Tangential Equipment
5.4 Tangential Equipment
Tangential equipment includes devices that contain memory and are associated with a mobile device. The three main categories are memory cards, host computers to which a mobile device has synchronized its contents, and cloud-based storage.
Smartphones may provide an interface that supports removable media (e.g., microSD or MMC), which may contain significant amounts of data. Memory cards are typically flash memory, used as auxiliary user file storage, or as a means to convey files to and from the device. Data may be acquired with the use of a write-blocked media reader and a forensic application.
The data contained on a mobile device is often present on a personal computer, due to the capability of mobile devices to synchronize or otherwise share information among one or more host computers. Such personal computers or workstations are referred to as synched devices. Because of synchronization, a significant amount of evidence on a mobile device may be present on the suspect’s laptop or personal computer and recovered using a conventional computer forensic tool for hard drive acquisition and examination [Bad10].
5.4.1 Synched Devices
Synchronization refers to the process of resolving differences in certain classes of data, such as e-mail residing on two devices (i.e., a mobile phone and a personal computer), to obtain a version that reflects any actions taken by the user (e.g., deletions or additions) on one device or the other. Synchronization of information may occur at either the record level or the file level. When done at the file level, any discrepancies from the last synchronization date and time result in the latest version automatically replacing the older version. Occasionally manual
Mobile devices are typically populated with data from the personal computer during the synchronization process. A significant amount of informative data may reside locally on a personal computer. Data from the mobile device may also be synchronized to the computer, through user-defined preferences in the synchronization software. Because the synchronized contents of a mobile device and personal computer tend to diverge quickly over time, additional information may be found in one device or the other.
The synchronization software and the device type determine where mobile device files are stored on the PC. Each synchronization protocol has a default installation directory, but the location may be user specified.
5.4.2 Memory Cards
Memory card storage capacity ranges from 128 MB and up. As technological advances are made, such media becomes smaller and offers larger storage densities. Removable media extends the storage capacity of mobile devices, allowing individuals to store additional files beyond the device’s built-in capacity and to share data between compatible devices.
Some forensic tools are able to acquire the contents of memory cards; many are not. If the acquisition is logical, deleted data present on the card is not recovered. Fortunately, such media can be treated similarly to a removable disk drive and imaged and analyzed using conventional forensic tools with the use of an external media reader. Memory card adapters exist that support a USB interface. Such adapters allow removable media to be treated as a hard disk and used with a write blocker, which ensures that the removable media remains unaltered.
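The following added example (not part of the original guideline) shows why a logical acquisition misses deleted data that a raw image of the card still holds. It assumes the card uses a FAT file system, which the text does not state, and runs on a constructed directory region; all function names are illustrative.

```python
import struct

ENTRY = struct.Struct("<8s3sB8xHHHHI")  # one 32-byte FAT short-name directory entry
DELETED, END_OF_DIR, ATTR_LFN = 0xE5, 0x00, 0x0F

def make_entry(name, ext, cluster, size, deleted=False):
    """Build one constructed 8.3 entry (sample data, not from a real card)."""
    raw = bytearray(ENTRY.pack(name.ljust(8).encode("ascii"),
                               ext.ljust(3).encode("ascii"), 0x20,
                               cluster >> 16, 0, 0, cluster & 0xFFFF, size))
    if deleted:
        raw[0] = DELETED  # deletion only overwrites the first name byte
    return bytes(raw)

def scan_entries(region):
    """Physical view: every file entry slot found in a raw directory region."""
    found = []
    for off in range(0, len(region) - ENTRY.size + 1, ENTRY.size):
        slot = region[off:off + ENTRY.size]
        if slot[0] == END_OF_DIR:
            break  # no entries were ever written past this slot
        if slot[11] == ATTR_LFN:
            continue  # long-name fragment, not a file record
        name, ext, _attr, hi, _time, _date, lo, size = ENTRY.unpack(slot)
        deleted = slot[0] == DELETED
        stem = name[1:] if deleted else name  # first character is lost on deletion
        text = ("?" if deleted else "") + stem.decode("ascii", "replace").rstrip()
        suffix = ext.decode("ascii", "replace").rstrip()
        found.append({"name": text + ("." + suffix if suffix else ""),
                      "deleted": deleted, "cluster": (hi << 16) | lo, "size": size})
    return found

def logical_listing(region):
    """Logical view: what the file system reports, i.e. live entries only."""
    return [e["name"] for e in scan_entries(region) if not e["deleted"]]

# Constructed directory region: one live file, one deleted file, unused slots.
SAMPLE = (make_entry("IMG_0001", "JPG", 5, 48213)
          + make_entry("NOTES", "TXT", 9, 1024, deleted=True)
          + bytes(2 * ENTRY.size))

if __name__ == "__main__":
    print("logical :", logical_listing(SAMPLE))
    for e in scan_entries(SAMPLE):
        print("physical:", e)
```

The deleted entry keeps its starting cluster and size, which is what lets an examiner working from a physical image attempt recovery as long as the clusters have not been reused.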
A physical acquisition of data present on removable media provides the examiner the potential to search the contents of the media and potentially recover deleted files. One drawback is that mobile device data, such as SMS text messages, may require manual decoding or a separate decoding tool to interpret. A more serious issue is that content protection features incorporated into the card may block the recovery of data. For instance, BlackBerry™ devices provide the user with the ability to encrypt data contained on the removable media associated with the mobile device. Table 4 gives a brief overview of various storage media in use today.
Table 4: Memory Cards
| Name | Characteristics |
| --- | --- |
| MMCmicro | Dime size (length-14 mm, width-12 mm, and thickness-1.1 mm); 10-pin connector and a 1 or 4-bit data bus; requires a mechanical adapter to be used in a full size MMCplus slot |
| Secure Digital (SD) Card | Postage stamp size (length-32 mm, width-24 mm, and thickness-2.1 mm); 9-pin connector, 1 or 4-bit data bus; features a mechanical erasure-prevention switch |
| MiniSD Card | Thumbnail size (length-21.5 mm, width-20 mm, and thickness-1.4 mm); 9-pin connector, 1 or 4-bit data bus; requires a mechanical adapter to be used in a full size SD slot |
| MicroSD (formerly Transflash) and microSDXC | Dime size (length-15 mm, width-11 mm, and thickness-1 mm); 6-pin connector, 1 or 4-bit data bus |
| Memory Stick Micro | Dime size (length-12.5 mm, width-15 mm, and thickness-1.2 mm); 11-pin connector, 4-bit data bus |
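Section 5.4.2 notes that SMS text messages found in a physical image may need manual decoding. The added example below (not part of the original guideline) decodes one common case, assuming the message body is stored as GSM 7-bit packed user data per 3GPP TS 23.038; the text does not name an encoding, and the sample bytes are constructed.

```python
# GSM 7-bit default alphabet and extension table (3GPP TS 23.038).
GSM7 = ("@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ !\"#¤%&'()*+,-./0123456789:;<=>?"
        "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà")
GSM7_EXT = {0x0A: "\f", 0x14: "^", 0x28: "{", 0x29: "}", 0x2F: "\\",
            0x3C: "[", 0x3D: "~", 0x3E: "]", 0x40: "|", 0x65: "€"}
ESCAPE = 0x1B  # the next septet is looked up in the extension table

def unpack_septets(data, count):
    """Unpack `count` 7-bit values from octets packed least-significant-bit first."""
    out, acc, bits = [], 0, 0
    for octet in data:
        acc |= octet << bits
        bits += 8
        while bits >= 7 and len(out) < count:
            out.append(acc & 0x7F)
            acc >>= 7
            bits -= 7
    if len(out) < count:
        raise ValueError("user data shorter than the stated septet count")
    return out

def decode_gsm7(data, count):
    """Decode packed user data; `count` is the septet count stored with the message.

    The count is required because 7 octets can carry either 7 or 8 septets.
    """
    septets = iter(unpack_septets(data, count))
    chars = []
    for value in septets:
        if value == ESCAPE:
            nxt = next(septets, None)
            if nxt is not None:
                # Unknown extension codes fall back to the default table.
                chars.append(GSM7_EXT.get(nxt, GSM7[nxt]))
        else:
            chars.append(GSM7[value])
    return "".join(chars)

# Constructed sample: ten septets packed into nine octets.
SAMPLE_UD = bytes.fromhex("E8329BFD4697D9EC37")

if __name__ == "__main__":
    print(decode_gsm7(SAMPLE_UD, 10))
```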