Chapter 12

With most SIM cards, you have three attempts at entering an access code before the device is locked, which then requires calling the service provider to get the PIN unlock key (PUK) and waiting a certain amount of time before trying again. Common codes to try are ____ or ____

1-1-1-1, 1-2-3-4

Mobile phone technology has advanced rapidly in the past few decades and developed far beyond what its inventors could have imagined. Gone are the days of two-pound cell phones that only the wealthy could afford. By the end of 2008, mobile phones had gone through three generations:

1. Analog 2. Digital personal communications service (PCS) 3. Third-generation (3G)

Although digital networks use different technologies, they operate on the same basic principles. Geographic areas are divided into cells resembling honeycombs. As described in NIST SP 800-101, three main components are used for communication with these cells:

1. Base transceiver station (BTS) 2. Base station controller (BSC) 3. Mobile switching center (MSC)

List some digital networks:

1. Code Division Multiple Access (CDMA) 2. Global System for Mobile Communications (GSM) 3. Time Division Multiple Access (TDMA) 4. Integrated Digital Enhanced Network (iDEN) 5. Digital Advanced Mobile Phone Service (D-AMPS) 6. Enhanced Data GSM Environment (EDGE) 7. Orthogonal Frequency Division Multiplexing (OFDM)

The SIM card is necessary for the ME to work and serves these additional purposes:

1. Identifies the subscriber to the network 2. Stores service-related information 3. Can be used to back up the device

Depending on your phone's model, the following information might be stored on it:

1. Incoming, outgoing, and missed calls 2. Multimedia Message Service (MMS; text messages) and Short Message Service (SMS) messages 3. E-mail accounts 4. Instant messaging (IM) logs 5. Web pages 6. Photos, videos, and music files 7. Calendars and address books 8. Social media account information 9. GPS data 10. Voice recordings and voicemail 11. Bank account logins 12. Access to your home

You should check the following locations for information, keeping in mind that with mobile devices, often you need manufacturers' tools:

1. Internal memory 2. SIM card 3. Removable or external memory cards 4. Network provider

In many countries, phones are used to:

1. Log in to bank accounts 2. Make deposits 3. Transfer funds from one device to another, which provides even more potential evidence

Search and seizure procedures for mobile devices are as important as procedures for computers. The main concerns are:

1. Loss of power 2. Synchronization with cloud services 3. Remote wiping

The NIST guidelines list six types of mobile forensics methods:

1. Manual extraction 2. Logical extraction 3. Physical extraction 4. Hex dumping and Joint Test Action Group (JTAG) extraction 5. Chip-off 6. Micro read

Mobile devices can range from simple phones to smartphones, tablets, and smartwatches. The hardware consists of a:

1. Microprocessor 2. ROM 3. RAM 4. A digital signal processor 5. A radio module 6. A microphone and speaker 7. Hardware interfaces (such as keypads, cameras, and GPS devices) 8. An LCD display

Although the locations of data vary from one phone model to the next, volatile memory usually contains data that changes frequently, such as:

1. Missed calls 2. Text messages 3. Sometimes even user files

In 2008, the International Telecommunication Union Radio (ITU-R) created the requirements for carriers to be considered 4G. 4G networks can use the following technologies:

1. Orthogonal Frequency Division Multiplexing 2. Mobile WiMAX 3. Ultra Mobile Broadband (UMB) 4. Multiple Input Multiple Output (MIMO) 5. Long Term Evolution (LTE)

The 3G standard was developed by the ____ under the United Nations. It's compatible with CDMA, GSM, and TDMA

International Telecommunication Union (ITU)

____ of information is what makes SIM cards so versatile

Portability

In 2014, the U.S. Supreme Court ruled unanimously in ____ that a search warrant is required before an arresting officer can begin examining a phone's contents

Riley v. California

With GSM phones and many newer models of mobile devices, the next step is accessing the SIM card, which you can do by using a combination hardware/software device called a ____

SIM card reader

What are Secure Digital (SD) cards?

Similar to MMCs but have added security features to protect data; they're now used on smartphones

____ cards are usually found in GSM devices and consist of a microprocessor and internal memory

Subscriber identity module (SIM)

Most Code Division Multiple Access (CDMA) networks conform to IS-95, created by the ____. These systems are referred to as CDMAOne, and when they went to 3G services, they became CDMA2000

Telecommunications Industry Association (TIA)

Explain Mobile switching center (MSC)

This component connects calls by routing digital packets for the network and relies on a database to support subscribers. This central database contains account data, location data, and other key information needed during an investigation. If you have to retrieve information from a carrier's central database, you usually need a warrant or subpoena

Explain Base transceiver station (BTS)

This component is made up of radio transceiver equipment that defines cells and communicates with mobile phones; it's sometimes referred to as a "cell phone tower," although the tower is only one part of the BTS equipment

In addition, collect the laptop and any peripheral devices to determine whether the hard drive contains...

any information that's been transferred and then deleted from the mobile device, including pictures, videos, and other files that have been transferred and then deleted

If the device is off, you should...

attempt a physical static acquisition and then turn the device on, determine whether it's locked, and then follow the procedure for either a locked or unlocked condition

Most PDAs were designed to synchronize with a computer, so they had...

built-in slots for that purpose (whether hard-wired or wireless synchronization)

TDMA also refers to the IS-136 standard, which introduced sleep mode to enhance battery life. TDMA can operate in the...

cell phone (800 to 1000 MHz) or personal communications service (PCS; 1900 MHz) frequency, so it's compatible with several cell phone networks

The file system for a SIM card is a ____ structure

hierarchical

Checking with the service provider has been further complicated because backups might be stored in a cloud provided by the carrier or a third party. For iPods and iPads, syncing and backups tend to occur in the ____; other providers offer a similar cloud backup

iCloud

Older CDMA phones don't use SIM cards; they...

incorporate the card's functions into the phone. Newer TDMA phones in North America do use SIM cards, however, and they are sealed so that users must contact the service provider when changing phones or providers

If it's on and unlocked, you must...

isolate it from the network, disable the screen lock, and remove the passcode, among other tasks

Why have service providers started using remote wiping?

Given how crucial smartphones are now, people who lose them are concerned about the amount of sensitive information that can be gathered from them. Because of the growing problem of mobile devices being stolen, service providers have started using remote wiping to remove a user's personal information stored on a stolen device, and this procedure often results in the loss of valuable information for investigations. Remote wiping is usually done to remove an account so that a thief can't use the phone and rack up charges. It also erases all contacts, the calendar, and other personal information, such as photos and bank logins, stored on the device. In some instances, it restores the device to the original factory settings. Depending on the device and service provider, the device owner or the service provider can do the remote wipe. Remote wiping can be used by device owners trying to protect their information

People store a wealth of information on cell phones and smartphones, and the thought of...

losing your phone and, therefore, the information stored on it can be a frightening prospect

Many phones now include SD cards for external storage. Standard SD cards range from 16 GB to 64 GB and can be part of a mobile device or game console. Other sizes include ____ and ____ cards

miniSD, microSD

Because mobile devices are often designed to synchronize with applications on a user's laptop or tablet, any...

mobile device attached to a PC or tablet via a USB cable or micro USB cable should be disconnected immediately

The OS is stored in ROM, which is ____ memory, so along with other data, it's available even if the phone loses power

nonvolatile

For personal use, ____ have been replaced by iPods, iPads, and other mobile devices. The use of PDAs has shifted to more specific markets, such as medical or industrial PDAs; they're now called "handhelds" and are still sold on sites such as Amazon and eBay

personal digital assistants (PDAs)

GSM carriers, by definition, must accept any GSM phone. CDMA carriers have locked phones and don't have to accept any users who aren't subscribers. Until recently, users who traveled frequently between the United States, Africa, Europe, and parts of Asia needed separate phones for each place. With GSM phones, you simply...

pop in a SIM card for the country you're currently in

SIM cards are similar to standard memory cards, except...

the connectors are aligned differently

If power has been lost, you might need PINs or other access codes to view files. Typically, users keep the original PIN assigned to the SIM card, so when you're collecting evidence at the scene, look for...

users' manuals and other documentation that can help you access the SIM card

All mobile devices have ____ memory, so making sure they don't lose power before you can retrieve RAM data is critical

volatile

If the device is on and locked...

what you can and can't do varies depending on the type of device, such as whether it's a BlackBerry, an iPhone, or an Android

Because of ____, checking providers' servers requires a search warrant or subpoena, so you need one if you want to check voicemail stored by the provider or another third party

wiretap laws

At the investigation scene, determine whether the device is on or off. If it's off, leave it off, but find the charger and attach it as soon as possible. Note this step in your log if...

you can't determine whether the device was charged at the time of seizure. If the device is on, check the display for the battery's current charge level

What are the general procedures for accessing the SIM card?

1. Remove the device's back panel 2. Remove the battery 3. Remove the SIM card from its holder 4. Insert the SIM card into the card reader, which you insert into your forensic workstation's USB port

Nonvolatile memory, on the other hand, contains OS files and stored user data, such as:

1. A personal information manager (PIM) 2. Backed-up files

GSM refers to mobile phones as "mobile stations" and divides a station into two parts:

1. The SIM card 2. Mobile equipment (ME), which is the remainder of the phone

SANS DFIR (Digital Forensics and Incident Response) has a slightly different process that handles other possible problems. It lists three conditions:

1. The device is on and unlocked 2. The device is on and locked 3. The device is off

____ cellular networks, expected to be finalized in 2020, will incorporate emerging technologies, including the ever-expanding cloud and device-to-device networks

Fifth-generation (5G)

iPhone acquisition procedures are similar, and several good tools are available, such as ____, which is designed to deal with iPhones, iPads, iOS, and Mac OS X Lion (now macOS). It can also extract iPhoto information, handle plug-in apps, and pull the user's online history

MacLockPick 3.0

Explain Time Division Multiple Access (TDMA)

This digital network uses the technique of dividing a radio frequency into time slots; GSM networks use this technique. It also refers to a specific cellular network standard covered by Interim Standard (IS) 136

Explain Manual Extraction

This method involves looking at the device's content page by page and taking pictures. It's used if investigators can't do a logical or physical extraction

Explain Multiple Input Multiple Output (MIMO)

This technology, developed by Airgo and acquired by Qualcomm, supports transmission speeds of 312 Mbps and is used by 4G, WiMAX, and other technologies

Global System for Mobile Communications (GSM) uses the ____ technique, in which multiple phones take turns sharing a channel on a round-robin basis

Time Division Multiple Access (TDMA)

As with smartphones, the amount of information on a PDA varied depending on the model. Usually, you could retrieve a user's calendar, address book, Web access, and other items (T/F)

True

What are Compact Flash (CF) cards?

Used for extra storage and work much the same way as PCMCIA cards

Typically, phones store system data in ____, which enables service providers to reprogram phones without having to access memory chips physically. Many users take advantage of this capability by reprogramming their phones to add features or switch to different service providers. Although this reprogramming isn't supported officially by service providers, instructions on how to do so are readily available on the Internet

electronically erasable programmable read-only memory (EEPROM)

Memory resides in the ____ and in the ____, if the device is equipped with one

phone, SIM card

A number of peripheral memory cards were used with PDAs:

1. Compact Flash (CF) 2. MultiMediaCard (MMC) 3. Secure Digital (SD)

Explain Global System for Mobile Communications (GSM)

Another common digital network, it's used by AT&T and T-Mobile in the United States and is the standard in Europe and Asia

Explain Integrated Digital Enhanced Network (iDEN)

This Motorola protocol combines several services, including data transmission, into one network

Explain Base station controller (BSC)

This combination of hardware and software manages BTSs and assigns channels by connecting to the mobile switching center

Explain Enhanced Data GSM Environment (EDGE)

This digital network, a faster version of GSM, is designed to deliver data

Explain the hierarchical structure of a SIM card

This file structure begins with the root of the system (MF). The next level consists of directory files (DF), and under them are files containing elementary data (EF). In this figure, the EFs under the GSM and DCS1800 DFs contain network data on different frequency bands of operation. The EFs under the Telecom DF contain service-related data.

Explain Digital Advanced Mobile Phone Service (D-AMPS)

This network is a digital version of the original analog standard for cell phones

Explain Orthogonal Frequency Division Multiplexing (OFDM)

This technology for 4G networks uses energy more efficiently than 3G networks and is more immune to interference

Explain Mobile WiMAX

This technology uses the IEEE 802.16e standard and Orthogonal Frequency Division Multiple Access (OFDMA) and supports transmission speeds of 12 Mbps. Sprint chose this technology for its 4G network, although some argue it's not true 4G

Explain Long Term Evolution (LTE)

This technology, designed for GSM and Universal Mobile Telecommunications Systems (UMTS) technology, supports 45 Mbps to 144 Mbps transmission speeds. Commonly called "4G LTE."

Similar to smartphones, PDAs housed a microprocessor, flash ROM, RAM, and other hardware components (T/F)

True

Top-of-the-line smartphones are even comparable to current mid-range computers (T/F)

True

____ requires power to maintain its contents, but nonvolatile memory doesn't

Volatile memory

When you're back in the forensics lab, you need to assess what can be retrieved. To determine whether you should do a logical acquisition or physical acquisition, you need to know where information is stored. As with laptops and desktops, a logical acquisition involves...

accessing files and folders as you would see them when looking at them in File Explorer

Many people store more information on smartphones and tablets than on computers. When you consider that smartphones have the same computing power as...

desktops of a few years ago, the amount of information stored on them is often enough to piece together a case's facts

Sprint Nextel introduced the ____ network

fourth-generation (4G)

A ____ is a bit-by-bit acquisition done to find deleted files or folders

physical acquisition

Many people use their smartphones to get Internet access for tablets or laptops, so you might find these devices already connected to the Internet. Disconnecting them immediately helps...

prevent synchronization that might occur automatically on a preset schedule and overwrite data on the device

Furthermore, because phones often contain private or sensitive information, any information that doesn't pertain to the case must be...

redacted from the public record

As devices become more sophisticated, turning them off means...

removing the battery

In addition, because most newer phones and phone plans store voicemail on the phone, you need a ____ for the device, too

search warrant

Depending on the warrant or subpoena, the ____ might be relevant. In addition, messages might be received on the mobile device after seizure that may or may not be admissible in court

time of seizure

iPhones and many Android phones have micro SIM and nano SIM slots. However, some can be accessed only if the phone has been ____

unlocked

____ and ____ were popular models when PDAs came on the market in the 1990s

Palm Pilot, Microsoft Pocket PC

If you determine that the device should be turned off to preserve battery power or prevent a possible attack, note the time and date when you take this step. The alternative is to isolate the device from incoming signals with one of the following options:

1. Place the device in airplane mode, if this feature is available
2. Place the device in a paint can, preferably one that previously contained radio wave-blocking paint
3. Use a Faraday bag that conforms to Faraday wire cage standards. Many allow plugging a unit into a power source
4. Turn the device off

You can retrieve quite a bit of data from a SIM card, depending on whether the phone is GSM or CDMA. The information that can be retrieved falls into four categories:

1. Service-related data, such as identifiers for the SIM card and subscriber 2. Call data, such as numbers dialed 3. Message information 4. Location information

SIM cards come in three sizes:

1. Standard 2. Micro 3. Nano

List the steps that occur in a mobile forensics investigation:

1. The first step is identifying the mobile device. Most users don't alter their devices, but some file off serial numbers, change the display to show misleading data, and so on. When attempting to identify a phone, you can make use of several online sources
2. Next, make sure you have installed the mobile device forensics software. As mentioned, not all facilities are equipped with the necessary software because many tools are cost prohibitive. Some vendors offer tools that simply take pictures of screens as you scroll through them. Forensically, this approach isn't the best, but you can use it if no other alternatives are available
3. The next step is to attach the phone to its power supply and connect the correct cables. Most phones now have a combination USB/power cable, and many are interchangeable. For older phones, often you have to rig cables together. Some vendors have toolkits with an array of cables you can use
4. After you've connected the device, start the forensics software and begin downloading the available information. If your forensics software doesn't support the model you're investigating, you might need to acquire other tools. Your main concern should be that the software is forensically sound

Memory storage on a mobile device is usually a combination of:

1. Volatile memory 2. Nonvolatile memory

Most basic phones have a proprietary OS, although smartphones use the same OSs as PCs (or stripped-down versions of them). These OSs include:

1. Windows Mobile 2. RIM OS 3. Android (based on Linux) 4. Google OS 5. iOS (for Apple devices)

____ introduced unheard-of capabilities, such as being able to download while you were walking or in a moving vehicle

3G

Many mobile devices have removable memory cards and up to ____ of internal memory, and Bluetooth and Wi-Fi are included in most mobile devices

64 GB

The best method of retrieving information, of course, is acquiring a forensic image, which enables you to recover deleted text messages and similar data. With Android devices, the process can be as simple as using ____ to perform a logical acquisition and a low-level analysis

AccessData FTK Imager

Explain Ultra Mobile Broadband (UMB)

Also known as CDMA2000 EV-DO, this technology was used by CDMA network providers to switch to 4G and supports transmission speeds of 275 Mbps for downlinks and 75 Mbps for uplinks. It has been replaced by LTE

What is an issue when dealing with text and SMS messages using SIM card readers?

Another problem with SIM card readers is dealing with text and SMS messages that haven't been read yet. After you view a message, the device shows the message as opened or read. For this reason, documenting messages that haven't been read is critical. Using a tool that takes pictures of each screen can be valuable because these screen captures can provide additional documentation

Why does portability make SIM cards so versatile?

By switching a SIM card between compatible phones, users can move their provider usage and other information to another phone automatically without having to notify the service provider. For example, if you travel between neighboring countries often, you could have a GSM phone and two SIM cards. When you travel to another country, you simply switch to the other SIM card. With phones on which this switching is allowed, information such as your contact list is stored on the phone, so when you switch to another carrier, all you have to do is change the SIM card. Another common practice is switching to another SIM card when you have used most of your monthly minutes on your main SIM card

What are MultiMediaCard (MMC) cards?

Designed for mobile phones, but they can be used with PDAs to provide another storage area

Explain Code Division Multiple Access (CDMA)

Developed during World War II, this technology was patented by Qualcomm after the war. One of the most common digital networks, it uses the full radio frequency spectrum to define channels. In the United States, Sprint, U.S. Cellular, and Verizon, for example, use CDMA networks

The ____ standard was developed specifically for 3G

Enhanced Data GSM Environment (EDGE)

____ is an evolving science, with the biggest challenge being constantly changing phone models. What works today might not work on a model that comes out tomorrow

Mobile forensics

Why is investigating smartphones and other mobile devices considered a challenging task?

No single standard exists for how and where phones store messages, although many phones use similar storage schemes. In addition, new phones come out about every six months, and they're rarely compatible with previous models. Therefore, the cables, software, and accessories used for forensics acquisitions can become obsolete in a short time

Because mobile devices are seized at the time of arrest, police used to look through them as a routine matter. The Supreme Courts of ____ and ____, however, ruled that a search warrant is needed to examine these devices because of all the information they can contain

Oregon, Ohio

The ____ technology uses numerous parallel carriers instead of a single broad carrier and is less susceptible to interference

Orthogonal Frequency Division Multiplexing (OFDM)
