
A metamodel for mobile forensics investigation domain

  • Abdulalem Ali,

    almaldolah2012@gmail.com

    Affiliations: Faculty of Computing, Universiti Teknologi Malaysia, Skudai, Johor, Malaysia; Faculty of Engineering and Information Technology, Taiz University, Taiz, Yemen

  • Shukor Abd Razak,

    Affiliation: Faculty of Computing, Universiti Teknologi Malaysia, Skudai, Johor, Malaysia

  • Siti Hajar Othman,

    Affiliation: Faculty of Computing, Universiti Teknologi Malaysia, Skudai, Johor, Malaysia

  • Arafat Mohammed,

    Affiliation: Faculty of Computing, Universiti Teknologi Malaysia, Skudai, Johor, Malaysia

  • Faisal Saeed

    Affiliation: Faculty of Computing, Universiti Teknologi Malaysia, Skudai, Johor, Malaysia

Abstract

With the rapid development of technology, mobile phones have become an essential tool in terms of crime fighting and criminal investigation. However, many mobile forensics investigators face difficulties with the investigation process in their domain. These difficulties are due to the heavy reliance of the forensics field on knowledge which, although a valuable resource, is scattered and widely dispersed. The wide dispersion of mobile forensics knowledge not only makes investigation difficult for new investigators, resulting in substantial waste of time, but also leads to ambiguity in the concepts and terminologies of the mobile forensics domain. This paper develops an approach for the mobile forensics domain based on metamodeling. The developed approach contributes to identifying the common concepts of mobile forensics through the development of the Mobile Forensics Metamodel (MFM). In addition, it contributes to simplifying the investigation process and enables investigation teams to capture and reuse specialized forensic knowledge, thereby supporting training and knowledge management activities. Furthermore, it reduces the difficulty and ambiguity in the mobile forensics domain. A validation process was performed to ensure the completeness and correctness of the MFM. The validation was conducted using two techniques, leading to improvements and adjustments to the metamodel. The final version of the adjusted metamodel was named MFM 1.2.

1. Introduction

The worldwide use of mobile phone devices is increasing daily. Ericsson President and CEO Hans Vestberg expects that by 2020, 50 billion mobile phones will be connected to the web, compared to five billion now [1]. This confirms an earlier prediction that by 2020 mobile phones will be the primary devices of digital communication [2]. Fig 1 shows that 76 percent of the devices used in 2014 were mobile phones [3]. According to a recent report by Patrik Cerwall (2015), the number of mobile phone users in Q1 2015 was around 7.2 billion, which equals the world's population [4].

Mobile device forensics is considered a new field compared to other branches of digital forensics such as computer and database forensics. According to the authors in [5], Mobile Forensics (MF) is a branch of digital forensics relating to the recovery of digital evidence from a mobile device under forensically sound conditions. The phrase 'mobile device' often applies to mobile phones. However, these devices are currently used for many other activities in our daily lives, for instance checking e-mails, taking photos, browsing the Internet, business transactions, location data and much more. In contrast to these productive activities, mobile phone crime is on the rise, and cybercrime is now moving to mobile phone devices; examples include committing fraud via email, harassment through text messages, distribution of child pornography, terrorism and selling drugs. MF has many interacting elements, including people, authority, investigation teams, resources, procedures and policy. The sophistication of the crimes and the variety of mobile phone devices used in these offenses are becoming major challenges to investigators [6]. In addition, the volume of data and the complexity of investigation are among the major issues in MF [7].

Furthermore, investigators may not have a clear view of which potential evidence to start the investigation with. Previous studies have mostly discussed mobile forensics only in data acquisition terms and only in a problem-solving scenario, as a subset of computer forensics. These studies did not take mobile forensics beyond the paradigm known as computer forensics. Additionally, they have not addressed the elements of MF comprehensively, and previous research in the MF domain did not focus on modeling the case domain information involved in investigations [8]. The existing mobile forensic models are not based on any metamodels but rather constitute proprietary solutions, mainly focused on frameworks and other aspects of models. Metamodeling has been promoted by the efforts of the Object Management Group (OMG) [9]. This paper develops a Mobile Forensic Metamodel (MFM) in order to clarify all the activities that investigators need to carry out in their task. In addition, it creates a unified view of mobile forensics in the form of a metamodel that can be seen as a language for this domain. A metamodeling approach is applied to ensure that the resulting metamodel is complete and consistent.

The rest of this paper is organized as follows: the background of MF is summarized in Section 2; Section 3 presents and describes the development process of our mobile forensic metamodel, based on a metamodeling approach; finally, the conclusion is presented in Section 4.

2. Background

The rapid change in the technology of mobile phones has provided opportunities for criminal activities. The crimes conducted through mobile phones include fraud, drugs and pornography, as discussed in [10], which indicated that these crimes are growing with the increase in the number of mobile devices. According to the National Institute of Justice [11], many digital crimes are committed annually through mobile phone devices due to the proliferation of these devices in most countries. Thus, mobile phone devices contain a great deal of digital evidence for digital investigation processes [12]. The purpose of extracting digital evidence from mobile phone devices is to use it in court proceedings, as these devices are now frequently used in criminal activities [13]. Evidence extracted from mobile phones has played a significant role in forensic investigation in recent years, and many murder convictions have been partly based on evidence gathered from the mobile phones of the perpetrators or their victims [14]. For instance, mobile phone evidence was used in the prosecution of Ian Huntley, who killed two girls, and was also used to locate and arrest suspects in the failed London car bomb attacks in 2007 [12]. Some of the types of crimes conducted through the use of mobiles and the evidence sources contained in the mobile devices are shown in Table 1.

The rapid proliferation of mobile phones on the market created a demand for forensic examination of the devices, which could not be met by existing computer forensic techniques. Much research has been conducted in the MF domain. While some studies have discussed MF for devices in general, the majority of previous studies were concerned with smartphone forensics. A study in [15] tested and analyzed data remnants of instant messaging from Facebook and Skype to identify evidence from these data. However, validated frameworks and methods to extract mobile phone data are practically non-existent [16]. The rapid development of mobile phone devices has made it difficult to design a single forensic tool or standards specific to one platform [12]. Furthermore, the lack of hardware, software and standardization in mobile phone devices is one of the significant difficulties in the MF domain [17]. This fact makes the investigation process a hard task. It is also easy to tamper with digital evidence in mobile phones, either through overwriting or through remote commands received from the wireless network [18].

Moreover, the lack of standardization is a major issue in the field of MF. Advanced development in technology, as well as the variety of mobile devices and OSs, makes the procedure of developing a common framework or standardization model difficult [17, 19, 20]. In addition, as stated in [21], the major issue in mobile phone investigation is that there is no standard forensic model nor any standard process for the forensic examination of smartphones. Research by Hoog concluded that digital forensic investigators and security engineers have faced difficulties dealing with mobile phone crimes due to their lack of knowledge management [22].

Additionally, it has been suggested that members of the legal profession need to increase their level of understanding and knowledge of mobile phone forensic terminology, techniques and procedures [13]. Moreover, it has been claimed that a major issue in law enforcement agencies in many countries is the lack of knowledge management [23]. Therefore, forensic investigators are facing difficult challenges when conducting the forensic investigation processes related to digital crimes, particularly for mobile phones. In a recent NIST Mobile Forensics Workshop (2014) [24] conducted by researchers in the MF domain, all the issues related to the MF domain were discussed. It was indicated that investigators are struggling with the MF domain because they do not have sufficient knowledge, training and education related to the proper seizure procedures for mobile devices, the appropriate transport procedures, and proper forensic examination and analysis [24]. Furthermore, while a number of digital forensic process models have been developed by various organizations worldwide, there are no agreed forensic investigation and legislative delegation procedures to adhere to, especially in the case of dealing with mobile devices with the latest technologies [25]. Recently, several studies have focused on mobile forensics. However, these were mostly concerned with cloud forensics [26–38].

3. Mobile forensic metamodel

In this paper, the authors use a metamodeling approach to identify the common concepts of the MF domain. This approach has been promoted by the efforts of the Object Management Group (OMG) to create interoperable, reusable components. It is an activity that generalizes a domain by collecting all the domain concepts and partitioning the domain problems into sub-domain problems [39]. Through this approach we developed our metamodel for MF. A metamodel is a special kind of model: it identifies domain features and related concepts (like any other model) but is created with the intent to formally describe the semantics underpinning a formal modelling language. Without a metamodel, the semantics of domain models can be ambiguous [40]. Many previous studies have used the metamodeling approach for managing domain knowledge. The study reported in [39] used this approach to develop a generic metamodel for Multi Agent Systems (MAS), following a 6-step process to develop their metamodel. Later, a metamodel for managing disaster management knowledge was developed [40], using an 8-step metamodel creation process. Moreover, the study in [41] used a 7-step metamodeling process to design a comprehensive and general-purpose metamodel for metacognition that supports artificial intelligence systems. To develop the MFM, we used an 8-step metamodeling process adapted from [39], [40] and [41], which are the works most closely related to this study, and which present a thorough and structured process for identifying major concepts and their relationships. Fig 2 illustrates these steps.

3.1 Identification of common phases of domain

The purpose of identifying the common phases of the domain is to facilitate the extraction of concepts in the domain. According to [5, 42], the common phases of MF are Preservation, Acquisition, Examination and Analysis, and Reporting. The National Institute of Standards and Technology (NIST) also recommends these phases. Preservation is the process of securely maintaining custody of property without altering or changing the content of data that reside on devices and removable media. Acquisition is the process of obtaining information from a mobile device and its associated media. In this process, the potential digital evidence is extracted from sources such as the mobile device's internal memory, SIM card memory, and SD memory, using acquisition methods. Examination and Analysis are the processes used to uncover digital evidence such as hidden data. The results are obtained by applying established, scientifically based methods and should describe the content and state of the data fully. Finally, Reporting is the process of preparing a detailed summary of all the steps taken and conclusions reached in the investigation of a case.

3.2 Model collection and classification

This step includes collecting several MF models from a variety of sources, including books, journal papers, conference papers and reports that were found from Google Scholar, ScienceDirect, IEEE Xplore, PLOS One, Springer Link and Google. The collection of models was conducted using different keywords such as ‘‘mobile forensics model”, ‘‘smartphone forensics analysis”, ‘‘mobile forensics preservation”, ‘‘mobile forensics acquisition”, ‘‘mobile forensics examination”, ‘‘mobile forensics identification” and ‘‘evidence extraction of mobile device”. Among these collected models, some models cover all four phases of MF, while others cover three, two or even only one phase. Hence, based on the number of phases included, the model can be called either a “general model” or a “specific model”. The model is called “general model” if it can cover at least three phases of MF, otherwise the model is called “specific model”.

For this study, a total of 41 models were collected, of which 31 models were considered general models and 10 models specific models. These models were selected based on their clarity and how well domain knowledge is presented through the models. The collected models were then classified into three different sets (Set I, Set V1 and Set V2) for development and validation of the MFM. These sets are formed according to how broadly the models cover the four phases of MF. Set I, which includes 21 general models, is used to create the initial metamodel, while Set V1, which includes 10 specific models, and Set V2, which includes 10 general models, are used for validation of the metamodel in Step 8.

The purpose of this first validation (Set V1) is to identify any missing concepts in the initial metamodel, because the specific models provide more information for each phase of the MF domain than provided by general models. While Set V1 concentrates on validating the MFM against specific MF models, the second validation (Set V2) focuses on generic MF models. It is worth mentioning that including the general models with wider coverage in this set will provide better indication of the frequency of concepts across the models, which is necessary to evaluate the importance of individual concepts included in the MFM. Table 2 shows the models in each set.

3.3 Concept extraction

This step is an important process in the metamodeling approach. The purpose of this process is to identify concepts among the models that could potentially be included in the MFM. Concepts should be extracted from the textual contents (main body) of a mobile forensic model in order to avoid missing or unrelated concepts during the extraction process. The main body contains the developed model. For instance, Xian's model "Symbian smartphones forensic process model" [31] covered five processes for Symbian smartphones. We extracted the related concepts under each of these processes. The extracted concepts should be related to the MF domain; otherwise, they were excluded. Similarly to the procedures in [39, 41, 82, 83], the concepts were extracted manually from each model in Set I. We adapted the concept extraction process from [84–87]. A description of the concept extraction process is presented below:

  • Concept Recognition: this step is based on a linguistic approach. To be recognized, a concept should be a noun, an adjective + noun, or a compound noun. For instance, "Investigator" and "Court" are nouns; "Faraday Bag" and "Chain of Custody" are compound nouns, whereas "Acquired Data" and "Volatile Evidence" are adjective + noun.
  • Concept categories: candidate concepts of the metamodel are represented as:
    1. Actor (active concepts) such as (Investigator, Forensic Specialist, Audience).
    2. Object (passive concepts) such as (Evidence, Source, Result).
    3. Process (activities) such as (Verification, Extraction, Documentation).

The concept extraction process is shown in Fig 3. The outcomes of the concept extraction are shown in Table 3. We extracted 725 general concepts from Set I (including 21 models in total).

3.4 Selection and identification of common concepts

In this step, we identified the common concepts from step 3 (containing 725 concepts in total) based on concepts that have been widely used in the domain of MF. However, some concepts used different names but had similar meanings. For example, the concepts "Incident" in models [43, 50], "Case" in model [52] and "Crime" in models [45, 47, 48, 55, 59, 61] have similar meanings. Hence, we grouped these concepts into one common concept, "Crime", as shown in Table 4. In addition, concepts that have a single name, such as "Securing Scene" in models [42, 45, 46, 48, 59, 61], are considered common concepts. The remainder of the selection of common concepts is shown in S1 Table. For the concepts that share the same meaning, we used the following features to select the name of the common concept: Frequency (occurrence), Generality and Definition. Therefore, if two or more concepts have similar meanings, the concept name with the higher frequency, generality and definition is selected for inclusion in the metamodel, while the other names are excluded. For example, the shared meaning of the concepts Classification, Identification and Recognition is "used by the investigator to identify the type of mobile device and its operating system, people in the crime scene, external data storage and potential evidence sources". The concept "Identification" is selected as the common concept because it has a higher frequency, appearing in more models than Classification and Recognition. Hence "Identification" is included in the metamodel and Classification and Recognition are excluded. Indeed, the main priority for selecting the common concept is the high frequency (occurrence) of the concept among all models. The outcome of this step is the selection of 82 common concepts, as shown in S1 Table.

3.5 Short-listing and reconciliation of definitions

In this step, we provide a short list of definitions for every concept selected in step 4. A harmonization of the definitions in the metamodel is required when two or more concepts have the same definition, or when two or more concepts have the same concept name. The chosen definition for each concept must be precise and widely agreed upon in the mobile forensic domain [39, 82].

In addition, differences between definitions were reconciled to ensure an internally consistent set of metamodel terms. Definitions were chosen based on consistency with earlier choices, where possible; otherwise, hybrid definitions created from multiple sources were introduced. If a concept's definition was used differently by two or more sources, the process was to select the usage most coherent with the rest of the set of chosen concepts, trying at all times to preserve generality. For instance, the concept of "Documentation" was defined differently in four models: Kaur [62] defines it as "Document all the steps". Ayers [42] defines it as "an essential activity in providing individuals the ability to re-create the process from beginning to end and documenting the crime Scene (Photographing, Sketching, and Recording)". Dancer [52] defines it as "an activity that takes place within each phase of forensics investigation and therefore should not be a standalone activity in any forensics examination". Mumba [50] defines it as "a process to improve efficiency by ensuring documentation of all steps is clearly undertaken during a mobile forensic investigation". Ramabhadran [45] defines it as "a continuous activity required in all the stages and is quite critical for maintaining proper chain of custody". As a result, the concept of "Documentation" in our metamodel is defined as "a continuous activity required in all the phases of mobile forensic and used for documenting the crime scene through (Photographing, Sketching and Recording)". A sample of the list of short definitions is shown in Table 5. The rest of the concept definitions are shown in S2 Table.

3.6 Classification of common concept

In this step, selected concepts are classified into one of the MF phases: Preservation, Acquisition, Examination & Analysis and Reporting [5, 42]. Classification into the phases is shown in Table 6.

3.7 Relationship identification among concepts

In this step, we determine the relationships between our MFM concepts. Mobile forensics investigation has four common phases, which are preservation, acquisition, examination and analysis, and reporting. Therefore, the resultant MFM is represented in four different diagrams: the Preservation-phase, the Acquisition-phase, the Examination and analysis-phase and the Report-phase. Figs 4–7 illustrate our initial MFM 1.0 diagrams for each phase. The resultant metamodel includes the relationships between concepts and represents the semantics of the MF domain. Therefore, we established the relationships between concepts based on the semantic language that was discovered and identified during the survey of MF models. We used three kinds of relationship symbols: Association, Specialization and Aggregation. Association indicates functional relationships between concepts. Specialization represents hierarchies between concepts using the relationship 'Is A Kind Of'. Aggregation represents relationships between concepts that are composed of other concepts, using the relationship 'Is A Group Of'. For example, the Acquisition-phase class (Fig 5) has a central concept, ForensicLab. The aggregation symbol is used to describe relationships between the ForensicLab concept and other concepts including Extraction, ForensicTool and ForensicExaminer. Another example of a relationship between concepts is the association, which describes the relation between the 'Evidence' and 'Presentation' concepts in the Reporting-phase class (Fig 7). The relationship between the 'InternalMemory' and 'VolatileEvidence' concepts is represented using 'Is A Kind Of' in the Acquisition-phase class (Fig 5).

Fig 6. MFM 1.0: Examination & analysis -phase class of concepts.

https://doi.org/10.1371/journal.pone.0176223.g006

MF is a continuous process with activities linking phases at different points. Correspondingly, in our MFM, relationships between concepts are identified not only among concepts within the same phase, but also among concepts from different phases. Concepts from classes in different phases can be linked, and a continuous MF process can be formed. Linkages across phases are established either through relationships among concepts from different phases or through common concepts among phases. For example, an association relationship 'Requires' can link the concept "ForensicTool" (from the Acquisition-phase) to the concept "Preparation" (from the Preservation-phase). Another example of a relationship that links two concepts across two phases is an association relationship 'Requires' that creates a link between the concept "Evidence" in the Reporting-phase class and the "Collection" concept in the Preservation-phase class. Table 7 illustrates examples of relationships that link concepts from different phases. Additionally, linkages across phases are also established through common concepts between phases. The use of the concept "Crime" shows that the investigation task should start from the preservation phase in the mobile forensic investigation process, while the use of the concept "Documentation" shows that the four phases require overlapping sets of documentation for their phase activities.

Table 7. Examples of relationships among concepts in MFM.

https://doi.org/10.1371/journal.pone.0176223.t007

3.8 Metamodel validation

In this section, we discuss the validation process of our proposed MFM. The purpose of the validation process is to measure the soundness and quality of the proposed metamodel [88]. A metamodel requires validation to meet the requirements of generality, expressiveness and completeness of the artifact. In addition, to ensure the completeness and correctness of the proposed metamodel, validation of the metamodel is required. For the validation process, the following two commonly used techniques [89, 90] were used:

  1. Comparison with other Models: this technique is used to verify that each concept of a validation model can be represented with some of the metamodel concepts. In this technique, we added some concepts to the metamodel.
  2. Frequency-based Selection: the purpose of this validation technique is to verify the frequency of the metamodel concepts appearing in a set of models. In this technique, we deleted some concepts from the metamodel.

These validation techniques are described in the next subsections.

3.8.1 Comparison with other models.

The purpose of this validation technique is to ensure that each model included in Set V1 is represented in the MFM (shown in S3 Table). If a concept of some model in Set V1 could not be represented in the MFM, we considered this concept a candidate to add to the MFM. In this process, we added four new concepts to the MFM. Table 8 illustrates these new concepts: Hypothesis, Imaging, DataExamined and Archiving, as shown in Figs 8–11. The relationships between the new concepts and the concepts that comprise the MFM are shown in Table 9. The outcome of this technique was version MFM 1.1.

Fig 8. A validated version of preservation -phase class of concepts.

https://doi.org/10.1371/journal.pone.0176223.g008

Fig 9. A validated version of acquisition -phase class of concepts.

https://doi.org/10.1371/journal.pone.0176223.g009

Fig 10. A validated version of examination & analysis -phase class of concepts.

https://doi.org/10.1371/journal.pone.0176223.g010

Fig 11. A validated version of reporting -phase class of concepts.

https://doi.org/10.1371/journal.pone.0176223.g011

Table 8. Four new added concepts based on validation through comparison with 10 models of Set V1.

https://doi.org/10.1371/journal.pone.0176223.t008

3.8.2 Frequency-based selection.

We used 10 models (Set V2 in Table 2) to perform this validation. The purpose of this technique is to evaluate the importance of individual concepts in the developed model [91]. This technique performs two tasks. In the first task, we collect concepts from the models in Set V2 and compare them with the concepts in MFM 1.1, as shown in S4 Table. In this task, not all phases were changed to the same extent; e.g. the Preservation-phase of MFM 1.1 only gained the Collection concept, as shown in Fig 12. The second task of frequency-based selection validation is to score each concept according to its frequency. Concepts with a low score are revisited and are liable for deletion. To estimate an importance value for each concept in the MFM, we used the 'Degree of Confidence (DoC)'. This value identifies the expected probability that an MFM concept is used in a randomly chosen mobile forensic model. DoC is defined as follows:

Fig 12. A validated version of preservation -phase class of concepts.

https://doi.org/10.1371/journal.pone.0176223.g012

The following five categories of concepts based on their DoC are defined:

  1. Very Strong (DoC value: 100–70%).
  2. Strong (69–50%).
  3. Moderate (49–30%).
  4. Mild (29–11%).
  5. Very Mild (10–0%).

Very Strong refers to a concept that appears many times in the Set V2 models, while Very Mild is the other end of the scale. For example, the MFM concept Identification has a strong DoC value of 80%:

Tables 10–13 have three main parts. The left part of each table contains the concepts for one phase of MFM 1.1. The middle part contains the 10 models of Set V2 whose concepts were compared against the concepts of MFM 1.1. The right side contains the concept frequency (score) for each concept. Each row of these tables corresponds to one concept of that phase in MFM 1.1.

Table 10. Frequency result of preservation-phase concepts.

https://doi.org/10.1371/journal.pone.0176223.t010

Table 11. Frequency result of acquisition -phase concepts.

https://doi.org/10.1371/journal.pone.0176223.t011

Table 12. Frequency result of examination and analysis -phase concepts.

https://doi.org/10.1371/journal.pone.0176223.t012

In Tables 10–13, we compared each concept of the Preservation, Acquisition, Examination & Analysis and Reporting phases against the models of Set V2 to find the frequency of each concept in these models. The results show that the concepts EnvironmentalEffect, FirstResponder, InvestigationStrategy, Sketching and Shock in the Preservation-phase (Table 10) have a low score, whereas concepts such as Crime, MobileDevice, Documentation and Investigator have a high score. In Table 11, the Acquisition-phase has two concepts with a low score, ManualAcquisition and Non-VolatileEvidence. The concepts ForensicTool and Documentation are examples of high-scoring concepts in this phase.

Concepts such as Tampering, HiddenDataAnalysis, TimeframeAnalysis and PatternMatching have a low score in the Examination & Analysis-phase (Table 12), whereas concepts such as AnalysisData, ExaminationData, ForensicTool and Documentation have a higher score in this phase. In Table 13, the concepts Evidence, Result, Investigator and CourtOfLaw are examples of concepts with a high score, whereas concepts such as Archiving, Conclusion and TechnicalExpert have a low score in the Reporting-phase. A higher score means the concept is more important in the MF domain. In contrast, concepts with a low score are revisited and are liable for deletion.

The DoC classification of all MFM concepts is shown in Table 14: 12 concepts in MFM1.1 are categorized as ‘Very Strong’, 16 are ‘Strong’, 35 are ‘Moderate’, 17 are ‘Mild’ and 5 concepts are ‘Very Mild’. The five very mild concepts are EnvironmentalEffect, PatternMatching, TechnicalExpert, LegalExpert and Tampering. Including them in the MFM requires a reassessment. Tampering is deleted because the DoC value of this concept was 'zero', which means this concept is rarely recognized in the mobile forensic models. By revisiting MFM, it is found that the other four (EnvironmentalEffect, PatternMatching, TechnicalExpert and LegalExpert), are to be kept as they are common across varying MF domains.
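The frequency-based selection just described, as an added worked example that is not part of the paper or its supplementary material: a constructed concept-versus-model matrix in the shape of Tables 10–13 is scored, each concept is placed in one of the five DoC bands listed above, and the paper's review rule is applied (zero frequency is deleted, other Very Mild concepts are flagged for reassessment). It assumes DoC is the percentage of Set V2 models in which a concept appears, which is how the text describes it; the sample matrix and its presence values are constructed, not taken from the paper's tables.

```python
"""Frequency-based selection over a constructed concept-vs-model matrix.

Added illustration, not the authors' tooling.  Assumption: DoC is the share
of Set V2 models that use a concept, as a percentage (the text defines DoC as
the probability that a randomly chosen MF model uses the concept).
"""
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample in the shape of Tables 10-13: one row per MFM 1.1
# concept, one entry per Set V2 model (M1..M10); 1 = concept present.
# Presence values are made up for illustration.
MODELS = [f"M{i}" for i in range(1, 11)]
SAMPLE_MATRIX: Dict[str, List[int]] = {
    "Crime":           [1, 1, 1, 1, 1, 1, 1, 1, 1, 1],
    "Documentation":   [1, 0, 1, 1, 1, 0, 1, 1, 0, 1],
    "ForensicTool":    [1, 1, 0, 1, 0, 1, 0, 1, 0, 1],
    "Sketching":       [0, 1, 0, 0, 1, 0, 1, 0, 0, 1],
    "FirstResponder":  [0, 0, 1, 0, 0, 1, 0, 0, 0, 0],
    "PatternMatching": [0, 0, 0, 0, 1, 0, 0, 0, 0, 0],
    "Tampering":       [0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
}

# The five DoC bands as listed in the paper; each entry is the band's lower
# bound in percent, checked from the top down.
DOC_BANDS: List[Tuple[float, str]] = [
    (70.0, "Very Strong"),   # 100-70%
    (50.0, "Strong"),        # 69-50%
    (30.0, "Moderate"),      # 49-30%
    (11.0, "Mild"),          # 29-11%
    (0.0, "Very Mild"),      # 10-0%
]


def degree_of_confidence(presence: List[int]) -> float:
    """Frequency (number of models using the concept) over the number of
    models, as a percentage.  Any non-zero entry counts as 'present'."""
    if not presence:
        raise ValueError("no models to score against")
    frequency = sum(1 for p in presence if p)
    return 100.0 * frequency / len(presence)


def doc_band(doc: float) -> str:
    """Map a DoC percentage to its band.  A non-integer value such as 69.5
    falls into the band whose lower bound it clears (here: Strong)."""
    if not 0.0 <= doc <= 100.0:
        raise ValueError(f"DoC out of range: {doc}")
    for lower, name in DOC_BANDS:
        if doc >= lower:
            return name
    return "Very Mild"


def review_decision(doc: float) -> str:
    """Decision rule from the text: a DoC of zero means the concept is rarely
    recognized in MF models and is deleted; any other Very Mild concept is
    revisited before a keep/drop decision; everything else is kept."""
    if doc == 0.0:
        return "delete"
    if doc_band(doc) == "Very Mild":
        return "reassess"
    return "keep"


def score_concepts(matrix: Dict[str, List[int]]) -> List[dict]:
    """Build the right-hand 'score' column of Tables 10-13 plus the DoC band
    and review decision for every concept in the matrix."""
    rows = []
    for concept, presence in matrix.items():
        if len(presence) != len(MODELS):
            raise ValueError(f"{concept}: expected {len(MODELS)} model columns")
        doc = degree_of_confidence(presence)
        rows.append({
            "concept": concept,
            "frequency": sum(1 for p in presence if p),
            "doc": doc,
            "band": doc_band(doc),
            "decision": review_decision(doc),
        })
    return rows


def band_counts(rows: List[dict]) -> Dict[str, int]:
    """Summary in the style of Table 14: how many concepts fall in each band."""
    return dict(Counter(row["band"] for row in rows))


if __name__ == "__main__":
    scored = score_concepts(SAMPLE_MATRIX)
    print(f"{'concept':<16}{'freq':>5}{'DoC':>7}  {'band':<12}decision")
    for row in scored:
        print(f"{row['concept']:<16}{row['frequency']:>5}{row['doc']:>6.0f}%  "
              f"{row['band']:<12}{row['decision']}")
    print(band_counts(scored))
```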

Table 14. Degree of confidence of concepts for MFM after frequency-based selection.

https://doi.org/10.1371/journal.pone.0176223.t014

As a result of frequency-based selection, the classes for the Preservation and Examination & Analysis phases have been changed, whereas the classes for the Acquisition and Reporting phases remain unchanged. Figs 12–15 show the final version of our MFM, named MFM 1.2.

Fig 13. A validated version of acquisition -phase class of concepts.

https://doi.org/10.1371/journal.pone.0176223.g013

Fig 14. A validated version of the examination & analysis-phase class of concepts.

https://doi.org/10.1371/journal.pone.0176223.g014

Fig 15. A validated version of the reporting-phase class of concepts.

https://doi.org/10.1371/journal.pone.0176223.g015

Many people who are directly (e.g., forensic investigators, cybersecurity agencies, police officers) or indirectly (e.g., law enforcement agencies, IT companies) involved in mobile forensic operations generally do not have a complete view of how the different mobile forensic activities can be conducted. Through its four sets of classes (preservation, acquisition, examination & analysis and reporting), the MFM can provide a picture of how all mobile forensic actions should be performed. Additionally, the developed metamodel facilitates the sharing of MF knowledge. It presents a new metamodeling-based approach to guide mobile forensics practitioners on how to conduct the mobile forensics investigation process properly, and is a specific artifact that describes a mobile forensics language. Because the MFM offers a modelling guideline to many domain users, those users can quickly find decision solutions from semantic models. Moreover, the resultant metamodel provides investigators with logical and sensible investigation concepts that may be needed during the investigation process. Most of the concepts and terminologies of the mobile forensics domain were used in the MFM.

4. Conclusion

The issues and challenges of mobile forensics investigation have been presented and discussed in this paper. Based on our observation, the lack of knowledge management in mobile forensics has led to certain problems in this domain: i) the difficulty of investigation for new investigators, ii) ambiguity in mobile forensics concepts and terminologies and iii) the difficulty of understanding the various processes involved in this domain. To overcome these issues, the metamodeling approach was selected and discussed briefly in this paper. We used 21 models (Set1) for the initial development of the MFM. In the second iteration, 10 models (Set V1) were used for validation (using the technique of comparison against other models) to identify any missing concepts in the initial version of the metamodel and to ensure its broad coverage. In the third iteration, we used another 10 models (Set V2) for a second validation (using frequency-based selection) to evaluate the importance of individual concepts. These two validations improved the expressiveness and the completeness of the concepts in the MFM. Our MFM contributes to the increase of knowledge for both internal and external stakeholders in the digital forensics domain. Through the MFM, the artifact is expected to help increase the efficiency of mobile forensic investigation in various forensic agencies. The MFM presents all the required concepts that could assist designers in modelling all respective aspects when designing a mobile forensic enabled system and service.

Our future work based on results gathered from this paper is to continue to develop a repository based on the MFM to store MF knowledge and to allow a responsive and flexible MF approach.

Supporting information

S3 Table. Validation summary against model set V1.

https://doi.org/10.1371/journal.pone.0176223.s003

(DOCX)

S4 Table. Validation summary against model Set V2.

https://doi.org/10.1371/journal.pone.0176223.s004

(DOCX)

Acknowledgments

The authors would like to thank CyberSecurity Malaysia, Associate Professor Jim Jones, Ms. Eman Badri and Mr. Greg Smith Trewmte for their evaluation of this work. We would also like to thank Dr. Mohammed M. Al-Dabbagh for technical assistance.

Author Contributions

  1. Conceptualization: AA SAR SHO.
  2. Data curation: AA.
  3. Formal analysis: AA.
  4. Investigation: AA SAR SHO AM.
  5. Methodology: AA SAR SHO.
  6. Resources: AA.
  7. Supervision: SAR SHO.
  8. Validation: AA.
  9. Visualization: AA SAR SHO AM.
  10. Writing – original draft: AA.
  11. Writing – review & editing: AA SAR SHO FS.
