
Mobile Forensics

The document discusses mobile forensics. It describes that mobile forensics involves SIM forensics and mobile device forensics. SIM forensics analyzes data stored on the SIM card like the ICCID and IMSI. Mobile device forensics has three stages - seizing the device, acquiring the data, and analyzing the data. Data can be acquired through over-the-air, logical backups, or physical acquisition methods.

Uploaded by

Qomindawo
Mobile Forensics

D Musundire, Mr (@taona2)

Computer Science Department


National University of Science and Technology
Bulawayo, ZW

2019
Contents

1 Introduction

2 SIM Forensics

3 Stages of mobile forensics

4 Acquisition Methods

DM @taona2 Mobile Forensics



Of what value are mobile devices?

Smartphones are used less for calling and more for socializing; as a result, they hold a lot of sensitive data about their users.
What more can we find? Photos, IM, browsing history, browser logs and cached geo-location information; pictures and videos taken with the phone's camera; passwords to cloud services, forums, social networks, on-line portals, and shopping websites; stored payment data.



Mobile Forensics

Mobile Forensics = SIM Forensics + ME Forensics



SIM Forensics

The SIM (Subscriber Identity Module) is a smart card that is used in mobile phones to store user data and network information that is required to activate the handset for use.
USIM cards, used for 3G technologies, can handle several mini-applications and video calls if these are supported by the network and the handset.
The USIM has stronger encryption; its phonebook is much bigger, with the ability to store thousands of richer contacts that might contain email addresses, photos, and several additional phone numbers.



SIM Card File System Hierarchy



Information we can gather...

ICCID: up to twenty digits long, this Integrated Circuit Card Identifier uniquely identifies a SIM card and is mainly divided into two parts: the Issuer Identification Number (IIN) and the Account Identification Number (AIN).
The Issuer Identification Number is interpreted as follows: the first two digits are reserved for the Major Industry Identifier (MII) (i.e., 89 for the SIM telecommunications industry), followed by a two-digit Country Code, in addition to a three-digit Issuer Identifier Number.
The Account Identification Number includes four digits for the manufacturing month/year, two digits for the Configuration Code, six digits for the Individual SIM Number, and finally a checksum digit for error detection.



...cont

IMSI: a fifteen-digit number, the International Mobile Subscriber Identifier is primarily used for signaling and messaging over a GSM network. Similar to the ICCID, the IMSI is structured as follows: three digits for the Mobile Country Code (MCC), plus two to three digits for the Mobile Network Code (MNC), and the rest is an allocated sequential serial number, the Mobile Subscriber Identity Number (MSIN).
Also: MSISDN, SPN and SDN, TMSI, ADN and SMS.
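The ICCID and IMSI layouts described on the two slides above, as a small parser an examiner could run over identifiers read from a SIM. This is an added example, not part of the original slides; the function names and sample values are constructed, the ICCID parser assumes the full 20-digit layout, and it assumes the checksum digit is a Luhn check digit. The MNC length cannot be derived from the IMSI digits alone, so the caller supplies it.

```python
import re

def luhn_ok(digits: str) -> bool:
    """Luhn check with the check digit as the last character."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def parse_iccid(iccid: str) -> dict:
    """Split a 20-digit ICCID using the field widths listed on the slide."""
    if not re.fullmatch(r"[0-9]{20}", iccid):
        raise ValueError("expected exactly 20 decimal digits")
    return {
        "mii": iccid[0:2],              # Major Industry Identifier
        "country_code": iccid[2:4],
        "issuer_id": iccid[4:7],
        "mfg_month_year": iccid[7:11],
        "config_code": iccid[11:13],
        "sim_number": iccid[13:19],
        "check_digit": iccid[19],
        "telecom_mii": iccid[0:2] == "89",
        "checksum_ok": luhn_ok(iccid),  # False suggests a misread or altered value
    }

def parse_imsi(imsi: str, mnc_len: int) -> dict:
    """Split a 15-digit IMSI into MCC, MNC and MSIN for a given MNC length."""
    if not re.fullmatch(r"[0-9]{15}", imsi):
        raise ValueError("expected exactly 15 decimal digits")
    if mnc_len not in (2, 3):
        raise ValueError("MNC is two or three digits")
    return {"mcc": imsi[:3], "mnc": imsi[3:3 + mnc_len], "msin": imsi[3 + mnc_len:]}

# Constructed sample values, not taken from any real card.
SAMPLE_ICCID = "89270010619011234562"
SAMPLE_IMSI = "001010123456789"

if __name__ == "__main__":
    print(parse_iccid(SAMPLE_ICCID))
    print(parse_imsi(SAMPLE_IMSI, 2))
    print(parse_imsi(SAMPLE_IMSI, 3))  # same digits, different split
```
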



Stages of mobile forensics

Stage 1 – device seizure
Stage 2 – data acquisition
Stage 3 – data analysis



Acquisition Methods

Over-the-air acquisition
Logical acquisition – acquiring evidence from mobile backups
Physical acquisition – availability and applicability
JTAG, In-System Programming, and chip-off
