Mobile phone forensics

Mobile phone forensics
A science of recovering digital evidence from a mobile phone under forensically sound conditions.


Mobile Concept

Common type of mobile OS
symbian os
android os: open source
apple ios
windows phone7
rim blackberry os

Blackberry devices:
encryption technology of Password Keeper is AES
hashing method of password protection is SHA-1

Architecture of cellular network
Mobile station:手機
SIM(subscriber identity module)
Base station subsystem:機地台
BST(base transceiver station)
BSC(base station controller)
Network subsystem:電信機房
MSC(mobile services switching center)
other as below
 HLR(home location register)
 VLR(visitor location register)
 EIR(equipment identity register)
 AUC(authentication center)

mobile device

SIM(subscriber identity module)
a removable component that contains essential information about the subscriber
main funcation entails authenticating the suer of the cell phone
it has both volatile and nonvolatile memory
the file system of a SIM resides in nonvolatile memory

SIM password
a PIN(Personal identification Number) code
PUK(Personal Unlock Number) can unlock protection of 3 times password failed

SIM file system
MF(master file):1個MF包含多個DF
DF(dedicated file):1個DF包含多個EF
EF(elementary files)

ICCID(integrated circuit card identification)
SIM id
20 digit number as below
1-2 = industry identifier prefix, 89 for telcommunication
3-4 = country code
5-10 = issuer identifier number
11-20 = individual account identification number

IMEI(international mobile equipment identifier)
15 digit number
first 8 digit = TAC(type allocation code)
it can be obtained by keying in *#06#

ESN(electronic serial number)
unique 32 bit identifier recorded on a secure chip


Mobile Forensics Process

Acquire the information
acquire data from SIM card
acquire data from synched devices,memory cards
acquire data from obsructed and unobstructed mobile devices,
gather data from network operator
gather data from sqlite record

Sqlite database
store vital information by iOS and android
information include contacts,SMS,call records

Hex viewer from sqlite record
1th,record length: 1 byte
2th,key: 1byte
3th,record header length: 1byte
5th,address length:1byte
6th,date and time stamp,1byte
7~8th,message length: 2byte

Mobile evidence
SIM in GSM/UMTS: 有使用者相關資訊
Phone Internal Memory(手機記憶體): 有大部分的通話紀錄
Flash Memory Card(記憶卡): 很多手機記憶體或Sim卡中的資料
找系統商Call data:包括來源號碼,掛斷號碼,來話設備號碼,通話時間,使用服務,當時基地台…etc

ex: 使用普通的Smart Card Reader可以找回刪掉的資料
4.檢驗Flash Memory
ex: 將mobile接到電腦上用forensic tool分析, tool像是 EnCase,FTK,SMART,WinHEX
5.把mobile的記憶體作bit stream copy
ex: 取下Memory Chip並讀內容
ex: 從主機板讀取內容


Mobile forensics software tools

Popular tool as below
oxygen forensic suite
paraben tool