Feature Phone Forensics
A feature phone is a wireless mobile device with more features than a basic cell phone but fewer capabilities than a smartphone.
Feature phones typically provide voice calling, text messaging, and MMS support. They also offer basic multimedia and internet browsing capabilities, as well as other services offered by the subscriber's service provider.
Feature phones and basic mobile phones tend to use exclusive software that is custom-designed for a specific user interface. In contrast, smartphones often use a specially designed mobile operating system that shares common traits across devices.
The technology and hardware of feature phones may seem obsolete, but for a forensic examiner digital evidence lays the foundation of any investigation, so the examiner has to be equipped with tools and techniques that support obsolete as well as current technologies.
At some point a forensic examiner may have to carry out a feature phone investigation, particularly in cases involving terrorism, hacking, espionage and the like.
Figure 1: Feature Phone
Figure 2: Smartphone
Feature phones were the first mobile phones to be developed. They offered limited functions such as calling and messaging. Data that can be extracted includes SMS messages, contacts, installed applications, GPS data, emails, and deleted data, but there are many dependencies and challenges in performing forensics on feature phones. This document covers the forensic aspects of feature phones across different models and vendors.
Digital evidence is data that supports or refutes a hypothesis about digital events. Collecting, preserving, and analyzing digital evidence for presentation in court must be done in a forensically sound manner. Preserving a mobile device without altering any data is nearly impossible because the device constantly exchanges data over cellular networks, Wi-Fi, or Bluetooth. That is why every step, from seizure through collection, preservation, and analysis to presentation in court, must be documented in detail.
As technology advances, some features that are no longer new on smartphones are handed down to feature phones while new technologies are introduced on smartphones. The classification table below further draws the line between the two types of devices based on their hardware:
Characteristics of a feature phone:
The characteristics of a feature phone are best described by comparing its hardware and software configuration with that of a smartphone, which gives a more complete understanding of feature phones.
Along with these hardware differences, many things on the software side serve to differentiate between the two. Though a few basic features such as voice calling, text messaging, and a few personal information management applications like the phonebook and calendar are similar, smartphones employ a lot of PC-like activities owing to the high-resolution display, computing capacity, and the wide variety of applications available. The table below differentiates between smartphones and feature phones on the software front.
The operating system of a feature phone is completely closed, and no documentation for it is published by the manufacturer. Smartphones, on the other hand, run a multitasking operating system that is either proprietary or open source. Because feature phones have closed-source operating systems, the development costs are borne by the manufacturer itself, which hires the developers and directs the project.
Anatomy of a Feature Phone
Memory in Feature Phones
Mobile device memory can be categorized into two sections:
- Volatile memory: the RAM of the device, which is accessible to all applications without user permission and is lost when the device loses power.
- Non-volatile memory: persistent memory that retains its contents through power loss. This is the memory type that stores all of the data on a mobile device.
Non-volatile memory is further classified into NOR flash and NAND flash. NOR memory is faster to access and considered more secure, while NAND provides higher storage capacity and sequential access.
Feature phones were the first mobile devices to carry NOR flash memory and RAM. In the first generation of mobile memory configurations, both user and system information were stored in NOR memory and copied completely into RAM at boot for faster operation.
Identity modules (commonly known as SIM cards) are synonymous with mobile devices that interoperate with GSM cellular networks. Under the GSM framework, a mobile device is referred to as a Mobile Station and is partitioned into two distinct components: the Universal Integrated Circuit Card (UICC) and the Mobile Equipment (ME). A UICC, commonly referred to as an identity module (e.g., Subscriber Identity Module [SIM], Universal Subscriber Identity Module [USIM], CDMA Subscriber Identity Module [CSIM]), is a removable component that contains essential information about the subscriber. The ME and the radio handset portion cannot fully function without a UICC. The UICC's main purpose is authenticating the user of the mobile device to the network, providing access to subscribed services. The UICC also offers storage for personal information, such as phonebook entries, text messages, last numbers dialed (LND) and service-related information.
The UICC partitioning of a mobile device stipulated in the GSM standards has brought about a form of portability. Moving a UICC between compatible mobile devices automatically transfers the subscriber's identity and some of the associated information (e.g., SMS messages and contacts) and capabilities. In contrast, 2G and 3G CDMA mobile devices generally do not contain a UICC card. Analogous UICC functionality is instead directly incorporated within the device. A UICC can contain up to three applications: SIM, USIM, and CSIM. UICCs used in GSM and UMTS mobile devices use the SIM and UMTS SIM (USIM) applications, while CDMA devices use the CSIM application. A UICC with all three applications provides users with additional portability through the removal of the UICC from one mobile device and insertion into another. Because the SIM application was originally synonymous with the physical card itself, the term SIM is often used to refer to the physical card instead of UICC. Similarly, the terms USIM and CSIM can refer to both the physical card as well as the respective applications supported on the UICC.
At its core, a UICC is a special type of smart card that typically contains a processor and between 16 and 128 KB of persistent electronically erasable, programmable read-only memory (EEPROM). It also includes RAM for program execution and ROM for the operating system, user authentication and data encryption algorithms, and other applications. The UICC's file system resides in persistent memory and stores data such as phonebook entries, text messages, last numbers dialed (LND) and service-related information. Depending on the mobile device used, some information managed by applications on the UICC may coexist in the memory of the mobile device. Information may also reside entirely in the memory of the mobile device instead of in the memory reserved for it in the file system of the UICC.
The UICC operating system controls access to elements of the file system. Actions such as reading or updating may be permitted or denied unconditionally, or allowed conditionally with certain access rights, depending on the application. Rights are assigned to a subscriber through 4- to 8-digit Personal Identification Number (PIN) codes. PINs protect core subscriber-related data and certain optional data.
A preset number of attempts (usually three) are allowed for providing the correct PIN code to the UICC before further attempts are blocked completely, rendering communications inoperative. Only by providing a correct PIN Unblocking Key (PUK) may the value of a PIN and its counter be reset on the UICC. If the number of attempts to enter the correct PUK value exceeds a set limit, normally ten, the card becomes blocked permanently. The PUK for a UICC may be obtained from the service provider or network operator by providing the identifier of the UICC (i.e., Integrated Circuit Chip Identifier or ICCID). The ICCID is normally imprinted on the front of UICC, but may also be read from an element of the file system.
UICCs are available in three different size formats: Mini SIM (2FF), Micro SIM (3FF), and Nano SIM (4FF). The Mini SIM, with a width of 25 mm, a height of 15 mm, and a thickness of 0.76 mm, is roughly the footprint of a postage stamp and is currently the most common format used worldwide. Micro (12 mm x 15 mm x 0.76 mm) and Nano (8.8 mm x 12.3 mm x 0.67 mm) SIMs are found in current smartphone devices (e.g., the iPhone 5 uses the 4FF).
Though similar in dimension to a miniSD removable memory card, UICCs follow a different set of specifications with vastly different characteristics. For example, their pin connectors are not aligned along the bottom edge as with removable media cards but instead form a contact pad integral to the smart card chip, which is embedded in a plastic frame, as shown in the figure. UICCs also employ a broad range of tamper resistance techniques to protect the information they contain.
The slot for the UICC is normally not accessible from the exterior of the mobile device, unlike a memory card slot, which discourages casual insertion and removal. Instead, it is typically found beneath the battery. When a UICC is inserted into a handset and pin contact is made, a serial interface is used for communicating with it.
In most cases, the UICC should be removed from the handset first and read using a Personal Computer/Smart Card (PC/SC) reader. Removal of the UICC provides the examiner with the ability to read additional data that may be recovered (e.g., deleted text messages).
Authenticating a device to a network securely is a vital function performed via the UICC. Cryptographic key information and algorithms within the tamper-resistant module provide the means for the device to participate in a challenge-response dialogue with the network and respond correctly, without exposing key material and other information that could be used to clone the UICC and gain access to a subscriber's services. Cryptographic key information in the UICC also supports stream cipher encryption to protect against eavesdropping on the air interface.
A UICC is similar to a mobile device as it has both volatile and non-volatile memory that may contain the same general categories of data as found on a mobile device. It can be thought of as a trusted sub-processor that interfaces with a device and draws power from it. The file system resides in the non-volatile memory of a UICC and is organized as a hierarchical tree structure.
For example, the SIM application's file system is composed of three types of elements: the root of the file system (MF), subordinate directory files (DF), and files containing elementary data (EF). Figure 3 illustrates the structure of the file system. The EFs under DF_GSM and DF_DCS1800 contain mainly network-related information for different frequency bands of operation. The EFs under DF_TELECOM contain service-related information.
Various types of digital evidence may exist in elementary data files scattered throughout the file system and be recovered from a UICC. Some of the same information held in the UICC may be maintained in the memory of the mobile device and encountered there as well. Besides the standard files defined in the GSM specifications, a UICC may contain non-standard files established by the network operator.
Digital evidence found in the standard elementary files of a UICC includes the following:
- Service-related information, including the unique identifiers of the UICC: the Integrated Circuit Card Identification (ICCID) and the International Mobile Subscriber Identity (IMSI).
- Phonebook and call information, known respectively as the Abbreviated Dialing Numbers (ADN) and Last Numbers Dialed (LND).
- Messaging information, including both Short Message Service (SMS) text messages and Enhanced Messaging Service (EMS) simple multimedia messages.
- The USIM application supports the storage of links to incoming (EF_ICI) and outgoing (EF_OCI) calls. EF_ICI and EF_OCI entries are each stored in two bytes: the first points to a specific phonebook and the second to an abbreviated dialing number (EF_ADN) entry.
- Location information, including Location Area Information (LAI) for voice communications and Routing Area Information (RAI) for data communications.
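The identifiers and phonebook entries listed above are stored in the UICC's elementary files as nibble-swapped BCD. The following decoder is an added example, not code from the original article: it decodes EF_ICCID, EF_IMSI and a single EF_ADN record as read from a PC/SC reader, using constructed sample records, and treats the alpha identifier's basic Latin range as ASCII rather than carrying a full GSM 7-bit table.

```python
"""Decoders for three of the UICC elementary files named above: EF_ICCID, EF_IMSI
and one EF_ADN (phonebook) record.  Byte layouts follow 3GPP TS 51.011 / TS 31.102
(nibble-swapped BCD).  The raw records below are constructed, not read from a card."""
from typing import Optional

# Extended BCD: nibbles 0xA-0xE stand for * # a b c in dialling numbers; 0xF is filler.
_EXT_BCD = "0123456789*#abc"


def _swapped_bcd(data: bytes) -> str:
    """Decode nibble-swapped BCD: the low nibble of each byte is the earlier digit.
    Decoding stops at the first 0xF filler nibble."""
    digits = []
    for b in data:
        for nibble in (b & 0x0F, b >> 4):
            if nibble == 0x0F:
                return "".join(digits)
            digits.append(_EXT_BCD[nibble])
    return "".join(digits)


def decode_iccid(raw: bytes) -> str:
    """EF_ICCID is a 10-byte transparent file holding up to 20 BCD digits."""
    if len(raw) != 10:
        raise ValueError("EF_ICCID must be exactly 10 bytes")
    return _swapped_bcd(raw)


def decode_imsi(raw: bytes) -> str:
    """EF_IMSI: byte 0 = length of the IMSI body in bytes; byte 1 low nibble = parity
    (bit 4 set for an odd digit count), high nibble = first digit; the rest is swapped BCD."""
    body = raw[1:1 + raw[0]]
    odd_digit_count = bool(body[0] & 0x08)
    imsi = str(body[0] >> 4) + _swapped_bcd(body[1:])
    if (len(imsi) % 2 == 1) != odd_digit_count:
        raise ValueError("IMSI parity nibble disagrees with decoded digit count")
    return imsi


def _decode_alpha(raw: bytes) -> str:
    """Alpha identifier: a leading 0x80 tag means UCS2 big-endian follows; otherwise the
    GSM 7-bit default alphabet, whose basic Latin letters and digits share ASCII codes
    (assumption: adequate for the constructed sample, not a full GSM alphabet table)."""
    raw = raw.rstrip(b"\xff")
    if raw[:1] == b"\x80":
        return raw[1:].decode("utf-16-be")
    return raw.decode("ascii", errors="replace")


def decode_adn_record(record: bytes) -> Optional[dict]:
    """EF_ADN record = alpha identifier (X bytes) + 1 length byte + 1 TON/NPI byte +
    10 BCD number bytes + CCP + Ext1, so X = len(record) - 14.  An unused record is all 0xFF."""
    if all(b == 0xFF for b in record):
        return None
    alpha_len = len(record) - 14
    name = _decode_alpha(record[:alpha_len])
    bcd_len = record[alpha_len]            # counts the TON/NPI byte plus the number bytes
    ton_npi = record[alpha_len + 1]
    if bcd_len in (0, 0xFF):
        return {"name": name, "number": "", "international": False}
    number = _swapped_bcd(record[alpha_len + 2: alpha_len + 1 + bcd_len])
    international = (ton_npi >> 4) & 0x07 == 1   # type-of-number 001 = international
    return {"name": name, "number": ("+" if international else "") + number,
            "international": international}


# Constructed samples (not taken from a real card).
ICCID_SAMPLE = bytes.fromhex("984411008610325476f8")            # 8944110068012345678
IMSI_SAMPLE = bytes.fromhex("083901511032547698")               # 310150123456789
ADN_SAMPLE = b"Alice" + b"\xff" * 9 + bytes.fromhex("06914421436587") + b"\xff" * 7
ADN_UCS2_SAMPLE = (b"\x80" + "Bob".encode("utf-16-be") + b"\xff" * 7
                   + bytes.fromhex("06914421436587") + b"\xff" * 7)

if __name__ == "__main__":
    print("ICCID", decode_iccid(ICCID_SAMPLE))
    print("IMSI ", decode_imsi(IMSI_SAMPLE))
    for rec in (ADN_SAMPLE, ADN_UCS2_SAMPLE, b"\xff" * 28):
        print("ADN  ", decode_adn_record(rec))
```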
List of widely used feature phones:
Nokia: 1616, 1650, 1661, 1661-2b, 1680 Classic, 1800, 2720 fold, 2720a-2b, 2730 Classic, 2760, 3109 Classic, 3110 Classic, 1280
Samsung: SGH-C120, SGH-A127, SGH-M130L, SGH-A137, SGH-T139, SGH-J150, SGH-X150, SGH-X160, SGH-X166, SGH-X168, SGH-C170, GT-E1195, GT-E1230, SGH-E1310B, SGH-B2100
LG: KP175, KP202 i-mode, GB220, KG220, CG225, KG225, GB230 Julia, KG290, NTLG300GB, KG320, KG320S, KG328, L343i, KF350, KF600, KE800, KG800, KE850 Prada, KE970, Shine, C1100, L1100
Motorola: E1 ROKR, C113, C117, C118, C119, C115, C139, C140, V300, V303, V330, W375, E398, V400, V500, V505, V525, V551, V620, V635L, C975, E1000, V1050
Mobile Forensics Tools
Feature phone OSs are typically closed. Closed operating systems make interpreting their associated file system and structure difficult. Many mobile devices with the same operating system may also vary widely in their implementation, resulting in a myriad file system and structure permutations. These permutations create significant challenges for mobile forensic tool manufacturers and examiners.
The types of software available for mobile device examination include commercial and open source forensic tools, as well as non-forensic tools intended for device management, testing, and diagnostics. Forensic tools are typically designed to acquire data from the internal memory of handsets and UICCs without altering their content and to calculate integrity hashes for the acquired data. Both forensic and non-forensic tools often use the same protocols and techniques to communicate with a device; however, non-forensic tools may allow an unrestricted two-way flow of information and omit integrity hashing. Mobile device examiners therefore typically assemble a toolkit of both forensic and non-forensic tools.
The range of devices a tool supports is typically narrowed to distinct platforms, a specific operating system family, or even a single hardware architecture. Short product release cycles are the norm for mobile devices, requiring tool manufacturers to update their tools continually to keep offering examiners a working solution. The task is formidable, and support for newer models may lag significantly behind a device's introduction to the market. Older mobile devices, though out of date, can remain in use for years after their initial release, and models introduced into one national market may also be used elsewhere by exchanging the UICC of one carrier for that of another. This situation is likely to continue, keeping the cost of examination significantly higher than if a few standard operating systems and hardware configurations prevailed.
List of forensic tools for feature phones
TULP2G is a freeware tool developed in the Netherlands. The user interface is not attractive, but it is relatively simple and easy to use. Link: http://tulp2g.sourceforge.net/
MOBILedit Forensic was developed from a mobile phone manager program. Its reports are MD5 hashed so that any tampering can be detected. http://www.mobiledit.com/
Oxygen Phone Manager started out as a utility for editing the information on a mobile device from a computer.
P2K Commander: P2K Commander can browse the a, b, c and other volumes using the data or fax connection mode. It supports changing file attributes and all file operations. It also accesses photos, MP3 files and packet logging, and works with P2K05 phones over USBLan.
NSS Pro: Nokia Service Software Pro is a Windows tool that performs various service functions on Nokia phones from the workstation. It provides detailed phone information, factory reset, flashing, and software updates. It can read and reset the security code of supported phones, unlock the SIM, test the phone's features, and perform various other tasks.
Phoenix: a tool that performs various service functions on Nokia phones. It is used primarily for flashing Nokia devices but also performs various other tasks.
Flash and Backup is primarily used to upgrade Motorola firmware and restore the original configuration. It enables the examiner to recover all data and content from the phone memory and is considered an efficient tool for backing up and recovering data from Motorola mobile phones.
Analysis and Examination:
This section deals with the analysis of media, string searching, data recovery, and other detailed forensic analysis.
The examination process uncovers digital evidence, including evidence that may be hidden or obscured. Results are obtained by applying established, scientifically based methods and should describe the content and state of the data fully, including its source and potential significance. Data reduction, separating relevant from irrelevant information, takes place once the data is exposed. The analysis process differs from examination in that it looks at the results of the examination for their direct significance and probative value to the case. Examination is a technical process that is the province of a forensic specialist; analysis, however, may be performed by other roles, such as the investigator or the forensic examiner.
The examination process begins with a copy of the evidence acquired from the mobile device. Fortunately, compared with the traditional examination of PCs or network servers, the volume of acquired data to examine is considerably smaller for mobile devices. Because of the prevalence of proprietary case file formats, the forensic toolkit used for acquisition will normally also be the one used for examination. While interoperability between the acquisition and examination functions of different tools is possible, few tools support it. Examination with third-party tools is mostly accomplished by importing a mobile device memory dump into a mobile forensic tool that supports external device images.
The forensic examiner requires information about the case and the parties involved to provide a starting point for the evidence that may be found. Conducting the examination is a collaboration between the forensic examiner and the investigator: the investigator supplies knowledge of the kinds of data sought, while the forensic examiner provides the means to discover relevant data on the device.
The understanding gained by studying the case indicates the kind of information to target and the particular keywords or phrases to use when searching the acquired data. The approach varies with the type of case. For instance, in a case involving SMS or video, the examination may start by browsing all of the graphic images on the device, while a case relating to an Internet-related offense may start by reviewing all Internet history files.
Evidence Acquisition in feature phone:
Obtaining a physical copy of a feature phone's memory is a difficult task. No tool can reproduce a hash of the phone's memory contents directly from the device. A hash or checksum is a value computed over a file that provides integrity: it lets the examiner confirm that the acquired file has not been changed since the hash was taken.
There are a few ways to acquire evidence from a feature phone: a memory dump of the phone, direct access to the phone's file system, or AT commands.
Devices used: Motorola V620
A few tools can be used for dumping the memory of a feature phone. One free tool that supports both Linux and Windows, called axon7tool, can be downloaded from https://forum.xda-developers.com/axon-7/development/axon7tool-flash-backup-boot-recovery-t3514254
Flash and backup tools can be used for dumping the memory of a feature phone.
This can be downloaded from http://downloads.informer.com/flash-backup/
The examiner clicks on Read data, which shows the list of available code groups. Select the appropriate region groups or select all, then choose a backup format. The tool supports "SBF" (Single Binary File), which creates a single large file; "SMG" (binary files), which creates a separate file for each memory section; CAB-ZIP; and other formats.
Descriptions of the regions shown in the screenshot above:
- CG1 (Firmware) contains a hardware level operating system that has minimal data.
- CG2 (Flex) contains applications and data on the device, a crucial area for analysis.
- CG3 (DSP Firmware) contains the digital signal processor firmware, which handles audio during conversations.
- CG4 (Langpack) contains fonts.
- CG15 (DRM graphics) contains all the icon files on the device.
- CG18 (Digital Sign) contains the digital signature of the phone.
Accessing and analyzing file system:
File system analysis depends on the file system used by the feature phone. Depending on the file system, the modding community creates file manager applications that support the respective file system.
One such file system is Paragon 2000 (P2K), used in Motorola feature phones; P2K Commander is used to recover data from the device.
P2K Commander version 5 can be downloaded from the following URL: http://www.e398mod.com/index.php?option=com_content&view=article&id=60/28/
P2K Commander can browse the a, b, c and other volumes using the data or fax connection mode.
It supports changing file attributes and all file operations, accesses photos, MP3 files and packet logging, and works with P2K05 phones over USBLan.
Once P2K Commander is installed, run it with the phone connected. It will take a moment to read all the files on the device under the /a root directory.
The following sections discuss methods for bypassing an obstructed mobile device, one that requires successful authentication with a password or other means before granting access. Several ways exist to recover data from an obstructed device; they fall into three classes: software-based, hardware-based, and investigative. Basic obstructed devices include those with missing identity modules, PIN-enabled UICCs, or an enabled handset lock. Password-locked and encrypted memory cards give the user an additional means of securing data and may make recovery of that data more complex. Content encryption is offered as a standard feature on many mobile devices or may be available through add-on applications. Both software- and hardware-based techniques are usually directed at a specific device or a narrow class of devices. As mobile forensic tools have matured, they have begun to provide automated functions that let examiners bypass many security mechanisms as part of the product; for example, a small number of tools offer an automated function to recover passwords from a locked device. When developing a technique, the following areas describe activities that should be considered in deciding on a possible approach.
Security Lock bypassing
Fetching Motorola security code:
In most cases the phone is found locked and the examiner needs to get past the lock. On some feature phones the lock does not completely block access to the file system.
P2K Commander, P2K Advanced Editor, SmartMoto, Triplets Too Combination, and Nokia PC Suite with NSS Pro are some of the tools that can be used to extract the lock code. Motorola feature phones keep their configuration in "SEEM" records, and the Phone_Unlock_Code is held in SEEM 0074; this works on the following versions:
Motorola V3 Razr
In P2K Advanced Editor, go to the menu bar: Phone Services > Passwords to read the lock code.
Fetching Nokia security code:
Download Nokia PC Suite and NSS Pro from http://www.genieprojects.co.uk/files/NssPro_0.54.zip
Run NssPro.exe and make sure the phone is detected. In the Phone Management section there is a button labelled "User code" under Action.
Click "User code"; the tool proceeds through "init connection…".
NssPro reads the connected Nokia phone and tries to display its lock code under the Phone Management section as "Possible code".
Many other tools support flashing, reset and recovery, some of them published by Nokia itself. One is the Nokia Care Suite (NCS), a full-fledged tool that supports Nokia devices. Another is JAF from ODEON; J.A.F. is used with the PKEY emulator on a Windows workstation with Nokia PC Suite and .NET Framework 2.0 installed. One way of flashing a Nokia device is with the Phoenix tool (PSS): install Phoenix on Windows and connect the Nokia phone. Once the connection is established, click on Flashing in the menu bar, select the appropriate product code and firmware, and then click 'Refurbish'.
Accessing the phone book:
The Motorola phonebook can be accessed from the file system: copy everything from the /a/mobile directory to the analysis host and run strings on each file. On a Motorola phone, the file named DL_DMH_File is most likely the phonebook.
Accessing SMS messages from feature phone:
On a Motorola phone, SMS messages may hold information of interest to the examiner. SMS retrieval depends on where the messages are stored, namely on the SIM card or in phone memory. Drafts and the Outbox are generally saved in phone memory.
To get SMS messages from a Motorola phone, simply copy SEEM 007D to the host with P2K Commander.
This may consist of a list of files such as 007D_0001 to 007D_009F. Once the files are copied to the host machine, they can be searched for data with the strings command.
To find out what messages were exchanged with the number 123456789, use the following command:
"I was the reason for the ransom ware in the XYZ company."
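The copy, hash, strings and search workflow described above, as an added Python example that is not part of the original article: the SEEM 007D record files are constructed stand-ins for files copied with P2K Commander, and the extra pass for 16-bit-wide (UTF-16LE) text is an added assumption, since the article does not say how message bodies are encoded.

```python
"""Offline version of the SMS workflow above: copy the SEEM 007D record files to the
analysis host, hash each one, pull printable strings and search them for a number.
The dumps below are constructed stand-ins, not real SEEM contents."""
import hashlib
import re
from typing import Dict, List


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Return printable ASCII runs of at least min_len chars (what `strings -n` prints),
    followed by 16-bit-wide (UTF-16LE) runs, which a plain `strings` pass misses.
    Scanning UTF-16LE is an added precaution; the article does not state the encoding."""
    narrow = re.findall(rb"[ -~]{%d,}" % min_len, data)
    wide = re.findall(rb"(?:[ -~]\x00){%d,}" % min_len, data)
    return [r.decode("ascii") for r in narrow] + [w.decode("utf-16-le") for w in wide]


def sha256_hex(data: bytes) -> str:
    """Hash every file before examination so the copy can later be shown to be unaltered."""
    return hashlib.sha256(data).hexdigest()


def search_dumps(dumps: Dict[str, bytes], needle: str, min_len: int = 4) -> List[dict]:
    """Return one entry per record file whose strings mention `needle`, carrying the
    file's hash and every string from that record so the message text stays with the number."""
    matches = []
    for name in sorted(dumps):
        data = dumps[name]
        strs = extract_strings(data, min_len)
        if any(needle in s for s in strs):
            matches.append({"file": name, "sha256": sha256_hex(data), "strings": strs})
    return matches


# Constructed record files: a short binary header, the correspondent's number as ASCII,
# then the message body (UTF-16LE in the first, ASCII in the second) and 0xFF padding.
SAMPLE_DUMPS = {
    "007D_0001": (bytes.fromhex("01007d00ffff") + b"+49123456789\x00\x00"
                  + "Meet at the usual place".encode("utf-16-le") + b"\xff" * 8),
    "007D_0002": (bytes.fromhex("01007d00ffff") + b"+441234000111\x00\x00"
                  + b"Invoice attached" + b"\xff" * 8),
    "007D_0003": b"\xff" * 40,          # unused record
}

if __name__ == "__main__":
    for hit in search_dumps(SAMPLE_DUMPS, "49123456789"):
        print(hit["file"], hit["sha256"][:16], hit["strings"])
```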
Accessing SIM card and its data on feature phone:
A SIM is used in mobile devices to uniquely identify a subscriber on the network. Each SIM card holds a small amount of information, so the examiner may look for phonebook entries, SMS messages, and other data on the SIM card.
Data from a SIM card can be fetched with a SIM card reader, which can read the phonebook, SMS messages and other data present on it.
The SIM card reader reads the SIM and opens up the SIM editor for viewing the Phonebook and SMS entries.
This makes it possible to recover deleted SIM card data.
Accessing recent calls
On a Motorola device the recent call list is stored in the phone's file system; P2K Commander is required to access the relevant entries.
The recent call entries are stored in the SEEM 0038 and SEEM 0039 sections.
Accessing the calendar of a feature phone:
Sometimes the calendar may contain sensitive data regarding meetings, activities, etc. that may be helpful for social engineering.
Accessing the calendar is similar to accessing phonebook data. On a Motorola, the DL_DMH_File needs to be examined to identify calendar events.
Accessing web browser data:
If a feature phone has web browsing features, the browser data needs to be analyzed as well.
The device stores several browsing-related files at particular paths.
The following information and paths can be retrieved with P2K Commander:
- Browser cookies are stored at /a/cookie.txt
- Browsing history is stored at /a/final_hist.txt
- Browsing history is also stored at /a/mib_vlh
- Web browser details are stored at /a/uaprof_url.txt
As with the phonebook and web browser data, multimedia content can also be fetched from the file system. The multimedia content is located in different folders under the parent directory /a/mobile.
P2K Commander can be used to copy the multimedia content from the device.
The following is a list of multimedia folders:
P2ktoolsVS is the easiest tool to use for Motorola forensics and supports a wide range of Motorola devices. The software integrates all plugins in an easy-to-use GUI. Its features include a file manager with editing tools, a ringtone editor, a gain table editor, a web session editor, and everything else a Motorola P2K GSM phone would require. It also supports some of the latest Motorola models and versions.
In this document we have summarized the forensic steps to take when feature phones are in question, covering different feature phone models and how to perform forensic examinations on them. Although feature phones are being phased out, knowing how to examine them remains useful.