SCI4201 Lecture 10 - Mobile Forensics

The document provides an overview of mobile forensics, detailing the processes for acquiring data from mobile devices, the tools used, and the challenges faced in the field. It emphasizes the importance of mobile forensics in criminal investigations, highlighting the need for proper procedures to protect data integrity during evidence collection. Additionally, it covers various mobile device components, operating systems, and acquisition methods, including logical and physical extraction techniques.

Uploaded by Tony Ndlovu

Digital Forensics

Lecture 10
Mobile Forensics
Objectives
• Explain the basic concepts of mobile
device forensics
• Describe procedures for acquiring data
from cell phones and mobile devices
• Identify Mobile Forensics Tools
• Discuss Mobile Forensics Challenges
Introduction
• Criminals use mobile phones, laptop computers
and network servers in the course of
committing their crimes.
• Mobile phone forensics is the science of
recovering digital evidence from a mobile
phone under forensically sound conditions.
• It includes recovery and analysis of data from
mobile devices’ internal memory, SD cards and
SIM cards.
• Data from GSMA Intelligence (2023) shows that
there were 14.08 million cellular mobile
connections in Zimbabwe at the start of 2023.
Mobile Device Forensics Overview
Cell Phone Forensics Short History
• Originated in Europe and focused on the GSM SIM card. Roaming of devices
across networks and spectrum required ID info on the SIM, which also held
SMS, phonebooks, and last numbers dialled
• Terrorist use of phones as IED detonators increased the demand for mobile
forensics. Mobile device forensics is making a real impact in the war on terror
• Adoption has moved quickly
Mobile Device Forensics Overview
Mobile Device Forensics Today
• Now Used Widely Around the World
– 80% of All Criminal Investigations in Europe Involve Mobile Device Forensics
– 90% of All Criminal Investigations in UK
– 70% in US (estimate and growing)
• Quickly Becoming The Necessary Part of Every Investigation!
Understanding Mobile Device
Forensics
• A search warrant is needed to examine mobile
devices because they can contain so much
information
• Data Protection Act [Section 3, Chapter
11:12]
• Unlawful acquisition of data
The offence is committed when a person unlawfully and intentionally intercepts any
private transmission of computer data to, from or within a computer network, computer
device, database or information system or electromagnetic emissions from a computer or
information system carrying such computer data; overcomes or circumvents any
protective security measure intended to prevent access to data.

The offence is also committed when an individual acquires data within a computer
system or data which is transmitted to or from a computer system. The offence attracts a
fine not exceeding level 14 or imprisonment for a period not exceeding five years or both
a fine and imprisonment.
Mobile Forensics - Cellular Networks
• Mobile switching center (MSC): The switching system for the cellular network
• Base transceiver station (BTS): The part of the cellular network responsible
for communications between the mobile phone and the network switching system
• Home location register (HLR): A database used by the MSC that contains
subscriber data and service information
Mobile Forensics - Cellular Networks
• Subscriber identity module (SIM): A memory chip that stores the International
Mobile Subscriber Identity (IMSI)
• Electronic serial number (ESN): A unique identification number developed by
the U.S. Federal Communications Commission (FCC) to identify cell phones
• Personal unlocking code (PUK): A code used to reset a forgotten PIN
Typical Network Structure
Network Structure
• EIR – Equipment Identity Register: Holds Phone Identity. Can Be Used to Locate Stolen Devices
• MSC – Mobile Switching Center
• BSC – Base Station Control
• BTS – Base Transceiver Station
• HLR – Home Location Register
• VLR – Visitor Location Register
• HLR and VLR Hold User Info Where Records Are Stored. Used Today for Traffic Jam Reporting
(Network diagram: MS with SIM – BTS – BSC – MSC, with HLR, VLR and EIR attached to the MSC)
Inside Mobile Devices
• Hardware components
– Microprocessor, ROM, RAM, a digital signal
processor, a radio module, a microphone and
speaker, hardware interfaces, and an LCD
display
– In the case of a GSM network, a Subscriber
Identity Module (SIM).
• Most phones have a proprietary OS
– Stored in ROM
• Peripheral memory cards used with PDAs:
– Compact Flash (CF), MultiMediaCard (MMC),
Secure Digital (SD)
Inside Mobile Devices
• An International Mobile Equipment Identity (IMEI) number uniquely
identifies the mobile equipment or handset. The initial six or eight
digits of the IMEI are the Type Allocation Code.
• The Type Allocation Code (TAC) identifies the type of wireless device.
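As an added example (not part of the lecture), the following Python splits an IMEI into the TAC, serial number and check digit described above and verifies the check digit. It assumes the standard 15-digit layout (8-digit TAC + 6-digit serial + Luhn check digit) and the 16-digit IMEISV variant (software version instead of a check digit); the IMEI values used in comments and tests are constructed test numbers.

```python
def luhn_check_digit(payload: str) -> int:
    """Luhn check digit for a string of decimal digits (the 14-digit IMEI body)."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:                 # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return (10 - total % 10) % 10


def parse_imei(imei: str) -> dict:
    """Split an IMEI (or IMEISV) into TAC, serial and check digit / software version.

    Dashes and spaces as printed on labels are tolerated; the check digit is
    recomputed so a mistyped IMEI in a report is caught before it is relied on.
    """
    digits = "".join(c for c in imei if c.isdigit())
    if len(digits) == 16:
        # IMEISV: TAC + serial + 2-digit software version number, no Luhn digit.
        return {"tac": digits[:8], "reporting_body": digits[:2],
                "serial": digits[8:14], "svn": digits[14:],
                "check_digit": None, "luhn_valid": None}
    if len(digits) != 15:
        raise ValueError("IMEI needs 15 digits, got %d" % len(digits))
    tac, serial, check = digits[:8], digits[8:14], int(digits[14])
    return {
        "tac": tac,                     # Type Allocation Code: identifies the model
        "reporting_body": tac[:2],      # first two TAC digits: the allocating body
        "serial": serial,               # per-unit serial within that TAC
        "check_digit": check,
        "luhn_valid": luhn_check_digit(digits[:14]) == check,
    }


def same_model(imei_a: str, imei_b: str) -> bool:
    """Two handsets with the same TAC are the same make and model."""
    return parse_imei(imei_a)["tac"] == parse_imei(imei_b)["tac"]


if __name__ == "__main__":
    # Constructed test IMEI: TAC 49015420, serial 323751, check digit 8.
    print(parse_imei("49-015420-323751-8"))
```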
Subscriber identity module (SIM)
cards
• In GSM devices that consist of a microprocessor
and internal memory
• SIM cards come in three sizes
• Portability of information makes SIM cards
versatile
• The SIM card is necessary for the Mobile
Equipment (ME) to work and serves these
additional purposes:
– Identifies the subscriber to the network
– Stores service-related information
– Used to back up the device
SIM Directory
Structure
• The file system for a
SIM card is a
hierarchical structure
– Master File (MF) that
is the root of the file
system
– Dedicated Files
(DFs), which are
basically directories
– Elementary Files
(EFs), where the data
is held
eSIM
• An Embedded SIM is a digital version of the
physical SIM card—identifying your device
virtually to provide network connection.
• The eSIM standard was first released in 2016;
and is beginning to replace physical SIM.
• An eSIM consists of software installed onto an
eUICC (Embedded Universal Integrated Circuit
Card) chip permanently attached to a device.
• If the eSIM is eUICC-compatible, it can be
remotely re-programmed with new SIM
information. Otherwise, the eSIM is programmed
with its ICCID/IMSI and other information at the
time it is manufactured, and cannot be changed.
Mobile Device Operating
Systems - Android
• Android: Linux-based operating system,
completely open source, first released in 2003
– Versions of Android are named after sweets, such
as Version 1.5 Cupcake and Versions 4.1–4.2
Jelly Bean. Versions are similar to each other
– Similar forensic examinations can therefore be
performed on different versions
– A SQLite database is frequently found on
mobile devices.
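Because SQLite databases are where most Android artefacts live, here is an added example (not from the lecture) of querying an SMS store the way a logical extraction tool does. It assumes a simplified version of the `sms` table found in Android's messaging database (`address`, `date` in milliseconds since the Unix epoch, `type` 1 = inbox / 2 = sent, `read` 0/1, `body`); the rows are constructed sample data built in memory.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed test rows (address, date_ms, type, read, body); not real messages.
SAMPLE_ROWS = [
    ("+263771000001", 1672531200000, 1, 1, "Are we still on for tonight?"),
    ("+263771000001", 1672531500000, 2, 1, "Yes, 8pm at the usual place"),
    ("+263772000002", 1672617600000, 1, 0, "Call me back urgently"),
    ("+263772000002", 1672617900000, 1, 0, "Did you get my message?"),
]


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory database with a simplified Android 'sms' table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE sms (_id INTEGER PRIMARY KEY, address TEXT, "
                "date INTEGER, type INTEGER, read INTEGER, body TEXT)")
    con.executemany("INSERT INTO sms (address, date, type, read, body) "
                    "VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    con.commit()
    return con


def ms_to_utc(ms: int) -> str:
    """Android stores timestamps in milliseconds; report them as UTC strings."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def unread_messages(con):
    """Incoming messages the user never opened: document these before anything
    (a tool or a person) marks them read."""
    cur = con.execute("SELECT address, date, body FROM sms "
                      "WHERE type = 1 AND read = 0 ORDER BY date")
    return [(addr, ms_to_utc(date), body) for addr, date, body in cur]


def conversation(con, address):
    """Chronological thread with one number, direction marked IN/OUT."""
    cur = con.execute("SELECT date, type, body FROM sms WHERE address = ? "
                      "ORDER BY date", (address,))
    return [(ms_to_utc(d), "IN" if t == 1 else "OUT", body) for d, t, body in cur]


def contact_summary(con):
    """Per-number totals (all, incoming, unread), the overview a report table carries."""
    cur = con.execute("SELECT address, COUNT(*), SUM(type = 1), SUM(read = 0) "
                      "FROM sms GROUP BY address ORDER BY COUNT(*) DESC")
    return [dict(address=a, total=n, incoming=i, unread=u) for a, n, i, u in cur]


if __name__ == "__main__":
    db = build_sample_db()
    for row in unread_messages(db):
        print("UNREAD", row)
```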
Mobile Device Operating Systems - iOS
• Derived from OS X
• Interface based on touch and gestures
• In normal operations, iOS uses HFS+ file system
• Can use FAT32 when communicating with a PC
• Four layers:
– Core OS layer: The heart of the operating
system
– Core Services layer: Where applications interact
with the iOS
– Media layer: Is responsible for music, video, and
so on
– Cocoa Touch layer: Responds to gestures
Mobile Device Operating
Systems - iOS
• Contains several elements in data
partition:
– Calendar entries
– Contacts entries
– Note entries
– iPod_control directory (hidden)
– iTunes configuration
– iTunes music
• iPod_control\device\sysinfo folder contains
model number and serial number
Acquisition Procedures for Cell
Phones and Mobile Devices
• The main concerns with mobile devices are loss
of power, synchronization with cloud services,
and remote wiping
• All mobile devices have volatile memory
– Making sure they don’t lose power before you
can retrieve RAM data is critical
• Mobile device attached to a PC via a USB cable
should be disconnected from the PC
immediately
– Helps prevent synchronization that might
occur automatically and overwrite data
Acquisition Procedures for Cell
Phones and Mobile Devices (Cont.)
• Depending on the warrant or subpoena,
– the time of seizure might be relevant
– Messages might be received after seizure
• Isolate the device from incoming signals with one of the
following options:
– Place the device in airplane mode
– Place the device in a paint can
– Use a container such as an MFI shield cloth or the Paraben
Wireless StrongHold Bag
– Turn the device off
• The drawback of using these isolating options:
– The mobile device is put into roaming mode, which
accelerates battery drainage
RF Protection – Required To Protect Device From The Network.
Faraday Box and Bag
RF Protection – Today Relying on Faraday Bags or Getting Devices in
Airplane Mode Immediately and Keeping Them Charged.
Acquisition Procedures for Cell
Phones and Mobile Devices (Cont.)
• SANS DFIR Forensics recommends:
– If device is on and unlocked - isolate it from
the network, disable the screen lock, remove
passcode
– If device is on and locked - what you can do
varies depending on the type of device
– If device is off - attempt a physical static
acquisition and turn the device on
• Check these areas in the forensics lab:
– Internal memory
– SIM card
– Removable or external memory cards
– Network provider
Acquisition Procedures for Cell
Phones and Mobile Devices (Cont.)
• Checking network provider requires a
search warrant or subpoena
• Due to the growing problem of mobile
devices being stolen, service providers
have started using remote wiping to
remove a user’s personal information
stored on a stolen device
Mobile Device Forensics Acquisition
What Can Be Pulled from the Device
From Today’s iPhone / iPod / iPad
• Getting Image of iPhone and Analyzing for Data.
• Logical Tools Getting Contacts, Call logs, SMS, MMS,
Pics – Much more.
• Facebook Contacts, Skype, YouTube data
• Myspace Username and Passwords
• Location from GPS, Cell Towers and Wi-Fi networks
Mobile Device Forensics Acquisition
What Can Be Pulled from the Device
From Today’s Android Device
• Logical Tools Acquiring Call Logs, Pics,
Phonebooks
• SIMs on many Androids Providing Last Numbers
Dialled and SMS messages
• Physical Access improving. Practitioners Rooting
Device to Obtain More Data – Parsing Required.
• Most actively pursued device by mobile forensic
tool players.
Mobile Device Forensics Overview
Beyond the Device - Essential Areas of
Mobile Device Forensics Investigations:
Call Data Records
• Call Data Records Show Call History - Incoming, Outgoing,
SMS Info Sent and Received – Not Data – Unless Very Soon
After Event
• Data is Not Kept Long! Only History.
• Texting During Driving – Used to Show What Caused
Accidents.
• Tower Information As To Where Calls Originated or Received.
• Most Data Relative to What The Network Bills Us For
Mobile Device Forensics Overview
Other Data Available For Investigators
Call Data Records “CDR”
Data Acquired From Call Data Records
• Number Called and Received
• Switch Center / Server Identification (2G/3G Network Interface)
• Call Type for Billing Purposes (Day/Night + Weekend)
• Length of Call
• Start and Stop Time
• Location Area Code (LAC)
• Cell Identity – Start CI and Finish CI
Can Also Include:
• Tower Location Name and GPS Coordinates
• Voicemail Call Number
• SMS Service Center Number… and more
Mobile Device Forensics Overview
Start with the SIM on GSM Phones
FROM GSM and iDEN Phone SIM Cards (Partial List):
• IMSI: International Mobile Subscriber Identity
• ICCID: Integrated Circuit Card Identification (SIM Serial No.)
• MSISDN: Mobile Station Integrated Services Digital Network (phone number)
• Network Information
• LND: Last Number Dialled (sometimes, not always, depends on the phone)
• ADN: Abbreviated Dialled Numbers (Phonebook)
• SMS: Text Messages, Sent, Received, Deleted, Originating Number, Service Center (also
depends on phone)
• SMS Service Center Info; GPRS Service Center Info
• Location Information: The GSM channel (BCCH) and Location Area Code (LAC) when the
phone was last used.
* When the SIM is locked it cannot be cracked without network operator assistance.
Not on SIM, but Exclusive To GSM Devices
• IMEI: International Mobile Equipment Identity. To find the IMEI,
type *#06#. The IMEI is on the device and registers with the network, along with the IMSI.
IMSI + IMEI + MSISDN give the most detailed identity information about a user.

A PIN-locked SIM is not accessible without the PIN – requires the PUK from the carrier
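The SIM directory structure (MF/DF/EF) and the IMSI and ICCID listed above are tied together in this added example, which is not part of the lecture: it resolves an elementary file's path through the hierarchy and decodes the two identifiers from the raw bytes a SIM card reader returns. It assumes the GSM 11.11 file identifiers and the swapped-nibble BCD layout of EF_IMSI and EF_ICCID; the sample file contents are constructed test values, not data from a real card.

```python
# SIM directory structure: MF root -> DFs (directories) -> EFs (data).
# File identifiers are the GSM 11.11 values (assumed; the slide lists none).
SIM_FILES = {
    "MF": {"fid": "3F00", "children": {
        "EF_ICCID": {"fid": "2FE2", "children": {}},      # card serial number
        "DF_GSM": {"fid": "7F20", "children": {
            "EF_IMSI": {"fid": "6F07", "children": {}},   # subscriber identity
            "EF_LOCI": {"fid": "6F7E", "children": {}},   # last location info
        }},
        "DF_TELECOM": {"fid": "7F10", "children": {
            "EF_ADN": {"fid": "6F3A", "children": {}},    # phonebook (ADN)
            "EF_SMS": {"fid": "6F3C", "children": {}},    # stored SMS
        }},
    }},
}


def file_path(name, tree=SIM_FILES, prefix=()):
    """Chain of file identifiers from the MF down to the named file, or None."""
    for node_name, node in tree.items():
        path = prefix + (node["fid"],)
        if node_name == name:
            return "/".join(path)
        found = file_path(name, node["children"], path)
        if found:
            return found
    return None


def swapped_bcd_digits(raw):
    """Decode swapped-nibble BCD: low nibble first, then high; 0xF ends the number."""
    digits = []
    for b in raw:
        for nib in (b & 0x0F, b >> 4):
            if nib == 0x0F:
                return "".join(digits)
            digits.append(str(nib))
    return "".join(digits)


def decode_iccid(ef_iccid):
    """EF_ICCID holds 10 bytes of swapped BCD, F-padded when under 20 digits."""
    return swapped_bcd_digits(ef_iccid[:10])


def decode_imsi(ef_imsi):
    """EF_IMSI: byte 0 = length; byte 1 low nibble = parity/type flags and
    high nibble = first digit; the remaining bytes are swapped BCD."""
    length = ef_imsi[0]
    body = ef_imsi[1:1 + length]
    first = str(body[0] >> 4)
    odd = bool(body[0] & 0x08)                  # parity bit set: odd digit count
    digit_count = 2 * length - 1 if odd else 2 * length - 2
    return (first + swapped_bcd_digits(body[1:]))[:digit_count]


# Constructed sample EF contents (test values, not read from a real card).
SAMPLE_EF_ICCID = bytes.fromhex("981062103254769810F2")   # ICCID 8901260123456789012
SAMPLE_EF_IMSI = bytes.fromhex("080910101032547698")      # IMSI 001010123456789
```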
Data Capture Options
• Screen Captures: The simplest way. Use a camera to take pictures of
what’s on the screen. Reporting tools available. Sometimes this is the
only way.

• Logical Analysis: Extracting the data on the device that you see and
can access on the device. No deleted information with this method. Call
logs, phone books, SMS messages, pictures, email, browsing etc. The
“active” information on the device can be extracted using a “Logical”
extraction tool. This is the standard method today. Plenty of tools and
easy to use.
• Physical Analysis: The practice of extracting data from the physical
memory of the device, and removable memory. Like PC forensics, you
are getting the raw binary / hex data. Requires decoding and
understanding of language and techniques used by device
manufacturers. Physical analysis is the way to deleted information, but it
is difficult and sparsely supported. Only a few tools. Mostly Nokia
supported. Early days of the new standard.
• Chip Level Analysis: Analysis of the chips in the phone by removing
them from the device and probing for data, or rebuilding another phone.
Extremely technical. Broken SIMs analyzed this way.
Cell Site Analysis
Other Data Available For Investigators - Cell Site Analysis
What Is It?
The Analysis of a Mobile Network’s Radio Signal Coverage Relative to Its Users
How Is It Useful?
Cell Site Analysis Shows the Real Coverage of the Network’s Signal – Used In
Conjunction with Network Call Data Records to Prove / Disprove a User's
Location on the Network.
Gives Examiners the “Real Picture” Of the Network Coverage.
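To show how the CDR fields listed earlier (number called, switch, call type, start/stop time, LAC, start and finish CI) are joined with tower locations in cell site analysis, here is an added example that is not part of the lecture. The CSV layout and the tower table are constructed sample data and do not follow any operator's real export format.

```python
import csv
from datetime import datetime
from io import StringIO

# Constructed CDR export (not real operator data) with the fields the slide lists.
SAMPLE_CDR = """\
other_party,switch,call_type,start,stop,lac,start_ci,finish_ci
263772000002,MSC01,DAY,2023-03-01 08:02:10,2023-03-01 08:05:40,1201,30411,30411
263773000003,MSC01,DAY,2023-03-01 08:31:05,2023-03-01 08:33:00,1201,30411,30417
263772000002,MSC02,DAY,2023-03-01 09:10:00,2023-03-01 09:22:15,1305,41022,41022
"""

# Constructed tower table: (LAC, CI) -> site name, latitude, longitude.
TOWERS = {
    (1201, 30411): ("Site A", -17.8250, 31.0500),
    (1201, 30417): ("Site B", -17.8290, 31.0600),
    (1305, 41022): ("Site C", -18.0100, 31.0750),
}
FMT = "%Y-%m-%d %H:%M:%S"


def parse_cdrs(text):
    """Parse CSV CDR lines into typed records, sorted by start time."""
    rows = []
    for r in csv.DictReader(StringIO(text)):
        start = datetime.strptime(r["start"], FMT)
        stop = datetime.strptime(r["stop"], FMT)
        rows.append({
            "other_party": r["other_party"],
            "switch": r["switch"],
            "call_type": r["call_type"],
            "start": start,
            "duration_s": int((stop - start).total_seconds()),
            "lac": int(r["lac"]),
            "start_ci": int(r["start_ci"]),
            "finish_ci": int(r["finish_ci"]),
        })
    return sorted(rows, key=lambda r: r["start"])


def cell_timeline(records):
    """(time, site, lat, lon) per cell used; a handover adds a second point."""
    points = []
    for r in records:
        for ci in dict.fromkeys((r["start_ci"], r["finish_ci"])):  # dedupe, keep order
            site = TOWERS.get((r["lac"], ci))
            if site is None:  # cell not in the tower table: flag it, never guess
                site = ("unknown LAC %d CI %d" % (r["lac"], ci), None, None)
            points.append((r["start"].strftime(FMT),) + site)
    return points


def handovers(records):
    """Calls that started and finished on different cells: movement during the call."""
    return [(r["start"].strftime(FMT), r["start_ci"], r["finish_ci"])
            for r in records if r["start_ci"] != r["finish_ci"]]


if __name__ == "__main__":
    for point in cell_timeline(parse_cdrs(SAMPLE_CDR)):
        print(point)
```

The timeline only places the handset within a cell's coverage area; the lecture's point is that CDRs must be read together with measured coverage before any location claim is made.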
Standard Operating Procedures
• Containing a cell phone should be a careful but
expeditious process. According to the U.S. Department
of Justice (NIJ) guidelines, investigators should follow
these steps:
– Securing and evaluating the scene: Steps should be taken to ensure
the safety of individuals and to identify and protect the integrity of
potential evidence.
– Documenting the scene: Investigators should create a permanent
record of the scene, accurately recording both digital-related and
conventional evidence.
– Evidence collection: Traditional and digital evidence should be
collected in a manner that preserves its evidentiary value.
– Packaging, transportation, and storage: Investigators should take
adequate precautions when packaging, transporting, and storing
evidence to maintain the chain of custody.
Retrieve Evidence from a
Smartphone
• Information that can be retrieved falls into
four categories:
– Service-related data, such as identifiers for
the SIM card and the subscriber
– Call data, such as numbers dialed
– Message information
– Location information
• If power has been lost, PINs or other
access codes might be required to view
files
Mobile Forensics Acquisition
• Mobile forensics is an evolving science
• Biggest challenge is dealing with constantly
changing phone models
• Procedures for working with mobile forensics
software:
– Identify the mobile device
– Make sure you have installed the mobile
device forensics software
– Attach the phone to power and connect
cables
– Start the forensics software and download
information
Acquisition Methods
• NIST guidelines list six types of mobile
forensics methods:
– Manual extraction
– Logical extraction
– Hex dumping and Joint Test Action Group
(JTAG) extraction
– Chip-off
– Micro read
Logical Acquisition
“Logical” Acquisition Pulls the “Active” Data off the device… Basically,
anything you can see or access using the keypad.
Static Acquisition
Today’s Top Tools: XRY Physical and UFED Physical
“Physical” Acquisition Accesses the Internal Memory and Pulls the Raw Data
from the Memory. Formats and Storage Differ From Manufacturer to
Manufacturer.
Seizing Evidence from an iPhone
• iPhone has four-digit pin
– Use automated process to break, e.g., XRY
• If forensic workstation has iTunes:
– Plug iPhone into the workstation, and use
iTunes to extract device information
Information from an iPhone device
image
• Library_CallHistory_call_history.db
– Contains entire call history
• Library_Cookies_Cookies.plist
– Contains cookies (history of the user’s Internet
activities)
• Library_Preferences_com.apple.mobileemail.plist
– Information about e-mail sent and received from the
phone
• Library_Preferences_com.apple.mobilevpn.plist
– Indicates if user used device to communicate
over a VPN
• Deleted files are in .Trashes\501
Mobile Forensics Tools
• Mobile phone forensics tools
– Android: AccessData FTK Imager
– iOS: MacLockPick 3.0
• Paraben Software offers several tools:
– Device Seizure - used to acquire data from a
variety of phone models
– Device Seizure Toolbox - contains assorted
cables, a SIM card reader, and other
equipment
• BitPim – Can view data on many CDMA phones
• Cellebrite UFED Forensic System - works on
smartphones, PDAs, tablets, and GPS devices
• MOBILedit Forensic - contains a built-in write-
blocker
Mobile Forensics Tools (Cont.)
• SIMcon used to recover files on a GSM/3G SIM
or USIM card and includes the following
features:
– Reads files on SIM cards
– Analyzes file content
– Recovers deleted text messages
– Manages PIN codes
– Generates reports that can be used as evidence
– Archives files with MD5 and SHA-1 hash values
– Exports data to files that can be used in spreadsheets
– Supports international character sets
Mobile Forensics Tools
Android Devices
• Autopsy – Android Module
• WhatsApp Extract – wa.db and msgstore.db
• Scalpel
• SQLite Browser
• Hex Editor
• Anything capable of mounting EXT
• FTK Imager
• Customized scripts
• Manual examination
iOS Devices
• iPhone Backup Analyzer
• iExplorer
• iBackupBot
• Scalpel
• SQLite Browser
• Plist Editor
• WhatsApp Extract – Contacts.sqlite and ChatStorage.sqlite
• Manual examination
• Customized scripts
Mobile Forensics Tools
Commercial tools are expensive
• They still miss data
• They don’t parse third party applications
completely
• They omit relevant databases when
extracting data
• They don’t support all devices
SIM Card Readers
• A combination hardware/software device used to
access the SIM card
• Used in a forensics lab equipped with
appropriate antistatic devices
• General procedure is as follows:
– Remove the back panel of the device
– Remove the battery
– Remove the SIM card from holder
– Insert the SIM card into the card reader
• Documenting messages that haven’t been read
yet is critical
SIM ID Cloning
• Cloning SIM Card – Reinsertion of Cloned SIM Card with No Network
Connection Ability.
• Tricks Phone Into Thinking Proper SIM is In. No Data Loss.
• Best Option When Phone is Dead or no PIN is Set.
Physical Acquisition – Flasher Boxes
Used Primarily For “Unlocking” Phones from the Network – Many have
ability to dump raw data, and have been adopted by digital examiners for
acquiring and validating data.
Physical Acquisition – Flasher Boxes
Interfaces Are Complicated – Not Made For Forensics. Require Proper Education
Risk of Destroying Phone! Proceed With Extreme Caution!
Mobile Forensics Tools in Action
• Cellebrite is often used by law
enforcement
– You can determine the device’s make and
model, hook up the correct cable, turn the
device on, and retrieve the data
– There are more than half a million apps for
mobile devices and Cellebrite can analyze
data from only a few hundred
Cellebrite Mobile Forensics
Android File System
SMS outgoing text messages
Mobile Device Forensics Challenges
• Many mobile forensics tools are available
– Most aren’t free
• Methods and techniques for acquiring
evidence will change as market continues
to expand and mature
• Subscribe to user groups and professional
organizations to stay abreast of what’s
happening in the industry
Mobile Device Forensics Challenges
• The number of devices that connect to the
Internet is higher than the number of people
– That number is expected to grow even larger as more
devices are being developed to attach to the Internet
• Internet of Things (IoT) and wearable
computers will pose many new challenges for
investigators
Mobile Device Forensics Challenges
• Proprietary operating systems
• Differing firmware implementations
• Changing network communication protocols
• Evolving data storage methods
• Lack of knowledge about hardware, operating
systems and file systems of mobile devices
• Mobile forensics investigation requires
specialized skills beyond normal digital forensics
Thank You!