MOBILE FORENSICS

AND WI-FI SECURITY

ADITI SINHA
ASSISTANT PROFESSOR
POTENTIAL EVIDENCE STORED ON
MOBILE PHONES
• Address Book: This stores contact names, numbers, e-mail addresses, and so on
• Call History: This contains dialed, received, missed calls, and call durations
• SMS: This contains sent and received text messages
• MMS: This contains media files such as sent and received photos and videos
• E-mail: This contains sent, drafted, and received e-mail messages
• Web browser history: This contains the history of websites that were visited
• Photos: This contains pictures that are captured using the mobile phone camera, those downloaded
from the Internet, and the ones transferred from other devices
• Videos: This contains videos that are captured using the mobile camera, those downloaded from the
Internet, and the ones transferred from other devices
• Music: This contains music files downloaded from the Internet and those transferred from other
devices
• Documents: This contains documents created using the device's applications, those downloaded from
the Internet, and the ones transferred from other devices
• Calendar: This contains calendar entries and appointments
• Network communication: This contains GPS locations Maps: This contains looked-up directions, and
searched and downloaded maps
• Social networking data: This contains data stored by applications, such as Facebook, Twitter, LinkedIn,
Google+, and WhatsApp
• Deleted data: This contains information deleted from the phone
CLASSIFICATION OF DIGITAL EVIDENCE:

(i) VOLATILE: Digital evidence that remains in the digital media till it is powered. Volatile digital evidence
vanishes as soon as the power supply is removed from the storage device, e.g. Random Access Memory
(RAM) Data.

(ii) NON-VOLATILE: A type of digital evidence that remains in the digital storage media even after the power is
removed from the non-volatile digital storage media. Examples: Hard disk, CD/DVD, floppy, Pendrive,
multimedia card, mobile, tablets (PC), PDA, etc.

(i) TANGIBLE EVIDENCE- Tangible evidence refers to concrete, physical objects or materials that can be seen,
touched, measured, or otherwise perceived through the senses.

(ii) INTANGIBLE EVIDENCE- Intangible evidence, on the other hand, refers to evidence that cannot be physically
touched or observed through the senses. It is abstract and non-physical in nature.
 RULES OF EVIDENCE
Courtrooms rely more and more on the information inside a mobile phone as vital
evidence. Prevailing evidence in court requires a good understanding of the rules
of evidence. Mobile forensics is a relatively new discipline and laws dictating the
validity of evidence are not widely known. However, there are five general rules of
evidence that apply to digital forensics and need to be followed in order for
evidence to be useful. Ignoring these rules makes evidence inadmissible, and your
case could be thrown out. These five rules are—
• Admissible
• Authentic
• Complete
• Reliable and
• Believable.
 ADMISSIBLE

This is the most basic rule and a measure of evidence validity and
importance. The evidence must be preserved and gathered in such a
way that it can be used in court or elsewhere. Many errors can be made
that could cause a judge to rule a piece of evidence as inadmissible. For
example, evidence that is gathered using illegal methods is commonly
ruled inadmissible.
 AUTHENTIC

The evidence must be tied to the incident in a relevant way to prove

something. The forensic examiner must be accountable for the origin of

the evidence.
 COMPLETE

When evidence is presented, it must be clear and complete and should

reflect the whole story. It is not enough to collect evidence that just
shows one perspective of the incident. Presenting incomplete evidence
is more dangerous than not providing any evidence at all as it could
lead to a different judgment.
 RELIABLE

Evidence collected from the device must be reliable. This depends on

the tools and methodology used. The techniques used and evidence
collected must not cast doubt on the authenticity of the evidence. If the
examiner used some techniques that cannot be reproduced, the
evidence is not considered unless they were directed to do so. This
would include possible destructive methods for analysis.
 BELIEVABLE

A forensic examiner must be able to explain, with clarity and

conciseness, what processes they used and the way the integrity of the
evidence was preserved. The evidence presented by the examiner must
be clear, easy to understand, and believable to the jury.
 FORENSIC PROTOCOLS TO HANDLE
DIGITAL EVIDENCE

SECURING THE EVIDENCE

With advanced smartphone features and remote wipes, securing a mobile
phone in a way that it cannot be remotely wiped is of great importance. Also,
when the phone is powered on and has service, it constantly receives new data.
To secure the evidence, use the right equipment and techniques to isolate the
phone from all networks. With isolation, the phone is prevented from receiving
any new data that would cause active data to be deleted
 PRESERVING THE EVIDENCE
As evidence is collected, it must be preserved in a state that is acceptable in
court. Working directly on the original copies of evidence might alter it. So, as
soon as you recover a raw disk image or files, create a read-only master copy
and duplicate it. In order for evidence to be admissible, methods shall be used
to verify that the evidence presented is exactly the same as the original
collected. All further processing or examination should be performed on copies
of the evidence. Any use of the device might alter the information stored on
the handset. So, perform only the tasks that are absolutely necessary.
 DOCUMENTING THE EVIDENCE

Be sure to document all the methods and tools that are used to collect
and extract the evidence. Detail your notes so that another examiner
could reproduce them. Your work must be reproducible; if not, a judge
may rule it inadmissible.
CONSIDERATIONS WHEN SECURING MOBILE PHONE EVIDENCE
Mobile devices present a unique forensic challenge due to rapid changes in technology. There are numerous makes and models
of mobile devices in use today. Many of these devices use closed-source operating systems and proprietary interfaces, sometimes
making it difficult to extract digital evidence. Version-specific expertise may be necessary to attain access and may alter
workflows.

Examples encountered are as follows:

• Incoming and Outgoing Signals- Attempts should be made to block incoming and outgoing signals of a mobile device. A
common method includes Radio Frequency (RF blocking containers e.g. Faraday bag or room). REFsignal-blocking containers
may not always be successful. They may drain the battery and failure may result in data alteration.

• Cables- Data cables can be unique to a particular device and forensic tool.

• Destruction of Data - There are methods to destroy data locally and remotely on a mobile device. This is why the device must
be isolated from all networks (e.g., carrier, Wi-Fi, Bluetooth) as soon as possible. Examiners should be cognizant that à mobile
operating system may have automated processes that will destroy data on power-on, or after a specific duration of time and
choose an extraction method or schedule that addresses these concerns, where applicable.
• Drivers- Conflicts may occur due to existing operating system drivers, proprietary drivers, driver version
inconsistencies, and vendor-specific drivers. Ability to find proper drivers may be difficult. Drivers may be
included with a forensic tool or downloaded from a website. Drivers may compete for control for the same
resource if more than one forensic product is installed on the analysis machine.

• Dynamic Nature of the Data- Data on active (powered-on) mobile devices is constantly changing. There are no
write-blocking methods for mobile devices.

• Encryption- Data may be stored in an encrypted state preventing access or analysis.

• Equipment- Equipment used during examinations may not be the most recent version due to a variety of reasons,
such as purchasing/budgeting delays or verification requirements of hardware, firmware, or software.

• Field analysis-Triaging mobile devices is not considered a full examination. However, if triage is performed, the
device should be protected and isolated from all networks.

• Loss of Power- Many mobile devices may lose data or initiate additional security measures once powered off.
• Passwords- Authentication mechanisms can restrict access to a device and its data.
Traditional password-cracking methods can lead to permanent inaccessibility or destruction
of data.

• Removable Media Cards- Processing media cards risks while still inside the device poses
risks (e.g., not obtaining all data including the deleted data, altering date/time stamps)

• Identity module- Identity Module e.g., USIM, CSIM Cards- Lack of removal may prevent the
examiner from accessing data stored on the internal memory of a handset. Inserting an
identity module from another device may cause loss of data.

• Training- The individual collecting, examining, and analyzing a mobile device should be
trained to preserve and maintain data integrity.
FLOW CHART FOR APPLE IOS DEVICE EVIDENCE
ACQUISITION PROCEDURE
FLOW CHART FOR ANDROID DEVICE
EVIDENCE ACQUISITION PROCEDURE
GENERATIONS OF MOBILE PHONES
• 1st Generation- Prior to the nineties, cellular networks used to operate using analog networks, which
is often referred to as the first generation of cellular networks (1G). In that era (1970s-1980s), mobile
phones were bulky devices, which weighed over 1 kg and could only make voice calls.
• 2nd Generation- The 1990s saw the birth of the second generation (2G) of cellular networks, which
used digital technology as opposed to the first generation (1G), which used analog networks.
Furthermore, two new cellular network standards emerged, shaping the mobile industry. For years,
the industry has been striving to go global; specifically, the Global System for Mobile The European
Union's (EU) GSM communications standard, and the Code. The United States developed the CDMA
(Code Division Multiple Access) standard. This enabled service. providers to launch new services like
Short Message Service (SMS), MMS (Multimedia Messaging Service), caller ID, internet access, and
navigation maps, to name a few.
• 3rd Generation- It is the third generation of wireless communication, it provides data transfer rate at
a speed of 200kbit/s. After the 3G it also discharged a new one in 3G with more special info hence it
was named 3.5G and 3.7G which brings us mobile broadband in Mbit/s into smartphones and
modems for laptops. This generation gives assurance for various techniques such as voice
conversation in wireless, mobile web, calls by videos, and TV. The Universal Mobile
Telecommunications System (UMTS) is the new standard of the 3G cellular network, which is based
on the GSM standard.
• 4th Generation- 4G systems are enhanced version of 3G networks that offers higher
data rate and are capable of handling more advanced multimedia services. LTE and
LTE advanced wireless technology used in 4th generation systems. Simultaneous
transmission of voice and data is possible with an LTE system, which significantly
improves the data rate. All services, including voice services, can be transmitted
over IP packets.

• 5th Generation- 5G network is using advanced technologies to deliver ultra-fast

internet and multimedia experience for customers. Existing LTE advanced networks
will transform into supercharged 5G networks in the future.
GENERATIONS OF MOBILE PHONES-
MEMORY EVOLUTION
Mobile devices typically contain one or two different types of non-volatile flash memory- NOR and NAND
flash memories.
Memory configurations among mobile devices have evolved over time. Feature phones were among the
first types of devices that contained NOR flash and RAM memory. System and user data are stored in NOR
and copied to RAM upon booting for faster code execution and access. This is known as the first
generation of mobile device memory configurations.
As smartphones were introduced, memory configurations evolved, adding NAND flash memory. This
arrangement of NOR, NAND, and RAM memory is referred to as the second generation. This generation
of memory configurations stores system files in NOR flash, and user files in NAND, and RAM is used for
code execution.
The latest smartphones contain only NAND and RAM memory (i.e., third generation), due to requirements
for higher transaction speed, greater storage density, and lower cost. To facilitate the lack of space on
mobile device mainboards and the demand for higher density storage space (i.e., 2GB – 128GB) the new
Embedded MultiMedia Cards (eMMC) style chips are present in many of today’s smartphones.
Memory Configurations
NOR and NAND FLASH MEMORY

Memory cell

Source line
• Bit line is where you place the data to be stored during a write operation and from where you read the
stored data during a read operation. Source line connects all the sources to a common ground potential.

• The architectural distinction, which is obvious from the figure above, is that the Bit line and the Source
line are connected to each cell in NOR flash while a string of cells in NAND flash is connected to the Bit
line at one end and source line at the other end through select transistors.

• In the physical design, NOR requires more space for each cell as they all have contact with the Bitline,
making NAND the more compact option. The size consideration in NAND flash has made it popular in
storage applications.

• A direct result of this connection is that a cell in NOR flash can be read faster in comparison with the
NAND flash. NAND memory cell is smaller and cost less, has higher program/erase speed. However, it
has low read speed and does not allow random access.
 eMMC- EMBEDDED MULTIMEDIA CARD
• The term eMMC is short for “embedded Multi-Media Card” and refers to a package consisting of both flash memory
and a flash memory controller integrated on the same silicon die. The eMMC solution consists of at least three
components – the MMC (multimedia card) interface, the flash memory, and the flash memory controller. An
embedded MultiMediaCard (eMMC) is a small storage device made up of NAND flash memory and a simple
storage controller. The technology is intended for use in portable devices such as cell phones and, more recently, for
sensors connected to the Internet of Things (IoT).

• WORKING OF eMMC- The eMMC IC is attached through a connection directly to the main circuit board of whatever
device for which it stores data. By using an integrated controller in the eMMC, the device CPU no longer has to
handle placing data into storage since the controller in the eMMC takes over that function., This frees up the CPU --
a lower speed, lower power chip than ones used in PCs or servers -- for more important tasks.

• The current standard for eMMC storage is v5.1A, which can effectively deliver transfer speeds of up to about
400MB/s. However, it's not just the overall transfer rate that determines how a device's performance will be
affected. eMMC storage usually operates with fewer memory gates than an SSD, meaning it can still deliver at the
same speed, just not at the same volume.
 UNIVERSAL FLASH STORAGE
• UFS is specifically tailored for mobile applications and computing systems

requiring high performance and low power consumption. UFS is positioned as

a replacement for eMMCs and SD cards.

• Faster Data Transfer Speeds. UFS 4.0 can achieve the highest data transfer rate of around 46 Gbps.

• Improved Performance. UFS is designed to improve overall device performance by minimizing latency and

improving data transfer speeds. It also supports advanced features like command queuing and power

gating, which can further improve performance and reduce power consumption.

• Higher Storage Capacity. UFS can support higher storage capacities with 1TB than other storage

solutions, such as eMMC with 256GB. This means that UFS can provide more storage space for the OS,

application software, and data.

 GENERATIONS OF MOBILE PHONES-
PROCESSOR EVOLUTION
• In technical terms, “Processor” is logic circuitry that responds to and processes the basic instructions that drive a
computer or a smartphone. Both the processors in the smartphone and the desktop have a similar function, but they
generate heat. If the processor in the smartphone functions with the same speed as a desktop processor, the generated
heat would melt the smartphone altogether. Therefore, the developers and designers of the devices limit, the speed at
which a mobile processor can run. This means that if a processor is getting hot, it will limit its rate, which equates to
slower performance.

• In today’s age, smartphone and mobile processors are powerful because of their multi-cores. Initially, it was Single-core,
then came Dual-core, and we now have quad-core, Hexa-core, and even Octa-core. Most processors of this age are 64-
bit rather than 32-bit. The processing power of the present-day processors has reached up to 3.0 -3.5 GHz. Alongside,
the ability to include GPU (Graphics Processing Unit) inside mobile processors has enabled devices to churn out the best
graphics picture, 3D capability, Virtual Reality capability, and 4k recording. The improved processor technology also
made today’s modern mobile devices more power efficient.
 HISTORY OF MOBILE PROCESSORS
• The journey of processors started with its first smartphone IBM Simon aka IBM Simon personal communicator,
which is a handheld PDA. It is the first touchscreen device that was developed to send and receive faxes,
emails, and pager texts alongside making and receiving phone calls. This device is equipped with the first
smartphone processor “NEC V30HL” developed by NEC Corporation. It is a 16MHZ, 16bit CPU for mobile
computing.

• In continuation, Nokia, Ericsson, Intel, and Microsoft have started their journeys into the smartphone market.
Nokia came up with its own PDA codenamed “Nokia 9000 communicator” and it was the first product in the
Nokia communicator series. The Nokia 9000 is fitted with Intel’s 24MHZ i386 CPU, which is a 32-bit processor.

• In the year 1999, Qualcomm entered the market with the launch of their own PDA, pdQ Smartphone. The pdQ
smartphone, probably the first smartphone from Qualcomm is the first CDMA smartphone that runs on Palm
OS. It was surprising to know that Qualcomm actually entered the smartphone market through its first CDMA
device and not through the processors

• Later other companies started evolving which completely has taken the smartphone processors making the
industry. The top leaders in smartphone processors makers are “Qualcomm”, “Intel”, “Nvidia”, “Mediatek”,
“HiSilicon” and “Samsung”. processor
COMPARISON BASE OF PROCESSORS

NUMBER OF
ARCHITECTURE TECHNOLOGY FREQUENCY
CORES
 ARCHITECTURE OF PROCESSORS
• Arm does not manufacture its own chips. It has no fabrication facilities of its own. Instead, it
licenses these rights to other companies. They utilize Arm's architectural model as a kind of
template, building systems that use Arm cores as their central processors. These companies
are given the opportunity to design, and possibly manufacture, their systems around these
processors.

• An Arm-based device may be designed to incorporate the processor, perhaps even making
adaptations to its architecture and functionality. Also, it combines many or all high-level
function elements of an electronic device onto a single chip instead of using separate
components mounted to a motherboard, for that reason, rather than a "central processing
unit" (CPU), an Arm processor is instead called a system-on-a-chip (SoC).
BIG COMPANIES INVOLVED IN PROCESSOR
MANUFACTURING
FIRST GENERATION MOBILE DEVICES
Prior to the nineties, cellular networks used to operate using analog networks, which are often
referred to as the first generation of cellular networks (1G). In that era (1970s-1980s), mobile
phones were bulky devices, that weighed over 1 kg, and could only make voice calls.
In 1981, Nordic Mobile Telephone (NMT) was launched in European countries. In 1983,
Ameritech launched 1G mobiles in the USA using Motorola mobile phones. The use of mobile
communication systems was then followed by several countries.
During the 1G era of cellular networks, the information needed to authenticate the subscriber
to the mobile network was stored directly in the mobile phone itself. This information was the
MSISDN which is your phone number, and the Equipment Serial Number (ESN). The approach
had many issues including lack of confidentiality, privacy, and the fact that it was prone to
fraud in which a criminal knowing someone MSISDN and ESN can clone them and make phone
calls as if he/she was the legitimate subscriber.
SECOND GENERATION NETWORK
ARCHITECTURE
 MOBILE STATION COMPONENTS
a. Mobile Equipment (ME)- refers to any device capable of communicating on a GSM cellular
network such as mobile phones, MiFi modems, and pagers.
b. Subscriber Identification Module (SIM): a type of smart card that is used to store information
about the Subscriber such as the IMSI, ICCID, MSISDN, address book and SMSs. Each SIM card
holds a 128-bit key that is used to authenticate the SIM on the cellular network. SIM cards are
used in the 2G cellular network.
c. Universal Integrated Circuit Card (UICC): It is considered the new generation of SIM cards,
which refers to the hardware that is running the USIM. UICC was introduced to support the
functionalities of the 3G cellular networks.
d. Universal Subscriber Identity Module (USIM): refers to the application running on top to the
UICC. It is similar in functionality to SIM but provides enhanced security, supports contactless
payment and is capable of running multiple applications.
e. Subscriber: a registered customer with a specific cellular network operator.
f. User Equipment (UE): a combination of U/SIM and ME.
 ACCESS NETWORK COMPONENTS

a. Base Station Subsystem (BSS): consists of one or more BTS and BSC.

b. Base Transceiver Station (BTS): consists of transceivers and antennas and it is

responsible for handling the radio communications between the UE and the
BSC. Each BTS corresponds to a single Cell.

c. Base Station Controller (BSC): is responsible for controlling multiple BTSs and
perform tasks such as managing the radio channel allocation in addition to
handling the handover of ME from one BTS to another.
 CORE NETWORK COMPONENTS
a. Network Switching Subsystem (NSS): consists of the following main parts (MSC, HLR, VLR, EIR and AuC).
b. Mobile Switching Center (MSC): is the central service delivery component in cellular network responsible for
setting up and releasing the end-to-end connection, in addition to prepaid accounts billing.
c. Home Location Registering (HLR): a central database that stores the information of all the subscribers of the
cellular network operator.
d. Visitor Location Register (VLR): a distributed database that stores the information of roaming MSs (foreigner
subscribers) within an MSC.
e. Authentication Center (AuC): a central database that holds a protected copy of the authentication key, which
is stored on each subscriber’s U/SIM card.
f. Equipment Identity Register (EIR): a central database of band MSs often integrated within HLR and it is used
to block or monitor stolen mobile devices.
 EXTERNAL NETWORK COMPONENTS

a. Public Switched Telephone Network (PSTN): a global system of interconnected

network infrastructure such as telephone landlines, microwave transmission links,

communications satellite links and undersea telephone cables that are controlled by

switching centers, which facilitates national, regional, and local communications.

UMTS- THIRD GENERATION NETWORK
ARCHITECTURE
• UMTS is popularly known as a third-generation (3G) cellular network. It was

seen as a better cellular technology for data transfer than its predecessor.

Today, UMTS is used interchangeably with 3G. Unlike global system for mobile

communications (GSM) – which was widely used before the deployment of

UMTS – UMTS offers faster data transfer, improved cellular capabilities,

greater range/bandwidth, and better radio spectrum efficiency.

1. The access network

• The access network consists of towers to which the mobile station connects. These towers are known as Node B,
intermediates between the mobile station and the rest of the mobile network. There can be one or more Node Bs depending
on the size of the network.

• Another essential component of the access network is the radio network controller (RNC). This is where the intelligence of
the access network lies. It processes the data gotten from Node B connected to it. The Node B and RNC composite structure
is known as UMTS terrestrial radio access network (UTRAN).

2. The core network

• This is the backbone network. It consists of a circuit-switched (CS) domain and packet-switched (PS) domain. The circuit-
switched domain is the part of the network responsible for voice calls, while the packet-switched domain is responsible for
carrying the packet data. The packet-switched domain takes care of the internet services. The CS and PS domains consist of
various databases that hold information necessary for running the system.

• SGSN is the main node that performs packet-switching functions, whereas GGSN is more of a router that connects SGSN to
the external data networks.
FOURTH GENERATION NETWORK
ARCHITECTURE
• The high-level network architecture of LTE is composed of the following three key
components:

1.The User Equipment (UE).

2.The Evolved UMTS Terrestrial Radio Access Network (E-UTRAN).

3.The Evolved Packet Core (EPC).

E-UTRAN

• An eNB, which is a base station that controls mobile devices in one or more cells, and
an eNodeB controls radio communication between an evolved packet core or EPC and
mobile devices. Basically, the eNB sends and receives radio signals to and from all the
mobile devices using the signal processing functions of the LTE air interface.
EPC

• HSS- The central database that contains information about all the network operator’s

subscribers is known as the Home Subscriber Server (HSS).

• MME- Mobility Management Entity. It is used for Authentication, Handover, and Selection of

Serving Gateway

• SGW- Serving gateway-It is used to Routing and Forwarding user data packets.

• PDN-GW Packet Data Network Gateway- It is used for user equipment (UE) IP allocation

• PCRF -Policy and Charging Rule Function- It provides quality of service and charging