Cell Phone/Mobile Device Forensics
Cell phone and mobile device forensics is a rapidly changing field that poses challenges in trying to retrieve information.
Cell phones – items possibly stored on them:
· Incoming, outgoing, missed calls
· Text and SMS messages
· E-mail
· IM logs
· Web pages
· Pictures
· Personal calendars
· Address books
· Music files
· Voice recordings
· Photos
· Documents
Cell phone data is being used more and more in court as evidence.
Problem – New phones come out every six months and are rarely compatible with previous models:
· Cables and accessories become obsolete and no two phones have the same cables
Cell phone basics – Digital Networks
Code Division Multiple Access (CDMA) – Sprint and Verizon
Global System for Mobile Communication (GSM) – AT&T and T-Mobile
· Uses TDMA
Time Division Multiple Access (TDMA)
Integrated Digital Enhanced Network (iDEN) – Nextel
Three main components for cellular phone network:
· Base transceiver station (BTS) – the cell phone tower
· Base station controller (BSC) – manages the BTS and is connected to the MSC
· Mobile switching center (MSC) – connects calls by routing packets for the network, relying on databases to support subscribers
Inside Mobile Devices
Operating Systems
· Proprietary
· Linux
· Windows Mobile
· RIM OS
· Palm OS
· Symbian OS
· Mac OS X (iPhone)
Storage
· Electrically erasable programmable read-only memory (EEPROM)
· Subscriber identity module (SIM) cards
  o Some as big as 1 GB
· Micro SD cards
Personal Digital Assistants (PDA)
· Originally non-transmitting devices
· Today, PDAs without integrated phones are going the way of the dodo bird
Other peripheral memory devices that you may come across:
· Compact Flash (CF)
· Multimedia Card (MMC)
· Secure Digital (SD)
Understanding Acquisition Procedures for Cell Phones and Mobile Devices
The main concern with mobile devices is the loss of power and synchronization with PCs.
Depending upon the court order, the time of seizure might be relevant.
Messages might be received after the device was seized that may not be admissible in court.
If you turn off the device, note the date/time of this act. The alternative is to isolate the device from incoming signals:
· Place the device in a paint can
· Paraben Wireless Stronghold Bag (Faraday wire cage)
· 8 layers of antistatic bags to block signal
Checking where data may be stored:
· Internal memory
· SIM
· Removable storage cards
· System server
Checking a mobile device’s system server requires that your court order include the system server.
Information that can be retrieved falls into 4 categories:
· Service-related data – i.e. identifiers
· Call data
· Message information
· Location information (GPS)