As promised to all the examiners out there I say, “cellphone (mobile) forensics”. This roll comes early since we are in a wonderful holding pattern while deciding to land (I love winter). I thought I would just do another promised blog.
I am going to do a little discussion on the idea on adding the word forensic to the examination of a mobile device. @&$@, some say. I want to give my opinion because when we discuss a mobile device extraction we have an understanding as to why, how and who can label this forensic. Let’s go to some far away place not in the distant future…….ok this really happened like a month ago…
I was teaching a very large event and thought I would sit in on an instructor that was was running an introductory class. The instructor conveyed to the group that the extraction of data from a cellular device was just that, “cellular data extraction” and not forensics. This instructor had “been around” and was a very knowledgeable forensic examiner in computer forensics so I thought it was worth an ask since heck, it was one of my classes.
The instructor explained to me that the simple extraction by the cellphone tool was just that, an extraction. To call it forensics was not right since in computer forensics creating an “image”, or bit by bit copy of the evidence, was forensics. A cellphone on the other hand is not capable of giving a bit by bit image they continued. Humm, let’s start first with some definitions.
1. pertaining to, connected with, or used in courts of law or public discussion and debate.
2. adapted or suited to argumentation; rhetorical.
3. forensics, (used with a sing. or pl. v.) the art or study of argumentation and formal debate.
Origin: 1650–60; < L forēns(is) of, belonging to the forum, public (see forum, -ensis) + ic
Ok, as I look at that definition I cannot find “because it does not get a bit by bit image” anywhere in the definition. What I do see though is forensics is to deal with information to be used in court, public discussions and debates. So essentially when using the term computer forensics the term forensics is used as a noun but also when describing what occurred, many of us use forensics as an adjective saying I performed a forensic computer examination. In both instances we see the word argumentation. Now let’s not confuse that word with augmentation as I did with my small brain, but argumentation. Again, below is a definition.
ar·gu·men·ta·tion [ahr-gyuh-men-tey-shuh n]
1. the process of developing or presenting an argument; reasoning.
2. discussion; debate; disputation: The lengthy argumentation tired many listeners.
3. a discussion dealing with a controversial point.
4. the setting forth of reasons together with the conclusion drawn from them.
5. the premises and conclusion so set forth.
6. argument (def. 5).
Origin: 1400–50; late ME argumentacioun (< MF) < L argūmentātiōn- (s. of argūmentātiō). See argument, -ation
Now we are getting to the bottom of forensics, a process to or presenting an argument or the key word REASONING. So a forensic analysis, whether it be a computer, cellphone, goat or pig, must first have a point/direction/preposition/position. The forensics will then cover the process and reasoning to arrive at your conclusion.
Forensics has nothing to do with a tool that is utilized in an examination nor a piece of evidence being examined, but a process of presenting the evidence in a reasonable, accepted and repeatable fashion.
I do agree that many “examiners” in the cellphone community are on thin ice with examinations with no process, but I do and will continue to fight those that abhor using forensic when it comes to a proper cellular phone examination.
Please, your thoughts?
With much respect,