Mobile device forensics

How are mobile devices identified?


Manufacturer, model, carrier, current phone number


15-digit International Mobile Equipment Identifier (IMEI)

18-20-digit Integrated Circuit Card Identification (ICCID)

56-bit Mobile Equipment ID (MEID) for CDMA devices

10-digit Mobile Identification Number (MIN)

Direct Connect Number (DCN)

Where is information stored on a mobile device?


PIN secured, and stores contact, SMS and dial history data


Can store applications and data common on modern smartphones


Do not store data, but can indicate what data (e.g. fingerprint/GPS) is available


Oleophobic screen means patterns are often visible, revealing PIN/unlock code


How can information be forensically gathered from a mobile device's memory?

Manual extraction

Recording information on screen when employing the user interface

- Impossible to recover deleted information
- Can be very time intensive to discover and record information
- Uses digital camera to capture evidence
- Language barriers (e.g. menu language) can be an issue
- Broken interfaces (buttons/screen) can prevent access

Logical extraction

Capturing a copy of logical storage objects (e.g., directories and files) that
reside on a logical store (e.g., a file system partition)
- Device connected to forensic workstation via wire/wireless
- Commands sent to device over interface from forensic workstation
- Device sends back the requested data, which is recorded
- Only extracts data that is available through the operating system

Hex dumping

Uploading a modified boot loader (or other software) into a protected area
of memory (e.g., RAM) on the device in order to capture memory
- Device data port connects to forensic workstation via flasher box
- Device placed in diagnostic mode and flash memory captured
- Flasher boxes often require rebooting of device
- Flasher boxes are often very difficult to use and not documented
- Rare cases exist where dump can be accomplished using Wi-Fi


Performing a physical acquisition of mobile device memory in situ

- Device connected to forensic workstation via wire/wireless
- More direct access to the raw information stored in flash memory
- Allows for access to full binary data
- JTAG standard defines a common test interface for chips
- Access to JTAG ports often requires dismantling of device


The physical removal of memory from a mobile device to extract data

- Acquisition of data directly from a mobile device's flash memory
- Requires removal of flash memory chip from device
- Examiner has ability to create a binary image of the removed chip

Micro read

The use of an electron microscope to view the physical state of gates

- Extremely specialised and difficult task to perform