Challenges With Mobile Device Forensics
Manufacturer Protections
Modern mobile devices boast significant security protection mechanisms. While you will learn more about these specifically throughout the rest of the module, let's introduce you to some now.
Features such as full-disk and file-based encryption have become standard on modern devices, requiring some form of authentication (PIN, Face ID, fingerprint, etc.) to unlock, with data existing in various states in which it is or isn't readable. For example:
Before First Unlock (BFU)
Requiring authentication every time
Only need to authenticate once
No authentication needed
While disk and file encryption is not a new hurdle in digital forensics, it poses significant difficulty in acquisition. Mobile manufacturers have gone to great lengths to protect user data and their devices. Let's list some of the common protections that Android and iOS share at a high level.
Full disk & file-based encryption
Unless the device is authenticated or the protection is bypassed, forensic tooling cannot analyse the data stored within it. Individual files can be encrypted with different keys.
Isolated encryption keys
Android and iOS both use a dedicated hardware component to store encryption keys, from which the keys are extremely difficult to retrieve. This is similar to the TPM found on PC motherboards.
Secure boot process
It ensures that only trusted and verified code from the manufacturer can load, preventing tampering. An old investigation technique used a custom bootloader that bypassed a wide range of security mechanisms.
Sandboxing
Applications run within their own environments, isolated from one another. You will learn more about this throughout the module.
Lockout wiping
These devices can be configured to wipe themselves after a certain number of unsuccessful authentication attempts (e.g., failed PIN entries). If enabled, this prevents brute-forcing.
Remote wiping
With features like "Find My", a device can be remotely wiped from another device in the event of theft or loss.
Modern smartphones contain sophisticated protection mechanisms that make acquisition and analysis difficult. Manufacturers are only getting better at these as the game of cat and mouse continues. We will examine how analysis is possible with these (and more) protections in mind.
Legal Debates
Numerous legal and political challenges have surrounded the mobile device investigation process, especially in recent years. For example, regarding encryption, we are seeing debates about the protection of individual privacy and the balance between public safety and law enforcement.
In very recent history, at the time of writing, Apple withdrew its advanced data protection feature in the UK after the UK government legally challenged Apple to provide access to circumvent these protection mechanisms for law enforcement. Rather than comply, Apple removed it entirely, removing end-to-end encryption for iCloud data for everyone in the UK.
We have seen, and will continue to see, events like this across the globe, with other countries making legal demands on tech providers and manufacturers to provide access to encrypted data upon request. Some providers have capitulated to controversial legislative bills, placing users at risk in the interest of public safety. It's a dynamic debate with strong arguments on both sides.
Analysts need technical skills in mobile forensics as well as familiarity with data protection laws and the changing legislative landscape when analysing mobile devices, particularly across borders, and they face ever-increasing scrutiny.
Detecting Malware
Detecting malicious behaviour on mobile devices is notably difficult. As previously mentioned, malicious applications disguise themselves as legitimate utilities and perform nasty tricks behind the scenes. You cannot, for example, simply load your favourite disassembler onto an iPhone to analyse an app.
Coupled with the fact that monitoring agents (such as EDR agents) are still catching up on mobile platforms, these devices are generally less monitored on a corporate network than company workstations are.
These devices are designed to be as user-friendly as possible. Because of the security marketing they have heard from manufacturers, users often have their guard down when clicking links and the like.
Older smartphones may lack these sophisticated security mechanisms, and where 0-days are exploited, you may come across malware that rootkits the device and completely disguises itself.