
Royal Holloway University of London

Forensic Examinations of Mobile Phones


(iPhone Forensics)

Said, Ahmed Mahmoud


Student Number: 100123600

Supervisor: Carlos Cid

Submitted as part of the requirements for the award of the MSc in Information Security at
Royal Holloway, University of London.

I declare that this assignment is all my own work and that I have acknowledged all
quotations from the published or unpublished works of other people. I declare that I have
also read the statements on plagiarism in Section 1 of the Regulations Governing
Examination and Assessment Offences and in accordance with it I submit this project report
as my own work.

Signature: Ahmed Mahmoud Said

Date:
TABLE OF CONTENTS
LIST OF TABLES .............................................................................................. V

LIST OF FIGURES............................................................................................ VI

EXECUTIVE SUMMARY ................................................................................. VII

Chapter 1: Introduction.................................................................................. 1

Chapter 2: Background................................................................................... 3

2.1 Mobile Networks ........................................................................................... 3


2.1.1 GSM Network Architecture ............................................................................... 3
2.1.1.1 The Mobile Station (MS) ............................................................................ 3
2.1.1.2 The Base Transceiver Station (BTS) ............................................................. 4
2.1.1.3 The Base Station Controller (BSC) ............................................................... 4
2.1.1.4 The Mobile Switching Centre (MSC)............................................................ 4
2.1.1.5 The Location Registers ............................................................................... 4
2.1.2 GSM Network Security...................................................................................... 5
2.2 Subscriber Identity Module............................................................................ 5
2.2.2 SIM File System ................................................................................................ 6
2.2.3 File Access Control ............................................................................................ 8
2.3 Mobile Equipment ......................................................................................... 8
2.3.1 Mobile Equipment Architecture ........................................................................ 8
2.3.3 Mobile Equipment Security............................................................................. 10
2.4 Removable Media ........................................................................................ 10

Chapter 3: Mobile Forensics Principles ......................................................... 12

3.1 Digital Evidence ........................................................................................... 12


3.2 Procedural Models....................................................................................... 13
3.2.1 Preservation ................................................................................................... 13
3.2.1.1 Securing and Evaluating the Scene ........................................................... 13
3.2.1.2 Documenting the Scene ........................................................................... 14
3.2.1.3 Collecting the Evidence ............................................................................ 14
3.2.1.4 Packing, Transporting, and Storing the Evidence ....................................... 15

3.2.2 Acquisition ..................................................................................................... 17
3.2.2.1 Phone Identification................................................................................. 17
3.2.2.2 Connection Identification ......................................................................... 17
3.2.2.3 Tool Selection .......................................................................................... 17
3.2.2.4 Phone Acquisition .................................................................................... 17
3.2.3 Examination & Analysis .................................................................................. 18
3.2.4 Reporting ....................................................................................................... 19

Chapter 4: Mobile Forensics Tools ............................................................... 20

4.1 U(SIM) Forensic Tools .................................................................................. 21


4.2 Handsets Forensic Tools............................................................................... 23
4.2.1 Phone Manager Software ........................................................................... 23
4.2.2 AT Commands............................................................................................. 25
4.2.3 JTAG Interface ............................................................................................ 25
4.2.4 Flusher Boxes.............................................................................................. 26

Chapter 5: Mobile Forensic Challenges......................................................... 27

5.1 Procedural Challenges ................................................................................. 27


5.1.1 Crime Scene Challenges .................................................................................. 27
5.1.2 Acquisition Challenges .................................................................................... 28
5.2 Integrity Challenges ..................................................................................... 28
5.3 Anti-Forensics .............................................................................................. 29
5.3.1 Anti-Forensics Categories ............................................................................... 29

Chapter 6: iPhone Forensics ......................................................................... 31

6.1 Introduction ................................................................. 31


6.2 iPhone Overview ......................................................................................... 31
6.2.1 Processor .................................................................................................... 32
6.2.2 Flash Drive .................................................................................................. 32
6.2.3 Operating System. ...................................................................................... 33
6.2.4 iPhone Jailbreaking ..................................................................................... 33
6.2.5 Data Stored ................................................................................................ 34
6.3 iPhone Forensic Methodologies ................................................................... 34
6.3.1 Direct Acquisition ....................................................................................... 34
6.3.2 Backup or Logical Copy ............................................................................... 34
6.3.3 Physical bit-by-bit Copy............................................................................... 34
6.4 Testing Condition ......................................................................................... 35
6.5 Oxygen Forensic Suite 2010 ......................................................................... 36
6.5.1 Tool Overview ................................................................................................ 36
6.5.2 Software Installation ...................................................................................... 37
6.5.3 Data Acquisition ............................................................................................. 37
6.5.4 Results and Reporting ..................................................................................... 46
6.5.5 Test Summary ................................................................................................ 51
6.5.6 Conclusion ...................................................................................................... 51
6.6 Zdziarski Technique ..................................................................................... 52
6.6.1 Overview ........................................................................................................ 52
6.6.2 Installation ..................................................................................................... 52
6.6.2.1 Recovery Payload Installation .................................................................. 52
6.6.2.2 Secure Shell Installation ........................................................................... 53
6.6.2.3 Data Description installation .................................................................... 53
6.6.2.4 Network Setup ......................................................................................... 53
6.6.3 Data Acquisition ............................................................................................. 54
6.6.4 Results and Reporting ..................................................................................... 55
6.6.5 Test Summary ................................................................................................ 59
6.6.6 Conclusion ...................................................................................................... 59

Conclusion ................................................................................................... 60

BIBLIOGRAPHY ............................................................................................. 61

Appendix ....................................................................................................... A

LIST OF TABLES
Table 1: Common type of Memory Cards in use with PDA ..................................................... 11
Table 2: iPhone Hardware Components .................................................................................. 32
Table 3: Expected Data ............................................................................................................ 35
Table 5: Oxygen Tool – Test Summary ..................................................................... 51
Table 6: locations of the important data in the iPhone filesystem ......................................... 58
Table 6: Zdziarski Method – Test Summary ............................................................. 59

LIST OF FIGURES

Figure 1: Global mobile cellular subscriptions, total and per 100 inhabitants 2000-2009. ...... 1
Figure 2: GSM Network Architecture......................................................................................... 3
Figure 3: SIM Card ...................................................................................................................... 5
Figure 4: SIM Card Anatomy ...................................................................................................... 6
Figure 5: SIM File System ........................................................................................................... 6
Figure 6: Mobile Phone Forensic Examination – Preservation ................................................ 16
Figure 7: Flowchart of SIMBrush Procedures .......................................................................... 23
Figure 8: Phone Managers Filter Placement ............................................................................ 24
Figure 9: FBUS Protocol Communications ............................................................................... 25
Figure 10: JTAG Interface in Nokia 3310 Phone ...................................................................... 26
Figure 11: Internal Hardware Components, iPhone 3GS......................................................... 31
Figure 12: iPhone Operating System Design............................................................................ 33
Figure 13: Oxygen Connection Wizard .................................................................................... 37
Figure 14: Oxygen Connection Selection ................................................................................. 38
Figure 15: Oxygen Connect Phone via Cable ........................................................................... 39
Figure 16: Oxygen Phone Detected ......................................................................................... 40
Figure 17: Oxygen Data Extraction Wizard .............................................................................. 41
Figure 18: Oxygen Device Identification .................................................................................. 42
Figure 19: Oxygen Device Owner Number .............................................................................. 43
Figure 20: Oxygen Data Type Selection ................................................................................... 44
Figure 21: Oxygen Extraction Setting Confirmation ................................................................ 44
Figure 22: Oxygen Data Extraction Process ............................................................................. 45
Figure 23: Oxygen Extraction Summary................................................................................... 45
Figure 24: Oxygen Device Info Screen ..................................................................................... 46
Figure 25: Oxygen – Phonebook .............................................................................................. 46
Figure 26: Oxygen Calendar ..................................................................................................... 47
Figure 27: Oxygen SMS ............................................................................................................ 47
Figure 28: Oxygen Images ........................................................................................................ 48
Figure 29: Oxygen Melodies .................................................................................................... 48
Figure 30: Oxygen Documents ................................................................................................. 49
Figure 31: Oxygen Application ................................................................................................. 49
Figure 32: Oxygen Database .................................................................................................... 50
Figure 33: Oxygen Other Files .................................................................................................. 50
Figure 34: JailbreakMe Home Screen ...................................................................................... 53
Figure 35: Cydia Home Screen ................................................................................................. 53
Figure 36: OpenSSH Installation Page...................................................................................... 53
Figure 37: iPhone filesystem, dd image creation .................................................................... 54
Figure 38: PhotoRec data recovery .......................................................................................... 55
Figure 39: images recovered by PhotoRec .............................................................................. 56
Figure 40: Recovered screenshot for the settings menu......................................................... 56
Figure 41: Image browsing through HFSExplorer .................................................................... 57
Figure 42: Data extraction using HFSExplorer ......................................................................... 57
Figure 43: Phonebook DB – ABPerson table as displayed on SQLite browser ........................ 58
Figure 44: Call history database as displayed in SQLite browser ............................................ 59

EXECUTIVE SUMMARY

Demand for mobile phones has increased globally, and their functionality now rivals that of
desktop computers despite their smaller size. This makes them easy to use in daily life for
many tasks beyond making and receiving calls: mobile phones are now capable of texting, web
browsing, e-mailing, photography and other business tasks, which increases the importance of
the data stored on them. These portable data carriers represent a significant source of
evidence in both civil and criminal cases, hence the importance of mobile phone forensics.

Retrieving data from mobile phones during a forensic investigation requires specialised
tools. Various forensic toolkits are available, each with its own advantages and
limitations.

Because of the wide range of mobile phone models, many of which use proprietary
manufacturer standards, mobile forensic examination is more challenging than computer
forensics.

This project provides an overview of mobile phone forensics, the different types of forensic
tools and the different forensic techniques. A practical case study shows how two different
techniques are used to examine an iPhone.

Chapter 1: Introduction

According to the International Telecommunication Union (ITU), there were over 4.6 billion
mobile cellular subscriptions worldwide by the end of 2009, corresponding to 67.0 per cent of
the global population (ITU Telecom World 2009, 2009 p. 1). In 2007 mobile penetration in
Europe reached 111% of the total European population (International Telecommunication
Union, 2009 p. 3). Figure 1 shows global mobile cellular subscriptions from 2000 to 2009.

Figure 1: Global mobile cellular subscriptions, total and per 100 inhabitants 2000-2009.
Source: (ITU World Telecommunication).

Today's mobile phones (smartphones) are compact computers with high performance, large
memory capacity, rich applications and several means of communication. They can be used to
make and receive calls, send text messages, browse the internet, take photographs and record
video, store documents and address books, play music, navigate by GPS and more. Although
they are used for all these legitimate tasks, they can also be used to carry out illegal
activities.

Mobile phones were used by criminals as early as the 1980s to organise drug gangs and
prostitution and to facilitate everyday operations (Mock, 2002), and they are now widely
used behind bars by inmates who continue their crimes through unmonitored calls to their
networks outside the prison. It is difficult to stop the flow of phones into prisons, since
inmates have many ways of smuggling them in: hidden inside other items, e.g. books or cereal
boxes, or inside their bodies, or disguised as other objects such as watches, pens or
portable radios (Bryan, 2009).

Today, improved network connectivity and mobile phone security have enabled the secure use
of mobile phones for online transactions such as online shopping, e-banking and stock
trading. Business applications for mobile phones allow them to be used as mobile offices,
storing a great deal of corporate data (Marwan, 2006).

Mobile forensics is the “science of recovering digital evidence from mobile phones under
forensically sound conditions using accepted methods” (Ayers, et al., 2007). Extracting all
relevant data from a mobile phone presents many challenges to the investigator, including
the wide range of phone brands, the variety of embedded operating systems and the compact
design. In addition, battery-powered phones require special hardware tools, cables and
chargers.

The iPhone was introduced by Apple in January 2007 as a multimedia and internet-enabled
smartphone with a large memory capacity (Zdziarski, 2008). Public interest in the iPhone has
since grown, and it has generated considerable controversy among consumers, business
customers and now the forensic community.

Chapter 2: Background

2.1 Mobile Networks


There are several types of digital cellular network; the two most common are the Global
System for Mobile Communication (GSM) and Code Division Multiple Access (CDMA). Others
include Time Division Multiple Access (TDMA) and the Integrated Digital Enhanced Network
(iDEN) (Jansen, et al., 2007).

2.1.1 GSM Network Architecture


GSM is the most widely used network worldwide; it was designed in Europe in 1988 by a
standardisation group called “Groupe Spécial Mobile” (GSM) (Forensics and the GSM mobile
telephone system, 2003). GSM uses a digital link technology in which a single carrier, the
radio channel, is shared by multiple users in turn: each phone has exclusive use of the
channel for an allocated time slot, then releases it and waits while another phone uses it.

Second-generation GSM (2G) is a fully digital system, unlike the first generation, which
used analogue signals. The General Packet Radio Service (GPRS) was standardised to add
packet switching and improve data transmission. The third generation of mobile networks
(3G) is known as the Universal Mobile Telecommunications System (UMTS); it provides faster
data transmission and new types of service, including multimedia and IP-based services.
Figure 2 illustrates the GSM network architecture (Martin, 2009).

Figure 2: GSM Network Architecture.


Source: (Martin, 2009 p. 54)
2.1.1.1 The Mobile Station (MS)
The MS is the user equipment. It is a combination of two parts: the Mobile Equipment (ME)
and the subscriber data stored on the Subscriber Identity Module (SIM card). The SIM holds
the International Mobile Subscriber Identity (IMSI), a unique 15-digit number that identifies
the subscriber. The IMSI consists of a 3-digit Mobile Country Code (MCC), a 2- or 3-digit
Mobile Network Code (MNC) and the remaining digits, which are assigned by the network
operator (Wayne, et al., 2007).

The SIM card also contains a list of available networks, the subscriber's authentication key
and algorithms, and storage space for SMS messages and phone numbers.

2.1.1.2 The Base Transceiver Station (BTS)


The BTS is the network equipment responsible for the following tasks (Nokia Networks Oy,
2002).
- Air interface signalling: all signalling on a radio channel is interpreted by the BTS, i.e.
call and non-call signalling, the information the MS sends when it is first switched on, and
the signalling by which the MS is told about a handover and acknowledges it.
- Ciphering: the BTS and the MS encrypt and decrypt the information to protect it while it
is transmitted over the air.
- Speech processing: the BTS has to ensure that all connections with the MS are error free,
which includes speech coding, channel coding and burst formatting.
A BTS has an antenna with several radio transceivers (TRXs), each communicating on one
radio frequency (Forensics and the GSM mobile telephone system, 2003).

2.1.1.3 The Base Station Controller (BSC)


The BSC controls the radio network for several BTSs; it handles tasks related to call setup,
location updates and MS handover (Forensics and the GSM mobile telephone system, 2003).

2.1.1.4 The Mobile Switching Centre (MSC)


The MSC is an ISDN switch with extra functionality to support mobile subscribers. Its main
function is to connect the mobile network to a fixed network. The MSC plays an important
role in call control, the initiation of paging and the collection of charging data (Nokia
Networks Oy, 2002).
Because of the lack of standards for GSM operation and management, service providers usually
buy their BSCs, MSCs and location registers from a single manufacturer (Forensics and the
GSM mobile telephone system, 2003).

2.1.1.5 The Location Registers


Every MSC is associated with a Visitor Location Register (VLR), and a VLR may serve more
than one MSC. The VLR stores the data needed to track all subscribers currently roaming in
the associated MSC area. Subscriber information is updated either from the mobile station
through the MSC or from the Home Location Register (HLR), where all subscribers'
information, services and authentication data are stored. When a user roams into another
VLR/MSC area, the HLR is updated. The HLR needs a very large transaction capacity, since it
is consulted every time a mobile station sets up a call or transmits data over the network
(Forensics and the GSM mobile telephone system, 2003).

2.1.2 GSM Network Security
GSM networks authenticate the user with a challenge-response protocol. The subscriber's SIM
card holds a 128-bit secret key (Ki), generated randomly by the operator and stored securely
on the card. The operator's Authentication Centre (AuC) generates a 128-bit random number
(RAND) and sends it to the subscriber. The SIM uses the authentication algorithm A3 to
compute a 32-bit response SRES = A3(Ki, RAND), which is sent back to the operator.
The operator performs the same computation to obtain the expected response (XRES) and
compares SRES with XRES; if SRES = XRES the subscriber is authenticated (Martin, 2009).
GSM networks provide confidentiality by encryption. During authentication the same RAND is
used to derive a fresh session key: the SIM uses the key generation algorithm A8 to compute
a 64-bit key Kc = A8(Ki, RAND). All traffic between the MS and the BTS, including voice and
messaging, is encrypted under Kc with the stream cipher A5, and a new Kc is generated for
every call (Martin, 2009).
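The exchange described in this section, written out with both sides' computations, as an added example that is not part of the thesis or of any GSM implementation. A3 and A8 are operator-chosen algorithms whose designs are not public, so they are stood in for here by HMAC-SHA256 truncated to the GSM field widths (SRES 32 bits, Kc 64 bits); the class and function names, the Ki and the IMSI are constructed for the example.

```python
# Added example, not from the thesis: the GSM challenge-response exchange of
# section 2.1.2 with both sides' computations spelled out. A3 and A8 are
# operator-chosen algorithms whose designs are not public, so they are stood
# in for by HMAC-SHA256 truncated to the GSM field widths (SRES 32 bits,
# Kc 64 bits). Ki and IMSI below are constructed test values.
from __future__ import annotations
import hashlib
import hmac
import os


def a3(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for A3: 128-bit Ki and RAND in, 32-bit SRES out."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]


def a8(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for A8: 128-bit Ki and RAND in, 64-bit Kc out."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]


class AuthenticationCentre:
    """Operator side. Ki is provisioned here and on the SIM and never transmitted."""

    def __init__(self) -> None:
        self._ki_by_imsi: dict[str, bytes] = {}

    def provision(self, imsi: str, ki: bytes) -> None:
        if len(ki) != 16:
            raise ValueError("Ki is 128 bits")
        self._ki_by_imsi[imsi] = ki

    def triplet(self, imsi: str, rand: bytes | None = None) -> tuple[bytes, bytes, bytes]:
        """(RAND, XRES, Kc): the authentication triplet handed to the MSC/VLR."""
        if imsi not in self._ki_by_imsi:
            raise KeyError(f"unknown IMSI {imsi}")
        ki = self._ki_by_imsi[imsi]
        rand = os.urandom(16) if rand is None else rand   # fresh challenge per run
        return rand, a3(ki, rand), a8(ki, rand)


class Sim:
    """Subscriber side: only the card can compute SRES and Kc, because only it holds Ki."""

    def __init__(self, imsi: str, ki: bytes) -> None:
        self.imsi, self._ki = imsi, ki

    def run_gsm_algorithm(self, rand: bytes) -> tuple[bytes, bytes]:
        """The RUN GSM ALGORITHM command: the ME passes RAND in and gets SRES and Kc back."""
        if len(rand) != 16:
            raise ValueError("RAND is 128 bits")
        return a3(self._ki, rand), a8(self._ki, rand)


def authenticate(auc: AuthenticationCentre, sim: Sim,
                 rand: bytes | None = None) -> tuple[bool, bytes | None]:
    """One authentication run. Returns (accepted, Kc the network will cipher with)."""
    rand, xres, kc = auc.triplet(sim.imsi, rand)   # AuC -> MSC/VLR -> MS: RAND
    sres, _kc_on_card = sim.run_gsm_algorithm(rand)  # MS -> MSC/VLR: SRES
    if not hmac.compare_digest(sres, xres):           # SRES == XRES ?
        return False, None
    return True, kc


if __name__ == "__main__":
    ki = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed, not a real Ki
    auc = AuthenticationCentre()
    auc.provision("234150123456789", ki)
    ok, kc = authenticate(auc, Sim("234150123456789", ki))
    print("genuine SIM accepted:", ok, "Kc:", kc.hex())
    # A clone with a guessed Ki produces the wrong SRES and is rejected.
    print("clone accepted:", authenticate(auc, Sim("234150123456789", bytes(16)))[0])
```

Two points the exchange makes visible: everything rests on Ki staying inside the SIM and the AuC (the network only ever sees RAND and SRES, and a forensic tool can read the session key from EF_Kc but never Ki), and the protocol is one-way, since nothing in it proves the network's identity to the MS.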

2.2 Subscriber Identity Module


Identity modules are “trusted hardware designed to store, process data and to act as
security token to gain access to the cellular network services” (Jansen, et al., 2009). The
Subscriber Identity Module (SIM card) is the identity module of second-generation GSM
networks (2G); the UMTS SIM (USIM) is the identity module of 3G networks and is backward
compatible with 2G networks (TR, 2009).
The (U)SIM is a removable smart card that holds essential information about the subscriber
and is used to authenticate the subscriber to the network in order to obtain its services.
The (U)SIM also provides a small amount of storage for user data, e.g. phone book entries,
messages, call logs and service information.

There are two standard card sizes for (U)SIMs, but only the smaller plug-in format
(Figure 3) is in wide use in GSM phones today. The card measures 25 mm by 15 mm and is
0.76 mm thick (Jansen, et al., 2007).

Figure 3: SIM Card


Source: (Jansen, et al., 2007)

2.2.1 SIM Anatomy


The (U)SIM card is a single-chip smart card containing a microprocessor, 16-128 KB of
persistent Electrically Erasable Programmable Read Only Memory (EEPROM), RAM for program
execution and Read Only Memory (ROM) holding the operating system and the encryption and
authentication algorithms (Jansen, et al., 2007). Figure 4 shows the main components of the
(U)SIM card (Stepanov p. 22).

Figure 4: SIM Card Anatomy


Source: (Stepanov)
2.2.2 SIM File System
The file system is stored in the EEPROM and has a hierarchical structure with three kinds of
component (Jansen, et al., 2009), (Savoldi, et al., 2007):
- Master File (MF)
- Dedicated Files (DF)
- Elementary Files (EF)

Figure 5 illustrates the file system hierarchy of a SIM card (Jansen, et al., 2009)

Figure 5: SIM File System


Source: (Jansen, et al., 2009)

Master File (MF)


The master file is the root of the file system; it contains one or more DFs and may also
contain one or more EFs.

Dedicated Files (DF)


Dedicated files can be thought of as containers or directories. The main difference between
a DF and an EF is that a DF has only a header while an EF has a header and a body. Headers
hold the metadata describing the file structure and the security information (access rights
to the file); bodies hold the data of the applications for which the card is issued (Savoldi,
et al., 2007).

Elementary Files (EF)


Elementary files sit below the DFs in the hierarchy, except for EFs placed directly under the
MF. EFs are the files that hold the actual data. EFs usually do not have names; they are
addressed by file identifiers instead (Michael, 2007).
An EF can hold data in one of three structures:
- Transparent: the body is a single sequence of bytes, read by offset.
- Linear fixed: the body is a set of fixed-length records rather than bytes, and every
record in a file holds the same kind of information.
- Cyclic: fixed-length records are kept in a ring; when the ring is full the oldest record
is overwritten, so the last entry written is the first one read out.
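The three structures above, modelled as the card's operating system presents them, as an added example that is not part of the thesis. It shows the two behaviours an examiner relies on: a cyclic file such as EF_LND presents its newest record as record 1 and drops the oldest once full, and a linear fixed file such as EF_SMS keeps the body of a record after the handset marks it free. Record numbering and the EF_SMS status values follow GSM 11.11; the class names, the handset deletion behaviour (which varies by model) and all numbers and messages are constructed for the example.

```python
# Added example, not part of the thesis: a small model of the three EF
# structures, with the behaviours an examiner relies on. Record numbering and
# the EF_SMS status byte values follow GSM 11.11; contents are constructed.
from __future__ import annotations


class TransparentEF:
    """One byte string addressed by offset (e.g. EF_IMSI, EF_ICCID)."""

    def __init__(self, data: bytes) -> None:
        self.data = bytes(data)

    def read_binary(self, offset: int = 0, length: int | None = None) -> bytes:
        end = len(self.data) if length is None else offset + length
        if offset < 0 or end > len(self.data):
            raise ValueError("read outside the file body")
        return self.data[offset:end]


class LinearFixedEF:
    """Fixed-length records addressed by absolute number, 1-based (e.g. EF_ADN, EF_SMS)."""

    def __init__(self, record_len: int, records: int) -> None:
        self.record_len = record_len
        self._records = [b"\xff" * record_len for _ in range(records)]  # unused = 0xFF

    def __len__(self) -> int:
        return len(self._records)

    def _check(self, n: int, data: bytes | None = None) -> None:
        if not 1 <= n <= len(self._records):
            raise ValueError("no such record")
        if data is not None and len(data) != self.record_len:
            raise ValueError("record length mismatch")

    def update_record(self, n: int, data: bytes) -> None:
        self._check(n, data)
        self._records[n - 1] = bytes(data)

    def read_record(self, n: int) -> bytes:
        self._check(n)
        return self._records[n - 1]


class CyclicEF:
    """Fixed-length records in a ring (e.g. EF_LND). Record 1 is always the most
    recently written one; a write into a full file overwrites the oldest."""

    def __init__(self, record_len: int, records: int) -> None:
        self.record_len = record_len
        self._ring = [b"\xff" * record_len for _ in range(records)]
        self._head = 0  # ring index of logical record 1

    def update_previous(self, data: bytes) -> None:
        """UPDATE RECORD in mode PREVIOUS: how a handset pushes a new entry."""
        if len(data) != self.record_len:
            raise ValueError("record length mismatch")
        self._head = (self._head - 1) % len(self._ring)
        self._ring[self._head] = bytes(data)

    def read_record(self, n: int) -> bytes:
        if not 1 <= n <= len(self._ring):
            raise ValueError("no such record")
        return self._ring[(self._head + n - 1) % len(self._ring)]

    def newest_first(self) -> list[bytes]:
        return [self.read_record(i) for i in range(1, len(self._ring) + 1)]


# EF_SMS record = 1 status byte + 175-byte TPDU area. Status values per GSM 11.11.
SMS_FREE, SMS_READ, SMS_UNREAD, SMS_SENT, SMS_TO_SEND = 0x00, 0x01, 0x03, 0x05, 0x07
SMS_RECORD_LEN = 176


def sms_record(status: int, tpdu: bytes) -> bytes:
    """Build one EF_SMS record, padding the unused TPDU area with 0xFF."""
    if len(tpdu) > SMS_RECORD_LEN - 1:
        raise ValueError("TPDU too long for EF_SMS")
    return bytes([status]) + tpdu + b"\xff" * (SMS_RECORD_LEN - 1 - len(tpdu))


def handset_delete_sms(ef: LinearFixedEF, n: int) -> None:
    """What many handsets do on 'delete': flip the status byte to free and leave
    the TPDU in place. Constructed behaviour; some models overwrite the body."""
    ef.update_record(n, bytes([SMS_FREE]) + ef.read_record(n)[1:])


def carve_sms(ef: LinearFixedEF) -> list[tuple[int, int, bytes]]:
    """Examiner's view: every record whose TPDU area is not all filler, including
    those the status byte says are free, as (record number, status, tpdu)."""
    found = []
    for n in range(1, len(ef) + 1):
        rec = ef.read_record(n)
        tpdu = rec[1:].rstrip(b"\xff")
        if tpdu:
            found.append((n, rec[0], tpdu))
    return found
```

The forensic consequence of the cyclic structure is that EF_LND can only ever yield the last N numbers dialled, in reverse order, and nothing about entries that have been pushed out; the consequence of the linear fixed structure is that a tool which honours the status byte will hide exactly the "deleted" messages an examiner is most interested in, so the records should be read raw.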

As specified by (Savoldi, et al., 2007), many of the files stored on the (U)SIM card can be
used as evidence during a forensic investigation.

- Information about the subscriber: the SIM card stores the International Mobile
Subscriber Identity (IMSI) in the elementary file EF_IMSI. Other files are also of forensic
interest: the preferred languages stored in EF_LP and EF_ELP can help determine the
subscriber's nationality, and the Mobile Station ISDN number (MSISDN) stored in EF_MSISDN
can be used to retrieve call logs.

- Information about acquaintances: the subscriber can store frequently used or important
numbers in EF_ADN, EF_FDN and EF_BDN (abbreviated, fixed and barred dialling numbers). The
subscriber can also register “multicall” groups with one or more other subscribers.

- Information about the Short Message Service (SMS): sent and received SMS messages,
together with a status flag showing whether each has been read, are stored in EF_SMS.

- Information about the subscriber's location: EF_LOCI stores information about the last
area in which the subscriber was registered by the network.

- Information about calls: the last dialled numbers are stored in EF_LND, and the cipher
key Kc used to encrypt calls is stored in EF_Kc.

- Information about the service provider: the network provider's name is stored in EF_SPN,
the preferred networks are listed in EF_PLMNsel and forbidden networks in EF_FPLMN.

- Information about the system: every SIM card has a unique numeric identifier, the
Integrated Circuit Card Identifier (ICCID), of up to 20 digits. It consists of an industry
identifier (89 for telecommunications), followed by a country code, an issuer identifier
number and an individual account identification number (Wayne, et al., 2007). This
identifier is stored in EF_ICCID. The layout of the remaining fields is left to the operator
and the SIM manufacturer, and an examiner can use EF_ICCID to identify the SIM manufacturer,
the network operator and the country of issuance.

All services enabled for the subscriber are recorded in the SIM Service Table, EF_SST.

2.2.3 File Access Control


SIM cards provide tamper-resistant protection for their contents; different levels of rights are assigned to DFs and EFs to control the access conditions (Wayne, et al., 2007).
• Always: Access is allowed without any restrictions.
• Card Holder Verification 1 (CHV1): Access is allowed only after the user enters the correct PIN, or when PIN verification is disabled.
• Card Holder Verification 2 (CHV2): Access is allowed only after the user enters the correct PIN2, or when PIN2 verification is disabled.
• Administrative: Access can be performed only after the prescribed requirements for administrative access are fulfilled.
• Never: Access to the file from the mobile equipment interface is forbidden.

Access to the file system managed by the operating system is based on the access rights and the action attempted (Wayne, et al., 2007). The operating system allows only a specific number of attempts to enter the correct CHV (usually three); after that, further attempts are blocked. To reset the attempt counter, the user has to submit the correct PIN Unblocking Key (PUK); if the number of attempts to enter the correct PUK exceeds a set limit (usually ten attempts), the card becomes blocked permanently.

2.3 Mobile Equipment


“Mobile phones are highly mobile communication devices that perform an array of functions ranging from that of a simple digital organizer to that of a low-end personal computer. Designed for mobility, they are compact in size, battery powered, and lightweight” (Jansen, et al., 2007).

2.3.1 Mobile Equipment Architecture


There are standard specifications for the functionality of mobile equipment in the GSM network when it comes to interaction with the SIM and the network. Once these specifications are met, it is up to the manufacturer to decide what other functions to implement on the mobile equipment (Forensics and the GSM mobile telephone system, 2003). Most mobile devices have a basic set of hardware components (Jansen, et al., 2007): a microprocessor, which reduces the number of required chips, and a high memory capacity; read-only memory (ROM), where the operating system is stored, which can be erased and reprogrammed using special tools; random access memory (RAM), which is used by some models to store user data and depends on the battery to retain its contents; a radio interface; a digital signal processor; a microphone and speaker; various hardware keys and interfaces; and a liquid crystal display (LCD).

Physical and technical specifications differ from device to device; some devices have more advanced functions, e.g. camera, GPS, PDA, etc. Generally, mobile phones can be classified into three categories: basic phones with simple functionality, advanced phones that offer some extra functionality and multimedia, and smart phones that merge the functionality of advanced phones and PDAs (Jansen, et al., 2007).
Most basic and advanced mobile equipment uses the manufacturer's proprietary operating system or an embedded operating system designed by other companies especially for mobile devices. Smart phones usually use one of the following operating systems: Windows Mobile, Linux, RIM OS, Mac OSX, Symbian OS or Palm OS. These operating systems are multitasking and designed specially to match the capabilities of high-end mobile equipment and the wide range of applications it supports (Jansen, et al., 2007).

Mobile equipment is identified by a unique 15- or 17-digit code called the International Mobile Equipment Identifier (IMEI). The IMEI is used to identify every mobile phone on the mobile network. The first 14 digits consist of 8 digits for the Type Allocation Code (TAC), a unique number assigned by the Reporting Body that identifies the model of the mobile device, followed by 6 digits assigned by the TAC holder as a device serial number. The fifteenth digit is calculated by the TAC holder using the Luhn formula (BABT).
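As an added example (not code from the dissertation or from any standard), the following Python splits a 15-digit IMEI into the TAC, serial and check digit described above and recomputes the Luhn check digit, which is also the check an examiner would apply to the IMEI recorded during phone identification. The IMEI values used are constructed and identify no real device.

```python
"""IMEI structure and Luhn check digit as described in the text.

Added example: not code from the dissertation or from any standard.  The
IMEI values used here are constructed for illustration and identify no real
device.  Layout assumed from the description above: 8-digit TAC, 6-digit
serial assigned by the TAC holder, and a 15th Luhn check digit.
"""
from dataclasses import dataclass


def luhn_check_digit(payload: str) -> str:
    """Luhn check digit for a string of decimal digits.

    Walking the payload from the right, every other digit (starting with the
    rightmost) is doubled and any result above 9 has 9 subtracted; the check
    digit brings the sum to a multiple of ten.
    """
    if not payload.isdigit():
        raise ValueError("payload must consist of decimal digits")
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:          # rightmost payload digit is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True if the last digit is the Luhn check digit of the digits before it."""
    return (len(number) >= 2 and number.isdigit()
            and luhn_check_digit(number[:-1]) == number[-1])


@dataclass(frozen=True)
class IMEI:
    tac: str           # Type Allocation Code: 8 digits, identifies the model
    serial: str        # 6 digits assigned by the TAC holder
    check: str         # 15th digit, Luhn over the first 14
    check_valid: bool  # False: the IMEI as recorded is not well formed


def parse_imei(imei: str) -> IMEI:
    """Split a 15-digit IMEI into TAC, serial and check digit and verify it.

    Separators seen on labels and in tool output (spaces, dashes) are
    stripped first.  A valid check digit only shows the number is well
    formed; it cannot reveal a rewritten IMEI, so the value a tool reports
    should still be compared with the label and the battery cavity.
    """
    digits = "".join(ch for ch in imei if ch.isdigit())
    if len(digits) != 15:
        raise ValueError(f"expected a 15-digit IMEI, got {len(digits)} digits")
    return IMEI(tac=digits[:8], serial=digits[8:14], check=digits[14],
                check_valid=luhn_valid(digits))


if __name__ == "__main__":
    payload = "01234567" + "012345"        # constructed TAC + serial
    full = payload + luhn_check_digit(payload)
    print(full, parse_imei(full))
    print(parse_imei("01-234567-012345-8").check_valid)   # mistyped check digit
```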

IMEI number can be used to report stolen phones and block them from accessing the
network. The owner of a stolen phone can contact the CEIR (Central Equipment Identity
Register) which will register the device as blacklisted in all currently operating networks
(GSM Security, 2009).

2.3.2 Mobile Equipment Contents


The following contents of mobile phones can have value as evidence during a forensic investigation:
• Text Messages
• Calendar Events
• Phone/Address Book
• Emails
• IMEI number
• Settings (language, tone, volume, date, time...)
• Short Dial Numbers
• Audio Files / Recordings
• Documents
• Programs
• GPRS, Internet Browsing and Internet settings

2.3.3 Mobile Equipment Security


Manufacturers of mobile phones usually need to access the phone contents to upgrade the software; this can be done for most phones. The procedure requires knowledge of the programming interface of the phone and some information that the manufacturer usually keeps secret. There are many unauthorized tools on the internet, called “flashers”, which can be used to access the phone memory contents and allow anyone to modify them, including the phone operating system (Forensics and the GSM mobile telephone system, 2003). These modifications are made either to remove the access restrictions of the phone, such as the Service Provider Lock that ties the phone to a SIM card from a specific service provider, or to change the IMEI number of the phone, which is required to keep using stolen phones once they have been blocked by the network providers. Changing the IMEI makes it very difficult to trace the usage of the flashed phone, and it is not easy even to detect that the IMEI has been changed (Forensics and the GSM mobile telephone system, 2003).

2.4 Removable Media


Removable media is used to extend the storage capacity of the mobile phone, allowing users to store more information on their phones. It can also be used to share information between users or to transfer information between mobile devices and computers. Memory cards are the main type of removable media available for mobile phones, with storage capacities ranging from megabytes to gigabytes. Media cards are usually formatted with FAT and can be handled in a similar way to a disk drive: they can be imaged and analyzed using computer forensics tools with a compatible media adapter and a write blocker to ensure the consistency of the data (Ayers, et al., 2007).
Table 2 shows the common types of memory cards used with PDAs (Wayne, et al.).

Compact Flash Card (CF)
    Matchbook size (length 36.4 mm, width 42.8 mm, thickness 3.3 mm for Type I cards and 5 mm for Type II cards)
    50-pin connector, 16-bit data bus

Multi-Media Card (MMC)
    Postage stamp size (length 32 mm, width 24 mm, thickness 1.4 mm)
    7-pin connector, 1-bit data bus

Reduced Size MMC
    Fingernail size (length 18 mm, width 24 mm, thickness 1.4 mm)
    7-pin connector, 1-bit data bus
    Requires a mechanical adapter to be used in a full size MMC slot

Secure Digital (SD) Card
    Postage stamp size (length 32 mm, width 24 mm, thickness 2.1 mm)
    9-pin connector, 4-bit data bus
    Features a mechanical erasure-prevention switch

MiniSD Card
    Fingernail size (length 21.5 mm, width 20 mm, thickness 1.4 mm)
    9-pin connector, 4-bit data bus
    Features a mechanical erasure-prevention switch
    Requires a mechanical adapter to be used in a full size SD slot

Memory Stick
    Chewing gum stick size (length 50 mm, width 21.45 mm, thickness 2.8 mm)
    10-pin connector, 1-bit data bus
    Features a mechanical erasure-prevention switch

Memory Stick Duo
    Partial chewing gum stick size (length 31 mm, width 20 mm, thickness 1.6 mm)
    10-pin connector, 4-bit data bus
    Features a mechanical erasure-prevention switch

Table 1: Common types of Memory Cards in use with PDAs
Source: (Wayne, et al.)

Chapter 3: Mobile Forensics Principles

3.1 Digital Evidence


According to SWGDE (Scientific Working Group on Digital Evidence, 2007), digital evidence is “information of probative value that is stored or transmitted in binary form”. According to this definition, digital evidence is not limited to information stored on computers but includes any information from a digital device. Digital evidence is by nature very fragile, especially evidence obtained from mobile phones, since it can be changed or lost at any time while the phone is on (Jansen, et al., 2007). Based on the Good Practice Guide for Computer-Based Electronic Evidence produced by the Association of Chief Police Officers (ACPO), there are four principles for dealing with digital evidence (ACPO, 2003):
• Principle 1: No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court.
• Principle 2: In circumstances where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
• Principle 3: An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
• Principle 4: The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.

Not all digital evidence falls within the scope of these principles; for example, mobile phone evidence cannot comply with Principle 1 because mobile phone storage changes continually and automatically even without user interference (ACPO, 2003). The goal of mobile phone forensics should be to minimize the effect on the content of the mobile storage as much as possible. Principles 2 and 3 of the ACPO guide should be followed strictly by involving a specialist who is competent to understand the software and hardware of the specific phone and has expert knowledge of the tools used to acquire the evidence from it, and by generating a detailed audit trail of all applied processes in a way that can be replicated by another third party if necessary (Marwan, 2006).

There are several reliability factors for dealing with digital evidence in court. These factors should be kept in mind before applying and reporting any scientific technique used during the forensic examination (Jansen, et al., 2007).

• Testability: has this technique been tested theoretically?
• Acceptance: has this technique been subject to review and publication?
• Error Rate: what is the known error rate?
• Credibility: does this technique require special skills and equipment, or can it be repeated by other experts?
• Clarity: can this technique be explained clearly in court?

3.2 Procedural Models


Many digital forensic frameworks have been proposed; however, there is no consensus on which is the most appropriate, and every framework may suit a specific type of forensic investigation (Ramabhadran, 2007). Every forensic investigation or incident should be handled differently depending on its nature. As an example of a mobile forensic framework, I will summarize here the simple framework recommended by the National Institute of Standards and Technology (NIST) in its Guidelines on Cell Phone Forensics (Jansen, et al., 2007).
This framework contains four main stages: preservation, acquisition, examination and analysis, and reporting.

3.2.1 Preservation
Evidence preservation is “the process of seizing suspect property without altering or changing the contents of data residing on the device and removable media” (Jansen, et al., 2007). Preservation is the first step in digital evidence acquisition; it occurs prior to the actual investigation and involves searching for, recognizing, documenting and collecting the digital evidence. The preservation process consists of the following steps (Jansen, et al., 2007).

3.2.1.1 Securing and Evaluating the Scene


Before starting the investigation, the investigator should ensure that he has permission from the owner or that proper authorization is in place. At this stage, the investigator should understand the scope of the crime, ensure the safety of everybody at the scene and protect the integrity of the evidence. Other traditional forensic methods such as DNA, fingerprints or other biological traces (saliva, hair, and skin) could be useful to link the mobile phone to its owner, so any contact with these materials should be avoided. All other mobile peripherals, such as memory cards, SIM cards, power charger, cables or a personal computer that could have been used to sync the phone, should be of interest to the investigator during the scene evaluation.

The phone user or owner should not be allowed to handle the mobile device or any other peripherals, since he could change the content of the phone or clear the data using the master code available for most phones. During the interview with the phone user, the investigator should request any security codes or passwords needed to gain access to the phone contents.

Sometimes phones may be found in a potentially dangerous state, for example a mobile phone that is a component of an explosive device, a mobile phone found in a flower container covered with a corrosive liquid, or a mobile phone switched on in a place where a real danger of fire or explosion exists (Netherlands Forensic Institute, 2006). In such cases people's safety comes first, and a specialist should be consulted.

Mobile phones or peripherals may be found in a damaged state, but the damage may not prevent the extraction of data. Undamaged memory may be removed from damaged equipment, so all damaged equipment should be taken to the lab to be repaired and restored to a state acceptable for examination (Jansen, et al., 2007).

3.2.1.2 Documenting the Scene


Other non-electronic evidence such as packaging material, manuals, and invoices may be useful during the forensic investigation, as it may provide information about the device, the user, the network used and PIN/PUK codes. All evidence should be identified and accounted for carefully with a label, a brief description, the collection date and time, and the investigator's signature (Jansen, et al., 2007).

All digital devices should be photographed along with other peripherals such as media cards,
cables, power connections and the environment where they are found. If the phone is on
and the display screen is in the viewable state, then it should be photographed to display
the time, icons, LED status, battery level, network connection and the physical status
(Jansen, et al., 2007).

No attempt should be made to view, record, or determine what is present on the phone at
this stage. Any attempt to view or record anything not under display can affect the content
of the mobile device.

3.2.1.3 Collecting the Evidence


If the phone is found switched on, isolating it from the radio network is very important to avoid data being overwritten; for example, new SMS messages or new calls may overwrite old records. Some programs, such as LockMe, enable remote locking of the phone, and malformed messages may be sent to the phone to disable it completely (Jansen, et al., 2007). Isolating the phone from the radio network is a very critical task and can be done by one of the following methods (Jansen, et al., 2007):
• Turning the phone off; however, if the phone requires a security code (PIN/Security Code) to access the contents, this may complicate the process.
• Keeping it on but isolating the radio signal using special containers or bags. With this method the phone will keep trying to connect to the network, which may drain the battery. Some phones will also reset the network data, which may be useful as evidence, after some period of failure to connect.
• Enabling Airplane mode or disabling all network connections; this method requires physical interaction with the phone, which carries some risk.

Any cables connecting the phone to a computer for synchronization should be unplugged to prevent changes to the phone contents.

The battery should be kept at an appropriate charge level until the end of the examination. Sometimes user data is stored in volatile memory, so if the battery discharges the data will be lost.

Caution should be taken when handling phones that are suspected to have been modified (Jansen, et al., 2007), for example:
• Phones with Enhanced Security: Some phones are available with enhanced authentication or security mechanisms such as biometric or token-based authentication and visual logon.
• Malicious Programs: Viruses, malware or other malicious programs may be loaded onto the phone and may spread over wired or wireless networks. Such programs could also be activated conditionally, based on a specific action or key interrupt, to perform a malicious action such as wiping or disabling the device completely.
• Key Remapping: Some keys may be programmed to perform actions other than the default ones, which may pose a risk during the phone examination.

3.2.1.4 Packing, Transporting, and Storing the Evidence


When the phone is ready for examination, it should be packed into a secure static-proof bag, signed and dated by the investigator. If the phone is on, a portable power charger should be connected to the phone inside the bag to keep the power level full during transportation. During transportation, the device should be handled carefully in a protected environment.

The Netherlands Forensic Institute (NFI) published a simple workflow for the preservation stage of a mobile forensic examination (Netherlands Forensic Institute, 2006). Figure 6 illustrates this basic workflow for the preservation process.

Mobile Phone Forensic Examination - Preservation (workflow steps as shown in the figure; a "yes" answer leads to the action named after it, a "no" answer to the next step)
1.1. Make pictures of the phone and the location where it is located.
1.2. Is the phone a danger for the examiner? Yes: 1.3. Contact a specialist.
1.4. Is there a need for other forensic analysis methods (e.g. fingerprints, DNA)? Yes: 1.5. Contact a specialist.
1.6. Is there a need to protect the phone against electromagnetic fields (isolate the phone from networks)? Yes: 1.7. Contact a specialist.
1.8. Has the phone been found in a fluid? Yes: 1.9. Remove the battery, then 1.10. Is it an aggressive fluid (like blood, acid etc.)? Yes: 1.11. Store the phone (excluding battery) in a re-closable glass basket filled with the same fluid as in which it has been found.
1.12. Retrieve brand and type of the phone.
1.13. Is the phone switched on? Yes: 1.14. Take measures to not interrupt the power supply.
1.15. Seize the phone with all belonging accessories.
Back to basic workflow.
Version: 04-05-2006 13:25:23

Figure 6: Mobile Phone Forensic Examination – Preservation
Source (Netherlands Forensic Institute, 2006)

3.2.2 Acquisition
Acquisition is “the process of imaging or obtaining information from the digital device and its peripheral equipment and media” (Jansen, et al., 2007).
Once the phone has arrived at the laboratory, the acquisition process starts. Acquisition consists of the following procedures (Jansen, et al., 2007):

3.2.2.1 Phone Identification


The phone has to be identified by brand, model, and network service provider. Based on this information, the examiner can choose the appropriate tool for acquisition. The examiner can use information obtained from the battery cavity or the SIM card to identify the phone, i.e. the device IMEI and the SIM ICCID.

3.2.2.2 Connection Identification


A phone can be connected to the forensic station through a cable, infrared, or Bluetooth. The choice of connection type depends on the phone, the tool used and the acquisition conditions.

3.2.2.3 Tool Selection


The capabilities of the selected tool play an important part in the acquisition stage. Tool selection depends first of all on the device being acquired, but the following points should be considered by the examiner before selecting a forensic tool (Jansen, et al., 2007).
• Usability: the tool should present the data in a form useful to the investigator.
• Comprehensive: the tool should present all data to the examiner, so he can identify both inculpatory and exculpatory evidence.
• Accuracy: the tool should be accurate and present high quality output.
• Deterministic: the tool should present the same output when given the same input and instructions.
• Verifiable: the tool should make it possible to ensure the accuracy of the output.

3.2.2.4 Phone Acquisition


Usually phones are submitted to the laboratory with a request to recover specific items; in this case recovering all the data is not required, although it may help to avoid repeating the process if other data is later required (Jansen, et al., 2007). Logical acquisition of a mobile phone with the currently available forensic tools requires the phone to be powered on. Powering on the phone should be done in a radio-shielded area or with all the phone's wireless communications disabled. A number of techniques exist to isolate the radio, such as the use of a jamming device, a shielded work area, a shielded container, or a substitute SIM (Jansen, et al., 2007).

If the mobile phone is active, a combined acquisition of the phone and SIM card should be carried out before performing the forensic acquisition of the SIM and phone separately (Jansen, et al., 2007). The reason for this step is that, for direct acquisition of the SIM card, it has to be removed and inserted into another card reader. To remove the SIM card the battery usually has to be unplugged, which can result in loss of the volatile memory due to power disconnection. Other concerns may also exist, such as security codes, authentication, and losing the date and time if the power is lost (Jansen, et al., 2007).

Not all data viewable by manual navigation through the menus can be extracted through logical acquisition; sometimes draft and archived messages cannot be acquired by forensic tools. In this case manual navigation through the phone menus can be done while video recording the browsing process (Jansen, et al., 2007).

If the mobile phone is shut off and requires successful authentication to gain access to the phone contents (such as a PIN-enabled identity module, a phone with a missing identity module, a phone lock, a password-protected memory, or encrypted contents), the investigator can deal with this type of obstructed phone in any of the following ways (Jansen, et al., 2007):
• Investigative Method: this method does not require any hardware or software forensic tools. Investigators have to do more investigation to find the required information, for example: ask the suspect, review the collected materials in case the PIN or passwords are written down somewhere, carefully try commonly used input, or ask the service provider.
• Software Based Method: this method depends on using software to exploit a known weakness in the authentication mechanism of the specific phone.
• Hardware Based Method: this method involves both hardware and software tools to break the authentication mechanism and gain access to the phone contents through a hardware backdoor, examine the device memory independently, use automatic brute force, and monitor the device characteristics.

3.2.3 Examination & Analysis


Examination is the technical process accomplished by the forensics specialist; analysis
process may be done by investigator or the forensic examiner (Jansen, et al., 2007).

The examiner should study the case and be familiar with all parameters of the crime, the criminals, and the evidence that might be found. It is also highly recommended that the examiner conducts his examination in coordination with the analyst or the investigator, so that they can provide him with a good understanding of the evidence found and he can provide them with the information found on the system (Jansen, et al., 2007).

Examination may reveal potential evidence directly or uncover useful information such as passwords, network logons, and internet connectivity which can lead to other sources of evidence.

Mobile phone forensics investigations can be divided into two types (Jansen, et al., 2007):
• Where the incident occurred and the offender's identity is unknown (e.g. hacking incidents)
• Where the incident occurred and the offender's identity is known (e.g. child pornography incidents)
The investigator and analyst should prepare the incident background to accomplish these objectives (Jansen, et al., 2007):
• Gather information about the persons involved (WHO).
• Determine the nature of the evidence (WHAT).
• Determine the timeline of events (WHEN).
• Understand the information that explains the motivation of the crime (WHY).
• Find out the tools used to accomplish the crime (HOW).

3.2.4 Reporting
Reporting is the most important step: the forensic results need to be presented as a detailed summary of all the steps taken and the conclusion of the investigation. A good report should rely on documentation, photographs, notes, and acquired contents (Jansen, et al., 2007).

Reports may be generated by the forensic tools if they have a built-in reporting function, which allows the examiner to select the output format and the type of data to be included in the report. The final report should include the one generated by the tools, the process followed, a summary of actions taken during the investigation, and all supporting documents such as photographs, notes, and the signatures of the specialists responsible for the report contents.

Chapter 4: Mobile Forensics Tools

Various types of mobile forensic toolkits are available. These toolkits differ according to the
range of mobile phones over which they operate, based on the manufacturer platform,
product line, operating system, or hardware architecture. Mobile forensic tools should have
a short product release cycle, so manufacturers can update their tools to keep the coverage
up to date (Jansen, et al., 2007).

Forensic tools can acquire data from mobile phones in one of two ways (Jansen, et al.,
2007):
Physical Acquisition: Physical acquisition performs a bit-by-bit copy of the entire physical
storage e.g., the entire memory chip.
Logical Acquisition: performs a bit-by-bit copy of the logical storage objects e.g., files and
directories.

The advantage of physical acquisition over logical acquisition is that it allows examination of deleted files and any unallocated files or RAM. The acquired physical image is imported into the forensic tool for examination and reporting, but only a few tools are available for physical acquisition of mobile phones. Logical acquisition is much easier than physical acquisition since the system and data structures are easier for the tools to extract and examine, and most of the forensic tools available for mobile phones perform a logical data acquisition (Jansen, et al., 2007).

There is a wide range of information that can be acquired by forensic tools. It differs from one tool to another and depends on several factors, such as (Ayers, et al., 2007):
• The inherent capabilities of the phone implemented by the manufacturer.
• The modifications made to the phone by the service provider.
• The network services used by the user.
• The modifications made to the phone by the user.

The main function of a forensic tool is to acquire data from the phone's internal memory and the removable identity module (SIM card). Both forensic and non-forensic tools use the same protocol to communicate with the device, but non-forensic tools allow two-way communication with the device, which is not acceptable forensically; forensic tools are therefore designed to acquire data from the device without changing the phone contents and to calculate integrity hashes of the acquired data (Jansen, et al., 2007).

Mobile forensic tools are usually categorized based on their target into: tools targeting the SIM card exclusively, tools targeting the phone device exclusively, and tools targeting both SIM and device (Jansen, et al., 2007).

4.1 (U)SIM Forensic Tools
Exclusive (U)SIM forensic tools perform a direct reading of the SIM card using a (U)SIM reader. The type of data acquired varies from tool to tool, but most tools can acquire the following data (Jansen, et al., 2007):
• International Mobile Subscriber Identity (IMSI)
• Integrated Circuit Card ID (ICCID)
• Abbreviated Dialing Numbers (ADN)
• Last Numbers Dialed (LND)
• SMS Messages
• Location Information (LOCI)
None of the commercial forensic tools available is capable of extracting the real file system of the SIM card and discovering the hidden and nonstandard files stored in the (U)SIM card (Savoldi, et al., 2007).

SIMBrush is an open source tool, designed for Windows and Linux, developed for (U)SIM forensic analysis to extract the standard and nonstandard files from (U)SIM cards. It uses an imaging technique to produce a primary image of the (U)SIM card, which can be used during the investigation instead of the original (U)SIM card (Savoldi, et al., 2007). The following commands are the operations allowed by the SIM file system through which the interface device can interact with the SIM card during a communication session. SIMBrush issues these commands to the (U)SIM card and waits for the response (Savoldi, et al., 2007).
• SELECT: selects the file to use and makes the file header available to the interface device.
• GET RESPONSE: the interface device requests the SIM's response to any issued command using this command. There is no command to delete or create files on the file system, and there is no single command that can be used to browse the SIM file system, such as DIR in DOS.
• READ BINARY: used to read the body contents of transparent elementary files.
• READ RECORD: reads a single record of record-structured elementary files (linear and cyclic).
• VERIFY, CHANGE, ENABLE, DISABLE, UNBLOCK CHV: management of the CHV1 and CHV2 authentication codes.

Since no two elementary files can have the same file identifier, the SELECT command can be issued for all identifiers without restriction, from 0000 to FFFF, simply waiting for the response from the SIM: either a warning that the file is not present in the file system, or the header if the file is present. This means that it is possible to obtain the headers of all files in the file system using the SELECT command with a single scan of the ID space. However, the standard defines the concepts of Current File and Current Directory, which determine whether a file is selectable or not. The Current File is the last selected file. The Current Directory is the last selected DF, or the parent DF of the current file. The current directory determines whether a file is selectable based on the following rules (Forensics and SIM Cards: an Overview, 2006):

1- MF is always selectable (MF_SET).
2- The current directory is always selectable (CURRENT_SET).
3- The parent of the current directory is always selectable (PARENT_SET).
4- Any immediate child DF of the parent of the current directory is selectable (DF_BROTHERS_SET).
5- Any immediate child file of the current directory is selectable (SONS_SET).

Using these rules, it is possible to select any elementary file, for example the “6F3C” file for SMS, using two SELECT commands: the first to select the parent directory of this elementary file (DF 7F10) and the second to select the file itself.
From the above rules, the selectable files and directories are defined by the following relationship (Savoldi, et al., 2007):

SELECTABLE_SET = MF_SET ∪ CURRENT_SET ∪ PARENT_SET ∪ DF_BROTHERS_SET ∪ SONS_SET

Because of the one-to-one relation between the possible SELECTABLE_SET and the possible current directory, it is possible to reconstruct the entire file system of the SIM card and find its missing parts (the set of sons) (Savoldi, et al., 2007):

SONS_SET = SELECTABLE_SET \ (MF_SET ∪ CURRENT_SET ∪ PARENT_SET ∪ DF_BROTHERS_SET)

From this relationship it is possible to reconstruct the entire file system. Only the headers are extractable this way; the body, which is more important, can be extracted depending on the access control rights. SIMBrush can extract the bodies of files with access conditions Always and CHV1/CHV2, the latter after the correct access code has been provided. Figure 7 illustrates the flowchart of SIMBrush's procedure (Forensics and SIM Cards: an Overview, 2006).

Figure 7: Flowchart of SIMBrush Procedures
Source: (Forensics and SIM Cards: an Overview, 2006)
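The selection rules and the header-scan reconstruction described above, as an added Python simulation that is not part of this thesis and not SIMBrush code. The card model is a constructed tree (the file IDs are the standard ones for DF_TELECOM, DF_GSM, EF_SMS, EF_ADN, EF_IMSI and EF_ICCID, but the tree itself is an assumption); SELECT answers only for files in the SELECTABLE_SET of the current directory, and the reconstruction keeps as sons of a directory whatever answered the scan but is not already explained by rules 1 to 4.

```python
"""Added example: SIM SELECT rules and header-scan reconstruction, simulated in Python.
The card model below is constructed for illustration; it is not SIMBrush code."""
from collections import deque

MF = 0x3F00  # Master File, the root of every SIM file system

# Constructed SIM tree: file_id -> (kind, parent_id). Assumed layout, not a real card dump.
SAMPLE_TREE = {
    0x3F00: ("MF", None),
    0x7F10: ("DF", 0x3F00),   # DF_TELECOM
    0x7F20: ("DF", 0x3F00),   # DF_GSM
    0x2FE2: ("EF", 0x3F00),   # EF_ICCID
    0x6F3C: ("EF", 0x7F10),   # EF_SMS
    0x6F3A: ("EF", 0x7F10),   # EF_ADN (phonebook)
    0x6F07: ("EF", 0x7F20),   # EF_IMSI
}


class SimulatedSim:
    """Answers SELECT as the five rules describe: a file is found only if it lies in the
    SELECTABLE_SET for the current directory; otherwise the card reports 'not found'."""

    def __init__(self, tree):
        self.tree = tree
        self.current_dir = MF
        self.current_file = MF

    def selectable_set(self):
        cur = self.current_dir
        parent = self.tree[cur][1] or MF                       # PARENT_SET (MF is its own parent)
        brothers = {f for f, (k, p) in self.tree.items() if k == "DF" and p == parent}  # DF_BROTHERS_SET
        sons = {f for f, (_, p) in self.tree.items() if p == cur}                        # SONS_SET
        return {MF, cur, parent} | brothers | sons              # MF_SET | CURRENT_SET | PARENT_SET | ...

    def select(self, file_id):
        """Return the file header (here just its type) or None if not present or not selectable."""
        if file_id not in self.tree or file_id not in self.selectable_set():
            return None
        kind, parent = self.tree[file_id]
        self.current_dir = file_id if kind in ("MF", "DF") else parent
        self.current_file = file_id
        return {"id": file_id, "type": kind}


def select_path(sim, path):
    """Walk from the MF down to a directory, one SELECT per step."""
    for fid in path:
        if sim.select(fid) is None:
            raise RuntimeError(f"cannot select {fid:04X}")


def reconstruct(sim, id_space=range(0x0000, 0x10000)):
    """Rebuild the tree from outside the card: for every directory reached so far, scan the
    whole 16-bit ID space with SELECT, then keep as 'sons' whatever answered but is not
    already explained by rules 1-4 (MF, current directory, its parent, brother DFs)."""
    found = {MF: ("MF", None)}
    headers = {}
    queue = deque([(MF, [MF])])          # (directory to scan, path from MF to it)
    while queue:
        directory, path = queue.popleft()
        select_path(sim, path)
        answered = set()
        for fid in id_space:
            header = sim.select(fid)
            if header is not None:
                answered.add(fid)
                headers[fid] = header["type"]
                select_path(sim, path)   # a hit moved the current file/dir: restore the scan context
        parent = found[directory][1] or MF
        brothers = {f for f, (k, p) in found.items() if k == "DF" and p == parent}
        sons = answered - ({MF, directory, parent} | brothers)
        for fid in sorted(sons):
            found[fid] = (headers[fid], directory)
            if headers[fid] == "DF":
                queue.append((fid, path + [fid]))
    return found


def demo():
    """Reconstruct the constructed card; returns the recovered tree."""
    return reconstruct(SimulatedSim(SAMPLE_TREE))


if __name__ == "__main__":
    for fid, (kind, parent) in sorted(demo().items()):
        print(f"{fid:04X} {kind} parent={'-' if parent is None else f'{parent:04X}'}")
```

Because directories are scanned breadth-first, a directory's brothers are always known before it is scanned, and each hit re-selects the scan directory so that the current-directory context does not drift during the 65536-entry scan.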

4.2 Handsets Forensic Tools


There are many ways to acquire data from the phone's internal memory. The most common is to use a software tool that communicates with the phone operating system to acquire the data (Willassen, 2003).

Ideally the phone memory should be analysed directly, but this is not an easy task, since imaging the phone contents is more complex. Willassen (2003) suggested two methods for imaging the phone memory contents:
 Remove the memory chip and read its contents directly.
 Hook onto the phone's motherboard to access the memory chip.
Both methods bypass the phone operating system and any security mechanism that controls access to the phone contents.

4.2.1 Phone Manager Software


The phone manager software designed by manufacturers to let users synchronize their phone data with a desktop can also be used to extract data from phone devices. However, such tools have some problems from a forensic perspective (Forensics and the GSM mobile telephone system, 2003):
 Deleted items cannot be recovered or extracted.
 They have read/write access to the phone memory, which can change the memory contents.

Phone managers use the same protocols as the forensic tools to extract data from the phone, but forensic tools use only the forensically safe commands of these protocols to communicate with the phone. Phone managers can be used in the same way by placing a filter between the mobile device and the application that blocks unsafe commands from being propagated to the phone.
Figure 8 shows a general overview of the possible locations for such a filter (Jansen, et al., 2008): between the program interface and the library files, between the library files and the communications stack, within the communication stack, or between the communication stack and the phone device.

Figure 8: Phone Managers Filter Placement
Source: (Jansen, et al., 2008)

Nokia PC Suite is a good example of phone management software with protocol filtering; it can copy the phone book, images and videos from the phone to the computer, and view the SMS messages on the phone. Nokia PC Suite uses the FBUS protocol to access phone information such as the phonebook, call logs, messages and calendar. OBEX is another protocol, carried over FBUS, used to extract media files and ringing tones and to download the installed applications (Jansen, et al., 2008). FBUS is an acknowledged protocol: the management application sends a request command to the phone and asks for an answer, and the phone uses the command identifier to respond to the management application after reversing the source and destination addresses. Every request and response is followed by an acknowledgement frame confirming receipt of the command sent (Jansen, et al., 2008). Figure 9 shows that the filter must also send a receipt acknowledgement for every blocked command as its response; otherwise the phone manager application keeps resending the disallowed frame to the phone and waiting for the acknowledgement (Jansen, et al., 2008).

Figure 9: FBUS Protocol Communications


Source: (Jansen, et al., 2008)
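The filter behaviour described above, as an added Python model that is not part of this thesis and not the filter built by Jansen et al. The frame layout, link addresses and command identifiers are constructed for the illustration and are not the real FBUS encoding; what the model reproduces is the protocol behaviour the text describes: the phone answers with source and destination reversed and acknowledges every request, the manager resends until it sees an acknowledgement, and the filter must therefore acknowledge the commands it blocks.

```python
"""Added example: a write-blocking filter in the phone-manager to phone path. Frame layout,
addresses and command ids are constructed for this illustration (not real FBUS)."""
from dataclasses import dataclass

PC_ADDR, PHONE_ADDR = 0x0C, 0x00          # constructed link addresses
CMD_READ_PHONEBOOK = 0x03                  # constructed command ids
CMD_WRITE_PHONEBOOK = 0x04
CMD_DELETE_SMS = 0x14
FORENSICALLY_SAFE = {CMD_READ_PHONEBOOK}   # read-only commands the filter lets through


@dataclass(frozen=True)
class Frame:
    src: int
    dst: int
    cmd: int
    payload: bytes = b""
    ack: bool = False                      # True for acknowledgement frames

    def reply(self, payload=b"", ack=False):
        """Build a response with source and destination reversed, as the phone does."""
        return Frame(src=self.dst, dst=self.src, cmd=self.cmd, payload=payload, ack=ack)


class SimPhone:
    """Constructed handset: every request gets an acknowledgement plus a response."""

    def __init__(self):
        self.phonebook = ["Alice;+441234567890", "Bob;+447700900123"]  # constructed data
        self.sms = ["meet at 5"]

    def handle(self, frame):
        if frame.cmd == CMD_READ_PHONEBOOK:
            data = "\n".join(self.phonebook).encode()
        elif frame.cmd == CMD_WRITE_PHONEBOOK:
            self.phonebook.append(frame.payload.decode())
            data = b"OK"
        elif frame.cmd == CMD_DELETE_SMS:
            self.sms.clear()
            data = b"OK"
        else:
            data = b"ERR"
        return [frame.reply(ack=True), frame.reply(payload=data)]


class WriteBlockingFilter:
    """Sits between manager and phone. Blocked commands never reach the phone; with
    synthesize_ack=True the filter acknowledges them itself so the manager stops retrying."""

    def __init__(self, phone, allowed, synthesize_ack=True):
        self.phone, self.allowed, self.synthesize_ack = phone, allowed, synthesize_ack
        self.blocked_log = []              # record of what the manager tried to send

    def send(self, frame):
        if frame.cmd in self.allowed:
            return self.phone.handle(frame)
        self.blocked_log.append(frame)
        return [frame.reply(ack=True)] if self.synthesize_ack else []


class PhoneManager:
    """Resends a frame until an acknowledgement arrives, up to max_retries times."""

    def __init__(self, link, max_retries=3):
        self.link, self.max_retries = link, max_retries

    def request(self, cmd, payload=b""):
        frame = Frame(PC_ADDR, PHONE_ADDR, cmd, payload)
        for retries in range(self.max_retries + 1):
            replies = self.link.send(frame)
            if any(r.ack for r in replies):
                responses = [r.payload for r in replies if not r.ack]
                return {"retries": retries, "acked": True, "responses": responses}
        return {"retries": self.max_retries, "acked": False, "responses": []}


def run_scenario(synthesize_ack):
    """Drive a manager through a read, a write and a delete; report what reached the phone."""
    phone = SimPhone()
    link = WriteBlockingFilter(phone, FORENSICALLY_SAFE, synthesize_ack)
    manager = PhoneManager(link)
    read = manager.request(CMD_READ_PHONEBOOK)
    write = manager.request(CMD_WRITE_PHONEBOOK, b"Carol;+440000000000")
    delete = manager.request(CMD_DELETE_SMS)
    return {
        "read": read, "write": write, "delete": delete,
        "phonebook_len": len(phone.phonebook), "sms_len": len(phone.sms),
        "blocked": [f.cmd for f in link.blocked_log],
    }


if __name__ == "__main__":
    print(run_scenario(True))
    print(run_scenario(False))
```

With synthesized acknowledgements the write and delete never reach the handset and the manager moves on after one attempt; without them the manager exhausts its retries on each blocked command, which is the behaviour Figure 9 warns about. The filter's log of blocked frames is itself worth keeping in the examination notes.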

4.2.2 AT Commands
AT commands are also known as Hayes commands; they were designed by Hayes Microsystems in 1980 for controlling modems from computers. AT commands can be used to extract information from the phone's internal memory through the phone operating system. Deleted information or files cannot be recovered with AT commands, because they can only extract information recognized by the operating system (Willassen).
AT commands can be used to extract the following information from mobile phones:
 Phone Brand, Manufacturer, and software version.
 Phone IMEI Number
 SIM Card IMSI
 Phone Book
 Call Logs
 SMS messages
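An added example of how the items in that list come back over an AT session and how an examiner can parse them; this is not code from the thesis or from any tool it discusses. The command names are the standard 3GPP ones (AT+CGMI, AT+CGMM, AT+CGMR, AT+CGSN, AT+CIMI and AT+CPBR from TS 27.007, AT+CMGL from TS 27.005); the phone's answers are a constructed transcript, not captured from a real handset, and the IMEI and IMSI values are made up. As the text notes, only what the operating system reports is visible here, so nothing deleted appears.

```python
"""Added example: parsing the answers of an AT-command session. Command names are the
standard 3GPP ones; the transcript below is constructed, not captured from a phone."""
import re

# Constructed session transcript: each command echoed, then its answer, then OK
SESSION = """\
AT+CGMI
Nokia
OK
AT+CGMM
6310i
OK
AT+CGMR
V 5.50
OK
AT+CGSN
123456789012345
OK
AT+CIMI
234150000000001
OK
AT+CPBR=1,3
+CPBR: 1,"+441234567890",145,"Alice"
+CPBR: 3,"07700900123",129,"Bob"
OK
AT+CMGL="ALL"
+CMGL: 1,"REC READ","+441234567890",,"10/08/02,09:15:00+04"
meet at 5
+CMGL: 2,"STO SENT","+441234567890",,"10/08/02,09:20:30+04"
ok
OK
"""

# Which information item each single-line command answers (the list in the text)
ITEM_FOR = {"AT+CGMI": "manufacturer", "AT+CGMM": "model", "AT+CGMR": "software_version",
            "AT+CGSN": "imei", "AT+CIMI": "imsi"}

CPBR_RE = re.compile(r'^\+CPBR: (\d+),"([^"]*)",(\d+),"([^"]*)"$')
# +CMGL: index,"status","address",[alpha],"timestamp"  (alpha field often empty)
CMGL_RE = re.compile(r'^\+CMGL: (\d+),"([^"]*)","([^"]*)",(?:"[^"]*")?,"([^"]*)"$')


def split_commands(transcript):
    """Group the transcript into (command, response lines, final status) blocks."""
    blocks, cmd, lines = [], None, []
    for line in transcript.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.upper().startswith("AT"):
            cmd, lines = line, []
        elif line in ("OK", "ERROR"):
            blocks.append((cmd, lines, line))
            cmd, lines = None, []
        else:
            lines.append(line)
    return blocks


def parse_session(transcript):
    """Turn the raw session into a dict of the items an examiner records."""
    info = {"phonebook": [], "sms": []}
    for cmd, lines, status in split_commands(transcript):
        if status != "OK":
            info.setdefault("errors", []).append(cmd)
            continue
        base = cmd.split("=")[0]
        if base in ITEM_FOR:
            info[ITEM_FOR[base]] = lines[0] if lines else ""
        elif base == "AT+CPBR":
            for line in lines:
                m = CPBR_RE.match(line)
                if m:
                    info["phonebook"].append({"index": int(m[1]), "number": m[2],
                                              "type": int(m[3]), "name": m[4]})
        elif base == "AT+CMGL":
            it = iter(lines)             # header line followed by the message text line
            for header in it:
                m = CMGL_RE.match(header)
                if m:
                    info["sms"].append({"index": int(m[1]), "status": m[2], "address": m[3],
                                        "timestamp": m[4], "text": next(it, "")})
    return info


if __name__ == "__main__":
    for key, value in parse_session(SESSION).items():
        print(key, value)
```

A real session would be driven over the phone's serial or USB modem port with the same commands; the parser is independent of how the lines were obtained, which is what makes it easy to test against a saved transcript.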

4.2.3 JTAG Interface


The Joint Test Action Group (JTAG) interface is standardized as IEEE 1149.1. JTAG is designed for use in processors, memory and circuit boards. It can be used to access the processor or memory chip directly, without depending on the operating system. For JTAG to work, however, the processor and memory instructions need to be known, and they are usually not public; in addition, JTAG cables are available only to the phone manufacturers. There are nevertheless some tools that make use of JTAG, called “flashers” (Wolleschensky, 2007). Figure 10 shows the JTAG interface of a Nokia 3110.

Figure 10: JTAG Interface in Nokia 3310 Phone
Source: google images
4.2.4 Flasher Boxes
Flasher boxes or flashers are service devices used by service providers or mobile phone shops to recover data from defective phones (Al-Zarouni, 2007). Flashers can be used to update or replace the mobile phone operating system, remove the service provider settings and remove service provider locks. They can also be used illegally to change the IMEI number of the mobile device.

Flashers allow the user to access the phone's internal memory without installing any software on the phone, which makes them an attractive forensic tool. But because flashers are usually undocumented, there is no guarantee that they provide consistent results or even good preservation (Al-Zarouni, 2007). These devices are also neither approved by the mobile manufacturers nor validated for forensic investigation, so investigators should be very careful about using them in mobile forensic examinations (Al-Zarouni, 2007).

Flashers perform read/write operations on the phone's internal memory and do not provide a write-blocking mechanism, so they can change the phone contents or overwrite the evidence.

Chapter 5: Mobile Forensic Challenges

5.1 Procedural Challenges


A mobile forensics examination faces many problems and challenges, which are encountered during the investigation procedures.

5.1.1 Crime Scene Challenges


The first challenge occurs at the crime scene once the mobile phone is found. If the phone is switched off, investigators need not worry about it at this stage (Wolleschensky, 2007). However, if the phone is switched on the investigators face some challenges, and switching the phone off raises a number of concerns. If the phone is locked by a security or PIN code, the investigator has extra work to do to find the security code, unlock the phone and access the information stored on it.

Switching off the phone may lead to the loss of data stored in the Random Access Memory (RAM). Moreover, in some phones switching off the device causes the loss of some data stored on the SIM card, such as the call history (Wolleschensky, 2007).

On the other hand, if the phone is left on there is a chance for the criminal to tamper with the evidence. Some phones can execute a remote wipe command, e.g. the RIM BlackBerry; this feature allows phone owners to securely wipe the data stored on their phones if the phone is stolen. Criminals can use this function to wipe the data on the suspect phone and destroy the evidence. Third-party tools such as LockMe and OmiProtect enable remote locking of the phone on receipt of a specially formatted SMS. In some phones evidence can be overwritten by other data, for example phones that store only a fixed amount of data such as SMS or call history. Criminals could exploit this limitation by sending meaningless SMSs or calls from random phone numbers to overwrite the stored data and destroy the evidence (Wolleschensky, 2007).

Another option is to keep the phone switched on but disconnected from the network. This can be done either by navigating the phone menu and disabling all network connections or by activating flight mode, which requires the investigator to stay up to date with all new phone models, and this is not an easy task (Jansen, et al., 2007). A further option is to use Faraday bags to isolate the phone from the network. In this case the phone keeps searching for the network, which increases energy consumption and reduces the battery life.

The second challenge that may come up at this stage is the phone being in a compromised condition, such as having been immersed in a liquid. In such a case the battery should be removed from the phone to protect it from electrical shorting. The phone itself should be stored in a container filled with the same liquid and transferred to the examination lab. Some liquids, such as contaminated blood or explosive liquids, can be dangerous for the investigator to handle and require specialist consultation (Jansen, et al., 2007).

5.1.2 Acquisition Challenges


Investigators face many challenges during the acquisition stage; the first is to identify the phone before the examination starts. Given the countless models of mobile phones available, phone identification is a difficult task. There are many ways to identify the phone: by recognizing the manufacturer's logo, by knowing the wireless provider, or by using websites that list phone models with pictures, e.g. www.gsmarena.com. Device alteration is another challenge that forensic investigators may face. Alteration of mobile devices can range from logo replacement to replacement of the operating system (Jansen, et al., 2007), which makes phone identification even more complicated.

Maintaining the phone's connectivity and power is another challenge during the acquisition stage. As mentioned before, if the mobile phone was on it should be kept charged during the investigation process. Different phone models from different manufacturers require different power chargers, so the investigator should have most of the cables ready at the crime scene and during the acquisition process (Wolleschensky, 2007).

Connecting the phone to a PC for forensic investigation is a bigger problem, since there is no standard interface, especially for older phones. This requires the investigator to keep a large collection of cables (Wolleschensky, 2007). Some forensic software vendors provide cable kits for the most common phones, but for a rare phone the investigator has to buy the cable individually if it is not included.

The next challenge is the selection of the forensic tool. Many forensic tools are available, both software and hardware. Every tool has advantages and disadvantages depending on the phones and operating systems it supports. The investigator has to be very careful before testing any tool on the phone in order not to destroy the evidence, and can draw on previous experience to find the proper tool for a specific phone. It is always recommended that the investigator tests the tool on a similar phone before applying it to the target device. It is also recommended not to rely on a single tool, so that the investigator can prove to the court that the same results were obtained using different tools (Wolleschensky, 2007).

5.2 Integrity Challenges


Most currently available forensic tools maintain the integrity of the acquired data using either the MD5 or the SHA1 hash function; however, the operating system of the mobile phone is still an issue for data integrity, because it makes the data acquisition process more difficult. Even though most current forensic tools claim to maintain evidence integrity, these claims are not accurate, since the tools depend on the manufacturer's proprietary operating system to access the phone data.

Mobile phones have two processes that can directly affect the integrity of the forensic results. The first is the internal clock, which continuously changes data in memory (Wolleschensky, 2007). The second is called “wear levelling”, the process that maximizes the lifetime of the memory cards in mobile phones. Since memory cards can be erased and written only a certain number of times, this process makes sure that all parts of the memory are used evenly and keeps the lifetime of the memory as long as possible (Wolleschensky, 2007). Investigators should be able to prove the repeatability of their results to the court, and the usual way to do so is a checksum. But both the internal clock and wear levelling make such a checksum meaningless. Since investigators cannot use the checksum to prove repeatability, all steps of the forensic examination should be documented so that the opposing party can verify the results.

During the acquisition process the phone memory and operating system have to remain active, which makes it impossible to avoid changes to the internal memory. Even very minor changes may affect the evidence integrity; for example, the status of an SMS message can be changed from read to unread.
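An added illustration of the integrity problem just described and of the documentation approach the text recommends; it is not part of the thesis and not output from any tool discussed here. The two "acquisitions" are constructed byte strings standing in for files read from a handset that stayed powered between two runs, where the clock moved on and one SMS changed status. A single checksum over the whole image fails, as the text says; a per-file manifest lets the examiner state exactly which files differ and why, which is what the opposing party can then check.

```python
"""Added example: whole-image checksum versus a per-file manifest for a live phone.
The two 'acquisitions' are constructed stand-ins for files read from the handset."""
import hashlib

# Constructed first acquisition: path -> file contents (toy contents, not real databases)
ACQUISITION_1 = {
    "Library/AddressBook/AddressBook.sqlitedb": b"contacts: Alice, Bob",
    "Library/SMS/sms.db": b"msg1 status=unread; msg2 status=read",
    "private/var/clock": b"2010-08-02T09:15:00",
    "Library/CallHistory/call_history.db": b"43 calls",
}
# Constructed second acquisition minutes later: the clock moved on and one message
# changed status while the handset stayed powered; nothing else changed
ACQUISITION_2 = dict(ACQUISITION_1)
ACQUISITION_2["private/var/clock"] = b"2010-08-02T09:21:00"
ACQUISITION_2["Library/SMS/sms.db"] = b"msg1 status=read; msg2 status=read"


def sha1_hex(data):
    return hashlib.sha1(data).hexdigest()


def image_hash(acquisition):
    """One hash over the whole image, the way a tool checksums a dump."""
    h = hashlib.sha1()
    for path in sorted(acquisition):
        h.update(path.encode())
        h.update(b"\0")
        h.update(acquisition[path])
        h.update(b"\0")
    return h.hexdigest()


def manifest(acquisition):
    """Per-file hashes: the unit at which a difference can be explained and documented."""
    return {path: sha1_hex(data) for path, data in acquisition.items()}


def compare_manifests(m1, m2):
    """Classify every path of the two manifests."""
    both = set(m1) & set(m2)
    return {
        "unchanged": sorted(p for p in both if m1[p] == m2[p]),
        "changed": sorted(p for p in both if m1[p] != m2[p]),
        "only_in_first": sorted(set(m1) - set(m2)),
        "only_in_second": sorted(set(m2) - set(m1)),
    }


def repeatability_report(a1, a2):
    """What an examiner records: did the image hash repeat, and if not, which files moved."""
    diff = compare_manifests(manifest(a1), manifest(a2))
    return {"image_hashes_match": image_hash(a1) == image_hash(a2), **diff}


if __name__ == "__main__":
    for key, value in repeatability_report(ACQUISITION_1, ACQUISITION_2).items():
        print(f"{key}: {value}")
```

The whole-image hashes differ because two files changed, but the manifest shows that the address book and call history hashes repeat exactly; the examiner's notes can then attribute the two differences to the clock and to the message status change rather than to any action of the tool.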

5.3 Anti-Forensics
Anti-forensics is an immature field of digital forensics, especially with regard to mobile phones. Anti-forensics can be defined as “any attempts to compromise the availability or usefulness of evidence in the forensic process” (Android anti-forensics through a local paradigm, 2010). Evidence availability can be compromised by preventing its creation, manipulating it, or hiding it, while the usefulness of the evidence can be compromised by tampering with its integrity or deleting the evidence itself (Android anti-forensics through a local paradigm, 2010).

Direct access to the mobile phone's internal memory is one of the main problems in the mobile forensics field. Even though removable memory can be removed and analysed directly, the internal memory cannot. This makes the phone's internal memory an ideal candidate for anti-forensic techniques.

5.3.1 Anti-Forensics Categories


There are four categories of anti-forensics (Android anti-forensics through a local paradigm, 2010):
 Destroying the evidence: many tools exist for destroying evidence in order to make it unusable during a forensic investigation. These tools usually produce evidence of their own use, which makes the forensic process more complicated.
 Hiding the evidence: used to hide the evidence from the forensic investigator rather than from the forensic tools, by decreasing the visibility of the evidence or sometimes making it completely invisible. The efficacy of this technique depends strongly on the limitations of the forensic investigators and/or the forensic tool. As with the previous category, the presence of these tools generates new evidence.
 Eliminating the source of evidence: this technique prevents the creation of evidence rather than hiding or destroying it.
 Counterfeiting the evidence: in order to mislead the forensic investigator, this technique creates fake evidence that produces wrong information.

Chapter 6: iPhone Forensics

6.1 Introduction
The iPhone was introduced in January 2007 by Apple (Hoog, et al., 2009) as a multimedia and internet-enabled smart phone with a large memory capacity. Because of the powerful design of the iPhone, the advanced technology used and the large number of applications available, the iPhone became very widely used. People usually use the iPhone as a primary device for communication and for storing different forms of data; however, permanently deleting data from the iPhone is extremely difficult (Zdziarski, 2008).
The iPhone has a very active hacking community putting a lot of effort into unlocking the device and into developing and installing third-party software by jailbreaking the phone or changing the phone filesystem.

6.2 iPhone Overview


The iPhone contains many hardware modules; only a few of them are Apple's own proprietary parts, while the others are manufactured by other companies such as Samsung, Toshiba, Infineon, Marvell, Intel, Skyworks and Philips (Zdziarski, 2008). Figure 11 shows the main hardware components of the iPhone 3GS.

Figure 11: Internal Hardware Components, iPhone 3GS


Source: http://maltiel-consulting.com/iPhone_3G_S_Components_maltiel_semiconductor-Update.html

Table 2 shows the internal hardware components of the iPhone as published by Andrew Hoog in his guide “iPhone Forensics” (Hoog, et al., 2009).

| Function | Manufacturer | Model/Part Number |
|---|---|---|
| Application Processor (CPU) | Samsung | S5L8900B01 – 412 MHz ARM1176Z(F)-S RISC, 128 Mbytes of stacked, package-on-package, DDR SDRAM |
| 3D graphic acceleration | Imagination Technologies | PowerVR MBX Lite |
| UMTS power amplifier (PA), duplexer and transmit filter module with output power detector | TriQuint | TQM676031 – Band 1 – HSUPA; TQM666032 – Band 2 – HSUPA; TQM616035 – Band 5/6 – WCDMA/HSUPA PA-duplexer |
| UMTS transceiver | Infineon | PMB 6272 GSM/EDGE and WCDMA PMB 5701 |
| Baseband processor | Infineon | X-Gold 608 (PMB 8878) |
| Baseband's support memory | Numonyx | PF38F3050M0Y0CE – 16 Mbytes of NOR flash and 8 Mbytes of pseudo-SRAM |
| GSM/EDGE quad-band amp | Skyworks | SKY77340 (824- to 915-MHz) |
| GPS, Wi-Fi, and BT antenna | NXP | OM3805, a variant of PCF50635/33 |
| Communications power management | Infineon | SMARTi Power 3i (SMP3i) |
| System-level power management | NXP | PCF50633 |
| Battery charger/USB controller | Linear Technology | LTC4088-2 |
| GPS | Infineon | PMB2525 Hammerhead II |
| NAND flash | Toshiba | TH58G6D1DTG80 (8 GB NAND Flash) |
| Serial flash chip | SST | SST25VF080B (1 MB) |
| Accelerometer | ST Microelectronics | LIS331 DL |
| Wi-Fi | Marvell | 88W8686 |
| Bluetooth | CSR | BlueCore6-ROM |
| Audio codec | Wolfson | WM6180C |
| Touch screen controller | Broadcom | BCM5974 |
| Link display interface | National Semiconductor | LM2512AA Mobile Pixel Link |
| Touch screen Line Driver | Texas Instruments | CD3239 |

Table 2: iPhone Hardware Components (Hoog, et al., 2009)
6.2.1 Processor
The iPhone processor is based on the ARM11 core. The CPU is a 667 MHz processor, under-clocked to 412 MHz to save battery power (Shimpi, 2009).

6.2.2 Flash Drive


The iPhone comes with internal storage in the form of a solid-state flash drive. The newer models (iPhone 3GS / 4G) come with a storage capacity of either 16 GB or 32 GB.
The flash drive is configured with two disk partitions. The first partition (300 MB) is the root or system partition, where the operating system and all preloaded applications are stored. This is a read-only partition and can be accessed only by iTunes for software upgrades, without affecting user data. The second partition is the media partition; it uses the remaining disk space, is mounted as /private/var, and holds all user data. The media partition is formatted in HFS format (Zdziarski, 2008).

6.2.3 Operating System
The iPhone runs a mobile build of Mac OS X (Leopard 10.5), which is very similar to the desktop version of Mac OS X except for some differences in the kernel. The iPhone uses a securely signed kernel to prevent tampering with the phone operating system (Zdziarski, 2008). Applications installed on the iPhone run in a sandboxed environment, so one application cannot access the data stored by another application.
Figure 12 illustrates the iPhone operating system design (mobileforensics.wordpress.com, 2008).

Figure 12: iPhone Operating System Design


Source: (mobileforensics.wordpress.com, 2008)

6.2.4 iPhone Jailbreaking


The iPhone communicates with computers using the Apple File Communication Protocol (AFC). This is a serial-port protocol that uses the USB cable to connect the iPhone to the desktop. iTunes is the interface application used to manage the iPhone from the desktop: synchronizing data, installing applications and upgrading the operating system.
AFC and iTunes have “jailed”, or limited, access to a certain area of the phone memory: they can only reach specific files on the iPhone (the /private/var/mobile/Media folder) through a jailed environment (Zdziarski, 2008). The idea of jailed access to the filesystem is borrowed from the UNIX operating system, and means that access to certain areas of memory or of the filesystem is restricted to root or administrative purposes only (mobileforensics.wordpress.com, 2008).
Jailbreaking means breaking out of this jailed environment to allow AFC to read and write files on the entire device memory. For example, JailbreakMe is the jailbreaking tool developed by the iPhone developer team and used to break iPhone iOS versions 4.0 and 4.0.1; this tool uses a PDF rendering bug in the Safari browser to gain access to the iOS 4 filesystem.

During jailbreaking, AFC is used to load a small area of RAM that acts as a disk drive (a RAM disk) into the iPhone memory. This RAM disk contains the jailbreaking payload; when the phone boots the payload is copied to the filesystem, and once the phone reboots the payload is executed (mobileforensics.wordpress.com, 2008).

6.2.5 Data Stored


Only limited personal data can be accessed through the iPhone user interface; a lot of hidden and deleted data is present on the media partition of the iPhone disk and can be recovered only by physical forensic tools from the raw disk image.
This data includes (Zdziarski, 2008):
 Keyboard cache: including usernames, passwords, typed mails, etc.
 Screenshots: a screenshot is taken every time the home button is pressed or an application is exited.
 Images.
 Address Book.
 Call history.
 Maps.
 Browser Cache.
 Emails, SMS, instant messages.
 Voice Mails.
 Desktop Pairing information.
 Weather.
 Calendar.
 Notes.

6.3 iPhone Forensic Methodologies

6.3.1 Direct Acquisition


This method depends on acquiring the data from the computer with which the iPhone was synced (Hoog, et al., 2009).

6.3.2 Backup or Logical Copy


This method depends on acquiring a logical copy of the iPhone file system using the AFC protocol, and then using a forensic tool to read the acquired image. It can only acquire the files synchronized by the protocol. Much of the information, such as the phonebook, SMS and emails, is stored in SQLite databases, which can be queried directly after acquisition (Hoog, et al., 2009).
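An added example of querying an acquired SQLite database in a way that can be shown not to have altered it; this is not code from the thesis or from Hoog's paper. The database built here is a constructed stand-in with a simplified message table (it is not Apple's sms.db schema), and the rows and phone numbers are made up. The point it adds to the text is the soundness check: hash the file, open it through a read-only URI so SQLite refuses writes, query, and hash again.

```python
"""Added example: querying an acquired SQLite database without altering it. The database
built here is a constructed stand-in with a simplified schema, not Apple's sms.db."""
import hashlib
import os
import sqlite3
import tempfile
from datetime import datetime, timezone


def sha1_of_file(path):
    """Hash the acquired file so the before/after values can go in the examiner's notes."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_sample_db(path):
    """Create the constructed database (stands in for a file copied out of the logical copy)."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE message (ROWID INTEGER PRIMARY KEY, address TEXT, "
                "date INTEGER, text TEXT, flags INTEGER)")
    con.executemany("INSERT INTO message VALUES (?, ?, ?, ?, ?)", [
        (1, "+441234567890", 1280000000, "meet at 5", 2),   # constructed rows, Unix timestamps
        (2, "+441234567890", 1280003600, "ok", 3),
        (3, "+447700900123", 1280010000, "call me", 2),
    ])
    con.commit()
    con.close()


def read_only_connection(path):
    """Open through a URI with mode=ro: SQLite then refuses any write on this connection."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def list_messages(path):
    """Query the acquired database and render timestamps as UTC strings."""
    con = read_only_connection(path)
    try:
        rows = con.execute("SELECT ROWID, address, date, text FROM message ORDER BY date").fetchall()
    finally:
        con.close()
    return [(rowid, address,
             datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"), text)
            for rowid, address, ts, text in rows]


def write_is_refused(path):
    """Negative check worth recording: a write attempt must fail, not silently succeed."""
    con = read_only_connection(path)
    try:
        con.execute("DELETE FROM message")
        con.commit()
        return False
    except sqlite3.OperationalError:
        return True
    finally:
        con.close()


def examine(path):
    """Hash, query, attempt a write, hash again; everything returned belongs in the report."""
    before = sha1_of_file(path)
    result = {"messages": list_messages(path), "write_refused": write_is_refused(path)}
    result["sha1_before"] = before
    result["hash_unchanged"] = sha1_of_file(path) == before
    return result


def demo():
    """Build the constructed database in a temporary directory and examine it."""
    path = os.path.join(tempfile.mkdtemp(), "sms.db")
    build_sample_db(path)
    return examine(path)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The same pattern applies to the phonebook and email databases the text mentions; only the table and column names change. Working on a copy of the acquired file, never on the original, is still the rule; the read-only connection is a second line of defence, not a replacement for it.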

6.3.3 Physical bit-by-bit Copy


This method applies the computer forensics concept of creating a bit-by-bit image of the phone filesystem. It is a complicated method and requires some modification of the system partition (Hoog, et al., 2009).

6.4 Testing Condition
For the forensic analysis in this chapter I am using an iPhone 3GS 32 GB with firmware iOS 4.0.1. The iPhone is jailbroken using “JailbreakMe” [1] and has been in use for one month, including emails, phone calls, SMS, internet surfing, taking photos and the installation of many applications. This iPhone is synced with iTunes version 9.2.1.4. I used a laptop with Windows 7 Enterprise Edition during this testing.

As a case study for mobile forensics, I am going to simulate the data acquisition process from the above-mentioned iPhone 3GS using two different methodologies. I am using a trial version of the forensic tool, which has some limitations either in reporting or in the quantity of the extracted information.
For analysis and reporting I use the same approach as Andrew Hoog in his paper “iPhone Forensics” (Hoog, et al., 2009), by comparing the acquired data with the data expected to be on the phone.

Hoog used a ranking mechanism to determine the accuracy of the tool by assigning a number to every item of the expected data, as shown in Table 3.
Hoog's ranking goes from 0 to 5, as follows:
(0) – The tool failed to recover the data
(1, 2) – The recovered data is less than the expected data
(3) – The recovered data meets the expectation
(4, 5) – The recovered data exceeds the expected data

Expected Data

| Data | Description |
|---|---|
| Call Logs | 43 calls |
| Phonebook | 385 PC Contacts + 584 Exchange Contacts |
| Favorites Contacts | 7 Contacts |
| SMS | 18 messages, 3 deleted |
| Emails | Hundreds of emails in 3 accounts |
| Calendar | 92 events |
| Images | 5 + 2 deleted |
| Melodies | 24 Ringtones |
| Web history | Yes |
| Videos | No |
| Wireless networks | 2 stored wireless networks |
| Applications | 30 |
| Notes | 0 |
| Passwords | Yes |
| Phone Information | Yes |
| Other Files | Yes |

Table 3: Expected Data

[1] www.jailbreakme.com, http://jailbreakme.com/faq.html
6.5 Oxygen Forensic Suite 2010

6.5.1 Tool Overview


“Oxygen Software Company was founded in 2000. It's a Russian technology company developing PC software for cell phones and smart phones. Oxygen Forensic Suite 2010 is a forensic tool for data extraction from more than 1650 devices. The new release of the Oxygen tool includes a password-protected backup reader feature”.
“As per the software information published on the official website, the software operates with original and jailbroken devices and extracts the following data” (source: the product website http://www.oxygen-forensic.com):

General user activity data
o Phonebook with assigned photos
o Calendar events and notes
o Calls log (dialed, received and missed calls)
o Messages (SMS, e-mails)
o Camera snapshots, video and music
o Voice mail
o E-mail accounts settings
Geo-positioning data
o Latest Google Maps browsed location images
o Google Maps history and routes
o Geo-coordinates of the latest visited location
o Latest GPS position (for iPhone 3G, iPhone 3GS)
Web browsing (via Safari) data
o Bookmarks
o Cookies
o History
o Latest visited page
o Search history
IM and social networks
o ICQ history and settings
o Skype history and settings
o MySpace settings
o Facebook settings and contact list
o YouTube bookmarks and history
Other device data
o Global device settings, including Apple Store Id.
o IMSI/ICCID values.
o Preinstalled and custom applications list and settings
o Developer profiles
o Paired Wi-Fi network settings
o Wi-Fi and Bluetooth addresses

Supported devices list: iPhone, iPhone 3G, iPhone 3GS, iPod Touch.

6.5.2 Software Installation


I downloaded software version 2.8.0.582 from the official website after filling in the online form; they sent an email with the trial activation code. The trial version works for 30 days with only 27 forensic attempts.

6.5.3 Data Acquisition


Launching the application will run the connection wizard.

Figure 13: Oxygen Connection Wizard

Figure 14: Oxygen Connection Selection

I selected Connect via Cable option; then I connected the iPhone device to the PC.

Figure 15: Oxygen Connect Phone via Cable

The connection wizard is searching for the connected phone.

Figure 16: Oxygen Phone Detected

The connection wizard found the connected iPhone and displayed the correct device IMEI.

Figure 17: Oxygen Data Extraction Wizard

This is the first screen of the data extraction wizard. The wizard goes through a few steps before starting the data extraction process:
- Device identification
- Selection of the types of data to be extracted
- Extraction customization, if required
- Extraction settings confirmation

Figure 18: Oxygen Device Identification

This screen allows the examiner to add information about the device, case, and the
inspector. Also the examiner can select the hash algorithm.

Figure 19: Oxygen Device Owner Number

This screen allows the examiner to add the owner's phone number that can be helpful in the
data analysis later on. This screen allows up to 4 phone numbers.

Figure 20: Oxygen Data Type Selection

This screen can be used to select the data of interest. For testing purposes I selected all data. The next screen confirms the extraction settings.

Figure 21: Oxygen Extraction Setting Confirmation

Figure 22: Oxygen Data Extraction Process

The wizard starts reading all selected data sections. The next screen shows the extraction summary and asks whether the examiner wants to open the report or customize the report data before exporting it.

Figure 23: Oxygen Extraction Summary

6.5.4 Results and Reporting
Once the acquisition process is over, the results can be displayed either through the
application interface or it can be exported to report.

Figure 24: Oxygen Device Info Screen


The first screen shows the device information, photo and a summary of the acquired data.

Figure 25: Oxygen – Phonebook


This screen displays the recovered phonebook data and the favourite contacts, with contact images.

Figure 26: Oxygen Calendar
Recovered calendar data

Figure 27: Oxygen SMS


Recovered SMS, including the message status (sent/received), the timestamp, and whether the message has been opened or not.

Figure 28: Oxygen Images
Recovered Images

Figure 29: Oxygen Melodies


Recovered melodies and ringtones.

Figure 30: Oxygen Documents
Recovered documents, including txt, html, pdf and other document files.

Figure 31: Oxygen Application


Oxygen did not recover any of the installed applications.

Figure 32: Oxygen Database
Recovered databases, such as SQLite databases and .db files. I will explain how to recover these databases during the next test.

Figure 33: Oxygen Other Files


Other files used by applications, or iPhone data files such as .plist files, displayed in XML format.

6.5.5 Test Summary
| Data | Original Stored Data | Recovered by Oxygen | Ranking |
|---|---|---|---|
| Call Logs | 43 calls | No | 0 |
| Phonebook | 385 PC Contacts + 584 Exchange Contacts | 963 | 3 |
| Favorites Contacts | 7 Contacts | 7 | 3 |
| SMS | 18 messages, 3 deleted | 15 | 2 |
| Emails | Hundreds of emails in 3 accounts | No | 0 |
| Calendar | 92 events | 87 (85 All Day events + 2 appointments) | 3 |
| Images | 5 + 2 deleted | 5741 | 5 |
| Melodies | 24 Ringtones | 24 | 3 |
| Web history | Yes | Yes | 3 |
| Videos | No | No | 3 |
| Wireless networks | 3 stored wireless networks | 3 with details including SSID, BSSID, RSI, Channel, Last joined time, and Last auto joined time | 3 |
| Applications | 30 | 0 | 0 |
| Notes | 0 | 0 | 3 |
| Passwords | Yes | No | 0 |
| Phone Information | Yes | Yes | 3 |
| Other Files | Yes | Yes | 3 |

Table 4: Oxygen Tool – Test Summary

6.5.6 Conclusion
Oxygen is a fast forensic solution; it can be used to perform logical data acquisition and is able to recover most of the expected data. But since I am using a trial version, which has some limitations, I cannot assign a proper ranking to the acquisition process. I can, however, observe that the tool cannot recover any of the deleted data.

6.6 Zdziarski Technique
Jonathan Zdziarski is an active member of the iPhone development community, where he is known as “Nerve Gas”. He is also a research scientist in machine learning technologies for combating online fraud and spam. Zdziarski has published many books related to iPhone applications and forensics (www.zdziarski.com), (www.oreillynet.com/pub/au/1861).

6.6.1 Overview
The Zdziarski technique is the only method that can be used to perform a bit-by-bit copy of the iPhone internal disk, and it uses cryptographic mechanisms to prove that both images are identical.

This method requires some modifications to the system partition, but as mentioned before, since this partition is completely isolated from the media partition, the modification will not affect the user's stored data.

The Zdziarski technique is based on building a custom RAM disk and restoring it to the iPhone instead of restoring the default phone filesystem. Once the phone is rebooted, the RAM disk is executed to install the recovery payload to the filesystem; the payload contains some traditional UNIX tools such as SSH and dd for disk imaging.
Once the recovery payload is installed, the user can establish an SSH session to the iPhone and perform a bit-by-bit copy of the user's media disk (Zdziarski, 2008).

Zdziarski's iPhone Forensics book discusses the forensic examination of iPhones with firmware v1.1.4 and v2.x. He used the “iLiberty+” and “PwnageTool” tools to install the recovery payload to the filesystem. Since these tools are not available for the iPhone 3GS with version 4.0.1, I will use a different tool to perform this test.

6.6.2 Installation

6.6.2.1 Recovery Payload Installation


Since I am using version 4.0.1, I used the browser-based "JailbreakMe" tool to jailbreak the iPhone and load the "Cydia" application (http://www.appleiphoneschool.com/what-is-cydia/), which provides applications and tools that are not available in the iPhone App Store. From the iPhone, go to http://jailbreakme.com and slide the bar to jailbreak the iPhone. Note that, like the recovery payload, this step writes to the system partition of the evidential device.

Figure 34: JailbreakMe Home Screen
Figure 35: Cydia Home Screen

6.6.2.2 Secure Shell Installation


Since I am using a different recovery toolkit from the one used by Zdziarski, OpenSSH has to be installed separately through Cydia to allow secure access to the iPhone. From Cydia, search for OpenSSH and select Install.

Figure 36: OpenSSH Installation Page

An SSH server and client must also be installed on the desktop used for the forensic examination. I used "Cygwin OpenSSH" for Windows, which can be downloaded from http://chinese-watercolor.com/LRP/printsrv/cygwin-sshd.html.

6.6.2.3 dd Installation


dd is a standard Unix utility for low-level raw copying of files and block devices. It is installed on the iPhone as part of the Cydia packages. For the Windows desktop I used "dd for Windows", which can be downloaded from http://www.chrysocome.net/dd.

6.6.2.4 Network Setup


1- Once the jailbreak has been applied, connect the iPhone and the examination PC to a dedicated wireless network. For testing only, I used a WEP-encrypted network; WEP is cryptographically broken, so in a real examination the network should use WPA2 and, more importantly, be isolated with no route to the Internet, so that the device cannot receive a remote wipe or synchronise new data while it is being imaged.
2- Assign a static IP address to both the iPhone (192.168.0.2) and the PC (192.168.0.10).
3- Test network connectivity from the examination PC to the iPhone.
6.6.3 Data Acquisition
To create the disk image, the desktop connects to the iPhone over an SSH channel, the /private/var partition is unmounted and remounted read-only, and the iPhone is asked to perform a bit-by-bit copy of the partition to the SSH server running on the examination PC. The following steps are involved:
1- Establish an SSH connection from the desktop to the iPhone using the Cygwin SSH client:
$ ssh -l root 192.168.0.2
2- When prompted for the password, the default root password of a jailbroken iPhone is "alpine".
3- On the first connection in each direction the remote host's SSH host key is presented and, once accepted, stored in the client's known_hosts file (on the desktop for this step, and on the iPhone when the phone connects back to the desktop in step 5). Record the fingerprints in the examination notes so that later sessions can be shown to have reached the same devices.
4- Unmount the partition and remount it read-only. The force option is needed because the partition may still be in use by an application (Zdziarski, 2008):
# umount -f /private/var
# mount -o ro /private/var
Check the output of mount afterwards to confirm that /private/var is listed as read-only before imaging.
5- Ask the iPhone to perform a bit-by-bit copy of the partition to the SSH server:
# dd if=/dev/rdisk0s2 bs=4096k | ssh root@192.168.0.10 'dd of=iphone.img'
Where:
dd = performs the raw copy of the user partition
if = input file (the device to be copied)
rdisk0s2 = the user (media) partition
bs = the block size
192.168.0.10 = SSH server IP address
of = output file (where the image will be created)

6- When prompted for the root@192.168.0.10 password, enter the SSH server password.
7- The image is created at the specified location and grows as the copy proceeds. It took around 10 hours to finish copying a 32 GB iPhone.
8- Finally, compute a cryptographic hash of /dev/rdisk0s2 on the phone and of iphone.img on the desktop and record both; matching values are the evidence that the image is an exact copy of the partition.

Figure 37: iPhone filesystem, dd image creation

6.6.4 Results and Reporting
Once the image has been created, many forensic tools can be used to analyse the acquired data. The iPhone uses the HFS/X filesystem (the case-sensitive variant of HFS+), which is not recognised by most forensic tools. Zdziarski's approach is to change the volume header signature located at offset 0x400 in the image from "HX" to "H+", after which any tool that understands HFS+ can read the image (Zdziarski, 2008). This should be done on a working copy only, with the original image and its hash kept untouched. I chose not to change the identifier but instead to use data recovery software called "PhotoRec" (http://www.cgsecurity.org/wiki/PhotoRec), which is intended for recovering lost files from hard disks but understands HFS/X and can carve the data directly.

Another way to read the dd image is to mount it with a tool that lets Windows recognise the HFS/X filesystem. Zdziarski mentions a useful tool for Windows users called "HFSExplorer" (http://hem.bredband.net/catacombae/hfsx.html), which can extract files from the HFS/X image and browse its folders and files manually (Zdziarski, 2008). I used this tool to navigate through the image and export the interesting files and databases, then opened them with an SQLite browsing tool such as SQLiteBrowser (http://sqlitebrowser.sourceforge.net).

Figure 38: PhotoRec data recovery

Once PhotoRec has finished, the recovered files can be explored through Windows Explorer and searched by file extension.
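As an added example (not code from the thesis or from Zdziarski's toolkit), the following Python script applies the HX to H+ signature change described above to a working copy only, after first checking that the image still matches the hash recorded at acquisition and that it really is an HFS/X volume. The header layout it parses (signature at partition offset 0x400, version, allocation block size and block count) follows Apple's HFS Plus volume format; the image it runs on here is a constructed in-memory stand-in, and the "acquisition hash" is computed from that stand-in rather than taken from a real device.

```python
"""Verify a dd image of the media partition and make an HFS+-tagged working copy.

Added example, not part of the thesis and not Zdziarski's tooling. The volume
header layout (2-byte signature at partition offset 0x400, then a 2-byte
version, with allocation block size and block count at header offsets 0x28 and
0x2C, all big-endian) follows Apple's HFS Plus specification (TN1150). Works on
any seekable binary stream, so the constructed in-memory image below and a real
iphone.img are handled identically.
"""
import hashlib
import io
import struct

VOLUME_HEADER_OFFSET = 0x400   # volume header begins 1024 bytes into the partition
HFSX_SIGNATURE = b"HX"         # case-sensitive HFSX, as used on the iPhone media partition
HFSPLUS_SIGNATURE = b"H+"      # plain HFS+, which most forensic tools recognise
CHUNK = 1 << 20                # stream 1 MiB at a time so a 32 GB image never sits in memory


def sha1_stream(fobj):
    """SHA-1 of the whole stream, read in chunks (rewinds first)."""
    fobj.seek(0)
    digest = hashlib.sha1()
    for block in iter(lambda: fobj.read(CHUNK), b""):
        digest.update(block)
    return digest.hexdigest()


def read_volume_header(fobj):
    """Fields an examiner checks before trusting an image: signature, version, geometry."""
    fobj.seek(VOLUME_HEADER_OFFSET)
    hdr = fobj.read(0x30)
    if len(hdr) < 0x30:
        raise ValueError("image too short to contain an HFS+/HFSX volume header")
    (version,) = struct.unpack(">H", hdr[2:4])
    block_size, total_blocks = struct.unpack(">II", hdr[0x28:0x30])
    return {
        "signature": hdr[0:2],
        "version": version,             # 4 = HFS+, 5 = HFSX
        "block_size": block_size,
        "total_blocks": total_blocks,
        "volume_bytes": block_size * total_blocks,
    }


def make_hfsplus_copy(src, expected_sha1, dst=None):
    """Copy src to dst and rewrite the signature from HX to H+ (the change Zdziarski describes).

    The source is never written to: it stays the evidential image, with its hash,
    and the patched copy is what gets loaded into HFS+-aware tools. The copy is
    refused if the source no longer matches the acquisition hash or if it is not
    HFSX (wrong partition, or already patched).
    """
    actual = sha1_stream(src)
    if actual != expected_sha1:
        raise ValueError(f"image hash {actual} differs from acquisition hash {expected_sha1}")
    if read_volume_header(src)["signature"] != HFSX_SIGNATURE:
        raise ValueError("source is not an HFSX volume; nothing to patch")

    if dst is None:
        dst = io.BytesIO()
    src.seek(0)
    dst.seek(0)
    copied = 0
    for block in iter(lambda: src.read(CHUNK), b""):
        dst.write(block)
        copied += len(block)
    dst.seek(VOLUME_HEADER_OFFSET)
    dst.write(HFSPLUS_SIGNATURE)       # the only two bytes that differ from the original
    dst.flush()

    return {
        "working_copy": dst,
        "bytes_copied": copied,
        "source_sha1": actual,
        "working_copy_sha1": sha1_stream(dst),   # record this too: it identifies the patched copy
        "working_copy_signature": read_volume_header(dst)["signature"],
    }


def constructed_hfsx_image(total_blocks=8, block_size=4096):
    """CONSTRUCTED stand-in for iphone.img: zeros plus a minimal HFSX volume header."""
    img = bytearray(block_size * total_blocks)
    base = VOLUME_HEADER_OFFSET
    img[base:base + 2] = HFSX_SIGNATURE
    img[base + 2:base + 4] = struct.pack(">H", 5)
    img[base + 0x28:base + 0x30] = struct.pack(">II", block_size, total_blocks)
    return io.BytesIO(bytes(img))


if __name__ == "__main__":
    # Real use: src = open("iphone.img", "rb"), dst = open("iphone_hfsplus.img", "w+b"),
    # expected_sha1 = the value computed on the phone for /dev/rdisk0s2 at acquisition.
    evidence = constructed_hfsx_image()
    acquisition_hash = sha1_stream(evidence)
    print("header:", read_volume_header(evidence))
    print({k: v for k, v in make_hfsplus_copy(evidence, acquisition_hash).items() if k != "working_copy"})
```

For a real image, open iphone.img read-only as the source and a new file in "w+b" mode as the destination (the copy is re-hashed after patching, so the destination must be readable), and pass the hash that was computed on the phone at acquisition. Only the two signature bytes differ between the evidential image and the working copy, so both hashes belong in the examination notes.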
Figure 39: images recovered by PhotoRec
Many screenshots can be found among the recovered images, because iOS takes a snapshot of the foreground application's screen each time the Home button is pressed (it is used for the application closing animation), and these snapshots persist on the filesystem.

Figure 40: Recovered screenshot for the settings menu

Figure 41: Image browsing through HFSExplorer

Figure 42: Data extraction using HFSExplorer

Interesting databases and files can be found in various places. The following are the locations of the most interesting files (paths are relative to the imaged /private/var partition):

Data                Location
Phonebook           /mobile/Library/AddressBook/AddressBook.sqlitedb
Phonebook Images    /mobile/Library/AddressBook/AddressBookImages.sqlitedb
Calendar            /mobile/Library/Calendar/Calendar.sqlitedb
Call Logs           /wireless/Library/CallHistory/call_history.db
Emails              /mobile/Library/Mail/Envelope Index
Email attachments   /mobile/Library/Mail/Attachments/
Keyboard cache      /mobile/Library/Keyboard/dynamic-text.dat
Cookies             /mobile/Library/Cookies/Cookies.plist
SMS                 /mobile/Library/SMS/sms.db
Notes               /mobile/Library/Notes/notes.sqlite
Phone Preferences   /mobile/Library/Preferences/
Safari History      /mobile/Library/Safari/History.plist
Ringtones           /stash/Ringtones
Table 5: locations of the important data in the iPhone filesystem

Since most of the important data is stored in SQLite databases, SQLite Database Browser can be used to open them, and custom queries can be written to bring related records from different databases together.

Figure 43: Phonebook DB – ABPerson table as displayed on SQLite browser

Figure 44: Call history database as displayed in SQLite browser
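The kind of custom query mentioned above, as an added example that is not part of the thesis: the script joins the call log exported from call_history.db to the contacts in AddressBook.sqlitedb so that each call is listed with a name. The table names and the columns used are those of the iOS 4 databases in Table 5, reduced to what the query needs; the phone-number property ID (3), the Unix-epoch date format and the trailing-digits matching heuristic are assumptions the examiner should confirm against the real files, and all rows are constructed test data.

```python
"""Join the call log to the address book so each call is shown with a contact name.

Added example, not part of the thesis. The table and column names are those of
the iOS 4 call_history.db and AddressBook.sqlitedb listed in Table 5, reduced to
the columns used here; the phone-number property ID (3) and the epoch-seconds
date format are assumptions the examiner should confirm against the real
databases. All rows are CONSTRUCTED test data.
"""
import re
import sqlite3
from datetime import datetime, timezone

PHONE_PROPERTY = 3          # ASSUMED: ABMultiValue.property value used for phone numbers
SIGNIFICANT_DIGITS = 10     # ASSUMED heuristic: compare trailing digits so "+44 7700 900123"
                            # and "07700 900123" match; tune for the numbering plan in the case


def normalise_number(raw):
    """Keep digits only and ignore the country-code prefix by comparing trailing digits."""
    if raw is None:
        return None
    digits = re.sub(r"\D", "", raw)
    return digits[-SIGNIFICANT_DIGITS:] if digits else None


def open_databases(call_history_path, addressbook_path):
    """Open call_history.db and attach AddressBook.sqlitedb as schema 'ab' on one connection."""
    conn = sqlite3.connect(call_history_path)
    conn.execute("ATTACH DATABASE ? AS ab", (addressbook_path,))
    conn.create_function("norm", 1, normalise_number)   # make the normaliser usable from SQL
    conn.row_factory = sqlite3.Row
    return conn


def resolve_calls(conn):
    """Every call record with the matching contact name (None when the number is unknown)."""
    rows = conn.execute(
        """
        SELECT c.ROWID AS call_id, c.address, c.date, c.duration, c.flags,
               p.First AS first, p.Last AS last
        FROM call AS c
        LEFT JOIN ab.ABMultiValue AS mv
               ON mv.property = ? AND norm(mv.value) = norm(c.address)
        LEFT JOIN ab.ABPerson AS p ON p.ROWID = mv.record_id
        ORDER BY c.date, c.ROWID
        """,
        (PHONE_PROPERTY,),
    ).fetchall()
    result = []
    for r in rows:
        name = " ".join(part for part in (r["first"], r["last"]) if part) or None
        result.append({
            "call_id": r["call_id"],
            "address": r["address"],
            "contact": name,
            "when_utc": datetime.fromtimestamp(r["date"], timezone.utc).isoformat(),
            "duration_s": r["duration"],
            "flags": r["flags"],          # left raw: meaning must be established per iOS version
        })
    return result


def load_constructed_data(conn):
    """CONSTRUCTED fixture: the parts of the two schemas this query touches, plus sample rows."""
    conn.executescript(
        """
        CREATE TABLE ab.ABPerson (ROWID INTEGER PRIMARY KEY, First TEXT, Last TEXT);
        CREATE TABLE ab.ABMultiValue (UID INTEGER PRIMARY KEY, record_id INTEGER,
                                      property INTEGER, label INTEGER, value TEXT);
        CREATE TABLE call (ROWID INTEGER PRIMARY KEY, address TEXT, date INTEGER,
                           duration INTEGER, flags INTEGER, id INTEGER);
        INSERT INTO ab.ABPerson VALUES (1, 'Alice', 'Example'), (2, 'Bob', NULL);
        INSERT INTO ab.ABMultiValue VALUES
            (10, 1, 3, 1, '07700 900123'),          -- Alice, phone, national format
            (11, 1, 4, 2, 'alice@example.invalid'), -- Alice, e-mail: must not match a call
            (12, 2, 3, 1, '+44 7700 900456');       -- Bob, phone, international format
        INSERT INTO call VALUES
            (1, '+447700900123', 1280000000, 125, 5, -1),   -- Alice, international format
            (2, '07700900456',   1280003600,  30, 4, -1),   -- Bob, national format
            (3, '07700900789',   1280007200,   0, 4, -1);   -- number not in the address book
        """
    )
    conn.commit()


if __name__ == "__main__":
    # Real use: open_databases("call_history.db", "AddressBook.sqlitedb") on files
    # exported from the image with HFSExplorer; here both are in-memory fixtures.
    db = open_databases(":memory:", ":memory:")
    load_constructed_data(db)
    for entry in resolve_calls(db):
        print(entry)
```

Work on copies of the exported databases, never on the only copy; a number that appears under two contacts produces one output row per contact, which is worth keeping visible rather than silently picking one.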

6.6.5 Test Summary

Data               | Original Stored                         | Recovered by Zdziarski method                                                                       | Ranking
Call Logs          | 43 calls                                | 51 records                                                                                          | 5
Phonebook          | 385 PC contacts + 584 Exchange contacts | 969                                                                                                 | 4
Favorites Contacts | 7 contacts                              | 7                                                                                                   | 3
SMS                | 18 messages, 3 deleted                  | 4                                                                                                   | 1
Emails             | Hundreds of emails in 3 accounts        | Yes, 365 emails, 3 accounts                                                                         | 5
Calendar           | 92 events                               | 85                                                                                                  | 3
Images             | 5 + 2 deleted                           | Thousands of JPG and PNG files found in the dump image, but only 5 photos stored in the SQLite database | 5
Melodies           | 24 ringtones                            | 24                                                                                                  | 3
Web history        | Yes                                     | Yes                                                                                                 | 3
Videos             | No                                      | No                                                                                                  | 3
Wireless networks  | 3 stored wireless networks              | Yes, details of 3 wireless networks + the length of the network key                                 | 4
Applications       | 30                                      | 56                                                                                                  | 5
Notes              | 0                                       | 0                                                                                                   | 3
Passwords          | Yes                                     | Yes, encrypted and stored in an SQLite DB                                                           | 3
Phone Information  | Yes                                     | Yes                                                                                                 | 3
Other Files        | Yes                                     | Yes                                                                                                 | 5
Table 6: Zdziarski Method - Test Summary

6.6.6 Conclusion
Since this technique takes a bit-by-bit copy of the internal disk storage, it should be the most accurate technique for iPhone forensics. There are, however, open questions about how it is performed, the difficulty of the analysis, and the way the data is acquired (Hoog, et al., 2009). From a legal point of view, the method violates the ACPO principles, because jailbreaking the phone and installing the payload change data on the device, and it is also reported to breach Apple's copyright (mobileforensics.wordpress.com, 2008).

Conclusion
With the continued enhancements in the mobile phone industry, mobile forensics has become a growing subject area within computer forensics, with many challenges facing forensic specialists. As discussed in this project, the most challenging problems for mobile forensics are covering all newly available phones and ensuring the integrity of the acquired evidence. In my opinion, solving these problems requires some form of cooperation between the forensic tool manufacturers and the mobile phone manufacturers to standardise the communication process between mobile phones and forensic tools, and to address security issues such as authentication and encryption. In that case, the forensic tools should be available to law enforcement agencies only, to avoid any misuse of the tools.

A standard model for investigation procedures should exist to ensure the reliability of investigations. This again depends on standardisation across the mobile phone and forensic tool industries.

Currently available forensic tools perform adequately; however, more research is needed to develop new tools and methodologies, or to improve the existing tools. The rapid growth of the mobile phone industry demands equally rapid development of mobile forensic tools to meet investigation requirements, cover new devices, and ensure the integrity of the evidence.

It is important that forensic investigators comprehend the specifications, functions, and limitations of the forensic tools.

The iPhone is one of the most challenging devices for forensic tool manufacturers, since Apple keeps improving the security of the device through regular firmware updates and new software and hardware releases. Consequently, the job of the forensic tool manufacturers is becoming more difficult, as there is no stable state on which to build their tools.

Research from the hacking communities can in some cases be useful to forensic investigators, but it should be used through proper legal channels. At the same time, these iPhone hacking communities are a big challenge for forensic investigators and forensic tool manufacturers.

BIBLIOGRAPHY

ACPO. 2003. Good Practice Guide for Computer-Based Electronic Evidence. www.7safe.com.
[Online] 2003. [Cited: August 1, 2010.]
http://www.7safe.com/electronic_evidence/ACPO_guidelines_computer_evidence.pdf.
Official release version 4.0.

Al-Zarouni, Marwan. 2007. Introduction to Mobile Phone Flusher Device and Considerations
for their Use in Mobile Phone Forensics. School of Computer and Information Science, Edith
Cowan University. 2007. Online Access from
http://scissec.scis.ecu.edu.au/proceedings/2007/forensics/15_Al-Zarouni%20-
%20Introduction%20to%20Mobile%20Phone%20Flasher%20Devices%20and%20Considerati
ons%20for%20their%20Use%20in%20Mobile%20Phone%20Forensics.pdf on 13 June 2010.

Android anti-forensics through a local paradigm. Distefano, Alessandro, Me, Gianluigi and
Pace, Francesco. 2010. Rome : digital Investigation, 2010, ELSEVIER, Vol. 7. Accessed online
from http://www.dfrws.org/2010/proceedings/2010-310.pdf on 20 August 2010. S83eS94.

Ayers, Rick, et al. 2007. Cell Phone Forensic Tools: An Overview and Analysis Update.
Gaithersburg : National Institute of Standards and Technology, 2007. Online Access on 15
July 2010 from http://csrc.nist.gov/publications/nistir/nistir-7387.pdf. NISTIR 7387.

BABT. IMEI Number Structure. British Approvals Board for Telecommunications. [Online]
British Approvals Board for Telecommunications. [Cited: July 28, 2010.]
http://www.babt.com/babt/en/services/imei_number_allocation/number_structure.

Bryan, Sterling. 2009. Mobile Forensics Behind Bars. Washington, D.C. : Office of Security
Technology, Federal Bureau of Prisons, 2009. Online Access on 16th July 2010 from
http://files.sans.org/summit/forensics09/PDFs/0625%20Mobile%20Forensics%20power%20
point(Sterling)Arial%20final%20short.pdf.

Forensics and SIM Cards: an Overview. Casadei, Fabio, Savoldi, Antonio and Gubian, Paolo.
2006. 1, s.l. : International Journal of Digital Evidence, 2006, Vol. 5.

Forensics and the GSM mobile telephone system. Willassen, Svein Yngvar. 2003. 1, s.l. :
International Journal of Digital Evidence, 2003, Vol. 2. Online access on 20 July 2010 from
http://www.utica.edu/academic/institutes/ecii/publications/articles/A0658858-BFF6-C537-
7CF86A78D6DE746D.pdf.

GSM Security. 2009. What is IMEI ? GSM Security. [Online] Network System Architects Inc.,
2009. [Cited: July 28, 2010.] http://www.gsm-security.net/faq/imei-international-mobile-
equipment-identity-gsm.shtml.

Hoog, Andrew and Gaffaney, Kyle. 2009. iPhone Forensics. viaForensics.com. s.l. : Andrew
Hoog, 2009. Online Access on 15th July from http://viaforensics.com/wpinstall/wp-
content/uploads/2009/03/iPhone-Forensics-2009.pdf.

International Telecommunication Union. 2009. Measuring the information Society. The ICT
Development Index. Geneva : International Telecommunication Union, 2009. Online Access
on 1st July 2010 from http://www.itu.int/ITU-
D/ict/publications/idi/2009/material/IDI2009_w5.pdf. ISBN 92-61-12831-9.

ITU Telecom World 2009. 2009. THE WORLD IN 2009: ICT FACTS AND FIGURES. Geneva :
International Telecommunication Union, 2009. Online Access on 1st July 2010 from
http://www.itu.int/ITU-D/ict/material/Telecom09_flyer.pdf.

ITU World Telecommunication. ICT Indicators database. Global mobile cellular subscriptions,
total and per 100 inhabitants 2000-2009. [Online] [Cited: July 15, 2010.]
http://www.itu.int/ITU-D/ict/statistics/material/graphs/Global_mobile_cellular_00-09.jpg.

Jansen, Wayne and Ayers, Rick. 2007. Guidelines on Cell Phone Forensics:
Recommendations of the National Institute of Standards and Technology. Gaithersburg,
MD : National Institute of Standards and Technology, 2007. Online Access on 20 July 2010
from http://csrc.nist.gov/publications/nistpubs/800-101/SP800-101.pdf. NIST Special
Publication 800-101.

Jansen, Wayne and Delaitre, Aurelien. 2009. Mobile Forensic Reference Materials: A
Methodology and Reification. Gaithersburg, MD : National Institute of Standards and
Technology, 2009. Online Access on 1st May 2010 from
http://www.nist.gov/customcf/get_pdf.cfm?pub_id=903402. NISTIR 7617.

Jansen, Wayne, Delaitre, Aurelien and Moenner, Ludovic. 2008. Overcoming Impediments
to Cell Phone Forensics. NIST. Gaithersburg : s.n., 2008. Online Access from
http://csrc.nist.gov/groups/SNS/mobile_security/documents/mobile_forensics/Impediment
s-formatted-final-post.pdf on 1 August 2010.

Martin, Keith. 2009. An Introduction to Cryptography and Security Mechanisms. MSc
Lecture. [Presentation]. s.l., UK : Information Security Group; RHUL, 2009. Vol. 11.

Al-Zarouni, Marwan. 2006. Mobile Handset Forensic Evidence: a challenge for Law
Enforcement. School of Computer and Information Science. s.l. : Edith Cowan University,
2006. Online Access on 30 July 2010 from
http://scissec.scis.ecu.edu.au/confs/proceedings/2006/forensics/Al-Zarouni%20-
%20Mobile%20Handset%20Forensic%20Evidence%20-
%20a%20challenge%20for%20Law%20Enforcement.pdf.

Harrington, Michael. 2007. General Characteristics of the Subscriber Identity Module File
System. mobileforensics.wordpress.com. [Online] Feb 24, 2007. [Cited: July 23, 2010.]
http://mobileforensics.files.wordpress.com/2007/02/sim-file-system.pdf.

mobileforensics.wordpress.com. 2008. iPhone Forensic Examinations – A Series, Cell Phone
Forensic Tips, Tricks and Tutorials. Mobile Devices Forensics. [Online] September 17, 2008.
[Cited: August 2, 2010.] http://mobileforensics.wordpress.com/2008/09/15/iphone-
forensic-examinations-a-series/.

Mock, Dave . 2002. Wireless Advances the Criminal Enterprise. [Online] Jun 28, 2002. [Cited:
July 1, 2010.]
http://thefeaturearchives.com/topic/Technology/Wireless_Advances_the_Criminal_Enterpr
ise.html.

Netherlands Forensic Institute. 2006. Workflow for Mobile Phone Forensic Examinations .
Flow Chart Forensic Mobile Phone Examination. [Online] May 4, 2006. [Cited: May 2, 2010.]
http://www.holmes.nl/MPF/FlowChartForensicMobilePhoneExamination.htm.

Nokia Networks Oy. 2002. GSM Architecture. TC Finland : Nokia, Jan 2002. Online access on
22 July 2010 from http://www.roggeweck.net/uploads/media/Student_-
_GSM_Architecture.pdf.

Ramabhadran, Anup. 2007. Forensic Investigation Process Model For Windows Mobile
Devices. Security Group. s.l. : Tata Elxsi, 2007. Paper. Online Access on 5 July 2010 from
http://www.forensicfocus.com/downloads/windows-mobile-forensic-process-model.pdf.

Savoldi, Antonio and Gubian, Paolo. 2007. SIM and USIM Filesystem: a Forensics
Perspective. Brescia, Italy : University of Brescia Department of Electronics for Automation,
2007. Online Access on 23 July 2010 from
http://pds3.egloos.com/pds/200705/25/00/sim_and_usim_filesystem_a_forensics_perspec
tive.pdf.

Scientific Working Group on Digital Evidence. 2007. SWGDE and SWGIT Digital &
Multimedia Evidence Glossary. s.l. : Scientific Working Group on Digital Evidence, 2007.
Online Access on 30 July 2010 from
http://www.swgde.org/documents/swgde2008/SWGDE_SWGITGlossaryV2.2.pdf.

Shimpi, Anand Lal. 2009. The iPhone 3GS Hardware Exposed & Analyzed. AnandTech.
[Online] October 6, 2009. [Cited: August 22, 2010.] http://www.anandtech.com/show/2782.

Stepanov, Max. GSM Security Overview (Part 2). The Rachel and Selim Benin School of
Computer Science and Engineering. [Online] [Cited: July 23, 2010.]
www.cs.huji.ac.il/~sans/students_lectures/GSM%20Security.ppt.

TR, 3GPP. 2009. 3rd Generation Partnership Project; Technical Specification Group Core
Network and Terminals; SIM/USIM internal and external interworking aspects. s.l. : 3GPP TR,
2009. Online Access on 23 July 2010 from
http://www.3gpp.org/ftp/specs/archive/31_series/31.900/31900-800.zip.

Jansen, Wayne A. and Delaitre, Aurelien. 2007. Reference Material For Assessing Forensic
SIM Tools. Gaithersburg, MD : National Institute of Standards and Technology, 2007. ICCST
2007-74.

Jansen, Wayne and Ayers, Rick. An Overview and Analysis of PDA Forensic Tools. s.l. :
National Institute of Standards and Technology. Online Access on 1 May 2010 from
http://csrc.nist.gov/groups/SNS/mobile_security/documents/mobile_forensics/ForensicArti
cle-DI-fin.pdf.

Willassen, Svein. Forensic analysis of mobile phone internal memory. s.l. : Norwegian
University of Science and Technology. Online Access from
http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.101.6742&rep=rep1&type=pdf
on 23 July 2010.

Willassen, Svein Y. 2003. Evidence in Mobile Phone Systems. 2003. Online Access from
http://web.archive.org/web/20041126135046/http://www.mobileforensics.com on 1st
August 2010.

Wolleschensky, Lars. 2007. Cell Phone Forensics. s.l. : Ruhr-Universität Bochum, 2007.
Online Access from
http://www.crypto.rub.de/imperia/md/content/seminare/itsss07/cell_phone_forensics.pdf
on 1 August 2010.

Zdziarski, Jonathan. 2008. iPhone Forensics. Sebastopol : O'Reilly, 2008. ISBN 978-0-596-15358-8.

Appendix
Email Communications

From: Shannon Moore [mailto:xxxxxx@paraben.com]


Sent: 11 January 2010 6:42 PM
To: Ahmed M. Said
Subject: Paraben

Hello Ahmed:

All of our products have a free trial downloadable demo. I have provided the link for you to download the
demo along with some product information on Device Seizure. I hope this information helps. Please let me
know if I can be of further assistance.

Shannon Moore

Director of Sales

Paraben Corporation

Comprehensive Digital Forensic Solutions

p. xxxxxx f. xxxxx c.xxxxx

Learn about our Comprehensive Solutions at: www.paraben.com

This message is confidential and intended only for the individual named. If you are not that individual, do not disseminate, distribute or copy this e-
mail. If you feel you have received this message in error, please contact the sender immediately and delete this message. Information transmitted by
e-mail is not secure and may be intercepted by a third party. There is no intent on the part of the sender to waive any privilege that may attach to
this communication. Thank you for your cooperation.

Figure A 1: email communications with Paraben Corporation

From: Mike Dickinson [mailto:xxxx@msab.com]
Sent: 18 February 2010 11:23 AM
To: Ahmed M. Said
Subject: RE: XRY/XACT

Ahmed,

You are welcome. Please find enclosed a copy of the presentation to assist you with your project
work in the future.

Kind Regards

----------------------------------------------------

Mike Dickinson
Country Manager - UK & Ireland

Mobile: +44 xxxx xxx xxx | Office: xxxx xxx xxxx (UK) | Fax: xxxx xxx xxxx (UK)
E-mail: mike.xxxx@msab.com | Skype: xxxxx | Web: www.msab.com

----------------------------------------------------

-----Original Message-----
From: Ahmed M. Said [xxxx]
Sent: 17 February 2010 22:20
To: Mike Dickinson
Subject: RE: XRY/XACT

Dear Mike,

It was my pleasure to meet you today and attend these interesting presentations and demos. I really
appreciate it and hope to see you shortly.
Thank you very much

Kind Regards,
Ahmed

------------------------------------------------------------

From: Mike Dickinson [mailto:xxxx@msab.com]
Sent: 18 February 2010 11:23 AM
To: Ahmed M. Said
Subject: RE: XRY/XACT

Ahmed,

I will pencil in Wed 17th Feb for you at 2pm and hopefully that will match with your supervisor?
Provided you can let me know by 8th Feb at the latest if that date is ok – I am happy to hold it for
you.

Kind Regards

----------------------------------------------------
Mike Dickinson
Country Manager - UK & Ireland

Mobile: +44 xxxx xxx xxx | Office:xxxx xxx xxxx (UK) | Fax: xxxx xxx xxxx (UK)
E-mail: xxxx@msab.com <mailto:xxxx@msab.com> | Skype: xxxxxx | Web: www.msab.com
<http://www.msab.com/>

----------------------------------------------------
From: Mike Dickinson [mailto:Xxxx@msab.com]
Sent: Wednesday, January 20, 2010 11:27 AM
To: Ahmed M. Said
Subject: RE: XRY/XACT

Ahmed,
I am sorry but our distributor for the Oman region has declined to get involved because you only
wish to evaluate the equipment and the cost in facilitating this means it is uneconomical to achieve
right now.
I suggest the best way forward is to see the equipment when you are in the UK.
Provided you can give me sufficient advance warning then I am sure I can spare a day to show you
the technology and also present to your class if they are interested.

Kind Regards

----------------------------------------------------
Mike Dickinson
Country Manager - UK & Ireland

Mobile: +44 xxxx xxx xxx | Office:xxxx xxx xxxx (UK) | Fax: xxxx xxx xxxx (UK)
E-mail: xxxx@msab.com <mailto:xxxx@msab.com> | Skype: xxxxxx | Web: www.msab.com
<http://www.msab.com/>

From: Ahmed M. Said [mailto:xxx]
Sent: 20 January 2010 04:29
To: Mike Dickinson
Subject: RE: XRY/XACT

Hi Mike,

I am going there on 15th Feb. I will talk to my supervisor regarding this; I feel this will be better
than just forwarding him the email. Also, I haven't received any call from your distributor here in Oman
yet. If you can send me their contact information, I will be able to call them.

Thanks

Ahmed Said
--------------------------------------------------

From: Mike Dickinson [mailto:Xxxx@msab.com]


Sent: Thursday, January 14, 2010 9:55 PM
To: Ahmed M. Said
Subject: RE: XRY/XACT

Ahmed,

OK let me know when you have spoken to RHUL and are next in the country and hopefully we can
arrange a presentation to your class.

Kind Regards

----------------------------------------------------

Mike Dickinson
Country Manager - UK & Ireland

Mobile: +44 xxxx xxx xxx | Office:xxxx xxx xxxx (UK) | Fax: xxxx xxx xxxx (UK)
E-mail: xxxx@msab.com <mailto:xxxx@msab.com> | Skype: xxxxxx | Web: www.msab.com
<http://www.msab.com/>

----------------------------------------------------

From: Ahmed M. Said [mailto:xxx]
Sent: 14 January 2010 06:50
To: Mike Dickinson
Subject: RE: XRY/XACT

Hi Mike,

Thank you again for your support. Sure, I am very interested in being in touch with one of your resellers here
in Oman, but I hope that they will be able to support me during the project.

Regards
Ahmed Said

---------------------------------------------------------------------
From: Mike Dickinson [mailto:Xxxx@msab.com]
Sent: Wednesday, January 13, 2010 2:27 PM
To: Ahmed M. Said
Cc: Thomas Renman
Subject: RE: XRY/XACT

Ahmed

No problem – it sounds like it would be easier for you to deal with our local reseller in Oman?
I can forward this information to them to contact you if you like?

Kind Regards

----------------------------------------------------
Mike Dickinson
Country Manager - UK & Ireland

----------------------------------------------------

From: Ahmed M. Said [mailto:xxx]


Sent: 13 January 2010 04:09
To: Mike Dickinson
Subject: RE: XRY/XACT

Hello Mike,

Thank you very much for your support. Unfortunately I am not a full-time student residing in the UK; I am a
part-time modular programme student. I am residing in Oman and only visit the UK for classes, which are
usually one week per module, so next time I am supposed to be there by 14th February. I am planning to
start working on my project in the coming May after the final exams.

Mainly I am interested in Blackberry forensics. I have a Blackberry 8230 phone which can be used for
this exercise.

Sure I am very interested to attend any of your presentations but I don’t know if there is anything
scheduled during my UK visit.

Thanks and Best Regards

Ahmed Said
---------------------------------------------------------------------

From: Mike Dickinson [mailto:Xxxx@msab.com]


Sent: Tuesday, January 12, 2010 10:29 PM
To: Ahmed M. Said
Subject: FW: XRY/XACT

Ahmed,

I am the UK Country Manager for Micro Systemation and may be able to assist you.

Can you advise me what the phone model is that you wish to trial so I can check that we actually
support it?
I am afraid that I cannot lend you the equipment - but I am prepared to attend the University for the
day and allow you to use the equipment in order to get the results you want.
I regularly do presentations on mobile phone forensics to Universities in the UK so if you think your
lecturers or colleagues at RHUL would be interested in a presentation on mobile forensics, I am
happy to consider that for you as well.

Kind Regards

----------------------------------------------------

Mike Dickinson
Country Manager - UK & Ireland

Mobile: +44 xxxx xxx xxx | Office:xxxx xxx xxxx (UK) | Fax: xxxx xxx xxxx (UK)
E-mail: xxxx@msab.com <mailto:xxxx@msab.com> | Skype: xxxxxx | Web: www.msab.com
<http://www.msab.com/>

----------------------------------------------------

From: Ahmed M. Said [mailto:xxx]
Sent: den 11 januari 2010 03:08
To: support
Subject: XRY/XACT

Hi,

I am MSc. information security student at Royal Holloway University of London (RHUL). I am doing
my project on mobile forensics and the tools used for data acquisition.

I am going to do a practical test as a case study on one of phone brands using different tools
available on the market and compare the results based on the hashing technique used, reliability,
integrity.. etc.

I am looking for a trial kit of your tools to help me to go ahead with this exercise.

Your support and advice is highly appreciated..

Regards

Ahmed Said

Figure A 2: email communications with Mike Dickinson – Microsystemation

Ahmed,

Thanks for your email. I did something similar for iPhone Forensics, which you can download for free
on our website.

With regards to our Android services, unfortunately we release the technique primarily to law
enforcement only and after they attend our training class. If it helps, I am mimicking the iPhone white
paper I mentioned above for Android and will test a number of available techniques. Check our
website over the next few weeks to see if we've released it yet.

Thanks and good luck. If you need someone to review when you are done or in draft, let me know.

Andrew Hoog
Chief Investigative Officer
tel: xxx-xxx-xxxx
xxxxxx@viaforensics.com

Figure A 3: email from Andrew Hoog, Chief Officer – viaforensics.com
