Mobile Forensics


Cellular Device Concepts

Terms

Mobile switching center (MSC) is the switching system for the cellular network.

  • used in 1G, 2G (GSM) and 3G circuit-switched networks
  • processes all the connections between mobile devices and between mobile devices and landline phones
  • responsible for routing calls between base stations and the public switched telephone network (PSTN)
  • forensic relevance: call detail records originate on the network side (MSC/billing), so they are obtained from the carrier, not from the handset

Base Transceiver Station (BTS) is part of the cellular network responsible for communications between the mobile phone and the network switching system.

Base station system (BSS), also called the base station subsystem, is the radio-access part of the cellular network that sits between the handset and the MSC.

  • consists of one or more BTSs and a base station controller (BSC)

Base station controller (BSC) is the central controller that coordinates the BTSs in a BSS (radio channel allocation, handover between cells).

Home location register (HLR) is the database used by the MSC that holds the permanent subscriber record (keyed by IMSI) and the services the subscriber is entitled to.

Subscriber identity module (SIM) is a smart card (not just a memory chip) that stores the International Mobile Subscriber Identity (IMSI) and performs the subscriber-authentication computation on-card, so the secret key never leaves it.

  • contains
    • a unique serial number (ICCID)
    • IMSI
    • the authentication key (Ki) and the algorithms that use it
    • ciphering information
    • network information (preferred networks, last location area)
    • services
    • two access codes
      • personal identification number (PIN): typically three wrong entries lock the SIM
      • personal unlocking code (PUK): unlocks a PIN-locked SIM

Electronic serial number (ESN) is a 32-bit unique identifier for a handset, created by the US FCC for the analog AMPS (1G) network and carried into CDMA.

  • used only in AMPS/CDMA phones; later superseded by the 56-bit MEID when the ESN space ran out
  • GSM phones use the IMEI instead

International Mobile Equipment Identity (IMEI) is a 15-digit number, usually unique, that identifies a GSM/UMTS/LTE handset (the device, not the subscriber).

  • structure: 8-digit type allocation code (TAC, identifies make and model), 6-digit serial number, one Luhn check digit
  • printed inside the battery compartment on phones with removable batteries; on newer phones it is on the SIM tray, the retail box, or the Settings "About" screen
  • can be displayed on screen by dialling *#06# on the dial pad
  • "usually unique" because IMEIs can be reprogrammed or cloned, so an IMEI alone is not proof of device identity

Personal unlocking code (PUK) is a carrier-issued code that unblocks a SIM whose PIN has been entered incorrectly too many times and allows a new PIN to be set.

  • applies to the SIM only; it does not reset the handset or erase handset data
  • if entered incorrectly 10 times in a row,
    • the SIM becomes permanently blocked and must be replaced by the carrier
    • data stored on the SIM (SIM contacts, SMS stored on the SIM, last dialled numbers) is then unreachable through the SIM interface
  • forensic rule: never guess a PIN or PUK; obtain the PUK from the carrier, which can look it up from the ICCID

Integrated circuit card identifier (ICCID) identifies each SIM card (not the handset).

  • printed on the card body and stored electronically on the SIM
  • typically 19 or 20 digits in total
  • has subsections important to forensics
    • number starts with the issuer identification number (IIN)
      • up to seven digits: the major industry identifier 89 (telecommunications), the country code, and an issuer identifier
    • variable length individual account identification number
      • identifies the specific SIM/account with that issuer
    • a final check digit computed with the Luhn algorithm (the same check used for the IMEI)
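The two identifiers above (IMEI and ICCID) share the same Luhn check digit, and an examiner records both from a seized handset. The following is an added example, not part of the original notes, that validates and splits each one. The sample values are constructed for illustration (the IMEI is the commonly cited example 49-015420-323751-8; the ICCID is made up), the short E.164 country-code table is an assumption standing in for the full ITU list, and the IIN length is a caller-supplied assumption because issuers use different lengths.

```python
"""Validate and split the handset/SIM identifiers used in mobile forensics.

Added example; sample identifiers are constructed for illustration.
"""
from dataclasses import dataclass

# Assumption: a handful of E.164 country calling codes is enough for the
# example. A real tool would carry the full ITU list.
E164_PREFIXES = {"1": "NANP", "44": "GB", "49": "DE", "81": "JP", "86": "CN", "91": "IN"}


def luhn_check_digit(body: str) -> int:
    """Return the Luhn check digit that belongs after `body` (digits only)."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:            # double every second digit, starting with the last body digit
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def luhn_valid(number: str) -> bool:
    """True if the last digit of `number` is the correct Luhn check digit."""
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == int(number[-1])


@dataclass
class IMEI:
    tac: str            # type allocation code: make/model
    serial: str         # manufacturer serial within the TAC
    check_digit: str
    luhn_ok: bool


def parse_imei(imei: str) -> IMEI:
    """Split a 15-digit IMEI; an IMEISV is 16 digits and carries no check digit."""
    imei = imei.replace(" ", "").replace("-", "")
    if len(imei) != 15 or not imei.isdigit():
        raise ValueError("IMEI must be 15 digits")
    return IMEI(tac=imei[:8], serial=imei[8:14], check_digit=imei[14], luhn_ok=luhn_valid(imei))


@dataclass
class ICCID:
    mii: str            # major industry identifier, "89" = telecommunications
    country: str        # E.164 country code found inside the IIN
    issuer: str         # issuer identifier (remainder of the IIN)
    account: str        # individual account identification number
    check_digit: str
    luhn_ok: bool


def parse_iccid(iccid: str, iin_len: int = 7) -> ICCID:
    """Split an ICCID into IIN / account / check digit.

    The IIN is at most 7 digits; its exact length varies by issuer, so
    `iin_len` is an assumption supplied by the caller (default 7).
    """
    iccid = iccid.replace(" ", "")
    if not (19 <= len(iccid) <= 20) or not iccid.isdigit():
        raise ValueError("ICCID is normally 19 or 20 digits")
    if iccid[:2] != "89":
        raise ValueError("ICCID should start with MII 89 (telecommunications)")
    iin = iccid[:iin_len]
    rest = iin[2:]
    country = ""
    for n in (3, 2, 1):            # longest-prefix match of the country code
        if rest[:n] in E164_PREFIXES:
            country = rest[:n]
            break
    return ICCID(
        mii=iin[:2],
        country=country,
        issuer=rest[len(country):],
        account=iccid[iin_len:-1],
        check_digit=iccid[-1],
        luhn_ok=luhn_valid(iccid),
    )


if __name__ == "__main__":
    print(parse_imei("49-015420-323751-8"))      # constructed sample
    print(parse_iccid("8914800000012345670"))    # constructed sample, check digit 0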

3GPP is a partnership of regional telecommunications standards organizations (ETSI among them) that maintains the specifications for the networks below.

  • 3rd-Generation Partnership Project
  • standards for
    • GSM
    • UMTS
    • LTE
    • 5G

Networks

Global System for Mobile (GSM) communications is a standard developed by the European Telecommunications Standards Institute (ETSI).

  • the principal 2G standard

Enhanced Data Rates for GSM Evolution (EDGE) is considered 2.75G (2G+).

  • is a bridge between 2G and 3G

Universal Mobile Telecommunications System (UMTS) is a 3G standard based on GSM.

  • improvement of GSM

Long Term Evolution (LTE) is a standard for wireless communications of high-speed data for mobile devices.

  • commonly called 4G

5G is 5th-Generation Wireless Systems, specified for a user-experienced data rate of 100 Mbit/s (peak rates are far higher).

Evidence You Can Get From a Cell Phone

  • call history
  • emails, texts, messages
  • photos and videos
  • phone information
  • GPS information
  • network information

SWGDE Guidelines

  • general overview of types of phone investigations:
    • Mobile Forensics Pyramid
      • The level of extraction and analysis required depends on the request and the specifics of the investigation
      • Higher levels require a more comprehensive examination and additional skills and may not be applicable or possible for every phone or situation
      • Each level of the Mobile Forensics Pyramid has its own corresponding skill set
      • The levels are:
        1. Manual
          • A process that involves the manual operation of the keypad and handset display to document data present in the phone’s internal memory
        2. Logical
          • A process that extracts a portion of the file system
        3. File System
          • A process that provides access to the file system
        4. Physical (Noninvasive)
          • A process that provides physical acquisition of a phone’s data without requiring opening the case of the phone
        5. Physical (Invasive)
          • A process that provides physical acquisition of a phone’s data and requires disassembly of the phone to access the circuit board (e.g., JTAG)
        6. Chip-Off
          • A process that involves the removal and reading of a memory chip to conduct analysis
        7. MicroRead
          • A process that involves the use of a high-power microscope to provide a physical view of memory cells

Device States

  • NIST SP 800-72 lists four states a mobile device can be in when you extract data:
    • Nascent state
      • devices are in the nascent state when received from the manufacturer
      • device contains no user data
      • has original factory configuration settings
    • Active state
      • devices are powered on, performing tasks, and able to be customized by the user and have file systems populated with data
    • Quiescent state
      • is a dormant mode that conserves battery life while maintaining user data and performing background functions
      • context information for the device is preserved in memory to allow quick resumption of processing upon returning to the active state
    • Semi-active state
      • is a state partway between active and quiescent
      • state is reached by a timer
        • triggered after a period of inactivity
      • allows battery life to be preserved by dimming the display and other actions

Seizing Evidence From a Mobile Device

  • rules
    • isolate the phone from all networks (airplane mode, Faraday bag, or power off) so it cannot be remotely wiped and incoming traffic does not overwrite existing data
    • ensure the phone does not sync with a computer if plugged in
      • important with iPhones, which auto-sync (and may back up) to a trusted computer
    • follow the same advice as with PCs
      • touch evidence as little as possible
      • document all your actions
  • tools specific to phone forensics
    • Oxygen Forensics
    • Cellebrite
      • heavily used by law enforcement
    • MOBILedit
    • Data Doctor
    • Device Seizure
    • Forensic SIM Cloner
      • used to clone SIM cards
  • NIST guidelines on how to write a mobile forensics report
    • Descriptive list of items submitted for examination, including serial number, make, and model
    • Identity and signature of the examiner
    • The equipment and setup used in the examination
    • Brief description of steps taken during examination, such as string searches, graphics image searches, and recovering erased files
    • Supporting materials
      • e.g., printouts of particular items of evidence, digital copies of evidence, and chain of custody documentation
    • Details of findings:
      • specific files related to the request
      • other files, including deleted files, that support the findings
      • String searches, keyword searches, and text string searches
      • Internet-related evidence, such as website traffic analysis, chat logs, cache files, email, and news group activity
      • Graphic image analysis
      • Indicators of ownership, which could include program registration data
      • Data analysis
      • Description of relevant programs on the examined items
      • Techniques used to hide or mask data
        • e.g., encryption, steganography, hidden attributes, hidden partitions, and file name anomalies
    • Report conclusions

SQLite

  • iPhone and Android apps (messages, call history, contacts, browsers) store their data in SQLite databases
  • is an embedded database library; the whole database is a single cross-platform file
  • commonly uses a .db or .sqlite extension, but the extension is not reliable; identify a file by its 16-byte header "SQLite format 3\0"
  • writes are serialized by locking the whole database; in the default rollback-journal mode a -journal file exists during a write, in WAL mode recent changes live in a separate -wal file until checkpointed
    • collect the -wal, -shm and -journal sidecar files together with the main file or the newest records are lost
  • deleted rows often survive in free pages and unused page space until overwritten, which is why file system and physical extractions recover more than logical ones
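An added example, not part of the original notes, showing the triage an examiner does on an SQLite file before analysing it: identify it from the 100-byte file header instead of the extension, read page size and free-page count, and detect WAL mode so the sidecar files get collected. The messages table, its rows and the file name sms.sqlite are constructed for the example and stand in for an app database such as an iOS message store.

```python
"""Triage an SQLite database from its header before opening it.

Added example with a constructed sample database; not the original notes' code.
"""
import os
import sqlite3
import struct
import tempfile
from typing import List, Optional

SQLITE_MAGIC = b"SQLite format 3\x00"     # first 16 bytes of every SQLite 3 file


def parse_sqlite_header(path: str) -> Optional[dict]:
    """Return facts from the 100-byte header, or None if the file is not SQLite."""
    with open(path, "rb") as f:
        hdr = f.read(100)
    if len(hdr) < 100 or hdr[:16] != SQLITE_MAGIC:
        return None
    raw_page_size = struct.unpack(">H", hdr[16:18])[0]
    write_ver, read_ver = hdr[18], hdr[19]   # 1 = rollback journal, 2 = WAL
    return {
        "page_size": 65536 if raw_page_size == 1 else raw_page_size,
        "wal": write_ver == 2 and read_ver == 2,
        "change_counter": struct.unpack(">I", hdr[24:28])[0],
        "page_count": struct.unpack(">I", hdr[28:32])[0],
        # freed pages are never zeroed by default and may still hold deleted rows
        "freelist_pages": struct.unpack(">I", hdr[36:40])[0],
        "sidecars": [s for s in ("-wal", "-shm", "-journal") if os.path.exists(path + s)],
    }


def list_tables(path: str) -> List[str]:
    """Read the schema over a read-only URI connection (always work on a copy)."""
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        rows = con.execute("SELECT name FROM sqlite_master WHERE type='table' ORDER BY name").fetchall()
    finally:
        con.close()
    return [r[0] for r in rows]


# Constructed sample rows standing in for a message table.
SAMPLE_MESSAGES = [
    ("+15555550100", "meet at 9", 1700000000),
    ("+15555550101", "on my way", 1700000060),
    ("+15555550100", "running late", 1700000120),
]


def build_and_triage(tmpdir: str) -> dict:
    """Create the sample DB, triage it, switch it to WAL mode, triage again."""
    path = os.path.join(tmpdir, "sms.sqlite")   # deliberately not .db: the extension proves nothing
    con = sqlite3.connect(path)
    con.execute("PRAGMA page_size = 4096")      # must precede the first write
    con.execute("CREATE TABLE message (ROWID INTEGER PRIMARY KEY, handle TEXT, text TEXT, date INTEGER)")
    con.executemany("INSERT INTO message (handle, text, date) VALUES (?, ?, ?)", SAMPLE_MESSAGES)
    con.commit()
    before = parse_sqlite_header(path)
    tables = list_tables(path)

    con.execute("PRAGMA journal_mode = WAL")    # rewrites header bytes 18/19 to 2
    con.execute("INSERT INTO message (handle, text, date) VALUES (?, ?, ?)",
                ("+15555550101", "ok", 1700000180))
    con.commit()
    # While the WAL connection is open this newest row exists only in sms.sqlite-wal;
    # copying just the main file would miss it.
    during_wal = parse_sqlite_header(path)
    con.close()   # closing checkpoints the WAL into the main file and removes the sidecars
    return {"before": before, "during_wal": during_wal, "tables": tables}


def run_demo() -> dict:
    """Run the triage in a temporary directory alongside a decoy non-SQLite file."""
    with tempfile.TemporaryDirectory() as d:
        result = build_and_triage(d)
        decoy = os.path.join(d, "notes.db")     # a .db file that is not SQLite
        with open(decoy, "wb") as f:
            f.write(b"plain text, not a database\n" * 8)
        result["decoy_is_sqlite"] = parse_sqlite_header(decoy) is not None
    return result


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

Opening a database with sqlite3, even read-only, can touch the evidence (a WAL database needs a -shm file, and closing a writable connection checkpoints the WAL), so run this against a working copy; on read-only media the `immutable=1` URI parameter tells SQLite not to lock or look for sidecar files at all.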

The iPhone

  • a .Trashes/501 folder is the per-user trash that macOS creates on volumes it mounts (501 is the UID of the first macOS user account); it is where deleted files go when the volume is handled by a Mac, not where iOS itself puts deletions
  • on the device, iOS keeps deleted photos and files in a "Recently Deleted" folder for about 30 days, and after that the underlying data remains in unallocated space and SQLite free pages until overwritten