A quantitative approach to Triaging in Mobile Forensics

Cited by: 27
Authors
Marturana, Fabio [1]
Me, Gianluigi [1]
Berte, Rosamaria [1]
Tacconi, Simone [2]
Affiliations
[1] Univ Roma Tor Vergata, Dept Comp Sci Syst & Prod, Rome, Italy
[2] Polizia Stato & Comunicaz, Rome, Italy
Source
TRUSTCOM 2011: 2011 INTERNATIONAL JOINT CONFERENCE OF IEEE TRUSTCOM-11/IEEE ICESS-11/FCST-11 | 2011
Keywords
Triaging; Mobile Forensics; Data Mining; Knowledge Analysis; Machine Learning;
DOI
10.1109/TrustCom.2011.75
Chinese Library Classification number
TP3 [Computing technology, computer technology];
Discipline classification code
0812;
Abstract
Forensic study of mobile devices is a relatively new field, dating from the early 2000s. The proliferation of phones (particularly smartphones) on the consumer market has caused a growing demand for forensic examination of the devices, which could not be met by existing Computer Forensics techniques. As a matter of fact, law enforcement is much more likely to encounter a suspect with a mobile device in his possession than a PC or laptop, and so the demand for analysis of mobiles has increased exponentially in the last decade. Early investigations, moreover, consisted of live analysis of mobile devices by examining phone contents directly via the screen and photographing it, with the risk of modifying the device content, as well as leaving many parts of the proprietary operating system inaccessible. The recent development of Mobile Forensics, a branch of Digital Forensics, is the answer to the demand for forensically sound examination procedures for gathering, retrieving, identifying, storing and documenting evidence from any digital device that has both internal memory and communication ability [1]. Over time, commercial tools appeared which allowed analysts to recover phone content with minimal interference and examine it separately. By means of such toolkits, moreover, it is now possible to think of a new approach to Mobile Forensics which also takes advantage of "Data Mining" and "Machine Learning" theory. This paper is the result of a study concerning cell phone classification in a real case of pedophilia. Based on the Mobile Forensics "Triaging" concept and the adoption of self-knowledge algorithms for classifying mobile devices, we focused our attention on a viable way to predict phone usage classifications.
Based on a set of real sized phones, the research has been extensively discussed with Italian law enforcement cybercrime specialists in order to find a viable methodology to determine the likelihood that a mobile phone has been used to commit the specific crime of pedophilia, which could be very relevant during a forensic investigation.
Pages: 582 / 588
Number of pages: 7
Related papers
14 items in total
[1] [Anonymous], 2000, The American Heritage Dictionary of the English Language
[2] [Anonymous], 2011, CYBERCRIME ITALIA QU
[3] [Anonymous], DATA MINING PRACTICA
[4] [Anonymous], 2011, GARTNER SAYS SALES M
[5] Bouckaert R.R., 2008, Bayesian Network Classifiers in Weka for Version 3-5-8
[6] Cios K.J., 2007, DATA MINING KNOWLEDG, VXV
[7] Frank E., 2003, Proceedings of the Conference on Uncertainty in Artificial Intelligence, P249
[8] Jansen Wayne., 2007, GUIDELINES CELL PHON
[9] Marturana F., ITAIS 2011 8 C IT AI
[10] Mislan, Richard P.; Casey, Eoghan; Kessler, Gary C. The growing need for on-scene triage of mobile devices [J]. DIGITAL INVESTIGATION, 2010, 6 (3-4): 112-124