
Forensic Analysis of Cell Phones and SIM Cards

Technical Service Center of Information and Communication Services


Logical and physical analysis of cell phones and SIM cards

Cases:
- Theft, Murder, Rape, etc.
- And Terrorism
(C) 2008 Katja Koennecke Federal Criminal Police Germany 2 / 28

Logical Analysis in a Nutshell


Commercial Products:
- Oxygen, .XRY, MobileEdit, etc.

AT Commands, OBEX Commands
Manufacturer Software Products
Hardware: IRDA, USB Cable

Physical Analysis in a Nutshell


UFS_HWK, UST PRO II, Flash and Backup, etc.
Removing memory chips
Reverse engineering, Scripts
Commercial products such as CPA, XACT


But...


Analysing the SIM Card


Card Reader
SIM Reading Software


Analysing the SIM Card (cont.)


Looking at the actual SIM Chip
Different Architectures


Analysing the SIM Card (cont.)


Cutting the plastic from the other side of the chip
What do we have?


Analysing the SIM Card (cont.)


Bond wires intact
Bond wires detached


Analysing the SIM Card (cont.)


Result: No Data


Analysing the Cell Phone Case 1



Analysing the Cell Phone Case 1


Identifying the memory chip
ATMEL 2416 EEPROM


Analysing the Cell Phone Case 1


Removing the memory chip
Mounting it onto a board, for dumping the EEPROM data


Analysing the Cell Phone Case 1


Read process, using a common EEPROM Reader


Analysing the Cell Phone Case 2


The phone triggered the explosion and only fragments are left.


Analysing the Cell Phone Case 2


Identifying the chip
Cleaning the chip with a soldering iron


Analysing the Cell Phone Case 2


Datasheet
Chip: Samsung K9F120 NAND (64MB)


Analysing the Cell Phone Case 2


Connecting the chip to a socket-board


and the Professionals...

Chip & 1 cent

Workstation

Reading Device

Flash Dumping
Bit-by-bit dumping of the entire memory chip


Interpreting the data
Example: Picture


Search file for known headers:
- JPG: FF D8 FF E#
- GIF: 47 49 46 38 39
- AVI: 52 49 46 46
- 3GP: 18 66 74 79 70 33


Interpreting the data
Example: Picture

Results not satisfactory
Reason: Storage management of phone and chip


Storage Management
Storage management causes data to be stored in blocks and pages


Storage Management
If data is larger than 64 Kbytes, the data is fragmented
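
The header search from the "Interpreting the data" slide and the 64 Kbyte fragmentation rule above, combined in an added example that is not part of the original presentation. The function names, the use of the JPEG end marker FF D9 to bound a carve, the reading of "E#" as any nibble, and the constructed sample dump are assumptions of this example.

```python
import re

# Signatures from the slide; the "E#" in the JPG entry is read as any nibble (E0-EF).
SIGNATURES = {
    "JPG": re.compile(rb"\xFF\xD8\xFF[\xE0-\xEF]"),
    "GIF": re.compile(rb"\x47\x49\x46\x38\x39"),
    "AVI": re.compile(rb"\x52\x49\x46\x46"),
    "3GP": re.compile(rb"\x18\x66\x74\x79\x70\x33"),
}
FRAGMENT_LIMIT = 64 * 1024  # slide: data larger than 64 Kbytes is fragmented


def find_headers(dump):
    """Return sorted (offset, type) pairs for every signature hit in the dump."""
    hits = []
    for name, pattern in SIGNATURES.items():
        hits.extend((m.start(), name) for m in pattern.finditer(dump))
    return sorted(hits)


def carve_jpegs(dump):
    """Carve from each JPG header to the next FF D9 and grade the result."""
    results = []
    for offset, name in find_headers(dump):
        if name != "JPG":
            continue
        end = dump.find(b"\xFF\xD9", offset + 4)
        if end == -1:
            results.append((offset, None, "no end marker"))
            continue
        length = end + 2 - offset
        # A linear carve longer than the limit spans fragmented storage and
        # cannot be trusted without reconstructing the phone's block mapping.
        status = "contiguous" if length <= FRAGMENT_LIMIT else "likely fragmented"
        results.append((offset, length, status))
    return results


def build_sample_dump():
    """Constructed test image: 0xFF filler (erased flash) around three objects."""
    small = b"\xFF\xD8\xFF\xE0" + b"\x11" * 100 + b"\xFF\xD9"
    large = b"\xFF\xD8\xFF\xE1" + b"\x22" * 70000 + b"\xFF\xD9"
    return b"\xFF" * 512 + small + b"\xFF" * 406 + b"GIF89a" + b"\xFF" * 94 + large


if __name__ == "__main__":
    dump = build_sample_dump()
    for offset, name in find_headers(dump):
        print(f"{name} header at 0x{offset:06X}")
    for offset, length, status in carve_jpegs(dump):
        print(f"JPG at 0x{offset:06X}: length={length} -> {status}")
```

Hits graded "likely fragmented" are the ones where a plain header-to-footer carve gives the unsatisfactory results the slides describe.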


Data Reconstruction
Reverse engineering of proprietary cell phone operating systems
- Filesystem of phone
- User data (phonebook, call logs with date and time, pictures, MMS, SMS, calendar, etc.)
- IMSI/ICC-ID log


Data Reconstruction
Example Log:


Thank you for your attention!


Questions?!
Contact information:
Katja Koennecke
Bundeskriminalamt / Federal Criminal Police Germany
+49 (0)2225 89 23 106
KatjaVerena.Koennecke@bka.bund.de
