
DFS 718 - WEEK 1 and 2

Class note for Mobile Forensic

Uploaded by

mrkeem4real
ICS-FMSIS-NDA

MOBILE FORENSIC TECHNIQUES

DFS 718

PRESENTER: MR SAIFULLAHI SADI SHITU

8/15/2024 DFS 718 (Mobile Forensic Techniques)



OBJECTIVES:
• Mobile Forensic – Overview
• Mobile Devices – Overview
• Mobile Device – Platform
• Mobile Devices Operating System
• Types of Mobile Device
• Mobile Device Characteristics
• Memory Considerations
• Identity Module Characteristics
• Cellular Network Characteristics

Mobile Forensic - Overview

• A lot of information can be discovered by analyzing a criminal’s
phone. That’s why mobile forensics and digital forensics as a whole
are becoming valuable assets for law enforcement and intelligence
agencies worldwide.

• By analyzing the malicious processes, investigators can determine the
motivations behind the attack, along with its consequences.


Mobile Forensic – Overview (Cont…)

What is mobile forensics?


• Mobile forensics is the process of recovering digital evidence from
mobile devices using accepted methods.
• Unlike traditional digital forensics processes, mobile forensics solely
focuses on retrieving information from mobile devices such as
smartphones, smart watches, smart pens and tablets.
• Mobile devices contain an abundance of information from text
messages and web search history to location data, so they can be
extremely useful for an investigation by law enforcement.


Mobile Forensic – Overview (Cont…)

What is an example of mobile forensics?


• Forensic investigators must track activities across multiple devices to
get the full picture of events.

• For example, a hacker may have used a vulnerable device to gain
access to the network and then spread across other, more sensitive
devices. Investigators must know how all these devices work and
interconnect to be able to accurately assess the course of events.


Mobile Forensic – Overview (Cont…)

Why is mobile forensics important?


• Mobile devices carry a significant amount of information that can be
necessary to understand the full picture and scope of a digital attack, which
makes mobile forensics extremely important.
• As of 2024, there are approximately 8.31 billion mobile devices worldwide.
This includes both smartphones and feature phones. The amount of data
stored across these devices is astounding.
• One significant difference between mobile and traditional computer
forensics is that systems are no longer isolated and absolute. Commonly
used devices like phones, cars, cameras, doorbells, and even refrigerators
are interconnected and can operate under one network.


Mobile Device - Overview

• Let us start by having some fun. Take a look at the following list.
You can easily relate to these essential chores that we invariably have
to face in today’s busy and hectic lifestyle:

• I want to pay my electricity bill.
• I need to communicate with my manager and submit my reports urgently.
• I want to buy new clothes for my kid, but I don't have the time to go to a
store.
• Oh...it's 10 PM; I am running late for my flight. Where is my cab?
• I am in this city for the first time; which hotel should I book?


Mobile Device - Overview

• Now answer for yourself. What do you need to perform these activities in
a fraction of a second? The answer would be:

• A smartphone,
• Internet connectivity, and
• A mobile app to do the job.

• This makes us realize the importance of a mobile device and a mobile
app in today’s era. Everything is being done in a smart way through
your smartphone. Each day, we get to know about a new app or tool
being launched to ease our life.


Mobile Device - Platforms

• It's always advisable to understand the basics of mobile platforms
before jumping into mobile forensics. This mainly includes the operating
system of the mobile, type of the device, and type of the mobile app.

• Having sufficient knowledge about each of these will help us conduct
robust forensic planning in the long run.


Mobile Operating Systems

The following table gives an overview of some of the popular mobile
operating systems available in market:

| Operating System | Developed by | Popularity (Low, Medium, High) | Latest available version |
|---|---|---|---|
| Android | Google Inc | High | Android 14 |
| iOS | Apple Inc | High | iOS 16 |
| Blackberry | Blackberry Ltd | Low | Blackberry 10.2.1 |
| Windows Mobile | Microsoft Inc | Medium | Windows 10 |
| Symbian | Symbian Foundation | Low | Discontinued |


Types of Mobile Device

Mobile devices are typically handheld computers. They have many variants
based on their characteristics such as physical dimension, hardware and
software capability, what they are meant for, etc.

Take a look at the following table. It differentiates tablets, e-book
readers, and smartphones based on their characteristics.

| Device | Tablets | E-book Readers | Smartphones |
|---|---|---|---|
| What it is | Tablets are portable computer devices. Unlike traditional computers, they don’t have keyboards or mouse, however the entire screen is touch sensitive. | E-book readers, also called e-readers, are similar to tablet computers, except they are mainly designed for reading e-books (digital, downloadable books). | A smartphone is a powerful mobile phone that is designed to run a variety of applications in addition to providing phone service. |
| Used for | Almost all the jobs which we can do with traditional computers or desktops. | Reading e-books | Web browsing, watching videos, reading e-books, and playing games |
| Example | Samsung Tablets | Amazon Kindle, Barnes & Noble Nook. | Sony smartphones, Samsung smartphones, Apple iPhone. |


Types of the Mobile Apps

• A critical factor that you have to consider while doing mobile forensics
is checking the mobile application type.

• You will mainly come across three types of mobile applications:
• Mobile Web,
• Native App, and
• Hybrid App.
• The classification is based on the development efforts and App
redistribution strategy. Let's understand each of them in detail.


Mobile Web

• Web apps are not real applications; they are actually websites that
open in your smartphone with the help of a web browser. Mobile
websites have the broadest audience of all the primary types of
applications.
• Benefits:
• Easy access.
• Easy Development − Developing responsive design and restructuring the
content to be properly displayed on a smaller screen/hardware will make any
desktop website mobile friendly.
• Easy update − Just update in one location and all the users automatically have
access to the latest version of the site.
• No installation required, as compared to native or hybrid app.


Mobile Web (Cont…)

• Downside:

• Mobile websites cannot use some of the features. For example, access to the
file system and local resources isn’t available in websites.
• Many existing websites don’t support offline capabilities.
• Users won’t have the app’s icon on their home screen as a constant reminder.
The website needs to be opened in a web browser only.
• While native and hybrid apps appear on the App Store and Google Play, web
apps won’t. So redistribution is not that sensible.


Native App

• A native app is developed specifically for one platform. It can be installed through
an application store (such as Google Play Store or Apple’s App Store).
• Example: WhatsApp, Facebook, Instagram, Financial bank apps etc.
• Benefits:
• Native Apps live on the device and are accessed through icons on the device home screen.
• They can take full advantage of all the device features − they can use the camera, the GPS, the
accelerometer, the compass, the list of contacts, and so on. Native apps can use the device’s
notification system and can work offline.
• Publishers can make use of push-notifications, alerting users every time a new piece of content
is published or when their attention is required.
• Native Apps maintain UI design of each operating system, thus they offer the best user
experience. For example, a Native App can have a left-aligned header in Android and a centre-
aligned header in iOS.
• Redistribution is easy, as it is found in app store.


Native App (Cont…)

• Downside:

• High cost for building the app : Native apps developed for one platform will
not run on another platform. An App built for Android will not run on iOS. We
need to build a different App altogether for iOS. Because of this reason, we
need to maintain multiple versions of the App.
• Even though you might publish native Apps, you’ll want to keep the mobile
website well maintained, as mobile brings more traffic. So maintenance is
higher.


Hybrid App

• Hybrid Apps are a way to expose content from existing websites in
App format. They can be well described as a mixture of Web App and
Native App.
• Example: Instagram, Wikipedia.
• Benefits:
• Developing a Hybrid App is cheaper than developing a Native App. It can be
built for cross-platforms, i.e., reduced cost for App development.
• Maintenance is simple, as there are not many versions to be maintained.
• It can take advantage of a few features available in the device.
• It can be found in the App Store, which makes the distribution easy.
• It has a browser embedded within the app only.


Hybrid App (Cont…)

• Downside:
• Graphics are less well matched to the operating system than in Native
Apps.
• Hybrid Apps are slower than Native Apps.


Mobile Device Characteristics

• Mobile devices perform an array of functions ranging from a simple
telephony device to those of a personal computer.
• Designed for mobility, they are compact in size, battery-powered, and
lightweight.
• Most mobile devices have the following:
• microprocessor,
• read only memory (ROM),
• random access memory (RAM),
• radio module,
• digital signal processor,
• microphone and speaker,
• variety of hardware keys and interfaces, and
• liquid crystal display (LCD).


Mobile Device Characteristics (Cont…)

• The operating system (OS) of a mobile device may be stored in either
NAND or NOR memory while code execution typically occurs in RAM.

• Currently, mobile devices are equipped with system-level microprocessors
that reduce the number of supporting chips required and include
considerable internal memory capacity currently up to 1TB.

• Built-in Secure Digital (SD) memory card slots, such as one for the micro
Secure Digital eXtended Capacity (microSDXC), may support removable
memory with capacities ranging from 64GB to 2TB of storage.


Mobile Device Characteristics (Cont…)

• Non-cellular wireless communications such as infrared (i.e., IrDA),
Bluetooth, Near Field Communication (NFC), and WiFi may also be
built into the device and support synchronization protocols to
exchange other data (e.g., graphics, audio, and video file formats).

• Different mobile devices have different technical and physical
characteristics (e.g., size, weight, processor speed, memory capacity).
Mobile devices may also use different types of expansion capabilities
to provide additional functionality.


Mobile Device Characteristics (Cont…)

• Overall, mobile devices can be classified as follows:

• Feature phones: These are basic phones with limited capabilities,
primarily used for making calls and sending text messages.

• Smartphones: These are the most common type of mobile device,
combining phone functionality with advanced computing capabilities.
They feature touchscreen interfaces, high-speed internet connectivity,
and a vast array of apps.


Mobile Device Characteristics (Cont…)


| | Feature Phone | Smartphone |
|---|---|---|
| Processor | Limited speed (~52 MHz) | Superior speed (~1 GHz dual-core) |
| Memory | Limited capacity (~5 MB) | Superior capacity (~128 GB) |
| Display | Small size color, 4k-260k (12-bit to 18-bit) | Large size color, 16.7 million (~24-bit) |
| Card slots | None, MicroSD | MicroSDXC |
| Camera | Still, Video | Still, Panoramic, and Video (HD) |
| Text input | Numeric Keypad, QWERTY-style keyboard | Touch screen, handwriting recognition, QWERTY-style keyboard |

Mobile Device Characteristics (Cont…)

| | Feature Phone | Smartphone |
|---|---|---|
| Voice input | None | Voice Recognition (Dialling and Control) |
| Cell Interface | Voice and Limited Data | Voice and High Speed Data (4G LTE) |
| Positioning | None, GPS receiver | GPS receiver |
| Wireless | IrDA, Bluetooth | Bluetooth, WiFi, and NFC |
| Battery | Fixed/Removable, Rechargeable Li-ion polymer | Fixed/Removable, Rechargeable Li-ion polymer |


Memory Considerations

• Mobile devices contain both non-volatile and volatile memory.

• Volatile memory (i.e., RAM) is used for dynamic storage and its
contents are lost when power is drained from the mobile device.

• Non-volatile memory is persistent as its contents are not affected by
loss of power or overwriting data upon reboot. For example, a solid-state
drive (SSD) stores persistent data on solid-state flash memory.


Memory Considerations (Cont…)

• Mobile devices typically contain one or two different types of
non-volatile flash memory.

• These types are NAND and NOR.

• NOR flash has faster read times, slower write times than NAND and is
nearly immune to corruption and bad blocks while allowing random
access to any memory location. NAND flash offers higher memory
storage capacities, is less stable and only allows sequential access.


Memory Considerations (Cont…)

• Memory configurations among mobile devices have evolved over time.
Feature phones were among the first types of devices that contained NOR
flash and RAM memory. System and user data are stored in NOR and
copied to RAM upon booting for faster code execution and access. This is
known as the first generation of mobile device memory configurations.
• As smartphones were introduced, memory configurations evolved, adding
NAND flash memory. This arrangement of NOR, NAND and RAM
memory is referred to as the second generation. This generation of memory
configurations stores system files in NOR flash, user files in NAND and
RAM is used for code execution.
• The latest smartphones contain only NAND and RAM memory (i.e., third
generation), due to requirements for higher transaction speed, greater
storage density and lower cost.


Memory Considerations (Cont…)

• RAM is the most difficult to capture accurately due to its volatile nature.
Since RAM is typically used for program execution, information may be of
value to the examiner (e.g., configuration files, passwords, etc.). Mobile
device RAM capture tools are just beginning to become available.

• NOR flash memory includes system data such as: operating system code,
the kernel, device drivers, system libraries, memory for executing operating
system applications and the storage of user application execution
instructions.
• NOR flash will be the best location for data collection for first generation
memory configuration devices.


Memory Considerations (Cont…)

• NAND flash memory contains: PIM data, graphics, audio, video, and other
user files. This type of memory generally provides the examiner with the
most useful information in most cases.
• NAND flash memory may leave multiple copies of transaction-based files
(e.g., databases and logs) due to wear leveling algorithms and garbage
collection routines. Since NAND flash memory cells can be re-used for only
a limited amount of time before they become unreliable, wear leveling
algorithms are used to increase the life span of Flash memory storage, by
arranging data so that erasures and re-writes are distributed evenly across
the SSD.
• Garbage collection occurs because NAND flash memory cannot overwrite
existing data; the data must first be erased before writing to the same cell.
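
The stale copies that wear leveling and garbage collection leave behind can be located in a raw NAND image by searching for file headers at flash-page boundaries. The following is an added example, not part of the original class notes: it uses SQLite as an assumed instance of a "transaction-based file", and it assumes a 2048-byte flash page, a dump with the spare (OOB) area already removed, and a constructed sample image.

```python
import struct

SQLITE_MAGIC = b"SQLite format 3\x00"   # first 16 bytes of every SQLite file
HEADER_LEN = 100                         # fixed SQLite header size


def find_sqlite_headers(image: bytes, flash_page: int = 2048):
    """Locate SQLite database headers that start on a flash-page boundary.

    flash_page is an assumption about the chip geometry; the dump is assumed
    to hold page data only (spare/OOB bytes already stripped).
    """
    hits = []
    pos = image.find(SQLITE_MAGIC)
    while pos != -1:
        if pos % flash_page == 0 and pos + HEADER_LEN <= len(image):
            (page_size,) = struct.unpack_from(">H", image, pos + 16)
            change_counter, db_pages = struct.unpack_from(">II", image, pos + 24)
            hits.append({
                "offset": pos,
                "page_size": 65536 if page_size == 1 else page_size,
                "change_counter": change_counter,  # bumped when the file is modified
                "db_pages": db_pages,
            })
        pos = image.find(SQLITE_MAGIC, pos + 1)
    return hits


def rank_versions(hits):
    """Order header copies newest-first by file change counter.

    In WAL journal mode the counter may not advance on every transaction,
    so treat the ordering as a lead to verify, not as proof.
    """
    return sorted(hits, key=lambda h: h["change_counter"], reverse=True)


def build_constructed_dump(flash_page: int = 2048) -> bytes:
    """Constructed sample: 8 erased pages (0xFF) holding three header copies."""
    image = bytearray(b"\xff" * (8 * flash_page))
    for page_no, counter, pages in [(1, 7, 3), (4, 9, 4), (6, 8, 3)]:
        hdr = bytearray(HEADER_LEN)
        hdr[0:16] = SQLITE_MAGIC
        struct.pack_into(">H", hdr, 16, 4096)
        struct.pack_into(">II", hdr, 24, counter, pages)
        start = page_no * flash_page
        image[start:start + HEADER_LEN] = hdr
    # The magic string inside other data (not page-aligned) must be ignored.
    stray = 5 * flash_page + 10
    image[stray:stray + 16] = SQLITE_MAGIC
    return bytes(image)


if __name__ == "__main__":
    for hit in rank_versions(find_sqlite_headers(build_constructed_dump())):
        print(hit)
```

Copies with a lower change counter than the newest one are candidates for earlier states of the same database, which is where deleted records may still be present.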


Identity Module Characteristics

• Identity modules (commonly known as SIM cards) are synonymous
with mobile devices that interoperate with GSM cellular networks.
Under the GSM framework, a mobile device is referred to as a Mobile
Station and is partitioned into two distinct components:

• the Universal Integrated Circuit Card (UICC) and
• the Mobile Equipment (ME).


Identity Module Characteristics

• A UICC, commonly referred to as an identity module (e.g., Subscriber
Identity Module [SIM], Universal Subscriber Identity Module
[USIM], CDMA Subscriber Identity Module [CSIM]), is a removable
component that contains essential information about the subscriber.

• The ME and the radio handset portion cannot fully function without a
UICC. The UICC’s main purpose entails authenticating the user of the
mobile device to the network providing access to subscribed services.
The UICC also offers storage for personal information, such as
phonebook entries, text messages, last numbers dialed (LND) and
service-related information.
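
Phonebook and last-numbers-dialed entries are held on the UICC as fixed-length records, and an examiner working from a raw card read has to decode them. The following is an added example, not part of the original class notes: it assumes the EF_ADN / EF_LND record layout from the 3GPP SIM specifications (alpha identifier followed by a 14-byte trailer with swapped-nibble BCD digits), and the sample records and the symbols chosen for BCD values 0xC to 0xE are constructed for illustration.

```python
BCD_CHARS = "0123456789*#p?e"   # nibble values 0x0-0xE; 0xF is the end mark/filler
FOOTER_LEN = 14                 # length, TON/NPI, 10 BCD bytes, CCP id, Ext id


def decode_bcd(data: bytes) -> str:
    """Swapped-nibble BCD: the low nibble of each byte is the earlier digit."""
    out = []
    for byte in data:
        for nibble in (byte & 0x0F, byte >> 4):
            if nibble == 0x0F:
                return "".join(out)
            out.append(BCD_CHARS[nibble])
    return "".join(out)


def decode_alpha(alpha: bytes) -> str:
    """Alpha identifier: one character per byte, unused bytes set to 0xFF."""
    alpha = alpha.rstrip(b"\xff")
    if alpha[:1] in (b"\x80", b"\x81", b"\x82"):
        return "<UCS2 " + alpha.hex() + ">"   # UCS2 codings are left undecoded here
    # Simplification: GSM 7-bit and ASCII agree for letters, digits and space.
    return alpha.decode("ascii", errors="replace")


def decode_record(record: bytes):
    """Decode one EF_ADN / EF_LND record; return None for an unused slot."""
    if len(record) < FOOTER_LEN:
        raise ValueError("record shorter than the fixed 14-byte trailer")
    if record.count(0xFF) == len(record):
        return None
    split = len(record) - FOOTER_LEN
    trailer = record[split:]
    length, ton_npi = trailer[0], trailer[1]
    digits = ""
    if 1 <= length <= 11:                      # length counts TON/NPI + BCD bytes
        digits = decode_bcd(trailer[2:2 + length - 1])
    international = (ton_npi >> 4) & 0x07 == 0x01
    return {
        "name": decode_alpha(record[:split]),
        "number": ("+" if international and digits else "") + digits,
        "ton_npi": ton_npi,
    }


def decode_file(data: bytes, record_len: int):
    """Split a linear fixed-length EF into records, keeping slot numbers."""
    rows = []
    for slot, start in enumerate(range(0, len(data) - record_len + 1, record_len), 1):
        rec = decode_record(data[start:start + record_len])
        if rec is not None:
            rows.append({"slot": slot, **rec})
    return rows


# Constructed sample: three 24-byte records (10-byte alpha field + trailer).
SAMPLE_EF = (
    b"ALICE".ljust(10, b"\xff")
    + bytes.fromhex("07 91 21 20 55 05 41 F3 FF FF FF FF FF FF")
    + b"\xff" * 24                                  # unused slot
    + b"\xff" * 10
    + bytes.fromhex("04 81 1A 00 FB FF FF FF FF FF FF FF FF FF")
)

if __name__ == "__main__":
    for row in decode_file(SAMPLE_EF, 24):
        print(row)
```

Slot numbers are kept because the position of a record in the file is itself evidence, for example the order of entries in the last-numbers-dialed list.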


Cellular Network Characteristics

• The two most dominant types of digital cellular networks are known
as Code Division Multiple Access (CDMA) and Global System for
Mobile Communications (GSM) networks.

• Other common cellular networks include Time Division Multiple
Access (TDMA) and Integrated Digital Enhanced Network (iDEN).
• iDEN networks use a proprietary protocol designed by Motorola,
while the others follow standardized open protocols. A digital version
of the original analog standard for cellular telephone service,
called Digital Advanced Mobile Phone Service (D-AMPS), also exists.

Cellular Network Characteristics (Cont…)

• CDMA refers to a technology designed by Qualcomm in the U.S.,
which employs spread spectrum communications for the radio link.
Rather than sharing a channel as many other network air interfaces do,
CDMA spreads the digitized data over the entire bandwidth available,
distinguishing multiple calls through a unique sequence code assigned.
• Different versions of CDMA are: IS-95 (cdmaOne), CDMA2000, and
4G LTE.
• GSM is a cellular system used worldwide that was designed in Europe,
primarily by Ericsson and Nokia. GSM network carriers use a
TDMA air interface.

Cellular Network Characteristics (Cont…)

• TDMA refers to a digital link technology whereby multiple phones
share a single carrier, radio frequency channel by taking turns – using
the channel exclusively for an allocated time slice, then releasing it
and waiting briefly while other phones use it.
• A packet switching enhancement to GSM called General Packet Radio
Service (GPRS) was standardized to improve the transmission of data.
The next generation of GSM, commonly referred to as the third
generation or 3G, is known as Universal Mobile Telecommunications
System (UMTS) and involves enhancing GSM networks with a
Wideband CDMA (WCDMA) air interface. 4G LTE is also available
to GSM mobile devices providing higher data transmission rates to its
customers.

Cellular Network Characteristics (Cont…)

• TDMA is also used to refer specifically to the standard covered by IS-136.
Using the term TDMA to refer to a general technique or a specific type of
cellular network can be a source of confusion. For example, although GSM
uses a TDMA air interface (i.e., the general technique), as does iDEN,
neither of those systems is compatible with TDMA cellular networks that
follow IS-136.

• Many mobile forensic tools refer to these devices as iDEN/TDMA phones.
Mobile devices operating over the iDEN network often utilize a Push-To-Talk
(PTT) function that provides subscribers with the ability to communicate
with one another over a cellular network in a “walkie-talkie” fashion.

Cellular Network Characteristics (Cont…)

• The main components of cellular networks technology are:
• The radio transceiver equipment that communicates with mobile devices,
• The controller that manages the transceiver equipment and performs channel
assignment, and
• The switching system for the cellular network.
• The technical names for these components are respectively Node B,
representing a Base Transceiver Station (BTS), the Radio Network
Controller (RNC), and the Mobile Switching Center (MSC). The
RNCs and the Node B units controlled are sometimes collectively
referred to as a Radio Access Network (RAN).


Cellular Network Characteristics (Cont…)

• Each MSC controls a set of RNCs and manages overall
communications throughout the cellular network, including
registration, authentication, location updating, handovers, and call
routing.
• An MSC interfaces with the public switched telephone network (PSTN)
via a Gateway MSC (GMSC).
• To perform its tasks, an MSC uses several databases. A key database is
the central repository system for subscriber data and service
information, called the Home Location Register (HLR).


Cellular Network Characteristics (Cont…)

• Another database used in conjunction with the HLR is the Visitor
Location Register (VLR), which is used for mobile devices roaming
outside of their service area.

• An SGSN (Serving GPRS Support Node) performs a similar role as
that of MSC/VLR, but instead supports General Packet Radio Service
(GPRS) (i.e., packet-switched services) to the Internet.
• Likewise, GGSN (Gateway GPRS Support Node) functionality is
close to that of a GMSC, but for packet-switched services.


Cellular Network Characteristics (Cont…)

• Account information, such as data about the subscriber (e.g., a billing
address), the subscribed services, and the location update last
registered with the network are maintained at the HLR and used by the
MSC to route calls and messages and to generate usage records called
Call Detail Records (CDR).

• The subscriber account data, CDRs, and related technical information
obtained from the network carrier are often a valuable source of
evidence in an investigation.
