
New Era of Computer Forensics to Data Recovery Easily

In this increasingly digital world, computers and mobile phones allow us to complete a range of processes wherever we are in the world, such as checking our bank balance, uploading photographs and chatting with our friends. Unfortunately, there are some individuals who illegally take advantage of this technology, using it to aid them in a variety of criminal activities. In criminal cases, it is vital that a computer forensic professional analyses digital data found on these devices, to help the police maintain the chain of evidence between the device and those involved in the crime.

Digital Forensics Expert

Computer forensics is a broad discipline that investigates offenses committed against computers by viruses or cybercriminals. Several acts have been brought into force to monitor such criminal activity, yet a lot more of it still exists. Uncovering these activities is very difficult when there is not enough proof or substantiation. Computer forensics helps to bring these complex situations under control. Examiners search for, and through, both existing and previously existing (deleted) data. Forensic software can help in the data recovery process: it can retrieve data related to a crime, which the culprit obviously does not want found.

The guiding principle of computer forensic specialists is not simply to find the illicit activity but also to find the facts and evidence. The evidence is then arranged in a manner that leads the criminal to face legal action.


The need for a computer forensics expert becomes all the more important when one considers the fact that the only data that matters is in electronic form. Along with some useful information, he can uncover gigabytes of other information that has no relevance to the case. It is for him to resurrect and reconstruct data and extract only the meaningful part, all done using a method that does not tamper with or alter the original data in the system in any way. This calls for specialized techniques, the use of a well-equipped lab, and knowledge.

Knowledge of how to extract meaningful data is, of course, a prime consideration, but what is more important is that the computer forensic professional also has full knowledge of the law and is able to extract and present evidence in a way that is acceptable in court. Cybercrime today is not limited to one geographic location. Computer forensics allows offenses and misuse to be detected in a controlled, structured and cautious way. Computer forensics specialists possess adequate knowledge of data retrieval software as well as hardware technicalities, and should have the skill and experience to execute the job.

Cyber Forensic Services

Computer forensics specialists conduct a structured investigation, documenting evidence that enables the court to determine what has happened to the IT system – and who is responsible for it. They investigate the identity or identification of the offender, the period and extent of the crime, and information on the motivation and execution of the crime. They can recover all types of data.

Mamas, don’t let your babies grow up to be criminals

Let’s put this simply to begin: you don’t want your children to search the deep web or dive in the dark net. These would be, generally speaking, bad things.
In recent years, though, it’s gotten progressively easier to hide on the dark web. The code for The Onion Router (TOR) is getting a revamp in 2017, with the goal being stronger encryption — and letting administrators easily create full dark net sites that can only be discovered by a long string of essentially-unguessable characters. This could signal a next generation of hidden services. In the past, some of these sites have used a .onion address and declared that to hidden service directories. Now, it appears there will be a unique cryptographic key, and said key will be given to TOR hidden service directories. It’ll be a way for the dark net to become a bit easier to stay dark.
In the context of all this, how do you best protect your family? While some dark net sites are primarily in existence to avoid censorship in countries like China, there is a lot of non-family-friendly material on the dark web. You don’t want your children seeing a good portion of this content. How do you ensure that?
There is a fine line in these discussions, because it does involve some monitoring of your children’s activity online — and some parents don’t want to cross that line. But because of an increasing number of pedophiles and illegal drugs on the dark web, vigilance is crucial. Some approaches include:
  • Be aware of what your kids search for/talk about with their friends
  • Check with their school to see how Internet research is being taught and monitored
  • Use the right software and trackers (I can be asked about some good options if you’d like)
  • Talk to them about the different types of content one comes across on the web
  • Explain to them explicitly what the dark web is vs. the “normal” web
  • Talk to them about the realities of cyber-bullying, which often occurs in dark web formats
Also bad, although less-discussed: many students use the dark web to cheat their way through high school, so have realistic discussions with your kids about what is happening in all their classes and how they view it contextually. If they don’t have good answers or backgrounds about what they’re learning, ask how they’re completing some of their work. If they stumble over those answers, there’s a chance dark web sites might be involved — and then you know it’s time to look at their histories.

Why I like Forensic ToolKit (FTK)


Sometimes I get asked what software I use most in computer forensics. I promise I’m not a paid spokesperson here, but I’m a big fan of AccessData’s Forensic Toolkit (FTK). I’ve been using different versions since about 2001, and I consider it the primary workhorse in my forensic tool arsenal. The current version is 6.1, which was released in October 2016. (Well, it’s the current one as of the initial posting of this article in February 2017.)

A couple of the key aspects of FTK I enjoy:

Multiple installations: FTK can be installed on multiple computers. To operate on a specific computer, you need a security dongle that you physically attach to that computer. If you want to work on another computer that has FTK installed, though, you can move the dongle and do it — it’s very easy. A lot of computer forensics programs don’t make this easy, which I think is one of the bigger value-adds of the FTK software.

Consistent search results: If you’re in the investigating phase or performing document review — and if you’re searching in FTK or a program like Summation — you can get consistent search results delivered quickly. This is a huge time-saver.

Fairly simple: With so many different tools on the market (for anything, really), I keep coming back to the idea that simplicity is key. FTK is powerful, but it’s deceptively simple. For example: all digital evidence gets shared in one case database. Anyone who needs to access the information has it all in one place. With some other forensics programs, there are multiple datasets — which increases the time and complexity you need to deal with, especially if you’re looping new people or new teams into the process.

Support and training: Their training and support options are world-class.

Visualization: We supposedly live in this era of “Big Data,” which I think is mostly true. But one of the things we miss about Big Data is that when we’ve put together lots of information, we still need a way to present it to people effectively. Many human beings are visual creatures, which makes the visualization aspect of FTK a huge value-add. I can automatically construct timelines and graphically illustrate relationships among parties of interest in a case; I can also use cluster graphs, pie charts, and geolocations. When I’m done with the different visualizations, I can then generate reports that are easily consumed by attorneys, CIOs or other investigators. This is absolutely amazing — and makes the back-and-forth aspect of this work much easier.

That’s my vote, then: FTK. I’ve been around it almost two decades and I don’t see that changing anytime soon. Had a different experience with FTK, or have another forensics program you want to extol the virtues of? I’d love to hear.

Do users have a reasonable expectation of privacy on TOR?

On January 26, 2017, I testified in Federal court as an expert witness for the defense in a case.
The testimony was regarding The Onion Router (TOR), Dark Net, and Playpen. The case involved Network Investigative Technique (NIT); the FBI had engaged in their Operation Pacifier, wherein a Search and Seizure Warrant allowed the FBI to seize and operate the server that hosted Playpen. The FBI had then employed NIT to place malware on the computers of visitors to the server that hosted Playpen.
I’ve testified in other cases before, but this was an interesting one because it brought up a lot of questions that are paramount for the current era. Namely: when a computer user uses TOR, do they have an expectation of privacy? Is that legally relevant? And should the general public look at TOR and assume an expectation of privacy?
Ultimately, the judge in this case (and others) said that users don’t have a reasonable expectation of privacy on TOR. VICE explained this in a recent article too. The judge’s ruling was, in part, predicated on the idea that users give their IP address to connect to TOR; thus, the judge said, the IP address is “public information that … eventually would have been discovered.”
Now, the law is one of the slower-moving entities in terms of reacting to, and understanding, technology. I’ve seen this for years. In true form, then, they missed the boat on the TOR ruling. Users do reveal their IP address via a guard node when they log on, yes. But then TOR bounces data around the globe via different nodes, so no ISP can correlate which IP address is visiting which site.
You can technically identify a specific TOR user with advanced traffic correlation protocols, but to do so you’d have to control a massive number of nodes. It’s virtually impossible. The judge’s ruling seems to indicate that the government would have found another way to get IP addresses from TOR users, but then doesn’t talk about how that could have possibly happened. In fact, in this case the only reason the FBI was using NIT to begin with was because it couldn’t find another way to determine the true users of hidden sites.
I’m not going to come out and say that I’m a huge fan of TOR — some legitimately bad stuff happens on there hourly. But TOR users should have a legitimate expectation of privacy, and the general public should assume that expectation as well. Part of this is because people don’t understand how TOR works, and part is because of hyper-sensitivity these days around privacy issues as mobile and digital continue to scale globally. But there absolutely should be a legitimate expectation of privacy on TOR networks.

Why should you know about Spyware on Android devices?

I frequently get asked to find Spyware on Android phone devices. While I’m not normally one to turn down business, these cell phone forensic searches are expensive — they start at $2,500 per phone plus an eight percent sales tax — and oftentimes, they don’t turn up much. People are usually not spying on you via your mobile phone.
Anti Spy Mobile is free to place on Android devices, and there are other antivirus and antispyware programs for Androids. You can also simply remove the battery for a time and that usually renders the spying concept moot. This is also a decent primer for determining whether your Android device has Spyware on it.
Couple Tracker – Mobile Monitor, which is admittedly designed for couples to securely exchange information, is actually a very good tracking app for Android. Couple Tracker Pro – Phone Monitor is the more comprehensive version.
Of course, if this is a legitimate concern for you and you’d like me to run cell phone forensics, I am more than happy to do it for you. There is a cost, as noted above.

ICFECI: The Best Digital Forensic Service Provider

A mix of competence, skill, knowledge, integrity, and reliability is what you will get once you put your trust in what ICFECI does. In a world where digital evidence is increasingly sought after, they will help you get the help you need in a most professional manner. With a list of credentials and positive reviews, Dan James, the founder, is the man who mobilizes a team that works night and day just to collect data that helps prove your case. He is a certified cell phone examiner and fraud examiner. Most importantly, he deals with computer and cell phone forensics, criminal investigations, federal rules of criminal procedure as well as criminal justice services. Thus, if you have a case related to any of these, Dan’s company is a necessary addition to your legal team.

Computer and cell phone forensics: the company does everything as per Title 18, USC, Sec 3006A. Mind you; forensic science has proven quite steadfast in helping solve cold cases within short periods of time. Other than the mainstream child pornography and corruption, drug-related cases and sex violations; ICFECI goes further to provide unique solutions as pertains to alleged fraud cases linked to securities, tax evasion, mortgage, misrepresentation, healthcare and email scams.

Criminal investigations: other than being the only organization of its kind in northern Texas, the company boasts a well-equipped computer lab. It, therefore, has the capability of transforming complex data extracted from computers and mobile devices into simpler, easily interpretable formats presentable in courts of law.

Federal rules of criminal procedure: other than collecting, analyzing and summarizing data for use by the courts of law, the company goes ahead to provide experts as witnesses if need be. They are committed to ensuring that clients get fully represented in line with what the law provides. They can go as far as conducting interrogations and discreet surveillance, all in a bid to help acquit you of any accusations leveled against you.


Here is a summarized list of what ICFECI offers to its wide range of clients.
  • Computer and cell phone forensic examinations.
  • Consultancy on sex crimes, child pornography, assault, murder, and crimes of violence.
  • Certified fraud examinations in the healthcare, insurance and tax centers.
  • White collar frauds, Ponzi schemes, civil frauds, bank frauds, and criminal litigation cases.
  • Criminal Justice Act services where applicable.

However, what matters most is the manner in which your case gets handled. In collaboration with your defense team, the experts involved have only one goal in mind. Theirs is to come up with compelling, yet reasonable evidence. The technique has been proven to work as cases, which almost seemed unsolvable got brought to conclusive ends in favor of clients. You too can solve a case with their help, just like others did. Furthermore, if you do not trust the reviews, you can always put your confidence in the resources and highly self-trained individuals who have known nothing but mining data most of their lives.

Dedicated and Fully Committed Criminal Litigation Services Help Defendants Resolve Their Case

Anyone can be charged with a crime he did not commit and face criminal prosecution. Though the US Constitution does have provisions deeming an accused not guilty until his “crime” is proven beyond reasonable doubt it does not always work that way. An accused has the right to a speedy trial according to Amendment VI and Amendment V safeguards him against self-incrimination. An accused may remain silent during questioning. Amendment IV prohibits unreasonable searches and seizures. All these protections notwithstanding an accused may be convicted purely on the basis of circumstantial evidence, especially in cases where digital evidence is involved. Prosecution may not be able to unravel digital evidence or may simply ignore it. It is for the defendant to hire a competent attorney well versed in getting to the root of the matter and even being able to unravel digital data and present it in a form that stands up as compelling evidence disproving the accusations and circumstantial evidence against the defendant.

Technology has been here for quite some time. However, attorneys are more focused on various aspects of the law and may be quite unfamiliar with handling digital data, especially in instances of cyber crimes such as Ponzi schemes, bank frauds and white collar crimes. This is where the services of an expert in computer and digital forensics prove to be invaluable.

Litigation, whether civil or criminal, is a drawn-out and expensive affair. If, at the end, a wrongly charged defendant loses, he stands to spend time in prison, pay a hefty fine or both. In addition, his reputation is besmirched and he loses his social standing as well as his job. If convicted, once returned to society he cannot regain his previous status. He is marked forever. This might never have happened if he had had the benefit of expert investigative assistance. Employing experts in examining witnesses, compiling testimony, unraveling digital data and even appearing on the witness stand can turn the tables in favor of the defendant.

One such organization committed to helping wrongly accused defendants is ICFECI. Dan James, an expert in computer forensics and a certified fraud examiner, powers ICFECI in pursuance of its goal of providing investigative services and adequate representation of defendants under Title 18 of the United States Code, Section 3006A. If anyone is embroiled in a criminal case as the accused and has retained a lawyer for criminal litigation services, then ICFECI provides indispensable investigative support that will help the lawyer defend the case for his client. Dan has a BS in criminal justice, is a licensed private investigator and has a wealth of experience in conducting investigations as well as compiling evidence. He and his team of experts at ICFECI diligently pursue every lead in order to prepare a rock solid defense. ICFECI’s expertise in computer and digital forensics proves especially invaluable in cases where digital data is involved. An individual may be wrongly implicated through indirect, circumstantial inferences by authorities, but Dan and his team unravel digital data to disprove such allegations.

Computer forensics is but one part of compiling evidence to support defendants by ICFECI criminal litigation services; examining witnesses and pursuing a paper trail as well as appearing on the stand as an expert witness are the other aspects. ICFECI and its team never give up even if the case appears to be hopeless. People wrongly accused of crimes have trusted ICFECI and have been acquitted.

Introduction to Digital Documents

With the influx of digital expertise, the character and perpetration of white collar crime is undergoing significant change. Unfortunately, this has brought with it some serious security vulnerabilities that put digital credentials at risk. In the space of just 40 years we have gone from the Selectric — arguably the most technologically advanced typewriter of its day — to the computer age. A document creation system that had just two parts in 1961 (typewriter and element) can now have multiple components — some based in software and some in hardware.

We live in the Information Age, a time when information is being generated, published, and stored at an ever-increasing rate, and computers play an integral role in all three of these activities. Digital images are misused for many reasons, with and without criminal intent. Images are cropped, rotated and compacted to make them fit a document. In the days before imaging software became so widely accessible, making adjustments to image data in the darkroom required considerable effort and proficiency. But now, with the help of Photoshop, it is very simple, and consequently tempting, to adjust or modify digital image files. Establishing the genuineness of a document is therefore becoming more and more difficult, since scanners, printers and computers are good enough to generate fraudulent documents.

A number of clues can be used to detect manipulation by visual assessment, such as discrepancies in lighting, intensity levels, color distributions, edges, noise patterns and compression artifacts at the transition between the tampered and original parts of the questioned image. The availability of powerful digital image processing programs, such as Photoshop, makes it comparatively easy to generate digital forgeries from one or numerous images. Cases of manipulated hard and soft copies of documents are frequently encountered due to their wide acceptance in both business and legal matters. These types of forgeries have become remarkably frequent today, which is why it is necessary for forensic document examiners (FDEs) to evaluate the authenticity of digitized and hard-copy documents and reveal evidence of manipulation if present. It is also essential for forensic document examiners to stay abreast of the latest scientific advancements in the field so that they can meet the challenges of the future and address new forms of evidence.

This article provides a boiled-down version of what is believed to be the most important information for those engaged in the forensic examination of computer-generated documents.

The Pre-Examination Evaluation

The examination of digitally prepared documents should begin with the same precautions and care that would be prudent with any type of examination. The pre-examination evaluation of digital documents is no different than document examinations of any type.

Examination Procedures

The well-established principle that documents should be thoroughly scrutinized on both sides, corner to corner, is just as valid for modern, computer-generated documents as it has been since the dawn of forensic document examination.

Is the Document an Original or a Copy?

This is a question that may seem trivial to a new FDE, but daunting to the experienced practitioner. It may be difficult to determine if the evidence is an original machine-printed document or a machine copy. Modern computer technology can blur how we define an original vs. a copy as well as the physical distinctions between an original and a copy. For instance, it is possible for multiple original versions of the same electronic document to be printed on different printers. This occurs daily in the modern world when e-mail attachments are printed out by the recipients. A preparer sends a policy change to individual employees in branch offices, who then print out the text on their machines. Each can lay claim to having an original document, even though some originals may have been printed on inkjet printers and some on laser printers. From a forensic standpoint, the problem is that the same machine that was used to print an original document may later be used to copy it. Original machine-printed documents can have machine-rendered signatures. Several companies can take one’s original signatures and convert them into TrueType fonts. Because these signatures are scalable fonts, they can be smoothly resized, bolded, and italicized to give them visually different appearances. A toner or inkjet signature appearing on a document, therefore, is not necessarily proof that the document itself is a reproduction.

Can the Printing Technology Be Identified?

It is a common practice for document examiners to step through their examinations attempting to first determine class characteristics, followed by efforts to ascertain more individual, identifiable features. Following this formula, the starting point for an examination of a computer-generated document will usually involve a microscopic examination of the printed text in order to determine the most general type of evidence — what technology was used to print the document.

The classifications that can be made from visual (microscopic) examinations will initially revolve around three basic determinations: Has the document been printed (1) in black and white or color, (2) using an impact or non-impact process, or (3) with toner, wet ink, or other medium?

Has More Than One Technology Been Used to Prepare the Document?

In some instances it may not be possible (without chemical or instrumental analysis) to determine much beyond the technology that was used to produce a computer-generated document. Depending on how the document was allegedly produced, however, this may be all that is necessary to resolve the issue. The two types of cases where this information can be of considerable importance are reinsertion and page substitution. In the first situation, a document is placed back into a printer after the parties have signed and agreed to the terms in the document. If a questioned passage is printed with a different type of printer than the surrounding text, it can be considered proof that the document was changed by reinsertion. An example of this occurred in a patent case, in which all of the unquestioned text had been printed on a dot matrix printer while the questioned assignment of the patent had been inserted with an inkjet printer at the bottom of a page that began with dot matrix printing. In the second type of case (page substitution), one or more pages of the original document are removed and different ones are inserted. This situation arises frequently in probate matters where the signature page of a will is left intact, but the preceding pages are replaced. Depending on what stories the various parties tell concerning the creation of a questioned document, merely being able to determine that more than one printer technology was used may be sufficient to resolve the litigation.

Is There Evidence that One or More Pages Are Prepared Differently than the Others or that Text Has Been Altered?

If there is a possibility that alteration has taken place, features such as font changes, formatting, paper type, etc., must be considered. In the case of computer printing technology there are several approaches that one can take to help determine if text (or entire pages) have been added, removed, or altered. The first step should be an attempt to determine if the same printing technology was used throughout the document.

In this regard, literally everything that is printed on the document should be examined, including the printing process used to prepare the letterhead.

Even if only one technology was used to create a document there may be evidence that passages were created on different machines. In some cases it may be possible to make this determination non-destructively; in other instances only destructive testing such as ink and toner analyses will provide definitive evidence in this regard.

Assessing Alignment, Spacing, and Copy Distortion

Various measurement techniques can be employed, including glass or plastic measuring templates or the use of scanning and graphics software. Regardless of the method employed, the FDE must be cognizant of any distortion, linear or otherwise, that may be present. This is especially true for multi-generation or fax copies, in which it is not uncommon to see the text baseline undulate across the page. In such circumstances, only very general measurements can be made. To properly assess any distortion present, multiple line measurements should be made. It would be a mistake to focus solely on the entry in question relative to the lines immediately above and below. Differences in line and margin spacing are only relevant if the surrounding text is consistently spaced.

Whether evaluating a facsimile reproduction, photocopy, or computer-generated text, Adobe Photoshop® or other similar software can be a valuable tool in assessing line orientation. The document is scanned into Photoshop, where the measurement tool is used in concert with the Rotate Arbitrary function to bring the document to a right angle based on a selected line of text. Once this is done, the same set of tools is used to obtain information about each line’s orientation.
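The spacing rule from this section, written out as an added example (it is not part of the original article): the questioned line is compared against the page's own spacing only when the surrounding lines are consistently spaced. The function names, the 3% tolerance, the minimum of four reference gaps and the baseline measurements are all assumptions constructed for illustration.

```python
from statistics import median

def line_gaps(baselines):
    """Distance between consecutive text baselines (same unit as the input)."""
    return [round(b - a, 4) for a, b in zip(baselines, baselines[1:])]

def assess_questioned_line(baselines, questioned, rel_tol=0.03, min_reference=4):
    """Judge the spacing of one questioned line against the rest of the page.

    baselines  -- baseline positions top to bottom, measured on a de-skewed scan
    questioned -- index of the questioned line within `baselines`
    rel_tol    -- assumed tolerance: allowed deviation as a fraction of the
                  median line gap (hypothetical value, tune per instrument)
    """
    if not 0 <= questioned < len(baselines):
        raise IndexError("questioned line index out of range")
    gaps = line_gaps(baselines)
    # Gap q-1 sits above the questioned line, gap q sits below it.
    touching = {i for i in (questioned - 1, questioned) if 0 <= i < len(gaps)}
    reference = [g for i, g in enumerate(gaps) if i not in touching]
    if len(reference) < min_reference:
        return {"verdict": "inconclusive",
                "reason": "too few surrounding lines measured"}
    ref = median(reference)
    spread = max(abs(g - ref) / ref for g in reference)
    if spread > rel_tol:
        # Undulating baselines (fax or multi-generation copy): a difference at
        # the questioned line carries no weight.
        return {"verdict": "inconclusive",
                "reason": "surrounding text is not consistently spaced",
                "reference_spread": round(spread, 3)}
    deviation = max(abs(gaps[i] - ref) / ref for i in touching)
    verdict = "spacing_differs" if deviation > rel_tol else "consistent"
    return {"verdict": verdict, "median_gap": ref,
            "deviation": round(deviation, 3)}

# Constructed measurements in millimetres (not from a real case).
CLEAN_ORIGINAL = [20.0 + 4.2 * i for i in range(8)]
REINSERTED = [20.0, 24.2, 28.4, 32.6, 37.3, 41.0, 45.2, 49.4]  # line 4 sits 0.5 mm low
FAX_COPY = [20.0, 24.5, 28.3, 32.9, 37.3, 41.0, 45.6, 49.4]    # whole page undulates

if __name__ == "__main__":
    for name, page in [("clean", CLEAN_ORIGINAL), ("reinserted", REINSERTED),
                       ("fax", FAX_COPY)]:
        print(name, assess_questioned_line(page, questioned=4))
```
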

Digital Manipulation Detection Methods

Various methods have been proposed to detect alterations in computer-generated documents. These include:
  • automatically detecting and localizing duplicated regions in digital images
  • pixel-based techniques that detect statistical anomalies introduced at the pixel level
  • format-based techniques that leverage the statistical correlations introduced by a specific lossy compression scheme
  • camera-based techniques that exploit artifacts introduced by the camera lens, sensor, or on-chip post-processing
  • physically based techniques that explicitly model and detect anomalies in the three-dimensional interaction between physical objects, light, and the camera
  • geometric-based techniques that make measurements of objects in the world and their positions relative to the camera
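The first method listed above, detecting and localizing duplicated regions, shown as an added example that is not from the original article. It uses exact block matching and skips flat blocks such as blank paper; the function names, block size, thresholds and the synthetic "scan" are assumptions constructed for illustration.

```python
import hashlib
from collections import defaultdict

def find_copy_move(img, block=4, min_matches=6, min_range=8):
    """Locate a region pasted elsewhere in the same grayscale image.

    img is a list of rows of 0..255 values. Every block x block window is
    indexed by its pixel content; windows with identical content at two
    non-overlapping positions vote for the shift between them. A real
    copy-move produces many votes for one shift. Thresholds are assumed values.
    """
    h, w = len(img), len(img[0])
    seen = defaultdict(list)
    for y in range(h - block + 1):
        for x in range(w - block + 1):
            pix = tuple(img[y + dy][x + dx]
                        for dy in range(block) for dx in range(block))
            if max(pix) - min(pix) < min_range:
                continue  # flat block (blank paper) matches everywhere: no evidence
            seen[pix].append((y, x))
    by_shift = defaultdict(list)
    for locs in seen.values():
        for i, (y1, x1) in enumerate(locs):
            for y2, x2 in locs[i + 1:]:
                dy, dx = y2 - y1, x2 - x1
                if abs(dy) < block and abs(dx) < block:
                    continue  # overlapping windows, not a paste
                by_shift[(dy, dx)].append(((y1, x1), (y2, x2)))
    if not by_shift:
        return None
    shift, pairs = max(by_shift.items(), key=lambda kv: len(kv[1]))
    if len(pairs) < min_matches:
        return None  # isolated coincidences only

    def box(points):
        ys = [p[0] for p in points]
        xs = [p[1] for p in points]
        return (min(ys), min(xs), max(ys) + block, max(xs) + block)

    return {"shift": shift, "matches": len(pairs),
            "source": box([a for a, _ in pairs]),
            "copy": box([b for _, b in pairs])}

def constructed_scan(size=32, margin=6):
    """Synthetic test image: deterministic texture plus a blank right margin."""
    img = [[hashlib.sha256(bytes([y, x])).digest()[0] for x in range(size)]
           for y in range(size)]
    for row in img:
        row[size - margin:] = [255] * margin
    return img

def paste(img, src, dst, side=8):
    """Return a copy of img with a side x side patch duplicated from src to dst."""
    out = [row[:] for row in img]
    for dy in range(side):
        for dx in range(side):
            out[dst[0] + dy][dst[1] + dx] = img[src[0] + dy][src[1] + dx]
    return out

if __name__ == "__main__":
    original = constructed_scan()
    print(find_copy_move(original))                            # None
    print(find_copy_move(paste(original, (4, 5), (20, 18))))   # shift (16, 13)
```

Exact matching only holds when the altered image has not been lossily recompressed afterwards; for JPEG-saved scans the block comparison has to be made on a robust representation rather than raw pixel values.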


It is safe to say that just as the technological methods used to create modern documents continue to change, so the forensic examination of computer-generated documents will continue to evolve. For instance, many laboratories around the world are currently doing research to determine if an analysis of toners, inkjet inks, and other media can be individualized to a particular manufacturer. Devices used by the electronic printing industry itself to determine output quality and image banding are beginning to see their way into the forensic arena as identification tools.

As we can see a new field is emerging for forensic document examination in which not only the knowledge or experience in document examination but also good knowledge of modern computers and materials used to prepare computer generated documents is needed. This is because of the effect of computers in almost every aspect of our lives and their use in daily routine. Thus a fusion of computerized technology and documents is needed to deliver the justice in the modern times.

Shabnampreet Kaur
Research Fellow
Department of Forensic Science,
Punjabi University, Patiala


Technology and the internet have provided a wide platform for cyber as well as white collar crimes. Crime involving the use of computers and technology is rising in unprecedented proportions. In light of this, the field of forensic investigation has introduced cutting-edge tools and equipment in order to remain on par with the criminals. From retinal scanning to tracing evidence on internet servers, computer forensics has adapted technology to solve sophisticated crimes involving the use of modern-day resources like computers, laptops, cell phones and tablets.

The basic function of computer forensic tools is to extract and analyze vast amounts of data and zero in on the relevant facts and evidence beneficial to the criminal or civil litigation at hand.

While the acquisition of digital evidence and the process of presenting it in court is a complex task carried out by expert computer forensic investigators, there are countless tools available to aid the procedure. However, among the wide range of technologies available, forensic experts rely on software and equipment that are court-cited platforms and help them investigate efficiently and effectively. The state-of-the-art tools selected by digital forensic investigators must be platforms accepted by a court of law. This increases the reliability and the admissibility of the evidence. Here we have tried to focus on the use of specific tools, and on their benefits and advantages over other forensic equipment available.

Forensic Toolkit (FTK)
FTK, or Forensic Toolkit, is a court-approved digital forensic tool designed for analyzing vast repositories of data at unmatched speed. It is characterized by stability, ease of use and speed, which make it reliable as a source of digital evidence. It efficiently searches, filters, analyzes and indexes data and points out the facts and evidence relevant to the case. Owing to its comprehensive architecture, FTK can be used for collaborative analysis and web-based case management. However, the aspect of FTK that makes it a favorite among computer forensic investigators is the speed with which it filters relevant evidence from a heap of data.

Mobile Phone Examiner Plus (MPE+)
Selecting a tool for cell phone forensic examination is a challenging task. Investigators need a cell phone analysis tool that keeps up with ever-changing mobile phone technology. Mobile Phone Examiner Plus is a stand-alone investigative solution for cell phone forensic analysis. It presents a unique approach to cell phone data extraction, making it easy to zero in on the key facts and evidence. In addition, it supports the analysis of more than 7000 mobile phone models, including GSM/CDMA devices, across platforms such as BlackBerry, Android, iOS and Windows. MPE+ has robust tools built into its architecture, providing a single solution for multiple platforms and making the investigation a cost-effective process.

dtSearch
dtSearch is one of the most common and effective search tools used by computer forensic examiners. It is deployed by most forensic investigators owing to its ability to reduce data search time. It primarily helps in imaging, hashing, searching and indexing data on drives and other digital storage media. dtSearch is a pivotal element of modern forensic investigation because it can search through a variety of document types such as HTML, PDFs, PSTs, Unicode and common files like Word documents, Excel sheets and more. Instantaneous identification of key facts, such as file names and strings, reduces the overall time frame of analysis and provides the accurate results that help bring a case to a successful resolution.

The roles of the computer forensic investigator and of the forensic tool are complementary in an investigation. High-end, user-friendly and effective tools are imperative to the successful resolution of a case and the effective representation of the clients involved. Similarly, competent and experienced analysts should be employed who can operate this complex equipment, extract the required information from it and present it as admissible evidence.


Technology paved the way for development and also opened the door for criminals to commit crimes without being caught for years. Today, mobile phones are a double-edged sword: they create new security risks while offering valuable sources of evidence for the cell phone forensics investigator. Their capabilities make mobile devices more like computers that help us navigate the world. Cell phone forensics uses information stored on and generated by mobile devices to reconstruct communications, movements and other personal details.
Cell phone forensics, being an integral part of digital forensics, is vital to accurate investigations associated with criminal and civil litigation. It comprises SMS recovery, location tracking, and the recovery of multimedia files, contact records, and the date and time of incoming and outgoing calls. Anybody who is intentionally engaged in illegal activities can be expected to take precautions to hide their tracks. Some of the protective measures adopted by criminals to avoid being caught are listed below:

Encrypting data
Wiping tools
Secure deletion tools
Remote data storage devices
Digital data compression

Extracting information from smartphones, cell phones and other devices takes considerable effort. We, as forensic investigators of cell phones, generally adopt 7 ways to extract and determine cell phone activity, as listed below:

Bypassing Security Codes
With the help of specialized tools, digital forensic investigators can extract the security code from some locked mobile devices. Bypassing the security code in this way makes it possible to acquire data from the device with forensic software.

Safe SIM Card
The confidential data in memory is destroyed if the wrong SIM card is inserted in a cell phone. With this issue in mind, investigators create “safe” SIM cards for inspection purposes.

Live acquisition
Valuable and confidential evidence might be destroyed if the battery is removed from a mobile phone before forensic acquisition is performed. In a few cases, to make sure that all evidence and useful information is preserved, investigators can leave the mobile device powered on until the forensic operation can be performed. To avoid external influences, it is mandatory to take some precautions beforehand.

Trusted Time Source
Even when the clock on the device shows the wrong time, systems on the network side still function properly and provide accurate data. For example, the time shown in an SMS is generated by the SMS service center, not by the phone.

Tracking movements
Several mobile devices store location-based data related to actions and certain media on the device. Investigators can recover this data to determine the geographic location of a mobile device at a particular time.

Recovering Deleted Data
Call log information that has been deleted, accidentally or intentionally, may be easily recoverable by investigators with the help of certain ready-to-use forensic tools. Such tools provide detailed information on missed, dialed and received calls.

Getting Physical
By acquiring and analyzing the complete memory contents, investigators find it easier to recover extensive amounts of deleted data from a growing number of mobile devices.
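
The Trusted Time Source point above can be checked directly in a raw SMS-DELIVER PDU, where the TP-SCTS field is stamped by the SMS service center rather than by the handset. The following Python is an added example, not part of the original article: it decodes that timestamp and bounds the handset's clock error. The sample PDUs, phone numbers and handset receive times are constructed, and two-digit years are assumed to mean 20xx.

```python
from datetime import datetime, timedelta, timezone

def _bcd(octet, mask=0x0F):
    """Decode a swapped-nibble BCD octet: low nibble is tens, high is units."""
    tens, units = octet & mask, octet >> 4
    if tens > 9 or units > 9:
        raise ValueError(f"non-BCD octet 0x{octet:02X}")
    return tens * 10 + units

def parse_scts(pdu_hex):
    """Return TP-SCTS of an SMS-DELIVER PDU (3GPP TS 23.040) as an aware datetime."""
    data = bytes.fromhex(pdu_hex)
    try:
        i = 1 + data[0]                    # skip length-prefixed SMSC address
        if data[i] & 0x03 != 0x00:         # TP-MTI 00 = SMS-DELIVER
            raise ValueError("not an SMS-DELIVER PDU")
        oa_digits = data[i + 1]            # TP-OA length is counted in digits
    except IndexError:
        raise ValueError("truncated PDU") from None
    i += 3 + (oa_digits + 1) // 2          # first octet, OA length, TOA, OA digits
    i += 2                                 # TP-PID and TP-DCS
    ts = data[i:i + 7]
    if len(ts) != 7:
        raise ValueError("truncated PDU")
    yy, mo, dd, hh, mi, ss = (_bcd(b) for b in ts[:6])
    quarters = _bcd(ts[6], mask=0x07)      # zone offset in quarter hours
    sign = -1 if ts[6] & 0x08 else 1       # bit 3 of the zone octet is the sign
    tz = timezone(timedelta(minutes=15 * quarters * sign))
    return datetime(2000 + yy, mo, dd, hh, mi, ss, tzinfo=tz)  # assumes 20xx

def clock_error_bound(records):
    """Upper bound (seconds) on handset clock error from (pdu, received) pairs.

    Delivery delay only adds to (handset time - SCTS), so the smallest
    difference across messages is the tightest bound on a constant error.
    """
    return min((rx - parse_scts(pdu)).total_seconds() for pdu, rx in records)

# Constructed sample PDUs (fictional numbers), SCTS 14:30:05 and 14:45:10 at UTC-4.
HEAD = "07915155210300F0" "04" "0B915155219399F9" "0000"
BODY = "0AE8329BFD4697D9EC37"
PDU_A = HEAD + "32605141035069" + BODY
PDU_B = HEAD + "32605141540169" + BODY
# Constructed handset-recorded receive times, already converted to UTC.
RECORDS = [(PDU_A, datetime(2023, 6, 15, 18, 42, 40, tzinfo=timezone.utc)),
           (PDU_B, datetime(2023, 6, 15, 18, 57, 40, tzinfo=timezone.utc))]

if __name__ == "__main__":
    print(parse_scts(PDU_A).isoformat(), clock_error_bound(RECORDS))
```

A bound drawn from many messages is more defensible than one from a single message, since any one SMS may have been queued at the service center while the handset was unreachable.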