The Challenge of Mobile Forensic Tools and Technique: Anti-mobile Forensic and Call Detailed Record (CDR)

Hendratna Mutaqin


Abstract
Mobile phones are no longer used only for calling and sending messages; they can take over most functions of a computer. People use them for many purposes, including committing crimes, and some criminal cases have been solved with digital evidence recovered from a mobile phone. Acquiring that evidence is not as easy as people imagine: many obstacles stand between an investigator and the data. This paper discusses two of them, anti-mobile forensics and Call Detail Records (CDR). Anti-mobile forensic tools and techniques make an investigation harder and more time-consuming. CDR can provide a Law Enforcement Agency (LEA) with strong evidence, but handling CDR and working within each country's telecommunications data retention rules are challenges that LEA have to deal with.

Introduction
Since the late 2000s the mobile phone has become close to a primary need for people around the world, offering many functions at a low price. Kemp (2017), in his global digital snapshot, puts the world population at about 7.4 billion, of whom around 4.9 billion (66% of humanity) are mobile phone users and roughly 3.7 billion use the internet. With so many functions and an internet connection, perpetrators can use the device as a tool to commit crime. On the other hand, LEA use the same device as a source of evidence to help solve criminal cases. Many forensic tools have been developed to retrieve data from mobile devices. Anti-mobile forensics and the reliability of mobile forensic results have become challenges that an investigator has to anticipate.

This study explores the current problems of mobile forensics and the anti-forensic approaches available for smartphones. Knowing the weaknesses of mobile forensic tools helps an investigator anticipate counter-measures from the opponent. The second topic is CDR, which have become one of the most widely used kinds of evidence LEA rely on to solve criminal cases.

Literature Review
The Scientific Working Group on Digital Evidence (2006), cited by Ahmed and Dharaskar (n.d.), defines digital evidence as information of probative value that is stored or transmitted in binary form. Its source is not only a computer but also a mobile device. A smartphone holds several obvious kinds of potential evidence: call history, contact list, text messages, email, media, browsing history, chat logs, social network accounts, calendar, notes, connections, maps, and installed software (Alghafli et al., 2011). Mobile phone data can serve as evidence if it is handled according to accepted standards, and mobile forensics is the discipline for doing so. Barmpatsalou et al. (2013), cited by Holzknecht (n.d.), define mobile forensics as the process of recovering digital evidence from a mobile device using forensically sound and proven methods.

Dealing with CDR and with the threat of anti-mobile forensics creates large problems. Kessler (2007), Distefano (2010) and Garfinkel (2007), cited by Azadegan et al. (2012), define anti-forensics as the methods and strategies that aim to prevent a digital investigation or make it fail. Many techniques serve that purpose: data hiding, artefact wiping, trail obfuscation, attacks on the forensic tools themselves, destroying evidence, eliminating evidence sources, counterfeiting evidence, encrypted file systems, disk sanitisation utilities, timestomping (altering file timestamps) and transmogrification (disguising a file's type so signature analysis misclassifies it).

Nphansal (2010) defines a CDR as a record containing information about each call processed by a call manager: for example the origin and destination of the call and the date and time at which the call was started, actually connected, and ended. LEA can use CDR to help solve a criminal case, for instance to identify a suspect by analysing their communication and behaviour patterns, and to locate a perpetrator over the duration of their calls. The current issues concern privacy and the ability of mobile forensic tools to analyse the records.

Reviewing the literature leads back to two questions:
1. What are the current challenges of mobile forensics, and how significant is their impact on the result of an investigation?

2. How should CDR be handled so that they are valid evidence?


Research Result
Current Challenge of Mobile Forensic
Mislan and Lutes (2014) identified six current mobile phone problems in their survey: carriers and manufacturers, data preservation, power and data connectors, operating systems and communication protocols, security mechanisms, and unique data formats.

1. Carrier and manufacturer
Even an expert investigator currently finds it difficult to deal with the many network carriers and device manufacturers. There are a great many network operators in the world, most of them different from each other, so that an investigator from the UK, for example, has to analyse an unfamiliar network when examining a mobile device in another country. The number of device manufacturers also forces the examiner to do extra work to acquire and review mobile evidence. Connecting a mobile device to a forensic workstation usually needs a device driver, and this becomes harder when the forensic tool does not recognise the handset, as happens with some Chinese phones.

2. Data preservation
An investigator must be aware of how fragile the data on a mobile phone is. Many things can change the phone's data: an incoming call, the next text message, or malware pushed over the network. Seized devices must be stored where access from outside is blocked; shielding containers made of three layers of aluminium foil and copper can be used to isolate a wireless device from radio frequencies. A shielded device keeps searching for a network and drains its battery faster, which connects this problem to the next one.

3. Power and data connectors
Evidence on a mobile phone may reside in volatile memory, which needs the device to stay powered on or the data is lost. An investigator therefore needs the right cable to keep the device from switching off when its battery runs out. Unfortunately there is still no standard power or data connector for mobile phones, so evidence may be lost when an investigator is faced with a device for which no matching connector is at hand. Unifying the connectors across all mobile devices would reduce the loss of evidence in mobile forensic investigations.

4. Operating system and communication protocols
Mobile phone evidence differs from computer evidence in that a protocol is needed for the device to communicate with the investigator's workstation before any information can be accessed and retrieved. Unfortunately most phones use a protocol different from the others and need special treatment. Sometimes an investigator has to copy a program directly onto the phone to establish the connection, with the risk of overwriting evidence.

5. Security mechanism
Almost every mobile phone has security mechanisms, either built in by the manufacturer or on the SIM card, such as PINs and PUKs, to protect its data. The further challenge is data encryption: decrypting the data is very difficult without help from the hardware or operating system vendor.

6. Unique data format
An investigator needs to examine every storage location on the phone for potential evidence: the SIM card, Random Access Memory (RAM) and Read Only Memory (ROM) can all hold it. Each usually needs a different treatment to get at the data; volatile evidence in RAM requires power, while evidence in ROM is hard for the end user to alter. File formats on a mobile phone are sometimes proprietary and need other tools to open and analyse. The standard items found on a phone are telephone numbers, address books, email messages, text messages, images and video.

Alghafli et al. (2011) mention further challenges of smartphone forensics:
1. Smartphone technology changes rapidly, which makes capturing data from the device difficult.
2. Most forensic toolkits only work with an undamaged smartphone. New toolkits that can deal with data from a damaged smartphone are urgently required.

Anti-forensics approaches for smartphones
Many software developers produce mobile forensic tools to help the police and other users solve criminal cases. Perpetrators, on the other hand, develop techniques to thwart the digital investigation process. Sporea et al. (2012) found that most anti-mobile forensic applications are free and ready to use, require no expert technical knowledge, and defeated two commercial forensic tools, Paraben Device Seizure and Oxygen Forensic Suite, in their tests. Their experiment used two handsets, an HTC Desire HD and an iPhone 3G, and tested four kinds of anti-mobile forensic technique.

1. File Shredding
File shredder applications are available on Android (for example File Shredder) and on iOS (for example ProtectStar iShredder Pro). They permanently remove files from the device by overwriting them with random data. In the test neither Paraben Device Seizure nor Oxygen Forensic Suite could find any trace of the shredded files. File Shredder is an Android data shredder that destroys files by overwriting them with random data (Google Play, 2017). ProtectStar iShredder Pro is an iOS data shredder, used by state and military organisations, whose secure deletion is claimed to leave no trace and make recovery of deleted data impossible (Protectstar, 2017). A practitioner should treat such claims with caution: on flash storage the controller's wear levelling means that an application-level overwrite does not necessarily reach the physical cells that held the original data.

2. Encryption
Encryption is the use of cryptography to make information unreadable without the key; unlike steganography it hides the content of the data, not its existence. The research used the LUKS Manager application, which provides encrypted virtual folders. Both forensic toolkits detected the volume and the encrypted data but not the contents of the files stored in it. LUKS Manager is an Android application that provides on-the-fly encryption (AES by default) for virtual folders (Google Play, 2017).
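What "detects the volume but not the contents" looks like in practice can be shown with a short scan. The following is an added example written for this page, not code from Sporea et al. or from any forensic suite. It builds a small storage image in memory (a plaintext region, a LUKS1 header with assumed field values, and seeded random bytes standing in for ciphertext), finds the LUKS header by its on-disk magic, reads the metadata that LUKS stores in the clear (version, cipher, mode, hash, key size, payload offset, UUID), and flags blocks whose byte entropy is close to 8 bits per byte. The field offsets follow the LUKS1 header layout; the image contents, the 4096-byte block size and the 7.5-bit threshold are assumptions for illustration.

```python
"""Find and describe an encrypted container in a raw storage image.

Added example for this page (not code from Sporea et al. or from any
forensic suite). It mirrors what a forensic tool can do without the key:
  1. signature scan for the LUKS on-disk header magic and read the
     metadata that LUKS stores in the clear (version, cipher, key size...),
  2. a byte-entropy sweep to flag blocks that look like ciphertext.
Caveat: entropy alone cannot distinguish ciphertext from compressed data.
The storage image below is constructed in memory; no device is read.
"""
import math
import random
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"   # shared by LUKS1 and LUKS2 primary headers
LUKS1_PHDR_SIZE = 592          # size of the LUKS1 partition header in bytes


def shannon_entropy(block: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 is the maximum (uniform bytes)."""
    if not block:
        return 0.0
    counts = [0] * 256
    for b in block:
        counts[b] += 1
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_luks_header(buf: bytes, off: int) -> dict:
    """Decode the unencrypted LUKS header fields at buf[off:] (LUKS1 layout)."""

    def cstr(field_off: int, size: int) -> str:
        raw = buf[off + field_off: off + field_off + size]
        return raw.split(b"\0", 1)[0].decode("ascii", "replace")

    version = struct.unpack_from(">H", buf, off + 6)[0]
    info = {"offset": off, "version": version}
    if version == 1:  # LUKS2 keeps its metadata in JSON after the binary header
        info["cipher"] = cstr(8, 32)
        info["mode"] = cstr(40, 32)
        info["hash"] = cstr(72, 32)
        info["payload_offset_sectors"] = struct.unpack_from(">I", buf, off + 104)[0]
        info["key_bytes"] = struct.unpack_from(">I", buf, off + 108)[0]
        info["uuid"] = cstr(168, 40)
    return info


def scan_image(image: bytes, block_size: int = 4096, threshold: float = 7.5) -> dict:
    """Return every LUKS header found and the offsets of high-entropy blocks."""
    headers = []
    pos = image.find(LUKS_MAGIC)
    while pos != -1:
        headers.append(parse_luks_header(image, pos))
        pos = image.find(LUKS_MAGIC, pos + 1)
    high_entropy = [
        off for off in range(0, len(image), block_size)
        if shannon_entropy(image[off: off + block_size]) >= threshold
    ]
    return {"luks_headers": headers, "high_entropy_blocks": high_entropy}


def build_sample_image() -> bytes:
    """Constructed image: plaintext notes, then a LUKS1 header, then 'ciphertext'."""
    rng = random.Random(2017)  # seeded so the example is reproducible
    notes = (b"contact: alice 555-0100; note: meeting at 10\n" * 90).ljust(4096, b"\0")
    hdr = bytearray(LUKS1_PHDR_SIZE)
    hdr[0:6] = LUKS_MAGIC
    struct.pack_into(">H", hdr, 6, 1)                  # version 1
    hdr[8:11] = b"aes"                                 # cipher-name (assumed values)
    hdr[40:51] = b"xts-plain64"                        # cipher-mode
    hdr[72:78] = b"sha256"                             # hash-spec
    struct.pack_into(">I", hdr, 104, 4096)             # payload offset, 512-byte sectors
    struct.pack_into(">I", hdr, 108, 64)               # 64-byte (512-bit) XTS master key
    hdr[168:204] = b"0f4c2a10-7b6e-4d3f-9a21-5c8e1b2d3f40"  # assumed UUID
    header_block = bytes(hdr).ljust(4096, b"\0")
    ciphertext = rng.randbytes(8192)                   # stands in for encrypted payload
    return notes + header_block + ciphertext


if __name__ == "__main__":
    result = scan_image(build_sample_image())
    for h in result["luks_headers"]:
        print(f"LUKS v{h['version']} header at offset {h['offset']}: "
              f"{h.get('cipher')}-{h.get('mode')}, {h.get('key_bytes')}-byte key")
    print("high-entropy blocks at offsets:", result["high_entropy_blocks"])
```

The scan reports the header and the two random blocks behind it while the plaintext block and the mostly-zero header block stay below the threshold. That is exactly as far as a tool gets without the passphrase: it can prove an encrypted volume exists, name its cipher and key size, and measure how much of the image is ciphertext, but not read a single file inside it.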

3. Steganography
Steganography hides a digital file inside another carrier, for example an image, audio or video file. The research used the StegDroid and MobiStego applications on Android to conceal a message. Neither Paraben Device Seizure nor Oxygen Forensic Suite detected any trace of the hidden message.

StegDroid is an Android application developed by computer scientists at the University of Cambridge that embeds a secret text message inside an audio file (Google Play, 2017). MobiStego is an Android application that hides a message in an image, which can then be saved or sent by MMS (Mobistego, 2015).

4. Location information
The locations a mobile phone user has visited are evidence that is usually sought during an investigation. Applications such as Fake GPS Location on Android, or a jailbreak of iOS 9.3.3, can change the device's reported location to anywhere the user chooses. Neither Device Seizure nor Oxygen Forensic detected that the locations recorded by social network apps or Google Maps were fake, and images created at the faked position carried no location data at all. Fake GPS Location is an Android application that teleports the phone's location to any place in the world, so that every other app on the phone believes it is there (Google Play, 2017). The iOS 9.3.3 jailbreak likewise allows iPhone users to fake their location (Lloyd, 2016).

Other anti-forensic techniques are listed by Garfinkel (2007), cited by Chen and Yang (n.d.):

1. Overwriting
The aim is to replace the original data so that it can no longer be acquired, by covering the blocks that hold it with a large amount of other, random data.

2. Wipe
Wiping makes data recovery difficult by overwriting the data several times or by degaussing the disk.

3. Physical destruction
Physical destruction is irreversible: the disk is destroyed so that its tracks are incomplete and cannot be read, for example by cutting, scratching, drilling, bending or otherwise deforming it.

4. Data hiding
Data hiding places a message in unallocated or otherwise unreachable locations.

In their research Chen and Yang (n.d.) created an anti-mobile forensic application in Java with the Android API and ran it on an Android phone. The software logically deletes mobile phone data such as contacts, call logs, text messages, browser history and photos. They tested it against several mobile forensic toolkits: Oxygen (trial), MOBILedit Forensic and Mobile Go. The result is that the deleted data could not be recovered by logical acquisition: the application removes the data and the toolkits detect nothing when they acquire the device logically. The qualifier matters. A logical acquisition only sees what the device's own interfaces return, whereas records deleted this way may still be present in the underlying storage until something overwrites them, which is why a physical acquisition is the next step when one is possible.
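The difference between what a logical acquisition returns and what is still on the storage can be reproduced on a desktop, because Android contact, call-log and SMS stores are SQLite databases. The following is an added example written for this page; it is not Chen and Yang's application or any vendor's tool, and its database and records are constructed. It deletes a contact the way an app would, shows that a query (the logical view) no longer returns it, shows that a raw read of the database file still finds it, and then repeats the delete with SQLite's secure_delete setting, which zeroes the freed bytes in the same way a shredder's overwrite does, so that the raw read comes up empty too. The `contacts2.db` name and the table layout are assumptions, not the real Android schema.

```python
"""Logical versus raw acquisition of a 'deleted' record.

Added example for this page; it is not Chen and Yang's application or any
vendor's code. Android contact, call-log and SMS stores are SQLite databases,
so the example (1) builds a small contacts database, (2) deletes one record the
way an anti-forensic app would, (3) shows that a logical acquisition, which
queries the database through the engine, no longer sees it, (4) shows that a
raw read of the file still finds it, because SQLite only marks the cell's
space as free, and (5) repeats the delete with secure_delete on, which zeroes
the freed bytes (the overwriting a shredder relies on). All records are
constructed; the file name and schema are assumptions.
"""
import os
import sqlite3
import tempfile
from contextlib import closing

SUSPECT_ROW = ("Mallory", "+44 7700 900123")   # constructed record to be removed
FILLER_ROWS = [("Alice", "+44 7700 900100"), ("Bob", "+44 7700 900101")]


def build_contacts_db(path: str) -> None:
    """Create a contacts table and insert the sample rows, like an app would."""
    with closing(sqlite3.connect(path)) as conn:
        conn.execute("CREATE TABLE contacts (id INTEGER PRIMARY KEY, name TEXT, number TEXT)")
        conn.executemany("INSERT INTO contacts (name, number) VALUES (?, ?)",
                         FILLER_ROWS + [SUSPECT_ROW])
        conn.commit()


def anti_forensic_delete(path: str, secure: bool) -> None:
    """Delete the suspect row; secure=True makes SQLite zero the freed page space."""
    with closing(sqlite3.connect(path)) as conn:
        conn.execute("PRAGMA secure_delete = " + ("ON" if secure else "OFF"))
        conn.execute("DELETE FROM contacts WHERE name = ?", (SUSPECT_ROW[0],))
        conn.commit()


def logical_acquisition(path: str) -> list:
    """What a logical extraction sees: live rows returned by the engine."""
    with closing(sqlite3.connect(path)) as conn:
        return conn.execute("SELECT name, number FROM contacts ORDER BY id").fetchall()


def raw_carve(path: str, needle: str) -> int:
    """What a file-level (physical) read sees: offset of needle in the file, or -1."""
    with open(path, "rb") as fh:
        return fh.read().find(needle.encode())


def run_scenario(secure: bool) -> dict:
    """Build, delete and compare the two acquisition views for one setting."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "contacts2.db")
        build_contacts_db(path)
        before = SUSPECT_ROW in logical_acquisition(path)
        anti_forensic_delete(path, secure)
        return {
            "secure_delete": secure,
            "logical_before_delete": before,
            "logical_after_delete": SUSPECT_ROW in logical_acquisition(path),
            "raw_offset_after_delete": raw_carve(path, SUSPECT_ROW[1]),
        }


if __name__ == "__main__":
    for secure in (False, True):
        print(run_scenario(secure))
```

With secure_delete off the query no longer returns Mallory but the phone number is still readable at a fixed offset in the file; with it on, the same delete leaves nothing for the carve to find. The same pattern applies to a shredder that overwrites file contents: the logical view is identical in both cases, so only a physical or file-system-level acquisition can tell an ordinary delete from a deliberate overwrite.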

Call Detail Record (CDR) Challenge
CDR are data files produced by a telephone exchange that list phone calls, text messages and data transactions. Attributes such as the type of phone, completion status, destination number, time and duration, cell tower and caller are stored and used to categorise the records (Securecube, 2017). LEA can obtain these data directly from the network operator with prior authorisation. CDR give LEA much information with which to identify suspects, for example communication and behaviour patterns, an individual's relationships with associates, and even the suspect's location for the duration of a call (Wikipedia, 2017). Analysing CDR is hard without the help of mobile forensic tools such as Securecube PhoneLog and Oxygen Forensic.

1. Securecube Phone Log
An investigator can import CDR from many sources with different data structures and can create their own importer through the graphical user interface (GUI) to analyse other types of record. The tool imports logs from UFED (Cellebrite's forensic phone extraction application) reports, from SecurCube's BTS Tracker hardware, and from other mobile device extractions. Results can be displayed on online or offline maps. It can identify a suspect's behaviour, track their movements and show additional information about handset use, and it can build relationships among suspects, phones, cells, and even different crimes (MediaClone, 2017).

2. Oxygen Forensic
This tool lets an investigator import and analyse CDR files from mobile service providers even when their layouts and columns differ; the .xls, .xlsx and .csv formats are supported.

It guides the user through importing call data records and converting them into a unified format. The result can be displayed and analysed, and the user can build a graph of both direct and indirect links between callers, which can also be saved to external files on the PC (Oxygen Forensics, 2017).
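The two steps both tools advertise, converting differently laid-out operator exports into one record format and then deriving direct and indirect links and a cell trail from the merged records, are small enough to show in full. The following is an added example written for this page; it is not SecurCube's or Oxygen's code. The two "operator exports" are constructed CSV text with deliberately different column names, delimiters, timestamp formats and number formats. Two assumptions are built in and would have to be confirmed against a real operator's data dictionary: all timestamps are UTC, and the cell column in both layouts is the cell serving the calling party.

```python
"""Normalise CDR exports with different layouts and run link analysis on them.

Added example for this page; it is not SecurCube's or Oxygen's code. The two
"operator exports" are constructed CSV text with deliberately different column
names, delimiters, date formats and number formats, which is the situation the
page describes. Both are mapped to one record format, then the questions an
analyst asks a CDR tool are answered from the merged data: a subscriber's
direct contacts, indirect (two-hop) contacts, and cell-tower trail. Assumption:
in both layouts the cell column is the cell serving the calling party, and all
timestamps are UTC; a real export's data dictionary must confirm both.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone

# Constructed export, layout A: national number format, ISO timestamps, comma-separated.
EXPORT_A = """\
A-Number,B-Number,Call Start,Duration(s),Cell ID,Type
07700 900123,07700 900456,2017-03-02 21:15:04,310,234-15-1001-22,MOC
07700 900123,07700 900789,2017-03-02 21:40:52,45,234-15-1001-22,MOC
07700 900456,07700 900123,2017-03-03 08:02:11,120,234-15-1002-07,MTC
"""
# Constructed export, layout B: E.164 numbers, epoch seconds, semicolon-separated.
EXPORT_B = """\
calling;called;start_epoch;secs;first_cell;direction
+447700900789;+447700900999;1488491452;600;234-15-1001-22;out
+447700900999;+447700900555;1488494000;15;234-15-1003-01;out
"""


def uk_national_to_e164(s: str) -> str:
    """'07700 900123' -> '+447700900123' (assumes UK national format)."""
    return "+44" + s.replace(" ", "").lstrip("0")


def iso_utc(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def epoch_utc(s: str) -> datetime:
    return datetime.fromtimestamp(int(s), tz=timezone.utc)


# One mapping per layout: unified field -> (source column, converter).
LAYOUTS = {
    "A": {"delimiter": ",", "caller": ("A-Number", uk_national_to_e164),
          "callee": ("B-Number", uk_national_to_e164), "start": ("Call Start", iso_utc),
          "seconds": ("Duration(s)", int), "cell": ("Cell ID", str)},
    "B": {"delimiter": ";", "caller": ("calling", str.strip), "callee": ("called", str.strip),
          "start": ("start_epoch", epoch_utc), "seconds": ("secs", int),
          "cell": ("first_cell", str)},
}
FIELDS = ("caller", "callee", "start", "seconds", "cell")


def normalise(text: str, layout: str) -> list:
    """Parse one export into unified records, tagging each with its source layout."""
    spec = LAYOUTS[layout]
    records = []
    for row in csv.DictReader(io.StringIO(text), delimiter=spec["delimiter"]):
        rec = {"source": layout}
        for field in FIELDS:
            column, convert = spec[field]
            rec[field] = convert(row[column])
        records.append(rec)
    return records


def link_graph(records: list) -> dict:
    """Undirected adjacency: two numbers are linked if any record joins them."""
    adj = defaultdict(set)
    for r in records:
        adj[r["caller"]].add(r["callee"])
        adj[r["callee"]].add(r["caller"])
    return adj


def direct_contacts(adj: dict, number: str) -> list:
    return sorted(adj[number])


def indirect_contacts(adj: dict, number: str) -> list:
    """Numbers reachable only through a common contact (two hops)."""
    direct = adj[number]
    two_hop = set().union(*(adj[mid] for mid in direct)) if direct else set()
    return sorted(two_hop - direct - {number})


def cell_trail(records: list, number: str) -> list:
    """Time-ordered (start, cell) pairs for calls the number originated."""
    return sorted((r["start"], r["cell"]) for r in records if r["caller"] == number)


if __name__ == "__main__":
    merged = normalise(EXPORT_A, "A") + normalise(EXPORT_B, "B")
    graph = link_graph(merged)
    suspect = "+447700900123"
    print("direct:", direct_contacts(graph, suspect))
    print("indirect:", indirect_contacts(graph, suspect))
    for when, cell in cell_trail(merged, suspect):
        print(when.isoformat(), cell)
```

On the constructed data the suspect's two direct contacts come from one operator and the indirect contact (+447700900999, reached through +447700900789 ten minutes after the suspect's own call, from the same cell) only appears once the second operator's export is merged, which is why a unified format matters more than any single import. Two caveats carry over to real records: a cell identifier is not a location until it is resolved against the operator's cell-site database or a BTS survey, and a single unhandled time zone or number format in one layout silently breaks every link across operators.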

Telecommunication data retention
CDR have a tremendous impact on solving criminal cases. The question arises whether a perpetrator could destroy CDR on the provider's side. Not from the subscriber's side: the service provider keeps CDR for a period set by the telecommunications data retention law in force in each country.

1. United Kingdom (UK)
Smith (2014) describes the Act and new regulations in the UK, which allow the Secretary of State to require public telecommunications operators to retain data. The retention period varies, subject to a maximum of 12 months; a notice may specify different periods for different types of data and may relate to one operator or to a description of operators.

2. Australia
Under the Telecommunications (Interception and Access) Act 1979, Australian telecommunications companies must store a particular set of telecommunications data for at least two years, so that Australia's law enforcement and security agencies can access it subject to strict controls (Australian Government, Attorney-General's Department, 2017).

3. United States (US)
According to the Electronic Frontier Foundation (n.d.), the US currently has no mandatory data retention law. However, under the Stored Communications Act (SCA) the government may obtain access to electronic communications or communications records held by providers of electronic communication or remote computing services. In addition, the Electronic Communications Privacy Act of 1986 provides for mandatory data preservation for up to 180 days on government request.

4. Thailand
Tilleke &amp; Gibbins (2014) explain that in Thailand telecommunication data must be retained for not less than 90 days, and for up to one year on the demand of a competent official, under section 26 of the Computer Crime Act (CCA).

5. Argentina
Under an amendment to the National Telecommunications Law in 2003, the Argentine government required telecommunications companies and Internet Service Providers to keep, index and store traffic data for a ten-year period and to provide it to the Attorney General's Office and the judiciary when required. The law became inactive in May 2009 when the Argentine Supreme Court confirmed that the data retention law was unconstitutional (Electronic Frontier Foundation, n.d.).

Conclusion
Mobile technology has grown so fast that a mobile phone is no longer only for calls and messages; the smartphone can replace a computer. Perpetrators also use it as a tool to commit crime, so analysing the content of a suspect's device with mobile forensic tools is the recommended way to find evidence. However, anti-mobile forensics and the fragility of mobile device data are challenges the investigator has to address. Mislan and Lutes list six problem areas: carriers and manufacturers, data preservation, power and data connectors, operating systems and communication protocols, security mechanisms, and unique data formats. The investigator also faces rapidly changing phone technology and damaged smartphones, both of which make capturing data hard. Perpetrators, for their part, develop techniques to thwart the digital investigation, collectively known as anti-mobile forensics: overwriting, wiping, physical destruction, steganography, data hiding and encryption all make mobile phone investigation harder than before. A further challenge is analysing CDR, which give LEA a wealth of potential evidence that is hard to interpret. Mobile forensic tools such as Securecube PhoneLog and Oxygen Forensic can address that problem, each with its own advantages. Finally, when using CDR as evidence an investigator has to deal with the telecommunications data retention rules of the country concerned.

References

Ahmed, R., Dharaskar, R. (n.d.). Mobile Forensics: an Overview, Tools, Future trends and Challenges from Law Enforcement perspective. India: College of Engineering and Technology.


Alghafli, K., Jones, A., Martin, T. (2011). Guidelines for the digital forensic processing of smartphones. Perth: Proceeding of the 9th Australian Digital Forensics Conference, Edith Cowan University.


Australian Government, Attorney-General’s Department. (2017). Data retention. Retrieved from: https://www.ag.gov.au/dataretention. (Accessed on 9/4/2017)


Azadegan, S., Yu, W., Liu, H., Sistani, M., Acharya, S. (2012). Novel Anti-forensics Approaches for Smart Phones. Towson: Towson University.


Electronic Frontier Foundation. (n.d.) United States data retention. Retrieved from: https://www.eff.org/issues/mandatory-data-retention/us. (Accessed on 9/4/2017)


Electronic Frontier Foundation. (n.d.) Argentina data retention. Retrieved from: https://www.eff.org/id/issues/mandatory-data-retention/argentina (Accessed on 9/4/2017)


Chen, Ren-Ji and Yang Chung-Huang. (n.d.). Research on android anti-forensic tools. Taiwan: National Kaohsiung Normal University. 


Google Play. (2017). File Shredder. Retrieved from: https://play.google.com/store/apps/details?id=net.fizzl.fileshredder. (Accessed on 6/4/2017)


Google Play. (2017). LUKS Manager. Retrieved from: https://play.google.com/store/apps/details?id=com.nemesis2.luksmanager&hl=in. (Accessed on 6/4/2017)


Google Play. (2017). StegDroid Alpha. Retrieved from: https://play.google.com/store/apps/details?id=uk.ac.cam.tfmw2.stegdroid&hl=in. (Accessed on 6/4/2017)


Google Play. (2017). Fake GPS Location. Retrieved from: https://play.google.com/store/apps/details?id=com.lexa.fakegps&hl=in. (Accessed on 6/4/2017)


Kemp, S. (2017). Digital Snapshot: Internet and social media use in 2017. Retrieved from: https://www.techinasia.com/talk/digital-snapshot-internet-social-media-2017.


Lloyd, C. (2016). How to fake your location on iPhone. Retrieved from: http://www.gottabemobile.com/2016/07/25/how-to-jailbreak-ios-9-3-3/. (Accessed on 6/4/2017)


Lutes, K., Mislan, R. (2014). Challenges in Mobile Phone Forensics. Purdue: Purdue University. 


MediaClone. (2017). Phonelog call detail records analysis software-CDR analysis. Retrieved from: https://www.media-clone.net/PhoneLog-CDR-Analysis-Software-Call-Detail-Record-p/cdr-0001-00a.htm. (Accessed on 7/4/2017) 


Mobistego. (2015). What is mobistego?. Retrieved from: http://mobistego.sourceforge.net/. (Accessed on 6/4/2017)


Nphansal. (2010). Understanding CDR (Call Detail records). Cisco Support Community. Available at: https://supportforums.cisco.com/document/53056/understanding-cdr-call-detail-records (accessed on 5/4/2017)


Oxygen Forensics. (2017). Call Data Records. Retrieved from: https://www.oxygen-forensic.com/en/products/oxygen-forensic-detective/detective/call-data-records. (Accessed on 7/4/2017)


Protectstar. (2017). iShredder is now data shredder for IOS: military grade deletion for iPhone, iPad, and iPod touch. Retrieved from: https://www.protectstar.com/en/products/ishredder-ios. (Accessed on 6/4/2017)


Sporea, I., Aziz, B., McIntyre, Z. (2012). On the availability of anti-forensic tools for smartphones. International Journal of Security (IJS), 6(4).


Securecube. (2017). Call data records (CDR), cell site analysis, and data device correlation. Retrieved from: http://securcube.net/phonelog/. (Accessed on 7/4/2017)


Wikipedia. (2017). Call detail record. Retrieved from: https://en.wikipedia.org/wiki/Call_detail_record. (Accessed on 7/4/2017)


Smith, G. (2014). Mandatory communications data retention lives on in the UK - or does it?. Retrieved from: https://www.twobirds.com/en/news/articles/2014/uk/mandatory-communications-data-retention-lives-on-in-the-uk. (Accessed on 9/4/2017)


Tilleke & Gibbins. (2014). Ensuring compliance with the Thai computer-related crimes act. Retrieved from: http://www.tilleke.com/resources/ensuring-compliance-thai-computer-related-crimes-act. (Accessed on 9/4/2017)

