1. AN ANALYSIS OF CHALLENGES ENCOUNTERED WHEN PERFORMING MOBILE
FORENSICS ON EMERGING MOBILE DEVICE TECHNOLOGIES
by
Raymond Gonzales
A Capstone Project Submitted to the Faculty of
Utica College
December 2015
in Partial Fulfillment of the Requirements for the Degree of
Master of Science in
Cybersecurity

2. ii
© Copyright 2015 by Raymond G. Gonzales Jr.
All Rights Reserved

3. iii
Abstract
The purpose of this capstone project was to research the challenges encountered when
performing mobile forensics on emerging mobile device technologies. This study includes an in-
depth look at the data stored within a mobile device, the challenges an investigator faces when
performing mobile forensics on a mobile device, and the need for valid mobile forensic practices
when handling emerging mobile device technologies. This research was designed to help
identify the importance of mobile forensics in modern day investigations; and to provide an
understanding of how modern forensic challenges affect a mobile forensic investigations.
Mobile forensic investigations provide examiners with detailed information and evidence that
can assist with the apprehension of criminals and other malicious individuals. A review of
mobile forensic publications on the handling of emerging mobile device technologies was non-
existent. The only material and research available on the topic of mobile forensics would be
considered out dated by mobile forensic standards. This lack of research on the topic, only
further acknowledges the dire need for current and relevant research on how to perform mobile
forensics on emerging mobile device technologies. A collaborative effort between
manufacturers and the forensics community is the recommended plan in order to address the
various challenges facing the field of mobile forensics. The collaborative effort can provide up
to date research, technology standards, and forensic guidelines that can assist investigators with
their mobile forensic investigations. Keywords: Cybersecurity, identity modules, mobile device
isolation, data storage, anti-forensics, mobile device security.

4. iv
Acknowledgements
This capstone project was made possible because of the immense amount of support that
was provided to me by various people. First and foremost, I would like to thank my partner in
crime, Kristin Hunt. If it were not for her patience and understanding this would have been a
long and lonely journey. For the better part of a year and a half, Kristin has stood by my side
while I was here and overseas supporting various efforts in Afghanistan. I do not know of many
people or women who would have gone and done what she did for me, and for that, I am
grateful.
I would also like to thank my computer and network forensic professors DeSarro,
McCandlish, and Wood for not only teaching the forensic classes, but for also taking the time to
talk and work with me in order to ensure that I was able to submit my forensic assignments in a
timely manner. To my capstone advisors, Professor Michael Sanchez and Robert DeCarlo, thank
you. Professor Sanchez, I feel that I got very lucky to have you as my primary capstone advisor
since we both have similar thought processes and OCD mentalities on how to approach
problems. Thank you for allowing me to discuss my ideas and concepts with you over the
phone, and for helping me find an appropriate scoped topic that was based on my overall interest.
Professor DeCarlo, thank you for your feedback and insight on various portions of my project.
The insight I received from the both of you was invaluable to me, and helped me to cultivate my
writing into a Masters level project.
A special thanks to my second reader Professor Paul Pantani who unselfishly agreed to
volunteer his time to be my subject matter expert. Finally, I would like to thank the entire Utica
College Staff. Each professor had a direct influence on me and my education, which culminated
in my ability to complete this capstone project.

5. v
Table of Contents
Introduction..................................................................................................................................... 1
Statement of the Problem............................................................................................................ 3
Research Questions..................................................................................................................... 6
Deficiencies in what we know.................................................................................................... 6
Defining the Audience ................................................................................................................ 9
Literature Review.......................................................................................................................... 10
Introduction............................................................................................................................... 10
Data Stored on Emerging Mobile Device Technologies .......................................................... 11
Challenges of Performing Mobile Forensics on Emerging Mobile Device Technologies ....... 16
Importance of Valid Mobile Forensic Practices in Mobile Forensic Investigations ................ 28
Discussion of the Findings............................................................................................................ 30
Major Findings.......................................................................................................................... 30
Digital Data Stored on Mobile Devices.................................................................................... 31
Theme One: Mobile Forensic Challenges................................................................................. 36
Theme Two: Importance of Valid Mobile Forensic Practices.................................................. 39
Comparison of the Findings...................................................................................................... 40
Limitations of the Study............................................................................................................ 41
Recommendations......................................................................................................................... 43
Recommendations for Research ............................................................................................... 43
Conclusion .................................................................................................................................... 47
References..................................................................................................................................... 49

6. 1
Introduction
Cutting-edge mobile device technologies such as smart phones, digital tablets, and smart
watches have become an integral part of people’s daily personal and professional lives. For
personal use, a majority of mobile device owners use their personal mobile devices to: follow
breaking news, share information about happenings in their local community, live-stream digital
media, and use mobile devices to help navigate the world around them. In professional settings,
mobile devices are used heavily in order to meet the high demands of the business world (Aouad,
2008). Mobile devices provide users with readily available access to information and allow
individuals to communicate with one another at any time, or anywhere around the world
(Bosomworth, 2015).
Mobile device technologies are ephemeral. As a result of this technological trend,
manufacturers have continually flooded the consumer market with a myriad of technology,
software, and security features for emerging mobile device technologies (DeGusta, 2012). The
advancements in mobile device technologies are driving the innovations and development of new
services in various areas of digital content. These innovations affect the product release cycles
and keep the evolution of mobile devices moving at a rapid rate, making mobile device
technologies fluid and dynamic (Groupe Speciale Mobile Association GSMA, 2006). Because
of this rapid evolution, and short development cycles of 1-2 years for market release, there is no
shortage of mobile devices for global consumers (Aman, 2011).
Digital forensic investigators face a continuous challenge of staying knowledgeable and
proficient in the handling of mobile device technologies that may be encountered during a
forensic investigation. Due to the rapid evolution of mobile device technologies, the forensics
community is facing an ongoing challenge of providing current mobile forensics research that

7. 2
can assist forensic investigators with the handling of emerging mobile device technologies. In
today’s technologically advanced society, there is a heavy reliance on mobile device
technologies in order to perform various daily activities. Globally the average person owns
approximately two or three mobile devices and uses them in a variety of ways throughout the day
(Kamboj & Lippert, 2013). No other digital technology has had the same impact that mobile
devices have had on today’s society. The capabilities of mobile devices have directly influenced
how we as a society interact with one another and our surrounding environments. Mobile device
technologies have also greatly influenced how professionals in various fields conduct business
on an everyday basis. By understanding this global trend of dependence on mobile device
technologies, the forensic community can foresee the need for research to develop proper
forensic practices relating to emerging mobile device technologies. Understanding how to
handle mobile device technologies properly during mobile forensic investigations will ensure
that the digital evidence collected during an investigation will be performed in a forensically
sound manner (Mahalik, 2014).
Mobile device forensics has become a necessity in today’s forensic investigations.
Mobile device technologies are being used every day in a variety of ways in order to store and
transmit various types of data. Individuals with malicious intent can exploit the mobile device’s
technology and capabilities in order to perform a variety of malicious acts and criminal activities.
Criminals can use mobile devices in order to carry out various cybercrimes such as data theft,
fraud, money laundering, various child sex offences, stalking, or the mobile device can be used
in order to coordinate other various criminal activities (Australian Crime Commission, n.d.).

8. 3
Statement of the Problem
Over the years, the capabilities of mobile device technologies have progressed at an
accelerated rate. Due to the rapid evolution of mobile device technologies, mobile devices now
have the capability to perform tasks that were once reserved for personal computers (Campbell,
2015). Because of these advancements, mobile devices have now become more frequently
associated with target, tool, and incidental cybercrimes.
Target cybercrimes are crimes where a mobile device or mobile network is the target of
an attack. Mobile devices can be physically stolen from an unsuspecting individual, due to their
small and compact nature; or mobile devices can be accessed by an unauthorized individual
through malware (CyberTrend, 2015). The primary goal of a target cybercrime is to infiltrate the
target device or mobile network by using various techniques and malicious attacks in order to
gain unauthorized access. Once unauthorized access is gained by a criminal, the criminal has
various options on how to attack the device or the network. The criminal may choose to steal or
destroy the information stored within the memory of the device; or the criminal may choose to
disrupt and disable services used by the device or network (Ruggiero & Foote, 2011).
Mobile malware is malicious software that has been specifically created to target and
exploit the vulnerabilities of a mobile device system. Mobile malware can find its way onto
mobile devices through downloaded applications, exposed security vulnerabilities, or by clicking
on ostensibly trusted links (McAfee, n.d.). Ransomware is an example of a particular form of
malware that disables and encrypts the infected user’s data and digital device. Ransomware
extorts money from the user in order to regain access to both the data and the mobile device.
Currently there is a version of ransomware that goes by the name of CryptoWall that has been
infecting mobile devices that are running the Android operating system (OS). According to the

9. 4
FBI (2015), “A fairly new ransomware variant has been making the rounds lately; called
CryptoWall (and CryptoWall 2.0, its newer version). This virus encrypts files on a computer’s
hard drive and any external or shared drives to which the computer has access” (para 5).
Tool cybercrimes are crimes where a computer, cell phone, or any other electronic device
is used as a tool in order to commit a crime. Mobile devices can be used as a tool in a variety of
ways in order to perform various malicious activities. Mobile devices can be utilized by
individuals to perform various acts of stalking, child abuse, or exploitation (United Nations,
2015). Mobile devices with their various capabilities also possess the capability to be exploited
in order to gain unauthorized access to networks and other digital devices.
According to Pettersson (2012), the latest trend by cybercriminals is to gain employee
login credentials by using spam and phishing emails, keystroke loggers and remote
access trojans. Such attacks were seen in September 2012, when the Bank of America
and Wells Fargo were among those struck. (pg. 2)
A criminal using a mobile device as a tool can send malware and perform various cyber-attacks
from the mobile device in order to attempt to gain access into restricted digital devices. Once
infected with malware a criminal can gain unlimited unauthorized access to a digital device’s
databases and connected networks. By having the capability to manipulate a system’s analytical
processes, a criminal can perform various actions that can help facilitate a cybercrime (Sanger &
Perlroth, 2015).
Incidental cybercrimes are crimes where a mobile device does not play a primary role in
the commission of a crime but is related to a criminal act. The use of a mobile device can
provide the criminal with the capability to coordinate various criminal activities and/or store
information relating to various criminal activities. According to McEwen (2010), “Mobile

10. 5
phones can be viewed as tools used by both drug dealers (including higher level wholesalers and
distributors and lower level sellers) and buyers to coordinate trans-action logistics” (p. 6).
As the capabilities of mobile devices evolve, so does the potential for the exploitation of
their capabilities for various malicious and criminal purposes. Cyber criminals and other
malicious individuals will always develop new methods and techniques in order to exploit the
capabilities of new technologies in order to maximize their opportunities and minimize their risk
when performing criminal or malicious acts. These individuals use mobile devices on a regular
basis in order to communicate, organize, and widen their spectrum for various criminal and
malicious activities (Savona & Mignone, 2004). Due to the frequent usage of mobile devices for
various activities, mobile devices can possess troves of data that corresponds to the usage of the
mobile devices for various activities. Location data associated with calls, Wi-Fi networks, geo-
tagged photos and various mobile application data that are stored within a mobile device can be
retrieved and examined by an investigator during a forensics investigation. Deleted user
messages and deleted Internet browsing history data files can be extracted and retrieved from a
mobile device by an examiner, as long as the deleted data has not been overwritten by new data
on the mobile device (Ayers, Brothers, & Jansen, 2014).
The data extracted and analyzed from a mobile device during a mobile forensics
investigation can provide an examiner with useful information and evidence that can assist with
an ongoing investigation. The extracted and analyzed location data from the user’s mobile
device can help associate the user to a specific location within a given window of time.
Extracted and analyzed messages and Internet browsing information can provide insight about
the user’s behavior and conversations regarding possible questionable behavior (Digital
Forensics Magazine, 2014). All various data extracted from the mobile device can provide an

11. 6
investigator with the necessary details in order to create a detailed profile on the user. The
analyzed data can provide important information that can help piece together motives, events,
and possibly provide new leads within the investigation.
Research Questions
The purpose of this study is to analyze the forensic challenges of performing mobile
forensics on emerging mobile device technologies. This research intended to answer the
following questions:
Q1: What type of data and evidence can be found from emerging mobile device
technologies?
Q2: What are some of the challenges an examiner may face when attempting to extract
and retrieve data in a forensically sound manner on new mobile device technologies?
Q3: Why valid mobile forensic practices are needed when dealing with emerging mobile
device technologies?
Deficiencies in what we know
Mobile forensics is a constantly evolving branch of digital forensics that is filled with
new and various challenges that are created by the rapid evolution and development of mobile
device technologies. The process of performing mobile forensics on a mobile device can prove
to be a bit more challenging than performing traditional computer forensics. This is primarily
due to the volatile nature of the data stored within a mobile device and the various mobile device
configurations that can be encountered during an investigation. Due to the challenges of
supporting the constant flow of new mobile device technologies there is no one-size-fits-all
solution when attempting to perform mobile forensics on a mobile device.

12. 7
Forensic toolkits and applications used for mobile device forensics are relatively new.
Developers creating these tools are having a difficult time staying up to date with all of the
emerging technological advances for mobile device technology (Engler & Miller, 2013). During
a mobile forensics investigation, the examiner needs to perform a data extraction on the mobile
device in order to examine the stored data within the mobile device. Data extractions from
mobile devices are commonly classified by two approaches; the physical and logical approach
(Ayers, Brothers, & Jansen, 2014). A physical data extraction is a low-level approach that
utilizes special hardware equipment in order to retrieve data from the mobile device; versus the
logical approach that utilizes communication protocols within the phone in order to extract data.
Each data extraction method has its advantages and disadvantages when applying the technique
to a mobile device (Cellebrite, n.d.).
The advantage of the physical approach is that it allows the investigator to obtain the raw
data contents of the mobile device without jeopardizing the integrity of the data on the device.
The disadvantage of this process is that it is time-consuming and requires expensive and
sophisticated equipment. The advantage of using the logical data extraction approach is that the
examiner is able to obtain the mobile device data immediately in a humanly readable form. The
disadvantage to this approach is that the amount of data extracted from the mobile device is
much less than that of a physical extraction (Lessard & Kessler, 2010). It is important that the
toolkit developers and forensic investigators continuously develop and update their skills in order
to increase their understanding of the new emerging mobile device technologies.
Due to the fierce competiveness between mobile device developers to release the latest
emerging mobile device technology, the current market is saturated with various types of mobile
devices with varying configurations. The lack of leading-edge guidelines and standards for

13. 8
mobile device developers creates an ongoing challenge for forensic investigators (Jackson,
2012). When system designers and manufacturers create new mobile device technologies, the
manufacturers adhere to a deploy-first and secure later type of mentality (Federal Trade
Commission, 2013; Murphy, n.d.). When forensic investigators encounter a mobile device
during an investigation, implementing forensically sound forensic techniques on a new mobile
device can be challenging due to the various new capabilities and security features employed by
the mobile device.
Forensic investigators and software tool developers alike are facing the challenge of
keeping up to date with recent mobile device technologies and their new software releases. Due
to the lack of standard guidelines for emerging mobile device technologies, an examiner may
have to use a variety of forensic tools on a single device in order to perform mobile forensics on
a mobile device. As a result of this, forensic tool developers are creating new forensic tools for
mobile devices that are missing the full functionality in order to perform mobile forensics on a
wide range of systems and devices (Bennett, 2011).
In order to begin mitigating these challenges, the digital forensic community needs to
play a central role in the evolving Information Technology (IT) space, rather than continually
catching up with the industry and the new technologies being introduced by manufacturers.
With the help of the forensic community, technology standards and guidelines can be created and
adopted by mobile device technology manufacturers. Having these standards and guidelines in
place can help ensure that a universal solution for creating fully functional forensic toolkits and
sound forensic practices for emerging mobile device technologies can be deployed during mobile
forensic investigations (Wood, 2014).

14. 9
Defining the Audience
By exploring and understanding the various challenges forensic investigators face when
attempting to perform a data extraction on an emerging mobile device technology; any
investigator facing similar difficulties can use this information in order to help mitigate their
issues as much as possible. The intended audience for this research ranges from scholars within
the field of digital forensics, forensic examiners, and any forensic response team members that
may be handling an investigation where a mobile device may be encountered. Forensic
investigators at all levels and disciplines can benefit from this information regarding the
challenges faced on a case-by-case basis when attempting to perform data extraction from an
emerging mobile device technology.

15. 10
Literature Review
Introduction
The author proposes to explore the various challenges associated with performing mobile
forensics on new emerging mobile device technologies. Mobile device forensics is the science
of recovering digital evidence from a mobile device under forensically sound conditions using
forensically accepted methods. Currently, there is a lack of research, protocols, standards, and
fully functional forensic tools that are readily available to assist mobile forensic examiners with
their mobile forensic investigations. The foundation of the author’s research project is to provide
understanding about what data is stored within mobile devices, what challenges forensic
examiners face when performing mobile forensics on emerging mobile device technologies, and
the importance and necessity for valid mobile forensic practices when dealing with emerging
mobile device technologies.

16. 11
Data Stored on Emerging Mobile Device Technologies
In today’s society, the use of mobile device technology has now exceeded the use of
computer technology as a resource for communicating with individuals or accessing information
(Mahalik, 2014). Mobile device technology has come a long way since the inception of the
original cell phone device. Emerging mobile device technologies have permanently changed
how members of society interact and communicate with one another on a personal and
professional level (Smith, 2012). Individuals personally and professionally utilize the various
capabilities of their mobile devices, outside of their calling capabilities, in order to send or
receive text messages, access the Internet, send or receive emails, download various mobile
applications, listen to music, receive directions, and access other location based information
(Duggan, 2013).
Approximately, two-thirds of Americans today now own a personal mobile device.
People use the mobile device’s capabilities to access various on-line services and to stay
connected with the world around them (Smith, 2015). Individuals utilize the capabilities of
mobile devices in order to access information that can contribute to their overall growth and
education at a personal and professional level (Naismith, Lonsdale, Vavoula, & Sharples, 2004).
Due to the personal nature of mobile devices, data extractions from mobile devices can provide
an examiner with troves of information that can provide useful insight and information during a
forensics investigation (Rosenthal & Pate, 2015).
RAM and non-volatile memory. Similar to personal computers (PCs), mobile devices
utilize both Random Access Memory (RAM) and Non-Volatile Memory (NVM) in order to
perform various actions. RAM is a very fast, but volatile memory that allows the mobile device
to run complex software and multiple applications simultaneously. When a mobile device is

17. 12
powered off, all RAM data is lost (GSMArena, n.d.). NVM has the capability to hold saved data
such as SMS, call records, pictures, and videos, even if the power has been removed from the
device (Computer Language Company, n.d.).
Hardware and software configurations. Details about the mobile device’s current
operating configuration can be discovered within the memory of a mobile device. An examiner
may either use manual or logical mobile data extraction techniques in order to collect and
examine the mobile device’s configuration information. Manual extraction of data consists of an
examiner manually navigating through the menus of a mobile device in order to view the data
stored within. Logical extraction requires the examiner to connect with one of the mobile
device’s interfaces by using the mobile device’s original manufacturer equipment, or by utilizing
the mobile device’s built in Bluetooth capabilities. Once connected, an examiner can use a
logical data extraction tool, and its various communication protocols, to extract any data stored
within a mobile device (Ayers, Brothers, & Jansen, 2014). According to Schwamm and Rowe
(n.d.), the configuration details of a mobile device can be found within various locations of a
mobile device’s memory. These configuration details can provide an examiner with information
about the mobile device’s software build, model number, Media Access Control (MAC)
addresses, phone name, phone number and the International Mobile Equipment Identifier
(IMEI), or Mobile Equipment Identifier (MEID) of the mobile device. MAC addresses are
unique identifiers that are assigned to a network interface in order to distinguish individual
devices that are communicating on a network (Steel, 2006). IMEI and MEID are both unique
sets of serial numbers that are assigned by the Federal Communications Commission (FCC) in
order to identify individual mobile devices (Federal Communications Commission, 2015).

18. 13
Identity modules. Subscriber Identity Modules, or SIM Cards as they are more
commonly referred to, are small circuit boards found in mobile devices running on the Global
System for Mobile communications (GSM) network (Ayers, Brothers, & Jansen, 2014). GSM is
a radio network standard that was originally developed by the European Telecommunications
Standards Institute (ETSI) in order to describe protocols for second-generation digital cellular
networks used by mobile devices (3GPP, n.d.). SIM cards used in mobile devices store a GSM
subscriber’s user identity, location information, phone number, address book information, call
logs, network authorization data, and personal security keys. All of which are loaded onto the
mobile device accessing the GSM network (Willassen, 2003). Not all mobile devices operate on
the GSM network. Certain mobile devices receive their mobile service through the Code
Division Multiple Access (CDMA) radio network. Similar to GSM mobile devices, CDMA
mobile devices operate specifically on the CDMA radio network and do not use a SIM card as a
means of network authentication. Instead, mobile devices using the CDMA radio network
authenticate the subscriber by using the mobile device’s built in technology (Ayers & Jansen,
n.d.).
Mobile applications. A mobile application is a type of application software that is
specifically designed to utilize the full capabilities of a mobile device. Mobile applications
provide the user with similar services and capabilities that are readily available on a computer
(Federal Trade Commission, 2011). Manufacturers of mobile device technologies sell mobile
devices to consumers with several mobile applications included as a part of the pre-installed
software package for the mobile device. A mobile device user can add additional capabilities to
their existing device by simply downloading additional mobile applications from a mobile
application store. A mobile application store is an online portal where mobile application

19. 14
software is made available for download for specific mobile devices that are running a particular
mobile OS. Application stores, such as Android’s Google Play or Apple’s App store, are portals
where additional application software can be downloaded by the mobile device user (Budiu,
2013).
Media files. Media files are various image, audio and video file formats that are stored
on mobile devices. When image media files are created by a mobile device Exchangeable Image
File Format (EXIF) data is stored as a part of the data associated with the media file. EXIF data
is information that corresponds to the mobile device’s camera settings; such as International
Standards Organization (ISO) speed, shutter speed, resolution, date, and the time when the image
was captured (Tachibanaya, 1999). Additionally, when audio, video, and other media file
formats are created on mobile devices metadata is also created and stored within the various
media files on the mobile device. Metadata is data that is created by the actions of the user on
the mobile device and is used to describe and summarize the additional details associated with
the stored data files (Garoufallou & Greenburg, 2013).
SMS, MMS, and Emails. Communication data files associated with Short Message
Service (SMS), Multimedia Message Service (MMS) and Electronic Mail (E-mail)
communication are frequently created when their specific services are utilized by a mobile
device. Specific usage information associated with these services can be found stored within the
memory of a mobile device (Techopedia, n.d.; Matterson, 2014). SMS messages are a type of
text message that are created by a mobile device that can consist of up to 160 characters within a
text message. These mobile device generated text messages are primarily used by individual
mobile device users in order to communicate with one another (Phoenix Contact GmbH, 2012).
MMS messages work in a similar way to SMS messages; however, in the addition to the actual

20. 15
text within the message, an MMS message contains multimedia data such as an image, audio or
short video clip (Nokia, 1999). E-mail is an electronic message that is created by a user of a
digital device. E-mail can be sent or received from a variety of digital devices. E-mail messages
may contain text and other variety of other attached file types within a message. An e-mail
message contains an address, routing information, and content, which are sent over a
telecommunications network. E-mail messages can be sent out to a specific individual or sent to
a group (Internetguide, n.d.).
Location, browser history. A myriad of location data is stored within a mobile device.
Geo-spatial data corresponding to the connectivity locations of the telecommunication towers,
Wi-Fi locations and Global Positioning System (GPS) data can all be found stored within a
mobile device (Sack, Kroger, & Creutzburg, 2012). Geo-spatial data is data that is stored within
a mobile device that is used to identify the geographic location of a mobile device. Geo-spatial
data will possess latitudinal and longitudinal coordinates, in order to pinpoint the device’s
location on the earth (National Geospatial-Intelligence Agency, n.d.).
Similar to PCs, various mobile browsing applications store the mobile user’s browsing
history on the device. The mobile browsing history of a mobile device can be found within the
browsing cache folder that is associated with the browser on the device. A mobile browsing
cache folder is a folder location within the device that is used as a temporary storage area that
stores the user’s most recent browsing history information (The Computer Language Company
Inc., n.d.). Information contained within the mobile browsing cache folder consists of the user’s
history of visits and various websites accessed by the mobile browsing application.

21. 16
Challenges of Performing Mobile Forensics on Emerging Mobile Device Technologies
Digital forensics is a branch of forensic sciences that specializes in the preservation,
recovery, and examination of evidence that is retrieved from digital devices during a forensic
investigation (Sammons, 2015). During a forensic investigation, an investigator will need to
utilize the capabilities of various tools and forensic toolkits in order to perform a thorough
mobile forensic investigation on the emerging mobile device technology. Due to the rapid
evolution of mobile device technologies, forensic investigators encounter numerous challenges
when handling the mobile device; challenges that are unique to mobile device forensics
(Gonzalez & Hung, 2011).
Various mobile device configurations. Due to the constant evolution of mobile device
technologies and their steady assimilation into our everyday lives, the growth and demand for
mobile telecommunications networks and emerging mobile device technologies has flourished
over the past several years (Schneiderman, 2012). The rapid development of mobile device
technologies is constantly being influenced by the swift evolution of new services and
applications that are made available on the latest mobile device technologies (GSMA, 2015).
This continual evolution in technology results in today’s consumer market to be flooded with
various mobile device technologies that possess various configurations from various
manufacturers.
Hardware. When dealing with mobile device technologies during a forensic
investigation, investigators encounter hardware challenges that are unique to mobile forensics.
As a result of trade secrets, proprietary technologies, lack of standardized specifications and
guidelines for mobile device hardware, examiners frequently encounter a wide variety of
hardware and hardware configurations when examining mobile devices (Ahmed, Dharaskar, &

22. 17
Thakare, 2014). Encountering various mobile device hardware configurations during a forensic
investigation can provide a challenge to mobile device investigators when attempting to extract
digital data from a mobile device. No single forensic tool is capable of performing data
extractions on all mobile device configurations. Various forensic tools are often required in
order to perform a forensically sound data extraction (Bennett, 2011).
Software. The operating systems and other software being developed for emerging
mobile devices are being developed using proprietary software or open source code principles.
Open source code refers to the free distribution and availability of source code that has been
created by the developers of a software program, application, or operating system. The concept
behind open source code is that a larger group of programmers will evaluate and improve the
originally created source code (Mian, Teixeira, & Koskvaara, 2011). Proprietary software is
software that is created by an individual or firm that possesses copyrights for the intellectual
property of the software. Unlike open source code, proprietary software is kept secret and never
shared with the public. A proprietary software developer sells or provides their intellectual
property to a company under specific licensing agreements in order for a company to use their
created software (Pankaja & Mukund, 2013).
Operating systems. Many mobile device manufacturers have chosen to operate their
mobile devices on one of the four more popular operating systems available for mobile devices.
The four most popular OSs available for mobile devices today are Android, iOS, Windows
Phone, and Blackberry OS (IDC Research, Inc., 2015). Android is the open source operating
system created by Google that is primarily programmed in Java and based on the Linux OS.
Android OS is capable of running multiple applications at the same time and is widely utilized
by various mobile devices around the world (Bazard & Bhardwaj, 2011). IOS is the proprietary

23. 18
mobile OS that is utilized by all Apple mobile devices. IOS is a very stable and secure mobile
OS that possesses very few software errors and does not require frequent software patches. This
is a result of Apple’s high level of standardization in developing applications and updates for
mobile devices (Asokan, 2013). Windows Phone, or Windows 10 Mobile as it is now called, is
the proprietary mobile OS that was created by the software developers at Microsoft. Windows
mobile is based on Windows CE kernel and designed to look and operate similar to the desktop
version of Microsoft Windows. Conceptually similar to Apple’s iOS, Windows Phone is
structured similarly with protocols regarding user information and registry entries, file and web
activities, recently connected computers, and Wi-Fi access points (Yates, 2010). Blackberry OS
is another proprietary mobile OS that was developed by the software developers at Blackberry
for its Blackberry mobile devices. Primarily used in corporate settings the Blackberry OS is best
known for its security, multi-tasking capabilities, and interoperability with corporate
infrastructures (Syngress, n.d.).
Mobile device isolation. Digital data contained within a mobile device is extremely
volatile and dynamic. In order to ensure a forensically sound data extraction from a mobile
device, it is important first to preserve the current data stored on a mobile device upon seizure
and prior to beginning any investigation (Thakur, Chourasia, & Singh, 2012). It is essential that
forensic examiners isolate the mobile device immediately from all communication networks and
interfaces. By properly isolating the mobile device from various communication networks, the
integrity of the data stored on the mobile device can be protected from remote wiping and other
factors that can compromise the integrity of the data stored on the mobile device (e-Forensics
Magazine, 2015). Remote wiping is a security feature on a mobile device that allows a network
administrator or device owner to send a command to the mobile device instructing it to delete all

24. 19
stored data (Kaspersky, 2013). By isolating the mobile device during a forensics investigation,
an examiner can be confident that the evidence retrieved and examined from a mobile device
will be considered valid in a court of law (Spalevic, Bjelajc, & Caric, 2012).
Mobile device isolation tools and techniques. Mobile devices possess various
technologies that allow mobile devices to connect to telecommunication networks, Bluetooth
devices, or Wi-Fi networks through wireless signals. It is imperative that forensic investigators
deploy isolation tools and techniques when seizing a powered on mobile device in order to block
these wireless signals. By isolating the mobile device from wireless signals, an examiner can
preserve the integrity of the data that is stored on the mobile device for forensic examination
(Casey & Turnbull, 2011). When isolating a mobile device for seizure, transportation, and
analysis, an examiner can use mobile isolation tools such as a faraday bag, an RF isolation box,
or a cellular jammer. As an alternate method, the forensic examiner can manually switch the
mobile device into airplane mode during the seizure, transportation and examination (Doherty,
2014). Faraday bags are mobile device enclosures that are used by forensic examiners and first
responders in order to shield the mobile device from external signals that may alter or delete data
stored on a mobile device (Disklabs, n.d.). An RF isolation box is an enclosure that is designed
to isolate a mobile device from any network. The RF isolation box allows an investigator to
have hands on operating and viewing of the mobile device, while the device is completely
isolated from external signals (Foundation Futuristic Technologies, n.d.). A cellular jammer is
an electronic device that emits wireless signals in the same frequencies that mobile devices use
for communication purposes. The jammer causes strong interference with incoming radio
signals to the mobile device and effectively shields the mobile device from external signals
(Signal Isolation, 2007). As an alternative to using forensic tools to isolate the mobile device, an

25. 20
examiner can utilize the built in airplane mode that is found on the mobile device. When
airplane mode is activated by the examiner on the mobile device, the device suspends the mobile
device’s capability to transmit and receive signals on the mobile device (Scientific Working
Group, 2013).
Data storage capabilities. With all of the advances in data storage and mobile device
technologies over the years, the newest mobile devices are capable of generating, storing and
accessing massive amounts of data. Mobile device technologies today come with built in storage
capabilities that average 64 gigabytes (GBs) and in many cases have expansion slots where
additional memory cards can be placed into the device in order to increase the storage capability
(PricewaterhouseCoopers, 2015). These small mobile device memory cards can be used and
switched out easily from the mobile device in order to store data in various physical locations;
making the efforts to recover all available data for the mobile device difficult for forensic
investigators (Ayers, Brothers, & Jansen, 2014).
Outside of physical data storage, the examiner must also face the additional challenge of
attempting to extract mobile data from locations that are not physically present on the mobile
device. Many current mobile device technologies now have the capability to store additional
data outside of the mobile device using cloud based storage, computing services (NIST Cloud
Computing, 2014). Cloud based storage is a low cost, state of the art storage service that
maintains and manages data. Users utilizing cloud services are capable of easily storing and
accessing their data from various digital devices that are connected to their cloud network of
services (Zhang, Cheng, & Boutaba, 2010). As data storage technologies evolve and increase in
their storage capabilities, so will the built in storage capacities of mobile device technologies.

26. 21
Improvements in data storage will only increase the amount of data that a forensic investigator
must extract and examine during a forensic investigation.
Dealing with digital anti-forensic measures. Mobile device technologies have emerged
as important personal devices that serve an important role in peoples’ daily professional and
personal lives. With mobile devices’ increased capabilities of processing and storing data,
mobile devices are capable of storing a myriad of digital data associated to the activities of a
mobile device user (McAfee, 2012). In order to ensure the security and privacy of the data
stored on a mobile device, a digital device user may implore digital anti-forensics techniques in
order to protect the data from unwanted eyes. Digital anti-forensics techniques can be exploited
by perpetrators of various types of crimes in order to conceal their illegal activities from
investigators and law enforcement (Stamm, Lin, & Liu, 2012). Data destruction, data
contraception, and data hiding are several anti-forensic techniques that can be used on an
individual’s mobile device in order to conceal or destroy evidence (De Beer, Stander, & Van
Belle, 2014).
Data destruction. Data destruction is the anti-forensics technique that securely deletes
data from a mobile device. Data destruction on a mobile device can be performed by deploying
the mobile device’s security feature to delete all stored data within the mobile device; this is
known as remote wiping. Once the digital data has been securely deleted from the mobile device
the data cannot be restored, accessed, or used in a mobile forensics investigation (Distefano, Me,
& Pace, 2010).
Data contraception. Data contraception is the anti-forensics technique that uses various
software programs in order to minimize the amount of data that is generated by the mobile
device. In order to minimize the generated data on a mobile device, the user will utilize syscall

27. 22
proxying, memory resident compiler/assembler, remote library injection, direct kernel object
manipulation (DKOM), livedistros, and portable application software (Smith, 2007; Computer
Forensic and, n.d.). By minimizing the amount of data generated from the mobile activities, a
forensic investigator will encounter difficulties when attempting to develop a profile of the
mobile user’s activities.
Syscall proxying. This anti-forensics technique is performed by having a local program
transparently proxy into a process’s system call to a remote server. By providing this direct
interface into the target’s OS, syscall proxying allows the attack code and the tools of the
individual performing the syscall proxying to be automatically in control of the remote resources
within the digital device. This can be done because the syscall proxying simulates the remote
execution of the commands from the local program (Caceres, 2002).
Memory resident compiler/assembler. The use of a resident compiler/assembler consists
of when remote code fragments are sent from a remote device to the compiler/assembler that
resides in the local memory of the mobile device. This technique allows tools to be compiled for
the mobile device platform immediately within the memory of a hijacked process. By hijacking
the memory of the running process, this ensures that no digital traces of the activities are left
stored on the local memory or disk of the device (Aitel, n.d.).
Remote library injections. This anti-forensic technique is performed by a user who
forcibly injects a dynamically linked library into the memory of a mobile device. By forcibly
injecting the library into the memory there is no creation of any disk activity on the hosting
machine. Once loaded into the device, the library exists like any other standard library. The
initialization routines are called and the library’s exported symbols can be resolved through the
platform’s symbol resolution interfaces (Turkulainen, 2004).

28. 23
Direct kernel object manipulation (DKOM). The anti-forensics method that allows an
attacker to use drivers or loadable kernel modules in order to modify the memory associated with
the kernel objects (Butler, n.d.; Becher & Hund, 2008). Use of DKOM allows the user full
control of the kernel and allows the user to hide processes, drivers, and ports; which can present
various challenges for a forensics investigator. By modifying the associated memory with the
kernel objects a user can have direct access to memory and freely modify pointers and make the
DKOM invisible to the targeted system (Kornblum, n.d.).
Livedistros. The anti-forensic technique where a fully operational OS is run from a type
of storage medium. The OS and the applications of the livedistro run directly from the portable
media that is connected to the digital device. By doing this, there are no changes made to the
host system unless initiated by the user. The system automatically returns to its previous state
once the OS has been exited or the digital device has been restarted (Workshop Series for, n.d.).
Portable applications. This anti-forensics technique directly deploys software from a
storage device that is directly connected to the digital device. The portable application software
does not require the files on the storage device to be installed onto the digital device in order to
operate (Baggaley, 2006). These particular software applications are designed with the intention
to be easily moved from one computing environment to another. Portable applications can
consist of browsers and other various specialized application that are designed to enhance the
mobile computing of the device (Ohana & Shashidhar, 2013).
Data hiding. Data hiding is an anti-forensic technique that is used by individuals in order
to conceal data and information from unwanted individuals. Individuals who may be performing
illegal activities, and using their mobile device as a means of facilitation, may use cryptography,
steganography, anonymizing browsers, program packers, and generic data hiding in order to

29. 24
conceal their activities and information that is stored on the mobile device. Each of these data
hiding techniques help ensure the privacy of the data and restrict the access of information from
outside individuals who may attempt to intercept or tamper with the integrity of the data
(Armistead, 2007). Each of these various data hiding techniques can provide various challenges
for an investigator who is attempting to extract and examine data from the mobile device.
Cryptography. The anti-forensic technique of cryptography is the science of enabling
secure communications between a sender and one or more recipients. The purpose of
cryptography is to ensure data confidentiality and integrity, author authentication, and origin of
the data (Kaur & Singh, 2013). In cryptography, text data that has not gone through any
cryptographic process is known as plaintext. Plaintext is ordinary readable text data that can
easily be read by anyone encountering the text information. Plaintext that has gone through the
cryptographic process and been encrypted is known as cipher text. Cipher text is text
information that has gone through the encoding process and is no longer easily recognizable
(Drummond, 2003). In order for a user to cipher or decipher any data, an individual must
possess the cryptographic key. The cryptographic key is a piece of data that determines the
functional output of the cryptographic algorithm. Without the key, the algorithm will not
produce the deciphered result (Microsoft, 2015).
Steganography. Steganography is the process of hiding data or information in plain view
within another piece of data or payload applied to mask and conceal the presence of the hidden
data or information. Steganography is similar to cryptography in the way that it is used to secure
information from any unwanted parties (Rughani & Pandya, 2012). Unlike cryptography,
steganography relies on its stealth in order to maintain the privacy of the information. When
applying steganography to information or data, the amount of data that can be hidden is

30. 25
dependent on the embedding capacity of the hosting data file or payload (Badgaiiyan,
Dewangan, Pandey, Yeulkar, & Sinha, 2012).
Anonymizing browsers. Anonymizing browsers are anti-forensics Internet browsing tools
that allow a user to access the Internet anonymously. According to Huber, Mulazzani, and
Weippl (2014), these anonymizing browsers prevent outsiders from monitoring the network data
activities of a user; and cloak the origin of the Internet protocol (IP) address that is making the
data requests. One of the most popular anonymizing browsers available for mobile device users
is The Onion Router (Tor) anonymizing network. The Tor network is made up of numerous
nodes that are hosted by individuals within the network. These nodes are responsible for
encrypting, passing, and re-encrypting the user’s data as it travels through the network. The
user’s data passes through a minimum of three randomly selected bridging nodes prior to
arriving at a random exit node. Once at the exit node, the source and destination data belonging
to the user has been completely masked; allowing the user to privately and anonymously browse
the Internet (TOR, n.d.).
Program packers. Program packers are commonly used for code obfuscation or
compression by mobile users. Program packers can be used to hide evidence by compressing
and encrypting the evidence files in secondary memory and transforming the executable binaries
into another format using the program packer (Wright, 2010). By compressing and encrypting
the data files with a program packer, the original data files are transformed into a smaller
variation of the original uncompressed data file. This allows the data file to be obscured from
the original data file, which creates a challenge for the examiner when trying to match file
signatures of data extracted from the mobile device (Mellado, Sanchez, Fernandez-Medina, &
Piattini, 2013).

31. 26
Generic data hiding. An alternate method of hiding data on a mobile device is to hide
additional information and data within the slack space of a data file that is stored within a mobile
device. Slack space or unallocated space refers to the additional storage space that resides at the
end of the stored file to the end of the file cluster of a data file (NUIX, 2014). Similar to
steganography, hiding data within the slack space of another file relies on stealth and the ability
to remain undetected.
Mobile device security. Mobile device security measures are designed to protect the
sensitive information stored on and transmitted by mobile devices. Mobile device security
measures consist of user authentication, SIM card pin and Personal Unlocking Key (PUK) (Lutes
& Mislan, 2014). Mobile device technologies deploy various security measures in order to
ensure the security of the mobile device by preventing access to unauthorized users.
User authentication. User authentication is the verification of a user’s identity to the
mobile device. In order to access a mobile device the user is required to provide specific
information that corresponds to the user’s authentication. Once the mobile device has
authenticated, the user the user is granted access to the data contents and device capabilities of
the mobile device (Crawford & Renaud, 2014). The most popular methods of user
authentication on mobile devices are performed by inputting a passcode, graphical login, or by
inputting biometric data into the mobile device. These various methods of user authentication
provide a mobile device user various options as to how to secure their mobile device (Anwar &
Imran, n.d.). A passcode or pin is a sequence of numerical data that is created by the individual
user of the mobile device in order to secure the device. Only by inputting the correct numerical
information on the locked home screen of the mobile device will the individual be able to unlock
the device, and be granted access.

32. 27
A graphical login has the same goal of a passcode but consists of the user inputting a user
specific sequential pattern into the home screen of the mobile device (Krikelas, Xydas, &
Bonnefoi, 2013). Utilizing the input sensor technology of a mobile device, a user can use their
biometric data in order to secure their mobile device. Biometric data is information that is based
specifically on unique and measureable characteristics of an individual. Fingerprints, facial
features, and voice signatures are all examples of biometric data that can be collected from the
sensor of the mobile device in order to authenticate the user (Trewin, Swart, Koved, Martino,
Singh, & Ben-David, 2012).
After several failed attempts of inputting the correct user authentication information into
the mobile device; the device will lock and disable the home screen of the mobile device. This is
performed as a precautionary security measure in order to protect the information contained
within the device from unauthenticated individuals. The home screen of the mobile device can
become unlocked after a certain period of time has passed or may require a password reset be
performed once a user’s authentication has been performed via the e-mail associated with the
mobile device (Apple, 2015; Chemerkin, 2012).
SIM card pin and PUK code. The SIM card is a non-volatile storage device that is
capable of storing a mobile device user’s subscriber related information and other various types
of data that is created on the mobile device. In order to gain access to the information stored
within the SIM card, an individual must authenticate with the correct SIM pin. After three failed
attempts to input the SIM pin, the SIM card will lock and the PUK code will be required to
unlock the locked SIM card (Savoldi & Gubian, 2007). A PUK code can be retrieved by a user
by accessing their associated telecommunications account online and following the specific
instructions in order to obtain the PUK code. Another option for a mobile device user is that

33. 28
they can call their telecommunications provider and, upon authenticating themselves to the
customer service representative, the user shall obtain the SIM card’s PUK code. After ten failed
attempts in a row to input the PUK code, the SIM card will permanently lock (ATT, 2015).
Importance of Valid Mobile Forensic Practices in Mobile Forensic Investigations
With the constant evolution, rapid development, and emerging capabilities of mobile
device technologies, it is crucial that mobile forensic investigators develop new skills and
forensic practices in order to meet the increased demands for mobile forensics. The practice of
mobile device forensics is dependent on recovering and examining digital evidence under
forensically sound conditions, while deploying accepted forensic practices (Murphy, n.d.). Due
to the expeditious evolution of mobile device technologies and their capabilities, mobile forensic
investigators have encountered difficulties in staying current with mobile device technologies.
Mobile forensic investigators face the unique ongoing challenge of developing new and up to
date forensic practices that can be deployed on emerging mobile device technologies (Tolman,
2012). A thorough knowledge and understanding of the various device configurations can help a
forensic investigator select which forensic tools, toolkits, and techniques to implement when
performing mobile forensics (Raghav & Saxena, 2009). The growing demand for mobile
forensics in modern day investigations makes the need for up to date research on forensic
guidelines and practices a necessity in mobile forensics.
Need for guidelines and standards on emerging mobile device technologies. The
need for up to date mobile forensics methods and practices is critical for current day mobile
forensics. With the increasing number of mobile devices being submitted for forensic
investigations, a backlog of mobile devices awaiting forensic analysis is steadily growing
(Mislan, Casey, & Kessler, 2010). These ongoing challenges are created due to the lack of up to

34. 29
date forensic practices, guidelines, and standards for mobile device forensics. Due to the lack of
research in mobile forensics, forensic investigators are left with outdated material on how to
perform mobile forensics properly on a mobile device.
This lack of up to date guidelines and standards critically affect the developers of forensic
tools. Forensic tool developers are combating the short development cycles of new mobile
device technologies and mobile device software. These short development cycles make it
difficult for developers to keep up to date, and to create and test fully functional forensic toolkits.
This ultimately leads to forensic toolkits lacking the full functionality required to perform
forensically sound data extractions and examinations on emerging mobile devices (Marturana,
Me, Berte, & Tacconi, 2011). Research, on creating formalized guidelines for mobile forensics,
has been performed by the National Science Foundation (NSF), National Institute of Justice
(NIJ), and the National Institute of Standards and Technology (NIST). Although massive
amounts of time, money, research, and efforts have been put forth in order to create formalized
guidelines and practices for mobile forensics; there has been a lack of success of communicating
the findings to the end users (Garfinkel, 2010). The most up to date mobile forensics guidelines
were released by the NIST in 2014. The relevance of the forensic methods and practices
contained within the NIST document are completely dependent on the evolution of mobile
device technologies and will be outdated with the next generation of mobile device hardware and
software.

35. 30
Discussion of the Findings
Major Findings
The objective of this capstone project was to demonstrate the challenges associated with
performing mobile forensics on new emerging mobile device technologies. This research project
intended to provide insight regarding the data stored within emerging mobile device
technologies; the specific challenges mobile forensic investigators face when attempting to
perform forensically sound data extractions on emerging mobile device technologies; and the
importance of valid mobile forensics practices. Numerous scholarly articles and publications
touch on the various topics of mobile forensics. None of the articles or publications researched
provided specific detailed information or guidelines on how to perform mobile forensics on
emerging mobile device technologies. This research project contains detailed information about
the challenges associated with mobile forensics; along with the plethora of useful data that can
be extracted and examined by investigators during a mobile forensic investigation. This research
project also provides insight about the deficiencies of current research, forensic practices, and
guidelines within the field of mobile forensics. The topics chosen for this research project were
selected to explore the understanding of the forensic challenges mobile investigators face when
attempting to perform mobile forensics on emerging mobile device technologies.
The literature review covered an advanced look into the challenges forensic investigators
face when performing mobile forensics on emerging mobile device technologies. This research
investigated the data and data types that are created and accessed by the mobile device user;
along with the various data storage locations of the mobile device. Forensic challenge topics
such as dealing with various mobile device configurations, increased capabilities of mobile
device technologies, various anti-forensic measures, and the need for up to date forensic

36. 31
practices were also covered within this research. Sources chosen for this study were selected
from scholarly articles and publications, which were based on various mobile forensic topics
related to the architecture of emerging mobile device technologies, mobile forensic practices and
challenges, and the need for mobile forensics in modern day investigations. These sources were
chosen to provide detailed insight and understanding of the forensic challenges investigators face
when performing mobile forensics on emerging mobile device technologies.
The concepts covered within this research provide insight about the various types of data
stored within a mobile device, the various difficulties forensic investigators face when
attempting to perform mobile forensics on a mobile device, and the need for modern mobile
forensic practices. This study on the challenges of performing mobile forensics on emerging
mobile device technologies is only a snapshot of the current challenges mobile forensic
investigators currently face. Research related to mobile forensics will never be complete due to
the fluid and dynamic evolution of mobile device technologies.
Digital Data Stored on Mobile Devices
Mobile device technologies are capable of storing troves of data that can provide useful
information to a mobile examiner during a forensic investigation. The mobile device is capable
of storing unique data in various media locations inside and outside of the mobile device.
Random Access Memory (RAM), non-volatile memory (NVM), mobile device configurations,
subscriber identity modules, mobile application data, media files, communication data files, and
GPS and location information are examples of the various types of data that can be extracted and
analyzed by an examiner during a mobile forensic investigation. The data that is extracted and
analyzed from a mobile device can provide a forensic examiner with useful information relating
to an investigation. The analysis of the evidence gathered from the mobile forensic investigation

37. 32
can provide an examiner with precise data that can allow a detailed timeline and profile of the
user’s whereabouts and activities to be created from the information gathered.
RAM and NVM. Mobile device technologies utilize both random access memory
(RAM) and non-volatile memory (NVM) in order to perform various capabilities and to store
important data within the mobile device. The quick and volatile RAM allows the mobile device
to run mobile device software programs and applications in parallel, which provide the mobile
device with its various capabilities. NVM provides the mobile device with the capability to store
and retain information on the device even when power has been removed. Unlike the volatile
RAM, NVM retains all of its memory even when power is removed from the mobile device.
Mobile device configurations. Information corresponding to the mobile device’s
current operating configuration can be found within the memory of a mobile device. In order to
extract and analyze the mobile device’s configuration data, the examiner can use either manual
or logical data extraction techniques. Manual data extraction techniques consist of the forensic
examiner manually navigating through the various menus of the mobile device and documenting
the information that is discovered. Manual data extraction can only be performed by an
examiner if the mobile device being examined is unlocked; making the mobile device’s
information readily accessible to the examiner. In order to access the hardware and software
configuration data stored within the mobile device using manual data extraction, the examiner
must navigate through the settings menus within the mobile device, in order to view the mobile
device’s configuration information.
The alternative method of extracting the mobile device’s configuration information is to
use logical data extraction techniques. This data extraction method requires the examiner to
connect the investigative computer equipment to one of the mobile device’s interfaces. The

38. 33
examiner can connect to the mobile device either by using the mobile device’s standard
equipment or via the mobile device’s Bluetooth capability. Using the investigation computer, a
mobile examiner can launch their logical data extraction tool, use communication protocols to
access and extract the mobile configuration. Both data extraction methods can yield unique and
specific configuration data that can help identify the mobile device’s activities on various
networks that the mobile device has come in contact with.
GSM and CDMA mobile devices. Mobile devices using the Global System for Mobile
Communications (GSM) networks utilize SIM cards in order to access the GSM
telecommunication network. SIM cards store specific data that correspond to the user’s identity,
location, phone number, address book, call logs, encryption keys, and network authentication
information. Mobile device technologies that utilize Code Division Multiple Access (CDMA)
technology do not use SIM cards to store information or to authenticate a mobile device’s
identity information. Instead, CDMA devices use the technology that is stored internally within
the device in order to perform the same actions of a SIM card.
Application data. Mobile devices deploy various mobile applications in order to
perform various services and capabilities on a mobile device. Mobile applications consist of
software that is specifically designed to provide the mobile device user with capabilities that are
normally used on computers. Additional mobile applications for a mobile device can be found
and downloaded from the mobile device’s application store or additional online locations.
Mobile device users can add or remove mobile applications from the mobile device in order to
customize and utilize the full capabilities of their mobile device. Data files corresponding to the
mobile applications can provide an examiner with useful information about passwords used,
documents accessed, and additional storage locations for the mobile device. The extracted

39. 34
mobile application data can provide useful information that leads to additional digital evidence
and leads that can assist a forensic investigation.
Digital media. Mobile device technologies are capable of creating and storing various
types of media data files. Contained within the media files an examiner can find additional
metadata and exchangeable image file (EXIF) information stored within the associated media
file. The EXIF and metadata stored within the associated media files can provide an examiner
with a summary of information corresponding to the creation of the media file. Geo-graphic
location, name of the digital device, and the digital device’s settings used to create the media file
can all be found stored within the EXIF and metadata of the media file. This summary of
specific information on how the file was created can allow an investigator to associate not only
when the file was created but on what type of device. This additional information can lead to the
discovery of additional devices that need to be investigated or additional evidence that can
provide additional insight about the ongoing investigation.
Communication data files. Emerging mobile device technologies possess numerous
mobile applications that provide mobile devices the capability to communicate with other mobile
device users through a variety of platforms and applications. Mobile devices are capable of
using short message service (SMS), multimedia messaging service (MMS), and E-mail as a
means of communicating with other mobile device users and individuals possessing a valid e-
mail account. Specific usage information for these communication services can be found stored
within the memory of a mobile device. The extracted usage information can provide an
examiner with detailed information about messages sent and received from the mobile device.
This provides an examiner with detailed information that allows the investigator to add
information to a detailed timeline. This additional information can help identify the

40. 35
communication habits of the mobile device user and others with whom the user may have
communicated. The timeline can help associate the user to criminal activities that were
performed on the mobile device, or associate the user’s involvement with other malicious
activities.
Geo-location data. Mobile device technologies create and store massive amounts of
location data that correspond to the actions and activities that are performed on mobile devices.
Mobile device technologies create and log specific latitudinal and longitudinal geo-spatial data
that is associated with the connectivity locations of GPS data, telecommunication towers, and
Wi-Fi hotspots that are encountered by the mobile device. The geo-spatial information that is
extracted and examined from a particular mobile device can provide an examiner with detailed
locations identifying the locations where the mobile device has been at various times. This
additional information extracted from a mobile device can help provide additional evidence
when attempting to associate an individual with a specific place and time during an investigation.
Browsing history data. Mobile device technologies possess specific mobile browsing
applications that provide the user with the capability to access the Internet readily. Similar to the
browsing tools utilized on PC devices, mobile browsing applications store the browsing history
of the mobile device user. The browsing history of the mobile device user can be found stored
within the mobile browsing cache folder of the mobile application. The information contained
within the cache folder is the user’s browsing history that consists of specific dates and times
when the user visited various websites. The Internet browsing history that is extracted and
examined during a forensic investigation can provide an examiner with additional details and
evidence that can help associate and individual with certain criminal activities, or provide the
examiner with additional leads for evidence.

41. 36
Theme One: Mobile Forensic Challenges
Mobile forensics is a specialized branch of digital forensics that requires a forensic
examiner to have a thorough understanding of mobile device technologies. Unlike other
branches of digital forensics, where device configurations are not a concern; mobile forensic
examiners face the unique challenge of encountering various mobile device configurations on a
case-by-case basis. It is imperative that a forensic examiner has a basic understanding of how a
mobile device operates, in order to mitigate and minimize any challenges experienced during a
mobile forensic investigation.
Mobile configurations. Over the past several years, mobile device technologies and
their evolving capabilities have found much success with today’s technologically advanced
society. The short development cycles of new technology and software releases ensure that the
consumer is provided with the latest mobile device technology. As a result of this rapid
evolution, mobile forensic investigators encounter numerous device configurations during
forensic investigations. When encountering an emerging mobile device technology during an
investigation, a forensic examiner may not possess the proper training, interface tools, or
software required to perform a forensically sound investigation. By not having up to date
training in the handling of the new mobile device’s technology, a forensics examiner may fail to
properly preserve, collect, or examine the data stored within the mobile device. Performing
improper mobile forensic practices can jeopardize the integrity of the data stored within a mobile
device; which can ultimately jeopardize a forensic investigation.
Device isolation. When performing forensics on a mobile device, a forensic examiner
must exercise forensically sound practices when handling the mobile device, in order to preserve
the volatile data. It is important for the examiner to isolate the mobile device properly from all

42. 37
outside factors in order to preserve the integrity of the data during the seizure, transportation, and
analysis of the mobile device. Failure to isolate the mobile device properly from outside factors
can jeopardize the integrity of the data stored on the mobile device, or leave the device
susceptible to remote wiping. Any type of contamination, corruption, or loss of data on a mobile
device can jeopardize the validity of the evidence. By properly isolating the mobile device, the
examiner can protect the integrity of the data stored within the device from anti-forensic
measures; and ensure that the evidence retrieved and examined from the mobile device will be
considered valid in a court of law.
Mobile storage. Advances in data storage technology for mobile devices have made
mobile devices capable of accessing and storing massive amounts of data in various media
device locations inside and outside of the mobile device. Performing forensics on a mobile
device with these storage capabilities can create numerous challenges for an investigator.
Having these increased capabilities to store data only increases the amount of data an examiner
has to extract and examine during an investigation. The increased number of storage locations
on and off the mobile device makes it difficult for an examiner to extract and collect all of the
data created by the mobile device. If an investigator is unable to collect and examine all of the
data that was created by the mobile device, an examiner may miss key data that could provide
insight or evidence about the criminal or malicious activities that were performed on the mobile
device.
Anti-forensics. Mobile device users, who wish to conceal their activities, and keep their
data safely protected from unwanted eyes, may use anti-forensics techniques in order to maintain
the privacy of their mobile device data. The various anti-forensic techniques utilize different
strategies and software in order to minimize and conceal the data created and stored within a

43. 38
mobile device. Anti-forensic techniques can be exploited and utilized by criminals in order to
conceal their illegal activities from law enforcement officers and forensic investigators.
Criminals using anti-forensic techniques on their mobile devices can minimize and conceal their
data that has been created and stored on the mobile device; making the search for evidence
cumbersome.
Mobile security. The security measures in place on mobile device technologies have
been designed to ensure the privacy and protection of the information created, stored, and
transmitted on a mobile device. In order to secure the mobile device properly and its contents,
various security measures have been implemented within the overall architecture of the mobile
device. The same security features meant to protect the mobile device can also hinder mobile
forensic examiners from performing mobile forensics on the device. The security features of the
mobile device can prevent an examiner from gaining access to the data stored within the mobile
device. If an examiner is unable to bypass the security measures or properly authenticate oneself
to the device, the information stored within the mobile device will remain inaccessible for
mobile forensics.
The research performed indicated that there is an extensive list of possible methods to
conceal, eradicate, or erase data, in order to prevent forensic examination. This section shows
how complex and difficult digital forensics can be; and that the level of difficulty is exacerbated
by the continual evolution of mobile technologies. In order to mitigate the ongoing challenges in
mobile forensics, it is imperative that the forensics community collaborates with manufacturers
and other entities within the public and private sectors in order to provide a solution. Only by
having a thorough understanding of all of the facets of mobile forensics and the new emerging

44. 39
mobile technologies can an examiner mitigate the various challenges experienced during an
investigation.
Theme Two: Importance of Valid Mobile Forensic Practices
Mobile device technologies and their emerging capabilities are evolving at an accelerated
rate. Due to the rapid releases of emerging mobile device technologies to the consumer market,
forensic investigators are faced with the challenge of not being properly equipped with the
necessary tools and information that ensure forensically sound practices are being implemented
on emerging mobile device technologies. It is imperative that mobile forensic investigators
constantly evolve their skills and forensic practices in order to minimize and mitigate forensic
challenges that may be experienced during a mobile forensic investigation. In order to perform a
successful mobile forensic investigation an investigator must be knowledgeable in the handling
of the mobile device, and know how to approach the entire mobile forensic investigation with
accepted forensic practices.
Creating and updating mobile forensic guidelines and standards. The lack of up to
date research, guidelines, and standards in mobile forensics is creating numerous challenges for
the mobile forensic community. Mobile forensic investigators are performing mobile forensics
on emerging mobile device technologies with outdated information and research. Developers of
mobile forensic tools are combating short development cycles of mobile device technologies,
which results in developers creating forensic tools that are lacking full mobile forensic
capabilities. With the growing demand for requests for mobile forensics to be performed in
modern day investigations, it is critical that updated research and forensic practices be created in
order to address the challenges that the mobile forensics community is facing.

45. 40
Research and guidelines that are currently available have been created by institutions
within the mobile forensics community. The National Science Foundation (NSF), National
Institute of Justice (NIJ), and the National Institute of Standards and Technology (NIST) have all
invested great amounts of time, money, and research efforts in order to create a formalized
standard that the mobile forensics community can adhere to. Unfortunately, there has been an
ongoing challenge of successfully communicating the research and findings of the information to
various end users. Currently, the NIST has recently released a document that provides guidelines
on how to perform a mobile forensics investigation (Ayers, Brothers, & Jansen, 2014). Due to
the rapid evolution of mobile device technologies, the recently released document’s relevance is
fleeting. The constructed guidelines and forensic practices created by the NIST will only be
relevant for a small amount of time, due to the rapid evolution of mobile device technologies.
The relevance of the document is completely dependent on how quickly the next generations of
emerging mobile device technologies evolve and once again make the current mobile forensic
research, guidelines, and practices outdated.
Comparison of the Findings
This study is a broad look at the forensic challenges mobile forensic investigators face
when attempting to perform mobile forensics on emerging mobile technologies. The published
works and research that are currently available for mobile forensics either vaguely focus on
various aspects of mobile forensics or specifically focus on a particular mobile forensic topic.
None of the research discovered provided detailed analysis that encompassed the various
challenges and aspects of mobile device forensics. This study combined research information
from various sources within the mobile forensics community in order to provide a complete and
detailed analysis for this study. This study covered the various types of data and information that

46. 41
can be stored within a mobile device, the various challenges mobile forensic investigators face
when dealing with emerging mobile device technologies and their capabilities, and the
importance of valid mobile forensic guidelines and practices.
This study focused on the forensic challenges mobile investigators face when performing
mobile forensics on emerging mobile device technologies. Previously there were no existing
studies, which focused on the forensic challenges experienced by mobile forensic examiners,
when performing mobile forensics on emerging mobile device technologies. This study
highlights the importance of mobile forensics and discusses the various types of evidence that
can be extracted from the mobile device, the challenges of mobile forensics, and the need for up
to date mobile forensic guidelines and forensic practices.
Limitations of the Study
This study was limited primarily due to the lack of current research performed by the
forensic community in order to address the ongoing challenges mobile forensic examiners face
when dealing with emerging mobile device technologies. Many of the various publications
regarding mobile forensics frequently referenced the research and work of Ayers and Jansen; the
authors of various NIST documents who address various topics relating to mobile forensics and
mobile device technologies. Existing research and publications were outdated, vaguely touched
on various forensic topics, or focused primarily on a single specific forensic topic. Any previous
research performed on mobile forensic practices or mobile device technologies that do not
correspond to the current generation of mobile devices can be considered outdated and no longer
relevant for current mobile forensic practices.
The challenge of performing research on the forensic challenges of performing mobile
forensics on emerging mobile device technologies for this project was limited due to the lack of

47. 42
current and up to date research. This study solely relied on research performed by other
professionals within the mobile forensics community and not firsthand experience performing
mobile forensics on emerging mobile device technologies. This study gathered available
research on mobile forensics and provided detailed analysis and insight on the various challenges
mobile forensic investigators face when performing mobile forensics on emerging mobile device
technologies. As a result of this study, the information gathered and analyzed on mobile
forensics on emerging mobile device technologies may be unable to address new emerging
challenges created by new mobile device technologies; this is because no research is currently
available on these specific mobile forensic challenges.
The scope of this research was limited to covering only the top-level architecture of the
four most popular operating systems available for mobile devices. This study could be expanded
to cover all other various mobile device operating systems and a deeper dive into the varying
architectures could be performed. The additional research into this study would provide
additional detailed information that can yield specific forensic practices and guideline on how to
approach a mobile device operating on a specific operating system. Additional research
addressing all of the various mobile device operating systems and their specific forensic
challenges would be beneficial to the entire mobile forensics community.
Research in this study relating to the needs for up to date mobile forensic practices and
guidelines included various publications that supported the forensic challenge. A majority of the
publications cited were either outdated or lacked detailed information or a control plan on how to
mitigate the ongoing issue facing the mobile forensics community. The inclusion of this section
was to emphasize the need for further research in order to address the ongoing issue the mobile
forensics community faces when dealing with emerging mobile device technologies.

48. 43
Recommendations
This capstone project focused on the forensic challenges mobile forensic investigators
face when performing mobile forensic investigations on emerging mobile device technologies.
The field of mobile forensics has become crucial in modern day investigations; mobile device
technologies have become valuable sources of evidence for investigators during forensic
investigations (Askokan, 2013; Ayers, Brothers, & Jansen, 2014; Bennett, 2011; Casey &
Turnbull, 2011; Mislan, Casey, & Kessler, 2010; Raghav & Saxena, 2009). This research
identified the importance of mobile forensics in modern day forensic investigations and the
substantial gaps in current research concerning emerging mobile device technologies. Due to the
ongoing technological trends occurring within our society, the need for forensically sound
mobile forensic practices is greater than ever. The scope of this project touched on various
challenges mobile forensic investigators face when dealing with emerging mobile device
technologies during mobile forensic investigations. A more in-depth look into specific forensic
challenges and other various mobile operating systems outside of the operating systems
researched could be performed in order further identify additional challenges not mentioned in
this research.
Recommendations for Research
This study touched on the various challenges that mobile forensic investigators face when
performing mobile forensics on emerging mobile device technologies. This study was limited
due to the lack of current research and information that was currently available on the topic of
performing mobile forensics on emerging mobile technologies. The scope of this research was
based solely on existing research that corresponded to the field of mobile forensics. Within the
literature review, the author was able to discover various government and academic articles

49. 44
referencing various mobile forensic topics. Most of the research either discussed various mobile
forensic topics at a high level and offered minimal insight or provided a thorough in depth
analysis on a single particular topic.
In order to resolve these issues currently seen within the field of mobile forensics the
author recommends a collaboration between the manufacturers of mobile device technologies
and various experts within the field of digital forensics. Having this collaboration between the
two parties can allow for the creation of specific standards and guidelines for mobile device
technologies and relevant research on emerging mobile device technologies. Having this up to
date information will help resolve any ongoing issues seen in the field of mobile forensics.
Research within the field of mobile forensics needs to be a constant ongoing process due
to the constant evolving nature of mobile device technologies. As long as mobile device
technologies and their capabilities are evolving, so must the mobile forensic investigators and
their forensic practices in order to fill in the gaps and discrepancies within the field of mobile
forensics. By having this understanding and knowledge of how a mobile device operates, a
mobile forensic investigator can be better prepared when handling a mobile device during a
forensic investigation.
Mobile Manufacturer’s Collaboration with the Forensic Community. Rapid
evolution of mobile device technologies and their short release cycles of less than 1-2 years are
directly responsible for the ongoing challenges mobile forensic investigators face during mobile
forensic investigations. The unusually short development cycle of mobile device technology
makes it difficult for mobile forensic investigators, forensic tool developers, and forensic
researchers to develop forensic tools, procedures, and protocols in order to assist the forensic
investigators in the field during their investigations. In order to mitigate these challenges, there

50. 45
needs to be a working group collaboration between various mobile device technology
manufacturers and various organizations within the digital forensics community. Only through
such collaborative efforts, can the various challenges facing mobile forensics be addressed and
resolved.
The proposed professional working group collaboration would be comprised of
professionals and experts from various mobile device manufacturers and developers of mobile
device technologies, along with numerous subject matter experts in the field of mobile forensics.
This dynamic working group of professionals and experts would be headed up by the NIST. The
main goal of this working group of subject matter experts would be to collaborate with the
various manufacturers and developers of mobile device technologies and create various controls
and contingency plans in order to quickly address and mitigate various mobile forensic issues.
This working group partnership and collaboration would allow the digital forensics community
to educate the software developers and manufacturers of mobile device technologies on the
importance of proper digital forensic principles and practices.
By creating this understanding amongst manufacturers, developers, and the forensic
community, the working group could create regulations that can assist mobile forensic
investigators. Regulations created by the working group can hold manufacturers accountable for
providing digital forensic tools that are capable of unlocking data stored within the newly created
mobile device technology. These forensic toolkits would be provided to the NIST prior to the
release of the mobile technology. By creating and enforcing this regulation and others like it,
mobile examiners will possess fully functional tools that will allow them to perform mobile
forensics on new emerging mobile device technologies.

51. 46
The ultimate goal of educating the manufacturers and developers on forensic principles
and practices would be to increase their awareness of the ongoing issues that they are creating for
the mobile forensics community. Having this mutual understanding the working group can begin
working with the manufacturers and begin developing standardized guidelines and practices to
which all software developers and manufacturers can adhere. By having these standardized
guidelines and practices in place the various challenges mobile forensic investigators and
forensic tool developers face, would be greatly mitigated.

52. 47
Conclusion
Mobile forensics has become increasingly important in the field of modern digital
forensics and forensic investigations. Rapid development and cutting-edge advancements in
mobile device technologies provide mobile device users with great capabilities to communicate
with one another and have information readily available to them. As a result of integrating these
mobile technologies into our everyday lives, mobile devices are capable of storing troves of
personal information that can provide specific details about the individual mobile device user.
During a forensic investigation, the information stored within a seized mobile device can be a
great source of evidence that can assist an examiner throughout the forensic investigation.
As a result of the rapid development of these emerging mobile device technologies, the
consumer market is flooded with various mobile device configurations that possess a multitude
of capabilities. The mobile forensic community faces the challenge of attempting to keep mobile
forensic practices and guidelines up to date as new emerging mobile device technologies are
created and developed. Without updated research and information on proper forensic practices
on how to handle emerging mobile device technologies during a mobile forensic investigation
various challenges could arise that could hinder the ongoing forensic investigation.
Current studies within the field of mobile forensics rely on publications that are
considered outdated within the field of mobile forensics due to the rapid evolution of mobile
device technologies and their capabilities. A majority of the documents available either provide
basic overall insight on basic mobile forensic principles, or provide in depth analysis and
research on a specific topic. These factors demonstrate the dire need for current and ongoing
research in mobile forensics in order to address the ongoing challenges that are created by
emerging mobile device technologies.

53. 48
This capstone project demonstrated the importance of mobile forensics within current
forensic investigations. Various data stored within a mobile device can provide the mobile
examiner with useful information during a forensic investigation. The data extracted and
analyzed from a mobile device can provide the examiner with detailed information allowing
them to create a timeline corresponding to the various actions and activities that were performed
by the user on the mobile device. The extracted and analyzed information from the mobile
device can also provide the examiner with additional leads within the case that can provide
additional evidence that is related to the ongoing investigation. This research on the various
challenges forensic examiners face when performing mobile forensics on emerging mobile
device technologies provided great insight into an ongoing issue within the field of mobile
forensics.
Not all forensic investigations result in the solving of a crime or a capture of a malicious
individual. A mobile forensic investigator can only contribute to the ongoing investigation by
performing forensically sound mobile forensics on the emerging mobile devices that are
encountered throughout an investigation. The evidence that is extracted and analyzed from these
mobile devices can provide law enforcement with useful insight that could ultimately result in
the capture of a malicious criminal or prevention of a future criminal or terrorist act.

54. 49
References
3GPP (n.d.). GSM Spec History. Retrieved from:
http://www.3gpp.org/specifications/gsm-history
Abrams, L. (July 17, 2012). What is a File Extension? Retrieved from:
www.bleepingcomputer.com/tutorials/whats-is-a-file-extension/
Ahmed, R., Dharaskar, R., & Thakare, V. (April, 2014). Forensic Preservation of Digital
Evidence on Mobile Devices from the Perspective of Efficient Generalized Forensics
Framework for Mobile Devices (EGFFMD). International Journal of Advanced Research
in Computer Science, 5(4), 214-218. Retrieved from:
https://www.academia.edu/9466536/Forensic_Presevation_of_Digital_Evidence_on_Mo
bile_Devices_EGFFMD
Aitel, D. (n.d.) MOSDEF. Retrieved from:
www.blackhat.com/presentations/bh-federal-03/bh-fed-03-aitel.pdf
Armistead, L. (March, 2007). ICIW 2007 2nd
International Conference on i-Warfare and
Security. Naval Postgraduate School, Monterey, CA March 2007: Anti-Forensics:
Techniques, Detection and Countermeasures
Aman, S. (June 23, 2011). New Report Finds U.S. Consumers Driving Adoption of Newest
Wireless Handsets. Retrieved from:
www.mobilefuture.org/newsroom/new_report_finds_u-s-_consumers_driving_adoption_
of_newest_wireless_handset/
Anwar, M. & Imran, A. (n.d.). A Comparative Study of Graphical and Alphanumeric
Passwords for Mobile Device Authentication. Retrieved from:
ceur-ws.org/Vol-1353/paper_11.pdf

55. 50
Aouad, L. (2008). The Changing Face of Digital Forensics. Retrieved from:
http://www.evidencemagazine.com/index.php?option=com_content&task=view&id=120
8
Apple. (2015). If you forgot the passcode for your iPhone, iPad, or iPod touch, or your device is
disabled. Retrieved from:
https://support.apple.com/en-us/HT204306
Asokan, M. (February, 2013). Android vs. iOS – An Analysis. International Journal of
Computer Engineering & Technology (IJCET), 4(1), 377-382. Retrieved from:
www.academia.edu/2958151/ANDROID_Vs_iOS_AN_ANALYSIS
ATT. (2015). Unlock SIM card with PUK code. Retrieved from:
www.att.com/esupport/article.jsp?sid=KB64870&cv=820
Australian Crime Commission. (n.d.). Cyber and Technology Enabled Crime. Retrieved from:
https://www.crimecommission.gov.au/publications/intelligence-products/crime-profile-
fact-sheets/cyber-and-technology-enabled-crime
Ayers, R. & Jansen, W. (n.d.). Forensic Software Tools for Cell Phone Subscriber Identity
Modules. Retrieved from:
http://csrc.nist.gov/groups/SNS/mobile_security/documents/mobile_forensics/pp-SIM-
tools-final.pdf
Ayers, R., Brothers, S., & Jansen, W. (May, 2014). Guidelines on Mobile Device Forensics.
NIST Special Publication 800-101, Revision 1.
http://dx.doi.org/10.6028/NIST.SP.800-101r1
Badgaiiyan, C., Dewangan, A., Pandey, B., Yeulkar, K., & Sinha, K. (2012). A New
Steganographic Technique: Image Hiding In Mobile Application. International Journal