Mobile Network Forensics - Advances in Digital Crime, Forensics, and Cyber Terrorism
Latest Publications



Published By IGI Global

9781522558552, 9781522558569

The sensitive nature of mobile network forensics requires careful organization of the investigative processes and procedures to ensure legal compliance and adequate privacy protection. Investigations in mobile networking environments can be conducted for two main purposes: (1) to reconstruct criminal activities facilitated by the use of a mobile service and (2) to attribute malicious attacks targeting the normal operation of the mobile infrastructure. In both cases, investigators need to know the concepts introduced in the previous chapters to operationalize any mobile-network-related investigation. This chapter elaborates the legal framework, the general investigative principles, and the evidence types characteristic of investigations in mobile network infrastructures.


A structured investigative approach is essential for the effective production of credible and admissible mobile network evidence. Chapter 2 discussed the ISO/IEC SC27 digital forensic standardization as an effort that helps in developing a robust investigative process, procedures, and methodologies. This chapter applies the ISO/IEC SC27 family of standards to mobile network forensics investigations. Each of the standards is contextualized with the forensic aspects discussed in Chapter 6 together with examples of investigation scenarios, tools, and methods for forensic processing of the mobile network data. These contexts are of practical significance for investigators, elaborating on the approaches for investigative readiness, the techniques and tools for evidence processing from identification to interpretation, and the best practices in handling mobile network evidence data throughout an investigation.


In the last few decades, networks have grown to accommodate evolved technologies on every Open Systems Interconnection (OSI) level. On the physical and data link layers, numerous wireless innovations introduced the mobile networks and the interconnection of smart objects. The innovations in network abstraction introduced the cloud- and software-defined networking environments. The high rate and diversity of networking innovations require adaptations in the forensics approach, so the practice remains capable of uncovering evidence. This chapter explores the operational aspect of both the traditional and the evolved network forensics.


Network forensics investigations aim to uncover evidence about criminal or unauthorized activities facilitated by, or targeted at, a given networking technology. For every forensics scientist or practitioner, understanding the fundamental investigative principles is as important as understanding each of the modern networking technologies. This chapter provides an overview of the network forensic fundamentals from a contemporary perspective, accenting the formalization of network investigation, various investigative techniques, and how network forensics supports the legal system.


Critical for identification of the potential sources of evidence in every network forensics investigation is the definition of the system architecture. The mobile network architecture has two main definitions, one concerning the network deployments before the 3GPP consolidated the mobile standardization, and one for the 3GPP networks onwards. Forensic investigators need to know both of them; the real-world network deployments include elements from different generations, so the uncovering of mobile network evidence requires knowledge of how every generation operates in practice. This chapter provides a detailed overview of the pre-3GPP network architecture, defining the critical elements for recognizing, acquiring, analyzing, and interpreting potential mobile network evidence.


Mobile networks are evolving towards the fifth generation, with radical changes in the delivery of user services. To take advantage of the new investigative opportunities, mobile network forensics needs to address several technical, legal, and implementation challenges. Future mobile forensics needs to adapt to the novelties in the network architecture, establish capabilities for investigation of transnational crimes, and combat clever anti-forensics methods. At the same time, legislation needs to create an investigative environment where strong privacy safeguards exist for all subjects of investigation. These are rather complex challenges, which, if addressed adequately, will ensure investigative continuity and keep the reputation of mobile network forensics as a highly effective discipline. In this context, this chapter elaborates the next generation of mobile network forensics.


Mobile communication systems were initially designed to carry voice traffic with limited support for packet and messaging services. The constant increase in demand for packet traffic evolved the mobile networks to ultimately become data pipes with support for mobility. While the mobile applications changed dramatically over time, the fundamental principles for mobile service delivery remain the same to a large extent in every network generation. These principles are important to form the investigative context and identify the sources of network evidence with the highest probative value. This chapter details the mobile service delivery fundamentals together with the key features implemented in each mobile network generation. In practice, the sources of mobile network evidence belong to network segments from different generations; therefore, the fundamentals are necessary to establish an effective forensics plan and maximize the investigative outcome.


The mobile service was globally popularized with the ease of internet access enabled with the 3rd generation of networks and the broadband wireless speeds enabled with the 4th generation, known as Long-Term Evolution (LTE). LTE became the most popular architecture with around 600 commercially launched networks worldwide. This prompted further advancements toward speeds of hundreds of gigabits per second and connecting tens of billions of devices worldwide. LTE-Advanced and LTE-Advanced Pro were introduced as intermediary network enhancements towards the future 5th network generation. For the first time, the 3rd Generation Partnership Project (3GPP) architectures included built-in features for conducting mobile network forensics so investigators can structure and coordinate the investigation with maximum safeguards for the quality of the evidence, users' privacy, and network performance. To fully capitalize on the forensics features, this chapter details all the infrastructural, security, and forensics-related aspects of the modern 3GPP networks.

