Chapter 9 · Forensic Analysis of Mobile Malware

This means that it is running and operating as if nothing had changed, which can be problematic. Rutkowska (2007) demonstrated that the system is altered in any live analysis. This makes it difficult to establish that forensic processes have been followed. Similarly, dead analysis suffers from issues of its own. Many mobile device systems (for example, the iPhone) load a separate image into RAM from the ROM on each boot. This enables these devices to ensure the integrity of the operating system, but likewise complicates the forensic process.

Operating Systems (OS) and File Systems (FS)

The forensic process varies greatly from computer devices to mobile devices due to the nature of the storage medium. Most mobile devices in current deployment use volatile memory to store user data. Computers generally use nonvolatile memory in the form of hard drives for their storage medium (although this is changing in some cases, with many newer model devices integrating large-format nonvolatile memory to enable the storage of music and video files). When a device that uses nonvolatile memory is turned off, little generally happens to the storage medium. Devices that use volatile memory sources (such as most mobile devices currently in use) lose data when powered off. Even modern flash storage devices that are