Writing To Mobile Phones Under Examination
There is always the debate as to what amounts to "forensic" processes and whether that can be left to human intervention to do that, whether a device alone can do that or whether it is the combination of human intervention and the device working together that can fulfil the objective? Perhaps germane and relevant to the above question is (1) knowing the potential of each to write to a mobile telephone should be understood first? (2) Whether, as a consequence of using the process, what data are or might be altered/lost? (3) To then decide whether "forensic" is an appropriate and applicable statement to label the process in the first place?
The discussion below starts to address Point 1. When examining mobile telephones there are at least five separate categories under which an examiner can or may write to a mobile telephone due to automated processes (indirect intervention) and/or direct human intervention. The categories and their contents below are not exhaustive, but have been used to illustrate some elements involved with Point 1.
A) Standard powering ON (direct human intervention) a mobile telephone can invoke automated processes (indirect intervention):
SENDING frametype 0x00/length 0x08/8
2 "Sony Ericsson"
RECEIVED frametype 0x00/length 0x1F/31
41A54T2B+43C47G4DM49I0D 0D 0A 53S6Fo6En79y2045
72r69i63c73s73s6Fo6En0D 0A 0D 0A 4FO4BK0D 0A
Manufacturer info received
Sony Ericsson [Manufacturer: Sony Ericsson]
SENDING frametype 0x00/length 0x09/9
SENDING frametype 0x00/length 0x0A/
2 "+CSCS: ("GSM","IRA","8859-1","UTF-8","UCS2")"
RECEIVED frametype 0x00/length 0x40/64
41A54T2B+43C53S43C53S3D=3F?0D 0D 0A
2C,22"55U43C53S32222"29)0D 0A 0D 0A 4FO4BK0D 0A ,
E) Examiners using devices to select (direct human intervention) specific data can cause the operating system of a mobile telephone to handle data in a particular way (indirect intervention):
-some smart phones write to files in order to keep track of data and in some instances shift data around to accommodate the "fetch" request for certain data
Essentially the categories and content illustrated above merely sets the stage to highlight what an examiner faces when seeking to conduct data aquisition from a mobile telephone. Plug and play (PnP) devices cannot be used in isolation, that they need supervision (direct human intervention). Direct human intervention, with ot without a device, can have consequences too. Furthermore the mobile telephone under examination can as a consequence react to direct human intervention, as well as indirect intervention.