East African Journal of Information Technology, Volume 5, Issue 1, 2022
eajit.eanso.org | East African Nature & Science Organization
Print ISSN: 2707-5346 | Online ISSN: 2707-5354
Title DOI: https://doi.org/10.37284/2707-5354
Article DOI: https://doi.org/10.37284/eajit.5.1.830
This work is licensed under a Creative Commons Attribution 4.0 International License.

Original Article

Multi-platform Process Flow Models and Algorithms for Extraction and Documentation of Digital Forensic Evidence from Mobile Devices

Gilbert Gilibrays Ocen1*, Ocident Bongomin2, Gilbert Barasa Mugeni3, Stephen Makau Mutua4 & Twaibu Semwogerere1

1 Busitema University, P. O. Box 236, Tororo, Uganda.
2 Moi University, P. O. Box 3900 – 30100, Kesses, Eldoret, Kenya.
3 Communication Authority of Kenya, P. O. Box, 14448 – 00800, Nairobi, Kenya.
4 Meru University of Science and Technology, P. O. Box 972 – 60200, Meru, Kenya.
* Correspondence ORCID ID: https://orcid.org/0000-0002-2204-291X; email: [email protected].

Date Published: 07 September 2022

Keywords: Model Development, Extraction, Multiplatform Model, Model Validation, Algorithms, Operating Systems

ABSTRACT

The increasing need for the examination of evidence from mobile and portable gadgets increases the essential need to establish dependable measures for the investigation of these gadgets. Many differences exist in the requirements for the examination of each gadget. To help detectives and examiners guarantee that any kind of evidence extracted or collected from any mobile device is well documented, a reliable and well-documented investigation process must be implemented if the results of the examination are to be repeatable and defensible in courts of law. In this paper, we developed a generic process flow model for the extraction of digital evidence in mobile devices running on Android, Windows, iOS, and Blackberry operating systems. The research adopted a survey approach and extensive literature review as a means to collect data. The models developed were validated through expert opinion. Results of this work can guide solution developers in ensuring the standardization of evidence extraction tools for mobile devices.

APA CITATION
Ocen, G. G., Bongomin, O. Mugeni, G. B. Mutua, S. M. & Semwogerere, T. (2022). Multi-platform Process Flow Models and Algorithms for Extraction and Documentation of Digital Forensic Evidence from Mobile Devices. East African Journal of Information Technology, 5(1), 84-105. https://doi.org/10.37284/eajit.5.1.830

CHICAGO CITATION
Ocen, Gilbert Gilibrays., Ocident Bongomin, Gilbert Barasa Mugeni, Stephen Makau Mutua and Twaibu Semwogerere. 2022. “Multi-platform Process Flow Models and Algorithms for Extraction and Documentation of Digital Forensic Evidence from Mobile Devices”. East African Journal of Information Technology 5 (1), 84-105. https://doi.org/10.37284/eajit.5.1.830.

HARVARD CITATION
Ocen, G. G., Bongomin, O. Mugeni, G. B. Mutua, S. M. & Semwogerere, T. (2022) “Multi-platform Process Flow Models and Algorithms for Extraction and Documentation of Digital Forensic Evidence from Mobile Devices”, East African Journal of Information Technology, 5(1), pp. 84-105. doi: 10.37284/eajit.5.1.830.

IEEE CITATION
G. G. Ocen., O. Bongomin G. B. Mugeni S. M. Mutua & T. Semwogerere “Multi-platform Process Flow Models and Algorithms for Extraction and Documentation of Digital Forensic Evidence from Mobile Devices”, EAJIT, vol. 5, no. 1, pp. 84-105, Sep. 2022.

MLA CITATION
Ocen, Gilbert Gilibrays., Ocident Bongomin, Gilbert Barasa Mugeni, Stephen Makau Mutua & Twaibu Semwogerere “Multi-platform Process Flow Models and Algorithms for Extraction and Documentation of Digital Forensic Evidence from Mobile Devices”. East African Journal of Education Studies, Vol. 5, no. 1, Sep. 2022, pp. 84-105, doi:10.37284/eajit.5.1.830.

INTRODUCTION

Attempts to use a range of mobile forensic tools and process models to extract information from multiple devices have yielded conflicting results [1]–[3]. Therefore, special attention should be paid to ensure that the methods are correct so that usability improvement can be achieved [4]. The overriding importance of documentation approaches is that they can allow an investigator to remember the steps taken to gather information, which in turn reduces allegations of mishandling [5].

The scientific work of most researchers confirms that forensic science suffers from a lack of documentation and transparency [6]. Therefore, standard and well-researched approaches to documentation and extraction are key. The purpose of the documentation is to facilitate the extraction process in legally acceptable ways [7], [8]. While the investigator would do well to extract the necessary information using the tools available, further details on the information could only be useful for judicial proceedings [9].

The term digital forensics refers to the process of retrieving and examining documents from digital devices, primarily involving computer crime or cybercrime [10], [11]. The role of forensic science is to use investigative methodologies, measures, and frameworks to extract, preserve, collect, analyze, and provide [12] scientific and technical scraps of evidence to criminal or civil courts and tribunals to organize a good documentation of the prosecutions. On the other hand, digital forensics is the practice of finding, securing, examining and presenting evidence in a legally acceptable manner [12]. These definitions are supported by [13] who state that digital evidence is considered investigatively relevant material and records that are stored, delivered, or transmitted via an electronic device.

The steady industrial growth and growing popularity of mobile digital devices amplify the challenges, conditions and scenarios for investigators and prosecutors around the world. The existence of different tools and systems with different process models makes it difficult even for a trained investigator to select a suitable forensic tool to seize internal files of mobile devices [14]. Many forensic models emphasize auditing of certain operating system platforms [15], ignoring a more critical aspect of consistency and documentation of the approaches and steps taken. While [16] listed many forensic techniques for preserving evidence from the point of view of efficiency in the general forensic context for extracting and documenting evidence from mobile devices, little effort has been made regarding the methodological documentation and the consistency of the process models followed when extracting this information. [17] notes that despite growing awareness and research on forensic practice, explanation and implementation are still inconsistent in the digital forensic community, a topic supported by recent research such as [9], [18], [19].

Continuously changing technological and industry developments, coupled with the myriad of complexities caused by today's demand for information from mobile devices, present forensic investigators with serious adaptive challenges to standardize and adopt acceptable models that can be used to detect this in order to counter the growing demand [20], [21].

The reliability of the evidence is directly anchored to the investigative processes adopted. Therefore, choosing to avoid a step can lead to insufficient evidence and increase the risk of denying that step in a legal proceeding [22]. Currently, no standard or universally accepted process model has been developed that can be used to obtain evidence from mobile devices, and the vibrant expansion of smart devices suggests that every forensic investigator will need to use all independent models needed to gather information and keep [23].

Existing models cannot meet the growing demands for digital evidence resulting from the growing use of mobile devices and the complexity that persistent criminals bring to the use of these devices. Therefore, some of these models focus on a specific step of the mining process or depend on the operating system platform [24]. Based on existing research in digital forensics, process models can be used to collect evidence on mobile devices. In general, the literature specifies the requirements that guide and measure the process of extracting digital evidence in mobile devices and their performance. These include reliability and validity, guidelines, extraction methods, nature of data, type of data, technical documentation, and forensic extraction tools.

METHODOLOGY

The present study was performed in four steps depicted in Figure 1. In the first phase, the literature on specific email security techniques was reviewed, in phase two, the algorithm was developed and in phase three, the algorithm was evaluated using questionnaires selected from the participants and a SWOT analysis was carried out in the last phase.

Figure 1: Methodology Approach.

| Phase | Method/Activity |
|---|---|
| 1. Field survey | Study area, design, and period; Target population and sample size; Data collection; Data quality assurance; Ethical consideration; Statistical analysis |
| 2. Development of Multi-platform model | Process flow model for IOS, Windows; Extraction algorithms |
| 3. Validation of the Model | Applicability of the model; Comparison with the existing model |

Field Survey

Study Area, Design and Period

The research was conducted in Kampala, Uganda, as this is where the researcher found most of the respondents with knowledge of the subject. From this position, the investigator was able to identify law enforcement such as police, bailiffs, computer forensics experts and professionals, evidence mining and computer forensics investigators, mobile telecommunications, and banking sectors that have various forms of crime/fraud departments for investigating crimes related to the use of technology. The cross-sectional study design was used in this study over a one-year period from 2018 to 2019.

Population and Sample Size

The study population was comprised of law enforcement respondents, specifically Uganda Police (Crime Intelligence and Investigation Department (CIID), the prosecution service), court officials (lawyers, registrars, judges and magistrates), policy makers, regulators such as the Uganda Communications Commissions (UCC) and the National Information Technology Authority Uganda (NITA-U), and a business community made up of telecommunications operators such as Mobile Telecommunication Network (MTN-Uganda) and Airtel Uganda, as these are the largest telecommunications service providers offering financial services, and banks such as Stanbic Bank, Centenary Bank, Barclay's Bank Uganda and Standard Chartered Bank, as these are the largest providers of online transaction systems using some of the mobile digital devices in their operations. In addition to the snowball sampling tool, targeted/forensic sampling was used to complement targeted sampling, especially when examining different operating system platforms, inconsistencies, and the technical documentation of mining process models, while simple random and stratified sampling were used for probability sampling because the researcher collected data from different sectors and classified them into different strata, to which simple random sampling was applied. The sample population was determined using the sample table of Krejcie and Morgan [26] derived from the formula. Krejcie and Morgan's sample size calculation presented in Table 1 was based on p = 0.05, where the probability of making a Type I error is less than 5% or p < 0.05 [26].

Table 1: Sample size determination using Krejcie and Morgan sampling technique

| Sector | Population size | Sample size |
|---|---|---|
| Law Enforcement Agencies | 10 | 7 |
| Regulatory Authorities | 20 | 11 |
| ICT experts | 100 | 63 |
| ICT Researchers | 20 | 11 |
| Policymakers | 30 | 16 |
| Business communities | 70 | 31 |
| Total | 200 | 130 |

It is clear that the population size of 10 was considered for law enforcement agencies, and the sample size of 7 was used. A large number of the respondents came from ICT experts, with the sample population of 100 and the sample size of 63. This was followed by the business community (people in the banking industry, telecommunication agencies) with the population size of 70, and the sample size of 31.

Data Collection

Questionnaires and interviews were used in this study. The questionnaires covered a wide range of segments of the selected population, provided a consistent form of response, reduced bias, did not make people anxious, and were completed at the discretion of the respondent [27]. Questionnaires were designed for different categories of respondents such as policymakers, law enforcement, researchers, ICT experts, regulators and the business community to obtain different types of data from these categories of respondents. Questionnaires were developed based on understanding gained from the literature reviewed in areas such as mobile devices, operating systems, platforms, technical documentation, inconsistency and complexity of process models as independent variables, and a cross-platform digital extraction process model for mobile device forensic evidence. The questionnaires were designed using the standard five-point Likert scale ranging from strongly agree to strongly disagree. The interviews were used to complement the questionnaires and were tightly structured, conducted primarily for information and communication technology (ICT) experts within law enforcement, policy makers, regulators and industry, as well as for those in the data recovery and forensic departments of agencies such as telecommunications networks, the banking sector and researchers in the field of digital banknote forensics.

Data Quality Assurance

The term "reliability" is used to describe the "repeatability" or "consistency" of the measure [28]. The internal consistency reliability methodology was used in this study. According to Chen [29], the internal consistency method uses a single measure administered once to a group of people to estimate reliability. The reliability of the tool is assessed by estimating how well elements with the same construct produce comparable results. Cronbach's alpha (α) coefficient was chosen as the best approximation to estimate the reliability of the constructs by examining the internal consistency of the measure. As indicated by Spencer [30], there are four types of reliability coefficients α: excellent reliability (α ≥ 0.90), high reliability (0.70 < α < 0.90), moderate reliability (0.50 < α < 0.70) and low reliability (α ≤ 0.50). All constructs used in this study passed the reliability test as shown in Table 2.

Table 2: Reliability Test of constructs using Cronbach’s coefficient (alpha)

| Construct | No. of Items | Cronbach’s Alpha |
|---|---|---|
| Policy Factors (PF) | 7 | 0.591 |
| Operating system platform (MDF) | 4 | 0.741 |
| Device factors (DF) | 4 | 0.640 |
| Extraction Method factors (EM) | 15 | 0.781 |
| Data type factors (DT) | 11 | 0.807 |
| Nature of data factors (ND) | 5 | 0.778 |
| Forensics Extraction tools (FET) | 9 | 0.850 |
| Forensics Documentation process (FDP) | 10 | 0.640 |

In this study, the highest Cronbach's alpha (α) of 0.850 was achieved by the FET constructs, while the lowest was achieved by the PF constructs (α = 0.591). As reported by Perry et al [28], these figures indicate that out of 8 constructs, 5 had high fidelity, while 3 had moderate fidelity, implying that the constructs were internally consistent. Therefore, all elements of each construct were measured equally. Although the validity of the instruments was determined using the Content Validity Index (CVI), it was performed on the constructs to ensure that the elements of the scale were meaningful to the sample and to record the measured problems. The measurement tools were then tested to ensure their quality and validity; this happened after conducting a pilot study with 30 questionnaires. The content validity indices of the three experts are 0.982, 0.964 and 0.967. Therefore, it was observed that the content validity coefficients were >0.6 and therefore the scales used to measure the study variables were consistent. Moreover, it is valid because a Cronbach's alpha greater than 0.5 is considered moderate validity and greater than 0.90 excellent validity. In this study, all variables were greater than 0.50, indicating good to excellent validity, meaning that all constructs and sub-indices in this study passed the validity tests.

Ethical Consideration

Ethical approval for the survey was obtained from the Institutional Research Ethics Board of Busitema University and informed consent from respondents prior to their voluntary enrolment in the study. Ethical aspects such as data protection and respondent confidentiality were ensured [31]. Additionally, the letter was acquired by the university, which served as an introductory document for various organizations and individuals involved in this research. It has also been guaranteed that the developed mining model does not perform any unintended/unknown activity on users' devices.

Statistical Analysis

The analysis was performed using Statistical Package Software for Social Scientist (SPSS) version 20.0 (SPSS, Chicago, Illinois) and descriptive statistics were used to extract results from the analysis of all study variables. Descriptive statistics were performed for all the constructs to determine their significance using the mean responses. This was then used to obtain the ranking as per the number of responses from the participants who were contributors to inconsistencies in mobile device evidence extraction process models. Regression analysis was done with consistency metric (CM) as the dependent variable and constructs including EM, FET, PF, DF, ND, and DTF as independent variables.

Model Development

Multi-Platform Flow Model

The model design and validation involved the use of the business process, model development, analytical hierarchy approach (AHA), and experimental and experts’ opinion to validate the developed model. An experimental setup was conducted to test the process model developed to check for consistency in the extraction process models. The process flow for the multi-platform model is depicted in Figure 2. The individual flow models for the iOS and Windows mobile devices are presented in Figure 3 and Figure 4, respectively.

Figure 2: Process flow for the multi-platform model.
Figure 3: Process flow model for the case of IOS

Figure 4: Process flow of multi-platform model for the case of Window OS

Description of Extraction Algorithms

First and foremost, the gadget is seized for evidence extraction. A check is made to determine what type of operating system it is running. In case of Android OS, the Android extraction process is performed under the Extract From Android (SiezedDevice). It starts with checking the status of the gadget like power, Wi-Fi connection and cellular network. This action is performed on all gadgets to ensure that each gadget has power and does not have network connection issues. After this check, Universal Serial Bus debugging is enabled through developer options, screen timeout is prolonged, and root access is achieved. Then, different directories/locations are browsed to obtain the SQLite database that can be opened to collect evidence that is documented using Documents (directory dictionary). The procedure is followed in similar steps, while the documentation is guaranteed to allow for consistency.

In the case of an iOS, as depicted in Figure 5, Extract From iOS (SiezedDevice) is trailed with the same action of having the gadget status checked; however, the difference with this extraction happens when connecting to a personal computer where a trusted code is required between the device and computer for the cases of iOS11 and above. Documentation occurs through (directory, dictionary). During extraction from Windows devices, as shown in Figure 6, Extract From Windows (SiezedDevice) is activated, which necessitates installing windows phone SDK and Zune software, the windows phone device manager. The gadget status checking is done. Once the gadget is connected to the workstation, the automatic installation of Touch Xperience on the phone follows. This allows various directories to be browsed and several files accessed, and the documentation is followed by Documents (directory dictionary).

Finally, for BlackBerry-based gadgets, there are relatively small variations from other devices; Extract from BlackBerry (SiezeDevice) is done, and information/data is acquired from backup files as opposed to the device itself because of its security complexity. BlackBerry Desktop Software is installed and opened, which detects a blackberry device and creates backup files. The files are browsed for evidence which is documented in Documents (directory dictionary).

Figure 5: Extraction algorithm for IOS

Figure 6: Extraction algorithm for Window OS.

Validation of the Model

The developed model was validated using two approaches, namely, experts’ opinions and literature comparison. In the first approach, expert opinion was based on the model applicability and functionality. The experts used were purposely selected from information technology, information security and computer forensic and network security fields, law enforcement agencies, solution developers as well as researchers in the field of computer and digital forensics. The second approach was through comparison with the previous models in the literature.

Applicability and Functionality of the Model

Descriptive statistics were used to assess the applicability of the model in measuring the state of process models (digital forensic evidence extraction) for mobile devices, based on the feedback from the experts in the fields of digital forensic evidence extraction. The model validation based on applicability using descriptive statistics is depicted in Table 3.

Table 3: Model validation based on the applicability

| Variables | SD/D/NS f | SD/D/NS % | A/SA f | A/SA % |
|---|---|---|---|---|
| 1. Do you understand this model with ease? | 3 | 20.0 | 12 | 80.0 |
| 2. Can you use/apply this model with ease? | 3 | 20.0 | 12 | 80.0 |
| 3. Do you consider the factors leading to the measuring of the digital forensic evidence extraction process model logically arranged? | 0 | 0.0 | 15 | 100.0 |
| 4. Is the explanation of the various modules within this model clear? | 4 | 26.7 | 11 | 73.3 |
| 5. Is there independence among these modules? | 2 | 13.7 | 13 | 86.3 |
| 6. Does the model guide the measuring of digital forensic evidence extraction process models for mobile devices? | 0 | 0.0 | 15 | 100.0 |
| Average | 0.8 | 13.4 | 13 | 86.6 |

SD = Strongly Disagree, D = Disagree, NS = Not Sure, A = Agree and SA = Strongly Agree

The analysis of all elements within the applicability of the developed model shows that 86.6% of the participants confirmed the applicability of the developed digital forensic evidence extraction model in driving the digital forensic evidence extraction process for mobile devices. On the other hand, only 13.4% of the participants disagreed on the applicability of this model in digital forensic evidence extraction process models for mobile devices. The results amply demonstrate the applicability of the model in the process of extracting digital forensic evidence for mobile devices, with 86.6% embracing it. On the other hand, the functionality of the developed Digital Forensic Evidence Extraction Process Model was validated as depicted in Table 4. It was observed that 6.4% of the respondents had a positive view about the model’s ease of use. In the same way 8.5% of the participants confirmed independence among the several modules within the model and that the model is applicable in the digital forensic evidence extraction process for mobile devices, and that it uses a simple language.

Table 4: Model validation based on the functionality

| Variables | f | % |
|---|---|---|
| 1. Can you use this model with ease? | 3 | 6.4 |
| 2. Is there interactivity of the various modules within this model? | 13 | 27.7 |
| 3. Is there independence among these modules? | 4 | 8.5 |
| 4. Is the model above applicable in a developing country? | 4 | 8.5 |
| 5. Is the model easy to understand? | 5 | 10.6 |
| 6. Does it use simple language? | 6 | 12.8 |
| 7. Does the model guide measurement of digital forensic evidence extraction process models for mobile devices? | 13 | 27.7 |

Comparison Analysis

A comparative analysis was performed between the developed metric and model and the existing models and metrics discussed in the literature. It was found that the current model exceeds the models discussed in the literature. Therefore, the proposed model is suitable for extracting digital forensic evidence in mobile devices managed by the four operating system platforms (Android, Windows, Apple iOS and Blackberry), as shown in Table 5.
Table 5: The differences between the existing models with the proposed model Process/Phases in the NIST HDFI DEFSOP SDFIM MFP SFIM DFRWS Proposed model Guidelines model Device status check ✓ ✓ ✓ ✓ ✓ Preparation ✓ ✓ ✓ ✓ ✓ Identify evidence ✓ ✓ ✓ ✓ ✓ ✓ Recover data Forensic analysis ✓ ✓ ✓ ✓ ✓ ✓ Verification Documentation ✓ ✓ ✓ NIST-National Institute of Science and Technology, investigation model, DFRWS- Digital Forensics HDFI-Harmonized Digital Forensic investigation, Research Workshop DEFSOP- Digital Evidence Forensic Standard Operating Procedure, SDFIM- Systematic Digital Based on the steps included in the reviewed process Forensic Investigation Model, MEP- Modelling the models, it can be concluded that the proposed model Forensic Process, SFIM- Smartphone Forensic is the most appropriate as it summarizes most of the phases and steps proposed in the previous models and shows the complexity of the reviewed models. 95 | This work is licensed under a Creative Commons Attribution 4.0 International License. East African Journal of Information Technology, Volume 5, Issue 1, 2022 Article DOI: https://doi.org/10.37284/eajit.5.1.830 For example, examination of the NIST guidelines the experimenter applies a logical, manual, physical shows that there are very few steps which are not or brute force approach when examining a device suitable enough to perform in-depth digital evidence mobile, play an important role in ensuring extraction. The Harmonized Digital Forensic consistency. Likewise, the forensic documentation investigation model presents the preparation, process has emerged as an important contribution to identification, and documentation stages which this ensuring the consistency of the processes followed proposed model also addresses; however, critical during the extraction of evidence, requiring the consideration of device status checks is ignored in documentation of certain stages or stages of the this model. 
Forensic analysis, recovery of data, and extraction process if the results are repeatable and verification which are key concerns in digital defensible in court. This therefore justifies the evidence extraction have also not been addressed. choice of the constructs used in this study with the support of the literature and therefore the results of Although the Digital Evidence Forensic Standard this study generate several questions that may be of Operating Procedure, The Systematic Digital interest to ICT professionals, researchers, law Forensic Investigation Model, and modelling the enforcement agencies, regulators. and industry to Forensic Process all present several phases or steps have a clear understanding of the factors causing to be followed, it can be noted that there are several inconsistencies in extracting digital forensic repetitions in these stages and all of them evidence on mobile devices [19], [32]-[34]. Once concentrate more on the investigation itself other these factors are clearly understood, taking these than extraction which the proposed model addresses factors into consideration when developing right from device seizure to evidence extraction. solutions for solution developers and paying attention to them during an investigation by forensic The Smartphone Forensic investigation model is investigators or investigators would speed up the close to the proposed model, except that it focuses process of collecting, storing and submitting more on the investigation than on extracting evidence to the courts. for law enforcement legal evidence which misses the phases of checking the assistance. status of the device and data retrieval, as highlighted by the proposed model as one of the main crucial whether the examiner applied a logical, manual, issues in digital evidence extraction in mobile physical, or brute force approach during the process devices. of examining a mobile device, will play a significant role in ensuring the issues of consistency. 
Similarly, RESULTS AND DISCUSSION the forensic documentation process came out as a key contributor to ensuring consistency in the Reliability Testing processes followed during evidence extraction, whereby certain stages or phases in the extraction The Cronbach α value of the various constructs process ought to be documented if the results are to between 0.591 and 0.850 demonstrated the ability to be repeatable and defensible in courts of law. This, measure the internal consistency of the constructs therefore, justifies the choice of the constructs used used in this study ensuring that none of the in this study having support from the literature and constructs fell below the medium-high confidence therefore, the results of this study generate several test. The predictive power of the regression model issues that may be of interest to ICT practitioners, of this study, with adjusted R-squared 0.848, researchers, law enforcement authorities, indicates an appropriate level of variance explained Regulatory Authorities, and the business [28]. This implies that the independent variables and community to have a clear understanding of the constructs used in this study are significant for factors that cause inconsistencies in digital forensics understanding the causes of inconsistencies in the evidence extraction in mobile devices [19], [32]- model of the digital evidence extraction process in [34]. Once these factors are clearly understood, mobile devices with different operating systems and factoring them during solution development for platforms. For example, the study results showed solution developers and paying attention to them that the extraction methods used during the during an investigation by forensic examiners or extraction and analysis of evidence, such as whether investigators would aid the process of collecting, 96 | This work is licensed under a Creative Commons Attribution 4.0 International License. 
preserving, and presenting evidence to courts of law for law enforcement agencies.

Descriptive Statistics for the Constructs

The descriptive statistics presented in Table 6 provide a clear picture of how these constructs rank based on mean responses, with PF coming out significantly with a mean response of 4.36, followed by FDP, and FET with the lowest mean response. This means that if there is a clear policy regarding the handling, acquisition, storage, documentation and presentation of digital evidence, there should be minimal inconsistencies in the process model for extracting digital evidence from mobile devices. This is followed by the forensic documentation process, suggesting concordance with recent studies indicating a lack of clear technical documentation of existing mobile device process models and methods for extracting digital evidence [6]. Forensic extraction tools are the last of the eight constructs; this can be attributed to the fact that there are several digital evidence extraction tools and most investigators face challenges in choosing the right digital evidence extraction tool on mobile devices, depending on the mobile device platform they are on [20].

Table 6: Descriptive statistics for constructs and their rankings

| Construct | N | Mean | Std. Dev. | Rank |
|---|---|---|---|---|
| Policy Factors (PF) | 85 | 4.36 | .386 | 1 |
| Device Factors (DF) | 85 | 4.21 | .556 | 2 |
| Forensic Documentation Process (FDP) | 85 | 4.11 | .434 | 3 |
| Data Type Factors (DTF) | 85 | 4.11 | .564 | 4 |
| Extraction Method Factors (EM) | 85 | 4.01 | .456 | 5 |
| Nature of Data (ND) | 85 | 3.90 | .624 | 6 |
| Operating System Platform (MDF) | 85 | 3.80 | .855 | 7 |
| Forensic Extraction Tools (FET) | 85 | 3.08 | .946 | 8 |
| Valid N (listwise) | 85 | | | |

Policy Factor (PF)

The means and standard deviations of the aggregate measures for the seven items used to measure the PF construct are presented in Table 7. In this table, seven items are used to measure this construct, ranging from PF1 to PF7.

Table 7: Descriptive statistics for policy constructs

| Item | Mean | Std. Dev. | N |
|---|---|---|---|
| PF1 | 4.64 | .574 | 85 |
| PF2 | 4.31 | .637 | 85 |
| PF3 | 4.40 | .876 | 85 |
| PF4 | 4.32 | .582 | 85 |
| PF5 | 4.49 | .684 | 85 |
| PF6 | 4.09 | .750 | 85 |
| PF7 | 4.31 | .887 | 85 |

Strong agreement was reached for the policy factor construct, with a mean score of (Mean = 4.36, Std Dev = 4.99). The item on the definition of policy guidelines was the most agreed, PF1 (M = 4.64, SD = 0.574), followed by: personal training on current digital forensic evidence technologies for mobile devices has a positive effect on inconsistencies in digital forensic evidence extraction (PF5) (M = 4.49, Std Dev = .684); creation of a mobile digital forensic evidence processing unit within the organization reduces inconsistencies in extracting digital forensic evidence from mobile devices (PF3) (M = 4.40, Std Dev = 0.876); recruitment of skilled personnel to process digital forensic evidence for mobile devices has a positive effect on inconsistencies in evidence extraction (PF4) (M = 4.32, Std Dev = .582); and actual policy implementation leads to a coherent process of extraction of digital forensic evidence (PF2) (M = 4.31, Std Dev = .637). PF6 (M = 4.09, Std Dev = .750) is the least agreed element for this construct.

The average correlation between elements determines the reliability of the construct; therefore, the higher the average correlation between elements, the higher the construct's reliability coefficient, Cronbach's alpha (α), provided the number of elements is kept constant [28]. Table 8 shows the inter-item correlations for the items used to measure the policy factor (PF) construct.
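The relation stated above between the average inter-item correlation, the number of items and α can be checked against the page's own tables. The following added example (not code from the paper; function names are illustrative) computes the standardized α, k·r̄ / (1 + (k − 1)·r̄), from the correlation matrices in Tables 8, 10 and 14; the standardized form is an assumption made here because the raw item responses behind the paper's SPSS values are not on the page.

```python
"""Standardized Cronbach's alpha from published inter-item correlation matrices."""
from itertools import combinations

# Matrices transcribed from the page: Table 8 (PF1..PF7), Table 10 (DF1..DF4),
# Table 14 (ND1..ND5).
PF = [
    [1.000, .211, .554, .173, .161, .081, .081],
    [.211, 1.000, .141, .217, .059, .064, .170],
    [.554, .141, 1.000, .168, .203, .232, .132],
    [.173, .217, .168, 1.000, .050, .395, .179],
    [.161, .059, .203, .050, 1.000, .024, .062],
    [.081, .064, .232, .395, .024, 1.000, .243],
    [.081, .170, .132, .179, .062, .243, 1.000],
]
DF = [
    [1.000, .279, .385, .331],
    [.279, 1.000, .155, .568],
    [.385, .155, 1.000, .229],
    [.331, .568, .229, 1.000],
]
ND = [
    [1.000, .540, .549, .355, .328],
    [.540, 1.000, .395, .421, .303],
    [.549, .395, 1.000, .295, .353],
    [.355, .421, .295, 1.000, .648],
    [.328, .303, .353, .648, 1.000],
]


def check_matrix(m, tol=1e-9):
    """Return k if m is a valid k x k correlation matrix, else raise ValueError.

    Catches transcription errors: ragged rows, a non-unit diagonal,
    out-of-range values and asymmetric cells.
    """
    k = len(m)
    if k < 2:
        raise ValueError("need at least two items")
    for i, row in enumerate(m):
        if len(row) != k:
            raise ValueError(f"row {i} has {len(row)} entries, expected {k}")
        if abs(row[i] - 1.0) > tol:
            raise ValueError(f"diagonal entry {i} is not 1")
        for j, r in enumerate(row):
            if not -1.0 <= r <= 1.0:
                raise ValueError(f"entry ({i}, {j}) is outside [-1, 1]")
            if abs(r - m[j][i]) > tol:
                raise ValueError(f"matrix is asymmetric at ({i}, {j})")
    return k


def mean_inter_item_r(m, items=None):
    """Mean of the off-diagonal correlations, optionally over a subset of items."""
    k = check_matrix(m)
    idx = list(range(k)) if items is None else list(items)
    pairs = list(combinations(idx, 2))
    if not pairs:
        raise ValueError("need at least two items")
    return sum(m[i][j] for i, j in pairs) / len(pairs)


def alpha_from(k, r_bar):
    """Standardized alpha for k items with mean inter-item correlation r_bar."""
    denom = 1 + (k - 1) * r_bar
    if denom <= 0:
        raise ValueError("mean correlation too negative for this k")
    return k * r_bar / denom


def standardized_alpha(m, items=None):
    idx = list(range(len(m))) if items is None else list(items)
    return alpha_from(len(idx), mean_inter_item_r(m, idx))


def alpha_if_item_dropped(m):
    """Standardized alpha recomputed with each item left out in turn."""
    k = check_matrix(m)
    return [standardized_alpha(m, [i for i in range(k) if i != d]) for d in range(k)]


if __name__ == "__main__":
    for name, m in (("PF", PF), ("DF", DF), ("ND", ND)):
        print(f"{name}: k={len(m)} mean r={mean_inter_item_r(m):.3f} "
              f"alpha={standardized_alpha(m):.3f}")
    print("PF alpha with each item dropped:",
          [round(a, 3) for a in alpha_if_item_dropped(PF)])
```

For the seven PF items the mean inter-item correlation is about 0.17 and the standardized α about 0.59, and the drop-one check shows PF5 is the only item whose removal raises it.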
Table 8: Inter-item correlation matrix for Policy Factors (PF) constructs

| Item | PF1 | PF2 | PF3 | PF4 | PF5 | PF6 | PF7 |
|---|---|---|---|---|---|---|---|
| PF1 | 1.000 | .211 | .554 | .173 | .161 | .081 | .081 |
| PF2 | .211 | 1.000 | .141 | .217 | .059 | .064 | .170 |
| PF3 | .554 | .141 | 1.000 | .168 | .203 | .232 | .132 |
| PF4 | .173 | .217 | .168 | 1.000 | .050 | .395 | .179 |
| PF5 | .161 | .059 | .203 | .050 | 1.000 | .024 | .062 |
| PF6 | .081 | .064 | .232 | .395 | .024 | 1.000 | .243 |
| PF7 | .081 | .170 | .132 | .179 | .062 | .243 | 1.000 |

Most items had acceptable inter-item correlation (r ≥ 0.2). The least agreed elements, i.e., “the passing of laws governing mobile devices digital forensic evidence extraction has a positive effect on inconsistencies in the extraction of evidence” (PF6) and “the development of strategies and frameworks for examining the digital forensic evidence for mobile devices has a positive effect on the inconsistency of evidence extraction in mobile devices” (PF7), were also the least correlated with the rest of the elements, while “setting policies for extracting digital forensic evidence from mobile devices leads to a consistent process for retrieval of digital forensic evidence” (PF1), “creating a mobile digital forensic evidence processing unit within the organization reduces inconsistencies in mobile devices digital forensic evidence extraction” (PF3) and “recruitment of qualified personnel to manage mobile devices digital forensic evidence has a positive effect on inconsistencies in the extraction of evidence” (PF4) were positively correlated with the rest of the items for the construct. There was a moderate relationship (r ≥ 0.55) between the formulation of policy guidelines for extracting digital forensic evidence for mobile devices, which leads to a consistent process for retrieving digital forensic evidence (PF1), and the establishment of a mobile device forensic evidence unit within the organization, which reduces inconsistencies in extracting digital forensic evidence from mobile devices (PF3) (r = 0.55), as well as a low correlation between “the recruitment of qualified personnel to handle mobile devices digital forensic evidence has a positive effect on inconsistencies in evidence extraction” (PF4) and “enacting laws for mobile devices digital forensic evidence extraction has a positive effect on inconsistencies in evidence extraction” (PF6) (r = 0.395). We can therefore conclude that the elements selected to measure the policy factor (PF) were suitable for the measure.

Device Factor

The means and standard deviations of the aggregate measures for the three items used to measure the DF construct are shown in Table 9.

Table 9: The mean and standard deviation for DF construct items

| Item | Mean | Std. Dev. | N |
|---|---|---|---|
| DF1 | 4.45 | .627 | 85 |
| DF2 | 4.27 | .662 | 85 |
| DF3 | 4.09 | .908 | 85 |
| DF4 | 4.04 | .957 | 85 |

Strong agreement was obtained for the DF construct, with an average score of (mean = 4.21, standard deviation = 3.15). The item on the state of the mobile device during evidence acquisition was the most agreed, DF1 (mean = 4.45, Std Dev = 0.627), followed by type of mobile device, DF2 (mean = 4.27, Std Dev = 0.662), and version of mobile device, DF3 (mean = 4.09, Std Dev = 0.908); DF4 (mean = 4.04, standard deviation = 0.957) is the least agreed item for this construct. Table 10 shows the inter-item correlation for the items used to measure the DF construct. As observed, most items had an acceptable inter-item correlation (r ≥ 0.2). The least agreed item was mobile device type (DF2) and was least correlated with mobile device version (DF3) (r = 0.155). There was a moderate relationship (r ≥ 0.568) between mobile device type (DF2) and device connection parameters (DF4) (r = 0.331), and a weak correlation between the state of the mobile device during evidence collection (DF1) and (DF2) and (DF3) with (r > 0.279 but < 0.386). We can therefore conclude that the elements selected for the measurement of the DF were suitable for the measurement of this construct [28], [35].

Table 10: The correlation for the DF construct

| Item | DF1 | DF2 | DF3 | DF4 |
|---|---|---|---|---|
| DF1 | 1.000 | .279 | .385 | .331 |
| DF2 | .279 | 1.000 | .155 | .568 |
| DF3 | .385 | .155 | 1.000 | .229 |
| DF4 | .331 | .568 | .229 | 1.000 |

Extraction Method Factor

The means and standard deviations of the aggregated measurements for the ten items used to measure the EMF construct are presented in Table 11. From Table 11, there is strong agreement for the extraction method factor construct, with an average score of (Mean = 4.12, Std Dev = 0.83), with the item physical acquisition the most commonly agreed item, EMF3 (mean = 4.46, Std Dev = 0.716), followed by EMF1 (mean = 4.39, SD = 0.773), EMF5 (mean = 4.14, standard deviation = 0.789), logical acquisition, EMF2 (mean = 4.11, standard deviation = 0.772), brute force acquisition, EMF4 (mean = 3.96, SD = 0.763), and architecture, EMF6 (mean = 3.91, Std Dev = 0.959), which is the least agreed element for this construct.

Table 11: Descriptive statistics for Extraction Method factors construct items

| Item | Mean | Std. Dev. | N |
|---|---|---|---|
| EMF1 | 4.39 | .773 | 85 |
| EMF2 | 4.11 | .772 | 85 |
| EMF3 | 4.46 | .716 | 85 |
| EMF4 | 3.96 | .763 | 85 |
| EMF5 | 4.14 | .789 | 85 |
| EMF6 | 3.91 | .959 | 85 |
| EMF7 | 3.93 | 1.021 | 85 |
| EMF8 | 4.25 | 1.022 | 85 |
| EMF9 | 4.09 | .840 | 85 |
| EMF10 | 3.85 | 1.160 | 85 |

Similarly, Table 12 shows the correlation between items for the several factors, and most of the items had acceptable inter-item correlation (r ≥ 0.2). The least agreed items were architecture (EMF6), file system (EMF8), data storage mechanism (EMF9) and instant messaging applications (EMF10). Subsequently, they were less correlated with manual acquisition (EMF1), logical acquisition (EMF2) and physical acquisition (EMF3), with (r ≤ 0.2).
There was a moderate relationship (r ≥ 0.589) between (EMF1) and (EMF2), as well as a low correlation between (EMF3) and (EMF2) and (EMF10) with (r > 0.2 but < 0.386). We can therefore conclude that the elements selected for the EMF measurement were suitable for the measured construct.

Table 12: Inter-item correlation for Extraction Method Factors (EMF) construct

| Item | EMF1 | EMF2 | EMF3 | EMF4 | EMF5 | EMF6 | EMF7 | EMF8 | EMF9 | EMF10 |
|---|---|---|---|---|---|---|---|---|---|---|
| EMF1 | 1.000 | .589 | .126 | .266 | .143 | -.014 | .322 | -.002 | .016 | .001 |
| EMF2 | .589 | 1.000 | .213 | .593 | .190 | -.002 | .251 | .087 | .021 | .071 |
| EMF3 | .126 | .213 | 1.000 | .357 | .411 | -.058 | -.183 | -.092 | .086 | .100 |
| EMF4 | .266 | .593 | .357 | 1.000 | .345 | .174 | .088 | .057 | .135 | .236 |
| EMF5 | .143 | .190 | .411 | .345 | 1.000 | .159 | .367 | .325 | .303 | .050 |
| EMF6 | -.014 | -.002 | -.058 | .174 | .159 | 1.000 | .370 | .230 | .159 | .030 |
| EMF7 | .322 | .251 | -.183 | .088 | .367 | .370 | 1.000 | .348 | .063 | -.200 |
| EMF8 | -.002 | .087 | -.092 | .057 | .325 | .230 | .348 | 1.000 | .111 | .153 |
| EMF9 | .016 | .021 | .086 | .135 | .303 | .159 | .063 | .111 | 1.000 | .394 |
| EMF10 | .001 | .071 | .100 | .236 | .050 | .030 | -.200 | .153 | .394 | 1.000 |

Nature of Data Factors

The means and standard deviations of the aggregate measures for the five items used to measure the nature of data factors (ND) construct are shown in Table 13.

Table 13: Descriptive statistics for nature of data factors

| Item | Mean | Std. Dev. | N |
|---|---|---|---|
| ND1 | 4.32 | .790 | 85 |
| ND2 | 3.79 | .773 | 85 |
| ND3 | 4.19 | .794 | 85 |
| ND4 | 3.69 | .859 | 85 |
| ND5 | 3.53 | 1.042 | 85 |

Strong agreement was reached for the ND construct, with a mean score of (mean = 3.90, Std Dev = 0.851), with internal and visible data being the most agreed item, ND1 (mean = 4.32, Std Dev = 0.790), followed by external and visible, ND3 (mean = 4.19, SD = 0.794), internal but hidden, ND2 (mean = 3.79, standard dev = 0.773), and external but hidden, ND4 (mean = 3.69, Std Dev = 0.859); encrypted data, ND5 (Mean = 3.53, Std Dev = 1.04), is the least agreed upon for this construct.

Table 14: The correlation for Nature of Data Factors

| Item | ND1 | ND2 | ND3 | ND4 | ND5 |
|---|---|---|---|---|---|
| ND1 | 1.000 | .540 | .549 | .355 | .328 |
| ND2 | .540 | 1.000 | .395 | .421 | .303 |
| ND3 | .549 | .395 | 1.000 | .295 | .353 |
| ND4 | .355 | .421 | .295 | 1.000 | .648 |
| ND5 | .328 | .303 | .353 | .648 | 1.000 |

Referring to Table 14, most items had an acceptable inter-item correlation (r ≥ 0.2). The least agreed item was encrypted data (ND5), and it was the least correlated with external but hidden (ND4) (r = 0.353). There was a moderate relationship (r ≥ 0.540) between internal and visible (ND1) and external and visible (ND3) (r ≥ 0.549), and a weak correlation between external but hidden (ND4) and external and visible (ND3) with (r ≤ 0.295). We can therefore conclude that the items chosen to measure ND were appropriate for the measurement.

Correlation of individual OS and Constructs

Table 15 shows how the different single OS platforms relate to different constructs; this table indicates that the FDP has a significant correlation with iOS (0.404), closely followed by Android (0.268) and Windows (0.229), while Blackberry has the least significant correlation at .008. The FET construct showed significant correlation with iOS and Blackberry OS with 0.524 and 0.667, respectively. Windows came in third with 0.285 and Android followed with 0.178. Data types showed correlation between all four operating system platforms, closely followed by policy factors. The implication is that FET, FDP, EM, and ND are more important factors in understanding how they affect the extraction of evidence on mobile devices running those OS platforms, while the fact that each of the four OS platforms provides the same or different types of data, such as logs, browsing history, short message services, or videos, may explain why the data type posted the least significant correlation.

Table 15: Correlation of individual operating systems and independent constructs

| Operating system | Statistic | PF | DF | EM | DTF | ND | FET | FDP |
|---|---|---|---|---|---|---|---|---|
| Android | Pearson Correlation | -.034 | .101 | .210 | .036 | .130 | .178 | .268* |
| | Sig. (2-tailed) | .755 | .357 | .054 | .741 | .237 | .104 | .013 |
| | N | 85 | 85 | 85 | 85 | 85 | 85 | 85 |
| Windows | Pearson Correlation | .132 | .199 | .421** | .221* | .236* | .285** | .229* |
| | Sig. (2-tailed) | .230 | .068 | .000 | .042 | .030 | .008 | .035 |
| | N | 85 | 85 | 85 | 85 | 85 | 85 | 85 |
| Apple iOS | Pearson Correlation | .073 | .364** | .496** | .032 | .318** | .524** | .404** |
| | Sig. (2-tailed) | .507 | .001 | .000 | .768 | .003 | .000 | .000 |
| | N | 85 | 85 | 85 | 85 | 85 | 85 | 85 |
| Blackberry operating system | Pearson Correlation | -.116 | .190 | .306** | -.221* | .325** | .667** | .008 |
| | Sig. (2-tailed) | .291 | .081 | .004 | .042 | .002 | .000 | .944 |
| | N | 85 | 85 | 85 | 85 | 85 | 85 | 85 |

PF: Policy Factor, DF: Device Factors, EM: Extraction Method, DTF: Data Type Factors, ND: Nature of Data, FET: Forensic Extraction Tool, and FDP: Forensic Documentation Process.

Regression Analysis

According to Perry et al. [28], linear regression (LR) is a method used to model the linear relationship between a dependent variable and one or more independent variables. Dependent variable is sometimes called predictor and independent variables are called predictors. Linear regression is based on the method of least squares: the model is adjusted to minimize the sum of the squares of the differences between the observed and predicted values, based on six basic assumptions. Regression analysis was performed using the consistency metric (CM) as the dependent variable and constructs (EM, FET, PF, DF, ND, and DTF) as independent variables. The analysis revealed a significant pattern with corrected R-squared .848, which equates to 84.8%, and thus the predictive variable included in the analysis was found to be significant. The total F = 79,238, Sig. = .000b, on extraction methods, data type, nature of data, policy factors, forensic documentation, forensic extraction tools and device factors. The results indicate that the model is statistically significant, valid and suitable. The validity of the model means that the consistency metric predicts a significant relationship with the extraction inconsistencies. Hence, the model was sufficiently suited to arrive at conclusions and recommendations. The regression model reveals adjusted R-squared = 0.848, which means that the consistency metric is strongly influenced by factors such as policy, data type, nature of data, extraction method, and forensic documentation process. With an adjusted R-squared of 0.848, which represents 84.8% of the constructs
used to predict the consistency metrics to be used in the evidence extraction process model for those mobile devices running on the four mobile operating systems, namely Android, Windows, iOS and Blackberry OS. This model adaptation confirms what the literature has revealed: that factors such as documentation and extraction methods are the main causes of inconsistencies in mobile device evidence extraction process models [4], [36]-[38], and that other factors such as policies [32], [39], [40], nature of data [41] and type of data [15], [42] have a small contribution to inconsistencies in the evidence extraction process. From Table 16, two factors emerged in a very significant way, namely the extraction method factor, which is at B = 1.030, and the device factor at B = 0.078; these positive values indicate that as the independent variables increase, the consistency metric, the dependent variable, also increases; this is supported by the literature [28]. The coefficient of determination also indicates that as some independent variables increase, the consistency decreases and the standard error decreases. For example, the nature of the data has B = -0.029 and Beta = -0.037 with Sig. of 0.443. The implication here is that these factors do not significantly contribute to the consistency metric and therefore have less impact on the consistency process model when extracting evidence on mobile devices with the four OS platforms used in this study.

Table 16: Regression analysis with consistency metric as the dependent variable

| Model 1 | B (unstandardized) | Std. Error (unstandardized) | Beta (standardized) | t | Sig. |
|---|---|---|---|---|---|
| (Constant) | -.649 | .347 | | -1.870 | .065 |
| EM | 1.030 | .054 | .897 | 18.963 | .000 |
| ND | -.029 | .037 | -.037 | -.771 | .443 |
| DTF | .009 | .039 | .011 | .231 | .818 |
| EMF | .016 | .046 | .016 | .346 | .730 |
| DF | .078 | .039 | .092 | 1.975 | .052 |
| PF | .040 | .050 | .035 | .797 | .428 |

The results of this study showed that forensic extraction tools, extraction methods, nature of the data, type of device, and forensic documentation process are the main factors contributing to inconsistencies in extraction. These findings support the findings of recent studies that have revealed discrepancies in retrieving and reporting data residing on a device from previous tool tests and updates or new versions of the tool. This is in line with the results of the interviews, which showed that the type of data, the nature of the data and the method of extraction are a major cause of inconsistency in mobile device forensic evidence models. Furthermore, the study results established that the policy factor is a benchmark for specifying a consistent model of digital forensic evidence extraction for mobile devices based on Android, Windows, iOS and Blackberry OS. In addition, the device factor is part of the metrics to specify a consistent model of digital forensic evidence extraction for mobile devices based on the four operating systems (OSs).

The present study showed that the extraction method factor is a metric for specifying a consistent digital forensic evidence extraction pattern for the four OS-based mobile devices. The results of the study revealed that the nature of data factors are measures to specify a consistent model of digital forensic evidence extraction for mobile devices based on the four OSs. This is consistent with Brian Cusack [43], who posits that the high-level process of digital forensics involves collecting data from a source, data analysis and evidence extraction, as well as the storage and presentation of evidence. This study found that forensic extraction tools are measures to specify a consistent pattern of digital forensic evidence extraction for mobile devices based on the four OSs, while the forensic documentation process is part of the measures to specify a consistent digital forensic evidence extraction model for mobile devices.

CONCLUSION

The extraction process model developed borrowed the principles of consistency, repeatability, and standardization as presented in earlier studies of the generalized forensic framework. This model goes further to enumerate sequentially each step that should be followed in evidence extraction for each of the mobile operating systems, thereby ensuring that there is consistency at every step of the extraction process. These sequential or chronological steps (stages) will yield positive results across the four mobile operating systems, and it is believed that this model can act as a standard for any other mobile operating system platform that has not been part of this study, considering that the architecture of mobile devices does not differ significantly in terms of storage, processing, and application. The Smartphone Forensic Investigation model is close to the proposed model, except that it concentrates more on the investigation than on evidence extraction and critically lacks the device status check and data recovery phases, which the proposed model points out as one of the key critical issues in digital evidence extraction in mobile devices. Future work should focus on practically testing these models and comparing the results for consistency across different operating system platforms.

Data Availability

Research data underlying the findings of the study can be accessed upon request from the corresponding author.

Conflict of Interest

The authors declare that there is no conflict of interest regarding the publication of this paper.

Funding Statement

This study received no external funding.

REFERENCES

[1] ITU, “HIPCAR Establishment of Harmonized Policies for the ICT Market in the ACP countries Cybercrime/e-Crimes: Model Policy Guidelines & Legislative Texts Geneva, 2013 CARICOM.”
[2] C. A. Murphy, “Developing Process for Mobile Device Forensics” Accessed on, Vol. 11. 2013.
[3] J. Son, “Social Network Forensics: evidence extraction tool capabilities,” (Doctoral dissertation, Auckland University of Technology), 2012.
[4] J. T. Ami-Narh and P. A. H. Williams, “Digital forensics and the legal system: A dilemma of our times,” 6th Aust. Digit. Forensics Conf., pp. 30–40, 2008.
[5] S. Saleem, O. Popov, and A. Kubi, “Evaluating and Comparing Tools for Mobile Device Forensics using Quantitative Analysis,” Digit. Forensics Cyber Crime Lect. Notes Inst. Comput. Sci. Soc. Informatics Telecommun. Eng., vol. 114, no. 1, pp. 264–282, 2013.
[6] T. Mehrotra and B. M. Mehtre, “Forensic analysis of Wickr application on android devices,” 2013 IEEE Int. Conf. Comput. Intell. Comput. Res. IEEE ICCIC 2013, pp. 2–7, 2013.
[7] S. Almulla, Y. Iraqi, and A. Jones, “A distributed snapshot framework for digital forensics evidence extraction and event reconstruction from cloud environment,” Proc. Int. Conf. Cloud Comput. Technol. Sci. CloudCom, vol. 1, pp. 699–704, 2013.
[8] B. Martini and K. K. R. Choo, “An integrated conceptual digital forensic framework for cloud computing,” Digit. Investig., vol. 9, no. 2, pp. 71–80, 2012.
[9] M. A. Frempong and K. K. Hiran, “Awareness and Understanding of Computer Forensics in the Ghana Legal System,” Int. J. Comput. Appl., vol. 89, no. 20, pp. 975–8887, 2014.
[10] R. Ayers, S. Brothers, and W. Jansen, “NIST Special Publication 800-101 Revision 1: Guidelines on Mobile Device Forensics,” NIST Spec. Publ., vol. 1, no. 1, p. 85, 2014.
[11] A. Srivastava and P. Vatsal, “Forensic Importance of SIM Cards as a Digital Evidence,” J. Forensic Res., vol. 07, no. 02, pp. 2–5, 2016.
[12] D. B. Garrie, J. D. Morrissy, Z. Ellman, and K. Llp, “Digital Forensic Evidence in the Courtroom: Understanding Content and Quality,” Northwest. J. Technol. Intellect. Prop., vol. 12, no. 2, pp. 122–128, 2014.
[13] S. Daware, S. Dahake, and V. M. Thakare, “Mobile forensics: Overview of digital forensic, computer forensics vs mobile forensics and tools,” Int. J. Comput. Appl., vol. 2012, pp. 7–8, 2012.
[14] S. Rahman, Shaheed Zulfikar Ali Bhutto Institute of Science and Technology, Islamabad, Pakistan, and M. N. A. Khan, “Digital forensics through application behavior analysis,” Int. j. mod. educ. comput. sci., vol. 8, no. 6, pp. 50–56, 2016.
[15] F. Freiling and M. Gruhn, “What is Essential Data in Digital Forensic Analysis?,” 2015 Ninth Int. Conf. IT Secur. Incid. Manag. IT Forensics, pp. 40–48, 2015.
[16] R. Ahmed, R. Dharaskar, and V. Thakare, “Digital evidence extraction and documentation from mobile devices,” Int. J. Adv. Res. Comput. Commun. Eng., vol. 2, no. 1, pp. 1019–1024, 2013.
[17] S. L. Garfinkel, “Effective Digital Forensics Research is Investigator-centric,” Digit. Investig., vol. 7, pp. S64–S73, 2010.
[18] J. M. Klein and D. Baker, “American bar association,” vol. 46, no. 3, pp. 373–378, 2000.
[19] M. Yates and H. Chi, “A framework for designing benchmarks of investigating digital forensics tools for mobile devices,” Proc. 49th Annu. Southeast Reg. Conf. - ACM-SE ’11, p. 179, 2011.
[20] S. Yadav, K. Ahmad, and J. Shekhar, “Analysis of Digital Forensic Tools and Investigation Process,” High Perform. Archit. Grid, pp. 435–441, 2011.
[21] O. Bongomin, G. Gilibrays Ocen, E. Oyondi Nganyi, A. Musinguzi, and T. Omara, “Exponential Disruptive Technologies and the Required Skills of Industry 4.0,” J. Eng., vol. 2020, pp. 1–17, 2020. https://doi.org/10.1155/2020/4280156
[22] F. Jafari and R. S. Satti, “Comparative Analysis of Digital Forensic Models,” J. Adv. Comput. Networks, vol. 3, no. 1, pp. 82–86, 2015.
[23] R. S. Satti and F. Jafari, “Reviewing Existing Forensic Models to Propose a Cyber Forensic Investigation Process Model for Higher Educational Institutes,” Int. J. Comput. Netw. Inf. Secur., vol. 7, no. 5, pp. 16–24, 2015.
[24] S. Karthick and S. Binu, “Android security issues and solutions,” in IEEE International Conference on Innovative Mechanisms for Industry Applications, ICIMIA 2017 - Proceedings, pp. 686–689, 2017.
[25] M. Elyas, S. B. Maynard, A. Ahmad, and A. Lonie, “Towards a Systematic Framework for Digital Forensic Readiness,” J. Comput. Inf. Syst., vol. 54, no. 3, pp. 97–105, 2014.
[26] R. V Krejcie and D. W. Morgan, “Determining Sample Size for Research Activities Robert,” Educ. Psychol. Meas., vol. 38, no. 1, pp. 607–610, 1970.
[27] C. Kothari, Research methodology: methods and techniques. 2004.
[28] C. B. Perry R, Hinton, Isabella McMurray, SPSS Explained Second Edition. 2014.
[29] L. Cohen, L. Manion, and K. Morrison, Research methods in education, 3rd ed. London, England: Routledge, 1989.
[30] L. Spencer, J. Ritchie, J. Lewis, and L. Dillon, “Quality in qualitative evaluation: a framework for assessing research evidence (supplementary Magenta Book guidance),” Natl. Cent. Soc. Res., no. December, 2003.
[31] I. M. Kisembo et al., “An Algorithm for Improving Email Security on the Android Operating System in the Industry 4.0 Era,” J. Eng., vol. 2021, pp. 1–8, Nov. 2021.
[32] ITU-HIPCAR, “Cybercrime/e-Crimes: Model Policy Guidelines & Legislative Texts,” 2012.
[33] D. C. A. Murphy, “Developing Process for Mobile Device Forensics,” 2009.
[34] L. Aouad, T. Kechadi, and J. Trentesaux, “Chapter 11 An Open Framework For Smartphone,” in Peterson G., Shenoi S. (eds) Advances in Digital Forensics VIII, IFIP Advan., Springer, Berlin, Heidelberg, 2012, pp. 159–166.
[35] A. Holliday, Doing and Writing Qualitative Research Second edition, Thousand Oaks, CA: SAGE Publications, 2007.
[36] “Report on 2016 Inspection of Ernst & Young LLP Public Company Accounting Oversight Board, This is A Public Version of A Pcaob Inspection Report Portions of the Complete Report are Omitted from this Document in Order to Comply with Sections 104(G)(2) An,” 2017.
[37] D. Abalenkovs et al., “Mobile Forensics: Comparison of extraction and analyzing methods of iOS and Android,” Gjovik University College, Gjovik, Norway, pp. 1–13, 2012.
[38] M. Huber, B. Taubmann, S. Wessel, H. P. Reiser, and G. Sigl, “A flexible framework for mobile device forensics based on cold boot attacks,” Eurasip J. Inf. Secur., vol. 2016, no. 1, p. 17, 2016.
[39] S. P. Framework, “Assessment Grid for Evaluating Strategic Policy Frameworks for Digital Growth & Next Generation Network Plans,” pp. 1–7, 2014.
[40] C. Grobler and B. Louwrens, “Digital Forensics: A Multi-Dimensional Discipline,” Proc. ISSA 2006, 2006.
[41] M. M. N. Umale, P. A. B. Deshmukh, and P. M. D. Tambhakhe, “Mobile Phone Forensics Challenges and Tools Classification: A Review,” Int. J. Recent Innov. Trends Comput. Commun., vol. 2, no. 3, pp. 622–626, 2014.
[42] K. Kent, S. Chevalier, T. Grance, and H. Dang, “Guide to integrating forensic techniques into incident response,” NIST Spec. Publ., no. August, pp. 800–886, 2006.
[43] R. L. Brian Cusack, “Up-dating investigation models for smart phone procedures,” 2014.

This work is licensed under a Creative Commons Attribution 4.0 International License.