Chapter 12
SIM card readers
A combination hardware/software device used to access the SIM card
Fourth-generation (4G) was introduced in __________
2009
Checking network provider requires a search warrant or subpoena
A new complication has surfaced because backups might be stored in a cloud provided by the carrier or third party
The drawback of using these isolating options is that the mobile device is put into roaming mode
Accelerates battery drainage
Mobile phone forensics tools and methods
AccessData FTK Imager, MacLockPick 3.0
Vehicle system forensics
Addresses the many parts that have sensors in cars
Separate personal information from business-related data
Bring your own device (BYOD) practices make it even more difficult
3G is compatible with
CDMA, GSM, and TDMA
Phones store system data in
Electronically erasable programmable read-only memory (EEPROM)
EEPROM (cont'd)
Enables service providers to reprogram phones without having to physically access memory chips
Procedures for working with mobile forensics software:
Identify the mobile device; make sure you have installed the mobile device forensics software; attach the phone to power and connect cables; start the forensics software and download information
SANS DFIR Forensics recommends:
If device is on and unlocked - isolate it from the network, disable the screen lock, remove passcode; if device is on and locked - what you can do varies depending on the type of device; if device is off - attempt a physical static acquisition and turn the device on
Items stored on cell phones:
Incoming, outgoing, and missed calls, Multimedia Message Service (MMS; text messages) and Short Message Service (SMS) messages, E-mail accounts, Instant-messaging (IM) logs, Web pages & Pictures, video, and music files
Check these areas in the forensics lab:
Internal memory; SIM card; removable or external memory cards; network provider
3G was developed by _____________
International Telecommunications Union (ITU)
Evolution from Internet of Things (IoT) to
Internet of Everything (IoE) to Internet of Anything (IoA)
All mobile devices have volatile memory
Making sure they don't lose power before you can retrieve RAM data is critical
Hardware components
Microprocessor, ROM, RAM, a digital signal processor, a radio module, a microphone and speaker, hardware interfaces, and an LCD display
Many mobile forensics tools are available
Most aren't free
You can also simply connect a mobile device to a computer to browse the file system and examine and retrieve files
Needs a USB write-blocker
If power has been lost,
PINs or other access codes might be required to view files
People store a wealth of information on cell phones
People don't think about securing their phones
Isolate the device from incoming signals with one of the following options:
Place the device in airplane mode; place the device in a paint can; use a Faraday bag; turn the device off
Information that can be retrieved falls into four categories:
Service-related data, such as identifiers for the SIM card and the subscriber; call data, such as numbers dialed; message information; location information
Their use has shifted to more specific markets
Such as medical or industrial PDAs
SIM card readers (cont'd)
A variety of SIM card readers are available; some are forensically sound and some are not
Most basic phones have a proprietary OS
Although smartphones use the same OSs as PCs
By the end of 2008, mobile phones had gone through three generations:
Analog, Digital personal communications service (PCS) & Third-generation (3G)
Main components used for communication
Base transceiver station (BTS), Base station controller (BSC), Mobile switching center (MSC)
Mobile forensics is an evolving science
Biggest challenge is dealing with constantly changing phone models
Items stored on cell phones: (cont'd)
Calendars and address books, Social media account information, GPS data, Voice recordings and voicemail, Bank account logins & Access to your home
Peripheral memory cards used with PDAs:
Compact Flash (CF), MultiMediaCard (MMC), Secure Digital (SD)
Cellebrite is often used by law enforcement
You can determine the device's make and model, learn what has to be done before connecting a mobile device to the UFED device, and then retrieve the data
In general, tools designed to edit information
although they are user friendly, usually aren't forensically sound
IoE adds features that aren't tangible
but are widespread on the Internet: Google search engine and YouTube
IoA includes cars, homes, pets, livestock, and applications
for making all these things work together; eventually will include 5G smart devices
Personal digital assistants (PDAs) have been mostly replaced by
iPods, iPads, and other mobile devices
The main concerns with mobile devices in acquisitions are
loss of power, synchronization with cloud services, and remote wiping
Memory storage on a mobile device is usually a combination of
volatile and nonvolatile memory
Methods and techniques for acquiring evidence
will change as the market continues to expand and mature
Subscriber identity module (SIM) cards
Found most commonly in GSM devices; consist of a microprocessor and internal memory; GSM refers to mobile phones as "mobile stations" and divides a station into two parts: the SIM card and the mobile equipment (ME); SIM cards come in three sizes; portability of information makes SIM cards versatile
Mobile device attached to a PC via a USB cable should be disconnected from the PC immediately
Helps prevent synchronization that might occur automatically and overwrite data
NIST guidelines list six types of mobile forensics methods:
Manual extraction; logical extraction; physical extraction; hex dumping and Joint Test Action Group (JTAG) extraction; chip-off; micro read
Depending on the warrant or subpoena, the time of seizure might be relevant because
Messages might be received on the mobile device after seizure
Several digital networks are used in the ______ _______ ____________
Mobile phone industry
Investigating cell phones and mobile devices is a challenging task in digital forensics
No single standard exists for how and where phones store messages; new phones come out about every six months and they are rarely compatible with previous models
OS is stored in ROM
Nonvolatile memory; available even if the phone loses power
Some tools are designed for updating files
Not retrieving data
4G networks use the following technologies
Orthogonal Frequency Division Multiplexing (OFDM), Mobile WiMAX, Ultra Mobile Broadband (UMB), Multiple Input Multiple Output (MIMO), Long Term Evolution (LTE)
5G devices introduce new challenges for digital forensics:
People-to-device communications (P2D); device-to-device (D2D) communications; device-to-cloud (D2C) communications
Many phones now include
SD cards for external storage
Mobile devices can range from
Simple phones to smartphones, tablets, and smartwatches
Paraben Software offers several tools:
E3:DS - for mobile device investigations
Fifth-generation (5G) cellular networks
Expected to be finalized in 2020, will incorporate emerging technologies
Most Code Division Multiple Access (CDMA) networks conform to IS-95
These systems are referred to as CDMAOne; when they went to 3G services, they became CDMA 2000
Documenting messages that haven't been read yet is critical
Use a tool that takes pictures of each screen
Global System for Mobile Communications (GSM)
Uses the Time Division Multiple Access (TDMA) technique
Enhanced Data GSM Environment (EDGE)
Was developed specifically for 3G
MOBILedit Forensic
contains a built-in write-blocker
EEPROM
electrically erasable programmable read-only memory
5G devices categories:
enhanced Mobile Broadband (eMBB); Ultra-reliable and Low-latency Communications (uRLLC); massive Machine Type Communications (mMTC)
Wearable computers will pose many new challenges
for investigators
DataPilot
has a collection of cables that can interface with phones from different manufacturers
The file system for a SIM card is a
hierarchical structure
Software tools differ in the
information they display and the level of detail
Due to the growing problem of mobile devices being stolen,
service providers have started using remote wiping to remove a user's personal information stored on a stolen device
Subscribe to user groups and professional organizations
to stay abreast of what's happening in the industry
BitPim
used to view data on many CDMA phones
Cellebrite UFED Forensic System
works with smartphones, PDAs, tablets, and GPS devices
In 2010, VMware and BlackBerry were developing
Type 2 hypervisors for mobile devices; useful for security and protecting personal information but will add another level of complexity to forensics investigations
You need to be in a forensics lab equipped with appropriate antistatic devices
General procedure is as follows: remove the device's back panel; remove the battery; remove the SIM card from holder; insert the SIM card into the card reader
Subscriber identity module (SIM) cards (cont'd)
The SIM card is necessary for the ME to work and serves these additional purposes: identifies the subscriber to the network; stores service-related information; can be used to back up the device
Three options for data extraction:
Logical; file system; physical
Internet of Things (IoT)
The number of devices that connect to the Internet is higher than the number of people; that number is expected to reach 50 billion in the next few decades