Mobile Device Forensics

Smartphones offer many different features and allow users to do almost anything that was previously done with computers. Smartphones replace desktop computers in almost every way, with the advantages of portability; It is more suitable for use in most applications, from private use to business, from photography to online banking. As a result of this situation, smartphones carry valuable information for many researches. It helps the forensic investigator to identify the target person and obtain information about the person's recent activities by providing access to data such as recent chats, call logs, location data, pictures. In most cases, they carry more personal information than a traditional PC used to be. Thus, analyzing mobile phones has become the main part of a forensic investigation.

A forensic investigation has 4 main parts: • Seizure: The responsible agency seizes the mobile device and protects it from network communication. • Data Extraction: Extraction of data from a mobile device with a known set of mobile forensic tools. (Cellebrite, UFED, MSAB XRY, Oxygen Extractor, Hancom GMD, etc.) • Analysis: Analysis of extracted data with the help of a mobile forensic toolset. Evidence search and verification. • Reporting: Export of found evidence in an easy-to-understand format for subsequent use by non-technical personnel.

• Environmental documentation: When it comes to evaluating evidence in any forensic institution, preparing documents as they should be is one of the most important tasks. First of all, photographs should be taken of the mobile device itself and its environment (especially cables, adapters, docking station, etc.). In addition, the status of the device (operating/not working; locked/unlocked; visible damage, etc.) should be noted in the documentation. • Documentation of IMEI: As an identifier for smartphones, documents often use IMEI (International Mobile Station Equipment Identity). Since IMEI is supposed to identify a device in cellular network, dual SIM phones have two IMEIs, phones made for CDMA network have MEID instead of IMEI. Tablets without the ability to connect to a cellular network do not have an assigned IMEI. Usually the IMEI is printed on the back of the phone or on a sticker under the battery. If you can't find an IMEI this way, you can usually find it in the phone's menu or by pressing *# 06. • Using Locked Mobile Devices: If the phone is found in the unlocked state, the first priority is to stop the phone from locking, tap the screen and set the screen timeout setting to maximum. The next step is to go to the security settings and check if any lock codes are set. If the lock code is present and the code is unknown, data extraction from the phone may be considered immediately at the scene. If the screen is not active when the device is found, the screen should not be touched; so that possible blemishes on the screen can be removed and resolved with possible unlock patterns of the phone. All modern smartphones have the option to lock the phone or delete all data on the phone with the command of the remote control. This imposes your risk of losing all evidence of a device. Additionally, data coming into the device after the seizure can alter or overwrite evidence and undermine the forensic soundness of your examination. Therefore, the next priority should be to disconnect the device from the network.