The smartphone provides more convenient and varied functions than the conventional mobile phone. Users can obtain necessary information at any time and place by accessing the Internet over Wi-Fi or a 3G mobile communication network. In addition, users can download and run various free and paid applications posted in online markets and easily form social relationships, such as free communication, information sharing and personal connections, through SNS services including Kakao Talk or My People. The number of smartphone subscribers is reported to be 30 million as of September 2012, having increased sharply since it passed 5 million, the reference point for popularization, in October 2010 [1, 2]. As the smartphone becomes widespread and expands its influence on daily life, digital evidence could be an important clue for proving a criminal charge in the forensic process of a criminal incident. Although it is difficult for digital evidence to obtain probative power under the Criminal Procedure Act, the requirements for seizure, search and verification were substantially reinforced in the Criminal Procedure Act revision of January 2012, so the collection of digital evidence at the scene of an incident may play an important role in a case [3].
This paper is organized as follows. Section 2 explains digital forensics and classifies evidence by crime type through cases. Section 3 supplements the forensic procedure to propose how the investigator should act when seizing, searching and verifying a smartphone at the scene of a criminal incident, and demonstrates whether the necessary information can actually be collected by building a database of evidence related to criminal charges. Section 4 draws a conclusion.
Crimes in the computing environment
Name of crime | Potential computer evidence |
---|---|
Child abuse | Internet history logs; chat logs; Internet searches; images; movie files; calendars/notes |
Murder | Calendars/notes; Internet history logs; address books; images; financial/asset records; medical records; reproductions of signature |
Harassment | Calendars/notes; Internet history logs; address books; images; financial/asset records; Internet searches about victims |
Identity theft | Credit card information; electronic money transfer; financial records; online banking software; reproductions of signature; forged document |
Counterfeiting | Credit card information; financial records; reproductions of signature |
Narcotics | Credit card information; electronic money transfers; financial records; fictitious identification; photographs of drugs and accomplices; unfilled prescriptions |
Terrorism | Credit card information; electronic money transfers; financial records; fictitious identification; VOIP software |
Digital forensics is defined by the DFRWS (Digital Forensics Research Workshop), a well-known academic society in the field of digital forensics [4, 5]. As digital devices become more varied and widespread, the data they hold is used as evidence, and the discipline is referred to as computer forensics, network forensics, mobile forensics or smartphone forensics according to the object examined. By type of data, the objects of examination are live data, file systems, databases, code and hidden data, various log data, and traces of application use.
The regulation on digital evidence collection and analysis of the Supreme Prosecutor's Office in Korea presents the following procedure. Seizure, search and verification of digital devices and collection of digital evidence shall be conducted by a digital forensic investigator. When seizing an information processing system such as a computer, the investigator shall in principle seize only the storage medium, removing it from the information processing system, but may seize the whole system when the purpose of the investigation cannot be achieved by seizing only the storage medium, or when the digital device or digital materials could be damaged or lost. An identification label shall be prepared and attached to the confiscated articles, which shall be sealed and confirmed by the owner's signature [6].
The regulation on digital evidence collection and analysis of the Supreme Prosecutor's Office in Korea presents the following procedure. Seizure, search and verification of digital devices and collection of digital evidence shall be conducted by a digital forensic investigator. When seizing an information processing system such as a computer, the investigator shall in principle seize only the storage medium, removing it from the information processing system, but may seize the whole system when the purpose of the investigation cannot be achieved by seizing only the storage medium, or when the digital device or digital materials could be damaged or lost. An identification label shall be prepared and attached to the confiscated articles, which shall be sealed and confirmed by the owner's signature [7].
Procedure to collect digital evidence of smartphone
Confiscation of the smartphone: The investigator shall obtain the participant's signature on the agreement and check the confiscated smartphone for any failure or notable feature. In addition, the investigator shall collect information such as the type, OS and password of the smartphone from the user [9].
Check the battery: The investigator shall prevent the confiscated smartphone from being used, reset to factory settings, or having its battery removed at the scene, because simply cutting the power while the device is on may erase data that could be digital evidence or fragment the file storage space, making later analysis difficult [10]. For this reason, an alternative battery shall be connected so that the smartphone stays powered.
Isolation of frequency: The investigator shall protect the integrity of the smartphone against malicious transmissions over Bluetooth, Wi-Fi, 3G or other unexpected frequencies by using a frequency isolation device.
Analysis of collected evidence: When collecting evidence, the investigator needs to collect the portion of the digital evidence that is related to the crime and, at the same time, image the original data of the collected digital evidence. In addition, the digital evidence needs to be collected and analyzed with minimal damage in order to maintain the atomicity and integrity of the collected data.
The investigator shall use the case pattern search to collect, from the potential evidence, the data that may be related to the incident.
Dump image: By the nature of the smartphone, some areas are difficult to access in the ordinary way when collecting evidence, so a method such as Android rooting or iPhone jailbreak is needed. In this case, a dump image needs to be created before collecting and analyzing evidence in order to prevent spoilage of and damage to the digital evidence. For this dump image, the investigator shall obtain the participant's signature in order to verify identity and integrity by applying a hash function. The original shall be preserved, and the analysis shall be conducted on a duplicate copy that has the same hash value.
Collecting the latest update list of the smartphone: Since there are many smartphone manufacturers, various operating systems, and data that is vulnerable depending on the type of application, the latest update lists of the smartphone need above all to be collected promptly at the scene.
Collecting the system log of the smartphone: The system log could be collected at the detailed analysis stage after transfer from the scene because it has a strong element of non-vulnerability, but collecting it at the scene may provide a clue to solving the case by setting the direction of the initial investigation and identifying a presumed suspect through quickly obtained crime-related digital evidence.
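The dump image step above can be made concrete as follows. This is an added example, not code from the paper: it assumes SHA-256 as the hash function (the paper names none), and the file names and function names are hypothetical.

```python
import hashlib
import os
import shutil
import tempfile

CHUNK = 1024 * 1024  # read 1 MiB at a time so large dumps are never loaded whole


def sha256_file(path):
    """Return the SHA-256 hex digest of a file, hashed chunk by chunk."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def make_working_copy(original, workdir):
    """Duplicate the dump; return (copy_path, recorded_hash) or raise on mismatch."""
    recorded = sha256_file(original)  # the value entered on the signed record
    copy_path = os.path.join(workdir, os.path.basename(original) + ".work")
    shutil.copyfile(original, copy_path)
    if sha256_file(copy_path) != recorded or sha256_file(original) != recorded:
        raise ValueError("hash mismatch: copy or original differs from record")
    return copy_path, recorded


def verify_before_analysis(path, recorded):
    """True only if the file still hashes to the recorded value."""
    return sha256_file(path) == recorded


def demo():
    """Constructed sample: a small stand-in dump, a verified copy, one altered byte."""
    with tempfile.TemporaryDirectory() as tmp:
        original = os.path.join(tmp, "dump.img")
        with open(original, "wb") as fh:
            fh.write(b"constructed sample dump\x00" * 4096)
        copy_path, recorded = make_working_copy(original, tmp)
        intact = verify_before_analysis(copy_path, recorded)
        with open(copy_path, "r+b") as fh:  # simulate a change to the working copy
            fh.seek(100)
            fh.write(b"X")
        altered = verify_before_analysis(copy_path, recorded)
        return intact, altered, verify_before_analysis(original, recorded)


if __name__ == "__main__":
    print(demo())
```

Re-running `verify_before_analysis` on the working copy before each analysis session shows whether the copy still matches the value recorded at the scene.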
After the implemented application is connected to the smartphone and the dump image is extracted and analyzed, the items are shown on the screen as shown in the figure. Pre-analysis is carried out based on the table related to the criminal charge, which can reduce the overall analysis time. Data such as basic smartphone information, the list of contacts, the call list/log, SMS/MMS, memos/events and traces of Internet use (URLs, cookies and bookmarks) can be found easily using the pattern search.
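A sketch of charge-driven pre-analysis over extracted artifacts, as an added example rather than the paper's application. The category names come from the table above; the artifact record layout, the mapping from category to artifact kind, and the use of a Luhn check to find card numbers are assumptions.

```python
import re

# A subset of the page's crime-to-evidence table (two rows, selected categories).
CHARGE_TABLE = {
    "Harassment": ["Calendars/notes", "Internet history logs", "Address books"],
    "Counterfeiting": ["Credit card information"],
}
# Assumed mapping from a table category to artifact kinds found in the dump.
CATEGORY_KINDS = {
    "Calendars/notes": {"memo", "event"},
    "Internet history logs": {"url", "cookie", "bookmark"},
    "Address books": {"contact"},
}
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")  # 13 to 19 digits, spaced or dashed

def luhn_ok(digits):
    """Luhn checksum: rejects digit runs that cannot be payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def has_card_number(text):
    """True if the text contains a digit run that passes the Luhn check."""
    return any(luhn_ok(re.sub(r"\D", "", m.group())) for m in CARD_RE.finditer(text))

def pre_analyze(charge, artifacts):
    """Return (category, kind, id) for artifacts to review first for a charge."""
    hits = []
    for category in CHARGE_TABLE[charge]:
        for art in artifacts:
            if category == "Credit card information":
                match = has_card_number(art["text"])  # content pattern, any kind
            else:
                match = art["kind"] in CATEGORY_KINDS[category]
            if match:
                hits.append((category, art["kind"], art["id"]))
    return hits

# Constructed sample artifacts, not case data; 4111 1111 1111 1111 is a test number.
SAMPLE = [
    {"id": 1, "kind": "sms", "text": "card 4111 1111 1111 1111 exp 01/30"},
    {"id": 2, "kind": "sms", "text": "order ref 1234 5678 9012 3456"},
    {"id": 3, "kind": "url", "text": "http://example.com/search?q=name"},
    {"id": 4, "kind": "contact", "text": "A. Example, 010-0000-0000"},
]
```

The second SMS contains a 16-digit run that fails the Luhn check, so it is not reported as card data.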
In the matching process, the evidential matter continuously collects object data information from the crime scene and periodically sends it to "Send Information" in a binary (digital) data format. Here, "Send Information" denotes the data sender. In offline mode, "Send Information" extracts all feature points from the binary image data. It then sends these feature data directly to the "Pattern Modeling and Analysis Tool" for matching and waits for the result.
The smartphone, which has high usability at the scene of a criminal incident, has the merit of containing much data worth securing but the demerit that its data can be spoiled and fabricated more easily than general digital evidence. Provisions on criminal evidence in the Criminal Procedure Act revision in Korea and in foreign countries reflect the significance of collecting crime-related digital evidence at the initial scene of an incident. Therefore, this paper presents methods for promptly securing crime-related evidence according to a clear procedure when the investigator collects it at the initial scene, supplementing the general digital forensic procedure in consideration of the characteristics of the smartphone. We found that data is easier to collect if investigators search for crime patterns through the application after building a database from a table related to criminal charges. We highly recommend supplementing this paper in a future study with professional verification of the criminal charge table and the application of various patterns.