
Digital Forensics: Cell Phone/PDA Analysis

This document summarizes a lecture on digital forensics relating to cell phone and PDA analysis. It provides an overview of upcoming student presentations on analyzing various devices like cell phones, PDAs, MP3 players and digital cameras. It then details modules on analyzing cell phones and PDAs, describing the external communications, internal structures, functions, data types and locations for each. It concludes with a discussion of general tools and methods for acquisition and analysis, and acknowledges gaps in current forensic capabilities due to rapidly changing technologies.

Uploaded by

Saic

Digital Forensics

Lecture 8

Cell Phone/PDA Analysis


This Week’s Presentations

• Maggie Castillo: Cell Phones
• Jim Curry: PDAs
• Ryan Ware: Investigation of Non-traditional Equipment: Autos, Washers, …
• Nicholas Gallegos: MP3 Players
• Barry Gavrich: Flash Media (EC)
• Ron Prine: Digital Cameras
Next Week Presentations

• Joshua Prusak: Tools for Binary Analysis
• Sage LaTorra: Detection of Malicious Code
• Rodrigo Lopes: Reverse Engineering
• Chad Cravens: Encrypted Binaries (EC)
News Item
• US District Judge William Wilson has dismissed a class action lawsuit against data aggregator Acxiom, citing "lack of standing;" there is no evidence that data stolen from Acxiom's databases had been used to send spam or junk mail. Scott Levine was sentenced to eight years in prison for unauthorized access to Acxiom computers. Levine ran a company that had been identified as a spammer, but there is no evidence the company used the information taken from the Acxiom databases. An attorney for the plaintiffs says no decision has been made yet on whether they plan to appeal the judge's ruling.
Lecture Overview
[Diagram: Legal/Policy; Preparation, Collection, Analysis, Findings/Evidence, Reporting/Action]

• Cell Phones
• PDA’s
• General Tools and Methods
Module 1

Cell Phones
External Communications
• Cell Phone Network
  – Command channel
    • Used for registration, call processing, and some data
  – GSM/CDMA/AMPS data channel
• GPS
  – Used to establish geo-location of unit
• Bluetooth
  – Used for local dialing and audio extension
• IR
  – Used for PDA-like inter-unit communication
Internal Structure
• Processor
• Core applications
• User-configured applications
• SIM Card (GSM, can be exchanged between units)
• Application specific hardware (encryption, codecs, etc.)
• Integrated memory
• Expandable memory
• Audio transducers
• Camera lens
• Keypad entry
• Display
• Data port
• External communication interfaces
• Battery
Functions and Features
• Multi-network cell phone
• E911
• Web browsing
• Text messenger
• PDA (contacts, calendar, notes, etc.)
• Camera/video
• Voice recorder
• GPS navigator
• Personal audio/video player
• Personalized location-based services (e.g., dating)
• Other personalized services (e.g., sports scores)
Characteristics
• Radio communications
  – RF
  – CDMA (US), GSM (International)
• Data storage
  – Possibly removable
• Run programs
  – Web browser, email, timer
Type of Data to Collect
• User Data
  – Phone directory, images, movies, email, documents, bookmarks, Short Message Service (SMS), call logs
• Operator Data
  – Geographic data, SMS parameters, network priority, network restrictions
• Handset Data
  – Active internal parameters
Location of Data
• Handset
  – Phone numbers, stored audio/video/images/text msgs, documents, call logs, programs, calendar, alarms, various settings
• Network
  – Customer name/address, billing info, services, Call Data Record (stations, type of service, endpoints of calls)
• SIM (Subscriber Identity Module) (GSM only)
  – Card serial number, various control parameters
Gotchas
• Don’t power it off
• Don’t allow it to connect to the network
  – Store in Faraday cage
• Don’t try to unlock
• Cover IR port, if present
• If off, remove battery but keep with phone
Tools
• Data acquisition, decoding, and translation
  – Vary greatly depending on phone
• Data analysis
  – Lots of partially working tools
• SIM analysis
  – Tools don’t work for Cingular, Axalto
• Technology is changing daily!
Module 2

PDA’s
Characteristics
• Communications
  – Wired – USB, serial
  – Wireless – IR, WiFi, Bluetooth
• Data storage
  – Removable media
  – Internal
• Runs programs
  – Calendar, email, web browser
Type of Data to Collect
• User Data
  – Directory, images, movies, email, documents, bookmarks
• System Data
  – Internal settings
Location of Data
• PDA memory
• Removable media cards
• Synchronizing PC
• PC Backups
• Network owners
Gotchas
• Might have to reset auto shutoff mode
• Cover IR port, if present
• Store in Faraday cage until acquisition step
Tools
• Data acquisition, decoding, and translation
  – EnCase
  – PDA Seizure
  – Palm Debugger
• Data analysis
  – EnCase
  – PDA Seizure
  – Palm Emulator (http://www.palmos.com/dev/tools/emulator/)
Module 3

General Tools and Methods


Errata
• PDA’s and cell phones are converging
• Forensic tools are NOT keeping up


Tools
• Some common tools
  – Radio frequency limiters (Faraday bags/cages)
  – Radio frequency disrupters
  – Memory card readers
• Multi-purpose tools absent
• Specialized, sometimes to single models
• Most tools not court tested
Methods
• Data acquisition
  – Depends on role
  – Ask for PIN/PW, exploit known weaknesses
  – Access through backdoor
• Analysis
  – Similar to computer forensics
  – Use to find other pointers
  – Don’t forget cell phone network
Gaps
• What are the difficult problems?
  – Cell phone technology is not mature
  – Cell phone interfaces not standard
  – PDA’s and cell phone capabilities merging
  – Few products are court tested
• Balancing privacy with security
• Analysis techniques
Questions?

After all, you are an investigator
