Smartphone use worldwide is increasing and is set to overtake the penetration of other digital devices. At present, mobile phones account for about 80 percent of digital devices worldwide. By the end of 2020, it is expected that 50 billion mobile phones will be connected to the World Wide Web. This confirms an earlier prediction that by 2020 mobile phones will be the primary devices of digital communication. The estimate is that within the next five years, and with the advent of 5G communication, each individual on earth will own two smartphones, with a matching demand for IP address assignment; this is in turn facilitated by the availability of unique IPs through the proliferation of the IPv6 regime. It is also reported that the share of 5G-capable phones will increase to 56% by 2023, further increasing smartphone penetration and its overtaking of desktops, tablets and laptops.
This will result in challenges for the digital forensics field, which at present is dominated by computer and database forensics and in which smartphone forensics is otherwise less prominent. The advent of this smartphone regime will increase the scope of smartphone forensics.
The question of the integrity of the ‘Forensic Hash Value’ of a smartphone whose content has not changed (both with the SIM card in the smartphone and without it), in different states of the device, has bothered cyber forensic experts time and again. The question extends to the different hash values obtained for a smartphone when the device is switched on or restarted after the hash has been generated. (For academic purposes, we at Cyber Secure India assume that the nature of the hash, be it MD5, SHA-1, SHA-2, etc., is not of significance.)
The Forensic Hash Value of a Smartphone and its Criteria
The hash value of data is a very important attribute in “Digital Forensics Evidence Management”, as it checks the integrity of data. A hash value is a fixed-length value, created using a mathematical hash function, that is used to check the integrity of digital data or a device. A hash value is also called a fingerprint. The hash of a piece of digital evidence changes even if a small change is made, such as changing the font type or font color, renaming the file or changing its extension, and this holds for any of the algorithms, be it MD5 (Message Digest 5), SHA-1 (Secure Hash Algorithm 1), SHA-256 (Secure Hash Algorithm 256) or SHA-512 (Secure Hash Algorithm 512).
Several hashing algorithms are commonly used, such as MD5, SHA1, SHA256, and others. MD5 produces a 128-bit, 32-character value and is the most commonly used hashing algorithm. There are other hashing algorithms available for encryption; however, forensics primarily focuses on MD5, SHA1, SHA256 and SHA512. Hashing is also used for many other purposes and in different areas of digital study, such as download confirmation, encryption, etc.
To qualify as a hash function, a function needs to meet these six criteria: Compression, Being Unique for a set of Data, Pre-Image Resistance, One-Way, Resistance to Weak Collision, and Resistance to Strong Collision.
- Compression: All hash functions exhibit compression, whereby an output that is much smaller than its input is produced. More formally, the size of the range (i.e. output) is much smaller than the size of the domain (i.e. input).
- Being Unique for a set of Data: Applying the algorithm to a set of data should return a unique string, which is directly related to the bits, and the pattern of the bits, that the data contains.
- Pre-Image Resistance: If given the output of a function, pre-image resistance implies that it is difficult to find the input which produced that output.
- One-Way Hash: The property that the content cannot be recreated from the generated hash value.
- Weak Collision Resistance: The property of the algorithm whereby it generates a different hash value for a different file, so that no two hashes are the same. For example, Robert sends a message and a hash value of the message to Juliet; Juliet should not be able to create the same hash value as that of the original message by tampering with the message that she has already received.
- Strong Collision Resistance: The property whereby it is difficult to find any two messages that hash to the same value; two digital files should not have the same hash value.
Data Integrity related to Flash Memory Attributes
All smartphones use flash memory, be it the ‘Internal Device Primary Memory’ or ROM, the ‘Random Access Memory’ (RAM) or the Secure Digital (SD) card that is also inherent to the smartphone. Flash memory is a solid-state chip that maintains stored data without any external power source. Inside the flash chip, data is stored in cells protected by floating gates. Tunneling electrons change the gate’s electronic charge in “a flash” (hence the name), clearing the cell of its contents so it can be rewritten. NOR flash is used to store smartphones’ operating systems. NAND flash reads and writes sequentially at high speed, handling data in small blocks called pages (it is used both in the ROM and in SD cards).
Since flash memory is not storage on a ‘magnetic medium’, it is dynamic and is subject to data integrity changes while at rest or when power is supplied. The fact that the smartphone is also an interface that performs ‘look-ups’ is another factor that produces a different hash value on each instance or each time the device is switched on or off.
As with all flash memory, smartphones run various functions that alter the hash, such as TRIM, garbage collection and wear leveling. The execution of these commands inherently changes the hash, even without the user making any change to the data.
Data Integrity of Smartphone in Storage
The flash memory in smartphone devices is susceptible to changes in data even when it is not supplied with power. The change in hash is also influenced by the fact that, over time, the ‘bad blocks’ on the flash memory are bound to increase even in storage. This change in ‘bad blocks’ is then mapped on the next ‘RE_BOOT’ (or, for that matter, when the device is connected for subsequent imaging or forensic copying). This action then alters the HASH.
The concept of “memory leak” is also applicable to flash memory. The charge of NAND flash storage transistors does leak. As said earlier, NAND flash is designed around the concept of the floating-gate transistor. For most transistor applications, the hot-electron effect severely degraded the lifetime of integrated circuits, as electrons would be ejected from the drain end of the transistor into the gate oxide. Once there, these electrons caused all sorts of trouble, creating fixed charge that interferes with transistor operation and leads to circuit failure. This results in leaks and loss of data, thereby altering the hash.
Exposure to moisture is another cause of change in the hash. Moisture directly affects the electronic charge of the doped semiconductor. It is also pertinent to mention that the alignment of the zeros and ones is unlike that of ‘magnetic storage’ and hence is directly influenced by moisture.
Beyond Android version 4.3, Google sneaked in a feature, ‘Android TRIM support’, that ensured sanity by providing inherent cleaning of the Android device. Subsequently, Android TRIM support was extended to SD cards introduced by the user into the Android device. This feature is generally triggered on shutdown, and this running of ‘TRIM’ by default is a reason for a different hash on the next ‘Power-On’.
Data Integrity in Restart of a Smartphone Device
Data integrity has been questioned time and again by the judiciary when it comes to smartphones. The fact that the smartphone also accommodates a removable “SD Card” is another factor that the judiciary has questioned, as is the physical security of the removable card. It is certain that admissibility is questionable from the integrity point of view, due to the inherent behavior of the smart device. A few scenarios (the list is not exhaustive) are discussed below to examine the phenomenon of change in the ‘Forensic HASH value’ of the smartphone on its RESTART:
- The OS on the smartphone is said to be based on the Dalvik VM in Android and to be app-managed in iOS phones. Both have their inherent ‘look-up’ on RESTART, thus altering the HASH.
- Android RunTime (ART) on Android smartphones is optimised to take advantage of the target processors as much as possible and is highly dependent on memory management by the garbage collector. This again is executed on RESTART, thus producing a different HASH from that generated prior to SWITCH-OFF.
- In Android 9 and in iOS 13, the inherent app of these versions is augmented to help ensure that system resources are made available to the apps that need them the most. This is also activated on RESTART and also alters the HASH from what it was at the previous SHUT-DOWN.
- The features related to Wi-Fi scans, GPRS scans, location scans, etc., all undergo a change in their related logs on RESTART, even without user instructions. The behavior differs between the two cases: when there is a SIM in the smartphone and when there is no SIM in the smartphone.
- In both Android and Apple smartphones, the use of the ICU Library (International Components for Unicode Library) is made more dynamic and is made to fetch many attributes such as ‘Date/Time Format’, ‘Emoji’, etc. on RESTART.
- The simple act of screen rotation is also logged; if the user RESTARTS the smartphone in a rotated mode (different from the orientation at SWITCHING-OFF), this will append to the log and generate a different HASH.
- Certain apps installed on the smartphone also have the inherent behavior of ‘look-up’ on RESTART, and this will then produce a different HASH.
- The presence of a virus or malware infection in either the primary device or the flash memory will result in undesired actions on RESTART. This is also a cause of concern for the provision of a consistent HASH.
The inherent properties of the smartphone are seen to be the cause of an inconsistent ‘Forensic Hash Value’ when the device is considered as digital evidence for judicial purposes. Forensic integrity verification using the HASH, once generated, is only possible on the image first obtained; hence admissibility should be restricted to HASH verification of the ‘first copy’ against its subsequent ‘copies’, rather than against the primary device.
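The verification recommended above, checking working copies against the first image rather than against the device, is sketched below as an added example that is not part of the original article. It computes the digests the article names in one pass and adds per-block hashes to show where a re-acquired image differs; the function names, the 4096-byte block size and the in-memory sample images are assumptions constructed for illustration.

```python
import hashlib
import io

ALGORITHMS = ("md5", "sha1", "sha256", "sha512")  # algorithms named in the article
BLOCK_SIZE = 4096  # assumed block size for localising changes; not from the article


def digest_image(stream, block_size=BLOCK_SIZE):
    """Read an image once; return (whole-image digests, per-block SHA-256 list)."""
    whole = {name: hashlib.new(name) for name in ALGORITHMS}
    blocks = []
    while True:
        chunk = stream.read(block_size)
        if not chunk:
            break
        for h in whole.values():
            h.update(chunk)
        blocks.append(hashlib.sha256(chunk).hexdigest())
    return {name: h.hexdigest() for name, h in whole.items()}, blocks


def compare(reference, candidate):
    """Return (all digests match, indexes of blocks that differ from the reference)."""
    ref_whole, ref_blocks = reference
    cand_whole, cand_blocks = candidate
    changed = [i for i, (a, b) in enumerate(zip(ref_blocks, cand_blocks)) if a != b]
    # Blocks present in only one of the two images also count as changed.
    shorter, longer = sorted((len(ref_blocks), len(cand_blocks)))
    changed.extend(range(shorter, longer))
    return ref_whole == cand_whole, changed


def demo():
    # Constructed sample data standing in for real acquisitions.
    first_image = bytes(range(256)) * 64        # 16 KiB = 4 blocks
    working_copy = bytes(first_image)           # bit-for-bit copy of the first image
    reacquired = bytearray(first_image)         # device imaged again after a restart
    reacquired[2 * BLOCK_SIZE + 10] ^= 0x01     # a single bit differs, in block 2
    ref = digest_image(io.BytesIO(first_image))
    copy_result = compare(ref, digest_image(io.BytesIO(working_copy)))
    reacq_result = compare(ref, digest_image(io.BytesIO(bytes(reacquired))))
    return copy_result, reacq_result


if __name__ == "__main__":
    copy_result, reacq_result = demo()
    print("working copy vs first image:  ", copy_result)
    print("re-acquisition vs first image:", reacq_result)
```

The working copy matches the first image under every algorithm, while the re-acquired image fails the whole-image comparison because of one changed bit, and the per-block list narrows the difference to a single block.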