becoming increasingly prevalent and are constantly evolving into “smarter” devices (i.e. smartphones with higher processing power and enhanced features), the capability to perform in-depth forensics on these devices also becomes essential.
However, current mobile phone forensics is still restricted to the research and analysis of static data on the Subscriber Identity Module (SIM), memory cards and the internal flash
memory (Willassen, 2003; Forensic analysis, 2006; Jansen and
Ayers, 2006; Williamson et al., 2006; Casadei et al., 2006; Ayers
et al., 2007; Kim et al., 2007; Al-Zarouni, 2007; Mokhonoana
and Olivier, 2007; Jansen et al., 2008; Bhadsavle and Wang,
2008; Distefano and Me, 2008; Ahmed and Dharaskar, 2008;
Berte et al., 2009; Hoog, 2009; Hoog and Gaffaney, 2009).
Although the constraint on storage capacity means that investigators do not face the problem of an exceedingly large amount of potential evidence to analyse, it introduces another problem. Because of this limited storage, volatile information such as application data, Internet browsing data and instant messaging conversation histories is often never written to non-volatile storage media. This is unlike computer systems, which allow the caching and backup of large amounts of data (e.g. MSN chat history). Here the limitations of static forensic analysis on mobile phones become even more evident: without the means to perform live memory forensics on mobile phones, potentially incriminating evidence may be lost forever.
As a mobile phone's main function is to support communications, the capability to perform forensic analysis on its interactive applications is very important. In this paper, we propose an automated system to support live memory analysis of the dynamic properties of interactive applications on a mobile phone. We implemented the system components and investigated the persistency of the mobile phone's volatile data and real-time evidence acquisition. The mobile phone used in our investigation was an Android mobile phone, the Google development set. The Android platform was chosen because it was the most recently released mobile platform and because of its fast-rising popularity among users and mobile phone manufacturers (Kumparak, 2010). As future work, we will investigate applying the methodology and porting the system to other mobile phone platforms.
The rest of the paper is organised as follows. In Section 2, we present an overview of research conducted on mobile phone forensics. We describe our live memory forensic analysis system in Section 3. The experiments and results are presented and discussed in Section 4. Future work is described in Section 5. Conclusions follow in Section 6.
2. An overview of mobile phone forensics research
In an early work (Willassen, 2003), Willassen researched the forensic investigation of GSM phones. The author presented the types of forensically relevant data that can exist on the phone, the SIM and the core network, and emphasised the need for sounder mobile forensic procedures and tools. In (Forensic analysis, 2006), Willassen proposed extracting a physical image of the mobile phone's internal flash memory by desoldering the memory chip and reading it with a device programmer. Another proposed method was to read the memory through the boundary-scan (JTAG) test pins. The extracted memory was examined for the presence of deleted file contents.
In Casadei et al. (2006), the authors presented their SIMbrush tool, developed for both the Linux and Windows platforms. The tool relied on the PC/SC library and supported acquisition of the entire file system on the SIM, including non-standard files. However, files with restricted read access conditions could not be extracted.
In Kim et al. (2007), the authors presented a tool to acquire data from a Korean CDMA mobile phone's internal flash memory. The tool communicated with the phone through the RS-232C serial interface and was able to acquire the existing files on the phone using the underlying Qualcomm Mobile Station Modem diagnostic mode protocol.
In Al-Zarouni (2007), the author studied mobile phone flasher devices and considered their applicability to mobile phone forensics. As these devices offered access to the phone's flash memory and did not require installing anything on the phone, they were deemed forensically sound. However, their operation was not well documented. Since they were designed to write to the memory, the extent to which a read operation might alter the evidence was unknown. Their reading capability and memory access range also varied across phone brands and models.
In Mokhonoana and Olivier (2007), the authors proposed an on-phone forensic tool to acquire the active files from a Symbian OS v7 phone and store them on removable media. Instead of interfacing with the PC connectivity services, the tool interacted with the operating system to perform a logical copy of the files. The tested phone was a Sony Ericsson P800. One main limitation of the tool was that files in use (e.g. call logs, contacts) could not be copied.
In Distefano and Me (2008), the authors proposed an internal acquisition technique for Symbian OS v8 phones. The mobile phone data was acquired using a tool residing on the removable media, instead of the approach based on a USB connection between PC and phone. The tool used the Symbian S60 File Server API in read-only mode. The authors carried out experiments comparing the tool with Paraben Device Seizure (USB connection to the phone) and P3nfs (remote access through Bluetooth). The tool took longer to perform the acquisition. It acquired more data than P3nfs but less than Paraben Device Seizure. However, the authors observed that the larger data size from Paraben was due to the additional information from its acquired-data management.
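As an added example (not code from the paper or from either of the two Symbian tools surveyed above), the following Python script illustrates the on-device logical acquisition approach they share: a read-only walk of the phone's file tree, a byte-for-byte copy of each file to the evidence store, a SHA-256 digest recorded per file, and an explicit record of the files that could not be opened because the operating system holds them in use, which is the failure mode reported for the Mokhonoana and Olivier tool. The sample file tree, its file names and contents, the set of "in use" files and the `opener` hook used to simulate the OS lock are all constructed for this example and are not taken from the paper.

```python
"""Read-only logical acquisition of a file tree with a hashed manifest.

Added example; not code from the paper or from the surveyed tools. A
temporary directory stands in for the phone file system, and files the OS
would hold "in use" are simulated through the `opener` hook. All paths,
file names and contents below are constructed for this example.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field

CHUNK = 64 * 1024


@dataclass
class AcquisitionReport:
    acquired: dict = field(default_factory=dict)  # relpath -> SHA-256 hex
    failed: dict = field(default_factory=dict)    # relpath -> error text


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire_tree(src_root, dst_root, opener=open):
    """Copy every readable file under src_root to dst_root, reading only.

    Each source file is opened once, streamed to its evidence copy and hashed
    on the way. A file the OS refuses to open is recorded in `failed` rather
    than silently skipped, so the investigator knows which artefacts (call
    log, contacts, ...) the logical copy does not contain.
    """
    report = AcquisitionReport()
    for dirpath, dirnames, filenames in os.walk(src_root):
        dirnames.sort()  # deterministic order for the acquisition log
        for name in sorted(filenames):
            src = os.path.join(dirpath, name)
            rel = os.path.relpath(src, src_root).replace(os.sep, "/")
            dst = os.path.join(dst_root, *rel.split("/"))
            try:
                with opener(src, "rb") as fin:
                    os.makedirs(os.path.dirname(dst), exist_ok=True)
                    digest = hashlib.sha256()
                    with open(dst, "wb") as fout:
                        for buf in iter(lambda: fin.read(CHUNK), b""):
                            digest.update(buf)
                            fout.write(buf)
                report.acquired[rel] = digest.hexdigest()
            except OSError as exc:
                report.failed[rel] = f"{type(exc).__name__}: {exc}"
    return report


def verify_copy(dst_root, report):
    """Re-hash the evidence copies; return relpaths whose digest changed."""
    mismatched = []
    for rel, expected in report.acquired.items():
        with open(os.path.join(dst_root, *rel.split("/")), "rb") as f:
            if sha256_hex(f.read()) != expected:
                mismatched.append(rel)
    return mismatched


# Constructed sample data standing in for a phone file system (not from the paper).
SAMPLE_FILES = {
    "System/Data/contacts.db": b"contact:Alice;+6591234567\n",
    "System/Data/calllog.db": b"call:out:+6598765432:42s\n",
    "System/Apps/Messaging/inbox.txt": b"sms:Bob:see you at 9\n",
}
# Files assumed to be held open by the OS, as the Symbian tool found for
# call logs and contacts.
IN_USE = {"System/Data/contacts.db", "System/Data/calllog.db"}


def build_sample_phone(root):
    for rel, data in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)


def locked_opener(src_root):
    """open() replacement that refuses files in IN_USE, simulating an OS lock."""
    def _open(path, mode="rb"):
        if os.path.relpath(path, src_root).replace(os.sep, "/") in IN_USE:
            raise PermissionError(13, "file in use by another process")
        return open(path, mode)
    return _open


def run_demo():
    """Acquire the sample tree; return (report, list of mismatched copies)."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = os.path.join(tmp, "phone"), os.path.join(tmp, "evidence")
        build_sample_phone(src)
        report = acquire_tree(src, dst, opener=locked_opener(src))
        return report, verify_copy(dst, report)


if __name__ == "__main__":
    rep, bad = run_demo()
    print("acquired:", rep.acquired, "\nfailed:", rep.failed, "\nmismatched:", bad)
```

Run stand-alone, the script acquires only the inbox file, lists the two locked files under `failed` with the error the OS returned, and verifies that the evidence copies still match the digests taken at acquisition time. On a real handset the `opener` hook would simply be the platform's file API, and the report would be written alongside the evidence copies so that the gaps in a logical acquisition are documented rather than discovered later.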
In Jansen et al. (2008), the authors proposed a phone manager protocol filtering technique that intercepts the data exchanged between the phone and the phone manager. The objective was to address the latency in the coverage of newly available phone models by existing forensic tools. The authors also proposed an identity module programming technique to populate the phone's SIM with reference test data, so as to provide a baseline for the validation of SIM forensic tools.
digital investigation 7 (2010) S74–S82 S75