A Review of Mobile Forensic Investigation Process Models

Mobile Forensics (MF) field uses prescribed scientific approaches with a focus on recovering Potential Digital Evidence (PDE) from mobile devices leveraging forensic techniques. Consequently, increased proliferation, mobile-based services, and the need for new requirements have led to the development of the MF field, which has in the recent past become an area of importance. In this article, the authors take a step to conduct a review on Mobile Forensics Investigation Process Models (MFIPMs) as a step towards uncovering the MF transitions as well as identifying open and future challenges. Based on the study conducted in this article, a review of the literature revealed that there are a few MFIPMs that are designed for solving certain mobile scenarios, with a variety of concepts, investigation processes, activities, and tasks. A total of 100 MFIPMs were reviewed, to present an inclusive and up-to-date background of MFIPMs. Also, this study proposes a Harmonized Mobile Forensic Investigation Process Model (HMFIPM) for the MF field to unify and structure whole redundant investigation processes of the MF field. The paper also goes the extra mile to discuss the state of the art of mobile forensic tools, open and future challenges from a generic standpoint. The results of this study find direct relevance to forensic practitioners and researchers who could leverage the comprehensiveness of the developed processes for investigation.


I. INTRODUCTION
Mobile Forensics (MF) as a branch of science is concerned with the recovery of digital evidence from mobile devices using prescribed and appropriate scientific forensic conditions [1]. Furthermore, this branch has become essential, owing to the increased demand for mobile-based services, increased users, and the sporadic changes that have been witnessed in mobile technologies like ubiquity, pervasiveness, and the fast-growing Internet of Things (IoT) technology that demands device connectivity. As a result, there is a growth in the popularity of mobile computing and the transactions tend to be scaling in an upward trajectory.
The associate editor coordinating the review of this manuscript and approving it for publication was Longxiang Gao . Current research trends are mainly focused on exploring the MF professionals' perception regarding the lack of digital investigation processes that can be used to prepare forensic reports applicable to court cases. Digital forensics is gradually becoming a complex discipline, especially with the proliferation of mobile devices in society. This is further complicated with the trend towards a digital interconnected society and industry 4.0 era. With this digitalisation comes the enormity and complexity of digital crimes, a phenomenon that the community of digital forensic professionals (researchers, practitioners, and standardisation organisations) is required to address. However, the complexity of investigating mobile devices is considerably different from investigating the other types of digital devices; as a result, the present study selected 24 MFIPMs proposed in the literature to offer VOLUME 8, 2020 This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/ an up-to-date and comprehensive background of existing research on the MF process models and the related challenges that may arise for newcomers and also discuss possible methods that can be used to solve these issues effectively. From this study, a review of literature has revealed the need for standardized models unifying the related concepts and terminologies in a way that can allow to decrease confusion and organize existing knowledge that is pertinent to the field of MF. This article has three main objectives: 1) present a broad literature review of the MF domain that will assist field researchers to comprehend MF from different perspectives; 2) discuss the issues and drawbacks of the MF domain; and, 3) suggest some solutions for the discovered limitations. The rest of the paper is structured as follows: Section 2 provides the study background and related works. Section 3 presents the research methodology. Section 4 presents the results and discussions. Section 5 discusses open problems and future challenges, while Section 6 concludes this article.

II. BACKGROUND AND RELATED WORKS
In literature, several models proposed by different scholars on forensic investigation processes have been observed, which deal with various mobile devices (e.g., BlackBerry, Personal Digital Assistants (PDAs), Cellular mobile, GSM, Mobile phone Linux and Windows platforms, Huawei, Korea CDMA, Symbian, iPhone, etc.). However, these models can be only applied to certain specific mobile devices with varied investigation processes. Figure 1 provides a synopsis of the mobile phone forensic perspective, and the composition of this study. Although, this synopsis could be construed to include the general notion of mobile device forensics which encompasses diverse variance of mobile smart devices. However, this study limits the scope to mobile phone forensics which is hereinafter referred to as mobile forensics (MF). In [2], the authors proposed an adaptive forensic process model for smartphones of the Symbian type based on various versions of Symbian smartphones. Their model comprised of five forensic processes, namely the preparing and identifying the version, acquiring remote evidence, acquiring internal evidence, analyzing, presenting, and reviewing. Nevertheless, their model was entirely centered on Symbian smartphone's forensic investigation and the set of activities provided in the model is rather incomplete. The authors in [3] introduced an innovative forensic process model that its focus was on the issues related to the Windows mobile device forensic investigations and approaching standardized. This model comprised 12 investigation processes as follows: preparing, securing the scene, survey, and recognition, documentation of the scene, communication shielding, collecting volatile evidence, collecting non-volatile evidence, preserving, examining, analyzing, presenting, and reviewing. It can be said that this model initiated a step toward filling the existing gap between digital investigation and models law enforcement ones. Although very pertinent, the set of activities provided in this model still stands as incomplete. In [4], a model of the Windows mobile device forensic process was designed. The model consisted of 12 investigation processes: preparing, securing the scene, documenting the scene, collecting volatile evidence, collecting non-volatile evidence, off-set, analyzing cell site, preserving, examination, analyzing, presenting, and reviewing. It showed two main advantages: 1) serving as a benchmark and a reliable reference for those who investigate Smartphones regarding criminal cases, and 2) providing a generalized solution and addressing the challenging issue of digital technological scenarios that are highly vulnerable and change quickly. In [5], an investigation process model was introduced for Smartphone DEFSOP in a way to give necessary help to investigators and provide a way for preventing the destruction of digital evidence. In this model, four investigation phases are taken into account: conception phase, the preparation phase, operation phase, and reporting phase. Its operation phase, in turn, comprises three processes: collection, analysis, and forensics. In their model, law and principles are taken into consideration as the first phase, aiming at the provision of help for the other phases and authentic digital evidence. Unlike the NIST model, this one involves training and preparation processes before the forensics process. According to the designers of the above-mentioned model, issues such as Acquisition and Examination/Analysis are completely technical; as a result, they are better to be placed in a single phase, which is the operation phase in this model. Due to taking into account the digital evidence legitimacy, they maintain that their proposed model is of higher reliability compared to NIST. Researchers in [6] proposed a simple and low-cost framework to analyze iPhone forensic. It can extract digital evidence from an iPhone. Three processes are involved in this model: acquiring data, analyzing the data, and reporting the data. In [7], the researchers introduced a new synthesized process model referred to as the Integrated Digital Forensic Process Model (IDFPM), which included a physical investigation component, and Harmonized Digital Forensic Investigation (HDFI) process model. Nevertheless, their model needs to be tested extensively and verified technologically in a way to confirm that the high-level process flow offered by the scholars is a practical, forensically comprehensive, and generally applicable characteristic. The model is composed of five investigation processes: identifying the device, acquisitions, triage, analyzing, and reporting. In another study [8], a methodology was introduced applicable to collecting evidential data from Android devices. Their method contained five investigation processes as follows: identifying the device and preserving the evidence, collecting the evidence, examining and analyzing, and reporting and presentation. To make sure that there is forensic soundness, this methodology makes minimum possible changes to the evidence source device. After this change is realized it gets discrete. This way, it can be simply taken into account by investigating forensic practitioners. After identifying the device in hand and doing the preservation techniques (for instance, making sure the device is radio suppressed, which aims at preventing the remote wiping), the initial technique setting up the device in a way to boot a live collection OS from volatile memory (RAM) of the device.
In [9], the authors introduced an adversary model applicable to social App forensics of Android OS. The model was capable of examining five prevalent Android social apps (i.e., Twitter, Snapchat, POF Dating, Pinterest, and Fling). In their model, App security was offered in addition to an overall understanding of capacities of an adversary model regarding forensic communities and the best practices for informing mobile app design. The model involved four investigation processes as follows: collecting, examining, analyzing, and reporting. In another project [10], the researchers introduced a method with the capacity of collecting and analyzing thumbnails from Android devices. The proposed model contained four 4 investigation processes: identifying, preserving, analyzing, and presenting. They evaluated their methodology with the use of a case study. In that case study, they attempted to identify the thumbnail characteristics aiming for the customisation of existing file carving tools in a way to recover effectively the thumbnails from the forensic image (Through decreasing the number of irrelevant files). In [11], an investigation framework was constructed with a sole aim of applying it to the Samsung Star 3G. It comprised six processes as follow: authorisation process, first response process, device transportation process, live acquisition process, maintenance process, and analysis of evidence. Their proposed framework is practical, and some processes offered are also applicable to other phones and portable devices, particularly the transportation process wherein aluminum foil is suggested to be used. An experiment was carried out by the researcher to verify this statement. The obtained experimental results showed that the material was completely efficient in the protection of signals; for this reason, it was suggested as an alternate solution for the cases where signal insulation bags are not accessible. The authors in [12] introduced a common process model to guide the forensic examiners when conducting a required investigation upon an Android smartphone notwithstanding its manufacturer. Their model contained four processes: pre-incidence readiness, collecting the evidence, examining and analyzing, and VOLUME 8, 2020 information diffusion. It should be noted that their model lacked real application to an actual scenario. The UML usecase diagram was utilized for demonstrating the proposed model efficiency. In another research [13] focused on Firefox OS, a methodology of mobile forensic procedures was proposed for forensic investigations. It was composed of three processes of preparing, preserving, and acquiring. They made use of a basic approach and configured the model specifically for Firefox OS. Among the wide variety of files and analyses, it was constructed to hold only some certain targeted data checklist in a way to determine pertinent data align with specific analyses. It is possible to update the above-noted checklist occasionally. Authors in [14] proposed a method of investigating in a way to effectively acquire data and analyze Android smartphones. Their method considered the techniques currently used to examine the computers and cellphones in a forensic way. They also considered issues such as an adaptation of the method to certain characteristics of Android, the structure provided for data storage purposes, applications of high popularity, and also the question of under what conditions the device is sent to forensic examiners. Without mentioning the tools or techniques explicitly, the method was broadly defined. It involved only two investigation processes: acquisition and examination. In another project conducted in [15], the researchers introduced a commonly-used investigation process of digital evidence forensic on smartphones. It comprised four investigation phases as follows: principle concept, preparation, operation, and reporting. In [16], a new methodology was suggested for the examination of mobile electronic devices. It involved the techniques, tools, and procedures that are necessary for collecting data from various commonly-utilized devices. Four investigation processes were included in this method: seizure, acquiring, analyzing, and reporting. A common process for gathering data of Android devices was introduced by the authors in [17]. The process they suggested was useful in recovering the partition and accompanying recovery mode of an Android device for data gathering purposes. In [18], a novel approach was introduced to acquire live data in addition to data stored within the external or internal memory of Android mobile devices. It comprised only one process, i.e., live data collection. The authors in [19] proposed a proactive smartphone investigation scheme centering upon ad hoc acquisition of evidence from a smartphone. Their scheme includes six processes as follows: engagement in the investigation, selecting the evidence type, collecting the evidence, transmitting the evidence, storing the evidence, and completing the investigation. This scheme was applicable to the examination of the technological aspects of proactive smartphone digital forensics. In another study [20], the authors introduced a well-organized generalized forensics framework in order to extract and document the evidence from Android devices. With the use of hashing algorithms, the attempt was to achieve a comprehensive and reliable snapshot of Android devices with high integrity verification. It contained two processes: extracting the evidence and documenting it. In [21], a forensic adversary model was introduced to be applied to forensic contexts. In this model, two processes were involved: collecting the evidence and analyzing the evidence. The study carried out by [22] proposed a layered architecture applicable to mobile forensic analyses in such a way to make the investigation process as easy as possible. It comprised seven layers as follows: preparing and strategizing, detecting the crime scene, seizure and preservation, extracting and acquiring the data, examining and analyzing, and reporting and documenting. To acquire data, it makes use of different forensic tools such as Bulk extractor and MOBILedit. In another research [23], a new framework was introduced by authors in order to validate the digital forensics software data particularly to apply to smartphones. The framework is mainly centered upon iOS apps; the process of gathering data is performed on iOS devices, then the collected data is transferred onto a laptop to do the validation processes.

III. METHODOLOGY
A systematic review research design was conceptualized for this study. However, given the diversity of the field of mobile forensics, a mixture of database-driven and forward snowballing approach was considered. The methodology for this study was adapted from that of [24], [152], as further depicted in Figure 2. The method used here consisted of three phases: i) The selection of a topic and development of keywords/phrases; ii) The selection of online databases using specific institutional database and further literature extraction based on in-article citation, and compilation of related literature; iii) Reviewing the current literature on the selected topic.
In this article, the currently-used MFIPMs are studied in detail in such a way to find out the common challenges and problems that arise in this field.

PHASE I: SELECTION OF A TOPIC
The topic for the present study was selected using questions in relation to the main subject of the research and considering the background of the topic of focus. Three fundamental questions outline the whole research, which are: 1. What MFIPMs exist currently in literature? 2. Does literature consist of any common process model/framework for the MF field? 3. What are the limitations of the currently-used MFIPMs? Based on these questions, appropriate keywords and keyphrases were developed. One core component of this process is the use of conjunction to join multiple keywords. Sample of the keywords and the conjunctions used to combine multiple keywords is further presented in Table 1. This was carried out on the selected databases. The process of selecting the databases and the selected databases are further discussed in the next section.

PHASE II: SELECTION OF ONLINE DATABASES AND FINDING RELATED LITERATURE
To perform this phase, a definite scope was defined for reviewing the literature. The term ''Mobile Forensics'' was searched in such a way to collect the models proposed in the MF field. In this phase, the knowledge sources were gathered to be used. The Web of Science, IEEE Explore, Scopus, Springer Link, ACM, and Google Scholar were the popular digital libraries that were searched through in order to find the papers related to the MF field. To this end, we made use of the term 'Mobile Forensics' as the searching keywords. In regard to the time duration, the search was confined to the period of time between 2000 and 2020. For the purpose of the present paper, documents like the research articles, conference papers, dissertations, books, and book chapters were taken into account, whereas the other types of documents were left out. In addition, the duplicate, the articles related to public health and medicine, and screening the topic and abstracts were removed, and also the articles discussing Deoxyribonucleic Acid (DNA) were removed. Table 2 summarizes the details of the search protocols employed in this study. Finally, 100 out of 2229 articles were identified to be completely focused upon the topic of MF processes and technology perspectives in this field.

PHASE III: REVIEWING THE CURRENT LITERATURE
A review of the literature revealed that scholars and developers generally approach to the MF field through various perspectives like the Investigation process, Operating Systems, Mobile devices, and mobile forensic tools. The present paper is focused on the investigation process. Using the forward snowballing approach, the study observed that most in-paper referenced articles have been identified in the respective databases which are considered. This was however not a surprise as the database selection process considered both specific institution (subscribed) and context-free database (Google Scholar in this case) as shown in Table 2. In the following, the MF field is discussed in detail.

A. MOBILE FORENSICS INVESTIGATION PROCESS MODELS
Totally, 100 documents were found in the process of literature review, which were centered completely upon the MF topic from various perspectives as noted before (see Table 3).
For instance, the authors in the [25] carried out examined the wireless devices for BlackBerry from a forensic perspective. On the other hand, in [26], the researchers introduced an innovative instrument called PDD for forensic analysis and memory imaging purposes of devices that run the Palm OSs for PDAs. In [27]- [29], several procedures, tools, and guidelines were proposed to be applied to GSM, PDAs, and Cellular mobile phones. In another study [30], a novel method was developed to extract the evidence from SIM card and internal memory of Mobile phones, GPSs, as well as PDAs. The authors in [31] designed a SIMbrush tool for the extraction of the full files system for Mobile phones, Linux, and Windows platforms. On the other hand, in [32], and the on-phone forensic tool was presented that was shown capable of extracting evidence from active files on mobile. The researchers in [33] introduced a tool for the extraction of evidence from the internal flash memory of CDMA mobile phones manufactured in Korea. In [34], a detailed discussion is presented regarding the flasher devices of mobile phones. The authors in [35] attempted to develop a database-driven  approach for the evaluation of the tools proposed for mobile phone acquisition. In [36], some guidelines are offered for cell phones, which discuss all of the acquisition types that are present in literature. In another research [37], an innovative recovery approach is introduced for the extraction of videos and/or images from the mobile phones flash memories. In [38], a recovery method was proposed to extract evidence (of both file and video types) deleted already from the NAND flash memories. The researchers in [39] proposed two new approaches: (1) Phone manager protocol filtering, and (2) Identity module programming for SIM card. In [40], a physical acquisition method is introduced that applies to the iPhone. In another project [41], and inclusive discussion is presented regarding assessing the mobile internal acquisition tools and logical acquisition. In [42], hashing techniques are suggested to be used for MF purposes. The authors in [43] addressed the Symbian forensics and all acquisition approaches. In another study [44], Windows Mobile and Symbian forensic processes were compared to each other. In [45], a process model is introduced for forensic analyses of Symbian smartphones in five phases. The researchers in [46] presented a detailed discussion concerning all of the acquisition techniques that have been presented in literature in case of iPhone. Reference [47], an innovative methodology is presented, which makes use of data reverse-engineering in the case of Symbian devices. In another study [48], a new model was suggested by the researchers to extract phone contacts, call recordings, SMS, documents, scheduling, as well as all of the acquisition methods available in literature in the case of Windows Mobile. The authors in [49] attempted to develop a model for the extraction of evidence from wireless connections in the case of Windows mobile phones. On the other hand, in [50], logical acquisition for Blackberry devices was argued. In [51], a novel technique, as well as a tool, were introduced to acquire data from a memory card (SD, mini SD, MMC) in the case of the Windows Mobile and Symbian devices. The researchers in [52] examined the physical acquisition mechanisms upon smartphones with the use of pseudo-physical acquisition proposed for Windows Mobile devices. In [53], the authors suggested the first research into the Android from a forensics point of view and provided a comprehensive discussion about all methods available in the literature for acquiring data from the Android devices.
In [54], the authors discuss physical methods for acquiring data, which are implemented only in devices without password protection with the use of pseudo-physical acquisition for the Windows mobile phones. The study conducted by authors in [62] has attempted to present the methods generally applied to the extraction of evidence from GPS of mobile phones. In another research [66], the authors carried out a number of experiments through the use of physical and logical techniques of acquisition on the Sony Xperia 10i. The researchers in [14] attempted to design a framework for forensic acquisition and analysis, which can be applicable effectively to Android devices. In [74], four methods of extracting data were presented and discussed, which were SMS, mobile image, photo, and logical acquisition. The authors in [80] presented a discussion on all acquisition methods with a certain focus upon recovering the data that have been already removed from smartphones. Besides, they introduced innovative methods applicable to analyzing the fragmented flash memory. In [81], a novel method is introduced together with a toolset for physically acquiring and extracting evidence from volatile Android memory. In another study [89], the researchers attempted to analyze the popular application of WhatsApp upon Android Smartphones from a forensics perspective. On the other hand, in [92], the logical acquisition method was introduced in the case of a Blackberry device. In [97], several techniques were proposed for the extraction of evidence from Android smartphones that have been encrypted. The researchers' aim in [104] was the development of support systems to efficiently preserve evidence from an Android phone. In [107], the forensic acquisition methods proposed in literature for Android devices were compared to each other. In [109], the focus of the researchers was on developing techniques for the interpretation of the contents of raw NAND flash memory images. In another research [110], a discussion is provided about how to analyze the WhatsApp chat performed with Android smartphones in such a way to effectively identify the messages that have been already removed from the phone. The authors in [21], on the other hand, introduced an adversary model that can be used in facilitating the forensic investigations on mobile devices with systems such as iOS, Android, and Windows. They attempted to design their model in a way to be simply adapted to the latest technologies offered for mobile devices. In [117], a model was proposed integrating the criminal profiling and suspicious pattern detection method to be applied to two criminal activities with a moderate-to-heavy involvement of mobile devices, cyberbullying, and low-level drug dealing. In another project [23], the researchers attempted to develop a new approach to the validation of the data stored in a device and also the tools employed in MF field of study. Reference [124] introduced an improved mobile cloud forensic investigation process model for social network applications for enhancing the cloud action traceability. The improved forensic investigation process includes the time synchronization process and inter and intra-application analysis in addition to the traditional forensic investigation processes. Time synchronization allowed forensic analysis of the mobile device enhances the evidence traceability in the cloud and therefore, achieves the investigation performance rapidly. However, a common forensic investigation model for the mobile cloud traceability that supports all kinds of mobile cloud applications is still missing. Reference [159] proposed a mobile cloud forensic readiness process model to recognize the elements and organize the data that efficiently encourages forensic examinations. The proposed process model includes requirements for the mobile cloud forensics from various views with the purpose of creating the forensic-ready approach.
As a result, the mainstream of research carried out between 2000 and 2020 into smartphone forensics have been particularly centered on iPhone and Android. Moreover, these studies have been focused upon acquiring and analyzing required evidence from these devices and also the practical implementations. On the other hand, the above-mentioned studies have overlooked the fundamental concept of MF investigations. Additionally, it should be noted that in these studies, other MF investigation processes like preserving, examining, and reporting have not received adequate attention. Furthermore, issues such as management of knowledge and activities of each phase in the MF field were overlooked.
Apart from various MF knowledge, there are also quite a several forensic techniques have previously addressed on how mobile forensics tools can be used to prove facts in the wake of potential security incidents. We explore the state of the art of mobile forensic tools, which has helped the authors to coin a discussion.
Research by [123] has conducted an experiment using the available Belkasoft Evidence tool by utilizing NIST forensic techniques. The focus of this research is to extract What-sApp artifacts using a mobile forensic tool. By adopting the four Investigation processes from NIST, the technique was evaluated and the extraction of the artifacts has been able to meet the validation test with ease. Next, an enhances forensic process that is more focused on improving mobile cloud traceability for cloud-based mobile applications can maintain a timeline of chronological evidence, which allows potential digital evidence correlation for mobile cloud [124]. Another pertinent research by [125], [126], has focused on the following aspects: Proposing a mobile forensic readiness model that utilizes agent solutions to conduct forensic readiness through a collection of evidence from mobile devices, which counters cyber-bullying. This is applied in conditions when the mobile device is used as an instrument of crime. Based on this model, the extraction of potential digital evidence from the mobile has been used as a way of achieving incidental preparation. Notably, a study on mobile forensic tools by the Law Enforcement Agencies (LEAs) during forensic investigations has revealed that many mobile applications are not supported by current forensic tools, which tend to extract artifacts manually in the long run [127]. Next, an analysis of SQLite schema evaluation that is aimed to assist digital forensic tool developers has been used to map different ways of keeping mobile tools compatible with the iOS version. In this study, an SQLite Database Comparison Analyzer tool has been developed that has the capability of locating the existing differences on two distinct SQLite schemas in an automated way. Eventually, this tool has been able to be executed forensically based on the knowledge that is gathered by the SQLDCA [128]. This has been followed by a comparative analysis study on Andriod mobile forensic tools on opensource and commercial tools using two popular tools (Autopsy and Belkasoft Evidence) that have been utilized in the acquisition of data given there are currently exist quite a several huge numbers of models from a different manufacturer. Most of these tools have different approaches when it comes to conducting digital forensic investigations. Based on that, it is worth to point that, artifacts, digital data, and the structure of different devices are different and they may pose a challenge during investigations [129], [130]. Consequently, the changes that have occurred on Android and iOS over the last decade has meant that more research is needed to stay up to date with the changing forensic techniques of these Operating Systems (OS), given that they currently are widely used [131]. Additionally, most of the current tools use the available widely used logical techniques, however, this does not also give direct access to mobile phone file systems during forensic investigations [132]. More so, current tools and investigation processes emphasize analysing the plurality that comes with devices and investigation processes. This allows tools to conduct an extensive scan of the digital artifacts in memory, processes of devices, changes, and reconstructing current data-which is an important aspect of the mobile forensic technique [133], [134]. Additionally, a software tool named AnForA that can automate a different set of activities that need to undergo forensic activities has different properties (evidence precision, effectiveness, and repeatability) and this tool shows that it is possible to monitor the changes in file systems [135]. A synopsis of some common MF tools is presented in table 4.
Having explored the state of the art on mobile forensic tools (as distilled in Table 4), in the next section, the authors give a discussion that emanates from the aforementioned works.

IV. RESULTS AND DISCUSSION
Through this review, MF field has suffered from several issues as shown previously in Figure 3: 1. Lack of standardized investigation model: Several specific investigation process models have been proposed in the literature. Each MF has a specific investigation process model, which are largely at variance with other models. 2. Redundancy of processes and concepts: Several investigation processes and concepts have been proposed which make MF field ambiguous amongst forensic practitioners. The choice of what specific process or concept to select for a given investigation is laced with diverging perspective, which could result to inappropriate process selection. An investigator might simply resort to select at random, or even choose a process by order of occurence. 3. Different mobile devices infrastructures: One of the main drawbacks facing MF developers and researchers is the varying structure of mobile device infrastructure. Each mobile device has a different physical and logical infrastructure. 4. Different forensic artifacts: Due to the variety of the mobile device infrastructures, different forensic artifacts which have similar meanings and activities have been offered with different names, which produced confusion among MF forensic practitioners. Consequently, a lack of standardized format for forensic artifacts extracted for MF.
Therefore, this study proposes a Harmonized Mobile Forensic Investigation Process Model (HMFIPM) for MF field. To develop the HMFIPM, the Design Science Research (DSR) has been adapted from [149]- [152]. The DSR is useful in solving a problem that has been unsolved before or solving a known problem in a more effective or efficient manner. According to [153], DSR is a methodology which is suitable for developing a model that contributes to the growth of knowledge in the domain. Thus, four steps have been adapted to develop the HMFIPM as shown in Fig 4: 1. Identify and Select MF models: Several MF models have been discussed in the Section III, Phase III. Models selection for development the HMFIPM is based on the coverage perspectives that were identified in previous research [153], [154]. A coverage of investigation processes are required to fulfill the aim of developing a HMFIPM. Using coverage metric quickly provides an indication of sourced models' applicability. The models which have covered investigation processes of the MF field were selected as a development process models, whereas the models which have not covered investigation process were neglected. Thus, 24 MF models identified and selected for development process, and 76 models were neglected.  i. Titles, abstracts, related works, and conclusions were excluded: the investigation process was either extracted from the diagram or from the main textual model. ii. The investigation process must have a definition, activity, or task; to recognize the purpose and meaning of the process. iii. Irrelevant investigation processes not related to conducting MF were excluded. iv. Include explicit and implicit investigation processes from models. As shown in Table 6 it was discovered there are 108 investigation processes from the 24 MF models. Most of these 108 investigation processes are redundant and need to be merged in order to produce common/harmonized investigation processes for MF field. Next section discusses the merging process 3. Mapping Extracted Investigation Process: Since some of these processes overlap, it is necessary to consider the activities and tasks performed in each of the investigative processes and not to rely solely on naming conventions [156]- [158]. The mapping process is adapted to select the more frequent investigation process for every investigation process. Table 6 shows the mapping process of extracted forensic investigation processes. 4. Propose harmonized Investigation Process: Obviously, 7 investigation processes have a high frequency than other investigation processes which are: preparation, data acquisition, preservation, examination, analysis, reporting, and presentation. Figure 5 displays the HMFIPM. The preparation process is the first MF investigation process that is used to prepare a clean forensic investigation environment and a verifiable forensic techniques, as well as allowing the investigation team to isolate the mobile device enough from the network to prevent users from tampering and capturing volatile and non-volatile data. The preservation process is used to protect the integrity of the mobile device and data. The data acquisition process is a process that utilized to gather/ acquire volatile and non-volatile data from a suspected mobile device. It consists of two sub-processes: live acquisition, and dead acquisition. A live acquisition is a kind of data acquisition that occur when the OS being analyzed is still running while the analysis is being performed. A dead acquisition process involves copying data from the non-volatile memory of the moile system under investigation, while the system is shut down. The examination process is used to ensure that the data acquired is authentic VOLUME 8, 2020 and has not been tampered with. Output from this process is fed into the analysis process. The analysis process is used to analyze examined data, activity reconstruction and data recovery using special forensic techniques to reveal who is tampering, when and where the tampering happened and how the tampering happened. The reporting process is used to document the whole investigation stages. Two feedback processes are further considered in the proposed HMFIPM -examination and analysis feedback. The examination feedback provide a means for knowledge re-intregation and re-evalaution. In some cases, the initial outcome of the examination might be revised to accommodate perceived discrepancies, or the need to update the examination process. Given that the examination process feeds into the analysis, the output of the analysis process could require further reevalaution. Changes in this regard will, however, be required to follow the standardized chain of evidence and custody process. In instances where 'new-found knowledge' scenario is observed, the entire investigation process might be required. Therefore, knowledge from these feedback loops could be a cache of useful knowledge for post-investigation processes, as well as investigation repeatability enhancement. Finally, the presentation process is used to present the investigation stages and submit the results to the court.
The authors next explore some of the open and future challenges as a result of conducting this research study.

V. OPEN PROBLEMS AND FUTURE CHALLENGES
A concise description of the observed lingering challenges and the potential future research direction for MF discipline is presented in this section. Most of the mobile forensic tools do not support or do not have capabilities that can enable integration of application artifacts with known encodings like PDF or MS-Word. It would be important if machine learning approaches would be used in this context so that it would assist to classify and apply known encoding in forensic tools accordingly. While different artifacts are extracted using different forensic processes, the behavior analysis of these artifacts and how specifically the user-information is normalized continues to be an area that is least explored. Also, the perspective on how data analysis is conducted and the relationship that exist between artifact analysis and location analysis is a potential area that could be explored to explore anti-forensic problems [136]. Nevertheless, many mobile forensic approaches have not incorporated incidental planning and preparation (Readiness) as is highlighted by [137], [138]. Mainly, it defeats the purpose of mobile devices given that in the recent past, their proliferations [139] have been one of the enablers of the rise of Internet of Things (IoT). Realistically, IoT environment connectivity is as a result of mobile devices, hence, forensic readiness is a key concern for mobile devices. Also, the techniques that can be used for data acquisition for mobile devices presents a challenge because they are not able to synchronize the metadata and the flash storage memory type, if addressed this could give investigators a forensic breakthrough. The variety of operating systems have also introduced diversity in the investigation process. This, however, implies that there is a need for an integrated investigation model which is context independent. Addressing this challenge could provide a baseline for the development of a standardized process model for conducting mobile forensics. Additionally, the lack of a standardized approach which can scale beyond OS-specific requirement presents a major limitation in developing an MF investigation process model that can scale legal scrutiny. Furthermore, this inefficiency implies the lack of well-structured and unified model that can facilitate, manage, share, and reuse the knowledge created in the MF field among all practitioners. Studies have established the propensity of human behavioral consistencies with the use of technology [140]- [143]. An exploration of these qualities as a component of investigation framework could present a novel platform in user attribution. Attribution as a forensic component is major research challenge which has led to the adoption of some scientific evidence (or the lack of it) in litigation. However, till date, the scientific committee continue to grabble with the development of a reliable process model for user and device attribution in digital forensics [144]- [147]. That notwithstanding, with the changing nature of how data keeps changing with changing technologies, a more resilient cognitive model is projected to be a future challenge given that the forensic investigation of mobile architecture still remains complicated [148]. Attempts to develop an investigative process model applicable for mobile forensics remains a research gap that requires special attention. Approach to develop a formal feedback collection and format is also a potential open challenge. Whilst investigators would need such knowledge to enahnce the investigation process, a formal approach and format would be required to define modalities to do so. One logic would be to leave the process to the context of the investigation. However, this could also implies that the investigator can provide such feedback based on their biases. Arguably, this will remain an open challenge which has the potential to escalate to other forensic disciplie. Till date, there is no formal approach to address this feedback process.

VI. CONCLUSION
This article reviewed totally 100 MF models. Using different terminologies, the scholars in this field have made use of various approaches regarding the number of phases in the investigation process. As confirmed by a review of the literature, the majority of MF process models are centered upon particular mobile events, which makes available low-level details. In addition, since models had a variety of perspectives, it was not possible to mark out a single model as a 'standardized' one. A significant contribution of the present study to the MF field is conducting a comprehensive review of MF-related literature, which can help effectively the field researchers to further comprehend MF. This article started with reviewing all existing MF studies; then, it discussed the challenges, limitations, and drawbacks of the field, and suggested a number of solutions to the limitations identified. In the following, some ideas are recommended for future research in the MF field: 1) improving and validating the proposed investigation process model (HMFIPM); 2) Development of a meta-modeling language that can be applied to structuring, managing, organizing, sharing, and reusing the created MF knowledge; and 3) Development of a definite MF source for the purpose of storing and retrieving the knowledge formed in the MF field. SHUKOR ABD RAZAK (Member, IEEE) is currently an Associate Professor with Universiti Teknologi Malaysia. His research interests include the security issues for mobile ad hoc networks, mobile IPv6, vehicular ad hoc networks, and network security. He also actively conducts several types of research in digital forensic investigation, wireless sensor networks, and cloud computing. He is the author or coauthor of many journals and conference proceedings at national and international levels.
RICHARD ADEYEMI IKUESAN (Member, IEEE) received the M.Sc. and Ph.D. degrees (Hons.) in computer science from Universiti Teknologi Malaysia. He is an Active Researcher currently pioneering a digital policing and forensic project for developing nations, using Nigeria and South Africa as a hub for West Africa and Southern Africa. He is an Assistant Professor with the IT Department, Cyber Security Section, Community College of Qatar.
VICTOR R. KEBANDE received the Ph.D. degree in computer science in the area of information and computer security architectures and digital forensics from the University of Pretoria, Hatfield, South Africa. He previously belonged to ICSA and DIgiFORS Research Groups, University of Pretoria. He is currently a Cyber and Information Security Postdoctoral Researcher with the Internet of Things and People (IoTaP) Center, Department of Computer Science and Media Technology, Malmö University, Sweden. His main research interests include cyber, information security, and digital forensics in the area of the IoT, (mainly IoT security), digital forensics-incident response, cyber-physical system protection, critical infrastructure protection, adversarial motives and detecting in the IoT infrastructures, cloud security, computer systems, distributed system security, threat hunting and modeling and cyber-security risk assessment, blockchain technologies, and privacy preserving techniques. He also serves as an Editorial Board Member of Forensic Science International: Reports Journal. He serves as a reviewer and an editor for number of well reputed journals.
KAMRAN SIDDIQUE (Member, IEEE) received the Ph.D. degree in computer engineering from Dongguk University, South Korea. He is currently an Associate Professor with Xiamen University Malaysia. His research interests include cybersecurity, machine learning, and big data processing. VOLUME 8, 2020