A Series of Computer Forensics Notes- This lecture is about Mobile Forensics

1. Intro to Computer Forensics
Mr. Islahuddin Jalal
MS (Cyber Security) – UKM Malaysia
Research Title – 3C-CSIRT Model for Afghanistan
BAKHTAR UNIVERSITY ‫باخترپوهنتون‬ ‫د‬

2. Outlines to be discussed…
• Objective
• Potential Evidence
• Guidelines
• Seizure
• Examination
• Data Extraction
• Documentation
• Tools
• Q & A

3. Objective
• To extract data without changing the phone’s current state, able to
record and explain the investigation processes and preserve the
original evidence.

4. Introduction
Mobile phone forensics is the science of recovering digital
evidence from a mobile phone under forensically sound
conditions using accepted methods.
4

5. Why Mobile Phone Forensics?
• Contain massive volume of information
• Communication (Calls, SMS)
• Calendar
• Logs
• Picture/ Video

6. Smartphone sales statistics 1Q2016/1Q2017

7. Smartphone sales statistics by OS
1Q2016/1Q2017

8. Nokia 5110
Today
Phonebook
Speed dials
Calls history
SMS messages
Monophonic
melodies
General phone
information
Phonebook
Calendar
Tasks
Notes
Caller
groups
Speed dials
Event log
Profiles
Gallery files Java
applications
and games
Multiple contact
fields of the
same type
Personal settings
for contacts
Messages
Message
folders
General
phone
information
Geo event
positioning
(LifeBlog)
GPS
Web
browser IM client
10 years ago
Modern phone
Mobile Phones Evolution
Source:
(C) Oxygen Software, 2000-2009
http://www.oxygen-forensic.com

14. Potential Evidence
• Data of evidential value can be found in 3 principal
areas of a mobile phone:
• Phone’s Memory
• SIM card
• External storage
(MMC, SD, Memory Stick)

15. Phone’s Memory
• International Mobile Equipment Identity (IMEI)
• Phonebook
• Call logs (Received, Dialed, Missed)
• SMS and MMS
• Stored Files (Picture, Video, Audio)
• Stored Executable Programs
• Email, Memo,Calendars
• GPS

16. SIM vs USIM
SIM - Subscriber Identity Module
is a removable smart card
used to communicate on GSM networks
Allows users to change phones by removing the SIM card and inserting it
into another mobile phone
USIM – Universal subscriber identity module
Used to communicate on UMTS/3G networks
A 3G (UMTS) handset equipped with a USIM card can be used to make
video calls within the area covered by a 3G network
USIM has much bigger phonebook than SIM
High speed internet connections
16

17. SIM
• SMS
• Integrated Circuit Card Identifier (ICCID)
• International Mobile Station Identity (IMSI)
• Mobile Subscriber ISDN
• Location Area Code (LAC)
• Phonebook
• Last Dialed Numbers
• Authenticating the user of the Cell phone to the network
The SIM provides storage for personal information, such as phone
book entries and text messages, as well as service-related
information.

18. • ICCID is the serial number of the SIM card
• Up to 18 to 20 digit numbers (10 bytes) that uniquely
identifies each SIM card.
• 896019050877016896
• Can be used with IMEI to acquire log information from
service provider
• It helps to identify the country and network
operator’s name
• If ICCID not exist on SIM, then
use ForensicSIM tool to obtain ICCID.
ICCID (Integrated Circuit Card Identification)

19. International Mobile Station Identity (IMSI)
• International Mobile Subscriber Identity (IMSI) is typically a 15-
digit number (56 bits)
• Its consisting of three parts including the Mobile Country Code,
Mobile Network Code, and Mobile Station Identification Number
which are stored electronically within the SIM.
• The IMSI can be obtained through the analysis of the SIM.
19

20. Mobile Subscriber ISDN
• The Mobile Station International Subscriber Directory
Number (MSISDN) is the phone's 15-digit, globally unique
number.
• The MSISDN follows the International Telecommunication
Union (ITU) Recommendation E.164 telephone numbering
plan, composed of a 1-3 digit country code, followed by a
country-specific number.
20

21. Location Area Code (LAC)
• The served area of a cellular radio network is usually
divided into location areas. Location areas are
comprised of one or several radio cells.
• Each location area is given an unique number within
the network
• This code is used as a unique reference for the
location of a mobile subscriber.
• This code is necessary to address the subscriber in the
case of an incoming call.
21

22. How SMS works?

23. External Storage
• Files
• Backup data
• Deleted Files
• Applications

24. Guidelines
•There are 4 basic steps in mobile phone forensics
investigations:
Seizure
Examination
Data Extraction
• Ensure evidence is not tampered
• Check conditions
• Find phone specs
• Find tools that support
phone
• Extract data in the
phone, SIM and
xternal card
Documentation

25. Copyright © 2010 CyberSecurity
Malaysia
25

26. 1. Note if it is switched on or off.
2. If ‘ON’, pay attention to icons on the phone
 Missed call
 Battery status
 SMS
3. Do not dismantle the phone - Do not take the back off the
phone, or remove the battery
4. Record the time of phone
5. Compare with other time (your watch/ notebook)
Guidelines: Seizure

27. 4. Ask for PIN/ Password if any
5. Search for Phone chargers
6. Before transporting, put the phone in a signal container
bag
 Faraday cage
 Aluminum foil (four layers)
 Arson cans
Seizure (cont…)

28. “Which one should I acquire first if:
• Phone is running?
• Phone is dead?”
Scenario 1

29. EXAMINATION
• Connect phone with appropriate cables or method (Infra-red or Bluetooth)
• Acquire with appropriate software
• If the phone is a GSM phone note IMEI number on screen (by typing *#06#)
• Remove handset from the container bag and turn the phone on. Photograph any startup
screens or messages.
• Power off handset, and remove casing
• Photograph battery, and label behind it once battery removed (usually shows
• IMEI)
• If the phone is a GSM remove SIM and photograph both sides.
• Acquire SIM with forensic software
• Perform of memory cards if present.
• Reassemble handset.
• Reseal and return evidence to property locker
29

30. • SIM cards should be processed separately from the cellular phone
they are installed in to preserve the integrity of the data contained on
the SIM card.
• Deleted data may not be extracted
• Why? SIM/external storage is controlled by OS if the phone is switched
ON
SIM/ External Storage

31. • Record/ photograph IMEI
• IMEI is the unique identity of a
mobile phone
• Printed under battery or press “*#06#”
• 15 digit number
• 353396006345750
• First Eight digits, known as the Type Allocation Code (TAC), give the
model and origin
• Can be used to find phone’s specification and user
guidelines
• http://www.numberingplans.com
• http://www.mobileforensicscentral.com
IMEI

32. Scenario 2
• “I’ve never seen this thing before. I have no idea what phone it is or what it can
do. I need to find out fast!”
• www.gsmarena.com
• http://www.mobileforensicscentral.com

33. gsmarena.com

34. mobileforensicscentral.com

35. • “I’ve retrieved an IMEI (handset serial #)
• and an ICCID (SIM serial #). I want to
• check them out”
• Good for:
• Identifying obscure mobile phones
• Getting PUK from Telco
Scenario 3
http://www.numberingplans.com

36. numberingplans.com

37. • Data is read via SIM card reader and an appropriate
software
SIM

38. • Deleted data is visible when the correct tool is used
SIM

39. • Deleted data is not extracted if the SIM is read while it is
inside the phone
SIM

40. • Careful with hidden places to store media (e.g.: Nokia 3250)
External Storage

41. • Data is extracted from phone in one of three ways:
• Manual Analysis – physical analysis of the phone involving manual manipulation of the keypad
and photographic documentation of data displayed on the screen.
• Logical Analysis - Connect data cable/infrared/bluetooth to the handset and extract data using
suitable software.
• Physical Analysis (Hex Dump) - Dump the memory from phone and analyze the resulting
memory dump.
Phone Memory

42. Logical vs. Physical
Physical analysis
All information can be
extracted
Hard to perform
Very hard to analyze
Expensive software,
special hardware
needed
Logical analysis
Very few information
can be extracted
Easy to perform
Easy to analyze
Affordable software, no
special hardware
needed
Source:
(C) Oxygen Software, 2000-2009
http://www.oxygen-forensic.com

43. Logical Extraction
Connection Type:

44. • Copy out live data (e.g., directories and files) that reside on
a logical store
• Currently, most software are developed to extract data
through logical acquisition
• Not possible to recover deleted information from phone’s
memory
Logical Extraction

45. Tools
 .XRY
 Cellebrite
 Pandora’s Box
 Device Seizure
 Oxygen Phone Manager II for Nokia
(Forensic)
 Oxygen Phone Manager II for Symbian
(Forensic)
 MOBILedit! Forensic
 Hex Workshop (Hex Analysis)
 SIMCon (SIM)
 EnCase (Neutrino module)

46. Oxygen Phone Manager
MOBILedit! Forensic
Logical Extraction

47. .XRY
Logical Extraction

48. • Bit-by-bit copy of an entire physical store (e.g. flash memory
chip)
• Via
• Taking out memory chip
• JTAG interface
• Allows any data remnants (e.g. unused memory space) to
be examined
Physical Extraction

49. JTAG Interface
JTAG Cable
Acquisition Process
Connection Setting
Physical Extraction

50. • Result can be seen by using Hex Editor
Physical Extraction

51. Documentation
The examiner’s notes and documentation should include information such as:
• The date and time the examination was started
• The physical condition of the phone
• Pictures of the phone and individual components (e.g., SIM card and memory
expansion card) and the label with identifying information
• The status of the phone when received (off or on)
• Make, model, and identifying information
• Tools were used during the examination
• What data was documented during the examination
51

52. Conclusion
• New development on mobile phone forensic must be
developed as the mobile phone technologies are growing.
• The consistent and well documented examination processes
are crucial in ensuring that the evidence extracted from each
phone is well documented and the results are defensible in
court.
52

53. REFERENCES
• CHFI (slide notes)
• CyberSecurity Malaysia (slide notes)
• Gartner.com

54. Thank You
For Your Patience