Computer Hacking Forensic Investigator Exam 312-49
Cell Phone Forensics
Module XXXVIII Page | 3477 Computer Hacking Forensic Investigator Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Computer Hacking Forensic Investigator (CHFI)
Module XXXVIII: Cell Phone Forensics
Exam 312-49
News: Mountain of Evidence on Alleged ‘SMS-blitz’
A date has yet to be announced for the resumption of public hearings of the provincial commission of
inquiry into the city's surveillance of councillor Badih Chaaban.
Hearings for the Erasmus Commission would have started yesterday but were suspended after Mayor
Helen Zille claimed the process was illegal and unconstitutional.
Premier Ebrahim Rasool agreed to put the hearings on hold pending legal advice about the process. The
commission's mandate has been extended to the end of April and hearings could be postponed until then,
but it is still gathering written and recorded evidence.
The investigation of the alleged "SMS blitz" by DA councillor Pat Hill shortly before the party's federal
congress in May is included in the latest bundle of evidence to be released to the public.
Hill was accused of sending SMS messages saying that the election of Zille as party leader would be the
"final nail in the coffin for Afrikaners".
He was later cleared by the DA, with federal chairman James Selfe saying the SMS "definitely" did not
come from Hill's phone.
But a forensic investigation by George Fivas & Associates, appointed by George Municipality on March 12,
2007, found that the SMS was sent from Hill's phone.
Hill reportedly said the SMS had been sent by someone who had either taken his SIM card or used his
handset to send the message.
But the investigators found that at "no stage after April 4, 2003" was the SIM card used in any other
handset.
The report noted that more information was needed before it could be established whether Hill's
cellphone had been "hacked" or if the SMS had been sent by him.
Module Objective
This module will familiarize you with:
Hardware Characteristics of Mobile Devices
Cellular Network
Different OS in Mobile Phone
What a Criminal Can do with Mobiles
Mobile Forensics
Subscriber Identity Module
Cell phone Forensics steps
Cell phone Forensics Tool
Challenges for Forensic Efforts
Module Flow
Mobile Phone
The mobile (cellular) phone is a short-range electronic device used for mobile voice or data
communication over a network of specialized base stations operated by various network providers.
It is a personal device that its owner uses for both personal and professional purposes. Earlier it
was used only for voice calls and SMS, but for today's users the meaning of "mobile phone" has changed
entirely: the buyer chooses a phone according to the features he or she is interested in. Typical
features of a mobile phone are as follows:
Voice and text messaging, usually termed calls and service messages
Personal Information Management (PIM), with which the user can schedule his or her day
SMS and MMS messaging, i.e., text, image, or video clip messaging
Receiving email, chatting, and browsing from the phone, as network providers offer users
access to the Internet
Storage of images, audio, and video, depending on the memory size
Downloading and playing games
A camera with a video recorder
Hardware Characteristics of Mobile Device
Table 38-1: Hardware Characteristics of Mobile Device (Source: http://csrc.nist.gov)
Software Characteristics of Mobile Devices
Table 38-2: Software Characteristics of Mobile Device (Source: http://csrc.nist.gov)
Components of Cellular Network
Source: http://csrc.nist.gov/
A cellular network is made up of cells, each served by a transmitter. The network provider is responsible
for the cellular network, which lets a user connect and communicate with other people. A complete
cellular network requires a base station subsystem and a network subsystem, which are in turn built from
the following components:
Mobile Switching Center (MSC): The switching system of the cellular network. It connects a call by
switching traffic from one network path to another
Base Transceiver Station (BTS): Radio transceiver equipment that provides the wireless link
between the mobile phone and the network
Base Station Controller (BSC): Manages the transceiver equipment and performs channel
assignment. It is the part of the GSM architecture that controls one or more base transceiver
stations and the cell site's radio signals, reducing the load on the switch
Base Station Subsystem (BSS): One of the major sections of a cellular network. It controls the BSC
and BTS units and is responsible for:
o Handling traffic
o Signaling between the cell phone and the network switching system
Home Location Register (HLR): Database at the MSC. It is the central repository for subscriber
data and service information
Visitor Location Register (VLR): Database used in conjunction with the HLR for mobile phones
roaming outside their home service area
Cellular Network:
Figure 38-1: Cell Network
Different Cellular Networks
Cellular networks differ according to the service provider, geographical location, and advances in
technique. The different types of cellular network are as follows:
Code Division Multiple Access (CDMA): One of the dominant types of cellular network in use. It
employs spread spectrum technology, in which communication channels are defined in terms of
codes
Enhanced Data Rates for GSM Evolution (EDGE): Backwards-compatible digital mobile phone
technology that allows improved data transmission rates. It delivers high bit rates per radio
channel for packet-switched applications
Integrated Digital Enhanced Network (iDEN): Mobile communication technology developed by
Motorola that gives its users the benefits of both trunked radio and cellular telephony
General Packet Radio Service (GPRS): Packet-oriented mobile data service available to users of
GSM and IS-136 mobiles. It uses frequency division duplex and time division multiple access
Global System for Mobile communications (GSM): The major and most widely used cellular network
High-Speed Downlink Packet Access (HSDPA): Third-generation mobile telephony communication
protocol that allows high data transfer speeds on networks based on UMTS
Time Division Multiple Access (TDMA): Channel access method in which users share the same
frequency channel by dividing the signal into time slots
Unlicensed Mobile Access (UMA): UMA, also referred to as GAN (Generic Access Network), is a
telecommunication system that extends mobile services (voice, data, and IP Multimedia
Subsystem/Session Initiation Protocol (IMS/SIP) applications) over IP access networks
Universal Mobile Telecommunications System (UMTS): 3G mobile phone technology (later upgraded
towards 4G) that uses W-CDMA as its underlying air interface
Different OS in Mobile Phones
The different operating systems found in mobile phones are as follows:
Windows Mobile: Compact operating system, combined with a suite of basic applications for
mobile devices, based on the Microsoft Win32 API
Symbian OS: Operating system designed for mobile devices, with associated libraries, user
interface frameworks, and reference implementations of common tools, produced by Symbian Ltd
Linux: Operating system that is prevalent on computer systems. Because the Microsoft and Symbian
operating systems are somewhat complex, Linux is an alternative for future mobile phones; its
benefit is cost reduction, as it is an open source OS
Figure 38-2: Different operating systems in mobile phones (Source: www.linuxdevices.com)
What a Criminal Can do with Mobiles
Every device has its pros and cons, and so do mobiles. When a gadget with so many features falls into the
wrong hands, it has various adverse effects on its users. A criminal can use a stolen mobile for the
following:
Harassing or threatening other users
Sending viruses and Trojans to other users using the identity of the user
Illegal distribution of porn videos and images
Data theft
Storing and transmitting personal corporate information
Sending dangerous or offensive SMS and MMS
Cloning the SIM data for illicit use
Mobile Forensics
Mobile phone forensics is the recovery of digital evidence from a mobile phone under forensically sound
conditions using accepted methods. It includes the recovery and analysis of data from mobile devices and
SIM cards. The aim of mobile forensics is to identify the criminal who committed illegal acts using the
mobile.
Forensics Information in Mobile Phones
Mobile phones allow the user to save different information depending upon his/her requirement. The
information in the mobile phones can be used for forensic purposes as follows:
SIM card information
Phonebook
Call history
SMS and MMS
GPRS, WAP, and Internet settings
IMEI
Photos and video
Sound files
Network information, GPS location
Phone info (CDMA serial number)
Emails, memos, calendars, documents, etc.
Subscriber Identity Module (SIM)
Source: http://csrc.nist.gov/
The subscriber identity module, often referred to as a SIM card, is the component that lets the user
connect to the network and communicate with other users. It is a removable component that contains
essential information about the subscriber. Its main function is to authenticate the user of the cell phone
to the network so that the subscribed services can be accessed. It provides the user with a number of
identities.
SIMs come in two sizes:
1. 85.60 mm × 53.98 mm × 0.76 mm: The size of the first SIM card, which was about the size of a
credit card.
2. 25 mm × 15 mm: The newer, current SIM card, 25 mm wide and 15 mm high. Its thickness is
0.76 mm.
A SIM also lets the user store information such as phone numbers and messages. It has both volatile and
non-volatile memory; the SIM's file system resides in the non-volatile memory.
Figure 38-3: SIM
SIM File System:
Figure 38-4: SIM File System
Integrated Circuit Card Identification (ICCID)
The ICCID is the internationally unique 19- or 20-digit serial number of the SIM card. It consists of an
industry identifier prefix (89 for telecommunications), followed by a country code, an issuer identifier
number, and an individual account identification number. This code identifies the country and the
network operator.
The ICCID is stored in the SIM and is also printed on the SIM card. If the ICCID cannot be read from the
SIM card itself, obtain it with a (U)SIM acquisition tool such as ForensicSIM Toolkit.
Figure 38-5: ICCID
International Mobile Equipment Identifier (IMEI)
The IMEI (International Mobile Equipment Identifier) is a 15-digit number that indicates the manufacturer,
model type, and country of approval of a GSM device. It is different for every GSM, UMTS, and iDEN
mobile phone and is usually printed on the phone beneath the battery.
Of the 15 digits of the IMEI, the first 8 are the Type Allocation Code (TAC), which gives information
about the model and origin. On a powered-on GSM or UMTS phone, the IMEI can be obtained by keying in
*#06#. The IMEI has legitimate uses: GSM networks use it to identify the device and can block a mobile
phone from the network if it has been reported stolen.
Figure 38-6: International Mobile Equipment Identifier (Source: http://www.s60tips.com)
Electronic Serial Number (ESN)
The ESN is a unique 32-bit identifier recorded on a secure chip in a mobile phone by the manufacturer. The
first 8 to 14 bits identify the manufacturer and the remaining bits carry the assigned serial number. ESNs
are used with AMPS, TDMA, and CDMA phones. The uses of the ESN are as follows:
• It helps identify a stolen cell phone even when it has been given a new subscription identifier
• It proves that a particular mobile was used to make a call (used as evidence in court proceedings)
• It is used as an input to CAVE authentication
• It provides ANSI-41 validation and access probe timing
Figure 38-7: Electronic Serial Number (Source: http://wireless.agilent.com)
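The IMEI, ICCID, and ESN layouts described in the three sections above, worked through in Python. This is an added example, not EC-Council's or NIST's code; it assumes the IMEI and ICCID check digits follow the Luhn algorithm, takes the width of the ESN manufacturer code as a parameter (8 bits by default, 14 for the later format), and uses constructed sample identifiers that belong to no real device or subscriber.

```python
"""Decode the device and SIM identifiers an examiner records: IMEI, ICCID, ESN.

Added example (not from the CHFI module). Sample identifiers are constructed.
Assumption: IMEI and ICCID check digits use the Luhn algorithm.
"""
from __future__ import annotations

from dataclasses import dataclass


def luhn_checksum(digits: str) -> int:
    """Luhn checksum of a digit string; 0 means the check digit is consistent."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10


def luhn_check_digit(body: str) -> int:
    """Check digit that makes body + digit pass luhn_checksum."""
    return (10 - luhn_checksum(body + "0")) % 10


@dataclass
class IMEI:
    tac: str        # Type Allocation Code: model and origin (first 8 digits)
    serial: str     # manufacturer-assigned serial (next 6 digits)
    check: str      # check digit (15th digit)
    valid: bool     # True when the check digit is consistent with the rest


def parse_imei(raw: str) -> IMEI:
    """Split a 15-digit IMEI (dashes/spaces tolerated) into TAC, serial, check."""
    digits = "".join(ch for ch in raw if ch.isdigit())
    if len(digits) != 15:
        raise ValueError(f"IMEI must be 15 digits, got {len(digits)}")
    return IMEI(tac=digits[:8], serial=digits[8:14], check=digits[14],
                valid=luhn_checksum(digits) == 0)


@dataclass
class ICCID:
    industry_prefix: str   # "89" identifies the telecommunications industry
    body: str              # country code + issuer + account; split widths vary by issuer
    check: str
    valid: bool


def parse_iccid(raw: str) -> ICCID:
    """Validate a 19- or 20-digit ICCID: industry prefix 89 plus Luhn check digit."""
    digits = "".join(ch for ch in raw if ch.isdigit())
    if len(digits) not in (19, 20):
        raise ValueError(f"ICCID must be 19 or 20 digits, got {len(digits)}")
    if not digits.startswith("89"):
        raise ValueError("ICCID does not carry the telecom industry prefix 89")
    return ICCID(industry_prefix=digits[:2], body=digits[2:-1], check=digits[-1],
                 valid=luhn_checksum(digits) == 0)


def decode_esn(esn: int, manufacturer_bits: int = 8) -> tuple[int, int]:
    """Split a 32-bit ESN into (manufacturer code, serial number).

    The original format reserves the top 8 bits for the manufacturer; later
    assignments used 14 bits, so the split width is a parameter.
    """
    if not 0 <= esn <= 0xFFFFFFFF:
        raise ValueError("ESN must fit in 32 bits")
    serial_bits = 32 - manufacturer_bits
    return esn >> serial_bits, esn & ((1 << serial_bits) - 1)


if __name__ == "__main__":
    # Constructed values for demonstration only.
    print(parse_imei("49-015420-323751-8"))
    print(parse_iccid("8944123456789012348"))
    print(decode_esn(0x8F12A4B7))
```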
Precautions to be Taken before Investigation
Every investigation needs a set of criteria, and to solve the case successfully it is necessary to follow
certain guidelines and precautions while investigating. The precautions an investigator must take before
investigating a cell phone are as follows:
Handle cell phone evidence properly to preserve physical evidence such as fingerprints
To avoid unwanted interaction with devices found at the scene, turn off wireless interfaces such
as Bluetooth and Wi-Fi radios
Photograph the crime scene, including mobile phones, cables, cradles, power connectors,
removable media, and connections
If the device's display is in a viewable state, photograph the screen's contents and, if
necessary, record them manually, capturing the time, service status, battery level, and other
displayed icons
Collect other sources of evidence such as the (U)SIM, media, and other hardware in the phone, but
do not remove them from the device
If the phone is in a cradle or connected to a PC with a cable, seize the phone together with the cable
and cradle, because unplugging the device from the computer may interrupt a data transfer or
trigger a synchronization that overwrites data
If a phone is found in a compromised state, such as immersed in a liquid, remove the battery
to prevent electrical shorting and seal the remainder of the mobile phone in a proper container
filled with the same liquid, provided it is not caustic
Isolate the phone from the radio network, which keeps new traffic from overwriting the
existing data
Isolate the phone from other synchronized devices, which keeps new data from affecting the
existing data
Some mobile communication devices use alkaline batteries as a power source; replace such
batteries in transit to minimize the risk of data loss through complete battery discharge
The investigator should not perform any action that alters the data in evidence
All actions, including seizure, access, storage, or transfer of evidence, must be fully
documented, preserved, and available for review
Points to Remember while Collecting the Evidence
Evidence gathering plays a major role in the investigation. The points to remember while collecting
evidence are as follows:
1. If the device is “ON”, do not turn it “OFF”:
a. Cell phones have a locking feature that is activated as soon as they are switched OFF, so make
sure not to trigger the lockout by powering down
b. Document the information shown on the display of the cell phone. If possible, describe it or
photograph what is on the display.
c. A cell phone with a low battery will switch itself off. To prevent this, make sure the battery is
kept charged, so that the evidence on the device is preserved.
d. If you are not familiar with the device, make sure you do not press any key, as this can lead to
data loss from the mobile
2. If the device is “OFF”, leave it “OFF”:
a. Turning the device ON could alter the evidence on it, so do not switch the mobile ON
b. When the battery is removed from a mobile device, some (not all) of its content is lost, which is
a drawback. So do not remove the battery from the device, even if it is in the OFF state. For
example, consider a Nokia device: if the battery is removed, the time/date is lost and has to be
set again by the user. If the device is required as evidence together with its call log, i.e., the
time and date of each call, and the battery is removed, that evidence is obviously lost.
Acquire the Information
Source: http://csrc.nist.gov/
Acquiring data at the scene avoids loss of information through battery depletion, damage during
transportation, and storage. But where a controlled setting, appropriate equipment, and other
prerequisites are lacking, acquisition is not possible at the scene; it can then be carried out in the
laboratory.
Try to acquire the data from images of the evidence, such as SIM cards, or directly from the mobile
device itself. Use data acquisition tools such as SIM Card Data Recovery and SIMCon to recover the data
from the evidence (SIM cards); this is often straightforward and productive.
Acquire Data from SIM Cards
Source: http://csrc.nist.gov/
The SIM contains information important to the forensic investigation, including:
Service-related information, such as the unique identifier of the (U)SIM, the Integrated Circuit Card
Identification (ICCID), and the identifier of the subscriber, the International Mobile Subscriber
Identity (IMSI)
Phonebook and call information, such as Abbreviated Dialling Numbers (ADN) and Last Numbers
Dialled (LND)
Messaging information, including SMS, EMS, and multimedia messages
Location information, including Location Area Information (LAI) for voice communications and
Routing Area Information (RAI) for data communications
To access the SIM, a PIN (Personal Identification Number) is required. Failure to enter a valid PIN
in three attempts blocks the card, after which an 8-digit PUK (Personal Unlock Number) must be entered;
this 8-digit number is provided by the network operator and cannot be changed by the user. If the
user fails to enter the correct PUK in 10 attempts, the SIM is disabled permanently. So, to preserve
the information in the SIM, the investigator should obtain the PUK from the network operator to gain
access to it.
Acquire Data from Unobstructed Mobile Devices
Source: http://csrc.nist.gov/
An unobstructed device is one that does not require a password or other authentication to access
the device and perform an acquisition. Examples: CDMA phones, freestanding (U)SIMs, and GSM phones
containing a (U)SIM. Obstructed devices, by contrast, are typically those that are shut off and require
successful authentication to gain access.
Steps to acquire data from these devices are as follows:
Note down the time and date on the phone that is used as evidence
Check the contacts, call logs, SMS, and other entries
Use data recovery tools such as Cell Phone Analyzer to recover deleted information
from the device
Recover the information from such devices using the following techniques:
o Ask the victim or suspect for the PIN
o Review the seized non-electronic materials, such as notes or printouts
o Contact the service provider
o Contact the device manufacturer and service provider for information on known backdoors
and vulnerabilities that might be exploited
o Contact the device maintenance and repair companies, as well as commercial organizations
that provide architecture information on handheld device products
o Use different forensics tools such as Cell Phone Analyzer
o Use some data recovery tools such as SIM Analyzer and SIMCon
Memory Considerations in Mobiles
Source: http://csrc.nist.gov/
A mobile phone has memory that is either volatile or non-volatile, and the size of this memory depends
on the model of the phone. It stores several kinds of data, including:
Operating system code
Kernel
Device drivers
System libraries
Memory for executing operating system applications
Storing and executing user applications loaded onto the device
Text
Image, audio, and video
Other data files, including PIM application data
On some phones, memory is partitioned into regions dedicated to particular data, such as the call log,
phonebook entries, messages, and calendar entries; on others, memory for these items is assigned
dynamically from a common shared pool.
Acquire Data from Memory Cards
Source: http://csrc.nist.gov/
Removable media extends the storage capacity of mobile phones, allowing individuals to store additional
files beyond the device's built-in capacity and to share data between compatible devices. Mobile phones
support Secure Digital (SD), MultiMedia Cards (MMC), and other types of removable media that can hold
significant amounts of data.
Recover data from removable media and memory cards using a media reader and a memory card
recovery tool (e.g., Memory Card Data Recovery). The various types of memory card and their
characteristics are given below:
Compact Flash Card (CF)
  Matchbook size (length 36.4 mm, width 42.8 mm, thickness 3.3 mm for Type I cards and 5 mm for Type II cards)
  50-pin connector, 16-bit data bus
MMCplus (compatible with original MultiMedia Card or MMC)
  Postage stamp size (length 32 mm, width 24 mm, thickness 1.4 mm)
  13-pin connector, 1-, 4-, or 8-bit data bus (7-pin connector, 1-bit data bus, MMC compatibility)
MMCmobile (compatible with original Reduced Size MMC or RS-MMC)
  Thumbnail size (length 18 mm, width 24 mm, thickness 1.4 mm)
  13-pin connector, 1-, 4-, or 8-bit data bus (7-pin connector, 1-bit data bus, RS-MMC compatibility)
  Requires a mechanical adapter to be used in a full size MMCplus slot
MMCmicro
  Contact lens size (length 14 mm, width 12 mm, thickness 1.1 mm)
  10-pin connector, 1- or 4-bit data bus
  Requires a mechanical adapter to be used in a full size MMCplus slot
Secure Digital (SD) Card
  Postage stamp size (length 32 mm, width 24 mm, thickness 2.1 mm)
  9-pin connector, 1- or 4-bit data bus
  Features a mechanical erasure-prevention switch
MiniSD Card
  Thumbnail size (length 21.5 mm, width 20 mm, thickness 1.4 mm)
  9-pin connector, 1- or 4-bit data bus
  Requires a mechanical adapter to be used in a full size SD slot
MicroSD (formerly TransFlash)
  Contact lens size (length 15 mm, width 11 mm, thickness 1 mm)
  6-pin connector, 1- or 4-bit data bus
  Requires a mechanical adapter to be used in a full size SD slot
Memory Stick
  Chewing gum stick size (length 50 mm, width 21.45 mm, thickness 2.8 mm)
  10-pin connector, 1-bit data bus
  Features a mechanical erasure-prevention switch
Memory Stick Duo
  Partial chewing gum stick size (length 31 mm, width 20 mm, thickness 1.6 mm)
  10-pin connector, 4-bit data bus
  Features a mechanical erasure-prevention switch
  Requires a mechanical adapter to be used in a full size Memory Stick slot
Memory Stick Micro
  Contact lens size (length 12.5 mm, width 15 mm, thickness 1.2 mm)
  11-pin connector, 4-bit data bus
  Requires a mechanical adapter to be used in a full size Memory Stick slot
Table 38-3: Types of memory cards
Acquire Data from Synched Devices
Source: http://csrc.nist.gov/
Mobile phones are synchronized with a computer system to reconcile differences in certain data; this
is much like keeping a backup of the information residing on the cell phone. Though it is an advantage
to the user, it is a drawback for the culprit: a significant amount of the evidence on a mobile phone may
also be present on the suspect's laptop or personal computer (since it was synchronized with the device),
so search there for evidence including contacts, SMS, email details, images, and videos.
Gather Data from Network Operator
Source: http://www.soc.staffs.ac.uk/
Gather detailed information from the network operator including calls made/received, message traffic,
data transferred, and connection location/timing.
According to www.searchnetworking.techtarget.com, “Home Location Register (HLR) is the main
database of permanent subscriber information for a mobile network”. It provides:
Customer’s name and address
Billing name and address (if other than customer)
User’s name and address (if other than customer)
Billing account details
Telephone Number (MSISDN)
IMSI
SIM serial number (as printed on the SIM-card)
PIN/PUK for the SIM
Subscriber Services allowed
Check Call Data Records (CDRs)
A call data record (CDR) is the computer record of every call and SMS, produced by the telephone
exchange. CDR files are held at the Mobile Switching Center (MSC), which records information about:
Originating MSISDN
Terminating MSISDN
Originating and terminating IMEI
Initial serving base station (BTS)
Connection time
Time when the call was disconnected
Disconnecting reason
DLCI (Data Link Connection Identifier) field to identify the originating PRI, and the bearer (B)
channel used
Table 38-4: Call data record
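A worked example of correlating CDRs, added here and not part of the EC-Council module: it parses a constructed CDR extract carrying the fields listed above, lists which handsets (by IMEI) a subscriber number was used in, and builds a call timeline, which is the question the SMS-blitz story at the start of the module turned on (whether the SIM was ever used in another handset). The CSV layout, the field names, and every number in the sample are constructed assumptions, not a real operator format.

```python
"""Correlate CDR lines: which handsets carried a number, and when.

Added example (not from the CHFI module). The CDR extract below is constructed
for illustration; the column layout is an assumption, not an operator format.
"""
from __future__ import annotations

import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed CDR extract with the fields listed in the module (not real records).
SAMPLE_CDRS = """\
orig_msisdn,term_msisdn,orig_imei,term_imei,bts,connect_time,disconnect_time,reason
27821110001,27821110002,490154203237518,350000000000017,BTS-0412,2007-05-01T09:15:00,2007-05-01T09:18:30,normal
27821110002,27821110001,350000000000017,490154203237518,BTS-0077,2007-05-01T12:40:00,2007-05-01T12:41:10,normal
27821110001,27821110003,490154203237518,,BTS-0412,2007-05-02T08:02:00,2007-05-02T08:02:05,busy
27821110001,27821110002,359999999999990,350000000000017,BTS-0900,2007-05-03T22:10:00,2007-05-03T22:15:00,normal
"""


def parse_cdrs(text: str) -> list[dict]:
    """Parse the CSV extract; connect/disconnect timestamps become datetimes."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["connect_time"] = datetime.fromisoformat(row["connect_time"])
        row["disconnect_time"] = datetime.fromisoformat(row["disconnect_time"])
        rows.append(row)
    return rows


def handsets_for(msisdn: str, cdrs: list[dict]) -> dict[str, tuple[datetime, datetime]]:
    """Map each IMEI that carried this MSISDN to its (first seen, last seen) times.

    More than one IMEI means the SIM moved between handsets during the period
    covered by the records (or that the records need a closer look).
    """
    seen: dict[str, list[datetime]] = defaultdict(list)
    for r in cdrs:
        for num_field, imei_field in (("orig_msisdn", "orig_imei"), ("term_msisdn", "term_imei")):
            if r[num_field] == msisdn and r[imei_field]:   # empty IMEI field: unknown handset
                seen[r[imei_field]].append(r["connect_time"])
    return {imei: (min(ts), max(ts)) for imei, ts in seen.items()}


def timeline(msisdn: str, cdrs: list[dict]) -> list[tuple[datetime, str, str, int]]:
    """Chronological (connect_time, direction, other party, duration_s) for the MSISDN."""
    events = []
    for r in cdrs:
        if r["orig_msisdn"] == msisdn:
            direction, other = "out", r["term_msisdn"]
        elif r["term_msisdn"] == msisdn:
            direction, other = "in", r["orig_msisdn"]
        else:
            continue
        duration = int((r["disconnect_time"] - r["connect_time"]).total_seconds())
        events.append((r["connect_time"], direction, other, duration))
    return sorted(events)


def first_use_in_other_handset(msisdn: str, home_imei: str, cdrs: list[dict]) -> datetime | None:
    """Earliest record of this MSISDN in a handset other than home_imei, or None."""
    others = {imei: span for imei, span in handsets_for(msisdn, cdrs).items() if imei != home_imei}
    if not others:
        return None
    return min(first for first, _ in others.values())


if __name__ == "__main__":
    cdrs = parse_cdrs(SAMPLE_CDRS)
    for imei, (first, last) in handsets_for("27821110001", cdrs).items():
        print(f"{imei}: first seen {first}, last seen {last}")
    for when, direction, other, secs in timeline("27821110001", cdrs):
        print(f"{when} {direction:3} {other} {secs}s")
    print("first use outside home handset:",
          first_use_in_other_handset("27821110001", "490154203237518", cdrs))
```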
Analyze the Information
Source: http://csrc.nist.gov/
The information in the cell phone should be analyzed in various ways, so that it can be used for further
investigation. The information that can be analyzed is as follows:
Subscriber and equipment identifiers
Date/time, language, and other settings
Phonebook information
Appointment calendar information
Text messages
Dialed, incoming, and missed call logs
Electronic mail
Photos
Audio and video recordings
Multi-media messages
Instant messaging and web browsing activities
Electronic documents
Location information
Steps to analyze the above information are as follows:
Identify the individuals who created, modified, or accessed a file: A cell phone is normally used and
accessed by a single person, but it can be misused by others, so it is necessary to identify who created a
given file and who later modified or accessed it
Determine when events occurred by analyzing call logs, date/time stamps, and the content of messages
and email: The date and time of an event can be established from the time a message was sent or
received and from the time and duration of each call (whether it was missed, dialed, or received)
Track the timeline of the events: Establish when each event occurred and relate the events to one
another in chronological order so as to identify the culprit
Recover hidden information: Information such as SMS messages and call logs is often deleted for
confidentiality, but it can frequently be extracted with tools that recover deleted information
If entries such as SMS messages, contacts, emails, email IDs, and recordings have been encrypted to
secure them, use cryptanalysis tools such as crank to decrypt them and reveal the information
Use password cracking tools such as Hydra to read password-protected information: Users
password-protect their cell phones to hide information or to guard against misuse, so such tools are
needed to reach the protected information
Try to find out the geographical location of the attacker: Cell phones support GPRS, which can be
used to trace the attacker and so help in establishing the attacker's geographical location
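As an added example (not part of the CHFI module), the following Python parses a constructed CDR export laid out with the Table 38-4 fields and carries out the timeline steps above: it classifies each call for a given MSISDN as dialed, received, or missed, merges the calls with a constructed SMS log into one chronological timeline, and records which handset (IMEI) the subscriber number was used in over time. The MSISDNs, IMEI placeholders, BTS identifiers, and timestamps are all constructed.

```python
import csv
import io
from datetime import datetime

TS = "%Y-%m-%d %H:%M:%S"

# Constructed CDR export (not a real operator record). Columns follow Table 38-4:
# originating/terminating MSISDN, originating/terminating IMEI, initial serving
# BTS, connection time, disconnection time, and disconnect reason. The IMEI
# values are placeholders and the MSISDNs are constructed.
CDR_SAMPLE = """\
orig_msisdn,term_msisdn,orig_imei,term_imei,bts,connect,disconnect,reason
447700900001,447700900002,IMEI-A,IMEI-B,BTS-0413,2007-03-12 09:15:02,2007-03-12 09:17:44,normal
447700900003,447700900001,IMEI-D,IMEI-A,BTS-0991,2007-03-12 11:02:10,2007-03-12 11:02:10,no answer
447700900001,447700900002,IMEI-C,IMEI-B,BTS-0414,2007-03-12 13:40:00,2007-03-12 13:41:30,normal
"""

# Constructed message-traffic log: (time, sender, recipient, kind).
SMS_SAMPLE = [
    ("2007-03-12 10:30:15", "447700900001", "447700900002", "SMS-MO"),
    ("2007-03-12 10:31:02", "447700900002", "447700900001", "SMS-MT"),
]


def parse_cdrs(text):
    """Read CDR rows, converting the timestamps and computing each duration."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["connect"] = datetime.strptime(row["connect"], TS)
        row["disconnect"] = datetime.strptime(row["disconnect"], TS)
        row["duration_s"] = int((row["disconnect"] - row["connect"]).total_seconds())
        rows.append(row)
    return rows


def calls_for(records, msisdn):
    """Calls involving the number, classified as dialed, received, or missed
    (a terminating call that was never connected has zero duration)."""
    out = []
    for r in sorted(records, key=lambda r: r["connect"]):
        if r["orig_msisdn"] == msisdn:
            kind = "dialed"
        elif r["term_msisdn"] == msisdn:
            kind = "missed" if r["duration_s"] == 0 else "received"
        else:
            continue
        out.append((r["connect"], kind, r["bts"], r["duration_s"]))
    return out


def handset_history(records, msisdn):
    """(time, IMEI) pairs showing which handset the number was used in.
    A new IMEI for the same MSISDN means the SIM was moved to another handset."""
    history = []
    for r in sorted(records, key=lambda r: r["connect"]):
        if r["orig_msisdn"] == msisdn:
            imei = r["orig_imei"]
        elif r["term_msisdn"] == msisdn:
            imei = r["term_imei"]
        else:
            continue
        if not history or history[-1][1] != imei:
            history.append((r["connect"], imei))
    return history


def build_timeline(records, sms_log):
    """Merge call and SMS events into one chronological (time, description) list."""
    events = []
    for r in records:
        events.append((r["connect"],
                       f"CALL {r['orig_msisdn']} -> {r['term_msisdn']} "
                       f"{r['duration_s']}s ({r['reason']}) via {r['bts']}"))
    for ts, src, dst, kind in sms_log:
        events.append((datetime.strptime(ts, TS), f"{kind} {src} -> {dst}"))
    events.sort(key=lambda e: e[0])
    return events


if __name__ == "__main__":
    recs = parse_cdrs(CDR_SAMPLE)
    for when, what in build_timeline(recs, SMS_SAMPLE):
        print(when.strftime(TS), what)
    print("handsets used by 447700900001:", handset_history(recs, "447700900001"))
```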
Cell Phone Forensics Tools
SIM Analyzer
Source: http://cpa.datalifter.com/
SIM Analyzer is a cell phone forensics tool that recovers the contents of SIM cards from different mobiles.
It recovers:
Last number dialed, abbreviated dialing numbers
Active and deleted text (SMS) messages
All the general files found in the Telecom group as defined in the GSM 11.11v6 standards
Figure 38-8: SIM Analyzer Screenshot
SIMCon – SIM Card Recovery
Source: http://www.simcon.no/
SIMCon is a program that allows the user to securely image all files on a GSM/3G SIM card to a computer
file with the SIMCon forensic SIM card reader. The user can subsequently analyze the contents of the card,
including stored numbers and text messages.
Features of SIMCon are as follows:
Read all available files on a SIM card and store in an archive file
Analyze and interpret content of files including text messages and stored numbers
Recover deleted text messages stored on the card but not readable on phones
Manage PIN and PUK codes
Compatible with SIM and USIM cards
Print report that can be used as evidence based on user selection of items
Secure file archive using MD5 and SHA1 hash values
Export items to files that can be imported in popular spreadsheet programs
Support international charsets
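Both SIM Analyzer's recovery of the GSM 11.11 Telecom-group files and SIMCon's recovery of deleted text messages rest on the same fact: a deleted SMS on the SIM is a record in the EF_SMS file whose status byte has been set to "free", while the message bytes usually remain until the slot is reused. The following Python decoder is an added example, not code from either product: it parses a constructed three-record EF_SMS image, decodes the SMS-DELIVER TPDUs, and lists the slot a handset no longer shows. The SMSC number, sender, timestamps, and message texts are constructed, and only the 7-bit default alphabet is decoded.

```python
# Added example (not the module's or any vendor's code): decode EF_SMS records
# from a GSM 11.11 DF_TELECOM dump, including slots flagged free ("deleted")
# whose message bytes are still present.
from datetime import datetime, timedelta, timezone

RECORD_LEN = 176          # EF_SMS record: 1 status byte + up to 175 TPDU bytes
BCD = "0123456789*#abc"   # nibble values 0x0-0xE; 0xF is filler

# Low three bits of the status byte (GSM 11.11 section 10.5.3)
STATUS = {
    0x00: "free (deleted; bytes may remain)",
    0x01: "received, read",
    0x03: "received, unread",
    0x05: "originated, sent",
    0x07: "originated, to be sent",
}

def decode_address(toa, data):
    """Swapped-nibble BCD digits; international TON (0x1) gets a '+' prefix."""
    digits = "".join(BCD[n] for b in data for n in (b & 0x0F, b >> 4) if n != 0x0F)
    return ("+" if (toa & 0x70) == 0x10 else "") + digits

def unpack_7bit(data, septets):
    """Unpack GSM 03.38 7-bit septets (LSB-first packing) into text."""
    bits = nbits = 0
    out = []
    for b in data:
        bits |= b << nbits
        nbits += 8
        while nbits >= 7 and len(out) < septets:
            out.append(bits & 0x7F)
            bits >>= 7
            nbits -= 7

    def ch(c):  # simplification: only the ASCII-identical part of the alphabet
        if 0x20 <= c <= 0x3F or 0x41 <= c <= 0x5A or 0x61 <= c <= 0x7A:
            return chr(c)
        return "?"
    return "".join(ch(c) for c in out)

def decode_scts(data):
    """TP-SCTS: yy mm dd hh mm ss tz as swapped BCD; tz in quarter hours,
    sign in bit 3 of the low nibble (TS 23.040). Two-digit year assumed 20yy."""
    yy, mo, dd, hh, mi, ss = [(b & 0x0F) * 10 + (b >> 4) for b in data[:6]]
    tzb = data[6]
    quarters = (tzb & 0x07) * 10 + (tzb >> 4)
    sign = -1 if tzb & 0x08 else 1
    return datetime(2000 + yy, mo, dd, hh, mi, ss,
                    tzinfo=timezone(sign * timedelta(minutes=15 * quarters)))

def parse_record(rec):
    """Decode one EF_SMS record holding an SMS-DELIVER TPDU; None if never written."""
    status = rec[0]
    if status == 0xFF or rec[1] == 0xFF:
        return None
    i = 1
    sc_len = rec[i]; i += 1                       # SC address: len, TON/NPI, BCD
    smsc = decode_address(rec[i], rec[i + 1:i + sc_len]) if sc_len else ""
    i += sc_len
    first = rec[i]; i += 1                        # TP-MTI in bits 0-1
    if (first & 0x03) != 0x00:
        raise ValueError("only SMS-DELIVER TPDUs are handled here")
    oa_digits = rec[i]; i += 1                    # TP-OA: digit count, TON/NPI, BCD
    oa_len = (oa_digits + 1) // 2
    sender = decode_address(rec[i], rec[i + 1:i + 1 + oa_len]); i += 1 + oa_len
    dcs = rec[i + 1]; i += 2                      # skip TP-PID, read TP-DCS
    when = decode_scts(rec[i:i + 7]); i += 7
    udl = rec[i]; i += 1                          # TP-UDL: septet count
    # General coding group, 7-bit alphabet (DCS bits 3-2 == 00); others skipped
    text = unpack_7bit(rec[i:i + (udl * 7 + 7) // 8], udl) if (dcs & 0x0C) == 0 else None
    return {"status": STATUS.get(status & 0x07, hex(status)),
            "deleted": (status & 0x01) == 0,
            "smsc": smsc, "sender": sender, "time": when.isoformat(), "text": text}

def parse_ef_sms(dump):
    """Split a raw EF_SMS file image into fixed-length records and decode each."""
    return [parse_record(dump[i:i + RECORD_LEN])
            for i in range(0, len(dump) - RECORD_LEN + 1, RECORD_LEN)]

def recover_deleted(dump):
    """Records the handset no longer lists (status free) but that still decode."""
    return [m for m in parse_ef_sms(dump) if m and m["deleted"]]

def _record(status, tpdu_hex):
    body = bytes.fromhex(tpdu_hex)
    return bytes([status]) + body + b"\xFF" * (RECORD_LEN - 1 - len(body))

# Constructed three-record image: slot 1 read message "Hello", slot 2 deleted
# message "Hi", slot 3 never used. SMSC "+12345" and sender "5550123" are made up.
SIM_DUMP = (
    _record(0x01, "04912143F5" "04" "0781550521F3" "0000" "70302141509080" "05" "C8329BFD06")
    + _record(0x00, "04912143F5" "04" "0781550521F3" "0000" "70302141030080" "02" "C834")
    + b"\xFF" * RECORD_LEN
)

if __name__ == "__main__":
    for slot, msg in enumerate(parse_ef_sms(SIM_DUMP), 1):
        print(slot, msg)
```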
Figure 38-9: SIMCon Screenshot
SIM Card Data Recovery Software
Source: http://www.datadoctor.in/
SIM Card Data Recovery Software recovers accidentally deleted data from mobile phone SIM cards. It
provides a full backup of the cell phone's erased SIM memory. For recovery, the user needs a Phoenix-type
USB SIM card reader or a PC/SC standards-based SIM card reader and a PC running a Microsoft Windows
operating system.
Features of SIM card data recovery software are as follows:
Retrieves all deleted contact numbers (phone numbers), unreadable messages, and corrupt phone
book directories
Undeletes read and unread inbox SMS messages, outbox messages, drafts, saved favorite messages,
and sent items that have been deleted from SIM card memory
Provides full details about the SIM card, such as its provider and ICC-ID
Supports recovery on Windows XP, 2003, XP Media Center 2005, Longhorn, Vista, 2000, NT,
ME, and 98
Read-only, non-destructive SIM card data recovery utility
Print option provides recovered data on paper in text format
Software also shows the provider name and ICC identification number of SIM card
Utility provides full backup of corrupt or damaged SIM card memory
Figure 38-10: SIM Card Data Recovery Software
Memory Card Data Recovery
Source: http://www.datadoctor.in
Memory Card Data Recovery recovers lost or deleted pictures, images/photos, formatted audio/video files
and folders, and encrypted data from corrupted memory card storage devices. It can restore accidentally
deleted, damaged, formatted, or erased picture, image, photo, audio, and video files even if the media is
corrupted and cannot be accessed, or if the memory card was pulled out while the camera or other device
was on.
Features of memory card data recovery are as follows:
Reveals missing files and directories lost due to battery failure, formats, or corruption caused by
hardware or software malfunction
Restores wav, mpg, mpeg, mp3, jpg, jpeg, bmp, midi, and other media files
Supports all major memory card devices including compact flash, multimedia card, secure digital
card, PDA, Pocket PC drive, external Mobile phone storage card, and other similar flash drives
Compatible with all major memory card brands like Kodak, Konica, Minolta, Nikon, Ricoh,
Samsung, Sony, Toshiba, etc.
Supports all types of USB port memory card reader
Supports memory cards of all major capacities, including 128 MB, 256 MB, 512 MB, 1 GB, 2 GB, 4 GB,
and higher
Figure 38-11: Memory Card Data Recovery
Device Seizure
Source: http://www.paraben-forensics.com
Device Seizure is a digital forensics tool that supports GSM SIM cards with the use of a SIM card reader. It
acquires and analyzes data from over 1,950 mobile phones, PDAs, and GPS devices, including iPhones.
Features of Device Seizure are as follows:
30 plug-ins for the acquisition and analysis of 15 types of devices including cell phones,
Smartphones, PDAs, GPS devices, and SIM cards
Support of more than 1,900 devices
USB and serial support
Verification of file integrity using MD5 and SHA1 hash values
Deleted data recovery
Encrypted image files to guarantee image integrity
Built-in file viewing of proprietary files
Built-in searching and bookmarking
Text and Hex viewing options available for data
Analyzes PDA data files stored on PCs
Built-in Palm password recovery
Windows CE registry viewer
Acquires complete GSM SIM card information including deleted data
Full flash download for certain models of cell phones
Image viewing for graphic information, including data carving for multi-media files for most
devices
Import of databases acquired with PDA Seizure, Cell Seizure, and SIM Card Seizure
Figure 38-12: Device Seizure Screenshot
SIM Card Seizure
Source: http://www.paraben-forensics.com
SIM Card Seizure recovers deleted SMS/text messages and performs comprehensive analysis of SIM card
data. It takes the SIM card acquisition and analysis components from Paraben's Device Seizure and puts
them into a specialized SIM card forensic acquisition and analysis tool. It includes the software as well as a
forensic SIM card reader.
Features of SIM Card Seizure are as follows:
Forensic SIM card reader included
Calculates MD5 & SHA1 Hash values
Recovers deleted SMS data
Extracts data from the SIM card:
SST (SIM service table)
ICCID (serial number)
LP (preferred languages variable)
SPN (service provider name)
MSISDN (subscriber phone number) and short dial numbers
Figure 38-13: SIM Card Seizure Screenshot
Cell Phone Analyzer
Source: http://cpa.datalifter.com/
Cell Phone Analyzer is a cell phone forensics tool that recovers deleted items. It is a data interpreter for
cell phone flash files, built to fill the gap in current mobile phone analysis tools.
Features of cell phone analyzer are as follows:
Process BlackBerry IPD files - includes date and time support for Call logs, Email and Hotlists
Nokia - both PM (Permanent memory) and Full flash support
Motorola
Samsung
Sony Ericsson
SIM card analysis
Create "Safety SIM"(TM) to preserve call log data and keep the phone off the network
LIVE Video capture support
Oxygen Forensic Suite
Source: http://www.oxygen-forensic.com/
Oxygen Forensic Suite is mobile forensic software that goes beyond standard logical analysis of cell
phones, Smartphones, and PDAs. It recovers:
Phone basic information and SIM-card data
Contacts list (including mobile, wireline, fax numbers, postal addresses, contact photos, and other
contact information)
Missed/Outgoing/Incoming calls
SIM card data
Caller Groups information
Organizer (calendar meetings, appointments, memos, call reminders, anniversaries and
birthdays, to-do tasks)
Text notes
SMS Messages (messages, log, folders, deleted messages with some restrictions)
Multimedia Messages (log only)
E-mail Messages (e-mails log and folders)
GPRS, EDGE, CSD, HSCSD, and Wi-Fi traffic and sessions log
Photos and gallery images
Video clips and films
Voice records and audio clips
All files from phone memory as well as from flash card, including installed applications and their
data
FM Radio Stations database (as a part of File Browser)
Lifeblog activity: all main events with geographical coordinates
Figure 38-14: Oxygen Forensic Suite Screenshot
BitPim
Source: http://www.bitpim.org/
BitPim is a program that allows viewing and manipulating data on many CDMA phones from LG,
Samsung, Sanyo, and other manufacturers. This data includes the Phonebook, Calendar, Wallpapers,
Ringtones, and the File system for most Qualcomm CDMA chipset-based phones.
Figure 38-15: BitPim Screenshot
MOBILedit! Forensic
Source: http://www.mobiledit.com/
MOBILedit! Forensic is forensic software for mobile phone investigations. It collects all possible data
from the mobile phone and generates an extensive report on a PC that can be stored or printed. It has
changed the way evidence is obtained and presented.
Features of MOBILedit! Forensic are as follows:
Analyze phones via Bluetooth, IrDA, or cable connection
Analyze phonebook, last dialed numbers, missed calls, received calls, SMS messages, multimedia
messages, photos, files, phone details, calendar, notes, tasks, and more
Large quantity of phones supported
Frequent updates and upgrades with new features and more phones
Direct SIM analyzer through SIM readers
Reads deleted messages from the SIM card
Reports Generator based on your templates
Print reports ready for courtroom
Reports generated in any language
Make backup now and reports when needed
Manual investigation mode
Secure and tamper-proof using MD5 hash
Compliant with Word or any other RTF editor
View formatted reports in browser including original pictures
Exports to Word, Excel/XLS, browser, XML/XSL
Complete solution including specific phone cables and SIM readers
XML export - seamlessly connect MOBILedit! Forensic data with other systems
Preferred/forbidden networks
Hex dump viewer
Free access to forensic forum
Figure 38-16: MOBILedit Screenshot
PhoneBase
Source: http://www.phonebase.info/
PhoneBase is a mobile phone analysis system that extracts data from any standard SIM card using a SIM
card reader. It recovers the contents of SIM cards and phone memories, including lists of phone numbers
and associated names, recently made calls, and text messages.
Features of PhoneBase are as follows:
Minimal handling of Telephone equipment
Extracts data from any standard SIM card using a SIM Card Reader.
Reads phone memory using the optional Phone memory module
Figure 38-17: PhoneBase Screenshot
Secure View
Source: http://mobileforensicsnew.susteen.com/
Secure View for Forensics is a software and hardware solution that provides law enforcement, corporate
security, and forensics consultants with logical extraction of the content stored in a mobile phone. For
investigators, it provides access to vital information in seconds without the need to wait for crime
reports. It acquires cell phone data via USB, Bluetooth, IrDA, and a SIM card reader.
It acquires:
Serial numbers: IMEI (for GSM phones) and ESN (for CDMA phones)
Recent Calls: Received Calls, Dialed Calls, & Missed Calls
Contacts (internal phone memory, as well as SIM card on supported GSM phones)
Calendar and To Do lists
Pictures & Wallpapers
Ringtones & Music
Video & Movies
Figure 38-18: Secure View for Forensics Screenshot
XACT
Source: http://www.msab.com/
XACT is a tool that performs physical-level data investigations of confiscated phones and allows recovery
of deleted information.
Features of XACT are as follows:
It allows you to acquire data from locked phones
It recovers deleted SMS messages from the SIM card, along with other information
It recovers deleted information
Figure 38-19: XACT Tool Screenshot
CELLDEK
Source: http://www.forensic.gov.uk
CellDEK is a portable handset data extraction kit designed for use at the scene of a crime and in all
working environments associated with ongoing investigations. It can access, read, and copy stored data
from GSM, CDMA, TDMA, and iDen handsets, SIM cards, PDAs, and 15 types of flash cards.
Features:
Extracts handset time and date, serial numbers (IMEI, IMSI), dialed calls, missed calls, received
calls, phonebook (both handset and SIM), SMS (both handset and SIM), deleted SMS from SIM,
calendar, memos, and to do lists
Built-in SIM card reader and SIM card-reading software
Data extraction from GSM, CDMA, TDMA, and iDen devices
Data produced in XML format enabling database import
Provides HTML reports (printable at the scene)
In-built MD5 functionality to prevent data manipulation
Connection and control of external jammer to prevent loss of data
Time-stamped forensic audit trail records data sent and received from target device
Figure 38-20: CellDEK Tool Screenshot
Forensic Card Reader (FCR)
Source: http://www.bkforensics.com/
The Forensic Card Reader (FCR) provides a forensically clean method of extracting data from a SIM
card. With its patented reading heads and software, the FCR accesses areas beyond the capability of
standard SIM readers.
It does not alter any data, including the date and time stamps of SMS messages and their read/unread
tags. It reads SMS messages flagged as deleted.
It reads the following entries on a SIM card:
ICC-ID
IMSI
ADN
FDN (Fixed Dialing Numbers)
Hidden entries
LND
MSISDN
Deleted SMS
TMSI (Temporary Mobile Subscriber Identity)
LAI (Location Area Identity) information, indicating a cell or a set of cells
Figure 38-21: Forensic Card Reader Screenshot
ForensicSIM Toolkit
Source: http://www.radio-tactics.com/
ForensicSIM Toolkit recovers digital evidence from GSM SIM and 3G USIM cards. It allows acquisition,
analysis, and reporting. Features of ForensicSIM Toolkit are as follows:
Recovers the operator identity number
Recovers start/end time and date stamps
Performs an MD5 checksum of the acquired data
Recovers the data storage card serial number and production batch date
Figure 38-22: ForensicSIM Toolkit
SIMIS 3G
Source: http://www.3gforensics.co.uk/
SIMIS 3G is a tool for the recovery of data from a SIM card. It allows the examiner to view recovered data
including phonebook contacts and numbers, SMS text messages, deleted text messages, time and date
information, and more. It secures the recovered data against tampering using both MD5 and SHA-1
hashing techniques.
SIMIS 3G comprises:
USB card readers (PC/SC industry standard)
PC software on CD-ROM
Mini SIM adapter and USIM storage card
License
Features of SIMIS 3G are as follows:
Read-only access to system and user data held on the SIM card
Correctly handles PIN and PUK entry under controlled conditions
Presents data in an easily readable web page format
Produces retrieved data in a printable format for reports
Creates and verifies the MD5 and SHA hash for each output file generated
Correctly handles and displays foreign language text messages
Builds a database with unique file references for each SIM Card read
Searchable database with appropriate index categories
Facility to read data from the SIMIS Mobile card interrogation unit
Facility to retrieve data from some mobile subscriber equipment
Provides commented RAW DATA in a standard format for use in third-party applications
Figure 38-23: SIMIS 3G Screenshot
UME-36Pro - Universal Memory Exchanger
Source: http://www.cellebrite.com/
UME-36Pro - Universal Memory Exchanger is a phone memory transfer and backup solution that
transfers all forms of content, including pictures, videos, ringtones, SMS, as well as phonebook contacts
data between a wide range of mobile phones, smart phones, and PDAs.
Features and capabilities of UME-36Pro are as follows:
Based on Windows CE
Supports transfer of content across all mobile handset technologies - GSM, CDMA, UMTS, 3G,
TDMA, IDEN, and more
Transfer of phone’s internal memory and SIM card content
Transfer of phonebooks, pictures, videos, ring-tones, and SMS
Supports multiple language encodings
Available connectivity: USB, Serial, IrDA, and Bluetooth connections to phones
Transfer, backup, and restore of mobile phone content
Supports Symbian, Microsoft Mobile, Palm, and BlackBerry operating systems
Integrated SIM/Smart Card reader
Integrated PC connection allowing content backup and management
Stand-alone device or an integrated PC solution
User-friendly and self-explanatory
Easily upgraded through software file downloads
How it works:
The Cellebrite UME is used as a channel or intermediary for transferring data from a source phone to a
target phone, without storing any record of the data on the UME unit itself. It prompts the user to select
and define a set of parameters for the transfer: the makes and models of the source and target phones, the
memory from and to which the contents will be copied (phone memory or SIM card), and the available
link option, such as cable or IrDA. Once the parameters are defined, the UME displays the number of
cables that must be connected to the mobile phones, or the IR
connection. Then, at the press of a button, the data flows from the source phone, through the UME, to the
target phone.
When necessary, the UME automatically manipulates data formats and fields in order to be compatible
with the target phone.
Figure 38-24: UME-36Pro Screenshot
Cellebrite UFED System – Universal Forensic Extraction Device
Source: http://www.cellebrite.com/
The Cellebrite UFED (Universal Forensic Extraction Device) forensic system is a device that can be used
in the field as well as in the forensic lab. It supports:
CDMA, GSM, IDEN, and TDMA technologies, and it is compatible with any wireless carrier
95% of all cellular phones including Smartphones and PDA devices
All known cellular device interfaces, including serial, USB, infrared, and Bluetooth
Features of Cellebrite UFED system are as follows:
It extracts data from almost all cell phones and PDAs: phonebook, pictures, videos, text messages,
call logs, ESN, and IMEI information
It is a kit, with no computer required for extraction
It generates complete, MD5 verified evidence reports
It supports over 1,400 handset models
Figure 38-25: Cellebrite UFED Screenshot
ZRT
Source: http://www.fernico.com/
ZRT is a cell phone forensic investigation solution that supports all phones and can be used on its own
or in conjunction with existing tools. It is easy to use, fast, and supports manual examination.
It includes the following:
ZRT software
Camera: Canon A640 10-megapixel camera
Mount: Flexible arm and desk clamp
Power: Canon wired power supply
Accessory: Non-slip mat
Features of ZRT are as follows:
It completely streamlines the process of taking high-resolution photographs of screen displays
It merges photos into custom designed report templates
Neutrino
Source: http://www.forensics.ie/
Neutrino is a mobile device acquisition tool that integrates with EnCase v6. It allows both mobile
device and computer evidence to be analyzed at the same time.
Features of Neutrino are as follows:
Examine multiple devices and correlate with computer evidence at the same time
Share Neutrino acquired logical evidence files with other EnCase v6 examiners
Carry entire tool set, organized and stored in a single field kit
Access unallocated space on selected devices
Possess hardware support and parsing capabilities for more than 75 of the most common devices,
with new devices being added regularly
It includes Wave Shield signal blocking bag, delivering reliable wireless signal blocking protection
even with close proximity to cell towers
Figure 38-26: Neutrino Screenshot
ICD 5005
Source: http://www.projectaphone.com/
ICD 5005 is a project-a-Phone product designed for forensic investigations of cell phones. With a USB 2.0
camera, it captures display screens at up to 3 megapixel resolution. It also lets the user record video clips
and displays a live image on the computer screen.
Features of ICD 5005 are as follows:
It captures evidence in cell phone forensics
It offers live meetings where you want to present from a computer
It provides web-based demonstrations
It can take screen shots for print marketing materials or documentation
It helps to display evidence in the court room
Specifications:
Takes screen shots of up to 3.15 megapixels
Delivers up to 30 frames per second at VGA resolution
Accommodates screens up to 7.5 cm wide and 5.5 cm tall
System Requirements:
Pentium 333 megahertz CPU or higher
Windows 2000, XP, ME, or Vista (32-bit only)
1 available USB 2.0 port per device
Figure 38-27: ICD 5005
ICD 1300
Source: http://www.projectaphone.com/
ICD 1300 is a project-a-Phone product designed for forensic investigations of cell phones. It captures and
displays screens at up to a 1.3 megapixel resolution.
Features of ICD 1300 are as follows:
It records forensic evidence
It provides screenshots for digital marketing materials or documentation
It supports training and software testing
It supports internal meetings and web demonstrations
Specifications of ICD 1300 are as follows:
Native 1280 x 960 sensor
Delivers and records up to 30 frames per second at VGA resolution
Accommodates screens up to 8.5 cm wide and 6.5 cm tall
System requirements:
Pentium 333 megahertz CPU or higher
Windows 2000, XP, ME, or Vista; Mac OS
1 available USB 2.0 port per device
Figure 38-28: ICD 1300
Challenges for Forensic Efforts
Source: http://www.htcia-ne.org/
Challenges faced by investigators in cellphone forensics are as follows:
Phones are often disposable for criminals; that is, they can change their method of attack as soon as
they get a clue that the attack has been exposed
Tools or devices may not widely support forensic solutions
No contract and no identity tied to the device or service contract
No single standardized approach to investigate the mobile devices
Different forensic tools are only able to operate on a particular handset, specific platforms for a
specific product, a distinct operating system, or specific hardware architecture
Ever-changing advancement of mobile devices increases the complexity of mobile device
examinations
Summary
Mobile phone forensics refers to the recovery of digital evidence from a mobile phone under forensically sound conditions using accepted methods
SIM is a removable component that contains essential information about the subscriber
IMEI is a 15-digit number that indicates the manufacturer, model type, and country of approval for GSM devices
The network operator provides information including calls made/received, message traffic, data transferred, and connection location/timing
ESN is a unique 32-bit identifier recorded on a secure chip in a mobile phone by the manufacturer
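As an added example that is not part of the CHFI module, the following Python splits a recorded IMEI into its TAC, serial number and Luhn check digit (so a transcription error is caught before the value goes into a report) and decodes a 32-bit ESN from either its hex or its decimal form, assuming the conventional 8-bit manufacturer code plus 24-bit serial layout; the sample identifiers are constructed.

```python
# Added example, not code from the CHFI module; sample identifiers are constructed.
from dataclasses import dataclass

def luhn_check_digit(payload: str) -> int:
    """Luhn check digit over a digit string (an IMEI's first 14 digits)."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:  # double every second digit, starting from the rightmost
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return (10 - total % 10) % 10

@dataclass(frozen=True)
class Imei:
    tac: str          # 8-digit Type Allocation Code (reporting body + model)
    serial: str       # 6-digit serial number assigned within the TAC
    check_digit: int  # 15th digit, a Luhn check digit
    valid: bool       # True when the check digit matches the first 14 digits

def parse_imei(raw: str) -> Imei:
    """Split a 15-digit IMEI (separators such as '-' or ' ' are ignored)."""
    digits = "".join(ch for ch in raw if ch.isdigit())
    if len(digits) != 15:
        raise ValueError(f"IMEI must be 15 digits, got {len(digits)}")
    cd = int(digits[14])
    return Imei(digits[:8], digits[8:14], cd, cd == luhn_check_digit(digits[:14]))

@dataclass(frozen=True)
class Esn:
    manufacturer: int  # high 8 bits of the 32-bit ESN
    serial: int        # low 24 bits

def parse_esn(raw: str) -> Esn:
    """Accept an ESN as 8 hex digits or as 11 decimal digits (3-digit mfr + 8-digit serial)."""
    raw = raw.strip().upper()
    if len(raw) == 8:
        value = int(raw, 16)
    elif len(raw) == 11 and raw.isdigit():
        mfr, sn = int(raw[:3]), int(raw[3:])
        if mfr > 0xFF or sn > 0xFFFFFF:
            raise ValueError("decimal ESN field out of range")
        value = (mfr << 24) | sn
    else:
        raise ValueError("ESN must be 8 hex digits or 11 decimal digits")
    return Esn(value >> 24, value & 0xFFFFFF)

if __name__ == "__main__":
    # Constructed sample identifiers, not values from any real handset.
    print(parse_imei("49-015420-323751-8"), parse_esn("A0123456"))
```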
- 72.
Exercise:
1. What are the various components of a cellular network?
2. Write a note on different types of cellular networks.
3. List what type of information can be retrieved from the mobile phone.
4. Write a note on International Mobile Equipment Identifier (IMEI) and its importance.
5. List all the precautions to be taken before forensic investigation.
6. How is the data from a SIM card acquired?
- 73.
7. Discuss how to check call data records.
8. Explain how to analyze the information in the cell phone.
9. Discuss the various cell phone forensic tools.
10. What are the challenges faced by investigators?
- 74.
Hands On
1. Visit http://searchmobilecomputing.techtarget.com/ and read about the threats faced by organizations due to mobile devices
2. Visit http://www.soc.staffs.ac.uk/ and read about the techniques for retrieving forensic information from mobile phones
3. Visit http://faculty.colostate-pueblo.edu/ and read about the NSLEC Mobile Phone Examination Guidelines
4. Download the OXYGEN Forensic Suite from http://www.oxygen-forensic.com/en, run it, and check the results
5. Download the FORENSIC CARD READER from http://www.bkforensics.com/FCR.html, run it, and check the results