The document discusses several methods for accessing data on mobile devices for forensic purposes: 1) Bootloaders can be used to access memory and prevent the operating system from launching. 2) Flasher boxes were designed to customize devices but can also dump physical memory by interfacing with contacts on the circuit board. 3) JTAG interfaces provide low-level access not dependent on the operating system but require substantial time and knowledge to extract raw memory structures. 4) Chip-off extraction directly reads memory chips and returns the cleanest data but is complex, has failure risks, and may damage the device.

20.4 Forensic Preservation of Mobile Devices 27

cases, the only available option may be to run a software agent in order
to acquire data from a specific mobile device. Digital investigators must
weigh these issues against the benefits of acquiring some information from
a device. In addition, it may be necessary to explain that the acquired digital
evidence is trustworthy despite any concerns raised by the use of a software
agent on the device.

20.4.3 Bootloaders
When a mobile device is powered on, the first code it executes is called a boot
loader. This code has very basic functionality and is comparable to the BIOS
on Intel computers. During normal use of a mobile device, the boot loader
simply launches the operating system to enable the user to interact with the
device. However, the boot loader can be interrupted during the startup process
to prevent the operating system from launching and can then be instructed to
execute custom operations. In this way, forensic tools can use the boot loader
to gain access to memory on a mobile device.

20.4.4 Flasher Boxes

Flasher boxes are devices originally designed to customize the appearance and
operation of the operating system on mobile devices. However, by design, Flasher
boxes can also dump the contents of physical memory from mobile devices.
The Twister Flasher box shown in Figure 20.17 can read the physical memory
from a variety of mobile devices, including many Nokia models. The Twister box
interfaces with many Nokia devices via gold-colored contacts on the circuit board,
shown above left. Once the correct data cable is connected between the mobile
device and Twister box, the Sarasoft software program shown in part above is
used to read data from memory using the proprietary Nokia F-Bus protocol.

FIGURE 20.17
Twister Flasher box can connect to FBUS interface on Nokia device to acquire data using the Sarasoft program.

20.4.5 JTAG
JTAG (Joint Test Action Group) refers to the IEEE 1149.1 standard
(http://grouper.ieee.org/groups/1149/1/). The JTAG standard specifies an
interface for standardized approaches to test integrated circuits and the
interconnections between components, and a means of observing and modifying
circuit activity during a component’s operation (Breeuwsma, 2006). It is a
standard feature found in many mobile phones, as it provides manufacturers
a low-level interface to the device that is not dependent on the operating
system. However, the JTAG specifications for individual phones are not
available outside the manufacturer. JTAG is of interest to forensic
investigators and analysts, as it can theoretically provide direct access to a
mobile phone’s memory without any chance of altering it. However, the time and
knowledge required to achieve this is substantial—not only an understanding of
JTAG for the specific model of phone, but also the work of reconstructing the
resulting binary, which is comprised of the device’s memory structures.
Despite these limitations, JTAG provides the most common method of physical
extraction: it is common across multiple device manufacturers, and there are
multiple devices that extract memory structures through JTAG.

20.4.6 Chip-off Extraction

Extracting the memory chips from a phone and reading them directly is by far
the most exacting extraction method, but has the advantage of accessing the
data in the most direct way. Chip extraction is the lowest-level physical
extraction method (Breeuwsma et al., 2007).
The output from chip extraction is forensically the cleanest, relying on no
intermediate communications systems or on the device in any way. Reading the
chip directly returns the memory structures for analysis. However, this
approach suffers from the same issues as JTAG extraction, and will return only
raw memory structures. Additionally, this is the most complex extraction method
and has an associated failure rate. This approach is considered impractical in
many situations where the evidence may need to be returned, such as cases
where no guilt is established or prosecution does not occur.
Once removed, the flash chips must be read to extract their data. Device
programmers are designed to write data to memory chips but can be used to
extract data from the chips for forensic purposes. This acquisition method
requires the mobile device to be dismantled and the chip to be removed, and is
sometimes referred to as chip-off processing. It is generally necessary to
obtain a socket designed to connect a particular make of chip to the device
programmer. There are several commercial device programmers available: Data I/O
FlashPAK II (www.dataio.com), Xeltek SuperPro 5000 (http://www.xeltek.com), and
BPM Microsystems (http://www.bpmmicro.com).

20.5 FORENSIC EXAMINATION AND ANALYSIS OF MOBILE DEVICES
The purpose of performing a forensic examination is to find and extract infor-
mation related to an investigation, including deleted data. Whether data from
a mobile device was acquired logically or physically, the general examination
approach is the same as outlined in Chapter 6.

■ Survey the available items to become familiar with the main sources of
information on the mobile device.
■ Recover any deleted items including files, SMS messages, call logs, and
multimedia.
■ Harvest metadata from active and recovered items such as date-time
stamps, file names, and whether messages were read and calls were
incoming, outgoing, or missed.
■ Conduct a search and methodical inspection of the evidence, including
keyword searches for any specific, known details related to the
investigation.
■ Perform temporal and relational analysis of information extracted from
memory, including a timeline of events and link chart.
■ Validate important results because even forensic tools have bugs.
When dealing with active data on a baseline mobile device, it may be possible
to examine all of the acquired messages, call logs, calendar entries, and
other items stored on the device. However, when the complete file system or
a full physical memory dump was acquired from a mobile device, it is generally
infeasible to examine every file or data fragment stored on the device. In
such cases, digital investigators must develop a strategy to find relevant
digital evidence. Surveying the acquired data by looking through folders and
viewing the contents of files on a mobile device can lead to some useful items
and may help with the development of a strategy, but this process is not a
substitute for a methodical forensic examination. A strong forensic
examination strategy should take into account what is known about the crime
and the types of information that are being sought. For example, when there
is a specific time period of interest in a case, examining all activities on
the mobile device and reconstructing a timeline of events may be an effective
strategy. As another example, when digital photographs are of interest in a
case, an effective strategy to find all relevant items on a mobile device may
be to employ a combination of file system examination, keyword searching, and
file carving.
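As an added illustration of the keyword-search and file-carving combination described above (example code written for this page, not from the book or any forensic tool), the following Python carves JPEG images out of a raw memory dump by their start and end markers and reports keyword hits that can be placed on a timeline; the dump bytes are a constructed sample, not data from a real device.

```python
import re

# Constructed sample dump (not data from a real device): two minimal JPEG
# fragments (SOI ... EOI markers with filler) separated by a call-log string.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"\xff\xd8\xff\xe0JFIF\x00" + b"A" * 20 + b"\xff\xd9"
    + b"\x00" * 8 + b"call log 2009-03-14 " + b"\x00" * 8
    + b"\xff\xd8\xff\xe1Exif\x00\x00" + b"B" * 12 + b"\xff\xd9"
    + b"\x00" * 16
)

JPEG_SOI = b"\xff\xd8\xff"   # start-of-image marker followed by an APPn marker byte
JPEG_EOI = b"\xff\xd9"       # end-of-image marker


def carve_jpegs(dump, max_size=10 * 1024 * 1024):
    """Return (offset, bytes) for every JPEG found by header/footer signature.
    A start marker with no end marker within max_size is treated as a false
    positive and skipped rather than swallowing the rest of the dump."""
    found = []
    pos = 0
    while True:
        start = dump.find(JPEG_SOI, pos)
        if start == -1:
            break
        end = dump.find(JPEG_EOI, start + len(JPEG_SOI), start + max_size)
        if end == -1:
            pos = start + 1
            continue
        end += len(JPEG_EOI)
        found.append((start, dump[start:end]))
        pos = end
    return found


def keyword_hits(dump, keywords):
    """Map each keyword to the offsets where it occurs (case-insensitive), so
    hits can be related to carved items and to a timeline of events."""
    return {k: [m.start() for m in re.finditer(re.escape(k), dump, re.IGNORECASE)]
            for k in keywords}


if __name__ == "__main__":
    for off, jpg in carve_jpegs(SAMPLE_DUMP):
        print(f"JPEG at offset {off}, {len(jpg)} bytes")
    print(keyword_hits(SAMPLE_DUMP, [b"call log"]))
```

Carved results still need validation (for example, opening each image and checking its dimensions), since signature carving on a raw dump also picks up fragments of overwritten files.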

20.5.1 File System Examination on Mobile Devices

All mobile devices have some form of file system, ranging from simple,
proprietary ones to more complex, standard ones. For instance, some Motorola
and LG devices run the BREW (Binary Runtime Environment for Wireless)
operating system developed by Qualcomm, which has its own file system.
The file system on many CDMA devices can be viewed using BitPim as shown
in Figure 20.18. However, using BitPim it may not be possible to view
date-time stamps associated with files or acquire the entire file system for
later examination using other tools. Commercial forensic tools such as
Cellebrite can acquire the full logical file system from many mobile devices,
including metadata such as date-time stamps.

FIGURE 20.18
BitPim used to browse the file system on a Motorola CDMA device.

Some mobile devices use the FAT file system to arrange data in memory,
others use Linux ext2/ext3 file systems, and iPhones use HFSX which is
unique to Apple computer systems. As a result, it is often possible to
perform a forensic analysis of a physical forensic duplicate of mobile devices
using file system forensic tools such as those covered in Chapters 17, 18,
and 19. Figure 20.19 shows a forensic duplicate of an iPhone being examined
using FTK.

FIGURE 20.19
Examination of iPhone physical forensic duplicate using FTK.

Even when a full copy of physical memory is not possible, for many devices the
complete logical file system can be acquired. Although this generally does not
include deleted items, it can still provide access to substantial digital evidence
including MMS messages, IM fragments, and Web browsing history that are
not displayed automatically by forensic tools. In such situations, the
forensic examiners must locate the desired information within the file system
and interpret it themselves. This is one of the main reasons why it is
important for practitioners to have an understanding of the underlying
technology and not be overly reliant on automated tools.
As an example, Figure 20.20 shows a file named “MMS937483931.PDU” that
was extracted from the file system of an LG mobile device. This file contains an
MMS message with a video that can be recovered even after the original video
file was deleted from the device. These MMS files start with an SMIL header that
includes the name of the attached file, followed by the actual content of the
attachment (Casey, 2009).

FIGURE 20.20
File from an LG mobile device containing an MMS message with a video attachment that can be recovered even after the original video has been deleted from the file system.
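An added example (not from the book or from any LG tool) of pulling the attachment out of a file laid out as the text describes, an SMIL header naming the attached file followed by the attachment bytes. The sample bytes, the `src` attribute and the 3GP `ftyp` signature check are assumptions made for this constructed example, since the exact LG layout is not given here.

```python
import re

# Constructed sample modelled on the description in the text (not a file from a
# real device): an SMIL header naming the attachment, followed directly by the
# attachment bytes, here a minimal 3GP-style 'ftyp' box plus filler.
SAMPLE_PDU = (
    b'<smil><head><layout><root-layout/></layout></head>'
    b'<body><par dur="5000ms"><video src="VID00012.3gp"/></par></body></smil>'
    b'\x00\x00\x00\x18ftyp3gp4' + b'\x00' * 16 + b'V' * 40
)

# Signatures used to locate the attachment after the SMIL header. 'ftyp' sits
# 4 bytes into an ISO/3GP file (after the box size), hence the -4 adjustment.
ATTACHMENT_SIGNATURES = {
    b"ftyp": ("3gp/mp4", -4),
    b"\xff\xd8\xff": ("jpeg", 0),
}


def parse_mms_pdu(data):
    """Return the attachment name from the SMIL header and the attachment bytes.
    The attachment is located by file signature rather than assumed to begin
    right after </smil>, so padding between the two does not break recovery."""
    smil_end = data.find(b"</smil>")
    if smil_end == -1:
        raise ValueError("no SMIL header found")
    smil_end += len(b"</smil>")
    header = data[:smil_end].decode("utf-8", errors="replace")
    names = re.findall(r'src="([^"]+)"', header)
    if not names:
        raise ValueError("SMIL header names no attachment")
    candidates = []
    for sig, (kind, adjust) in ATTACHMENT_SIGNATURES.items():
        idx = data.find(sig, smil_end)
        if idx != -1:
            candidates.append((max(idx + adjust, smil_end), kind))
    if not candidates:
        raise ValueError("no recognised attachment signature after SMIL header")
    start, kind = min(candidates)   # earliest signature after the header wins
    return {"filename": names[0], "kind": kind, "attachment": data[start:]}


if __name__ == "__main__":
    result = parse_mms_pdu(SAMPLE_PDU)
    print(result["filename"], result["kind"], len(result["attachment"]), "bytes")
```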

20.5.2 Data Recovery on Mobile Devices

When common file systems are used such as FAT, HFS, and ext2/3, it may be
possible to recover deleted files using file system forensic tools as discussed in
Chapters 17, 18, and 19. For instance, Figure 20.21 shows EnCase being used to
recover deleted photographs from a FAT file system on a Samsung mobile device.

FIGURE 20.21
Deleted photographs recovered from the reconstructed FAT file system in a physical memory dump of a Samsung mobile device.
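An added example (not from the book or from EnCase) of the FAT directory-entry interpretation that underlies this kind of recovery: a deleted 8.3 entry keeps its size, date-time stamp and first cluster, with only the first name byte overwritten by 0xE5. The directory and data-region bytes are constructed, and contiguous storage of the deleted file is an assumption the code states.

```python
import struct
from datetime import datetime


def _entry(name11, attr, clus_hi, wtime, wdate, clus_lo, size):
    # Pack one 32-byte 8.3 directory entry; creation/access fields are left zero.
    return struct.pack("<11sB8xHHHHI", name11, attr, clus_hi, wtime, wdate, clus_lo, size)


# Constructed sample (not from a real device): an active photo, a deleted photo
# whose first name byte was overwritten with 0xE5, and the end-of-directory marker.
WDATE_2009_03_14 = (29 << 9) | (3 << 5) | 14          # years since 1980, month, day
WTIME_13_45_30 = (13 << 11) | (45 << 5) | (30 // 2)   # hour, minute, 2-second units
SAMPLE_DIR = (
    _entry(b"IMG_0001JPG", 0x20, 0, WTIME_13_45_30, WDATE_2009_03_14, 3, 1024)
    + _entry(b"\xe5MG_0002JPG", 0x20, 0, WTIME_13_45_30, WDATE_2009_03_14, 5, 512)
    + b"\x00" * 32
)
CLUSTER = 512
# Constructed data region: cluster 2 is the first data cluster, so cluster 5
# begins at offset 3 * CLUSTER, where the deleted photo's bytes still sit.
SAMPLE_DATA = b"\x00" * (3 * CLUSTER) + b"\xff\xd8\xff\xe0" + b"P" * 508


def _fat_datetime(d, t):
    try:
        return datetime(1980 + (d >> 9), (d >> 5) & 0xF, d & 0x1F,
                        t >> 11, (t >> 5) & 0x3F, (t & 0x1F) * 2)
    except ValueError:
        return None          # zeroed or corrupt date field


def parse_fat_directory(raw):
    """List 8.3 entries, flagging deleted ones; long-name entries are skipped."""
    entries = []
    for off in range(0, len(raw) - 31, 32):
        e = raw[off:off + 32]
        if e[0] == 0x00:
            break            # end-of-directory marker
        if e[11] == 0x0F:
            continue         # long-file-name entry, not a file record
        name, attr, hi, wtime, wdate, lo, size = struct.unpack("<11sB8xHHHHI", e)
        deleted = name[0] == 0xE5
        base = ((b"?" if deleted else name[:1]) + name[1:8]).rstrip().decode("ascii", "replace")
        ext = name[8:].rstrip().decode("ascii", "replace")
        entries.append({"name": f"{base}.{ext}" if ext else base, "deleted": deleted,
                        "first_cluster": (hi << 16) | lo, "size": size,
                        "modified": _fat_datetime(wdate, wtime)})
    return entries


def recover_contiguous(entry, data_region, bytes_per_cluster=CLUSTER):
    # The cluster chain of a deleted file is gone, so this assumes it was stored
    # contiguously from its first cluster; the JPEG header confirms the guess.
    start = (entry["first_cluster"] - 2) * bytes_per_cluster
    return data_region[start:start + entry["size"]]
```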
