Mobile Device Forensics - Infosec · PDF fileRunning head: MOBILE DEVICE FORENSICS 1 Mobile...
Transcript of Mobile Device Forensics - Infosec · PDF fileRunning head: MOBILE DEVICE FORENSICS 1 Mobile...
Running head: MOBILE DEVICE FORENSICS
1
Mobile Device Forensics
By: Vicki Holzknecht
East Carolina University
Contact: [email protected]
Running head: MOBILE DEVICE FORENSICS
2
Abstract
In 2015, Gartner expects personal computer shipments to be estimated at 268 million, on the other hand
mobile device shipments is roughly around 2 billion shipments (Rivera, van der M., 2014). Businesses
when adopting the Bring Your Own Device (BYOD) platform, face head on securing private information
from prying eyes. However, disgruntled employees can erase videos, pictures, text messages, or corporate
data that could be used as evidence to implicate the user for any wrongdoings. Retrieving any type of
data, forensics experts use mobile forensic tools that are designed to penetrate and analyze deep into the
heart of the mobile devices hardware and software, recovering data that was thought to be lost.
Keywords: Mobile Forensics, Extractions, Software Recovery Tools
Running head: MOBILE DEVICE FORENSICS
3
Mobile Device Forensics
Introduction
Mobile technology has come a long way since World War II, soldiers were shouldering a twenty-
five pound phone that had spotty reception and was limited to a range of five miles (Meyers, 2011). Fast-
forwarding to present day, mobile phones are so compact, they can now fit into shirt pockets, purses, and
coverage is nationwide and even international depending on the carrier. The advancement of mobile
technology has allowed employees to perform what was once considered office environment task, can
now be completed while on the go such as making calls, e-mailing, instant messaging / text messaging,
setting up calendar events, storing contacts, and working on presentations, etc. Mobile devices are
interwoven into the consumer’s daily life whether it is personal or work usage. What consumers do not
realize is the mobile devices are really just a treasure trove of data; law enforcement can use in a court of
law. Digital evidence is found in eighty percent of today’s civil, criminal, and domestic prosecutions,
(Daniel, n.d.), this should not be a surprise when there is approximately 6.8 million mobile devices
around the globe (Moshe, 2014). During a NIST Mobile Forensics Webcast Richard Ayers noted that 2.5
trillion text messages are sent per year (Ayers, 2014). Many users are under the assumption that once a
text message is deleted or removed from a device it is non-retrievable. Paul Luehr part of a cybercrime
expert team recently retrieved a years worth of text messages, even after the device had been erased
(Kaneshige, 2014).
Mobile Device Forensics Defined
The recovery of digital evidence using forensically sound and proven methods of acceptance is
known as mobile device forensics (Barmpatsalou, Damopoulos, Kambourakis, Katos, 2013). Mobile
forensics falls underneath the umbrella of the digital forensic sciences. Digital forensic science is defined
as:
Running head: MOBILE DEVICE FORENSICS
4
“The use of scientifically derived and proven methods toward the preservation, collection,
validation, identification, analysis, interpretation, documentation and presentation of digital evidence
derived from digital sources… (Palmer, 2001).”
The National Institute of Standards and Technology published a revised document 800-101:
“Guidelines on Mobile Device Forensics” updating any information that is no longer prevalent to the
field, because of continual changes in mobile technology (Ayers, Brothers, Jansen, 2014). The Guide on
Mobile Device Forensics is drafted to be a reference tool that forensic analysts could use to become
acquainted with common mobile technologies, and common industry procedures. For evidence to not be
dismissed in a court of law sound methods much be exercised (Tassone, Martini, Choo, Slay, 2013).
NIST clearly states, that the 800-101 guide is to be used explicitly as a reference manual, NOT to be
misconstrued as a step-by-step model for lawful advice (Ayers, Brothers, Jansen, 2014).
Types of Data
According to a survey observing statistics from January to March in 2014 by a mobile
measurement platform Flurry; American’s spend 162 minutes per day on their device (Soper, 2014);
hence the amount of evidence that can be discovered and recovered. Table 1 below lists various sources
that can be used as evidence for investigations:
Contacts Call log (Time Stamps, Incoming,
Outgoing, and Missed Electronic Email Text Messages (MMS,
SMS) Photos Internet Browsing Cache
GPS Coordinates Social Network Data (Facebook, Twitter, etc)
Calendar Documents
Video/Audio Removable Media Cards
Instant Messengers (Skype, Facebook
Chat)
Subscriber Identifiers
Running head: MOBILE DEVICE FORENSICS
5
Equipment Identifiers
Gaming Data (Applications)
Table 1 Types of Evidence (Ayers, 2014)
Hardware
Two of the most ubiquitous mobile operating systems used today are Android and iOS, both
having conventional hardware architectural frameworks. Each device holds a microprocessor, memory
(ROM, RAM), liquid crystal display, keyboard, touchscreen capabilities and a digital signal processor
(Al-Zarouni, 2006) just to mention a few. Read Only Memory (ROM) and Random Access Memory
(RAM) is a key factor when collecting digital evidence off of a mobile device. Random Access Memory
is temporary memory that stores information when performing a certain task; Read Only Memory, is the
mobile devices internal memory (Gonzalez, Hung, Friedberg, 2011). RAM is volatile memory, meaning
if the device battery depletes all the way, or the investigator inadvertently shutdowns the device, potential
evidence (data) that was stashed in RAM is non-recoverable; it is the most difficult to accurately capture
(Ayers, Brothers, Jansen, 2014). The device being powered off does not affect non-volatile memory
ROM.
Subscriber Identity Modules, known as SIM cards is used to authenticate the mobile device to the
carriers cellular network, and storing data about the users identity (Gonzalez, Hung, Friedburg, 2011).
There are several cellular networks, two that are used more so than others Code Division Multiple Access
(CDMA) and Global System for Mobile Communications (GSM) (Murray, n.d.). CDMA devices are
assigned a 32 bit electronic serial number (ESN) or Mobile Equipment Identifier (MEID), embedded on a
protected chip, identifying the manufacturer and the serial number (Ayers, Brothers, Jansen, 2014). A
GSM device uses the International Mobile Equipment Identity (IMEI), which is a 15-digit number that
identifies the manufacturer, model and the country allowing the devices (Ayers, Brothers, Jansen, 2014).
If the device is turned on an examiner documenting every step made, can go onto an iOS device select
Settings, General, and then About to discover more device information that can be researched. Figures 2
and Figures 3 shows a screenshot of an iPhone 4 and an iPhone 6-device label:
Running head: MOBILE DEVICE FORENSICS
6
Figure 2 iPhone 4 Device Label (Holzknecht, 2015)
Figure 3 iPhone 6 Device Label (Holzknecht, 2015)
Forensic experts can use online databases such as International Numbering Plans1 to look up
IMEI’s if they are uncertain of manufacturer and or model of the device. Under a free account, a forensic
expert can analyze up to twenty devices for approximately eight months. Figure 4 is an example of
returned information from the International Numbering Plans analysis tool:
1 https://www.numberingplans.com
Running head: MOBILE DEVICE FORENSICS
7
Phone Scoop2 a collective database on mobile phones where specifications and device features
can be found (Ayers, Brothers, Jansen, 2014). It is advisable to obtain current documentation or a user
manual on the device before it is to be analyzed (SWGDE, 2013).
Extraction Levels
Research has shown, that using more than one tool to acquisition evidence can balance out each
of the tools strengths and weaknesses (Barmpatsalou, Damopoulos, Kambourakis, Katos, 2013). What
one tool may not discover, the other tool may penetrate deeper into the system retrieving valuable
information. Tools available in general are third party. Sam Brothers originated the Mobile Device Tool
Classification pyramid back in 2007 (Ayers, 2014). The pyramid shows the different levels of
acquisitions that can be accomplished using mobile forensic tools; going up the classification structure
2 http://www.phonescoop.com/phones
Figure 4 iPhone 6 IMEI Lookup (Holzknecht, 2015)
Running head: MOBILE DEVICE FORENSICS
8
requires more training, analyses periods are longer, invasive, and it gets technical, sometimes involving
the removal of a chip (Brothers, 2014). Going down the classification structure the procedure is less
invasive, analysis times are quicker, not a lot of technical training involved (Brothers, 2014). Table 2 is a
visual representation of the different classification levels for tools (bottom to top approach):
Micro Read Physical Extraction
Chip-Off Physical Extraction
Hex Dumping Physical Extraction
Logical Extraction
Manual Extraction
Table 2 Extraction Classification (Brothers, 2014)
Manual Extraction also known, as hand jamming is the process of physically looking at the
device, this is considered one of the easiest extraction levels when there is small amount of data involved
(Brothers 2014). During the manual extraction level document steps taken using a camera, or a video
recorder when sorting through the devices using the screen and keyboard to unearth evidence (Ayers,
2014). This method is popular with the police departments. In some cases, mobile users will voluntarily
hand over their device to the police for a quick glance at text messages, e-mails, calendars, social
applications (Facebook, Twitter), call logs (Brothers, 2014); to see if there is any probable cause to seize
the device for an in-depth investigation.
There are a couple of tools that can be used for manual extraction, ZRT 2 and Project-A-Phone
(Brothers, 2014). Project a Phone3 is a cataloging system that takes 8 Mega Pixel photos and 720p video;
with software that generates reports, cost is around $400. ZRT 2 is another camera that is good for
Optical Character Recognition within pictures, also has the capability to take videos, generates reports
works with almost every phone; the price is around $3,800 (Brothers, 2014), ZRT 3 is now available.
3 http://www.project-a-phone.com/icd-8000.html
Running head: MOBILE DEVICE FORENSICS
9
Logical Extraction involves connecting the device through a data cable to a computer; the
computer software then sends a command to the mobile device, and the mobile device responds
accordingly, (Ayers, 2014), using AT commands (Casey, Turnbull, 2011). Some possible AT commands
are at+xlog=0 gives the firmware version and at+cpbr which is SIM phonebook read (Rivers, 2012). AT
Commands are considered a weak approach because investigators cannot extract deleted information
(Willassen, 2005). A couple of tool extractions that can be used at level two are Oxygen Forensics
Extractor, and ACESO Kiosk. Oxygen Forensics Extractor4 analyzes, geological coordinates from
photos, collecting user data from over 550 applications, device logs, and passwords to accounts that the
device user owns, and Wi-Fi hotspots, et cetera, price requires a quote request. The ACESO Kiosk5 can
be used with any technical skill levels, the forensic analyst inserts the device extracting metadata,
providing timestamps, geo-tagging the model and make of device, retrieving data off of SIM and memory
cards, storing all the data gathered in an AES encrypted format and a comprehensive report.
The next three tier levels are through procedures of physical extractions. The third level is
through methods of Hex Dumping (Barmpatsalou, Damopoulos, Kambourakis, Katos, 2013), requiring
connectivity (Wi-Fi, wired, et cetera) between mobile device and digital forensic workstation (Ayers,
Brothers, Jansen, 2014). Hex Dumping forces a boot loader onto the device dumping the information that
is harvested on the protected parts of the memory (RAM) (Brothers, 2014). Forensic analyst use a flasher
box connecting the device data port to the digital forensic workstation, then the device is placed in a
diagnostic mode, where the analyst can send commands and the flasher box “captures’ section(s) of the
memory transporting the data back to the workstation (Ayers, Brothers, Jansen, 2014). Cellebrite’s UFED
Touch Ultimate is the most popular tool used in the United States (Brothers, 2014). The Touch Ultimate6
performs both logical and physical extraction and decoding; also for Android devices the Touch Ultimate
4 http://www.oxygen-forensic.com/en/products/oxygen-forensic-extractor/for-mobile-devices 5 http://www.radio-tactics.com/products/law/aceso-kiosk 6http://www.cellebrite.com/Media/Default/Files/UFED%20Touch%20data%20sheet.pdf
Running head: MOBILE DEVICE FORENSICS
10
can bypass security features such as pattern lock, and pin (Cellebrite, 2015), price range is around $4500
(Brothers, 2014). XRY Office7 is an all-in-one packaged tool that performs logical and physical
extractions of data; it can read and clone SIM cards, produce a combined live and delete report, and
provides a hex viewer to examine the data. XRY is widely used in the United Kingdom, and price tag is
around $4000 (Brothers, 2014).
The fourth classification tier level is chip-off. Chip-Off is the removal of the chip from the
device, so the analyst can create a binary image of the chip (Ayers, Brothers, Jansen, 2014). The copy of
the chip can then be read in another device or through an EEPROM reader (Brothers, 2014). UP-828
Programmer8 by TEELtechnologies supports different Android and Blackberry flash chip technologies,
the beginning price is $2012, if further adapters are required for newer phone support it is a $670
investment. The Netherlands Forensic Institute developed NFI Memory Toolkit9; it is a universal kit that
examines the memory retrieving phone numbers, text messages, browser history even when the device is
damaged and / or protected.
The last level in the tool classification module is Micro Read. Micro Read is using an electron
microscope to examine NAND and NOR chips; at this level it should only be performed during a high
profile case, there are no Micro Read tools available (Ayers, Brothers, Jansen, 2014). “NOR chips store
operating system code, drivers for the device, system libraries; NAND memory comprises of graphics,
audio, video and other useful files” (Ayers, Brothers, Jansen, 2014).
The table below defines some of the pros and cons of each level in the classification tier.
7 https://www.msab.com/products/office/ 8 http://www.teeltech.com/mobile-device-forensic-tools/up-828-programmer/ 9https://www.forensicinstitute.nl/products_and_services/forensic_products/memory_toolkit/
Running head: MOBILE DEVICE FORENSICS
11
Pros Cons
Manual Fast, work on almost all devices, no cables needed
Not all data is retrieved, error prone, broken buttons, time consuming
Logical Fast, easy, gather lots of valuable information, report printout
Possible data change, cables, minimal access to log files
Hex Dumping Extract data that was hidden in menus of the device, retrieve deleted data, bypass passwords (methods vary for bypassing passwords since
there are different security mechanisms available)
Data needs to be converted, some tools from hacker community, customized
cables, manufacturer support is limited, lacking source code
Chip Off Extract ALL data from device memory, more of a holistic approach, training is available
Reporting is lacking, hard to use, possible chip damage, customized cable harnesses needed, lacking source code
Micro Read Extract and verify all data from memory, best picture of what is going on in the device
More time consuming than other levels, expensive, requires high level of
technical experience, hard to understand extracted data
Table 3 Classification Levels Pros and Cons (Brothers, 2014)
The main difference between physical and logical extractions, physical is a bit-by-bit copy of all of the
flash memory including the unallocated space; logical extraction is viewing the file structure and
directories through flash memory (Mooij, 2010).
Documentation
Documenting evidence should begin upon arrival of the scene. Preserving the data in its original
condition is key (Casey, Turnbull, 2011); the integrity of the evidence is only beneficial in court using
standard method(s) to acquire the evidence (Bennett, 2011). Documenting evidence is not only of how
the data was extracted through software tools, but also a timestamp of when the device was seized, battery
level, applications showing on the display, physical state of device, any original cables (Dixon, n.d.).
When involved in digital evidence case, a couple of defensible practices need to occur, chain of custody
and verifying evidence (Daniel, n.d.). Proper documentation of the chain of custody allows the court to
see who has handled the evidence. Verifying the evidence allows others to validate data has not been
altered, and steps that were originally taken, could be repeated, returning equivalent results. (Casey,
Running head: MOBILE DEVICE FORENSICS
12
Turnbull, 2011). Any blunders made during the process, i.e. the battery drained shutting off the device;
this needs to be noted somewhere because potential evidence that was stored in RAM while the device
was on it now completely gone.
Forensic Mishaps
Turning off the device can be a regrettable action; a security lock feature could be activated such
as a pin code, drawing a pattern, and a biometric feature (finger print, facial scan). Integrity of the device
is important, Faraday isolator bags / cages block out radio waves (Admin, 2012); preventing network
access to the device. Also, placing the device in airplane mode limits access to the cell towers (SWGDE,
2013). Network access to the device can cause an alteration of current data (incoming calls, messages);
also remote wipe features could be initiated inhibiting evidence that may be crucial to the investigation
(Casey, Turnbull, 2011). Any mishandlings or loss of data could threaten the investigation (Ayers,
Brothers, Jansen, 2014). There are times when data is retrieved from the device while it is sitting in a
cradle connected to a machine, this too can alter potential evidence (Casey, Turnbull, 2011), if something
happens during synchronization processing. Neglecting evidence is possible during examination; an
application for Android and iOS that is known for peer-to-peer messaging using elliptic curve encryption
is Wickr10. An investigator could assume that the Wickr is an application for designing wicker baskets,
thus overlooking text-messaging evidence that could have been the smoking gun in the case.
Education and Training
Reading reference guides, and HOWTOs can only go so far; proper hands-on training should be a
pre-requisite before entering into a live forensics acquisition environment solo. Training would also
benefit situations where personnel (crime scene technicians, patrol officers, agents) who have been
delegated the responsibility of analyzing the devices having pessimistic attitudes:
10 https://wickr.com/how-wickr-works/
Running head: MOBILE DEVICE FORENSICS
13
• Afraid of destroying digital evidence
• Afraid of misreading the digital evidence
• Digital evidence does not that big of a sway in court verdicts
• No technical background
(Miller, 2015).
Nationally recognized, Champlain College offers a Baccalaureate program in Computer and
Mobile Forensics encoding a skill set that students need to be successful in this growing area allowing
them to work alongside of law enforcement in live digital investigation cases (Champlain College, 2015).
There is hands-on and online training available through the SANS Internet Storm Center for
Advanced Smartphone Forensics covering topics on how to bypass locks, detecting malicious software,
and performing forensics on two of the top mobile platforms that users are on today Android and iOS
(SANS, 2015). InfoSec Institute offers a boot camp training course where 60% of the training is hands-
on; learning how to read sqlite data stores, recovering keyboard caches, breaking the devices encryption
keys, and other useful skills to carryout investigations on devices (InfoSec, n.d.).
Conclusion
Mobile Forensics is a relatively new, and a difficult field to tackle. The changes in mobile
technology are a major headache for digital evidence analyst who has to constantly keep up with current
mobile developments. So much data is accumulated on a mobile device, that it becomes a gold mind for
evidence. Software tools have been developed for manually, logically, and physically acquisition data
from the devices memory chips, call logs, text messages, SIM cards, file system, et cetera. Documentation
can go along way in a court of law; the analyst will need to justify the method(s) used for collecting
evidence (Gonzalez, Hung, Friedberg, 2011). Becoming a successful mobile forensic analyst requires
extensive training in the diverse field, an open mind, and who can think on their toes when necessary..
Running head: MOBILE DEVICE FORENSICS
14
References
Admin. (2012). How a faraday bag works. Retrieved from http://forensicstore.com/how-a-faraday-bag-works/
Ayers, R. (2014). Mobile forensics tool testing at NIST. Retrieved from http://www.nist.gov/forensics/nist-
mobile-forensics-webcast.cfm
Ayers, R., Brothers, S. & Jansen, W. (2014). Guidelines on mobile forensic devices. Retrieved from
http://dx.doi.org.jproxy.lib.ecu.edu/10.6028/NIST.SP.800-101r1
Barmpatsalou, K., Damopoulos, D., Kambourakis, G., & Katos, V. (2013). A critical review of 7 years of mobile
device forensics. Digital Investigation, 10(4), 323-349. doi:http://dx.doi.org/10.1016/j.diin.2013.10.003
Bennett, W. D. (2011). The challeneges facing computer forensic investigators in obtaining information from
mobile devices for use in criminal investigation . Retrieved from
http://articles.forensicfocus.com/2011/08/22/the-challenges-facing-computer-forensics-investigators-in-
obtaining-information-from-mobile-devices-for-use-in-criminal-investigations/
Brome, R., & Zeman, E. (2015). Phone scoop. Retrieved from http://www.phonescoop.com/phones/
Brothers, S. (2014). Acquisition techniques: Mobile foresnics A to Z. Retrieved from
http://www.nist.gov/forensics/nist-mobile-forensics-webcast.cfm
Casey, E., & Turnbull, B. (2011). Digital evidence on mobile device. Digital evidence and computer crime (3rd
ed., pp. 1) Elsevier Inc.
Cellebrite. (2015). UFED touch. Retrieved from
http://www.cellebrite.com/Media/Default/Files/UFED%20Touch%20data%20sheet.pdf
Champlain College. (2015). Computer and digital forensics. Retrieved from http://www.champlain.edu/computer-
forensics/computer-and-digital-forensics-major
Daniel, L.Digital forensics for attorneys: An overview of digital forensics. Retrieved from
https://sog.adobeconnect.com/p69493734/
Running head: MOBILE DEVICE FORENSICS
15
Dixon, E.Best practices in mobile forensic investigations. Retrieved from
http://www.evidencemagazine.com/index.php?option=com_content&task=view&id=659
Friedberg, S., Gonzalez, J. & Hung, J. (2011). Mobile device forensics: A brave new world? Retrieved from
http://www.strozfriedberg.com/files/Publication/224ca0f8-5101-4e1b-938a-
4d4b128ad5ed/Presentation/PublicationAttachment/ef4a28ad-ff7d-4014-aea8-
80505789b86c/Mobile%20Device%20Forensics_%20A%20Brave%20New%20World.pdf
Infosec Institute.Mobile computer forensics. Retrieved from http://www.infosecinstitute.com/courses/mobile-
computer-forensics.html#pricing
International Numbering Plans. (2015). Retrieved from https://www.numberingplans.com.
Kaneshige, T. (2014). Think deleted text messages are gone forever? think again. Retrieved from
http://www.cio.com/article/2378005/byod/byod-think-deleted-text-messages-are-gone-forever-think-
again.html?page=2
Meyers, J. (2011). Watch the incredible 70-year evolution of the cell phone . Retrieved from
http://www.businessinsider.com/complete-visual-history-of-cell-phones-2011-5
Miller, C. M. (2015). Fear of mobile device evidence collection? Law Enforcement Technology, 42(2), 8-10.
Retrieved from http://search.ebscohost.com/login.aspx?direct=true&db=i3h&AN=101065797&site=ehost-
live
Mooij, B. (2010). Data extraction from a physical dump. Retrieved from
http://www.forensicmag.com/articles/2010/09/data-extraction-physical-dump
Moshe-Ben, Y. (2014). Digital detection. Retrieved from
http://www.cellebrite.com/collateral/AR_Digital%20Detection_Forensic%20Investigator_NOV2014.pdf
MSAB. (2015). XRY office. Retrieved from https://www.msab.com/products/office/
Murray, D. J.Guide to computer forensics and investigations. Retrieved from
http://mgt.buffalo.edu/departments/mss/djmurray/mgs410/ch13.ppt
Running head: MOBILE DEVICE FORENSICS
16
Netherlands Forensic Institute.NFI memory tool kit. Retrieved from
https://www.forensicinstitute.nl/products_and_services/forensic_products/memory_toolkit/
Oxygen Forensics.Oxygen forensic extractor. Retrieved from http://www.oxygen-
forensic.com/en/products/oxygen-forensic-extractor/for-mobile-devices
Palmer, G. (2001). A roadmap to digital forensics research. Retrieved from http://www.dfrws.org/2001/dfrws-rm-
final.pdf
paraben corporation. (2015). Project-A-phone ICD-8000 . Retrieved from http://www.project-a-phone.com/icd-
8000.html
Radio Tactics. (2015). Phone and device forensics. Retrieved from http://www.radio-
tactics.com/products/law/aceso-kiosk
Rivera, J., & van der, M. R. (2014). Gartner says worldwide traditional PC, tablet, ultramobile and mobile phone
shipments on pace to grow 7.6% in 2014 . Retrieved from ttp://www.gartner.com/newsroom/id/2645115
Rivers, A. (2012). Find any AT command for iPhone baseband using my list . Retrieved from
http://letsunlockiphone.guru/iphone-at-baseband-command-list/
SANS. (2015). FOR585: Advanced smartphone forensics. Retrieved from http://www.sans.org/course/advanced-
smartphone-mobile-device-forensics#results
Soper, T. (2014). Study: Americans spend 162 minutes on their mobile device per day, mostly with apps .
Retrieved from http://www.geekwire.com/2014/flurry-report-mobile-phones-162-minutes/
SWGDE. (2013). Best practices for mobile phone forensics. Retrieved from
https://www.swgde.org/documents/Current%20Documents/2013-02-
11%20SWGDE%20Best%20Practices%20for%20Mobile%20Phone%20Forensics%20V2-0
Tassone, C., Martini, B., Kim-Kwang, R. C., & Slay, J. (2013). Mobile device forensics: A snapshot. Trends &
Issues in Crime & Criminal Justice, (460), 1-7. Retrieved from
http://search.ebscohost.com/login.aspx?direct=true&db=i3h&AN=90116161&site=ehost-live
Running head: MOBILE DEVICE FORENSICS
17
Teel, B. (2014). UP-828 programmer. Retrieved from http://www.teeltech.com/mobile-device-forensic-tools/up-
828-programmer/
Wickr. (2015). How wickr works. Retrieved from https://wickr.com/how-wickr-works/
Willassen, S. (2005). Forensic analysis of mobile phone internal memory. In M. Pollitt, & S. Shenoi (Eds.), (pp.
191-204) Springer US. doi:10.1007/0-387-31163-7_16
Zarouni-Al, M. (2006). Mobile handset forensic evidence: A challenge for law enforcement. Edith Cowan
University. (4th)