ArticlePDF Available

Abstract and Figures

The aim of this article is to show forensic investigation methods for mobile phones to students in a university forensic lab environment. Students have to learn the usefulness of forensic procedures to ensure evidence collection, evidence preservation, forensic analysis, and reporting. Open source tools as well as commercial forensic tools for forensic investigation of modern mobile (smart) phones are used. It is demonstrated how important data stored in the mobile device are investigated. Different scenarios of investigations are presented that are well-suited for forensics lab work in university.
Content may be subject to copyright.
Examination of mobile phones in a university forensic lab
environment
Silas Luttenberger, Knut Kr¨oger
and Reiner Creutzburg
Brandenburg University of Applied Sciences, Department of Informatics and Media,
Magdeburger Straße 50, D-14770 Brandenburg, Germany
ABSTRACT
The aim of this article is to show forensic investigation methods for mobile phones to students in a univer-
sity forensic lab environment. Students have to learn the usefulness of forensic pro cedures to ensure evidence
collection, evidence preservation, forensic analysis, and reporting.
Open source tools as well as commercial forensic tools for forensic investigation of modern mobile (smart)
phones are used. It is demonstrated how important data stored in the mobile device are investigated. Different
scenarios of investigations are presented that are well-suited for forensics lab work in university.
Keywords: Cell phone forensics, forensics for mobile devices, cell phone, mobile phone forensics, Smartphone
forensics, iPhone forensics
1. INTRODUCTION - DIGITAL FORENSICS
In the last years the number of mobile phones sold has increased greatly. Almost every
person owns one cell phone
and uses it every day. Many models with different functions, structure and technical accessories are relea sed
every year. How can an examiner analyze this diversity of devices with the whole range of functions? This is only
possible with a good knowledge and understanding of those devices
7
. So it becomes more and more important
t
o organize a goo d training for new specialists in this field. E specially because forensic investigations are not
only important for the police. Even in private companies, examiners are increasingly needed to analyze internal
violations for the court. Because of confidential or secret informa tion they can‘t ask for exter nal support. That‘s
why training for new staff becomes more important. The education and training for computer for ensics, especially
in this paper for mobile phone forensics ca n already start in the universities, for example in the computer science
programs, giving the students a basic knowledge of forensic investigation methods. This c an be done with the
help of tasks and practical work.
In this study an overview is given of what a lab for forensic investigation can look like. Besides, some practical
work examples are shown and what is needed for a lab.
First of all it is important to know what digital forensics means?
Digital forensics is the examination of hardware or software in the pursuit of evidence to disprove
or prove an allegation. Handheld forensics is the examination of hardware and software that are
typically an integrated unit in the pursuit of evidence to disprove or prove an allegation
1
.
The
main difference between computer forensics and cell phone forensics is tha t the investigator has to handle
a diversity of different hardwar e and software standards. Besides, mobile phones have their own methods for
communication and special data formats and op eration systems. The approaches of investigation are very diverse
and differ a lot from the standard forensic approaches with computers.
The information that can be obtained from a cell phone depends on the device, manufacturer and model.
Dependent on the facts of the case and the device, the following information can be obtained from the phone:
Further author information: (Send correspondence to S. Luttenberger)
S. Luttenberger: E-mail: luttenbe@fh-brandenburg.de
K. Kr¨oger: E-mail: kroeger@fh-brandenburg.de
R. Creutzburg: E-mail: creutzbu@fh-brandenburg.de, Phone: +49 (0) 3381 355 442
phone book with contacts, calendar, notes, voice notes, video, audio, pictures, calls(missed, dialed and received),
e-mails, Internet activities, IMEI (International Mobile Equipment Identity) for GSM devices, MEID (Mobile
Equipment Identifier) for CDMA devices, games and applications. For Smartphones text messages have to be
added to the list, because they don‘t save them anymore on the SIM car d, but on the device itself. Especially
from pictures, emails, Internet proto cols, audio data, videos, notes, calendar entries and protocols of calls one
can get very imp ortant information about social contacts, offenders, victims, places and activities at a certain
time. All this information can be evidence in a forensic investigation.
For an investigation of a mobile device the same approaches and procedures are used as for the general
computer forensics
4
. That‘s why the students have to know the two basic forensic approaches for an investigation,
Liv
e Analysis and Post Mor tem Analysis. The students should know about the hash codes too and what they
are used for.
Live Analysis
The Live analysis is the investigation of the device while it‘s still working. This approa ch makes it possible
to collect volatile data. The advantage of the live analysis is that the examiner can comprehend the workflow of
processes. The disadvantage is the manipulation of data, because of the active usage of the system. Proto cols
and the access time for data will be updated. Additionally, new processes can be created and the memory will
change. The examiner risks activating badly programs or processes on the device which can manipulate data,
delete or hide them while searching manual on the pho ne
8
.
Po
st Mortem Analysis
A Post Mortem analysis will be applicable after an incident and on an image of the device. The image has to
be a one-by-one copy of the examination object. On tho se hard disk images and memory dumps interesting data
like pictures, movies, log files or deleted files are investigated. The advantage of using a forensic image is that
no processes or data will be manipulated or deleted. The investigation is independent of the device, therefore
the device can used for another investigation. Additionally it is possible to cr eate a chain of evidence.
Hash code
Hash codes are ver y important for computer forensics, because they are like a fingerprint of data. One file
will always get the same hash code as long as the content, name or other attributes are not changed. Thereby
a manipulation on a file may be detected. That‘s why hash codes are used especially for the integrity of data
in computer forensics. Many forensic programs calculate the ha sh c ode during the investigation process for each
investigated file. If this is not the case separate programs like HashCalc can calculate the hash code for each file,
image or drive.
2. EXPERIMENTAL ENVIRONMENT LAB STRUCTURE
Giving an overview of what a lab environment can look like, the structure of the IT and
Media Forensics
Laboratory in Brandenburg University of Applied Sciences is used as an example. For a forensic investigation,
different equipment is needed which should be up-to-date to support a wide range of devices. This includes a
diversity of different possibilities o f tasks. Figure 1 a) and b) show two pictures of the lab environment.
For a good workplace the student groups should be small. The following list shows the e quipment of the
forensic lab that is used for the analysis of mobile pho nes:
10× Windows 7 (64 Bit) PC‘s with 4 GB RAM, 1 TB hard drive, NVIDIA graphics card GTX560 Ti (2
GB), 3× removable hard drives slots
2× Forensic Workstation ACME Portable Sherlock 763
SIM card reader
AccessData For ensic Toolkit (FTK) (Version 3.1.2)
FTK Imager (Freeware) (Version 3.0)
X-Ways Forensics (Version 15.6)
Guidance Encase 6 (Version 6.13)
Oxygen Forensic Suite 2010 (Version 3.0.0.0)
Elcomsoft Bundle + Clients (Version 5.0)
Paraben SIM Card Seizure (Version 2.0)
Passware Kit Forensic (Version 10.1)
MOBILedit!Lite (Freeware)(Version 5.0.2.1015)
WinHex (Freeware) (Version 15.8)
Data Recovery Software GetDataBack (Version 4 .2)
MS Office (Windows 2007)
From this list FTK, X-Ways, Encase, Oxygen, Paraben and MOBILedit! are programs for forensic investigation.
Whereby especially Oxygen is used for cell phone forensics and Paraben SIM Card Seizure for analyzing SIM
cards. The others are helpful for the work a nd used in other forensic exercises. FTK, Paraben and MOBILedit!
have a specialized software for cell phone forensics. All programs which can be used for mobile forensics support
thousands of cell phones, functions like image reading and crea tion, report creation, hash verification of files and
images.
Different programs are needed to get lots of information out of an object, especially when it comes to
mobile phone forensics
7
. The forensic programs support different devices and they do not always get the same
info
rmation
6
. Commercial forensic software is not needed for all experiments and tasks. Some Freeware examples
are listed above. For example with a hex editor like WinHex, some backup files of a cell phone which can be
found in the Internet c an be viewed. The freeware version o f MOBILedit! is good to get an idea of what a
forensic program can look like and work (the real forensic software is MOBILedit! Forensic).
(a) Portable forensic workstation (ACME Portable) (b)Labenvironmentinuse
Figure 1: Forensic lab o ratory environment of Brandenburg University of Applied
Sciences
3. LAB EXERCISES FOR FORENSIC INVESTIGATION OF MOBILE PHONES
Because of the software which is used in the Forensics Lab at the Br andenburg University of Applied Computer
Science, the following exercises are based on these programs. The pr ocedures are almost similar on other forensic
software.
In general examinations the examiners have to ask themselves different questions which makes it ea sier to
focus on special details and finding the right evidence.
The following questio ns
9
are interesting in forensics:
Wher
e was the device found?
Who is the owner of the device and is it possible to allocate it to an individua l person?
How can the device be linked to a criminal offense?
Which log files, like for example e-mail access, can be analyzed?
Which identification number is allocated to the device or SIM card?
Which provider is allocated to the device?
Has the device a camera and which data can be extracted from it?
Can the device be connected to the Internet?
Can cookies be read or recovered from the device?
Can groups of people and relations between them be reconstructed with the help of phone book entries or
saved SMS, MMS or e-mails?
Which phone calls were held? (Who? When? How long?)
Are there calendar entries or notes saved?
Which music files are saved?
Also helpful for an investigation is a flowchart for preservation of mobile devices (see figure 9), which shows
the different steps of the investigation and how to react in certain situations.
3.1 Lab exercise 1: Investigation of an individual mobile phone
9
Aim of the lab exercise: file
structure, information finding, image creation, forensic investigation with Oxygen
Forensic Suite 2011
Introduction, Background
In this exercise the students can choose either their own cell phone or one of the lab‘s phones. It is the standard
form of an investigation on a mobile phone. To show the pro cess a Windows Mobile Phone HTC P3600 is used.
For the task, the device will be connected via cable or bluetooth, but cable is recommended, because most devices
don‘t have Infrared and for Bluetooth changes must be made to the phone like adding a connection number or
installing an application on the phone for the connection.
Procedure
At the b eginning of the investigation process the program Oxygen Forensic Suite 2011 has to be started. The
user finds a button in the left corner called connect new device (see figure 2). After this button is pressed a
window will be opened where the user can choos e o ne connection type like Bluetooth, Infrared or Cable (see
figure 3). Students can try all the ways, but the best way here is to use the connection via cable, because this
changes nothing on the phone. The next window will show the detected device (see figure 3b)). If the information
of the detected device are right, the next button can be pressed. Now the window (see figure 4a), appears where
the students can write some notes and information for the evidence case. The next step is to select the data
which should be read from the phone (see figure 4b)). After the data type selection, the data will be read from
the phone in some seconds and a window will appear which shows the general information about the phone and
what was read from the phone (see figure 5). In this case the information about the Windows Mobile Phone are
shown like the IMEI, hardware and software revision, which hash algorithm was used for verification and on the
right side of the window the information which was extracted from the phone like how many contacts, messages,
calendar entries, event logs and file browser. Now the students can look through the different categories. In
figure 6 the file structure was chosen which looks similar to Windows E xplorer. Here in the file structure the
entries of the folders can be viewed and the folders which can be interesting for the case can be chosen and
extracted in a report or separate file format.
Results
At the end of the task, the students should know the general process, how to connect, how long the extraction
takes and how to read the data of a cell phone. They should know the difference between the connections via
cable, Blueto oth and Infrared, what are the advantages and disadvantages of the connection types. Students
have to figure out the important information of the phone like IMEI, memory size, mobile phone type, software
and all kind of entires (messages, notes, phone book, event logs, calendar entries, ... ). Optionally they should
create a report or export some of the information they found during the examination.
3.2 Lab exercise 2:
Investigation of a mobile phone image
9
Aim of the lab exercise: file structure, data retrieval of a cell phone image, information finding
Introduction, Background
Students can choose one or two of the following mobile phone fore nsic images that are produced by Oxygen
Forensics (see http://www.oxygen-fo rensic.com/en/download/demo
archives.php). The students have to lo ok
for information which can be important in an investigation. They should learn how to handle a forensic image
and what information can be found in it. This task is based on the lab exercise 1. For this task Oxygen Fo rensic
Suite is used again. As an alternative the FTK Imager can also be used to see how far the students get with it
compared to Oxygen and if they get the same information out of the backup file.
Procedure
First at all the students get the task sheets. They form teams so that the different groups are searching o n
various images. After that the groups can choose one of the following backup files, which are made with Oxygen
(from the Oxygen website above):
iphone3g.ofb
nokian95.ofb
gsmartmw700.ofb
nokian73.ofb
iTunes
nokia6500classic.ofb
iphone1.ofb
blackb erry8800.ofb
motorola
droid.ofb
tmobileg1.ofb
Now the students have to load the backup file and look through the file structure for information which can
be of interest to an examiner. All steps of the examination must be documented with the help of screensho ts,
so that the groups can compare the results and problems they faced during the investigation. In the end the
students can create a report with all information or only with the informatio n they think is of importance for a
case.
Results
As a result the students should define which data structure they are faced with. They should show what data
they found, if only pictures and files or also system data or maybe deleted data. At the end, all students should
know how to use forensic software like Oxygen for analyzing cell phone backups. The comparison of the results
with other groups makes clear that cell phones use different data file types and that not everything is supported
by the software. Students should know why an image is used for an analysis and what a hash code is needed o r
used for during the investigation. Ano ther outcome can be a forensic report, so that the students get to know
what a report looks like. The students can find out that the forensic images from Oxygen can also be read by
FTK Imager, when this option is used.
3.3 Lab exercise 3: SIM card forensics
8
Aim of the lab exercise: file
structure of the SIM card, and data retrieval from SIM cards
Introduction, Background
Different information from the SIM card is important for an investigator. This includes the phone book with
contacts, a nd also received and written messages. Sometimes some forensic programs can reconstruct deleted
messages. On some mobile phones the user can choose if this information shall be saved on the SIM card or on
the device. From the phone book and SMS the examiner can get lots of important information, like contacts
to other persons, communication traffic, time and date as well as passwords, the PIN and e-mails which can be
saved in text messages or phone b ook entries. Therefore received, dialed and missed calls are logged in a protocol.
These logs can show time, date and communication partner, thus giving digests of persons possibly involved in
the case. Otherwise the SIM card has mainly saved information of services, networks, PIN and PUK code. Other
interesting details are: the IMSI (International Mobile Subscriber Identity) and is the unique number of a SIM
card, which identifies the user to the mobile phone provider. From these digits an investigator can get the Mobile
Country Code (MCC), Mobile Network Code (MNC) and the Mobile Subscriber Identification Number (MSIN),
which is the identification number of a mobile station (the device itself). Each SIM card has an Integrated
Circuit Card Identification (ICCID), which is mostly printed on the SIM card and saved in the memory. The
ICCID is a serial number and has up to 18 digits plus one check digit, which is necessary for error detection
andiscalculatedwiththeLuhn algorithm. With the check digit input errors of digits and permutations of two
digits can be detected
2
. For this task, Paraben SIM Card Seizure is
used because Oxygen does not support the
examination of SIM ca rds via SIM card reader.
Procedure
The procedure of an investigation of SIM cards is very similar to on a mobile phone. Just the connection is a
bit different, because a SIM card reader is needed which can be connected via the USB port. At the beginning
the students have to connect the SIM card re ader with the computer and start the forensic software. They can
choose their SIM card and put it in the reader. In Parab en SIM Card Seizure the students have to create first
a file (.cse) which saves the information about the evidence (see figure 7a )). After that it is possible to start
data acquisition from the SIM card. Now some windows will show up where the user chooses the supported
manufacturer, models and connection type and can include some information about the case. This information
will be written in the final report. After that the PIN has be entered. Then a window appears for selection of the
data which should be extracted (see figure 7b)). The following window shows an overview of all selected options
and included entries (see figure 8a)). Right after this list the data of the SIM card will be extracted (takes a few
minutes) and show up as a list (see figure 8b)). In this list data like messages, logs, provider and others can be
viewed. At the end o f the extraction a report can be created and saved in different data types.
Results
As a result the students should get text messages and basic information out of the card. They should understand
how the file structure is built and that different SIM cards exist some of which extract the data structure and
deleted messages and some not. At the end they know how a n examination of a SIM card works with Paraben
SIM Card Seizure and how to crea te a forensic rep ort with it.
4. CONCLUSION
Mobile phone forensics becomes more and more important and should be a part of the normal computer science
cu
rriculum in a university. In this paper an overview was given of a set of laboratory exercises for mobile phone
forensics based on the environment of the Brandenburg University of Applied Sciences IT - and Media Fo rensics
Lab. It was shown what tasks can be used for students and some optional variations. There are lots of other
tasks which can be used to teach the basics of forensic investigations to students. The forensic investigation of
iPhones was not discussed in this paper, because it is a to pic of separate papers (see for iPhone fo rensics
310
). The who le learning effect in the differen
t tasks can be improved when scenarios are created which show an
example of evidence of a criminal activity.
5. PROSPECT
In the next years investigations of mobile phones will become more difficult because of the diversity of functions,
A
pps (applications), anti-forensics and malware like viruses, trojans or worms. That‘s why many forensic sci-
entists are needed in the future to improve the forensic software for making investigations possible and court
ready. It will always be difficult for examiners to be up-to-date in a fast growing area like mobile phone forensics,
but this makes it interesting. For examiners there will be enough challenges in the future and enough work for
forensic investigations. Especially because mobile phone usage reflects the daily life of many people.
ACKNOWLEDGEMENTS
Special thanks to Karl
K
¨
ummel (M. Sc.) and Thomas H
¨
one (B. Sc.), who helped us during writing this
paper and making the practical experiments.
References
[1] Cohen, T. and Schroader, A., Alternate Data Storage Forensics, Syngress Publishing, Inc. 2007.
[2] Jansen, W. and Ayers, R., Forensic Software Tools for Cell Phone - Subscriber Identity Modules”, National
Institute of Standards and Technology, Technical Rep ort CISE-CSE-08-05, 2006.
[3] one, Th., “iPhone-Forensik mit MAC OS X basierten Open-Source-Anwendungen”, B. Sc. Thesis, Fach-
hochschule Brandenburg - University of Applied Sciences, Depa rtment of Informatics and Media, Brandenburg
(Germany), 2010.
[4] Geschonneck, A., Computerforensik Computerstraftaten erkennen, ermitteln, aufkl¨aren, ISBN 0596153589,
O‘Reilly, 2008.
[5] Jansen, W. and Ayers, R., “Guidelines on Cell Phone Forensics”, Special Publication 800-101, National
Institute of Standards and Technology April 2007, Sponsored by the Department of Homeland Security.
[6] Luttenberger, S., “Forensik ausgew¨ahlter mobiler Endger¨ate”, B. Sc. Thesis, Fachhochschule Brandenburg -
University of Applied Sciences, Department of Informatics and Media, Brandenburg (Germany), 2010.
[7] Volonino, L. and Anzaldua, R., Computer Forensics For Dummies, Wiley Publishing, Inc. 2008.
[8] Luttenberger, S. and Creutzburg , R., “Forensic inve stigation of certain types o f mo bile devices”, Proc. SPIE
7881, (2011).
[9] Kr¨oger, K., “Concept, Implementation, Test and Evaluation of Laboratories for Professional Continuing
in Computer and Mobile Forensics (in German)”, M.Sc. Thesis, Fachhochschule Brandenburg - University of
Applied Sciences, Department of Informatics and Media, Brandenburg (Germany), 2011.
[10] one, Th., “iPhone forensics - a practical overview with certain commercial software”, Proc. SPIE 8063,
(2011)
Figure 2: Connection button for the device or image
(a) Connection type (b) Detected device
Figure 3: Oxygen Forensic Software connection process
(a) Information input (b) Data selection
Figure 4: Oxygen Forensic Software information input and data selection
(a) Filling information about the Examiner (b) Selection of data which should be read
Figure 7: Creation of a new case and data type selection with Paraben SIM Card Seizure to be seized extracted
(a) Information overview (b) Explorer view of read data
Figure 8: Paraben SIM Card Seizure information overview and list of extracted data
Figure 9: Flowchart of Geschonneck for pr e servation of mobile devices
3
... The second traineeships deals with the forensic examination of mobile phones. The exercises include the correct connecting and readout of a mobile phone, the detailed study of individual types of mobile phones including iPhone, Nokia or Android phones and a special viewing of forensically interesting differences, such as the analysis of an iPhone with and without jailbreak (see [7]). Using the presented training concept, more than 20 exercises have been created. ...
Chapter
Full-text available
IT security and computer forensics are important components in the information technology. From year to year, the number of incidents and crimes increases that target IT systems or were committed with their help. More and more companies and authorities have security problems in their own IT infrastructure. To respond to these incidents professionally, it is important to have well trained staff. The fact that many agencies and companies work with very sensitive data makes it necessary to further train the own employees in the field of IT forensics. Motivated by these facts a training concept, which allows the creation of practical exercises is presented in this paper. The focus is on the practical implementation of forensic important relationships.
Chapter
Full-text available
The growth of Android in the mobile sector and the interest to investigate these devices from a forensic point of view has rapidly increased. Many companies have security problems with mobile devices in their own IT infrastructure. To respond to these incidents, it is important to have professional trained staff. Furthermore, it is necessary to further train their existing employees in the practical applications of mobile forensics owing to the fact that a lot of companies are trusted with very sensitive data. Inspired by these facts, this paper − a continuation of a paper of January 2012 [1] which showed the conception of a course for professional training and education in the field of computer and mobile forensics − addresses training approaches and practical exercises to investigate Android mobile devices.
Conference Paper
Full-text available
IT security and computer forensics are important components in the information technology. From year to year, incidents and crimes increase that target IT systems or were done with their help. More and more companies and authorities have security problems in their own IT infrastructure. To respond to these incidents professionally, it is important to have well trained staff. The fact that many agencies and companies work with very sensitive data make it necessary to further train the own employees in the field of network forensics and penetration testing. Motivated by these facts, this paper - a continuation of a paper of January 2012 [1], which showed the conception of a course for professional training and education in the field of computer and mobile forensics - addresses the practical implementation important relationships of network forensic and penetration testing.
Conference Paper
Full-text available
The growth of Android in the mobile sector and the interest to investigate these devices from a forensic point of view has rapidly increased. Many companies have security problems with mobile devices in their own IT infrastructure. To respond to these incidents, it is important to have professional trained staff. Furthermore, it is necessary to further train their existing employees in the practical applications of mobile forensics owing to the fact that a lot of companies are trusted with very sensitive data. Inspired by these facts, this paper - a continuation of a paper of January 2012 [1] which showed the conception of a course for professional training and education in the field of computer and mobile forensics - addresses training approaches and practical exercises to investigate Android mobile devices.
Conference Paper
Full-text available
The aim of this article is to give a practical overview of certain commercial software for investigation of the new iPhone 4. It is demonstrated how important data stored in the iPhone are investigated. Different cases of investigations are presented that are well-suited for forensics lab work.
Conference Paper
Full-text available
The aim of this paper is to show the usefulness of Windows based Open Source Tools and other demo versions of software tools for forensic investigation of modern mobile devices. It is demonstrated how important data stored in the mobile device are investigated. Different scenarios of investigations are presented that are well-suited for a inexpensive forensics lab work in university. In particular the forensic investigation of three different cell phones is described: Motorola V3m, Motorola V3i, and BlackBerry 8700g.
Book
Learn to pull digital fingerprints from alternate data storage (ADS) devices including: iPod, Xbox, digital cameras and more from the cyber sleuths who train the Secret Service, FBI, and Department of Defense in bleeding edge digital forensics techniques. This book sets a new forensic methodology standard for investigators to use. This book begins by describing how alternate data storage devices are used to both move and hide data. From here a series of case studies using bleeding edge forensic analysis tools demonstrate to readers how to perform forensic investigations on a variety of ADS devices including: Apple iPods, Digital Video Recorders, Cameras, Gaming Consoles (Xbox, PS2, and PSP), Bluetooth devices, and more using state of the art tools. Finally, the book takes a look into the future at not yet every day devices which will soon be common repositories for hiding and moving data for both legitimate and illegitimate purposes. * Authors are undisputed leaders who train the Secret Service, FBI, and Department of Defense * Book presents "one of a kind" bleeding edge information that absolutely can not be found anywhere else * Today the industry has exploded and cyber investigators can be found in almost every field.
Article
Cell phones and other handheld devices incorporating cell phone capabilities (e.g., smart phones) are ubiquitous. Besides placing calls, cell phones allow users to perform other tasks such as text messaging and phonebook entry management. When cell phones and cellular devices are involved in a crime or other incident, forensic specialists require tools that allow the proper retrieval and speedy examination of data present on the device. For devices conforming to the Global System for Mobile Communications (GSM) standards, certain data such as dialed numbers, text messages, and phonebook entries are maintained on a Subscriber Identity Module (SIM). This paper gives a snapshot of the state of the art of forensic software tools for SIMs.1
Guidelines on Cell Phone Forensics " , Special Publication 800-101, National Institute of Standards and Technology
  • W Jansen
  • R Ayers
Jansen, W. and Ayers, R., " Guidelines on Cell Phone Forensics ", Special Publication 800-101, National Institute of Standards and Technology April 2007, Sponsored by the Department of Homeland Security.
Computer Forensics For Dummies
  • L Volonino
  • R Anzaldua
Volonino, L. and Anzaldua, R., Computer Forensics For Dummies, Wiley Publishing, Inc. 2008.
Concept, Implementation, Test and Evaluation of Laboratories for Professional Continuing in Computer and Mobile Forensics (in German)
  • K Kröger
Kröger, K., "Concept, Implementation, Test and Evaluation of Laboratories for Professional Continuing in Computer and Mobile Forensics (in German)", M.Sc. Thesis, Fachhochschule Brandenburg-University of Applied Sciences, Department of Informatics and Media, Brandenburg (Germany), 2011.