Mobile Forensics

By Kousik Maiti
CDAC Kolkata
 Agenda
 BACKGROUND
 PRESERVATION
 ACQUISITION
 EXAMINATION AND ANALYSIS
 REPORTING
 FORENSIC TOOLS
 Background
 Mobile Device Characteristics
 Memory Considerations
 Identity Module Characteristics
 Cellular Network Characteristics
 Other Communications Systems
Mobile Device Characteristics
Contd...
 Memory Considerations
 Both non-volatile and volatile memory
 One or two different types of non-volatile flash
memory i.e. NAND and NOR
 NOR flash has faster read times, slower write times
than NAND and is nearly immune to corruption and
bad blocks while allowing random access to any
memory location.
 NAND flash offers higher memory storage
capacities, is less stable and only allows sequential
access.
Contd...
 Contd...
 RAM is the most difficult to capture accurately
due to its volatile nature. RAM used for
program execution, information may be of value
to the examiner. Mobile device RAM capture
tools are just beginning to become available.
 NOR flash memory : operating system code,
the kernel, device drivers, system libraries,
memory for executing operating system
applications and the storage of user application
execution instructions. NOR flash will be the
best location for data collection for first
generation memory configuration devices.
 NAND flash memory PIM data, graphics, audio,
video, and other user files. This type of memory
 Identity Module Characteristics
 Identity modules (commonly known as SIM
cards) are synonymous with mobile devices that
interoperate with GSM cellular networks. Under
the GSM framework, a mobile device is referred
to as a Mobile Station
 Have two distinct components: the Universal
Integrated Circuit Card (UICC) and the Mobile
Equipment (ME).
 SIM Card – Evolution & Types
 SIM cards have been in the industry since 1991
and are classified in a range of SIM card sizes;
Full Size SIM, Mini-SIM, Micro-SIM, Nano-SIM,
and embedded SIMs

10
 SIM

C1 +5 VDC power supply input (optional use by the card)

C2 Reset signal, used to reset the card's communications.
C3 Provides the card with a clock signal
C4 AUX1, optionally used for USB interfaces and other uses.
C5 Ground (reference voltage)
C6 Programing voltage input (optional). This contact may be used to supply the
voltage required to program
C7 Input or Output for serial data (half-duplex) to the integrated circuit inside the card.
11
Smart Card File System (ISO7816-4)
 It consists of the following three types of
elements: MF, DF, and EF which are the Master,
Dedicated, and Elementary File systems, in that
order. MF is the root of all file systems and has
DF and EF as its subordinate directories.

12
 Cellular Network Characteristics
 The two most dominant types of digital cellular
networks are known as
 Code Division Multiple Access (CDMA)
 Global System for Mobile Communications (GSM)
networks.
 Other common cellular networks include Time
Division Multiple Access (TDMA) and Integrated
Digital Enhanced Network (iDEN).
TDMA – Time Division Multiple Access
CDMA-Code Division Multiple Access
GPRS- General Packet Radio Service
GSM- Global System for Mobile
Communications
EDGE-Enhanced Data for GSM Evolution
TD SCDMA- time division synchronous code
division multiple access)
OFDM -Orthogonal Frequency Division Multiplexing
MIMO- multiple-input and multiple-output
LTE- Long Term Evoluation
3GPP- 3rd Generation Partnership Project
HSPA - High Speed Packet Access
WiMax- Worldwide Interoperability for Microwave Access
 Other Communications Systems
 Mobile IP Protocol -Wireless Local Area
Network (WLAN), Worldwide Interoperability for
Microwave Access (WiMAX), IP over Digital
Video Broadcasting (DVB) and Broadband
Wireless Access (BWA)
 Satellite Phone Network
Satellite phones are
equipped with a UICC and
provide users with a wide
variety of features (e.g.,
contact list, text messaging,
voicemail, call forwarding,
etc.)
For example, the Iridium
satellite constellation is
made up of 66 Low Earth
Orbiting (LEO) satellites
with spares, providing
worldwide voice and data
communications.
 PRESERVATION
 Securing And Evaluating The Scene
 Documenting The Scene
 Isolation
 Packaging , Transporting , And Storing
Evidence
 On-site Triage Processing
 Generic On-site Decision Tree
 Securing And Evaluating The
Scene
 Correct procedures or proper handling of a
mobile device during seizure
 Mobile device characteristics and issues (e.g.,
memory volatility) and familiarity with tangential
equipment (e.g., media, cables, and power
adapters)
 Sources of evidence include the device, UICC
and associated media
 Requesting any security codes, passwords or
gestures needed to gain access to its contents
 Documenting the Scene
 All digital devices, including mobile devices
have store data, photographed with all
peripherals cables, power connectors,
removable media, and connections.
 If the device’s display is in a viewable state, the
screen’s contents should be photographed and,
if necessary, recorded manually, capturing the
time, service status, battery level, and other
displayed icons.
 Isolation
 Isolating a mobile device from all radio networks
(e.g. WiFi, Cellular and Bluetooth) is important
to keep new traffic, such as SMS messages,
from overwriting existing data.
 The risk of overwriting potential evidence, the
question may arise whether data received on
the mobile device after seizure is within the
scope of the original authority granted.
 Vulnerabilities may exist that may exploit a
weaknesses related to software vulnerabilities
from the web browser and OS, SMS, MMS,
third-party applications and WiFi networks. The
possibility of such vulnerabilities being exploited
may permit the argument that data may have
 Contd...
 Three basic methods for isolating the mobile
device
 Enabling “Airplane Mode”
 Turning off the mobile device
 Keeping the mobile device on, but radio isolated i.e.
put in Farady Container
 Packaging, Transporting, and
Storing Evidence
 Seal the device in an appropriate container and
label it appropriately according to agency
specifications.
 Storage facilities that hold evidence should
provide a cool, dry environment appropriate for
valuable electronic equipment.
 All evidence should be in sealed containers in a
secure area with controlled access.
 On-Site Triage Processing
 Triaging involves performing a data extraction
(i.e., Manual or Logical) on-scene followed
immediately by a preliminary analysis of the
data extracted.
 Logical extraction tools are providing additional
capabilities to use keywords and specific known
hashes alerting the on-scene examiner
immediately to potential issues that need to be
addressed
 Usefulness
 Media most likely to contain evidence
 Those investigations that require a more
detailed and technical examination
 The investigations that could be subject of
limited examination by qualified practitioners
 Material requiring urgent investigation
 Examinations suitable for outsourcing
 The extent of the assistance the unit will need
to provide to an investigation
 Benefits
 Reduced laboratory workload
 Better leveraging of existing resources
 Reduced training costs - Triage tools are
typically designed to require less training than
deeper analysis tools and techniques
 Reduced unit cost
 Live collection opportunity – Devices are often
presented in an unlocked state affording the on-
site examiner the potential to extract more data
before the locking mechanism is activated
eneric On-Site Decision Tree
 ACQUISITION
 Mobile Device Identification
 Tool Selection and Expectations
 Mobile Device Memory Acquisition
 Tangential Equipment
 Cloud Based Services For Mobile Devices
 Mobile Device Identification
 Mobile devices need to be identified by the
make, model, and service provider
 If the mobile device is not identifiable,
photographing the front, back and sides of the
device may be useful in identifying the make,
model and current state
 Knowing the make and model helps to limit the
potential service providers, by differentiating the
type of network the device operates over
 Contd...
 Device Characteristics – the make and
manufacturer of a mobile device may be
identified by its observable characteristics
 Device Interface – the power connector can be
specific to a manufacturer and may provide
clues for device identification.
 Device Label – often lists the make and model
number of the mobile device and also unique
identifiers
 Carrier Identification – The carrier for a mobile
device may have their logo printed on the
exterior.
 Reverse Lookup – The Number Portability
Tool Selection and Expectations
 Fundamental set of requirements for forensic
tools
 Usability – the ability to present data in a form that
is useful to an investigator
 Comprehensive – the ability to present all data to
an investigator so that both inculpatory and
exculpatory evidence can be identified
 Accuracy – the quality of the output of the tool has
been verified
 Deterministic – the ability for the tool to produce the
same output when given the same set of
instructions and input data
 Verifiable – the ability to ensure accuracy of the
output by having access to intermediate translation
Mobile Device Memory Acquisition
 Micro-SD card
 Phone’s internal memory
 Live memory capturing
 Tangential Equipment
 It contains memory and are associated with a
mobile device.
 Three main categories are
 memory cards,
 host computers to which a mobile device has
synchronized its contents
 cloud-based storage.
Memory card
 Cloud Based Services for Mobile
Devices
 User applications and data to be stored on the
cloud (i.e., internet servers) rather than the
mobile device memory.
 Retrieval and analysis of cloud based data
should be done to get the complete insight.
 Examles
 Google Storage
 Dropbox
 Examination and Analysis
 The examination process uncovers digital
evidence, including that which may be hidden or
obscured. It is a technical process that is the
province of a forensic specialist.
 The analysis process differs from examination
in that it looks at the results of the examination
for its direct significance and probative value to
the case. It may be done by roles other than a
specialist, such as the investigator or the
forensic examiner.
Potential Evidence
 Objective of Analysis
 Gather information about the individual(s)
involved {who}.
 Determine the exact nature of the events that
occurred {what}.
 Construct a timeline of events {when}.
 Uncover information that explains the
motivation for the offense {why}.
 Discover what tools or exploits were used
{how}.
 Call and Subscriber Records
 Customer name and address
 Billing name and address (if other than
customer)
 User name and address (if other than customer)
 Billing account details
 Telephone number (MSISDN)
 IMSI
 UICC serial number (ICCID)
 PIN/PUK for the UICC
 Services allowed
 Reporting
 Reporting is the process of preparing a detailed
summary of all the steps taken and conclusions
reached in the investigation of a case.
 Reporting depends on maintaining a careful
record of all actions and observations,
describing the results of tests and
examinations, and explaining the inferences
drawn from the data. A good report relies on
solid documentation, notes,photographs and
tool-generated content.
 Contd...
 Report may include the following information
 Identity of the reporting agency
 Case identifier or submission number
 Case investigator
 Identity of the submitter
 Date of evidence receipt
 Date of report
 Descriptive list of items submitted for examination,
including serial number, make, and model
 Identity and signature of the examiner
 The equipment and set up used in the examination
 Contd...
 Brief description of steps taken during
examination, such as string searches, graphics
image searches, and recovering erased files.
 Supporting materials such as printouts of
particular items of evidence, digital copies of
evidence, and chain of custody documentation
 Details of findings:
 Specific files related to the request
 Other files, including deleted files, that support the
findings
 String searches, keyword searches, and text string
searches
 Internet-related evidence, such as Web site traffic
 Contd...
 Graphic image analysis
 Indicators of ownership, which could include
program registration data
 Data analysis
 Description of relevant programs on the examined
items
 Techniques used to hide or mask data, such as
encryption, steganography, hidden attributes,
hidden partitions and file name anomalies
 Report conclusions
 FORENSIC TOOLS
 The AFLogical tool
 Cellebrite – UFED
 Mobile Check
 Advik CDR
 MOBILedit
 Autopsy
 The AFLogical tool
 AFLogicalis an Android forensics tool
developed byviaForensics. This tool
performs logical acquisition of any Android
device running either Android 1.5 or later
versions. It allows the extracted data to be
saved to the examiner’s SD Cardin CSV
format. There are twoeditions in this tool:
AFLogical Open Source Edition (OSE) and
AFLogical Law Enforcement (LE).

46
 AFLogical Open SourceEdition
 AFLogicalOpen Source Edition is free open
source software. It pulls all available MMS,
SMS, contacts, and call logs from the
Android device. AFLogical OSEis also built
intoSantoku-Linux, the open source,
community-driven OS dedicatedto mobile
forensics,mobile malware, and mobile
security.

47
AFLogical Law Enforcement (LE)
Browser bookmarks IM contacts provider (IM contacts)
Browser searches IM invitations
Calendar attendees IM messages
Calendar events IM providers
Calendar extended properties IM provider settings
Calendar reminders Internal image media
Calendars Internal image thumb media
CallLog calls Internal Videos and Maps-Friends
Contact methods Maps-Friends contacts
Contact extensions Maps-Friends extra
Contact groups MMS
Contact organizations MmsPartsProvider (MMSParts)
Contact phones Notes
Contact settings People
External image media Phone storage deleted by people
External image thumb media (HTC Incredible)
External media external videos Search history
IM account SMS
IM accounts Social contracts activities
IM chats

48
 Cellebrite – UFED
Cellebrite UFED offers severalproducts that
support data acquisition and analysis of
Android devices. Cellebrite is a popular
commercial tool that provides the examiner
with both logical and physical acquisition
support aswell asan analytical platform to
examine data. Cellebrite Physical Analyzer,
the analytical platform, allows the examiner
to keyword search,bookmark, carve data,
and create customized reports to support
their investigation.

49
UFED Physical Analyzer application

50
 Mobile Check
 CDAC's MobileCheck is a digital forensics
solution for acquisition and analysis of Mobile
phones, Smart phones and Personal Digital
Assistants (PDAs)

51
 Features
 Supports more than 1500 phones and PDAs
 Supported smart phones include Windows
Mobiles, BlackBerry, Android and Palm OS
devices.
 Supports basic phones such as Nokia,
Samsung and Sony Ericsson
 Extracts Contacts, Call logs, SMS, E-mails,
Tasks and other phone related data
 Extracts phone file system.
 Supports MD5 hashing
 Generates acquisition report.
52
 Advik CDR Analyzer
 Call Data Record analyzer can import and
analyze CDR/Tower CDR logs of any service
provider in India and generates a
comprehensive report of frequency statistics
including service provider details and subscriber
details (SDR)* of CDR Numbers.
*SDR details will be available when the user
uploads SDR to Advik CDR Analyzer Database.

53
 Features
 Seize and Acquire CDR Logs
 Support CDR/Tower CDR logs of .xls(x),
.csv,.txt, MS Access and .html file formats.
 Support to import SDR of .xls(x), .mdb and .txt
file formats.
 Customisable Preset facility for single click data
import.
 Search and Manage SDR.*
 Call Flow Visualizer.
 Customisable Filters.
 Advanced Search with Scripting support. 54
 MOBILedit
 MOBILedit forensic tool can be usedto
view, search,or retrieve data from a phone,
including call history, phonebook, text
messages, multimedia messages, files,
calendars, notes, reminders, and
application data suchasSkype, Dropbox,
Evernote, and more. It will also retrieve
phone information suchasIMEI, operating
systems, firmware including SIM details
(IMSI), ICCID, and location area information.
Depending on the circumstances,
MOBILedit is also able to retrieve deleted
data from phones and bypass the passcode,
PIN, and phone backupencryption.
55
MOBILedittool results

56
MOBILedittool—Call logs option

57
 Autopsy
 Autopsy, the GUI-based upon the Sleuth
Kit, runs on a Windows forensic
workstation and can be downloaded from
http://www.sleuthkit.org/autopsy/. Autopsy
currently provides analytical support for
Android devices. Both open source and
Law Enforcement modules are available for
Autopsy. These modules provideadditional file
carving and parsingsupport for applications
and files found on Android devices and
SD cards.

58
Autopsy results

59
 Other Tools
 Oxygen Forensics Suite,
 MicrosystemationXRY,

 AccessData MPE+

… Many more....

60
 Challenges
 Operating systems and manufacturers
 Connection issues
 To connect a phone, an expert has to choose the
right model from a long list of thousands of names.
The better smart software tools can make life easier
for the expert and determine the plug-in model type.
 Logical vs. Physical
 Software assessment. Which one tool?

61