Mobile device and cell phone forensics is a field of Digital Forensics that is growing by leaps and bounds. Mobile phone data can be used as evidence in court, as occurred during the recent murder trial of Scott Peterson and sexual assault scandal  at Duke University.

Another example: in 2013, five drug-addicted robbers invaded the house of a woman in Madison, Wisconsin. They looted a considerable amount of money and committed assault. The robbers used a Nokia Lumia 520, running Windows Phone 8, when they planned this robbery. This cell phone was discovered from a co-conspirator and contained very useful information such as SMS texts, Facebook messages, and recent phone calls. Investigators also found a video of the gun used in the crime scene. In a nutshell, the data extracted from a Nokia Lumia 520 helped the criminal investigators and forensic specialists to reach a conclusive end.

The forensic analyst may encounter different types of mobile device hardware during an investigation process. Every mobile company releases different models with variation in size, features, and technical specifications. Mobiles may have different operating systems such as Apple iOS, Android, and Windows Phone. An operating system is a primary factor during the analysis and data acquisition of a cell phone.

What hardware components are a part of mobile devices?

The hardware components of mobile devices include Central Processing Unit (CPU), batteries, Random Access Memory (RAM), Read Only Memory (ROM), removable storage such as memory cards, input components such as mouthpiece or keyboard, and output components such as earpiece or screen. The study of these components is helpful in the CCFP exam.

Students need to know that the relevant data for forensic purposes is stored in memory. To access this data, the understanding of input and output interfaces is necessary. In some cases, the data is retrieved manually from the device. However, to perform advanced analysis or to recover deleted data, specific tools are required to interact with the mobile device.

In some circumstances, important information is accessed from a cell phone through a cable connected to the data port. But in other situations, a connector must be directly attached to mobile circuit board to attain all the necessary pieces of information required in the court.

SIM Cards

When carrying out a forensic examination on a GSM mobile device, it is important to investigate the contents of its associated Subscriber Identity Module, or SIM card. SIM cards consist of microprocessor, and 16KB to 4MB and even 1 GB Electronically Erasable Programmable Read Only Memory (EEPROM).Some mobile devices feature dual SIM cards with increasing data storage capacity. SIM cards may contain important pieces of information for forensic analysis. Additionally, many mobile devices leave useful remnants of files when users delete data from SIM cards.

SIM cards feature a relatively straightforward and hierarchical data storage structure. There is a one Master File (MF) on the SIM card that includes references to all other files on the same SIM card. The address of each file is represented by using a unique 2-byte hexadecimal value. The First byte indicates whether it is a Master File (MF), Elementary File (EF), or Dedicated File (DF).

Figure 1 shows SIM file structure: The Elementary Files (EFs) under GSM and DCS1800 under Dedicated Files (DFs) that contain network data on different frequency bands.

The technical specification of GSM (GSM 11.11) defines the contents of each file and gives some of them a common name. For example, the directory 3F00:7F11 is named as DFTELECOM and includes service-related information, containing last numbers dialed and user-created SMS messages. Likewise, the common names are also attributed to some Elementary files. For instance, 3F00:7F20:6F06 is named as EFIMSI (stores IMSI) and 3F00:2FE1 is named as EFICCID (stores ICC-ID).

Data can be extracted from the SIM cards through some tools available for this purpose. For example, Netherland Forensic Institute developed a freeware tool named TULP2G in this regard.

Table 1 shows the useful pieces of information and their location on the SIM cards that are demanded during forensic examination.

The evidence cannot be collected if the power of the mobile device has been lost, because it may require a PIN code to restart. In fact, most users assign the original PIN code to the SIM card and that code is necessary to access useful information. In this case, the user manual and other important documentation are used to access the SIM card.

What are the types of Mobile Networks?

While traditional forensic analysis of mobile data, network examination can produce very useful information. Forensic analysts collect data, such as user’s actions, by finding out connection logs and other empirical evidence. However, the understanding of the types of mobile networks is necessary in this regard. Mobile phone industry uses many digital networks. The most popular networks include GSM, EDGE, UMTS, LTE, and iDEN.

GSM, or Global System for Mobile Communication, was developed in Europe, especially by Nokia and Ericsson. T-Mobile and AT&T use GSM network in the United States and is standard in Asia and Europe.

EDGE, or Enhanced Data GSM Environment, is the speediest version of GSM and is developed to transmit data quickly. AT&T first initiated EDGE in the United States in 2003

UMTS, or Universal Mobile Telecommunications System, is a 3rd generation mobile network based on GSM standards. UMTS offers an excellent bandwidth and efficiency to mobile users by using Wideband Code Division Multiple Access (W-CDMA) technology. Unlike Edge, UMTS needs new frequency allocation and new base stations.

4G LTE, or 4G Long Term Evolution, is the successor to UMTS and GSM. LTE shares several architectural and administrative elements with its predecessors, UMTS and GSM. The operators have the choice to run multi-RAT services, such as 4G, 3G, and 2G, in parallel. LTE, now, has become world’s most dominant 4G technology.

iDEN, or Integrated Digital Network, is Motorola’s protocol that combines various services, including data transmission into one network.

What are the types of Mobile Operating Systems?

An operating system has a paramount importance during data acquisition of a mobile device. It offers a lot of features starting from a low-end mobile device to smartphone. The mobile operating system directly affects how the investigator can access the mobile phone. For instance, Android operating system provides terminal-level access, while iOS doesn’t provide this option. Presently, there is a variety of mobile devices with different mobile operating systems that make mobile forensics a complex task, because some forensic techniques may be effective for particular operating system versions, but they may be useless for their successors.

The most dominating operating systems in the mobile industry include Google Android, Windows Phone, and Apple iOS.

Android is a Google’s open source platform designed for mobile devices and was released in 2007. It is widely used mobile operating system in the handsets industry. The Android operating system runs on a Linux-based kernel which supports core functions, such as power management, network infrastructure, and device drivers. Android’s Software Development Kit (SDK) contains a very significant tool for generic and forensic purposes, namely, Android Debug Bridge (ADB). ADB employs USB connection between a computer and a mobile device. Furthermore, ADB offers a terminal interface that can perform rooting and memory image extraction. After rooting the device, a third-party forensic tool can easily be installed.

Apple iOS is the UNIX-based operating system first released in 2007. It is a universal OS for all Apple’s mobile phones, such as iPhone, iPod touch, and iPad. An iOS embedded device retrieved from a crime scene can be a rich source of empirical evidence. According to various news sources, the iPad device of Oscar Pistorius was inspected by forensic specialist and presented in the court during his girlfriend’s murder trial.

There are different data acquisition methods for iOS phones that include:

  • Potential bypasses and password protection
  • Logical acquisition
  • File system acquisition
  • Physical acquisition
  • Operating modes of iOS device

Data acquisition for iOS can be performed on a Mac as well as on a Windows system. The forensic tools, compatible with Mac and Windows operating systems, leverage iTunes during the data acquisition process. Before every investigation, iTunes’ fresh installation is necessary to prevent cross-contamination of data.

Windows Phone, developed by a Microsoft, is a proprietary mobile operating system for Pocket PCs and smartphones. It was first introduced in 2010. Like Windows OS, Windows phone also maintains registry entries, a database where environment variables are stored on the OS. While inspecting the Windows phone, the forensic analyst would like to look at the files and directories, such as NTUSER.dat, SECURITY, SOFTWARE, SYSTEM, SAM, and DEFAULT directories.

Computer Forensics Training

Need Some Help?

If you are trying for the Certified Cyber Forensics Professional (CCFP) and CCFE examination, InfoSec Institute grants you an Authorized Computer Forensics Boot Camp Course that teaches you the necessary skills to examine the computer crimes and threats.

InfoSec also provides thousands of articles on security topics.

Be Safe

Section Guide

Fakhar
Imam

View more articles from Fakhar

You'll leave InfoSec Institute's Computer Forensics course with 3 industry certifications!

Section Guide

Fakhar
Imam

View more articles from Fakhar
[i]
[i]