mobile forensics

MOBILE DEVICE FORENSICS

Upload: primeteacher32

Post on 09-Apr-2017


TRANSCRIPT

Page 1: Mobile Forensics

MOBILE DEVICE FORENSICS

Page 2: Mobile Forensics

Understanding Mobile Device Forensics

People store a wealth of information on cell phones and mobile devices
People don’t think about securing their mobile devices

Items stored on mobile devices:
  Incoming, outgoing, and missed calls
  Text and Short Message Service (SMS) messages
  E-mail
  Instant-messaging (IM) logs
  Web pages
  Pictures
  Personal calendars
  Address books
  Music files
  Voice recordings
  GPS data

Investigating cell phones and mobile devices is one of the most challenging tasks in digital forensics

Page 3: Mobile Forensics

Understanding Cellular Connected Mobile Devices

A Mobile Switching Center (MSC) is the switching system for the cellular network. The MSC is also responsible for communications between mobile and landline phones.

The Base Transceiver Station (BTS) is the part of the cellular network responsible for communications between the mobile phone and the network switching systems.

The Home Location Register (HLR) is a database used by the MSC that contains subscriber and service information. It works together with the Visitor Location Register (VLR), which tracks roaming status.

Page 4: Mobile Forensics

Inside Mobile Devices

IMEI and IMSI
  International Mobile Equipment Identifier
  International Mobile Subscriber Identifier
  Also MEID (Mobile Equipment Identifier) or ESN (electronic serial number)
Phones store system data in electronically erasable programmable read-only memory (EEPROM)
  Enables service providers to reprogram phones without having to physically access memory chips
OS is stored in ROM
  Nonvolatile memory

Page 5: Mobile Forensics

Inside Mobile Devices

Subscriber identity module (SIM) cards
  Found most commonly in GSM (Global System for Mobile Communications) devices
  GSM refers to mobile phones as “mobile stations” and divides a station into two parts: the SIM card and the mobile equipment (ME)
  Portability of information makes SIM cards versatile
  Integrated Circuit Card Identifier (ICCID)
  Identifies the subscriber to the network
  Stores service-related information
  PIN – unlocks the device
  PUK – resets the PIN; wipes the phone if entered incorrectly more than 10 times
  Cipher algorithm

Page 6: Mobile Forensics

Mobile Device Forensic Analysis Process

Biggest challenge is dealing with constantly changing models of cell phones

When you’re acquiring evidence, generally you’re performing two tasks:
  Acting as though you’re a PC synchronizing with the device (to download data)
  Reading the SIM card

First step is to identify the mobile device
  Question: Why is this important?
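As an added example (not part of the slide deck), the checks an examiner can run on the identifiers from pages 4 and 5 when identifying a device: IMEI and ICCID end in a Luhn check digit, and the IMEI and IMSI split into fields that name the handset model (TAC) and the home network (MCC/MNC). All sample values below are constructed, and the MNC is assumed to be 2 digits unless told otherwise.

```python
# Added example (not from the slides): sanity checks on the identifiers a
# handset and SIM report, run before relying on them to identify the device.
import re


def luhn_valid(digits: str) -> bool:
    """True if the digit string ends in a correct Luhn check digit (IMEI, ICCID)."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_imei(imei: str) -> dict:
    """Split a 15-digit IMEI into TAC (type/model), serial and check digit."""
    s = re.sub(r"[\s-]", "", imei)
    if len(s) != 15 or not s.isdigit():
        raise ValueError("IMEI must be 15 digits")
    return {"tac": s[:8], "serial": s[8:14], "check": s[14], "luhn_ok": luhn_valid(s)}


def parse_imsi(imsi: str, mnc_len: int = 2) -> dict:
    """Split an IMSI into MCC (country), MNC (operator) and MSIN (subscriber).
    The MNC is 2 or 3 digits depending on the country; 2 is assumed by default."""
    if not imsi.isdigit() or not 6 <= len(imsi) <= 15 or mnc_len not in (2, 3):
        raise ValueError("IMSI must be 6-15 digits with a 2- or 3-digit MNC")
    return {"mcc": imsi[:3], "mnc": imsi[3:3 + mnc_len], "msin": imsi[3 + mnc_len:]}


def parse_iccid(iccid: str) -> dict:
    """Check a 19/20-digit ICCID: '89' telecom prefix, issuer fields, Luhn digit."""
    s = re.sub(r"\s", "", iccid)
    if len(s) not in (19, 20) or not s.isdigit():
        raise ValueError("ICCID must be 19 or 20 digits")
    return {"telecom_prefix": s[:2] == "89", "luhn_ok": luhn_valid(s)}


if __name__ == "__main__":
    # Constructed example values, not taken from any real device or subscriber.
    print(parse_imei("49-015420-323751-8"))
    print(parse_imsi("310150123456789"))
    print(parse_iccid("8901410321111185109"))
```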

Page 7: Mobile Forensics

Understanding Acquisition Procedures for Cell Phones and Mobile Devices

The main concerns with mobile devices are loss of power and synchronization with PCs

All mobile devices have volatile memory
  Making sure they don’t lose power before you can retrieve RAM data is critical
  A mobile device attached to a PC via a cable or cradle/docking station should be disconnected from the PC immediately

Communication or system messages might be received on the mobile device after seizure
  Isolate the device from incoming (RF) signals
  The drawback to using these isolating options is that the mobile device is put into roaming mode, which accelerates battery drainage

Page 8: Mobile Forensics

Data Acquisition Procedures for Cell Phones and Mobile Devices

Check these areas in the forensics lab:
  Internal memory
  SIM card (its file system is a hierarchical structure)
  Removable or external memory cards

Information that can be retrieved:
  Service-related data, such as identifiers for the SIM card and the subscriber
  Call data, such as numbers dialed
  Message information
  Location information

If power has been lost, PINs or other access codes might be required to view files.

Encryption

Page 9: Mobile Forensics

Access Methods (6 types according to NIST)

Manual extraction
  Looking at pages of information directly on the device
Logical extraction
  File system dump
Hex dumping and JTAG
  Can work on damaged devices and bypass lock screens; reads directly from RAM/ROM
Chip-off
  Unsolder or cut the flash memory from the circuit board
Micro read
  Use a scanning electron microscope (SEM) to view data

Page 10: Mobile Forensics

Don’t ignore useful properties

When was the last time this phone was at 2SP?

Page 11: Mobile Forensics

Poke around and you will find…

Encoded Secrets

This has been truncated; the app stores your password Base64 encoded.

Page 12: Mobile Forensics

Application Data

Found in plists or SQLite files
Apps continue to change formats
Looking primarily for location and message data
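An added triage script (not from the slides) for the situation on pages 11 and 12: an app's plist or SQLite store holds a password that is only Base64 encoded. It walks every cell of a constructed SQLite database and the top-level values of a constructed plist and reports any value that decodes to readable text; the sample data is made up for the example.

```python
# Added example (not from the slides): triage an app's data store for Base64
# strings that decode to readable text. Base64 is encoding, not encryption, so a
# password "hidden" this way is effectively stored in the clear.
import base64, binascii, plistlib, re, sqlite3

B64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")

def decode_if_base64(value):
    """Decoded text if value is valid Base64 of printable UTF-8, else None.
    Heuristic: short or binary-looking values are skipped to limit false hits."""
    if not isinstance(value, str) or len(value) % 4 or not B64_RE.match(value):
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text and text.isprintable() else None

def scan_sqlite(conn):
    """Walk every table and cell; return (table, column, decoded) for each hit."""
    hits = []
    tables = conn.execute("SELECT name FROM sqlite_master WHERE type='table'")
    for (table,) in tables.fetchall():
        cur = conn.execute('SELECT * FROM "%s"' % table.replace('"', '""'))
        cols = [d[0] for d in cur.description]
        for row in cur:
            for col, cell in zip(cols, row):
                decoded = decode_if_base64(cell)
                if decoded is not None:
                    hits.append((table, col, decoded))
    return hits

def scan_plist(data):
    """Same check over the top-level string values of a property list."""
    pairs = [(k, decode_if_base64(v)) for k, v in plistlib.loads(data).items()]
    return [(k, d) for k, d in pairs if d is not None]

def build_samples():
    """Constructed stand-ins for an app's prefs DB and plist (not a real app)."""
    token = base64.b64encode(b"correct horse battery").decode()
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE settings(name TEXT, value TEXT)")
    conn.execute("CREATE TABLE messages(id INTEGER, body TEXT, lat REAL, lon REAL)")
    conn.executemany("INSERT INTO settings VALUES (?, ?)",
                     [("username", "alice"), ("password", token)])
    conn.execute("INSERT INTO messages VALUES (1, 'on my way', 37.7749, -122.4194)")
    plist = plistlib.dumps({"lastLocation": "37.7749,-122.4194", "authToken": token})
    return conn, plist
```

Run `scan_sqlite` and `scan_plist` on the pair returned by `build_samples()`; only the Base64 value is reported, while the plain username, message text and coordinates are left alone.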

Page 13: Mobile Forensics

Rooting

Usually an alternate OS (may be command injection)
Removes built-in restrictions on access to data
Removes restrictions on, or makes it possible to add, 3rd-party applications
Consumers do it for functionality
Investigators do it for access to data
Manufacturers are making this more challenging

Page 14: Mobile Forensics

Summary

People store a wealth of information on their cell phones
Various generations of mobile phones
Data can be retrieved from several different places in phones
As with computers, proper search and seizure procedures must be followed for mobile devices
To isolate a mobile device from incoming messages, you can place it in a specially treated paint can, a wave-blocking wireless evidence bag, or eight layers of antistatic bags
SIM cards store data in a hierarchical file structure