Mobile Forensics Data Acquisition

Mobile technology is among the fastest developing technologies and has changed the way we live our lives. With the growing need to protect personal information, smartphone manufacturers have implemented multiple types of security protection on their devices, which makes forensic data acquisition for law enforcement purposes much harder. One of the biggest tasks in a mobile forensics investigation is the data acquisition step: extracting all the valuable information that will help investigators bring out the evidence. In this paper, we explain the traditional forensic data acquisition methods and the impact that the encryption and security protections implemented in new smartphones have on these methods; we also present some new mobile forensics methods that help bypass the security measures in new-generation smartphones; and finally, we propose a new data extraction model using artificial intelligence.


INTRODUCTION
In the past, everything was quite simple, including mobile device security; a weak PIN, password or pattern was enough to lock a device. With these old security measures, it was very easy for law enforcement to break into mobile devices and collect all the evidence in a forensically sound manner. However, in the last few years, mobile companies have released a whole new generation of smartphones with more security features, because of the large amount of information that users carry on their devices and that needs protection. As a consequence, new mechanisms were designed to improve mobile device security, such as passcodes and biometric authentication, together with strong encryption mechanisms to protect the data [1]. All these security improvements present a huge challenge to law enforcement investigators, since data extraction has become much harder than before. As a result, forensics experts and law enforcement agencies are making every effort to implement new data extraction methods in order to keep up with this smartphone security trend.
The most well-known case in which breaking into a mobile device was a big challenge because of encryption was in 2015, when the FBI wanted the famous mobile company Apple to create software that would enable the FBI to unlock the iPhone 5C that belonged to one of the shooters who killed 14 people and injured 22 in a terrorist attack in San Bernardino, California [2]. The iPhone was locked with a password and was set to erase all its data after ten failed password attempts; Apple refused to create the software because it believed that creating a backdoor in its phones for the government would weaken security and could be used by malicious actors [3]. This case showed the world that security measures and encryption make data extraction from new-generation smartphones more complicated; consequently, modern techniques for data acquisition from encrypted devices have become an obligation.

RELATED WORK
Data acquisition is the process of cloning and copying digital data evidence from mobile devices [4]. In the literature, most researchers have focused on old-school data acquisition methods, which are now considered insufficient given the security revolution in mobile devices.
In [5], Khawla Abdullah and Andrew Jones reviewed some of the existing data acquisition methods. They mentioned the manual acquisition method, where the investigator uses the phone keypad to extract data from the device; it is the simplest technique, but it does not preserve the integrity of the data and cannot bring out deleted or hidden files. They also reviewed the logical acquisition technique, which is done by connecting the mobile device to a computer using a cable or Bluetooth and extracting the data with software or the command line. Then they mentioned physical acquisition, defined as copying the entire physical memory of the phone's memory chip. Last, they discussed the chip-off method, which is done by taking an image of the internal non-volatile memory. Finally, they divided the data acquisition methods into four levels, from the simplest to the most complicated and expensive: manual acquisition, logical acquisition, physical acquisition and the chip-off technique.
In [6], the authors provide a comparative analysis of logical and physical data acquisition techniques; they conclude that logical acquisition is somewhat better because it is easier to use software to retrieve data from a mobile device than to use physical methods, which may cause certain modifications to the device. The authors in [7] present a very detailed acquisition diagram that contains three cases of mobile forensics:
- Post-mortem forensics: also known as dead forensics, it can be performed on a damaged, destroyed or powered-off device; all that is needed is a copy of the device memory. In this situation, physical or logical extraction techniques are used.
- Live forensics: consists of gathering data from a running mobile device in real time; information such as the process list, the kernel hash table and logs can be extracted. The authors divide this technique into network-based and volatile-memory subcategories.
- Non-intrusive forensics: the authors describe it as the simplest retrieval method; it can be classified into observation and interaction techniques.

MOBILE FORENSICS METHODS
There exist many mobile data acquisition techniques, but first let us start with the existing, or traditional, methods:

Manual acquisition
The mobile forensic investigator can extract the device's data manually, without any cables or platforms, just by using the mobile touchscreen [8]; this process of manual extraction is simple and applicable to almost every phone. However, the data retrieved with this method is limited, and the process is tedious and takes too much time.

Logical acquisition
This method requires a connection between the mobile device and the forensic workstation. The investigator copies the data to another device using either forensic tools or the command line. However, logical acquisition typically recovers only the data that still exists on the mobile device, not deleted data [9].

Physical Acquisition
It is the act of capturing all the data on a physical piece of storage media. An exact copy is made, similar to cloning a hard drive. The advantage of this method is that it can capture data that has been deleted (passwords, files, photos, videos, and so on). Physical extraction leaves no evidence that an investigation was conducted once the extraction is complete [10].
These old techniques unfortunately no longer work with the new generation of smartphones, which have more advanced security measures; therefore, new techniques have been implemented to bypass mobile device security.

Cloud data extraction
With the new smartphones, most information is stored in the cloud, including passwords, documents, photos, locations… This method consists of extracting the information directly from the cloud without having access to the physical device, and it makes it possible to obtain the suspect's real-time data [11]. The main technical advantage of this method is that it is platform independent: thousands of different devices can all be handled through the cloud. It also helps bypass problems such as a device with a screen lock passcode and hardware-based or enhanced encryption [12]. However, the major problem is that in order to download the data from the cloud, the investigator needs the proper credentials, and even with them there is two-factor authentication, an extra layer of protection used to secure online accounts by using a third-party device or a code received by SMS.
Nevertheless, there are several ways to bypass credentials and two-factor authentication by using commercial forensics tools that have this ability; the experts can also use phishing, social engineering, brute force and session hijacking techniques [13] to obtain the code in a forensically sound manner.

File system extraction
Modern smartphones use a file system, and all the data is stored in non-volatile memory. In Android, we have the ext4 file system [14], while in Apple devices we find the APFS file system [15]. File system extraction provides direct access to all data contained in a device without the need for any application; therefore, forensic tools can access all files contained within the device, including database files, system files, and logs [16].
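As an added example (not part of the original paper), the following Python code shows the two checks an examiner runs on a raw image taken by physical or file system extraction: a SHA-256 hash recorded at acquisition time to prove integrity later, and identification of the file system by its on-disk magic (the ext4 superblock at offset 1024 with magic 0xEF53, or the APFS container superblock starting with "NXSB"). The sample images are constructed inline and carry only the header fields the code reads.

```python
import hashlib
import struct

EXT4_SUPERBLOCK_OFFSET = 0x400   # ext4 superblock begins 1024 bytes into the partition
EXT4_MAGIC = 0xEF53              # s_magic, little-endian uint16 at superblock offset 0x38
APFS_NX_MAGIC = b"NXSB"          # nx_magic at offset 32 of the APFS container superblock


def image_hash(image: bytes) -> str:
    """SHA-256 of the acquired image; record it at acquisition and re-check before analysis."""
    return hashlib.sha256(image).hexdigest()


def verify_image(image: bytes, expected_hash: str) -> bool:
    """True only if the image is bit-for-bit what was acquired."""
    return image_hash(image) == expected_hash


def identify_filesystem(image: bytes) -> dict:
    """Describe the file system found in a raw partition image (ext4, APFS or unknown)."""
    if image[32:36] == APFS_NX_MAGIC:
        block_size = struct.unpack_from("<I", image, 36)[0]      # nx_block_size follows nx_magic
        return {"type": "apfs", "block_size": block_size}
    sb = image[EXT4_SUPERBLOCK_OFFSET:EXT4_SUPERBLOCK_OFFSET + 1024]
    if len(sb) >= 1024 and struct.unpack_from("<H", sb, 0x38)[0] == EXT4_MAGIC:
        block_count = struct.unpack_from("<I", sb, 0x04)[0]     # s_blocks_count_lo
        log_block_size = struct.unpack_from("<I", sb, 0x18)[0]  # s_log_block_size
        name = sb[0x78:0x88].split(b"\0", 1)[0].decode("ascii", "replace")  # s_volume_name
        return {"type": "ext4", "block_size": 1024 << log_block_size,
                "block_count": block_count, "volume_name": name}
    return {"type": "unknown"}


def build_sample_ext4_image() -> bytes:
    """Constructed sample: 4 KiB buffer holding only the ext4 superblock fields read above."""
    img = bytearray(4096)
    sb = EXT4_SUPERBLOCK_OFFSET
    struct.pack_into("<I", img, sb + 0x04, 2048)        # 2048 blocks
    struct.pack_into("<I", img, sb + 0x18, 2)           # 1024 << 2 = 4096-byte blocks
    struct.pack_into("<H", img, sb + 0x38, EXT4_MAGIC)
    img[sb + 0x78:sb + 0x80] = b"userdata"              # typical Android data volume label
    return bytes(img)


def build_sample_apfs_image() -> bytes:
    """Constructed sample: APFS container header with magic and a 4096-byte block size."""
    img = bytearray(4096)
    img[32:36] = APFS_NX_MAGIC
    struct.pack_into("<I", img, 36, 4096)
    return bytes(img)
```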

Firmware update protocol
With a firmware update, the mobile device is updated with advanced operational instructions without requiring any hardware upgrade [17]. This method, proposed by the authors in [10], consists of extracting data from the smartphone flash memory that contains user data. Flash memory can only be accessed directly through the firmware update protocol, so the authors proposed a new way to acquire physical memory by analyzing the commands used in the firmware update process. They performed four steps to extract data with this method:
- Analysis of the firmware update processes and commands by decompiling the bootloader and updating the firmware [10].
- Enter firmware update mode.
- Sync the device with the workstation.
- Read the flash storage with the commands.

Forensics software tools
There exist many forensics software suites available for smartphones and designed specifically for forensic purposes. Investigators must seize, collect, and decrypt evidence from a large number of devices while maintaining its integrity; mobile forensic tools solve these issues. Using these specialized tools, investigators can retrieve deleted information and analyze and preserve evidence that may arise during an examination of criminal activity [18]. Mobile forensics tools can be categorized in two groups:
As we can see in the illustration in fig. 2, a device disk image is fed into our proposed machine learning framework, which gives us the extracted files of different types together with their exact paths.

CONCLUSION
Data extraction is the most important phase in mobile forensics; it is where all the evidence is acquired from a mobile device. The available acquisition methods face many challenges, such as security measures and the huge amount of data. Therefore, in this paper, we proposed a new data acquisition model using machine learning and based on solved similar cases, which helps reduce data extraction time and extract more files than the other extraction methods.