A Forensically Sound Adversary Model for Mobile Devices
In this paper, we propose an adversary model to facilitate forensic investigations of mobile devices (e.g. Android, iOS and Windows smartphones) that can be readily adapted to the latest mobile device technologies. This is essential given the ongoing and rapidly changing nature of mobile device technologies. An integral principle and significant constraint upon forensic practitioners is that of forensic soundness. Our adversary model specifically considers and integrates the constraints of forensic soundness on the adversary, in our case, a forensic practitioner. One construction of the adversary model is an evidence collection and analysis methodology for Android devices. Using the methodology with six popular cloud apps, we were successful in extracting a variety of information of forensic interest from both the external and internal storage of the mobile device.
💡 Research Summary
The paper introduces a novel adversary model specifically designed for digital forensic practitioners working on mobile devices such as Android, iOS, and Windows smartphones. Unlike traditional adversary models that characterize an attacker’s capabilities to evaluate security controls, this model treats the forensic examiner as the “adversary” and embeds the principle of forensic soundness (FS) directly into the model’s constraints. Forensic soundness is defined through four core requirements: (1) evidence integrity (hash verification before and after acquisition), (2) continuity (a verifiable chain of custody for every step), (3) reproducibility (the same procedure yields identical results), and (4) legal admissibility (compliance with jurisdictional statutes and procedural rules).
The model is organized along two axes: “Abilities” (what the examiner can technically achieve) and “Constraints” (what the examiner must not violate because of FS). Abilities include physical access, logical access via ADB, privilege escalation (rooting), memory dumping, file‑system parsing, and network traffic capture. Constraints map each ability to specific FS requirements—for example, even after obtaining root, the examiner may not alter system logs or delete files without documenting the action and preserving original hashes. This explicit separation provides a clear, repeatable workflow that satisfies both technical and legal expectations.
To demonstrate practicality, the authors instantiate the model for Android devices and develop a step‑by‑step evidence collection and analysis methodology. The workflow proceeds as follows:
- Device Preparation – Enable USB debugging, establish an ADB connection, and record device identifiers and timestamps.
- Logical Acquisition – Use ADB pull commands to copy accessible partitions while logging each command and its output.
- Privilege Escalation – Exploit a known kernel vulnerability (or use a vetted rooting tool) to gain super‑user rights, then capture the /data/data directory containing each app’s private storage.
- Memory Dump – Employ a live‑memory acquisition tool (e.g., LiME) to obtain a raw RAM image, later used to recover in‑memory authentication tokens and encryption keys.
- Network Capture – Set up a portable Wi‑Fi hotspot or use a USB‑based packet sniffer to record traffic between the device and cloud services during normal app usage.
- Verification – Compute SHA‑256 hashes for every extracted file, compare them with pre‑acquisition hashes, and store the hash log in a tamper‑evident container.
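The verification step above, as an added example that is not the paper's own tooling: a small Python script that builds a SHA-256 manifest of an acquisition directory, re-checks it after the fact (integrity), and keeps the step log in a hash chain so that editing or dropping an earlier entry is detectable (continuity). The sample files and their contents are constructed here; the hash-chained log is one way to make the log tamper-evident, not necessarily the container the authors used.

```python
import hashlib, json, tempfile, time
from pathlib import Path

def build_manifest(root):
    """Relative path -> SHA-256 of every file under root (sorted, so reproducible)."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_manifest(root, expected):
    """Integrity check: compare the tree as it is now against the pre-acquisition manifest."""
    actual = build_manifest(root)
    return {"matched": [k for k in expected if actual.get(k) == expected[k]],
            "modified": [k for k in expected if k in actual and actual[k] != expected[k]],
            "missing": [k for k in expected if k not in actual],
            "unexpected": [k for k in actual if k not in expected]}

class CustodyLog:
    """Continuity: append-only log; each entry commits to the previous entry's hash, so
    verify() fails if any entry is edited or an earlier entry is removed."""
    GENESIS = "0" * 64
    def __init__(self):
        self.entries = []
    @staticmethod
    def digest(entry):
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    def record(self, action, detail):
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = {"ts": time.time(), "action": action, "detail": detail, "prev": prev}
        entry["hash"] = self.digest(entry)
        self.entries.append(entry)
    def verify(self):
        prev = self.GENESIS
        for e in self.entries:
            if e["prev"] != prev or self.digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True

def demo():
    """Constructed acquisition: hash two sample files, log each step, then alter one file."""
    root = Path(tempfile.mkdtemp())
    (root / "accounts.db").write_bytes(b"sqlite sample")       # constructed input
    (root / "sync_queue.json").write_bytes(b'{"pending": 0}')  # constructed input
    log, manifest = CustodyLog(), build_manifest(root)
    log.record("adb pull", {"files": sorted(manifest)})
    log.record("sha256", manifest)
    clean = verify_manifest(root, manifest)
    (root / "accounts.db").write_bytes(b"sqlite sample, edited")  # simulated post-acquisition change
    return clean, verify_manifest(root, manifest), log
```

The second `verify_manifest` result flags `accounts.db` as modified while `sync_queue.json` still matches, which is exactly the discrepancy an examiner must be able to show (or rule out) in court.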
The methodology was applied to six widely used cloud applications (Google Drive, Dropbox, OneDrive, Box, Mega, and iCloud via web interface). The authors succeeded in extracting a rich set of forensic artifacts:
- File System Artifacts – Metadata (creation, modification, deletion timestamps), file paths, and hash values from both internal storage and external SD cards.
- Application Databases – SQLite databases containing user accounts, shared link information, recent activity logs, and synchronization queues.
- In‑Memory Artifacts – OAuth access tokens, refresh tokens, and encrypted session keys recovered from RAM, enabling authenticated API calls to the cloud services for further data retrieval.
- Network Artifacts – TLS handshake details, server IPs, and timestamps that corroborate device‑side activity logs.
- Deleted Data – Evidence of file deletion events and, in several cases, the ability to reconstruct partially overwritten files using file‑system journal entries.
The authors argue that integrating FS constraints into the adversary model yields several advantages. First, the collection process itself becomes defensible in court because every action is logged, hashes are verified, and no undocumented modifications occur. Second, the modular nature of the model allows rapid adaptation to new OS releases, security patches, or emerging device architectures—practitioners can replace or augment individual “ability” modules without redesigning the entire workflow. Third, by extending the scope to cloud‑linked applications, the model captures evidence that resides beyond the physical device, addressing a common blind spot in mobile forensics.
Limitations are also acknowledged. Obtaining root privileges on newer, hardened devices may be infeasible, reducing access to certain private app data. Legal requirements for search warrants and user consent differ across jurisdictions, meaning the model must be tailored to local law before deployment. Finally, the comprehensive acquisition strategy can be time‑ and resource‑intensive, especially when dealing with large cloud storage volumes or high‑resolution media files.
Future work outlined includes: (1) extending the model to iOS and Windows Mobile platforms, (2) automating the workflow through a unified forensic suite that enforces FS constraints programmatically, and (3) applying machine‑learning techniques to prioritize extracted artifacts based on relevance to investigative hypotheses.
In summary, the paper delivers a theoretically grounded yet practically validated framework that reconciles the technical demands of modern mobile forensics with the stringent evidentiary standards required in legal proceedings. By treating the forensic examiner as a constrained adversary, the model ensures that evidence collection remains both effective against evolving mobile technologies and defensible under the doctrine of forensic soundness.