MOBILE DEVICE FORENSICS

Understanding Mobile Device Forensics
• People store a wealth of information on cell phones and mobile devices
• People don’t think about securing their mobile devices
• Items stored on mobile devices:
  • Incoming, outgoing, and missed calls
  • Text and Short Message Service (SMS) messages
  • E-mail
  • Instant-messaging (IM) logs
  • Web pages
  • Pictures
  • Personal calendars
  • Address books
  • Music files
  • Voice recordings
  • GPS data
• Investigating cell phones and mobile devices is one of the most challenging tasks in digital forensics
Understanding Cellular Connected Mobile Devices
• A Mobile Switching Center (MSC) is the switching system for the cellular network. The MSC is also responsible for communications between mobile and landline phones.
• The Base Transceiver Station (BTS) is the part of the cellular network responsible for communications between the mobile phone and the network switching systems.
• The Home Location Register (HLR) is a database used by the MSC that contains subscriber and service information.
  • It works with the Visitor Location Register (VLR) to track roaming status.
Inside Mobile Devices
• IMEI and IMSI
  • International Mobile Equipment Identifier
  • International Mobile Subscriber Identifier
  • Also MEID (Mobile Equipment Identifier) or ESN (electronic serial number)
• Phones store system data in electronically erasable programmable read-only memory (EEPROM)
  • Enables service providers to reprogram phones without having to physically access memory chips
• OS is stored in ROM
  • Nonvolatile memory
Inside Mobile Devices
• Subscriber identity module (SIM) cards
  • Found most commonly in GSM (Global System for Mobile Communications) devices
  • GSM refers to mobile phones as “mobile stations” and divides a station into two parts:
    • The SIM card and the mobile equipment (ME)
  • Portability of information makes SIM cards versatile
• Integrated Circuit Card Identifier (ICCID)
  • Identifies the subscriber to the network
  • Stores service-related information
  • PIN – unlocks the device
  • PUK – resets the PIN
    • Wipes the phone if entered incorrectly more than 10 times
  • Cipher algorithm
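Identifying the handset and its SIM, the first step of the analysis process on the next slide, comes down to the three identifiers named on this slide and the previous one: the IMEI (equipment), the IMSI (subscriber) and the ICCID (card). The following Python is an added example, not material from the lecture, that splits each identifier into its standard fields and verifies the Luhn check digit that the IMEI and ICCID carry, so a mistyped or hand-copied value is caught before it goes into a report. The Luhn check, the 8-digit TAC, the 3-digit MCC and the "89" telecom prefix of the ICCID are standard; the sample IMSI and ICCID are constructed, and the IMEI is the widely published test value.

```python
"""Sanity checks for the identifiers recovered when a handset and its SIM are
identified: IMEI (equipment), IMSI (subscriber) and ICCID (SIM card).

Added example, not part of the lecture slides. Sample values are constructed,
except the IMEI, which is the widely published test value 490154203237518.
"""


def luhn_check_digit(body: str) -> int:
    """Luhn check digit for `body` (all digits, check digit not yet appended)."""
    total = 0
    # Right to left: the digit nearest the (future) check digit is doubled first.
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def luhn_valid(number: str) -> bool:
    """True when the last digit is the Luhn check digit of the preceding ones."""
    if not number.isdigit() or len(number) < 2:
        return False
    return luhn_check_digit(number[:-1]) == int(number[-1])


def with_luhn(body: str) -> str:
    """Append the Luhn check digit (used here only to build a sample ICCID)."""
    return body + str(luhn_check_digit(body))


def parse_imei(imei: str) -> dict:
    """Split a 15-digit IMEI: 8-digit TAC (make/model), 6-digit serial, check digit."""
    if len(imei) != 15 or not imei.isdigit():
        raise ValueError("IMEI must be exactly 15 digits")
    return {
        "tac": imei[:8],
        "serial": imei[8:14],
        "check_digit": imei[14],
        "luhn_ok": luhn_valid(imei),  # a typo in a hand-copied IMEI fails here
    }


def parse_imsi(imsi: str, mnc_len: int = 2) -> dict:
    """Split an IMSI into MCC (3 digits), MNC (2 or 3 digits) and MSIN.

    The MNC length depends on the country (North American networks use 3),
    so it is passed in; it cannot be inferred from the digits alone."""
    if mnc_len not in (2, 3):
        raise ValueError("MNC is 2 or 3 digits")
    if not imsi.isdigit() or not 3 + mnc_len < len(imsi) <= 15:
        raise ValueError("IMSI must be numeric and at most 15 digits")
    return {"mcc": imsi[:3], "mnc": imsi[3:3 + mnc_len], "msin": imsi[3 + mnc_len:]}


def parse_iccid(iccid: str) -> dict:
    """Check an ICCID: typically 19 or 20 digits, '89' telecom prefix, Luhn check digit."""
    if not iccid.isdigit():
        raise ValueError("ICCID must be numeric")
    return {
        "typical_length": len(iccid) in (19, 20),
        "industry_ok": iccid.startswith("89"),
        "luhn_ok": luhn_valid(iccid),
    }


if __name__ == "__main__":
    print(parse_imei("490154203237518"))                  # published test IMEI
    print(parse_imsi("310150123456789", mnc_len=3))       # constructed IMSI
    print(parse_iccid(with_luhn("890141032111185107")))   # constructed ICCID body
```

The TAC and MCC/MNC fields are only split out here, not resolved to a manufacturer or carrier; that lookup needs an external allocation database and is left as a separate step.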
Mobile Device Forensic Analysis Process
• Biggest challenge is dealing with constantly changing models of cell phones
• When you’re acquiring evidence, generally you’re performing two tasks:
  • Acting as though you’re a PC synchronizing with the device (to download data)
  • Reading the SIM card
• First step is to identify the mobile device
  • Question: Why is this important?
Understanding Acquisition Procedures for Cell Phones and Mobile Devices
• The main concerns with mobile devices are loss of power and synchronization with PCs
• All mobile devices have volatile memory
  • Making sure they don’t lose power before you can retrieve RAM data is critical
• A mobile device attached to a PC via a cable or cradle/docking station should be disconnected from the PC immediately
• Communication or system messages might be received on the mobile device after seizure
  • Isolate the device from incoming (RF) signals
  • The drawback to using these isolating options is that the mobile device is put into roaming mode, which accelerates battery drainage
Data Acquisition Procedures for Cell Phones and Mobile Devices
• Check these areas in the forensics lab:
  • Internal memory
  • SIM card
    • Its file system is a hierarchical structure
  • Removable or external memory cards
• Information that can be retrieved:
  • Service-related data, such as identifiers for the SIM card and the subscriber
  • Call data, such as numbers dialed
  • Message information
  • Location information
• If power has been lost, PINs or other access codes might be required to view files.
• Encryption
Access Methods (6 types according to NIST)
• Manual extraction
  • Looking at pages of information directly on the device
• Logical extraction
  • File system dump
• Hex dumping and JTAG
  • Can work on damaged devices and bypass lock screens; reads directly from RAM/ROM
• Chip-off
  • Unsolder or cut the flash memory from the circuit board
• Micro read
  • Use a scanning electron microscope (SEM) to view data
Don’t ignore useful properties
When was the last time this phone was at 2SP?

Poke around and you will find…
Encoded Secrets
This has been truncated; the app stores your password.
Application Data
• Found in plists or SQLite files
• Apps continue to change formats
• Looking primarily for location and message data
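The two slides above make a pair of points: app data lives in SQLite databases and plists, and poking around in it turns up credentials that are merely encoded. The Python below is an added example (not lecture material) that builds a constructed app database and a constructed plist, reads messages and locations from the database through a read-only connection, and classifies how each credential-looking plist value is protected, decoding Base64 to show that encoding offers no protection at all. The schema, key names, phone numbers, coordinates and timestamps are all invented for the demonstration and match no real app.

```python
"""Pull message, location and credential artefacts out of the two stores the
slides name, a SQLite database and a property list (plist), and classify how
any stored credential is protected.

Added example, not from the lecture. Schema, keys and records are constructed.
"""
import base64
import os
import plistlib
import sqlite3
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CREDENTIAL_HINTS = ("pass", "secret", "token", "pin")
TABLES = ("message", "location")  # the only tables this demo is allowed to query


def build_sample_db(path: str) -> None:
    """Write a constructed app database: one message table, one location table."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE message(id INTEGER PRIMARY KEY, sender TEXT, body TEXT, ts INTEGER);
        CREATE TABLE location(id INTEGER PRIMARY KEY, lat REAL, lon REAL, ts INTEGER);
    """)
    con.executemany("INSERT INTO message(sender, body, ts) VALUES (?, ?, ?)", [
        ("+15550100", "meet at the usual place", 1700000000),   # constructed
        ("+15550199", "running late", 1700003600),
    ])
    con.executemany("INSERT INTO location(lat, lon, ts) VALUES (?, ?, ?)", [
        (40.7128, -74.0060, 1700000100),                        # constructed
        (40.7580, -73.9855, 1700003500),
    ])
    con.commit()
    con.close()


def build_sample_plist() -> bytes:
    """Constructed preferences file; the password is Base64-encoded, not encrypted."""
    prefs = {
        "username": "alice",
        "password": base64.b64encode(b"hunter2").decode("ascii"),
        "last_sync": "2023-11-14T22:13:20Z",
    }
    return plistlib.dumps(prefs)


def _iso(ts: int) -> str:
    """Unix seconds to an unambiguous UTC timestamp for the report."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()


def read_rows(path: str, table: str) -> list[dict]:
    """Query a copy of the database through a read-only URI so nothing is written back."""
    if table not in TABLES:
        raise ValueError(f"unknown table {table!r}")
    uri = f"{Path(path).resolve().as_uri()}?mode=ro"
    con = sqlite3.connect(uri, uri=True)
    con.row_factory = sqlite3.Row
    try:
        rows = con.execute(f"SELECT * FROM {table} ORDER BY ts").fetchall()
    finally:
        con.close()
    return [{**dict(zip(r.keys(), r)), "time": _iso(r["ts"])} for r in rows]


def classify_credentials(plist_bytes: bytes) -> dict:
    """For each credential-looking key, record the stored value and what protects it."""
    findings = {}
    for key, value in plistlib.loads(plist_bytes).items():
        if not any(h in key.lower() for h in CREDENTIAL_HINTS):
            continue
        finding = {"stored": value, "decoded": None, "protection": "undetermined"}
        if isinstance(value, str):
            try:
                finding["decoded"] = base64.b64decode(value, validate=True).decode("utf-8")
                finding["protection"] = "encoding only"  # readable by anyone holding the file
            except (ValueError, UnicodeDecodeError):
                pass
        findings[key] = finding
    return findings


def run_demo() -> dict:
    """Build the constructed artefacts in a scratch directory and examine them."""
    workdir = tempfile.mkdtemp()
    db_path = os.path.join(workdir, "app.db")
    try:
        build_sample_db(db_path)
        return {
            "messages": read_rows(db_path, "message"),
            "locations": read_rows(db_path, "location"),
            "credentials": classify_credentials(build_sample_plist()),
        }
    finally:
        for name in os.listdir(workdir):
            os.remove(os.path.join(workdir, name))
        os.rmdir(workdir)


if __name__ == "__main__":
    for section, items in run_demo().items():
        print(section, items)
```

On a real extraction the database copy must be taken together with any `-wal` and `-shm` sidecar files next to it, otherwise the most recent writes are missing from what the read-only query returns.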
Rooting
• Usually an alternate OS (may be command injection)
• Removes built-in restrictions on access to data
• Removes restrictions on, or makes it possible to add, third-party applications
• Consumers do it for functionality
• Investigators do it for access to data
• Manufacturers are making this more challenging
Summary
• People store a wealth of information on their cell phones
• Various generations of mobile phones
• Data can be retrieved from several different places in phones
• As with computers, proper search and seizure procedures must be followed for mobile devices
• To isolate a mobile device from incoming messages, you can place it in a specially treated paint can, a wave-blocking wireless evidence bag, or eight layers of antistatic bags
• SIM cards store data in a hierarchical file structure

Mobile Forensics


Editor's Notes

  • #6 Question: It is harder nowadays but what was so great back in the day with SIM cards and phones?
  • #7 Need software and know how to recover the SIM card
  • #8 Remote Wipe