Mobile Forensics: Repeatable and Non-Repeatable Technical Assessments

Bibliographic details
Published in: Sensors (Basel, Switzerland), 2022-09, Vol.22 (18), p.7096
Main authors: Cuomo, Raffaele; D’Agostino, Davide; Ianulardo, Mario
Format: Article
Language: eng
Online access: Full text
Description
Summary: This paper presents several scenarios where digital evidence can be collected from mobile devices while keeping their legal value untouched. The paper describes a robust methodology for mobile forensics developed through on-field experiences directly gained by the authors over the last 10 years and many real court cases. The results show that mobile forensics, the digital analysis of Android or iOS smartphones, can be obtained in two ways: on the one hand, data extraction must follow the best practice of the repeatability procedure; on the other hand, the extraction of the data must follow the best practice of the non-repeatability procedure. The laboratory study of the two methods for extracting digital data from mobile phones, for use as evidence in court trials, has shown that the same evidence can be obtained even when the procedure of unavailability of file mining activities has been adopted. Indeed, thanks to laboratory tests, the existence of multiple files frequently and continuously subjected to changes generated by the presence of several hashes found at forensic extractions conducted in very short moments of time (sometimes not exceeding 15 min) has been proven. If, on the other hand, the examination of a device is entrusted to a judicial police officer in order to conduct a forensic analysis to acquire data produced and managed by the user (such as images, audio, video, documents, SMS, MMS, chat conversations, address book content, etc.), we have sufficient grounds to believe that such examination can be organized according to the system of repeatable technical assessments.
ISSN: 1424-8220
DOI: 10.3390/s22187096