
Mobile Forensics

Omveer Singh, GCFA


Additional Director / Scientist E

Cyber Forensics Lab
Indian Computer Emergency Response Team (CERT-In)
Department of Information Technology
Ministry of Communications & Information Technology
Government of India
New Delhi
23/03/2012 CERT-India 1

Agenda
Mobile Phone Basics
Seizure of Mobile Phone
Mobile Phone Data Acquisition
Mobile Forensic Toolkits / Equipment
Forensic Analysis of Digital Evidence from Mobile Phones
References

On-line Transactions by mobile phones


On-line shopping
Mobile banking
Stock trading
Flight reservations, confirmations and check-in
Hotel reservations & confirmations

Mobile Phone Investigation for?



User's name & address
Deleted messages
Affairs
Deleted call records
Contacts
Employee dishonesty
Frauds
Theft
Locked phones

Inside a Mobile Phone


Hardware
CPU, flash memory, digital signal processor, radio module, microphone and speaker, data communication interfaces, keyboard, LCD display
SIM card
Battery (rechargeable)
Operating system (OS) as firmware
Basic / feature phones: proprietary OS
Smart phones: OS just like PCs

Mobile Phone Features


Call history
Address book
Calendar / organiser
Digicam
Audio, video, music
E-mail
Internet
Data storage
Bluetooth / infrared
USB
Short Messaging Service (SMS)
Multimedia Messaging Service (MMS)

Data is searched for in the following locations of a mobile phone:

Phone memory
SIM cards
External memory cards

Data Stored in Mobile Phone Memory



Phone settings
IMEI (GSM) / ESN (CDMA)
Calendar information
SMS / MMS
Phonebook contacts
Call logs
Date & time
Ring tones
Applications

Data Stored in SIM Cards


IMSI (International Mobile Subscriber Identity)
The SIM card's globally unique identifier (GSM/UMTS); a 15-digit number
It identifies the user's network / mobile service provider
Language settings
Currency information (from call charge counters)
Most recent location of the mobile phone
Phonebook contacts
SMS: sent and received
Call logs: dialled / received / missed
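The IMSI is read from the SIM's hierarchical file system (MF, DF_GSM, then the elementary file EF_IMSI) through a SIM card reader. As an added example, not from the slides, the following decodes the raw 9-byte EF_IMSI record as specified in GSM 11.11 / 3GPP TS 31.102 (swapped BCD nibbles with a parity flag) and splits the result into MCC / MNC / MSIN; the sample record, the 2-digit MNC length and the function names are my assumptions.

```python
# Added example (not from the original slides): decode the raw contents of the
# SIM file EF_IMSI (file id 6F07 under DF_GSM 7F20) and split the IMSI into its
# MCC / MNC / MSIN parts. The 9-byte sample record is constructed, not read
# from a real SIM.

def decode_ef_imsi(raw: bytes) -> str:
    """Return the IMSI digits encoded in an EF_IMSI record.

    Layout: byte 0 = number of following bytes (8); byte 1 holds the parity
    flag (bit 4 set = odd digit count) in its low nibble and digit 1 in its
    high nibble; each later byte holds two digits, low nibble first (swapped
    BCD). Unused nibbles are padded with 0xF.
    """
    if len(raw) != 9 or raw[0] != 8:
        raise ValueError("EF_IMSI record must be 9 bytes with a length byte of 8")
    digits = [raw[1] >> 4]
    for b in raw[2:]:
        digits.append(b & 0x0F)
        digits.append(b >> 4)
    imsi = "".join(str(d) for d in digits if d != 0x0F)
    odd_flag = (raw[1] >> 3) & 1
    if odd_flag != len(imsi) % 2:
        raise ValueError("parity flag does not match digit count")
    if not 6 <= len(imsi) <= 15:
        raise ValueError("IMSI length out of range")
    return imsi

def split_imsi(imsi: str, mnc_len: int = 2) -> dict:
    """Split an IMSI into MCC (always 3 digits), MNC and MSIN.

    The MNC is 2 or 3 digits depending on the country; the default of 2 is an
    assumption (it holds for Indian networks). SIMs that provide EF_AD carry
    the real MNC length in its 4th byte.
    """
    if mnc_len not in (2, 3):
        raise ValueError("MNC length must be 2 or 3")
    return {"mcc": imsi[:3], "mnc": imsi[3:3 + mnc_len], "msin": imsi[3 + mnc_len:]}

# Constructed sample record for IMSI 404101234567890 (MCC 404 = India; the
# MNC and MSIN are made up, not a real subscriber).
SAMPLE_EF_IMSI = bytes.fromhex("08 49 40 01 21 43 65 87 09")

if __name__ == "__main__":
    imsi = decode_ef_imsi(SAMPLE_EF_IMSI)
    print(imsi, split_imsi(imsi))
```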

SIM Card
Used most commonly in GSM devices / phones; now in CDMA too (called R-UIM card)
Smart card; size: Standard (credit card), Mini (mostly used now), Micro (smart phones, iPhone, etc.)
Flash memory: 16 KB to 4 MB
Contains subscriber information, as stored by the service provider
Can be transferred from one phone to another (if not locked)
May contain address book, call history and text messages (SMS)

Mini SIM Card & Micro SIM Card


Data Stored in Removable Memory Cards


Images (photos; .jpg)
Video files (.mp4)
Audio files (.mp3)

Removable Memory Cards


Peripheral memory cards are used with PDAs:
MicroSD
Secure Digital (SD)
Compact Flash (CF)
Multi-Media Card (MMC)
MemoryStick
MemoryStick Duo
MemoryStick Pro Duo
XD

Extended Memory Cards (contd)


Memory Cards
Increasingly common in new handsets, digicams
PC-compatible FAT file system widely adopted
May contain pictures, movies, .mp3, .mp4, etc.
Deleted data retrievable with established computer forensic techniques and tools like Foremost, Scalpel, PhotoRec, XACT, EnCase or FTK

Mobile Phones: Guidelines & Precautions


Main concerns with mobile phones are loss of power and synchronization with PCs
All mobile phones have volatile memory
Make sure they don't lose power before critical RAM data is retrieved
Suspected mobile phones, if connected to a PC (via cable, Bluetooth, or infrared), should be disconnected from the PC immediately
Depending on the warrant, the time & date of seizure must be relevant

Mobile Phones: Guidelines & Precautions (contd)


Calls & SMSs received after the seizure date & time may not be admissible in court; however, they could still be crucial evidence
A new call / SMS received pushes the oldest call / SMS details out of the phone logs
So the current state of the mobile phone is maintained by isolating the device from the MSP's mobile tower

Mobile Phones: Guidelines & Precautions (contd)


The mobile phone is isolated from incoming calls / SMS by one of the following:
Place the device into a Faraday bag (shielded from electromagnetic / radio waves)
Wrap the device in thick or a few layers of aluminium foil to block the radio signal
Change the mobile's profile to Flight mode (no radio link)

Mobile Phones: Guidelines & Precautions (contd)


The drawback of using any of these isolating options is that the mobile phone is put into network-searching mode and does not go to standby mode, which accelerates battery drainage
If the mobile is switched off due to the battery draining out, PINs or other access codes may be required to retrieve data

Mobile Phones
Basic Mobile Phones
Nokia, Samsung, LG, Sony Ericsson

Smart Phones
Blackberry, iPhone (Apple), Galaxy (Samsung)

Chinese Mobile Phones


Many, not a standard product
Not from any well-known manufacturer
Support / literature providing hardware & OS software design details is not available from the manufacturers

Mobile Forensics Investigation Toolkit


Mobile forensic workstation (laptop)
Read-only cables (DataPilot Secure View)
USB SIM card reader (for GSM)
Digital video camera with desktop tripod
Faraday bag
Jammer (10 m radius)
MOBILedit! Forensic (mobile forensic software; GSM, CDMA)
BitPim (mobile forensic software; CDMA)

Mobile Phones Forensics Investigation Process


1. Seizure

2. Isolation
3. Acquisition

4. Examination / Analysis
5. Documentation


Seizure of Mobile Phones


Legal authority to:
Seize the device
Examine / analyse the device & its contents
Search the site (warrant)
Other formalities:
Evidence seizure note
Witnesses to sign

What to Seize?
Communication equipment (mobile phone)
Power adapter
Accessories
Communication cable
Hands-free audio set (if necessary)
Desktop / laptop PC to which the mobile phone is usually connected, if any

Documentation during Seizing


Photograph the phone, showing time setting, state (on/off; connected/disconnected from network), characteristics
Mobile applications installed / running?
Document all the actions in the log book with date & time, chronologically

Isolation of the Mobile Phone from remote access & network; Why?
The user can alter, change, delete or wipe the phone's data remotely using Bluetooth or infrared connectivity, or by calling it from another phone
If the phone remains connected to the network, new calls & SMS will replace the oldest ones (new in, oldest out)

Isolation of Mobile Phone


Faraday bag
RF-shielded box / room
Cellphone jammers (if legal)
Achieve & maintain the isolation

Extracting Data from Mobile Phones


It is important to extract data from a mobile phone without any change to the phone memory
All analysis must be done in an environment shielded from radio waves

Basic Evidence
Phone data
MSISDN, make, model, IMEI, SIM no., IMSI

Call registers and SMS
Numbers dialled (handset)
Calls received
Missed calls
Phone book
Text messages stored on handset

Data Available from Phone Memory


Phone identity
Speed-dial numbers
Text messages (SMS)
Phone settings
Stored audio recordings
Calendar
Images, video from camera or MMS
Stored computer files
Call history
Stored applications
Internet settings
E-mail

Wealth of Information Stored in Mobile Phones


Call history
SMS & MMS
E-mail addresses
PINs of ATM, debit, credit cards
Pictures, photographs
Personal calendars, date of birth
Address / contact info
Music / voice / video recordings
Net banking details
A/c nos. (bank, stock)
User IDs & passwords

Acquisition of Phones Data


Logical (phone's file system)
Physical (flash)
Manual (using the phone's user interface)
External memory (flash memory cards)
Internal memory (flash)

Interface with Mobile Forensic Workstation for Data Acquisition


Wired Connection (best)
Serial, USB

Wireless connection
Infrared, bluetooth


General Procedure for Data Acquisition from a Mobile Phone


1. Identify the cell phone / mobile device
2. Install all related software on the forensic workstation
3. Attach the device to the power supply & connect cables
4. Start the forensics program and download the available information

Logical Acquisitions & Memory Cards


Logical tools can recover live data from memory cards within handsets
But the phone never provides deleted files during a logical acquisition
The memory card should be accessed directly to retrieve deleted data
How to pull back deleted files from FAT? Use a computer forensic toolkit
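The computer forensic toolkits named for memory cards (Foremost, Scalpel, PhotoRec) recover deleted pictures by file carving: scanning a bit-for-bit image of the card for file headers and footers without consulting the FAT directory, so a deleted file whose clusters are not yet overwritten is found like a live one. The following is an added example of that technique for JPEG files, not code from the slides or from any of those tools; the card image, cluster size and function names are constructed for illustration.

```python
# Added example, not from the original slides: a minimal header/footer file
# carver for JPEG images over a raw (bit-for-bit) memory card image. Carving
# ignores the file system, which is why it also finds deleted files.

JPEG_SOI = b"\xff\xd8\xff"   # start-of-image marker plus the next marker's 0xFF
JPEG_EOI = b"\xff\xd9"       # end-of-image marker

def carve_jpegs(image: bytes, max_size: int = 8 * 1024 * 1024) -> list:
    """Return (offset, data) for every JPEG-like run in a raw image.

    A hit is a SOI marker followed, within max_size bytes, by an EOI marker.
    Real tools add sanity checks (JFIF/Exif segment after SOI) and handle
    embedded Exif thumbnails, whose own EOI makes a naive carver stop early;
    both are left out here to keep the core algorithm visible.
    """
    found = []
    pos = 0
    while True:
        start = image.find(JPEG_SOI, pos)
        if start < 0:
            break
        end = image.find(JPEG_EOI, start + len(JPEG_SOI), start + max_size)
        if end < 0:
            pos = start + 1          # header without a footer: keep scanning
            continue
        end += len(JPEG_EOI)
        found.append((start, image[start:end]))
        pos = end
    return found

def fake_jpeg(payload: bytes) -> bytes:
    """Constructed stand-in for a JPEG: SOI, APP0 marker byte, body, EOI."""
    return JPEG_SOI + b"\xe0" + payload + JPEG_EOI

def build_sample_card_image() -> bytes:
    """Constructed FAT card image (512-byte clusters): a boot sector, one live
    photo, some slack, then a photo whose directory entry would be deleted."""
    cluster = 512
    live = fake_jpeg(b"LIVE-PHOTO" * 20)
    deleted = fake_jpeg(b"DELETED-PHOTO" * 20)
    pad = lambda b: b + b"\x00" * (-len(b) % cluster)
    return pad(b"FAT-BOOT-SECTOR") + pad(live) + pad(b"\xffslack") + pad(deleted)

if __name__ == "__main__":
    for off, data in carve_jpegs(build_sample_card_image()):
        print(f"JPEG at offset {off} ({len(data)} bytes)")
```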

If SIM Card is in the phone, then


Remove it & read it through a SIM card reader
Image the SIM card
Clone the SIM card
Install the cloned SIM card in the seized phone and do a logical extraction of the phone's data through a tool
Log all the information as available in the log book
Use photography to support the documentation

Cloning of the SIM Card


Most mobile forensic equipment provides this facility
Useful in extracting data from a mobile phone:
Isolates the phone from the mobile networks
PIN-protected phones
Mobile phones without a SIM card

If seized phone is without SIM card, then


Extract the phone's data through logical extraction using a tool and examine it
If required, a dummy cloned SIM card may be installed (it does not have any data)

Physical Extraction
Bit-by-bit copy of the entire physical flash memory
Phone's file system, firmware, unallocated data
Costly & time consuming
If the mobile forensic tool supports the make & model of the mobile phone and it can be interfaced / connected with the mobile forensic workstation, then carry out the physical extraction of the phone's data
Examine / analyse the parsed data from the physical extraction
Carve out files (images, media, text) from the raw data

Tools for Physical Extraction


UFED Physical Pro (Cellebrite)
XRY
Oxygen Forensic Suite 2011 v.3.5
Mobile Phone Examiner Plus (MPE+; AccessData)
Supports 3500+ phones
Image acquisition, physical & logical, for:
iPhone, iPad, iPod Touch
Android, Windows Mobile, Blackberry devices

Physical Evidence from a Mobile


User's DNA
Loose cheek cells on microphone
Skin flakes near buttons, earpiece
User fingerprints from mobile body / cover / screen
SIM card

Mobile Phones: Investigation


Examine these areas in the forensics lab:
Internal memory
SIM card
Removable or external memory cards
PC system to which the phone is usually connected

Examining a PC system requires the user's written consent / a search warrant
SIM cards have a hierarchical file system

Mobile Phones: Investigation


Information that can be retrieved:
Service-related data, such as identifiers for the SIM card and the subscriber
Call data, such as numbers dialled
Message information
Location information

Mobile Phone Forensics


People store a wealth of information on cell phones
But people never think about securing their cell phones

Investigating cell phones and mobile devices is one of the most challenging tasks in digital forensics


Mobile Phone Forensics: Problems


No accepted standards to acquire and store data in mobile devices until today
Various hardware and software designs
Many models from each of the manufacturers, but all distinct

Different network technologies in use:
CDMA (Code Division Multiple Access)
GSM (Global System for Mobile communication)
3G (UMTS)

Mobile Phone Forensics: Problems (contd)

Mobile phone forensics is more complex than computer forensics
Difficulties with data preservation for mobile phones
Wide variety of cables and connectors
Battery-based mobile digital device; power adapters for charging
Unique file system

Mobile Phone Forensics Equipment


Mobile phone forensics is a new science
Biggest challenge is dealing with constantly changing models of cellphones
When you're acquiring evidence, generally you're performing two tasks:
Connecting the phone to a PC (to download data)
Reading the SIM card

Mobile Phone Forensics Equipment (contd)

Make sure you have installed the mobile phone forensic tool on your forensic workstation
Attach the phone to its power supply and connect it through the correct cable
After you've connected the phone, start the mobile phone forensic tool and begin downloading the available information

Mobile Phone Forensics Equipment (contd)

SIM card readers
A combination of a hardware & software device is used to access the SIM card
You should be in a forensics lab equipped with appropriate antistatic devices
General procedure is as follows:
Remove the back panel of the device
Remove the battery
Under the battery, remove the SIM card from its holder
Insert the SIM card into the card reader

USB SIM Card Reader


Mobile Forensics Equipment (contd)

SIM card readers (continued)
A variety of SIM card readers are in the market
Some are forensically sound and some are not
Documenting the messages that are yet to be read is critical
Use a tool that takes pictures of each screen

Mobile forensics tools
Device Seizure Toolbox (Paraben)
BitPim (CDMA, freeware)

Mobile Phone Forensics Equipment (contd)

Mobile forensics tools (continued)
MOBILedit!
SIMCon
Software tools differ in the items they display and the level of detail they capture or recover

Five Levels of Mobile Phone Analysis


1. Manual Analysis
2. Logical Analysis
3. Physical Analysis: Hex Dump
4. Physical Analysis: Memory Read
5. Physical Analysis: Micro Read
Going down the levels: more time required for analysis, more technical analysis, more forensically sound

Level 1: Manual Analysis


Process
Review phone documentation and browse using handset buttons to view data by hand.

Tools available
Project-a-Phone
ZRT (http://www.fernico.com/zrt.html)

Pros
Can work on every phone
No cable needed and easy to use

Cons
Can't get deleted information
No report generation; time consuming
Can't be used for keypad-damaged, broken handsets, non-working mobile phones

Level 2: Logical Analysis Logical Memory Retrieval


Live SIM card data can be retrieved
Live handset data can be retrieved
Deleted SMSes can be retrieved only from the SIM card (using a SIM card reader)
Deleted handset data cannot be retrieved

Level 2: Logical Analysis Extracting Data from Phone Memory


Access the memory chip directly; or
Access the memory chip through the motherboard (e.g. JTAG interface); or
Extract data from the memory chip through mobile forensic analysis tools using an interface for data communication:
Serial, USB (wired / data cable; best)
Infrared, Bluetooth (wireless)

Level 2: Logical Analysis


Process
Connect the handset to the PC through a data cable. Extract data using AT, OBEX (infrared), BREW (Binary Runtime Environment for Wireless), FBUS (Nokia), etc. commands / protocols

Tools available
Lots of tools available; refer to http://www.e-evidence.info

Pros
Fast, easy to use, lots of information available
Consistent report format, actions are repeatable

Cons
Writing data to the handset
Lots of cables required for connecting the handsets to the mobile forensic workstation
Cannot recover deleted files
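Of the logical-extraction protocols listed above, the AT command set is the simplest: the workstation sends AT+CMGL="ALL" over the data cable and the handset answers in the text-mode format of 3GPP TS 27.005. As an added example that is not from the slides, the following parses such a response into SMS records and singles out the unread ones, which matter because, per that standard, listing a "REC UNREAD" message changes its stored status to "REC READ" (one concrete form of the "writing data to the handset" drawback). The response text, phone numbers and timestamps are constructed, not captured from a real phone.

```python
# Added example, not from the original slides: parse the text-mode response of
# AT+CMGL="ALL" (3GPP TS 27.005) into SMS records. The sample response below is
# constructed; the numbers and timestamps are made up.
import csv

SAMPLE_CMGL_RESPONSE = (
    'AT+CMGL="ALL"\r\n'
    '+CMGL: 1,"REC READ","+919800000001",,"12/03/21,09:14:33+22"\r\n'
    'Meet at 5\r\n'
    '+CMGL: 2,"REC UNREAD","+919800000002",,"12/03/23,10:15:00+22"\r\n'
    'Transfer done, check\r\n'
    'account\r\n'
    '+CMGL: 5,"STO SENT","+919800000003",,\r\n'
    'ok\r\n'
    'OK\r\n'
)

def parse_cmgl(response: str) -> list:
    """Return a list of dicts: index, status, number, timestamp, text.

    Each record is a '+CMGL:' header line (comma separated, quoted fields:
    index, status, originator/destination, alpha, service-centre timestamp)
    followed by the message text, which runs until the next header or the
    final 'OK'. Text mode cannot carry binary or multi-part SMS faithfully;
    those need PDU mode (AT+CMGF=0), which this parser does not handle.
    """
    records = []
    current = None
    for line in response.split("\r\n"):
        if line.startswith("+CMGL:"):
            fields = next(csv.reader([line[len("+CMGL:"):].strip()]))
            current = {
                "index": int(fields[0]),
                "status": fields[1],
                "number": fields[2],
                "timestamp": fields[4] if len(fields) > 4 and fields[4] else None,
                "text": "",
            }
            records.append(current)
        elif line in ("OK", "ERROR") or line.startswith("AT+"):
            current = None            # end of the response, or the echoed command
        elif current is not None:
            current["text"] += line if not current["text"] else "\r\n" + line
    return records

def unread_messages(records: list) -> list:
    """Messages still marked unread: document these first, because listing or
    reading them changes their stored status on a standards-conforming phone."""
    return [r for r in records if r["status"] == "REC UNREAD"]

if __name__ == "__main__":
    for rec in parse_cmgl(SAMPLE_CMGL_RESPONSE):
        print(rec)
```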

Level 3: Physical Analysis


Process
Connect a data cable to the handset. Extract data using commands communicating with the handset processor

Tools available
UFS-3 (http://www.ufsexplorer.com/products.php#mobile)
SmartClip (http://www.smart-clip.com/)
COM Port Unibox; 187 pcs GSM+CDMA cables (http://www.ipmart.com/main/product/COM,Port,Unibox,With,187,pcs,GSM,CDMA,Cable,in,Package,23718.php?prod=23718)

Pros
Can recover deleted data
Extracts data hidden from handset menus; inexpensive

Cons
Inconsistent report format and data conversion required
Difficult to use; limited to specific manufacturer

Level 4: Physical Analysis (Memory Read)


Process
Connect directly to the handset memory and extract data by directly communicating with the memory (bypassing the handset processor)

Tools available
SDKs

Pros
Can extract all data from the handset
Gives a better picture of what is going on in the phone

Cons
This includes de-soldering
Inconsistent report format and data conversion required
Difficult to use

Level 4: Physical Analysis (Memory Read)


JTAG (Joint Test Action Group) interface

Pros
Non-destructive
Ability to dump RAM (PDA)

Cons
Expensive equipment
Advanced JTAG technology knowledge required
JTAG test points must be located on the cell phone
Many mobile phones may not support / activate the JTAG interface

We can access not only non-volatile but also volatile memory

JTAG Interface
Goal: to test the assembled PCB
Standardization of chip test: IEEE Standard 1149.1
The test uses a TAP (Test Access Port) with Boundary-Scan Architecture
Most mobile phone manufacturers have provided it in their handsets
Serial interface

Tools for Forensic Analysis: HW / SW


For GSM
PhoneBase (Envisage)
Phone Manager II (Oxygen)
XRY (Micro Systemation)
Cell Seizure (Paraben)
UFED Physical Pro (Cellebrite)
CellDek Tek (Logicube)

For CDMA
QPST (Qualcomm Product Support Tool)
PhoneManager (LG cellular phone)
eBookMaker (Motorola)
BitPim (freeware)

Analysis Tools: Screenshots


QPST
Qualcomm Product Support Tool
QPST is a set of Windows tools designed to interface with, control, and test CDMA phones


QPST: Phone Connected for Analysis


QPST: Analysis in progress

Documentation
Log all the activities in the log book with date & time, chronologically
Time difference, if any, from the standard time must be recorded
Have a digicam handy and photograph equipment, connectivity, handset and any relevant specific information identified
When connected to a mobile forensic workstation for analysis, take screenshots of your relevant findings

Conclusion
It's very important to acquire data as soon as possible after seizing the mobile phone
All binary information in the memory, including external memory cards, must be acquired without changing the contents
To analyze the binary information, we must know about the file systems of the mobile phones

Summary
People store a wealth of information on their cell phones
Data can be retrieved from several different places in phones
As with computers, proper search and seizure procedures must be followed for mobile devices
