Lect 6 computer forensics
1. Intro to Computer Forensics
Mr. Islahuddin Jalal
MS (Cyber Security) – UKM Malaysia
Research Title – 3C-CSIRT Model for Afghanistan
BAKHTAR UNIVERSITY باخترپوهنتون د
2. Outline of topics to be discussed…
• Objective
• Potential Evidence
• Guidelines
• Seizure
• Examination
• Data Extraction
• Documentation
• Tools
• Q & A
3. Objective
• To extract data without changing the phone’s current state, to record and
be able to explain every step of the investigation, and to preserve the
original evidence.
4. Introduction
Mobile phone forensics is the science of recovering digital
evidence from a mobile phone under forensically sound
conditions using accepted methods.
5. Why Mobile Phone Forensics?
• Contain massive volume of information
• Communication (Calls, SMS)
• Calendar
• Logs
• Picture/ Video
8. Mobile Phones Evolution
Nokia 5110 (10 years ago): phonebook, speed dials, call history, SMS messages,
monophonic melodies, general phone information.
Modern phone (today): phonebook with multiple contact fields of the same type
and personal settings for contacts, calendar, tasks, notes, caller groups,
speed dials, event log, profiles, gallery files, Java applications and games,
messages and message folders, general phone information, geo event
positioning (LifeBlog), GPS, web browser, IM client.
Source: (C) Oxygen Software, 2000-2009, http://www.oxygen-forensic.com
14. Potential Evidence
• Data of evidential value can be found in 3 principal
areas of a mobile phone:
• Phone’s Memory
• SIM card
• External storage
(MMC, SD, Memory Stick)
16. SIM vs USIM
SIM - Subscriber Identity Module
• A removable smart card used to communicate on GSM networks
• Lets a user change phones by removing the SIM card and inserting it into
another handset
USIM - Universal Subscriber Identity Module
• Used to communicate on UMTS/3G networks
• A 3G (UMTS) handset with a USIM can make video calls within the area
covered by a 3G network
• A USIM holds a much larger phonebook than a SIM
• Supports high-speed internet connections
17. SIM
• SMS
• Integrated Circuit Card Identifier (ICCID)
• International Mobile Subscriber Identity (IMSI)
• Mobile Subscriber ISDN Number (MSISDN)
• Location Area Code (LAC)
• Phonebook
• Last dialled numbers
• Authentication of the subscriber to the network
The SIM provides storage for personal information, such as phonebook
entries and text messages, as well as service-related information.
18. ICCID (Integrated Circuit Card Identification)
• The ICCID is the serial number of the SIM card
• Up to 20 digits (stored in 10 bytes on the card), uniquely identifying
each SIM card
• Example: 896019050877016896
• Can be used together with the IMEI to request log information from the
service provider
• Identifies the country and the network operator’s name
• It is usually printed on the card; if it is not, read it from the SIM
with a forensic SIM tool (e.g. ForensicSIM).
19. International Mobile Subscriber Identity (IMSI)
• The IMSI is a unique subscriber number of up to 15 digits.
• It consists of three parts: the Mobile Country Code (MCC), the Mobile
Network Code (MNC) and the Mobile Subscriber Identification Number (MSIN),
and is stored electronically on the SIM.
• The IMSI can be obtained through analysis of the SIM.
20. Mobile Subscriber ISDN Number (MSISDN)
• The Mobile Station International Subscriber Directory Number (MSISDN) is
the phone’s globally unique telephone number, up to 15 digits long.
• The MSISDN follows the International Telecommunication Union (ITU)
Recommendation E.164 numbering plan: a 1-3 digit country code followed by
a country-specific national number.
21. Location Area Code (LAC)
• The area served by a cellular network is divided into location areas,
each made up of one or more radio cells.
• Each location area has a number that is unique within the network: the
LAC.
• The network uses this code as a reference for the location of a mobile
subscriber.
• It is needed to page the subscriber when there is an incoming call.
• The SIM records the last location area the phone registered in, so the
LAC read from the SIM shows where the phone was last used on the network.
24. Guidelines
• There are 4 basic steps in a mobile phone forensics investigation:
1. Seizure
• Ensure the evidence is not tampered with
• Check conditions
2. Examination
• Find the phone’s specifications
• Find tools that support the phone
3. Data Extraction
• Extract the data in the phone, the SIM and the external card
4. Documentation
26. Guidelines: Seizure
1. Note whether the phone is switched on or off.
2. If it is ON, pay attention to the icons on the screen:
• Missed calls
• Battery status
• SMS
3. Do not dismantle the phone: do not take the back off or remove the
battery.
4. Record the time shown on the phone.
5. Compare it with a reference time (your watch/notebook).
27. Seizure (cont…)
6. Ask for the PIN/password, if any.
7. Search for the phone’s chargers (a shielded phone keeps searching for a
network and drains its battery faster).
8. Before transporting, put the phone in a signal-blocking container:
• Faraday bag or cage
• Aluminium foil (at least four layers)
• Unused metal arson (paint) cans
28. Scenario 1
“Which one should I acquire first if:
• the phone is running?
• the phone is dead?”
29. EXAMINATION
• Remove the handset from the container bag and turn the phone on, keeping
it isolated from the network (e.g. inside a shielded enclosure). Photograph
any start-up screens or messages.
• If the phone is a GSM phone, note the IMEI shown on screen (type *#06#).
• Connect the phone with the appropriate cable or method (infrared or
Bluetooth).
• Acquire with the appropriate software.
• Power off the handset and remove the casing.
• Photograph the battery, and the label behind it once the battery is
removed (it usually shows the IMEI).
• If the phone is GSM, remove the SIM and photograph both sides.
• Acquire the SIM with forensic software.
• Perform acquisition of memory cards, if present.
• Reassemble the handset.
• Reseal and return the evidence to the property locker.
30. SIM / External Storage
• SIM cards should be processed separately from the phone they are installed
in, to preserve the integrity of the data on the SIM card.
• Otherwise deleted data may not be extracted.
• Why? The SIM and external storage are controlled by the phone’s OS while
the phone is switched ON, and the OS only presents the records it considers
live.
31. IMEI
• Record/photograph the IMEI
• The IMEI is the unique identity of a mobile phone
• Printed under the battery, or displayed by pressing *#06#
• 15-digit number, e.g. 353396006345750
• The first eight digits, the Type Allocation Code (TAC), give the model
and origin
• Can be used to find the phone’s specifications and user guides:
• http://www.numberingplans.com
• http://www.mobileforensicscentral.com
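The identifier slides above (ICCID, IMSI, MSISDN and IMEI) describe structures that are easy to check programmatically. The following is an added Python example, not part of the lecture, that decomposes the slide’s own sample values (IMEI 353396006345750, ICCID 896019050877016896) and applies the Luhn check-digit rule that both identifiers carry; the IMSI and MSISDN it parses are constructed from the slide’s MCC-MNC 502-13 and country code 60 with made-up subscriber digits. Note that the slide’s ICCID does not pass the Luhn check as written, so the function reports the result instead of rejecting the number: treat a failure as a prompt to re-read the digits from the card, not as proof the number is wrong.

```python
"""Decode the identifiers an examiner records from a handset and its SIM.

Added example (not from the lecture). Structures follow 3GPP TS 23.003
(IMEI, IMSI), ITU-T E.118 (ICCID) and ITU-T E.164 (MSISDN). Values marked
'from slide' are the lecture's; everything else is constructed.
"""
from typing import Dict


def luhn_valid(number: str) -> bool:
    """Luhn check: the rightmost digit is the check digit.

    Used by the IMEI (15th digit) and the ICCID (last digit, where present)."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_imei(imei: str) -> Dict[str, object]:
    """8-digit TAC (first 2 = Reporting Body Identifier), 6-digit serial,
    1 check digit."""
    if len(imei) != 15 or not imei.isdigit():
        raise ValueError("IMEI must be exactly 15 digits")
    return {"reporting_body": imei[:2], "tac": imei[:8], "serial": imei[8:14],
            "check_digit": imei[14], "luhn_ok": luhn_valid(imei)}


def parse_iccid(iccid: str) -> Dict[str, object]:
    """E.118: '89' (telecom industry), country code, issuer identifier,
    account number, check digit; at most 20 digits. Country and issuer code
    lengths vary and are not self-describing, so the 2+2 split used on the
    slide (60 = Malaysia, 19 = Celcom) is assumed here."""
    if not iccid.isdigit() or not 18 <= len(iccid) <= 20:
        raise ValueError("ICCID must be 18-20 digits")
    if not iccid.startswith("89"):
        raise ValueError("ICCID must start with industry identifier 89")
    return {"mii": iccid[:2], "country_code": iccid[2:4], "issuer": iccid[4:6],
            "account": iccid[6:-1], "check_digit": iccid[-1],
            # Some issuers do not use an E.118 check digit: report, don't reject.
            "luhn_ok": luhn_valid(iccid)}


def parse_imsi(imsi: str, mnc_digits: int = 2) -> Dict[str, str]:
    """3-digit MCC + 2- or 3-digit MNC + MSIN, 15 digits at most. The MNC
    length depends on the MCC (3 digits in North America, 2 almost everywhere
    else), so the caller supplies it or looks it up from an operator table."""
    if not imsi.isdigit() or not 6 <= len(imsi) <= 15:
        raise ValueError("IMSI must be 6-15 digits")
    if mnc_digits not in (2, 3):
        raise ValueError("MNC is 2 or 3 digits")
    return {"mcc": imsi[:3], "mnc": imsi[3:3 + mnc_digits],
            "msin": imsi[3 + mnc_digits:]}


def parse_msisdn(msisdn: str, cc_digits: int) -> Dict[str, str]:
    """E.164: optional '+', 1-3 digit country code, national number,
    15 digits at most (the country-code length is not self-describing)."""
    digits = msisdn.lstrip("+")
    if not digits.isdigit() or len(digits) > 15 or not 1 <= cc_digits <= 3:
        raise ValueError("MSISDN: at most 15 digits with a 1-3 digit country code")
    return {"country_code": digits[:cc_digits], "national_number": digits[cc_digits:]}


def check_handset_imei(label_imei: str, screen_imei: str) -> str:
    """The slide's cloned-phone check: the IMEI printed under the battery must
    match the one the OS reports via *#06#, and it must pass the Luhn check."""
    if label_imei != screen_imei:
        return "MISMATCH: label and *#06# differ (possible clone or reflashed handset)"
    return "consistent" if luhn_valid(screen_imei) else "consistent but check digit invalid"


if __name__ == "__main__":
    print(parse_imei("353396006345750"))               # from slide
    print(parse_iccid("896019050877016896"))           # from slide
    print(parse_imsi("502131234567890"))               # constructed: MCC 502, MNC 13
    print(parse_msisdn("+60123456789", cc_digits=2))   # constructed
    print(check_handset_imei("353396006345750", "353396006345750"))
```

The MNC and country-code lengths have to come from outside the number itself, which is why a lookup site such as numberingplans.com is still part of the workflow: the parser only splits what it is told to split.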
32. Scenario 2
• “I’ve never seen this thing before. I have no idea what phone it is or what it can
do. I need to find out fast!”
• www.gsmarena.com
• http://www.mobileforensicscentral.com
35. Scenario 3
• “I’ve retrieved an IMEI (handset serial #) and an ICCID (SIM serial #). I want to
check them out.”
• http://www.numberingplans.com
• Good for:
• Identifying obscure mobile phones
• Getting the PUK from the telco
37. SIM
• Data is read via a SIM card reader and appropriate software
38. SIM
• Deleted data is visible when the correct tool is used
39. SIM
• Deleted data is not extracted if the SIM is read while it is inside the phone
40. External Storage
• Check carefully for concealed memory-card slots (e.g. the Nokia 3250)
before concluding that a phone has no external storage
41. Phone Memory
• Data is extracted from the phone in one of three ways:
• Manual analysis: physical handling of the phone, manipulating the keypad and
photographing the data displayed on the screen.
• Logical analysis: connect a data cable, infrared or Bluetooth to the handset and
extract data using suitable software.
• Physical analysis (hex dump): dump the phone’s memory and analyze the resulting
memory dump.
42. Logical vs. Physical
Physical analysis:
• All information can be extracted
• Hard to perform
• Very hard to analyze
• Expensive software and special hardware needed
Logical analysis:
• Only a limited amount of information can be extracted
• Easy to perform
• Easy to analyze
• Affordable software, no special hardware needed
Source: (C) Oxygen Software, 2000-2009, http://www.oxygen-forensic.com
44. Logical Extraction
• Copies out live data (e.g. directories and files) that resides on a
logical store
• Currently, most software extracts data through logical acquisition
• Generally cannot recover deleted information from the phone’s memory
45. Tools
• .XRY
• Cellebrite
• Pandora’s Box
• Device Seizure
• Oxygen Phone Manager II for Nokia (Forensic)
• Oxygen Phone Manager II for Symbian (Forensic)
• MOBILedit! Forensic
• Hex Workshop (hex analysis)
• SIMCon (SIM)
• EnCase (Neutrino module)
48. Physical Extraction
• Bit-by-bit copy of an entire physical store (e.g. a flash memory chip)
• Via:
• Taking out the memory chip (chip-off)
• The JTAG interface
• Allows any data remnants (e.g. unused memory space) to be examined
50. Physical Extraction
• The result is examined with a hex editor
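Slides 48 and 50 describe examining a JTAG or chip-off dump in a hex editor and searching it for keywords. The following added Python example (not part of the lecture or of any tool it names) automates that first pass over a constructed flash image: it carves printable runs in both 8-bit and UTF-16LE encodings (many handsets store message text as UCS-2, which a plain ASCII search misses), reports their offsets, and filters by keyword. The image contents, offsets and strings are all constructed.

```python
"""Keyword search over a physical (hex) dump.

Added example (not from the lecture). A JTAG or chip-off image is raw
flash: no file system view, and deleted records sit in unallocated space
among 0xFF erase padding. The first pass is what the lecturer does in the
hex editor, automated: carve runs of printable text (8-bit ASCII and
UTF-16LE, which many handsets use for message text) with their offsets,
then grep them. The dump below is constructed for this example.
"""
import re
from typing import List, Tuple

Hit = Tuple[int, str, str]          # (offset, encoding, text)


def carve_strings(image: bytes, min_len: int = 6) -> List[Hit]:
    """Return printable runs of at least min_len characters, sorted by offset."""
    found: List[Hit] = []
    # 8-bit printable ASCII runs (0x20-0x7E).
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, image):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    # UTF-16LE runs: printable ASCII byte followed by 0x00, repeated.
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, image):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16le")))
    return sorted(found)


def grep_dump(image: bytes, keyword: str, min_len: int = 6) -> List[Hit]:
    """Case-insensitive keyword search over the carved strings."""
    kw = keyword.lower()
    return [hit for hit in carve_strings(image, min_len) if kw in hit[2].lower()]


def build_sample_dump() -> bytes:
    """Constructed flash image: erased padding, a live file header, binary
    noise, and a deleted UCS-2 SMS remnant in unallocated space."""
    erased = b"\xff" * 64
    header = b"CONTACTS.DB\x00" + b"\x00" * 20                 # 32 bytes
    noise = bytes([0x00, 0x80, 0x01, 0xfe] * 8)                 # 32 bytes, none printable
    sms_remnant = "Transfer done, delete this msg".encode("utf-16le")
    return erased + header + erased + noise + sms_remnant + erased


if __name__ == "__main__":
    dump = build_sample_dump()
    for offset, enc, text in carve_strings(dump):
        print(f"0x{offset:06x} {enc:9s} {text}")
    print("keyword hits:", grep_dump(dump, "delete"))
```

An ASCII-only search of this image finds just the file header; the message text only appears once UTF-16LE runs are carved as well, which is the usual reason a hex-editor keyword search on a handset dump comes back empty.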
51. Documentation
The examiner’s notes and documentation should include information such as:
• The date and time the examination was started
• The physical condition of the phone
• Pictures of the phone and its individual components (e.g. SIM card and memory
expansion card) and of the label with identifying information
• The status of the phone when received (off or on)
• Make, model and identifying information
• The tools used during the examination
• What data was documented during the examination
52. Conclusion
• Mobile phone forensics must keep developing as mobile phone technology
grows.
• Consistent and well-documented examination processes are crucial to
ensure that the evidence extracted from each phone is recorded properly
and that the results are defensible in court.
These are the topics I will cover today: the objective of mobile phone forensics, the potential evidence, the guidelines and, last but not least, the tools and equipment we use. I have put a Q&A session at the end of the slides, but feel free to stop me if you need to ask a question.
The objective is that you must make sure you do not tamper with the evidence, whatever you are doing. You also have to record everything, because you cannot get an exact copy of a cell phone; it is not like making a copy of a hard disk, which my colleague will explain after this. Even though you are not technically modifying the phone in any way,
There are four important kinds of information in the phone that we need to consider: communication (calls, SMS, MMS), calendar (important dates or meetings), logs, and pictures or video.
This slide shows the evolution of mobile phones, comparing the Nokia 5110 with the iPhone. Ten years ago we used a phone only to communicate with other people; it had the basics (phonebook and SMS). A modern phone like the iPhone does far more than communicate, for example GPS, games and internet.
Data of evidential value can be found in the phone itself, the SIM card, and external storage such as MMC and SD cards.
What can we actually get from the phone memory?
IMEI (International Mobile Equipment Identity): the network uses this number to identify valid devices, so it can be used to stop a stolen phone from accessing the network in that country.
Others are call logs, SMS and MMS, stored files, executable files and the calendar.
These are all the details you can get from the SIM.
The ICCID is like an identity-card number for the SIM card; every SIM card has its own ICCID.
The IMSI identifies the subscriber and the home network (MCC and MNC) the subscription belongs to.
Each location area is assigned a unique number called the location area code. The LAC is broadcast by each base station.
ICCID - up to 20 digits
E.g.: 896019050877016896
89 = industry identifier for telecommunications (ITU-T E.118)
60 = country code (Malaysia)
19 = network (issuer) code - Celcom
The rest is the serial number
Network name: CELCOM
Operator name: Celcom (Malaysia) Sdn Bhd
Country or global network: Malaysia
MCC-MNC: 502-13
We used to be able to tell the telco from this, but not any more!
These are all the things you can get from the SD card: existing files, backup data if any, deleted files such as pictures and videos, and applications such as games.
As I said earlier, the objective is to ensure that we do not change any data or evidence in the exhibit. These are the steps we have to take. First, seizure.
This is what you should do when the phone is on: pay attention to the icons on the phone, such as missed calls, battery status and SMS. Record all of this in your notes together with the time shown on the phone, so it can be compared with your watch. This avoids problems with timestamps later.
We need to ask for the password, if any, because our tools cannot extract data from a password-protected phone. We have to put the phone in a signal-blocking container to prevent any incoming signal from tampering with the evidence; aluminium foil, for example, needs at least four layers to block the signal.
This is a common question. When the phone is on, you need to acquire the phone first; it saves you if the phone suddenly dies and you do not have the password.
Before doing the analysis, this is the most important thing you should know: you should not analyse the SIM card while it is still inside the phone, because that will prevent you from getting the deleted data.
First we must record/photograph the IMEI. There are two ways to get the IMEI: it is printed under the battery, or you can press *#06#.
You can also refer to these websites to find the phone’s specifications and user guides.
35 = Reporting Body Identifier (the first two digits of the TAC)
339600 = remainder of the type allocation (approval) code
634575 = serial number
0 = Luhn check digit
Comparing the IMEI printed under the battery with the one reported by the OS (*#06#) shows whether the phone has been cloned.
If you have never seen the phone before and have no idea what phone it is, you can always check these two websites.
This is an example of an iPhone specification search using gsmarena.com.
The other example is a phone specification search using mobileforensicscentral.com.
What should you do when you have the IMEI and the ICCID? Check them on this website: it can identify obscure mobile phones and also help in getting the PUK number from the telco.
To get data from a SIM card you need a SIM card reader and suitable software, as in this example with MOBILedit.
You can get the data even if it has been deleted; the word "del" here marks the deleted data.
You should also know that deleted data is not extracted while the SIM is inside the phone, because the SIM is controlled by the phone’s OS, and the OS asks the SIM to show only the active data.
You have to check the phone carefully before you can declare that it has no external storage.
Data can be extracted from the phone in two ways.
For logical extraction you can use these types of connection: cable and Bluetooth. We use the cable for old phone models that do not have Bluetooth. Bluetooth is the best way, but it takes a long time to finish.
AT commands - also known as Hayes commands, a set of commands originally
developed for controlling modems. "AT" is the attention prefix that starts
each command; modems also use it to detect the speed at which the two
devices should communicate.
FBUS (Nokia) - a proprietary protocol that lets a PC access the data stored
in a Nokia mobile phone. FBUS also allows the PC to use the phone’s network
functions, for example to send and receive SMS messages.
OBEX (Object Exchange) - a transport protocol, originally developed for use
over infrared, that enables generic transport of data over a communication
medium.
IrMC (Infrared Mobile Communications) - a synchronisation protocol, originally
designed for use over infrared, that lets information stored in a mobile
device, such as calendar entries and contacts, be synchronised with a PC
application such as Microsoft Outlook.
SyncML (Synchronization Markup Language) - a synchronisation protocol that
is replacing IrMC as the standard for phone-PC synchronisation.
In conclusion, logical analysis can only give you the basics, such as SMS and call logs, so it is not possible for us to recover deleted data with this type of analysis.
Logical storage holds live data (the data the user sees when the phone is switched on). The data loaded for display on the phone is controlled by the OS, so deleted data is not visible to the user.
Here is the list of software/tools that we can use for logical analysis; the top two are the ones we currently use in our lab.
Snapshot taken during acquisition of a Nokia phone using .XRY.
FBUS: in the picture it is used for analysing calls and reading contacts. FBUS is the proprietary Nokia protocol described earlier, which lets a PC access the data stored in the phone and use its network functions, for example to send and receive SMS messages.
Physical analysis is more complicated, as we copy the entire physical store bit by bit, either by taking out the chip or by using the JTAG interface.
In this presentation I will only cover the JTAG interface.
First, we connect the phone to the PC using a suitable JTAG cable, as you can see here; then you can proceed with the acquisition.
The result is not human-readable, so we need a hex editor to interpret it for us. As you can see here, there are some words that we believe are deleted SMS. If you know what you are looking for, it is easier: you can just search for the keyword with the search option instead of finding it yourself.