Chapter 13
Mobile Country Code
Mobile Country Code (MCC): identifies the country of a SIM user internationally on a GSM network.
Mobile Forensics-includes
Mobile Forensics-includes extraction, recovery, and analysis of data from the internal memory, SD cards, and SIM cards of mobile devices.
iOS Boot Process: cont
3. iBoot is loaded and checks the kernel and device tree signatures (when not booted in Device Firmware Upgrade (DFU) mode)
4. Kernel and device trees load. The kernel checks the signatures of all user applications
Android Boot Process: cont
4. The init process launches; it is the first process on the device and the parent of all other processes. Next, init initializes Zygote, the runtime, and the daemon processes; the Android logo appears
iOS Architecture: cont
5. Media services: audio, video, animation, graphics, etc. (OpenGL ES, OpenAL, etc.)
6. Cocoa Touch layer: framework for app development (UIKit)
7. Uses C-based libSystem libraries such as BSD sockets, POSIX threads, and DNS
Android Boot Process: cont
5. Zygote is used to spin up a new VM for each app that is started: a new DVM with code sharing across the VMs
6. The runtime requests that Zygote launch the system server, which includes the power manager, battery service, and Bluetooth service
The investigator must follow steps before performing a forensic investigation: Build a Mobile Forensics Toolkit
Build a Mobile Forensics Toolkit Investigators require a collection of hardware and software tools to acquire data during the investigation. The investigator needs to use different tools to extract and analyze the data, depending on the make and model of the phone seized.
The investigator must follow steps before performing a forensic investigation: Build the Investigation Team
Build the Investigation Team The investigation team consists of persons who have expertise in responding, seizing, collecting, and reporting evidence from mobile devices. It includes the expert witness, evidence manager, evidence documenter, evidence examiner/investigator, attorney, photographer, incident responder, decision maker, and incident analyzer.
Cellular Networks Components: Code Division Multiple Access (CDMA)
Code Division Multiple Access (CDMA): a dominant cellular network technology. It employs spread-spectrum technology, where the channels for communication are defined in terms of codes.
Communication API
Communication API simplifies the process of interacting with web services and other applications such as email, internet, and SMS.
Dalvik Virtual Machine (DVM)
Dalvik Virtual Machine (DVM) is a type of Java virtual machine responsible for power management and memory management.
Mobile Forensics-includes: cont
Forensics experts analyze the phone by examining the incoming and outgoing text messages, pictures stored in the memory of the phone, call logs, email messages, SIM data, deleted data, etc., in an attempt to trace the perpetrators of crimes that involve the use of mobile phones.
Cellular Networks Components: General Packet Radio Service (GPRS)
General Packet Radio Service (GPRS): packet-oriented mobile data service available to the users of GSM and IS-136 mobiles.
Cellular Networks Components: Global System for Mobile communications(GSM):
Global System for Mobile communications (GSM): a popular cellular network standard.
Hardware:
Hardware: components such as a display device, keypad, RAM, flash, embedded processor, and media processor, which are responsible for mobile operation.
Here are some of the tools a forensic investigator requires as a part of a forensic toolkit: Hardware Tools:
Here are some of the tools a forensic investigator requires as a part of a forensic toolkit: Hardware Tools:
• Cellebrite UFED System
• Secure ViewKit for Forensics
• DS-Device Seizure & Toolbox
• USB reader for SIM cards
• iGo
• DC Lab Power Supply 0-15V/3A
• Digital Display with Backlight
• Paraben's Phone Recovery Stick
Cellular Networks Components: High-Speed Downlink Packet Access (HSDPA)
High-Speed Downlink Packet Access (HSDPA): This third generation mobile telephony communication protocol allows high data transfer speed for networks based on UMTS.
Cellular Components: Home Location Register (HLR):
Home Location Register (HLR): This is the database at the MSC. It is the central repository system for subscriber data and service information.
Chapter 13 Summary
Identifying cell phone brand, model, OS, and network service provider assists in choosing an appropriate forensics tool for data acquisition
Integrated Circuit Card Identifier (ICCID)
Integrated Circuit Card Identifier (ICCID) is a 19- or 20-digit unique identification/serial number printed on the SIM to identify each SIM internationally. Example: 89 44 245252 001451548, where 89 = Industry Identifier, 44 = Country, 245252 = Issuer ID, 001451548 = Individual Account ID
Cellular Networks Components: Integrated Digital Enhanced Network (iDEN)
Integrated Digital Enhanced Network (iDEN): developed by Motorola, a mobile communication technology that gives its users the benefits of both a trunked radio and a cellular telephone.
International Mobile Equipment Identifier (IMEI)
International Mobile Equipment Identifier (IMEI): a 15-digit GSM-based unique number on the handset that identifies the mobile equipment. It can be displayed by dialing *#06#. Format: AA BBBBBB CCCCCC D
International Mobile Subscriber Identity (IMSI)
International Mobile Subscriber Identity (IMSI) 15-digit subscriber identification number that defines a subscriber in the wireless world, including the country and mobile network to which the subscriber belongs.
Chapter 13 Summary
Knowledge of the mobile OS booting process helps investigators gain lower-level access
Mobile Storage/Evidence : Internal Phone Memory:
Mobile Storage/Evidence Internal Phone Memory: It includes data stored in RAM, ROM, or flash memory. It stores the mobile phone's OS, applications, and data. The investigator can extract information from internal phone memory using AT commands over a USB cable, infrared, or Bluetooth.
Cellular Components: Mobile Switching Center (MSC)
Mobile Switching Center (MSC): processes calls and messages within a network and routes them between landline and wireless networks.
Mobile international subscriber directory number (MSISDN):
Mobile international subscriber directory number (MSISDN): 15-digit number used for international identification of mobile phone numbers, and it contains the country code and nation-wide destination code.
Mobile network code (MNC)
Mobile network code (MNC): a two-digit network identification number, printed on the SIM and used along with the MCC. It is used to identify the SIM user on a mobile phone network.
Chapter 13 Summary
Mobile phone forensics is the science of recovering digital evidence from a mobile phone under forensically sound conditions
Chapter 13 Summary
Mobile storage and evidence locations include: internal memory, SIM card, and external memory
Mobile subscriber identification number (MSIN)
Mobile subscriber identification number (MSIN): a 10-digit number, also known as the MIN (mobile identification number), that helps identify the mobile phone service provider within a mobile carrier network.
Network:
Network: To communicate with the network, the data must pass through the various network layers to reach its destination.
The investigator must follow steps before performing a forensic investigation:Notify Decision Makers and Acquire Authorization
Notify Decision Makers and Acquire Authorization Decision makers are authorities who implement the policies and procedures for handling an incident. The decision maker must be notified for the authorization when written incident response policies and procedures do not exist.
Operating system:
Operating system: handles scheduling of multiple tasks, memory management, synchronization, and priority allocation. It also provides interfaces for communication between the application layer, middleware layer, and hardware.
Phone API
Phone API provides telephony services related to the mobile carrier operator such as making calls, receiving calls, and SMS. All phone APIs appear at the application layer.
Radio interface, gateway, and network interface:
Radio interface, gateway, and network interface: A mobile device communicates with the network operator through interfaces such as the radio interface, gateway, and network interface in order to establish safe and secure communication.
The investigator must follow steps before performing a forensic investigation: Review Policies and Laws
Review Policies and Laws Before starting the investigation process, investigators need to understand the laws pertaining to the investigation. They must also be aware of the potential concerns associated with Federal laws, State statutes, and local policies and laws before beginning the investigation.
The investigator must follow steps before performing a forensic investigation: Risk Assessment
Risk Assessment Risk assessment measures the risk associated with the mobile data, estimating the likelihood and impact of the risk. Risk assessment is an iterative process and it assigns priorities for risk mitigation and implementation plans.
Here are some of the tools a forensic investigator requires as a part of a forensic toolkit: Root Tools Android
Rooting Tools
• Android
  o OneClickRoot
  o Kingo Android ROOT
  o Towelroot
  o RescuRoot
Chapter 13 Summary
Rooting/Jailbreaking provides privileged control (known as "root access") within the device's subsystem, enabling data acquisition
Cellular Components: SIM
SIM - Subscriber Identity Module: can store data such as contacts, messages, and time stamps. It also contains technical information such as the Integrated Circuit Card ID (ICCID), International Mobile Subscriber Identity (IMSI), last dialed numbers, service provider name, etc.
Mobile Storage/Evidence: SIM Card Memory:
SIM Card Memory: data stored in the SIM card memory like address books, messages, and service-related information
Android Libraries: cont
SQLite: the database engine that stores data on Android devices
OpenGL/ES and SGL: used to render 2D (SGL) or 3D (OpenGL/ES) graphics to the screen
FreeType: renders bitmap and vector fonts
Service Provider Network (SPN)
Service Provider Network (SPN) defines the SIM card's service provider
Here are some of the tools a forensic investigator requires as a part of a forensic toolkit: Software Tools
Software Tools:
• SEARCH Investigative Toolbar
• SIMiFOR ASC
• 001Micron Data Recovery
• *SIM Explorer
• BitPim
• *Oxygen Forensics Analyst
• Paraben's Sim Card Seizure
• *MOBILedit! Forensic
• TULP2G
• iDEN Phonebook Manager
• SUMURI's PALADIN
• floAt's Mobile Agent
• XRY Logical & XRY Physical
• Forensic Explorer - for file carving
• Scalpel - file carving for iPhone
• Phone Image Carver
• *Blade Professional
Chapter 13 Summary
Standard tools such as Cellebrite UFED Touch can be used to prepare a mobile forensics report
GUI API
The GUI API is responsible for creating menus and sub-menus when designing applications. It acts as an interface on which the developer can build other plugins.
The best practices to get authorization and define the course of action are as follows:
The best practices to get authorization and define the course of action are as follows: • An authorized decision maker should be chosen to obtain authorization for conducting the investigation.
Cellular Networks Components: Time Division Multiple Access (TDMA):
Time Division Multiple Access (TDMA): a single-frequency channel provided to multiple users over divided time slots.
Mobile Top Threats
Top Threats
• Web/network-based attacks
• Malware
• Social Engineering
• Resource Abuse
• Data Loss
• Data Integrity threats
Cellular Networks Components: Universal Mobile Telecommunications System (UMTS):
Universal Mobile Telecommunications System (UMTS): This is a 3-G mobile phone technology (upgrade to 4-G) that uses W-CDMA as the underlying interface.
Cellular Networks Components: Unlicensed Mobile Access (UMA):
Unlicensed Mobile Access (UMA): UMA or the Generic Access Network (GAN) enables mobile services such as voice, IP Multimedia Subsystem/Session Initiation Protocol (IMS/SIP applications), and data to access IP networks.
Cellular Components: Visitor Location Register (VLR):
Visitor Location Register (VLR): This is the database used in conjunction with the HLR for mobile phones roaming outside of their service area. It contains the current location of the mobile user as well as the Temporary Mobile Subscriber Identity (TMSI).
Android Libraries: cont
WebKit: the browser engine used to display web pages
Libc: a C system library tuned for embedded Linux-based devices
Core Java: provides almost all the functionality stated in the Java software edition libraries
iOS Architecture
iOS Architecture
1. No direct access to hardware
2. OS contains 4 abstraction layers (500MB+)
3. Core OS: low-level services
4. Core services: foundation for the upper layers (iCloud, dispatch, in-app purchases, etc.)
iOS Boot Process
iOS Boot Process
1. BootRom initializes some components and checks the signature of the LLB (low-level bootloader)
2. LLB is loaded and checks the signature of iBoot (stage-2 boot loader)
The best practices to get authorization and define the course of action are as follows: cont
• All the events occurring and decisions taken at the time of the incident and incident response should be documented. Investigators can use these documents in court proceedings to determine the course of action.
Here are some of the tools a forensic investigator requires as a part of a forensic toolkit: Software Tools: cont
• Autopsy
• FTK Imager/EnCase/Smart for imaging
• IExplorer - to bypass iPhone passcode
• *ViaExtract ADB - bypass Android passcode
• SIMIS 2.0
• SIMulate
• SIMXtractor
• Last SIM
• USIM Detective
• SIM Query
• SQLite Database extraction
• Andriller
SIM File System: Dedicated File (DF)
• Dedicated File (DF) - directories that can contain one or more EFs; holds only the header, which contains information related to file structure and security
The best practices to get authorization and define the course of action are as follows: cont
• Depending on the scope of the incident and the absence of any national security or life safety issues, the first priority is to protect the organization from further harm.
• After securing the organization, the services are reinstated, and the investigation of the incident is carried out.
SIM File System: Elementary Files (EF)
• Elementary Files (EF) - contain both a header and a body, which holds the actual data. Contains the serial number of the SIM.
SIM File System: Master File
• Master File - root of the filesystem; contains one or more DFs and/or one or more EFs. Identified by 3F00
Here are some of the tools a forensic investigator requires as a part of a forensic toolkit: Root Tools IOS
• iOS
  o PANGU JAIL BREAK
  o Redsn0w
  o Sn0wbreeze
  o GeekSn0w
International Mobile Equipment Identifier (IMEI): cont
AA: Reporting body ID that allocated the Type Allocation Code (TAC)
BBBBBB: remainder of the TAC (FAC)
CCCCCC: Serial sequence of the model (SNR)
D: Luhn check digit of the entire number, or 0 (CD)
Abbreviated dialing numbers (ADN)
Abbreviated dialing numbers (ADN): These are three-digit dialing numbers used for communication in an emergency.
Android Boot Process
Android Boot Process
1. Boot ROM is activated and loads the Boot Loader into RAM
2. Boot Loader initializes and then starts the Kernel
3. Kernel initializes interrupt controllers, memory protections, caches, and scheduling. The system can now use virtual memory and launch the user-space process (init)
Android Libraries
Android Libraries: native libraries that permit the device to manage various types of data
Surface Manager: manages windows owned by different applications running in different processes
Media framework: media codecs that allow the recording and playback of all media
Cellular Components:Authentication Center (AuC):
Authentication Center (AuC): stores the user's IMSI, encryption, and authentication keys.
Cellular Components: Base Station Controller (BSC)
Base Station Controller (BSC): It manages the transceiver's equipment and performs channel assignment. It is part of the GSM architecture, which controls one or more base transceiver stations and the cell site's radio signals in order to reduce the load on the switch.
Cellular Components: Base Station Subsystem (BSS):
Base Station Subsystem (BSS): This is one of the major sections of a cellular network. It controls the BSC and BTS units. It is responsible for handling traffic, network switching system and signaling between cell phones.
Cellular Components:Base Transceiver Station (BTS)
Base Transceiver Station (BTS): equipment that provides the user with wireless communication between the mobile phone and the network.
The investigator must follow steps before performing a forensic investigation: Build a Forensics Workstation
Build a Forensics Workstation Investigators build forensic workstations to perform forensic investigation on mobile devices. The workstation includes hardware and software tools in the lab such as laptop or desktop computer, USB connector, FireWire, mobile forensics toolkit, cables (including Bluetooth and IR), SIM card reader, and micro-SD memory card reader.
Chapter 13 Summary
Diversity in the mobile OS architecture may impact forensics analysis process
Electronic Serial Number (ESN)
Electronic Serial Number (ESN): a unique 32-bit number placed on a chip inside a CDMA phone by the manufacturer. There are two formats: 8 bits for the manufacturer code and 24 bits for the serial number, or 14 bits for the manufacturer code and 18 bits for the serial number
Cellular Networks Components: Enhanced Data Rates for GSM Evolution (EDGE)
Enhanced Data Rates for GSM Evolution (EDGE): a backward-compatible digital mobile phone technology that provides improved data transmission rates. It delivers high bit-rates per radio channel, which can be used for any packet-switched application.
Cellular Components: Equipment Identity Register (EIR):
Equipment Identity Register (EIR): database that contains a list of devices with their IMEI numbers. A mobile network operator (MNO) can query the EIR to track the IMEI of a mobile device, check whether it is valid (whitelisted) or suspected or stolen/blocked (blacklisted), and take action if required.
Mobile Storage/Evidence: External Memory:
External Memory: data stored in SD card, MiniSD Card, MicroSD, etc. It stores personal information such as audio, video, and images.