
Certified/Validated Mobile Phone Tools

59 Posts
15 Users
0 Reactions
6,336 Views
(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
Topic starter
Certified/Validated Mobile Phone Tools

The purpose of this Poll concerns mobile phone tools used for examination that have not been Certified/Validated as forensically sound for the purpose to which they have been and are currently being put to use to generate evidence.


 96hz
(@96hz)
Estimable Member
Joined: 17 years ago
Posts: 143
 

Can I ask, which tools have been, or alternatively where would I find this information? Is the process of validation country specific?


(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
Topic starter

Can I ask, which tools have been, or alternatively where would I find this information? Is the process of validation country specific?

None of the mobile phone tools used to meet the criteria being discussed have been Certified/Validated for that purpose, as no Board has been operating to do that job, thus a list wouldn't exist. There are some organisations in some countries who produce guides of what they examined, but by the same token, of those tools mentioned in those guides, the same tools in the UK are noted not to be forensically sound and are tools that have no recognition or Certified/Validated status as forensically sound. It does raise the question how come we noted the flaws but those who examined those tools for those guides didn't mention them? An answer might be that possibly those producing the guides do not Certify/Validate those tools as forensically sound.

Tool sales bounce across national boundaries based upon who is willing to buy them, irrespective of whether the tool is country specific or not, or of whether a forensic standard is in place. There are some tools labelled 'forensic' and supplied free of charge into the marketplace. So the Poll above takes those into account too.

A Certification/Validation scheme would therefore probably need to be country specific for many technical and legal reasons.


(@andy_ht)
New Member
Joined: 17 years ago
Posts: 4
 

IMHO validation of the tools available for mobile phone examination is far from simple and would in fact be a massive task for any organization to undertake.

For certification/validation to be meaningful each tool would have to be verified against every handset and SIM card that it claims to support. It would then be necessary to repeat the process every time the manufacturer updates the software and take into account new handsets supported and features added to the support of older handsets, and then compare results with those obtained under the previous software version.

Examiners have a duty to ensure that the tools they use work as anticipated, and verify the results they obtain. If they fail to do this the system of justice in the UK has plenty of experience in uncovering any deficiencies.

Andrew Hawkins


 96hz
(@96hz)
Estimable Member
Joined: 17 years ago
Posts: 143
 

With a tool for computer forensics, in the simplest terms, you are looking for one which does not change the original media (although this is usually facilitated by using a write blocker) and produces accurate, verifiable and repeatable interpretations of the original media.

I confess to not knowing much about mobile phone forensics, but what would be the key characteristics of a forensically validated mobile phone forensic tool in your opinions?


(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
Topic starter

Andrew, do your comments confirm that you think exactly the same way about computer forensics? That is, if you use your own statement and directly apply it to computer forensics:

"Examiners have a duty to ensure that the tools they use work as anticipated, and verify the results they obtain. If they fail to do this the system of justice in the UK has plenty of experience in uncovering any deficiencies."


ComputerClues
(@computerclues)
New Member
Joined: 16 years ago
Posts: 1
 

Processing a phone has some serious distinctions from processing a computer. First, the phone probably has to be turned on to allow the tool (hardware and/or software) to access the phone. You cannot remove or image the "drive" as you would with a computer. And turning the phone on may necessarily change the contents to some small extent, something anathema to processing a computer. Even using a Faraday cage to prevent the phone network from relaying a wipe command to the phone won't prevent the booting process from possibly altering something. Different hardware/software may or may not work on particular phones, or may work to differing degrees. Also, some phones require that the forensic tool implant a small client through which it will communicate with the phone. All that to say that "certifying/validating" tools for phone forensics is not straightforward. For reference, start by reading http://csrc.nist.gov/publications/nistpubs/800-101/SP800-101.pdf.


(@cmdataservices)
New Member
Joined: 16 years ago
Posts: 4
 

The NIST report for 2007 is a helpful and useful guide, but a guide only. The report refers to handsets and their OSs. So the report only says NIST threw an n-selection of examination tools at these handsets and their OSs, and this is what they concluded at that time. The examination tools the report describes identify those tools' capabilities or, put another way, their limitations. The report doesn't advise on how to make something forensically sound, does not claim mobile phone tools cannot be made to be forensically sound, and offers no innovation or skills to achieve that objective. The NIST report does not qualify any of the manufacturers or programmers of these tools as certified or validated leaders in this field of distinction. On that basis the scope of the review carried out by those preparing the report was or is too narrow to justify that mobile phone examination tools cannot be certified/validated to be forensically sound.


(@andy_ht)
New Member
Joined: 17 years ago
Posts: 4
 

Greg,
The answer to your question is yes, examiners have a duty to ensure that the tools they use work as anticipated, and verify the results they obtain. This does not mean that examiners, regardless of whether we are talking about computers or mobile phones, should be able to reverse engineer the tool’s functionality and explain exactly how it works. It does, however, entail having an understanding of the processes that are involved and being able to verify the results. This principle is important to any type of forensic examination.

Computer Forensics has an advantage in that examiners are, in the vast majority of cases, working with a bit for bit copy of the original media. They are usually examining a known and well documented file system, containing a known and well documented operating system. If the forensic tool(s) reports that a file exists at a certain location, the file data can be examined on disk as can all the metadata objects that relate to the particular file, verifying that the tool is working as anticipated.

Books such as ‘Forensic Computing: A Practitioner’s Guide’ by Sammes & Jenkinson and ‘File System Forensic Analysis’ by Carrier (to name but two) are available to and used by many forensic computer examiners, along with the user manuals produced by the manufacturers of forensic tools and forums such as this.

Mobile phone forensics on the other hand is very much a ‘moveable feast’. Handset manufacturers compete with each other to get new models into the shops with added functionality and features and the documentation about how these handsets work at a file system and operating system level is not widely available. There are scholarly articles available on examination of certain handsets such as the iPhone and various RIM Blackberry models but from my perspective the material available for the vast majority of handsets is limited and difficult to come by. You will undoubtedly know far more than I about the body of published material that exists, and I know you share your knowledge freely on forums such as this and at the conferences you organise.

Andrew Hawkins


(@seanmcl)
Honorable Member
Joined: 19 years ago
Posts: 700
 

It seems to me that the poll is missing an important option, namely, that it would be desirable to have some sort of certification process if it were practical, but given the current state of affairs, requiring such would likely hamper legitimate investigations.

We try to address the validation (not certification) process by acquiring one or more used models of the phone that we intend to examine and experimenting with them first, in order to be sure that we understand the risks and issues that may arise with the subject phone.

The "one bite of the apple" principle is not inappropriate when talking about mobile phone/PDA forensics.
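The in-house validation Andrew and seanmcl describe (seed a test handset with known content, run the tool, compare, and repeat against each new tool version) can be reduced to a small regression harness. This is an added example, not code from the thread or from any tool vendor; the reference set and the two extraction reports are constructed inline and stand in for what an examiner would record from a real test phone.

```python
"""Regression check of a mobile extraction tool against a seeded test handset.

Added example (not from the forum thread). REFERENCE is what was deliberately
put on the test phone; EXTRACT_V21 / EXTRACT_V22 are constructed reports from
two successive versions of a hypothetical extraction tool.
"""
import hashlib
import json

# Constructed reference set: artifacts seeded onto the test handset.
REFERENCE = {
    "contacts": {"Alice": "+441632960001", "Bob": "+441632960002"},
    "sms": {"1": "meet at 10", "2": "running late"},
}

# Constructed extraction reports from tool version 2.1 and 2.2.
EXTRACT_V21 = {
    "contacts": {"Alice": "+441632960001", "Bob": "+441632960002"},
    "sms": {"1": "meet at 10", "2": "running late"},
}
EXTRACT_V22 = {
    "contacts": {"Alice": "+441632960001"},                       # Bob dropped
    "sms": {"1": "meet at 10", "2": "running late", "3": "???"},  # phantom record
}

def report_digest(report):
    """Stable SHA-256 of a report, so two runs can be shown to be repeatable."""
    canonical = json.dumps(report, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

def compare(reference, extracted):
    """Per category: seeded items missing, items not seeded, items altered."""
    findings = {}
    for cat in sorted(set(reference) | set(extracted)):
        ref, got = reference.get(cat, {}), extracted.get(cat, {})
        findings[cat] = {
            "missing": sorted(k for k in ref if k not in got),
            "unexpected": sorted(k for k in got if k not in ref),
            "altered": sorted(k for k in ref if k in got and got[k] != ref[k]),
        }
    return findings

def validate(reference, extracted):
    """True only when every category is complete and exact."""
    return all(not any(v.values()) for v in compare(reference, extracted).values())

def regression(prev, curr):
    """Per category, keys the previous version reported that the new one drops or changes."""
    return {cat: sorted(k for k in prev[cat] if curr.get(cat, {}).get(k) != prev[cat][k])
            for cat in prev}
```

Running `compare` against the reference answers "does the tool work as anticipated", while `regression` between two versions is the comparison with the previous software version that Andrew's post calls for.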


Page 1 / 6