Module 4.1 Mobile and Network Forensics

The document provides an overview of mobile forensics, detailing the types of data stored on mobile devices, including call logs, messages, and personal information. It discusses the architecture of GSM networks, the components involved, and the methods for data extraction from mobile devices, highlighting logical, filesystem, and physical extraction types. Additionally, it covers the principles of triangulation and trilateration for location tracking within mobile networks.

Uploaded by 1483shubhampedhe

Introduction to Mobile Forensics

● People store a wealth of information on cell phones
– People don’t think about securing their cell phones
● Items stored on cell phones:
– Incoming, outgoing, and missed calls
– Text and Short Message Service (SMS) messages
– E-mail
– Instant-messaging (IM) logs
– Web pages
– Pictures
● Phones store system data in electronically erasable programmable read-only memory (EEPROM)
– Enables service providers to reprogram phones without having to physically access memory chips
● OS is stored in ROM
– Nonvolatile memory
● Subscriber identity module (SIM) cards
– Found most commonly in GSM devices
– Microprocessor and from 16 KB to 4 MB EEPROM
● Sometimes even more, up to 1 GB EEPROM
– GSM refers to mobile phones as “mobile stations” and divides a station into two parts:
● The SIM card and the mobile equipment (ME)
– SIM cards come in two sizes
– Portability of information makes SIM cards versatile
– Additional SIM card purposes:
• Identifies the subscriber to the network
• Stores personal information
• Stores address books and messages
• Stores service-related information
● Personal digital assistants (PDAs)
– Can be separate devices from mobile phones
– Most users carry them instead of a laptop
● PDAs house a microprocessor, flash ROM, RAM, and various hardware components
● The amount of information on a PDA varies depending on the model
● Usually, you can retrieve a user’s calendar, address book, Web access, and other items
● Messages might be received on the mobile device after seizure
● Isolate the device from incoming signals with one of the following options:
– Place the device in a paint can
– Use the Paraben Wireless StrongHold Bag
– Use eight layers of antistatic bags to block the signal
● The drawback to using these isolating options is that the mobile device is put into roaming mode
– Which accelerates battery drainage
● Check these areas in the forensics lab:
– Internal memory
– SIM card
– Removable or external memory cards
– System server
● Checking system servers requires a search warrant or subpoena
● SIM card file system is a hierarchical structure:
• MF: master file, the root of the file system
• DF: dedicated files (directories)
• EF: elementary files, which hold the actual data
● Information that can be retrieved:
– Service-related data, such as identifiers for the SIM card and the subscriber
– Call data, such as numbers dialed
– Message information
– Location information
● If power has been lost, PINs or other access codes might be required to view files
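As an added example (not part of the slides), the following Python walks a constructed SIM file hierarchy of the MF/DF/EF kind described above and decodes the two service-related identifiers an examiner reads first, the ICCID and the IMSI. The file IDs (MF 3F00, EF_ICCID 2FE2, DF_GSM 7F20, EF_IMSI 6F07) and the swapped-nibble BCD layout come from GSM 11.11 / 3GPP TS 51.011, not from the slides; the card image is constructed.

```python
"""Walk a SIM file hierarchy (MF -> DF -> EF) and decode the ICCID and IMSI
from raw elementary-file bytes.

Added example: file IDs and coding follow GSM 11.11 / 3GPP TS 51.011;
the card image below is constructed, not read from a real card."""

# Constructed card image: path of file IDs -> raw EF contents, as an
# examiner's tool would read them from the card.
SAMPLE_SIM = {
    ("3F00", "2FE2"): bytes.fromhex("98190000214365870921"),        # EF_ICCID
    ("3F00", "7F20", "6F07"): bytes.fromhex("080910101032547698"),  # EF_IMSI
}


def read_ef(sim: dict, *path: str) -> bytes:
    """Resolve an EF by its path from the MF; raise if it is absent."""
    try:
        return sim[tuple(path)]
    except KeyError:
        raise FileNotFoundError("/".join(path)) from None


def swapped_bcd_digits(data: bytes) -> str:
    """Decode a swapped-nibble BCD field (low nibble is the earlier digit).
    0xF nibbles are padding and are dropped."""
    digits = []
    for byte in data:
        for nibble in (byte & 0x0F, byte >> 4):
            if nibble == 0x0F:
                continue
            if nibble > 9:
                raise ValueError(f"non-BCD nibble 0x{nibble:X}")
            digits.append(str(nibble))
    return "".join(digits)


def decode_iccid(raw: bytes) -> str:
    """EF_ICCID is a fixed 10-byte swapped-BCD field (up to 20 digits)."""
    if len(raw) != 10:
        raise ValueError("EF_ICCID must be 10 bytes")
    return swapped_bcd_digits(raw)


def decode_imsi(raw: bytes) -> str:
    """EF_IMSI: byte 0 = number of used bytes; byte 1 carries the first
    digit in its high nibble and a parity/type nibble in its low nibble
    (bit 4 set = odd digit count); the other digits follow as swapped BCD."""
    if len(raw) != 9:
        raise ValueError("EF_IMSI must be 9 bytes")
    used = raw[0]
    if not 1 <= used <= 8:
        raise ValueError(f"bad IMSI length byte {used}")
    body = raw[1:1 + used]
    odd_length = bool(body[0] & 0x08)
    imsi = str(body[0] >> 4) + swapped_bcd_digits(body[1:])
    if not 6 <= len(imsi) <= 15:
        raise ValueError("IMSI digit count out of range")
    if odd_length != (len(imsi) % 2 == 1):
        raise ValueError("IMSI parity flag disagrees with digit count")
    return imsi


def subscriber_identifiers(sim: dict = SAMPLE_SIM) -> dict:
    """Service-related data pulled first: card (ICCID) and subscriber (IMSI)."""
    imsi = decode_imsi(read_ef(sim, "3F00", "7F20", "6F07"))
    return {
        "iccid": decode_iccid(read_ef(sim, "3F00", "2FE2")),
        "imsi": imsi,
        "mcc": imsi[:3],  # mobile country code is always the first 3 digits
    }
```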
Common smartphone platforms
1. iOS
2. Android
3. BlackBerry OS
4. Windows Phone
GSM and CDMA cellular networks
GSM
• Time Division Multiple Access (TDMA) based technology
• 200 kHz bandwidth per carrier
• Deployed in reuse pattern 3/9, 4/12, 7/21
• Available operating frequencies 900, 1800, 1900 MHz
• Uses a SIM card
CDMA
• Code Division Multiple Access based technology
• 1.25 MHz bandwidth per carrier
• Reuse factor 1
• Available operating frequencies 450, 800, 1900 MHz
• Uses a RUIM card
Performance characteristics of GSM
Communication: mobile, wireless communication; support for voice and data services
Total mobility: international access, chip-card enables use of access points of different providers
Worldwide connectivity: one number, the network handles localization
High capacity: better frequency efficiency, smaller cells, more customers per cell
High transmission quality: high audio quality and reliability for wireless, uninterrupted phone calls at higher speeds (e.g., from cars, trains)
Security functions: access control, authentication via chip-card and PIN
Frequency Bands and Spectrum Efficiency
GSM operates in standardized frequency bands such as 900 MHz, 1800 MHz, and 1900 MHz. Efficient use of these frequencies is achieved through:
● Frequency Division Multiple Access (FDMA): Allocates separate frequency bands for uplink and downlink communication.
● Time Division Multiple Access (TDMA): Divides each frequency channel into eight time slots to allow multiple users to share the same frequency.
Advantage: Spectrum efficiency allows a higher number of users in a given frequency band, improving network capacity and scalability.
Data Rates
GSM supports data rates up to 9.6 kbps for circuit-switched data. Enhanced versions, such as GPRS and EDGE, increase data rates to 56-114 kbps and 384 kbps, respectively.
Advantage and limitation: While adequate for voice and basic text communication, GSM's lower data rates compared to modern technologies limit its effectiveness for high-speed internet and multimedia applications.
Mobility Management
GSM supports handover mechanisms to maintain ongoing calls when users move between cells. It uses location updates and a hierarchical cell structure to track and manage mobility.
Advantage: Ensures seamless communication and connection stability, essential for mobile users.
Security
Implements features like Subscriber Identity Authentication and encryption (A5/1, A5/2 algorithms) to protect user identity and communication.
Advantage: Improves user trust by safeguarding sensitive information, though modern technologies may surpass GSM's security measures.
Power Efficiency
GSM uses power control mechanisms to adjust the transmission power dynamically, reducing battery consumption in mobile devices.
Advantage: Increases the battery life of mobile devices, especially critical in resource-constrained environments.
Network Scalability
GSM networks are scalable due to their hierarchical design and the use of small cell sizes in densely populated areas (micro, pico cells).
Advantage: Supports a large number of users in urban areas, improving network performance in high-demand locations.
Disadvantages of GSM
● no end-to-end encryption of user data
● no full ISDN bandwidth of 64 kbit/s to the user, no transparent B-channel
● reduced concentration while driving
● electromagnetic radiation
● abuse of private data possible
● roaming profiles accessible
● high complexity of the system
● several incompatibilities within the GSM standards
Architecture of GSM
Main Components of a GSM Network
1. Mobile Station (MS)
● Mobile Equipment (ME)
● Subscriber Identity Module (SIM)
2. Base Station Subsystem (BSS)
● Base Transceiver Station (BTS)
● Base Station Controller (BSC)
3. Network Subsystem (Core Network)
● Mobile Switching Center (MSC)
● Visitor Location Register (VLR)
● Home Location Register (HLR)
● Authentication Center (AUC)
● Equipment Identity Register (EIR)
4. Gateway Subsystem (GGSN/SGSN)
● Serving GPRS Support Node (SGSN)
● Gateway GPRS Support Node (GGSN)
Mobile Station (MS)
The Mobile Station is the end-user device, typically a mobile phone, that communicates with the network. It consists of:
● Mobile Equipment (ME): The physical device (mobile phone, smartphone, etc.).
● Subscriber Identity Module (SIM): A smart card that stores subscriber information and encryption keys for authentication and security.
Key Roles:
● Initiates and receives calls and messages.
● Handles encryption and decryption of signals for secure communication.
● Communicates with the Base Station Subsystem (BSS) via radio links.
Base Station Subsystem (BSS)
The BSS is responsible for handling the radio communication between the Mobile Station and the network. It consists of two key components:
Base Transceiver Station (BTS):
The BTS handles radio communication with mobile devices by managing signals, transmitting, and receiving data. It establishes radio links, allocates channels, and facilitates seamless data transmission.
Base Station Controller (BSC):
The BSC manages multiple BTS units, ensuring efficient radio resource utilization. It oversees handovers, frequency allocation, power levels, and call management between mobile stations and the network.
Network Subsystem (Core Network)
The Network Subsystem is responsible for managing and routing calls, messages, and data between different parts of the network. It consists of several components:
Mobile Switching Center (MSC):
The MSC manages call routing, switching, and communication between mobile users and external networks like the PSTN. It handles call setup, release, handovers, and maintains call records for billing.
Visitor Location Register (VLR):
The VLR temporarily stores subscriber data, including location and subscription details, for users within a specific MSC area. It facilitates faster call setup by caching information from the HLR.
Home Location Register (HLR):
The HLR is a centralized database storing permanent subscriber information such as phone numbers, service plans, and authentication keys. It manages subscription details and user status.
Authentication Center (AUC):
The AUC verifies subscriber identities through authentication procedures and provides encryption keys to ensure secure communication.
Equipment Identity Register (EIR):
The EIR is a database containing information about mobile equipment (IMEI). It tracks authorized, suspicious, and stolen devices, preventing unauthorized device use on the network.
Gateway Subsystem (GGSN/SGSN)
In later versions of GSM, especially with the advent of GPRS and EDGE, the Gateway Subsystem is added to support data services.
Serving GPRS Support Node (SGSN):
The SGSN handles data packet transfers between mobile devices and the network. It manages user mobility and tracks the location of devices during data sessions.
Gateway GPRS Support Node (GGSN):
The GGSN acts as an interface between the GSM network and external IP-based networks like the internet. It routes data packets and maps mobile IP addresses to external network IPs.
Interaction of Components in GSM
Call Setup (Voice or Data):
● The Mobile Station (MS) initiates the call by sending a signal to the BTS.
● The BTS sends the request to the BSC, which controls the radio resources and manages the connection.
● The BSC communicates with the MSC to route the call. If the call is local, the MSC handles the connection internally; if it’s to an external network, the MSC interfaces with the PSTN or another mobile network.
Authentication:
● The MSC checks the VLR for temporary subscriber information. If the VLR doesn’t have the data, it queries the HLR for permanent subscriber data.
● The AUC verifies the subscriber’s identity using encryption keys stored in the SIM and AUC.
Data Transmission (for GPRS/EDGE services):
● For packet-switched services, the SGSN tracks the mobile station’s location and manages data sessions.
● The GGSN routes data to and from the internet, enabling the user to access web pages, email, etc.
Handovers:
● As a mobile station moves from one cell to another, the BSC manages handovers between BTS units to maintain call quality and service continuity.
Call Termination:
● Once the communication is complete, the MSC terminates the call. The BSC and BTS release the radio channel.
● The MSC communicates with the VLR to update the subscriber's location, and the call details are logged for billing purposes.
Triangulation and Trilateration
Triangulation in Mobile Networks:
Principle: Uses the angles at which signals from a mobile device are received by multiple cell towers.
Method:
When a mobile device communicates with multiple cell towers, the network measures the Angle of Arrival (AoA) of the signal at each tower.
With at least two cell towers, the angles of the signals received from the mobile device are used to form geometric triangles.
The exact position of the device is determined using trigonometry, similar to how it is done in land surveying.
Accuracy: Depends on precise measurement of angles. Works best with high-resolution directional antennas and minimal signal reflection (line of sight).
Resource Requirements:
● Directional antennas or AoA measurement equipment.
● Multiple base stations with overlapping coverage areas.
Challenges:
● Signal reflection or multipath propagation in urban environments can distort angle measurements.
● Limited accuracy in non-line-of-sight (NLOS) conditions.
Trilateration in Mobile Networks:
Principle: Relies on measuring the distances between the mobile device and multiple cell towers.
Method:
In trilateration, the mobile network measures the time it takes for a signal to travel between the mobile device and the nearest cell towers, known as Time of Arrival (ToA) or Time Difference of Arrival (TDoA).
By calculating the distance from the device to at least three towers, circles (in 2D) or spheres (in 3D) are drawn around the towers.
The intersection of these circles or spheres represents the mobile device’s location.
Accuracy: Generally more reliable than triangulation, especially with accurate distance measurements. However, accuracy depends on:
● The precision of ToF (time-of-flight, i.e. ToA/TDoA) or RSSI (received signal strength) measurements.
● Placement and density of reference points.
Resource Requirements:
● Requires synchronized clocks (for ToF) or calibrated signal strength measurements (for RSSI).
● Multiple reference points with known positions.
Challenges:
● Multipath effects, signal interference, and environmental factors can distort distance estimates.
● NLOS conditions reduce accuracy.
Triangulation and Trilateration Comparison

Aspect           Triangulation                              Trilateration
Principle        Angles of arrival (AoA)                    Distances from reference points
Accuracy         High in line-of-sight (LoS) conditions;    Higher accuracy in dense networks,
                 lower in multipath environments            but affected by NLOS and interference
Resource Needs   Directional antennas; overlapping          Accurate distance measurement tools;
                 base stations                              synchronized clocks
Challenges       Multipath propagation; angle               Multipath interference; environmental
                 measurement errors                         distortions in distance measurement
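The AoA triangulation and ToA trilateration procedures described above, worked through in code as an added example that is not part of the slides. Tower coordinates, the handset position and the ideal line-of-sight measurements are constructed; the trilateration uses the standard linearised least-squares step, which also lets it accept more than three towers, and both functions reject the degenerate geometries (parallel bearings, collinear towers) that a real fix must guard against.

```python
"""Locate a handset from tower measurements: AoA triangulation (two
towers) and ToA trilateration (three or more towers).
Added example; all positions and measurements are constructed."""
import math

C = 299_792_458.0  # speed of light in m/s, turns a ToA into a range


def solve_2x2(a11, a12, a21, a22, b1, b2):
    """Solve [[a11 a12],[a21 a22]] (x, y) = (b1, b2) by Cramer's rule."""
    det = a11 * a22 - a12 * a21
    if abs(det) < 1e-12:
        raise ValueError("singular geometry (collinear towers or parallel bearings)")
    return ((b1 * a22 - b2 * a12) / det, (a11 * b2 - a21 * b1) / det)


def triangulate(tower_a, bearing_a, tower_b, bearing_b):
    """AoA fix: intersect the rays leaving each tower at its measured bearing
    (radians, counter-clockwise from +x).  Two towers are enough."""
    (xa, ya), (xb, yb) = tower_a, tower_b
    # xa + t*cos(a) = xb + s*cos(b)   and   ya + t*sin(a) = yb + s*sin(b)
    t, s = solve_2x2(math.cos(bearing_a), -math.cos(bearing_b),
                     math.sin(bearing_a), -math.sin(bearing_b),
                     xb - xa, yb - ya)
    if t <= 0 or s <= 0:
        raise ValueError("rays do not meet in front of both antennas")
    return (xa + t * math.cos(bearing_a), ya + t * math.sin(bearing_a))


def trilaterate(towers, toa_seconds):
    """ToA fix from >= 3 towers.  Each ToA becomes a range d = c*t.  The circle
    equations (x-xi)^2 + (y-yi)^2 = di^2 are linearised by subtracting the
    first tower's equation, then solved by least squares (normal equations)."""
    if len(towers) < 3 or len(towers) != len(toa_seconds):
        raise ValueError("need at least three towers with matching ToA values")
    d = [C * t for t in toa_seconds]
    (x1, y1), d1 = towers[0], d[0]
    rows = []
    for (xi, yi), di in zip(towers[1:], d[1:]):
        a = 2 * (xi - x1)
        b = 2 * (yi - y1)
        rhs = (xi**2 - x1**2) + (yi**2 - y1**2) - (di**2 - d1**2)
        rows.append((a, b, rhs))
    s11 = sum(a * a for a, _, _ in rows)
    s12 = sum(a * b for a, b, _ in rows)
    s22 = sum(b * b for _, b, _ in rows)
    r1 = sum(a * r for a, _, r in rows)
    r2 = sum(b * r for _, b, r in rows)
    return solve_2x2(s11, s12, s12, s22, r1, r2)


# Constructed scenario: three towers (metres), handset at (300, 400).
TOWERS = [(0.0, 0.0), (1000.0, 0.0), (0.0, 1000.0)]
HANDSET = (300.0, 400.0)


def measured_toa(towers=TOWERS, handset=HANDSET):
    """Ideal line-of-sight ToA values the network would measure."""
    return [math.dist(tw, handset) / C for tw in towers]


def measured_bearing(tower, handset=HANDSET):
    """Ideal AoA at one tower, as the angle from the tower to the handset."""
    return math.atan2(handset[1] - tower[1], handset[0] - tower[0])


if __name__ == "__main__":
    print("AoA fix:", triangulate(TOWERS[0], measured_bearing(TOWERS[0]),
                                 TOWERS[1], measured_bearing(TOWERS[1])))
    print("ToA fix:", trilaterate(TOWERS, measured_toa()))
```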
Identifiers on mobile devices
Device ID
A unique string of letters and numbers that identifies a device. It's stored on the device and can be used by apps to connect to servers.
Android ID
A unique identifier for a device, user, and app publisher. All apps from the same publisher on the same device will have the same Android ID.
Advertising ID
A unique 64-bit number generated by Google Play services for advertising purposes. It's used by app developers and advertisers to track and target users.
IMEI and serial number
Unique numbers for each phone or tablet that help ensure the device isn't counterfeit and can help find it if it's lost or stolen.
Identifier for Vendor (IDFV)
A unique identifier assigned to an app on a device to distinguish it from other apps on the same device.
Unique Device Identifier (UDID)
A unique identifier for Apple devices running iOS, tvOS, watchOS, and macOS. It's calculated from different hardware values and sent to Apple servers when a user tries to activate the device.
Data Extraction on a Mobile Device
Logical Information:
● Contacts
● SMS Data
● SMS Messages
● Location Data
● Call Log Data
● Calendar Information
● Picture Files
● Video Files
● Email Messages
● Web History
● Application Data
Physical Information:
● Contacts (+deleted)
● SMS Messages (+deleted)
● MMS Messages (+deleted)
● Call Log Data (+deleted)
● Calendar Information
● Picture Files (+deleted)
● Video Files (+deleted)
● Email Messages (+deleted)
● Web History
● Application Data (+deleted)
● User Accounts
● Passwords
● Searched Items
● Installed Applications and Application Data
● File System
● Unallocated Space or Deleted Space
Data Extraction Types
There are three types of extractions that may be performed on a mobile device:
1. Logical
2. Filesystem
3. Physical
What is a Logical Extraction?
● The forensic tools interact with the operating system of the mobile device using an API.
● There are two kinds of software on a mobile device:
1. OS
2. Applications
● The API (Application Programming Interface) communicates with both kinds of software, i.e. the OS and the apps.
● Extracts most of the live data on the device, e.g. SMS, call logs, MMS, apps without a password.
● Individual items cannot be extracted; the whole class will be extracted. E.g. one can choose to extract SMS data, but all SMS will be collected, not just conversations between specific people or phone numbers.
● In logical extraction only the live data, i.e. the data currently available on the device, will be extracted.
What is a Filesystem Extraction?
● Data is approached through the forensic tools used by the extractor.
● In a file system extraction the access to the data inside a device is direct and without any API, including the database files, system files and logs. File system extraction can examine the file structure, web browsing including history, downloads and logins, usage of apps, their history and chats, etc.
● Deleted data remains intact within the database and is recoverable until the database performs routine maintenance and is cleaned up. E.g. iMessage, SMS, MMS, Calendar and others store their information in database files.
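An added example, not from the slides, of the point just made about deleted rows in app databases: a small SQLite table of SMS-like rows (constructed) is created in a temporary file, one row is deleted, and the raw file bytes are carved for the deleted text. With SQLite's default setting the bytes are still in the page; with the secure_delete pragma on, one form of the clean-up the slide refers to, they are zeroed on delete.

```python
"""Why deleted rows in an app database (SMS, iMessage, calendar ...) remain
recoverable from a file-system extraction until the database is cleaned up.
Added example; the message rows are constructed."""
import os
import re
import sqlite3
import tempfile

# Constructed sample rows; the middle one is the message that gets deleted.
MESSAGES = [
    ("+15550001", "running late, order for me"),
    ("+15550002", "pick up the parcel at the front desk at five"),
    ("+15550003", "see you at the meeting"),
]
DELETED_BODY = MESSAGES[1][1]


def build_and_delete(path, secure_delete):
    """Create the table, insert the rows, then delete one row and close.
    secure_delete=False is SQLite's usual behaviour: the freed cell is only
    unlinked, so its bytes stay in the page until the space is reused or the
    file is rebuilt (VACUUM).  secure_delete=True zeroes the freed bytes."""
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA secure_delete = %s" % ("ON" if secure_delete else "OFF"))
    conn.execute("CREATE TABLE sms (id INTEGER PRIMARY KEY, sender TEXT, body TEXT)")
    conn.executemany("INSERT INTO sms (sender, body) VALUES (?, ?)", MESSAGES)
    conn.commit()
    conn.execute("DELETE FROM sms WHERE sender = ?", (MESSAGES[1][0],))
    conn.commit()
    conn.close()


def carve_strings(raw, min_len=8):
    """Pull printable ASCII runs out of raw file bytes, like the strings tool."""
    return [m.decode("ascii") for m in re.findall(rb"[ -~]{%d,}" % min_len, raw)]


def deleted_text_recoverable(secure_delete):
    """True if the deleted body can still be carved from the database file
    even though a query of the live table no longer returns it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sms.db")
        build_and_delete(path, secure_delete)
        conn = sqlite3.connect(path)
        live = [row[0] for row in conn.execute("SELECT body FROM sms")]
        conn.close()
        assert DELETED_BODY not in live  # the app's own view no longer shows it
        with open(path, "rb") as fh:
            raw = fh.read()
        return any(DELETED_BODY in s for s in carve_strings(raw))


if __name__ == "__main__":
    print("default (no clean-up):", deleted_text_recoverable(False))  # True
    print("after secure_delete:  ", deleted_text_recoverable(True))   # False
```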
What is a Physical Extraction?
● Least supported extraction method, because getting full access to the internal memory of a mobile device is completely dependent upon the operating system and security measures employed by the manufacturer, like Apple and Samsung.
● The OS of Samsung phones is based on an open source system called Android.
● Other OSs, e.g. iOS, Symbian, BlackBerry, Kai OS, Windows Mobile, Sailfish etc., are not open source.
● From iOS 7 onwards, a complete physical extraction of the device is difficult.
● From iOS 11 onwards, the OS is considered completely extraction proof.
● A physical extraction from a mobile device shares the same basic concept as the physical forensic imaging of a computer hard drive.
● It performs a bit-by-bit copy of the entire contents of the memory of a device. This extraction allows for the collection of all live data and also data that has been deleted or is hidden.
● Deleted data can potentially be recovered. This means that data residing outside of the active user data and database files, such as images, videos, installed applications, location information, emails, and more, can be extracted, and deleted versions of these items may be recovered as well.
Methodology used by Forensic Experts
● In logical extraction they use an API.
● For file system extraction and physical extraction they bypass the OS of the device. This is done at a stage just before the OS of the device starts to load. This stage is called the BOOTLOADER.
Bootloader
● Starts up when a device is turned on.
● Is the low-level software on your device that allows the next software on your device, i.e. the OS, to run.
● Without a bootloader your OS will not run and you will not be able to see the Graphical User Interface (GUI) on your mobile.
Forensic Tools
● The forensic experts use their forensic tools to interrupt the normal working of the bootloader.
● In the normal course of working a bootloader prompts the OS to start.
● But the forensic tools used give a command to the bootloader not to start the OS of the device; rather they force their own, different OS to start and fetch the data available on the device.
Data Extraction
● Everything depends upon the comparative penetrating power of the tools employed by the forensic experts and the structure in which the data of the device is kept in the internal memory, i.e. the file structure.
● Even the latest tools are unable to fetch data from some closed source OSs, e.g. iOS, Symbian, BlackBerry.
Characteristics of methods

Process
  Logical Extraction: Retrieves data from the user-accessible areas of the device, often using standard protocols (e.g., USB, Wi-Fi).
  File System Extraction: Creates a snapshot of the entire file system, requiring root/jailbreak access for modern devices.
  Physical Extraction: Accesses the raw storage of the device directly, often bypassing the operating system.

Method of Data Retrieval
  Logical Extraction: Uses the operating system's interface to extract visible data.
  File System Extraction: Copies the entire file system, including system files and hidden files.
  Physical Extraction: Copies raw data directly from the NAND flash storage (physical memory).

Data Retrieved
  Logical Extraction: User-accessible data such as contacts, call logs, text messages, photos, and app data.
  File System Extraction: User data, app data (including caches), system files, and partially deleted files.
  Physical Extraction: All data on the device, including deleted data, unallocated space, and system files.

Tools Used
  Logical Extraction: XRY, Cellebrite UFED, mobile device management software.
  File System Extraction: Oxygen Forensic Detective, UFED Physical Analyzer, EnCase.
  Physical Extraction: Chip-off, JTAG, FTK Imager, Cellebrite Physical Analyzer.

Example Data
  Logical Extraction: Text messages, call logs, photos, contacts, calendar events.
  File System Extraction: App caches, system settings, app databases, and partially deleted data.
  Physical Extraction: All data, including deleted text messages, photos, and unallocated space.
Tools needed in a Mobile Device Investigation.
● Oxygen Forensic Detective
● Cellebrite UFED
● XRY
● CAINE
● SANS SIFT
● HELIX3
Oxygen Forensic Detective
● Oxygen Forensic Detective is capable of extracting data from a number of different platforms, including mobile, IoT, cloud services, drones, media cards, backups and desktop platforms.
● It uses physical methods to bypass device security (such as screen lock) and collects authentication data for a number of different mobile applications.
Cellebrite UFED
● Cellebrite offers a number of commercial digital forensics tools, but its Cellebrite UFED claims to be the industry standard for accessing digital data.
● The main UFED offering focuses on mobile devices, but the general UFED product line targets a range of devices, including drones, SIM and SD cards, GPS, cloud and more. The UFED platform claims to use exclusive methods to maximize data extraction from mobile devices.
XRY
● XRY is a collection of different commercial tools for mobile device forensics. XRY Logical is a suite of tools designed to interface with the mobile device operating system and extract the desired data.
● XRY Physical, on the other hand, uses physical recovery techniques to bypass the operating system, enabling analysis of locked devices.
CAINE
● CAINE (Computer Aided Investigative Environment) is a Linux distro created for digital forensics.
● It offers an environment to integrate existing software tools as software modules in a user-friendly manner. This tool is open-source.
SANS SIFT
● SIFT is another open-source Linux virtual machine that aggregates free digital forensics tools.
● This platform was developed by the SANS Institute and its use is taught in a number of their courses.
HELIX3
● HELIX3 is a live CD-based digital forensic suite created to be used in incident response.
● It comes with many open-source digital forensics tools, including hex editors, data carving and password-cracking tools.
● If you want the free version, you can go for HELIX3 2009R1.