NOTES-Unit 3

Uploaded by

Nikhil Tiwari

Unit 3

Mobile Forensics
Mobile device forensics is a branch of digital forensics relating to the recovery of digital
evidence or data from a mobile device under forensically sound conditions. The
phrase "mobile device" usually refers to mobile phones; however, it can also relate to any
digital device that has both internal memory and communication ability,
including PDA devices, GPS devices and tablet computers.

Mobile devices can be used to save several types of personal information such as contacts,
photos, calendars and notes, SMS and MMS messages. Smartphones may additionally
contain video, email, web browsing information, location information, and social networking
messages and contacts.

Depending on the situation, the officer in charge may decide to seize the mobile device, take a
backup of it, or take an image of it.

Procedure for gathering evidence from mobile phones

1. If the device is "OFF", do not turn it "ON".

2. If the device is "ON", do not turn it "OFF". Powering down the device could
enable a password lock, thus preventing access to the evidence.

3. Photograph the device and its screen display.

4. Label and collect all cables (including the power supply).

5. Imaging should be done before the device gets discharged. Keep the device
charged.

6. Seize additional storage media such as memory sticks etc.

7. Document all steps involved in the seizure of the device and its components.

A Faraday bag may be used by the officer in charge to block incoming signals. This prevents any
changes that receiving a signal could cause in the phone, so the evidence cannot be
manipulated until acquisition.

The officer in charge should fill in the Mobile Device Collection Form given below.
All the details should be filled in.
Mobile Devices Collection Form - Checklist

Name of the Authorized Officer:
Name of the assessee:
Date:                Time:                Premise Address:
Examiner's Name and Details:

System State: On / Off / Hibernation-Sleep
If switched On, what is visible on screen?

System Info
  Make:                Model:
  Mobile Type: GSM / CDMA / 3G / Others (if Others, specify)
  Time Zone Settings:
  Date/Time of Mobile Phone:              Actual Date/Time:
  IMEI/MEID Number:
  Mobile Serial Number (if any):
  Operating System (including version number):

SIM Card
  Is the SIM Card present? Yes / No
  SIM Service Provider Name:
  SIM Card Size:
  IMSI Card Number:

Mobile Phone State: ON / OFF / OFFLINE
Shutdown Type: NORMAL / BATTERY PULLED

Media Card: YES / NO
  Media Card Serial Number:
  Media Card Make and Capacity:

Does the assessee's phone have the ability to access the Internet? YES / NO

Storage Copy Details: Make:          Model:          Serial No:
Working Copy Details: Make:          Model:          Serial No:

Is the Media Card removed? Yes / No            Date:        Time:
Media Card replaced after imaging? Yes / No    Date:        Time:
Is the SIM Card removed? Yes / No              Date:        Time:
SIM Card replaced after imaging? Yes / No      Date:        Time:

Is the signature of the witness taken? Yes / No

Note by the AO regarding the potential evidence in the digital devices:

The details of various backup procedures are enclosed in Annexure 4.


Unit-3

Cyber Forensic Labs & Forensic Data Extraction Centers

Cyber forensics has become important in recent times because most business transactions
are carried out on computers, heavy and complicated accounting packages are in use, and
hi-tech digital devices are easily and cheaply available. Nowadays data is stored not only in
Word documents and Excel sheets but also on mobile phones, networks, clouds, emails
etc. This data may also be password protected or encrypted. Cyber forensics is necessary
to retrieve this data without altering, modifying or deleting it, and to make sure that the
data collected is admissible as evidence in a court of law.

Hence, ideally at each major centre of the Income Tax office, a forensic lab or forensic data
extraction centre needs to be established, with some basic forensic hardware and software
tools and some dedicated trained staff. At the same time, awareness and training
programmes for all the officers and Inspectors in the field need to be organised. The
facilities and skills can be upgraded from time to time. Certain requirements in this regard are
as under:

11.1 Constitution of each Forensic lab / Forensic data analysis and extraction facility:

- High-end laptops equipped with forensic write blockers (IDE, SATA, SCSI &
USB), a forensic software toolkit, a password recovery software toolkit, a registry
viewer, Distributed Network Attack and Wipe Drive. Each of these needs to be
bundled with external interfaces for enabling acquisition from external hard disks of
varying interface such as SATA hard disks, SCSI hard disks, laptops, USB pen
drives / MP3 players / iPods, digital cameras, CDs & DVDs / floppies, mobile SIM
cards, and all types of flash card memories.
- One high speed hardware wiping device capable of forensically wiping two disks
at a time at speeds of up to 8 GB/min.
- Three disk imaging devices for IDE / SATA / PATA / laptop hard drives. Should
support formatting of the destination drive in both FAT and NTFS format with speeds
up to 5.5 GB/minute.
- One disk imaging device for SCSI type hard drives. Should support formatting of
the destination drive in both FAT and NTFS format with speeds up to 9 GB/minute.
- One high end quad processor server. Should be compatible with LTO, DLT
drives and DTA drives.
- One hardware shadow device / previewing device with the functionality of
connection between the motherboard and the drive of the subject disk, which should
allow booting in a forensically sound manner without altering the data.
- Write blockers for IDE / SATA / PATA drives, for SCSI drives, for SATA drives,
and for USB drives. All these blockers should support both USB and FireWire
connectivity with the source hard drive.
- Live server imaging kit for imaging live servers.
- SIM interrogation system / mobile phone forensic devices for recovering data
from SIM cards.
- High end PCs for workstations.

11.2 Software

- Rainbow tables / other software for password cracking. Should fit on a DVD and
should crack 98% of all 40-bit encrypted Office documents.
- Forensic software toolkit for servers. Should contain forensic software (that
uncovers hidden, deleted, encrypted, misnamed and archived data, including emails,
and also has high speed indexed searching ability), a registry viewer, distributed
network attack and wipe drive software.
- Forensic software toolkit for PCs. Should contain forensic software that uncovers
hidden, deleted, encrypted, misnamed and archived data, including emails, and also
has high speed indexed searching ability. It is important that the device should be
easy to operate and should support hard disks in all jumper positions; otherwise an
officer in the field may commit a mistake. The device suggested should support all
hard drives except SCSI, for which another device is suggested.
- Consumables. These will include a variety of blank hard disks for making images,
hard disk casings, cartridges, CDs, DVDs and pen drives.

11.3 Reference Material

Books and Journals in the subject on computer forensics may be procured and made
available to the staff working in the lab.

11.4 Work practices for the Forensic labs / facilities

11.4.1 Support to Investigation Units

- The main function of the lab shall be to provide technical support to the
Investigation units in acquiring data on subject disks through cloning /
imaging, analysing the clones to uncover deleted, hidden and password
protected data, and handing the results over to the Investigation unit for
analysing them for defaults relating to Income Tax.
- Each lab will need a custodian of digital records for keeping a record of all
digital media entering and leaving the lab and for safe custody of the
archived disks. A log of all forensic activities carried out on a disk will be
maintained in the lab.
- Wherever possible, the Investigation unit will give a requisition for the
services of the lab mentioning the computer environment expected at the
site. This may include such information as:
  - Make / model / number of servers at the location
  - Number of client computers
  - Presence of any unusual media such as LTO drive systems, SAN etc.
  - Kind of networking or kind of connectivity to the internet
  - Whether remote dial-in facilities exist or not, etc.
- The brief for the search parties can, inter alia, contain suggestions regarding:
  - Method for performing a preview of computers and other disks found
by the search team
  - Treatment of loose media found at the site: floppies, CDs,
CF cards, tapes, memory sticks, USB pen drives, MP3 players,
iPods, mobile phones, digital cameras etc.
  - Whether imaging / cloning is to be done onsite or whether the hard disk
would be required to be seized
  - Whether all computers found on site will be seized / imaged or not; if
not, what criteria are to be applied to select the computers relevant
to the investigation
- A forensic team can be deputed to the site where digital data is found. It must
carry:
  - A sufficient number of pre-wiped disks for imaging / cloning
  - A disk imaging device capable of imaging all types of disk drives
  - Portable labs for previewing computers' hard disks, in case a decision
has to be made as to which computers are to be imaged or not
  - Sufficient evidence bags and tags for properly packing, labelling &
transporting the imaged data in a proper form
11.4.2 Procedure for onsite imaging / seizure of disks

The Forensic team will:

- Examine the communications network and other connections and observe the screen
display.
- Unplug communications connections and modems from computers without
turning off the computers, and label all connections. It is recommended to
disconnect network cables and connections at the time of investigation. This
can also be done by switching off the network hubs and switches and
sealing them till the search / seizure operation is complete.
- Identify serial numbers of CPUs, monitors, hard disk drives and other
electronic equipment. Decide whether to shut down the computers that are on,
recording the reasons as to why and when a shutdown was carried out.
- Access the computers through write blockers and make two physical images
(clones) of each hard disk found, onto previously wiped blank disks, using
hardware imaging devices. The team will compute the hash value of each disk found
and mention it in the panchnama.
- In case any disk is to be seized, seize the hard disk by properly labelling it and
placing it in protective covering.
- Shut down and collect the computer(s), peripherals, printouts (if any),
floppies (if any) and any other potential evidence; bag and tag each item individually.
- The following information will need to be included in the panchnama, a copy
of which will be given to the assessee:
  - Inventory of all computer hard disks / media found
  - The time displayed in the CPU clock of the PC / server and the actual
local time at that time
  - Inventory of all disks which were cloned / imaged, with the number of
clones created / seized, giving the hash value of each disk
  - Inventory of all disks found and seized without cloning

11.4.3 Procedure for imaging seized hard disks

In cases where hard disks cannot be cloned at the site and are therefore seized, two sets
of images / clones should be created in the lab in the presence of the assessee or his
representative and the authorised officer, following the same procedure as described
above. A panchnama should be prepared for this activity, recording the hash value
of each of the hard disks imaged and the other particulars mentioned above. The
assessee may be given the option to obtain a copy of the image at his own cost.
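The two-image-plus-hash step described in the onsite and in-lab imaging procedures above, shown as an added Python example (not part of these notes): a block-wise copy of a source disk to two clone files, with the SHA-256 hash of the source and of each finished image re-computed and compared, so the values recorded in the panchnama can be verified later. The 1 MiB sample disk file and the clone file names are constructed for the demonstration; a real acquisition goes through a hardware write blocker, which the read-only open here does not replace.

```python
import hashlib
import os
import tempfile

BLOCK = 4096  # copy in fixed-size blocks, as a hardware imager copies sectors


def sha256_of(path: str) -> str:
    """Hash a file block by block, so disks larger than RAM are handled."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            h.update(chunk)
    return h.hexdigest()


def image_disk(source: str, dest: str) -> str:
    """Copy every block of `source` to `dest`; return the hash of the bytes
    written. The source is opened read-only, the software counterpart of the
    hardware write blocker the procedure requires (it does not replace it)."""
    h = hashlib.sha256()
    with open(source, "rb") as src, open(dest, "wb") as dst:
        for chunk in iter(lambda: src.read(BLOCK), b""):
            dst.write(chunk)
            h.update(chunk)
    return h.hexdigest()


def make_two_clones(source: str, outdir: str) -> dict:
    """Produce the two images the procedure asks for and the panchnama entry:
    source hash, hash of each image, and whether all three agree."""
    source_hash = sha256_of(source)
    clones = []
    for n in (1, 2):
        dest = os.path.join(outdir, f"clone{n}.img")  # constructed names
        stream_hash = image_disk(source, dest)
        # Re-read the finished image: the hash recorded in the panchnama must
        # come from what is actually on the target disk, not from the stream.
        stored_hash = sha256_of(dest)
        clones.append({"path": dest, "hash": stored_hash,
                       "ok": stream_hash == stored_hash == source_hash})
    return {"source": source, "source_hash": source_hash,
            "clones": clones, "verified": all(c["ok"] for c in clones)}


def demo() -> dict:
    """Constructed sample: a 1 MiB random file stands in for a seized drive."""
    tmp = tempfile.mkdtemp()
    disk = os.path.join(tmp, "evidence_disk.bin")
    with open(disk, "wb") as f:
        f.write(os.urandom(1024 * 1024))
    return make_two_clones(disk, tmp)
```

The returned dictionary is the record to copy into the panchnama; any later re-hash of a clone that no longer equals `source_hash` shows the image was altered after acquisition.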

11.5 Manpower and Training

Each lab / unit will need at least one ITO, two Inspectors and one Tax Assistant on a full
time basis for maintaining records and equipment. These personnel will need thorough
training in the use of the hardware and software tools. This training needs to be factored into
the procurement process itself, and the vendor should be obliged to provide training to a
fixed number of officers per licence / hardware item purchased.

11.6 Cyber forensic labs in Mumbai, Delhi and Ahmedabad

As of now, there are three cyber forensic labs being operated at Mumbai, Delhi and,
recently, Ahmedabad. Other directorates / field formations that want to use
the facility of these cyber forensic labs need to undertake the following steps to
maintain the integrity of the data:
1. The original digital evidence should be collected, all the entries in the Digital
Evidence Collection Form (enclosed in Annexure-7) should be filled in, and
signatures should be taken from the assessee and two witnesses.
2. The chain of custody form (enclosed in Annexure-8) should be filled in. This is a
key document that must be filled in to ensure that the integrity of the
data cannot be questioned by any court of law.
3. In case the digital evidence is a mobile phone, the Mobile Phone Evidence
Collection Form (enclosed in Annexure-9) should be filled in.
4. Appropriate packaging and labelling of the evidence should be undertaken.
First choose packaging of the proper size and material to fit the evidence.
Do not drop digital evidence into a common plastic grocery bag or some
makeshift package. Various types of special packaging should be prepared using
envelopes, bags and containers. The packaging should be clean and preferably new
to avoid contamination. Each piece of evidence should be packaged separately and
then properly labelled, sealed and documented. Use anti-static bags to transport
evidence, as these protect the devices and prevent any localised static electricity
charge from being deposited onto them.
5. Diskettes are fragile, so if packed loosely they may get damaged during transport.
Hard disks should not be subjected to shocks. If you are transporting a CPU or
media devices in a vehicle, steps should be taken not to place them in an area
where a drastic change in temperature is expected. You should guard the evidence
against electrostatic discharge.

Apart from this, a forwarding letter to the Cyber Forensic Labs for scientific
analysis and opinion should mention the following information:
- Brief history of the case
- The details of the exhibits seized and their place of seizure
- The model, make and description of the hard disk or any storage device
- The date and time of the visit to the premises
- The condition of the computer system (on or off) at the scene of crime
- Whether a photograph of the scene of crime was taken
- Whether it is a stand-alone computer or a network
- Whether the computer has any internet connection or any means to
communicate with external computers
- The details of the operating system
- The application software used, if any, and details of the same
- Any password files which have been impounded or taken as part of any
statement
- BIOS date and time stamps
- Whether the storage media was previewed and, if so, whether the preview
was done forensically or not
- Some keywords useful for analysis, like "cash", "lakhs" etc.
- The date and time at which the seizure of the digital evidence was done
- The printout of any important files relevant to the case
- The output of the business application software which is required
- The details of deleted files, if any are required
- Reasons why the system in question was seized and the details
which the concerned officer is looking for

An analysis of the cyber forensic lab at Mumbai yields the following details:

1. The lab is attached to one of the units in the office of the DGIT(Inv), Mumbai,
who has control over the functioning of the lab.
2. There is a software engineer working in the lab; this job is outsourced. This
engineer is mainly used for data extraction and acquisition and also for on-
the-spot analysis of data. The analysis of acquired data is mainly done by the
DDIT concerned, but in case on-the-spot analysis is required, the help of
this engineer is taken.
3. The services of another private firm are also taken in case there is a large
amount of data acquisition and extraction.
4. The data extracted is kept with the DDIT concerned and then transferred to the
assessment units when the case is centralised. In case of this transfer, the chain of
custody form should be filled in and kept in safe custody for further reference.
5. In this lab, functions such as file analysis (MS Office files), recovery of
deleted files, analysis of hidden files, recovery of formatted / deleted
partitions, file signature verification, internet history and cookies, mailbox
viewing, slack space data analysis, keyword searching, analysis of file meta-
data etc. are carried out.
6. The different hardware tools used in this lab are: Drive Wiper Voom,
which can sanitise 2 HDs at a time; Wipe Master, which can sanitise up to 9 HDs;
write blocking devices such as Ultra Kit and Vroom Shadow-II; a forensic duplicator,
which duplicates all sectors of the evidence device to the target device; UFED for
mobile backup; and FRED (Forensic Recovery of Evidence Device), which has an
inbuilt write blocker and pre-installed forensic software and is used for acquiring
data during the course of search / survey etc.
7. The different software tools used in this lab are: Cyber Check Suite 4.0, used to
acquire an image from an evidence hard disk and to recover deleted data, detect file
signature mismatches, etc.; Encase 7.0, which is similar to Cyber Check Suite;
Encase Portable, which is a software tool on a pen drive used for onsite analysis;
Passware, used to crack passwords, which supports 180+ file types; Recover
My Files, used to see deleted files; File Salvage, which is the same as Recover
My Files but is used in the case of Mac OS; and Helix, which is a live tool on a
bootable CD that acquires RAM memory, duplicates the HDD, shows the computer
configuration and the software installed on it, and reads the system registry in a user
readable format etc.

As seen from the above, it is clear that the cyber forensic lab is helping the department
to acquire and analyse complex data. Hence, there is a need to create cyber
forensic labs at major centres, and their help should be taken for proper analysis of data.
Care should also be taken to keep upgrading the tools present in the labs and to
upgrade the knowledge base of the people working with them.
