Chapter 12
With most SIM cards, you have three attempts at entering an access code before the device is locked, which then requires calling the service provider to get the PIN unlock key (PUK) and waiting a certain amount of time before trying again. Common codes to try are ____ or ____
1-1-1-1, 1-2-3-4
Mobile phone technology has advanced rapidly in the past few decades and developed far beyond what its inventors could have imagined. Gone are the days of two-pound cell phones that only the wealthy could afford. By the end of 2008, mobile phones had gone through three generations:
1. Analog 2. Digital personal communications service (PCS) 3. Third-generation (3G)
Although digital networks use different technologies, they operate on the same basic principles. Geographic areas are divided into cells resembling honeycombs. As described in NIST SP 800-101, three main components are used for communication with these cells:
1. Base transceiver station (BTS) 2. Base station controller (BSC) 3. Mobile switching center (MSC)
List some digital networks:
1. Code Division Multiple Access (CDMA) 2. Global System for Mobile Communications (GSM) 3. Time Division Multiple Access (TDMA) 4. Integrated Digital Enhanced Network (iDEN) 5. Digital Advanced Mobile Phone Service (D-AMPS) 6. Enhanced Data GSM Environment (EDGE) 7. Orthogonal Frequency Division Multiplexing (OFDM)
The SIM card is necessary for the ME to work and serves these additional purposes:
1. Identifies the subscriber to the network 2. Stores service-related information 3. Can be used to back up the device
Depending on your phone's model, the following information might be stored on it:
1. Incoming, outgoing, and missed calls 2. Multimedia Message Service (MMS; text messages) and Short Message Service (SMS) messages 3. E-mail accounts 4. Instant messaging (IM) logs 5. Web pages 6. Photos, videos, and music files 7. Calendars and address books 8. Social media account information 9. GPS data 10. Voice recordings and voicemail 11. Bank account logins 12. Access to your home
You should check the following locations for information, keeping in mind that with mobile devices, often you need manufacturers' tools:
1. Internal memory 2. SIM card 3. Removable or external memory cards 4. Network provider
In many countries, phones are used to:
1. Log in to bank accounts 2. Make deposits 3. Transfer funds from one device to another, which provides even more potential evidence
Search and seizure procedures for mobile devices are as important as procedures for computers. The main concerns are:
1. Loss of power 2. Synchronization with cloud services 3. Remote wiping
The NIST guidelines list six types of mobile forensics methods:
1. Manual extraction 2. Logical extraction 3. Physical extraction 4. Hex dumping and Joint Test Action Group (JTAG) extraction 5. Chip-off 6. Micro read
Mobile devices can range from simple phones to smartphones, tablets, and smartwatches. The hardware consists of a:
1. Microprocessor 2. ROM 3. RAM 4. A digital signal processor 5. A radio module 6. A microphone and speaker 7. Hardware interfaces (such as keypads, cameras, and GPS devices) 8. An LCD display
Although the locations of data vary from one phone model to the next, volatile memory usually contains data that changes frequently, such as:
1. Missed calls 2. Text messages 3. Sometimes even user files
In 2008, the International Telecommunication Union Radio (ITU-R) created the requirements for carriers to be considered 4G. 4G networks can use the following technologies:
1. Orthogonal Frequency Division Multiplexing 2. Mobile WiMAX 3. Ultra Mobile Broadband (UMB) 4. Multiple Input Multiple Output (MIMO) 5. Long Term Evolution (LTE)
The 3G standard was developed by the ____ under the United Nations. It's compatible with CDMA, GSM, and TDMA
International Telecommunication Union (ITU)
____ of information is what makes SIM cards so versatile
Portability
In 2014, the U.S. Supreme Court ruled unanimously in ____ that a search warrant is required before an arresting officer can begin examining a phone's contents
Riley v. California
With GSM phones and many newer models of mobile devices, the next step is accessing the SIM card, which you can do by using a combination hardware/software device called a ____
SIM card reader
What are Secure Digital (SD) cards?
Similar to MMCs but have added security features to protect data; they're now used on smartphones
____ cards are usually found in GSM devices and consist of a microprocessor and internal memory
Subscriber identity module (SIM)
Most Code Division Multiple Access (CDMA) networks conform to IS-95, created by the ____. These systems are referred to as CDMAOne, and when they went to 3G services, they became CDMA2000
Telecommunications Industry Association (TIA)
Explain Mobile switching center (MSC)
This component connects calls by routing digital packets for the network and relies on a database to support subscribers. This central database contains account data, location data, and other key information needed during an investigation. If you have to retrieve information from a carrier's central database, you usually need a warrant or subpoena
Explain Base transceiver station (BTS)
This component is made up of radio transceiver equipment that defines cells and communicates with mobile phones; it's sometimes referred to as a "cell phone tower," although the tower is only one part of the BTS equipment
In addition, collect the laptop and any peripheral devices to determine whether the hard drive contains...
any information that's been transferred and then deleted from the mobile device, including pictures, videos, and other files that have been transferred and then deleted
If the device is off, you should...
attempt a physical static acquisition and then turn the device on, determine whether it's locked, and then follow the procedure for either a locked or unlocked condition
Most PDAs were designed to synchronize with a computer, so they had...
built-in slots for that purpose (whether hard-wired or wireless synchronization)
TDMA also refers to the IS-136 standard, which introduced sleep mode to enhance battery life. TDMA can operate in the...
cell phone (800 to 1000 MHz) or personal communications service (PCS; 1900 MHz) frequency, so it's compatible with several cell phone networks
The file system for a SIM card is a ____ structure
hierarchical
Checking with the service provider has been further complicated because backups might be stored in a cloud provided by the carrier or a third party. For iPods and iPads, syncing and backups tend to occur in the ____; other providers offer a similar cloud backup
iCloud
Older CDMA phones don't use SIM cards; they...
incorporate the card's functions into the phone. Newer TDMA phones in North America do use SIM cards, however, and they are sealed so that users must contact the service provider when changing phones or providers
If it's on and unlocked, you must...
isolate it from the network, disable the screen lock, and remove the passcode, among other tasks
Why have service providers started using remote wiping?
Given how crucial smartphones are now, people who lose them are concerned about the amount of sensitive information that can be gathered from them. Because of the growing problem of mobile devices being stolen, service providers have started using remote wiping to remove a user's personal information stored on a stolen device, and this procedure often results in the loss of valuable information for investigations. Remote wiping is usually done to remove an account so that a thief can't use the phone and rack up charges. It also erases all contacts, the calendar, and other personal information, such as photos and bank logins, stored on the device. In some instances, it restores the device to the original factory settings. Depending on the device and service provider, the device owner or the service provider can do the remote wipe. Remote wiping can be used by device owners trying to protect their information
People store a wealth of information on cell phones and smartphones, and the thought of...
losing your phone and, therefore, the information stored on it can be a frightening prospect
Many phones now include SD cards for external storage. Standard SD cards range from 16 GB to 64 GB and can be part of a mobile device or game console. Other sizes include ____ and ____ cards
miniSD, microSD
Because mobile devices are often designed to synchronize with applications on a user's laptop or tablet, any...
mobile device attached to a PC or tablet via a USB cable or micro USB cable should be disconnected immediately
The OS is stored in ROM, which is ____ memory, so along with other data, it's available even if the phone loses power
nonvolatile
For personal use, ____ have been replaced by iPods, iPads, and other mobile devices. The use of PDAs has shifted to more specific markets, such as medical or industrial PDAs; they're now called "handhelds" and are still sold on sites such as Amazon and eBay
personal digital assistants (PDAs)
GSM carriers, by definition, must accept any GSM phone. CDMA carriers have locked phones and don't have to accept any users who aren't subscribers. Until recently, users who traveled frequently between the United States, Africa, Europe, and parts of Asia needed separate phones for each place. With GSM phones, you simply...
pop in a SIM card for the country you're currently in
SIM cards are similar to standard memory cards, except...
the connectors are aligned differently
If power has been lost, you might need PINs or other access codes to view files. Typically, users keep the original PIN assigned to the SIM card, so when you're collecting evidence at the scene, look for...
users' manuals and other documentation that can help you access the SIM card
All mobile devices have ____ memory, so making sure they don't lose power before you can retrieve RAM data is critical
volatile
If the device is on and locked...
what you can and can't do varies depending on the type of device, such as whether it's a BlackBerry, an iPhone, or an Android
Because of ____, checking providers' servers requires a search warrant or subpoena, so you need one if you want to check voicemail stored by the provider or another third party
wiretap laws
At the investigation scene, determine whether the device is on or off. If it's off, leave it off, but find the charger and attach it as soon as possible. Note this step in your log if...
you can't determine whether the device was charged at the time of seizure. If the device is on, check the display for the battery's current charge level
What are the general procedures for accessing the SIM card?
1. Remove the device's back panel 2. Remove the battery 3. Remove the SIM card from its holder 4. Insert the SIM card into the card reader, which you insert into your forensic workstation's USB port
Nonvolatile memory, on the other hand, contains OS files and stored user data, such as:
1. A personal information manager (PIM) 2. Backed-up files
GSM refers to mobile phones as "mobile stations" and divides a station into two parts:
1. The SIM card 2. Mobile equipment (ME), which is the remainder of the phone
SANS DFIR (Digital Forensics and Incident Response) has a slightly different process that handles other possible problems. It lists three conditions:
1. The device is on and unlocked 2. The device is on and locked 3. The device is off
____ cellular networks, expected to be finalized in 2020, will incorporate emerging technologies, including the ever-expanding cloud and device-to-device networks
Fifth-generation (5G)
iPhone acquisition procedures are similar, and several good tools are available, such as ____, which is designed to deal with iPhones, iPads, iOS, and Mac OS X Lion (now macOS). It can also extract iPhoto information, handle plug-in apps, and pull the user's online history
MacLockPick 3.0
Explain Time Division Multiple Access (TDMA)
This digital network uses the technique of dividing a radio frequency into time slots; GSM networks use this technique. It also refers to a specific cellular network standard covered by Interim Standard (IS) 136
Explain Manual Extraction
This method involves looking at the device's content page by page and taking pictures. It's used if investigators can't do a logical or physical extraction
Explain Multiple Input Multiple Output (MIMO)
This technology, developed by Airgo and acquired by Qualcomm, supports transmission speeds of 312 Mbps and is used by 4G, WiMAX, and other technologies
Global System for Mobile Communications (GSM) uses the ____ technique, in which multiple phones take turns sharing a channel on a round-robin basis
Time Division Multiple Access (TDMA)
As with smartphones, the amount of information on a PDA varied depending on the model. Usually, you could retrieve a user's calendar, address book, Web access, and other items (T/F)
True
What are Compact Flash (CF) cards?
Used for extra storage and work much the same way as PCMCIA cards
Typically, phones store system data in ____, which enables service providers to reprogram phones without having to access memory chips physically. Many users take advantage of this capability by reprogramming their phones to add features or switch to different service providers. Although this reprogramming isn't supported officially by service providers, instructions on how to do so are readily available on the Internet
electronically erasable programmable read-only memory (EEPROM)
Memory resides in the ____ and in the ____, if the device is equipped with one
phone, SIM card
A number of peripheral memory cards were used with PDAs:
1. Compact Flash (CF) 2. MultiMediaCard (MMC) 3. Secure Digital (SD)
Explain Global System for Mobile Communications (GSM)
Another common digital network, it's used by AT&T and T-Mobile in the United States and is the standard in Europe and Asia
Explain Integrated Digital Enhanced Network (iDEN)
This Motorola protocol combines several services, including data transmission, into one network
Explain Base station controller (BSC)
This combination of hardware and software manages BTSs and assigns channels by connecting to the mobile switching center
Explain Enhanced Data GSM Environment (EDGE)
This digital network, a faster version of GSM, is designed to deliver data
Explain the hierarchical structure of a SIM card
This file structure begins with the root of the system (MF). The next level consists of directory files (DF), and under them are files containing elementary data (EF). In this figure, the EFs under the GSM and DCS1800 DFs contain network data on different frequency bands of operation. The EFs under the Telecom DF contain service-related data.
Explain Digital Advanced Mobile Phone Service (D-AMPS)
This network is a digital version of the original analog standard for cell phones
Explain Orthogonal Frequency Division Multiplexing (OFDM)
This technology for 4G networks uses energy more efficiently than 3G networks and is more immune to interference
Explain Mobile WiMAX
This technology uses the IEEE 802.16e standard and Orthogonal Frequency Division Multiple Access (OFDMA) and supports transmission speeds of 12 Mbps. Sprint chose this technology for its 4G network, although some argue it's not true 4G
Explain Long Term Evolution (LTE)
This technology, designed for GSM and Universal Mobile Telecommunications Systems (UMTS) technology, supports 45 Mbps to 144 Mbps transmission speeds. Commonly called "4G LTE."
Similar to smartphones, PDAs housed a microprocessor, flash ROM, RAM, and other hardware components (T/F)
True
Top-of-the-line smartphones are even comparable to current mid-range computers (T/F)
True
____ requires power to maintain its contents, but nonvolatile memory doesn't
Volatile memory
When you're back in the forensics lab, you need to assess what can be retrieved. To determine whether you should do a logical acquisition or physical acquisition, you need to know where information is stored. As with laptops and desktops, a logical acquisition involves...
accessing files and folders as you would see them when looking at them in File Explorer
Many people store more information on smartphones and tablets than on computers. When you consider that smartphones have the same computing power as...
desktops of a few years ago, the amount of information stored on them is often enough to piece together a case's facts
Sprint Nextel introduced the ____ network
fourth-generation (4G)
A ____ is a bit-by-bit acquisition done to find deleted files or folders
physical acquisition
Many people use their smartphones to get Internet access for tablets or laptops, so you might find these devices already connected to the Internet. Disconnecting them immediately helps...
prevent synchronization that might occur automatically on a preset schedule and overwrite data on the device
Furthermore, because phones often contain private or sensitive information, any information that doesn't pertain to the case must be...
redacted from the public record
As devices become more sophisticated, turning them off means...
removing the battery
In addition, because most newer phones and phone plans store voicemail on the phone, you need a ____ for the device, too
search warrant
Depending on the warrant or subpoena, the ____ might be relevant. In addition, messages might be received on the mobile device after seizure that may or may not be admissible in court
time of seizure
iPhones and many Android phones have micro SIM and nano SIM slots. However, some can be accessed only if the phone has been ____
unlocked
____ and ____ were popular models when PDAs came on the market in the 1990s
Palm Pilot, Microsoft Pocket PC
If you determine that the device should be turned off to preserve battery power or prevent a possible attack, note the time and date when you take this step. The alternative is to isolate the device from incoming signals with one of the following options:
1. Place the device in airplane mode, if this feature is available 2. Place the device in a paint can, preferably one that previously contained radio wave-blocking paint 3. Use a Faraday bag that conforms to Faraday wire cage standards. Many allow plugging a unit into a power source 4. Turn the device off
You can retrieve quite a bit of data from a SIM card, depending on whether the phone is GSM or CDMA. The information that can be retrieved falls into four categories:
1. Service-related data, such as identifiers for the SIM card and subscriber 2. Call data, such as numbers dialed 3. Message information 4. Location information
SIM cards come in three sizes:
1. Standard 2. Micro 3. Nano
List the steps that occur in a mobile forensics investigation:
1. The first step is identifying the mobile device. Most users don't alter their devices, but some file off serial numbers, change the display to show misleading data, and so on. When attempting to identify a phone, you can make use of several online sources
2. Next, make sure you have installed the mobile device forensics software. As mentioned, not all facilities are equipped with the necessary software because many tools are cost prohibitive. Some vendors offer tools that simply take pictures of screens as you scroll through them. Forensically, this approach isn't the best, but you can use it if no other alternatives are available
3. The next step is to attach the phone to its power supply and connect the correct cables. Most phones now have a combination USB/power cable, and many are interchangeable. For older phones, often you have to rig cables together. Some vendors have toolkits with an array of cables you can use
4. After you've connected the device, start the forensics software and begin downloading the available information. If your forensics software doesn't support the model you're investigating, you might need to acquire other tools. Your main concern should be that the software is forensically sound
Memory storage on a mobile device is usually a combination of:
1. Volatile memory 2. Nonvolatile memory
Most basic phones have a proprietary OS, although smartphones use the same OSs as PCs (or stripped-down versions of them). These OSs include:
1. Windows Mobile 2. RIM OS 3. Android (based on Linux) 4. Google OS 5. iOS (for Apple devices)
____ introduced unheard-of capabilities, such as being able to download while you were walking or in a moving vehicle
3G
Many mobile devices have removable memory cards and up to ____ of internal memory, and Bluetooth and Wi-Fi are included in most mobile devices
64 GB
The best method of retrieving information, of course, is acquiring a forensic image, which enables you to recover deleted text messages and similar data. With Android devices, the process can be as simple as using ____ to perform a logical acquisition and a low-level analysis
AccessData FTK Imager
Explain Ultra Mobile Broadband (UMB)
Also known as CDMA2000 EV-DO, this technology was used by CDMA network providers to switch to 4G and supports transmission speeds of 275 Mbps for downlinks and 75 Mbps for uplinks. It has been replaced by LTE
What is an issue when dealing with text and SMS messages using SIM card readers?
Another problem with SIM card readers is dealing with text and SMS messages that haven't been read yet. After you view a message, the device shows the message as opened or read. For this reason, documenting messages that haven't been read is critical. Using a tool that takes pictures of each screen can be valuable because these screen captures can provide additional documentation
Why does portability make SIM cards so versatile?
By switching a SIM card between compatible phones, users can move their provider usage and other information to another phone automatically without having to notify the service provider. For example, if you travel between neighboring countries often, you could have a GSM phone and two SIM cards. When you travel to another country, you simply switch to the other SIM card. With phones on which this switching is allowed, information such as your contact list is stored on the phone, so when you switch to another carrier, all you have to do is change the SIM card. Another common practice is switching to another SIM card when you have used most of your monthly minutes on your main SIM card
What are MultiMediaCard (MMC) cards?
Designed for mobile phones, but they can be used with PDAs to provide another storage area
Explain Code Division Multiple Access (CDMA)
Developed during World War II, this technology was patented by Qualcomm after the war. One of the most common digital networks, it uses the full radio frequency spectrum to define channels. In the United States, Sprint, U.S. Cellular, and Verizon, for example, use CDMA networks
The ____ standard was developed specifically for 3G
Enhanced Data GSM Environment (EDGE)
____ is an evolving science, with the biggest challenge being constantly changing phone models. What works today might not work on a model that comes out tomorrow
Mobile forensics
Why is investigating smartphones and other mobile devices considered a challenging task?
No single standard exists for how and where phones store messages, although many phones use similar storage schemes. In addition, new phones come out about every six months, and they're rarely compatible with previous models. Therefore, the cables, software, and accessories used for forensics acquisitions can become obsolete in a short time
Because mobile devices are seized at the time of arrest, police used to look through them as a routine matter. The Supreme Courts of ____ and ____, however, ruled that a search warrant is needed to examine these devices because of all the information they can contain
Oregon, Ohio
The ____ technology uses numerous parallel carriers instead of a single broad carrier and is less susceptible to interference
Orthogonal Frequency Division Multiplexing (OFDM)
