Cell Phone Forensics in a Correctional Setting: Guidebook


The author(s) shown below used Federal funds provided by the U.S. Department of Justice and prepared the following final report:

Document Title: Cell Phone Forensics In A Correctional Setting: Guidebook
Author(s): John S. Shaffer, Ph.D.
Document No.: 248466
Date Received: October 2014
Award Number: 2010-IJ-CX-K003

This report has not been published by the U.S. Department of Justice. To provide better customer service, NCJRS has made this Federally-funded grant report available electronically.

Opinions or points of view expressed are those of the author(s) and do not necessarily reflect the official position or policies of the U.S. Department of Justice.

Available for download at www.JUSTNET.org

CELL PHONE FORENSICS IN A CORRECTIONAL SETTING GUIDEBOOK

Prepared for National Institute of Justice, through the National Law Enforcement and Corrections Technology Center (NLECTC), Corrections Technology Center of Excellence

By John S. Shaffer, Ph.D., Institutional Corrections Program Manager, Corrections Technology Center of Excellence

October 2014

This publication was prepared by the National Law Enforcement and Corrections Technology Center’s Corrections Technology Center of Excellence, supported by Cooperative Agreement 2010-IJ-CX-K003 awarded by the U.S. Department of Justice, National Institute of Justice (NIJ). Points of view or opinions contained within this document are those of the authors and do not necessarily represent the official position or policies of the U.S. Department of Justice.

Please note that providing information on law enforcement and corrections technology or the mention of specific manufacturers, products or resources does not constitute the endorsement of the U.S. Department of Justice or its component parts.
Agencies are encouraged to gather as much information as possible, from multiple sources, and make their own determinations regarding solutions that best fit their particular needs.

TABLE OF CONTENTS

Foreword
Executive Summary
    Methodologies
    Chapter Review
Chapter 1: Statement of the Problem
Chapter 2: What Agencies Need to Know About Cell Phone Forensics
Chapter 3: Technology
Chapter 4: Establishing a Cell Phone Forensics Capability
    Assessing Resource Needs Based on Historical and Projected Data
    Funding Needed for Start-up and Ongoing Operations
    Issues Related to Procuring Technology Tools
    Software/Hardware
    Photo Documenting
    Staff Resources Required
    Training Requirements
    Physical Site Requirements
Chapter 5: Implementation
    Legal Issues and Case Law
    Law Enforcement Coordination
    Prioritizing Evidence to Prevent Backlogs
    Evidence Collection and Retention Issues
    Importance of Policies and Procedures
    Lessons Learned and Success Stories
Chapter 6: Conclusions
Appendix A: Sample Policies and Procedures and Forensic Lab Contact Information
Appendix B: References
Appendix C: List of Acronyms
Appendix D: Glossary of Terms

EXHIBITS

Exhibit 1. California Department of Corrections and Rehabilitation Total Cell Phones Found 2006 – 2012
Exhibit 2. Frequently Cited Reasons for the Increase in Contraband Cell Phones
Exhibit 3. Illegal Communications That Occur Through Contraband Cell Phones
Exhibit 4. Documented Adverse Events Perpetrated by Inmates With Contraband Cell Phones
Exhibit 5. Mobile Forensics Tool Classification
Exhibit 6. Tool Classification – Going Up
Exhibit 7. Tool Classification – Going Down
Exhibit 8. Options for Data Recovery
Exhibit 9. Map of Regional Computer Forensics Laboratory Locations
Exhibit 10. Photograph of Example Mobile Field Kit
Exhibit 11. Photograph of Cellebrite Device
Exhibit 12. Sophisticated Forensic Examination Workstation
Exhibit 13. Photograph of Typical RF Bags
Exhibit 14. Photograph of Typical Portable RF Blocking Tent
Exhibit 15. Tabletop RF Blocking Tent
Exhibit 16. Frequently Asked Questions (FAQs)
Exhibit 17. Maryland Department of Public Safety and Correctional Services Policy DP SCS.110.0008, Contraband – Cellular Telephones, (10/14/11) (excerpt)
Exhibit 18. New Jersey Department of Corrections Successful Prosecutions
Exhibit 19. Summary of Cell Phone Threats and Concerns
Exhibit 20. Practitioner Response to the Poll Question: “If technology such as managed access was used to defeat inmate calls would there still be a need to recover the phones?”
Exhibit 21. Practitioner Response to the Poll Question: “Does your agency have the internal capability to perform forensics on recovered cell phones?”
Exhibit 22. Cell Phone Cases Referred for Prosecution

FOREWORD

This guidebook was developed by the National Law Enforcement and Corrections Technology Center (NLECTC) System’s Corrections Technology Center … evaluations and conducting, facilitating and coordinating demonstrations with corrections agencies.