
CHAPTER 20 Digital Evidence On Mobile Devices



1. and share information even when they are in prison, and digital investigators can gain significant insights into these groups using information from their mobile devices. Information on mobile devices can also be of use in serious crimes when a person of interest may not realize that they are carrying a mobile device, or is not thinking of it as a source of incriminating digital evidence.

CASE EXAMPLE: POCKET DIAL M FOR MURDER
Ronald Williams killed his wife Mariama, apparently in a fit of rage after learning that she had an affair. Unbeknownst to Williams, his cell phone pocket dialed his wife's cell phone during the crime and the call went to voicemail. The recording on his wife's voicemail captured him stating that he was going to kill her, followed by her screams and their 2-year-old daughter pleading with Williams to stop (Krueger, 2011).

The increasing computational power of mobile devices has afforded even greater uses and, with that, greater potential for misuse. For instance, some mobile devices are optimized for data acquisition such as credit card scanning and scientific measurements (e.g., voltage, temperature, acceleration). This flexibility has ramifications beyond the manufacturer's intentions, and mobile devices have been used to steal credit cards and trigger bombs (van der Knijff, 2009; Wilson, 2006). This chapter demonstrates how mobile devices can be useful as
2. Communications, documents, and multimedia created using a mobile device may be transferred to cloud-based services for long-term storage. Mobile devices that are capable of accessing the Internet can provide further linkage to online social networks such as Facebook, which can provide digital investigators with further information about who an individual is associated with. Therefore, digital investigators may find a treasure trove of data on these servers that is no longer available on the mobile device itself.

Digital investigators can also use information from mobile devices to learn more about the user's social network. Even a basic mobile phone can provide digital investigators with a wealth of information about the user's social network; analysis of contacts and address books provides an indication of an individual's social, work, and family networks. The ability to reconstruct social networks using information from mobile devices is a powerful tool for investigating any criminal organizations, including drug dealers, gangs, human traffickers, and terrorists (Koschade, 2006).

CASE EXAMPLE: CLEANING THE STREETS
Although drug dealers were using cheap disposable mobile devices to conduct their criminal enterprise, digital investigators were able to use information from these devices [...]. In addition to linking drug dealers based on call history recovered from mobile devices, digital investigators recovered photographs of individuals doing o
3. grouper.ieee.org/groups/1149/1). The JTAG standard specifies an interface for standardized approaches to test integrated circuits, interconnections between components, and a means of observing and modifying circuit activity during a component's operation (Breeuwsma, 2006). It is a standard feature found in many mobile phones, as it provides manufacturers a low-level interface to the device that is not dependent on the operating system. However, the JTAG specifications for individual phones are not available outside the manufacturer.

JTAG is of interest to forensic investigators and analysts as it can theoretically provide direct access to a mobile phone's memory without any chance of altering it. However, the time and knowledge required to achieve this is substantial, requiring not only an understanding of JTAG for the specific model of phone, but also the ability to reconstruct the resulting binary comprised of the device's memory structures. Despite the limitations in using JTAG as a forensic extraction mechanism, it provides the most common method of physical extraction. JTAG is common across multiple device manufacturers, and there are multiple devices that extract memory structures through JTAG.

20.4.6 Chip-off Extraction
Extracting the memory chips from a phone and reading them directly is by far the most exacting extraction method, but has the advantage of interfacing with the data in the most direct way. Chip extraction is the most low-level physical
4. [Figure residue: Palm webOS SQLite records (com.palm.pim.* entries with messageText, summary and previewText columns), including SMS test messages and an "Incoming email" record from "David Smith" with the body "Thisisaninboundemail"]
FIGURE 20.25A Records in a SQLite database viewed with a browser.
[Figure residue: hex view of the same record at file offsets 00209472 to 00209856, showing the sender name, address and date strings in the raw page bytes]
FIGURE 20.25B Raw record data in a SQLite database viewed using a hex viewer.

Some mobile devices use proprietary file formats to store information, and these may contain deleted data similar to that described in SQLite databases. For instance, Windows Mobile devices store communications in a Microsoft proprietary
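To see why a deleted SQLite record can still turn up in a hex view of the database file, the following Python script (an added example, not code from the book or from any tool it names) builds a small constructed messages database, deletes one row, and then scans the raw file bytes for the deleted text. It does this once with SQLite's secure_delete pragma off, the usual default, and once with it on, which makes SQLite zero freed cell space. The table and column names and the message texts are constructed for the example.

```python
import os
import sqlite3
import tempfile

# Constructed sample rows; nothing here comes from a real device.
SAMPLE_ROWS = [
    ("Outgoing", "Test message one"),
    ("Incoming", "Ping me when the shipment lands"),
    ("Outgoing", "Battery is low, call later"),
]
DELETED_TEXT = "Ping me when the shipment lands"
LIVE_TEXT = "Test message one"


def build_and_delete(path: str, secure_delete: bool) -> int:
    """Create a messages table, delete one row, return the rows remaining."""
    con = sqlite3.connect(path)
    # Rollback-journal mode so the main file holds the pages we inspect.
    con.execute("PRAGMA journal_mode=DELETE")
    # secure_delete=ON makes SQLite zero freed cell space instead of leaving it.
    con.execute("PRAGMA secure_delete=%s" % ("ON" if secure_delete else "OFF"))
    con.execute(
        "CREATE TABLE messages(id INTEGER PRIMARY KEY, direction TEXT, body TEXT)"
    )
    con.executemany(
        "INSERT INTO messages(direction, body) VALUES (?, ?)", SAMPLE_ROWS
    )
    con.commit()
    # The row is gone from the logical view, but its cell is only marked free.
    con.execute("DELETE FROM messages WHERE body = ?", (DELETED_TEXT,))
    con.commit()
    remaining = con.execute("SELECT count(*) FROM messages").fetchone()[0]
    con.close()
    return remaining


def carve_strings(path: str, needle: str) -> list:
    """Offsets of every occurrence of needle in the raw file, ignoring page structure."""
    with open(path, "rb") as f:
        raw = f.read()
    pattern = needle.encode("utf-8")
    offsets = []
    start = 0
    while (idx := raw.find(pattern, start)) != -1:
        offsets.append(idx)
        start = idx + 1
    return offsets


def demo(secure_delete: bool) -> dict:
    """Build a DB, delete a row, and report whether the deleted text survives on disk."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "messages.db")
        remaining = build_and_delete(path, secure_delete)
        return {
            "rows_remaining": remaining,
            "deleted_text_found": bool(carve_strings(path, DELETED_TEXT)),
            "live_text_found": bool(carve_strings(path, LIVE_TEXT)),
        }


if __name__ == "__main__":
    for mode in (False, True):
        print("secure_delete=%s -> %s" % (mode, demo(mode)))
```

The carving is deliberately structure-blind, like a keyword search over an image; a recovery tool would instead walk each page's freeblocks and the database freelist. A later VACUUM or reuse of the freed space overwrites this residue, which is why acquiring the database file early matters.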
5. cal analysis of data structures found in a memory dump from a Sony Ericsson K800i mobile device (www.dfrws.org). The Digital Forensic Framework plug-in that was developed in this submission to recover wear-leveling tables enables a forensic analyst to reconstruct the most recent flash abstraction layer as well as past states of the device, if they still exist in memory. Once the desired state of memory has been reconstructed, the DFF tool can be used to view various states of the file system, including metadata associated with files, folders, and deleted items, as shown in Figure 20.24.

[Figure residue: DFF node browser showing the SonyEricsson K800i NAND image with several FAT file system partitions and folders such as gmail, wap profile, settings, messaging, email, and mms temp, with accessed, changed, and modified times]
FIGURE 20.24 File system, including deleted items, reconstructed from a physica
6. [Figure residue: continuation of the EnCase table in Figure 20.21, listing Photo-0023.jpg through Photo-0032.jpg with created and written dates in 2005, file sizes, and folder names such as multimedia, IMAGES, downloaded images, music and PLAYLIST, followed by a hex view of the directory entries]
7. Flash memory has a limited number of writes and can only be erased block by block, and mobile devices generally wait until a block is full before erasing data. Furthermore, mobile devices use proprietary wear-leveling algorithms to spread write/erase cycles across Flash memory blocks, which can result in deleted data remaining for some time while new data are written to less used portions of memory. In order to access and recover older deleted copies of data, it is necessary to acquire a full copy of physical memory, as covered later in this chapter.

For all the collection, extraction, and analysis issues mobile devices present, they are an excellent source of digital evidence and can provide insight unavailable from other devices. Additionally, the personal nature of the device makes it easy to establish the "last mile" evidence required to tie a device to an individual.

20.1.1 Fundamentals of Mobile Device Technology
Mobile devices are simple computers with a CPU, memory, batteries, input interfaces such as a keypad or mouthpiece, and output interfaces such as a screen or earpiece. Data in memory are generally the focus of a forensic examination, but some understanding of the input and output components is needed to access these data. In some instances it may be sufficient to operate a device manually and read information from the display. However, to recover deleted data or perform a more advanced examination, specially designed tools
8. [Figure residue: keyword search dialog with the text "we are down one" in GSM 7-bit packed, no-case format, and a list of matching memory blocks (each reported as "GSM 7 bit packed no case, shifted 0 bits" with a block address and length)]
FIGURE 20.26 Deleted SMS messages recovered from a physical memory dump of a Motorola Z3 device by keyword searching for a 7-bit encoded string.

Certain data on mobile devices, particularly phone numbers, are stored in nibble-reversed format. This means that each byte in the number is stored in reverse order. For instan
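The keyword search in Figure 20.26 and the nibble-reversed numbers described above can both be reproduced in a few dozen lines. The Python below is an added example, not code from the book or from the tool shown in the figure: it packs and unpacks the GSM 03.38 7-bit default alphabet, searches a constructed memory dump for a keyword at each of the seven possible bit alignments (the "shifted N bits" of the figure), and decodes a nibble-swapped phone number. The dump contents and the phone number are constructed; the keyword is the one visible in the figure.

```python
# GSM 03.38 default 7-bit alphabet in code-point order (128 characters).
GSM7_ALPHABET = (
    "@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ !\"#¤%&'()*+,-./0123456789:;<=>?"
    "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà"
)
GSM7_INDEX = {c: i for i, c in enumerate(GSM7_ALPHABET)}
# Telephony BCD nibble values: 0-9 are digits, A-E are * # a b c, F is filler.
TBCD_DIGITS = "0123456789*#abc"


def _septet_bits(text: str) -> int:
    """Septets packed LSB first into one integer (the SMS TP-UD layout)."""
    bits = 0
    for i, ch in enumerate(text):
        bits |= GSM7_INDEX[ch] << (7 * i)
    return bits


def pack_gsm7(text: str) -> bytes:
    return _septet_bits(text).to_bytes((7 * len(text) + 7) // 8, "little")


def unpack_gsm7(data: bytes, septets: int) -> str:
    bits = int.from_bytes(data, "little")
    return "".join(GSM7_ALPHABET[(bits >> (7 * i)) & 0x7F] for i in range(septets))


def find_gsm7(dump: bytes, keyword: str) -> list:
    """Masked search for keyword packed at each of the 7 possible bit shifts.

    A packed string only starts on a byte boundary when its septet index is a
    multiple of 8, so a search tool must try all seven alignments.
    Returns (byte_offset, bit_shift) pairs."""
    nbits = 7 * len(keyword)
    bits = _septet_bits(keyword)
    hits = []
    for shift in range(7):
        nbytes = (nbits + shift + 7) // 8
        pattern = (bits << shift).to_bytes(nbytes, "little")
        mask = (((1 << nbits) - 1) << shift).to_bytes(nbytes, "little")
        for off in range(len(dump) - nbytes + 1):
            if all((dump[off + k] & mask[k]) == pattern[k] for k in range(nbytes)):
                hits.append((off, shift))
    return hits


def decode_swapped_bcd(data: bytes) -> str:
    """Digits stored nibble-reversed: 0x21 0x43 0x65 0xF7 reads as 1234567."""
    digits = []
    for b in data:
        for nib in (b & 0x0F, b >> 4):
            if nib == 0x0F:          # filler nibble ends an odd-length number
                return "".join(digits)
            digits.append(TBCD_DIGITS[nib])
    return "".join(digits)


# Constructed "memory dump": 0xFF filler around a packed message in which the
# keyword starts at septet 3, i.e. bit 21 = byte 2, shift 5 within the payload.
MEMORY_DUMP = b"\xff" * 16 + pack_gsm7("ok we are down one") + b"\xff" * 16

if __name__ == "__main__":
    print(pack_gsm7("hellohello").hex())
    print(find_gsm7(MEMORY_DUMP, "we are down one"))
    print(decode_swapped_bcd(bytes.fromhex("214365f7")))
```

The masked comparison is what lets the search ignore the neighbouring septets that share a byte with the keyword's first and last characters; without it, a byte-string search would only find messages whose keyword happened to start on a byte boundary.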
9. code (MCC), mobile network code (MNC), and a serial number of the card. These smart cards are used to authenticate users on GSM and UMTS networks. The SIM card contains information relating to the network and user, including an authentication key called Ki needed to establish a connection with the network, the subscriber's personal identification number (PIN) for restricting use of the SIM, and the subscriber's phone number, which is called the Mobile Subscriber ISDN (MSISDN). The SIM also contains an International Mobile Subscriber Identity (IMSI) that is uniquely associated with the subscriber and is comprised of a country code, a mobile network code, and a subscriber identification number. A SIM card may also contain a Temporary Mobile Subscriber Identity (TMSI) and Location Area Identity (LAI). The TMSI is often used over the radio link to avoid revealing the IMSI number to others who may be eavesdropping with radio-related interception equipment. The TMSI and LAI generally change each time a device moves to a new location area within the mobile network. Not all of the information stored on a SIM card is known or easily accessible by the subscriber. Notice also the separation between the mobile device and the SIM card; a SIM card can easily be transferred to another mobile device.

20.2 TYPES OF EVIDENCE ON MOBILE DEVICES
The forensic benefit of mobile devices in an investigation varies
10. extraction method (Breeuwsma et al., 2007). The output from chip extraction is forensically the cleanest, relying on no intermediate communications systems or on the device in any way. Reading the chip directly returns the memory structures for analysis. However, this approach suffers from the same issues as JTAG extraction and will return only raw memory structures. Additionally, this is the most complex extraction method and has a failure rate associated with it. This approach is considered impractical in many situations where evidence may be returned, in cases where no guilt is established, or when prosecution does not occur.

Once extracted, flash chips must be read to extract data. Device programmers are designed to write data to memory chips but can be used to extract data from the chips for forensic purposes. This acquisition method requires the mobile device to be dismantled and the chip to be removed, and is sometimes referred to as chip-off processing. It is generally necessary to obtain a socket designed to connect a particular make of chip to the device programmer. There are several commercial device programmers available: Data I/O FlashPAK II (www.dataio.com), Xeltek SuperPro 5000 (http://www.xeltek.com), and BPM Microsystems (http://www.bpmmicro.com).

20.5 FORENSIC EXAMINATION AND ANALYSIS OF MOBILE DEVICES
The purpose of performing a forensic examination is to f
11. growth areas in the field of digital evidence examination.

REFERENCES
Borland, S. (2008, February). Happy slap girl facing jail after conviction. The Telegraph. Available from http://www.telegraph.co.uk/news/uknews/1578776/Happy-slap-girl-facing-jail-after-conviction.html
Breeuwsma, M. (2006). Forensic imaging of embedded systems using JTAG. Digital Investigation.
Breeuwsma, M., de Jongh, M., Klaver, C., van der Knijff, R., & Roeloffs, M. (2007). Forensic data recovery from flash memory. Small Scale Digital Device Forensics Journal, 1(1). Available from www.ssddfj.org/papers/SSDDFJ_V1_1_Breeuwsma_et_al.pdf
Casey, E. (2009). Delving into mobile device file systems. Available from http://blog.cmdlabs.com/2009/12/10/delving-into-mobile-device-file-systems
Casey, E., Bann, M., & Doyle, J. (2009). Introduction to Windows Mobile forensics. Digital Investigation, 6(3-4).
Conrad, C. (2010, October 3). Cell phones cause hang-up for police to track drug deals. Mail Tribune. Available from http://www.mailtribune.com/apps/pbcs.dll/article?AID=/20101003/NEWS/10030336/-1/MARKET
Jones, A. (2008, January 21-23). Keynote speech. In First International Conference on Forensic Applications and Techniques in Telecommunications, Information and Multimedia, Adelaide, Australia.
Klaver, C. (2009). Windows Mobile advanced forensics. Digital Investi
12. interface. Cellebrite Universal Forensic Extraction Device (UFED) (http://www.cellebrite.com) is a self-contained, portable mobile phone logical acquisition device. The system is self-powered and copies data to a USB disk or to a second phone. Cellebrite UFED was designed in Israel. The Cellebrite UFED is shown in Figure 20.15. Cellebrite also have an additional component, UFED Physical Pro, that allows physical acquisition of mobile phones and other small-scale devices. UFED systems are also available in a field-ready, ruggedized form.

Logicube CellDEK (http://www.logicubeforensics.com) is a system designed to acquire data from mobile phones and other small-scale devices such as GPS receivers. CellDEK conducts logical extraction of data via USB, infrared, and Bluetooth.

MOBILedit Forensic (http://mobiledit.com) is another logical data acquisition tool. MOBILedit Forensic can be purchased as a software-only tool or as part of a kit including cables and an infrared reader.

[Figure residue: XRY "General Information" panel listing the device name, the device profile used (an HTC handset sold as the T-Mobile Dash), firmware revision, IMEI, and the device clock alongside the acquisition time in UTC]
FIGURE 20.13 XRY interface showing data acquired from a mobile device.
FIGURE 20.15 Celleb
13. logical extraction in different ways to ensure all possible content has been extracted.

The main benefit of acquiring physical memory is that a more complete capture of data is obtained, including deleted items. In addition, physical acquisition methods can work with damaged mobile devices and generally make fewer alterations to the original device while data are being acquired. There are several approaches to acquiring a forensic duplicate of mobile devices at a physical level. Some forensic tools transfer and run an executable, commonly called a software agent, on the mobile device. Alternately, the boot process of some mobile devices can be interrupted, giving access to the system before the main operating system loads and enabling you to interact with the device at a low level via a boot loader. More advanced methods of acquiring physical memory involve accessing mobile devices at a hardware level, either through the JTAG interface or by reading the Flash memory chips directly. However, extracting a full dump of physical memory does not provide the logical structure of the file system, making it necessary to either extract unstructured data or interpret file system information in a raw form.

Best practice guidelines from the 2000 International Organization on Computer Evidence conference (IOCE, 2000) state that phones and other electronic devices should be examined with methods that minimise loss or change of data. However, acquisition
14. sources of digital evidence, describes the basic operation of mobile devices, and presents tools and techniques for acquiring and examining digital evidence on these devices. Notably, mobile devices are just one type of embedded system, and there are advanced approaches to extracting information from such devices, including JTAG access and chip-off extraction. A more in-depth treatment of embedded systems, including GSM mobile telephones, is provided in the Handbook of Digital Forensics and Investigation (van der Knijff, 2009) and the cmdLabs Web site (http://www.cmdlabs.com).

20.1 MOBILE DEVICE FORENSICS
Mobile devices are dynamic systems that present challenges from a forensic perspective. Additionally, new models of phones are being developed globally, with some experts postulating that five new phone models are released every week (Jones, 2008). The growing number and variety of mobile devices makes it difficult to develop a single process or tool to address all eventualities. In addition to a growing variety of smart phones and platforms, including Android systems, Blackberry, Apple iPhone, and Windows Mobile, there are a massive number of low-end phones using legacy OS systems. Furthermore, there are some unique considerations when preserving mobile devices as a source of evidence. Most mobile devices are networked devices, sending and receiving data through telecommunication systems, WiFi access points, and
15. system for later examination using other tools. Commercial forensic tools such as Cellebrite can acquire the full logical file system from many mobile devices, including metadata such as date-time stamps.

[Figure residue: BitPim file system view of a Motorola handset showing folders and files such as PhoneBook, WebSession, MyToneDB.db, MSGDB_msg_data.bin, EMS_message_0.bin, EMS_message_1.bin, EMS_concat_info.bin, DL_FS_FILE_INFO_FILE, DL_FS_DYN_DIR_FILE, BT Params, ALARMCLOCK, and FACTORY]

Some mobile devices use the FAT file system to arrange data in memory, others use Linux ext2/ext3 file systems, and iPhones use HFSX, which is unique to Apple computer systems. As a result, it is often possible to perform a forensic analysis of a physical forensic duplicate of mobile devices using file system forensic tools such as those covered in Chapters 17, 18, and 19. Figure 20.19 shows a forensic duplicate of an iPhone being examined using FTK.

[Figure residue: Evidence Items > HFS Private Dat
16. [Figure residue: iXAM acquisition log with timestamps of 1/25/2011, showing the iXAM bootloader connecting to an iPhone 3G, reading the device serial number, IMEI and ECID, checking the device clock, registering two partitions, and reporting iPhone OS software version 3.1.2 (build Northstar 7D11)]
FIGURE 20.16 Acquisition of an iPhone using iXAM.

20.4.2 Software Agents
Some forensic tools transfer and run an executable, commonly called a software agent, on the mobile device in order to acquire data from the device. Using a software agent has advantages from a forensic perspective because it provides a degree of trust and control over the process. However, if the software agent associated with a forensic tool cannot run on the evidential device, no data will be acquired. If specific files on a mobile device are inaccessible through the operating system, som
17. 800 contains information for 1800 MHz band operation. Similarly, some Elementary Files have common names. For example, 3F00/2FE2 is named EF_ICCID (it stores the ICC-ID) and 3F00/7F20/6F07 is named EF_IMSI (it stores the IMSI).

There are many tools for extracting data from SIM cards, including TULP2G (http://tulp2g.sourceforge.net), developed by the Netherlands Forensic Institute and made freely available. Although the tool is generally limited to second-generation technologies, it has been updated to extract information from third-generation SIM cards. To use TULP2G to acquire data from a SIM card, first open the SIM Investigation profile, select the Investigation tab, and Run the SIM plug-in to extract data from the card.

The types of information that may be available on a SIM card are listed in Table 20.3. This includes the location area identifier (LAI), which is stored in EF_LOCI (7F20/6F7E), providing the country, network, and location area identifier. Each time a mobile device moves to a new area, the LAI information is updated on the SIM card. Location information may also be available when the GPRS mobile data service is used. EF_LOCIGPRS (7F20/6F53) contains GPRS Routing Area Information, similar to the LAI information, as shown in Figure 20.27 using Paraben's Device Seizure software.

Table 20.3 Selection of Information that can be Stored on SIM Cards
Description L
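The EF_LOCI layout referenced above (7F20/6F7E) can be decoded directly once the 11-byte file body has been read from the card. The following Python is an added example, not code from the book, TULP2G or Device Seizure; it assumes the raw bytes are already in hand and follows the 3GPP TS 51.011 layout of TMSI, LAI, TMSI TIME and location update status, with the LAI's MCC/MNC stored as swapped-nibble BCD. The sample bytes use the 3GPP test network code MCC 001 / MNC 01 with a constructed TMSI and LAC.

```python
import struct

# Constructed EF_LOCI body (11 bytes, 3GPP TS 51.011):
#   TMSI (4) | LAI (5) | TMSI TIME (1) | Location update status (1)
# MCC 001 / MNC 01 is the 3GPP test network; TMSI and LAC are made up.
SAMPLE_EF_LOCI = bytes.fromhex("DEADBEEF" "00F110" "1234" "FF" "00")

UPDATE_STATUS = {
    0: "updated",
    1: "not updated",
    2: "PLMN not allowed",
    3: "location area not allowed",
}


def decode_lai(lai: bytes) -> dict:
    """Decode a 5-byte Location Area Identity.

    Octet 1: MCC digit 2 | MCC digit 1   (high nibble | low nibble)
    Octet 2: MNC digit 3 | MCC digit 3   (0xF in the high nibble = 2-digit MNC)
    Octet 3: MNC digit 2 | MNC digit 1
    Octets 4-5: Location Area Code, big-endian."""
    if len(lai) != 5:
        raise ValueError("LAI must be 5 bytes")
    b1, b2, b3 = lai[0], lai[1], lai[2]
    mcc = "%d%d%d" % (b1 & 0xF, b1 >> 4, b2 & 0xF)
    mnc = "%d%d" % (b3 & 0xF, b3 >> 4)
    if (b2 >> 4) != 0xF:          # third MNC digit present
        mnc += "%d" % (b2 >> 4)
    lac = struct.unpack(">H", lai[3:5])[0]
    return {"mcc": mcc, "mnc": mnc, "lac": lac}


def parse_ef_loci(raw: bytes) -> dict:
    """Split EF_LOCI into its fields; a TMSI of FFFFFFFF means no TMSI stored."""
    if len(raw) < 11:
        raise ValueError("EF_LOCI is 11 bytes")
    status = raw[10] & 0x07
    result = {"tmsi": raw[0:4].hex().upper(), "tmsi_valid": raw[0:4] != b"\xff" * 4}
    result.update(decode_lai(raw[4:9]))
    result["tmsi_time"] = raw[9]
    result["status"] = UPDATE_STATUS.get(status, "reserved (%d)" % status)
    return result


if __name__ == "__main__":
    print(parse_ef_loci(SAMPLE_EF_LOCI))
```

Because the LAI is rewritten at every location update, the value on the card reflects the last area the handset registered in, not a history; pairing it with the LAC-to-cell mapping held by the operator is what gives it investigative meaning.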
18. Bluetooth piconets. Digital evidence in mobile devices can be lost completely, as it is susceptible to being overwritten by new data or by remote destruction commands received over wireless networks. Additionally, in order to extract information, it is necessary to interact with the device, often altering the system's state. As with any computer, interacting with a mobile device can destroy or alter existing evidence. Fortunately, by following the processes outlined in Chapters 3 and 6, it is possible to obtain usable digital evidence from mobile devices in a forensically sound manner acceptable to a court of law.

Mobile devices are challenging from a data recovery and analysis standpoint as well. With their increasing functionality and growing data stores, mobile devices are becoming analogous to computers with specific functions, mainly as a conduit for communications and Internet access. Keeping up with all of the various file systems, data formats, and data sources on mobile devices is an ongoing challenge. However, a major advantage of mobile devices from a forensic perspective is that they can contain deleted information even after an individual has attempted to render it unrecoverable. The underlying reason for this persistence of deleted data on mobile devices is the use of Flash memory chips to store data. Flash memory is physically durable against impact, high temperature, and pressure, making it more difficult to destroy. In addition,
19. CHAPTER 20 Digital Evidence on Mobile Devices
Eoghan Casey and Benjamin Turnbull

Mobile devices such as cell phones and smart phones have become an integral part of people's daily lives and, as such, they are prone to facilitating criminal activity or otherwise being involved when crimes occur. No other computing device is as personal as the mobile phone, effectively providing a computer in a pocket. Whereas computers, laptops, servers, and game machines might have many users, in the vast majority of cases mobile devices belong to an individual. Although compact, these handheld devices can contain personal information including call history, text messages, e-mails, digital photographs, videos, calendar items, memos, address books, passwords, and credit card numbers. These devices can be used to communicate, exchange photographs, connect to social networks, blog, take notes, record and consume video and audio, sketch, access the Internet, and much more. As the technology develops, higher data transmission rates are allowing individuals to transfer more data (e.g., digital video), and the computing power in these devices enables us to use them in much the same way as we used laptop systems over the past decade. Because these devices fit in a pocket or bag, they are often carried wherever a person goes and can be used to determine a person's whereabouts at a particular time. This rapid development of mobile computing and communication
20. JTAG is less intrusive than relying on the device operating system, but interpreting the extracted binary requires in-depth knowledge of the device.
Physical acquisition via direct memory chip: The most low-level and potentially complex acquisition method for mobile devices. Involves extracting memory chips from the device and reading the memory structures. Can provide access to all device content but requires knowledge of how to interpret the raw structures. This technique should not be used for cases when the original device must remain operable.

It is generally advisable to acquire data from a mobile device using two or more of the methods in Table 20.2 in order to compare the results, to ensure the information that you are basing your work on is correct. A manual examination is sometimes sufficient if investigators only need a particular piece of information from the device. Before performing a manual examination of a device, it is advisable to become familiar with its operation using an identical test device. For this reason, and to enable tool testing and tool development, forensic laboratories that specialize in this type of examination maintain an extensive collection of mobile devices. When performing a manual examination, it is important to record all actions taken with the device to enable others to assess whether the examination was performed satisfactorily.

PRACTITIONER'S TIP: Overlooking Evidence
During a manual exam
21. [Figure residue: hex view of FAT directory entries for Photo-0001.jpg, Photo-0002.jpg and Photo-0003.jpg (short names PHOTO-~1.JPG to PHOTO-~3.JPG), each preceded by long-name entries; the first byte of every entry has been replaced with 0xE5, the FAT marker for a deleted entry, while the timestamps, starting clusters and sizes remain intact]
FIGURE 20.21 Deleted photographs recovered from the reconstructed FAT file system in a physical memory dump of a Samsung mobile device.

In addition, items such as MMS messages that have been deleted may be recoverable, as shown in Figure 20.22 using Cellebrite Physical. The deleted file containing
22. Port scanners, wireless network security analyzers, and penetration testing frameworks such as Metasploit have all been ported or developed for Apple iPhone and Android devices. Although not official, these application types do exist and may be used for crime. The presence of such applications is of interest in computer misuse investigations (Moore, 2007).

[Figure residue: MobileSpy Web interface advertising silent recording of text messages, GPS locations and call details, with SMS Logs, Call Logs, GPS Logs and URL Logs views listing intercepted outgoing messages from a monitored device, with sender, receiver, direction and message text columns]
FIGURE 20.8 MobileSpy used to intercept text messages on a mobile device and post them to a Web server.

20.2.3 Thinkin
23. [Figure 20.19 residue: FTK evidence tree for the iPhone HFSX image (HFS+ Private Directory Data, Applications, bin, cores, dev, Developer, Library with Application Support, Audio, Caches, Filesystems, Internet Plug-Ins, LaunchAgents, LaunchDaemons, Managed Preferences, Printers, Ringtones) alongside a hex view of a PNG file beginning with the PNG signature and IHDR, cHRM, pHYs and IDAT chunks]
FIGURE 20.4 SMS messages and other items from a Motorola V3 Razr acquired using BitPim. (Screenshot: the message list shows the sender, date/time and callback fields; the detail pane shows subject, date, priority, and the read and locked flags.)

With messages, there is no record of when messages were first read, only whether they have been accessed, and messages may be incomplete if they have been erased from the handset. Some acquisition methods may recover deleted messages, but this depends on the extraction method, as discussed later in this chapter.

Smart phones have baseline phone functionality but are vastly more powerful and extendable and hence have greater evidentiary value. Figure 20.5 shows digital photographs and other information acquire
FIGURE 20.20 File from an LG mobile device containing an MMS message with a video attachment that can be recovered even after the original video has been deleted from the file system.

20.5.2 Data Recovery on Mobile Devices

When common file systems are used, such as FAT, HFS, and ext2/3, it may be possible to recover deleted files using file system forensic tools, as discussed in Chapters 17, 18, and 19. For instance, Figure 20.21 shows EnCase being used to recover deleted photographs from a FAT file system on a Samsung mobile device.

FIGURE 20.21 EnCase recovering deleted photographs from a FAT file system on a Samsung mobile device. (Screenshot: the listing shows Photo_0015.jpg through Photo_0022.jpg, each 12–21 KB and dated July–August 2005, with name, created and written times, logical and physical size, and starting cluster.)
an MMS message is marked with an X in the bottom left of the screen, and the contents of these files can be viewed as shown on the right of the screen. As seen in the previous section, these MMS files start with an SMIL header that includes the name of the attached file, followed by the actual content of the attachment.

(Screenshot: Physical Analyzer showing the file system extracted from a Samsung SGH-T519, with MMS files mms20900000.mms, mms20900001.mms and mms20900002.mms under the FSDB/MMS folder. The hex view shows the SMIL layout, including <region id="PicReg" top="0" left="0" height="100%" width="100%" fit="hidden"/>, <par dur="10000ms"> and <img src="cid:306" region="PicReg"/>, followed by the attached file name 080907_15432.jpg.)
(Figure: manufacturer specification sheet for a 2010 smart phone, listing GSM 850/900/1800/1900 and HSDPA 850/900/1900/2100 bands, a 3.5-inch 640 x 960 capacitive touchscreen, accelerometer, three-axis gyro and proximity sensors, 16/32 GB storage with 512 MB RAM, practically unlimited phonebook entries, 100 received/dialed/missed calls, Wi-Fi 802.11 b/g/n, Bluetooth 2.1 with A2DP, a 5 MP autofocus camera with geo-tagging, and 720p video recording.)

At a minimum, mobile phones can be expected to contain address books, call registers, and Short Messaging Service (SMS) messages, also called text messages, as shown in Figure 20.4. Text messages have the benefit of providing full transcripts, unlike call records, and the date-time stamps of received SMS messages are usually accurate because they are inserted by systems operated by the network service provider rather than by the mobile device itself (the service centre time stamp carried in the delivered message); the time stamps on sent messages, by contrast, come from the handset's own clock. However, there are investigative disadvantages
between workstations and notebook computers and phones almost exclusively view the phone as a satellite device. Improved connectivity between phones and other data sources may alter this and provide greater links between connected systems. By far the most obvious trend is that mobile devices will continue to be important in forensic analysis and will have a large role in both civil and criminal investigations.

20.9 SUMMARY

There are a growing number of mobile devices for personal organization and communication, many with access to the Internet. These devices can be a source of digital evidence in any crime, containing personal information about an individual, including photographs, passwords, and other useful data, or showing where individuals were at a specific time and with whom they were communicating. The devices themselves can also be an instrumentality of a crime when they are used to steal intellectual property, to create and disseminate child pornography, or to eavesdrop on wireless network traffic. In recent years it has become routine for investigators to collect mobile devices as evidence. Embedded systems are a challenging source of evidence because the data on them is volatile and different tools are needed to process different devices. Currently, tools and training in this area are limited, but given the rapid increase in their use, this is likely to become one of the largest
ce the phone number 12036452774 is 2130462577F4 in nibble-reversed format, where the F is padding. To complicate matters, some mobile devices (e.g., Motorola) store some data in big-endian format, with the most significant byte first. This means that the entire data structure is stored in the opposite byte order from a little-endian system. For instance, a little-endian UNIX date-time stamp C7 BE FE 49, which equates to May 4, 2009 at 10:09:11 AM (UTC), would be stored as 49 FE BE C7 on a Motorola device. A decoded date that falls outside the plausible life of the device is the usual sign that the wrong byte order has been assumed.

In addition to these various data formats, mobile devices use specific data structures to represent call logs and other information. Researchers and tool developers are delving into such data structures to help digital investigators extract more useful data and correctly interpret the information they obtain. For instance, as noted in the previous section, Windows Mobile devices store communications in Microsoft proprietary embedded databases. The structure of these embedded databases has been explored by several digital forensic researchers, and tools have been developed to extract information from these database files (Casey, Bann, & Doyle, 2009; Klaver, 2009; Rehault, 2010). For more instruction on forensic examination and analysis of mobile devices, see the cmdLabs Web site (http://www.cmdlabs.com).

20.6 FORENSIC ACQUISITION AND EXAMINATION OF SIM CARDS

When conducting fo
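The two low-level formats just described can be checked by hand, and a practitioner verifying a tool's output should be able to do so. The following is an added example, not code from the chapter: it decodes (and encodes) nibble-reversed phone numbers, interprets a 4-byte UNIX time stamp under either byte order, and flags which byte order yields a plausible date. The sample bytes are constructed from the values quoted in the text; the 2000–2030 plausibility window is an assumption chosen for the example.

```python
"""Semi-octet (nibble-reversed) numbers and endianness of Unix time stamps.

Added example, not from the chapter. The sample bytes are built from the
values the text quotes (+1 203 645 2774; May 4, 2009 10:09:11 UTC).
"""
import struct
from datetime import datetime, timezone


def decode_semi_octets(raw: bytes) -> str:
    """Decode a BCD digit string stored low nibble first; 0xF is padding."""
    digits = []
    for byte in raw:
        for nibble in (byte & 0x0F, byte >> 4):   # low nibble is the earlier digit
            if nibble == 0x0F:
                continue                          # pad nibble of an odd-length number
            if nibble > 9:
                raise ValueError(f"non-BCD nibble {nibble:#x} in {raw.hex()}")
            digits.append(str(nibble))
    return "".join(digits)


def encode_semi_octets(number: str) -> bytes:
    """Inverse of decode_semi_octets; useful for building a raw keyword."""
    if not number.isdigit():
        raise ValueError("digits only")
    padded = number + ("F" if len(number) % 2 else "")
    # swap each pair of digits so the earlier digit lands in the low nibble
    return bytes(int(padded[i + 1] + padded[i], 16) for i in range(0, len(padded), 2))


def decode_unix_timestamp(raw: bytes, big_endian: bool = False) -> datetime:
    """Interpret four bytes as seconds since 1970-01-01 00:00:00 UTC."""
    (secs,) = struct.unpack(">I" if big_endian else "<I", raw)
    return datetime.fromtimestamp(secs, tz=timezone.utc)


def guess_endianness(raw: bytes,
                     lo: datetime = datetime(2000, 1, 1, tzinfo=timezone.utc),
                     hi: datetime = datetime(2030, 1, 1, tzinfo=timezone.utc)) -> list:
    """Byte orders under which raw decodes to a date inside [lo, hi].

    The window is an assumption for this example; in practice bound it by
    the device's manufacture date and the seizure date.
    """
    hits = []
    for name, big in (("little", False), ("big", True)):
        if lo <= decode_unix_timestamp(raw, big) <= hi:
            hits.append(name)
    return hits


if __name__ == "__main__":
    print(decode_semi_octets(bytes.fromhex("2130462577F4")))      # 12036452774
    print(encode_semi_octets("12036452774").hex().upper())         # 2130462577F4
    print(decode_unix_timestamp(bytes.fromhex("C7BEFE49")))        # 2009-05-04 10:09:11+00:00
    print(guess_endianness(bytes.fromhex("49FEBEC7")))             # ['big']
```

Run with no arguments to see the worked values; the same functions can be pointed at bytes copied out of a hex viewer to validate what a forensic tool reports.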
d from a Windows Mobile device.

FIGURE 20.5 Photographs acquired from a Windows Mobile device using XRY, showing EXIF header information. (Screenshot: 534 pictures stored on the device or removable media; IMAGE_002.jpg (155.85 KB) and IMAGE_001.jpg (390.44 KB) in \My Documents\My Pictures, with EquipMake and EquipModel "T-Mobile Dash", XResolution/YResolution 72, DateTime 2009:04:22 16:47 and 16:46, and ExifDTOrig 2009:04:22 16:47 and 16:45. Note that the file system time is displayed in UTC (8:47:24 PM) while the EXIF DateTime (16:47) carries no time zone.)

Photographs, audio, and video can provide some of the most compelling digital evidence in a case. Recall the case of Gaumer described in Chapter 10, involving an accidental voicemail that apparently captured the sounds of the victim being physically assaulted. In some cases accomplices use mobile devices to record a crime, as occurred in the UK when a 15-year-old girl was found guilty of aiding and abetting manslaughter after she recorded the fatal beating of a man (Borland, 2008). In other cases perpetrators themselves have filmed their crime.

CASE EXAMPLE: MANCHESTER, UK, 2010

Investigation into the death of 15-month-old Charlie Hunt child The video
de useful historical details that are no longer recoverable from the mobile device itself. For example, the numbers dialed may connect a suspect with a victim. In addition, network service providers generally maintain call detail records that can provide specific details about each call and message pertaining to a mobile device. For more in-depth coverage of the types of information available from network service providers that can be useful in an investigation, see Wireless Networks in Digital Forensics and Investigation (Dario Forte, 2009).

Data relating to a handheld device can often be found on associated desktop computers. For example, when a mobile device is synchronized with a desktop computer, data are stored in backup files indefinitely. Items that have been erased from the device may still exist on the desktop, including e-mail messages and private data. These files may be stored in a proprietary format, and it may be necessary to obtain specialized tools to interpret these backup files on the desktop. For instance, BlackBerry backup files are stored in IPD format, which can be viewed using Amber ABC Converter, as shown in Figure 20.9.
depending on the criminal acts being investigated, the capability of the mobile device, and how it has been used. Data associated with mobile phones is found in a number of locations: embedded memory, attached removable memory, and the Subscriber Identity Module (SIM) card. Not all of these components will be available or necessary for all investigations, but in some cases there may be multiple SIM cards, removable media, or even more than one mobile device.

PRACTITIONER'S TIP: Concealment Behavior of Mobile Criminals

Some criminals are aware of the risks associated with their use of mobile devices. To avoid apprehension, members of certain organized criminal operations will use multiple SIM cards or prepaid mobile devices that are difficult to trace and inexpensive enough to be effectively disposable (a.k.a. burners). After a SIM card or mobile device has been used for a prolonged period, criminals may attempt to destroy it to thwart data recovery. However, useful information may be recoverable from damaged mobile devices or SIM cards. In addition, these people are not immune to technology trends and may also carry high-end personal mobile devices that can provide digital investigators with some insight into the criminals' activities.

Not all phones are created equal, and what is extractable from a device depends on its capabilities. Table 20.1 provides a breakdown of phone functionality. The baseline phone information is common across t
e important information will not be acquired. Finally, running a software agent on the device necessarily alters the device, potentially overwriting some data. However, in certain cases the only available option may be to run a software agent in order to acquire data from a specific mobile device. Digital investigators must weigh these issues against the benefits of acquiring some information from a device. In addition, it may be necessary to explain that the acquired digital evidence is trustworthy despite any concerns raised by the use of a software agent on the device; recording which agent was loaded, where on the device it was written, and what it changed is what makes that explanation possible.

20.4.3 Bootloaders

When a mobile device is powered on, the first code it executes is called a boot loader. This code has very basic functionality and is comparable to the BIOS on Intel computers. During normal use of a mobile device the boot loader simply launches the operating system so that the user can interact with the device. However, the boot loader can be interrupted during the startup process to prevent the operating system from launching, and it can then be instructed to execute custom operations. In this way forensic tools can use the boot loader to gain access to memory on a mobile device.

20.4.4 Flasher Boxes

Flasher boxes are devices originally designed to customize the appearance and operation of the operating system on mobile devices. However, by design, flasher boxes can also dump the contents of physical memory f
As another example of how deleted files can be useful in a forensic context, when files are opened on some Motorola mobile devices a temporary artifact is created and subsequently deleted. If such items can be recovered, as shown in Figure 20.23, they can contain information that is no longer present elsewhere on the mobile device, and they can provide evidence that particular information was viewed on the device.

FIGURE 20.23 Deleted file being recovered from a Motorola device using XACT. (Screenshot: the flash image FLASH 10000000–13FFFFFF is shown with folders such as audio, btprint, mms, picture, skins, system and temp; deleted entries are marked with an X, the temporary file 1DB4K20.gif is selected, and its content is displayed in the hex pane.)

The abstraction layers and wear leveling associated with Flash memory can make data recovery from mobile devices more difficult, but advances are being made in both commercial and open source forensic tools. For instance, the winning submission for the DFRWS 2010 Forensic Challenge provides a techni
ecessary when a mobile device has been misused.

20.8 FUTURE TRENDS

Digital forensics is a reactive field, and as such future trends in mobile phone analysis are largely dependent on trends in the mobile phone industry. Phones are becoming much more capable, and while there remains a market for phones with only basic functionality, phones with greater functionality are the expanding market. The term "smart phone" is ceasing to be relevant as it becomes the standard. For forensic investigators and analysts this is positive for two reasons: phones will have greater capability and hence will contain more potential evidence, and the industry is stabilizing to a smaller number of core operating system platforms.

The proliferation of high-end smart phones in both the consumer and commercial sectors will ultimately have an impact on forensic investigation. The increased capacity of phones will require greater analysis on a per-device basis but can provide greater insight. Mobile phones are a data store largely abstracted away from individual users and are therefore less likely to be altered or tampered with. The number of mobile phone and device operating systems is consolidating to a discrete group largely independent of the hardware. This will aid data extraction and analysis through reduced learning curves for different devices as well as a greater understanding of what can be extracted for each platform. The need to reverse engineer the idiosyncrasies found in cus
ed with your personal data from the SIM card.

In addition to collecting a mobile device itself, it is important to look for associated items that might contain data or help extract data from the device. Removable memory and SIM cards can contain more data than the device itself, and interface cables and cradles may be needed to connect the device to an evidence collection system. As with any other computer, document the types of hardware and their serial numbers, taking photographs and notes as appropriate. If a device is on when it is found, leave it on if possible, because turning it off may activate password protection, making it more difficult to extract data from the device later; a device left on must then be kept isolated from the network and supplied with power, since a dead battery has the same effect as switching it off. Also document any information visible on the display, including the date and time of the system clock.

20.4 FORENSIC PRESERVATION OF MOBILE DEVICES

Given the variety of mobile devices, it should come as no surprise that there is no single standardized method of accessing all of them to extract data using software or hardware. This is one of the first major hurdles of mobile device forensics, because without any means of accessing the data on a device you are left with only one option: manual examination. When acquiring data from mobile devices there are a variety of options, and the specifics of a case and the mobile device will dictate which approach is most suitable. A corollary of this fact is that no single t
FIGURE 20.9 Amber ABC Converter used to view a BlackBerry IPD file. (Screenshot: the database tree lists Messages, Contacts, SMS, AutoText, Calendar, Memos, Phone Call Logs, Tasks, Phone Hotlist, PIN, MMS, Saved Email Messages, Browser Bookmarks, Browser URLs and Pictures; the calendar pane shows meetings in December 2008, and the export dialog offers formats such as PDF, DBF, HTML, XLS and TreePad.)

Digital investigators can obtain information about online accounts that have been used on mobile devices to connect with cloud-based services such as Gmail. For instance, the following user account information was extracted from a keychain database on an iPhone, including accounts on Yahoo, Hotmail, and Windows Live:

    F:\tools> sqlite3.exe iPhone2\Keychains\keychain-2.db
    SQLite version 3.6.16
    Enter ".help" for instructions
    Enter SQL statements terminated with a ";"
    sqlite> select labl, acct, svce from genp;
    eric rooster@yahoo.com   Yahoo token
    erooster@live.com
    erikrooste@hotmail.com
    therooster@hotmail.com
    therooster@hotmail.com   com.apple.itunesstored.keychain
    erooster                 MMODBracketsAccount
    LumosityBrainTrainer     erooster   LumosityBrainTrainer

The label, account and service columns queried here are stored as readable attributes; the secret values themselves (the data column) are encrypted with device-bound keys and are not recovered by this query.
(Figure 20.7, continued: JPEGsnoop output for the EXIF SubIFD of the photograph, including GPSLongitudeRef W, ExifVersion 0220, DateTimeOriginal and DateTimeDigitized 2009:05:30 14:42:38, FlashPixVersion 0100, ColorSpace sRGB and ExifImageWidth 1536.)

FIGURE 20.6 A file from an iPhone containing longitude and latitude of cellular tower locations used by the device.

FIGURE 20.7 An EXIF header from a digital photograph showing the GPS coordinates of the originating device at the time the photograph was taken.

20.2.2 Malicious Code on Mobile Devices

As mobile devices are used more to conduct online banking and shopping, they are becoming prime targets for computer criminals seeking to steal money or valuable information. For instance, a fake banking application for Android devices was disseminated to unsuspecting users and sent information to a third party without their consent (Leyden, 2010, "Rogue phishing app smuggled onto Android Marketplace," The Register, http://www.theregister.co.uk/2010/01/11/android_phishing_app/). More sophisticated malware allows criminals to intercept the SMS messages associated with online banking transactions, enabling them to steal money directly from a victim's bank account.

CASE EXAMPLE: ZEUS IN THE MOBILE

A malicious Trojan program called ZeuS was designed
embedded database named cemail.vol, which can retain deleted items (Casey, Bann, & Doyle, 2009).

20.5.3 Data Formats on Mobile Devices

Mobile devices store data in a variety of formats. In order to interpret data on mobile devices and verify important results at a low level, digital forensic investigators require some understanding of these formats. In addition to understanding binary and hexadecimal numbers, practitioners must be intimately familiar with how these numbers correspond with ASCII and Unicode characters, as discussed in Chapter 15.

A peculiarity of mobile devices is that they store SMS messages not in ASCII but using a 7-bit alphabet, packed so that eight characters occupy seven bytes. For instance, Figure 20.26 shows the results of a keyword search for a specific deleted SMS message in physical memory acquired from a Motorola Z3 device. The SMS message contained the text "We are down one", and multiple copies were found in the memory dump, as shown in the bottom panel of Figure 20.26. Observe that the keyword search had to be performed using 7-bit encoding, and that the text of the message is not visible in readable form when viewed using a hex viewer (see the highlighted data in the top right of Figure 20.26).

FIGURE 20.26 Keyword search for a 7-bit encoded SMS message in a physical memory dump from a Motorola Z3. (Screenshot: the bottom panel lists the matching blocks, e.g. Block 1e01bf0, 1e01d70, 1e022f0 and 1e026f0, and the hex pane shows the packed bytes of the message.)
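A search for 7-bit text has a subtlety the figure does not show: because septets are packed across byte boundaries, the byte pattern for a keyword depends on how many characters precede it in the message, so a complete search must try all seven bit alignments. The following added example (not from the chapter) packs and unpacks the GSM 7-bit default alphabet for the ASCII-compatible subset of characters, generates the alignment patterns for a keyword, and searches a memory dump constructed here for the message quoted in the text; nothing is read from a real device.

```python
"""GSM 7-bit SMS packing and alignment-aware keyword search.

Added example, not from the chapter. The memory dump is constructed below;
the keyword is the message the text describes ("We are down one").
"""

# Characters whose GSM 03.38 code equals their ASCII code. '@' is 0x00 in
# GSM 7-bit and is handled explicitly; other characters (currency symbols,
# accented letters, the escape table) need the full table and are rejected.
_SAME_AS_ASCII = set(" !\"#%&'()*+,-./0123456789:;<=>?"
                     "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")


def to_septets(text):
    out = []
    for ch in text:
        if ch in _SAME_AS_ASCII:
            out.append(ord(ch))
        elif ch == "@":
            out.append(0x00)
        else:
            raise ValueError(f"{ch!r} needs the full GSM 03.38 table or UCS-2")
    return out


def from_septets(septets):
    """Inverse of to_septets for the subset above."""
    return "".join("@" if s == 0 else chr(s) for s in septets)


def pack_7bit(septets, bit_offset=0):
    """Pack septets LSB-first into octets, starting bit_offset bits into byte 0."""
    value = 0
    for i, s in enumerate(septets):
        value |= (s & 0x7F) << (bit_offset + 7 * i)
    nbytes = (bit_offset + 7 * len(septets) + 7) // 8
    return value.to_bytes(nbytes, "little")


def unpack_7bit(data, count, bit_offset=0):
    if bit_offset + 7 * count > 8 * len(data):
        raise ValueError("not enough data for that many septets")
    value = int.from_bytes(data, "little")
    return [(value >> (bit_offset + 7 * i)) & 0x7F for i in range(count)]


def search_patterns(text):
    """For each of the 7 alignments: the packed bytes fully determined by the
    keyword (edge bytes that also hold neighbouring characters are dropped),
    plus how many leading bytes were dropped."""
    septets = to_septets(text)
    patterns = {}
    for shift in range(7):
        packed = pack_7bit(septets, shift)
        first = 1 if shift else 0
        last = (shift + 7 * len(septets)) // 8          # exclusive
        patterns[shift] = (packed[first:last], first)
    return patterns


def find_7bit(dump, text):
    """Return sorted (byte offset of the keyword's first bit, bit shift) pairs."""
    hits = []
    for shift, (pat, lead) in search_patterns(text).items():
        pos = dump.find(pat)
        while pos != -1:
            hits.append((pos - lead, shift))
            pos = dump.find(pat, pos + 1)
    return sorted(hits)


def decode_hits(dump, text):
    """Re-decode each hit from the dump so the match can be verified."""
    n = len(text)
    out = []
    for byte0, shift in find_7bit(dump, text):
        nbytes = (shift + 7 * n + 7) // 8
        out.append((byte0, shift, from_septets(unpack_7bit(dump[byte0:byte0 + nbytes], n, shift))))
    return out


MESSAGE = "We are down one"


def build_dump():
    """Constructed dump: the message septet-aligned at offset 100, and again at
    offset 300 inside a longer message so the keyword starts 28 bits in."""
    first = pack_7bit(to_septets(MESSAGE))
    second = pack_7bit(to_septets("OK. " + MESSAGE))
    return b"\x00" * 100 + first + b"\x00" * (300 - 100 - len(first)) + second + b"\x00" * 100


if __name__ == "__main__":
    dump = build_dump()
    print(dump.find(MESSAGE.encode()))        # -1: plain ASCII search finds nothing
    for byte0, shift, text in decode_hits(dump, MESSAGE):
        print(f"offset {byte0:#x} bit {shift}: {text}")
```

The second copy is found only by the shift-4 pattern; a search that packs the keyword at a single alignment, as a naive tool might, misses it.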
entially providing a historical record of the user's whereabouts over a given period. For instance, iPhones store the locations of recently used cellular towers in a file, as shown in Figure 20.6. GPS-enabled devices may also contain remnants of past locations and maps that can be useful in an investigation. Additionally, EXIF data embedded in digital photographs can add evidentiary value, providing the date and time the photograph was created, the device type used to create it, and potentially the GPS coordinates of where the photograph was taken, as shown in Figure 20.7. EXIF date-time fields carry no time zone, so they should be reconciled with the handset's clock setting before being placed on a timeline. Onboard GPS may also provide the user with mapping functionality and hence provide forensic investigators with waypoints, plotted destinations, and routes taken.

(Figure 20.6: hex view of a binary property list (bplist00) from an iPhone holding cell tower records with cell identifiers, timestamps and latitude/longitude values.)

(Figure 20.7: JPEGsnoop showing the EXIF IFD0 of a photograph taken with an HTC T-Mobile G1 (Make HTC, Model T-Mobile G1, Orientation row 0 top / column 0 left, XResolution 72) and its GPS IFD (GPSVersionID 2.2.0.0, GPSLatitudeRef N, GPSLatitude 39 deg ...).)
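Reading the GPS coordinates out of an EXIF header involves a few steps that tools hide and that are worth checking by hand: locating the Exif APP1 segment in the JPEG, honouring the TIFF byte-order mark, following the GPSInfo pointer to the GPS IFD, converting the degree/minute/second rationals, and applying the N/S and E/W reference letters to the sign. The following is an added example, not code from the chapter: a minimal parser for exactly that path, exercised on a JPEG header constructed in the block (the coordinates are made up and are not those in Figure 20.7).

```python
"""Extract GPS coordinates from an Exif APP1 segment.

Added example, not from the chapter. build_sample_jpeg() constructs a
minimal JPEG with an Exif segment so the parser can be run offline; the
coordinates in it are invented for the example.
"""
import struct

GPS_INFO_TAG = 0x8825          # IFD0 tag pointing at the GPS IFD
TYPE_ASCII, TYPE_LONG, TYPE_RATIONAL = 2, 4, 5


def extract_tiff_from_jpeg(jpeg):
    """Return the TIFF-structured payload of the first Exif APP1 segment."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):            # end of image / start of scan
            break
        (seg_len,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        body = jpeg[pos + 4:pos + 2 + seg_len]
        if marker == 0xE1 and body.startswith(b"Exif\x00\x00"):
            return body[6:]
        pos += 2 + seg_len
    raise ValueError("no Exif APP1 segment")


def read_ifd(tiff, offset, order):
    """Parse one IFD into {tag: (type, count, 4-byte value/offset field)}."""
    (n,) = struct.unpack(order + "H", tiff[offset:offset + 2])
    entries = {}
    for i in range(n):
        e = tiff[offset + 2 + 12 * i: offset + 14 + 12 * i]
        tag, typ, count = struct.unpack(order + "HHI", e[:8])
        entries[tag] = (typ, count, e[8:12])
    return entries


def read_rationals(tiff, order, count, field):
    (off,) = struct.unpack(order + "I", field)   # rationals never fit inline
    values = []
    for i in range(count):
        num, den = struct.unpack(order + "II", tiff[off + 8 * i: off + 8 * i + 8])
        if den == 0:
            raise ValueError("rational with zero denominator")
        values.append(num / den)
    return values


def gps_coordinates(tiff):
    """(latitude, longitude) in signed decimal degrees, or None if absent."""
    order = {b"II": "<", b"MM": ">"}[tiff[:2]]
    magic, ifd0_off = struct.unpack(order + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF header")
    ifd0 = read_ifd(tiff, ifd0_off, order)
    if GPS_INFO_TAG not in ifd0:
        return None
    (gps_off,) = struct.unpack(order + "I", ifd0[GPS_INFO_TAG][2])
    gps = read_ifd(tiff, gps_off, order)
    if not all(t in gps for t in (1, 2, 3, 4)):
        return None

    def ref(tag):                     # GPSLatitudeRef / GPSLongitudeRef, ASCII inline
        return gps[tag][2][:1].decode("ascii")

    def dms(tag):                     # three RATIONALs: degrees, minutes, seconds
        typ, count, field = gps[tag]
        if typ != TYPE_RATIONAL or count != 3:
            raise ValueError(f"unexpected layout for GPS tag {tag}")
        d, m, s = read_rationals(tiff, order, 3, field)
        return d + m / 60 + s / 3600

    lat, lon = dms(2), dms(4)
    if ref(1) == "S":
        lat = -lat
    if ref(3) == "W":
        lon = -lon
    return round(lat, 6), round(lon, 6)


def build_sample_jpeg(order="<", lat=(39, 17, 32.4), lat_ref=b"N", lon=(76, 36, 48), lon_ref=b"W"):
    """Constructed JPEG header: SOI, an Exif APP1 holding IFD0 -> GPS IFD, EOI."""
    def rational(x):
        return struct.pack(order + "II", int(round(x * 1000)), 1000)
    hdr = (b"II" if order == "<" else b"MM") + struct.pack(order + "HI", 42, 8)
    ifd0 = (struct.pack(order + "H", 1)
            + struct.pack(order + "HHII", GPS_INFO_TAG, TYPE_LONG, 1, 26)   # GPS IFD at 26
            + struct.pack(order + "I", 0))
    entries = [
        struct.pack(order + "HHI", 1, TYPE_ASCII, 2) + lat_ref + b"\x00\x00\x00",
        struct.pack(order + "HHII", 2, TYPE_RATIONAL, 3, 80),                # lat data at 80
        struct.pack(order + "HHI", 3, TYPE_ASCII, 2) + lon_ref + b"\x00\x00\x00",
        struct.pack(order + "HHII", 4, TYPE_RATIONAL, 3, 104),               # lon data at 104
    ]
    gps_ifd = struct.pack(order + "H", 4) + b"".join(entries) + struct.pack(order + "I", 0)
    tiff = hdr + ifd0 + gps_ifd + b"".join(map(rational, lat)) + b"".join(map(rational, lon))
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


if __name__ == "__main__":
    print(gps_coordinates(extract_tiff_from_jpeg(build_sample_jpeg())))    # (39.292333, -76.613333)
```

The parser is indifferent to byte order, which matters because the TIFF header inside an Exif segment may be "II" or "MM" depending on the camera firmware; the sample builder can emit either so both paths can be exercised.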
FIGURE 20.19 Examination of an iPhone physical forensic duplicate using FTK. (Screenshot: the left pane shows the HFS directory tree, including Applications, bin, cores, dev, Developer, and Library with Application Support, Audio, Caches, Filesystems, Internet Plug-Ins, LaunchAgents, LaunchDaemons, Managed Preferences, Printers, Ringtones, Updates and Wallpaper; the hex pane shows the PNG header of a selected image; the file list shows 100.png, 100-thumbnail.png and 101.png with created, modified and accessed times displayed in Eastern Standard Time.)

Even when a full copy of physical memory is not possible, for many devices the complete logical file system can be acquired. Although this generally does not include deleted items, it can still provide access to substantial digital evidence, including MMS messages, IM fragments, and Web browsing history, that is not displayed automatically by forensic tools. In such situations the forensic examiner must locate the desired information w
Network isolation ensures that the contents of a phone reflect the time at which it was seized, disallowing changes that may occur after seizure. Actions over the network that can alter content include receiving phone calls and messages, network polling activity, and the use of remote erasure systems, the latter being an enterprise feature designed for corporate smart phones. Such network activities can alter the contents of a mobile device, potentially adding new data, overwriting existing data or unallocated space, or erasing the phone contents remotely. Some devices can be reconfigured to prevent communication with the network. Devices that do not have such a feature can be isolated from radio waves by placing them in Faraday isolation, such as radio-frequency shielded evidence containers that block network communications. Note that a shielded device keeps searching for a network and drains its battery faster, so a power source inside the shielding may be needed. Signal jamming systems provide another means of preventing mobile devices from communicating with a network, but this type of equipment is illegal in some jurisdictions. Network isolation practices must be maintained during forensic analysis, and this is achieved with shielded mobile phone examination rooms or extraction cases. To protect the device against damage or accidental activation, package it in an envelope or bag.

PRACTITIONER'S TIP: Mobile Device Triage

Given the dynamic and rapidly evolving nature of mobile device forensics, it is sometimes necessary to acquire data the m
g Outside of the Device

Digital investigators must always keep in mind that mobile devices can connect to various networks via cellular towers, WiFi access points, and Bluetooth. The networked nature of mobile devices creates opportunities and dangers from a forensic standpoint. Connected networks can contain investigatively useful information related to mobile devices, but they can also enable offenders to obliterate incriminating evidence remotely. For instance, Apple provides a Web-based service to remotely wipe a lost or stolen iPhone, and organizations that centrally manage BlackBerry devices can remotely wipe a specific device from BlackBerry Enterprise Server.

Network service providers may hold information that corroborates the data extracted from the phone or that adds to what can be recovered from the device. Billing records are maintained by network service providers for many subscribers. Customers with a monthly usage plan receive an itemized bill showing the calls, messages, and data activities associated with their mobile device. Once subscriber information is retrieved by digital investigators, a carrier may provide additional historical call records, unretrieved SMS messages, billing information, and the cell towers the device has connected to over time, the latter providing an inexact method of physically determining where a phone has been. These records can provi
gation, 6(3–4).

Koschade, S. (2006). A social network analysis of Jemaah Islamiyah: The applications to counter-terrorism and intelligence. Studies in Conflict and Terrorism.

Krueger, C. (2011, February 11). Man found guilty of lesser charge in murder recorded on cell phone. St. Petersburg Times.

Mislan, R., Casey, E., & Kessler, G. (2010). The growing need for on-scene triage of mobile devices. Journal of Digital Investigation, 6.

Moore, H. D. (2007, September 25). A root shell in my pocket (and maybe yours). Available from http://blog.metasploit.com/2007/09/root-shell-in-my-pocket-and-maybe-yours.html

Murphy, C. (2009). The fraternal clone method for CDMA cell phones. Small Scale Digital Device Forensics Journal, 3(1). Available from http://www.ssddfj.org/papers/SSDDFJ_V3_1_Murphy.pdf

Rehault, E. (2010). Windows Mobile advanced forensics: An alternative to existing tools. Journal of Digital Investigation, 7(1–2).

Wilson, C. (2006). Improvised Explosive Devices (IEDs) in Iraq: Effects and countermeasures. Congressional Research Service Report for Congress. Available from http://www.history.navy.mil/library/online/ied.htm

Williams, R. (2010, December 02). Baby video torture killer an "Evil Monster". Sky News. Available from http://news.sky.com/skynews/Home/UK-News/Charlie-Hunt-Murderer-Of-Baby-Filmed-While-He-Was-Tortured-Darren-Newton-Branded-Evil-Monster/Article/201012115845372?f=rss
he vast majority of consumer mobile phones, whereas the smart phone's evidentiary value extends this basic functionality and its associated information.

Table 20.1 Potential Evidence Related to Mobile Devices

Baseline phone
  Hardware: handset date and time; International Mobile Equipment Identity (IMEI)
  User-created information: address book, SMS, calendar, memos, to-do lists
  Phone-created information: call register (received, sent, missed); photographs (including EXIF data), video, audio, maps, MMS, GPS waypoints, stored voicemail; files stored on system-connected computers

Smart phone
  User-created information: online accounts, purchased media (often discoverable in embedded metadata), e-mail
  Internet-related information: Internet usage, social networking information; alternate messaging and communication systems
  Installed third-party applications: additional capabilities, malware applications, penetration testing, other applications (anything can help provide an alibi or tie a device to an individual)

Local workstation
  Transferred information: tethered mobile devices, backed-up phone data, backed-up third-party applications, store accounts, purchased media

Carrier
  Tracking information: connected cell towers over time, location at different times, current location (inaccurate)
  Usage information: billing inf

SIM card
  Identifiers; usage information
ination of a mobile device, it is easy to overlook areas of digital evidence because they are new, novel, or simply unfamiliar. For instance, a digital investigator might not realize the significance of an application such as TigerText (www.tigertext.com) that is designed to exchange secret messages via mobile devices. As a result the digital investigator might not open the application and review its contents, thus missing digital evidence that could be crucial to the case. To reduce the risk of overlooking evidence on a mobile device, it is important to explore each screen and application methodically and to document the results carefully.

The most common automated method of accessing devices is using a data cable, followed by wireless means such as Bluetooth. Once you have such access to the device, the next major hurdle is determining the most effective means of extracting data from it. Some mobile devices support standard AT command access, but this usually provides access to only a limited selection of data. Many mobile devices have proprietary protocols and require manufacturer developer tools to execute. Logical acquisition provides context for items such as date-time stamps and location within the file system on a mobile device. In some instances the information retrievable over a data cable differs from the information extractable via Bluetooth, so it may be beneficial to perform
ind and extract information related to an investigation, including deleted data. Whether data from a mobile device was acquired logically or physically, the general examination approach is the same as outlined in Chapter 6:

- Survey the available items to become familiar with the main sources of information on the mobile device.
- Recover any deleted items, including files, SMS messages, call logs, and multimedia.
- Harvest metadata from active and recovered items, such as date-time stamps, file names, whether messages were read, and whether calls were incoming, outgoing, or missed.
- Conduct a search and methodical inspection of the evidence, including keyword searches for any specific known details related to the investigation.
- Perform temporal and relational analysis of information extracted from memory, including a timeline of events and a link chart.
- Validate important results, because even forensic tools have bugs; for example, check a decoded date or phone number by hand against the raw bytes, as described in Section 20.5.3.

When dealing with active data on a baseline mobile device, it may be possible to examine all of the acquired messages, call logs, calendar entries, and other items stored on the device. However, when the complete file system or a full physical memory dump was acquired from a mobile device, it is generally infeasible to examine every file or data fragment stored on the device. In such cases digital investigators must develop a strategy to find relevant digital evidence. Surveying the acquired data by looking through folders a
FIGURE 20.1 A Nokia device with various identifiers, including its IMEI and part number. The bottom right shows a SIM card with the ICC-ID.

...are needed to interface with the device. In some situations it is sufficient to acquire specific information of interest from a mobile device via a cable connected to the data port, but in other circumstances it is necessary to attach a specialized connector directly to the circuit board in order to acquire all of the information needed in a case. Knowledge of how data are manipulated and stored on handheld devices is sometimes needed to acquire all available digital evidence from handheld devices without altering it and to translate it into a human-readable form. For instance, placing a mobile device on a cradle and synchronizing it with a computer to obtain information from the device will not copy all data and may even destroy digital evidence.

Mobile devices use radio waves to communicate over networks with various frequencies and standard communication protocols. Two of the most common mobile communication protocols are GSM and CDMA. Another common technology used in the United States and some other countries is iDEN. As shown in Figure 20.1, mobile devices can have several identifiers depending on the manufacturer, region, and technology. GSM devices are assigned a unique number called the International Mobile Equipment Identit...
...ithin the file system and interpret it themselves. This is one of the main reasons why it is important for practitioners to have an understanding of the underlying technology and not be overly reliant on automated tools. As an example, Figure 20.20 shows a file named MMS937483931.PDU that was extracted from the file system of an LG mobile device. This file contains an MMS message with a video that can be recovered even after the original video file was deleted from the device. These MMS files start with an SMIL header that includes the name of the attached file, followed by the actual content of the attachment (Casey, 2009).

FIGURE 20.21 MMS937483931.PDU (hex dump showing the application/smil header, a SMIL layout with a 320x240 image region and a video element with src 0920091201a.3g2, followed by the video/3gpp2 attachment beginning with its ftyp box).
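The structure just described, an SMIL part naming the attachment followed by the attachment's bytes, can be parsed and the video carved without a vendor tool. The block below is an added example and not code from the book: the PDU framing bytes and the stand-in video are constructed for this example, and only the SMIL layout and the file name 0920091201a.3g2 are taken from the figure on the page.

```python
"""Parse the SMIL header of an MMS PDU and carve the attached 3GPP2 video.

Added example, not code from the book. It follows the page's description of
MMS937483931.PDU: an application/smil part whose markup names the attachment,
followed by the attachment's raw bytes. SAMPLE_PDU is constructed here.
"""
import re
import struct

# Constructed SMIL part modelled on the figure: one image region and one
# <video> element whose src attribute names the attached file.
SMIL_TEXT = (
    '<smil><head><layout><root-layout width="399" height="240"/>'
    '<region id="image" width="320" height="240" left="0" top="0" fit="meet"/>'
    '<region id="text" width="399" height="0" left="0" top="240" fit="hidden"/>'
    '</layout></head><body><par dur="5000ms">'
    '<video src="0920091201a.3g2" region="image" begin="0ms" end="0ms"/>'
    '</par></body></smil>'
)

# Constructed stand-in for the video: 3GPP2 files are ISO base media files,
# so they start with a 'ftyp' box (brand '3g2a') followed by further boxes.
FAKE_VIDEO = (
    struct.pack(">I", 20) + b"ftyp" + b"3g2a" + b"\x00\x00\x00\x00" + b"3g2a"
    + struct.pack(">I", 16) + b"mdat" + bytes(range(8))
)

# Constructed PDU: the framing bytes are placeholders, not the real MMS encoding.
SAMPLE_PDU = (
    b"\x83application/smil\x00" + SMIL_TEXT.encode("ascii")
    + b"\x00video/3gpp2\x00" + b"0920091201a.3g2\x00" + FAKE_VIDEO
)


def extract_smil(pdu: bytes) -> str:
    """Return the SMIL markup, from '<smil' up to and including '</smil>'."""
    start = pdu.find(b"<smil")
    end = pdu.find(b"</smil>", start if start >= 0 else 0)
    if start < 0 or end < 0:
        raise ValueError("no SMIL header found in PDU")
    return pdu[start:end + len(b"</smil>")].decode("ascii", "replace")


def attachment_names(smil: str) -> list:
    """File names referenced by src attributes in the SMIL body."""
    return re.findall(r'\bsrc="([^"]+)"', smil)


def carve_attachment(pdu: bytes, name: str) -> bytes:
    """Carve the ISO-box file that follows the last mention of `name`.

    The 'ftyp' signature sits 4 bytes into the file (after the box size), so
    the carve starts at ftyp - 4 and then walks the box chain (size + type per
    box) to find where the file ends instead of blindly taking the rest of
    the PDU.
    """
    anchor = pdu.rfind(name.encode("ascii"))
    ftyp = pdu.find(b"ftyp", anchor if anchor >= 0 else 0)
    if ftyp < 4:
        raise ValueError("no ftyp box found after attachment name")
    start = pos = ftyp - 4
    while pos + 8 <= len(pdu):
        size = struct.unpack(">I", pdu[pos:pos + 4])[0]
        box_type = pdu[pos + 4:pos + 8]
        if size == 0:                       # box extends to end of file
            pos = len(pdu)
            break
        if size < 8 or not box_type.isalpha():
            break                           # not a valid box: file ended earlier
        pos += size
    return pdu[start:pos]


if __name__ == "__main__":
    smil = extract_smil(SAMPLE_PDU)
    for attachment in attachment_names(smil):
        print(attachment, len(carve_attachment(SAMPLE_PDU, attachment)), "bytes")
```

Walking the box chain rather than taking everything after ftyp matters on a real file system extraction, where the PDU may be followed by slack or by the next record; the carve stops at the first byte sequence that is not a well-formed box.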
...l memory dump of a Sony Ericsson mobile device using DFF.

PRACTITIONER'S TIP: Tool Validation
Given the complexity of recovering deleted items from the Flash memory of mobile devices, it is generally advisable to validate important results. There are various approaches to validating results, including performing a manual examination and comparing the results of logical and physical acquisitions.

Many smart phones use SQLite databases to store information, including iPhone, Android, and Palm. Figure 20.25 shows the contents of a SQLite database from a Palm device running webOS. Even after items have been deleted from a smart phone, the contents may still exist in the SQLite database file. Although the deleted entry may not be visible using a SQLite browser, it can be recovered by examining the database file in a hexadecimal viewer.

Reference: Casey, E., Cheval, A., Lee, J.Y., Oxley, D., Song, Y.J. (2011). Forensic Acquisition and Analysis of Palm webOS on Mobile Devices. Digital Investigation (in press).

FIGURE 20.25 SQLite database from a Palm webOS device viewed in SQLiteSpy (screenshot showing tables such as com.palm.pim.Contact and com.palm.pim.ContactPoint).
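The point that a deleted entry is invisible to a SQLite browser but still present in the file bytes can be reproduced directly. The block below is an added example, not code from the book or the cited paper: it builds a small constructed contacts database, deletes one row, and compares what SQL returns with what a raw byte scan of the file finds, which is the same check one would do by hand in a hexadecimal viewer.

```python
"""Show that a row deleted from a SQLite database can remain in the file.

Added example, not from the book or the cited paper. The contacts table,
names and numbers are constructed.
"""
import os
import re
import sqlite3
import tempfile


def build_sample_db(path: str) -> None:
    """Create a contacts table, insert three constructed rows, delete one."""
    con = sqlite3.connect(path)
    # secure_delete is off by default in most builds; set it explicitly so the
    # deleted cell's bytes are left in place rather than zeroed.
    con.execute("PRAGMA secure_delete = OFF")
    con.execute("CREATE TABLE contact (id INTEGER PRIMARY KEY, name TEXT, phone TEXT)")
    con.executemany(
        "INSERT INTO contact (name, phone) VALUES (?, ?)",
        [("Alice Example", "+15550100"),
         ("Bob Example", "+15550101"),
         ("Carol Example", "+15550102")],
    )
    con.commit()
    con.execute("DELETE FROM contact WHERE name = 'Bob Example'")
    con.commit()
    con.close()


def visible_names(path: str) -> list:
    """What a SQLite browser would show: only live rows."""
    con = sqlite3.connect(path)
    try:
        return [row[0] for row in con.execute("SELECT name FROM contact ORDER BY name")]
    finally:
        con.close()


def raw_contains(path: str, needle: bytes) -> bool:
    """Byte-level search over the whole file, freed cells included."""
    with open(path, "rb") as fh:
        return needle in fh.read()


def carve_phone_numbers(path: str, pattern: bytes = rb"\+1555\d{4}") -> set:
    """Carve phone-number-like strings from the raw file, live or deleted."""
    with open(path, "rb") as fh:
        data = fh.read()
    return {m.group(0).decode("ascii") for m in re.finditer(pattern, data)}


def demo() -> dict:
    """Run the whole comparison in a temporary directory and return results."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "contacts.db")
        build_sample_db(path)
        return {
            "visible": visible_names(path),
            "deleted_row_in_file": raw_contains(path, b"Bob Example"),
            "phones_in_file": sorted(carve_phone_numbers(path)),
        }


if __name__ == "__main__":
    print(demo())
```

The freed cell keeps its text because SQLite only overwrites the first bytes of a deleted cell with a free-block header; the remnant survives until the space is reused, which is why a raw scan of an acquired database file belongs in the examination even when the SQL view looks complete.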
FIGURE 20.22 Deleted MMS message being recovered from a physical memory dump of a Samsung device using Cellebrite Physical (screenshot: carved entries named mms20900003 through mms20900027, one beginning with a JPEG/Exif header).
...nd viewing the contents of files on a mobile device can lead to some useful items and may help with the development of a strategy, but this process is not a substitute for a methodical forensic examination. A strong forensic examination strategy should take into account what is known about the crime and the types of information that are being sought. For example, when there is a specific time period of interest in a case, examining all activities on the mobile device and reconstructing a timeline of events may be an effective strategy. As another example, when digital photographs are of interest in a case, an effective strategy to find all relevant items on a mobile device may be to employ a combination of file system examination, keyword searching, and file carving.

20.5.1 File System Examination on Mobile Devices

All mobile devices have some form of file system, ranging from simple proprietary ones to more complex standard ones. For instance, some Motorola and LG devices run the BREW (Binary Runtime Environment for Wireless) operating system developed by Qualcomm, which has its own file system. The file system on many CDMA devices can be viewed using BitPim, as shown in Figure 20.18. However, using BitPim it may not be possible to view date-time stamps associated with files or acquire the entire file...

FIGURE 20.18 BitPim used to browse the file system on a Motorola CDMA device.
File                              Location
SMS                               7F10/6F3C
MSISDN                            7F10/6F40
Last Dialed Numbers (LDN)         7F10/6F44
Abbreviated Dial Numbers (ADN)    7F10/6F3A
IMSI                              7F20/6F07
LOCI                              7F20/6F7E
LOCIGPRS                          7F20/6F53

FIGURE 20.27 Information extracted from a SIM card using Paraben Device Seizure (screenshot: parsed Abbreviated Dialing Numbers, Fixed Dialing Numbers, Last Number Dialed, Service Dialing Numbers, Short Messages and IMSI, the TMSI and Routing Area Identifier values, and the MF / DF_TELECOM / DF_GSM file system tree).

FIGURE 20.28 Original documentation associated with SIM card contains PUK.

20.6.1 SIM Security

As with mobile devices, security codes can be a barrier to acquiring data from SIM cards. Therefore, it is important to understand how such security protection can be overcome. Users can set a per...
...of mobile devices may require some interaction, depending on the type of extraction method used. Manual and logical acquisition methods require some degree of interaction, and physical acquisition methods require either interaction or physical deconstruction. JTAG access may be the best middle ground, but it requires knowledge of the integrated circuit, which is generally only known to manufacturers. There is no single best method to forensically acquire data from mobile phones. While logical and physical acquisition methods require the least interaction with the target device, it is often not practical to obtain an exact memory image of a device, for both logistical and technical reasons. Therefore, the phone's and SIM card's operating system must be trusted not to alter the memory when read commands are executed. If, in the course of an examination, an analyst finds that an acquisition technique has altered data, this must be noted.

FIGURE 20.12 iDEN backup (Total Files: 11 Files; Total Size: 803 KB).

Ideally, it would be possible to first acquire the full contents of physical memory from a mobile device. This gives access to deleted data, including SMS data, earlier call logs, and IMSI numbers from SIM cards that were previously inserted in the mobile device. In addition, if the user sets a customized lock code for a mobile device, thi...
...ogle Earth has a feature to import location information, and a standalone tool for plotting various GPS coordinate files on a map is PoiEdit (www.poiedit.com).

FIGURE 20.29 Waypoints extracted from a Garmin SatNav device plotted on a map using flags as markers.

Another form of relational analysis is determining how one item of evidence relates to another. This form of analysis is often called evaluation of source and may reveal the location or origin of an item of evidence, the mobile device used to create the evidentiary item, or that the evidentiary item was once part of a particular mobile device. For example, relational questions in a child exploitation case might include: Was a particular mobile device used to take evidential digital photographs? Where were the photos taken? Was the suspect's SIM card ever placed in the mobile device?

20.7.3 Functional Analysis

Forensic examiners perform a functional analysis to determine how a particular function or program on a mobile device works and how the device was configured at the time of the crime. This type of analysis can be performed using emulation software or a physical test device (Murphy, 2009). The aim of this type of analysis is to gain a better understanding of a crime or a piece of digital evidence. Malware forensics is another example of functional analysis that may be n...
...oment it is observed and available. In some situations, such as military operations or bomb threats, there is neither the time nor the resources to isolate the device from the network prior to extracting information. Furthermore, any delays could allow timed security locks to activate or provide a window for remote wiping. Effective on-scene triage processes and tools may preserve evidence that would otherwise be lost and can make the difference between life and death in certain situations (Mislan, Casey & Kessler, 2010).

After taking precautions to protect data on the device, examine it for physical damage or suspicious modifications. In most cases, a cursory examination of the exterior of the device will suffice. However, when dealing with a very technically savvy or dangerous offender, some investigative agencies use X-ray or high-resolution microscopes to detect physical damage or modifications. With the decreasing size of memory modules, they can be easily overlooked, hidden, destroyed, or swallowed. The microSD card in Figure 20.11 can store 256 MB of data, and much larger capacity cards are emerging. These storage modules can contain multimedia files and SMS/MMS messages, as well as backups of data from the mobile device.

FIGURE 20.11 A 1 GB removable storage media card in a G1 mobile device that has a small enough form factor to be overlooked but large enough storage capacity to con...
...ool will cover all mobile devices, nor will a single tool cover all situations. The currently available methods for extracting data from mobile devices are summarized in Table 20.2.

Table 20.2 Methods of Extracting Information from Mobile Devices

Manual operation via user interface
    Examiner manually accesses the phone through the user interface. To ensure that all details are documented and the chain of custody is preserved, this process is normally photographed or videotaped. Only data accessible through the operating system is retrievable. The most basic process.

Logical acquisition via communication port
    Logical acquisition methods interact with mobile devices using protocols such as AT commands and OBEX (OBject EXchange) and only extract data that is accessible through the operating system.

Physical acquisition via communication port or proprietary interface (e.g., Nokia FBUS)
    Extracts the memory contents in their entirety through the communications port. Interpreting the extracted binary is dependent on understanding how the phone stores data in memory structures.

Physical acquisition via JTAG
    Uses the JTAG interface to extract the memory contents of the device. Allows the extraction of full binaries.

Acquiring digital evidence via the...
...ormation: call register over time, Internet data usage, messages not delivered after radio isolation (be warned: SIM cloning does occur, and information is not to be taken at face value). Subscriber identifier (IMSI), SIM card identifier (ICC-ID), SMS, abbreviated dial names and numbers, last dialed numbers, location areas.

Given the wide range of potential functionality, when dealing with a particular mobile device in a case it is advisable to determine its full functionality to get a better sense of what types of digital evidence it may contain. Manufacturer documentation can provide this information, and there are Web sites that catalog the capabilities of many mobile devices, such as phonescoop.com or GSMarena.com, as shown in Figure 20.3.

FIGURE 20.3 Details from GSMarena for iPhone 4 (screenshot listing general, size, display, sound, memory, data and camera specifications).
...r selling drugs (Conrad), to apprehend over 20 drug dealers in Medford, Oregon, in 2010.

For a single mobile device it is often useful to know whom someone knows, but there is additional benefit for large investigations. Where multiple devices are involved, analysis of overlapping networks can provide leads on common friends or acquaintances and on how communication occurs between otherwise unrelated groups. Analysis of the call register will add greater insight into the strength of the connections between individuals and can provide a timeline of communication. Both the call register and the address book on a mobile device can also be used as a way of corroborating or refuting testimony from the phone's primary user.

20.3 HANDLING MOBILE DEVICES AS SOURCES OF EVIDENCE

In general, the same forensic principles that apply to any computing device also apply to mobile devices, in order to enable others to authenticate acquired digital evidence. Recall that the purpose of a forensically sound process is to document that the evidence is what you claim and has not been altered or substituted since collection. At a minimum, all steps taken to extract data should be recorded to support transparency and repeatability, enabling others to assess and repeat your work. In addition, the MD5 hash of acquired data should be calculated and documented, allowing others to verify that nothing has been altered since the data...
...rensic examinations of GSM/UMTS mobile devices, it is also important to inspect the contents of associated SIM cards. In some cases there might be multiple SIM cards that an individual uses in different countries or for different purposes. Some devices function with dual SIM cards. In addition, the storage capacity and utilization of USIM cards is increasing, and they may contain substantial amounts of relevant information. Furthermore, when a user deletes items from a SIM card, some devices will leave remnants of deleted data, like SMS messages, on the card.

The hierarchical storage structure of a SIM card is relatively straightforward, and the content of each file is defined in the GSM Technical Specification GSM 11.11. There is one master file that contains references to all other files on the SIM card. Each file is addressed using a unique two-byte hexadecimal value, with the first byte indicating whether it is a master file, dedicated file, or elementary file:

- 3F: Master file (MF)
- 7F: Dedicated file (DF)
- 2F: Elementary file under the master file
- 6F: Elementary file under a dedicated file

The technical specification designates some files with common names. For instance, the 3F00/7F10 directory is named DF_TELECOM and contains service-related information, including user-created data like SMS messages and last numbers dialed. The 3F00/7F20 directory is named DF_GSM and contains network-related information for GSM 900 MHz band operation. DF_DCS1...
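The addressing rule above (first byte gives the file type; a path runs MF, then DF, then EF) is easy to check in code, which is useful when a tool reports raw file IDs without names. The block below is an added example, not code from the book or from GSM 11.11: the file names in KNOWN_FILES are the labels the chapter's SIM file location table uses, and any other identifier is reported as unknown rather than guessed.

```python
"""Classify SIM file identifiers and validate paths by the GSM 11.11 layout.

Added example, not code from the book. The type of a two-byte file ID is
taken from its first byte as the chapter lists (3F master file, 7F dedicated
file, 2F elementary file under the MF, 6F elementary file under a DF).
"""

FILE_TYPES = {
    0x3F: "MF",            # master file
    0x7F: "DF",            # dedicated file (directory)
    0x2F: "EF_under_MF",   # elementary file directly under the master file
    0x6F: "EF_under_DF",   # elementary file under a dedicated file
}

# Names taken from the chapter's SIM file location table.
KNOWN_FILES = {
    "3F00": "MF",
    "7F10": "DF_TELECOM",
    "7F20": "DF_GSM",
    "6F3C": "SMS",
    "6F40": "MSISDN",
    "6F44": "LDN",
    "6F3A": "ADN",
    "6F07": "IMSI",
    "6F7E": "LOCI",
    "6F53": "LOCIGPRS",
}


def file_type(fid: str) -> str:
    """Return MF / DF / EF_under_MF / EF_under_DF from the ID's first byte."""
    if len(fid) != 4:
        raise ValueError(f"file ID must be two bytes (4 hex digits): {fid!r}")
    first = int(fid[:2], 16)
    if first not in FILE_TYPES:
        raise ValueError(f"unrecognised file ID prefix {fid[:2]}")
    return FILE_TYPES[first]


def validate_path(path: str) -> list:
    """Check a path such as '3F00/7F10/6F3C' obeys the MF -> DF -> EF layout.

    Returns the file names along the path. Raises ValueError when the path
    does not start at the MF, hangs something under an elementary file, or
    places a 2F/6F identifier under the wrong parent.
    """
    ids = [p.upper() for p in path.split("/") if p]
    if not ids or file_type(ids[0]) != "MF":
        raise ValueError("path must start at the master file 3F00")
    names = []
    parent = None
    for fid in ids:
        kind = file_type(fid)
        if parent in ("EF_under_MF", "EF_under_DF"):
            raise ValueError(f"{fid} cannot sit under an elementary file")
        if kind == "MF" and parent is not None:
            raise ValueError("master file may only appear at the root")
        if kind == "DF" and parent not in ("MF", "DF"):
            raise ValueError(f"dedicated file {fid} needs a directory parent")
        if kind == "EF_under_MF" and parent != "MF":
            raise ValueError(f"{fid} (2F) must sit directly under the MF")
        if kind == "EF_under_DF" and parent != "DF":
            raise ValueError(f"{fid} (6F) must sit under a dedicated file")
        names.append(KNOWN_FILES.get(fid, f"unknown({fid})"))
        parent = kind
    return names


def is_valid_path(path: str) -> bool:
    """Boolean wrapper around validate_path for quick checks."""
    try:
        validate_path(path)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for p in ("3F00/7F10/6F3C", "3F00/7F20/6F07", "3F00/6F3C"):
        print(p, "->", validate_path(p) if is_valid_path(p) else "invalid")
```

A path like 3F00/6F3C is rejected because a 6F file can only live under a dedicated file; catching that kind of inconsistency early is a cheap way to notice a tool that has mislabelled where an item was read from.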
...rite UFED device.

iXAM (http://www.ixam-forensics.com) is a forensic acquisition system specifically for the Apple iPhone and Apple iPod Touch. iXAM acquires data via the USB interface but has full physical extraction of data. iXAM is a niche system, only providing acquisition of a small number of devices from a single manufacturer. Figure 20.16 shows iXAM acquiring an Apple iPhone.

FIGURE 20.16 iXAM acquiring an Apple iPhone (screenshot: "Zero Footprint Forensic Acquisition for Apple iOS Devices", iPhone 3G connected, partitions /dev/rdisk0s1 500.00 MB and /dev/rdisk0s2 14.64 GB, hashing options RIPEMD-160, SHA-1 and SHA-256, imaging log dated 1/25/2011).
...rmation retrievable, and only information relevant to the operating system is available. As such, information potentially relevant in a forensic investigation might not be acquired; information such as deleted items won't be extracted. Mobile phones generally have a baseline of extractable data from such tools (phone address book, call register, SMS, and photographs), but additional information is not guaranteed. The limitation of these forms of application is that they rely on the assumption, shared by the desktop application and the investigator, that the phone's logic is not making any changes to other areas of the phone's memory. However, this assumption cannot be verified without the source code and circuit schematics of the phone's software and hardware, which are rarely if ever publicly available.

There are several commercial forensic tools specifically designed to acquire data from mobile phones. This section introduces some of the more popular commercial tools.

MicroSystemation XRY (http://www.msab.com) is one of the market leaders in mobile device acquisition. MicroSystemation sells products to capture mobile phones and other small-scale devices logically via USB, infrared, and Bluetooth. XRY also has an additional component, XACT, that expands capability by performing physical acquisition via the JTAG interface. XACT also allows for the acquisition of specific models of GPS receiver. Figure 20.14 shows the XRY acquisition...
...rom mobile devices. The Twister Flasher box shown in Figure 20.17 can read the physical memory from a variety of mobile devices, including many Nokia models. The Twister box interfaces with many Nokia devices via gold-colored contacts on the circuit board (shown above left). Once the correct data cable is connected between the mobile device and the Twister box, the Sarasoft software program (shown in part above) is used to read data from memory using the proprietary Nokia F-Bus protocol.

FIGURE 20.17 Twister Flasher box can connect to the FBUS interface on a Nokia device to acquire data using the Sarasoft program.

20.4.5 JTAG

JTAG (Joint Action Test Group) refers to the IEEE 1149.1 standard (http...
...revealed that he had been beaten by his mother's boyfriend, Darren Newton, over several months (Williams, 2010). Incriminating evidence was found in the form of videos that Newton had taken using his mobile device of himself assaulting the ... s, apparently taken over a period of months, showed Newton repeatedly slapping the child on the head for extended periods. On November 19, the final time that Newton assaulted Charlie Hunt, the child died. Newton was sentenced to life in prison for murder.

Smart phones have Internet capability rivalling that on many computers. A more advanced smart phone will additionally store an Internet history, Internet cache, Internet bookmarks, MMS, e-mail, photographs, videos, and installed third-party applications, and may be used for transferring computer files. E-mail and Internet browser history and bookmarks can provide great forensic insight, and phones provide another source of this data. There is also a wealth of information in third-party installed applications. Although online application marketplaces have existed for several years, they are now playing an increasing part in the user experience of mobile devices and greatly augment the capability of individual mobile phones.

20.2.1 Location Information

The ability to determine the location of mobile devices during a period of interest is a powerful investigative capability. Some mobile devices record the location of cellular towers they contacted, pot...
...s information can be extracted from a full memory dump and then used to acquire the device logically. Unfortunately, current forensic tools are not able to acquire physical memory from every type of mobile device, and hardware access methods require specialized knowledge and equipment that are not available in many cases. Fortunately, the unlock code for some mobile devices can be obtained or bypassed using forensic tools that acquire logical data from mobile devices. The benefit of acquiring a device logically is that it provides you with additional context for the data (i.e., which filename it was associated with) and associated metadata (e.g., when the data were created). For some devices, only the manufacturer's backup utility is currently capable of extracting certain items. For instance, Figure 20.12 shows the Motorola backup utility for iDEN phones obtaining files from a mobile device that could not be acquired using any forensic tools.

FIGURE 20.12 (screenshot: file listing from the Motorola iDEN backup utility, including Dec03_0001 to Dec03_0005 .jpg and .3gp files and Love_You.gif, 28 KB).

PRACTITIONER'S TIP: Dealing with Password Protection
Many mobile devices permit users to set a password to restrict access to the device. For cer...
...sonal identification number (PIN) to restrict access to their SIM card. Brute force attacks against the PIN are generally ineffective, unless the manufacturer default was never reset by the user, because three failed PIN attempts will result in the SIM being locked. Fortunately, some phones have a PIN unblocking key (PUK) in their documentation, as shown in Figure 20.28, and many network service providers (NSP) can provide the PUK to get around the PIN or to access a locked SIM card. With the proper legal authorization and NSP contact, forensic investigators may be able to obtain a PUK in a matter of minutes. However, not all NSPs retain the PUK for the SIM cards they sell, and in some situations it may not be feasible to involve the NSP.

20.7 INVESTIGATIVE RECONSTRUCTION USING MOBILE DEVICES

Given the variety of information that mobile devices contain about people's communications, movements, and online activities, these sources of digital evidence can be instrumental in helping digital investigators reconstruct events surrounding a crime. The primary methods covered in Chapter 6 for performing investigative reconstruction are presented here in the context of mobile devices.

20.7.1 Temporal Analysis

One of the most common forms of temporal analysis is creating a timeline of events to gain a greater understanding of what occurred around the time of a crime and to help investigators identify patterns and gaps, potentially leading to other so...
...tain devices it is possible to bypass or recover such protection. It is generally inadvisable to guess a lock code or passphrase, because some mobile devices will wipe their contents after too many failed attempts. Some jurisdictions also provide legislative recourse to acquire passphrases and lock codes from suspects when technical methods are not effective or feasible. Such recourse often requires a court order or warrant. Be aware that a blank or broken display may simply indicate that the screen is damaged, and it may still be possible to extract evidence via cable, as shown in Figure 20.13.

FIGURE 20.13 Physical acquisition of a broken mobile device using XACT.

20.4.1 Mobile Device Forensics Tools

Forensic tools are in constant development to provide a convenient means of extracting specific data from various mobile devices, typically logically via cable, infrared, and Bluetooth, or physically via cable or JTAG. All of these tools function in a similar way, sending commands to the phone and recording responses that contain information stored in the phone's memory. The information that can be extracted using these methods depends on both the connection mechanism and the model of the phone.

Logical mobile phone acquisition systems interact with the phone operating system to extract data, much in the same way the vendor synchronization systems do. As such, there are limitations to the info...
...tain useful digital evidence.

Even experienced forensic practitioners sometimes overlook these small-scale storage modules. The slot for these storage modules is very difficult to find on some mobile devices, like the G1. If, while assessing the capabilities of a mobile device, you find that the device supports a removable storage card, check for the presence of such a card in the evidentiary device right away. When you find a removable storage module in a mobile device, remove it immediately to preserve the information that it contains. These storage media are generally FAT formatted and can be handled in a forensic manner in the same way as other storage media. Specifically, document the serial number and any other identifying details, examine the media for damage, activate write protection switches if present, and then create a forensic duplicate of the contents via a suitable adapter. The resulting forensic duplicate can be examined using your forensic software of choice, enabling exploration of the file system and recovery of deleted files.

PRACTITIONER'S TIP: Evidence Contamination
When certain mobile devices are powered on without their SIM card, they instruct the user to insert a SIM card. Do not insert your personal SIM card, since data transfer or data loss may occur. For example, Windows Mobile devices automatically import the contents of an inserted SIM card. So if you were to insert your own SIM card, the device will be contaminat...
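Section 20.3 asks for the hash of acquired data to be calculated and documented, and the procedure above ends with a forensic duplicate of the storage card that others must be able to verify. The block below is an added example, not code from the book: it hashes an image in one pass, writes a sidecar record, and re-verifies the image against it. MD5 is computed because the chapter names it; SHA-256 is computed alongside because MD5 collisions are practical, so a second algorithm gives a stronger record. The image bytes are constructed.

```python
"""Compute and verify integrity hashes for an acquired image.

Added example, not code from the book. Hashes a file in chunks (so a
multi-gigabyte image does not have to fit in memory), records the digests as
JSON beside the image, and re-checks the image against that record.
"""
import hashlib
import io
import json
import os
import tempfile

ALGORITHMS = ("md5", "sha256")


def hash_stream(stream, algorithms=ALGORITHMS, chunk_size=1 << 20) -> dict:
    """Hash a binary stream with several algorithms in a single pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    while True:
        block = stream.read(chunk_size)
        if not block:
            break
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data: bytes, algorithms=ALGORITHMS) -> dict:
    """Convenience wrapper for in-memory data."""
    return hash_stream(io.BytesIO(data), algorithms)


def hash_file(path: str, algorithms=ALGORITHMS) -> dict:
    with open(path, "rb") as fh:
        return hash_stream(fh, algorithms)


def write_hash_record(image_path: str, record_path: str) -> dict:
    """Record the image's size and hashes as JSON next to the image."""
    record = {
        "image": os.path.basename(image_path),
        "size": os.path.getsize(image_path),
        "hashes": hash_file(image_path),
    }
    with open(record_path, "w", encoding="utf-8") as fh:
        json.dump(record, fh, indent=2)
    return record


def verify_image(image_path: str, record_path: str) -> dict:
    """Recompute the recorded algorithms and report a match per algorithm."""
    with open(record_path, encoding="utf-8") as fh:
        record = json.load(fh)
    current = hash_file(image_path, tuple(record["hashes"]))
    return {alg: current[alg] == digest for alg, digest in record["hashes"].items()}


def demo() -> dict:
    """Hash a constructed image, verify it, alter one byte, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "sdcard.dd")
        record = image + ".hashes.json"
        with open(image, "wb") as fh:
            # constructed FAT-style boot sector prefix followed by zero fill
            fh.write(b"\xEB\x3C\x90MSDOS5.0" + bytes(4096))
        write_hash_record(image, record)
        before = verify_image(image, record)
        with open(image, "r+b") as fh:      # simulate a one-byte alteration
            fh.seek(100)
            fh.write(b"\xFF")
        after = verify_image(image, record)
        return {"before": before, "after": after}


if __name__ == "__main__":
    print(demo())
```

Keeping the record as a separate file, with the size alongside the digests, lets a second examiner re-run verify_image on the duplicate without the original tooling, which is the repeatability the chapter asks for.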
...technology creates opportunities for criminals and investigators alike. The information stored on and associated with mobile devices can help address the crucial questions in an investigation, revealing whom an individual has been in contact with, what they have been communicating about, and where they have been. Sexual predators can use a mobile device to make initial contact with victims, exchange photographs or videos, and groom victims, creating a vivid cybertrail for digital investigators to follow. Mobile devices have been instrumental in solving homicides, are used by terrorists for reconnaissance and coordination, can be used to smuggle contraband across borders, and are frequently found in prisons despite being prohibited. Members of major criminal organizations and gangs use mobile devices to coordinate activities.

Digital Evidence and Computer Crime, Third Edition. 2011, Eoghan Casey. Published by Elsevier Inc. All rights reserved.

CONTENTS
Mobile Device Forensics ... 2
Types of Evidence on Mobile Devices ... 6
Handling Mobile Devices as Sources of Evidence ... 16
Forensic Preservation of Mobile Devices ... 19
Forensic Examination and Analysis of Mobile Devices ... 29
Forensic Acquisition and Examination of SIM Cards ... 38
Investigative Reconstruction Using Mobile Devices ... 40
Future Trends ... 42
Summary ... 43
References
...monitor activities of the users on a computer and steal their online banking information. A variant of this program tricked computer users into providing information about their mobile ... to device. This information was then used to intercept SMS messages associated with online banking and to capture mobile transaction authentication numbers used to approve unauthorized bank transactions.

In addition, programs are available to monitor activities on mobile devices, including Windows Mobile, Blackberry, and iPhone. These programs are sometimes called spouseware, effectively eavesdropping on the user of the device. Details about text messages, calls, Internet browsing, and GPS coordinates are recorded and can be viewed via a Web site by a person with the associated credentials. For instance, Figure 20.8 lists text messages on a Windows Mobile device running MobileSpy. This information is only viewable by someone with a username and password associated with that specific installation of MobileSpy. These programs leave traces on mobile devices that can be found through forensic examination.

As people and organizations become more reliant on mobile devices, computer criminals will devote more attention to exploiting these devices to victimize individuals and break into corporate networks. Mobile devices can also be used as a platform to launch attacks against other systems. Several computer and network security tools have been ported to mobile devices...
71. ...tom operating systems or individual implementations will decrease over time. The future of mobile phone and device forensic analysis will, to a greater degree, involve the reverse engineering of third-party applications. Such applications are platform dependent, written either with native SDKs or through third-party tool sets, and have differing access to the underlying operating system. Understanding the capability and intent of third-party applications may be vital to forensic analysts in certain circumstances, as they may be malicious in nature, indirectly facilitate crime, provide communication mechanisms outside of standard on-phone systems, or store data of forensic value either locally or on externally hosted servers. Third-party applications are also likely gateways to cloud services, which are increasingly catering to mobile devices. The forensic implications of cloud computing are beyond the scope of this work, but you must be aware of both their existence and the idea that evidence exists beyond the device itself. Low-end phones with basic functionality will continue to exist in significant numbers. From a digital forensic perspective these phones are cheap and disposable, and it is difficult to attribute ownership. Such analysis needs greater scalability for situations where an individual may control multiple phones, multiple groups control a single phone, and for large-scale social network analysis. Current links...
72. ...urces of evidence. Given the variety and potentially large quantity of temporal information on mobile devices, it is a good practice to maintain a timeline as events are uncovered to ensure that nothing is overlooked and that important events become apparent promptly. There are other approaches to analyzing temporal data, such as plotting them in a histogram to find repeated events or periods of highest activity. When multiple sources of information are being correlated, temporal analysis may tie events together based on coincidental timing of their occurrence. For instance, location-based evidence may place the suspect at the scene of a crime at the exact time the offense occurred. As such, combining details from the various forms of analysis can lead to a detailed reconstruction of who did what, when, and where. 20.7.2 Relational Analysis: A full relational analysis can include the geographic location of mobile devices and the associated users, as well as any communication transaction that occurred between them. In a major crime investigation involving a large group of people and devices, creating a detailed relational analysis of where each party was located and how they interacted can reveal a crucial relationship. GPS-enabled mobile devices and SatNav systems may store waypoints and other GPS coordinates in a file format that can be imported into mapping tools, as shown in Figure 20.29. Go...
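The timeline, activity histogram, and "coincidental timing" correlation described above, worked through as an added example (not code from the chapter). The handset records and SatNav waypoints are constructed sample data; the device names, timestamps, and the five-minute window are assumptions.

```python
from collections import Counter, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts device kind detail")

# Constructed sample records (not from any real case): entries recovered from a
# hypothetical handset "phone-A" and waypoints from a hypothetical SatNav unit.
PHONE_A = [
    ("2011-03-04 21:58", "phone-A", "call", "outgoing call, 2 min"),
    ("2011-03-04 22:03", "phone-A", "sms", "SMS sent"),
    ("2011-03-04 22:40", "phone-A", "call", "incoming call, missed"),
    ("2011-03-05 09:15", "phone-A", "sms", "SMS received"),
]
SATNAV = [
    ("2011-03-04 22:05", "satnav", "waypoint", "waypoint 1 (constructed coordinates)"),
    ("2011-03-04 22:42", "satnav", "waypoint", "waypoint 2 (constructed coordinates)"),
    ("2011-03-05 13:20", "satnav", "waypoint", "waypoint 3 (constructed coordinates)"),
]

def build_timeline(*sources):
    """Merge records from any number of sources into one chronological timeline."""
    events = [Event(datetime.strptime(ts, "%Y-%m-%d %H:%M"), dev, kind, detail)
              for src in sources for ts, dev, kind, detail in src]
    return sorted(events, key=lambda e: e.ts)

def hourly_histogram(timeline):
    """Events per clock hour: the histogram used to spot repeated events and
    periods of highest activity."""
    return Counter(e.ts.strftime("%Y-%m-%d %H:00") for e in timeline)

def peak_hour(timeline):
    """The busiest hour and its event count, as a (label, count) pair."""
    return hourly_histogram(timeline).most_common(1)[0]

def coincident_events(timeline, window_minutes=5):
    """Pair events from different devices that fall within the window: the
    coincidental timing that can tie a location record to a communication."""
    window = timedelta(minutes=window_minutes)
    pairs = []
    for i, a in enumerate(timeline):
        for b in timeline[i + 1:]:
            if b.ts - a.ts > window:
                break  # timeline is sorted, so nothing later can fall in the window
            if a.device != b.device:
                pairs.append((a, b))
    return pairs
```

With the sample data, `peak_hour` reports the 22:00 hour on 2011-03-04 (four events) and `coincident_events` pairs the 22:03 SMS and the 22:40 call with the waypoints logged two minutes after each.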
73. ...were acquired. Any issues encountered during the acquisition process should also be noted, even when they are embarrassing or the cause is unknown. Documentation must also show continuous possession and control throughout its lifetime. Therefore, it is necessary not only to record details about the collection process but also every time it is transported or transferred and who was responsible. Keep in mind that some devices can receive data through wireless networks that might bring new evidence but might overwrite existing data. Therefore, an investigator must make a calculated decision to either prevent or allow the device to receive new data over wireless networks, as depicted in Figure 20.10. Removing the battery from a mobile device will prevent it from communicating but may also activate security measures such as lock codes and encryption that could prevent further access to data on the device. In addition, when using acquisition methods that require the mobile device to be powered on, it is necessary to isolate the mobile device from networks. [Figure 20.10, flowchart of handling mobile devices; node labels recovered from the figure: Discovery of mobile device; Is mobile device on?; Document what is on screen; Leave device on; Isolate device from network; Collect all cables, user documentation, storage media, peripherals, and computers used to sync with device; Complete evidence ...]
74. ...y IMEI, which includes a serial number for the device. On CDMA phones the ESN is an 11-digit number, with the first three digits designating the manufacturer and the remainder unique to the device. The ESN is being replaced with the MEID, which is the CDMA equivalent of the IMEI. There are tools available online that can be used to interpret many of these numbers (e.g., www.numberingplans.com). In addition, some manufacturers assign their own unique serial numbers to mobile devices they make, and Bluetooth-enabled devices also have a unique hardware MAC address. Some mobile devices also have an FCC ID, which can be used to search the Web site of the U.S. Federal Communications Commission (http://www.fcc.gov/oet/ea/fccid) for details about the device, including user manual and photographs. 20.1.2 SIM Cards: GSM devices use SIM cards to authenticate with the network and store various information, including some user-generated activities. SIM cards follow a standard for what information is stored where on the card. However, SIM cards come in slightly different shapes and sizes, as shown in Figure 20.2. As a result, a SIM card reader may not be able to accommodate or read data from all SIM cards. [Figure 20.2: SIM cards of various sizes.] SIM cards are comprised of a microprocessor, ROM, and RAM, and are assigned a unique Integrated Circuit Card Identifier (ICC-ID). The ICC-ID contains the mobile country...
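An added example (not from the chapter) for sanity-checking the device identifiers discussed above before they are recorded in evidence documentation: it splits an IMEI and a decimal ESN into their fields. The sample IMEI and ESN are constructed values; the Luhn check digit as the IMEI's 15th digit, the 8-digit TAC plus 6-digit serial split, and the 8-hex-digit ESN label form are standard facts that go beyond what the page states.

```python
import re

# Constructed sample identifiers for this example (not taken from any real device).
SAMPLE_IMEI = "49-015420-323751-8"   # a commonly used demonstration IMEI
SAMPLE_ESN = "123 00012345"          # decimal ESN: manufacturer code 123, serial 12345

def luhn_check_digit(body: str) -> int:
    """Luhn check digit for a digit string. The IMEI's 15th digit is a Luhn
    check digit over the first 14 (a standard fact not stated on the page)."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:             # double every second digit, starting at the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return (10 - total % 10) % 10

def parse_imei(imei: str) -> dict:
    """Split an IMEI into TAC (8 digits), serial (6 digits) and check digit,
    and report whether the check digit is consistent with the other 14."""
    digits = re.sub(r"[\s-]", "", imei)
    if not re.fullmatch(r"\d{15}", digits):
        raise ValueError("IMEI must be 15 decimal digits")
    return {
        "tac": digits[:8],
        "serial": digits[8:14],
        "check_digit": digits[14],
        "valid": int(digits[14]) == luhn_check_digit(digits[:14]),
    }

def parse_esn(esn: str) -> dict:
    """Split an 11-digit decimal ESN into its 3-digit manufacturer code and 8-digit
    serial, and give the 8-hex-digit form often printed on device labels."""
    digits = re.sub(r"\s", "", esn)
    if not re.fullmatch(r"\d{11}", digits):
        raise ValueError("decimal ESN must be 11 digits")
    mfr, serial = int(digits[:3]), int(digits[3:])
    if mfr > 0xFF or serial > 0xFFFFFF:
        raise ValueError("ESN fields out of range for a 32-bit ESN")
    return {
        "manufacturer_code": digits[:3],
        "serial": digits[3:],
        "hex": f"{mfr:02X}{serial:06X}",
    }
```

A failed check digit usually means a transcription error from the label or the `*#06#` display, which is worth catching before the number goes into the chain-of-custody record.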
