Chapter 20 ©2011 Eoghan Casey. Published by Elsevier Inc. All rights reserved. Forensic Examination of Mobile Devices (online only)

Chapter 20

©2011 Eoghan Casey. Published by Elsevier Inc. All rights reserved.

Forensic Examination of Mobile Devices (online only)

Figure 1.1

Copyright © 2011 Academic Press Inc.©2011 Eoghan Casey. Published by Elsevier Inc. All rights reserved.

FIGURE 20.1 A Nokia device with various identifiers, including its IMEI and part number. The bottom right shows a SIM card with the ICC-ID.

Figure 1.1


FIGURE 20.2 SIM cards of various sizes.

Figure 1.1


FIGURE 20.3 Details from GSMarena for iPhone 4.

Figure 1.1


FIGURE 20.4 SMS messages and other items from a Motorola V3 Razr acquired using BitPim.

Figure 1.1


FIGURE 20.5 Photographs acquired from a Windows Mobile device using XRY showing EXIF header information.

Figure 1.1


FIGURE 20.6 A file from an iPhone containing longitude and latitude of cellular tower locations used by the device.

Figure 1.1


FIGURE 20.7An EXIF header from a digital photograph showing the GPS coordinates of the originating device at the time the photograph was taken.

Figure 1.1


FIGURE 20.8 MobileSpy used to intercept text messages on a mobile device and post them to a Web server.

Figure 1.1


FIGURE 20.9 Amber ABC Converter used to view a Blackberry IPD file.

Figure 1.1


FIGURE 20.10 Flowchart of handling mobile devices.

Figure 1.1


FIGURE 20.12 iDEN backup.

Figure 1.1


FIGURE 20.13 Physical acquisition of broken mobile device using XACT.

Figure 1.1


FIGURE 20.14 XRY Interface showing data acquired from a mobile device.

Figure 1.1


FIGURE 20.15 Cellebrite UFED device.

Figure 1.1


FIGURE 20.16 Acquisition of iPhone using Ixam.

Figure 1.1


FIGURE 20.17 Twister Flasher box can connect to FBUS interface on Nokia device to acquire data using the Sarasoft program.

Figure 1.1


FIGURE 20.18 BitPim used to browse the file system on a Motorola CDMA device.

Figure 1.1


FIGURE 20.19 Examination of iPhone physical forensic duplicate using FTK.

Figure 1.1


FIGURE 20.20 File from an LG mobile device containing an MMS message with a video attachment that can be recovered even after the original video has been deleted from the file system.

Figure 1.1


FIGURE 20.21 Deleted photographs recovered from the reconstructed FAT file system in a physical memory dump of a Samsung mobile device.

Figure 1.1


FIGURE 20.22 Deleted MMS message being recovered from a physical memory dump of a Samsung device using Cellebrite Physical.

Figure 1.1


FIGURE 20.23 Deleted file being recovered from a Motorola device using XACT.

Figure 1.1


FIGURE 20.24 File system, including deleted items, reconstructed from a physical memory dump of a Sony Ericsson mobile device using DFF.

Figure 1.1


FIGURE 20.25A Records in a SQLite database viewed with browser.FIGURE 20.25B Raw record data in SQLite database viewed using a hex viewer.

Figure 1.1


FIGURE 20.26 Deleted SMS messages recovered from physical memory dump of Motorola Z3 device by keyword searching for a 7-bit encoded string.

Figure 1.1


FIGURE 20.27 Information extracted from a SIM card using Paraben Device Seizure.

Figure 1.1


FIGURE 20.28 Original documentation associated with SIM card contains PUK.

Figure 1.1


FIGURE 20.29 Waypoints extracted from a Garmin SatNav device plotted on a map using flags as markers.

Chapter 20 ©2011 Eoghan Casey. Published by Elsevier Inc. All rights reserved. Forensic Examination of Mobile Devices (online only)

Documents

eoghan casey

academic press

windows mobile device

originating device

nokia device

cellebrite ufed device

acquisition of iphone

exif header information