SMALL SCALE DIGITAL DEVICE FORENSICS JOURNAL, VOL. 3, NO. 1, JUNE 2009, ISSN# 1941-6164
Hashing Techniques for Mobile Device Forensics
Shira Danker Rick Ayers Richard P. Mislan
Abstract- Previous research conducted at the National Institute of
Standards and Technology has shown that mobile device internal
memory hash values are variable when performing back-to-back
acquisitions. Hash values are beneficial in providing examiners
with the ability to filter known data files, match data objects across
platforms and prove that data integrity remains intact. The research
conducted at Purdue University compared known hash values with
reported values for data objects populated onto mobile devices using
various data transmission methods. While the results for the
majority of tests were uniform, the hash values reported for data
objects transferred via Multimedia Messaging Service (MMS) were
variable.
Index Terms - Cell Phone Forensics, Mobile Device Forensics,
Hashing, MMS, MD5.
I. INTRODUCTION
With the increasing popularity and technological advances
of mobile devices, new challenges arise for forensic examiners
and toolmakers [2]. Data recovered from mobile devices has
proven useful in solving incidents and investigating criminal
activity [3]. Cryptographic hash functions provide forensic
examiners with the ability to verify the integrity of acquired
data. The resulting hash value, a fixed-size bit string, is often
used to identify known files and illustrates that data has not
been modified. The two most commonly used hash functions
are MD5 and SHA-1 [4].
Minimal research has been performed on how mobile phone
forensic tools report hash values for individual data objects.
Recent research conducted at Purdue University explored the
hash results reported by mobile device forensic tools for
acquired graphical images (e.g., .jpg, .bmp, .gif). While
research conducted shows consistent behavior across mobile
forensic tools, the following area of concern illustrates the
need for future research: data objects transferred using
Multimedia Messaging Service (MMS).
This paper addresses issues surrounding mobile forensic
tools and the ability to use hashing mechanisms to validate the
integrity of acquired data objects. The document is divided
into the following chapters and appendix:
Terminology: Defines terms used throughout the document.
Previous Research: Provides a summary of earlier research performed in this area.
Methodology: Describes the procedures used for conducting individual tests.
Results: Illustrates the final results of tests conducted over each prescribed scenario.
Conclusions: Provides a summary of the document, test results and future research.
Appendix A: Illustrates individual calculated hash values for individual data objects produced by the forensic workstation and the mobile forensic tools.
II. TERMINOLOGY
Data Transfer Methods: Communication channels (e.g., Bluetooth, Multimedia Messaging Service, etc.) that provide a conduit to populate the internal memory of mobile devices.
Secure Hash: A mathematical algorithm that takes an arbitrary block of data and returns a fixed-size bit string, the hash value, such that any change to the data will modify the hash value.
Mobile Device Data Objects: Individual files (e.g., .jpg, .bmp, .gif, etc.) residing in the internal memory of the mobile device.
Mobile Device Forensic Tool: Acquisition tools designed to perform a logical acquisition from the internal memory of mobile devices.
Personal Computer Forensic Tool: Forensic tools designed to acquire data from hard drives (e.g., IDE, SATA, SCSI, etc.).
III. PREVIOUS RESEARCH
Previous research on mobile device forensic tool hash
generation has been minimal. Ayers, Jansen, Moenner, and
Delaitre [5] performed a series of tests using multiple mobile
forensic tools in an update to their previous publication
regarding an overview of forensic software tools for mobile
devices. Two tests related to hashing were conducted: one to
determine if mobile forensic applications reported consistent
overall case file hashes when performing back-to-back
acquisitions, and the other to validate the reported hash values
of individual files (i.e., data objects) from subsequent
acquisitions. While their research showed that the overall case
file hashes were inconsistent, the majority of tools reported
consistent hash values for individual data objects.
Sobieraj and Mislan [6] researched the metadata stored for
graphical images captured by camera phones. Images contain
metadata known as Exif information (e.g., camera model,
time/date stamp, etc.). Their research showed that date and
time information is variable and cannot be counted on during
an investigation [6]. Therefore, additional metadata attributes
may be useful in determining the source of a picture. If
metadata tied to graphical data was consistent across camera
phones, the Exif information might be useful in addition to
hashing.
IV. METHODOLOGY
Initial preparation began by calculating MD5 hashes for
individual data files listed below in Table 1. Each individual
graphic file was downloaded to a forensic workstation and
hashed using AccessData’s Forensic Toolkit to calculate
MD5. The tool was chosen based on availability. The hash
values reported for acquired data objects by the mobile device
forensic tools were compared to the known start value.
The mobile devices were selected solely on their availability
and similar feature set (e.g., MMS, Bluetooth, internal
camera). Eight pairs of duplicate (i.e., make, model, firmware)
mobile devices were selected. By using duplicate mobile
devices one is able to determine if mobile device forensic tools
report consistent hash values for pre-defined data objects
across shared mobile devices. Two mobile device forensic
tools, Paraben’s Device Seizure [7] and Susteen’s Secure
View [8], were selected due to availability, embedded hashing
functionality, and acquisition support for the selected mobile
devices.
There are numerous ways to transfer data onto a mobile
device. Multiple tests were performed to determine if hash
values remain consistent across various data transmission
methods. The following data transmission methods were
used: universal memory exchanger, MMS, Bluetooth, and
MicroSD. Additional orientation tests were conducted to
determine if reported hash values were modified when a)
altering the role of a stored graphic file (i.e., saving as
wallpaper) and b) transferring the snapshot taken from the
mobile device’s internal camera onto the forensic workstation.
The research involved several objectives, which were: a) to
determine if discrepancies appeared between known hash
values, b) to document that reported hash values remained
consistent and finally, c) to document found anomalies. The
following subsections outline each individual test.
A. Graphic File Format Tests
The graphic file format tests required populating the target
mobile device with graphic files (i.e., .jpg, .bmp, .gif) from a
pre-defined dataset using the Cellebrite UME-36 [9] universal
memory exchanger. The Cellebrite UME-36 was selected
solely on availability and its data transmission scheme. The
Cellebrite UME-36 unit is a stand-alone phone memory
transfer and backup solution.
B. MMS Tests
MMS tests required mobile devices capable of sending and
receiving MMS messages. MMS was used to send a graphic file
to target mobile devices. Once the MMS message was
successfully received on the target mobile device, the graphic
file was saved to the target mobile device internal memory.
C. Bluetooth Tests
Bluetooth tests required Bluetooth enabled mobile devices.
A forensic workstation was used to send a graphic file using
Bluetooth to all target mobile devices.
D. MicroSD Card Tests
The following techniques were used for the MicroSD card
tests based upon the capabilities of the mobile device forensic
tools and mobile devices. Mobile devices not supporting
MicroSD required a graphic file to be saved on a flash drive
and then pushed to the internal memory of the mobile device
using Cellebrite UME-36. For mobile devices that supported
MicroSD and were acquired using Secure View, the graphic
file was copied to the internal memory of the mobile device
from the MicroSD card. Acquisition performed by Device
Seizure allowed a graphic file to be acquired directly from the
MicroSD memory card.
E. Wallpaper Tests
The wallpaper tests required populating the target mobile
device with a .jpg graphic file from a pre-defined dataset using
the Cellebrite UME-36. Once the graphic file was successfully
saved to the mobile device internal memory, the file was
manually reassigned as wallpaper.
F. Camera Phone Tests
Camera phone tests required mobile devices containing an
internal camera. Graphic files taken with the internal camera
phone were transferred to a forensic workstation and mobile
devices using the Cellebrite UME-36.
| File | MD5 |
| --- | --- |
| Test.jpg | 3c3111ded5df821d668aecf9b598100b |
| Bluetooth.jpg | 6c8a1401a3af8264504f16334e774b5c |
| Card.jpg | 77bebd7fb998797dd5768c99fdbda8f6 |
| Mathematics.bmp | 7d3b824769389beadb69b536a0295662 |
| Stress-test.gif | 9b902382728b6bbdc65009a5d1084041 |
| Mail.jpg | d57fac85a5be5a780405a0484254256b |

Table 1: Pre-defined Data Set (Graphic Files) – MD5Sum
V. RESULTS
The following section summarizes the final results and
provides additional information on each test scenario
conducted. Due to the mobile device graphic file format
limitations, the test results for some devices may not contain a
hash entry for a particular test. The subsequent tables illustrate
final test results.
A. Graphic File Format Test Results
Device Seizure and Secure View reported consistent hash
values with the forensic workstation.
B. MMS Test Results
MMS hash values for transmitted graphic files were found
to be inconsistent within different mobile device families. This
prompted a second round of testing to verify whether the
hash inconsistencies were related to different mobile device
MMS format implementations.
C. Round 2 - MMS Test Results
The second round of tests confirmed that a) inconsistent
reported hash values occurred across both alike and different
mobile device families and b) resending saved graphic files
sent using MMS may result in different hash values as
illustrated in Table 6.
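The comparison described in the Methodology, applied to the MMS results, can be sketched as follows. This is an added example, not code from the paper or from the tools it tests; the function names `md5_file` and `classify_reports` and the verdict labels are illustrative, and the hash values are the ones given in Tables 1, 5 and 6.

```python
import hashlib
from collections import defaultdict


def md5_file(path, chunk_size=1 << 20):
    """Stream a file through MD5 so a large data object is never read whole."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


# Known workstation values, copied from Table 1.
TEST_JPG = "3c3111ded5df821d668aecf9b598100b"
MAIL_JPG = "d57fac85a5be5a780405a0484254256b"
BASELINE = {"Test.jpg": TEST_JPG, "Mail.jpg": MAIL_JPG}

# Other values reported after MMS transfer, copied from Tables 5 and 6.
ALT_TEST = "459c85d0fb234482142787c91dfca003"
ALT_MAIL_MOTO = "821718317819a169dcf01ef49eaf0d5c"
ALT_MAIL_LG = "a2712817b8fce9b925e8a710e979e1b9"

# Secure View results: (file, device model, device ID, reported MD5).
REPORTS = [
    ("Test.jpg", "Motorola RAZR V3m", "1347", TEST_JPG),
    ("Test.jpg", "Motorola RAZR V3m", "1556", TEST_JPG),
    ("Test.jpg", "LG VX8550 chocolate", "5297", ALT_TEST),
    ("Test.jpg", "LG VX8550 chocolate", "7361", ALT_TEST),
    ("Test.jpg", "LG VX8350", "7938", TEST_JPG),
    ("Test.jpg", "LG VX8350", "7939", TEST_JPG),
    ("Test.jpg", "Samsung SCH-U540", "8448", ALT_TEST),
    ("Mail.jpg", "Motorola RAZR V3m", "1347", MAIL_JPG),
    ("Mail.jpg", "Motorola RAZR V3m", "1556", MAIL_JPG),
    ("Mail.jpg", "Motorola RAZR V3m", "1347", ALT_MAIL_MOTO),
    ("Mail.jpg", "Motorola RAZR V3m", "1556", MAIL_JPG),
    ("Mail.jpg", "LG VX8550 chocolate", "5297", ALT_MAIL_LG),
    ("Mail.jpg", "LG VX8550 chocolate", "7361", ALT_MAIL_LG),
]


def classify_reports(baseline, reports):
    """Group reported hashes by (file, device model) and label each group.

    match       - every report equals the known workstation value
    altered     - all reports agree with each other but not with the baseline
    divergent   - reports for the same file and model disagree with each other
    no-baseline - no known value exists for the file
    """
    groups = defaultdict(set)
    for name, model, _device_id, value in reports:
        groups[(name, model)].add(value.strip().lower())

    verdicts = {}
    for (name, model), distinct in groups.items():
        known = baseline.get(name)
        if known is None:
            verdicts[(name, model)] = "no-baseline"
        elif distinct == {known.lower()}:
            verdicts[(name, model)] = "match"
        elif len(distinct) == 1:
            verdicts[(name, model)] = "altered"
        else:
            verdicts[(name, model)] = "divergent"
    return verdicts


def unusable_for_known_file_matching(baseline, reports):
    """Return the (file, model) groups where a known-file hash filter would miss."""
    verdicts = classify_reports(baseline, reports)
    return sorted(key for key, verdict in verdicts.items() if verdict != "match")


if __name__ == "__main__":
    for key, verdict in sorted(classify_reports(BASELINE, REPORTS).items()):
        print(f"{key[0]:<9} {key[1]:<20} {verdict}")
```

A group labelled `altered` or `divergent` is one where filtering by known hash value would fail to identify the file after MMS transfer, even though the tool itself reported its value consistently.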
D. Bluetooth Test Results
Device Seizure and Secure View reported consistent hash
values with the forensic workstation.
E. MicroSD Card Test Results
Device Seizure and Secure View reported consistent hash
values with the forensic workstation.
F. Wallpaper Test Results
The mobile device forensic tools generated consistent hashes
for all tested mobile devices. Hash values generated by the
forensic workstation matched the mobile device forensic tools’
reported hash values.
G. Camera Phone Test Results
Device Seizure and Secure View reported consistent hash
values with the forensic workstation.
VI. CONCLUSION
The objective of the tests conducted at Purdue University
was to determine if reported hash values for graphic files
remain consistent between mobile device forensic tools and a
forensic workstation. The majority of tests conducted (i.e.,
graphic file format tests, Bluetooth tests, MicroSD card tests,
wallpaper tests, camera phone tests) have shown that the
reported hash values remain consistent. However,
inconsistencies occur when mobile device graphic files are
transferred using MMS.
With over 2 billion mobile phones in use today, mobile
device forensics continues to be a concentrated area of interest
among the forensic community [10]. As mobile devices
evolve, the storage capacity and richness of data objects
increase. From an investigative perspective, the data acquired
from mobile devices is often beneficial in providing
leads or solving a case. Therefore, researching the behavior
and reliability of mobile device forensic tools is advantageous
for toolmakers and the forensic community.
While minimal research has been conducted on the hash
values calculated for mobile device data objects, future
research exploring the effects of additional data objects (e.g.,
audio, documents, video) commonly found on mobile devices
is paramount.
ACKNOWLEDGEMENTS
The authors, Shira Danker, Rick Ayers and Richard P.
Mislan, thank Barbara Guttman and Craig Russell from NIST
and Sam Brothers from U.S. Customs and Border Protection
for reviewing drafts, technical support and contributions to
this document.
Certain commercial entities, equipment, or materials may be
identified in this document in order to describe an
experimental procedure or concept adequately. Such
identification is not intended to imply recommendation or
endorsement by the National Institute of Standards and
Technology, nor is it intended to imply that the entities,
materials, or equipment are necessarily the best available for
the purpose.
REFERENCES
[1] Mead, S. (2006). Viability of MD5 and SHA-1 for forensic hashing. Retrieved from http://www.techsec.com/TF-2006-PDF/TF-2006-SteveMead-Viability_of_MD5_SHA1_(NSRLv17)-v4.pdf
[2] Al Zarouni, M. (2006). Mobile handset forensic evidence: a challenge for law enforcement. Proceedings from the 4th Australian Digital Forensics Conference. Perth, Western Australia, 4 December 2006, pp. 1-10. Edith Cowan University.
[3] Shachtman, N. (2006). Fighting crime with cellphones’ clues. Retrieved from http://www.nytimes.com/2006/05/03/technology/techspecial3/03cops.html
[4] AccessData (2006). MD5 Collisions: The effect on computer forensics. Retrieved from http://www.accessdata.com/media/en_US/print/papers/wp.MD5_Collisons.en_us.pdf
[5] Ayers, R., Jansen, W., Moenner, L., & Delaitre, A. (2007). Cell phone forensic tools: An overview and analysis update. Retrieved from http://csrc.nist.gov/publications/nistir/nistir-7387.pdf
[6] Sobieraj, S., & Mislan, R. (2007). Mobile phones: Digital photo metadata. Retrieved from http://www.cerias.purdue.edu/symposium/2007/materials/pdfs/E26-CF9.pdf
[7] Paraben Forensics. (2007). Device Seizure v1.3. Retrieved from http://www.paraben-forensics.com/catalog/product_info.php?cPath=25&products_id=405
[8] Secure View. (2009). Secure View Kit for Forensics. Retrieved from http://www.datapilot.com/productdetail/253/producthl/Notempty
[9] Cellebrite. (2008). Retrieved from http://www.cellebrite.com
[10] Murph, Darren. (2007). Mobile phone subscriptions hit 3.3 billion. Retrieved January 12, 2007 from http://www.engadget.com/2007/11/29/mobile-phone-subscriptions-hit-3-3-billion.html
APPENDIX A
Table 2 – Image Format Test - JPEG Results (Test.jpg)

| Computer Hash Value | Mobile Device | Hash Value – Secure View | Hash Value – Device Seizure |
| --- | --- | --- | --- |
| 3c3111ded5df821d668aecf9b598100b | Motorola RAZR V3m ID:1347 | 3c3111ded5df821d668aecf9b598100b | 3c3111ded5df821d668aecf9b598100b |
| 3c3111ded5df821d668aecf9b598100b | Motorola RAZR V3m ID:1556 | 3c3111ded5df821d668aecf9b598100b | 3c3111ded5df821d668aecf9b598100b |
| 3c3111ded5df821d668aecf9b598100b | LG VX8550 chocolate ID:5297 | 3c3111ded5df821d668aecf9b598100b | N/A |
| 3c3111ded5df821d668aecf9b598100b | LG VX8550 chocolate ID:7361 | 3c3111ded5df821d668aecf9b598100b | N/A |
| 3c3111ded5df821d668aecf9b598100b | LG VX8350 ID:7938 | 3c3111ded5df821d668aecf9b598100b | N/A |
| 3c3111ded5df821d668aecf9b598100b | LG VX8350 ID:7939 | 3c3111ded5df821d668aecf9b598100b | N/A |
| 3c3111ded5df821d668aecf9b598100b | Samsung SCH-U540 ID:8448 | 3c3111ded5df821d668aecf9b598100b | N/A |
| 3c3111ded5df821d668aecf9b598100b | Samsung SCH-U540 ID:8204 | 3c3111ded5df821d668aecf9b598100b | N/A |
Table 3 – Image Format Test - BMP Results (Mathematics.bmp)

| Computer Hash Value | Mobile Device | Hash Value – Secure View | Hash Value – Device Seizure |
| --- | --- | --- | --- |
| 7d3b824769389beadb69b536a0295662 | Motorola RAZR V3m ID:1347 | 7d3b824769389beadb69b536a0295662 | 7d3b824769389beadb69b536a0295662 |
| 7d3b824769389beadb69b536a0295662 | Motorola RAZR V3m ID:1556 | 7d3b824769389beadb69b536a0295662 | 7d3b824769389beadb69b536a0295662 |
| 7d3b824769389beadb69b536a0295662 | LG VX8550 chocolate ID:5297 | 7d3b824769389beadb69b536a0295662 | N/A |
| 7d3b824769389beadb69b536a0295662 | LG VX8550 chocolate ID:7361 | 7d3b824769389beadb69b536a0295662 | N/A |
Table 4 – Image Format Test - GIF Results (Stress-test.gif)

| Computer Hash Value | Mobile Device | Hash Value – Secure View | Hash Value – Device Seizure |
| --- | --- | --- | --- |
| 9b902382728b6bbdc65009a5d1084041 | Motorola RAZR V3m ID:1347 | 9b902382728b6bbdc65009a5d1084041 | 9b902382728b6bbdc65009a5d1084041 |
| 9b902382728b6bbdc65009a5d1084041 | Motorola RAZR V3m ID:1556 | 9b902382728b6bbdc65009a5d1084041 | 9b902382728b6bbdc65009a5d1084041 |
| 9b902382728b6bbdc65009a5d1084041 | LG VX8550 chocolate ID:5297 | 9b902382728b6bbdc65009a5d1084041 | N/A |
| 9b902382728b6bbdc65009a5d1084041 | LG VX8550 chocolate ID:7361 | 9b902382728b6bbdc65009a5d1084041 | N/A |
Table 5 - MMS Test (Test.jpg)

| Computer Hash Value | Mobile Device | Hash Value – Secure View | Hash Value – Device Seizure |
| --- | --- | --- | --- |
| N/A | Motorola RAZR V3m ID:1347 | 3c3111ded5df821d668aecf9b598100b | 3c3111ded5df821d668aecf9b598100b |
| N/A | Motorola RAZR V3m ID:1556 | 3c3111ded5df821d668aecf9b598100b | 3c3111ded5df821d668aecf9b598100b |
| N/A | LG VX8550 chocolate ID:5297 | 459c85d0fb234482142787c91dfca003 | N/A |
| N/A | LG VX8550 chocolate ID:7361 | 459c85d0fb234482142787c91dfca003 | N/A |
| N/A | LG VX8350 ID:7938 | 3c3111ded5df821d668aecf9b598100b | N/A |
| N/A | LG VX8350 ID:7939 | 3c3111ded5df821d668aecf9b598100b | N/A |
| N/A | Samsung SCH-U540 ID:8448 | 459c85d0fb234482142787c91dfca003 | N/A |
Table 6 - MMS 2nd Round (Mail.jpg)

| Computer Hash Value | Mobile Device | Hash Value – Secure View |
| --- | --- | --- |
| N/A | Motorola RAZR V3m ID:1347 | d57fac85a5be5a780405a0484254256b |
| N/A | Motorola RAZR V3m ID:1556 | d57fac85a5be5a780405a0484254256b |
| N/A | Motorola RAZR V3m ID:1347 | 821718317819a169dcf01ef49eaf0d5c |
| N/A | Motorola RAZR V3m ID:1556 | d57fac85a5be5a780405a0484254256b |
| N/A | LG VX8550 chocolate ID:5297 | a2712817b8fce9b925e8a710e979e1b9 |
| N/A | LG VX8550 chocolate ID:7361 | a2712817b8fce9b925e8a710e979e1b9 |
Table 7 - Bluetooth Tests (Bluetooth.jpg)

| Computer Hash Value | Mobile Device | Hash Value – Secure View | Hash Value – Device Seizure |
| --- | --- | --- | --- |
| 6c8a1401a3af8264504f16334e774b5c | Motorola RAZR V3m ID:1347 | 6c8a1401a3af8264504f16334e774b5c | 6c8a1401a3af8264504f16334e774b5c |
| 6c8a1401a3af8264504f16334e774b5c | Motorola RAZR V3m ID:1556 | 6c8a1401a3af8264504f16334e774b5c | 6c8a1401a3af8264504f16334e774b5c |
| 6c8a1401a3af8264504f16334e774b5c | LG VX8550 chocolate ID:5297 | 6c8a1401a3af8264504f16334e774b5c | N/A |
| 6c8a1401a3af8264504f16334e774b5c | LG VX8550 chocolate ID:7361 | 6c8a1401a3af8264504f16334e774b5c | N/A |
| 6c8a1401a3af8264504f16334e774b5c | LG VX8350 ID:7938 | 6c8a1401a3af8264504f16334e774b5c | N/A |
| 6c8a1401a3af8264504f16334e774b5c | LG VX8350 ID:7939 | 6c8a1401a3af8264504f16334e774b5c | N/A |
Table 8 - MicroSD Card Tests (SD card.jpg)

| Computer Hash Value | Mobile Device | Hash Value – Secure View | Hash Value – Device Seizure |
| --- | --- | --- | --- |
| 77bebd7fb998797dd5768c99fdbda8f6 | Motorola RAZR V3m ID:1347 | 77bebd7fb998797dd5768c99fdbda8f6 | 77bebd7fb998797dd5768c99fdbda8f6 |
| 77bebd7fb998797dd5768c99fdbda8f6 | Motorola RAZR V3m ID:1556 | 77bebd7fb998797dd5768c99fdbda8f6 | 77bebd7fb998797dd5768c99fdbda8f6 |
| 77bebd7fb998797dd5768c99fdbda8f6 | LG VX8550 chocolate ID:5297 | 77bebd7fb998797dd5768c99fdbda8f6 | N/A |
| 77bebd7fb998797dd5768c99fdbda8f6 | LG VX8550 chocolate ID:7361 | 77bebd7fb998797dd5768c99fdbda8f6 | N/A |
| 77bebd7fb998797dd5768c99fdbda8f6 | LG VX8350 ID:7938 | 77bebd7fb998797dd5768c99fdbda8f6 | N/A |
| 77bebd7fb998797dd5768c99fdbda8f6 | LG VX8350 ID:7939 | 77bebd7fb998797dd5768c99fdbda8f6 | N/A |
| 77bebd7fb998797dd5768c99fdbda8f6 | Samsung SCH-U540 ID:8448 | 77bebd7fb998797dd5768c99fdbda8f6 | N/A |
| 77bebd7fb998797dd5768c99fdbda8f6 | Samsung SCH-U540 ID:8204 | 77bebd7fb998797dd5768c99fdbda8f6 | N/A |
Table 9 - Wallpaper Tests (Test.jpg)

| Computer Hash Value | Mobile Device | Hash Value – Secure View |
| --- | --- | --- |
| 3c3111ded5df821d668aecf9b598100b | Motorola RAZR V3m ID:1347 | 3c3111ded5df821d668aecf9b598100b |
| 3c3111ded5df821d668aecf9b598100b | Motorola RAZR V3m ID:1556 | 3c3111ded5df821d668aecf9b598100b |
| 3c3111ded5df821d668aecf9b598100b | LG VX8550 chocolate ID:5297 | 3c3111ded5df821d668aecf9b598100b |
| 3c3111ded5df821d668aecf9b598100b | LG VX8550 chocolate ID:7361 | 3c3111ded5df821d668aecf9b598100b |
| 3c3111ded5df821d668aecf9b598100b | LG VX8350 ID:7938 | 3c3111ded5df821d668aecf9b598100b |
| 3c3111ded5df821d668aecf9b598100b | LG VX8350 ID:7939 | 3c3111ded5df821d668aecf9b598100b |
| 3c3111ded5df821d668aecf9b598100b | Samsung SCH-U540 ID:8448 | 3c3111ded5df821d668aecf9b598100b |
| 3c3111ded5df821d668aecf9b598100b | Samsung SCH-U540 ID:8204 | 3c3111ded5df821d668aecf9b598100b |
Table 10 - Camera Phone Pictures

| Computer Hash Value | Mobile Device | Hash Value – Secure View | Hash Value – Device Seizure |
| --- | --- | --- | --- |
| 2214247fec280890e04d6e923e88dc90 | Motorola RAZR V3m ID:1347 | 2214247fec280890e04d6e923e88dc90 | 2214247fec280890e04d6e923e88dc90 |
| 2214247fec280890e04d6e923e88dc90 | Motorola RAZR V3m ID:1556 | 2214247fec280890e04d6e923e88dc90 | 2214247fec280890e04d6e923e88dc90 |
| 2214247fec280890e04d6e923e88dc90 | LG VX8550 chocolate ID:5297 | 2214247fec280890e04d6e923e88dc90 | N/A |
| 2214247fec280890e04d6e923e88dc90 | LG VX8550 chocolate ID:7361 | 2214247fec280890e04d6e923e88dc90 | N/A |
| 2214247fec280890e04d6e923e88dc90 | LG VX8350 ID:7938 | 2214247fec280890e04d6e923e88dc90 | N/A |
| 2214247fec280890e04d6e923e88dc90 | LG VX8350 ID:7939 | 2214247fec280890e04d6e923e88dc90 | N/A |
| 2214247fec280890e04d6e923e88dc90 | Samsung SCH-U540 ID:8448 | 2214247fec280890e04d6e923e88dc90 | N/A |
| 2214247fec280890e04d6e923e88dc90 | Samsung SCH-U540 ID:8204 | 2214247fec280890e04d6e923e88dc90 | N/A |
... The researchers in [106] provided a comprehensive discussion about the evaluation of mobile internal acquisition tools and logical acquisition. The authors in [107] introduced the hashing techniques applicable to mobile forensics. In [108], problems with Symbian forensics and all of the methods proposed in the literature for the acquisition purpose are discussed. ...
Article
Full-text available
For reliable and relevant scientific evidence to be admitted in a court of law, it is important to apply digital forensic investigation techniques to corroborate a suspected potential security incident. Mainly, traditional digital forensics techniques have focused on computer desktops and servers. However, recent advances in digital media and platforms have seen an increased need for the application of digital forensic investigation techniques to other subdomains including small and mobile devices, databases, networks, cloud-based platforms, and the Internet of Things (IoT). To assist forensic investigators, conduct investigations within these subdomains, academic researchers have attempted to develop a number of investigative processes. However, many of these processes are domain-specific or describe domain-specific investigative tools. Hence, we hypothesize that the literature is littered with potentially overlapping and contradicting investigative process for conducting investigations within these subdomains. To investigate this hypothesis, a digital forensic model-orientated Systematic Literature Review (SLR) within the above digital forensic subdomains was undertaken. The purpose of the SLR was to identify the different and heterogeneous practices that have emerged within the specific subdomains. A key finding from the SLR is that there is a potential information overload and a high-degree of ambiguity among investigative processes in the above subdomains. The outcome of this study proposes a high-level abstract metamodel called The Digital Forensic Metamodel (DFM), which combines common processes, activities, techniques, and tasks for the above subdomains.
... In another project [41], and inclusive discussion is presented regarding assessing the mobile internal acquisition tools and logical acquisition. In [42], hashing techniques are suggested to be used for MF purposes. The authors in [43] addressed the Symbian forensics and all acquisition approaches. ...
Article
Full-text available
Mobile Forensics (MF) field uses prescribed scientific approaches with a focus of recovering Potential Digital Evidence (PDE) from mobile devices levaraging forensic techniques. Consequently, increased proliferation, mobile-based services, and the need for new requirements have led to the development of the MF field, which has in the recent past become an area of importance. In this paper, the authors take a step to conduct a review on Mobile Forensics Investigation Process Models (MFIPMs) as a step towards uncovering the MF transitions as well as identifying open and future challenges. Based on the study conducted in this paper, a review of the literature revealed that there are a few MFIPMs that are designed for solving certain mobile scenarios, with a variety of concepts, investigation processes, activities, and tasks. A total of 100 MFIPMs were reviewed, to present an inclusive and up-to-date background of MFIPMs. Also, this study proposes a Harmonized Mobile Forensic Investigation Process Model (HMFIPM) for the MF field to unify and structure whole redundant investigation processes of the MF field. The paper also goes the extra mile to discuss the state of the art of mobile forensic tools, open and future challenges from a generic standpoint. The results of this study find direct relevance to forensic practitioners and researchers who could leverage the comprehensiveness of the developed processes for investigation.
... Live forensics is an analysis technique that involves data that runs on systems or volatile data that is generally stored in Random Access Memory (RAM) [6], [7]. Especially in the case of dead computers, forensic technology has been developed to investigate digital evidence directly [8], [9]. Dead Forensics is a technique that requires data stored permanently on a hard disk storage device [10], [11]. ...
Article
Full-text available
Facebook Messenger is a popular social media. The increasing number of Facebook Messenger users certainly has a positive and negative impact, one of the negative effects is being used for digital crime. One of the sciences to get digital evidence is to do Digital forensics. Digital forensics can be done on a smartphone used by criminals. This research will carry out as much evidence of digital crime as possible from Facebook Messenger. In this study the forensic devices, Magnet AXIOM and Oxygen Forensics Suite 2014 were used using the National Institute of Standards Technology (NIST) method. NIST has work guidelines for both policies and standards to ensure that each examiner follows the same workflow so that their work is documented and the results can be repeated and maintained. The results of the research in the Magnet AXIOM and Oxygen Forensics Suite 2014 get digital evidence in the form of accounts, conversation texts, and images. This study successfully demonstrated the results of an analysis of forensic devices and digital evidence on Facebook Messenger. The results of the performance evaluation of forensic tools in the acquisition process using AXIOM Magnets are considered the best compared to Oxygen Forensics Suite 2014.
... A Cryptographic hash functions provide forensic examiners with the ability to verify the integrity of acquired data. The resulting hash value, a fixed-size bit string, is often used to identify known files and illustrates that data has not been modified [10]. ...
Article
Full-text available
Growing use of mobile handheld devices, such as cell phones and PDA does provide productivity benefits but they also pose new security risks. Due to continued growth of processing power and ever evolving ubiquitous functionality of these devices, they are also being used for lots of criminal activities too. This poses great challenges for investigators and law enforcement officials all over the world. The use of mobile phones in criminal activities has led to the need of recovering the data in them. The acquisition of information derived from cellular devices can be used as forensic evidence which has become a prime component of crime scene investigations. Digital evidence, like any other type of evidence, requires identification, collection, a chain of custody, examination/analysis, and finally authentication in court during presentation to the trier of fact. Forensic hashing is used for identification, verification and authentication of data and provide forensic examiner with the ability to verify the integrity of acquired data. This paper focuses on use of cryptographic hashing in mobile forensics and discusses the current challenges. Additional experiments were carried out to validate compared known hash values with reported values for data objects populated onto mobile devices using various data transmission methods.
... Cryptographic hash functions such as SHA512 are hash functions that must be able to withstand all known types of cryptanalytic attack and have very strong cryptographic requirements [3]. ...
Article
Full-text available
We analyse energy efficiency versus quality characteristics of hashing algorithms in a mobile device and describe methodologies for energy measurement on a Java-enabled smart phone. Energy efficiency of 17 hash functions (Adler32, Crc16, Crc32, Haval256, MD2, MD4, MD5, MD6, SHA1, SHA224, SHA256, SHA384, SHA512, Skein, SV1, Tiger, Whirlpool) is evaluated using the GSM modem-based battery charge measurement method, and quality is evaluated using the Avalanche and Chi-square tests. The results show that the most energy-efficient hash function on a mobile device is SV1 for cryptographic applications, and crc16 for non-cryptographic applications.
... Investigating the remote cloud data is complex in nature, as the data is accessed virtually and gaining physical access to the respective data is a tedious job and thus gained lot of importance over researchers. Traditional digital and mobile forensic tools are inefficient and ineffective over cloud forensics and thus a new model or methodology of forensics analysis and investigation is required in this context [15]. ...
Article
Full-text available
With the increased use of mobile devices, the respective data is stored and maintained over the remote clouds. In case of any data crimes at the cloud, the existing forensic tools are not capable of data recovery and thus lot of research was being proposed at this level. A detailed review of the existing forensic tools used for the digital and mobile analysis will be reviewed and the respective literature gaps with respective to cloud forensic will be evaluated. Literature gaps with respective current digital and mobile forensics tools against required data acquisition, investigation, preservation, examination and analysis are identified. With the increased usage of mobile apps like Facebook, Google plus and Viber, data of the users is stored across the remote clouds. The main challenge for the mobile forensics tools in this context is that to acquire the remotely located data of mobile locations. Based on the research gaps identified the actual methodology of the research is proposed, where a new approach will be proposed against the mobile forensics which can integrate with the existing tools, that can acquire and analyse the remote data storage from the clouds.
... Given the high volume of data there is need for fast access and retrieval of required or relevant data. Several of the existing data structures are hashing [1] [2] [3] [4] [5] [6], search trees [7] [8], and clustering [9]. Hashing is a technique that utilizes a hash function to convert large values into hash values and maps similar large values to the same hash values or keys in a hash table. ...
Clustering is a very useful scheme for data structuring and retrieval because it can handle large volumes of multi-dimensional data and employs a very fast algorithm. Other forms of data structuring techniques include hashing and binary tree structures. However, clustering has the advantage of employing little computational storage requirements and a fast speed algorithm. In this paper, clustering, k-means clustering and the approaches to effective clustering are extensively discussed. Clustering was employed as a data grouping and retrieval strategy in the filtering of fingerprints in the Fingerprint Verification Competition 2000 database 4(a). An average penetration of 7.41% obtained from the experiment shows clearly that the clustering scheme is an effective retrieval strategy for the filtering of fingerprints.
This research will explore the relationship between automation and artificial intelligence in digital forensics, but with a bias toward improving the identification and prognosis of cybercrimes.
Mobile devices are very common in everyone’s day-to-day life. Nowadays such devices come with many features of a desktop or laptop. Hence people can use these devices for diverse applications. As the acceptability and usability of such devices are very high, there are chances that these devices can be used for illegal activities. The percentage of mobile phones or smart phones involved in cyber crimes is on the rise. So it becomes necessary to digitally analyze such devices, which requires cyber forensics tools. This paper discusses different types of digital evidence present in Microsoft’s Windows Mobile smart phones and an agent based approach for logically acquiring such devices. It also describes a tool developed for forensically acquiring and analyzing Windows Mobile devices and WinCE PDAs.
Sobieraj, S., & Mislan, R. (2007) Mobile phones: Digital photo metadata. Retrieved from http://www.cerias.purdue.edu/symposium/2007/materials/pdfs/E26-CF9.pdf
Cellebrite. (2008). Retrieved from http://www.cellebrite.com
Murph, Darren. (2007). Mobile phone subscriptions hit 3.3 billion. Retrieved January 12, 2007 from http://www.engadget.com/2007/11/29/mobile-phone-subscriptions-hit-3-3-billion.html
Ayers, R., Jansen, W., Moenner, L., & Delaitre, A. (2007). Cell phone forensic tools: An overview and analysis update. Retrieved from http://csrc.nist.gov/publications/nistir/nistir-7387.pdf
Shachtman, N. (2006). Fighting crime with cellphones' clues. Retrieved from http://www.nytimes.com/2006/05/03/technology/techspecial3/03cops.html
Mead, S. (2006). Viability of MD5 and SHA-1 for forensic hashing. Retrieved from http://www.techsec.com/TF-2006-PDF/TF-2006-SteveMead-Viability_of_MD5_SHA1_(NSRLv17)-v4.pdf
Paraben Forensics. (2007). Device Seizure v1.3. Retrieved from http://www.parabenforensics.com/catalog/product_info.php?cPath=25&products_id=405
Secure View. (2009). Secure View Kit for Forensics. Retrieved from http://www.datapilot.com/productdetail/253/producthl/Notempty
AccessData. (2006). MD5 Collisions: The effect on computer forensics. Retrieved from http://www.accessdata.com/media/en_US/print/papers/wp.MD5_Collisons.en_us.pdf