mobile forensics lecture slides

Special Topics in Digital Forensics and Investigations CPSC 6622 Cell Phone and Mobile Devices Forensics

Upload: v-yaswanth-kumar

Post on 29-Sep-2015


  • Special Topics in Digital Forensics and Investigations, CPSC 6622: Cell Phone and Mobile Devices Forensics

    Guide to Computer Forensics and Investigations

  • Understanding Mobile Device Forensics
    - People store a wealth of information on smartphones and tablets
    - People don't think about securing them; industry estimates are that somewhere between 30-60% lock their smartphones
    - iOS simple passcode = 4-digit PIN
    - Items stored on mobile devices:
        - Incoming, outgoing, and missed calls
        - Text and Short Message Service (SMS) messages
        - E-mail
        - App data and passwords (Twitter, Facebook, Tumblr, Pinterest, etc.)
        - Web pages
        - Pictures
        - Personal calendars
        - Address books
        - Voicemail recordings

  • Understanding Mobile Device Forensics
    - Investigating cell phones and mobile devices is one of the more challenging tasks in digital forensics
    - No single standard exists for how and where phones store messages
    - New phones come out about every six months, and they are rarely compatible with previous models

  • Mobile Phone Basics
    - Mobile phone technology has advanced rapidly
    - By the end of 2008, mobile phones had gone through three generations:
        - Analog
        - Digital personal communications service (PCS)
        - Third-generation (3G)
    - Fourth-generation (4G) was introduced in 2009
    - Several digital networks are used in the mobile phone industry

  • Mobile Phone Basics

  • Mobile Phone Basics
    - The 3G standard was developed by the International Telecommunications Union (ITU) under the United Nations
    - It is compatible with CDMA, GSM, and TDMA
    - The Enhanced Data GSM Environment (EDGE) standard was developed specifically for 3G

  • Mobile Phone Basics
    - 4G networks can use the following technologies:
        - Orthogonal Frequency Division Multiplexing (OFDM)
        - Mobile WiMAX
        - Ultra Mobile Broadband (UMB)
        - Multiple Input Multiple Output (MIMO)
        - Long Term Evolution (LTE)

  • Mobile Phone Basics
    - Main components used for communication:
        - Base transceiver station (BTS)
        - Base station controller (BSC)
        - Mobile switching center (MSC)

  • Inside Mobile Devices
    - Mobile devices can range from simple phones to small computers, also called smart phones
    - Hardware components: microprocessor, ROM, RAM, a digital signal processor, a radio module, a microphone and speaker, hardware interfaces, and an LCD display
    - Most basic phones have a proprietary OS, although smart phones use the same OSs as PCs

  • Inside Mobile Devices
    - Phones store system data in electronically erasable programmable read-only memory (EEPROM), which enables service providers to reprogram phones without having to physically access memory chips
    - The OS is stored in ROM, nonvolatile memory that remains available even if the phone loses power

  • Inside Mobile Devices
    - Subscriber identity module (SIM) cards
        - Found most commonly in GSM devices
        - Consist of a microprocessor and internal memory
        - GSM refers to mobile phones as mobile stations and divides a station into two parts: the SIM card and the mobile equipment (ME)
        - SIM cards come in two sizes
        - Portability of information makes SIM cards versatile

  • Inside Mobile Devices
    - Subscriber identity module (SIM) cards (cont'd)
        - The SIM card is necessary for the ME to work and serves these additional purposes:
            - Identifies the subscriber to the network
            - Stores service-related information
            - Can be used to back up the device

  • Understanding Acquisition Procedures for Cell Phones and Mobile Devices
    - The main concerns with mobile devices are loss of power, synchronization with cloud services, and remote wiping
    - All mobile devices have volatile memory; making sure they don't lose power before you can retrieve RAM data is critical
    - A mobile device attached to a PC via a USB cable should be disconnected from the PC immediately; this helps prevent synchronization that might occur automatically and overwrite data

  • Understanding Acquisition Procedures for Cell Phones and Mobile Devices
    - Depending on the warrant or subpoena, the time of seizure might be relevant
    - Messages might be received on the mobile device after seizure
    - Isolate the device from incoming signals with one of the following options:
        - Place the device in airplane mode
        - Place the device in a paint can
        - Use the Paraben Wireless StrongHold Bag
        - Turn the device off

  • Understanding Acquisition Procedures for Cell Phones and Mobile Devices
    - The drawback of using these isolating options is that the mobile device is put into roaming mode, which accelerates battery drainage
    - SANS DFIR Forensics recommends:
        - If the device is on and unlocked: isolate it from the network, disable the screen lock, and remove the passcode
        - If the device is on and locked: what you can do varies depending on the type of device
        - If the device is off: attempt a physical static acquisition and turn the device on

  • Understanding Acquisition Procedures for Cell Phones and Mobile Devices
    - Check these areas in the forensics lab:
        - Internal memory
        - SIM card
        - Removable or external memory cards
        - Network provider
    - Checking with the network provider requires a search warrant or subpoena
    - A new complication has surfaced because backups might be stored in a cloud provided by the carrier or a third party

  • Understanding Acquisition Procedures for Cell Phones and Mobile Devices
    - Due to the growing problem of mobile devices being stolen, service providers have started using remote wiping to remove a user's personal information stored on a stolen device
    - Memory storage on a mobile device is usually a combination of volatile and nonvolatile memory
    - The file system for a SIM card is a hierarchical structure

  • Understanding Acquisition Procedures for Cell Phones and Mobile Devices
    - Information that can be retrieved falls into four categories:
        - Service-related data, such as identifiers for the SIM card and the subscriber
        - Call data, such as numbers dialed
        - Message information
        - Location information
    - If power has been lost, PINs or other access codes might be required to view files
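As an added example that is not part of the lecture slides, the Python below decodes the two service-related identifiers named above, the SIM card's ICCID and the subscriber's IMSI, from the raw elementary-file bytes a SIM card reader returns; the sample bytes are constructed test-network values, and the two-digit MNC length is an assumption (on a real card it comes from EF_AD).

```python
# Added example, not from the slides. Encodings follow 3GPP TS 31.102:
# EF_ICCID is swapped-nibble BCD padded with 0xF; EF_IMSI is a length
# byte, then a byte whose high nibble is digit 1 (low nibble holds a
# parity flag), then the remaining digits in swapped-nibble BCD.

def swapped_bcd_digits(data: bytes) -> str:
    """Decimal digits of data, low nibble before high nibble; 0xF ends it."""
    digits = []
    for byte in data:
        for nibble in (byte & 0x0F, byte >> 4):
            if nibble == 0x0F:          # padding nibble, as on the card
                return "".join(digits)
            digits.append(str(nibble))
    return "".join(digits)


def luhn_valid(number: str) -> bool:
    """Luhn check protecting the ICCID's final digit against misreads."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                  # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def decode_iccid(ef_iccid: bytes) -> str:
    """Return the ICCID, refusing a read that fails its check digit."""
    iccid = swapped_bcd_digits(ef_iccid)
    if not luhn_valid(iccid):
        raise ValueError(f"ICCID {iccid} fails its Luhn check digit")
    return iccid


def decode_imsi(ef_imsi: bytes, mnc_len: int = 2) -> dict:
    """Split EF_IMSI into the IMSI and its MCC/MNC network identifiers.

    mnc_len (2 or 3) really comes from EF_AD on the card; 2 is assumed here.
    """
    body = ef_imsi[1:1 + ef_imsi[0]]    # length byte, then IMSI bytes
    imsi = str(body[0] >> 4) + swapped_bcd_digits(body[1:])
    return {"imsi": imsi, "mcc": imsi[:3], "mnc": imsi[3:3 + mnc_len]}


# Constructed sample EF contents (test-network values, not a real card)
SAMPLE_EF_ICCID = bytes.fromhex("984402002143658709F2")  # ICCID 8944200012345678902
SAMPLE_EF_IMSI = bytes.fromhex("080910101032547698")    # IMSI 001010123456789
```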

  • Mobile Forensics Equipment
    - Mobile forensics is an evolving science
    - The biggest challenge is dealing with constantly changing phone models
    - Procedure for working with mobile forensics software:
        - Identify the mobile device
        - Make sure you have installed the mobile device forensics software
        - Attach the phone to power and connect cables
        - Start the forensics software and download information

  • Mobile Forensics Equipment
    - SIM card readers: a combination hardware/software device used to access the SIM card
    - General procedure is as follows:
        - Remove the back panel of the device
        - Remove the battery
        - Remove the SIM card from its holder
        - Insert the SIM card into the card reader

  • Mobile Forensics Equipment
    - NIST guidelines list six types of mobile forensics methods:
        - Manual extraction
        - Logical extraction
        - Hex dumping and Joint Test Action Group (JTAG) extraction
        - Chip-off
        - Micro read

  • Mobile Forensics Equipment
    - Roughly half of Facebook users access their accounts via mobile devices
    - Almost all mobile apps store account authentication information
    - Following standard procedures, doing a logical acquisition followed by a physical acquisition, can yield solid evidence

  • Mobile Forensics Tools in Action
    - Cellebrite is often used by law enforcement
    - You determine the device's make and model, hook up the correct cable, turn the device on, and retrieve the data
    - There are more than half a million apps for mobile devices, and Cellebrite can analyze data from only a few hundred
    - No one product can do it all; multiple solutions are needed

  • Mobile Forensics Tools in Action
    - Many mobile forensics tools are available; most aren't free
    - Methods and techniques for acquiring evidence will change as the market continues to expand and mature
    - Subscribe to user groups and professional organizations to stay abreast of what's happening in the industry

  • Smartphone Basics
    - Operation modes (iDevices):
        - Normal mode
        - Recovery mode: used for activating a device, upgrading/downgrading, or sometimes to perform a forensic physical acquisition
        - DFU mode (Device Failsafe Utility mode): used for device firmware upgrades and some physical acquisitions