<p>Mobile phone forensics. systw.net note, published 2015-10-24, last modified 2023-10-30. https://systw.net/note/archives/334</p>

<p><strong>Mobile phone forensics</strong><br>The science of recovering digital evidence from a mobile phone under forensically sound conditions.</p>

<hr>

<h3 class="wp-block-heading"><strong>Mobile Concept</strong></h3>

<p><strong>Common types of mobile OS</strong><br>webOS<br>Symbian OS<br>Android OS: open source<br>Apple iOS<br>Windows Phone 7<br>RIM BlackBerry OS</p>

<p>PS:<br>BlackBerry devices:<br>the encryption algorithm used by Password Keeper is AES<br>the hashing method used for password protection is SHA-1</p>

<p>…</p>

<p><strong>Architecture of a cellular network</strong><br><strong>Mobile station</strong>: the handset<br>SIM (subscriber identity module)<br><strong>Base station subsystem</strong>: the base station<br>BTS (base transceiver station)<br>BSC (base station controller)<br><strong>Network subsystem</strong>: the operator's switching center<br>MSC (mobile services switching center)<br>others as below<br>　HLR (home location register)<br>　VLR (visitor location register)<br>　EIR (equipment identity register)<br>　AUC (authentication center)</p>

<p>…</p>

<p><strong>The main forensic targets are</strong><br>the SIM card<br>the mobile device</p>

<p><strong>SIM (subscriber identity module)</strong><br>a removable component that contains essential information about the subscriber<br>its main function is authenticating the user of the phone to the network<br>it has both volatile and nonvolatile memory<br>the file system of a SIM resides in nonvolatile memory</p>

<p><strong>SIM password</strong><br>a PIN (personal identification number) code<br>after three wrong PIN entries the SIM blocks itself; the PUK (PIN unblocking key, also called the personal unblocking key) lifts that block<br>ten wrong PUK entries block the SIM permanently, so never guess the PUK during an examination: obtain it from the subscriber or the operator</p>

<p><strong>SIM file system</strong><br>MF (master file): one MF contains several DFs<br>DF (dedicated file): one DF contains several EFs<br>EF (elementary file): holds the actual data, such as the phonebook and stored SMS records</p>

<p><strong>ICCID (integrated circuit card identification)</strong><br>the SIM's own id, also printed on the card<br>up to 20 digits, laid out as below<br>1-2 = industry identifier prefix, 89 for telecommunications<br>3-4 = country code<br>5-10 = issuer identifier number<br>11-20 = individual account identification number<br>(the field widths vary by issuer; the final digit is a Luhn check digit)<br><br><strong>IMEI (international mobile equipment identity)</strong><br>15 digits<br>first 8 digits = TAC (type allocation code), which identifies the make and model<br>next 6 digits = serial number, final digit = Luhn check digit<br>it can be obtained by keying in *#06# and should be compared with the IMEI printed on the device label</p>

<p><strong>ESN (electronic serial number)</strong><br>unique 32-bit identifier recorded on a secure chip (CDMA handsets; the GSM counterpart is the IMEI)</p>

<hr>

<h3 class="wp-block-heading"><strong>Mobile Forensics Process</strong></h3>

<p><strong>Acquire the information</strong><br>acquire data from the SIM card<br>acquire data from synced devices and memory cards<br>acquire data from obstructed (locked or damaged) and unobstructed mobile devices<br>gather data from the network operator<br>gather data from SQLite records</p>

<p><strong>SQLite database</strong><br>the database format iOS and Android use to store vital information<br>the information includes contacts, SMS and call records<br>deleted rows often survive in the database file's free space until it is overwritten or the database is vacuumed, so the unallocated space of the file is worth carving as well</p>

<p><strong>Reading a SQLite record in a hex viewer</strong><br>the byte-by-byte layout of an SMS record as given here (position 4 is not listed):<br>1st: record (payload) length, 1 byte<br>2nd: key (rowid), 1 byte<br>3rd: record header length, 1 byte<br>5th: address length, 1 byte<br>6th: date and time stamp, 1 byte<br>7th-8th: message length, 2 bytes<br>9th: flag<br>the first three fields are the cell header that every SQLite table row starts with; they are variable-length integers (varints) and occupy one byte each only while the values stay below 128. The remaining positions are the serial-type bytes of this SMS record's header, one per column, from which the width of each column value in the body is derived.<br><br>…</p>

<p><strong>Mobile evidence</strong><br>SIM in GSM/UMTS: holds subscriber-related information<br>Phone internal memory: holds most of the call records<br>Flash memory card: holds much of the data also found in phone memory or on the SIM<br>Call data obtained from the network operator: includes the originating number, the terminating number, the calling equipment number, call time, service used, the serving base station at the time, etc.<br><br><strong>Methods for finding evidence on a mobile phone</strong><br>1. Power off the phone to avoid destroying evidence (caveat: powering off can engage the PIN or passcode lock and discards volatile data, so the common alternative is to keep it on and isolate it from the network with airplane mode or a Faraday bag)<br>2. Examine each evidence source in the phone separately<br>3. Obtain the SIM access code (PIN/PUK) from the user or the operator and examine the SIM card<br>ex: an ordinary smart card reader is enough to read the SIM, and deleted entries can often be recovered because deleting an SMS only clears the record's status byte while the message bytes remain until overwritten<br>4. Examine the flash memory<br>ex: connect the mobile to a computer and analyze it with a forensic tool such as EnCase, FTK, SMART or WinHex<br>5. Make a bit-stream copy of the mobile's memory<br>ex: remove the memory chip and read its contents (chip-off)<br>ex: read the contents directly from the main board (e.g. over JTAG test points)</p>

<p>refer<br>http://wenku.baidu.com/view/da7fbcd0360cba1aa811da11.html?re=view</p>

<p>…</p>

<p>Mobile forensics software tools</p>

<p><strong>Popular tools as below</strong><br>Oxygen Forensic Suite<br>Paraben's tools</p>
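<p>The ICCID and IMEI layouts above, as an added example that is not code from the original page: the check digit is the part a practitioner actually uses, to confirm that an identifier read with *#06#, from the SIM card body or from an operator report was transcribed correctly and matches the device label. The sample numbers are constructed, Luhn-valid test values, not identifiers from any real device or case; the function names are this example's own.</p>

```python
"""Checks for the two identifiers discussed above: IMEI (15 digits: 8-digit TAC,
6-digit serial, Luhn check digit) and ICCID (19 or 20 digits starting with the
'89' telecom industry prefix and ending in a Luhn check digit).
Added example, not code from the original page; the sample numbers are
constructed test values, not identifiers from any real device or case."""


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check over a full digit string, check digit included."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def luhn_check_digit(payload: str) -> str:
    """Check digit that makes payload + digit pass luhn_valid()."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:          # rightmost payload digit is doubled once the check digit follows it
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def _digits_only(s: str) -> str:
    """Drop the spaces and dashes that labels and reports put between digit groups."""
    return "".join(ch for ch in s if ch.isdigit())


def parse_imei(imei: str) -> dict:
    """Split an IMEI (as shown by *#06# or printed on the device label) into its fields."""
    s = _digits_only(imei)
    if len(s) != 15:
        raise ValueError(f"IMEI must be 15 digits, got {len(s)}")
    return {
        "tac": s[:8],                # type allocation code: make and model
        "serial": s[8:14],           # per-unit serial number
        "check_digit": s[14],
        "check_ok": luhn_valid(s),   # a failed check means a misread or an invalid IMEI
    }


def parse_iccid(iccid: str) -> dict:
    """Split an ICCID; only the 2-digit industry prefix and the check digit have fixed positions."""
    s = _digits_only(iccid)
    if len(s) not in (19, 20):
        raise ValueError(f"ICCID must be 19 or 20 digits, got {len(s)}")
    return {
        "industry_prefix": s[:2],        # 89 = telecommunications
        "is_telecom": s[:2] == "89",
        "issuer_and_account": s[2:-1],   # country code, issuer id, account id; widths vary by issuer
        "check_digit": s[-1],
        "check_ok": luhn_valid(s),
    }


def cross_check(reported_imei: str, label_imei: str) -> bool:
    """True when the IMEI the handset reports and the one on its label are the same valid number."""
    return parse_imei(reported_imei)["check_ok"] and \
        _digits_only(reported_imei) == _digits_only(label_imei)


if __name__ == "__main__":
    print(parse_imei("49-015420-323751-8"))           # constructed, Luhn-valid IMEI
    print(parse_iccid("8986 0012 3456 7890 1238"))    # constructed, Luhn-valid ICCID
```

<p>A mismatch between the *#06# value and the label, or a Luhn failure on either, is worth recording in the examination notes before any further acquisition: the TAC is what ties the handset to a model for tool selection, and the serial is what the EIR and operator records are keyed on.</p>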
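<p>The hex-viewer layout in the SQLite section is the SQLite record format. As an added example that is not code from the original page, the following decodes one table-b-tree leaf cell in exactly the order the page lists: payload length, key (rowid), record header length, then one serial type per column, from which the width of each column value follows. The cell bytes are constructed to resemble one SMS row (address, timestamp, body, read flag); they are not from any real messaging database, and cells that spill onto overflow pages are not handled.</p>

```python
"""Decode a SQLite table-b-tree leaf cell as a hex viewer shows it: payload-length
varint, rowid (key) varint, record header (its own length plus one serial type per
column), then the column values.  Added example, not code from the original page;
SAMPLE_CELL is constructed to look like an SMS row and is not from a real database.
Overflow pages are not handled."""
import struct


def read_varint(buf: bytes, off: int):
    """SQLite varint: big-endian, 7 bits per byte, high bit set = more bytes, 9th byte uses all 8 bits."""
    value = 0
    for i in range(8):
        b = buf[off + i]
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            return value, off + i + 1
    return (value << 8) | buf[off + 8], off + 9


def serial_type_size(st: int) -> int:
    """Body bytes occupied by a value of the given serial type (SQLite record-format table)."""
    if st in (0, 8, 9):            # NULL, integer 0, integer 1: no body bytes at all
        return 0
    if 1 <= st <= 4:               # 1-, 2-, 3-, 4-byte big-endian integers
        return st
    if st == 5:
        return 6
    if st in (6, 7):               # 8-byte integer, IEEE double
        return 8
    if st >= 12:                   # even: BLOB of (st-12)/2 bytes, odd: TEXT of (st-13)/2 bytes
        return (st - 12) // 2
    raise ValueError(f"serial types 10 and 11 are reserved, got {st}")


def decode_value(st: int, raw: bytes):
    """Turn the body bytes of one column into a Python value."""
    if st == 0:
        return None
    if 1 <= st <= 6:
        return int.from_bytes(raw, "big", signed=True)
    if st == 7:
        return struct.unpack(">d", raw)[0]
    if st in (8, 9):
        return st - 8
    if st % 2 == 0:
        return raw                                  # BLOB
    return raw.decode("utf-8", errors="replace")    # TEXT, assuming a UTF-8 database encoding


def parse_leaf_cell(buf: bytes, off: int = 0) -> dict:
    """One cell of a table b-tree leaf page, starting at buf[off]."""
    payload_len, off = read_varint(buf, off)     # "record length" in the hex-viewer layout
    rowid, off = read_varint(buf, off)           # "key"
    hdr_start = off
    hdr_len, off = read_varint(buf, off)         # "record header length"; the count includes itself
    serial_types = []
    while off < hdr_start + hdr_len:             # one serial type per column
        st, off = read_varint(buf, off)
        serial_types.append(st)
    body = hdr_start + hdr_len
    values = []
    for st in serial_types:
        size = serial_type_size(st)
        values.append(decode_value(st, buf[body:body + size]))
        body += size
    return {"payload_len": payload_len, "rowid": rowid, "header_len": hdr_len,
            "serial_types": serial_types, "values": values, "end": body}


# constructed cell: rowid 300 (a two-byte varint), then four columns
#   address  TEXT  "+15551234567"  -> serial type 13 + 2*12 = 37 (0x25)
#   date     INT   1445683860      -> serial type 4, 4-byte big-endian (0x562B6294)
#   body     TEXT  "hellohello"    -> serial type 13 + 2*10 = 33 (0x21)
#   read     INT   1               -> serial type 9, no body bytes
SAMPLE_CELL = bytes.fromhex(
    "1F" "822C" "05" "25" "04" "21" "09"       # payload len 31, rowid, header len 5, serial types
    + "2B3135353531323334353637"               # "+15551234567"
    + "562B6294"                               # 1445683860 = 2015-10-24 10:51:00 UTC
    + "68656C6C6F68656C6C6F"                   # "hellohello"
)

if __name__ == "__main__":
    print(parse_leaf_cell(SAMPLE_CELL))
```

<p>When carving deleted rows from a page's free space the same routine applies, except that the payload-length and rowid varints at the start of a freed cell may already have been overwritten by the page's free-block list; in that case start from the header-length byte and let the serial types tell you how many body bytes to expect.</p>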
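<p>Step 3 of the methods list (reading the SIM with an ordinary smart card reader and recovering deleted entries), together with the MF/DF/EF file system layout, as an added example that is not code from the original page. It walks the records of EF_SMS (MF 3F00 / DF_TELECOM 7F10 / EF_SMS 6F3C), which a card reader returns once the PIN is satisfied, and flags records whose status byte says "free" while the message bytes are still present: that is the deleted-but-recoverable case. The three records are constructed test data, not bytes from a real SIM; only SMS-DELIVER TPDUs in the GSM 7-bit default alphabet are decoded, and the function names, the century prefix on the two-digit year and the partial alphabet table are this example's own assumptions.</p>

```python
"""Walk EF_SMS records from a SIM (MF 3F00 / DF_TELECOM 7F10 / EF_SMS 6F3C) and flag
messages that were deleted but are still recoverable.  Added example, not code from
the original page; the records below are constructed test data, not bytes from a real
SIM.  Only SMS-DELIVER TPDUs in the GSM 7-bit default alphabet are decoded."""

EF_SMS_RECORD_LEN = 176   # 1 status byte + up to 175 bytes of TPDU, 0xFF padded

# low three bits of the status byte; bit 0 clear means the record is marked free
STATUS = {0x00: "free (unused or deleted)", 0x01: "received, read",
          0x03: "received, unread", 0x05: "sent", 0x07: "to be sent"}

# septet values where the GSM 03.38 default alphabet differs from ASCII
# (partial table; the ESC 0x1B extension table is not handled here)
GSM7_DIFF = {0x00: "@", 0x24: "¤", 0x40: "¡", 0x5B: "Ä", 0x5C: "Ö", 0x5D: "Ñ", 0x5E: "Ü",
             0x5F: "§", 0x60: "¿", 0x7B: "ä", 0x7C: "ö", 0x7D: "ñ", 0x7E: "ü", 0x7F: "à"}


def swap_bcd(raw: bytes, ndigits: int = 0) -> str:
    """Semi-octet digits (nibble-swapped BCD); 0xF is the filler nibble of an odd-length number."""
    digits = "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in raw).rstrip("F")
    return digits[:ndigits] if ndigits else digits


def unpack_gsm7(data: bytes, septets: int) -> str:
    """Unpack 7-bit septets that were packed LSB-first into octets."""
    out, acc, bits = [], 0, 0
    for b in data:
        acc |= b << bits
        bits += 8
        while bits >= 7 and len(out) < septets:
            out.append(acc & 0x7F)
            acc >>= 7
            bits -= 7
        if len(out) >= septets:
            break
    return "".join(GSM7_DIFF.get(s, chr(s) if 0x20 <= s < 0x7F else "?") for s in out)


def parse_address(buf: bytes, off: int):
    """Address field: length in digits, TON/NPI octet, then BCD digits."""
    ndigits, ton_npi = buf[off], buf[off + 1]
    nbytes = (ndigits + 1) // 2
    number = swap_bcd(buf[off + 2: off + 2 + nbytes], ndigits)
    if (ton_npi & 0x70) == 0x10:          # type of number 001 = international
        number = "+" + number
    return number, off + 2 + nbytes


def parse_sms_deliver(tpdu: bytes) -> dict:
    """Decode the SMSC header and an SMS-DELIVER TPDU as stored after the status byte."""
    smsc_len = tpdu[0]
    smsc = swap_bcd(tpdu[2:1 + smsc_len])
    if smsc_len and (tpdu[1] & 0x70) == 0x10:
        smsc = "+" + smsc
    off = 1 + smsc_len
    first = tpdu[off]
    if (first & 0x03) != 0x00:
        raise ValueError("not an SMS-DELIVER TPDU (mobile-originated records are not decoded here)")
    udhi = bool(first & 0x40)
    sender, off = parse_address(tpdu, off + 1)
    dcs = tpdu[off + 1]                    # tpdu[off] is the protocol identifier
    scts = tpdu[off + 2: off + 9]          # service centre time stamp, 7 semi-octets
    yy, mo, dd, hh, mi, ss = (swap_bcd(bytes([b])) for b in scts[:6])
    tz = scts[6]
    quarter_hours = (tz & 0x07) * 10 + (tz >> 4)   # bit 3 of the first digit carries the sign
    sign = "-" if tz & 0x08 else "+"
    when = (f"20{yy}-{mo}-{dd} {hh}:{mi}:{ss} "      # two-digit year; century is an assumption
            f"{sign}{quarter_hours // 4:02d}:{quarter_hours % 4 * 15:02d}")
    udl, ud = tpdu[off + 9], tpdu[off + 10:]
    if (dcs & 0x0C) == 0x00 and not udhi:  # general coding group, 7-bit default alphabet, no UDH
        text = unpack_gsm7(ud, udl)
    else:
        text = ud[:udl].hex()              # UCS-2 / 8-bit / user-data-header cases left raw
    return {"smsc": smsc, "sender": sender, "timestamp": when, "text": text}


def classify_record(rec: bytes) -> dict:
    """One EF_SMS record: status, whether it is recoverable, and the decoded message if any."""
    status, body = rec[0], rec[1:]
    empty = all(b == 0xFF for b in body)
    info = {"status": STATUS.get(status & 0x07, f"unknown 0x{status:02X}"),
            "recoverable": (status & 0x01) == 0 and not empty}   # flagged free, bytes never wiped
    if not empty:
        try:
            info.update(parse_sms_deliver(body))
        except (ValueError, IndexError) as exc:
            info["error"] = str(exc)
    return info


def _record(status: int, tpdu_hex: str) -> bytes:
    tpdu = bytes.fromhex(tpdu_hex)
    return bytes([status]) + tpdu + b"\xff" * (EF_SMS_RECORD_LEN - 1 - len(tpdu))


# constructed records: SMSC +1234567890, PID/DCS 00 00, timestamp 2015-10-24 18:51:00 +08:00
SMSC = "06912143658709"
SCTS = "51014281150023"
REC_READ = _record(0x01, SMSC + "04" + "0B915155214365F7" + "0000" + SCTS + "0A" + "E8329BFD4697D9EC37")
REC_DELETED = _record(0x00, SMSC + "04" + "0C91889621436587" + "0000" + SCTS + "02" + "C834")
REC_EMPTY = bytes([0x00]) + b"\xff" * (EF_SMS_RECORD_LEN - 1)

if __name__ == "__main__":
    for i, rec in enumerate([REC_READ, REC_DELETED, REC_EMPTY], 1):
        print(i, classify_record(rec))
```

<p>The second record is the interesting one: the handset deleted it by writing 0x00 to the status byte only, so the sender, timestamp and text are still intact and a reader that dumps every record regardless of status recovers them. Forensic SIM tools do exactly this; a phone's own UI never shows such records.</p>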