Mobile Investigations: Investigation Plan
MOBILE INVESTIGATIONS TRANSCRIPT

Screen 1
You're the lead digital forensic investigator for the Glaxsom County Sheriff's Department. The department is handling a case where a local teenage girl has gone missing.

Screen 2
Sheriff Jamison informs you that the teen's iPhone was retrieved from the mother, but she does not have the passcode.

Screen 3
You also learn that the teen's mother logged into her daughter's Facebook account and saw some things that alarmed her. It seems that the teen had recently friended a man the family does not know, and the two had been engaging in flirtatious conversations over the past two weeks.

Screen 4
Lastly, Sheriff Jamison tells you that the Internet service provider has provided call logs for the teen's phone, after a search warrant for the information was served.

Screen 5
Sheriff Jamison: "I need a report by the end of the week that details the current state of mobile incident response and investigation. You'll need an investigation plan, a forensic report based on processing the image from the phone, and an analysis of tools that I should prepare our department to use in cases like this. You're one of our lead investigators—I know you can do this."

Mobile forensics is an increasingly complex environment for investigators because of the rapid rate of innovation and adoption of new technologies, applications, and hardware. Smartphones are being used in so many different ways that they have become a central focus in digital forensic investigations. The mobile platform is a forensic challenge because of the number of third-party applications found on many devices, the rapidly evolving security measures employed by the device manufacturers and application developers, and the explosive growth in the use of mobile devices and options.

Mobile devices include cell phones, tablets, and wearables, with literally several thousand different devices, equipped with countless types of interfaces, operating systems, and connectivity options.
This type of environment has many implications for the incident responder. The number of devices makes it impossible to be well-versed in each one, complicating analysis. The sheer number of devices also makes it very expensive to stay abreast of the major players in the market. Users tend to choose mobile devices based on their portability, number of communication interfaces and sensors (e.g., GPS), and easy wireless Internet connectivity. The features that make these devices popular are the same features that make them a critical piece of a digital forensics investigation.

In the steps that comprise this project, you will examine mobile investigative challenges, as well as the techniques and technologies available to perform mobile forensic examinations. First, familiarize yourself with the details of the case and the basics provided by the sheriff. Then, you will need to develop an investigation plan that describes the current state of mobile incident response and investigation. As you proceed through Project 4, you will get hands-on practice using the forensic tool MPE+ by AccessData and complete a forensic report. The next component will be a comparative analysis, in which you will describe the features of companion mobile phone forensic tools and recommend tools and techniques to use in the current investigation. The final component is a comprehensive forensic investigation report that will synthesize the investigation plan, forensic report, and comparative analysis.

Now that you know what’s ahead of you, move on to the first step of the project.

Step 1: Familiarize Yourself with the Case and Devise an Overall Plan

With a forensic investigation focused on an iPhone, you plan to undertake a series of steps to develop the report for Sheriff Jamison. You’ll start with an investigation plan that describes the current state of mobile incident response and investigation.
In this plan you will discuss the types of mobile phone technologies, challenges presented, and investigative techniques. The goal of this plan is to summarize the current landscape with mobile phone forensics, the guidelines for how examiners approach mobile phone evidence, the challenges posed by iPhones, limitations and constraints, and the expectations for forensic analysis of this device.

Next, you’ll focus on analyzing a mobile phone image using AccessData’s Mobile Phone Examiner Plus (MPE+). MPE+ is a forensics tool used to detect, collect, and uncover data from iOS and Android mobile phones. As part of the AccessData suite, MPE+ integrates seamlessly with FTK, a leading tool used in digital forensic investigations. You’ll use what you learned about MPE+ to complete a forensic report.

Then, you’ll conduct a comparison analysis that scans the environment to evaluate, compare, and contrast three mobile phone forensic tools—companion tools to MPE—that could be used to address the concerns Sheriff Jamison identified in the case. This comparative analysis will culminate in your recommendation of a mobile phone forensic tool that best fits the needs of this investigation.

The final step is a comprehensive forensic investigation report to Sheriff Jamison that includes the investigation plan, as well as reports from the MPE+ investigation with your findings, the comparative tool analysis, and case overviews and conclusions.

Step 2: Write an Investigation Plan

As a preliminary step in the process, Sheriff Jamison asks you to write an investigation plan identifying how you, as the digital forensics investigator, can assist with the case by examining the missing girl’s iPhone for footprints, and by providing a description of the considerations and mobile investigative challenges associated with mobile forensics and mobile platforms, including third-party applications, security measures, communication interfaces, and sensors.
As a reporting technique, this plan should include the following:

- where mobile phone data may be extracted from
- what types of mobile phone data might be present
- how mobile phone data can be retrieved from an iPhone
- how the data will be forensically preserved and analyzed
- mobile phone applications that may hold useful information to this case
- how the evidence will be handled in anticipation of court admissibility

Based on your experience and expertise, you know to include deep diving to locate deleted and locked data and timelines, as well as geographic information systems and Bring Your Own Device. As you prepare to scan for tools to use in this investigation, you outline the need to look at the phone (SIM/USIM), and any additional memory (SD/memory cards), for call logs, text and SMS messages, contacts, graphics, web history, location information, Wi-Fi connections, and application data. The goal of this plan is to summarize the current landscape with mobile phone forensics and mobile incident response and investigation, the guidelines for how examiners approach mobile phone evidence, the challenges posed by iPhones, limitations and constraints, and the expectations for forensic analysis of this device.

Construct an investigation plan that addresses the concerns listed above. An investigation plan would typically be four to six pages, not including images and references. Use APA format and submit your plan to Sheriff Jamison (your instructor) for review and feedback. You will include the investigation plan in your forensic investigation report. Now you are ready to begin your investigation!