Chapter 12

SIM card readers

A combination hardware/software device used to access the SIM card

Fourth-generation (4G) was introduced in __________

2009

Checking network provider requires a search warrant or subpoena

A new complication has surfaced because backups might be stored in a cloud provided by the carrier or third party

The drawback of using these isolating options is that the mobile device is put into roaming mode

Accelerates battery drainage

Mobile phone forensics tools and methods

AccessData FTK Imager MacLockPick 3.0

Vehicle system forensics

Addresses the many parts that have sensors in cars

Separate personal information from business-related data

Bring your own device (BYOD) practices make it even more difficult

3G is compatible with

CDMA, GSM, and TDMA

Phones store system data in

Electronically erasable programmable read-only memory (EEPROM)

EEPROM (cont'd)

Enables service providers to reprogram phones without having to physically access memory chips

Procedures for working with mobile forensics software:

Identify the mobile device Make sure you have installed the mobile device forensics software Attach the phone to power and connect cables Start the forensics software and download information

SANS DFIR Forensics recommends:

If device is on and unlocked - isolate it from the network, disable the screen lock, remove passcode If device is on and locked - what you can do varies depending on the type of device If device is off - attempt a physical static acquisition and turn the device on

Items stored on cell phones:

Incoming, outgoing, and missed calls, Multimedia Message Service (MMS; text messages) and Short Message Service (SMS) messages, E-mail accounts, Instant-messaging (IM) logs, Web pages & Pictures, video, and music files

Check these areas in the forensics lab :

Internal memory SIM card Removable or external memory cards Network provider

3G was developed by _____________

International Telecommunications Union (ITU)

Evolution from Internet of Thing (IoT) to

Internet of Everything (IoE) to Internet of Anything (IoA)

All mobile devices have volatile memory

Making sure they don't lose power before you can retrieve RAM data is critical

Hardware components

Microprocessor, ROM, RAM, a Digital signal processor, a radio module, a microphone and speaker, hardware interfaces, and an LCD display

Many mobile forensics tools are available

Most aren't free

You can also simply connect a mobile device to a computer to browse the file system and examine and retrieve files

Needs a USB write-blocker

If power has been lost,

PINs or other access codes might be required to view files

People store a wealth of information on cell phones

People don't think about securing their phones

Isolate the device from incoming signals with one of the following options:

Place the device in airplane mode Place the device in a paint can Use a Faraday bag Turn the device off

Information that can be retrieved falls into four categories:

Service-related data, such as identifiers for the SIM card and the subscriber Call data, such as numbers dialed Message information Location information

Their use has shifted to more specific markets

Such as medical or industrial PDAs

SIM card readers (cont'd)

A variety of SIM card readers are available Some are forensically sound and some are not

Most basic phones have a proprietary OS

Although smartphones use the same OSs as PCs

By the end of 2008, mobile phones had gone through three generations:

Analog, Digital personal communications service (PCS) & Third-generation (3G)

Main components used for communication

Base transceiver station (BTS), Base station controller (BSC), Mobile switching center (MSC)

Mobile forensics is an evolving science

Biggest challenge is dealing with constantly changing phone models

Items stored on cell phones: (cont'd)

Calendars and address books, Social media account information, GPS data, Voice recordings and voicemail, Bank account logins & Access to your home

Peripheral memory cards used with PDAs:

Compact Flash (CF) MultiMediaCard (MMC) Secure Digital (SD)

Cellebrite is often used by law enforcement

You can determine the device's make and model, learn what has to be done before connecting a mobile device to the UFED device, and then retrieve the data

In general, tools designed to edit information

although they are user friendly, usually aren't forensically sound

IoE adds features that aren't tangible

but are widespread on the Internet Google search engine and YouTube

IoA includes cars, homes, pets, livestock, and applications

for making all these things work together Eventually will include 5G smart devices

Personal digital assistants (PDAs) have been mostly replaced by

iPods, iPads, and other mobile devices

The main concerns with mobile devices in acquisitions are

loss of power, synchronization with cloud services, and remote wiping

Memory storage on a mobile device is usually a combination of

volatile and nonvolatile memory

Methods and techniques for acquiring evidence

will change as market continues to expand and mature

Subscriber identity module (SIM) cards

Found most commonly in GSM devices Consist of a microprocessor and internal memory GSM refers to mobile phones as "mobile stations" and divides a station into two parts: The SIM card and the mobile equipment (ME) SIM cards come in three sizes Portability of information makes SIM cards versatile

Mobile device attached to a PC via a USB cable should be disconnected from the PC immediately

Helps prevent synchronization that might occur automatically and overwrite data

NIST guidelines list six types of mobile forensics methods:

Manual extraction Logical extraction Physical extraction Hex dumping and Joint Test Action Group (JTAG) extraction Chip-off Micro read

Depending on the warrant or subpoena, the time of seizure might be relevant b/c

Messages might be received on the mobile device after seizure

Several digital networks are used in the ______ _______ ____________

Mobile phone industry

Investigating cell phones and mobile devices is a challenging tasks in digital forensics

No single standard exists for how and where phones store messages, New phones come out about every six months and they are rarely compatible with previous models

OS is stored in ROM

Nonvolatile memory, Available even if the phone loses power

Some tools are designed for updating files

Not retrieving data

4G networks use the following technologies

Orthogonal Frequency Division Multiplexing (OFDM), Mobile WiMAX, Ultra Mobile Broadband (UMB), Multiple Input Multiple Output (MIMO), Long Term Evolution (LTE)

5G devices introduce new challenges for digital forensics:

People-to-device communications (P2D) Device-to-device (D2D) communications Device-to-cloud (D2C) communications

Many phones now include

SD cards for external storage

Mobile devices can range from

Simple phones to smartphones, tablets, and smartwatches

Paraben Software offers several tools:

E3:DS - for mobile device investigations

Fifth-generation (5G) cellular networks

Expected to be finalized in 2020, will incorporate emerging technologies

Most Code Division Multiple Access (CDMA) networks conform to IS-95

These systems are referred to as CDMAOne, When they went to 3G services, they became CDMA 2000

Documenting messages that haven't been read yet is critical

Use a tool that takes pictures of each screen

Global System for Mobile Communications (GSM)

Uses the Time Division Multiple Access (TDMA) technique

Enhanced Data GSM Environment (EDGE)

Was developed specifically for 3G

MOBILedit Forensic

contains a built-in write- blocker

EEPROM

electrically erasable programmable read-only memory

5G devices categories:

enhanced Mobile Broadband (eMBB) Ultra-reliable and Low-latency Communications (uRLLC) massive Machine Type Communications (mMTC)

Wearable computers will pose many new challenges

for investigators

DataPilot

has a collection of cables that can interface with phones from different manufacturers

The file system for a SIM card is a

hierarchical structure

Software tools differ in the

information they display and the level of detail

Due to the growing problem of mobile devices being stolen,

service providers have started using remote wiping to remove a user's personal information stored on a stolen device

Subscribe to user groups and professional organizations

to stay abreast of what's happening in the industry

BitPam

used to view data on many CDMA phones

Cellebrite UFED Forensic System

works with smartphones, PDAs, tablets, and GPS devices

In 2010, VMware and BlackBerry were developing

• Type 2 hypervisors for mobile devices • Useful for security and protecting personal information but will add another level of complexity to forensics investigations

You need to be in a forensics lab equipped with appropriate antistatic devices

General procedure is as follows: Remove the device's back panel Remove the battery Remove the SIM card from holder Insert the SIM card into the card reader

Subscriber identity module (SIM) cards (cont'd)

The SIM card is necessary for the ME to work and serves these additional purposes:• Identifies the subscriber to the network Stores service-related information Can be used to back up the device

Three options for data extraction:

LogicalFile system • Physical

Internet of Things (IoT)

The number of devices that connect to the Internet is higher than the amount of people That number is expected to reach 50 billion in the next few decades