Smartphones as Distributed Witnesses for Digital Forensics

  • Heloise Pieterse
  • Martin Olivier
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 433)


Smartphones have become an integral part of people’s lives. Their wide range of capabilities and support of diverse applications result in a wealth of data being stored in smartphone memory. Although tools are available to extract and view the data stored in smartphones, no comprehensive process exists for event reconstruction using the extracted data. Data in smartphones is typically stored in SQLite databases and can, therefore, be easily transformed. To perform event reconstruction, multiple SQLite databases have to be integrated. This paper proposes a novel mobile event reconstruction process that allows for event reconstruction by querying the integrated SQLite databases collected from multiple smartphones. The process can create detailed accounts of the events that took place before, during and after an incident.


Smartphones event reconstruction distributed databases 


  1. 1.
    AccessData, Mobile Phone Examiner Plus (MPE+), Lindon, Utah (
  2. 2.
    A. Arnes, P. Haas, G. Vigna and R. Kemmerer, Digital forensic reconstruction and the virtual security testbed ViSe, Proceedings of the Third International Conference on Detection of Intrusions and Malware and Vulnerability Assessment, pp. 144–163, 2006.CrossRefGoogle Scholar
  3. 3.
    A. Caithness, The Forensic Implications of SQLite’s Write Ahead Log, CCL Group, Stratford-upon-Avon, United Kingdom (, 2012.Google Scholar
  4. 4.
    E. Casey, Digital Evidence and Computer Crime, Elsevier, Waltham, Massachusetts, 2011.Google Scholar
  5. 5.
    F. Cohen, Digital Forensic Evidence Examination, Fred Cohen & Associates, Livermore, California, 2009.Google Scholar
  6. 6.
    K. Curran, A. Robinson, S. Peacocke and S. Cassidy, Mobile phone forensic analysis, International Journal of Digital Crime and Forensics, vol. 2(3), pp. 15–27, 2010.CrossRefGoogle Scholar
  7. 7.
    A. Elmagarmid, M. Rusinkiewicz and A. Sheth (Eds.), Management of Heterogeneous and Autonomous Database Systems, Morgan Kaufmann Publishers, San Francisco, California, 1999.Google Scholar
  8. 8.
    M. Eltabakh, Data Integration, CS561-Spring 2012, Department of Computer Science, Worcester Polytechnic Institute, Worcester, Massachusetts (, 2012.Google Scholar
  9. 9.
    Forensic Science Central, Crime Scene and Accident Scene Reconstruction (, 2005.
  10. 10.
    A. Gal, A. Trombetta, A. Anaby-Tavor and D. Montesi, A model for schema integration in heterogeneous databases, Proceedings of the Seventh International Database Engineering and Applications Symposium, pp. 2-11, 2003.CrossRefGoogle Scholar
  11. 11.
    P. Gladyshev, Formalizing Event Reconstruction in Digital Investigations, Ph.D. Dissertation, Department of Computer Science, University College Dublin, Dublin, Ireland, 2004.Google Scholar
  12. 12.
    P. Gladyshev and A. Patel, Finite state machine approach to digital event reconstruction, Digital Investigation, vol. 1(2), pp. 130–149, 2004.CrossRefGoogle Scholar
  13. 13.
    H. Halvorsen, Structured Query Language, Department of Electrical Engineering, Information Technology and Cybernetics, Telemark University College, Porsgrunn, Norway (, 2012Google Scholar
  14. 14.
    S. Jeon, J. Bang, K. Byun and S. Lee, A recovery method of deleted record for SQLite database, Personal and Ubiquitous Computing, vol. 16(6), pp. 707–715, 2012.CrossRefGoogle Scholar
  15. 15.
    MD’s Technical Sharing, Raw access to SMS/MMS database on Android phones (, February 14, 2012.
  16. 16.
    J. Morris, Crime Analysis Charting: An Introduction to Visual Investigative Analysis, Palmer Enterprises, Loomis, California, 1982.Google Scholar
  17. 17.
    Oxygen Forensics, Oxygen Forensic Suite, Alexandria, Virginia (
  18. 18.
    M. Ozsu and P. Valduriez, Principles of Distributed Database Systems, Springer, New York, 2011.Google Scholar
  19. 19.
    C. Parent and S. Spaccapietra, Issues and approaches of database integration, Communications of the ACM, vol. 41(5), pp. 166–178, 1998.CrossRefGoogle Scholar
  20. 20.
    P. Patodi, Database Recovery Mechanism for Android Devices, Ph.D. Dissertation, Department of Computer Science and Engineering, Indian Institute of Technology Bombay, Bombay, India, 2012.Google Scholar
  21. 21.
    M. Prasad and Y. Satish, Reconstruction of events in digital forensics, International Journal of Engineering Trends and Technology, vol. 4(8), pp. 3460–3467, 2013.Google Scholar
  22. 22.
    B. Schneier, Attack trees, Dr. Dobb’s Journal of Software Tools, vol. 24(12), pp. 21–29, 1999.Google Scholar
  23. 23.
    SQLite, About SQLite, Charlotte, North Carolina (
  24. 24.
    SQLite, The SQLite Database File Format, Charlotte, North Carolina (
  25. 25.
    SQLite, Write-Ahead Logging, Charlotte, North Carolina (, 2013.
  26. 26.
    P. Stephenson, Modeling of post-incident root cause analysis, International Journal of Digital Evidence, vol. 2(2), 2003.Google Scholar
  27. 27.
    The iPhone Wiki, Messages (, August 16, 2013.
  28. 28.
    viaForensics, viaExtract, Oak Park, Illinois (

Copyright information

© IFIP International Federation for Information Processing 2014

Authors and Affiliations

  • Heloise Pieterse
    • 1
  • Martin Olivier
    • 1
  1. 1.University of PretoriaPretoriaSouth Africa

Personalised recommendations