Computer Hacking Forensic Investigator Exam 312-49
Cell Phone Forensics 
Module XXXVIII Page | 3477                                                  Computer Hacking Forensic Investigator Copyright © by EC-Council 
    All Rights Reserved. Reproduction is Strictly Prohibited. 
Computer Hacking Forensic Investigator (CHFI)
Module XXXVIII: Cell Phone Forensics
Exam 312-49
News: Mountain of Evidence on Alleged ‘SMS-blitz’
A date has yet to be announced for the resumption of public hearings of the provincial commission of
inquiry into the city's surveillance of councillor Badih Chaaban.
Hearings for the Erasmus Commission would have started yesterday but were suspended after Mayor
Helen Zille claimed the process was illegal and unconstitutional.
Premier Ebrahim Rasool agreed to put the hearings on hold pending legal advice about the process. The
commission's mandate has been extended to the end of April and hearings could be postponed until then,
but it is still gathering written and recorded evidence.
The investigation of the alleged "SMS blitz" by DA councillor Pat Hill shortly before the party's federal
congress in May is included in the latest bundle of evidence to be released to the public.
Hill was accused of sending SMS messages saying that the election of Zille as party leader would be the
"final nail in the coffin for Afrikaners".
He was later cleared by the DA, with federal chairman James Selfe saying the SMS "definitely" did not
come from Hill's phone.
But a forensic investigation by George Fivas & Associates, appointed by George Municipality on March 12,
2007, found that the SMS was sent from Hill's phone.
Hill reportedly said the SMS had been sent by someone who had either taken his SIM card or used his
handset to send the message.
But the investigators found that at "no stage after April 4, 2003" was the SIM card used in any other
handset.
The report noted that more information was needed before it could be established whether Hill's
cellphone had been "hacked" or if the SMS had been sent by him.
Module Objective
This module will familiarize you with:
• Hardware Characteristics of Mobile Devices
• Cellular Network
• Different OS in Mobile Phone
• What a Criminal Can do with Mobiles
• Mobile Forensics
• Subscriber Identity Module
• Cell phone Forensics steps
• Cell phone Forensics Tool
• Challenges for Forensic Efforts
Module Flow
Mobile Phone
The mobile phone, or cellular phone, is a short-range electronic device used for mobile voice or data
communication over a network of specialized base stations operated by various network providers.
It is a personal device that its owner uses for both personal and professional purposes. Earlier it
was used only for voice communication or SMS, but the meaning of a mobile phone has since
changed entirely for its users. Users buy a mobile phone according to the features they are
interested in. Features of a mobile phone are as follows:
• Voice and text messaging, usually termed calls and service messages
• Personal Information Management (PIM), where the user can schedule his/her day
• SMS and MMS messaging, i.e., text, image, or video clip messaging
• Receiving emails, chatting, and browsing via the cell phone, as network providers offer users
access to the Internet
• Ability to store images, audio, and videos, depending on the memory size
• Provision for downloading and playing games
• Camera with a video recorder
Hardware Characteristics of Mobile Device
Table 38-1: Hardware Characteristics of Mobile Device (Source: http://csrc.nist.gov)
Software Characteristics of Mobile Devices
Table 38-2: Software Characteristics of Mobile Device (Source: http://csrc.nist.gov)
Components of Cellular Network
Source: http://csrc.nist.gov/
A cellular network is a network made up of cells, each served by a transmitter. It lets a user
connect and communicate with another person, with the network provider holding responsibility for the
cellular network. For a complete cellular network, the network provider requires a base station subsystem
and a network subsystem. These subsystems are made up of a few components, which are as follows:
• Mobile Switching Center (MSC): Switching system for the cellular network. It connects the call by
switching data packets from one network path to another
• Base Transceiver Station (BTS): Radio transceiver equipment that provides the user with
wireless communication between the mobile phone and the network
• Base Station Controller (BSC): Manages the transceiver equipment and performs channel
assignment. It is the part of the GSM architecture that controls one or more base transceiver stations
and the cell site's radio signals in order to reduce the load on the switch
• Base Station Subsystem (BSS): One of the major sections of a cellular network. It controls the BSC and
BTS units. It is responsible for:
o Handling traffic
o Signaling between the cell phone and the network switching system
• Home Location Register (HLR): Database at the MSC. It is the central repository for
subscriber data and service information
• Visitor Location Register (VLR): Database used in conjunction with the HLR for mobile phones
roaming outside of their home service area
Cellular Network:
Figure 38-1: Cell Network
Different Cellular Networks
Cellular networks differ from each other according to the service provider, geographical location, and
advances in technique. Different types of cellular networks are as follows:
• Code Division Multiple Access (CDMA): One of the dominant types of cellular network in use. It
employs spread spectrum technology, where the channels for communication are defined in terms of
codes
• Enhanced Data Rates for GSM Evolution (EDGE): Backward-compatible digital mobile phone
technology that allows improved data transmission rates. It delivers high bit rates per radio
channel and is used for packet-switched applications
• Integrated Digital Enhanced Network (iDEN): iDEN, developed by Motorola, is a mobile
communication technology that gives its users the benefits of both trunked radio and cellular
telephone
• General Packet Radio Service (GPRS): Packet-oriented mobile data service available to
users of GSM and IS-136 mobile phones. It uses frequency division duplex and
time division multiple access
• Global System for Mobile communications (GSM): Major and widely used cellular network
• High-Speed Downlink Packet Access (HSDPA): Third-generation mobile telephony
communication protocol that allows high data transfer speeds on networks based on UMTS
• Time Division Multiple Access (TDMA): Channel access method where users share
the same frequency channel by dividing the signal into time slots
• Unlicensed Mobile Access (UMA): UMA, also referred to as GAN (Generic Access Network), is a
telecommunication system that extends mobile services, voice, data, and IP Multimedia
Subsystem/Session Initiation Protocol (IMS/SIP) applications over IP access networks
• Universal Mobile Telecommunications System (UMTS): 3G mobile phone technology (upgraded
to 4G) that uses W-CDMA as its underlying air interface
Different OS in Mobile Phones
The different operating systems found in mobile phones are as follows:
• Windows Mobile: Compact operating system combined with a suite of basic applications for
mobile devices, based on the Microsoft Win32 API
• Symbian OS: Operating system designed for mobile devices, with associated libraries, user
interface frameworks, and reference implementations of common tools, produced by Symbian Ltd
• Linux: Operating system that is prevalent on computer systems. Since the Microsoft and Symbian
OSes are somewhat complex, Linux can be used as an alternative operating system for future mobile
phones. Its benefit is cost reduction, as it is an open source OS
Figure 38-2: Different operating systems in mobile phones (Source: www.linuxdevices.com)
What a Criminal Can do with Mobiles
Every device has its pros and cons, and so do mobiles. When a gadget with so many features falls into the
wrong hands (a criminal's), it has various adverse effects on its users. A criminal can indulge in the following
activities using a stolen mobile:
• Harassing or threatening other users
• Sending viruses and Trojans to other users under the identity of the phone's owner
• Illegal distribution of pornographic videos and images
• Data theft
• Storing and transmitting personal and corporate information
• Sending dangerous or offensive SMS and MMS
• Cloning the SIM data for illicit use
Mobile Forensics
Mobile phone forensics refers to the recovery of digital evidence from a mobile phone under forensically
sound conditions using accepted methods. It includes the recovery and analysis of data from mobile devices
and SIM cards. The aim of mobile forensics is to catch the criminal who has committed illegal acts using the
mobile.
Forensics Information in Mobile Phones
Mobile phones allow the user to save different information depending upon his/her requirements. The
information in a mobile phone that can be used for forensic purposes is as follows:
• SIM card information
• Phonebook
• Call history
• SMS and MMS
• GPRS, WAP, and Internet settings
• IMEI
• Photos and video
• Sound files
• Network information, GPS location
• Phone info (CDMA serial number)
• Emails, memos, calendars, documents, etc.
Subscriber Identity Module (SIM)
Source: http://csrc.nist.gov/
The subscriber identity module, often referred to as a SIM card, is the component that allows a user to
connect or communicate with other users. It is a removable component that contains essential
information about the subscriber. Its main function is authenticating the user of the cell phone to the
network in order to gain access to the subscribed services. It provides the user with a number of identities.
SIMs come in two sizes:
1. 85.60 mm × 53.98 mm × 0.76 mm: The size of the first SIM card, which was about the size of a
credit card.
2. 25 mm × 15 mm: The newer and current SIM card, with a width of 25 mm and a height of 15
mm. Its thickness is 0.76 mm.
The SIM gives the user the benefit of storing information such as phone numbers and messages. It has
both volatile and non-volatile memory; the file system of the SIM resides in the non-volatile memory.
Figure 38-3: SIM
SIM File System:
Figure 38-4: SIM File System
Integrated Circuit Card Identification (ICCID)
The ICCID is the 19- or 20-digit serial number of the SIM card, which identifies it internationally. It consists of
an industry identifier prefix (89 for telecommunications), followed by a country code, an issuer identifier
number, and an individual account identification number. This code helps to identify the country and the
network operator's name.
The ICCID is stored in the SIM card and is also printed on the SIM card. If the ICCID is not available on
the card itself, obtain it using a (U)SIM acquisition tool such as the ForensicSIM Toolkit.
Figure 38-5: ICCID
International Mobile Equipment Identifier (IMEI)
The IMEI (International Mobile Equipment Identifier) is a 15-digit number that indicates the manufacturer,
model type, and country of approval for GSM devices. It is different for every GSM, UMTS, and iDEN
mobile phone, and is usually printed on the battery of the mobile phone.
Of the 15 digits of the IMEI, the first 8 digits are known as the Type Allocation Code (TAC), which gives
information about the model and origin. On powered-on GSM and UMTS phones, the IMEI can be
obtained by keying in *#06#. The IMEI number serves legitimate purposes: GSM networks use it to identify the
device and can even block a mobile phone from accessing the network if it has been stolen.
Figure 38-6: International Mobile Equipment Identifier (Source: http://www.s60tips.com)
Electronic Serial Number (ESN)
The ESN is a unique 32-bit identifier recorded on a secure chip in a mobile phone by the manufacturer. The
first 8-14 bits identify the manufacturer and the remaining bits identify the assigned serial number. These
numbers are used with AMPS, TDMA, and CDMA phones. The uses of the ESN are as follows:
• It helps in identifying a stolen cell phone even if it has been provided with a new subscription
identifier
• It proves that a particular mobile was used to make a call (used as evidence in court
proceedings)
• It is used as an input to CAVE authentication
• It provides ANSI-41 validation and access probe timing
Figure 38-7: Electronic Serial Number (Source: http://wireless.agilent.com)
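The following Python script is an added example written for this edit; it is not part of the EC-Council module or of the NIST guide it cites. It covers the three identifier sections above (ICCID, IMEI and ESN): it splits each identifier into the fields the text describes, validates the Luhn check digit that ITU-T E.118 ICCIDs and 15-digit IMEIs carry, and decodes an ICCID from the nibble-swapped BCD layout in which a (U)SIM acquisition tool reads it out of the card's EF_ICCID file. The sample ICCID, IMEI and ESN values are constructed, the two-digit country-code length is a parameter (real country codes are 1 to 3 digits), and the 8-bit manufacturer-code layout for the ESN is an assumption (the module notes 8 to 14 bits).

```python
"""Identifier parsing for the ICCID, IMEI and ESN sections (added example).

Not EC-Council or NIST code. Field layouts used here:
  ICCID: '89' + country code + issuer id + account id + Luhn check digit (19-20 digits)
  IMEI:  8-digit TAC + 6-digit serial + Luhn check digit (15 digits)
  ESN:   32 bits, 8-bit manufacturer code + 24-bit serial (8-bit layout assumed;
         the module notes that manufacturer codes may also be 14 bits)
"""

# Constructed sample: ICCID 8944123456789012348 as a SIM stores it in EF_ICCID
# (10 bytes, two BCD digits per byte, low nibble first, 0xF padding).
SAMPLE_EF_ICCID = bytes.fromhex("984421436587092143F8")


def luhn_ok(digits: str) -> bool:
    """True if the final digit is a valid Luhn check digit for the string."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def decode_swapped_bcd(raw: bytes) -> str:
    """Decode nibble-swapped BCD (low nibble first, 0xF = padding) as used in
    SIM elementary files such as EF_ICCID."""
    out = []
    for b in raw:
        for nib in (b & 0x0F, b >> 4):
            if nib <= 9:          # 0xF padding (and any other non-digit) is dropped
                out.append(str(nib))
    return "".join(out)


def parse_iccid(iccid: str, country_code_len: int = 2) -> dict:
    """Split a printed ICCID into its fields.  The country code is 1-3 digits and
    the issuer/account split is operator-specific, so those widths are
    parameters/assumptions rather than something the number itself encodes."""
    if not iccid.isdigit() or len(iccid) not in (19, 20):
        raise ValueError("ICCID must be 19 or 20 decimal digits")
    if not iccid.startswith("89"):
        raise ValueError("industry identifier is not 89 (telecommunications)")
    return {
        "industry_id": iccid[:2],
        "country_code": iccid[2:2 + country_code_len],
        "issuer_and_account": iccid[2 + country_code_len:-1],
        "check_digit": iccid[-1],
        "luhn_valid": luhn_ok(iccid),
    }


def parse_imei(imei: str) -> dict:
    """Split a 15-digit IMEI into TAC, serial number and check digit."""
    if not imei.isdigit() or len(imei) != 15:
        raise ValueError("IMEI must be 15 decimal digits")
    return {
        "tac": imei[:8],
        "serial": imei[8:14],
        "check_digit": imei[14],
        "luhn_valid": luhn_ok(imei),
    }


def decode_esn(esn_hex: str) -> tuple:
    """Split a 32-bit ESN given as 8 hex digits into (manufacturer code, serial),
    assuming the 8-bit manufacturer-code layout."""
    value = int(esn_hex, 16)
    if value < 0 or value > 0xFFFFFFFF:
        raise ValueError("ESN must fit in 32 bits")
    return value >> 24, value & 0xFFFFFF


if __name__ == "__main__":
    iccid = decode_swapped_bcd(SAMPLE_EF_ICCID)
    print(iccid, parse_iccid(iccid))
    print(parse_imei("012345678901237"))   # constructed IMEI
    print(decode_esn("8A123456"))          # constructed ESN
```

A Luhn failure on a printed IMEI or ICCID usually means a transcription error in the examiner's notes rather than a forged identifier; that is the check worth running before an identifier goes into a report or a request to the network operator.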
Precautions to be Taken before Investigation
Every investigation requires criteria, and to achieve success or solve the case it is necessary to follow
certain guidelines and precautions while investigating. The precautions to be taken by an
investigator before investigating a cell phone are as follows:
• Handle cell phone evidence properly to preserve physical evidence such as fingerprints
• To avoid unwanted interaction with devices found at the scene, turn off wireless interfaces such
as Bluetooth and Wi-Fi radios
• Photograph the crime scene, including mobile phones, cables, cradles, power connectors,
removable media, and connections
• If the device's display is in a viewable state, photograph the screen's contents and, if
necessary, record them manually, capturing the time, service status, battery level, and other
displayed icons
• Collect other sources of evidence such as the (U)SIM, media, and other hardware in the phone, but do
not remove them from the device
• If the phone is in a cradle or connected to a PC with a cable, seize the phone together with the cable and
cradle, because unplugging the device from the computer may interrupt a data transfer or
overwrite synchronized data
• If a phone is found in a compromised state, such as immersed in a liquid, remove the battery
to prevent electrical shorting and seal the remainder of the mobile phone in a proper container
filled with the same liquid, provided it is not caustic
• Isolate the phone from the radio network, which keeps new traffic from overwriting the
existing data
• Isolate the phone from other synchronized devices, which keeps new data from affecting the
existing data
• Some mobile communication devices use alkaline batteries as a power source; replace such
batteries in transit to minimize the risk of data loss due to complete battery discharge
• The investigator should not perform any action that alters the data in evidence
• All actions, including seizure, access, storage, or transfer of evidence, must be fully
documented, preserved, and available for review
Points to Remember while Collecting the Evidence
Evidence gathering plays a major role in the investigation. The points to remember while collecting
the evidence are as follows:
1. If the device is “ON”, do not turn it “OFF”:
a. Cell phones have a locking feature that is activated as soon as the phone is switched OFF, so make sure
not to activate the lockout feature
b. Document the information present on the display of the cell phone. If possible, describe or
photograph what is shown on the display.
c. If the cell phone is not charged, it switches off once the battery runs low. To
prevent this, keep the battery charged and thus protect the evidence from tampering.
d. If you are not familiar with the device, make sure you do not press any key, as it can lead to
data loss from the mobile
2. If the device is “OFF”, leave it “OFF”:
a. Turning the device ON could alter the evidence on it, so do not switch ON the
mobile
b. When the battery is removed from a mobile device, some (though not all) of its content is lost,
which is a drawback. So, do not remove the battery from the device even if it is in the
OFF state. For example, consider a Nokia device: if the battery is removed, the
time/date is lost and has to be set on the device again. If the device is required
as evidence together with its call log, i.e., the time and date of each call, and the
battery is removed, that evidence is obviously lost.
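As an added illustration of the documentation requirement running through the two lists above (this is not code from the module), the following Python builds a seizure record holding the items the module says to capture from the handset and the scene, and a chain-of-custody log whose entries are SHA-256 chained, so that any later alteration, removal or reordering of a recorded action is detectable when the log is reviewed. The record fields, the class name CustodyLog, the JSON layout and all sample values (exhibit id, names, times, tool name) are this example's own constructed placeholders.

```python
"""Seizure record and hash-chained chain-of-custody log (added example).

The fields mirror the items the module says to photograph or record at the
scene; the JSON layout and SHA-256 chaining are this example's own design.
"""
import hashlib
import json

GENESIS = "0" * 64   # prev_hash of the first entry


def _digest(obj) -> str:
    # Canonical JSON so a record always hashes the same way regardless of key order.
    data = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def seizure_record(item_id, seized_at, power_state, display_contents, device_time,
                   service_status, battery_level, radios_off, network_isolated,
                   accessories, photo_refs) -> dict:
    """Snapshot of the handset as found, before anything is touched."""
    return {
        "item_id": item_id,
        "seized_at": seized_at,            # ISO-8601 timestamp from the scene clock
        "power_state": power_state,        # "ON" / "OFF" as found
        "display_contents": display_contents,
        "device_time": device_time,        # time shown on the handset itself
        "service_status": service_status,
        "battery_level": battery_level,
        "radios_off": radios_off,          # Bluetooth / Wi-Fi disabled at seizure?
        "network_isolated": network_isolated,
        "accessories": accessories,        # cables, cradle, media seized with it
        "photo_refs": photo_refs,
    }


class CustodyLog:
    """Append-only log; each entry carries the hash of the previous one."""

    def __init__(self, seizure: dict, recorded_by: str):
        self.entries = []
        self._append("seizure", recorded_by, seizure["seized_at"], seizure)

    def _append(self, action, by, when, details):
        entry = {
            "seq": len(self.entries),
            "action": action,
            "by": by,
            "when": when,
            "details": details,
            "prev_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        entry["entry_hash"] = _digest(entry)
        self.entries.append(entry)
        return entry

    def transfer(self, from_person, to_person, when, purpose):
        return self._append("transfer", from_person, when,
                            {"to": to_person, "purpose": purpose})

    def access(self, by, when, tool, purpose):
        return self._append("access", by, when, {"tool": tool, "purpose": purpose})

    def verify(self) -> bool:
        """Recompute every hash; False if any entry was altered, reordered or removed."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["seq"] != i or e["prev_hash"] != prev or _digest(body) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def build_sample_log() -> CustodyLog:
    """Constructed scenario: handset found ON, photographed, isolated, handed over."""
    seizure = seizure_record(
        item_id="EXHIBIT-PLACEHOLDER-01", seized_at="2007-05-02T10:42:00",
        power_state="ON", display_contents="home screen, 1 unread SMS icon",
        device_time="2007-05-02 10:41", service_status="no service (shielded)",
        battery_level="3 of 4 bars", radios_off=True, network_isolated=True,
        accessories=["USB cable", "desk cradle"], photo_refs=["IMG_0001.jpg"],
    )
    log = CustodyLog(seizure, recorded_by="first responder (placeholder)")
    log.transfer("first responder (placeholder)", "evidence custodian (placeholder)",
                 "2007-05-02T14:05:00", "transport to laboratory")
    log.access("examiner (placeholder)", "2007-05-03T09:00:00",
               "SIM acquisition tool (placeholder)", "logical acquisition of (U)SIM")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print(json.dumps(log.entries, indent=2), "\nintact:", log.verify())
```

The chain only proves that the log was not edited after the fact; it does nothing for entries that were never written, which is why every seizure, access, storage and transfer step must be appended at the time it happens.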
Acquire the Information
Source: http://csrc.nist.gov/
Acquiring data at the scene avoids loss of information due to battery depletion, damage during
transportation, and storage. However, because of the lack of a controlled setting, appropriate equipment, and other
prerequisites, this is often not possible at the scene; it can instead be achieved in a laboratory
setting.
Try to acquire the data from images of the evidence, such as SIM cards, or directly from the mobile device
itself. Use data acquisition tools such as SIM Card Data Recovery and SIMCon to recover data from the
evidence (SIM cards), which is often easy and beneficial.
Acquire Data from SIM Cards
Source: http://csrc.nist.gov/
The SIM contains important information for the forensic investigation, such as:
• Service-related information such as unique identifiers for the (U)SIM, the Integrated Circuit Card
Identification (ICCID), and for the subscriber, the International Mobile Subscriber Identity (IMSI)
• Phonebook and call information such as Abbreviated Dialling Numbers (ADN) and Last Numbers
Dialled (LND)
• Messaging information, including SMS, EMS, and multimedia messages
• Location information, including Location Area Information (LAI) for voice communications and
Routing Area Information (RAI) for data communications
To access the SIM, a PIN (Personal Identification Number) is required. Failure to enter a valid PIN
in three attempts blocks the card, after which an 8-digit PUK (Personal Unlock Number) must be entered;
this 8-digit number is provided by the network operator and cannot be changed by the user. If the
user fails to enter the correct PUK in 10 attempts, the SIM is disabled permanently. So, in order to preserve
the information present in the SIM, the investigator should ask the network operator for the PUK to gain
access to it.
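The PIN/PUK rule just stated is a failure mode worth modelling before a real card is touched, because the cost of a wrong guess is not recoverable. The Python below is an added example, not code from the module or NIST: a small state machine with the attempt limits from the text (3 PIN attempts, then a PUK; 10 PUK failures disable the card for good), so an examiner can see how few wrong entries separate a readable SIM from a permanently dead one. The class and state names, and the sample PIN/PUK values, are this example's own.

```python
"""Model of the SIM PIN/PUK retry counters (added example, not from the module).

Attempt limits (3 PIN, 10 PUK) and the 8-digit PUK come from the text above;
the class and state names are this example's own.  It exists so the cost of a
wrong guess can be reasoned about before a real card is touched.
"""


class SimAccess:
    PIN_ATTEMPTS = 3
    PUK_ATTEMPTS = 10

    def __init__(self, pin: str, puk: str):
        if len(puk) != 8 or not puk.isdigit():
            raise ValueError("PUK is an 8-digit number")
        self._pin = pin
        self._puk = puk
        self.pin_remaining = self.PIN_ATTEMPTS
        self.puk_remaining = self.PUK_ATTEMPTS
        self.state = "pin_required"   # pin_required | open | blocked | disabled

    def verify_pin(self, candidate: str) -> bool:
        """One PIN attempt.  Three failures block the card (PUK required)."""
        if self.state == "disabled":
            raise RuntimeError("SIM permanently disabled; nothing more can be read")
        if self.state == "blocked":
            raise RuntimeError("PIN blocked; the PUK from the network operator is needed")
        if self.state == "open":
            return True
        if candidate == self._pin:
            self.state = "open"
            self.pin_remaining = self.PIN_ATTEMPTS
            return True
        self.pin_remaining -= 1
        if self.pin_remaining == 0:
            self.state = "blocked"
        return False

    def unblock_with_puk(self, candidate: str, new_pin: str) -> bool:
        """One PUK attempt on a blocked card.  Ten failures disable it for good."""
        if self.state == "disabled":
            raise RuntimeError("SIM permanently disabled")
        if self.state != "blocked":
            raise RuntimeError("PUK only applies to a blocked card")
        if candidate == self._puk:
            self._pin = new_pin           # a successful PUK sets a fresh PIN
            self.pin_remaining = self.PIN_ATTEMPTS
            self.puk_remaining = self.PUK_ATTEMPTS
            self.state = "open"
            return True
        self.puk_remaining -= 1
        if self.puk_remaining == 0:
            self.state = "disabled"
        return False


def simulate_wrong_attempts(card: SimAccess, pin_guesses, puk_guesses) -> str:
    """Feed a sequence of entries to the model and report where the card ends up."""
    for g in pin_guesses:
        if card.state != "pin_required":
            break
        card.verify_pin(g)
    for g in puk_guesses:
        if card.state != "blocked":
            break
        card.unblock_with_puk(g, "0000")
    return card.state


if __name__ == "__main__":
    # Constructed values: three wrong PINs, then ten wrong PUKs.
    print(simulate_wrong_attempts(SimAccess("1234", "12345678"),
                                  ["0000", "1111", "2222"], ["00000000"] * 10))
```

The model makes the module's advice concrete: with the card blocked after the third wrong PIN, the only non-destructive path is the operator-supplied PUK, and an examiner should record the remaining-attempt counters from the acquisition tool before entering anything at all.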
Acquire Data from Unobstructed Mobile Devices
Source: http://csrc.nist.gov/
An unobstructed device is one that does not require a password or other authentication
technique to access the device and perform an acquisition. They typically refer to devices that are shut
off and require successful authentication to gain access. Examples: CDMA phones, freestanding (U)SIMs,
and GSM phones containing a (U)SIM.
Steps to acquire data from these devices are as follows:
• Note down the time and date on the phone that is used as evidence
• Check the contacts, call logs, SMS, and other entries
• Use data recovery tools such as Cell Phone Analyzer to recover deleted information
from the device
• Recover the information from such devices using the following techniques:
o Ask the victim or suspect for the PIN
o Review the seized non-electronic materials such as notes or printouts
o Contact the service provider
o Contact the device manufacturer and service provider for information on known backdoors
and vulnerabilities that might be exploited
o Contact device maintenance and repair companies, as well as commercial organizations
that provide architecture information on handheld device products
o Use forensic tools such as Cell Phone Analyzer
o Use data recovery tools such as SIM Analyzer and SIMCon
Memory Considerations in Mobiles
Source: http://csrc.nist.gov/
A mobile phone has memory that is either volatile or non-volatile in nature, and the size of this
memory depends upon the model of the cell phone. It stores several kinds of data, including:
• Operating system code
• Kernel
• Device drivers
• System libraries
• Memory for executing operating system applications
• Storage for, and execution of, user applications loaded onto the device
• Text
• Image, audio, and video
• Other data files, including PIM application data
In certain phones, memory is divided into areas dedicated to particular data such as the call log, phonebook
entries, messages, and calendar entries, while an amount of memory is set aside for common sharing of
information (assigned dynamically from a common shared pool of memory).
Acquire Data from Memory Cards
Source: http://csrc.nist.gov/
Removable media extends the storage capacity of mobile phones, allowing individuals to store additional
files beyond the device's built-in capacity and to share data between compatible devices. Mobile phones
support Secure Digital (SD), MultiMedia Cards (MMC), and other types of removable media containing
significant amounts of data.
Recover the data from removable media and memory cards with the use of a media reader and Memory
Card Data Recovery. The various types of memory cards and their characteristics are given below:
• Compact Flash Card (CF)
o Matchbook size (length 36.4 mm, width 42.8 mm, thickness 3.3 mm for Type I cards and 5 mm for Type II cards)
o 50-pin connector, 16-bit data bus
• MMCplus (compatible with original MultiMedia Card or MMC)
o Postage stamp size (length 32 mm, width 24 mm, thickness 1.4 mm)
o 13-pin connector, 1-, 4-, or 8-bit data bus
o (7-pin connector, 1-bit data bus, MMC compatibility)
• MMCmobile (compatible with original Reduced Size MMC or RS-MMC)
o Thumbnail size (length 18 mm, width 24 mm, thickness 1.4 mm)
o 13-pin connector, 1-, 4-, or 8-bit data bus
o (7-pin connector, 1-bit data bus, RS-MMC compatibility)
o Requires a mechanical adapter to be used in a full size MMCplus slot
• MMCmicro
o Contact lens size (length 14 mm, width 12 mm, thickness 1.1 mm)
o 10-pin connector, 1- or 4-bit data bus
o Requires a mechanical adapter to be used in a full size MMCplus slot
• Secure Digital (SD) Card
o Postage stamp size (length 32 mm, width 24 mm, thickness 2.1 mm)
o 9-pin connector, 1- or 4-bit data bus
o Features a mechanical erasure-prevention switch
• MiniSD Card
o Thumbnail size (length 21.5 mm, width 20 mm, thickness 1.4 mm)
o 9-pin connector, 1- or 4-bit data bus
o Requires a mechanical adapter to be used in a full size SD slot
• MicroSD (formerly Transflash)
o Contact lens size (length 15 mm, width 11 mm, thickness 1 mm)
o 6-pin connector, 1- or 4-bit data bus
o Requires a mechanical adapter to be used in a full size SD slot
• Memory Stick
o Chewing gum stick size (length 50 mm, width 21.45 mm, thickness 2.8 mm)
o 10-pin connector, 1-bit data bus
o Features a mechanical erasure-prevention switch
• Memory Stick Duo
o Partial chewing gum stick size (length 31 mm, width 20 mm, thickness 1.6 mm)
o 10-pin connector, 4-bit data bus
o Features a mechanical erasure-prevention switch
o Requires a mechanical adapter to be used in a full size Memory Stick slot
• Memory Stick Micro
o Contact lens size (length 12.5 mm, width 15 mm, thickness 1.2 mm)
o 11-pin connector, 4-bit data bus
o Requires a mechanical adapter to be used in a full size Memory Stick slot
Table 38-3: Types of memory cards
Acquire Data from Synched Devices
Source: http://csrc.nist.gov/
Mobile phones are synchronized with a computer system in order to resolve differences in certain
data. It is similar to maintaining a backup of the information residing on the cell phone.
Though it is an advantage to the user, it is a drawback for the culprit. A significant amount of the evidence on
a mobile phone may also be present on the suspect's laptop or personal computer (as it is synchronized with
the device), so search there for evidence including contacts, SMS, email details, images, and videos.
Gather Data from Network Operator
Source: http://www.soc.staffs.ac.uk/
Gather detailed information from the network operator, including calls made/received, message traffic,
data transferred, and connection location/timing.
According to www.searchnetworking.techtarget.com, “Home Location Register (HLR) is the main
database of permanent subscriber information for a mobile network”. It provides:
• Customer's name and address
• Billing name and address (if other than the customer)
• User's name and address (if other than the customer)
• Billing account details
• Telephone number (MSISDN)
• IMSI
• SIM serial number (as printed on the SIM card)
• PIN/PUK for the SIM
• Subscriber services allowed
 Check Call Data Records (CDRs)
A call data record (CDR) is the computer record of all call and SMS activity produced by the telephone
exchange. CDR files are held at the Mobile Switching Center (MSC), and each record contains information
about:
 Originating MSISDN
 Terminating MSISDN
 Originating and terminating IMEI
 Initial serving base station (BTS)
 Connection time
 Time when the call was disconnected
 Disconnecting reason
 DLCI (Data Link Connection Identifier) field to identify the originating PRI, and the bearer (B)
channel used
Table 38-4: Call data record
 Analyze the Information
Source: http://csrc.nist.gov/
The information on the cell phone should be analyzed in various ways so that it can be used in the further
investigation. The information that can be analyzed is as follows:
 Subscriber and equipment identifiers
 Date/time, language, and other settings
 Phonebook information
 Appointment calendar information
 Text messages
 Dialed, incoming, and missed call logs
 Electronic mail
 Photos
 Audio and video recordings
 Multi-media messages
 Instant messaging and web browsing activities
 Electronic documents
 Location information
Steps to analyze the above information are as follows:
 Identify the individuals who created, modified, or accessed a file: A cell phone is normally used
and accessed by a single person, but it can be misused by others, so it is necessary to identify
who created a particular file and who later modified or accessed it
 Determine when events occurred by analyzing call logs, the date/time, and the content of messages
and email: Establish the date and time at which each event occurred by checking the time a
message was sent or received and the time and duration of each call (whether it is a missed,
dialed, or received call)
 Track the timeline of the events: Once the time of each event is known, arrange the events in order
and relate them to one another so as to identify the culprit
 Recover the hidden information: Information such as SMS and call logs is often deleted for
confidentiality, but it can be extracted with the help of tools that recover deleted information
 If entries such as SMS, contacts, and emails are encrypted, use cryptanalysis tools such as crank:
Users encrypt information such as SMS, contacts, emails, email IDs, and recordings to secure it;
cryptanalysis tools such as crank can decrypt it, thus revealing the information
 Use password cracking tools such as Hydra to read password-protected information: Users
password-protect their cell phones to hide information or to protect the phone from misuse; such
tools are used to get at the protected information
 Try to find out the geographical location of the attacker: A cell phone has the GPRS feature,
which allows the user to trace the attacker and can help in tracking the attacker’s geographical
location
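The following Python script is an added example and is not part of the module or of any vendor tool; it shows how the CDR fields listed under "Check Call Data Records" are turned into the subscriber timeline that the analysis steps above call for. The CDR rows are constructed sample data with assumed column names (real operator exports differ by carrier and switch vendor). The last function looks for a subscriber number (MSISDN) that suddenly originates traffic from a different handset (IMEI), which is the comparison an investigator makes when a suspect claims that someone else used his SIM card.

```python
"""Build a timeline from call data records (CDRs) and flag handset changes.

Added example, not part of the CHFI module or any operator system. The CDR rows
are constructed sample data; the column names are assumptions, since real
operator exports differ by carrier and switch vendor.
"""
from collections import defaultdict
from datetime import datetime

# Constructed CDR export with the fields the module lists for an MSC record.
SAMPLE_CDRS = """\
orig_msisdn,term_msisdn,orig_imei,term_imei,bts,connect_time,disconnect_time,reason
27820000001,27820000002,35000000000001,35000000000002,BTS-101,2007-05-01 08:15:02,2007-05-01 08:17:40,normal
27820000001,27820000003,35000000000001,35000000000003,BTS-101,2007-05-01 09:02:11,2007-05-01 09:02:11,sms
27820000001,27820000004,35000000000009,35000000000004,BTS-250,2007-05-01 23:41:30,2007-05-01 23:41:30,sms
27820000002,27820000001,35000000000002,35000000000001,BTS-102,2007-05-02 07:05:00,2007-05-02 07:06:15,normal
"""

TIME_FMT = "%Y-%m-%d %H:%M:%S"

def parse_cdrs(text):
    """Parse a CSV CDR export into dicts with datetime fields and a call duration."""
    lines = [line for line in text.strip().splitlines() if line.strip()]
    header = lines[0].split(",")
    records = []
    for line in lines[1:]:
        row = dict(zip(header, line.split(",")))
        row["connect_time"] = datetime.strptime(row["connect_time"], TIME_FMT)
        row["disconnect_time"] = datetime.strptime(row["disconnect_time"], TIME_FMT)
        row["duration_s"] = int((row["disconnect_time"] - row["connect_time"]).total_seconds())
        records.append(row)
    return records

def timeline_for(records, msisdn):
    """Every event in which the number took part, oldest first."""
    events = [r for r in records if msisdn in (r["orig_msisdn"], r["term_msisdn"])]
    return sorted(events, key=lambda r: r["connect_time"])

def imeis_per_msisdn(records):
    """Map each originating MSISDN to the set of handsets (IMEIs) it was used in."""
    seen = defaultdict(set)
    for r in records:
        seen[r["orig_msisdn"]].add(r["orig_imei"])
    return dict(seen)

def find_handset_changes(records):
    """List (msisdn, new_imei, time, bts) wherever a subscriber number originates
    traffic from a different handset than in its previous record. This is the
    comparison to make when a suspect claims that someone else used his SIM card."""
    changes, last_imei = [], {}
    for r in sorted(records, key=lambda r: r["connect_time"]):
        msisdn, imei = r["orig_msisdn"], r["orig_imei"]
        if msisdn in last_imei and last_imei[msisdn] != imei:
            changes.append((msisdn, imei, r["connect_time"], r["bts"]))
        last_imei[msisdn] = imei
    return changes

if __name__ == "__main__":
    recs = parse_cdrs(SAMPLE_CDRS)
    for r in timeline_for(recs, "27820000001"):
        print(r["connect_time"], r["orig_msisdn"], "->", r["term_msisdn"],
              r["reason"], f"{r['duration_s']}s", r["bts"])
    for msisdn, imei, when, bts in find_handset_changes(recs):
        print(f"{msisdn}: traffic from new handset IMEI {imei} at {when} (cell {bts})")
```

In the sample data the third record shows number 27820000001 sending an SMS from a handset with a different IMEI late at night from a different cell; on its own that proves nothing, but it is exactly the record to put beside the handset's own SMS logs and the HLR subscriber details when weighing a "someone took my SIM card" explanation.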
Cell Phone Forensics Tools
 SIM Analyzer
Source: http://cpa.datalifter.com/
SIM Analyzer is a cell phone forensics tool that recovers the contents of SIM cards from different mobiles.
It recovers:
 Last number dialed, abbreviated dialing numbers
 Active and deleted text (SMS) messages
 All the general files found in the Telecom group as defined in the GSM 11.11v6 standards
Figure 38-8: SIM Analyzer Screenshot
 SIMCon – SIM Card Recovery
Source: http://www.simcon.no/
SIMCon is a program that allows the user to securely image all files on a GSM/3G SIM card to a computer
file using the SIMCon forensic SIM card reader. The user can subsequently analyze the contents of the card,
including stored numbers and text messages.
Features of SIMCon are as follows:
 Read all available files on a SIM card and store in an archive file
 Analyze and interpret content of files including text messages and stored numbers
 Recover deleted text messages stored on the card but not readable on phones
 Manage PIN and PUK codes
 Compatible with SIM and USIM cards
 Print report that can be used as evidence based on user selection of items
 Secure file archive using MD5 and SHA1 hash values
 Export items to files that can be imported in popular spreadsheet programs
 Support international charsets 
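Several of the tools in this section (SIMCon, Device Seizure, CellDEK, SIMIS 3G, the UFED) advertise MD5 and SHA-1 hashing of the acquired files. The following Python script is an added example, not code from SIMCon or any other product named here; it shows the integrity procedure itself: hash every acquisition file when it is produced, record the digests in a manifest, and re-hash later to show that nothing changed. The two "acquisition files" are constructed in a temporary directory, and the manifest format (one line per file, names assumed to contain no spaces) is this example's own.

```python
"""Hash manifest for acquired evidence files (MD5 + SHA-1).

Added example; not code from SIMCon or any other tool on this page. It shows
the integrity step those tools describe: hash each acquisition file when it is
produced, record the digests in a manifest, and re-hash later to prove the
files are unchanged. Filenames in the manifest are assumed to contain no spaces.
"""
import hashlib
import io
import os
import tempfile

ALGORITHMS = ("md5", "sha1")

def hash_stream(fileobj):
    """Stream the data through every hash at once so large images need not fit in memory."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for chunk in iter(lambda: fileobj.read(1 << 16), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def hash_bytes(data):
    return hash_stream(io.BytesIO(data))

def hash_file(path):
    with open(path, "rb") as f:
        return hash_stream(f)

def build_manifest(paths):
    """{basename: {"md5": ..., "sha1": ...}} for every acquisition file."""
    return {os.path.basename(p): hash_file(p) for p in paths}

def write_manifest(manifest, path):
    with open(path, "w") as f:
        for name in sorted(manifest):
            f.write(f"{name} md5={manifest[name]['md5']} sha1={manifest[name]['sha1']}\n")

def read_manifest(path):
    manifest = {}
    with open(path) as f:
        for line in f:
            name, *digests = line.split()
            manifest[name] = dict(d.split("=", 1) for d in digests)
    return manifest

def verify_manifest(manifest, directory):
    """Return {filename: True/False}; False on any digest mismatch or a missing file."""
    results = {}
    for name, expected in manifest.items():
        path = os.path.join(directory, name)
        results[name] = os.path.isfile(path) and hash_file(path) == expected
    return results

def demo():
    """Constructed run: two fake acquisition files, one of which is altered
    after the manifest is written. Returns (results_before, results_after)."""
    with tempfile.TemporaryDirectory() as d:
        sim_img = os.path.join(d, "sim_image.bin")
        sms_csv = os.path.join(d, "sms_export.csv")
        with open(sim_img, "wb") as f:
            f.write(bytes(range(256)) * 4)          # made-up "card image"
        with open(sms_csv, "w") as f:
            f.write("index,status,text\n1,read,hello\n")
        manifest_path = os.path.join(d, "manifest.txt")
        write_manifest(build_manifest([sim_img, sms_csv]), manifest_path)
        before = verify_manifest(read_manifest(manifest_path), d)
        with open(sms_csv, "a") as f:
            f.write("2,read,added later\n")         # simulated tampering
        after = verify_manifest(read_manifest(manifest_path), d)
    return before, after

if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

Both digests are computed in a single pass and checked together; a file passes only if every recorded digest matches, so a collision against one algorithm alone is not enough to slip an altered file past the check. In practice the manifest is stored and signed separately from the evidence files it describes.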
Figure 38-9: SIMCon Screenshot
 SIM Card Data Recovery Software
Source: http://www.datadoctor.in/
SIM Card Data Recovery Software recovers accidentally deleted data from mobile phone SIM cards. It
provides a full backup of the cell phone’s erased SIM memory. For recovery, the user needs a Phoenix-type
USB SIM card reader or a PC/SC standards-based SIM card reader and a PC running a Microsoft Windows
operating system.
Features of SIM Card Data Recovery Software are as follows:
 Retrieves all deleted contact numbers (phone numbers), unreadable messages, and corrupt phone
book directories
 Undeletes viewed and unread inbox text messages, outbox messages, drafts, saved favorite text
messages, and sent items that have been deleted from SIM card memory
 Provides full details about the SIM card, such as its provider and ICC-ID
 Supports recovery on Windows XP, 2003, XP Media Center 2005, Longhorn, Vista, 2000, NT,
ME, and 98
 It is a read-only and non-destructive SIM card data recovery utility
 Print option provides recovered data on paper in text format
 Software also shows the provider name and ICC identification number of SIM card
 Utility provides full backup of corrupt or damaged SIM card memory
Figure 38-10: SIM Card Data Recovery Software
 Memory Card Data Recovery
Source: http://www.datadoctor.in
Memory Card Data Recovery recovers lost or deleted pictures, images and photos, formatted audio/video
files and folders, and encrypted data from corrupted memory card storage devices. It can restore and
retrieve accidentally deleted, damaged, formatted, or erased picture, image, photo, audio, and video
files even if the media is corrupted and cannot be accessed, or if the memory card was pulled out while
the camera or other device was on.
Features of Memory Card Data Recovery are as follows:
 Reveals missing files and directories lost due to battery failure, formatting, or corruption caused by
hardware or software malfunction
 Restores wav, mpg, mpeg, mp3, jpg, jpeg, bmp, midi, and similar media files
 Supports all major memory card devices including compact flash, multimedia card, secure digital
card, PDA, Pocket PC drive, external mobile phone storage card, and other similar flash drives
 Compatible with all major memory card brands such as Kodak, Konica, Minolta, Nikon, Ricoh,
Samsung, Sony, Toshiba, etc.
 Supports all types of USB memory card reader
 Supports memory cards of all major storage capacities including 128MB, 256MB, 512MB, 1GB,
2GB, 4GB, and higher
Figure 38-11: Memory Card Data Recovery
 Device Seizure
Source: http://www.paraben-forensics.com
Device Seizure is a digital forensics tool that supports GSM SIM cards with the use of a SIM card reader. It
acquires and analyzes data from over 1,950 mobile phones, PDAs, and GPS devices, including iPhones.
Features of Device Seizure are as follows:
 30 plug-ins for the acquisition and analysis of 15 types of devices including cell phones,
Smartphones, PDAs, GPS devices, and SIM cards
 Support of more than 1,900 devices
 USB and serial support
 Verification of file integrity using MD5 and SHA1 hash values
 Deleted data recovery
 Encrypted image files to guarantee image integrity
 Built-in file viewing of proprietary files
 Built-in searching and bookmarking
 Text and Hex viewing options available for data
 Analyzes PDA data files stored on PCs
 Built-in Palm password recovery
 Windows CE registry viewer
 Acquires complete GSM SIM card information including deleted data
 Full flash download for certain models of cell phones
 Image viewing for graphic information, including data carving for multi-media files for most
devices
 Import of databases acquired with PDA Seizure, Cell Seizure, and SIM Card Seizure
Figure 38-12: Device Seizure Screenshot
 SIM Card Seizure
Source: http://www.paraben-forensics.com
SIM Card Seizure recovers deleted SMS/text messages and performs comprehensive analysis of SIM card
data. It takes the SIM card acquisition and analysis components from Paraben’s Device Seizure and puts them
into a specialized SIM card forensic acquisition and analysis tool. It includes the software as well as a
forensic SIM card reader.
Features of SIM Card Seizure are as follows:
 Forensic SIM card reader included
 Calculates MD5 & SHA1 Hash values
 Recovers deleted SMS data
 Extracts data from the SIM card:
 SST: SIM service table
 ICCID: serial number
 LP: preferred languages (variable)
 SPN: service provider name
 MSISDN: subscriber phone number and short dial number
Figure 38-13: SIM Card Seizure Screenshot
 Cell Phone Analyzer
Source: http://cpa.datalifter.com/
Cell Phone Analyzer is a cell phone forensics tool that recovers deleted items. It is a data interpreter for
cell phone flash files, built to fill the gap in current mobile phone analysis tools.
Features of Cell Phone Analyzer are as follows:
 Process BlackBerry IPD files - includes date and time support for Call logs, Email and Hotlists
 Nokia - both PM (Permanent memory) and Full flash support
 Motorola
 Samsung
 Sony Ericsson
 SIM card analysis
 Create "Safety SIM"(TM) to preserve call log data and keep the phone off the network
 LIVE Video capture support
 Oxygen Forensic Suite
Source: http://www.oxygen-forensic.com/
Oxygen Forensic Suite is mobile forensic software that goes beyond standard logical analysis of cell
phones, Smartphones, and PDAs. It recovers:
 Basic phone information and SIM card data
 Contacts list (including mobile, wireline, fax numbers, postal addresses, contact photos, and other
contact information)
 Missed/Outgoing/Incoming calls
 SIM card data
 Caller Groups information
 Organizer (calendar meetings, appointments, memos, call reminders, anniversaries and
birthdays, to-do tasks)
 Text notes
 SMS Messages (messages, log, folders, deleted messages with some restrictions)
 Multimedia Messages (log only)
 E-mail Messages (e-mails log and folders)
 GPRS, EDGE, CSD, HSCSD, and Wi-Fi traffic and sessions log
 Photos and gallery images
 Video clips and films
 Voice records and audio clips
 All files from phone memory as well as from flash card, including installed applications and their
data
 FM Radio Stations database (as a part of File Browser)
 Lifeblog activity: all main events with geographical coordinates
Figure 38-14: Oxygen Forensic Suite Screenshot
 BitPim
Source: http://www.bitpim.org/
BitPim is a program that allows viewing and manipulating data on many CDMA phones from LG,
Samsung, Sanyo, and other manufacturers. This data includes the Phonebook, Calendar, Wallpapers,
Ringtones, and the File system for most Qualcomm CDMA chipset-based phones.
Figure 38-15: BitPim Screenshot
 MOBILedit! Forensic
Source: http://www.mobiledit.com/
MOBILedit! Forensic is forensic software for mobile phone investigations. It collects all possible data
from the mobile phone and generates an extensive report onto a PC that can be stored or printed. It has
changed the way the evidence is obtained and presented.
Features of MOBILedit! Forensic are as follows:
 Analyze phones via Bluetooth, IrDA, or cable connection
 Analyze phonebook, last dialed numbers, missed calls, received calls, SMS messages, multimedia
messages, photos, files, phone details, calendar, notes, tasks, and more
 Large quantity of phones supported
 Frequent updates and upgrades with new features and more phones
 Direct SIM analyzer through SIM readers
 Reads deleted messages from the SIM card
 Reports Generator based on your templates
 Print reports ready for courtroom
 Reports generated in any language
 Make backup now and reports when needed
 Manual investigation mode
 Secure and tamper-proof using MD5 hash
 Compliant with Word or any other RTF editor
 View formatted reports in browser including original pictures
 Exports to Word, Excel/XLS, browser, XML/XSL
 Complete solution including specific phone cables and SIM readers
 XML export - seamlessly connect MOBILedit! Forensic data with other systems
 Preferred/forbidden networks
 Hex dump viewer
 Free access to forensic forum
Figure 38-16: MOBILedit Screenshot
 PhoneBase
Source: http://www.phonebase.info/
PhoneBase is a mobile phone analysis system that extracts data from any standard SIM card using a SIM
card reader. It recovers the contents of SIM cards and phone memories, including lists of phone numbers and
associated names, recently made calls, and text messages.
Features of PhoneBase are as follows:
 Minimal handling of Telephone equipment
 Extracts data from any standard SIM card using a SIM Card Reader.
 Reads phone memory using the optional Phone memory module
Figure 38-17: PhoneBase Screenshot
 Secure View
Source: http://mobileforensicsnew.susteen.com/
Secure View for Forensics is the software and hardware solution that provides law enforcement, corporate
security, and forensics consultants with logical data extraction of the content stored in the mobile phone.
For investigators, it provides easy access to vital information in seconds without the need to wait for crime
reports. It acquires cell phone data via USB, Bluetooth, IrDA, and SIM Card Reader.
It acquires:
 Serial numbers: IMEI (for GSM phones) and ESN (for CDMA phones)
 Recent Calls: Received Calls, Dialed Calls, & Missed Calls
 Contacts (internal phone memory, as well as SIM card on supported GSM phones)
 Calendar and To Do lists
 Pictures & Wallpapers
 Ringtones & Music
 Video & Movies
Figure 38-18: Secure View for Forensics Screenshot
 XACT
Source: http://www.msab.com/
XACT is a tool that performs physical data investigations of confiscated phones and allows recovery
of deleted information.
Features of XACT are as follows:
 It allows you to acquire data from locked phones
 It recovers deleted SMS from the SIM card as well as other information
 It recovers deleted information
Figure 38-19: XACT Tool Screenshot
 CELLDEK
Source: http://www.forensic.gov.uk
CellDEK is a portable handset data extraction kit designed for use at the scene of a crime and in all
working environments associated with ongoing investigations. It can access, read, and copy stored data
from GSM, CDMA, TDMA, and iDEN handsets, SIM cards, PDAs, and 15 types of flash cards.
Features:
 Extracts handset time and date, serial numbers (IMEI, IMSI), dialed calls, missed calls, received
calls, phonebook (both handset and SIM), SMS (both handset and SIM), deleted SMS from SIM,
calendar, memos, and to do lists
 Built-in SIM card reader and SIM card-reading software
 Data extraction from GSM, CDMA, TDMA, and iDen devices
 Data produced in XML format enabling database import
 Provides HTML reports (printable at the scene)
 In-built MD5 functionality to prevent data manipulation
 Connection and control of external jammer to prevent loss of data
 Time-stamped forensic audit trail records data sent and received from target device
Figure 38-20: CellDEK Tool Screenshot
 Forensic Card Reader (FCR)
Source: http://www.bkforensics.com/
The Forensic Card Reader (FCR) provides a forensically clean method of extracting data from a SIM
card. With its patented reading heads and software, the FCR accesses areas beyond the reach of standard SIM
readers.
It does not alter any data, including the date and time stamps of SMS and the read/unread tags. It reads
SMS that are flagged as deleted.
It reads the following entries on a SIM card:
 ICC-ID
 IMSI
 ADN
 FDN (Fixed Dialing Numbers)
 Hidden entries
 LND
 MSISDN
 Deleted SMS
 TMSI (Temporary Mobile Subscriber Identity)
 LAI information indicating a cell or a set of cells
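The entries the FCR lists, and the "general files found in the Telecom group as defined in GSM 11.11" that SIM Analyzer recovers, are elementary files (EFs) stored on the card in fixed binary layouts. The following Python script is an added example, not code from either tool; it decodes four of those files from their raw bytes: EF_ICCID, EF_IMSI, EF_LOCI (which yields the TMSI and the LAI), and one EF_SMS record. All byte strings are constructed test data in the on-card layout (swapped-nibble BCD, 0xFF padding) with made-up subscriber values. The SMS record shows why "deleted" messages are recoverable from a SIM: the handset only clears the record's status byte to 0x00, and the message bytes stay in place until the slot is reused. Only the letters, digits and space of the GSM 7-bit alphabet are decoded here; the full GSM 03.38 table is not included.

```python
"""Decode raw GSM 11.11 SIM elementary files: EF_ICCID, EF_IMSI, EF_LOCI, EF_SMS.

Added example, not code from SIM Analyzer, the Forensic Card Reader or any other
tool on this page. All sample bytes are constructed test data laid out the way the
card stores them (swapped-nibble BCD, 0xFF padding); the subscriber values are made up.
"""

def swapped_bcd(data):
    """Decode swapped-nibble BCD (low nibble first); 0xF nibbles are padding."""
    out = []
    for b in data:
        for nib in (b & 0x0F, b >> 4):
            if nib != 0xF:
                out.append("0123456789*#abc"[nib])
    return "".join(out)

def decode_iccid(ef):
    """EF_ICCID (2FE2): 10 bytes holding 19 or 20 digits."""
    return swapped_bcd(ef)

def decode_imsi(ef):
    """EF_IMSI (6F07): length byte; first digit in the high nibble of the next byte
    (its low nibble carries the parity bit b4); remaining digits as swapped BCD."""
    body = ef[1:1 + ef[0]]
    odd = bool(body[0] & 0x08)
    digits = str(body[0] >> 4) + swapped_bcd(body[1:])
    if (len(digits) % 2 == 1) != odd:
        raise ValueError("IMSI parity bit does not match digit count")
    return digits

def decode_loci(ef):
    """EF_LOCI (6F7E): TMSI(4) | LAI = MCC/MNC(3) + LAC(2) | TMSI TIME(1) | status(1)."""
    b0, b1, b2 = ef[4], ef[5], ef[6]
    mcc = f"{b0 & 0xF}{b0 >> 4}{b1 & 0xF}"
    mnc = f"{b2 & 0xF}{b2 >> 4}" + ("" if b1 >> 4 == 0xF else str(b1 >> 4))
    status = {0: "updated", 1: "not updated", 2: "PLMN not allowed",
              3: "LA not allowed"}.get(ef[10] & 0x07, "reserved")
    return {"tmsi": ef[0:4].hex(), "mcc": mcc, "mnc": mnc,
            "lac": int.from_bytes(ef[7:9], "big"), "status": status}

SMS_STATUS = {0x00: "free (deleted)", 0x01: "read", 0x03: "unread",
              0x05: "sent", 0x07: "unsent"}

def unpack_7bit(data, septets):
    """Unpack GSM 03.38 7-bit user data. Letters, digits and space coincide with
    ASCII; the rest of the default alphabet table is omitted here."""
    bits = int.from_bytes(data, "little")
    return "".join(chr((bits >> (7 * i)) & 0x7F) for i in range(septets))

def pack_7bit(text):
    """Inverse of unpack_7bit; used only to build the constructed sample record."""
    bits = 0
    for i, ch in enumerate(text):
        bits |= (ord(ch) & 0x7F) << (7 * i)
    return bits.to_bytes((len(text) * 7 + 7) // 8, "little")

def decode_sms_record(rec):
    """Parse one 176-byte EF_SMS (6F3C) record holding an SMS-DELIVER TPDU.
    Status 0x00 makes the record invisible to the handset, but the bytes stay on
    the card until the slot is reused, so such records are parsed as well."""
    status = rec[0]
    result = {"status": SMS_STATUS.get(status, f"unknown 0x{status:02x}"),
              "deleted_data_present": False}
    if status == 0x00 and all(b == 0xFF for b in rec[1:]):
        return result                               # genuinely empty slot
    i = 2 + rec[1]                                  # skip SMSC address (len, TON/NPI, digits)
    if rec[i] & 0x03:
        raise ValueError("not an SMS-DELIVER TPDU")
    oa_digits = rec[i + 1]
    i += 3                                          # first octet, TP-OA digit count, TON/NPI
    oa_len = (oa_digits + 1) // 2
    result["sender"] = swapped_bcd(rec[i:i + oa_len])
    i += oa_len + 2                                 # then TP-PID and TP-DCS (7-bit assumed)
    ts = swapped_bcd(rec[i:i + 6])                  # TP-SCTS: YYMMDDhhmmss, then time zone
    result["timestamp"] = f"20{ts[:2]}-{ts[2:4]}-{ts[4:6]} {ts[6:8]}:{ts[8:10]}:{ts[10:12]}"
    i += 7
    udl = rec[i]
    result["text"] = unpack_7bit(rec[i + 1:i + 1 + (udl * 7 + 7) // 8], udl)
    result["deleted_data_present"] = status == 0x00
    return result

# Constructed sample card contents (made-up subscriber values).
def _bcd(digits):
    if len(digits) % 2:
        digits += "F"
    return bytes(int(digits[i + 1] + digits[i], 16) for i in range(0, len(digits), 2))

def _sms_deliver(status, sender, smsc, ts_digits, text):
    smsc_addr = bytes([0x91]) + _bcd(smsc)          # TON/NPI international + number
    tpdu = (bytes([0x04, len(sender), 0x91]) + _bcd(sender) + bytes([0x00, 0x00])
            + _bcd(ts_digits) + bytes([0x80, len(text)]) + pack_7bit(text))
    rec = bytes([status, len(smsc_addr)]) + smsc_addr + tpdu
    return rec + b"\xff" * (176 - len(rec))

SAMPLE_ICCID = _bcd("8927" + "0" * 14 + "1")                       # 19 digits + F pad
SAMPLE_IMSI = bytes([0x08, 0x69]) + _bcd("55010123456789")         # IMSI 655010123456789
SAMPLE_LOCI = (bytes.fromhex("deadbeef") + bytes([0x56, 0xF5, 0x10])
               + (0x1234).to_bytes(2, "big") + bytes([0x00, 0x00]))  # MCC 655, MNC 01, LAC 0x1234
SAMPLE_SMS_DELETED = _sms_deliver(0x00, "27820000009", "27831000000", "070501234130", "Call me")
SAMPLE_SMS_EMPTY = bytes([0x00]) + b"\xff" * 175
```

A reader that only honours the status byte reports the first SMS record as empty; walking the TPDU regardless of status is what separates a "deleted SMS" recovery from an ordinary read, and `deleted_data_present` marks which records were obtained that way so the report can say so. The LAI (MCC, MNC, LAC) from EF_LOCI only identifies the last location area the card registered in, not a cell, which is as far as the card itself can place the subscriber.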
Figure 38-21: Forensic Card Reader Screenshot
 ForensicSIM Toolkit
Source: http://www.radio-tactics.com/
ForensicSIM Toolkit recovers digital evidence from GSM SIM and 3G USIM cards. It allows acquisition,
analysis, and reporting. Features of ForensicSIM Toolkit are as follows:
 Recovers Operator identity number
 Recovers Start / end time and date stamp
 Performs an MD5 checksum of acquired data
 Recovers Data storage card serial number and production batch date
Figure 38-22: ForensicSIM Toolkit
 SIMIS 3G
Source: http://www.3gforensics.co.uk/
SIMIS 3G is a tool for the recovery of data from a SIM card. It allows the examiner to view recovered data
including phonebook contacts and numbers, SMS text messages, deleted text messages, time and date
information, and more. It secures the recovered data against tampering using both MD5 and SHA-1
hashing techniques.
SIMIS 3G comprises:
 USB Card readers (PCSC Industry standard)
 PC software on CDROM
 Mini sim adapter and USIM storage card
 License
Features of SIMIS 3G are as follows:
 Read-only access to system and user data held on the SIM card
 Correctly handles PIN and PUK entry under controlled conditions
 Presents data in an easily readable web page format
 Produces retrieved data in a printable format for reports
 Creates and verifies the MD5 and SHA hash for each output file generated
 Correctly handles and displays foreign language text messages
 Builds a database with unique file references for each SIM Card read
 Searchable database with appropriate index categories
 Facility to read data from the SIMIS Mobile card interrogation unit
 Facility to retrieve data from some mobile subscriber equipment
 Provides commented RAW DATA in a standard format for use in third-party applications
Figure 38-23: SIMIS 3G Screenshot
 UME-36Pro - Universal Memory Exchanger
Source: http://www.cellebrite.com/
UME-36Pro - Universal Memory Exchanger is a phone memory transfer and backup solution that
transfers all forms of content, including pictures, videos, ringtones, SMS, as well as phonebook contacts
data between a wide range of mobile phones, smart phones, and PDAs.
Features and capabilities of UME-36Pro are as follows:
 Based on Windows CE
 Supports transfer of content across all mobile handset technologies - GSM, CDMA, UMTS, 3G,
TDMA, IDEN, and more
 Transfer of phone’s internal memory and SIM card content
 Transfer of phonebooks, pictures, videos, ring-tones, and SMS
 Supports multiple language encodings
 Available connectivity: USB, Serial, IrDA, and Bluetooth connections to phones
 Transfer, backup, and restore of mobile phone content
 Supports Symbian, Microsoft Mobile Palm, and Blackberry operating systems
 Integrated SIM/Smart Card reader
 Integrated PC connection allowing content backup and management
 Stand-alone device or an integrated PC solution
 User-friendly and self-explanatory
 Easily upgraded through software file downloads
How it works:
The Cellebrite UME is used as a channel, or intermediary, for transferring data from a source phone to a
target phone without storing any record of the data on the UME unit itself. It prompts the user to select and
define a set of parameters for the transfer: the makes and models of the source and target phones, the
memory from and to which the contents will be copied (phone memory or SIM card), and the link option,
such as cable or IrDA. Once the parameters are
defined, the UME displays the cables that must be connected to the mobile phones or the IR
connection. Then, at the press of a button, the data flows from the source phone, through the UME, to the
target phone.
When necessary, the UME automatically manipulates data formats and fields in order to be compatible
with the target phone.
Figure 38-24: UME-36Pro Screenshot
 Cellebrite UFED System – Universal Forensic Extraction Device
Source: http://www.cellebrite.com/
The Cellebrite UFED (Universal Forensic Extraction Device) forensic system is the device that can be used
in the field as well as in the forensic lab. It supports:
 CDMA, GSM, IDEN, and TDMA technologies, and it is compatible with any wireless carrier
 95% of all cellular phones including Smartphones and PDA devices
 All known cellular device interfaces, including serial, USB, infrared, and Bluetooth
Features of Cellebrite UFED system are as follows:
 It extracts data from almost all cell phones and PDAs: phonebook, pictures, videos, text messages,
call logs, ESN, and IMEI information
 It is a kit, with no computer required for extraction
 It generates complete, MD5 verified evidence reports
 It supports over 1,400 handset models
Figure 38-25: Cellebrite UFED Screenshot
 ZRT
Source: http://www.fernico.com/
ZRT is the cell phone forensic investigation solution that supports all phones and can be used on its own
or in conjunction with existing tools. It is easy to use, fast, and offers manual examination.
It includes the following:
 ZRT software
 Camera: Canon A640 10-megapixel camera
 Mount: Flexible arm and desk clamp
 Power: Canon wired power supply
 Accessory: Non-slip mat
Features of ZRT are as follows:
 It completely streamlines the process of taking high-resolution photographs of screen displays
 It merges photos into custom designed report templates
 Neutrino
Source: http://www.forensics.ie/
Neutrino is the mobile device acquisition tool that integrates with EnCase v6. It allows analyzing both
mobile devices and computer evidence at the same time.
Features of the Neutrino are as follows:
 Examine multiple devices and correlate with computer evidence at the same time
 Share Neutrino acquired logical evidence files with other EnCase v6 examiners
 Carry entire tool set, organized and stored in a single field kit
 Access unallocated space on selected devices
 Provides hardware support and parsing capabilities for more than 75 of the most common devices,
with new devices being added regularly
 It includes Wave Shield signal blocking bag, delivering reliable wireless signal blocking protection
even with close proximity to cell towers
Figure 38-26: Neutrino Screenshot
ICD 5005
Source: http://www.projectaphone.com/
ICD 5005 is a Project-a-Phone product designed for forensic investigations of cell phones. With a USB 2.0
camera, it captures display screens at up to 3 megapixel resolution. It also lets the user record video clips
and displays a live image on the computer screen.
Features of ICD 5005 are as follows:
• It captures evidence for cell phone forensics
• It supports live meetings in which the phone screen is presented from a computer
• It supports web-based demonstrations
• It can take screenshots for print marketing materials or documentation
• It helps to display evidence in the courtroom
Specifications:
• Takes screenshots of up to 3.15 megapixels
• Delivers up to 30 frames per second at VGA resolution
• Accommodates screens up to 7.5 cm wide and 5.5 cm tall
System requirements:
• Pentium 333 megahertz CPU or higher
• Windows 2000, XP, ME, or Vista (32-bit only)
• 1 available USB 2.0 port per device
Figure 38-27: ICD 5005
ICD 1300
Source: http://www.projectaphone.com/
ICD 1300 is a Project-a-Phone product designed for forensic investigations of cell phones. It captures and
displays screens at up to 1.3 megapixel resolution.
Features of ICD 1300 are as follows:
• It records forensic evidence
• It takes screenshots for digital marketing materials or documentation
• It supports training and software testing
• It supports internal meetings and web demonstrations
Specifications of ICD 1300 are as follows:
• Native 1280 x 960 sensor
• Delivers and records up to 30 frames per second at VGA resolution
• Accommodates screens up to 8.5 cm wide and 6.5 cm tall
System requirements:
• Pentium 333 megahertz CPU or higher
• Windows 2000, XP, ME, or Vista; Mac OS
• 1 available USB 2.0 port per device
Figure 38-28: ICD 1300
Challenges for Forensic Efforts
Source: http://www.htcia-ne.org/
Challenges faced by investigators in cell phone forensics are as follows:
• Mobile phones are often a disposable tool for criminals: they can change their method of attack as
soon as they suspect that it has been exposed
• Tools or devices may not be widely supported by forensic solutions
• There may be no contract and no identity tied to the device or service contract
• There is no single standardized approach to investigating mobile devices
• Individual forensic tools typically operate only on a particular handset, a specific platform for a
specific product, a distinct operating system, or a specific hardware architecture
• The ever-changing advancement of mobile devices increases the complexity of mobile device
examinations
Summary
• Mobile phone forensics refers to the recovery of digital evidence from a mobile phone under
forensically sound conditions using accepted methods
• The SIM is a removable component that contains essential information about the subscriber
• The IMEI is a 15-digit number that indicates the manufacturer, model type, and country of approval
for GSM devices
• The network operator provides information including calls made/received, message traffic, data
transferred, and connection location/timing
• The ESN is a unique 32-bit identifier recorded on a secure chip in a mobile phone by the manufacturer
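As an added example that is not part of the CHFI module text, the following Python script splits an IMEI into its fields and verifies its check digit, and decodes a 32-bit ESN into manufacturer code and serial number. The field layouts (8-digit TAC, 6-digit serial and a Luhn check digit for the IMEI; 8-bit manufacturer code plus 24-bit serial for the ESN) are assumed from the GSM and CDMA identifier formats rather than stated in the summary above, and the log entries are constructed, not real devices.

```python
"""Sanity checks on handset identifiers recorded during an examination.

Added example for this module's summary; it is not code from the CHFI
material. Two format details beyond what the summary states are assumed
from the GSM and CDMA identifier specifications: an IMEI is an 8-digit
Type Allocation Code (TAC), a 6-digit serial number and one Luhn check
digit; a 32-bit ESN is an 8-bit manufacturer code followed by a 24-bit
serial number, usually printed as 8 hex digits or 11 decimal digits.
"""


def luhn_check_digit(payload: str) -> int:
    """Return the Luhn check digit for a string of decimal digits.

    The digit immediately left of the check position is doubled, then
    every second digit moving left; doubled values above 9 have 9
    subtracted before summing.
    """
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def parse_imei(imei: str) -> dict:
    """Split an IMEI into TAC, serial and check digit and verify the check.

    Separators (spaces, hyphens) are tolerated because examiners often
    transcribe the value from a label or the handset's own display. A
    failed check is reported, not raised: the value is still recorded as
    found, with the mismatch noted as a likely transcription error.
    """
    digits = "".join(ch for ch in imei if ch.isdigit())
    if len(digits) != 15:
        raise ValueError(f"IMEI must contain 15 digits, got {len(digits)}")
    expected = luhn_check_digit(digits[:14])
    return {
        "tac": digits[:8],              # manufacturer / model allocation
        "serial": digits[8:14],         # unit serial within that TAC
        "check_digit": int(digits[14]),
        "check_ok": int(digits[14]) == expected,
    }


def decode_esn(esn_hex: str) -> dict:
    """Decode an 8-hex-digit ESN into its manufacturer code and serial."""
    value = int(esn_hex, 16)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("ESN must fit in 32 bits")
    manufacturer = value >> 24
    serial = value & 0xFFFFFF
    return {
        "manufacturer_code": manufacturer,
        "serial_number": serial,
        # 11-digit decimal form: 3-digit manufacturer code + 8-digit serial
        "decimal_form": f"{manufacturer:03d}{serial:08d}",
    }


# Constructed sample of identifiers as they might be transcribed into an
# evidence log (not real devices). The second IMEI has two digits swapped.
SAMPLE_LOG = [
    {"item": "Exhibit 1 (GSM handset)", "imei": "49-015420-323751-8"},
    {"item": "Exhibit 2 (GSM handset)", "imei": "490154203237158"},
    {"item": "Exhibit 3 (CDMA handset)", "esn": "0C1A2B3C"},
]


def review_log(entries: list) -> list:
    """Return one finding per entry describing the decoded identifier and
    flagging any IMEI whose check digit does not verify."""
    findings = []
    for entry in entries:
        if "imei" in entry:
            info = parse_imei(entry["imei"])
            status = "OK" if info["check_ok"] else "CHECK DIGIT MISMATCH"
            findings.append(f"{entry['item']}: IMEI TAC {info['tac']} "
                            f"serial {info['serial']} [{status}]")
        elif "esn" in entry:
            info = decode_esn(entry["esn"])
            findings.append(f"{entry['item']}: ESN manufacturer "
                            f"{info['manufacturer_code']} serial "
                            f"{info['serial_number']} "
                            f"(decimal {info['decimal_form']})")
    return findings


if __name__ == "__main__":
    for line in review_log(SAMPLE_LOG):
        print(line)
```

The Luhn check catches most single-digit and adjacent-transposition errors in a transcribed IMEI, so a mismatch is a cue to re-read the value from the handset before it goes into a request to the network operator.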
Exercise:
1. What are the various components of a cellular network?
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________ 
2. Write a note on different types of cellular networks.
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________ 
3. List what type of information can be retrieved from the mobile phone.
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________ 
4. Write a note on International Mobile Equipment Identifier (IMEI) and its importance.
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________ 
5. List all the precautions to be taken before forensic investigation.
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________ 
6. How is the data from a SIM card acquired?
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________ 
7. Discuss how to check call data records.
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________ 
8. Explain how to analyze the information in the cell phone.
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________ 
9. Discuss the various cell phone forensic tools.
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________ 
10. What are the challenges faced by investigators?
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________ 
Hands On
1. Visit http://searchmobilecomputing.techtarget.com/ and read about the threats faced by
organizations due to mobile devices.
2. Visit http://www.soc.staffs.ac.uk/ and read about techniques for retrieving forensic
information from mobile phones.
3. Visit http://faculty.colostate-pueblo.edu/ and read about the NSLEC Mobile Phone Examination
Guidelines.
4. Download the OXYGEN Forensic Suite from http://www.oxygen-forensic.com/en, run it, and check
the results.
5. Download the FORENSIC CARD READER from http://www.bkforensics.com/FCR.html, run it,
and check the results.

More Related Content

What's hot

15 13248 telecommunication mamana aji
15 13248 telecommunication mamana aji15 13248 telecommunication mamana aji
15 13248 telecommunication mamana aji
IAESIJEECS
 
Chapter 9 security privacy csc
Chapter 9 security privacy cscChapter 9 security privacy csc
Chapter 9 security privacy csc
Hisyam Rosly
 
State of art of mobile forensics
State of art of mobile forensicsState of art of mobile forensics
State of art of mobile forensics
STO STRATEGY
 
Remote surveillance system for mobile application
Remote surveillance system for mobile applicationRemote surveillance system for mobile application
Remote surveillance system for mobile application
Alexander Decker
 
Dual Authentication For Bluetooth Connection
Dual Authentication For Bluetooth ConnectionDual Authentication For Bluetooth Connection
Dual Authentication For Bluetooth Connection
IJERA Editor
 
Cyber Law With case studies
Cyber Law With case studies Cyber Law With case studies
Cyber Law With case studies
Bhagya Bgk
 

What's hot (20)

15 13248 telecommunication mamana aji
15 13248 telecommunication mamana aji15 13248 telecommunication mamana aji
15 13248 telecommunication mamana aji
 
Chapter 9 security privacy csc
Chapter 9 security privacy cscChapter 9 security privacy csc
Chapter 9 security privacy csc
 
Blackberry final
Blackberry finalBlackberry final
Blackberry final
 
Peer To Peer Content Sharing On Wi-Fi Network For Smart Phones
Peer To Peer Content Sharing On Wi-Fi Network For Smart PhonesPeer To Peer Content Sharing On Wi-Fi Network For Smart Phones
Peer To Peer Content Sharing On Wi-Fi Network For Smart Phones
 
IRJET- Android Device Attacks and Threats
IRJET-  	  Android Device Attacks and ThreatsIRJET-  	  Android Device Attacks and Threats
IRJET- Android Device Attacks and Threats
 
Patenting in Mobile Application (App) & Software Based Technology | How to Pa...
Patenting in Mobile Application (App) & Software Based Technology | How to Pa...Patenting in Mobile Application (App) & Software Based Technology | How to Pa...
Patenting in Mobile Application (App) & Software Based Technology | How to Pa...
 
Cyber laws with case studies
Cyber laws with case studiesCyber laws with case studies
Cyber laws with case studies
 
Notacd02
Notacd02Notacd02
Notacd02
 
J017555559
J017555559J017555559
J017555559
 
IRJET - Cyber Security Threats and Measures in Context with IoT
IRJET -  	  Cyber Security Threats and Measures in Context with IoTIRJET -  	  Cyber Security Threats and Measures in Context with IoT
IRJET - Cyber Security Threats and Measures in Context with IoT
 
State of art of mobile forensics
State of art of mobile forensicsState of art of mobile forensics
State of art of mobile forensics
 
Remote surveillance system for mobile application
Remote surveillance system for mobile applicationRemote surveillance system for mobile application
Remote surveillance system for mobile application
 
Ijariie1186
Ijariie1186Ijariie1186
Ijariie1186
 
Cyber Crime(Hacking) - IT acts
Cyber Crime(Hacking) - IT acts Cyber Crime(Hacking) - IT acts
Cyber Crime(Hacking) - IT acts
 
Dual Authentication For Bluetooth Connection
Dual Authentication For Bluetooth ConnectionDual Authentication For Bluetooth Connection
Dual Authentication For Bluetooth Connection
 
A Trustworthy SMS Based Voting System Architecture
A Trustworthy SMS Based Voting System ArchitectureA Trustworthy SMS Based Voting System Architecture
A Trustworthy SMS Based Voting System Architecture
 
Design and Development of Secure Electronic Voting System Using Radio Frequen...
Design and Development of Secure Electronic Voting System Using Radio Frequen...Design and Development of Secure Electronic Voting System Using Radio Frequen...
Design and Development of Secure Electronic Voting System Using Radio Frequen...
 
Cyber Law With case studies
Cyber Law With case studies Cyber Law With case studies
Cyber Law With case studies
 
IRJET- High Security in Automated Fare Collection for TollSystem with NFC usi...
IRJET- High Security in Automated Fare Collection for TollSystem with NFC usi...IRJET- High Security in Automated Fare Collection for TollSystem with NFC usi...
IRJET- High Security in Automated Fare Collection for TollSystem with NFC usi...
 
Introduction IOT/M2M
Introduction IOT/M2MIntroduction IOT/M2M
Introduction IOT/M2M
 

Viewers also liked

ZamanesGaliñeiro
ZamanesGaliñeiroZamanesGaliñeiro
ZamanesGaliñeiro
Rosario8998
 
Kimmie Dinh's Resume
Kimmie Dinh's ResumeKimmie Dinh's Resume
Kimmie Dinh's Resume
Kimmie Dinh
 

Viewers also liked (20)

Sistema de Control de Gestión de la Secretaría de Finanzas
Sistema de Control de Gestión de la Secretaría de FinanzasSistema de Control de Gestión de la Secretaría de Finanzas
Sistema de Control de Gestión de la Secretaría de Finanzas
 
Caprichoso Es El Azar
Caprichoso Es El AzarCaprichoso Es El Azar
Caprichoso Es El Azar
 
201301 proyecto espacial
201301 proyecto espacial201301 proyecto espacial
201301 proyecto espacial
 
Market_Issue_Spring2013
Market_Issue_Spring2013Market_Issue_Spring2013
Market_Issue_Spring2013
 
Eroski Consumer
Eroski ConsumerEroski Consumer
Eroski Consumer
 
Emilio Font de Mora Rullán. Eficiencia Energética, Energías Renovables, Energ...
Emilio Font de Mora Rullán. Eficiencia Energética, Energías Renovables, Energ...Emilio Font de Mora Rullán. Eficiencia Energética, Energías Renovables, Energ...
Emilio Font de Mora Rullán. Eficiencia Energética, Energías Renovables, Energ...
 
Pec
PecPec
Pec
 
Virginia Masegosa - Optimització dels costos en la gestió dels residus
Virginia Masegosa - Optimització dels costos en la gestió dels residusVirginia Masegosa - Optimització dels costos en la gestió dels residus
Virginia Masegosa - Optimització dels costos en la gestió dels residus
 
State of Orphans & Vulnerable Children
State of Orphans & Vulnerable ChildrenState of Orphans & Vulnerable Children
State of Orphans & Vulnerable Children
 
Anuncios de venta
Anuncios de ventaAnuncios de venta
Anuncios de venta
 
Manual siemens lavadora wm12q47xes
Manual siemens   lavadora wm12q47xesManual siemens   lavadora wm12q47xes
Manual siemens lavadora wm12q47xes
 
Ed36
Ed36Ed36
Ed36
 
Gestion de la tecnologia
Gestion de la tecnologiaGestion de la tecnologia
Gestion de la tecnologia
 
Delphos
DelphosDelphos
Delphos
 
ZamanesGaliñeiro
ZamanesGaliñeiroZamanesGaliñeiro
ZamanesGaliñeiro
 
Leyatraccion
LeyatraccionLeyatraccion
Leyatraccion
 
Catalogo 2014 Sophie la Girafe
Catalogo 2014 Sophie la GirafeCatalogo 2014 Sophie la Girafe
Catalogo 2014 Sophie la Girafe
 
Kimmie Dinh's Resume
Kimmie Dinh's ResumeKimmie Dinh's Resume
Kimmie Dinh's Resume
 
June 18th, 2013 gwinnete chapter of cpa's
June 18th, 2013 gwinnete chapter of cpa'sJune 18th, 2013 gwinnete chapter of cpa's
June 18th, 2013 gwinnete chapter of cpa's
 
Reportaje fotografico juan carlos y muerte de franco. Almogía en imágenes
Reportaje fotografico  juan carlos y muerte de franco. Almogía en imágenesReportaje fotografico  juan carlos y muerte de franco. Almogía en imágenes
Reportaje fotografico juan carlos y muerte de franco. Almogía en imágenes
 

Similar to File000093

Asifuzzaman (061846556)
Asifuzzaman (061846556)Asifuzzaman (061846556)
Asifuzzaman (061846556)
mashiur
 
Uses Of Voice Over Internet Protocol
Uses Of Voice Over Internet ProtocolUses Of Voice Over Internet Protocol
Uses Of Voice Over Internet Protocol
Tara Hardin
 
Fixed mobile convergence (fmc)
Fixed mobile convergence (fmc)Fixed mobile convergence (fmc)
Fixed mobile convergence (fmc)
IEEE VESIT
 
Fixed mobile convergence (fmc)
Fixed mobile convergence (fmc)Fixed mobile convergence (fmc)
Fixed mobile convergence (fmc)
IEEE VESIT
 
J.-P. Seifert; Security-Aware Android Applications for the Enterprise
J.-P. Seifert; Security-Aware Android Applications for the EnterpriseJ.-P. Seifert; Security-Aware Android Applications for the Enterprise
J.-P. Seifert; Security-Aware Android Applications for the Enterprise
Droidcon Berlin
 
Security management systemofcellular_communication
Security management systemofcellular_communicationSecurity management systemofcellular_communication
Security management systemofcellular_communication
ardhita banu adji
 

Similar to File000093 (20)

It6601 mobile computing unit 3
It6601 mobile computing unit 3It6601 mobile computing unit 3
It6601 mobile computing unit 3
 
S ECURITY I SSUES A ND C HALLENGES I N M OBILE C OMPUTING A ND M - C ...
S ECURITY  I SSUES  A ND  C HALLENGES  I N  M OBILE  C OMPUTING  A ND  M - C ...S ECURITY  I SSUES  A ND  C HALLENGES  I N  M OBILE  C OMPUTING  A ND  M - C ...
S ECURITY I SSUES A ND C HALLENGES I N M OBILE C OMPUTING A ND M - C ...
 
Gsm fundamentals
Gsm fundamentalsGsm fundamentals
Gsm fundamentals
 
IT6601 MOBILE COMPUTING
IT6601 MOBILE COMPUTINGIT6601 MOBILE COMPUTING
IT6601 MOBILE COMPUTING
 
Global system for mobile communication gsm
Global system for mobile communication gsmGlobal system for mobile communication gsm
Global system for mobile communication gsm
 
MC-U2NOTES.pdf
MC-U2NOTES.pdfMC-U2NOTES.pdf
MC-U2NOTES.pdf
 
3G & 4G Network
3G & 4G Network3G & 4G Network
3G & 4G Network
 
Asifuzzaman (061846556)
Asifuzzaman (061846556)Asifuzzaman (061846556)
Asifuzzaman (061846556)
 
Uses Of Voice Over Internet Protocol
Uses Of Voice Over Internet ProtocolUses Of Voice Over Internet Protocol
Uses Of Voice Over Internet Protocol
 
B010331019
B010331019B010331019
B010331019
 
It2402 mobile communication unit3
It2402 mobile communication unit3It2402 mobile communication unit3
It2402 mobile communication unit3
 
Fixed mobile convergence (fmc)
Fixed mobile convergence (fmc)Fixed mobile convergence (fmc)
Fixed mobile convergence (fmc)
 
Fixed mobile convergence (fmc)
Fixed mobile convergence (fmc)Fixed mobile convergence (fmc)
Fixed mobile convergence (fmc)
 
Fixed mobile convergence (fmc)
Fixed mobile convergence (fmc)Fixed mobile convergence (fmc)
Fixed mobile convergence (fmc)
 
J.-P. Seifert; Security-Aware Android Applications for the Enterprise
J.-P. Seifert; Security-Aware Android Applications for the EnterpriseJ.-P. Seifert; Security-Aware Android Applications for the Enterprise
J.-P. Seifert; Security-Aware Android Applications for the Enterprise
 
Security management systemofcellular_communication
Security management systemofcellular_communicationSecurity management systemofcellular_communication
Security management systemofcellular_communication
 
Global system for mobile communcation by Maroof and Ummer
Global system for mobile communcation by Maroof and Ummer Global system for mobile communcation by Maroof and Ummer
Global system for mobile communcation by Maroof and Ummer
 
Global System For Mobile Communication by Ummer &Maroof
Global System For Mobile Communication by Ummer &MaroofGlobal System For Mobile Communication by Ummer &Maroof
Global System For Mobile Communication by Ummer &Maroof
 
Unit 2
Unit 2Unit 2
Unit 2
 
Test
TestTest
Test
 

More from Desmond Devendran

More from Desmond Devendran (20)

Siam key-facts
Siam key-factsSiam key-facts
Siam key-facts
 
Siam foundation-process-guides
Siam foundation-process-guidesSiam foundation-process-guides
Siam foundation-process-guides
 
Siam foundation-body-of-knowledge
Siam foundation-body-of-knowledgeSiam foundation-body-of-knowledge
Siam foundation-body-of-knowledge
 
Enterprise service-management-essentials
Enterprise service-management-essentialsEnterprise service-management-essentials
Enterprise service-management-essentials
 
Service Integration and Management
Service Integration and Management Service Integration and Management
Service Integration and Management
 
Diagram of iso_22301_implementation_process_en
Diagram of iso_22301_implementation_process_enDiagram of iso_22301_implementation_process_en
Diagram of iso_22301_implementation_process_en
 
CHFI 1
CHFI 1CHFI 1
CHFI 1
 
File000176
File000176File000176
File000176
 
File000175
File000175File000175
File000175
 
File000174
File000174File000174
File000174
 
File000173
File000173File000173
File000173
 
File000172
File000172File000172
File000172
 
File000171
File000171File000171
File000171
 
File000170
File000170File000170
File000170
 
File000169
File000169File000169
File000169
 
File000168
File000168File000168
File000168
 
File000167
File000167File000167
File000167
 
File000166
File000166File000166
File000166
 
File000165
File000165File000165
File000165
 
File000164
File000164File000164
File000164
 

Recently uploaded

Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 

Recently uploaded (20)

Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 

File000093

  • 1. Computer Hacking Forensic Investigator Exam 312-49 Cell Phone Forensics  Module XXXVIII Page | 3477                                                  Computer Hacking Forensic Investigator Copyright © by EC-Council      All Rights Reserved. Reproduction is Strictly Prohibited.  Computer Hacking Forensic Investigator (CHFI) Module XXXVIII: Cell Phone Forensics Exam 312-49
  • 2. Computer Hacking Forensic Investigator Exam 312-49 Cell Phone Forensics  Module XXXVIII Page | 3478                                                  Computer Hacking Forensic Investigator Copyright © by EC-Council      All Rights Reserved. Reproduction is Strictly Prohibited.     News: Mountain of Evidence on Alleged ‘SMS-blitz’  A date has yet to be announced for the resumption of public hearings of the provincial commission of inquiry into the city's surveillance of councillor Badih Chaaban. Hearings for the Erasmus Commission would have started yesterday but were suspended after Mayor Helen Zille claimed the process was illegal and unconstitutional. Premier Ebrahim Rasool agreed to put the hearings on hold pending legal advice about the process. The commission's mandate has been extended to the end of April and hearings could be postponed until then, but it is still gathering written and recorded evidence. The investigation of the alleged "SMS blitz" by DA councillor Pat Hill shortly before the party's federal congress in May is included in the latest bundle of evidence to be released to the public. Hill was accused of sending SMS messages saying that the election of Zille as party leader would be the "final nail in the coffin for Afrikaners". He was later cleared by the DA, with federal chairman James Selfe saying the SMS "definitely" did not come from Hill's phone. But a forensic investigation by George Fivas & Associates, appointed by George Municipality on March 12, 2007, found that the SMS was sent from Hill's phone. Hill reportedly said the SMS had been sent by someone who had either taken his SIM card or used his handset to send the message. But the investigators found that at "no stage after April 4, 2003" was the SIM card used in any other handset. The report noted that more information was needed before it could be established whether Hill's cellphone had been "hacked" or if the SMS had been sent by him.
  • 3. Computer Hacking Forensic Investigator Exam 312-49 Cell Phone Forensics  Module XXXVIII Page | 3479                                                  Computer Hacking Forensic Investigator Copyright © by EC-Council      All Rights Reserved. Reproduction is Strictly Prohibited.  Module Objective This module will familiarize you with:  Hardware Characteristics of Mobile Devices  Cellular Network  Different OS in Mobile Phone  What a Criminal Can do with Mobiles  Mobile Forensics  Subscriber Identity Module  Cell phone Forensics steps  Cell phone Forensics Tool  Challenges for Forensic Efforts
  • 4. Computer Hacking Forensic Investigator Exam 312-49 Cell Phone Forensics  Module XXXVIII Page | 3480                                                  Computer Hacking Forensic Investigator Copyright © by EC-Council      All Rights Reserved. Reproduction is Strictly Prohibited.  Module Flow
  • 5. Computer Hacking Forensic Investigator Exam 312-49 Cell Phone Forensics  Module XXXVIII Page | 3481                                                  Computer Hacking Forensic Investigator Copyright © by EC-Council      All Rights Reserved. Reproduction is Strictly Prohibited.   Mobile Phone The mobile phone or cellular phone is a short-range, electronic device used for mobile voice or data communication over a network of specialized base stations that are offered by various network providers. It is a personal device for an individual who uses it for his personal and professional purposes. Earlier it was just used for communication through voice or via SMS, but now the meaning of mobile phone has entirely changed for its users. The user buys the mobile phone according to the features he/she is interested in. Features of a mobile phone are as follows:  Voice and text messaging, usually termed as calls and service messages  Personal Information Management (PIM) where the user can schedule his/her day  SMS and MMS messaging, which is nothing but text, image, or video clip messaging  Receiving emails, chatting, and browsing via cell phone as network providers are offering users access to the Internet  Ability to store images, audio, and videos depending on the memory’s size  Provision of downloading and playing games  Camera with a video recorder
Hardware Characteristics of Mobile Devices

Table 38-1: Hardware Characteristics of Mobile Devices (Source: http://csrc.nist.gov)

Software Characteristics of Mobile Devices

Table 38-2: Software Characteristics of Mobile Devices (Source: http://csrc.nist.gov)
Components of Cellular Network

Source: http://csrc.nist.gov/

A cellular network is a network made up of cells, each served by a transmitter. It lets a user connect and communicate with another person, and the network provider is responsible for operating the cellular network. A complete cellular network requires a base station subsystem and a network subsystem. These subsystems are built from a few components, which are as follows:
• Mobile Switching Center (MSC): Switching system for the cellular network. It connects the call by switching data packets from one network path to another
• Base Transceiver Station (BTS): Radio transceiver equipment that provides the user with wireless communication between the mobile phone and the network
• Base Station Controller (BSC): Manages the transceiver equipment and performs channel assignment. It is the part of the GSM architecture that controls one or more base transceiver stations and the cell site's radio signals in order to reduce the load on the switch
• Base Station Subsystem (BSS): One of the major sections of a cellular network. It controls the BSC and BTS units and is responsible for:
  o Handling traffic
  o Signaling between the cell phone and the network switching system
• Home Location Register (HLR): Database at the MSC. It is the central repository for subscriber data and service information
• Visitor Location Register (VLR): Database used in conjunction with the HLR for mobile phones roaming outside of their home service area

Cellular Network:

Figure 38-1: Cell Network
Different Cellular Networks

Cellular networks differ from each other according to the service provider, the geographical location, and the techniques used. The different types of cellular networks are as follows:
• Code Division Multiple Access (CDMA): One of the dominant types of cellular network in use. It employs spread spectrum technology, where the channels for communication are defined in terms of codes
• Enhanced Data Rates for GSM Evolution (EDGE): Backwards-compatible digital mobile phone technology that allows improved data transmission rates. It delivers high bit rates per radio channel for packet-switched applications
• Integrated Digital Enhanced Network (iDEN): Mobile communication technology developed by Motorola that gives its users the benefits of both trunked radio and cellular telephony
• General Packet Radio Service (GPRS): Packet-oriented mobile data service available to users of GSM and IS-136 mobiles. It uses frequency division duplex and time division multiple access
• Global System for Mobile communications (GSM): The major and most widely used cellular network
• High-Speed Downlink Packet Access (HSDPA): Third-generation mobile telephony communication protocol that allows high data transfer speeds on networks based on UMTS
• Time Division Multiple Access (TDMA): Channel access method in which users share the same frequency channel by dividing the signal into time slots
• Unlicensed Mobile Access (UMA): Also referred to as GAN (Generic Access Network), a telecommunication system that extends mobile services, voice, data, and IP Multimedia Subsystem/Session Initiation Protocol (IMS/SIP) applications over IP access networks
• Universal Mobile Telecommunications System (UMTS): 3G mobile phone technology (upgraded to 4G) that uses W-CDMA as the underlying air interface
Different OS in Mobile Phones

The different operating systems in mobile phones are as follows:
• Windows Mobile: Compact operating system combined with a suite of basic applications for mobile devices, based on the Microsoft Win32 API
• Symbian OS: Operating system designed for mobile devices, with associated libraries, user interface frameworks, and reference implementations of common tools, produced by Symbian Ltd
• Linux: Operating system that is prevalent on computer systems. Since Windows Mobile and Symbian OS are somewhat complex, Linux can be used as an alternative operating system for future mobile phones. Its benefit is cost reduction, as it is an open source OS

Figure 38-2: Different operating systems in mobile phones (Source: www.linuxdevices.com)
What a Criminal Can Do with Mobiles

Every device has its pros and cons, and so do mobiles. When a gadget with so many features falls into the wrong hands, it has various adverse effects on its users. A criminal can do the following things with a stolen mobile:
• Harass or threaten other users
• Send viruses and Trojans to other users under the identity of the owner
• Illegally distribute porn videos and images
• Steal data
• Store and transmit personal corporate information
• Send dangerous or offensive SMS and MMS
• Clone the SIM data for illicit use
Mobile Forensics

Mobile phone forensics refers to the recovery of digital evidence from a mobile phone under forensically sound conditions using accepted methods. It includes the recovery and analysis of data from mobile devices and SIM cards. The aim of mobile forensics is to catch the criminal who has committed illegal acts using the mobile.

Forensics Information in Mobile Phones

Mobile phones allow the user to save different kinds of information depending on his or her requirements. The following information in a mobile phone can be used for forensic purposes:
• SIM card information
• Phonebook
• Call history
• SMS and MMS
• GPRS, WAP, and Internet settings
• IMEI
• Photos and video
• Sound files
• Network information, GPS location
• Phone info (CDMA serial number)
• Emails, memos, calendars, documents, etc.
Subscriber Identity Module (SIM)

Source: http://csrc.nist.gov/

The subscriber identity module, often referred to as a SIM card, is the component that allows the user to connect and communicate with other users. It is a removable component that contains essential information about the subscriber. Its main function is to authenticate the user of the cell phone to the network in order to gain access to the subscribed services. It provides the user with a number of identities. SIMs come in two sizes:
1. 85.60 mm × 53.98 mm × 0.76 mm: The size of the first SIM card, which was about the size of a credit card.
2. 25 mm × 15 mm: The new and current SIM card, with a width of 25 mm and a height of 15 mm. Its thickness is 0.76 mm.

The SIM also lets the user store information such as phone numbers and messages. It has both volatile and non-volatile memory; the file system of a SIM resides in the non-volatile memory.

Figure 38-3: SIM

SIM File System:

Figure 38-4: SIM File System
Integrated Circuit Card Identification (ICCID)

The ICCID is the internationally unique 19- or 20-digit serial number of the SIM card. It consists of an industry identifier prefix (89 for telecommunications), followed by a country code, an issuer identifier number, and an individual account identification number. This code identifies the country and the name of the network operator. The ICCID is stored in the SIM card and is also printed on it. If the ICCID is not printed on the SIM, obtain it with a (U)SIM acquisition tool such as the ForensicSIM Toolkit.

Figure 38-5: ICCID
International Mobile Equipment Identifier (IMEI)

The IMEI (International Mobile Equipment Identifier) is a 15-digit number that indicates the manufacturer, model type, and country of approval for GSM devices. It is different for every GSM, UMTS, and iDEN mobile phone and is usually found printed on the battery of the mobile phone. Of the 15 digits of the IMEI, the first 8 digits are known as the Type Allocation Code (TAC), which gives information about the model and origin. On powered-on GSM and UMTS phones, the IMEI can be obtained by keying in *#06#. The IMEI is used for legitimate purposes: GSM networks use it to identify the device and can even block access by a mobile phone that has been stolen.

Figure 38-6: International Mobile Equipment Identifier (Source: http://www.s60tips.com)

Electronic Serial Number (ESN)

The ESN is a unique 32-bit identifier recorded on a secure chip in a mobile phone by the manufacturer. The first 8 to 14 bits identify the manufacturer and the remaining bits identify the assigned serial number. These numbers are used with AMPS, TDMA, and CDMA phones. The uses of the ESN are as follows:
• It helps in identifying a stolen cell phone even if it has been given a new subscription identifier
• It proves that a particular mobile was used for making a call (used as evidence in court proceedings)
• It is used as an input to CAVE authentication
• It provides ANSI-41 validation and access probe timing

Figure 38-7: Electronic Serial Number (Source: http://wireless.agilent.com)
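The three identifiers above are transcribed from labels, displays and operator records, so an examiner wants to catch a mis-keyed digit before requesting records or writing a report. The following is an added example, not EC-Council code: it splits an IMEI into TAC, serial and check digit, validates the IMEI and ICCID check digits with the Luhn mod-10 algorithm both standards use, and converts a hex ESN to its decimal form. It assumes the original 8-bit manufacturer / 24-bit serial ESN split, and all sample values are constructed or widely published test values.

```python
"""Validate and decode the identifiers an examiner records from a seized handset.

Added example; not EC-Council code. IMEI: 15 digits = 8-digit TAC, 6-digit
serial, Luhn check digit. ICCID: '89' prefix, Luhn check over the whole
string. ESN: 32 bits, decoded here with the original 8-bit manufacturer /
24-bit serial split (an assumption; later ESNs used a 14-bit code).
"""
from dataclasses import dataclass
from typing import Dict


def luhn_valid(digits: str) -> bool:
    """Mod-10 (Luhn) check used by both IMEI and ICCID. It catches any single
    mis-keyed digit and most transpositions of adjacent digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def luhn_check_digit(payload: str) -> str:
    """The digit that makes payload + digit Luhn-valid."""
    return next(d for d in "0123456789" if luhn_valid(payload + d))


@dataclass(frozen=True)
class Imei:
    tac: str            # Type Allocation Code: model and origin
    serial: str
    check_digit: str
    luhn_ok: bool


def parse_imei(raw: str) -> Imei:
    digits = "".join(ch for ch in raw if ch.isdigit())    # tolerate '-' and spaces
    if len(digits) != 15:
        raise ValueError("IMEI must have 15 digits, got %d" % len(digits))
    return Imei(digits[:8], digits[8:14], digits[14], luhn_valid(digits))


@dataclass(frozen=True)
class Iccid:
    industry_prefix: str    # '89' = telecommunications
    body: str               # country code + issuer id + account id (variable-length fields)
    luhn_ok: bool


def parse_iccid(raw: str) -> Iccid:
    digits = "".join(ch for ch in raw if ch.isdigit())
    if len(digits) not in (19, 20):
        raise ValueError("ICCID must have 19 or 20 digits, got %d" % len(digits))
    if not digits.startswith("89"):
        raise ValueError("ICCID does not carry the telecom industry prefix 89")
    return Iccid(digits[:2], digits[2:], luhn_valid(digits))


def esn_hex_to_decimal(esn_hex: str) -> str:
    """8 hex digits -> 11-digit decimal ESN: 3-digit manufacturer code from
    the top 8 bits, 8-digit serial from the remaining 24 bits (assumed split)."""
    value = int(esn_hex, 16)
    if value > 0xFFFFFFFF:
        raise ValueError("ESN is a 32-bit value")
    return "%03d%08d" % (value >> 24, value & 0xFFFFFF)


def identifier_report(imei_raw: str, iccid_raw: str) -> Dict[str, str]:
    """Summary for the examiner's notes; flags transcription errors to re-check."""
    imei, iccid = parse_imei(imei_raw), parse_iccid(iccid_raw)
    return {
        "imei_tac": imei.tac,
        "imei_status": "ok" if imei.luhn_ok else "CHECK DIGIT MISMATCH: re-read *#06# or label",
        "iccid_status": "ok" if iccid.luhn_ok else "CHECK DIGIT MISMATCH: re-read card",
    }


if __name__ == "__main__":
    # 49015420-323751-8 is a widely published IMEI test value, not a real device.
    iccid_payload = "8927012345678901234"          # constructed, 19 digits + check digit
    print(identifier_report("49015420-323751-8", iccid_payload + luhn_check_digit(iccid_payload)))
```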
Precautions to be Taken before Investigation

Every investigation needs criteria, and to succeed or to solve the case it is necessary to follow certain guidelines and precautions while investigating. The precautions an investigator should take before investigating a cell phone are as follows:
• Handle cell phone evidence properly to preserve physical evidence such as fingerprints
• To avoid unwanted interaction with devices found on the scene, turn off wireless interfaces such as Bluetooth and Wi-Fi radios
• Photograph the crime scene, including mobile phones, cables, cradles, power connectors, removable media, and connections
• If the device's display is in a viewable state, photograph the screen's contents and, if necessary, record them manually, capturing the time, service status, battery level, and other displayed icons
• Collect other sources of evidence such as the (U)SIM, media, and other hardware in the phone, but do not remove them from the device
• If the phone is in a cradle or connected to a PC by cable, seize the phone together with the cable and cradle, because unplugging the device from the computer may interrupt a data transfer or a synchronization in progress
• If a phone is found in a compromised state, such as immersed in a liquid, remove the battery to prevent electrical shorting and seal the remainder of the mobile phone in a proper container filled with the same liquid, provided it is not caustic
• Isolate the phone from the radio network, which keeps new traffic from overwriting the existing data
• Isolate the phone from other synchronized devices, which keeps new data from affecting the existing data
• Some mobile communication devices use alkaline batteries as a power source; replace such batteries in transit to minimize the risk of data loss due to complete battery discharge
• The investigator should not perform any action that alters the data in evidence
• All actions, including seizure, access, storage, or transfer of evidence, must be fully documented, preserved, and available for review
Points to Remember while Collecting the Evidence

Evidence gathering plays a major role in the investigation. The points to remember while collecting the evidence are as follows:
1. If the device is "ON", do not turn it "OFF":
   a. Cell phones have a locking feature that is activated as soon as the phone is switched OFF, so make sure not to activate the lockout feature
   b. Document the information that is present on the display of the cell phone. If possible, describe it or photograph the display
   c. If the battery is low, the cell phone will switch itself off. To prevent this, make sure the battery stays charged and thus protect the device from tampering
   d. If you are not familiar with the device, make sure you do not press any key, as this can lead to data loss from the mobile
2. If the device is "OFF", leave it "OFF":
   a. Turning the device ON could alter the evidence on it, so do not switch ON the mobile
   b. When a battery is removed from a mobile device, some (not all) of the content is lost from the device, which is a drawback. So do not remove the battery from the device even if it is in the OFF state. For example, consider a Nokia device: if the battery is removed, the time and date are lost and must be set again on the device. Where this device is required as evidence together with its call log, i.e. its times and dates, and the battery has been removed, that evidence is obviously lost
Acquire the Information

Source: http://csrc.nist.gov/

Acquiring data at the scene avoids the loss of information due to battery depletion, damage during transportation, and storage. But for lack of a controlled setting, appropriate equipment, and other prerequisites, this is often not possible at the scene; it can, however, be done in the laboratory. Try to acquire the data from images of the evidence, such as SIM cards, or directly from the mobile device itself. Use data acquisition tools such as SIM Card Data Recovery and SIMCon to recover the data from the evidence (SIM cards), which is often easy and beneficial.
Acquire Data from SIM Cards

Source: http://csrc.nist.gov/

The SIM contains important information for the forensic investigation, such as:
• Service-related information, such as the unique identifiers for the (U)SIM, the Integrated Circuit Card Identification (ICCID), and for the subscriber, the International Mobile Subscriber Identity (IMSI)
• Phonebook and call information, such as Abbreviated Dialling Numbers (ADN) and Last Numbers Dialled (LND)
• Messaging information, including SMS, EMS, and multimedia messages
• Location information, including Location Area Information (LAI) for voice communications and Routing Area Information (RAI) for data communications

To access the SIM, a PIN code (Personal Identification Number) is required. Failure to enter a valid PIN in three attempts blocks the card, after which an 8-digit PUK (Personal Unlock Key) must be entered; this 8-digit number is provided by the network operator and cannot be changed by the user. If the correct PUK is not entered within 10 attempts, the SIM is disabled permanently. So, in order to preserve the information on the SIM, the investigator should ask the network operator for the PUK to gain access to it.
Acquire Data from Unobstructed Mobile Devices

Source: http://csrc.nist.gov/

An unobstructed device is a device that does not require a password or other authentication technique to access it and perform an acquisition. The term typically refers to devices that are shut off and require successful authentication to gain access. Examples: CDMA phones, freestanding (U)SIMs, and GSM phones containing a (U)SIM. The steps to acquire data from these devices are as follows:
• Note down the time and date on the phone that is used as evidence
• Check the contacts, call logs, SMS, and other entries
• Use data recovery tools such as Cell Phone Analyzer to recover deleted information from the device
• Recover the information from such devices using the following techniques:
  o Ask the victim or suspect for the PIN
  o Review the seized non-electronic materials such as notes or printouts
  o Contact the service provider
  o Contact the device manufacturer and service provider for information on known backdoors and vulnerabilities that might be exploited
  o Contact device maintenance and repair companies, as well as commercial organizations that provide architecture information on handheld device products
  o Use forensic tools such as Cell Phone Analyzer
  o Use data recovery tools such as SIM Analyzer and SIMCon
Memory Considerations in Mobiles

Source: http://csrc.nist.gov/

A mobile phone has memory that is either volatile or non-volatile in nature, and the size of this memory depends on the model of the cell phone. It stores several kinds of data, including:
• Operating system code
• Kernel
• Device drivers
• System libraries
• Memory for executing operating system applications
• Storage and execution of user applications loaded onto the device
• Text
• Image, audio, and video
• Other data files, including PIM application data

Certain phone memory is divided into regions dedicated to data such as the call log, phonebook entries, messages, and calendar entries, while a further amount of memory is shared between kinds of information (it is assigned dynamically from a common shared pool of memory).
Acquire Data from Memory Cards

Source: http://csrc.nist.gov/

Removable media extends the storage capacity of mobile phones, allowing individuals to store additional files beyond the device's built-in capacity and to share data between compatible devices. Mobile phones support Secure Digital (SD), MultiMedia Cards (MMC), and other types of removable media containing significant amounts of data. Recover the data from removable media and memory cards with a media reader and a tool such as Memory Card Data Recovery. The various types of memory cards and their characteristics are given below:

Name | Characteristics
Compact Flash Card (CF) | Matchbook size (length 36.4 mm, width 42.8 mm, thickness 3.3 mm for Type I cards and 5 mm for Type II cards); 50-pin connector, 16-bit data bus
MMCplus (compatible with original MultiMedia Card or MMC) | Postage stamp size (length 32 mm, width 24 mm, thickness 1.4 mm); 13-pin connector, 1-, 4-, or 8-bit data bus (7-pin connector, 1-bit data bus for MMC compatibility)
MMCmobile (compatible with original Reduced Size MMC or RS-MMC) | Thumbnail size (length 18 mm, width 24 mm, thickness 1.4 mm); 13-pin connector, 1-, 4-, or 8-bit data bus (7-pin connector, 1-bit data bus for RS-MMC compatibility); requires a mechanical adapter to be used in a full-size MMCplus slot
MMCmicro | Contact lens size (length 14 mm, width 12 mm, thickness 1.1 mm); 10-pin connector, 1- or 4-bit data bus; requires a mechanical adapter to be used in a full-size MMCplus slot
Secure Digital (SD) Card | Postage stamp size (length 32 mm, width 24 mm, thickness 2.1 mm); 9-pin connector, 1- or 4-bit data bus; features a mechanical erasure-prevention switch
MiniSD Card | Thumbnail size (length 21.5 mm, width 20 mm, thickness 1.4 mm); 9-pin connector, 1- or 4-bit data bus; requires a mechanical adapter to be used in a full-size SD slot
MicroSD (formerly TransFlash) | Contact lens size (length 15 mm, width 11 mm, thickness 1 mm); 6-pin connector, 1- or 4-bit data bus; requires a mechanical adapter to be used in a full-size SD slot
Memory Stick | Chewing gum stick size (length 50 mm, width 21.45 mm, thickness 2.8 mm); 10-pin connector, 1-bit data bus; features a mechanical erasure-prevention switch
Memory Stick Duo | Partial chewing gum stick size (length 31 mm, width 20 mm, thickness 1.6 mm); 10-pin connector, 4-bit data bus; features a mechanical erasure-prevention switch; requires a mechanical adapter to be used in a full-size Memory Stick slot
Memory Stick Micro | Contact lens size (length 12.5 mm, width 15 mm, thickness 1.2 mm); 11-pin connector, 4-bit data bus; requires a mechanical adapter to be used in a full-size Memory Stick slot

Table 38-3: Types of memory cards
Acquire Data from Synched Devices

Source: http://csrc.nist.gov/

Mobile phones are synchronized with a computer system in order to reconcile differences in certain data. This is similar to maintaining a backup of the information residing on the cell phone. While it is an advantage to the user, it is a drawback for the culprit: a significant amount of the evidence on a mobile phone may also be present on the suspect's laptop or personal computer (as it was synchronized with the device), so search there too for evidence including contacts, SMS, email details, images, and videos.
Gather Data from Network Operator

Source: http://www.soc.staffs.ac.uk/

Gather detailed information from the network operator, including calls made/received, message traffic, data transferred, and connection location/timing. According to www.searchnetworking.techtarget.com, "Home Location Register (HLR) is the main database of permanent subscriber information for a mobile network". It provides:
• Customer's name and address
• Billing name and address (if other than the customer)
• User's name and address (if other than the customer)
• Billing account details
• Telephone number (MSISDN)
• IMSI
• SIM serial number (as printed on the SIM card)
• PIN/PUK for the SIM
• Subscriber services allowed

Check Call Data Records (CDRs)

A call data record is the computer record of all calls and SMS information produced by a telephone exchange. These CDR files are held at the Mobile Switching Center (MSC), which records information about:
• Originating MSISDN
• Terminating MSISDN
• Originating and terminating IMEI
• Initial serving base station (BTS)
• Connection time
• Time when the call was disconnected
• Disconnection reason
• DLCI (Data Link Connection Identifier) field to identify the originating PRI and the bearer (B) channel used

Table 38-4: Call data record
Analyze the Information

Source: http://csrc.nist.gov/

The information in the cell phone should be analyzed in various ways so that it can be used in the further investigation. The information that can be analyzed is as follows:
• Subscriber and equipment identifiers
• Date/time, language, and other settings
• Phonebook information
• Appointment calendar information
• Text messages
• Dialed, incoming, and missed call logs
• Electronic mail
• Photos
• Audio and video recordings
• Multimedia messages
• Instant messaging and web browsing activities
• Electronic documents
• Location information

The steps to analyze the above information are as follows:
• Identify the individuals who created, modified, or accessed a file: A cell phone is a gadget used and accessed by a single person, but there is a chance it was misused, so it is necessary to identify who created the file and then who modified or accessed it
• Determine when events occurred by analyzing call logs, the date/time, and the content of messages and email: This establishes the date and time at which each event occurred, by checking the time a message was received or sent and the time and duration of each call (whether missed, dialed, or received)
• Track the timeline of the events: Establish the time at which each event occurred, then analyze the events and relate them to one another in order to identify the culprit
• Recover the hidden information: Much information, such as SMS and call logs, is deleted for confidentiality, but it can be extracted with the help of recovery tools
• Decrypt encrypted entries: To secure it, information such as SMS, contacts, emails, email IDs, and recordings may be encrypted. If entries such as SMS, contacts, or emails are encrypted, use cryptanalysis tools such as crank to decrypt them and reveal the information
• Use password cracking tools such as Hydra to read password-protected information: Users password-protect their cell phones to hide information or protect the phone from misuse, so the protected information must be accessed in this way
• Try to find out the geographical location of the attacker: Cell phones have the GPRS feature, which allows the user to trace the attacker and can help in tracking down the attacker's geographical location
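The CDR fields listed under "Check Call Data Records" and the "determine when events occurred" and "track the timeline" steps above come together in the following added example, which is not the module's or any vendor's code: it parses an operator CDR export, builds a time-ordered timeline for one MSISDN with call durations, counts which handsets (IMEIs) carried that SIM, and summarizes the serving cells. The CSV layout, subscribers, IMEIs and BTS identifiers are all constructed for the example, and the serving BTS is assumed to be the cell serving the subscriber's own handset.

```python
"""Build a subscriber timeline from operator call data records (CDRs).

Added example; not the module's or any vendor's code. Field names follow the
CDR contents listed in the module (originating/terminating MSISDN and IMEI,
initial serving BTS, connect/disconnect time, disconnect reason). The CSV
layout, numbers, IMEIs and BTS ids are constructed; the serving BTS is
assumed to be the cell serving the subscriber's own handset.
"""
import csv
import io
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Constructed operator export (fictitious subscribers, handsets and cells).
SAMPLE_CDR_CSV = """\
record_type,orig_msisdn,term_msisdn,orig_imei,term_imei,serving_bts,connect_time,disconnect_time,disconnect_reason
VOICE,27820000001,27820000003,490154203237518,,BTS-0412,2007-05-03T07:58:10Z,2007-05-03T08:02:45Z,normal
SMS,27820000001,27820000002,490154203237518,,BTS-0412,2007-05-03T08:15:02Z,2007-05-03T08:15:02Z,delivered
SMS,27820000001,27820000004,359090010000017,,BTS-0417,2007-05-03T22:41:30Z,2007-05-03T22:41:30Z,delivered
VOICE,27820000002,27820000001,,490154203237518,BTS-0412,2007-05-04T09:10:00Z,2007-05-04T09:11:30Z,normal
VOICE,27820000005,27820000001,,490154203237518,BTS-0412,2007-05-04T18:00:00Z,2007-05-04T18:00:00Z,no_answer
"""


@dataclass(frozen=True)
class Cdr:
    record_type: str
    orig_msisdn: str
    term_msisdn: str
    orig_imei: str
    term_imei: str
    serving_bts: str
    connect_time: datetime
    disconnect_time: datetime
    disconnect_reason: str


@dataclass(frozen=True)
class Event:
    """One CDR seen from the subscriber's side."""
    when: datetime
    direction: str      # 'out' (subscriber originated) or 'in' (subscriber terminated)
    record_type: str
    peer: str           # the other party's MSISDN
    imei: str           # handset the subscriber's SIM was in for this event
    bts: str
    duration_s: int
    reason: str


def _parse_ts(value: str) -> datetime:
    # The constructed export uses ISO-8601 UTC timestamps with a 'Z' suffix.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_cdrs(text: str) -> List[Cdr]:
    out = []
    for r in csv.DictReader(io.StringIO(text)):
        out.append(Cdr(
            r["record_type"], r["orig_msisdn"], r["term_msisdn"],
            r["orig_imei"], r["term_imei"], r["serving_bts"],
            _parse_ts(r["connect_time"]), _parse_ts(r["disconnect_time"]),
            r["disconnect_reason"]))
    return out


def timeline(cdrs: List[Cdr], msisdn: str) -> List[Event]:
    """All events involving msisdn, in time order, with call durations."""
    events = []
    for c in cdrs:
        dur = int((c.disconnect_time - c.connect_time).total_seconds())
        if c.orig_msisdn == msisdn:
            events.append(Event(c.connect_time, "out", c.record_type, c.term_msisdn,
                                c.orig_imei, c.serving_bts, dur, c.disconnect_reason))
        elif c.term_msisdn == msisdn:
            events.append(Event(c.connect_time, "in", c.record_type, c.orig_msisdn,
                                c.term_imei, c.serving_bts, dur, c.disconnect_reason))
    return sorted(events, key=lambda e: e.when)


def handsets_used(events: List[Event]) -> Dict[str, int]:
    """How often each IMEI carried this subscriber's SIM. More than one IMEI
    means the SIM moved between handsets, which has to be explained before a
    message is attributed to the subscriber's usual phone."""
    return dict(Counter(e.imei for e in events if e.imei))


def events_on_other_handset(events: List[Event], usual_imei: str) -> List[Event]:
    """Events where the SIM was not in the handset the subscriber normally uses."""
    return [e for e in events if e.imei and e.imei != usual_imei]


def cell_sites(events: List[Event]) -> Dict[str, Tuple[datetime, datetime]]:
    """First and last time each serving BTS appears: a coarse location history."""
    seen: Dict[str, Tuple[datetime, datetime]] = {}
    for e in events:
        first, last = seen.get(e.bts, (e.when, e.when))
        seen[e.bts] = (min(first, e.when), max(last, e.when))
    return seen


if __name__ == "__main__":
    tl = timeline(parse_cdrs(SAMPLE_CDR_CSV), "27820000001")
    for e in tl:
        print(e.when.isoformat(), e.direction, e.record_type, e.peer, e.imei, e.bts, e.duration_s, e.reason)
    print("handsets:", handsets_used(tl))
    print("not on usual handset:", events_on_other_handset(tl, "490154203237518"))
```

In the constructed data the evening SMS was sent while the SIM was in a second handset, which is exactly the kind of discrepancy the IMEI column lets an examiner raise before attributing a message to the subscriber's own phone.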
Cell Phone Forensics Tools

SIM Analyzer

Source: http://cpa.datalifter.com/

SIM Analyzer is a cell phone forensics tool that recovers the contents of SIM cards from different mobiles. It recovers:
• Last number dialed, abbreviated dialing numbers
• Active and deleted text (SMS) messages
• All the general files found in the Telecom group as defined in the GSM 11.11 v6 standard

Figure 38-8: SIM Analyzer Screenshot
• 36. SIMCon – SIM Card Recovery
Source: http://www.simcon.no/
SIMCon is a program that allows the user to securely image all files on a GSM/3G SIM card to a computer file with the SIMCon forensic SIM card reader. The user can subsequently analyze the contents of the card, including stored numbers and text messages. Features of SIMCon are as follows:
- Read all available files on a SIM card and store them in an archive file
- Analyze and interpret the content of files, including text messages and stored numbers
- Recover deleted text messages stored on the card but not readable on phones
- Manage PIN and PUK codes
- Compatible with SIM and USIM cards
- Print a report that can be used as evidence, based on user selection of items
- Secure file archive using MD5 and SHA1 hash values
- Export items to files that can be imported into popular spreadsheet programs
- Support international charsets
• 37. Figure 38-9: SIMCon Screenshot
SIM Card Data Recovery Software
Source: http://www.datadoctor.in/
SIM Card Data Recovery Software recovers accidentally deleted data from mobile phone SIM cards and provides a full backup of the cell phone's erased SIM memory. For recovery, the user needs a Phoenix-type USB SIM card reader or a PC/SC-standard SIM card reader, and a PC running Microsoft Windows. Features of SIM Card Data Recovery Software are as follows:
- Retrieves all deleted contact numbers (phone numbers), unreadable messages, and corrupt phone book directories
- Undeletes viewed and unread inbox text SMSes, outbox messages, drafts, saved favorite text messages, and sent items that have been deleted from SIM card memory
- Provides full details about the SIM card, such as its provider and ICC-ID
- Supports recovery on Windows XP, 2003, XP Media Center 2005, Longhorn, Vista, 2000, NT, ME, and 98
- Read-only and non-destructive SIM card data recovery utility
• 38.
- Print option outputs the recovered data on paper in text format
- Software also shows the provider name and ICC identification number of the SIM card
- Utility provides a full backup of corrupt or damaged SIM card memory
Figure 38-10: SIM Card Data Recovery Software
• 39. Memory Card Data Recovery
Source: http://www.datadoctor.in
Memory Card Data Recovery recovers lost or deleted pictures, images, and photos, formatted audio/video files and folders, and encrypted data from corrupted memory card storage devices. It restores accidentally deleted, damaged, formatted, or erased picture, image, photo, audio, and video files even if the media is corrupted and cannot be accessed, or if the memory card was pulled out while the camera or other device was on. Features of Memory Card Data Recovery are as follows:
- Reveals missing files and directories lost due to battery failure, formatting, or corruption caused by hardware or software malfunction
- Restores wav, mpg, mpeg, mp3, jpg, jpeg, bmp, midi, and similar media files
- Supports all major memory card devices, including CompactFlash, MultiMediaCard, Secure Digital card, PDA and Pocket PC drives, external mobile phone storage cards, and other similar flash drives
- Compatible with all major memory card brands such as Kodak, Konica, Minolta, Nikon, Ricoh, Samsung, Sony, Toshiba, etc.
- Supports all types of USB memory card reader
- Supports memory cards of all major capacities, including 128 MB, 256 MB, 512 MB, 1 GB, 2 GB, 4 GB, and higher
• 40. Figure 38-11: Memory Card Data Recovery
• 41. Device Seizure
Source: http://www.paraben-forensics.com
Device Seizure is a digital forensics tool that supports GSM SIM cards with the use of a SIM card reader. It acquires and analyzes data from over 1,950 mobile phones, PDAs, and GPS devices, including iPhones. Features of Device Seizure are as follows:
- 30 plug-ins for the acquisition and analysis of 15 types of devices, including cell phones, smartphones, PDAs, GPS devices, and SIM cards
- Support for more than 1,900 devices
- USB and serial support
- Verification of file integrity using MD5 and SHA1 hash values
- Deleted data recovery
- Encrypted image files to guarantee image integrity
- Built-in file viewing of proprietary files
- Built-in searching and bookmarking
- Text and hex viewing options for data
- Analyzes PDA data files stored on PCs
- Built-in Palm password recovery
- Windows CE registry viewer
- Acquires complete GSM SIM card information, including deleted data
- Full flash download for certain models of cell phones
- Image viewing for graphic information, including data carving for multimedia files on most devices
- Import of databases acquired with PDA Seizure, Cell Seizure, and SIM Card Seizure
• 42. Figure 38-12: Device Seizure Screenshot
SIM Card Seizure
Source: http://www.paraben-forensics.com
SIM Card Seizure recovers deleted SMS/text messages and performs comprehensive analysis of SIM card data. It takes the SIM card acquisition and analysis components from Paraben's Device Seizure and puts them into a specialized SIM card forensic acquisition and analysis tool. It includes the software as well as a forensic SIM card reader. Features of SIM Card Seizure are as follows:
- Forensic SIM card reader included
- Calculates MD5 and SHA1 hash values
- Recovers deleted SMS data
- Extracts data from the SIM card:
  - SST: SIM service table
  - ICCID: serial number
  - LP: preferred languages (variable)
  - SPN: service provider name
• 43.
  - MSISDN: subscriber phone number and short dial number
Figure 38-13: SIM Card Seizure Screenshot
• 44. Cell Phone Analyzer
Source: http://cpa.datalifter.com/
Cell Phone Analyzer is a cell phone forensics tool that recovers deleted items. It is a data interpreter for cell phone flash files, built to fill the gap in current mobile phone analysis tools. Features of Cell Phone Analyzer are as follows:
- Processes BlackBerry IPD files, including date and time support for call logs, email, and hotlists
- Nokia: both PM (permanent memory) and full flash support
- Motorola
- Samsung
- Sony Ericsson
- SIM card analysis
- Creates a "Safety SIM"(TM) to preserve call log data and keep the phone off the network
- Live video capture support
• 45. Oxygen Forensic Suite
Source: http://www.oxygen-forensic.com/
Oxygen Forensic Suite is mobile forensic software that goes beyond standard logical analysis of cell phones, smartphones, and PDAs. It recovers:
- Basic phone information and SIM card data
- Contacts list (including mobile, wireline, and fax numbers, postal addresses, contact photos, and other contact information)
- Missed/outgoing/incoming calls
- SIM card data
- Caller group information
- Organizer (calendar meetings, appointments, memos, call reminders, anniversaries and birthdays, to-do tasks)
- Text notes
- SMS messages (messages, log, folders, deleted messages with some restrictions)
- Multimedia messages (log only)
- E-mail messages (e-mail log and folders)
- GPRS, EDGE, CSD, HSCSD, and Wi-Fi traffic and session logs
- Photos and gallery images
- Video clips and films
- Voice records and audio clips
- All files from phone memory as well as from the flash card, including installed applications and their data
- FM radio station database (as part of the File Browser)
- Lifeblog activity: all main events with geographical coordinates
• 46. Figure 38-14: Oxygen Forensic Suite Screenshot
BitPim
Source: http://www.bitpim.org/
BitPim is a program that allows viewing and manipulating data on many CDMA phones from LG, Samsung, Sanyo, and other manufacturers. This data includes the phonebook, calendar, wallpapers, ringtones, and the file system for most Qualcomm CDMA chipset-based phones.
• 47. Figure 38-15: BitPim Screenshot
• 48. MOBILedit! Forensic
Source: http://www.mobiledit.com/
MOBILedit! Forensic is forensic software for mobile phone investigations. It collects all possible data from the mobile phone and generates an extensive report on a PC that can be stored or printed. It has changed the way evidence is obtained and presented. Features of MOBILedit! Forensic are as follows:
- Analyzes phones via Bluetooth, IrDA, or cable connection
- Analyzes the phonebook, last dialed numbers, missed calls, received calls, SMS messages, multimedia messages, photos, files, phone details, calendar, notes, tasks, and more
- Large number of phones supported
- Frequent updates and upgrades with new features and more phones
- Direct SIM analyzer through SIM readers
- Reads deleted messages from the SIM card
- Report generator based on your templates
- Prints reports ready for the courtroom
- Reports generated in any language
- Make a backup now and reports when needed
- Manual investigation mode
- Secure and tamper-proof using MD5 hash
- Compatible with Word or any other RTF editor
- View formatted reports in a browser, including original pictures
- Exports to Word, Excel/XLS, browser, XML/XSL
- Complete solution including specific phone cables and SIM readers
- XML export: seamlessly connect MOBILedit! Forensic data with other systems
- Preferred/forbidden networks
- Hex dump viewer
• 49.
- Free access to the forensic forum
Figure 38-16: MOBILedit Screenshot
• 50. PhoneBase
Source: http://www.phonebase.info/
PhoneBase is a mobile phone analysis system that extracts data from any standard SIM card using a SIM card reader. It recovers the contents of SIM cards and phone memories, including lists of phone numbers and associated names, recently made calls, and text messages. Features of PhoneBase are as follows:
- Minimal handling of telephone equipment
- Extracts data from any standard SIM card using a SIM card reader
- Reads phone memory using the optional phone memory module
Figure 38-17: PhoneBase Screenshot
• 51. Secure View
Source: http://mobileforensicsnew.susteen.com/
Secure View for Forensics is a software and hardware solution that provides law enforcement, corporate security, and forensics consultants with logical data extraction of the content stored in a mobile phone. For investigators, it provides easy access to vital information in seconds without the need to wait for crime reports. It acquires cell phone data via USB, Bluetooth, IrDA, and SIM card reader. It acquires:
- Serial numbers: IMEI (for GSM phones) and ESN (for CDMA phones)
- Recent calls: received calls, dialed calls, and missed calls
- Contacts (internal phone memory, as well as the SIM card on supported GSM phones)
- Calendar and to-do lists
- Pictures and wallpapers
- Ringtones and music
- Video and movies
• 52. Figure 38-18: Secure View for Forensics Screenshot
• 53. XACT
Source: http://www.msab.com/
XACT is a tool that performs physical data investigations of confiscated phones and allows recovery of deleted information. Features of XACT are as follows:
- Allows you to acquire data from locked phones
- Recovers deleted SMS messages from the SIM card and other information
- Recovers deleted information
Figure 38-19: XACT Tool Screenshot
• 54. CellDEK
Source: http://www.forensic.gov.uk
CellDEK is a portable handset data extraction kit designed for use at the scene of a crime and in all working environments associated with on-going investigations. It can access, read, and copy stored data from GSM, CDMA, TDMA, and iDEN handsets, SIM cards, PDAs, and 15 types of flash cards. Features:
- Extracts handset time and date, serial numbers (IMEI, IMSI), dialed calls, missed calls, received calls, phonebook (both handset and SIM), SMS (both handset and SIM), deleted SMS from the SIM, calendar, memos, and to-do lists
- Built-in SIM card reader and SIM card-reading software
- Data extraction from GSM, CDMA, TDMA, and iDEN devices
- Data produced in XML format, enabling database import
- Provides HTML reports (printable at the scene)
- Built-in MD5 functionality to prevent data manipulation
- Connection and control of an external jammer to prevent loss of data
- Time-stamped forensic audit trail records data sent to and received from the target device
• 55. Figure 38-20: CellDEK Tool Screenshot
• 56. Forensic Card Reader (FCR)
Source: http://www.bkforensics.com/
The Forensic Card Reader (FCR) allows a forensically clean method of extracting data from a SIM card. With its patented reading heads and software, the FCR accesses areas beyond the capability of standard SIM readers. It does not alter any data, including the date and time stamps of SMS messages and read/unread tags, and it reads SMS messages flagged as deleted. It reads the following entries on a SIM card:
- ICC-ID
- IMSI
- ADN
- FDN (fixed dialing numbers)
- Hidden entries
- LND
- MSISDN
- Deleted SMS
- TMSI (temporary mobile subscriber identity)
- LAI information indicating a cell or a set of cells
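How three of the entries in that list are actually stored on the card, as an added example that is not code from the module or from the FCR product: decoders for EF_ICCID, EF_IMSI, and the TP-SCTS service-centre timestamp stored with an SMS record, following the swapped-nibble BCD coding of GSM 11.11 and GSM 03.40, plus a Luhn check on the ICCID. The byte strings are constructed test vectors, not data from a real card, and treating the two-digit SMS year as 20YY is this example's own assumption.

```python
"""Decode three SIM-card records from their on-card byte coding:
EF_ICCID (card serial number), EF_IMSI (subscriber identity) and the
TP-SCTS timestamp stored with each SMS record (GSM 11.11 / GSM 03.40).

Added example; not code from the CHFI module or any vendor tool.
All byte strings below are constructed test vectors, not data from a real card.
"""
from datetime import datetime, timedelta, timezone


def swapped_bcd_digits(raw: bytes) -> str:
    """GSM 'swapped nibble' BCD: the low nibble of each byte comes first,
    then the high nibble; 0xF is filler and is dropped."""
    digits = []
    for b in raw:
        for nibble in (b & 0x0F, b >> 4):
            if nibble == 0x0F:
                continue
            if nibble > 9:
                raise ValueError(f"invalid BCD nibble {nibble:#x}")
            digits.append(str(nibble))
    return "".join(digits)


def luhn_valid(number: str) -> bool:
    """Luhn check-digit test (the scheme used for ICCID and IMEI check digits)."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def decode_iccid(ef_iccid: bytes) -> str:
    """EF_ICCID (file 2FE2): 10 bytes of swapped BCD, F-padded on the right."""
    if len(ef_iccid) != 10:
        raise ValueError("EF_ICCID must be exactly 10 bytes")
    return swapped_bcd_digits(ef_iccid)


def decode_imsi(ef_imsi: bytes) -> str:
    """EF_IMSI (file 6F07): byte 0 is the length of the value that follows;
    the low nibble of the first value byte carries the odd/even indicator
    (bit 3) and the IMSI digits start in that byte's high nibble."""
    length = ef_imsi[0]
    body = ef_imsi[1:1 + length]
    if length == 0 or len(body) != length:
        raise ValueError("EF_IMSI truncated")
    odd_length = bool(body[0] & 0x08)
    digits = str(body[0] >> 4) + swapped_bcd_digits(body[1:])
    if odd_length != (len(digits) % 2 == 1):
        raise ValueError("IMSI odd/even indicator disagrees with digit count")
    return digits


def decode_scts(raw: bytes) -> datetime:
    """TP-SCTS: 7 swapped-BCD octets YY MM DD hh mm ss TZ. TZ is in quarter
    hours; bit 3 of the stored octet's low nibble is the sign (1 = negative).
    The two-digit year is taken as 20YY (an assumption of this example)."""
    if len(raw) != 7:
        raise ValueError("TP-SCTS is 7 octets")
    yy, mm, dd, hh, mi, ss = (int(swapped_bcd_digits(bytes([b]))) for b in raw[:6])
    tz_byte = raw[6]
    quarters = int(swapped_bcd_digits(bytes([tz_byte & 0xF7])))
    offset = timedelta(minutes=15 * quarters)
    if tz_byte & 0x08:
        offset = -offset
    return datetime(2000 + yy, mm, dd, hh, mi, ss, tzinfo=timezone(offset))


# Constructed test vectors (not from a real card).
EF_ICCID_SAMPLE = bytes.fromhex("984401002143658709f3")   # ICCID 8944100012345678903
EF_IMSI_SAMPLE = bytes.fromhex("082943511032547698")      # IMSI 234150123456789
SCTS_SAMPLE = bytes.fromhex("42305141500340")             # 2024-03-15 14:05:30 +01:00
SCTS_SAMPLE_NEG = bytes.fromhex("42305141500348")         # same clock, zone -01:00

if __name__ == "__main__":
    iccid = decode_iccid(EF_ICCID_SAMPLE)
    print("ICCID", iccid, "luhn ok" if luhn_valid(iccid) else "LUHN FAIL")
    print("IMSI ", decode_imsi(EF_IMSI_SAMPLE))
    print("SCTS ", decode_scts(SCTS_SAMPLE).isoformat())
    print("SCTS ", decode_scts(SCTS_SAMPLE_NEG).isoformat())
```

The timezone octet is the part worth checking in any tool's output: a reader that ignores the sign bit places every message from a western time zone on the wrong side of UTC, which is exactly the kind of shift that puts an SMS before or after a call it should follow.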
• 57. Figure 38-21: Forensic Card Reader Screenshot
• 58. ForensicSIM Toolkit
Source: http://www.radio-tactics.com/
ForensicSIM Toolkit recovers digital evidence from GSM SIM and 3G USIM cards. It allows acquisition, analysis, and reporting. Features of ForensicSIM Toolkit are as follows:
- Recovers the operator identity number
- Recovers start/end time and date stamps
- Performs an MD5 checksum of acquired data
- Recovers the data storage card serial number and production batch date
Figure 38-22: ForensicSIM Toolkit
• 59. SIMIS 3G
Source: http://www.3gforensics.co.uk/
SIMIS 3G is a tool for the recovery of data from a SIM card. It allows the examiner to view recovered data, including phonebook contacts and numbers, SMS text messages, deleted text messages, time and date information, and more. It secures the recovered data against tampering using both MD5 and SHA-1 hashing. SIMIS 3G comprises:
- USB card readers (PC/SC industry standard)
- PC software on CD-ROM
- Mini SIM adapter and USIM storage card
- License
Features of SIMIS 3G are as follows:
- Read-only access to system and user data held on the SIM card
- Correctly handles PIN and PUK entry under controlled conditions
- Presents data in an easily readable web page format
- Produces retrieved data in a printable format for reports
- Creates and verifies the MD5 and SHA hash for each output file generated
- Correctly handles and displays foreign-language text messages
- Builds a database with unique file references for each SIM card read
- Searchable database with appropriate index categories
- Facility to read data from the SIMIS Mobile card interrogation unit
- Facility to retrieve data from some mobile subscriber equipment
- Provides commented raw data in a standard format for use in third-party applications
• 60. Figure 38-23: SIMIS 3G Screenshot
• 61. UME-36Pro – Universal Memory Exchanger
Source: http://www.cellebrite.com/
UME-36Pro – Universal Memory Exchanger is a phone memory transfer and backup solution that transfers all forms of content, including pictures, videos, ringtones, SMS messages, and phonebook contact data, between a wide range of mobile phones, smartphones, and PDAs. Features and capabilities of UME-36Pro are as follows:
- Based on Windows CE
- Supports transfer of content across all mobile handset technologies: GSM, CDMA, UMTS, 3G, TDMA, iDEN, and more
- Transfer of the phone's internal memory and SIM card content
- Transfer of phonebooks, pictures, videos, ringtones, and SMS
- Supports multiple language encodings
- Available connectivity: USB, serial, IrDA, and Bluetooth connections to phones
- Transfer, backup, and restore of mobile phone content
- Supports Symbian, Microsoft Mobile, Palm, and BlackBerry operating systems
- Integrated SIM/smart card reader
- Integrated PC connection allowing content backup and management
- Stand-alone device or an integrated PC solution
- User-friendly and self-explanatory
- Easily upgraded through software file downloads
How it works: the Cellebrite UME is used as a channel or intermediary for transferring data from a source phone to a target phone, without storing any record of the data on the UME unit itself. It prompts the user to select and define a set of parameters for the transfer process: the makes and models of the source and target phones, the memory from which and to which the contents will be copied (phone memory, SIM card), and the available link option, such as cable or IrDA. Once the parameters are defined, the UME displays the number of the cables that must be connected to the mobile phones, or the IR connection. Then, at the press of a button, the data flows from the source phone, through the UME, to the target phone. When necessary, the UME automatically converts data formats and fields to be compatible with the target phone.
• 62. Figure 38-24: UME-36Pro Screenshot
• 63. Cellebrite UFED System – Universal Forensic Extraction Device
Source: http://www.cellebrite.com/
The Cellebrite UFED (Universal Forensic Extraction Device) forensic system is a device that can be used in the field as well as in the forensic lab. It supports:
- CDMA, GSM, iDEN, and TDMA technologies, and it is compatible with any wireless carrier
- 95% of all cellular phones, including smartphones and PDA devices
- All known cellular device interfaces, including serial, USB, infrared, and Bluetooth
Features of the Cellebrite UFED system are as follows:
- Extracts data from most cell phones and PDAs: phonebook, pictures, videos, text messages, call logs, ESN, and IMEI information
- Is a kit, with no computer required for extraction
- Generates complete, MD5-verified evidence reports
- Supports over 1,400 handset models
Figure 38-25: Cellebrite UFED Screenshot
• 64. ZRT
Source: http://www.fernico.com/
ZRT is a cell phone forensic investigation solution that supports all phones and can be used on its own or in conjunction with existing tools. It is easy to use, fast, and offers manual examination. It includes the following:
- ZRT software
- Camera: Canon A640 10-megapixel camera
- Mount: flexible arm and desk clamp
- Power: Canon wired power supply
- Accessory: non-slip mat
Features of ZRT are as follows:
- Completely streamlines the process of taking high-resolution photographs of screen displays
- Merges photos into custom-designed report templates
• 65. Neutrino
Source: http://www.forensics.ie/
Neutrino is a mobile device acquisition tool that integrates with EnCase v6. It allows analyzing both mobile devices and computer evidence at the same time. Features of Neutrino are as follows:
- Examine multiple devices and correlate them with computer evidence at the same time
- Share Neutrino-acquired logical evidence files with other EnCase v6 examiners
- Carry the entire tool set, organized and stored in a single field kit
- Access unallocated space on selected devices
- Hardware support and parsing capabilities for more than 75 of the most common devices, with new devices being added regularly
- Includes a Wave Shield signal blocking bag, delivering reliable wireless signal blocking protection even in close proximity to cell towers
Figure 38-26: Neutrino Screenshot
• 66. ICD 5005
Source: http://www.projectaphone.com/
ICD 5005 is a Project-a-Phone product designed for forensic investigations of cell phones. With a USB 2.0 camera, it captures display screens at up to 3 megapixel resolution. It also lets the user record video clips and displays a live image on the computer screen. Features of ICD 5005 are as follows:
- Captures evidence in cell phone forensics
- Supports live meetings where you want to present from a computer
- Provides web-based demonstrations
- Takes screenshots for print marketing materials or documentation
- Helps to display evidence in the courtroom
Specifications:
- Takes screenshots of up to 3.15 megapixels
- Delivers up to 30 frames per second at VGA resolution
- Accommodates screens up to 7.5 cm wide and 5.5 cm tall
System requirements:
- Pentium 333 MHz CPU or higher
- Windows 2000, XP, ME, or Vista (32-bit only)
- 1 available USB 2.0 port per device
• 67. Figure 38-27: ICD 5005
• 68. ICD 1300
Source: http://www.projectaphone.com/
ICD 1300 is a Project-a-Phone product designed for forensic investigations of cell phones. It captures and displays screens at up to 1.3 megapixel resolution. Features of ICD 1300 are as follows:
- Records forensic evidence
- Provides screenshots for digital marketing materials or documentation
- Supports training and software testing
- Supports internal meetings and web demonstrations
Specifications of ICD 1300 are as follows:
- Native 1280 x 960 sensor
- Delivers and records up to 30 frames per second at VGA resolution
- Accommodates screens up to 8.5 cm wide and 6.5 cm tall
System requirements:
- Pentium 333 MHz CPU or higher
- Windows 2000, XP, ME, or Vista, or Mac OS
- 1 available USB 2.0 port per device
• 69. Figure 38-28: ICD 1300
• 70. Challenges for Forensic Efforts
Source: http://www.htcia-ne.org/
Challenges faced by investigators in cell phone forensics are as follows:
- Phones are often a disposable solution for criminals: they can change their way of attack as soon as they get a clue that the attack has been exposed
- Tools or devices may not widely support forensic solutions
- No contract and no identity tied to the device or service contract
- No single standardized approach to investigating mobile devices
- Different forensic tools are only able to operate on a particular handset, specific platforms for a specific product, a distinct operating system, or a specific hardware architecture
- The ever-changing advancement of mobile devices increases the complexity of mobile device examinations
• 71. Summary
- Mobile phone forensics refers to the recovery of digital evidence from a mobile phone under forensically sound conditions using accepted methods
- The SIM is a removable component that contains essential information about the subscriber
- The IMEI is a 15-digit number that indicates the manufacturer, model type, and country of approval for GSM devices
- The network operator provides information including calls made/received, message traffic, data transferred, and connection location/timing
- The ESN is a unique 32-bit identifier recorded on a secure chip in a mobile phone by the manufacturer
Exercise:
1. What are the various components of a cellular network?
2. Write a note on the different types of cellular networks.
3. List what types of information can be retrieved from a mobile phone.
4. Write a note on the International Mobile Equipment Identifier (IMEI) and its importance.
5. List all the precautions to be taken before a forensic investigation.
6. How is the data from a SIM card acquired?
7. Discuss how to check call data records.
8. Explain how to analyze the information in a cell phone.
9. Discuss the various cell phone forensic tools.
10. What are the challenges faced by investigators?
Hands On
1. Visit http://searchmobilecomputing.techtarget.com/ and read about the threats faced by organizations due to mobile devices
2. Visit http://www.soc.staffs.ac.uk/ and read about the techniques for retrieving forensic information from mobile phones
3. Visit http://faculty.colostate-pueblo.edu/ and read about the NSLEC Mobile Phone Examination Guidelines
4. Download the OXYGEN Forensic Suite from http://www.oxygen-forensic.com/en, run it, and check the results
5. Download the FORENSIC CARD READER from http://www.bkforensics.com/FCR.html, run it, and check the results