This document discusses mobile device forensics and compares two mobile forensic software tools - Cellebrite UFED 4PC and Lantern 4. It begins with an introduction to the prevalence of mobile devices and how they are often involved in criminal activity, necessitating forensic analysis of mobile evidence. It then provides an overview of mobile device technology and hardware. The document analyzes requirements for core and optional features of forensic software tools. It compares the user interfaces, capabilities, and costs of Cellebrite UFED 4PC and Lantern 4. The document concludes that neither tool is ultimately better and that their specific capabilities suit different situations given an agency's budget.
Concepts and Methodology in Mobile Devices Digital Forensics Education and Tr... - Damir Delija
One of the draft versions of "Concepts and Methodology in Mobile Devices Digital Forensics Education and Training".
Abstract - This paper presents various issues in digital forensics of mobile devices and how to address these issues in the related education and training process. Mobile devices forensics is a new, very fast developing field which lacks standardization, compatibility, tools, methods and skills. All these drawbacks have an impact on the results of the forensic process and also have a deep influence on the training and education process. In this paper real life experience in training is presented, with tools, devices, procedures and organization, with the purpose of improving the process of mobile devices forensics and mobile forensic training and education.
Data validation using CDR (Call Detail Records) and real cell tower coverage - Nicola Chemello
Digital forensics acquisition is one of the most important parts of any investigation. Granting the results by comparing the obtained data with third party information is something the investigator should consider. Fake SMS, wrong parsing of the data, and other issues can be prevented if multiple sources are analysed. In this brief presentation the results of a correlation with SecurCube Phonelog for the CDR analysis and SecurCube BTS tracker for the real cell towers coverage are highlighted.
The use of digital devices in day to day life has increased tremendously. Mobile devices have become a vital part of our day to day routine and they are prone to facilitating illegal activity or otherwise being involved when crimes occur. Whereas computers, laptops, servers, and gaming devices might have many users, in the vast majority of cases, mobile devices generally belong to an individual. The science behind recovering digital evidence from mobile phones is called mobile forensics. Digital evidence is defined as data and information that is stored on, received, or transmitted by an electronic device that is used for investigations. Digital evidence encompasses any and all digital data that can be used as evidence in a case. Mobile devices present many challenges from a forensic viewpoint. With new models being developed each day, it is extremely difficult to develop a single process or tool to address all the possibilities an investigator may face. Court cases also need to be taken into consideration as mobile devices are being seized and analyzed. Mr. I. A. Attar | Mr. M. M. Kapale "Conceptual Study of Mobile Forensics" Published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-4 | Issue-1, December 2019, URL: https://www.ijtsrd.com/papers/ijtsrd29476.pdf Paper URL: https://www.ijtsrd.com/computer-science/world-wide-web/29476/conceptual-study-of-mobile-forensics/mr-i-a-attar
Mobile forensics is a branch of digital forensics. Simply, it is a science of recovering different kinds of evidence from mobile phones. It helps investigators significantly to reach the criminal.
New research directions in the area of - IJCNCJournal
The proliferation of smart mobile phones with diverse features makes it possible to increase their use in criminal activities. The fast technological evolution and presence of different smart phones and their proprietary operating systems pose great difficulties for investigators and law enforcement officials to choose the best tool for forensics examination, accurate recovery and speedy analysis of data present on smart phones. This paper presents a literature review on smart phone forensic techniques for different platforms. As a result of comprehensive analysis of these techniques, it has been found that there is no generic forensic technique or tool available which can perform the forensic analysis of all currently available different smart phones. Further, there is a need to develop a generic technique for forensic analysis of a variety of different smart phones. This generic technique should perform the forensic analysis of currently available different smart phones on the crime scene without the need to attach the smart phone to a computer. Further, it will help the investigators to do their jobs easily and more efficiently. The proposed technique needs to be implemented and tested on different smart phones to validate its performance and accuracy.
Preparing Testimony about Cellebrite UFED In a Daubert or Frye Hearing - Cellebrite
The Cellebrite UFED is among the best known and most used mobile forensic extraction and analysis tools in the digital forensics industry. However, its complex technical processes are not as well understood outside of training. The following information is presented in an effort to help U.S.-based attorneys prepare themselves and their witnesses for Daubert, Frye, or related challenges to the admissibility of UFED-extracted mobile device evidence.
On the Availability of Anti-Forensic Tools for Smartphones - CSCJournals
The existence of anti-forensic tools in the context of computing systems is one of the main challenges for forensics investigators in achieving reliable evidence recovery and consequently uncovering crime facts. This is in particular more challenging in emerging smartphone technologies, since data is of highly mobile and volatile nature. In the current paper, we present a brief study of several anti-forensic applications available for smartphones. The applications are ready to use, most of them free, and require no expert technical knowledge. Moreover, these have been proved to be very effective when tested with two commercial forensic tools.
Mobile phones are an integral part of our lives since they have played a vital role in bringing people closer together. They have abundantly been used by people all across the globe as they keep them up-to-date about the happenings in the world. However, these mobile phones have also been used in carrying out various criminal activities for the past few decades, therefore, a new discipline of Mobile Phone Forensics has been introduced which will help a lot in curbing the menace of these crimes by locating the whereabouts of the criminals. This research paper deals with the introduction of this innovative discipline of mobile phone forensics by throwing light on the importance of this discipline. It also deals with the detailed procedure of conducting a formal forensics analysis with the help of these mobile phones.
A Comparison Study of Android Mobile Forensics for Retrieving Files System - CSCJournals
A comparison study of the Android forensic field in terms of Android forensic process for acquiring and analysing an Android disk image is presented. The challenges of Android forensics, including the complexity of the Android application, different procedures and tools for obtaining data, difficulties with hardware set up, using expensive commercial tools for acquiring logical data that fail to retrieve physical data acquisition are described in this paper. To solve these challenges and achieve high accuracy and integrity in Android forensic processes, a new open source technique is investigated. Manual, logical and physical acquisition techniques are used to acquire data from an Android mobile device (Samsung Android 4.2.2). The mobile phone is identified by taking photos of the device and its individual components, including the memory expansion card, and labelling them with identifying information. Following the manual acquisition, logical acquisition is conducted using the AFLogical application in the ViaExtract tool (by NowSecure) installed on a Santoku Linux Virtual Machine. The image file is then created using the AccessData FTK Imager tool for physical acquisition. Four tools are utilized to analyse recovered data: one using ViaExtract on a Santoku Linux Virtual Machine, two using the AccessData FTK Imager, and one using file carving in Autopsy on a Kali Linux Virtual Machine. The results of the analysis demonstrate that the technique can retrieve contacts, photos, videos, call logs, and SMSs. Also, the EaseUS Data Recovery Wizard Free tool is used for the recovery of files from the LOST.DIR on external memory.
Globally, the extensive use of smartphone devices has led to an increase in storage and transmission of enormous volumes of data that could potentially be used as digital evidence in a forensic investigation. Digital evidence can sometimes be difficult to extract from these devices given the various versions and models of smartphone devices in the market. Forensic analysis of smartphones to extract digital evidence can be carried out in many ways; however, prior knowledge of smartphone forensic tools is paramount to a successful forensic investigation. In this paper, the authors outline challenges, limitations and reliability issues faced when using smartphone device forensic tools and accompanying forensic techniques. The main objective of this paper is intended to be consciousness-raising rather than suggesting best practices for these forensic work challenges.
SOK: An overview of data extraction techniques from mobile phones - Ashish Sutar
The article gives an overview of data extraction techniques from mobile phones. This will help new forensic investigators as well as forensic analysts to learn these techniques in detail subsequently.
Comparative Analysis of Digital Forensic Extraction Tools - ijtsrd
Computer forensics is the process of collecting and examining information present in digital format in civil, criminal, or administrative proceedings for use as evidence. It is also a from data recovery, which involves the recovery of data from a system that has been erased by error or lost during a server crash. Tools are designed to extract evidence from the computer and it is the role of the investigator to check whether the crime or policy violation has been committed by the suspect. Investigators use various kinds of tools based on the area or the kind of information which is lost such as digital data, network compromise, cyber breach, web data, email and many more. Varun H M | Dr. Uma Rani Chellapandy | Srividya B G "Comparative Analysis of Digital Forensic Extraction Tools" Published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-5 | Issue-1, December 2020, URL: https://www.ijtsrd.com/papers/ijtsrd37980.pdf Paper URL: https://www.ijtsrd.com/computer-science/computer-security/37980/comparative-analysis-of-digital-forensic-extraction-tools/varun-h-m
Smartphones' usage and their applications have become popular in our society nowadays. One of the most influential applications in our social life is the instant messaging application. LINE messenger is one of the popular instant messaging applications around Asian countries. LINE has about 60 – 70 percent active users per month from 144 million accounts in Japan, Taiwan, Thailand, and Indonesia. Like most other instant messengers, LINE services are able to keep their users' personal files such as text chats, pictures or photos, and video. These files hold valuable and specific information about the user. In law enforcement, this kind of information can be authentic evidence to solve crime cases. This paper shows the ability of a forensic tool in acquiring digital evidence on an Android device. The work is separated into two tests, the application analysis acquisition and full content acquisition. The digital evidence has also been identified, such as text chats, pictures, the name of the sender and the recipient, and the chat time (timestamp).
The Internet of Things (IoT) integrates various sensors, objects and smart nodes that are capable of communicating with each other without human intervention.
The IoT Forensics could be perceived as a subdivision of the Digital Forensics. IoT Forensics is a relatively new and unexplored area. The purpose of the IoT Forensics is similar to the one of the Digital Forensics, which is to identify and extract digital information in a legal and forensically sound manner.
Android Mobile forensics with custom recoveries - Ibrahim Mosaad
The presentation describes how we can do Android mobile forensics through custom recovery partitions. It explains that different forensics functionalities can be done on Android phones through the custom recovery partition. Some of these functionalities are logical/physical data acquisition, PIN/pattern/passcode bypass, rooting, adb shell and many other functionalities. The presentation also illustrates how we can build our own custom recoveries.
DETERMINE THE USE OF SMARTPHONES IN THE CLASSROOM TO ENHANCE STUDENTS LEARNIN... - ArtisMcCoy2014
The study utilizes three groups of students: two groups which are the sample pool and a third group as the control group. The intent of the project is to determine if the use of smartphones in the classroom enhances students' learning of the content. To determine this, surveys, interviews, and assessments were used. Host school: Lamar University at Beaumont, Texas, 2013 by Artis R. McCoy (www.mccoyartis@yahoo.com).
Digital forensics research: The next 10 years - Mehedi Hasan
Today’s Golden Age of computer forensics is quickly coming to an end. Without a clear strategy for enabling research efforts that build upon one another, forensic research will fall behind the market, tools will become increasingly obsolete, and law enforcement, military and other users of computer forensics products will be unable to rely on the results of forensic analysis. This article summarizes current forensic research directions and argues that to move forward the community needs to adopt standardized, modular approaches for data representation and forensic processing.
© 2010 Digital Forensic Research Workshop. Published by Elsevier Ltd. All rights reserved.
This report was meant to identify the mobile phone industries of Bangladesh based on major mobile brands in Bangladesh, company analysis, present situation etc.
Contents Mobile Forensic 3 Introduction 3 What It Is 3 How I.docx - richardnorman90310
Contents
Mobile Forensic
Introduction
What It Is
How It's Used
Steps in Mobile forensics
Seizure
Airplane mode
Phone jammer
Faraday bag
Acquisition
Examination and analysis
Invasive methods
Chip-off
Micro read
Case study
CSI wife killers case Ireland
Phone evidence settled the conviction of a liar and a wife-killer
Mobile records checking
Conclusion
References
Mobile Forensic
Introduction
Mobile forensics is obtaining information on a mobile device such as a smartphone or tablet. The technology has grown in sophistication, and it can be used to uncover hidden content on devices, including text messages, apps and wifi connections. Mobile forensics goes beyond mere wireless security breaches. Today's mobile forensic tools can uncover true digital evidence and unlock devices with few endpoints or no recovery partitions to access.
The importance of mobile forensics is rising in the connected world of today. Discover further regarding mobile forensics, its applications, and the significance and procedures of a mobile investigation with a strong forensic foundation in this course.
What It Is
Mobile forensics is a digital forensics subfield that focuses well on data extraction from electronic origin. Recovery of evidence from portable digital devices such as tablets, smartwatches, and smartphones is the focus of mobile forensics. Mobile devices are used by numerous people these days, so it seems reasonable that they would hold a large quantity of evidence that might be helpful to investigators. These gadgets search for data and collect and transmit data (Moreb, 2022).
Mobile devices can reveal numerous important pieces of information, such as messages, GPS data, call logs, and internet search activity that discloses the owner's probable whereabouts anywhere at any given moment.
How It's Used
The secret to gathering digital evidence is following forensically sound procedures, regardless of who utilizes mobile forensics or how it is applied. According to Duke University's Electronic Discovery Reference Model, the word "forensically sound" refers to "procedures employed for gathering electronic information in a way that assures it is "as originally discovered" and is dependable enough to be allowed into evidence."
This implies that mobile evidence is treated so that it will be admissible in court and that it is not compromised during the forensic procedure. The idea of being forensically sound is based on the fundamental idea that transportable evidence should be kept in the same condition as when it was first discovered.
A defined procedure that helps to guarantee law enforcement or anyone collecting the data follows best practices for doing so lies behind forensically sound mobile evidence collection. Let's examine those actions (Kumar, 2021, p. 102).
Steps in Mobile forensics
Seizure
The cornerstone of digital forensics is the principle that evid.
CS 1010, Computer Essentials 1
Course Learning Outcomes for Unit I
Upon completion of this unit, students should be able to:
1. Explain the relationship between digital basics and computer hardware.
1.1 Discuss the significance of digitization and its impact on the digital revolution in reference to
data representation, processing, and security.
1.2 Describe the difference between system software, an operating system, application software,
and a computer program.
1.3 Describe personal computer basics, microprocessors and memory, storage devices, input and
output devices, and hardware security.
Reading Assignment
Chapter 1:
Computer and Digital Basics
Chapter 2:
Computer Hardware
Unit Lesson
Today we live in a highly digitized society, which affects our economy, privacy, freedom and democracy, and
intellectual property. The digital revolution consists of four phases, which are identified as data processing,
personal computing, network computing, and cloud computing. Technology has changed as the revolution
has progressed. As users, we expect information to be available 24/7, and most of the time it is just a click
away. Parsons and Ajo (2014) stated that “the digital revolution is an ongoing process of social, political, and
economic change brought about by digital technology, such as computers and the Internet” (p. 4). It has been
said that the digital revolution actually started during World War II. The Internet was developed as a military
project that society relies heavily on today. Without the Internet, where would we be today? Commercial
concerns, academic entities, and research facilities rely heavily on the Internet.
e-Commerce is a product of the digital revolution; some of the popular websites associated with e-commerce
are Amazon and eBay. What a great way to shop by using e-commerce in the comfort of one’s own home.
You do not have to go out and fight the Christmas crowds on Black Friday; you can shop Black Monday
instead online.
Computerized medical health records are another product of the digital revolution. Many doctors use
electronic records and patients can get accounts to view their own information. Social media is another facet
of the digital revolution (e.g., Facebook, Twitter, LinkedIn, and Myspace). Cell phones are a product of this
revolution, also. Cell phones were originally huge devices, unlike how they look today. Today cell phones
have the capability of little computers.
The data processing phase of the digital revolution consisted of big corporate and government computers,
custom applications, Citizens Band Radio (CB) radios, Advanced Research Projects Agency Network
(ARPANET), and arcade games.
Phase two of the revolution consisted of personal computers, including small standalone computers powered
by local software. Other characteristics of personal computing include desktop computers, standalone
applications, dial-up Internet access, Ameri ...
Feel free to read my latest paper and understand how malware intrusion, network intrusion, and insider file deletion can help or hinder a cyber forensic investigation...
All feedback welcome
Mobile devices are no longer just dedicated communication devices and have even exceeded the limits of such, and have become an essential part of our life; they are indispensable. It is through the memory that you can store images and videos and can also connect to social networking; it can also be played by linking to bank accounts. However, we must bear in mind that there are people in this world who are trying, day and night, to get to your private information, to steal from you and either exploit the user or simply to steal his/her money. These people are called hackers, as will be named through our topic for today. We will put in your hands the most important points that make sure that he is spying on your mobile and the mobile penetrative. The biggest obstacle to these investigators, whether spies or hackers' encryption is "full device encryption" or "full data" to be encrypted, and here we must distinguish between the two things, not confusing them. This paper will explain the vulnerabilities of mobile devices and how they can be avoided.
Technology has reshaped the way we interact with the world and access information
with the advent of smartphones. Accordingly, the needs we have and the solutions for our
needs have also changed along with the evolving technology. One of the matters most affected
by technology is communication. With the various options and capabilities,
instant messaging applications have started to be used for communication,
which is one of the biggest human needs. We can send text messages, video
messages, voice recordings and share locations using these applications. Even further,
we no longer need cell phone calls by GSM operators, and instead prefer these
applications for instant calls, as well as for sharing private information,
not only in personal daily life but also for business needs. On the other hand,
these applications bring risks along with their many benefits. One of them is privacy. We do not want
these applications to store our personal data as their users. How do our best practices
keep our data? Do they give the necessary attention for privacy? Another fact is that these
applications can be used by criminals to communicate and execute a secret plan. If a
criminal gets caught, what can be obtained as evidence from these messaging
applications? This time we need to know what can be extracted from the mobile device.
This research focuses on forensics analysis of the instant messaging applications on the
Android platform
Proposed Workable Process Flow with Analysis Framework for Android Forensics ...theijes
Nowadays, Android smartphones are becoming more popular and are the greatest platform for mobile devices, with the capability to run millions of mobile phones in more than 200 countries. They may bring not only convenience for people but also crimes or security issues. Some people commit crimes by using the technology and mobile devices. So, Android forensics is very important and necessary in cyber-crime investigation. Without doubt, this proposed process flow and framework will support Android forensics in developing countries’ cyber-crime investigation, because it provides applicable guidelines for solving crimes and includes Open Source Tools, Linux command-line utility, Android Debug Bridge (ADB) commands, Freeware tools and Proposed tools. Although the forensics tools in this framework are non-commercial, they can cover and support the Android forensics process.
1. Mobile Device Forensics
Sean Houston Rickard
University of North Carolina at Charlotte
ITIS 5250-001
Computer Forensics
Table of Contents
Abstract
Chapter 1: Introduction
  The Purpose
Chapter 2: Mobile Device Technology
  Current Technology
  Figure 1: Hardware Characterization
  Figure 2: Android and iOS comparison
Chapter 3: Mobile Device Forensics
  Computer Forensic Tool Testing
    Requirements for Core Features
    Requirements for Optional Features
Chapter 4: Comparison of UFED 4PC Ultimate and Lantern 4
  Cellebrite UFED 4PC
  Figure 3: UFED 4PC User Interface
  Lantern 4
  Figure 5: Lantern 4 User Interface
Chapter 5: Conclusion
References
Definition of Terms
Abstract
As with any business or organization, law enforcement agencies work on a limited budget
which must be spread between multiple departments and priorities. With a limited budget,
agencies are limited as to what software and tools they may purchase and often must weigh the
capabilities of a specific tool versus the cost. This research paper will attempt to look at the
capabilities of mobile forensic software and compare them to the overall cost to determine which
software is better. With the ever-increasing availability and rapid evolution of mobile devices,
there are a number of mobile device forensic software tools on the market today. This research paper
will provide a simplistic look at mobile device technology, types of forensic analysis to be
performed on mobile devices, and lastly compare two mobile forensic software tools.
Chapter 1: Introduction
In today’s society, mobile devices have become a major part of everyday life.
Approximately “90% of American adults have a cell phone, 58% of American adults have a
smartphone, 32% of American adults have an e-reader, and 42% of American adults have a
tablet computer” (Pew Research Center, 2014). On almost a daily basis we see technology
evolve and more mobile devices become available to the public. With increases in technology
also came crime. Mobile devices can be used in a number of different ways to facilitate and
commit crime. While there is no real way to track the number of crimes involving mobile
devices, in my experience, I believe it can easily be said that well over 80% of crime involves
some use of a mobile device. With mobile devices being utilized in some fashion during a large
portion of criminal activity, there is a lot of evidence which can be obtained and utilized for a
criminal investigation. The need to obtain this evidence has led many organizations to develop
software which is available for purchase. Today there is a wide variety of mobile device software
available, each providing its own specific platform, capabilities, and cost. Law enforcement
agencies across the US are limited due to budget constraints. In 2007, the average annual
operating budget per agency for all sheriff’s offices in the US was $9,962,000 (Sheriffs' Office,
2007 - Statistical Tables, 2012). Each agency must prioritize its budget, leaving little of its
operating budget to expand into new tools and software. As law enforcement agencies modernize and
expand to combat crime utilizing technology, inevitably they are faced with the decision of what tool
or software to purchase given the budget and the tool or software’s capabilities. The Cabarrus
County Sheriff’s Office is currently operating Cellebrite UFED 4PC Ultimate and Lantern 4 for
mobile device forensics.
The Purpose
The purpose of this study is to determine which software provides the best capabilities for
the cost to Cabarrus County Sheriff’s Office. It is my hypothesis that, due to each software’s own
capabilities and cost to the agency, neither is ultimately better than the other, but each provides for
specific needs in specific situations. The only limitation I had for this research was access to the
forensic software. Due to time constraints, schedules, and available forensic tools my access was
limited to two (2) forensic tools over a period of 2 days. This research paper will provide a
simplistic look at mobile device technology, types of forensic analysis to be performed on
mobile devices, and lastly compare Cellebrite UFED 4PC Ultimate and Lantern 4.
Chapter 2: Mobile Device Technology
While there are many different mobile devices on the market (cell phones, smartphones,
tablet computers, e-readers, mp3 players, etc.), the most common and the first was the cell
phone. Cell phones evolved from radio technology which was developed in the early 1900s. The
first documented wireless telephone use was in 1946 by the Swedish Police (Tech-FAQ, n.d.). In
1947, Bell Laboratory proposed the idea of hexagonal cells for modern phones and in 1970 the
call handoff system was developed. With the assistance of AT&T the FCC approved and
allocated the frequencies of the 824-894 MHz band to Advanced Mobile Phone Service (AMPS)
(Tech-FAQ, n.d.). According to Tech-FAQ (n.d.), in 1983 Motorola unveiled the first truly
portable cellular phone, the DynaTAC 8000X. Since then cell phone technology has grown by
leaps and bounds. Today cell phones have advanced from being a simple radio to essentially a
small computer with a radio.
Current Technology
Devices today, while very different in function, capabilities, and appearance are
composed of the same components: a microprocessor, read only memory (ROM), random access
memory (RAM), a radio module, a digital signal processor, a microphone and speaker, a variety
of hardware keys and interfaces, and a liquid crystal display (LCD). Cell phones can also support
external memory through Secure Digital (SD) memory, and other wireless communication such
as infrared, Bluetooth, Near Field Communication (NFC), and WiFi. Depending on the capabilities of
a phone, it can be classified as either a feature phone or a smartphone. Feature phones are cell
phones that perform minimal tasks and do not have the features of a smartphone. The Guidelines
on Mobile Device Forensics (Ayers, Brothers, & Jansen, 2014) presented the following table to
demonstrate hardware characterization between feature phones and smartphones:
Figure 1: Hardware Characterization
Mobile device memory, like that of any other computer, contains both non-volatile and volatile memory.
Non-volatile memory, as the name suggests, does not change when the device loses power and is not
overwritten during reboot. Volatile memory, or Random Access Memory (RAM), on the other
hand is lost when the power is drained from the phone, making it difficult to accurately capture.
Mobile device memory has evolved with technology. According to Guidelines on Mobile Device
Forensics (Ayers, Brothers, & Jansen, 2014):
Feature phones were among the first types of devices that contained NOR flash and RAM
memory. System and user data are stored in NOR and copied to RAM upon booting for faster
code execution and access. This is known as the first generation of mobile device memory
configuration. As smartphones were introduced, memory configurations evolved, adding NAND
flash memory. This arrangement of NOR, NAND and RAM memory is referred to as the second
generation. This generation of memory configurations stores system files in NOR flash, user files
in NAND and RAM is used for code execution. The latest smartphones contain only NAND and
RAM memory (i.e., third generation), due to requirements for higher transaction speed, greater
storage density and lower cost. To facilitate the lack of space on mobile device mainboards and
the demand for higher density storage space (i.e., 2GB – 128GB) the new Embedded MultiMedia
Cards (eMMC) style chips are present in many of today’s smartphones. NOR flash memory
includes system data such as: operating system code, the kernel, device drivers, system libraries,
memory for executing operating system applications and the storage of user application
execution instructions. NOR flash will be the best location for data collection for first generation
memory configuration devices. NAND flash memory contains: PIM data, graphics, audio, video,
and other user files. This type of memory generally provides the examiner with the most useful
information in most cases. (p. 6)
Phones may also contain a Subscriber Identity Module (SIM) card. The SIM card’s
purpose is to authenticate the mobile phone device to a given network. The SIM card is a smart
card that contains a processor and persistent electronically erasable, programmable read only
memory (EEPROM). The EEPROM contains RAM for program execution and ROM containing
the operating system, user authentication and data encryption algorithms. Personal information,
phonebook entries, text messages, the last numbers dialed, and service information may also be
in the EEPROM (Ayers, Brothers, & Jansen, 2014). Another major part of a phone that needs to
be considered is the operating system. There have been many different operating systems through
the years, such as Blackberry, Windows CE, Symbian, Android, and Apple iOS. In recent years
the leading operating systems have been Android and Apple iOS. According to IDC Corporate
USA (n.d.): Android shipments lead the global smartphone market, with 283 million units
shipped and over 84% of the market share in the third quarter of 2014 and iOS continues to drop
in market share, down to just 11.7% from 12.8% in the same quarter last year, representing the
growing shift of demand toward low-cost smartphones. The Android and iOS operating systems
provide a wide variety of capabilities. Below is a graph I located on Diffen (n.d.) which
compares Android and iOS:
Figure 2: Android and iOS comparison
The last major part of a phone is its ability to download and install applications (apps). The Android
and iOS operating systems both have this capability, with millions of apps available to each. Apps
can be made by anyone with the right knowledge and can be made to perform any number of
tasks, such as playing a game, messaging, phone calls, internet browsing, etc. The possibilities for
apps are endless. When an app is downloaded and installed on a mobile device it creates a folder
to contain information from that app. All the data saved on the phone is accessible through
mobile device forensics depending on the type of analysis which is completed.
Chapter 3: Mobile Device Forensics
According to Ayers, Brothers, and Jansen (2014), “Mobile device forensics is the science of
recovering digital evidence from a mobile device under forensically sound conditions using
accepted methods.” A forensic analysis of a mobile device can be conducted by hand
or through the use of one of the many software tools available. The job of a forensic tool is to acquire
data from the internal memory and SIM card without altering their content. To begin an analysis
of a mobile device you must first determine what type of analysis you want to complete. There
are 5 types of mobile device analysis: manual extraction, logical extraction, hex dumping/JTAG,
chip-off, and micro read (Ayers, Brothers, & Jansen, 2014). Predominantly, only manual
extraction, logical extraction, and hex dumping/JTAG are performed by law enforcement forensic
examiners. Chip-off and micro read examinations are intensely involved and require a great deal
of knowledge, training, and specialized equipment to perform. The following excerpt is from the
Guidelines on Mobile Device Forensics (Ayers, Brothers, & Jansen, 2014), which gives a
detailed description of each:
Manual Extraction – A manual extraction method involves viewing the data content
stored on a mobile device. The content displayed on the LCD screen requires the manual
manipulation of the buttons, keyboard or touchscreen to view the contents of the mobile
device. Information discovered may be recorded using an external digital camera. At this
level, it is impossible to recover deleted information. Some tools have been developed to
provide the forensic examiner with the ability to document and categorize the information
recorded more quickly. Nevertheless, if there is a large amount of data to be captured, a
manual extraction can be very time consuming and the data on the device may be
inadvertently modified, deleted or overwritten as a result of the examination. Manual
extractions become increasingly difficult and perhaps unachievable when encountering a
broken/missing LCD screen or a damaged/missing keyboard interface. Additional
challenges occur when the device is configured to display a language unknown to the
investigator; this may cause difficulty in successful menu navigation.
Logical Extraction – Connectivity between a mobile device and the forensics workstation
is achieved with a connection using either a wired (e.g., USB or RS-232) or wireless
(e.g., IrDA, WiFi, or Bluetooth) connection. The examiner should be aware of the issues
associated when selecting a specific connectivity method, as different connection types
and associated protocols may result in data being modified (e.g., unread SMS) or
different amounts or types of data being extracted. Logical extraction tools begin by
sending a series of commands over the established interface from the computer to the
mobile device. The mobile device responds based upon the command request. The
response (mobile device data) is sent back to the workstation and presented to the
forensics examiner for reporting purposes.
Hex Dumping and JTAG – Hex Dumping and Joint Test Action Group (JTAG)
extraction methods afford the forensic examiner more direct access to the raw
information stored in flash memory. One challenge with
these extraction methods is the ability of a given tool to parse and decode the captured
data. Providing the forensic examiner with a logical view of the file system, and reporting
on other data remnants outside the file system that may be present are challenging. For
example, all data contained within a given flash memory chip may not be acquired, as
many tools, such as flasher boxes, may only be able to extract specific sections of
memory [Bre07]. Methods used at this level require connectivity (e.g., cable or WiFi)
between the mobile device and the forensic workstation. Hex Dumping – this technique is
the more commonly used method by tools at this level. This involves uploading a
modified boot loader (or other software) into a protected area of memory (e.g., RAM) on
the device. This upload process is accomplished by connecting the mobile device’s data
port to a flasher box and the flasher box is in turn connected to the forensic workstation.
A series of commands is sent from the flasher box to the mobile device to place it in a
diagnostic mode. Once in diagnostic mode, the flasher box captures all (or sections) of
flash memory and sends it to the forensic workstation over the same communications link
used for the upload. Some flasher boxes work this way or they may use a proprietary
interface for memory extractions. Rare cases exist where extractions can be accomplished
using WiFi (i.e., early Jonathan Zdziarski (JZ) Methods) [Zdz12].
JTAG – Many manufacturers support the JTAG standard, which defines a common test
interface for processor, memory, and other semiconductor chips. Forensic examiners can
communicate with a JTAG-compliant component by utilizing special purpose standalone
programmer devices to probe defined test points [Wil05]. The JTAG testing unit can be
used to request memory addresses from the JTAG-compliant component and accept the
response for storage and rendition [Bre06]. JTAG gives specialists another avenue for
imaging devices that are locked or devices that may have minor damage and cannot be
properly interfaced otherwise. This method involves attaching a cable (or wiring harness)
from a workstation to the mobile device’s JTAG interface and access memory via the
device’s microprocessor to produce an image [Bre07]. JTAG extractions differ mainly
from Hex Dumping in that it is invasive as access to the connections frequently require
that the examiner dismantle some (or most) of a mobile device to obtain access to
establish the wiring connections.
o Flasher boxes are small devices originally designed with the intent to service or
upgrade mobile devices. Physical acquisitions frequently require the use of a
flasher box to facilitate the extraction of data from a mobile device. The flasher
box aides the examiner by communicating with the mobile device using
diagnostic protocols to communicate with the memory chip. This communication
may utilize the mobile device’s operating system or may bypass it altogether and
communicate directly to the chip [Jon10]. Flasher boxes are often accompanied
by software to facilitate the data extraction process working in conjunction with
the hardware. Many flasher box software packages provide the added
functionality of recovering passwords from mobile device memory as well in
some configurations. (p.17-18)
In most situations, the type of investigation, the type of phone, and the type of tool available
determine what type of analysis is completed. Ultimately, what information is the investigator
looking to gain from the analysis, and which acquisition method would obtain that information?
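The excerpt above notes that the hard part of a hex dump or JTAG image is parsing and decoding the raw bytes. As an added illustration (not code from this paper, NIST, or any forensic product), the following Python sketch carves SQLite databases, a common container for app data, out of a raw image by validating the file header and using its page size and page count to size the carve. The image is constructed inline, and the sketch assumes each database is stored contiguously, which real flash file systems do not guarantee.

```python
import os
import sqlite3
import struct
import tempfile
from pathlib import Path

MAGIC = b"SQLite format 3\x00"   # 16-byte signature that starts every SQLite 3 file
HEADER_LEN = 100                  # fixed size of the database header


def parse_header(image, off):
    """Return (page_size, page_count) for a plausible SQLite header at off, else None."""
    hdr = image[off:off + HEADER_LEN]
    if len(hdr) < HEADER_LEN or not hdr.startswith(MAGIC):
        return None
    page_size = struct.unpack(">H", hdr[16:18])[0]
    page_size = 65536 if page_size == 1 else page_size
    if page_size < 512 or page_size & (page_size - 1):
        return None               # page size must be a power of two, 512..65536
    if hdr[21:24] != bytes([64, 32, 32]):
        return None               # payload fractions are fixed constants in the format
    change_counter, page_count = struct.unpack(">II", hdr[24:32])
    version_valid_for = struct.unpack(">I", hdr[92:96])[0]
    if page_count == 0 or change_counter != version_valid_for:
        return None               # in-header size is stale, so the carve cannot be sized
    return page_size, page_count


def carve(image):
    """Find every contiguous SQLite database in a raw image."""
    hits, pos = [], image.find(MAGIC)
    while pos != -1:
        parsed = parse_header(image, pos)
        if parsed:
            size = parsed[0] * parsed[1]
            hits.append({"offset": pos, "size": size,
                         "truncated": pos + size > len(image),
                         "data": image[pos:pos + size]})
        pos = image.find(MAGIC, pos + 1)
    return hits


def read_rows(db_bytes, query):
    """Write carved bytes to a scratch file, open it read-only and run one query."""
    fd, path = tempfile.mkstemp(suffix=".db")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(db_bytes)
        con = sqlite3.connect(Path(path).as_uri() + "?mode=ro", uri=True)
        try:
            return con.execute(query).fetchall()
        finally:
            con.close()
    finally:
        os.remove(path)


def build_sample_image():
    """Constructed stand-in for a dump: filler, a decoy signature, then a real database."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        con = sqlite3.connect(path)
        con.execute("CREATE TABLE sms (address TEXT, body TEXT, read INTEGER)")
        con.executemany("INSERT INTO sms VALUES (?, ?, ?)",
                        [("+15550100", "constructed message one", 1),
                         ("+15550101", "constructed message two", 0)])
        con.commit()
        con.close()
        with open(path, "rb") as fh:
            db = fh.read()
    finally:
        os.remove(path)
    decoy = MAGIC + b"\xff" * 200          # signature followed by an implausible header
    return b"\xff" * 3000 + decoy + b"\x00" * 777 + db + b"\xff" * 512


if __name__ == "__main__":
    for hit in carve(build_sample_image()):
        print(hit["offset"], hit["size"], hit["truncated"])
        print(read_rows(hit["data"], "SELECT address, body, read FROM sms"))
```

The decoy shows why a signature match alone is not enough: only the candidate whose header fields are internally consistent is carved and opened.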
Computer Forensic Tool Testing
In order to maintain reliability and consistency among mobile device forensic tools the
National Institute of Standards and Technology’s (NIST) Computer Forensic Tool Testing
(CFTT) program routinely tests new computer forensic software tools. The CFTT program has
developed six (6) core feature requirements and fifteen (15) optional feature requirements against which
it then tests each new software tool. The Smart Phone Tool Specification (National Institute
of Standards and Technology, 2010) lists the requirements as follows:
Requirements for Core Features
1. A cellular forensic tool shall have the ability to recognize supported devices via the
vendor-supported interfaces (e.g., cable, Bluetooth, Infrared)
2. A cellular forensic tool shall have the ability to identify non-supported devices
3. A cellular forensic tool shall have the ability to notify the user of connectivity errors
between the device and application during acquisition.
4. A cellular forensic tool shall have the ability to provide the user with either a preview
pane or generated report view of data acquired.
5. A cellular forensic tool shall have the ability to logically acquire all application supported
data objects present in internal memory.
6. A cellular forensic tool shall have the ability to logically acquire supported data objects
without changing the data objects present on the device.
Requirements for Optional Features
1. A cellular forensic tool shall have the ability to recognize supported SIMs via the vendor
supported interface (e.g., PC/SC reader, proprietary reader, internal).
2. A cellular forensic tool shall have the ability to identify non-supported SIMs.
3. A cellular forensic tool shall have the ability to notify the user of connectivity errors
between the SIM reader and application during acquisition.
4. A cellular forensic tool shall have the ability to acquire all application-supported data
objects present in the SIM memory.
5. A cellular forensic tool shall have the ability to provide a presentation of acquired data in
a human-readable format via a generated report.
6. A cellular forensic tool shall have the ability to provide a presentation of acquired data in
a human-readable format via a preview pane view.
7. A cellular forensic tool shall have the ability to provide the user with the opportunity to
unlock a password protected SIM before external reader SIM acquisition.
8. A cellular forensic tool shall have the ability to protect previously acquired data objects
within a saved case file from modification.
9. A cellular forensic tool shall have the ability to perform a physical acquisition of the
device’s internal memory for supported devices.
10. A cellular forensic tool shall have the ability to present data objects containing non-
ASCII characters acquired from the internal memory of the device or SIM via the
selected interface (i.e., preview pane, generated report). Non-ASCII characters shall be
printed in their native representation.
11. A cellular forensic tool shall have the ability to present the remaining number of
CHV1/CHV2 PIN unlock attempts.
12. A cellular forensic tool shall have the ability to present the remaining number of PUK
unlock attempts.
13. A cellular forensic tool shall have the ability to acquire internal memory data without
14. A cellular forensic tool shall have the ability to compute a hash for individual data
objects.
15. A cellular forensic tool shall have the ability to acquire GPS related data present in the
internal memory. (p.6-8)
The results of each test completed by CFTT on a mobile device forensic software tool are then
added to their website database (http://www.cftt.nist.gov/mobile_devices.htm) for review. This
information is very important to law enforcement agencies because it very quickly shows
the capabilities and limitations of the software.
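Core requirement 6 (acquire without changing data objects) and optional requirement 14 (hash individual data objects) can be checked together by hashing every object from two successive acquisitions of the same device. The Python sketch below is an added example, not CFTT's test procedure or any tool's code. The record layout is constructed for illustration, and the changed field mirrors the unread-SMS caution in the logical extraction excerpt.

```python
import copy
import hashlib
import json


def object_hash(obj):
    """SHA-256 of one data object in canonical form (sorted keys, UTF-8, no padding)."""
    canon = json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def object_key(obj):
    """Stable identifier for a data object: its type plus its record id."""
    return f"{obj['type']}:{obj['id']}"


def manifest(acquisition):
    """Map every data object's key to its hash."""
    return {object_key(o): object_hash(o) for o in acquisition}


def seal(man):
    """One digest over the whole manifest; kept apart from the case file, it exposes later edits."""
    lines = "".join(f"{key} {man[key]}\n" for key in sorted(man))
    return hashlib.sha256(lines.encode("utf-8")).hexdigest()


def compare(first, second):
    """Report which objects were modified, went missing or appeared between acquisitions."""
    a, b = manifest(first), manifest(second)
    return {
        "modified": sorted(k for k in a.keys() & b.keys() if a[k] != b[k]),
        "missing": sorted(a.keys() - b.keys()),
        "added": sorted(b.keys() - a.keys()),
    }


def changed_fields(first, second, key):
    """Name the fields that differ for one object present in both acquisitions."""
    old = {object_key(o): o for o in first}[key]
    new = {object_key(o): o for o in second}[key]
    return {f: (old.get(f), new.get(f))
            for f in sorted(old.keys() | new.keys()) if old.get(f) != new.get(f)}


# Constructed sample: first acquisition of a test handset (hypothetical record layout).
FIRST = [
    {"type": "contact", "id": 1, "name": "Zoë Müller", "number": "+15550100"},
    {"type": "sms", "id": 1, "address": "+15550100", "body": "constructed message", "read": True},
    {"type": "sms", "id": 2, "address": "+15550101", "body": "second constructed message", "read": False},
    {"type": "call", "id": 1, "number": "+15550100", "duration_s": 42},
]

# Constructed sample: second acquisition, where the tool's own access marked SMS 2 as read.
SECOND = copy.deepcopy(FIRST)
SECOND[2]["read"] = True
# Field order differs here, which the canonical form must ignore.
SECOND[0] = {"number": "+15550100", "name": "Zoë Müller", "id": 1, "type": "contact"}

if __name__ == "__main__":
    print(compare(FIRST, SECOND))
    print(changed_fields(FIRST, SECOND, "sms:2"))
    print(seal(manifest(FIRST)) == seal(manifest(SECOND)))
```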
Chapter 4: Comparison of UFED 4PC Ultimate and Lantern 4
As stated earlier, the Cabarrus County Sheriff’s Office currently utilizes both UFED
4PC by Cellebrite and Lantern 4 by Katana. Detective Brian Schmitt is the primary computer and
mobile device forensic examiner for the department. In an interview on November 26, 2014,
Det. Schmitt stated, “I utilized both software on a regular basis and choose which software to use
depending on the type of phone I am going to examine. Both software are similar in what they will
recover; however, each has its own pros and cons. Cellebrite is limited to only the devices it
says it can run whereas Lantern will run almost any Android device and all iOS devices.
Although Lantern may run a device that Cellebrite will not, sometimes the information that
Lantern does recover is limited. Cellebrite says it is the leader in iOS forensics; however,
Lantern will run way more because it is run and developed specifically for iOS devices.” Det.
Schmitt went on to show me a specific phone which he examined in Lantern that would not work
on Cellebrite. The analysis in Lantern only showed what type of phone it was and no other
information. Det. Schmitt went on to say, “I don’t particularly favor one software over the other,
it ultimately depends on the device I need to examine. I often run a device through both software
just to make sure I don’t miss something.”
Comparing the capabilities of both software and the cost will better help determine which
software is more cost effective. Since my time with both systems was limited, the comparison of
both software will be completed through the use of both software user manuals and CFTT
testing.
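Running one device through two tools, as described in the interview above, only helps if the two result sets can be lined up. The Python sketch below is an added example and is not taken from the paper or from either vendor. It normalizes message records from two export layouts and reports agreements, conflicts, and records only one tool recovered. Both layouts ("tool A" and "tool B") and all rows are constructed and are not the real UFED or Lantern export formats. Phone numbers are assumed to be North American and are matched on their last ten digits.

```python
from datetime import datetime, timedelta, timezone

# Epoch used by Apple platforms for absolute timestamps (seconds since 2001-01-01 UTC).
MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def norm_number(raw):
    """Strip formatting and keep the last 10 digits (assumption: NANP numbers)."""
    digits = "".join(c for c in raw if c.isdigit())
    return digits[-10:]


def from_tool_a(row):
    """Hypothetical layout A: ISO 8601 local time with offset, textual direction."""
    when = datetime.fromisoformat(row["Timestamp"]).astimezone(timezone.utc)
    direction = "in" if row["Direction"] == "Incoming" else "out"
    return (norm_number(row["Party"]), direction, when.isoformat()), row["Body"]


def from_tool_b(row):
    """Hypothetical layout B: seconds since 2001-01-01 UTC, 0/1 sender flag."""
    when = MAC_EPOCH + timedelta(seconds=row["date"])
    direction = "out" if row["is_from_me"] else "in"
    return (norm_number(row["address"]), direction, when.isoformat()), row["text"]


def cross_check(rows_a, rows_b):
    """Compare the two tools' messages on (number, direction, UTC time)."""
    a = dict(from_tool_a(r) for r in rows_a)
    b = dict(from_tool_b(r) for r in rows_b)
    shared = a.keys() & b.keys()
    return {
        "agree": sorted(k for k in shared if a[k] == b[k]),
        "conflict": sorted((k, a[k], b[k]) for k in shared if a[k] != b[k]),
        "only_a": sorted(a.keys() - b.keys()),
        "only_b": sorted(b.keys() - a.keys()),
    }


# Constructed sample exports for the same handset.
TOOL_A_ROWS = [
    {"Party": "+1 (704) 555-0123", "Direction": "Incoming",
     "Timestamp": "2014-11-20T14:03:11-05:00", "Body": "meet at 5"},
    {"Party": "+1 (704) 555-0123", "Direction": "Outgoing",
     "Timestamp": "2014-11-20T14:05:40-05:00", "Body": "ok"},
    {"Party": "+1 (704) 555-0123", "Direction": "Incoming",
     "Timestamp": "2014-11-20T14:10:00-05:00", "Body": "caf? at noon"},   # mis-decoded text
    {"Party": "+1 (704) 555-0123", "Direction": "Incoming",
     "Timestamp": "2014-11-19T09:00:00-05:00", "Body": "call me"},        # only tool A found it
]
TOOL_B_ROWS = [
    {"address": "7045550123", "is_from_me": 0, "date": 438202991, "text": "meet at 5"},
    {"address": "7045550123", "is_from_me": 1, "date": 438203140, "text": "ok"},
    {"address": "7045550123", "is_from_me": 0, "date": 438203400, "text": "café at noon"},
    {"address": "7045550123", "is_from_me": 0, "date": 438210000, "text": "running late"},
]

if __name__ == "__main__":
    for bucket, items in cross_check(TOOL_A_ROWS, TOOL_B_ROWS).items():
        print(bucket, items)
```

A conflict on the same key, as with the mis-decoded accented character here, points to a parsing difference between the tools and not to a missing record.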
Cellebrite UFED 4PC
The following information was obtained from UFED Physical Analyzer – User Manual
(Cellebrite Ltd., 2014)
Operating System – Microsoft Windows XP with SP3or later
Computer Memory (RAM) required for installation
o 32 bit OS – 4GB
o 64 Bit – OS 8GB
Number of supported mobile devices
o Android Based devices – 1889
o iOS devices– 67
o Total Number of devices – 10,538
UFED Ultimate is made up of three components:
o The UFED unit enables logical, password, SIM, file system, and physical
extractions from mobile devices, which can then be saved to a USB flash drive,
SD memory card, or directly to your PC.
o UFED Physical Analyzer application provides an in-depth view of the device's
memory using advanced decoding, analysis, and reports. UFED Physical
Analyzer can decode all types of extractions created by the UFED Classic unit.
o Phone Detective application helps investigators quickly identify a mobile phone
by its physical attributes, eliminating the need to start the device and the risk of
device lock.
UFED Physical Analyzer has the following key features:
20. Mobile Device Forensics 20
o Decoding of the extraction with a layered view of memory content
Provides a detailed view of the Hex file
Reconstructs the device file system
Decode various Analyzed data types such as: Contact lists, SMS
messages, call logs, device information (IMSI, ICCID, user codes),
application information, and more
Provides a view of data files images, videos, databases, and so on
Provides access to both current and deleted data
Reveals device passwords (when applicable)
o Powerful extraction for iOS and GPS devices
o Provides intuitive and user friendly UI for browsing the extracted information
o Powerful analysis and search tools
Instant search for all project content
Advanced search based on multiple parameters
Instant search for data tables content
Watch list for highlighting information based on a predefined list of values
Time line for viewing all the events performed via the mobile device in a
single chronological view
Project analytics providing comprehensive activity analysis
Malware scanner to identify malware in the device
Ability to search the Hex by various parameters such as strings, bytes,
numbers, dates
21. Mobile Device Forensics 21
    - Ability to use regular expression search (RegEx) to look for specific data strings
    - Ability to bookmark memory locations for indexing of key areas for later review
    - Ability to use Python shell commands for data analysis
o Plug-ins
    - Manage installed plug-ins
    - Write your own plug-ins using Python scripting language
o Reports:
    - Generate reports in various formats
    - Report customizing and personalizing (logo, header, etc.)
This is an example of the user interface for UFED 4PC
Figure 3. UFED 4PC User Interface
A review of the UFED v3.9.6.7 Test Report (National Institute of Standards and Technology,
2014) showed that, in an examination of a variety of Android and iOS devices, the UFED Physical
Analyzer performed better with Android-based devices.
Lantern 4
The following information was obtained from Lantern 4 Manual (Katana Forensics, Inc, 2014).
o Operating System – Mac OS X 10.7 or higher
o Computer Memory (RAM) required for installation – 4 GB
Supported mobile devices
Figure 4. Lantern 4 Supported Devices
Here are some of the capabilities you will find in Lantern 4.0.
o Link Analysis between devices
o Recovery from Android Devices
o Recover Deleted SMS
o Read Gmail & Yahoo E-mail
o Parse Skype Calls & Messages
o Parse Facebook Data
o Cellular Sites & WiFi Location Geo Data
o WiFi Connections History
o Improved Internet History
o Geo Locate Videos & Photos
o Application Usage Data
o Analysis from .dd Images & Backups
o Data Carving Images & Videos
o Timeline Analysis
o Bookmarking
o View Data while Processing Acquisition
o Physical Image E-mail Analysis
o Document Analysis
o Additional Geo Location data from physical images
o Arbitrary Analysis
o File system dump analysis from other applications
o Decryption and analysis from other providers
o Mac OS X Analysis
o Support for the Newest Skype SQLite Format
o SMS, MMS, and iMessage for iOS 6
o WhatsApp analysis
o Bookmarks and notation
This is an example of the user interface of Lantern 4
Figure 5. Lantern 4 User Interface
No examination has been completed of Lantern 4 by the National Institute of Standards and
Technology.
During the interview on November 26, 2014 with Det. Schmitt he stated, “As for cost,
Cellebrite is by far the most expensive costing approximately $8000, 3 years ago to purchase the
product and approximately $3000 in annual maintenance. We just purchased the UFED 4PC
license this year which was originally $10,000 but was negotiated down to $4000 after trading in
the old unit. As for Lantern, it was approximately $900 to purchase the product and $300 in
annual maintenance. Both software benefit this department equally and we will continue to use
both.” During the short opportunity I had to interact with both UFED 4PC and Lantern 4, I
personally favored the UFED 4PC, which I felt had a better user interface. To that end, I have an
extensive amount of experience with Microsoft-based operating systems over iOS, which I feel
affected my preference. Considering the Cabarrus County Sheriff’s Office worked on a
$2,282,640 operations budget for fiscal year 2014 (Cabarrus County, 2014), an expense of
$10,000 for the UFED 4PC license and a $3000 maintenance cost was a major one compared to
only $300 maintenance cost for Lantern. When comparing the overall cost and annual
maintenance to capabilities, it is easy to see that Lantern 4 is the better product for the cost.
Chapter 5: Conclusion
It is imperative for law enforcement agencies across the US to invest in some form of mobile
device forensic software to keep up to speed with the evolution of crime. Due to many
budget constraints, it is just as imperative to utilize the most cost-effective software that
provides the most capabilities. The purpose of this study was to determine which software
provides the best capabilities for the cost to Cabarrus County Sheriff’s Office. The only
limitation I had for this research was access to the software. Due to time constraints, schedules,
and available forensic tools, my access was limited to two (2) forensic tools over a period of 2
days. My original assumption was that, due to each software’s own capabilities and cost to the
agency, neither is ultimately better than the other, but each meets specific needs in specific situations.
After reviewing both UFED 4PC and Lantern 4, I found that Lantern 4 was the most cost-
effective forensic tool. UFED 4PC and Lantern 4 both provide similar capabilities, just in
different formats. Each software has its own pros and cons, which make each better and
worse than the other, but the cost of each makes it immediately clear which is more cost effective.
References
Ayers, R., Brothers, S., & Jansen, W. (2014). NIST Special Publication 800-101, Revision 1: Guidelines on
Mobile Device Forensics. National Institute of Standards and Technology.
Breeuwsma, M. (2006). Forensic Imaging of Embedded Systems using JTAG (boundary-scan). Digital
Investigations, Volume 3, Issue 1, 32-42.
Breeuwsma, M., Jongh, M. d., Klaver, C., Knijff, R. v., & Roeloffs, M. (2007). Forensic Data Recovery from
Flash Memory. Small Scale Digital Device Forensics Journal Vol. 1, No. 1.
Cabarrus County. (2014). Public Safety Budget. Retrieved from Cabarrus County:
https://www.cabarruscounty.us/government/departments/finance/budget/Budget/finance_budget_public_safety_2015.pdf
Cellebrite Ltd. (2014, September). UFED Physical Analyzer - User Manual. Cellebrite Ltd.
Diffen. (n.d.). Android Vs iOS. Retrieved from Diffen: http://www.diffen.com/difference/Android_vs_iOS
IDC Corporate USA. (n.d.). Smartphone OS Market Share, Q3 2014. Retrieved from IDC:
http://www.idc.com/prodserv/smartphone-os-market-share.jsp
Jonkers, K. (2010). The forensic use of mobile phone flasher boxes 5. Digital Investigation 6, 168-178.
Katana Forensics, Inc. (2014). Lantern 4 Installation and Operation Manual. Washington, DC: Katana
Forensics, Inc.
National Institute of Standards and Technology. (2010). Smart Phone Tool Specification. Washington, DC:
National Institute of Standards and Technology. Retrieved from
http://www.cftt.nist.gov/documents/Smart_Phone_Tool_Specification.pdf
National Institute of Standards and Technology. (2014). Test Results for Mobile Device Acquisition Tool:
UFED Physical Analyzer v3.9.6.7. NIST.
Pew Research Center. (2014, January). Mobile Technology Fact Sheet. Retrieved from Pew Research
Internet Project: http://www.pewinternet.org/fact-sheets/mobile-technology-fact-sheet/
Schmitt, B. (2014, November 26). Detective. (S. H. Rickard, Interviewer)
Sheriffs' Office, 2007 - Statistical Tables. (2012, December). Retrieved from Bureau of Justice Statistics:
http://www.bjs.gov/content/pub/pdf/so07st.pdf
Tech-FAQ. (n.d.). The History of Cell Phones. Retrieved from Tech-FAQ:
http://www.tech-faq.com/history-of-cell-phones.html
Willassen, S. (2005). Forensic Analysis of Mobile Phone Internal Memory. Advances in Digital Forensics,
Vol. 194, (p. International Conference on Digital Forensics). 2006.
Zdziarski, J. (2012). iOS Forensic Investigative Methods. Retrieved from zdziarski:
http://www.zdziarski.com/blog/wp-content/uploads/2013/05/iOS-ForensicInvestigative-Methods.pdf
Definition of Terms
AMPS – Advanced Mobile Phone Service
ASCII – American Standard Code for Information Interchange
CFTT – Computer Forensic Tool Testing
CHV1 – Card Holder Verification 1
CHV2 – Card Holder Verification 2
EEPROM – Electronically Erasable Programmable Read Only Memory
FCC – Federal Communications Commission
GPS – Global Positioning Satellite
ICCID – Integrated Circuit Card ID
IMSI – International Mobile Subscriber Identity
IrDA – Infrared Data Association
JTAG – Joint Test Action Group
LCD – liquid crystal display
MHz – megahertz
NAND – Non-volatile storage technology that does not require power to retain data
NFC – Near Field Connection
NIST – National Institute of Standards and Technology
NOR – Non-volatile storage technology that does not require power to retain data
PIN – Personal Identity Number
PUK – PIN Unlock Key
RAM – Random Access Memory
ROM – Read Only Memory
SD – Secure Digital
SIM – Subscriber Identity Module
USB – Universal Serial Bus
WIFI – Local area wireless technology