The Fraternal Clone Method for CDMA Cell Phones

SMALL SCALE DIGITAL DEVICE FORENSICS JOURNAL, VOL. 3, NO. 1, JUNE 2009, ISSN 1941-6164

Det. Cynthia A. Murphy

Abstract

There are times during the examination of CDMA cell phones where the available phone forensics tools do not allow the forensic examiner/analyst to extract the data they need from the device. At other times the available tools may allow the forensic examiner/analyst to extract the full file system of a CDMA phone, but the data contained in the file system is encoded in a proprietary manner and cannot be decoded using forensic tools such as EnCase or FTK. Additionally, there are a number of situations that might preclude a forensic examiner/analyst from using a camera to document the data on a phone, such as when the phone's LCD screen is broken, the phone itself is broken, or the forensic examiner/analyst wishes to avoid physical manipulation of the phone to the extent possible during the examination. The CDMA Fraternal Clone method will allow the forensic examiner/analyst to transfer all user-created files and current settings from one CDMA phone into another phone so that the target phone (the CDMA Fraternal Clone) can be examined. The CDMA Fraternal Clone is used as a means to view the user-created data and settings from the original phone in their native format, allowing the forensic examiner/analyst to view and work with the extracted data in a way that emulates the original phone.

Index Terms: CDMA Cell Phone, CDMA Clone, Mobile Phone, BitPim, broken cell phone, broken mobile phone, Mobile Phone Forensics, Cell Phone Forensics, Cell Phone Forensics Techniques, CDMA, ESN, MIN, CDMA Protected Files

I. INTRODUCTION

There are times during the examination of CDMA cell phones where the available phone forensics tools do not allow the forensic examiner/analyst to extract the specific data they need from the device. At other times the available tools may allow the forensic examiner/analyst to extract the full file system of a CDMA phone, but the data contained in the file system is still encoded in a proprietary manner and cannot be decoded using forensic tools such as EnCase or FTK. When these situations arise, a common fall-back method is to document the contents of the phone screen by screen using a camera system such as Project-A-Phone or ZRT. There are a number of situations that might preclude a forensic examiner/analyst from using a camera to document the data on a cell phone using screenshots, such as when the phone's LCD screen is broken, the phone itself is broken, or the forensic examiner/analyst wishes to avoid physical manipulation of the phone to the extent possible during the examination.

With GSM cell phones, a common solution used during the examination of the phone is to clone the SIM card from the evidentiary phone and to insert the cloned SIM card into another GSM phone to complete the examination. This method is not an option for CDMA phones because the data exists on internal storage chips within the phone and not on a SIM card. The CDMA Fraternal Clone method will allow the forensic examiner/analyst to transfer all user-created files and current settings from one CDMA phone into another so that the target phone (the CDMA Fraternal Clone) can be examined. The CDMA Fraternal Clone is used as a vehicle to view the user-created data and settings from the original phone in their native format. The CDMA Fraternal Clone process allows the forensic examiner/analyst to view and work with the extracted data in a way that emulates the original phone.

Figure 1. Using the CDMA Fraternal Clone method, it is possible to transfer user data and settings from a broken CDMA phone to an intact one in order to view data from the original phone in its native format.

II. USES AND LIMITATIONS OF THE CDMA FRATERNAL CLONE METHOD

The CDMA Fraternal Clone method may be helpful to the forensic examiner/analyst under the following circumstances:

1. A CDMA cell phone is damaged or broken in a way that does not allow the forensic examiner/analyst to view the data displayed on the LCD screen.
2. The forensic examiner/analyst would like to work with the data extracted from a CDMA phone with minimal physical manipulation of the original evidence.
3. Available software tools don't report all of the pertinent data from the broken phone, such as the duration of the last call or other data of importance to the investigation.
4. Available software tools report conflicting information regarding data on the broken phone.

Limitations

In order for the CDMA Fraternal Clone method to be successful, the phone must not be so damaged that the data on the phone isn't accessible electronically, and the data port must be functional. This method may not be successful on all CDMA-based smart phones, but it does work with some such phones. If the forensic examiner/analyst is unable to access and create a copy of the file structure of the phone, this method will not be effective.

III. CREATING A CDMA CELL PHONE FRATERNAL CLONE

The goal of creating a CDMA Fraternal Clone is to transfer all of the user settings and user-created data from the evidentiary phone into a second phone that is identical in make, model and firmware version. The resulting Fraternal Clone is so named because, although the user data in the fraternal clone will be identical to that in the original phone, some system files will differ from phone to phone. This is an expected result: phone manufacturers and service providers protect certain system files, such as the Electronic Serial Number (ESN), as a method of preventing CDMA cloning fraud [1]. CDMA devices are protected by Electronic Serial Numbers (ESN), which act as the authentication facility between the devices and the network [2].

A CDMA device is protected by an Electronic Serial Number (ESN), which acts as the authentication facility between the devices and the network. So in the CDMA world, instead of approaching fraud from the ESN side, criminals are more likely to try to obtain handsets or network access fraudulently and build their attacks from there.

IV. HARDWARE AND SOFTWARE REQUIREMENTS

In order to successfully complete the CDMA Fraternal Clone process, the following hardware and software is necessary:

• Forensic computer
• Correct USB cable and drivers for the CDMA phone
• A CDMA phone of the same make, model and firmware version as the original phone. It is easier than may be expected to find phones of the same make, model and firmware. Good sources of target phones are cell phone recycling companies, cell phone donation programs, and ebay.com.
• Cell phone software/equipment capable of extracting or creating an image of the file system of the CDMA phone, such as BitPim, Paraben's Device Seizure, or Cellebrite. Instructions for using BitPim to extract the file structure from CDMA cell phones are described in this document.

V. THE CDMA FRATERNAL CLONE PROCESS

The process of creating a CDMA Fraternal Clone phone consists of four phases: (1) preparation of the forensic machine and the target phone; (2) creation of a full copy of the file structure of the evidentiary phone; (3) transfer of the data extracted from the evidentiary phone to the target phone to create the CDMA Fraternal Clone; and (4) verification of the integrity of the data transferred from the evidence phone to the CDMA Fraternal Clone.

Phase 1: Prepare the forensic machine and target phone

• Ensure that all necessary software and drivers are installed on the forensic computer:
  o Applicable cell phone and cable drivers
  o Chosen software for extracting the logical file system from the evidentiary cell phone (instructions for using BitPim are included here)
• Clear the data from the target phone:
  o Ensure that the target phone (the eventual CDMA Fraternal Clone) is reset to factory default settings. Instructions for resetting CDMA phones to factory default can be found in the user manual for the phone or at phone recycling sites such as http://www.recellular.com/recycling/data_eraser/default
  o Physically check the target phone to ensure that it contains no remaining user data. If there are extra files and folders on the target phone from previous user-installed applications that are not removed by the factory reset process, the forensic examiner/analyst may wish to delete these files and folders using BitPim prior to beginning the Fraternal Clone process.
  o The target phone will maintain its original ESN and other manufacturer- and/or carrier-protected files.

Phase 2: Create a full copy of the file structure of the evidentiary phone

• Using BitPim, set up a read-only session for the original evidence phone. Follow the instructions described in "Setting Up BitPim to Extract & Document Cell Phone Data" in Appendix A. Following this process carefully will prevent co-mingling of data between cases and between phones.
• Attach the evidentiary phone to the forensic computer and ensure that the phone is recognized in BitPim. If the phone isn't recognized automatically in BitPim, try clicking the Find Phone icon.

Figure 2. BitPim Find Phone

• BitPim will notify you when the phone has been detected and will inform you of the phone's status on the bottom panel of the BitPim screen.

Figure 3. BitPim Phone Recognized

TROUBLESHOOTING HINTS: If the phone isn't recognized automatically in BitPim, go to Edit > Settings and either choose the correct make/model of phone or choose "Other CDMA Phone". Then choose Edit > Detect Phone. You may have to manually set the correct port for the phone in BitPim. To set the port manually, choose Edit > Settings > Browse and find the correct port setting.

• Once the phone is detected by BitPim, choose View > View Filesystem. Even if BitPim reports that it doesn't detect the phone, this may still work.

Figure 4. BitPim View Filesystem

• Next, click on the file system icon on the left side of the window. Once you see the folder in the middle pane of BitPim, click on the plus sign and BitPim will begin to read and display the file system of the phone.

Figure 5. BitPim View Filesystem expanded

• Once the file system of the phone is displayed in BitPim, right-click on the root of the file system and choose "Backup entire tree".

Figure 6. BitPim Backup Entire Tree

• BitPim will then allow you to save the file system of the phone to a zip file on your forensic machine. Save the zip file in the proper directory on your forensic computer and make sure to give it an identifiable file name.

Figure 7. BitPim Backup Entire Tree, Save to zip file

TROUBLESHOOTING HINT: You may need to copy out each folder individually from the file structure of the phone, depending on the make and model of the phone you are working with. To do so, right-click on each folder and save it out to your forensic machine.

• Once you have successfully obtained a copy of the logical file structure from the phone, secure your original evidentiary phone.

Phase 3: Transfer the data back into the target phone to create the CDMA Fraternal Clone

• Set up a BitPim session for the target phone. Follow the instructions described in "Setting Up BitPim to Extract & Document Cell Phone Data" in Appendix A. Following this process carefully will prevent co-mingling of data between cases and between phones.
• Select Edit > Settings and then uncheck the box titled "Block writing data to the phone". This will allow you to write the extracted data back to the target phone.
• Attach the target phone to the forensic computer using the correct USB cable.
• Choose View > View Filesystem and view the file system of the target phone in BitPim.
• Right-click on the root of the directory and select Restore. Locate the backup of the evidentiary zip created earlier and click Open.
  Caution: Because you have disabled the function that blocks writing data to the phone, this will allow you not only to view but also to manipulate the file system of the target phone directly.

Figure 8. BitPim Restore from Backup

TROUBLESHOOTING HINT: If the BitPim restore function does not work, each folder or file may need to be added manually. To manually restore the file system of the phone, unzip the archive you created earlier from the evidence phone and drag and drop the folders and files individually.

• Once you have successfully restored the files from the original phone to the target phone, your CDMA Fraternal Clone is complete.

Phase 4: Verify the data transferred from the evidence phone to the CDMA Fraternal Clone

1. To ensure that the user data and settings transferred from the evidence phone to the CDMA Fraternal Clone are identical, create a logical image of the file structure of the fraternal clone phone with BitPim using the "Backup entire tree" option described earlier.
2. Using EnCase, FTK or another tool that has the ability to analyze hash values, compare the hash values of the files from within the archive files of the evidence phone and the CDMA Fraternal Clone phone.
  o You should find that the hash values related to the user-created data on the evidence phone and the CDMA Fraternal Clone are identical.
3. Those files that are system-generated and/or protected will not have identical hash values.

After completion of the above processes, the CDMA Fraternal Clone phone will contain all of the data from the evidence phone, and the CDMA Fraternal Clone phone can be used to view the files extracted from the evidence phone in their native format. Note that the archive files from the original phone and the cloned phone will not be identical, because each contains the protected system files of the phone it came from.

VI. ABOUT BITPIM

BitPim is an open source tool designed to allow the user to view and manipulate data on cell phones (www.bitpim.org). BitPim runs on Windows, Linux and Mac. The latest version of BitPim can be found at www.bitpim.org. As of the writing of this document, the current version of BitPim is 1.0.7.

VII. VALIDATION OF THE CDMA FRATERNAL CLONE METHOD

The CDMA Fraternal Clone method was tested and the results successfully replicated at the Champlain College Center for Digital Investigation and by the Cyber Forensics Program, College of Technology, at Purdue University.

VIII. SUMMARY

Under circumstances where cell phone forensic tools do not allow the forensic examiner/analyst to extract or view the data they need from a device, where available tools allow the extraction of the file system of a CDMA phone but the data contained in the file system is encoded and unreadable, or where the phone's LCD screen is broken or the phone itself is broken, the CDMA Fraternal Clone method will allow the forensic examiner/analyst to transfer all user-created files and current settings from one CDMA phone into another so that the CDMA Fraternal Clone phone can be examined. The CDMA Fraternal Clone is used to view user-created data and settings from the original phone in their native format. The CDMA Fraternal Clone process allows the forensic examiner/analyst to view and work with the extracted data in a way that emulates the original phone.

ACKNOWLEDGEMENT

The CDMA Fraternal Clone method was developed during the course of an ongoing homicide investigation to address limitations of current phone forensics tools in reporting data extracted from a severely broken phone. The author would like to express her gratitude to Richard Mislan, Richard Ayers and Gary Kessler for making themselves available for consultation and advice during the homicide investigation. The author recognized that external testing and validation of the method would be necessary in the event of a trial. The author would like to thank Jeff Lessard and Gary Kessler at the Champlain College Center for Digital Investigation, and Matt Levendowski and Richard Mislan in the Cyber Forensics Program, College of Technology at Purdue University, for their assistance in the testing and validation of the CDMA Fraternal Clone method. The author would also like to acknowledge the contributions of Garilyn Truttschel, Sam Brothers and Gary Kessler, who reviewed and commented on this document.

REFERENCES

[1] Federal Communications Commission. (November 2008). FCC consumer advisory: cell phone fraud. Retrieved from http://www.fcc.gov/cgb/consumerfacts/cellphonefraud.html
[2] Henegouwen, E. B. (Winter 2008). Protecting mobile networks from fraudulent attack. Retrieved from www.cita.org/advocacy/index.cfm?AID=11210

Cynthia A. Murphy is a Detective with the City of Madison, Wisconsin Police Department and has been a law enforcement officer since 1985. She is a certified computer forensic examiner and has directly participated in the forensic examination of hundreds of digital devices pursuant to criminal investigations of various types of crimes, including homicides, missing persons, computer intrusions, sexual assaults, child pornography, financial crimes and other investigations. She has successfully utilized her skills in the investigation and prosecution of numerous criminal cases involving digital evidence and has testified as an expert in both state and federal court. Det. Murphy is also a part-time Digital Forensics instructor at Madison Area Technical College.

APPENDIX A

Setting Up BitPim to Extract & Document Cell Phone Data

BitPim software can be set up to store data from multiple phones in separate storage areas, preventing the co-mingling of data between cases and between phones.

1. Install the BitPim software (www.sourceforge.net/projects/bitpim).
2. Create a Master Copy of BitPim. The BitPim Master will be the starting point for each phone you process.
  a. Create a folder on your desktop (or elsewhere if you want) named "BitPim Master".
  b. Open BitPim.
3. Set up BitPim to block writing data to the phone. From the upper right menu bar choose Edit > Settings.
4. The Settings screen will appear. Check the box "Block writing anything to the phone". Set Phone Type to "Other CDMA Phone" and Com Port to "Auto".
5. Next, choose Data > Create New Storage in the upper right menu bar of BitPim.
6. In the Storage Name box, type "BitPim Master".
7. In the Select New Storage Dir box, browse to the BitPim Master folder you created earlier.
8. In the Select Options box, select "Use Current Settings".
9. You will now see a box called Selection Summary. Check your settings to be sure they are correct and then click Finish. If so, you have successfully configured the master copy of BitPim.
10. Once you are finished with the above process, EXIT OUT OF BITPIM.
11. For each phone that you process, you will create a new storage area for the individual phone.
  a. Start by opening the BitPim Master that you created above.
  b. From the BitPim Master, create a new instance of BitPim. In the upper right menu bar choose Data > Create New Storage.
12. Create a unique name for the new instance of BitPim. Choose a name that will allow you to specifically identify the phone you are working on (case number, make/model, property tag or other unique ID).
13. Create a unique folder for each cell phone you process. Again, choose a unique name for the folder (case number, make/model, property tag or other unique ID). Browse to that storage location in BitPim and then choose Next.
14. In the Select Options dialog box, select "Use Current Settings" and then choose Next.
15. A summary dialog box will appear showing your selections. If you want to change anything, hit the Back button and change the settings accordingly.
16. Close out of the BitPim Master and open up the new BitPim storage area you created for the phone you are working on. Use this instance of BitPim to process the phone. While it may seem that this is a lengthy process to go through for each phone, once you get a couple of repetitions in it will become second nature. This process will ensure that the data you extract from each individual phone is not co-mingled in BitPim.
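The Phase 4 hash comparison described above, as an added example that is not part of the original paper: a Python script that hashes every file inside two BitPim "Backup entire tree" zip archives and sorts the paths into identical, differing and one-sided lists, so that user-created data should land in the first list and protected system files such as the ESN in the second. The archive contents and file paths are constructed for illustration and do not represent a real handset layout.

```python
"""Compare two BitPim "Backup entire tree" zip archives member by member.

Added example, not from the paper: automates the Phase 4 hash comparison the
paper does in EnCase or FTK. Sample archives below are constructed in memory.
"""
import hashlib
import io
import zipfile


def hash_members(zip_bytes):
    """Return {member path: SHA-256 hex digest} for every file in the archive."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_backups(evidence_zip, clone_zip):
    """Classify every path seen in either archive into four sorted lists:
    identical (expected for user-created data), differing (expected for
    protected/system files), and paths present on only one side, which
    point at restore gaps or files the target phone carried over."""
    ev, cl = hash_members(evidence_zip), hash_members(clone_zip)
    return {
        "identical": sorted(p for p in ev if p in cl and ev[p] == cl[p]),
        "differing": sorted(p for p in ev if p in cl and ev[p] != cl[p]),
        "only_in_evidence": sorted(set(ev) - set(cl)),
        "only_in_clone": sorted(set(cl) - set(ev)),
    }


def make_zip(members):
    """Build an in-memory zip from {path: bytes}; only used to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, data in members.items():
            zf.writestr(path, data)
    return buf.getvalue()


# Constructed sample archives (paths are illustrative, not a real handset layout):
# user data restored intact, a protected system file that differs per handset,
# one file the restore missed, and one leftover file on the target phone.
EVIDENCE_ZIP = make_zip({
    "pim/pbentry.dat": b"contact list",
    "brew/mod/photo.jpg": b"\xff\xd8photo",
    "nvm/nvm_0000": b"ESN-AAAA",
    "sms/inbox.dat": b"messages",
})
CLONE_ZIP = make_zip({
    "pim/pbentry.dat": b"contact list",
    "brew/mod/photo.jpg": b"\xff\xd8photo",
    "nvm/nvm_0000": b"ESN-BBBB",
    "brew/mod/leftover.bar": b"old app",
})


def main():
    for label, paths in compare_backups(EVIDENCE_ZIP, CLONE_ZIP).items():
        print(f"{label}: {paths}")


if __name__ == "__main__":
    main()
```

Anything in the only_in_evidence list is a restore gap to fix manually (see the Phase 3 troubleshooting hint); anything in only_in_clone is residue the factory reset did not remove.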