Mobile Forensics, by Yogesh E. Sonawane

Mobile forensics

Aug 31, 2014

Page 1: Mobile forensics

Mobile Forensics

Yogesh E. Sonawane

Page 2: Mobile forensics

Mobile Forensics

Page 3: Mobile forensics

• Nowadays mobile phones are frequently seized as prime crime exhibits.

• Mobile phones are used in crimes like:

  – Threatening or extortion calls

  – Sending, receiving or storing messages containing obscene picture images or video files

  – Sports betting

  – Terrorist & Naxalite activities

Mobile Forensic

Page 4: Mobile forensics

• GSM – Global System for Mobile Communications

• CDMA - Code Division Multiple Access

• SIM (Subscriber Identity Module) - Essentially a small computer on a card that sits within the mobile phone and controls various functions of call making

• IMEI (International Mobile Equipment Identifier) - This is a unique number given to each handset. It is printed somewhere on the handset, mostly in the battery compartment. [*#06#]

Some Terms Used

Page 5: Mobile forensics

To see our own Mobile Number

Page 6: Mobile forensics

Specifications

Mobile phones, ranging from basic models to models with highly functional features, contain varying hardware and software specifications.

• Microprocessor

• Random Access Memory (RAM)

• Radio Module

• Microphone and Speaker

• Hardware Keys

Page 7: Mobile forensics

Specifications Continued….

• Wireless Communications (Infrared, Bluetooth, Wi-Fi)

• The Operating System (e.g. Microsoft)

• Liquid Crystal Display (LCD)

• Built-in Mini Secure Digital (MiniSD), MultiMedia Card

• Card slots support removable memory cards

Page 8: Mobile forensics

• Cellebrite UME (Universal Memory Exchanger)

• EnCase Neutrino

• CellDek Tek

• Oxygen Forensics

• MPE+

• MOBILedit, etc.

Tools used for Mobile Forensic Analysis

Mobile Forensic

Page 9: Mobile forensics

Tools used for Mobile Forensic Analysis

Cellebrite UME (Universal Memory Exchanger)

• It is used to extract mobile phone forensic evidence, working in the field as well as in the lab.

• It is a stand-alone phone memory transfer and backup solution that transfers all forms of content, including pictures, videos, ringtones, SMS, as well as phonebook contact data between a wide range of mobile phones.

Reference : www.cellebrite.com

Page 10: Mobile forensics

Tools used for Mobile Forensic Analysis

Cellebrite UME (Universal Memory Exchanger)

Page 11: Mobile forensics

Continued….

EnCase Neutrino

It is designed for law enforcement, security analysts and eDiscovery specialists who need to forensically collect data from mobile devices.

Reference : www.guidancesoftware.com

Tools used for Mobile Forensic Analysis

Page 12: Mobile forensics

Continued….

CellDek Tek

It acquires data including missed calls, dialed calls, received calls, phonebook, SMS messages, deleted SMS messages from SIM, Multimedia (MMS) messages (not available from all handsets), calendar, memos, to-do lists, pictures, video, audio and other files.

Reference : www.logicubeforensic.com

Tools used for Mobile Forensic Analysis

Page 13: Mobile forensics

Continued….

CellDek Tek

Tools used for Mobile Forensic Analysis

Page 14: Mobile forensics

Continued….

Jammer

Tools used for Mobile Forensic Analysis

Page 15: Mobile forensics

Medium used to transfer the data

• Data Cable Wire

• Bluetooth

• Infrared

Page 16: Mobile forensics

Scope of Mobile Forensic Analysis

While analyzing a suspected mobile phone, the following items need to be checked for potential evidence:

• Location Information

• Subscriber and equipment identifiers

• Date/time, language, and other settings

• Phonebook information

• Call log information (Incoming/Outgoing/Dialed/Missed)

Page 17: Mobile forensics

Scope of Mobile Forensic Analysis Continued….

• Text Messages (Incoming/Outgoing/Deleted)

• Picture Images, Video Files, Audio Files

• Multimedia Messages

• Emails, Web Browsing Activities

• Documents, Spreadsheets and Presentations

• User created Files or Folders

Page 18: Mobile forensics

Limitations

• Forensic tools are used:

  – To acquire mobile phone data.

  – To generate a report of the acquired data.

• The tools support certain mobile phone models.

• The tools help to extract certain informative items.

Page 19: Mobile forensics

Limitations Continued….

• The tools depend on the data cable (support) to extract information.

  – Sometimes support is available, but still few informative items can be extracted. E.g. Call Log Details

  – Sometimes data needs to be extracted but no support is available. E.g. User Created Files or Folders

• Tools are available to break PIN and password of the selected mobile phones.

Page 20: Mobile forensics

SMART PHONES

What information is stored on a modern smart phone?

(C) Oxygen Software, 2000-2012 http://www.oxygen-forensic.com

Page 21: Mobile forensics


SMARTPHONE IS A SMALL PC

Page 22: Mobile forensics

SMARTPHONE : CELL PHONE

Page 23: Mobile forensics

SMARTPHONE : ADDRESS BOOK

Page 24: Mobile forensics

SMARTPHONE : PLANNER

Page 25: Mobile forensics

SMARTPHONE : MESSENGER

Page 26: Mobile forensics

SMARTPHONE : GPS NAVIGATOR

Page 27: Mobile forensics

SMARTPHONE : WEB CLIENT

* - Available for some IM clients

Page 28: Mobile forensics

Smartphone : PC

Page 29: Mobile forensics

EXTRACTION

What data extraction methods are available for mobile devices?

Page 30: Mobile forensics

THERE ARE 2 STANDARD WAYS TO GET FORENSIC INFORMATION FROM SMARTPHONES: LOGICAL AND PHYSICAL ANALYSIS


Standard extraction methods

Page 31: Mobile forensics

Standard extraction methods: Summary

Page 32: Mobile forensics

• Agent application usage

• General phone information & SIM card data

• Contacts with all fields and custom field labels

• Caller groups & Speed dials

• Event Log

• Calendar events

• Tasks & Notes

• Messages from standard and custom folders

• Deleted messages information

• Service center timestamp

• Camera snapshots, video clips and voice records

• File system

• GPS & Location tagged information

• Web browser cache & bookmarks

• IM clients data

• 3rd party applications with their information

- Protected operating system files

- Memory dump

Page 33: Mobile forensics