Authors: Mark Guido (The MITRE Corporation), Justin Grover (The MITRE Corporation), and Jonathan Buttner (The MITRE Corporation)
DFRWS USA 2016
Commercial mobile forensic vendors continue to use and rely upon outdated physical acquisition techniques in their products. As new mobile devices are introduced and storage capacities trend upward, so will the time it takes to perform physical forensic acquisitions, especially when performed over limited bandwidth means such as Universal Serial Bus (USB). We introduce an automated differential forensic acquisition technique and algorithm that uses baseline datasets and hash comparisons to limit the amount of data sent from a mobile device to an acquisition endpoint. We were able to produce forensically validated bit-for-bit copies of device storage in significantly reduced amounts of time compared to commonly available techniques. For example, using our technique, we successfully achieved an average imaging rate of under 7 min per device for a corpus of actively used, real-world 16 GB Samsung Galaxy S3 smartphones. Current commercially available mobile forensic kits would typically take between one to 3 h to yield the same result. Details of our differential forensic imaging technique, algorithm, testing procedures, and results are documented herein.