2. Understanding Mobile Device Forensics
People store a wealth of information on cell phones and mobile devices
People don’t think about securing their mobile devices
Items stored on mobile devices:
Incoming, outgoing, and missed calls
Text and Short Message Service (SMS) messages
E-mail
Instant-messaging (IM) logs
Web pages
Pictures
Personal calendars
Address books
Music files
Voice recordings
GPS data
Investigating cell phones and mobile devices is one of the most challenging tasks in digital forensics
3. Understanding Cellular Connected Mobile Devices
A Mobile Switching Center (MSC) is the switching system for the cellular network. The MSC is also responsible for communications between mobile and landline phones.
The Base Transceiver Station (BTS) is the part of the cellular network responsible for communications between the mobile phone and the network switching systems.
The Home Location Register (HLR) is a database used by the MSC that contains subscriber and service information.
It is related to the Visitor Location Register (VLR) for roaming status.
4. Inside Mobile Devices
IMEI and IMSI
International Mobile Equipment Identifier
International Mobile Subscriber Identifier
Also MEID (Mobile Equipment Identifier) or ESN (electronic serial number)
Phones store system data in electronically erasable programmable read-only memory (EEPROM)
Enables service providers to reprogram phones without having to physically access memory chips
OS is stored in ROM
Nonvolatile memory
5. Inside Mobile Devices
Subscriber identity module (SIM) cards
Found most commonly in GSM (Global System for Mobile Communications) devices
GSM refers to mobile phones as “mobile stations” and divides a station into two parts: the SIM card and the mobile equipment (ME)
Portability of information makes SIM cards versatile
Integrated Circuit Card Identifier (ICCID)
Identifies the subscriber to the network
Stores service-related information
PIN – unlocks the device
PUK – resets the PIN
Wipes the phone if entered incorrectly more than 10 times
Cipher Algorithm
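The identifiers on slides 4 and 5 (IMEI, ICCID, IMSI) each have a fixed layout, and two of them carry a Luhn check digit that an examiner can use to catch a mistyped or mis-read value before searching on it. The following is an added example, not from the slide deck; the sample IMEI is the public documentation example and the ICCID and IMSI are constructed test values (MCC 001 is the test-network code), with the MNC length passed in as an assumption because it varies by country.

```python
"""Decode and sanity-check device and subscriber identifiers (IMEI, ICCID, IMSI).
Added example, not from the slide deck. Sample values are constructed or public
documentation examples, not values taken from a real seizure."""

def luhn_valid(number: str) -> bool:
    """Luhn check-digit test, used by both the 15-digit IMEI and the ICCID."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the check digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def decode_imei(imei: str) -> dict:
    """IMEI = 8-digit TAC (identifies make/model) + 6-digit serial + Luhn check digit."""
    if len(imei) != 15 or not imei.isdigit():
        raise ValueError("IMEI must be exactly 15 digits")
    return {"tac": imei[:8], "serial": imei[8:14], "check_digit": imei[14],
            "luhn_ok": luhn_valid(imei)}


def decode_iccid(iccid: str) -> dict:
    """ICCID starts with major industry identifier 89 (telecom) and ends with a Luhn
    check digit; the country and issuer fields between them are variable length,
    so they are returned as one string rather than split on a guessed width."""
    if not 18 <= len(iccid) <= 20 or not iccid.isdigit():
        raise ValueError("ICCID must be 18-20 digits")
    return {"mii": iccid[:2], "telecom": iccid[:2] == "89",
            "issuer_and_account": iccid[2:-1], "luhn_ok": luhn_valid(iccid)}


def decode_imsi(imsi: str, mnc_len: int = 2) -> dict:
    """IMSI = 3-digit MCC + 2- or 3-digit MNC (width depends on the country) + MSIN.
    mnc_len is an assumption supplied by the caller from the MCC's numbering plan."""
    if len(imsi) != 15 or not imsi.isdigit() or mnc_len not in (2, 3):
        raise ValueError("IMSI must be 15 digits with a 2- or 3-digit MNC")
    return {"mcc": imsi[:3], "mnc": imsi[3:3 + mnc_len], "msin": imsi[3 + mnc_len:]}


if __name__ == "__main__":
    print(decode_imei("490154203237518"))       # public documentation example IMEI
    print(decode_iccid("8901410321111185109"))  # constructed test ICCID
    print(decode_imsi("001010123456789"))       # constructed; MCC 001 = test network
```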
6. Mobile Device Forensic Analysis Process
Biggest challenge is dealing with constantly changing models of cell phones
When you’re acquiring evidence, generally you’re performing two tasks:
Acting as though you’re a PC synchronizing with the device (to download data)
Reading the SIM card
First step is to identify the mobile device
Question: Why is this important?
7. Understanding Acquisition Procedures for Cell Phones and Mobile Devices
The main concerns with mobile devices are loss of power and synchronization with PCs
All mobile devices have volatile memory
Making sure they don’t lose power before you can retrieve RAM data is critical
A mobile device attached to a PC via a cable or cradle/docking station should be disconnected from the PC immediately
Communication or system messages might be received on the mobile device after seizure
Isolate the device from incoming (RF) signals
The drawback to using these isolating options is that the mobile device is put into roaming mode, which accelerates battery drainage
8. Data Acquisition Procedures for Cell Phones and Mobile Devices
Check these areas in the forensics lab:
Internal memory
SIM card
The SIM file system is a hierarchical structure
Removable or external memory cards
Information that can be retrieved:
Service-related data, such as identifiers for the SIM card and the subscriber
Call data, such as numbers dialed
Message information
Location information
If power has been lost, PINs or other access codes might be required to view files.
Encryption
9. Access Methods
(6 types according to NIST)
Manual extraction
Looking at pages of information directly on the device
Logical extraction
Filesystem dump
Hex dumping and JTAG
Can work on damaged devices and bypass lock screens; reads directly from RAM/ROM
Chip-off
Unsolder or cut the flash memory from the circuit board
Micro read
Use a scanning electron microscope (SEM) to view the data
10. Don’t ignore useful properties
When was the last time this phone was at 2SP?
11. Poke around and you will find…
Encoded Secrets
This has been truncated; the app stores your password
12. Application Data
Found in plists or sqlite files
Apps continue to change formats
Looking primarily for location and message data
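Message data in SQLite stores is where timestamp handling bites: Apple's databases count from 2001-01-01 rather than the Unix epoch, and the unit changed from seconds to nanoseconds across iOS versions, so rows from different vintages do not even sort correctly on the raw column. The following is an added example, not from the slide deck; the handle/message tables and their rows are constructed in memory to mirror the iOS sms.db layout and are not taken from any device, and the 10^10 cut-off between seconds and nanoseconds is this example's own assumption.

```python
"""Extract messages from an sms.db-style SQLite table and convert Apple timestamps.
Added example, not from the slide deck; the tables and rows are constructed to
mirror the iOS message/handle layout, not taken from a device."""
import sqlite3
from datetime import datetime, timedelta, timezone

COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def cocoa_to_utc(value: int) -> datetime:
    """Older iOS stored seconds since 2001-01-01; newer versions store nanoseconds.
    Assumption: any value above 10^10 is nanoseconds, since a seconds count that
    large would not occur for roughly three centuries."""
    seconds = value / 1_000_000_000 if value > 10_000_000_000 else value
    return COCOA_EPOCH + timedelta(seconds=seconds)


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a recovered sms.db (one row per format)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE handle(ROWID INTEGER PRIMARY KEY, id TEXT);
        CREATE TABLE message(ROWID INTEGER PRIMARY KEY, handle_id INTEGER,
                             text TEXT, date INTEGER, is_from_me INTEGER);
        INSERT INTO handle VALUES (1, '+15555550100');
        INSERT INTO message VALUES (1, 1, 'running late', 600000000, 0);
        INSERT INTO message VALUES (2, 1, 'ok, see you there', 600000060000000000, 1);
    """)
    return con


def extract_messages(con: sqlite3.Connection) -> list:
    """Join each message to the counterparty handle, normalise the timestamp, and
    sort on the converted time so mixed-format rows come out in true order."""
    rows = con.execute("""SELECT m.ROWID, h.id, m.text, m.date, m.is_from_me
                          FROM message m JOIN handle h ON h.ROWID = m.handle_id""")
    out = [{"rowid": r[0], "party": r[1], "text": r[2],
            "when": cocoa_to_utc(r[3]),
            "direction": "sent" if r[4] else "received"} for r in rows]
    return sorted(out, key=lambda m: m["when"])


if __name__ == "__main__":
    for m in extract_messages(build_sample_db()):
        print(m["when"].isoformat(), m["direction"], m["party"], m["text"])
```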
13. Rooting
Usually an alternate OS (may be done via command injection)
Removes built-in restrictions on access to data
Removes, or makes it possible to add, third-party applications
Consumers do it for functionality
Investigators do it for access to data
Manufacturers are making this more challenging
14. Summary
People store a wealth of information on their cell phones
Various generations of mobile phones
Data can be retrieved from several different places in phones
As with computers, proper search and seizure procedures must be followed for mobile devices
To isolate a mobile device from incoming messages, you can place it in a specially treated paint can, a wave-blocking wireless evidence bag, or eight layers of antistatic bags
SIM cards store data in a hierarchical file structure
Editor's Notes
Question: It is harder nowadays but what was so great back in the day with SIM cards and phones?
Need software and know-how to recover the SIM card