CF Lecture 11 - Smart Devices Forensics


Dr. Zunera Jalil
Email: [email protected]
Understanding Mobile Devices 2

• The term “mobile devices” encompasses a wide array of gadgets, ranging from mobile phones, smartphones, tablets, MP3 players, smartwatches and GPS units to wearables, drones, PDAs and many more.
• Small-sized digital devices collect huge quantities of data on a daily
basis, which can be extracted to facilitate the investigation.
• Successful examination of mobile devices requires special knowledge
and skills of mobile forensics experts.
• Fast changes in the technology challenge experts in their daily
business.
Understanding Mobile Devices 3

 Dealing with a diverse range of devices constitutes a challenge for the digital forensics examiner, who needs to know the specialties of each device to successfully extract as much data from it as possible.
 When the examiner becomes familiar with a platform and how to extract and analyze it, manufacturers of operating systems change their security concept and the vicious circle starts again.
Manufacturers:
• The first step in the investigational process is the identification of the phone.
 Not easy… there are hundreds of device manufacturers.
• Mobile phones can sometimes be identified by removing the device's battery, but that carries the risk of triggering a user lock or losing the data held in volatile memory.
Understanding Mobile Devices 4

 Identifying a smartphone only by looking at it can be extremely hard, even for mobile forensics experts.
 Mobile forensics toolkits offer the possibility to identify devices automatically when they are connected.
Connectors
 To connect a phone successfully, an expert must choose the appropriate plug. The next step is to find the appropriate driver to establish a connection to the computer.
 Common mobile forensics toolkits do this work automatically. If one computer has several mobile forensics toolkits installed, the examiner must be careful, as the driver packs from different vendors can interfere with each other.
 If the USB connection doesn't work, there is also the possibility of using a wireless connection such as Bluetooth to retrieve data from a mobile device.
Understanding Mobile Devices 5

Operating Systems:
 Market shares of mobile OS manufacturers can change extremely fast. Every year new mobile devices are released, which can easily change the constellation of OS market shares.
 Operating systems offer mostly the same functions but differ greatly in terms of data storage, security concepts and other characteristics.
 Android is used by different manufacturers, and it is often customized.
 Smartphone OSs receive frequent major updates, nearly every month.
 New security policies, new features, or changes in the data storage of the OS constitute immense challenges for mobile forensics experts.
Android OS 8
Understanding Mobile Device 9

Applications
• Apps often store most of their information in SQLite databases, so those databases will contain a major part of the case data. Mobile forensics toolkits decode databases automatically and display them in a structured way.
• Depending on the toolkit, only a few hundred different apps are supported, which is a comparatively small number, as there were about 4 million apps available.
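Added example (not part of the lecture) of what the automatic SQLite decoding step of a toolkit does, and of the "SQLite Analysis" item listed later under Forensic Analysis: the script hashes the database before parsing, reports any -wal/-journal/-shm sidecar files that must be acquired together with it, opens it read-only, walks every table and converts Android-style epoch-millisecond timestamps to UTC. The SMS-style schema and rows are constructed for the demonstration and the function names are mine.

```python
# Added example (not part of the lecture): decode an app SQLite database the way
# a mobile forensics toolkit does: hash the file, list journal sidecars that must
# be acquired with it, walk every table and turn epoch-millisecond times into UTC.
import hashlib
import os
import sqlite3
import tempfile
from datetime import datetime, timezone

# SQLite parks unflushed writes in these sidecars; an image without them can
# silently lose the most recent records.
SIDECARS = ("-wal", "-journal", "-shm")

def sha256_file(path):
    """Integrity hash taken before any parsing touches the database."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def present_sidecars(path):
    """Sidecar files found next to the database (acquire these too)."""
    return [path + s for s in SIDECARS if os.path.exists(path + s)]

def ms_to_utc(value):
    """Android apps commonly store times as Unix epoch milliseconds."""
    if isinstance(value, int) and value > 10**11:  # heuristic: ms, not seconds
        return datetime.fromtimestamp(value / 1000, tz=timezone.utc).isoformat()
    return value

def decode_database(path):
    """Return {table: [row dict, ...]} for every user table, opened read-only."""
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    con.row_factory = sqlite3.Row
    names = [r["name"] for r in con.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    result = {}
    for name in names:
        quoted = '"' + name.replace('"', '""') + '"'   # safe identifier quoting
        rows = con.execute(f"SELECT * FROM {quoted}").fetchall()
        result[name] = [{k: ms_to_utc(r[k]) for k in r.keys()} for r in rows]
    con.close()
    return result

def build_sample_db():
    """Constructed SMS-style store (not data from any real device)."""
    path = os.path.join(tempfile.mkdtemp(), "mmssms.db")
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE sms (address TEXT, date INTEGER, type INTEGER, body TEXT)")
    con.executemany("INSERT INTO sms VALUES (?, ?, ?, ?)",
                    [("+10000000001", 1700000000000, 1, "meet at 9"),
                     ("+10000000002", 1700000360000, 2, "ok")])
    con.commit()
    con.close()
    return path
```

Run `decode_database(build_sample_db())` to see the rows with their dates rendered as ISO-8601 UTC; on a real extraction, compare `sha256_file()` against the acquisition log before and after parsing.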
Understanding Mobile Device 10

Cloud Data
• An increasing amount of data containing information very valuable to forensic investigations is never saved on mobile devices in the first place but in cloud storage instead, whether by the device's OS or by third-party apps.
• Cloud backups also offer the chance to recover data deleted by the user or the data of locked, broken or wiped devices.
• However, acquiring this data is difficult not only because of legal constraints, depending on the country the investigation takes place in, but also because of security mechanisms like separate passwords and 2-factor authentication.
• Specialized software is required to acquire cloud data in a forensically sound way.
Mobile Device Forensics 11

• People store a wealth of information on cell phones but hardly think about securing their phones
• A search warrant might be needed to examine mobile devices
• Lots of private information
• Items stored on cell phones
 Incoming, outgoing, and missed calls
 Multimedia Message Service (MMS) messages and Short Message Service (SMS) messages
 E-mail accounts
 Instant-messaging (IM) logs
 Web pages
 Pictures, video, and music files
 Calendars and address books
 Social media account information
 GPS data (Nav maps)
 Voice recordings and voicemail
Why Mobile Device Forensic is Challenging? 1/3 12

• Hardware differences - The market is flooded with different models of mobile phones from different manufacturers
 Different models, sizes, OS & features
• A range of different types of OS
 Apple's iOS, Google's Android, RIM's BlackBerry OS, Microsoft's Windows Mobile, HP's webOS, Nokia's Symbian OS
• Security features
 Modern mobiles contain built-in features for security and privacy
Why Mobile Device Forensic is Challenging? 2/3 13

• Lack of Resources
 Market diversity is leading to a bigger set of accessories that
need to be maintained by forensic examiners
 Cables, batteries, chargers etc.
• Generic state of the device
 Even if a device appears to be in an off state, background
processes may still run
• Anti-forensic techniques
 Data hiding, data obfuscation, data forgery, and secure wiping make investigations on digital media more difficult
Why Mobile Device Forensic is Challenging? 3/3 14

• Dynamic nature of evidence
 Digital evidence may be easily altered, either intentionally or unintentionally
• Reset Functionality
 can be reset to factory status
• Legal issues
 Mobile devices might be involved in crimes, which can cross
geographical boundaries
Cellular Communication System 15

Cellular technology has advanced rapidly


Cellular Communication System 16

• Most Code Division Multiple Access (CDMA) networks conform to:
• These systems are referred to as CDMAOne
• When they went to 3G services, they became CDMA2000
• Global System for Mobile Communications (GSM) uses the Time Division Multiple Access (TDMA) technique, in which multiple phones take turns sharing a channel
Cell Site Analysis 17
Cell Site Analysis 18
Cellular Communication Systems 19

Main components used for communication:
• Base transceiver station (BTS)
 Cell phone tower and associated equipment
• Base station controller (BSC)
 Hardware & software that controls the BTS
• Mobile switching center (MSC)
 Routes calls
 Has a database of subscribers with account and location data
Cellular Communication Systems 20
Mobile Device Basics 21

• Mobile devices can range from simple phones to small computers
 Also called smart phones
• Hardware components
 Microprocessor, ROM, RAM, a digital signal processor, a radio module, a microphone and speaker, hardware interfaces, LCD display, sensors, camera etc.
• Most basic phones have a proprietary OS
Mobile Device Basics 22

• What can be pulled from the device
 Logical tools acquire call logs, pictures and phonebooks
 SIMs on many Android devices provide the last numbers dialled and SMS messages
 Physical access is improving
 Practitioners root the device to obtain more data; parsing is then required
Inside Mobile Device- Memory 23

• Mobile devices contain both non-volatile and volatile memory
 Non-volatile memory is a type of EEPROM
• Enables service providers to reprogram phones without having to physically access memory chips
• Mobile devices contain one or two different types of non-volatile flash memory
 NAND and NOR
• NOR flash has faster read times but slower write times than NAND
 NOR flash is nearly immune to corruption and bad blocks while allowing random access to any memory location
Inside Mobile Device- Memory 24

• NAND flash offers higher memory storage capacities, is less stable and only allows sequential access
• Feature Phone – 1G memory configuration
 NOR – system and user data
 RAM – run-time execution
• Smartphone – 2G memory configuration
 NOR, NAND & RAM
• Smartphone – 3G memory configuration
 NAND & RAM
Inside Mobile Device- Memory 25

• RAM is the most difficult to capture accurately due to its volatile nature
• NOR memory is the best location for 1G memory devices
 Operating system code, the kernel, device drivers, system libraries, memory for executing operating system applications
• NAND memory is also useful in almost all modern smart phones
 PIM data (calendars, contacts etc.), graphics, audio, video, and other user files
Mobile Forensics Process 26
Acquisition Procedure for Mobile Device 27

• Depending on the warrant or subpoena, the time of seizure might be relevant
• Messages might be received on the mobile device after seizure
• Isolate the device from incoming signals with one of the following options:
 Place the device in airplane mode
 Use the Paraben Wireless StrongHold Bag
 Turn off the device
SANS DFIR Recommendations 28

 If the device is on and unlocked
• Isolate it from the network, disable the screen lock, remove the passcode
 If the device is on and locked
• What you can do varies depending on the type of device
 If the device is off
• Attempt a physical static acquisition and turn the device on
Mobile Device Isolation Techniques 29

• Jamming
 Jammers, also known as radio jammers, are devices used to block the use of mobile phones by sending radio waves on the same frequency used by mobile phones. This causes interference, which inhibits the communication between mobiles and the BTS, paralyzing every phone activity in its range of action.
• Airplane mode
 Airplane mode is one of the options that can be used to protect a mobile collected at the crime scene by preventing incoming and outgoing radio transmission.
 It is a risky option because it is necessary to interact with the mobile phone, and it is possible only if the phone is not protected with a passcode.
Mobile Device Isolation Techniques 30

• Activation of USB debugging:
 Activating this option allows greater access to the device over an Android Debug Bridge (ADB) connection. This option is a great tool for the forensic examiner during the data extraction process.
 On Android devices, this option can be found in Settings | Development
Acquisition from Mobile Device 31

• Check these locations for information
 Internal memory
 SIM card
 Removable or external memory cards
 Network provider
 The choice of logical or physical (bit-by-bit) acquisition is also critical
• Physical acquisitions can recover deleted files
Acquisition from Mobile Device 32

• Basic information that can be retrieved falls into four categories
 Service-related data
• Identifiers for the SIM card and the subscriber
 Call register, e.g. dialed, received and missed calls
 Message information
 Location information
• Modern smartphones hold several other kinds of critical data
 Pictures, videos, WhatsApp and Facebook logs etc.
• If power has been lost, PINs or other access codes might be required to view files
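Added example (not from the lecture) that decodes the two service-related identifiers a SIM reader returns: the ICCID, whose last digit is a Luhn check digit under ITU-T E.118, and the IMSI, split into MCC, MNC and MSIN. The sample values are constructed rather than read from any real card, the MNC length has to be supplied because it varies by country (2 digits in most regions, 3 in North America), and the function names are mine.

```python
# Added example (not from the lecture): decode the two identifiers a SIM reader
# returns as service-related data. ICCID (ITU-T E.118): "89" + issuer/account
# digits + Luhn check digit. IMSI: MCC (3 digits) + MNC (2 or 3) + MSIN.

def luhn_valid(digits):
    """Luhn check over a digit string whose last digit is the check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def decode_iccid(iccid):
    """Split an ICCID into its fields; raise ValueError when the check digit
    fails (a misread from the card or an edited value)."""
    # 19-20 digits on practically all cards; E.118 allows up to 22.
    if not (iccid.isdigit() and 18 <= len(iccid) <= 22):
        raise ValueError("ICCID must be 18 to 22 digits")
    if not luhn_valid(iccid):
        raise ValueError("ICCID failed Luhn check")
    return {
        "major_industry_identifier": iccid[:2],   # "89" = telecommunications
        "issuer_and_account": iccid[2:-1],        # IIN (variable length) + account
        "check_digit": iccid[-1],
    }

def decode_imsi(imsi, mnc_length=2):
    """Split an IMSI into MCC, MNC and MSIN. The MNC length is not encoded in
    the IMSI itself; it follows from the MCC (3 digits in North America)."""
    if not (imsi.isdigit() and 6 <= len(imsi) <= 15) or mnc_length not in (2, 3):
        raise ValueError("IMSI must be 6 to 15 digits with a 2- or 3-digit MNC")
    return {"mcc": imsi[:3], "mnc": imsi[3:3 + mnc_length], "msin": imsi[3 + mnc_length:]}

# Constructed sample values (not taken from any real card).
SAMPLE_ICCID = "8900000000000000011"
SAMPLE_IMSI_US = "310150123456789"
```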
Mobile Forensics Equipment 33

• SIM card readers
 A combination hardware/software device used to access the SIM card
 You need to be in a forensics lab equipped with appropriate antistatic devices
 A variety of SIM card readers are available
Mobile Forensics – Tool Classification Pyramid
Mobile Forensics Equipment 35

NIST guidelines list types of data extraction

1. Manual extraction
2. Logical extraction
3. Physical Acquisition
4. Hex dumping and Joint Test Action Group (JTAG) extraction
5. Chip-off
6. Micro read
Manual Extraction Method
• Viewing the data content stored on a mobile device via the LCD screen
 Requires the manual manipulation of the buttons, keyboard or touchscreen to view the contents of the mobile device
• Language problems might also occur
 The phone might be displaying a language unknown to the investigator
• If there is a large amount of data, a manual extraction can be very time consuming
 It carries the danger of modifying, deleting or overwriting data as a result of the examination
Logical Extraction
• The mobile device and the forensics workstation are connected with a wire (e.g., USB or RS-232) or wirelessly (e.g., IrDA, WiFi, or Bluetooth)
• The examiner should be aware of the issues associated with each connection type
 Associated protocols may result in data being modified
Physical Acquisition

• Today's top tools: XRY Physical & UFED Physical
• Flasher box
 Used primarily for “unlocking” phones from the network; many have the ability to dump raw data and have been adopted by digital examiners for acquiring and validating data
Hex Dumping

• Hex dumping (FWS + flasher box + mobile phone)
• Software is uploaded to the mobile device via its data port, which puts it in diagnostic mode
• A series of commands is then sent by the flasher box to extract the flash memory contents
• These are then sent to the forensic workstation
 A cable connection is needed
• In rare cases WiFi can also be used
JTAG

• JTAG - Joint Test Action Group
 Defines a common test interface for processor, memory, and other semiconductor chips
• JTAG testing unit
 Used to request memory addresses from the JTAG-compliant component and accept the response for storage and rendition
• Proper training is required for extracting and analyzing binary images with JTAG
Chip-Off

 Refers to the acquisition of data directly from a mobile device's flash memory
 Requires the physical removal of the flash memory
• Chip-off provides examiners with the ability to create a binary image of the removed chip
 Identical to hard disk imaging
• Extensive training is required in order to successfully perform extractions at this level
Micro Read 43

• Involves recording the physical observation of the gates on a NAND or NOR chip with the use of an electron microscope
• An extreme level of technical skill is involved
 Should only be attempted for high-profile cases equivalent to a national security crisis
Forensic Analysis 44

• Analyzing acquired data
 File System Analysis
 SQLite Analysis
 Directory Structure
 FAT Analysis
 SD Card Analysis
Passcode Types 45
New Passcode Types 46
Mobile Forensic Tools 47

• Paraben Software offers several tools:
 Device Seizure - used to acquire data from a variety of phone models
 Device Seizure Toolbox - contains assorted cables, a SIM card reader, and other equipment
• BitPim - used to view data on many CDMA phones
• Cellebrite UFED Forensic System - works on smartphones, PDAs, tablets, and GPS devices
• MOBILedit Forensic - contains a built-in write-blocker
• SIMcon - used to recover files on a GSM/3G SIM or USIM card
Mobile Forensic Tools 48

• Cellebrite is often used by law enforcement
 Can determine the device's make and model, hook up the correct cable, turn the device on, and retrieve the data
• Limitation
 There are more than half a million apps for mobile devices and Cellebrite can analyze data from only a few hundred
Challenges 49

• Many mobile forensics tools are available (many not free)
• Methods and techniques for acquiring evidence will change as the market continues to expand and mature
• Type 2 hypervisors for mobile devices are under development and will add another level of complexity to forensics investigations
• The number of devices that connect to the Internet is higher than the number of people
 That number is expected to grow even larger as more devices are developed to attach to the Internet
• Wearable computers will pose many new challenges for investigators
Inside Mobile Device 50

• GSM refers to mobile phones as “mobile stations” and divides a station into two parts
1. Universal Integrated Circuit Card (UICC)
2. Mobile equipment (ME)
• UICCs are known as identity modules
 Subscriber Identity Module [SIM], Universal Subscriber Identity Module [USIM], CDMA Subscriber Identity Module [CSIM]
• The UICC's main purpose is authenticating the user to the network
 It also offers storage for personal information, e.g. contacts, text messages
Inside Mobile Device 51

• UICC stands for Universal Integrated Circuit Card.
• It is a new-generation SIM (Subscriber Identification Module) included in cell phones or notebooks used on some high-speed 3G wireless networks.
• The UICC identifies you to your wireless carrier so they know your plan and services.
• It can store your contacts and enables a secure and reliable voice and multimedia data connection, global roaming and the remote addition of new applications and services.
• The UICC is the best and only universal application delivery platform that works with any 3G or 4G device.
Inside Mobile Device 52

• A UICC can contain up to three applications: SIM, USIM and CSIM
 UICC usually refers to a physical card
• The UICC is a special type of smart card
 Processor and memory (EEPROM, ROM & RAM)
• The UICC's file system resides in persistent memory and stores data, e.g. phonebook entries, messages
 The UICC operating system controls access to elements of the file system
Mobile Forensic Tools OSForensics 54

Video
Mobile Forensic Tools 55

At National Cybercrimes & Forensics Lab

PROFYLER-A Mobile Forensic Toolkit


Crimes Committed Through Mobile Phones 56

• Bluejacking: sending messages from a Bluetooth device to another Bluetooth-enabled device. ...
• Bluebugging
• Vishing
• Smishing (SMS phishing)
• Malware
• Mobile phone as bomb trigger
• Banker
• Spyware
Reading Task for Quiz 4 57

Current and Future Trends in Mobile Device Forensics: A Survey
by Konstantia Barmpatsalou, Tiago Cruz, Edmundo Monteiro, and Paulo Simoes, University of Coimbra

Uploaded on GCR