
Forensic Analysis of Cell Phones and SIM Cards

Technical Service Center of Information and Communication Services

Logical and physical analysis of cell phones and SIM cards
Cases:
- Theft, Murder, Rape, etc.
- And Terrorism
(C) 2008 Katja Koennecke

Federal Criminal Police Germany

2 / 28

Logical Analysis in a Nutshell


Commercial Products:
- Oxygen, .XRY, MobileEdit, etc.

AT Commands, OBEX Commands


Manufacturer Software Products
Hardware: IRDA, USB Cable

Physical Analysis in a Nutshell


UFS_HWK, UST PRO II, Flash and Backup, etc.
Removing memory chips
Reverse engineering, Scripts
Commercial products such as CPA, XACT


But...


Analysing the SIM Card


Card Reader
SIM Reading Software


Analysing the SIM Card (cont.)


Looking at the actual SIM Chip
Different Architectures


Analysing the SIM Card (cont.)


Cutting the plastic from the other side of the chip
What do we have?


Analysing the SIM Card (cont.)


Bond wires intact

Bond wires detached


Analysing the SIM Card (cont.)


Result: No Data

Analysing the Cell Phone Case 1


Identifying the memory chip
ATMEL 2416
EEPROM


Analysing the Cell Phone Case 1


Removing the memory chip
Mounting it onto a board for dumping the EEPROM data


Analysing the Cell Phone Case 1


Read process, using a common EEPROM reader


Analysing the Cell Phone Case 2


The phone triggered the explosion and only fragments are left.


Analysing the Cell Phone Case 2


Identifying the chip
Cleaning the chip with a soldering iron


Analysing the Cell Phone Case 2


Datasheet. Chip: Samsung K9F120 NAND (64 MB)


Analysing the Cell Phone Case 2


Connecting the chip to a socket-board


and the Professionals...

Chip & 1 cent

Workstation

Reading Device
Flash Dumping
Bit-by-bit dumping of the entire memory chip


Interpreting the data


Example: Picture
Search file for known headers:
- JPG: FF D8 FF E#; GIF: 47 49 46 38 39
- AVI: 52 49 46 46; 3GP: 18 66 74 79 70 33


Interpreting the data


Example: Picture
Results not satisfactory
Reason:
Storage management of phone and chip


Storage Management
Storage management results in data being stored in blocks and pages


Storage Management
If data is larger than 64 Kbytes, the data is fragmented
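
An added example, not part of the original slides: the header search from the "Interpreting the data" slides, run in Python over a constructed dump in which a file larger than 64 Kbytes is split across non-adjacent blocks, showing why a plain contiguous carve gives unsatisfactory results. The dump layout, the function names and the block order passed to `reassemble` are assumptions for illustration; in a real case the order has to come from the reconstructed file system.

```python
import re

# Signatures exactly as listed on the slide; "E#" is read as any nibble (E0..EF).
SIGNATURES = {
    "JPG": re.compile(rb"\xFF\xD8\xFF[\xE0-\xEF]"),
    "GIF": re.compile(rb"\x47\x49\x46\x38\x39"),
    "AVI": re.compile(rb"\x52\x49\x46\x46"),
    "3GP": re.compile(rb"\x18\x66\x74\x79\x70\x33"),
}
BLOCK = 64 * 1024  # fragmentation threshold stated on the slide

def scan(dump):
    """Return sorted (offset, block_index, type) for every header hit."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for m in pattern.finditer(dump):
            hits.append((m.start(), m.start() // BLOCK, name))
    return sorted(hits)

def carve_jpeg_contiguous(dump, start):
    """Naive carve: assume the file is stored contiguously up to FF D9."""
    end = dump.find(b"\xFF\xD9", start)
    return None if end < 0 else dump[start:end + 2]

def reassemble(dump, block_order, length):
    """Join blocks in file order (order assumed known here) and trim."""
    data = b"".join(dump[i * BLOCK:(i + 1) * BLOCK] for i in block_order)
    return data[:length]

def make_dump():
    """Constructed sample: a JPEG-like file in blocks 0 and 2, foreign data in block 1."""
    original = b"\xFF\xD8\xFF\xE0" + b"\x11" * (BLOCK + 1000) + b"\xFF\xD9"
    foreign = b"GIF89a" + b"\x22" * (BLOCK - 6)
    part1, part2 = original[:BLOCK], original[BLOCK:]
    # Unused tail of block 2 padded with 0xFF, as erased flash reads.
    return original, part1 + foreign + part2.ljust(BLOCK, b"\xFF")

if __name__ == "__main__":
    original, dump = make_dump()
    for offset, block, kind in scan(dump):
        print(f"{kind} header at offset {offset:#x} (block {block})")
    naive = carve_jpeg_contiguous(dump, 0)
    print("contiguous carve matches file:", naive == original)
    print("block-order carve matches file:",
          reassemble(dump, [0, 2], len(original)) == original)
```

The contiguous carve finds the JPG header and an end marker but swallows the whole foreign block in between, so the recovered picture is corrupt even though every byte of it is present in the dump.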


Data Reconstruction
Reverse engineering of proprietary cell phone operating systems
- File system of phone
- User data (Phonebook, Call Logs with date and time, Pictures, MMS, SMS, Calendar, etc.)
- IMSI/ICC-ID Log


Data Reconstruction
Example Log:


Thank you for your attention!


Questions?!
Contact information:
Katja Koennecke
Bundeskriminalamt / Federal Criminal Police Germany
+49 (0)2225 89 23 106
KatjaVerena.Koennecke@bka.bund.de
