy and any potential implementation difficulties can also be included in the presentation phase. In an iterative approach, the results from this phase might be used to conduct additional acquisitions. As a result, each process produces more analytical artifacts, which are then provided as feedback to other processes. For lengthy criminal investigations, this iterative feedback procedure may go through numerous iterations.
This step might help other investigators working on similar cases to proceed with their cases accordingly, or to criticize the case, and hence further steps might be required to be performed for the disseminated case [53].
3.4. Case Closing
Case closing is the last stage in the mobile forensics investigation process framework (MFIPF); it comprises three main steps to ensure the successful termination of the process model: case closing, making the legal decision, and case archiving. Understanding how to close and archive the case is also crucial for performing a targeted analysis of the data for future updates. It is important that the digital examiner has good knowledge of how to store and collect similar cases, which might help in case examination.
3.4.1 Legal decision: The constructed case should finally be put in its legal context; here, the final legal decision should be a judicial determination of all parties' rights and obligations reached by a court based on facts and law. A decision can mean either the act of delivering a court's order or the text of the court's opinion on the case and the accompanying court after the case is completed. Since every user owns his/her data and digital device, forensic examiners face ethical and legal issues in accessing and collecting the required information [54].
3.4.2 Review: The final step in the lifecycle is to review the case to identify successful decisions and actions and to determine how system performance should be improved in terms of time and accuracy. Critiquing the case, self-evaluation, and peer review are essential parts of professional growth. Investigators must keep the OS and digital forensics tools current so that everything remains consistent. This necessitates updating the OS frequently, installing all new system updates and patches, and regularly checking the tools' websites for new updates or patches [55].
3.4.3 Case archiving: When work on a case is completed and immediate access to it is no longer necessary, the case can be archived. This step aims at closing the case after its resolution. Digital forensics case archiving includes the storage of the electronic copies of the evidence as well as the case report, the generated artifacts, and the documentation of all stages of the case. The aim of case archiving is to enable examiners to review the procedures carried out and reuse them in similar cases. The case archive should enable the examiner to reconstruct the case from scratch based on the available copies of the case evidence, which will help if the case is legally re-opened [56]. Many tools that enable ease of use and retrieval of cases might be used in case archiving; some of these tools are presented in Section 4.