Final Digital Forensic Small Devices Report

Uploaded by Mithilesh Patel

Name: Mithilesh Patel “Digital Forensics Small Devices” Student ID: 0641800

Digital Forensic Small Devices Report

Submitted to: Dr Brian Cusack
Submitted By: Mithilesh Patel
Student ID: 0641800
Paper Name: Cyber Crime & IT Governance
Paper Number: 409313
Due Date: 08 April 2010

Table of Contents

1. Introduction..............................................................................................................................3

2. Digital Forensics and its core elements....................................................................................4

4. Small Scale Digital Devices Forensics (SSDDF)..........................................................................7

5. Digital Forensic Procedure in Mobile Phone..........................................................................14

6. Case Studies............................................................................................................................17

7. Conclusion..............................................................................................................................18

8. References..............................................................................................................................19


1. Introduction
Digital forensics of small devices is a rather new and rapidly changing field of study. The field itself and the steps involved in examining such devices are still vaguely defined, and because the technology keeps changing they are likely to stay that way.

Firstly, this report will explain the term digital forensics. Following that, it will explain each phase of digital forensics: Collection of Data/Acquisition, Examination/Extraction, Analysis and Reporting.

The second section of this report will briefly describe the framework of “Digital Forensics Small Devices” and the different types of small devices available on the market. Covering all devices in this report is out of scope. This report will focus on CDMA cell phones by giving a background of CDMA, the architecture of cell phones, the two types of acquisition process, and the different types of software used for digital forensics of cell phones and SIM cards.

The third section of this report will cover the best-practice steps for a forensic investigator to follow, presented as a flow diagram. The steps in the digital forensic procedure for a cell phone are based on the ACPO principles.

Finally, the report will conclude by summarising the information accumulated while preparing this report and giving my personal opinion about digital forensics of small scale devices.


2. Digital Forensics and its core elements

Digital forensics means “The application of computer science and investigative procedures for a legal purpose involving the analysis of digital evidence after proper search authority, chain of custody, validation with mathematics, use of validated tools, repeatability, reporting, and possible expert presentation” (Zatyko, K., 2007).

The main aim of carrying out forensic activities is to gain a better understanding of an incident by searching and investigating the data related to it. Such procedures are usually carried out for legal purposes, for internal disciplinary action against an employee, and for handling malware incidents and unusual operational problems (Kent, K., Chevalier, S., Grance, T., & Dang, H., 2006).

This section briefly covers the core phases of digital forensics, going through each phase of the diagram below (refer to Figure 1).

According to the NIST report, the basic steps of a digital forensic investigation in any case are as follows:

Figure 1 (Forensic Processes) (Kent, K., Chevalier, S., Grance, T., & Dang, H., 2006)


1. Collection of Data/Acquisition:

“Digital evidence, by its very nature, is fragile and can be altered, damaged, or destroyed by improper handling or examination.” (Hart, S., n.d.)

In this phase all the evidence related to the case must first be identified, then labelled so that it can be recognised, and recorded so that its integrity is maintained for future reference. Evidence from gadgets such as mobile phones, PDAs and the batteries of such devices must be collected in a way that does not lose active data, e.g. network information and the information stored inside the devices. Depending on the case, this phase also includes the other steps of a general seizure, such as obtaining a warrant, planning the seizure, securing the crime scene and transporting the evidence to the forensic lab for extraction. People involved in the acquisition phase must therefore make sure they abide by the rules.

2. Examination/Extraction:
“The purpose of the examination process is to extract and analyze digital evidence. Extraction refers to the recovery of data from its media.” (Hart, S., n.d.)

In this phase all the evidence gathered at the crime scene must be examined using a combination of manual processes and sophisticated tools or software, so that its integrity is maintained while the information is extracted from the devices.

3. Analyzing:
“Analysis refers to the interpretation of the recovered data and putting it in a logical and useful format.” (Hart, S., n.d.)

Analysing the examination results is one of the important phases. Proper procedures should be followed, with proper documentation methods and techniques, to ensure that the useful data obtained addresses the questions that motivated the collection and examination.

4. Reporting:
“Actions and observations should be documented throughout the forensic processing of evidence.” (Hart, S., n.d.)

The final phase involves reporting the results of the analysis, which may include describing the actions performed, determining what other actions need to be performed, and recommending improvements to policies, guidelines, procedures, tools and other aspects of the forensic process.

In the final phase all the gathered data must be reported, and the report may include:

- Explanation of the actions taken
- Reasoning for selecting tools and procedures
- Addressing what other actions need to be performed
- Suggesting improvements to the forensic processes and also to procedures, policies, guidelines and tools

As shown at the bottom of Figure 1, media is converted into evidence. In the first phase data is extracted from the media so that it can be examined. The data discovered in that phase is converted into information, and this information is converted into evidence. This evidence can be used for legal matters or for issues within a company.


4. Small Scale Digital Devices Forensics (SSDDF)

Digital device forensics has two major categories: Large Scale Digital Devices and Small Scale Digital Devices. SSDDF is an area newly introduced to the forensic world. It covers newly emerging technologies that are smaller in size and multi-purpose, and devices of this nature are far harder to recognise and investigate.

People working in this area have different views on which devices come under this category. To resolve this, a Small Scale Digital Device framework was formed that shows the ability of each device to store information magnetically, optically or in flash memory, and to connect to a PC.

Figure 2 (Small Scale Digital Device Framework) (Christopher, D., & Mislan, R., 2007)

We are at times unaware of how small scale digital devices like USB drives, memory cards, mobile phones, PDAs, etc. can pose a threat to the actions we perform from day to day. It is critical that these “small” devices are examined by forensic investigators, as crimes or criminal activities are very often performed via these devices.


The following table shows the different types of Small Scale Digital Devices that are normally found at a crime scene.

Figure 3 (Small Scale Digital Device) (Christopher, D., & Mislan, R., 2007)

All the devices listed above pose a threat. It is not possible to cover all the devices listed in Figure 3.

The devices used most often in crimes are USB thumb drives, all sorts of memory cards, cell phones, PDAs, smart phones, and GPS devices and receivers. Small scale devices are not limited to those listed above; there are more small digital devices on the market, e.g. pen cameras, button cameras, etc., and the number of such devices is increasing day by day. Flash devices (EEPROM) have more forensic potential than any other sort of device because they retain stored information even when powered off.


Figure 4 (Mobile Device Classification) (Ayers, R., n.d.)

Figure 4 shows how a GSM device is further divided into handset and SIM. This section focuses on GSM cell phones and will briefly discuss the other small devices related to them: the SIM, the memory card and the internal memory. It will also explain the two types of acquisition method and the different forensic tools used for cell phones and SIMs, and show where to look for evidence.

Ronald van der Knijff of the Netherlands Forensic Institute has defined a mobile phone as “Mobile = Portable PC = PDA + Phone + Internet + Navigation + Camera”. As we can see, this generation of cell phones can store more data, play music, take photos with a built-in camera, act as a computer and also has a GPS system in it, e.g. BlackBerry Curve 8900, iPhone, Nokia N96, etc.

We can see from the graph below (Figure 5) that the number of subscribers on GSM networks is far greater than on CDMA. GSM handsets are used in crime because offenders can steal a handset and then buy a SIM card, or they can have several SIM cards bought with cash. This makes them untraceable in terms of identification by handset, SIM card and phone number. Drug dealers use this practice and in fact carry many handsets and SIM cards.


Figure 5 (Number of CDMA and GSM subscribers) (Ayers, R., n.d.)

Cell Phone:
It is necessary to understand the basic architecture of a mobile phone in order to understand digital forensics of mobile phones:

Figure 6 (Mobile Phone Architecture) (Willassen, S. Y., 2005)

The CPU manages the communication circuits and handles the interaction with the user. It uses RAM for storing temporary information, which is erased once the cell phone is turned off; the RAM can be combined with the CPU or be a separate circuit. New generation mobiles have secondary non-volatile storage for information such as contacts, messages, photos, songs, videos, etc., which is preserved even if the battery dies. Secondary storage is implemented in different ways, but the most common implementation is a flash memory circuit on the system board.


There is no standard for file system structures. So one could acquire a Nokia 1100 and a Nokia 3100, but the data is in different locations and stored in different orders. There are not many tools which can look at the raw data and carve out text messages etc. Most of the time data is logically extracted (complete messages, texts and phone lists), but this has the drawback of not recovering any deleted data.

There are two types of acquisition method: physical acquisition and logical acquisition. Different phones use different types of acquisition method.
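As an added illustration (not code from the report or from any tool it names), the following Python script contrasts the two acquisition methods on a constructed flash image whose record layout is hypothetical: the logical view lists only the records the handset still reports as active, while signature carving over the raw physical image also recovers a record flagged as deleted, and a hash check confirms the working copy still matches what was acquired.

```python
"""Physical vs logical acquisition on a constructed message-store dump.
Record layout is hypothetical, not any real handset's: 2-byte magic, 1 status
byte (0x01 active, 0x00 flagged deleted), big-endian 2-byte length, 'sender|text'.
Erased flash reads back as 0xFF, so the gaps between records are 0xFF filler."""
import hashlib
import struct
from dataclasses import dataclass

MAGIC = b"\xab\xcd"
ACTIVE, DELETED = 0x01, 0x00

@dataclass(frozen=True)
class Message:
    offset: int
    status: str
    sender: str
    text: str

def build_dump() -> bytes:
    """Constructed sample image: three records, the middle one marked deleted."""
    def rec(status: int, sender: str, text: str) -> bytes:
        body = f"{sender}|{text}".encode("ascii")
        return MAGIC + bytes([status]) + struct.pack(">H", len(body)) + body
    return (b"\xff" * 16 + rec(ACTIVE, "+6421000001", "meet at 9")
            + b"\xff" * 7 + rec(DELETED, "+6421000002", "bring the package")
            + b"\xff" * 5 + rec(ACTIVE, "+6421000003", "ok see you") + b"\xff" * 10)

def parse_record(dump: bytes, off: int):
    """Parse the record at off; return (Message, end_offset) or None if malformed."""
    if dump[off:off + 2] != MAGIC or off + 5 > len(dump):
        return None
    status = dump[off + 2]
    length = struct.unpack(">H", dump[off + 3:off + 5])[0]
    body = dump[off + 5:off + 5 + length]
    if status not in (ACTIVE, DELETED) or len(body) != length or b"|" not in body:
        return None
    sender, text = body.decode("ascii", "replace").split("|", 1)
    return Message(off, "active" if status == ACTIVE else "deleted", sender, text), off + 5 + length

def carve_physical(dump: bytes) -> list:
    """Signature-carve every record in a raw (physical) image, deleted ones included."""
    found, off = [], dump.find(MAGIC)
    while off != -1:
        parsed = parse_record(dump, off)
        if parsed is None:  # false hit or damaged header: resynchronise one byte on
            off = dump.find(MAGIC, off + 1)
            continue
        msg, end = parsed
        found.append(msg)
        off = dump.find(MAGIC, end)
    return found

def logical_export(dump: bytes) -> list:
    """What a logical acquisition yields: only records the handset still lists as active."""
    return [m for m in carve_physical(dump) if m.status == "active"]

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(bytes(data)).hexdigest()

def verify_working_copy(copy: bytes, acquisition_hash: str) -> bool:
    """Confirm a working copy still matches the hash recorded at acquisition time."""
    return sha256_hex(copy) == acquisition_hash

if __name__ == "__main__":
    image = build_dump()
    acq_hash = sha256_hex(image)
    print("logical :", [(m.sender, m.text) for m in logical_export(image)])
    print("physical:", [(m.status, m.sender, m.text) for m in carve_physical(image)])
    print("working copy intact:", verify_working_copy(image, acq_hash))
```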

Figure 7 (Difference between Physical and Logical Acquisition)

Mobile devices are somewhat different from computers, as the phone generally has to be powered up to do data extraction. This leads to the possibility of writes to the device, but it is unavoidable. In a perfect world the data extraction would be done in RF-free rooms; however, there is some benefit from a law enforcement perspective in having new messages delivered.

Software like UFED (Cellebrite) with Physical Analyzer, XRY, BitPim and a variety of other software and hardware devices are used to dump the file systems and hex dumps of mobile devices. This process increases the possibility of recovering trace evidence.
Valuable evidence is recovered from the handset, SIM cards (in the case of GSM phones) and memory cards. With mobile devices becoming much more multi-purpose, people tend to save more information to the memory card. The card is analysed using conventional computer forensic methodologies, which ensure no changes are made to the card. Programs such as EnCase and FTK are used to analyse the data on the cards. Deleted SMS messages are sometimes recovered from SIM cards, and these are analysed separately from the phone. There are tools like JTAG which can retrieve all deleted information such as photos, messages, etc. from internal memory.

The data extraction process for CDMA and GSM phones is similar; however, the extraction tools do not normally extract data from CDMA phones as completely as from GSM phones. The investigator needs to manually go through the phones to ensure all relevant data has been extracted.

The best evidence is always the mobile device itself, and the data extraction is just a means to get the data in a friendlier format. Evidence recovered using these tools is confirmed by viewing it on the mobile device. Places where evidence can be found:

Figure 8 (Types of Evidence) (Ayers, R., n.d.) and (Willassen, S. Y., 2003)


In terms of forensic procedures, different software and connection methods are used to extract data from phones. No one tool does it all.

Examples of tools used for cell phone and SIM card forensics are as follows:

Figure 9 (Tools for Cell phone & SIM card forensic) (Ayers, R., Jansen, W., Cilleros, N., & Daniellou, R., 2005)


5. Digital Forensic Procedure in Mobile Phone

As far as procedures for cell phones are concerned, it can be a nightmare, and there is no one procedure that works with all phones. With this in mind we still need to apply best practices, use write-blocking software/hardware where possible, and of course create excellent documentation of the steps and work performed when examining cell phones.

There are four principles formed by ACPO (Association of Chief Police Officers) for the safe handling of digital evidence. These principles are designed mainly for law enforcement agencies and investigators working in conjunction with them. They cover all the core elements of digital forensics: Acquisition, Examination/Extraction, Analysis and Reporting. This section of the report will therefore follow the ACPO principles as the best practice guide for mobile phone seizure and examination.

Figure 10 (Four ACPO Principles) (ACPO Guidelines, n.d.)


Referring to the ACPO principles, the following diagram shows in detail the procedure followed for the preservation and forensic examination of a cell phone (Digitale Technologie & Biometrie|Vacaturesite, 2006).


6. Case Studies
All the following case studies are taken from the website of a UK based forensic company, CCL Forensics. The following are examples of a few cases related to different crimes involving mobile phones (Case Studies - CCL Forensics, n.d.).

- Drugs Importation

A person was arrested by police on suspicion of importing Class A drugs worth over £100K. During the investigation, police found the suspect's cell phone, which was given to CCL for recovery of deleted text messages and call logs. The man was later sentenced to 10 years' imprisonment.

- Video retrieval

A young boy was suspected of carrying out a serious assault on another child while his friend took pictures on his cell phone. By following the ACPO guide for cell phone seizure and examination, the analyst was able to retrieve pictures and a multimedia message sent to another child with a picture of the assault attached.

- Deception

A large group of people were suspected of being involved in bringing in stolen goods. A few suspects were arrested in a police sting operation. In the process, police seized a large number of cell phones and handed them in for examination for any evidence. Evidence such as call logs related to a specific number was discovered.

- Harassment

An accusation of harassment was made by a victim who was receiving phone calls and text messages from an ex-partner. The suspect was arrested and his cell phone was seized and submitted for examination. A request was made to find out whether the accused was actually calling and sending texts in a particular time frame. Evidence such as text messages and dialled numbers from the accused's phone was found.

7. Conclusion
This report has shown the four core processes of digital forensics, which must be carried out by any forensic investigator to retrieve evidence from small devices.

By comparing all the different types of small scale devices, I found that cell phones are the best example of small hand-held devices. As we all know, these days cell phones are equivalent to a portable PC, with features like GPS, a music player, high-capacity non-volatile storage, a camera and internet access. Because of such features, the number of crimes committed using cell phones is high. We all know that no one tool does all the work. Looking at Figure 8, which shows the different places where evidence can be found in a cell phone and SIM, anti-forensic activities are harder on such devices; in this respect the field leaves other digital forensic fields behind.

Crime related to cell phones is very high. Europe, and countries like Germany, Sweden, France and the USA, are leading in cell phone crime, and soon enough the activity and the crime will double.

The ACPO procedures were highlighted in this report because, in my view, they are the best forensic practice to follow for the acquisition of cell phones and PDAs. The ACPO principles have been actively used by UK Interpol for mobile forensics. They were specifically designed with law enforcement and private investigators in mind. The ACPO principles also follow the core principles of digital forensics which I have mentioned above.

The case studies have covered some criminal activities performed with the help of cell phones. In my opinion small scale devices pose a huge threat, as new devices with advanced applications are evolving day by day. Because of their small size, huge storage capacity and advanced application functionality, hand-held devices in particular allow users to perform criminal activities.


In my view, the focus should move to small scale digital devices, as in the long term storage devices are going to get smaller. The rate at which devices are getting smaller is higher than the rate at which forensic tools are being developed.

8. References

- Ayers, R. (n.d.). Mobile Device Forensics. Mobile Devices. Retrieved March 26, 2010, from www.cftt.nist.gov/AAFS-MobileDeviceForensics.pdf
- Ayers, R., Jansen, W., Cilleros, N., & Daniellou, R. (2005). Cell Phone Forensic Tools: An Overview and Analysis. National Institute of Standards and Technology, NISTIR 7250, 8, 9. Retrieved April 6, 2010, from http://csrc.nist.gov/publications/nistir/nistir-7250.pdf
- ACPO Guidelines. (n.d.). Forensic Computing Limited. Retrieved April 5, 2010, from www.forensic-computing.ltd.uk/acpo.htm
- Britz, M. T. (2008). Computer Forensics and Cyber Crime: An Introduction (2nd ed.). Alexandria, VA: Prentice Hall.
- Case Studies - CCL Forensics. (n.d.). Computer Forensics, Digital Forensics, Computer Analysis - CCL Forensics. Retrieved April 6, 2010, from http://www.ccl-forensics.com/235/Case_Studies.html#16
- Christopher, D., & Mislan, R. (2007). A Small Scale Digital Device Forensics Ontology. Retrieved March 27, 2010, from http://www.ssddfj.org/papers/SSDDFJ_V1_1_Harrill_Mislan.pdf
- van der Knijff, R. (n.d.). Device Forensics. Netherlands Forensic Institute. Retrieved March 14, 2009, from http://www.dfrws.org/2007/proceedings/vanderknijff_pres.pdf
- FlowChartForensicMobilePhoneExamination. (2006, May 4). NFI | Digitale Technologie & Biometrie|Vacaturesite. Retrieved April 7, 2010, from http://www.holmes.nl/MPF/FlowChartForensicMobilePhoneExamination.htm
- Jansen, W., & Ayers, R. (2007). Guidelines on Cell Phone Forensics: Recommendations of the National Institute of Standards and Technology, Special Publication 800-101. Retrieved March 24, 2010, from http://csrc.nist.gov/publications/nistpubs/800-101/SP800-101.pdf
- Kent, K., Mislan, S., Grance, T., & Dang, H. (2006). Guide to Integrating Forensic Techniques into Incident Response: Recommendations of the National Institute of Standards and Technology, Special Publication 800-86. Retrieved March 6, 2010, from http://csrc.nist.gov/publications/nistpubs/800-86/SP800-86.pdf
- Kent, K., Chevalier, S., Grance, T., & Dang, H. (2006). Guide to Integrating Forensic Techniques into Incident Response. National Institute of Standards and Technology, Special Publication 800-86. Retrieved March 26, 2010, from http://csrc.nist.gov/publications/nistpubs/800-86/SP800-86.pdf
- Hart, S. (n.d.). Forensic Examination of Digital Evidence: A Guide for Law Enforcement. NIJ. Retrieved March 16, 2010, from www.ncjrs.gov/pdffiles1/nij/199408.pdf
- van der Knijff, R. (n.d.). 10 Good Reasons Why You Should Shift Focus to Small Scale Digital Device Forensics. Purdue University Cyber Forensics Lab. Retrieved March 22, 2010, from http://dfrws.org/2007/proceedings/vanderknijff_pres.pdf
- Westman, M. (n.d.). Complete Mobile Phones Forensic Examination: Why we need both Logical & Physical Extractions. Mobile Forensics World 2009, Chicago, IL. Retrieved March 27, 2010, from http://mobileforensicsworld.org/2009/presentations/MFW2009_Westman_LogicalandPhysicalExtractions.pdf
- Willassen, S. Y. (2005). Advances in Digital Forensics: IFIP International Conference on Digital Forensics, National Center for Forensic Science, Orlando, Florida, February 13-16, ... Federation for Information Processing) (1st ed.). New York: Springer.
- Willassen, S. Y. (2003). Forensics and the GSM mobile telephone system, 2(1), 11-12. Print.
- Zatyko, K. (n.d.). Computer Forensics. IT/Law Sherlock Holmes: Computer Forensics. Retrieved March 24, 2010, from http://floridalawfirm.com/forensics.html
- Zatyko, K. (n.d.). Commentary: Defining Digital Forensics. Forensic Magazine. Retrieved April 7, 2010, from http://www.forensicmag.com/articles.asp?pid=130
