DocumentCode :
665626
Title :
To change or not to change: That is the question
Author :
Dancer, F. Chevonne Thomas ; Skelton, Gordon W.
Author_Institution :
Dept. of Comput. Sci., Jackson State Univ., Jackson, MS, USA
fYear :
2013
fDate :
12-14 Nov. 2013
Firstpage :
212
Lastpage :
216
Abstract :
Digital forensics has become a prevalent force in the field of computer security, aiding in determining events that may or may not have taken place. Academia has taught computer forensics students that one of the most important elements of the digital forensic process is having a working copy of the original device. Though this concept works well with computers and laptops, it does not with smartphones. At this point, a bit-for-bit image of a smartphone cannot be made. Furthermore, any action taken on a smartphone is logged, and therefore attempting to create a copy would in essence change the state of the device, making the use of hashes null and void. In an effort to realize interesting and unique forensic patterns in the operations of smartphones, two experiments were designed using XRY, DiffMerge, and four smartphone devices: RIM Blackberry 8703e, Blackberry 7103, Blackberry 8530, and Symbian HTC TouchPro 6850. These experiments allowed the researchers to compare and contrast the four smartphones not only by the specific device but by carrier, manufacturer, file size by category, file size by test, and folder size in terms of how the kernel deals with file stores, edits, and deletes after specific user operations. The outcome of the experiments resulted in a process that helps the forensic examiner to manually inspect a device while being aware of the path of contamination introduced to the device through user functions. The goal of this research is to create an open debate in the forensic community about the consideration of different standards when examining smartphones, one of which would be the acceptance of change.
Keywords :
digital forensics; file organisation; smart phones; Blackberry 7103; Blackberry 8530; DiffMerge; RIM Blackberry 8703e; Symbian HTC; TouchPro 6850; XRY file; bit-for-bit image; computer forensics students; computer security; contamination; digital forensic process; file size by category; file size by test; folder size; forensic community; forensic patterns; smartphone devices; Browsers; Computers; Digital forensics; Performance evaluation; Smart phones; Small Scale Digital Forensics; digital forensics; mobile device; process modelling;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Technologies for Homeland Security (HST), 2013 IEEE International Conference on
Conference_Location :
Waltham, MA
Print_ISBN :
978-1-4799-3963-3
Type :
conf
DOI :
10.1109/THS.2013.6699002
Filename :
6699002