
Assignment #2: Introduction to Mobile Forensics

Brittany Knapp

University of Maryland Global Campus

CCJS 321-6381: Digital Forensics in the Criminal Justice System

Dr. Timothy Milloff

February 13, 2024



Locard’s Exchange Principle

Locard’s Exchange Principle is the primary basis of all forensic science. It establishes the theory that whenever two objects come into contact with each other, there is an exchange of material between them (Salem Press Encyclopedia, 2022, p. 3). Anyone who commits a crime will inevitably leave some sort of evidence at the crime scene that can be traced back to them, no matter how small or microscopic. This principle is the foundation of all experimental work conducted in forensic science. It relies on the acquisition of trace evidence, and much more can be learned from the trace evidence as it relates to the crime than from the crime scene alone. It is a matter of unavoidable transfer and finding the trace.

For digital evidence, the principle is as follows: “A criminal action of an individual cannot occur without leaving a mark.” Evidence in digital forensics includes any information or data that is stored, received, or transmitted through electronic means. In this area, the primary categories of where evidence may be located include mobile devices (smartphones), internet-based sources (IoT devices or the cloud), and standalone devices (such as a laptop computer or an external hard drive). All of these categories include various devices that can acquire digital marks whenever a transfer takes place, even during the collection and acquisition process.

As the principle establishes, whenever two objects come into contact, each will leave some trace or residue on the other that examination can later detect and identify (Salem Press Encyclopedia of Science, 2023). To avoid losing the value of potential evidence, it is imperative that digital forensic practitioners avoid leaving their own “marks” behind. In addition, they must be cautious and use techniques that prevent marks from being made or data from being removed from the device.

Best Practices During Collection and Acquisition

The term forensically sound relates to qualifying and justifying the use of a particular forensic technology or methodology (Rohit et al., 2020). A sound forensic examination is important because it plays a role in accomplishing the goal of digital forensics: extracting and recovering information (the trace evidence) from a digital device without altering any of the data already present on the device.

The collection and acquisition process must follow a well-standardized process to ensure that “marks” are not left on the evidence by the digital forensic practitioners. They must be capable of obtaining evidence while ensuring that it remains unaltered. These two stages of the process come before examination and analysis.

Following the stages of collection and acquisition, examination and analysis begin. Best practices also require the ability to validate all results (and the tools used), awareness of where the data was derived from, and the capability of proving that the results are in fact an accurate representation of the data.

Effectively proving this in court requires an expert who has a sufficient level of knowledge and expertise in the manner in which the data was obtained. Being able to show this through procedures that can be repeated with the same results is a factor in proving it. Throughout the entire process, a sound forensic examination remains at the heart of protecting evidence, ensuring that it remains in its original state and is thus unaltered.

There are general steps that assist in best practice, ensuring no digital “marks” are left behind and maintaining the credibility of evidence for court procedures later on:

1. Proper handling when taking possession
2. Chain of custody
3. Verify the legal authority and limitations of data to be extracted and searched
4. Complete a detailed digital forensic report
5. All those involved with obtaining, accessing and examining the evidence must testify in court

Types of Items and the Digital Marks Left By User

Smartphone: User accounts, emails, location-based data, a timeline of activity, deleted text messages, internet browsing history. Additional information can be acquired, such as the address book (contacts may include addresses, email addresses, phone numbers, etc.), the calendar including any saved events, documents, voice messages and audio recordings, voicemails, and autofill/saved passwords.

Laptop: Internet browsing history, recent documents and downloads, cache files, cookies, network connections, USB device history and paired devices, emails.

External Hard Drive: Metadata, access times, location of downloads (devices), file fragments, files that may have been deleted elsewhere.

Evidence From Various Devices During Investigation

Many devices store data locally but can also be paired or linked to other devices. Sometimes that link between devices can also link an individual to a particular incident. For example, many people pair their smartphone with their vehicle using Bluetooth. An individual who rents a vehicle and decides to pair their phone to the car using Bluetooth could potentially face trouble if there is a question of liability. If the car is in an accident and there is a dispute as to who is at fault or what the cause was, there is now an additional blueprint that can be looked at.

From a physical standpoint, accident reconstruction can be done using simple physics. With the vehicle's telematics data, information such as speed and other driving maneuvers can be obtained. And if a cell phone was paired using Bluetooth, the activity logged by the phone was being shared with the vehicle as well. The information it was exchanging at the time of the accident can help prove (or disprove) the allegations under investigation.

It is a matter of finding the additional “connections” and adding them to the equation. Between the cellular connection from a service provider, the Bluetooth link, telematic computers (event data recorders), GPS, and physics, it could be much easier to determine not only what may have happened to the rental vehicle, but also to narrow down exactly who had been driving it and what they were doing at the time of the accident. In conclusion, examiners and investigators can use the information on one device to connect it to information on another device, and with that they can not only gain more evidence but also trace it back to a particular person.

Many different devices (even a vehicle) can have data stored on them that is received and transmitted electronically. As unrelated as the devices may seem, they are inadvertently connected in terms of digital evidence.

Encountering a Running (Live) Laptop

When encountering a live (running) laptop, specific procedures must be followed. A device that is powered on can hold a treasure trove of easily accessible information. The goal is to preserve that evidence throughout the collection and acquisition stages; otherwise, there is a much higher chance of data being lost or altered. Although a forensic specialist should be contacted immediately upon encountering a live laptop, assuming that the first responders are sufficiently trained, the following actions should take place:

1. Document: there should be documentation that reflects the state of the laptop. Also, take photographs of its location when it was found.
2. Identification and preservation: given that it is in a live state, there is volatile data currently in progress. RAM (random access memory), which is lost whenever a device is powered off, still remains. It is important to keep the laptop connected to a power source while capturing the memory that can be overwritten or lost. This includes whatever processes are running, the network connections, open files or browser tabs.
3. Live system analysis: analyzing the computer in real time allows examiners to gather any information that is already running in applications, current activity, system logs and login sessions. An ideal way to document this would be through the use of screen captures, recording network traffic, and any other device behavior.
4. Security: to prevent any unintentional changes to the evidence, a forensic analyst should apply write-blocking. As with the chain of custody process, all of the information acquired (and how) needs to be documented.

The reason a live system is so beneficial is that the state it is in lessens the level of security that would be encountered if it were dead (powered off). In addition, the RAM (random access memory) reflects a perfect example of the usage of that device, including things that normally would not be stored on the hard drive but are instead removed upon shutdown.

Hash Value

Part of the remaining framework of the investigation involves the following areas: obtaining the exhibit, creating the forensic copy (or image) of the content, retrieving evidence from the copy, preserving the original to ensure it does not become altered, and reporting what process was used and the evidence it produced.

A hash value derives from the calculation of hash algorithms. Digital forensic practitioners will embed the value of the digital data in the same file; this is what it means to hash data. The process helps to ensure the originality and authenticity of the digital content. It also shows that the data was extracted with integrity.

Digital forensic practitioners rely on hash values for several reasons, spanning from before examination begins, to the elimination of “excess” and untargeted data, to the ability to present valuable evidence in court.

An examiner needs to conduct experimentation only on the forensic image of the original content, never on the original itself. To help verify that an identical replica was created, hash functions can be run on the evidence obtained. The hash functions should generate a hash value report that reflects an exact match to the value obtained from the clone (Kessler, 2016). If it does not, then the forensic image created is not yet an identical copy, and the next step in the examination process should not continue until the examiner knows that they are working on something that portrays the original, or has determined why the two hash values differ. There cannot be verifiable results produced unless the copies created and analyzed are the same as the actual evidence in its original state.

Also, in a court proceeding there will be a necessary presentation of documentation proving that the methods used to extract data were forensically sound: performed with integrity, and showing originality and authenticity. It will not be considered sound, reliable, repeatable or (potentially) admissible in court unless the lab work conducted can be shown to have been done on content that replicates the evidence.

Federal Rules of Evidence Rule 901(a) states that, in order to satisfy the requirement of authenticating or identifying an item of evidence, the proponent must produce evidence sufficient to support a finding that the item is what the proponent claims it is (Federal Rules of Evidence, 2011). This places a significant amount of importance on the verification process of the forensic copy.

Chain of Custody

According to NIST, chain of custody refers to a process that tracks the movement of evidence through its collection, safeguarding, and analysis life cycle by documenting each person who handled the evidence, the date/time it was collected or transferred, and the purpose of the transfer (Lyle, 2022). It is a method of collection that maintains organization, but it also helps reinforce legal guidelines, maintain proper procedures, and document any findings.
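As an added illustration of the hash verification described under Hash Value and of the handler/date-time/purpose records described above (example code written for this page, not taken from any cited source), the following Python script hashes a constructed sample exhibit and its image with SHA-256 (the page names no algorithm; SHA-256 is an assumption here), refuses to treat a copy as verified when even one byte differs, and re-hashes the item at every custody transfer so that the log itself records whether the evidence is still in its original state.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    """Hash the full content of an exhibit or image, chunked as a disk image would be."""
    h = hashlib.sha256()
    for i in range(0, len(data), 4096):
        h.update(data[i:i + 4096])
    return h.hexdigest()


def verify_image(original: bytes, image: bytes) -> dict:
    """Compare the original exhibit hash with the forensic image hash.
    Examination should not proceed unless 'match' is True."""
    orig_hash = sha256_hex(original)
    img_hash = sha256_hex(image)
    return {"original": orig_hash, "image": img_hash, "match": orig_hash == img_hash}


@dataclass
class CustodyEntry:
    handler: str      # who handled the evidence
    timestamp: str    # date/time of collection or transfer (ISO 8601)
    purpose: str      # why the transfer happened
    sha256: str       # hash observed at this handoff
    verified: bool    # does it still match the acquisition hash?


@dataclass
class CustodyLog:
    exhibit_id: str
    acquisition_hash: str
    entries: list = field(default_factory=list)

    def record_transfer(self, handler: str, purpose: str, content: bytes, when: str = None) -> CustodyEntry:
        """Every handoff re-hashes the item and records whether it is unaltered."""
        current = sha256_hex(content)
        stamp = when or datetime.now(timezone.utc).isoformat()
        entry = CustodyEntry(handler, stamp, purpose, current, current == self.acquisition_hash)
        self.entries.append(entry)
        return entry

    def is_intact(self) -> bool:
        """True only if no transfer ever observed a hash different from acquisition."""
        return all(e.verified for e in self.entries)


# Constructed sample data: a stand-in for a seized drive, not a real exhibit.
ORIGINAL = b"EXHIBIT-001 sample disk contents " * 200
GOOD_IMAGE = bytes(ORIGINAL)
BAD_IMAGE = ORIGINAL[:-1] + b"X"   # a single differing byte: not an identical copy


def demo() -> tuple:
    good = verify_image(ORIGINAL, GOOD_IMAGE)
    bad = verify_image(ORIGINAL, BAD_IMAGE)
    log = CustodyLog("EXHIBIT-001", good["original"])
    log.record_transfer("Officer A", "seizure and acquisition", ORIGINAL, "2024-02-13T09:00:00+00:00")
    log.record_transfer("Examiner B", "examination of forensic image", GOOD_IMAGE, "2024-02-13T11:30:00+00:00")
    return good["match"], bad["match"], log.is_intact(), len(log.entries)


if __name__ == "__main__":
    print(demo())
```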

Chain of Custody in the Criminal Justice Process

In the criminal justice process, the chain of custody plays a major role in the reliability of any evidence presented, which will likely face scrutiny and be questioned by the defense. For example, there will need to be thorough documentation proving that it is relevant and admissible, legally acquired, and put through a forensically sound examination to produce its findings. For every question as to how evidence was seized, acquired, collected, examined, or analyzed, there must be an answer.

Chain of custody is a running log that accounts for any of those questions. But it is also a tool for the examiners and investigators. By referring to the documentation, a particular type of examination may be determined to be justified and likely to produce valuable information, especially in the digital era, where technology is advancing rapidly and there might not be an established toolset to process certain evidence at a given point in time. The chain of custody will also assist in the preservation of the evidence.

Conclusion

Applying Locard’s Exchange Principle to digital forensics gives the theory that individuals will leave behind digital “marks” (artifacts) whenever they interact with electronic devices or there is an exchange of information between them (Johnson, 2023). This can also be referred to as trace evidence. These artifacts can be easily traced back to an individual, connect an individual to a particular device, and ultimately determine their potential involvement in a crime.

Given the value of the artifacts that can be found, best practice is crucial to help preserve the evidence and prevent any digital “marks” from being made by practitioners. There are steps that assist in best practice, and it is important that they be adhered to.

Different digital devices can produce various artifacts that can prove or disprove allegations in an investigation. In order for this evidence to be acquired through forensic images and also hold legal weight in court, techniques such as hashing should be used. No procedure should take place on any original; rather, a forensic copy should be made to conduct any experiment to extract data. The copy used in these experiments must also be proven identical to the original, as this will be an important factor in court and is also imperative for reliable and repeatable data extraction. Using hashing also shows the integrity, originality and authenticity of a forensic image.



One of the most important parts of an investigation is the chain of custody. It should begin at the very start, when evidence is obtained, and it must remain detailed and consistent all the way to the end. For example, a chain of custody needs to reflect exactly what the items are, their condition, who handled them, where they were located, anyone who made contact with the item, why they did so, what procedure they may have performed, any findings, and also the manner in which it is stored. There are many other details that should be maintained in the chain of custody, but it assists in maintaining the legal value of the evidence and preserving the evidence as it is cycled through the investigation process.



References

ACCESS Virtual Learning. (n.d.). 5.03 Digital Evidence. Accessdl.state.al.us. https://accessdl.state.al.us/AventaCourses/access_courses/forensic_sci_ua_v22/05_unit/05-03/05-03_learn_text.htm#:~:text=Digital%20Exchanges

Ayers, R., Brothers, S., & Jansen, W. (2014). NIST Special Publication 800-101 Revision 1: Guidelines on Mobile Device Forensics (pp. 1–85). National Institute of Standards and Technology. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-101r1.pdf

Callaghan, P. (2020). Why Hash Values Are Crucial in Evidence Collection & Digital Forensics. Pagefreezer. https://blog.pagefreezer.com/importance-hash-values-evidence-collection-digital-forensics

Crăciunescu, C. (2015). Basic aspects concerning the evidence acquisition in digital forensic analysis. Forensic Science Forum / Forum Criminalistic, 8(1), 63–68. https://doi-org.ezproxy.umgc.edu/10.18283/FORUM.VIII.17.12015.315

Joseph, D. P., & Viswanathan, P. (2023). SDOT: Secure Hash, Semantic Keyword Extraction, and Dynamic Operator Pattern-Based Three-Tier Forensic Classification Framework. IEEE Access, 11, 3291–3306. https://doi-org.ezproxy.umgc.edu/10.1109/ACCESS.2023.3234434

Embar-Seddon, A., & Pass, A. D. (2022). Forensics. Salem Press Encyclopedia.

Federal Rules of Evidence. (2011, December 11). Rule 901(a). Authenticating or Identifying Evidence. LII / Legal Information Institute; Cornell Law School. https://www.law.cornell.edu/rules/fre/rule_901

Jaquet-Chiffelle, D.-O., & Casey, E. (2021). A formalized model of the Trace. Forensic Science International, 327, N.PAG. https://doi-org.ezproxy.umgc.edu/10.1016/j.forsciint.2021.110941

Johnson, E. (2023). Locard’s exchange principle. Salem Press Encyclopedia of Science.

Kessler, G. C. (2016). The Impact of Md5 File Hash Collisions on Digital Forensic Imaging. Journal of Digital Forensics, Security & Law, 11(4), 129–138. https://doi-org.ezproxy.umgc.edu/10.15394/jdfsl.2016.1431

Lyle, J. R., Guttman, B., Butler, J. M., Sauerwein, K., Reed, C., & Lloyd, C. E. (2022). Digital Investigation Techniques: A NIST Scientific Foundation Review. https://doi.org/10.6028/nist.ir.8354-draft

O'Reilly. (n.d.-a). Acquisition of Evidence - Learn Computer Forensics - Second Edition [Book]. Www.oreilly.com. https://learning.oreilly.com/library/view/learn-computer-forensics/9781803238302/Text/Chapter_3.xhtml?sso_link=yes&sso_link_from=umgc#_idParaDest-66

O'Reilly. (n.d.-b). The Forensic Analysis Process - Learn Computer Forensics - Second Edition [Book]. Www.oreilly.com. Retrieved February 8, 2024, from https://learning.oreilly.com/library/view/learn-computer-forensics/9781803238302/Text/Chapter_2.xhtml?sso_link=yes&sso_link_from=umgc#_idParaDest-40

Tahiri, S. (2016). Mastering mobile forensics: develop the capacity to dig deeper into mobile device data acquisition. Packt Pub.

The Law Enforcement Cyber Center (LECC). (n.d.). Common Electronic Devices that Generate Digital Evidence. Law Enforcement Cyber Center. https://www.iacpcybercenter.org/officers/cyber-crime-investigations/common-electronic-devices-that-generate-digital-evidence/
