Mobile Device Forensics
Sean Houston Rickard
University of North Carolina at Charlotte
ITIS 5250-001
Computer Forensics
Table of Contents
Abstract
Chapter 1: Introduction
The Purpose
Chapter 2: Mobile Device Technology
Current Technology
Figure 1: Hardware Characterization
Figure 2: Android and iOS comparison
Chapter 3: Mobile Device Forensics
Computer Forensic Tool Testing
Requirements for Core Features
Requirements for Optional Features
Chapter 4: Comparison of UFED 4PC Ultimate and Lantern 4
Cellebrite UFED 4PC
Figure 3: UFED 4PC User Interface
Lantern 4
Figure 5: Lantern 4 User Interface
Chapter 5: Conclusion
References
Definition of Terms
Abstract
As with any business or organization, law enforcement agencies work on a limited budget
which must be spread between multiple departments and priorities. With a limited budget,
agencies are limited as to what software and tools they may purchase and often must weigh the
capabilities of a specific tool against its cost. This research paper will attempt to look at the
capabilities of mobile forensic software and compare them to the overall cost to determine which
software is better. With the ever-increasing availability and rapid evolution of mobile devices,
there are a number of mobile device forensic software products on the market today. This research paper
will provide a simplistic look at mobile device technology, the types of forensic analysis that can be
performed on mobile devices, and lastly a comparison of two mobile forensic software tools.
Chapter 1: Introduction
In today’s society, mobile devices have become a major part of everyday life.
Approximately “90% of American adults have a cell phone, 58% of American adults have a
smartphone, 32% of American adults have an e-reader, and 42% of American adults have a
tablet computer” (Pew Research Center, 2014). On almost a daily basis we see technology
evolve and more mobile devices become available to the public. With increases in technology
also came crime. Mobile devices can be used in a number of different ways to facilitate and
commit crime. While there is no real way to track the number of crimes involving mobile
devices, in my experience, I believe it can easily be said that well over 80% of crime involves
some use of a mobile device. With mobile devices being utilized in some fashion during a large
portion of criminal activity, there is a lot of evidence which can be obtained and utilized for a
criminal investigation. The need to obtain this evidence has led many organizations to develop
software which is available for purchase. Today there is a wide variety of mobile device software
available, each providing its own specific platform, capabilities, and cost. Law enforcement
agencies across the US are limited due to budget constraints. In 2007, the average annual
operating budget per agency for all sheriff’s offices in the US was $9,962,000 (Sheriffs' Office,
2007 - Statistical Tables, 2012). Each agency must prioritize its budget, leaving minimal
operating cost to expand to new tools and software. As law enforcement agencies modernize and
expand to combat crime utilizing technology, inevitably they are faced with the decision of what tool
or software to purchase given the budget and the tool or software’s capabilities. The Cabarrus
County Sheriff’s Office is currently operating Cellebrite UFED 4PC Ultimate and Lantern 4 for
mobile device forensics.
The Purpose
The purpose of this study is to determine which software provides the best capabilities for
the cost to Cabarrus County Sheriff’s Office. It is my hypothesis that, due to each software’s own
capabilities and cost to the agency, neither is ultimately better than the other, but each meets
specific needs in specific situations. The only limitation I had for this research was access to the
forensic software. Due to time constraints, schedules, and available forensic tools my access was
limited to two (2) forensic tools over a period of 2 days. This research paper will provide a
simplistic look at mobile device technology, types of forensic analysis to be performed on
mobile devices, and lastly compare Cellebrite UFED 4PC Ultimate and Lantern 4.
Chapter 2: Mobile Device Technology
While there are many different mobile devices on the market (cell phones, smartphones,
tablet computers, e-readers, mp3 players, etc.), the most common and the first was the cell
phone. Cell phones evolved from radio technology which was developed in the early 1900s. The
first documented wireless telephone use was in 1946 by the Swedish Police (Tech-FAQ, n.d.). In
1947, Bell Laboratory proposed the idea of hexagonal cells for modern phones and in 1970 the
call handoff system was developed. With the assistance of AT&T the FCC approved and
allocated the 824-894 MHz frequency band to Advanced Mobile Phone Service (AMPS)
(Tech-FAQ, n.d.). According to Tech-FAQ (n.d.), in 1983 Motorola unveiled the first truly
portable cellular phone, the DynaTAC 8000X. Since then cell phone technology has grown by
leaps and bounds. Today cell phones have advanced from being a simple radio to essentially a
small computer with a radio.
Current Technology
Devices today, while very different in function, capabilities, and appearance, are
composed of the same components: a microprocessor, read only memory (ROM), random access
memory (RAM), a radio module, a digital signal processor, a microphone and speaker, a variety
of hardware keys and interfaces, and a liquid crystal display (LCD). Cell phones can also support
external memory through Secure Digital (SD) memory, and other wireless communication such
as infrared, Bluetooth, Near Field Communication (NFC), and WiFi. Depending on its capabilities,
a phone can be classified as either a feature phone or a smartphone. Feature phones are cell
phones that perform minimal tasks and do not have the features of a smartphone. The Guidelines
on Mobile Device Forensics (Ayers, Brothers, & Jansen, 2014) presented the following table to
demonstrate hardware characterization between feature phones and smartphones:
Figure 1: Hardware Characterization
Mobile device memory, like that of any other computer, includes both non-volatile and volatile memory.
Non-volatile memory, as the name suggests, is not lost when the device loses power and is not
overwritten during a reboot. Volatile memory, or Random Access Memory (RAM), on the other
hand is lost when the power is drained from the phone, making it difficult to accurately capture.
Mobile device memory has evolved with technology. According to Guidelines on Mobile Device
Forensics (Ayers, Brothers, & Jansen, 2014):
Feature phones were among the first types of devices that contained NOR flash and RAM
memory. System and user data are stored in NOR and copied to RAM upon booting for faster
code execution and access. This is known as the first generation of mobile device memory
configuration. As smartphones were introduced, memory configurations evolved, adding NAND
flash memory. This arrangement of NOR, NAND and RAM memory is referred to as the second
generation. This generation of memory configurations stores system files in NOR flash, user files
in NAND and RAM is used for code execution. The latest smartphones contain only NAND and
RAM memory (i.e., third generation), due to requirements for higher transaction speed, greater
storage density and lower cost. To facilitate the lack of space on mobile device mainboards and
the demand for higher density storage space (i.e., 2GB – 128GB) the new Embedded MultiMedia
Cards (eMMC) style chips are present in many of today’s smartphones. NOR flash memory
includes system data such as: operating system code, the kernel, device drivers, system libraries,
memory for executing operating system applications and the storage of user application
execution instructions. NOR flash will be the best location for data collection for first generation
memory configuration devices. NAND flash memory contains: PIM data, graphics, audio, video,
and other user files. This type of memory generally provides the examiner with the most useful
information in most cases. (p. 6)
Phones may also contain a Subscriber Identity Module (SIM) card. The SIM card’s
purpose is to authenticate the mobile phone device to a given network. The SIM card is a smart
card that contains a processor and persistent electronically erasable, programmable read only
memory (EEPROM). The EEPROM contains RAM for program execution and ROM containing
the operating system, user authentication and data encryption algorithms. Personal information,
phonebook entries, text messages, the last numbers dialed, and service information may also be
in the EEPROM (Ayers, Brothers, & Jansen, 2014). Another major part of a phone that needs to
be considered is the operating system. There have been many different operating systems through
the years such as Blackberry, Windows CE, Symbian, Android, and Apple iOS. In recent years
the leading operating systems have been Android and Apple iOS. According to IDC Corporate
USA (n.d.), Android shipments lead the global smartphone market, with 283 million units
shipped and over 84% of the market share in the third quarter of 2014, and iOS continues to drop
in market share, down to just 11.7% from 12.8% in the same quarter last year, representing the
growing shift of demand toward low-cost smartphones. The Android and iOS operating systems
provide a wide variety of capabilities. Below is a graph I located on Diffen (n.d.) which
compares Android and iOS:
Figure 2: Android and iOS comparison
The last major part of a phone is its ability to download and install applications (apps). The Android
and iOS operating systems both have this capability, with millions of apps available to each. Apps
can be made by anyone with the right knowledge and can be made to perform any number of
tasks such as playing games, messaging, phone calls, internet browsing, etc. The possibilities for
apps are endless. When an app is downloaded and installed on a mobile device it creates a folder
to contain information from that app. All the data saved on the phone is accessible through
mobile device forensics depending on the type of analysis which is completed.
Chapter 3: Mobile Device Forensics
According to Ayers, Brothers, and Jansen (2014), “Mobile device forensics is the science of
recovering digital evidence from a mobile device under forensically sound conditions using
accepted methods.” A forensic analysis of a mobile device can be conducted by hand
or through the use of one of the many software tools available. The job of a forensic tool is to acquire
data from the internal memory and SIM card without altering their content. To begin an analysis
of a mobile device you must first determine what type of analysis you want to complete. There
are 5 types of mobile device analysis: manual extraction, logical extraction, hex dumping/JTAG,
chip-off, and micro read (Ayers, Brothers, & Jansen, 2014). Predominantly, only manual
extraction, logical extraction, and hex dumping/JTAG are performed by law enforcement forensic
examiners. Chip-off and micro read examinations are intensely involved and require a great deal
of knowledge, training, and specialized equipment to perform. The following excerpt is from the
Guidelines on Mobile Device Forensics (Ayers, Brothers, & Jansen, 2014), which gives a
detailed description of each:
• Manual Extraction – A manual extraction method involves viewing the data content
stored on a mobile device. The content displayed on the LCD screen requires the manual
manipulation of the buttons, keyboard or touchscreen to view the contents of the mobile
device. Information discovered may be recorded using an external digital camera. At this
level, it is impossible to recover deleted information. Some tools have been developed to
provide the forensic examiner with the ability to document and categorize the information
recorded more quickly. Nevertheless, if there is a large amount of data to be captured, a
manual extraction can be very time consuming and the data on the device may be
inadvertently modified, deleted or overwritten as a result of the examination. Manual
extractions become increasingly difficult and perhaps unachievable when encountering a
broken/missing LCD screen or a damaged/missing keyboard interface. Additional
challenges occur when the device is configured to display a language unknown to the
investigator; this may cause difficulty in successful menu navigation.
• Logical Extraction – Connectivity between a mobile device and the forensics workstation
is achieved with a connection using either a wired (e.g., USB or RS-232) or wireless
(e.g., IrDA, WiFi, or Bluetooth) connection. The examiner should be aware of the issues
associated when selecting a specific connectivity method, as different connection types
and associated protocols may result in data being modified (e.g., unread SMS) or
different amounts or types of data being extracted. Logical extraction tools begin by
sending a series of commands over the established interface from the computer to the
mobile device. The mobile device responds based upon the command request. The
response (mobile device data) is sent back to the workstation and presented to the
forensics examiner for reporting purposes.
• Hex Dumping and JTAG – Hex Dumping and Joint Test Action Group (JTAG)
extraction methods afford the forensic examiner more direct access to the raw
information stored in flash memory. One challenge with
these extraction methods is the ability of a given tool to parse and decode the captured
data. Providing the forensic examiner with a logical view of the file system, and reporting
on other data remnants outside the file system that may be present are challenging. For
example, all data contained within a given flash memory chip may not be acquired, as
many tools, such as flasher boxes, may only be able to extract specific sections of
memory [Bre07]. Methods used at this level require connectivity (e.g., cable or WiFi)
between the mobile device and the forensic workstation. Hex Dumping – this technique is
the more commonly used method by tools at this level. This involves uploading a
modified boot loader (or other software) into a protected area of memory (e.g., RAM) on
the device. This upload process is accomplished by connecting the mobile device’s data
port to a flasher box and the flasher box is in turn connected to the forensic workstation.
A series of commands is sent from the flasher box to the mobile device to place it in a
diagnostic mode. Once in diagnostic mode, the flasher box captures all (or sections) of
flash memory and sends it to the forensic workstation over the same communications link
used for the upload. Some flasher boxes work this way or they may use a proprietary
interface for memory extractions. Rare cases exist where extractions can be accomplished
using WiFi (i.e., early Jonathan Zdziarski (JZ) Methods) [Zdz12].
• JTAG – Many manufacturers support the JTAG standard, which defines a common test
interface for processor, memory, and other semiconductor chips. Forensic examiners can
communicate with a JTAG-compliant component by utilizing special purpose standalone
programmer devices to probe defined test points [Wil05]. The JTAG testing unit can be
used to request memory addresses from the JTAG-compliant component and accept the
response for storage and rendition [Bre06]. JTAG gives specialists another avenue for
imaging devices that are locked or devices that may have minor damage and cannot be
properly interfaced otherwise. This method involves attaching a cable (or wiring harness)
from a workstation to the mobile device’s JTAG interface and access memory via the
device’s microprocessor to produce an image [Bre07]. JTAG extractions differ mainly
from Hex Dumping in that it is invasive as access to the connections frequently require
that the examiner dismantle some (or most) of a mobile device to obtain access to
establish the wiring connections.
o Flasher boxes are small devices originally designed with the intent to service or
upgrade mobile devices. Physical acquisitions frequently require the use of a
flasher box to facilitate the extraction of data from a mobile device. The flasher
box aides the examiner by communicating with the mobile device using
diagnostic protocols to communicate with the memory chip. This communication
may utilize the mobile device’s operating system or may bypass it altogether and
communicate directly to the chip [Jon10]. Flasher boxes are often accompanied
by software to facilitate the data extraction process working in conjunction with
the hardware. Many flasher box software packages provide the added
functionality of recovering passwords from mobile device memory as well in
some configurations. (p.17-18)
In most situations, the type of investigation, the type of phone, and the type of tool available
determine what type of analysis is completed. Ultimately, what information is the investigator
looking to gain from the analysis and which acquisition method would obtain that information?
Computer Forensic Tool Testing
In order to maintain reliability and consistency among mobile device forensic tools, the
National Institute of Standards and Technology’s (NIST) Computer Forensic Tool Testing
(CFTT) program routinely tests new computer forensic software tools. The CFTT program has
developed six (6) core feature requirements and fifteen (15) optional feature requirements
against which it then tests each new software tool. The Smart Phone Tool Specification (National Institute
of Standards and Technology, 2010) lists the requirements as follows:
Requirements for Core Features
1. A cellular forensic tool shall have the ability to recognize supported devices via the
vendor-supported interfaces (e.g., cable, Bluetooth, Infrared)
2. A cellular forensic tool shall have the ability to identify non-supported devices
3. A cellular forensic tool shall have the ability to notify the user of connectivity errors
between the device and application during acquisition.
4. A cellular forensic tool shall have the ability to provide the user with either a preview
pane or generated report view of data acquired.
5. A cellular forensic tool shall have the ability to logically acquire all application supported
data objects present in internal memory.
6. A cellular forensic tool shall have the ability to logically acquire supported data objects
without changing the data objects present on the device.
Requirements for Optional Features
1. A cellular forensic tool shall have the ability to recognize supported SIMs via the vendor
supported interface (e.g., PC/SC reader, proprietary reader, internal).
2. A cellular forensic tool shall have the ability to identify non-supported SIMs.
3. A cellular forensic tool shall have the ability to notify the user of connectivity errors
between the SIM reader and application during acquisition.
4. A cellular forensic tool shall have the ability to acquire all application-supported data
objects present in the SIM memory.
5. A cellular forensic tool shall have the ability to provide a presentation of acquired data in
a human-readable format via a generated report.
6. A cellular forensic tool shall have the ability to provide a presentation of acquired data in
a human-readable format via a preview pane view.
7. A cellular forensic tool shall have the ability to provide the user with the opportunity to
unlock a password protected SIM before external reader SIM acquisition.
8. A cellular forensic tool shall have the ability to protect previously acquired data objects
within a saved case file from modification.
9. A cellular forensic tool shall have the ability to perform a physical acquisition of the
device’s internal memory for supported devices.
10. A cellular forensic tool shall have the ability to present data objects containing non-
ASCII characters acquired from the internal memory of the device or SIM via the
selected interface (i.e., preview pane, generated report). Non-ASCII characters shall be
printed in their native representation.
11. A cellular forensic tool shall have the ability to present the remaining number of
CHV1/CHV2 PIN unlock attempts.
12. A cellular forensic tool shall have the ability to present the remaining number of PUK
unlock attempts.
13. A cellular forensic tool shall have the ability to acquire internal memory data without
14. A cellular forensic tool shall have the ability to compute a hash for individual data
objects.
15. A cellular forensic tool shall have the ability to acquire GPS related data present in the
internal memory. (p.6-8)
The results of each test completed by CFTT on a mobile device forensic software tool are then
added to the program’s website database (http://www.cftt.nist.gov/mobile_devices.htm) for review. This
information is very important to law enforcement agencies because it very quickly shows
what the capabilities and limitations of the software are.
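The SIM data objects that the optional requirements above expect a tool to acquire (and that Chapter 2 describes: identifiers and phonebook entries) are stored in compact binary encodings. The following added example, which is not from this paper or from either vendor, decodes three of them in Python, assuming the standard GSM/3GPP elementary-file layouts for EF_ICCID, EF_IMSI and EF_ADN; all byte strings are constructed sample data.

```python
# Added example: decoders for three SIM elementary files, run on constructed bytes.
SYMBOLS = "0123456789*#CDE"  # nibble values 0x0-0xE; C, D, E are control codes shown as letters


def swapped_bcd(data):
    """Nibble-swapped BCD: the low nibble holds the earlier digit, 0xF is filler."""
    out = []
    for byte in data:
        for nibble in (byte & 0x0F, byte >> 4):
            if nibble == 0x0F:
                return "".join(out)
            out.append(SYMBOLS[nibble])
    return "".join(out)


def luhn_valid(digits):
    """Luhn check; the final ICCID digit is the check digit."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def decode_iccid(ef):
    """EF_ICCID: 10 bytes of swapped BCD, 0xF padded when the ICCID has 19 digits."""
    digits = swapped_bcd(ef)
    return {"iccid": digits, "luhn_ok": luhn_valid(digits)}


def decode_imsi(ef):
    """EF_IMSI: byte 0 is a length; the first nibble after it is a parity/type marker."""
    length = ef[0]
    if not 1 <= length <= 8 or len(ef) < 1 + length:
        raise ValueError("malformed EF_IMSI")
    return swapped_bcd(ef[1:1 + length])[1:]  # drop the marker nibble


def decode_adn(record):
    """EF_ADN phonebook record: alpha identifier followed by a fixed 14-byte trailer."""
    if len(record) < 14:
        raise ValueError("ADN record shorter than its 14-byte trailer")
    if all(b == 0xFF for b in record):
        return None  # unused phonebook slot
    alpha, trailer = record[:-14], record[-14:]
    if alpha[:1] in (b"\x80", b"\x81", b"\x82"):
        name = alpha.hex()  # UCS2-coded names are returned as hex, not decoded here
    else:
        # Assumption: name uses only characters the GSM default alphabet shares with ASCII.
        name = alpha.rstrip(b"\xff").decode("ascii", errors="replace")
    bcd_len, ton_npi = trailer[0], trailer[1]
    number = ""
    if 2 <= bcd_len <= 11:  # length counts the TON/NPI byte plus the number bytes
        number = swapped_bcd(trailer[2:1 + bcd_len])
        if (ton_npi >> 4) & 0x07 == 1:  # type of number: international
            number = "+" + number
    return {"name": name, "number": number}


# Constructed sample data (not taken from any real SIM).
EF_ICCID = bytes.fromhex("981062000000000021F1")
EF_IMSI = bytes.fromhex("080910101032547698")
ADN_RECORD = bytes.fromhex(
    "414C494345" "FFFFFFFFFF"  # alpha identifier "ALICE", 0xFF padded to 10 bytes
    "07" "91"                  # BCD length (TON/NPI + 6 number bytes), TON/NPI international
    "5155550501F0" "FFFFFFFF"  # dialling number field, 10 bytes
    "FF" "FF"                  # capability/configuration id, extension record id
)

if __name__ == "__main__":
    print(decode_iccid(EF_ICCID))
    print(decode_imsi(EF_IMSI))
    print(decode_adn(ADN_RECORD))
```

A failed Luhn check on a decoded ICCID is a quick sign that the bytes were misread or the file is corrupt, which is worth noting before the value goes into a report.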
Chapter 4: Comparison of UFED 4PC Ultimate and Lantern 4
As stated earlier, the Cabarrus County Sheriff’s Office currently utilizes both UFED
4PC by Cellebrite and Lantern 4 by Katana. Detective Brian Schmitt is the primary computer and
mobile device forensic examiner for the department. In an interview on November 26, 2014,
Det. Schmitt stated, “I utilized both software on a regular basis and choose which software to use
depending on the type of phone I am going to examine. Both software are similar in what they will
recover, however each has its own pros and cons. Cellebrite is limited to only the devices it
says it can run whereas Lantern will run almost any Android device and all iOS devices.
Although Lantern may run a device that Cellebrite will not, sometimes the information that
Lantern does recover is limited. Cellebrite says it is the leader in iOS forensics; however,
Lantern will run way more because it is run and developed specifically for iOS devices.” Det.
Schmitt went on to show me a specific phone which he examined in Lantern that would not work
on Cellebrite. The analysis in Lantern only showed what type of phone it was and no other
information. Det. Schmitt went on to say, “I don’t particularly favor one software over the other,
it ultimately depends on the device I need to examine. I often run a device through both software
just to make sure I don’t miss something.”
Comparing the capabilities of both software and the cost will better help determine which
software is more cost effective. Since my time with both systems was limited, the comparison of
both software will be completed through the use of both software user manuals and CFTT
testing.
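Optional requirement 14 (a hash for individual data objects) and Det. Schmitt's practice of running a device through both tools can be combined into one check. The following added example (not part of this paper or of either product) hashes every file in an export folder, compares two tools' exports by content, and re-verifies a saved case folder against its baseline; the folder names and file contents are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB pieces so large media files are not read whole


def hash_object(path):
    """SHA-256 of one extracted data object (one file in an export folder)."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(export_root):
    """Map each file's path, relative to the export root, to its hash."""
    root = Path(export_root)
    return {p.relative_to(root).as_posix(): hash_object(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_manifest(baseline, current):
    """Compare by path: the same case folder hashed at acquisition and again later."""
    return {
        "modified": sorted(n for n in baseline if n in current and baseline[n] != current[n]),
        "missing": sorted(n for n in baseline if n not in current),
        "added": sorted(n for n in current if n not in baseline),
    }


def _by_hash(manifest):
    index = {}
    for name, digest in sorted(manifest.items()):
        index.setdefault(digest, name)  # keep the first path for duplicate content
    return index


def compare_coverage(manifest_a, manifest_b):
    """Compare by content hash, since two tools lay out their export folders differently."""
    a, b = _by_hash(manifest_a), _by_hash(manifest_b)
    return {
        "both": sorted((a[h], b[h]) for h in a.keys() & b.keys()),
        "only_a": sorted(a[h] for h in a.keys() - b.keys()),
        "only_b": sorted(b[h] for h in b.keys() - a.keys()),
    }


def write_tree(root, files):
    for name, data in files.items():
        path = Path(root) / name
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)


def demo():
    # Constructed sample data standing in for two tools' export folders.
    sms_db = b"SQLite format 3\x00" + b"constructed sms store"
    photo = b"\xff\xd8\xff\xe0" + b"constructed jpeg body" + b"\xff\xd9"
    with tempfile.TemporaryDirectory() as tmp:
        tool_a, tool_b = Path(tmp, "tool_a"), Path(tmp, "tool_b")
        write_tree(tool_a, {"databases/sms.db": sms_db, "DCIM/IMG_0001.jpg": photo})
        write_tree(tool_b, {"Messages/sms.db": sms_db,
                            "Messages/deleted_sms.bin": b"constructed recovered record"})
        baseline = build_manifest(tool_a)
        coverage = compare_coverage(baseline, build_manifest(tool_b))
        # Simulate later, unintended changes to the saved case folder.
        (tool_a / "databases/sms.db").write_bytes(sms_db + b"!")
        (tool_a / "DCIM/IMG_0001.jpg").unlink()
        integrity = verify_manifest(baseline, build_manifest(tool_a))
    return coverage, integrity


if __name__ == "__main__":
    coverage, integrity = demo()
    print("coverage:", coverage)
    print("integrity:", integrity)
```

Matching hashes prove two tools recovered identical content; an object listed under only one tool means its content differs or is absent in the other export, so it still needs a manual look.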
Cellebrite UFED 4PC
The following information was obtained from UFED Physical Analyzer – User Manual
(Cellebrite Ltd., 2014)
• Operating System – Microsoft Windows XP with SP3 or later
• Computer Memory (RAM) required for installation
  o 32-bit OS – 4GB
  o 64-bit OS – 8GB
• Number of supported mobile devices
  o Android-based devices – 1889
  o iOS devices – 67
  o Total number of devices – 10,538
• UFED Ultimate is made up of three components:
  o The UFED unit enables logical, password, SIM, file system, and physical extractions from mobile devices, which can then be saved to a USB flash drive, SD memory card, or directly to your PC.
  o UFED Physical Analyzer application provides an in-depth view of the device's memory using advanced decoding, analysis, and reports. UFED Physical Analyzer can decode all types of extractions created by the UFED Classic unit.
  o Phone Detective application helps investigators quickly identify a mobile phone by its physical attributes, eliminating the need to start the device and the risk of device lock.
• UFED Physical Analyzer has the following key features:
  o Decoding of the extraction with a layered view of memory content
    ▪ Provides a detailed view of the Hex file
    ▪ Reconstructs the device file system
    ▪ Decodes various analyzed data types such as: contact lists, SMS messages, call logs, device information (IMSI, ICCID, user codes), application information, and more
    ▪ Provides a view of data files: images, videos, databases, and so on
    ▪ Provides access to both current and deleted data
    ▪ Reveals device passwords (when applicable)
  o Powerful extraction for iOS and GPS devices
  o Provides intuitive and user friendly UI for browsing the extracted information
  o Powerful analysis and search tools
    ▪ Instant search for all project content
    ▪ Advanced search based on multiple parameters
    ▪ Instant search for data tables content
    ▪ Watch list for highlighting information based on a predefined list of values
    ▪ Time line for viewing all the events performed via the mobile device in a single chronological view
    ▪ Project analytics providing comprehensive activity analysis
    ▪ Malware scanner to identify malware in the device
    ▪ Ability to search the Hex by various parameters such as strings, bytes, numbers, dates
    ▪ Ability to use regular expression (RegEx) search to look for specific data strings
    ▪ Ability to bookmark memory locations for indexing of key areas for later review
    ▪ Ability to use Python shell commands for data analysis
  o Plug-ins
    ▪ Manage installed plug-ins
    ▪ Write your own plug-ins using Python scripting language
  o Reports:
    ▪ Generate reports in various formats
    ▪ Report customizing and personalizing (logo, header, etc.)
This is an example of the user interface for UFED 4PC
Figure 3: UFED 4PC User Interface
A review of the UFED v3.9.6.7 Test Report (National Institute of Standards and Technology,
2014) showed that, in an examination of a variety of Android and iOS devices, the UFED Physical
Analyzer performed better with Android-based devices.
Lantern 4
The following information was obtained from Lantern 4 Manual (Katana Forensics, Inc, 2014).
• Operating System – Mac OS X 10.7 or higher
  o Computer Memory (RAM) required for installation – 4 GB
• Supported mobile devices
Figure 4: Lantern 4 Supported Devices
• Here are some of the capabilities you will find in Lantern 4.0.
  o Link Analysis between devices
  o Recovery from Android Devices
  o Recover Deleted SMS
  o Read Gmail & Yahoo E-mail
  o Parse Skype Calls & Messages
  o Parse Facebook Data
  o Cellular Sites & WiFi Location Geo Data
  o WiFi Connections History
  o Improved Internet History
  o Geo Locate Videos & Photos
  o Application Usage Data
  o Analysis from .dd Images & Backups
  o Data Carving Images & Videos
  o Timeline Analysis
  o Bookmarking
  o View Data while Processing Acquisition
  o Physical Image E-mail Analysis
  o Document Analysis
  o Additional Geo Location data from physical images
  o Arbitrary Analysis
  o File system dump analysis from other applications
  o Decryption and analysis from other providers
  o Mac OS X Analysis
  o Support for the Newest Skype SQLite Format
  o SMS, MMS, and iMessage for iOS 6
  o WhatsApp analysis
  o Bookmarks and notation
This is an example of the user interface of Lantern 4
Figure 5: Lantern 4 User Interface
No examination has been completed of Lantern 4 by the National Institute of Standards and
Technology.
During the interview on November 26, 2014 with Det. Schmitt he stated, “As for cost,
Cellebrite is by far the most expensive costing approximately $8000, 3 years ago to purchase the
product and approximately $3000 in annual maintenance. We just purchased the UFED 4PC
license this year which was originally $10,000 but was negotiated down to $4000 after trading in
the old unit. As for Lantern, it was approximately $900 to purchase the product and $300 in
annual maintenance. Both software benefit this department equally and we will continue to use
both.” During the short opportunity I had to interact with both UFED 4PC and Lantern 4, I
personally favored the UFED 4PC which I felt had a better user interface. To that end, I have an
extensive amount of experience with Microsoft based operating systems over iOS which I feel
affected my preference. Considering the Cabarrus County Sheriff’s Office worked on a
$2,282,640 operations budget for fiscal year 2014 (Cabarrus County, 2014) an expense of
$10,000 for the UFED 4PC license and a $3000 maintenance cost was a major one compared to
only $300 maintenance cost for Lantern. When comparing the overall cost and annual
maintenance to capabilities it is easy to see that Lantern 4 is the better product for the cost.
Chapter 5: Conclusion
The need for law enforcement agencies across the US to invest in some form of mobile device
forensic software is imperative to keep up to speed with the evolution of crime. Due to many
budget constraints it is just as imperative to utilize the most cost effective software which
provides the most capabilities. The purpose of this study was to determine which software
provides the best capabilities for the cost to Cabarrus County Sheriff’s Office. The only
limitation I had for this research was access to the software. Due to time constraints, schedules,
and available forensic tools my access was limited to two (2) forensic tools over a period of 2
days. My original assumption was that, due to each software’s own capabilities and cost to the agency,
neither is ultimately better than the other, but each meets specific needs in specific situations.
After reviewing both UFED 4PC and Lantern 4 I found that Lantern 4 was the most cost
effective forensic tool. UFED 4PC and Lantern 4 both provide similar capabilities, just in
different formats. Each software has its own pros and cons which make it better or
worse than the other, but the cost of each makes it immediately clear which is more cost effective.
References
Ayers, R., Brothers, S., & Jansen, W. (2014). NIST Special Publication 800-101, Revision 1: Guidelines on
Mobile Device Forensics. National Institute of Standards and Technology.
Breeuwsma, M. (2006). Forensic Imaging of Embedded Systems using JTAG (boundary-scan). Digital
Investigations, Volume 3, Issue 1, 32-42.
Breeuwsma, M., Jongh, M. d., Klaver, C., Knijff, R. v., & Roeloffs, M. (2007). Forensic Data Recovery from
Flash Memory. Small Scale Digital Device Forensics Journal Vol. 1, No. 1.
Cabarrus County. (2014). Public Safety Budget. Retrieved from Cabarrus County:
https://www.cabarruscounty.us/government/departments/finance/budget/Budget/finance_budget_public_safety_2015.pdf
Cellebrite Ltd. (2014, September). UFED Physical Analyzer - User Manual. Cellebrite Ltd.
Diffen. (n.d.). Android Vs iOS. Retrieved from Diffen: http://www.diffen.com/difference/Android_vs_iOS
IDC Corporate USA. (n.d.). Smartphone OS Market Share, Q3 2014. Retrieved from IDC:
http://www.idc.com/prodserv/smartphone-os-market-share.jsp
Jonkers, K. (2010). The forensic use of mobile phone flasher boxes 5. Digital Investigation 6, 168-178.
Katana Forensics, Inc. (2014). Lantern 4 Installation and Operation Manual. Washington, DC: Katana
Forensics, Inc.
National Institute of Standards and Technology. (2010). Smart Phone Tool Specification. Washington, DC:
National Institute of Standards and Technology. Retrieved from
http://www.cftt.nist.gov/documents/Smart_Phone_Tool_Specification.pdf
National Institute of Standards and Technology. (2014). Test Results for Mobile Device Acquisition tool:
UFED Physical Analyzer v3.9.6.7. NIST.
Pew Research Center. (2014, January). Mobile Technology Fact Sheet. Retrieved from Pew Research
Internet Project: http://www.pewinternet.org/fact-sheets/mobile-technology-fact-sheet/
Schmitt, B. (2014, November 26). Detective. (S. H. Rickard, Interviewer)
Sheriffs' Office, 2007 - Statistical Tables. (2012, December). Retrieved from Bureau of Justice Statistics:
http://www.bjs.gov/content/pub/pdf/so07st.pdf
Tech-FAQ. (n.d.). The History of Cell Phones. Retrieved from Tech-FAQ:
http://www.tech-faq.com/history-of-cell-phones.html
Willassen, S. (2005). Forensic Analysis of Mobile Phone Internal Memory. Advances in Digital Forensics,
Vol. 194, (p. International Conference on Digital Forensics). 2006.
Zdziarski, J. (2012). iOS Forensic Investigative Methods. Retrieved from zdziarski:
http://www.zdziarski.com/blog/wp-content/uploads/2013/05/iOS-ForensicInvestigative-Methods.pdf
Definition of Terms
AMPS – Advanced Mobile Phone Service
ASCII – American Standard Code for Information Interchange
CFTT – Computer Forensic Tool Testing
CHV1 – Card Holder Verification 1
CHV2 – Card Holder Verification 2
EEPROM – Electronically Erasable Programmable Read Only Memory
FCC – Federal Communication Commission
GPS – Global Positioning Satellite
ICCID – Integrated Circuit Card ID
IMSI – International Mobile Subscriber Identity
IrDA – Infrared Data Association
JTAG – Joint Test Action Group
LCD – liquid crystal display
MHZ – megahertz
NAND – Non-volatile storage technology that does not require power to retain data
NFC – Near Field Connection
NIST – National Institute of Standards and Technology
NOR – Non-volatile storage technology that does not require power to retain data
PIN – Personal Identity Number
PUK – PIN Unlock Key
RAM – Random Access Memory
ROM – Read Only Memory
SD – Secure Digital
SIM – Subscriber Identity Module
USB – Universal Serial Bus
WIFI – Local area wireless technology

Cell Phone Forensics Research

  • 1. Mobile Device Forensics Sean Houston Rickard University of North Carolina at Charlotte ITIS 5250-001 Computer Forensics
  • 2. Mobile Device Forensics 2 Table of Contents Abstract.......................................................................................................................................... 3 Chapter 1: Introduction ............................................................................................................... 4 The Purpose ............................................................................................................................... 5 Chapter 2: Mobile Device Technology........................................................................................ 6 Current Technology.................................................................................................................. 6 Figure 1Hardware Characterization ............................................................................................ 7 Figure 2Android and iOS comparison ........................................................................................ 9 Chapter 3: Mobile Device Forensics ......................................................................................... 11 Computer Forensic Tool Testing ........................................................................................... 14 Requirements for Core Features........................................................................................ 15 Requirements for Optional Features ................................................................................. 15 Chapter 4: Comparison of UFED 4PC Ultimate and Lantern 4............................................ 18 Cellebrite UFED 4PC.............................................................................................................. 19 Figure 3UFED 4PC User Interface........................................................................................ 21 Lantern 4.................................................................................................................................. 
22 Figure 5Lantern 4 User Interface........................................................................................... 24 Chapter 5: Conclusion................................................................................................................ 26 References.................................................................................................................................... 27 Definition of Terms..................................................................................................................... 28
  • 3. Mobile Device Forensics 3 Abstract As with any business or organization, law enforcement agencies work on a limited budget which must be spread between multiple departments and priorities. With a limited budget, agencies are limited as to what software and tools they may purchase and often must way the capabilities of a specific tool versus the cost. This research paper will attempt to look at the capabilities of mobile forensic software and compare it to the overall cost to determine which software is better. With the ever increasing availability and rapid evolution of mobile devices there is a number of mobile device forensic software on the market today. This research paper will provide a simplistic look at mobile device technology, types of forensic analysis to be performed on mobile devices, and lastly compare two mobile forensic software.
  • 4. Mobile Device Forensics 4 Chapter 1: Introduction In today’s society, mobile devices have become a major part of everyday life. Approximately “90% of American adults have a cell phone, 58% of American adults have a smartphone, 32% of American adults have an e-reader, and 42% of American adults have a tablet computer” (Pew Research Center, 2014). On almost a daily basis we see technology evolve and more mobile devices become available to the public. With increases in technology also came crime. Mobile devices can be used in a number of different ways to facilitate and commit crime. While there is no real way to track the number of crimes involving mobile devices, in my experience, I believe it can easily be said that well over 80% of crime involves some use of a mobile device. With mobile devices being utilized in some fashion during a large portion of criminal activity, there is a lot of evidence which can be obtained and utilized for a criminal investigation. The need to obtain this evidence had led many organizations to develop software which is available for purchase. Today there is a wide variety of mobile device software available, each providing its on specific platform, capabilities, and cost. Law enforcement agencies across the US are limited due to budget constraints. In 2007, the average annual operating budget per agency for all sheriff’s offices in the US was $9,962,000 (Sheriffs' Office, 2007 - Statistical Tables, 2012). Each agency must prioritize its budget leaving minimal operating cost to expand to new tools and software. As law enforcement agencies modernize and expand to combat crime utilizing technology, inevitably they are faced with decision of what tool or software to purchase given the budget and the tool or software’s capabilities. The Cabarrus County Sheriff’s Office is currently operating Cellebrite UFED 4PC Ultimate and Lantern 4 for mobile device forensics.
  • 5. Mobile Device Forensics 5 The Purpose The purpose of this study is to determine which software provides the best capabilities for the cost to Cabarrus County Sheriff’s Office. It is my hypothesis that due to each software’s own capabilities and cost to the agency that neither are ultimately better than the other but provide specific needs in specific situations. The only limitation I had for this research was access to the forensic software. Due to time constraints, schedules, and available forensic tools my access was limited to two (2) forensic tools over a period of 2 days. This research paper will provide a simplistic look at mobile device technology, types of forensic analysis to be performed on mobile devices, and lastly compare Cellebrite UFED 4PC Ultimate and Lantern 4.
  • 6. Mobile Device Forensics 6 Chapter 2: Mobile Device Technology While there are many different mobile devices on the market (cell phones, smart phones, tablet computers, e-readers, mp3 players, ect…) the most common and the first was the cell phone. Cell phones evolved from radio technology which was developed in the early 1900s’. The first documented wireless telephone use was in 1946 by the Swedish Police (Tech-FAQ, n.d.). In 1947, Bell Laboratory proposed the idea of hexagonal cells for modern phones and in 1970 the call handoff system was developed. With the assistance of AT&T the FCC approved and allocated the frequencies of 824-894 MHZ Band to Advanced Mobile Phone Service (AMPS) (Tech-FAQ, n.d.). According to Tech-FAQ (n.d.), in 1983 Motorola unveiled the first truly portable cellular phone, the DynaTAC 8000X. Since then cell phone technology has grown by leaps and bounds. Today cell phones have advanced from being a simple radio to essentially a small computer with a radio. Current Technology Devices today, while very different in function, capabilities, and appearance are composed of the same components: a microprocessor, read only memory (ROM), random access memory (RAM), a radio module, a digital signal processor, a microphone and speaker, a variety of hardware keys and interfaces, and a liquid crystal display (LCD). Cell phones can also support external memory through Secure Digital (SD) memory, and other wireless communication such as infrared, Bluetooth, Near Field Connection (NFC), and WiFi. Depending on the capabilities of a phone it can either be classified as featured phone or a smartphone. Featured phones are cell phones that perform minimal tasks and do not have the features of a smart phone. The Guidelines
  • 7. on Mobile Device Forensics (Ayers, Brothers, & Jansen, 2014) presented the following table to demonstrate hardware characterization between feature phones and smartphones:
    Figure 1: Hardware Characterization
    Mobile devices, like any other computer, contain both non-volatile and volatile memory. Non-volatile memory, as the name suggests, does not change when the device loses power and is not overwritten during a reboot. Volatile memory, or Random Access Memory (RAM), on the other hand, loses its contents when power is drained from the phone, making it difficult to capture accurately. Mobile device memory has evolved with technology. According to Guidelines on Mobile Device Forensics (Ayers, Brothers, & Jansen, 2014):
      Feature phones were among the first types of devices that contained NOR flash and RAM memory. System and user data are stored in NOR and copied to RAM upon booting for faster code execution and access. This is known as the first generation of mobile device memory configuration. As smartphones were introduced, memory configurations evolved, adding NAND flash memory. This arrangement of NOR, NAND and RAM memory is referred to as the second
  • 8. generation. This generation of memory configurations stores system files in NOR flash, user files in NAND and RAM is used for code execution. The latest smartphones contain only NAND and RAM memory (i.e., third generation), due to requirements for higher transaction speed, greater storage density and lower cost. To facilitate the lack of space on mobile device mainboards and the demand for higher density storage space (i.e., 2GB – 128GB) the new Embedded MultiMedia Cards (eMMC) style chips are present in many of today’s smartphones. NOR flash memory includes system data such as: operating system code, the kernel, device drivers, system libraries, memory for executing operating system applications and the storage of user application execution instructions. NOR flash will be the best location for data collection for first generation memory configuration devices. NAND flash memory contains: PIM data, graphics, audio, video, and other user files. This type of memory generally provides the examiner with the most useful information in most cases. (p. 6)
    Phones may also contain a Subscriber Identity Module (SIM) card. The SIM card’s purpose is to authenticate the mobile phone device to a given network. The SIM card is a smart card that contains a processor and persistent electronically erasable, programmable read only memory (EEPROM). The EEPROM contains RAM for program execution and ROM containing the operating system, user authentication and data encryption algorithms. Personal information, phonebook entries, text messages, the last numbers dialed, and service information may also be in the EEPROM (Ayers, Brothers, & Jansen, 2014).
    Another major part of a phone that needs to be considered is the operating system. There have been many different operating systems through the years, such as Blackberry, Windows CE, Symbian, Android, and Apple iOS. In recent years the leading operating systems have been Android and Apple iOS.
According to IDC Corporate USA (n.d.): Android shipments lead the global smartphone market, with 283 million units
  • 9. shipped and over 84% of the market share in the third quarter of 2014 and iOS continues to drop in market share, down to just 11.7% from 12.8% in the same quarter last year, representing the growing shift of demand toward low-cost smartphones.
    The Android and iOS operating systems provide a wide variety of capabilities. Below is a graph I located on Diffen (n.d.) which compares Android and iOS:
    Figure 2: Android and iOS comparison
    The last major part of a phone is its ability to download and install applications (apps). The Android and iOS operating systems both have this capability, with millions of apps available to each. Apps
  • 10. can be made by anyone with the right knowledge and can be made to perform any number of tasks, such as playing a game, messaging, phone calls, internet browsing, etc. The possibilities for apps are endless. When an app is downloaded and installed on a mobile device, it creates a folder to contain information from that app. All the data saved on the phone is accessible through mobile device forensics, depending on the type of analysis that is completed.
  • 11. Chapter 3: Mobile Device Forensics
    According to Ayers, Brothers, and Jansen (2014), “Mobile device forensics is the science of recovering digital evidence from a mobile device under forensically sound conditions using accepted methods.” A forensic analysis of a mobile device can be conducted by hand or through the use of one of the many software tools available. The job of a forensic tool is to acquire data from the internal memory and SIM card without altering their content. To begin an analysis of a mobile device, you must first determine what type of analysis you want to complete. There are 5 types of mobile device analysis: manual extraction, logical extraction, hex dumping/JTAG, chip-off, and micro read (Ayers, Brothers, & Jansen, 2014). Predominantly, only manual extraction, logical extraction, and hex dumping/JTAG are performed by law enforcement forensic examiners. Chip-off and micro read examinations are intensely involved and require a great deal of knowledge, training, and specialized equipment to perform. The following excerpt from the Guidelines on Mobile Device Forensics (Ayers, Brothers, & Jansen, 2014) gives a detailed description of each:
    - Manual Extraction – A manual extraction method involves viewing the data content stored on a mobile device. The content displayed on the LCD screen requires the manual manipulation of the buttons, keyboard or touchscreen to view the contents of the mobile device. Information discovered may be recorded using an external digital camera. At this level, it is impossible to recover deleted information. Some tools have been developed to provide the forensic examiner with the ability to document and categorize the information
  • 12. recorded more quickly. Nevertheless, if there is a large amount of data to be captured, a manual extraction can be very time consuming and the data on the device may be inadvertently modified, deleted or overwritten as a result of the examination. Manual extractions become increasingly difficult and perhaps unachievable when encountering a broken/missing LCD screen or a damaged/missing keyboard interface. Additional challenges occur when the device is configured to display a language unknown to the investigator; this may cause difficulty in successful menu navigation.
    - Logical Extraction – Connectivity between a mobile device and the forensics workstation is achieved with a connection using either a wired (e.g., USB or RS-232) or wireless (e.g., IrDA, WiFi, or Bluetooth) connection. The examiner should be aware of the issues associated when selecting a specific connectivity method, as different connection types and associated protocols may result in data being modified (e.g., unread SMS) or different amounts or types of data being extracted. Logical extraction tools begin by sending a series of commands over the established interface from the computer to the mobile device. The mobile device responds based upon the command request. The response (mobile device data) is sent back to the workstation and presented to the forensics examiner for reporting purposes.
    - Hex Dumping and JTAG – Hex Dumping and Joint Test Action Group (JTAG) extraction methods afford the forensic examiner more direct access to the raw information stored in flash memory. One challenge with these extraction methods is the ability of a given tool to parse and decode the captured data. Providing the forensic examiner with a logical view of the file system, and reporting
  • 13. on other data remnants outside the file system that may be present are challenging. For example, all data contained within a given flash memory chip may not be acquired, as many tools, such as flasher boxes, may only be able to extract specific sections of memory [Bre07]. Methods used at this level require connectivity (e.g., cable or WiFi) between the mobile device and the forensic workstation.
    - Hex Dumping – this technique is the more commonly used method by tools at this level. This involves uploading a modified boot loader (or other software) into a protected area of memory (e.g., RAM) on the device. This upload process is accomplished by connecting the mobile device’s data port to a flasher box and the flasher box is in turn connected to the forensic workstation. A series of commands is sent from the flasher box to the mobile device to place it in a diagnostic mode. Once in diagnostic mode, the flasher box captures all (or sections) of flash memory and sends it to the forensic workstation over the same communications link used for the upload. Some flasher boxes work this way or they may use a proprietary interface for memory extractions. Rare cases exist where extractions can be accomplished using WiFi (i.e., early Jonathan Zdziarski (JZ) Methods) [Zdz12].
    - JTAG – Many manufacturers support the JTAG standard, which defines a common test interface for processor, memory, and other semiconductor chips. Forensic examiners can communicate with a JTAG-compliant component by utilizing special purpose standalone programmer devices to probe defined test points [Wil05]. The JTAG testing unit can be used to request memory addresses from the JTAG-compliant component and accept the response for storage and rendition [Bre06]. JTAG gives specialists another avenue for imaging devices that are locked or devices that may have minor damage and cannot be properly interfaced otherwise. This method involves attaching a cable (or wiring harness)
  • 14. from a workstation to the mobile device’s JTAG interface and access memory via the device’s microprocessor to produce an image [Bre07]. JTAG extractions differ mainly from Hex Dumping in that it is invasive as access to the connections frequently require that the examiner dismantle some (or most) of a mobile device to obtain access to establish the wiring connections.
      o Flasher boxes are small devices originally designed with the intent to service or upgrade mobile devices. Physical acquisitions frequently require the use of a flasher box to facilitate the extraction of data from a mobile device. The flasher box aides the examiner by communicating with the mobile device using diagnostic protocols to communicate with the memory chip. This communication may utilize the mobile device’s operating system or may bypass it altogether and communicate directly to the chip [Jon10]. Flasher boxes are often accompanied by software to facilitate the data extraction process working in conjunction with the hardware. Many flasher box software packages provide the added functionality of recovering passwords from mobile device memory as well in some configurations. (pp. 17-18)
    In most situations, the type of investigation, the type of phone, and the type of tool available determine what type of analysis is completed. Ultimately, what information is the investigator looking to gain from the analysis, and which acquisition method would obtain that information?
    Computer Forensic Tool Testing
    In order to maintain reliability and consistency among mobile device forensic tools, the National Institute of Standards and Technology’s (NIST) Computer Forensic Tool Testing
  • 15. (CFTT) program routinely tests new computer forensic software tools. The CFTT program has developed six (6) core feature requirements and fifteen (15) optional feature requirements, against which it then tests each new software. The Smart Phone Tool Specification (National Institute of Standards and Technology, 2010) lists the requirements as follows:
    Requirements for Core Features
    1. A cellular forensic tool shall have the ability to recognize supported devices via the vendor-supported interfaces (e.g., cable, Bluetooth, Infrared)
    2. A cellular forensic tool shall have the ability to identify non-supported devices
    3. A cellular forensic tool shall have the ability to notify the user of connectivity errors between the device and application during acquisition.
    4. A cellular forensic tool shall have the ability to provide the user with either a preview pane or generated report view of data acquired.
    5. A cellular forensic tool shall have the ability to logically acquire all application supported data objects present in internal memory.
    6. A cellular forensic tool shall have the ability to logically acquire supported data objects without changing the data objects present on the device.
    Requirements for Optional Features
    1. A cellular forensic tool shall have the ability to recognize supported SIMs via the vendor supported interface (e.g., PC/SC reader, proprietary reader, internal).
    2. A cellular forensic tool shall have the ability to identify non-supported SIMs.
    3. A cellular forensic tool shall have the ability to notify the user of connectivity errors between the SIM reader and application during acquisition.
  • 16.
    4. A cellular forensic tool shall have the ability to acquire all application-supported data objects present in the SIM memory.
    5. A cellular forensic tool shall have the ability to provide a presentation of acquired data in a human-readable format via a generated report.
    6. A cellular forensic tool shall have the ability to provide a presentation of acquired data in a human-readable format via a preview pane view.
    7. A cellular forensic tool shall have the ability to provide the user with the opportunity to unlock a password protected SIM before external reader SIM acquisition.
    8. A cellular forensic tool shall have the ability to protect previously acquired data objects within a saved case file from modification.
    9. A cellular forensic tool shall have the ability to perform a physical acquisition of the device’s internal memory for supported devices.
    10. A cellular forensic tool shall have the ability to present data objects containing non-ASCII characters acquired from the internal memory of the device or SIM via the selected interface (i.e., preview pane, generated report). Non-ASCII characters shall be printed in their native representation.
    11. A cellular forensic tool shall have the ability to present the remaining number of CHV1/CHV2 PIN unlock attempts.
    12. A cellular forensic tool shall have the ability to present the remaining number of PUK unlock attempts.
    13. A cellular forensic tool shall have the ability to acquire internal memory data without
    14. A cellular forensic tool shall have the ability to compute a hash for individual data objects.
  • 17.
    15. A cellular forensic tool shall have the ability to acquire GPS related data present in the internal memory. (pp. 6-8)
    The results of each test completed by CFTT on a mobile device forensic software tool are then added to its website database (http://www.cftt.nist.gov/mobile_devices.htm) for review. This information is very important to law enforcement agencies because it quickly shows the capabilities and limitations of the software.
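    An added example, not part of the original paper and not code from NIST or either reviewed tool: core requirement 6 and optional requirements 8 and 14 above come down to hashing each acquired data object and re-checking those hashes later. The case folder, file names and contents are constructed sample data, and SHA-256 is an assumed choice of hash.

```python
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # stream in 1 MiB blocks so large images fit in memory


def hash_object(path: Path) -> str:
    """Return the SHA-256 hex digest of one acquired data object."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def seal(objects: dict) -> str:
    """Hash the canonical JSON of the object table so edits to it show.

    The seal is unkeyed, so it only helps if it is recorded apart from the
    manifest (for example in the examiner's notes or the report).
    """
    canonical = json.dumps(objects, sort_keys=True).encode("utf-8")
    return hashlib.sha256(canonical).hexdigest()


def build_manifest(case_dir: Path) -> dict:
    """Hash every file under case_dir at acquisition time."""
    objects = {}
    for path in sorted(p for p in case_dir.rglob("*") if p.is_file()):
        rel = path.relative_to(case_dir).as_posix()
        objects[rel] = {"sha256": hash_object(path), "size": path.stat().st_size}
    return {"objects": objects, "seal": seal(objects)}


def verify_manifest(case_dir: Path, manifest: dict) -> dict:
    """Re-hash the case directory and report every difference."""
    recorded = manifest["objects"]
    current = build_manifest(case_dir)["objects"]
    return {
        "manifest_intact": seal(recorded) == manifest["seal"],
        "modified": sorted(k for k in recorded if k in current
                           and current[k]["sha256"] != recorded[k]["sha256"]),
        "missing": sorted(k for k in recorded if k not in current),
        "added": sorted(k for k in current if k not in recorded),
    }


def demo() -> dict:
    """Run the check on a constructed case folder (sample data, not evidence)."""
    with tempfile.TemporaryDirectory() as tmp:
        case = Path(tmp) / "case-0001"
        samples = {
            "contacts/contacts.vcf": b"BEGIN:VCARD\nFN:Constructed Contact\nEND:VCARD\n",
            "sms/sms.db": b"constructed-sms-store:" + bytes(range(64)),
            "media/IMG_0001.jpg": b"\xff\xd8\xff\xe0constructed-image\xff\xd9",
        }
        for rel, data in samples.items():
            target = case / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)

        manifest = build_manifest(case)  # store this outside the case folder
        clean = verify_manifest(case, manifest)

        # Simulate post-acquisition changes: one byte flipped (size unchanged),
        # one object deleted, one object added.
        sms = case / "sms/sms.db"
        altered = bytearray(sms.read_bytes())
        altered[-1] ^= 0x01
        sms.write_bytes(bytes(altered))
        (case / "contacts/contacts.vcf").unlink()
        (case / "media/extra.jpg").write_bytes(b"not in the original acquisition")
        tampered = verify_manifest(case, manifest)

        # Simulate someone editing the recorded hash to hide the change.
        forged = json.loads(json.dumps(manifest))
        forged["objects"]["sms/sms.db"]["sha256"] = hash_object(sms)
        forged_result = verify_manifest(case, forged)

    return {"clean": clean, "tampered": tampered, "forged": forged_result}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

    The flipped byte leaves the file size unchanged, which is why the check compares digests rather than sizes or timestamps.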
  • 18. Chapter 4: Comparison of UFED 4PC Ultimate and Lantern 4
    As stated earlier, the Cabarrus County Sheriff’s Office currently utilizes both UFED 4PC by Cellebrite and Lantern 4 by Katana. Detective Brian Schmitt is the primary computer and mobile device forensic examiner for the department. In an interview on November 26, 2014, Det. Schmitt stated, “I utilized both software on a regular basis and choose which software to use depending on the type of phone I am going to examine. Both software are similar in what they will recover; however, each have their own pros and cons. Cellebrite is limited to only the devices it says it can run, whereas Lantern will run almost any Android device and all iOS devices. Although Lantern may run a device that Cellebrite will not, sometimes the information that Lantern does recover is limited. Cellebrite says it is the leader in iOS forensics; however, Lantern will run way more because it is run and developed specifically for iOS devices.” Det. Schmitt went on to show me a specific phone which he examined in Lantern that would not work on Cellebrite. The analysis in Lantern only showed what type of phone it was and no other information. Det. Schmitt went on to say, “I don’t particularly favor one software over the other, it ultimately depends on the device I need to examine. I often run a device through both software just to make sure I don’t miss something.”
    Comparing the capabilities of both software and the cost will better help determine which software is more cost effective. Since my time with both systems was limited, the comparison of both software will be completed through the use of both software’s user manuals and CFTT testing.
  • 19. Cellebrite UFED 4PC
    The following information was obtained from UFED Physical Analyzer – User Manual (Cellebrite Ltd., 2014).
    - Operating System – Microsoft Windows XP with SP3 or later
    - Computer Memory (RAM) required for installation
      o 32 bit OS – 4GB
      o 64 bit OS – 8GB
    - Number of supported mobile devices
      o Android-based devices – 1889
      o iOS devices – 67
      o Total number of devices – 10,538
    - UFED Ultimate is made up of three components:
      o The UFED unit enables logical, password, SIM, file system, and physical extractions from mobile devices, which can then be saved to a USB flash drive, SD memory card, or directly to your PC.
      o UFED Physical Analyzer application provides an in-depth view of the device's memory using advanced decoding, analysis, and reports. UFED Physical Analyzer can decode all types of extractions created by the UFED Classic unit.
      o Phone Detective application helps investigators quickly identify a mobile phone by its physical attributes, eliminating the need to start the device and the risk of device lock.
    - UFED Physical Analyzer has the following key features:
  • 20.
      o Decoding of the extraction with a layered view of memory content
        - Provides a detailed view of the Hex file
        - Reconstructs the device file system
        - Decode various Analyzed data types such as: Contact lists, SMS messages, call logs, device information (IMSI, ICCID, user codes), application information, and more
        - Provides a view of data files images, videos, databases, and so on
        - Provides access to both current and deleted data
        - Reveals device passwords (when applicable)
      o Powerful extraction for iOS and GPS devices
      o Provides intuitive and user friendly UI for browsing the extracted information
      o Powerful analysis and search tools
        - Instant search for all project content
        - Advanced search based on multiple parameters
        - Instant search for data tables content
        - Watch list for highlighting information based on a predefined list of values
        - Time line for viewing all the events performed via the mobile device in a single chronological view
        - Project analytics providing comprehensive activity analysis
        - Malware scanner to identify malware in the device
        - Ability to search the Hex by various parameters such as strings, bytes, numbers, dates
  • 21.
        - Ability to use regular expression search (RegEx) to look for specific data strings
        - Ability to bookmark memory locations for indexing of key areas for later review
        - Ability to use Python shell commands for data analysis
      o Plug-ins
        - Manage installed plug-ins
        - Write your own plug-ins using Python scripting language
      o Reports:
        - Generate reports in various formats
        - Report customizing and personalizing (logo, header, etc.)
    This is an example of the user interface for UFED 4PC:
    Figure 3: UFED 4PC User Interface
  • 22. A review of the UFED v3.9.6.7 Test Report (National Institute of Standards and Technology, 2014) showed that, in an examination of a variety of Android and iOS devices, the UFED Physical Analyzer performed better with Android-based devices.
    Lantern 4
    The following information was obtained from Lantern 4 Manual (Katana Forensics, Inc, 2014).
    - Operating System – Mac OS X 10.7 or higher
      o Computer Memory (RAM) required for installation – 4 GB
    - Supported mobile devices
      Figure 4: Lantern 4 Supported Devices
    - Here are some of the capabilities you will find in Lantern 4.0.
      o Link Analysis between devices
      o Recovery from Android Devices
      o Recover Deleted SMS
      o Read Gmail & Yahoo E-mail
      o Parse Skype Calls & Messages
      o Parse Facebook Data
  • 23.
      o Cellular Sites & WiFi Location Geo Data
      o WiFi Connections History
      o Improved Internet History
      o Geo Locate Videos & Photos
      o Application Usage Data
      o Analysis from .dd Images & Backups
      o Data Carving Images & Videos
      o Timeline Analysis
      o Bookmarking
      o View Data while Processing Acquisition
      o Physical Image E-mail Analysis
      o Document Analysis
      o Additional Geo Location data from physical images
      o Arbitrary Analysis
      o File system dump analysis from other applications
      o Decryption and analysis from other providers
      o Mac OS X Analysis
      o Support for the Newest Skype SQLite Format
      o SMS, MMS, and iMessage for iOS 6
      o WhatsApp analysis
      o Bookmarks and notation
  • 24. This is an example of the user interface of Lantern 4:
    Figure 5: Lantern 4 User Interface
    No examination has been completed of Lantern 4 by the National Institute of Standards and Technology.
    During the interview on November 26, 2014 with Det. Schmitt, he stated, “As for cost, Cellebrite is by far the most expensive, costing approximately $8000, 3 years ago to purchase the product and approximately $3000 in annual maintenance. We just purchased the UFED 4PC license this year which was originally $10,000 but was negotiated down to $4000 after trading in the old unit. As for Lantern, it was approximately $900 to purchase the product and $300 in annual maintenance. Both software benefit this department equally and we will continue to use both.”
    During the short opportunity I had to interact with both UFED 4PC and Lantern 4, I personally favored the UFED 4PC, which I felt had a better user interface. To that end, I have an extensive amount of experience with Microsoft-based operating systems over iOS, which I feel
  • 25. affected my preference. Considering the Cabarrus County Sheriff’s Office worked on a $2,282,640 operations budget for fiscal year 2014 (Cabarrus County, 2014), an expense of $10,000 for the UFED 4PC license and a $3000 maintenance cost was a major one compared to only a $300 maintenance cost for Lantern. When comparing the overall cost and annual maintenance to capabilities, it is easy to see that Lantern 4 is the better product for the cost.
  • 26. Chapter 5: Conclusion
    The need for law enforcement agencies across the US to invest in some form of mobile device forensic software is imperative to keep up to speed with the evolution of crime. Due to many budget constraints, it is just as imperative to utilize the most cost effective software which provides the most capabilities. The purpose of this study was to determine which software provides the best capabilities for the cost to the Cabarrus County Sheriff’s Office. The only limitation I had for this research was access to the software. Due to time constraints, schedules, and available forensic tools, my access was limited to two (2) forensic tools over a period of 2 days.
    My original assumption was that, given each software’s own capabilities and cost to the agency, neither is ultimately better than the other, but each meets specific needs in specific situations. After reviewing both UFED 4PC and Lantern 4, I found that Lantern 4 was the most cost effective forensic tool. UFED 4PC and Lantern 4 both provide similar capabilities, just in different formats. Each software has its own pros and cons, which make each better or worse than the other in some respects, but the cost of each makes it immediately clear which is more cost effective.
  • 27. References
    Ayers, R., Brothers, S., & Jansen, W. (2014). NIST Special Publication 800-101, Revision 1: Guidelines on Mobile Device Forensics. National Institute of Standards and Technology.
    Breeuwsma, M. (2006). Forensic Imaging of Embedded Systems using JTAG (boundary-scan). Digital Investigations, Volume 3, Issue 1, 32-42.
    Breeuwsma, M., Jongh, M. d., Klaver, C., Knijff, R. v., & Roeloffs, M. (2007). Forensic Data Recovery from Flash Memory. Small Scale Digital Device Forensics Journal Vol. 1, No. 1.
    Cabarrus County. (2014). Public Safety Budget. Retrieved from Cabarrus County: https://www.cabarruscounty.us/government/departments/finance/budget/Budget/finance_budget_public_safety_2015.pdf
    Cellebrite Ltd. (2014, September). UFED Physical Analyzer - User Manual. Cellebrite Ltd.
    Diffen. (n.d.). Android Vs iOS. Retrieved from Diffen: http://www.diffen.com/difference/Android_vs_iOS
    IDC Corporate USA. (n.d.). Smartphone OS Market Share, Q3 2014. Retrieved from IDC: http://www.idc.com/prodserv/smartphone-os-market-share.jsp
    Jonkers, K. (2010). The forensic use of mobile phone flasher boxes 5. Digital Investigation 6, 168-178.
    Katana Forensics, Inc. (2014). Lantern 4 Installation and Operation Manual. Washington, DC: Katana Forensics, Inc.
    National Institute of Standards and Technology. (2010). Smart Phone Tool Specification. Washington, DC: National Institute of Standards and Technology. Retrieved from http://www.cftt.nist.gov/documents/Smart_Phone_Tool_Specification.pdf
    National Institute of Standards and Technology. (2014). Test Results for Mobile Device Acquisition tool: UFED Physical Analyzer v3.9.6.7. NIST.
    Pew Research Center. (2014, January). Mobile Technology Fact Sheet. Retrieved from Pew Research Internet Project: http://www.pewinternet.org/fact-sheets/mobile-technology-fact-sheet/
    Schmitt, B. (2014, November 26). Detective. (S. H. Rickard, Interviewer)
    Sheriffs' Office, 2007 - Statistical Tables. (2012, December). Retrieved from Bureau of Justice Statistics: http://www.bjs.gov/content/pub/pdf/so07st.pdf
    Tech-FAQ. (n.d.). The History of Cell Phones. Retrieved from Tech-FAQ: http://www.tech-faq.com/history-of-cell-phones.html
    Willassen, S. (2005). Forensic Analysis of Mobile Phone Internal Memory. Advances in Digital Forensics, Vol. 194, (p. International Conference on Digital Forensics). 2006.
    Zdziarski, J. (2012). iOS Forensic Investigative Methods. Retrieved from zdziarski: http://www.zdziarski.com/blog/wp-content/uploads/2013/05/iOS-ForensicInvestigative-Methods.pdf
  • 28. Definition of Terms
    AMPS – Advanced Mobile Phone Service
    ASCII – American Standard Code for Information Interchange
    CFTT – Computer Forensic Tool Testing
    CHV1 – Card Holder Verification 1
    CHV2 – Card Holder Verification 2
    EEPROM – Electronically Erasable Programmable Read Only Memory
    FCC – Federal Communication Commission
    GPS – Global Positioning Satellite
    ICCID – Integrated Circuit Card ID
    IMSI – International Mobile Subscriber Identity
    IrDA – Infrared Data Association
    JTAG – Joint Test Action Group
    LCD – liquid crystal display
    MHz – megahertz
    NAND – Non-volatile storage technology that does not require power to retain data
    NFC – Near Field Connection
    NIST – National Institute of Standards and Technology
    NOR – Non-volatile storage technology that does not require power to retain data
    PIN – Personal Identity Number
    PUK – PIN Unlock Key
    RAM – Random Access Memory
    ROM – Read Only Memory
    SD – Secure Digital
    SIM – Subscriber Identity Module
    USB – Universal Serial Bus
    WIFI – Local area wireless technology