Computer forensics involves the identification, preservation, extraction, documentation, and analysis of computer data. Computer forensic examiners follow clear, well-defined methodologies and procedures that can be adapted for specific situations. Such methodologies consist of the following steps:
Prepare a forensic copy (i.e., an identical bit-for-bit physical copy) of the acquired digital media, while preserving the acquired media’s integrity.
Examine the forensic copy to recover information.
Analyze the recovered information and develop a report documenting any pertinent information uncovered.
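The first step above, making a bit-for-bit copy while preserving the integrity of the acquired media, is the one most often done badly. The following Python program is an added example (not code from the report or from any of the tools it surveys) of a minimal forensic imager: it reads a source sector by sector, hashes the bytes as they are read, writes them to an image file, re-reads the finished image from disk and hashes it again, and records any sector that could not be read. The source is a constructed in-memory byte pattern standing in for a block device, with one sector deliberately made unreadable; the 512-byte sector size, the function names and the tamper check are all assumptions made for the example. Unreadable sectors are handled the way dedicated imagers handle them, by zero-filling the region in the image and logging its offset, so the image stays sector-aligned and the gap is documented instead of silently dropped.

```python
"""Added example: a minimal forensic imager with on-the-fly hashing,
post-write verification and bad-sector logging (not from the original report)."""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field

SECTOR = 512  # assumed sector size for the constructed source


@dataclass
class ImageReport:
    source_sha256: str                  # hash of the bytes as read from the source
    image_sha256: str                   # hash of the image file, re-read from disk
    bytes_copied: int
    bad_sectors: list = field(default_factory=list)  # offsets that were zero-filled

    def verified(self) -> bool:
        """True when what was written matches what was read."""
        return self.source_sha256 == self.image_sha256


def acquire(read_sector, total_size, image_path):
    """Copy a source exposed as read_sector(offset) -> bytes into image_path.

    A sector whose read raises OSError is replaced by zeros and its offset
    logged, as real imagers do; the image therefore keeps the geometry of the
    source and the report states exactly where it does not reflect the device.
    The image hash is computed from the file on disk, not from the buffer that
    was written, so a failure in the write path is caught.
    """
    src_hash = hashlib.sha256()
    bad = []
    with open(image_path, "wb") as img:
        for off in range(0, total_size, SECTOR):
            size = min(SECTOR, total_size - off)
            try:
                chunk = read_sector(off)
            except OSError:
                chunk = b"\x00" * size
                bad.append(off)
            src_hash.update(chunk)
            img.write(chunk)
    return ImageReport(src_hash.hexdigest(), hash_file(image_path), total_size, bad)


def hash_file(path):
    """SHA-256 of a file read back from disk in 64 KiB blocks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 16), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(path, expected_sha256):
    """Re-verify an image later (e.g. before examination or in court)."""
    return hash_file(path) == expected_sha256


def make_constructed_source(n_sectors, bad_sector_indices):
    """Constructed stand-in for a device: a byte pattern plus simulated bad sectors."""
    data = bytes((i * 7) & 0xFF for i in range(n_sectors * SECTOR))

    def read_sector(offset):
        if offset // SECTOR in bad_sector_indices:
            raise OSError("simulated unreadable sector")
        return data[offset:offset + SECTOR]

    return data, read_sector


def run_demo():
    """Image an 8-sector source with sector 3 unreadable, then tamper with the copy."""
    data, read_sector = make_constructed_source(8, {3})
    image_path = os.path.join(tempfile.mkdtemp(), "handset.dd")
    report = acquire(read_sector, len(data), image_path)
    with open(image_path, "rb") as f:
        image = f.read()
    intact = verify_image(image_path, report.image_sha256)
    with open(image_path, "r+b") as f:      # simulate a single-byte alteration
        f.seek(10)
        f.write(b"\xff")
    after_tamper = verify_image(image_path, report.image_sha256)
    return {
        "report": report,
        "image": image,
        "source": data,
        "verified_intact": intact,
        "verified_after_tamper": after_tamper,
    }


if __name__ == "__main__":
    r = run_demo()
    print(r["report"])
    print("intact:", r["verified_intact"], "after tamper:", r["verified_after_tamper"])
```

Two caveats a practitioner would add: the source hash here is computed from the same read pass that produced the image, so a match proves the copy was written correctly, not that the device was read correctly; the bad-sector list is what documents the latter. And nothing in this example prevents writes to the source, so on real media it would be run behind a hardware or software write blocker.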
Forensic toolkits are intended to facilitate the work of examiners, allowing them to perform the above steps in a timely and structured manner and to improve the quality of the results. This paper discusses available forensic software tools for handheld cellular devices, highlighting the facilities offered and associated capabilities.
Forensic software tools strive to address a wide range of applicable devices and to handle the most common investigative situations with modest skill-level requirements. These tools typically perform logical acquisitions using common protocols for synchronization, debugging, and communications. More complicated situations, such as the recovery of deleted data, often require highly specialized hardware-based tools and expertise, which are not within the scope of this report.
Handheld device forensics is a fairly new and emerging subject area within the computer forensics field, which traditionally emphasized individual workstations and network servers. Differences between handheld device forensics and classical computer forensics exist due to several factors, including the following, which constrain the way in which the tools operate:
The orientation toward mobility (e.g., compact size and battery powered, requiring specialized interfaces, media, and hardware)
The filesystem residing in volatile memory versus non-volatile memory on certain systems
Hibernation behavior (processes are suspended when the device is powered off or idle, but the device itself remains active)
The diverse variety of embedded operating systems used
Short product cycles for introducing new handheld devices
Most cell phones offer comparable sets of basic capabilities. However, the various families of devices on the marketplace differ in such areas as hardware technology, advanced feature set, and physical format. This paper looks at forensic software tools for a number of popular platforms, including Symbian, Research In Motion (RIM), Pocket PC, and Palm OS devices. Together these platforms comprise the majority of the so-called smart phone devices currently available and in use. More basic phones, produced by various manufacturers and operational on various types of cellular networks, are also addressed in the paper.