Submitted as part of the requirements for the award of the MSc in Information Security at
Royal Holloway, University of London.
I declare that this assignment is all my own work and that I have acknowledged all
quotations from the published or unpublished works of other people. I declare that I have
also read the statements on plagiarism in Section 1 of the Regulations Governing
Examination and Assessment Offences and in accordance with it I submit this project report
as my own work.
TABLE OF CONTENTS
LIST OF TABLES .............................................................................................. V
LIST OF FIGURES............................................................................................ VI
Chapter 1: Introduction.................................................................................. 1
Chapter 2: Background................................................................................... 3
3.2.2 Acquisition ..................................................................................................... 17
3.2.2.1 Phone Identification................................................................................. 17
3.2.2.2 Connection Identification ......................................................................... 17
3.2.2.3 Tool Selection .......................................................................................... 17
3.2.2.4 Phone Acquisition .................................................................................... 17
3.2.3 Examination & Analysis .................................................................................. 18
3.2.4 Reporting ....................................................................................................... 19
Conclusion ................................................................................................... 60
BIBLIOGRAPHY ............................................................................................. 61
Appendix ....................................................................................................... A
LIST OF TABLES
Table 1: Common type of Memory Cards in use with PDA ..................................................... 11
Table 2: iPhone Hardware Components .................................................................................. 32
Table 3: Expected Data ............................................................................................................ 35
Table 5: Oxygen Tool – Test Summary..................................................................................... 51
Table 6: locations of the important data in the iPhone filesystem ......................................... 58
Table 6: Zdziarski Method - Test Summary ............................................................................. 59
LIST OF FIGURES
Figure 1: Global mobile cellular subscriptions, total and per 100 inhabitants 2000-2009. ...... 1
Figure 2: GSM Network Architecture......................................................................................... 3
Figure 3: SIM Card ...................................................................................................................... 5
Figure 4: SIM Card Anatomy ...................................................................................................... 6
Figure 5: SIM File System ........................................................................................................... 6
Figure 6: Mobile Phone Forensic Examination – Preservation ................................................ 16
Figure 7: Flowchart of SIMBrush Procedures .......................................................................... 23
Figure 8: Phone Managers Filter Placement ............................................................................ 24
Figure 9: FBUS Protocol Communications ............................................................................... 25
Figure 10: JTAG Interface in Nokia 3310 Phone ...................................................................... 26
Figure 11: Internal Hardware Components, iPhone 3GS......................................................... 31
Figure 12: iPhone Operating System Design............................................................................ 33
Figure 13: Oxygen Connection Wizard .................................................................................... 37
Figure 14: Oxygen Connection Selection ................................................................................. 38
Figure 15: Oxygen Connect Phone via Cable ........................................................................... 39
Figure 16: Oxygen Phone Detected ......................................................................................... 40
Figure 17: Oxygen Data Extraction Wizard .............................................................................. 41
Figure 18: Oxygen Device Identification .................................................................................. 42
Figure 19: Oxygen Device Owner Number .............................................................................. 43
Figure 20: Oxygen Data Type Selection ................................................................................... 44
Figure 21: Oxygen Extraction Setting Confirmation ................................................................ 44
Figure 22: Oxygen Data Extraction Process ............................................................................. 45
Figure 23: Oxygen Extraction Summary................................................................................... 45
Figure 24: Oxygen Device Info Screen ..................................................................................... 46
Figure 25: Oxygen – Phonebook .............................................................................................. 46
Figure 26: Oxygen Calendar ..................................................................................................... 47
Figure 27: Oxygen SMS ............................................................................................................ 47
Figure 28: Oxygen Images ........................................................................................................ 48
Figure 29: Oxygen Melodies .................................................................................................... 48
Figure 30: Oxygen Documents ................................................................................................. 49
Figure 31: Oxygen Application ................................................................................................. 49
Figure 32: Oxygen Database .................................................................................................... 50
Figure 33: Oxygen Other Files .................................................................................................. 50
Figure 34: JailbreakMe Home Screen ...................................................................................... 53
Figure 35: Cydia Home Screen ................................................................................................. 53
Figure 36: OpenSSH Installation Page...................................................................................... 53
Figure 37: iPhone filesystem, dd image creation .................................................................... 54
Figure 38: PhotoRec data recovery .......................................................................................... 55
Figure 39: images recovered by PhotoRec .............................................................................. 56
Figure 40: Recovered screenshot for the settings menu......................................................... 56
Figure 41: Image browsing through HFSExplorer .................................................................... 57
Figure 42: Data extraction using HFSExplorer ......................................................................... 57
Figure 43: Phonebook DB – ABPerson table as displayed on SQLite browser ........................ 58
Figure 44: Call history database as displayed in SQLite browser ............................................ 59
EXECUTIVE SUMMARY
Demand for mobile phones has increased globally, and their functionality may even rival that
of desktop computers despite their smaller size. This compact design makes mobile phones
easy to use in daily life for many tasks beyond simply making and receiving phone calls.
Mobile phones are now capable of texting, web browsing, e-mailing, photography and other
business tasks, which increases the importance of the data stored on such devices. These
portable data carriers represent a significant source of evidence in both civil and criminal
cases, hence the importance of mobile phone forensics.
In order to retrieve data from mobile phones during a forensic investigation, specialized
tools are required. Various types of forensic toolkit are available, each with its own advantages
and limitations.
Because of the wide range of mobile phone types, many of which use manufacturer-proprietary
standards, mobile forensic examination has become more challenging than computer
forensics.
This project provides an overview of mobile phone forensics, the different types of forensic
tool and the different forensic techniques. A practical case study is presented on how to use
two different techniques for the forensic examination of an iPhone.
Chapter 1: Introduction
According to the International Telecommunication Union (ITU), there were over 4.6 billion
mobile phone subscribers worldwide by the end of 2009, corresponding to 67.0 per cent of the
global population (ITU Telecom World 2009, 2009 p. 1). In 2007 mobile penetration in
Europe reached 111% of the total European population (International Telecommunication
Union, 2009 p. 3). Figure 1 shows global mobile cellular subscriptions from 2000 to 2009.
Figure 1: Global mobile cellular subscriptions, total and per 100 inhabitants 2000-2009.
Source: (ITU World Telecommunication).
Currently available mobile phones (smart phones) are compact computers with high
performance, large memory capacity, enhanced applications and several ways of
communicating. They can be used to perform many tasks: making and receiving phone calls,
texting, internet browsing, taking photographs, recording video, storing documents and
address books, playing music, GPS navigation and more. Although they can be used for all
these legitimate tasks, they can also be used to carry out many illegal activities.
Mobile phones were used in the early 1980s by criminals to organize drug gangs and
prostitution rings and to facilitate everyday operations (Mock, 2002), and they are now
widely used behind bars by inmates to continue their crimes through unmonitored calls to
their networks outside the prison. It is difficult to stop the flow of mobile phones into
prisons, since inmates have many ways to smuggle them in: hiding them inside other items
such as books or cereal boxes, or even inside their bodies, or using well-disguised phones
built into watches, pens, Walkman-style radios and so on (Bryan, 2009).
Nowadays, enhanced network connectivity and mobile phone security have enabled the secure
use of mobile phones for online transactions such as online shopping, e-banking and stock
trading. Improved business applications for mobile phones allow them to be used as mobile
offices, storing a great deal of corporate data (Marwan, 2006).
Mobile forensics is the “science of recovering digital evidence from mobile phones under
forensically sound conditions using accepted methods” (Ayers, et al., 2007). Extracting all
the important data from a mobile phone presents many challenges to the investigator, for
reasons including the wide range of mobile phone brands, the variety of embedded operating
systems and the compact design. In addition, battery-powered phones require special
hardware tools, cables and chargers.
The iPhone was introduced in January 2007 by Apple as a multimedia and internet-enabled
smart phone with a large memory capacity (Zdziarski, 2008). Public interest in the iPhone
has since increased; nevertheless it has generated considerable controversy among
consumers, business customers and now the forensic community.
Chapter 2: Background
Second generation GSM (2G) is a fully digital system, unlike the first generation, which
used analogue signals. General Packet Radio Service (GPRS) was standardized to support
packet switching and improve data transmission. The third generation of mobile networks
(3G) is known as the Universal Mobile Telecommunication System (UMTS), and it provides
enhanced data transmission and different types of services, including multimedia and
IP-based services.
Figure 2 illustrates the GSM network architecture (Martin, 2009).
The SIM card also contains a list of the available networks, encryption and authentication
tools, and storage space for SMS messages and phone numbers.
2.1.2 GSM Network Security
GSM networks authenticate users with a challenge-response protocol. The subscriber's SIM
card holds a 128-bit cryptographic key (Ki), generated randomly by the operator and stored
securely on the card. The operator generates a 128-bit random number (RAND) at the
Authentication Centre (AuC) and sends it to the subscriber. The SIM card uses the
cryptographic algorithm A3 to compute a 32-bit signed response (SRES), where
SRES = A3(RAND, Ki). SRES is sent back to the operator.
The GSM operator performs the same computation to calculate the expected response (XRES)
and compares SRES against XRES; if SRES = XRES, the subscriber is authenticated
(Martin, 2009).
GSM networks provide data confidentiality by encryption. During authentication the
generated RAND is also used to compute fresh keys. The SIM card uses the algorithm A8 to
compute a 64-bit key (Kc), where Kc = A8(Ki, RAND). All signalling between the MS and the
BTS, including voice and messaging, is encrypted under this key (Kc) with the stream cipher
A5, and a new Kc is generated for every call (Martin, 2009).
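The exchange described above, simulated end to end as an added example that is not part of the original report. A3 and A8 are operator-specific, so two keyed-hash stand-ins with the same interface (128-bit Ki and RAND in; 32-bit SRES and 64-bit Kc out) are assumed in their place; the IMSI used is a constructed sample.

```python
import hashlib
import hmac
import os


def a3(ki, rand):
    """Stand-in A3 (constructed): 32-bit signed response SRES = A3(RAND, Ki).
    Real A3 is chosen by the operator; only the interface is reproduced here."""
    assert len(ki) == 16 and len(rand) == 16
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]


def a8(ki, rand):
    """Stand-in A8 (constructed): 64-bit cipher key Kc = A8(Ki, RAND)."""
    assert len(ki) == 16 and len(rand) == 16
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]


class Sim:
    """Subscriber side: Ki never leaves the card; only SRES goes out."""

    def __init__(self, ki):
        self._ki = ki
        self.kc = None          # current session key, refreshed on every run

    def run_gsm_algorithm(self, rand):
        self.kc = a8(self._ki, rand)
        return a3(self._ki, rand)


class AuthCentre:
    """Operator side (AuC): holds Ki per IMSI, issues RAND, precomputes XRES and Kc."""

    def __init__(self):
        self._keys = {}

    def provision(self, imsi, ki):
        self._keys[imsi] = ki

    def triplet(self, imsi):
        """(RAND, XRES, Kc) for one authentication; a fresh RAND every call."""
        ki = self._keys[imsi]
        rand = os.urandom(16)
        return rand, a3(ki, rand), a8(ki, rand)


def authenticate(auc, imsi, sim):
    """Challenge-response as in the text: the network sends RAND, the SIM answers
    SRES, the network compares SRES with XRES. Returns (authenticated, Kc or None)."""
    rand, xres, kc = auc.triplet(imsi)
    sres = sim.run_gsm_algorithm(rand)
    if hmac.compare_digest(sres, xres):
        return True, kc            # both sides now hold Kc for A5 without ever sending it
    return False, None
```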
There are two standard sizes for (U)SIM cards, but only the smaller size (Figure 3) is widely
used in GSM phones today. The chip measures 25 mm in width, 15 mm in height and 0.76 mm
in thickness (Jansen, et al., 2007).
authentication algorithms (Jansen, et al., 2007). Figure 4 shows the main components of the
(U)SIM card (Stepanov p. 22).
Figure 5 illustrates the file system hierarchy of a SIM card (Jansen, et al., 2009).
information (access rights to the files), whereas bodies contain information about the
applications for which the card is issued (Savoldi, et al., 2007).
As described by Savoldi, et al. (2007), many important files are stored on the (U)SIM
card and can be used as evidence during forensic investigations.
Information about the subscriber: the SIM card stores the International Mobile
Subscriber Identity (IMSI) in an elementary file called (EFIMSI). From a forensic point of
view, the SIM card stores other important information about the subscriber; for example,
the preferred language, stored in the (EFLP) and (EFELP) files, can help to determine the
subscriber's nationality. In addition, the Mobile Station ISDN number (MSISDN) stored in
the (EFMSISDN) file can be used to retrieve call logs.
Information about acquaintances: the subscriber can store a list of the most frequently
used or important numbers in the (EFADN, EFFDN and EFBDN) files. The subscriber can also
register for “multicall” groups with one or more other subscribers.
Information about the Short Message Service (SMS): information about sent and received
SMS messages, and whether they have been read, is stored in the (EFSMS) elementary file.
Information about the subscriber's location: the (EFLOCI) elementary file stores
information about the last area in which the subscriber was registered by the system.
Information about calls: the last dialled numbers are stored in the (EFLND) elementary
file, and the keys used to encrypt these calls are stored in the (EFKC) file.
Information about the service provider: information about the network provider is stored
in the (EFSPN) file, information about the networks used is stored in (EFPLMNsel), and
information about forbidden networks is stored in (EFFPLMN).
Information about the system: every SIM card has a unique numeric identifier of up to 20
digits, used to identify the subscriber; it consists of the industry identifier (89 for
telecommunications), followed by the country code, the issuer identifier number and the
individual account identification number (Wayne, et al., 2007). This unique ID is stored in
the (EFICCID) elementary file. The use of this file is open to the operator and the SIM
manufacturer. The (EFICCID) can be used by the forensic examiner to identify the
manufacturer of the SIM card, the network operator and the country of issuance.
All services enabled for the subscriber are stored in a file called (EFSST).
Access to the file system is managed by the operating system and is based on the access
rights and the action attempted (Wayne, et al., 2007). The operating system allows only a
specific number of attempts (usually three) to enter the correct CHV and gain access to the
file system; once they are used up, further attempts are blocked. To reset the attempt
counter, the user has to submit the correct PIN Unblocking Key (PUK); if the number of
attempts to enter the correct PUK exceeds a set limit (usually ten attempts), the card
becomes permanently blocked.
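The CHV/PUK attempt accounting just described, as an added example that is not from the report. The class below models the card's counters (three CHV attempts, ten PUK attempts; a correct PUK restoring both counters is an assumption of this model) so that an examiner can check what remains before any code is submitted:

```python
import secrets


class ChvState:
    """Model of a SIM's CHV (PIN) and PUK attempt counters. Constructed for
    illustration: a real card keeps these counters on the card and reports
    them through its response to SELECT and the VERIFY CHV status words."""

    CHV_ATTEMPTS = 3    # "usually three attempts"
    PUK_ATTEMPTS = 10   # "usually ten attempts"

    def __init__(self, chv, puk):
        self._chv = chv.encode()
        self._puk = puk.encode()
        self.chv_left = self.CHV_ATTEMPTS
        self.puk_left = self.PUK_ATTEMPTS

    @property
    def chv_blocked(self):
        return self.chv_left == 0

    @property
    def permanently_blocked(self):
        return self.puk_left == 0

    def remaining(self):
        """Counters an examiner should check before submitting any code."""
        return {"chv": self.chv_left, "puk": self.puk_left}

    def verify_chv(self, chv):
        """VERIFY CHV: a wrong value costs one attempt; the third wrong value blocks."""
        if self.permanently_blocked:
            return "card permanently blocked"
        if self.chv_blocked:
            return "CHV blocked, PUK required"
        if secrets.compare_digest(chv.encode(), self._chv):
            self.chv_left = self.CHV_ATTEMPTS      # success restores the counter
            return "ok"
        self.chv_left -= 1
        if self.chv_blocked:
            return "CHV blocked, PUK required"
        return "wrong CHV, %d attempt(s) left" % self.chv_left

    def unblock_chv(self, puk, new_chv):
        """UNBLOCK CHV: a correct PUK sets a new CHV and restores both counters
        (model assumption); the tenth wrong PUK blocks the card for good."""
        if self.permanently_blocked:
            return "card permanently blocked"
        if secrets.compare_digest(puk.encode(), self._puk):
            self._chv = new_chv.encode()
            self.chv_left = self.CHV_ATTEMPTS
            self.puk_left = self.PUK_ATTEMPTS
            return "ok"
        self.puk_left -= 1
        if self.permanently_blocked:
            return "card permanently blocked"
        return "wrong PUK, %d attempt(s) left" % self.puk_left
```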
2007). They have a microprocessor to reduce the number of required chips and a large memory
capacity. Read-only memory (ROM), where the operating system is stored, can be erased and
reprogrammed using special tools. Random access memory (RAM), used by some models to store
user data, depends on a battery to remain active. Other components are the radio interface,
a digital signal processor, a microphone and speaker, various hardware keys and interfaces,
and a liquid crystal display (LCD).
Physical and technical specifications differ from device to device; some have more advanced
functions, e.g. camera, GPS, PDA, etc. Generally, mobile phones can be classified into three
categories: basic phones with simple functionality, advanced phones that offer some extra
functionality and multimedia, and smart phones that merge the functionality of advanced
phones and PDAs (Jansen, et al., 2007).
Most basic and advanced mobile equipment uses the manufacturer's proprietary operating
system or an embedded operating system designed by other companies specifically for mobile
devices. Smart phones usually use one of the following operating systems: Windows Mobile,
Linux, RIM OS, Mac OS X, Symbian OS or Palm OS. These operating systems are multitasking
and are designed specifically to match the capabilities of high-end mobile equipment and
the wide range of applications they support (Jansen, et al., 2007).
The IMEI number can be used to report stolen phones and block them from accessing the
network. The owner of a stolen phone can contact the CEIR (Central Equipment Identity
Register), which registers the device as blacklisted in all currently operating networks
(GSM Security, 2009).
Secure Digital (SD) Card
    Size: postage stamp (length 32 mm, width 24 mm, thickness 2.1 mm)
    Interface: 9-pin connector, 4-bit data bus
    Features: mechanical erasure-prevention switch
MiniSD Card
    Size: fingernail (length 21.5 mm, width 20 mm, thickness 1.4 mm)
    Interface: 9-pin connector, 4-bit data bus
    Features: mechanical erasure-prevention switch; requires a mechanical adapter to be
    used in a full-size SD slot
Memory Stick
    Size: chewing gum stick (length 50 mm, width 21.45 mm, thickness 2.8 mm)
    Interface: 10-pin connector, 1-bit data bus
    Features: mechanical erasure-prevention switch
Memory Stick Duo
    Size: partial chewing gum stick (length 31 mm, width 20 mm, thickness 1.6 mm)
    Interface: 10-pin connector, 4-bit data bus
    Features: mechanical erasure-prevention switch
Table 1: Common types of memory card in use with PDAs
Source: (Wayne, et al.)
Chapter 3: Mobile Forensics Principles
Not all digital evidence falls within the scope of these principles; for example, mobile
phone evidence cannot comply with Principle 1, because mobile phone storage changes
continually and automatically, even without user interaction (ACPO, 2003). The goal of
mobile phone forensics should be to minimize the effect on the content of the mobile storage
as far as possible. Principles 2 and 3 of the ACPO guide should be followed strictly, by
involving a specialist who is competent to understand the software and hardware of the
specific phone and has expert knowledge of the tools used to acquire evidence from it, and by
generating a detailed audit trail of every process applied, in a way that can be replicated
by a third party if necessary (Marwan, 2006).
There are several reliability factors to consider when digital evidence is presented in
court. These factors should be kept in mind before applying and reporting any scientific
technique used during the forensic examination (Jansen, et al., 2007).
Credibility: does this technique require special skills and equipment, or can it be
repeated by other experts?
Clarity: can this technique be explained clearly in court?
3.2.1 Preservation
Evidence preservation is “the process of seizing suspect property without altering or
changing the contents of data resides on device and removable media” (Jansen, et al., 2007).
Preservation is the first step in digital evidence acquisition; it occurs prior to the actual
investigation and involves searching for, recognizing, documenting and collecting the digital
evidence. The preservation process consists of the following points (Jansen, et al., 2007).
The phone user or owner should not be allowed to handle the mobile device or any other
peripherals, since he could change the content of the phone or clear the data using the
master code available for most phones. During the interview with the phone user, the
investigator should request any security codes or passwords needed to gain access to the
phone's contents.
Sometimes phones may be found in a potentially dangerous state, for example a mobile phone
used as a component of an explosive device, a mobile phone found in a flower container
covered with a corrosive liquid, or a mobile phone switched on in a place where a real danger
of fire or explosion exists (Netherlands Forensic Institute, 2006). In such cases people's
safety comes first, and a specialist should be consulted.
Mobile phones or peripherals may be found in a damaged state, but this damage may not
prevent the extraction of data. Undamaged memory may be removed from damaged equipment,
so all damaged equipment should be taken to the laboratory for repair and restoration to a
state acceptable for examination (Jansen, et al., 2007).
All digital devices should be photographed along with other peripherals such as media cards,
cables and power connections, and the environment in which they are found. If the phone is
on and the display screen is viewable, it should be photographed to record the time, icons,
LED status, battery level, network connection and physical status (Jansen, et al., 2007).
No attempt should be made to view, record, or determine what is present on the phone at
this stage. Any attempt to view or record anything not already on the display can affect the
content of the mobile device.
Any cables connecting the phone to a computer for synchronization should be unplugged to
prevent any changes to the phone's contents.
The battery should be maintained at an appropriate charge level until the end of the
examination. Sometimes user data is stored in volatile memory, so if the battery discharges
the data will be lost.
Caution should be taken when handling phones that are suspected to have been modified
(Jansen, et al., 2007), for example:
Phones with enhanced security: some phones are available with enhanced authentication or
security mechanisms such as biometrics, token-based authentication and visual logon.
Malicious programs: viruses, malware or other malicious programs may be loaded onto the
phone and may spread over wired or wireless networks. Such programs could also be
conditionally activated by a specific action or key interrupt to perform a malicious action
such as wiping or disabling the device completely.
Key remapping: some keys may be programmed to perform actions other than the default ones,
which may pose a risk during the phone examination.
The Netherlands Forensic Institute (NFI) published a simple workflow for preservation in
mobile forensic examinations (Netherlands Forensic Institute, 2006). Figure 6 illustrates
this basic workflow for the preservation process.
[Figure 6: Mobile Phone Forensic Examination - Preservation. Flowchart whose first step is
1.1 “Make pictures of the phone and the location where it is located”; each “no” branch
returns to the basic workflow.]
3.2.2 Acquisition
Acquisition is “the process of imaging or obtaining information from the digital device and
its peripheral equipment and media” (Jansen, et al., 2007).
Once the phone has arrived at the laboratory, the acquisition process starts. Acquisition
consists of the following procedures (Jansen, et al., 2007):
If the mobile phone is active, a combined acquisition of the phone and SIM card should be
carried out before performing the forensic acquisition of the SIM and phone separately
(Jansen, et al., 2007). The reason for this step is that, for direct acquisition of the SIM
card, it has to be removed and inserted into another card reader. To remove the SIM card the
battery usually has to be disconnected, which can result in loss of the non-volatile memory
contents due to the power disconnection. Other concerns may also exist, such as security
codes, authentication, and loss of the date and time if power is lost (Jansen, et al., 2007).
Not all data viewable by manual navigation through the menus can be extracted through
logical acquisition. Sometimes draft and archived messages cannot be acquired by forensic
tools. In this case manual navigation through the phone menus can be carried out while
video-recording the browsing process (Jansen, et al., 2007).
If the mobile phone is switched off and requires successful authentication to gain access to
its contents, as with a PIN-enabled identity module, a phone with a missing identity module,
a phone lock, password-protected memory or encrypted contents, the investigator can deal with
such obstructed phones in any of the following ways (Jansen, et al., 2007):
Investigative method: this method does not require any hardware or software forensic
tools. Investigators have to do further investigation to find the required information, for
example by asking the suspect, reviewing the collected materials in case the PIN or
passwords are written down somewhere, carefully trying commonly used inputs, or asking the
service provider.
Software-based method: this method depends on using software to exploit a known weakness
in the authentication mechanism of the specific phone.
Hardware-based method: this method involves both hardware and software tools to break the
authentication mechanism and gain access to the phone contents through a hardware backdoor,
examining the device memory independently, using automated brute force, or monitoring the
device characteristics.
The examiner should study the case and be familiar with all the parameters of the crime, the
criminals and the evidence that might be found. It is also highly recommended that the
examiner conducts the examination in coordination with the analyst or investigator, so that
they can give the examiner a good understanding of the evidence found and the examiner can
provide them with the information found on the system (Jansen, et al., 2007).
Examination may reveal potential evidence directly or uncover useful information such as
passwords, network logons and internet connectivity, which can lead to other sources of
evidence.
Mobile phone forensic investigations can be divided into two types (Jansen, et al., 2007):
where the incident occurred and the offender's identity is unknown (e.g. hacking
incidents);
where the incident occurred and the offender's identity is known (e.g. child pornography
incidents).
The investigator and analyst should prepare the incident background to accomplish these
objectives (Jansen, et al., 2007):
Gather information about the persons involved (WHO).
Determine the nature of the evidence (WHAT).
Determine the timeline of events (WHEN).
Understand the information that explains the motivation for the crime (WHY).
Find out the tools used to accomplish the crime (HOW).
3.2.4 Reporting
Reporting is the most important step: forensic results need to be presented as a detailed
summary of all the steps taken and the conclusion of the investigation. A good report should
rely on documentation, photographs, notes and acquired contents (Jansen, et al., 2007).
Reports may be generated by the forensic tool if it has a built-in reporting function, which
allows the examiner to select the output format and the type of data to be included in the
report. The final report should include the one generated by the tools, the process
followed, a summary of actions taken during the investigation, and all supporting documents
such as photographs, notes and the signatures of the specialists responsible for the report
contents.
Chapter 4: Mobile Forensics Tools
Various types of mobile forensic toolkit are available. These toolkits differ in the range
of mobile phones over which they operate, based on the manufacturer platform, product line,
operating system or hardware architecture. Mobile forensic tools should have a short product
release cycle, so that manufacturers can update their tools to keep coverage up to date
(Jansen, et al., 2007).
Forensic tools can acquire data from mobile phones in one of two ways (Jansen, et al.,
2007):
Physical acquisition: performs a bit-by-bit copy of the entire physical storage, e.g. the
entire memory chip.
Logical acquisition: performs a bit-by-bit copy of the logical storage objects, e.g. files
and directories.
The advantage of physical over logical acquisition is that it allows examination of deleted
files and any unallocated space or RAM. The acquired physical image is imported into the
forensic tool for examination and reporting, but only a few tools are available for physical
acquisition of mobile phones. Logical acquisition is much easier than physical acquisition,
since the system and data structures are easier for the tools to extract and examine. Most
of the forensic tools available for mobile phones perform logical data acquisition
(Jansen, et al., 2007).
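An added example (not from the report) of why a physical image reveals what a logical acquisition cannot. It builds a toy image in a tiny directory format of its own (an assumption, not any real filesystem) in which one JPEG-like file has been deleted, then compares a directory-based logical extraction with a header/footer carve over the whole image, recording the image hash as a forensic tool would:

```python
import hashlib
import struct

JPEG_SOI = b"\xff\xd8\xff"   # start-of-image marker that carvers key on
JPEG_EOI = b"\xff\xd9"       # end-of-image marker
ENTRY = ">HH8s"              # toy directory entry: start block, length, name
ENTRY_SIZE = struct.calcsize(ENTRY)


def jpeg_like(payload):
    """Constructed minimal JPEG-shaped blob: SOI, an APP0-style byte, payload, EOI."""
    return JPEG_SOI + b"\xe0" + payload + JPEG_EOI


def build_image(block_size=64):
    """Constructed toy 'physical image': a 2-byte entry count, the directory,
    then 8 data blocks. 'deleted.jpg' has lost its directory entry but its
    blocks were never overwritten, which is how deletion usually works."""
    live = jpeg_like(b"A" * 40)
    deleted = jpeg_like(b"B" * 30)
    data = bytearray(block_size * 8)
    data[0:len(live)] = live                                       # blocks 0-1, allocated
    data[3 * block_size:3 * block_size + len(deleted)] = deleted   # blocks 3-4, unallocated
    directory = struct.pack(">H", 1) + struct.pack(ENTRY, 0, len(live), b"live.jpg")
    return directory + bytes(data), block_size


def logical_acquisition(image, block_size):
    """What a logical tool sees: only the objects the directory still lists."""
    (count,) = struct.unpack(">H", image[:2])
    data_start = 2 + count * ENTRY_SIZE
    files = {}
    for i in range(count):
        off = 2 + i * ENTRY_SIZE
        start, length, name = struct.unpack(ENTRY, image[off:off + ENTRY_SIZE])
        base = data_start + start * block_size
        files[name.rstrip(b"\0").decode()] = image[base:base + length]
    return files


def carve_jpegs(image):
    """Physical-image carving: scan every byte for SOI..EOI pairs, ignoring the
    directory entirely. A fragment without an EOI is left out, as a carver
    that insists on a footer would do."""
    found, pos = [], 0
    while True:
        start = image.find(JPEG_SOI, pos)
        if start < 0:
            break
        end = image.find(JPEG_EOI, start + len(JPEG_SOI))
        if end < 0:
            break
        found.append(image[start:end + len(JPEG_EOI)])
        pos = end + len(JPEG_EOI)
    return found


def acquisition_report(image, block_size):
    """Hash of the image (taken before any examination) plus both views of it."""
    return {
        "sha256": hashlib.sha256(image).hexdigest(),
        "logical": logical_acquisition(image, block_size),
        "carved": carve_jpegs(image),
    }
```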
A wide range of information can be acquired by forensic tools. It differs from tool to tool
and depends on several factors, such as (Ayers, et al., 2007):
the inherent capabilities of the phone implemented by the manufacturer;
the modifications made to the phone by the service provider;
the network service used by the user;
the modifications made to the phone by the user.
The main function of a forensic tool is to acquire data from the phone's internal memory
and the removable identity module (SIM card). Both forensic and non-forensic tools use the
same protocol to communicate with the device, but non-forensic tools allow two-way
communication with the device, which is not acceptable forensically; forensic tools are
therefore designed to acquire data from the device without changing the phone contents and
to calculate integrity hashes of the acquired data (Jansen, et al., 2007).
Mobile forensic tools are usually categorized by their target: tools targeting the SIM card
exclusively, tools targeting the phone exclusively, and tools targeting both SIM and device
(Jansen, et al., 2007).
4.1 (U)SIM Forensic Tools
Exclusive (U)SIM forensic tools perform a direct read of the SIM card through a (U)SIM
reader. The type of data acquired varies from tool to tool, but most tools can acquire the
following (Jansen, et al., 2007):
International Mobile Subscriber Identity (IMSI)
Integrated Circuit Card ID (ICCID)
Abbreviated Dialling Numbers (ADN)
Last Numbers Dialled (LND)
SMS messages
Location Information (LOCI)
None of the commercial forensic tools available is capable of extracting the real file system
of the SIM card or of discovering the hidden and non-standard files stored in the (U)SIM card
(Savoldi, et al., 2007).
SIMBrush is an open source tool for Windows and Linux, developed for (U)SIM forensic
analysis, that extracts both the standard and the non-standard files from a (U)SIM card. It
uses an imaging technique to produce a primary image of the (U)SIM card, which can then be
used during the investigation instead of the original card (Savoldi, et al., 2007). The
following commands are the operations permitted by the SIM file system through which an
interface device can interact with the card during a communication session. SIMBrush issues
these commands to the (U)SIM card and waits for the response (Savoldi, et al., 2007):
SELECT: selects the file to use and makes the file header available to the interface device.
GET RESPONSE: the interface device uses this command to request the SIM's response to a
previously issued command. There is no command to delete or create files in the file
system, and no single command that lists the SIM file system in the way DIR does in
DOS.
READ BINARY: reads the body of a transparent elementary file.
READ RECORD: reads one record of a linear fixed or cyclic elementary file.
VERIFY, CHANGE, ENABLE, DISABLE and UNBLOCK CHV: management of the CHV1 and
CHV2 authentication codes.
Since no two elementary files can have the same file ID, the SELECT command can be issued
for every file ID from 0000 to FFFF, waiting each time for the SIM to answer either with a
warning that the file is not present in the file system or with the header if it is. This
means that the headers of all files in the file system can be obtained with a single scan of
the ID space using only the SELECT command. In practice the standard defines the concepts of
Current File and Current Directory, which determine whether a given file is selectable at
all. The Current File is the last selected file; the Current Directory is the last selected
DF, or the parent DF of the current file. The current directory determines whether a file is
selectable according to the following rules (Forensics and SIM Cards: an Overview, 2006):
1- The MF is always selectable (MF_SET).
2- The current directory is always selectable (CURRENT_SET).
3- The parent of the current directory is always selectable (PARENT_SET).
4- Any immediate child DF of the parent of the current directory is selectable
(DF_BROTHERS_SET).
5- Any immediate child file of the current directory is selectable (SONS_SET).
Using these rules it is possible to select any elementary file, for example file 6F3C (SMS),
with two SELECT commands: the first selects the parent directory of the elementary file
(DF 7F10) and the second selects the file itself.
From the above rules, the selectable files and directories are given by the following
relationship (Savoldi, et al., 2007):
SELECTABLE_SET = MF_SET ∪ CURRENT_SET ∪ PARENT_SET ∪ DF_BROTHERS_SET ∪ SONS_SET
Because there is a one-to-one relationship between the possible SELECTABLE_SET and the
possible current directory, the entire filesystem of the SIM card can be reconstructed by
finding the part of the set that is not known in advance, the sons of each directory
(Savoldi, et al., 2007):
SONS_SET = SELECTABLE_SET \ (MF_SET ∪ CURRENT_SET ∪ PARENT_SET ∪ DF_BROTHERS_SET)
Applying this relationship at every DF, starting from the MF, reconstructs the entire
filesystem. Only the headers are extractable this way; the body of a file, which is the more
important part, can be extracted only subject to its access conditions. SIMBrush can extract
the bodies of files whose read access condition is ALW (always), and of CHV1/CHV2-protected
files once the correct access code has been provided. Figure 7 illustrates the flowchart of
the SIMBrush procedure (Forensics and SIM Cards: an Overview, 2006).
Figure 7: Flowchart of SIMBrush Procedures
Source: (Forensics and SIM Cards: an Overview, 2006)
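The scan and the set relationship above, as an added example that is not part of this thesis or of SIMBrush itself: a Python model of the SELECT / GET RESPONSE / READ BINARY / VERIFY CHV behaviour that the brute-force approach relies on, run against a constructed card layout (standard GSM 11.11 file IDs plus one invented non-standard EF, 6F99, with placeholder file bodies). The SimCard class, its status-word strings and the file contents are assumptions made for this example; a real acquisition would send the same commands as APDUs through a PC/SC reader.

```python
"""Reconstruct a (U)SIM file tree by brute-forcing SELECT over the 16-bit ID
space and applying the SELECTABLE_SET rules, then read the bodies the access
conditions allow. The card is an in-memory simulation built for this example."""
from dataclasses import dataclass
from typing import Optional

MF = 0x3F00


@dataclass
class SimFile:
    fid: int
    kind: str              # "MF", "DF" or "EF"
    parent: Optional[int]
    access: str = "ALW"    # read access condition: ALW (always) or CHV1 (PIN required)
    body: bytes = b""


# Constructed card layout. File IDs are the GSM 11.11 ones; 6F99 is an invented
# non-standard EF, the kind of file an ID-space scan finds but a standard-only
# tool never asks for. Bodies are placeholders, not real encodings.
FILES = [
    SimFile(MF, "MF", None),
    SimFile(0x2FE2, "EF", MF, "ALW", bytes.fromhex("98440200000000000000")),       # EF_ICCID
    SimFile(0x7F10, "DF", MF),                                                     # DF_TELECOM
    SimFile(0x6F3A, "EF", 0x7F10, "CHV1", b"Alice\xff\xff\xff"),                    # EF_ADN
    SimFile(0x6F3C, "EF", 0x7F10, "CHV1", b"\x01\x07\x91\x44\x77\x00\x00"),        # EF_SMS
    SimFile(0x6F99, "EF", 0x7F10, "ALW", b"operator-private"),                    # non-standard
    SimFile(0x7F20, "DF", MF),                                                     # DF_GSM
    SimFile(0x6F07, "EF", 0x7F20, "CHV1", bytes.fromhex("082943510123456789")),    # EF_IMSI
    SimFile(0x6F7E, "EF", 0x7F20, "CHV1", bytes.fromhex("0000000042f61000ff00")),  # EF_LOCI
]


class SimCard:
    """In-memory card exposing the command semantics the scan relies on. Status
    words follow GSM 11.11: 9F = response available (fetched with GET RESPONSE),
    9404 = file not found, 9804 = access condition not fulfilled."""

    def __init__(self, files, chv1="1234"):
        self.files = {f.fid: f for f in files}
        self.current_dir, self.current_file = MF, MF
        self.chv1, self.chv1_verified = chv1, False
        self._cache = {}

    def selectable_set(self):
        """Rules 1-5: MF_SET | CURRENT_SET | PARENT_SET | DF_BROTHERS_SET | SONS_SET."""
        d = self.current_dir
        if d not in self._cache:
            cur, s = self.files[d], {MF, d}
            if cur.parent is not None:
                s.add(cur.parent)
                s |= {f.fid for f in self.files.values() if f.kind == "DF" and f.parent == cur.parent}
            s |= {f.fid for f in self.files.values() if f.parent == d}
            self._cache[d] = frozenset(s)
        return self._cache[d]

    def select(self, fid):
        """SELECT followed by GET RESPONSE: returns (status word, header or None)."""
        if fid not in self.selectable_set():
            return "9404", None
        f = self.files[fid]
        self.current_file = fid
        self.current_dir = f.parent if f.kind == "EF" else fid
        return "9F", {"fid": fid, "type": f.kind, "access": f.access, "size": len(f.body)}

    def verify_chv1(self, code):
        self.chv1_verified = code == self.chv1
        return "9000" if self.chv1_verified else "9804"

    def read_binary(self):
        f = self.files[self.current_file]
        if f.kind != "EF":
            return "9408", None          # command inconsistent with the current file
        if f.access == "CHV1" and not self.chv1_verified:
            return "9804", None
        return "9000", f.body


def scan_directory(card, df):
    """Enter `df`, then SELECT every ID 0000..FFFF and keep the headers that answer.
    No directory-listing command exists, so this single pass is the only way."""
    if card.select(df)[0] != "9F":
        raise RuntimeError(f"cannot enter {df:04X}")
    headers = {}
    for fid in range(0x10000):
        sw, hdr = card.select(fid)
        if sw == "9F":
            headers[fid] = hdr
            card.select(df)              # a hit on a DF/MF moved us; return so rules 2-5 stay fixed
    return headers


def reconstruct_tree(card):
    """Top-down walk: at each DF, SONS_SET is what was selectable minus the sets
    that are selectable for structural reasons (MF, current, parent, brother DFs)."""
    tree, headers = {}, {}

    def walk(df, parent, brother_dfs):
        found = scan_directory(card, df)
        headers.update(found)
        known = {MF, df} | brother_dfs | ({parent} if parent is not None else set())
        sons = set(found) - known
        tree[df] = sorted(sons)
        child_dfs = {fid for fid in sons if found[fid]["type"] == "DF"}
        for child in sorted(child_dfs):
            walk(child, df, child_dfs)

    walk(MF, None, set())
    return tree, headers


def dump_bodies(card, tree, headers, chv1=None):
    """Read every EF body whose condition is met: ALW always, CHV1 only after a
    correct VERIFY CHV. Each EF is reached by re-selecting its path from the MF."""
    if chv1 is not None:
        card.verify_chv1(chv1)
    parent_of = {child: df for df, sons in tree.items() for child in sons}
    bodies = {}
    for fid, hdr in headers.items():
        if hdr["type"] != "EF":
            continue
        path, d = [], parent_of[fid]
        while d != MF:
            path.append(d)
            d = parent_of[d]
        card.select(MF)
        for d in reversed(path):
            card.select(d)
        card.select(fid)
        sw, body = card.read_binary()
        bodies[fid] = body if sw == "9000" else None
    return bodies


if __name__ == "__main__":
    c = SimCard(FILES)
    t, h = reconstruct_tree(c)
    for d, sons in t.items():
        print(f"{d:04X}: {[f'{s:04X}' for s in sons]}")
    print(dump_bodies(c, t, h, chv1="1234"))
```

The scan costs one SELECT per ID per directory (65536 per DF), which on a real card takes minutes rather than milliseconds; the invented EF 6F99 shows up in DF 7F10 only because the scan never relied on the standard's file list.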
Phone memory should be analysed directly, which is not an easy task, since imaging the
phone contents is more complex. Willassen (2003) suggested two methods for imaging the
phone memory contents:
Removing the memory chip and reading its contents directly.
Hooking onto the phone's motherboard to access the memory chip in place.
Both methods bypass the phone operating system and any security mechanism implemented
to protect access to the phone contents.
devices. However, such tools have some problems from a forensic perspective (Forensics
and the GSM mobile telephone system, 2003):
It is not possible to recover or extract deleted items.
They have read/write access to the phone memory, which can change the memory
contents.
Phone managers use the same protocols as forensic tools to extract data from the phone, but
forensic tools use only the forensically safe commands of those protocols to communicate
with the phone. Phone managers can be used in the same way by placing a filter between
the mobile device and the application that blocks unsafe commands from being propagated
to the phone.
Figure 8 shows a general overview of the possible locations at which such filters can be
implemented (Jansen, et al., 2008).
Nokia PC Suite is a good example of phone management software with protocol filtering; it
can be used to copy the phone book, images and videos from the phone to the computer, as
well as to view the SMS messages on the phone. Nokia PC Suite uses the FBUS protocol to
access phone information such as the phonebook, call logs, messages and calendar. OBEX is
another protocol, carried over FBUS, used to extract media files and ringing tones and to
download installed applications (Jansen, et al., 2008). FBUS is an acknowledged protocol:
the management application sends a request command to the phone and expects an answer,
and the phone replies using the same command identifier after swapping the source and
destination addresses. Every request and response is followed by an acknowledgement frame
confirming receipt of the command (Jansen, et al., 2008). Figure 9 shows that the filter must
also return a receipt acknowledgement for every blocked command; otherwise the phone
manager will keep resending the disallowed frame to the phone and waiting for the
acknowledgement (Jansen, et al., 2008).
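The filter behaviour described above (forward read commands, block everything else, and acknowledge each blocked frame so the manager stops retransmitting), as an added example that is not part of this thesis or of any Nokia or Jansen et al. tool. The framing is a simplified FBUS-style layout assumed for this example (start byte 0x1E, destination, source, message type, two-byte length, payload, sequence byte, padding to even length, two XOR checksum bytes); the message-type codes, the SimPhone and the ForensicFilter are constructed here and are not Nokia's real command assignments.

```python
"""Forensic command filter between a phone manager and the phone, modelled on
an acknowledged request/response protocol. Framing and type codes are
simplified assumptions for this example, not the real FBUS definitions."""

START, ADDR_PHONE, ADDR_PC, TYPE_ACK = 0x1E, 0x00, 0x0C, 0x7F
# Placeholder message-type codes for this example.
READ_PHONEBOOK, READ_SMS, DELETE_SMS, WRITE_PHONEBOOK = 0x03, 0x14, 0x15, 0x04


def checksum(data):
    """Two bytes: XOR of the even-indexed bytes and XOR of the odd-indexed bytes."""
    even = odd = 0
    for i, b in enumerate(data):
        if i % 2 == 0:
            even ^= b
        else:
            odd ^= b
    return bytes([even, odd])


def build_frame(dst, src, mtype, payload, seq):
    body = bytes(payload) + bytes([seq & 0xFF])
    frame = bytes([START, dst, src, mtype, len(body) >> 8, len(body) & 0xFF]) + body
    if len(frame) % 2:
        frame += b"\x00"                    # pad so the checksum covers whole byte pairs
    return frame + checksum(frame)


def parse_frame(frame):
    if len(frame) < 10 or frame[0] != START or checksum(frame[:-2]) != frame[-2:]:
        raise ValueError("malformed frame")
    length = (frame[4] << 8) | frame[5]
    body = frame[6:6 + length]
    return {"dst": frame[1], "src": frame[2], "type": frame[3],
            "payload": body[:-1], "seq": body[-1]}


def is_valid_frame(frame):
    try:
        parse_frame(frame)
        return True
    except ValueError:
        return False


def ack_for(req):
    """The acknowledgement the phone would send: addresses reversed, type ACK,
    payload naming the acknowledged message type and sequence number."""
    return build_frame(req["src"], req["dst"], TYPE_ACK, [req["type"], req["seq"]], req["seq"])


class SimPhone:
    """Constructed phone: acks every request, answers reads from a fixed store and
    records writes so the caller can see whether any reached it."""

    def __init__(self, store):
        self.store, self.writes, self.seq = store, [], 0

    def receive(self, frame):
        req = parse_frame(frame)
        if req["type"] == TYPE_ACK:
            return []
        self.seq += 1
        if req["type"] in self.store:
            answer = self.store[req["type"]]
        else:
            self.writes.append(req)         # a write reached the phone
            answer = b"\x01"
        return [ack_for(req), build_frame(req["src"], req["dst"], req["type"], answer, self.seq)]


class ForensicFilter:
    """Default-deny filter: forwards only allow-listed read types. A blocked frame is
    logged and answered with a synthetic ack so the manager does not retransmit."""

    def __init__(self, phone, allowed, ack_blocked=True):
        self.phone, self.allowed, self.ack_blocked = phone, set(allowed), ack_blocked
        self.blocked = []

    def send(self, frame):
        req = parse_frame(frame)
        if req["type"] == TYPE_ACK or req["type"] in self.allowed:
            return self.phone.receive(frame)
        self.blocked.append(req)
        return [ack_for(req)] if self.ack_blocked else []


def manager_send(channel, frame, max_retries=3):
    """Phone-manager behaviour: resend until the frame is acknowledged.
    Returns (attempts used, parsed non-ack responses)."""
    req = parse_frame(frame)
    for attempt in range(1, max_retries + 1):
        replies = [parse_frame(r) for r in channel.send(frame)]
        if any(r["type"] == TYPE_ACK and r["payload"] == bytes([req["type"], req["seq"]]) for r in replies):
            responses = [r for r in replies if r["type"] != TYPE_ACK]
            for r in responses:
                channel.send(ack_for(r))    # acknowledge the phone's response in turn
            return attempt, responses
    return max_retries, []


def demo():
    phone = SimPhone({READ_PHONEBOOK: b"Alice;+441234567890", READ_SMS: b"Hello"})
    filt = ForensicFilter(phone, allowed={READ_PHONEBOOK, READ_SMS})
    a1, r1 = manager_send(filt, build_frame(ADDR_PHONE, ADDR_PC, READ_PHONEBOOK, [0x00], 1))
    a2, r2 = manager_send(filt, build_frame(ADDR_PHONE, ADDR_PC, DELETE_SMS, [0x05], 2))
    # The same blocked frame through a filter that silently drops it: the manager retries.
    silent = ForensicFilter(SimPhone({}), allowed=set(), ack_blocked=False)
    a3, _ = manager_send(silent, build_frame(ADDR_PHONE, ADDR_PC, DELETE_SMS, [0x05], 3))
    return {"read_attempts": a1, "phonebook": r1[0]["payload"], "blocked_attempts": a2,
            "blocked_responses": len(r2), "writes_reached_phone": len(phone.writes),
            "blocked_logged": len(filt.blocked), "silent_drop_attempts": a3}


if __name__ == "__main__":
    print(demo())
```

The allow-list is deliberately positive (read types only): a block-list of known write commands would let an undocumented or vendor-specific write type slip through, which is the same reason the text treats undocumented flasher boxes as unsafe.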
4.2.2 AT Commands
AT commands, also known as Hayes commands, were designed by Hayes Microcomputer
Products in 1981 for controlling modems from a computer. AT commands can be used to
extract information from the phone's internal memory through the phone's operating
system. Deleted information or files cannot be recovered with AT commands, because they
can only return information that the operating system itself recognises (Willassen).
AT commands can be used to extract the following information from a mobile phone:
Phone brand, manufacturer and software version
Phone IMEI number
SIM card IMSI
Phonebook
Call logs
SMS messages
Figure 10: JTAG Interface in Nokia 3310 Phone
Source: google images
4.2.4 Flasher Boxes
Flasher boxes, or flashers, are service devices used by service providers and mobile phone
shops to recover data from defective phones (Al-Zarouni, 2007). Flashers can be used to
update or replace the mobile phone operating system, remove the service provider settings
and remove the service provider locks. They can also be used illegally to change the IMEI
number of a device.
Flashers give the user access to the phone's internal memory without installing any
software on the phone, which would make them a good forensic tool. But because flashers
are usually undocumented, there is no guarantee that they provide consistent results or
even good preservation (Al-Zarouni, 2007). These devices are neither approved by the mobile
manufacturers nor validated for forensic investigation, so investigators should be very
careful about using them in mobile forensic examinations (Al-Zarouni, 2007).
Flashers perform read and write operations on the phone's internal memory and do not
provide a write-blocking mechanism, so they can change the phone contents or overwrite
the evidence.
Chapter 5: Mobile Forensic Challenges
Switching off the phone may lead to the loss of data stored in Random Access Memory
(RAM). Moreover, in some phones switching off the device causes the loss of some data
stored on the SIM card, such as the call history (Wolleschensky, 2007).
On the other hand, if the phone is left on there is a chance that the criminal tampers with
the evidence. Some phones, e.g. the RIM BlackBerry, can execute a remote wipe command;
this feature allows phone owners to securely wipe the data stored on their phones if the
phone is stolen. Criminals can use the same function to wipe the data on the suspect phone
and destroy the evidence. Third-party tools such as LockMe and OmiProtect enable remote
locking of the phone on receipt of a specially formatted SMS.
Evidence on some phones can be overwritten by new data, for example on phones that
store only a fixed number of items such as SMS messages or call history entries. Criminals
could exploit this limitation by sending meaningless SMS messages or placing calls from
random phone numbers to overwrite the stored data and destroy the evidence
(Wolleschensky, 2007).
Another option is to keep the phone switched on but disconnected from the network. This
can be done either by navigating the phone menu and disabling all network connections or
by activating flight mode, which requires the investigator to stay up to date with all new
phone models, and that is not an easy task (Jansen, et al., 2007). A further option is to use
a Faraday bag to isolate the phone from the network. In that case the phone will keep
searching for a network, which increases power consumption and shortens battery life.
The second challenge that may arise at this stage is the phone being in a compromised
condition, such as having been immersed in a liquid. In that case the battery should be
removed to protect the phone from electrical shorting, and the phone itself should be
stored in a container filled with the same liquid and transported to the examination lab.
Some liquids, such as contaminated blood or explosive liquids, can be dangerous for the
investigator to handle and require specialist advice (Jansen, et al., 2007).
Maintaining the phone's connectivity and power is another challenge for investigators
during the acquisition stage. As mentioned before, if the mobile phone was on it should be
kept charged during the investigation process. Different phone models from different
manufacturers require different chargers, so the investigator should have most of the
cables available at the crime scene and during the acquisition process (Wolleschensky,
2007).
Connecting the phone to the PC for forensic examination is a bigger problem, since there is
no standard interface, especially for older phones. This requires the investigator to hold a
large collection of cables (Wolleschensky, 2007). Some forensic software packages provide
cable kits for the most common phones, but for a rare phone the investigator has to buy the
cable separately if it is not included.
The next challenge is the selection of the forensic tool. Many forensic tools are available,
both software and hardware. Every tool has advantages and disadvantages depending on the
phones and operating systems it supports. The investigator has to be very careful before
trying any tool on the phone in order not to destroy the evidence, and can draw on previous
experience to find the proper tool for a specific phone.
It is always recommended that the investigator tests the tool on a similar phone before
applying it to the target device. It is also recommended not to rely on a single tool, so that
the investigator can prove to the court that the same results were obtained with different
tools (Wolleschensky, 2007).
these claims are not accurate, since these forensic tools depend on the manufacturer's
proprietary operating system to access the phone data.
Mobile phones have two processes that can directly affect the integrity of the forensic
results. The first is the internal clock, which continuously changes data in memory
(Wolleschensky, 2007). The second is called wear levelling, the process that maximises the
lifetime of the flash memory in mobile phones: since flash memory can be erased and
written only a certain number of times, wear levelling makes sure that all parts of the
memory are used evenly and keeps the lifetime of the memory as long as possible
(Wolleschensky, 2007). Investigators should be able to prove the repeatability of their
results to the court, and the usual way to do so is a checksum; but both the internal clock
and wear levelling make a checksum over the whole phone memory meaningless, because
two acquisitions of the same phone will never be bit-for-bit identical. Since investigators
cannot use the checksum to prove repeatability, all steps of the forensic examination
should be documented so that the opposing party can verify the results.
During the acquisition process the phone memory and operating system must remain
active, which makes it impossible to avoid changes to the internal memory. Even very minor
changes may affect the integrity of the evidence; for example, the status of an SMS message
can change from unread to read simply because it was read out.
5.3 Anti-Forensics
Anti-forensics is an immature field within digital forensics, especially where mobile phones
are concerned. Anti-forensics can be defined as "any attempts to compromise the
availability or usefulness of evidence in the forensic process" (Android anti-forensics
through a local paradigm, 2010). The availability of evidence can be compromised by
preventing its creation, manipulating it or hiding it, while its usefulness can be
compromised by tampering with its integrity or deleting it altogether (Android anti-forensics
through a local paradigm, 2010).
Direct access to the phone's internal memory is one of the main problems in mobile
forensics. While removable memory can be taken out and analysed directly, the internal
memory cannot, which makes the phone's internal memory an ideal candidate for
anti-forensic techniques.
Hiding the evidence: used to hide the evidence from the forensic investigator rather
than from the forensic tool, by decreasing the visibility of the evidence or sometimes
making it completely invisible. The efficacy of this technique depends strongly on the
limitations of the investigator and/or the tool. As with the previous category, the
presence of these tools will itself generate new evidence.
Eliminating the source of evidence: this technique prevents evidence from being created
rather than hiding or destroying it.
Counterfeiting the evidence: in order to mislead the investigator, this technique creates
fake evidence designed to produce wrong information.
Chapter 6: iPhone Forensics
6.1 Introduction
The iPhone was introduced by Apple in January 2007 (Hoog, et al., 2009) as a multimedia
and internet-enabled smartphone with a large memory capacity. Because of its powerful
design, the advanced technology used and the large number of applications available, the
iPhone has become very widely used. People usually use the iPhone as a primary device for
communication and for storing data in many forms; however, permanently deleting data
from the iPhone is extremely difficult (Zdziarski, 2008).
The iPhone has a very active hacking community putting a lot of effort into unlocking the
device and into developing and installing third-party software by jailbreaking the phone or
modifying the phone's filesystem.
Table 2 shows the internal hardware components of the iPhone as published by Andrew
Hoog in his guide "iPhone Forensics" (Hoog, et al., 2009).
Function | Manufacturer | Model/Part Number
Application processor (CPU) | Samsung | S5L8900B01, 412 MHz ARM1176Z(F)-S RISC, 128 MB of stacked package-on-package DDR SDRAM
3D graphics acceleration | Imagination Technologies | PowerVR MBX Lite
UMTS power amplifier (PA), duplexer and transmit filter module with output power detector | TriQuint | TQM676031 (Band 1, HSUPA); TQM666032 (Band 2, HSUPA); TQM616035 (Band 5/6, WCDMA/HSUPA PA-duplexer)
UMTS transceiver | Infineon | PMB 6272 GSM/EDGE and WCDMA; PMB 5701
Baseband processor | Infineon | X-Gold 608 (PMB 8878)
Baseband support memory | Numonyx | PF38F3050M0Y0CE, 16 MB of NOR flash and 8 MB of pseudo-SRAM
GSM/EDGE quad-band amplifier | Skyworks | SKY77340 (824 to 915 MHz)
GPS, Wi-Fi and BT antenna | NXP | OM3805, a variant of PCF50635/33
Communications power management | Infineon | SMARTi Power 3i (SMP3i)
System-level power management | NXP | PCF50633
Battery charger/USB controller | Linear Technology | LTC4088-2
GPS | Infineon | PMB2525 Hammerhead II
NAND flash | Toshiba | TH58G6D1DTG80 (8 GB NAND flash)
Serial flash chip | SST | SST25VF080B (1 MB)
Accelerometer | STMicroelectronics | LIS331DL
Wi-Fi | Marvell | 88W8686
Bluetooth | CSR | BlueCore6-ROM
Audio codec | Wolfson | WM6180C
Touch screen controller | Broadcom | BCM5974
Link display interface | National Semiconductor | LM2512AA Mobile Pixel Link
Touch screen line driver | Texas Instruments | CD3239
Table 2: iPhone Hardware Components (Hoog, et al., 2009)
6.2.1 Processor
The iPhone processor is based on the ARM11 core. The CPU is a 667 MHz processor,
underclocked to 412 MHz to save battery power (Shimpi, 2009).
6.2.3 Operating System
The iPhone runs a mobile build of Mac OS X (Leopard, 10.5), which is very similar to the
desktop version of Mac OS X apart from some differences in the kernel. The iPhone uses a
signed kernel to prevent tampering with the phone's operating system (Zdziarski, 2008).
Applications installed on the iPhone run in a sandboxed environment, so an application
cannot access the data stored by another application.
Figure 12 illustrates the design of the iPhone operating system
(mobileforensics.wordpress.com, 2008).
During jailbreaking, AFC is used to load into the iPhone's memory a small area of RAM that
acts as a disk drive (a RAM disk). This RAM disk contains the jailbreak payload; when the
phone boots, the payload is copied to the filesystem, and once the phone reboots the
payload is executed (mobileforensics.wordpress.com, 2008).
6.4 Testing Conditions
For the forensic analysis in this chapter I am using an iPhone 3GS 32 GB with firmware iOS
4.0.1. The iPhone is jailbroken using "JailbreakMe" [1] and was used for one month,
including emails, phone calls, SMS, internet sur﻿fing, taking photos and the installation of
many applications. This iPhone is synced with iTunes version 9.2.1.4. I used a laptop with
Windows 7 Enterprise Edition during this testing.
As a case study for mobile forensics, I am going to simulate the data acquisition process
from the above-mentioned iPhone 3GS using two different methodologies. I am using a trial
version of the forensic tool, which has some limitations either in reporting or in the
quantity of the extracted information.
For analysis and reporting I am using the same approach used by Andrew Hoog in his paper
"iPhone Forensics" (Hoog, et al., 2009): the acquired data is compared against the data
expected to be on the phone.
Hoog used a ranking mechanism to determine the accuracy of the tool by assigning a
quantitative score to every item of expected data, as shown in Table 3.
Hoog's ranking runs from 0 to 5, as follows:
(0) The tool failed to recover the data
(1, 2) The recovered data is less than the expected data
(3) The recovered data meets the expectation
(4, 5) The recovered data exceeds the expected data
Expected Data
Data | Description
Call logs | 43 calls
Phonebook | 385 PC contacts + 584 Exchange contacts
Favourite contacts | 7 contacts
SMS | 18 messages, 3 deleted
Emails | Hundreds of emails in 3 accounts
Calendar | 92 events
Images | 5 + 2 deleted
Melodies | 24 ringtones
Web history | Yes
Videos | No
Wireless networks | 2 stored wireless networks
Applications | 30
Notes | 0
Passwords | Yes
Phone information | Yes
Other files | Yes
Table 3: Expected Data
[1] www.jailbreakme.com, http://jailbreakme.com/faq.html
6.5 Oxygen Forensic Suite 2010
o Paired Wi-Fi network settings
o Wi-Fi and Bluetooth addresses
Supported devices: iPhone, iPhone 3G, iPhone 3GS, iPod Touch.
Figure 14: Oxygen Connection Selection
I selected the Connect via Cable option, then connected the iPhone to the PC.
Figure 15: Oxygen Connect Phone via Cable
Figure 16: Oxygen Phone Detected
The connection wizard found the connected iPhone and displayed the correct device IMEI.
Figure 17: Oxygen Data Extraction Wizard
This is the first screen of the data extraction wizard. The wizard goes through a few steps
before starting the extraction process:
- Device identification
- Selection of the types of data to be extracted
- Extraction customisation, if required
- Extraction settings confirmation
Figure 18: Oxygen Device Identification
This screen allows the examiner to add information about the device, the case and the
examiner, and to select the hash algorithm used for the extracted data.
Figure 19: Oxygen Device Owner Number
This screen allows the examiner to add the owner's phone number, which can be helpful in
the later data analysis; up to four phone numbers can be entered.
Figure 20: Oxygen Data Type Selection
This screen is used to select the data of interest. For testing purposes I selected all data.
The next screen confirms the extraction settings.
Figure 22: Oxygen Data Extraction Process
The wizard reads all the selected data sections. The next screen shows an extraction
summary and asks whether the examiner wants to open the report or customise the report
data before exporting it.
6.5.4 Results and Reporting
Once the acquisition process is over, the results can be displayed through the application
interface or exported to a report.
Figure 26: Oxygen Calendar
Recovered calendar data
Figure 28: Oxygen Images
Recovered Images
Figure 30: Oxygen Documents
Recovered documents, including txt, html, pdf and other document files.
Figure 32: Oxygen Database
Recovered databases, such as SQLite databases and .db files. I will explain how to recover
these databases in the next test.
6.5.5 Test Summary
Data | Original stored data | Recovered by Oxygen | Ranking
Call logs | 43 calls | No | 0
Phonebook | 385 PC contacts + 584 Exchange contacts | 963 | 3
Favourite contacts | 7 contacts | 7 | 3
SMS | 18 messages, 3 deleted | 15 | 2
Emails | Hundreds of emails in 3 accounts | No | 0
Calendar | 92 events | 87 (85 all-day events + 2 appointments) | 3
Images | 5 + 2 deleted | 5741 | 5
Melodies | 24 ringtones | 24 | 3
Web history | Yes | Yes | 3
Videos | No | No | 3
Wireless networks | 3 stored wireless networks | 3, with details including SSID, BSSID, RSSI, channel, last joined time and last auto-joined time | 3
Applications | 30 | 0 | 0
Notes | 0 | 0 | 3
Passwords | Yes | No | 0
Phone information | Yes | Yes | 3
Other files | Yes | Yes | 3
Table 4: Oxygen Tool – Test Summary
6.5.6 Conclusion
Oxygen is a fast forensic solution that performs logical data acquisition. It is able to
recover most of the expected data. But since I am using a trial version, which has some
limitations, I can't assign a proper ranking to the acquisition process. I can, however, note
that the tool cannot recover any of the deleted data.
6.6 Zdziarski Technique
Jonathan Zdziarski is an active member of the iPhone development community, where he is
known as "Nerve Gas". He is also a research scientist in machine learning technologies to
combat online fraud and spam. Zdziarski has published several books on iPhone applications
and forensics (www.zdziarski.com), (www.oreillynet.com/pub/au/1861).
6.6.1 Overview
The Zdziarski technique is the only method that performs a bit-by-bit copy of the iPhone's
internal disk, and it uses cryptographic hashes to prove that the acquired image and the
original are identical.
This method requires some modifications to the system partition, but, as mentioned before,
since this partition is completely isolated from the media partition, the modification does
not affect the user's stored data.
The Zdziarski technique is based on building a custom RAM disk and restoring it to the
iPhone instead of the default phone filesystem. Once the phone is rebooted, the RAM disk
executes and installs the recovery payload on the filesystem; the payload contains some
traditional UNIX tools, such as SSH and dd, for disk imaging.
Once the recovery payload is installed, the examiner can establish an SSH session to the
iPhone and perform a bit-by-bit copy of the user's media partition (Zdziarski, 2008).
Zdziarski's book iPhone Forensics discusses the forensic examination of iPhones with
firmware v1.1.4 and v2.x. He used the "iLiberty+" and "PwnageTool" tools to install the
recovery payload on the filesystem. Since these tools are not available for the iPhone 3GS
with version 4.0.1, I will use a different tool to perform this test.
6.6.2 Installation
[2] http://www.appleiphoneschool.com/what-is-cydia/
Figure 34: JailbreakMe Home Screen
Figure 35: Cydia Home Screen
An SSH server/client should be installed on the desktop used for the forensic examination.
I used "Cygwin OpenSSH" for Windows, which can be downloaded from
http://chinese-watercolor.com/LRP/printsrv/cygwin-sshd.html.
6- When prompted for the root@192.168.0.10 password, enter the SSH server password.
7- The image is created at the specified location and grows as the copy proceeds. It took
around 10 hours to finish copying the 32 GB iPhone.
6.6.4 Results and Reporting
Once the image has been created, many forensic tools can be used to analyse the acquired
data. The iPhone uses the HFSX filesystem, which is not recognised by most forensic tools.
Zdziarski changes the volume identifier inside the image from HX to H+ at offset 0x400,
after which any forensic tool that understands HFS+ can recognise the image (Zdziarski,
2008). I chose not to change the identifier but to use the data recovery software
"PhotoRec" [3], which is designed to recover lost files from hard disks but understands the
HFSX format and can recover the data directly.
Another way to read the acquired dd image is to mount it using a mounting tool that lets
Windows recognise the HFSX filesystem. Zdziarski mentions a useful tool for Windows users
called "HFSExplorer" [4], which can extract files from an HFSX image and browse its folders
and files manually (Zdziarski, 2008). I used this tool to navigate through the image and
export some interesting files and databases, which I later opened with an SQLite browsing
tool such as SQLiteBrowser [5].
Once PhotoRec's image recovery is finished, the recovered data can be explored through
Windows Explorer by searching for specific file extensions.
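Recording the acquisition hash and relabelling the volume signature, as an added example that is not this thesis author's procedure or Zdziarski's tooling: it builds a constructed image with a synthetic HFSX volume header at offset 0x400, hashes it as acquired, then makes a working copy in which only the two-byte signature is rewritten from HX to H+ and proves that the original image is untouched. The header field layout is the standard HFS+ volume header; the image contents, file names and the demo function are assumptions made for this example.

```python
"""Integrity record and HFSX-to-HFS+ relabelling of an acquired dd image,
done on a working copy so the original acquisition keeps its recorded hash."""
import hashlib
import os
import struct
import tempfile

HEADER_OFFSET = 0x400              # HFS+/HFSX volume header: 1024 bytes into the volume
SIG_HFSX, SIG_HFSPLUS = b"HX", b"H+"
# Leading fields of the volume header (big-endian): signature, version, attributes,
# lastMountedVersion, journalInfoBlock, four dates, fileCount, folderCount,
# blockSize, totalBlocks.
HEADER_FMT = ">2sH11I"


def sha256_file(path, chunk=1 << 20):
    """Stream the file through SHA-256; the value goes straight into the case notes."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def read_volume_header(path):
    with open(path, "rb") as f:
        f.seek(HEADER_OFFSET)
        fields = struct.unpack(HEADER_FMT, f.read(struct.calcsize(HEADER_FMT)))
    return {"signature": fields[0], "version": fields[1],
            "block_size": fields[11], "total_blocks": fields[12]}


def differing_offsets(a, b, chunk=1 << 20):
    """Byte offsets at which two files differ (a length mismatch counts as one)."""
    diffs, pos = [], 0
    with open(a, "rb") as fa, open(b, "rb") as fb:
        while True:
            x, y = fa.read(chunk), fb.read(chunk)
            if not x and not y:
                return diffs
            diffs += [pos + i for i, (p, q) in enumerate(zip(x, y)) if p != q]
            if len(x) != len(y):
                return diffs + [pos + min(len(x), len(y))]
            pos += len(x)


def relabel_copy(src, dst):
    """Copy src to dst and rewrite the signature HX -> H+ in the copy only.
    Refuses anything that is not an HFSX volume. Returns the offsets that changed."""
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for block in iter(lambda: fin.read(1 << 20), b""):
            fout.write(block)
    hdr = read_volume_header(dst)
    if hdr["signature"] != SIG_HFSX:
        raise ValueError(f"not an HFSX volume: signature {hdr['signature']!r}")
    with open(dst, "r+b") as f:
        f.seek(HEADER_OFFSET)
        f.write(SIG_HFSPLUS)               # version byte and everything else left alone
    return differing_offsets(src, dst)


def build_test_image(path, blocks=16, block_size=4096):
    """Constructed image: zeros with a synthetic HFSX header (signature HX,
    version 5) at 0x400. Not a mountable filesystem, just enough for the check."""
    hdr = struct.pack(HEADER_FMT, SIG_HFSX, 5, 0, 0, 0, 0, 0, 0, 0, 3, 1, block_size, blocks)
    data = bytearray(blocks * block_size)
    data[HEADER_OFFSET:HEADER_OFFSET + len(hdr)] = hdr
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Acquire (simulated), record the hash, relabel a copy, re-verify the original."""
    with tempfile.TemporaryDirectory() as d:
        src, dst = os.path.join(d, "rdisk0s2.dd"), os.path.join(d, "work.dd")
        build_test_image(src)
        acquired_hash = sha256_file(src)       # recorded immediately after acquisition
        changed = relabel_copy(src, dst)
        return {"acquired_hash": acquired_hash,
                "original_unchanged": sha256_file(src) == acquired_hash,
                "changed_offsets": changed,
                "copy_signature": read_volume_header(dst)["signature"],
                "copy_hash_differs": sha256_file(dst) != acquired_hash,
                "header": read_volume_header(src)}


if __name__ == "__main__":
    print(demo())
```

Only the second signature byte changes (H is common to both), so the copy's hash differs from the acquisition hash at exactly one known offset; that is the fact to document alongside both hashes when the relabelled copy, rather than the original, is what a tool analysed.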
[3] http://www.cgsecurity.org/wiki/PhotoRec
[4] http://hem.bredband.net/catacombae/hfsx.html
[5] http://sqlitebrowser.sourceforge.net
Figure 39: images recovered by PhotoRec
Many screenshots can be found among the recovered images, since the iPhone takes a
screenshot of the current screen every time the home button is pressed.
Figure 41: Image browsing through HFSExplorer
Interesting databases and files can be found in different places. These are the locations of
the most interesting files:
Data | Location
Phonebook | /mobile/Library/AddressBook/AddressBook.sqlitedb
Phonebook images | /mobile/Library/AddressBook/AddressBookImages.sqlitedb
Calendar | /mobile/Library/Calendar/Calendar.sqlitedb
Call logs | /wireless/Library/CallHistory/call_history.db
Emails | /mobile/Library/Mail/Envelope Index
Email attachments | /mobile/Library/Mail/Attachments/
Keyboard cache | /mobile/Library/Keyboard/dynamic-text.dat
Cookies | /mobile/Library/Cookies/Cookies.plist
SMS | /mobile/Library/SMS/sms.db
Notes | /mobile/Library/Notes/notes.sqlite
Phone preferences | /mobile/Library/Preferences/
Safari history | /mobile/Library/Safari/History.plist
Ringtones | /stash/Ringtones
Table 5: Locations of the important data in the iPhone filesystem
Since most of the important data is stored in SQLite databases, SQLite Database Browser
can be used to open them, and custom queries can be written to bring all the related
records together.
Figure 44: Call history database as displayed in SQLite browser
6.6.6 Conclusion
Since this technique takes a bit-by-bit copy of the internal disk storage, it should be the
most accurate technique for iPhone forensics. But there are question marks over some
issues, such as how it is performed, the difficulty of the analysis and the way the data is
acquired (Hoog, et al., 2009). From a legal point of view, this method violates the ACPO
principles and Apple's copyrights (mobileforensics.wordpress.com, 2008).
Conclusion
With the continued enhancements in the mobile phone industry, mobile forensics has become
a growing subject area within computer forensics, with many challenges facing forensic
specialists. As discussed in this project, the most challenging problems for mobile forensics
are the ability to cover all newly available phones and to ensure the integrity of the
acquired evidence. In my opinion, solving these problems requires some form of cooperation
between forensic tool manufacturers and mobile phone manufacturers to standardise the
communication process between mobile phones and forensic tools, as well as to resolve
security issues such as authentication and encryption. In that case, forensic tools should be
available to law enforcement agencies only, to avoid any misuse of the tools.
A standard model for investigation procedures should exist in order to ensure the reliability
of investigations. This again depends on standardisation across the mobile phone and
forensic tool industries.
Currently available forensic tools provide adequate functionality; however, more research
is needed to develop new tools and methodologies or to improve the available tools. The
rapid growth of the mobile phone industry demands rapid development of mobile forensic
tools to meet investigation requirements, cover new devices and ensure evidence integrity.
The iPhone is one of the most challenging devices for forensic tool manufacturers, since
Apple keeps improving the security of the device through regular firmware updates and new
software and hardware releases. Consequently, the job of forensic tool manufacturers is
becoming more difficult, as there is no stable common state on which to build their tools.
Research by the hacking communities could in some cases be useful to forensic
investigators, but it should go through proper legal channels. At the same time, these
iPhone hacking communities are a big challenge to forensic investigators and forensic tool
manufacturers.
BIBLIOGRAPHY
ACPO (2003). Good Practice Guide for Computer-Based Electronic Evidence, official release
version 4.0. Online: http://www.7safe.com/electronic_evidence/ACPO_guidelines_computer_evidence.pdf
[cited 1 August 2010].
Al-Zarouni, M. (2007). Introduction to Mobile Phone Flasher Devices and Considerations for
their Use in Mobile Phone Forensics. School of Computer and Information Science, Edith
Cowan University. Online:
http://scissec.scis.ecu.edu.au/proceedings/2007/forensics/15_Al-Zarouni%20-%20Introduction%20to%20Mobile%20Phone%20Flasher%20Devices%20and%20Considerations%20for%20their%20Use%20in%20Mobile%20Phone%20Forensics.pdf
[accessed 13 June 2010].
Distefano, A., Me, G. and Pace, F. (2010). Android anti-forensics through a local paradigm.
Digital Investigation, Vol. 7, S83-S94, Elsevier, Rome. Online:
http://www.dfrws.org/2010/proceedings/2010-310.pdf [accessed 20 August 2010].
Ayers, R. et al. (2007). Cell Phone Forensic Tools: An Overview and Analysis Update. NISTIR
7387, National Institute of Standards and Technology, Gaithersburg. Online:
http://csrc.nist.gov/publications/nistir/nistir-7387.pdf [accessed 15 July 2010].
BABT. IMEI Number Structure. British Approvals Board for Telecommunications. Online:
http://www.babt.com/babt/en/services/imei_number_allocation/number_structure
[cited 28 July 2010].
Bryan, S. (2009). Mobile Forensics Behind Bars. Office of Security Technology, Federal
Bureau of Prisons, Washington, D.C. Online:
http://files.sans.org/summit/forensics09/PDFs/0625%20Mobile%20Forensics%20power%20point(Sterling)Arial%20final%20short.pdf
[accessed 16 July 2010].
Casadei, F., Savoldi, A. and Gubian, P. (2006). Forensics and SIM Cards: an Overview.
International Journal of Digital Evidence, Vol. 5, No. 1.
Willassen, S. Y. (2003). Forensics and the GSM mobile telephone system. International
Journal of Digital Evidence, Vol. 2, No. 1. Online:
http://www.utica.edu/academic/institutes/ecii/publications/articles/A0658858-BFF6-C537-7CF86A78D6DE746D.pdf
[accessed 20 July 2010].
GSM Security (2009). What is IMEI? Network System Architects Inc. Online:
http://www.gsm-security.net/faq/imei-international-mobile-equipment-identity-gsm.shtml
[cited 28 July 2010].
61
Hoog, Andrew and Gaffaney, Kyle. 2009. iPhone Forensics. viaForensics.com. s.l. : Andrew
Hoog, 2009. Online Access on 15th July from http://viaforensics.com/wpinstall/wp-
content/uploads/2009/03/iPhone-Forensics-2009.pdf.
International Telecommunication Union. 2009. Measuring the information Society. The ICT
Development Index. Geneva : International Telecommunication Union, 2009. Online Access
on 1st July 2010 from http://www.itu.int/ITU-
D/ict/publications/idi/2009/material/IDI2009_w5.pdf. ISBN 92-61-12831-9.
ITU Telecom World 2009. 2009. THE WORLD IN 2009: ICT FACTS AND FIGURES. Geneva :
International Telecommunication Union, 2009. Online Access on 1st July 2010 from
http://www.itu.int/ITU-D/ict/material/Telecom09_flyer.pdf.
ITU World Telecommunication. ICT Indicators database. Global mobile cellular subscriptions,
total and per 100 inhabitants 2000-2009. [Online] [Cited: July 15, 2010.]
http://www.itu.int/ITU-D/ict/statistics/material/graphs/Global_mobile_cellular_00-09.jpg.
Jansen, Wayne and Ayers, Rick. 2007. Guidelines on Cell Phone Forensics:
Recommendations of the National Institute of Standards and Technology. Gaithersburg,
MD : National Institute of Standards and Technology, 2007. Online Access on 20 July 2010
from http://csrc.nist.gov/publications/nistpubs/800-101/SP800-101.pdf. NIST Special
Publication 800-101.
Jansen, Wayne and Delaitre, Aurelien. 2009. Mobile Forensic Referance Materials: A
Methodology and Reification. Gaithersburg, MD : National Institute of Standards and
Technology, 2009. Online Access on 1st May 2010 from
http://www.nist.gov/customcf/get_pdf.cfm?pub_id=903402. NISTR 7617.
Jansen, Wayne, Delaitre, Aurelien and Moenner, Ludovic. 2008. Overcoming Impediments
to Cell Phone Forensics. NIST. Gaithersburg : s.n., 2008. Online Access from
http://csrc.nist.gov/groups/SNS/mobile_security/documents/mobile_forensics/Impediment
s-formatted-final-post.pdf on 1 August 2010.
Marwan, Al Zarouni. 2006. Mobile Handset Forensic Evidence: a challenge for Law
Enforcement. School of Computer and Information Science. s.l. : Edith Cowan University,
2006. Online Access on 30 July 2010 from
http://scissec.scis.ecu.edu.au/confs/proceedings/2006/forensics/Al-Zarouni%20-
%20Mobile%20Handset%20Forensic%20Evidence%20-
%20a%20challenge%20for%20Law%20Enforcement.pdf.
62
Michael, Harrington. 2007. General Characteristics of the Subscriber Identity Module File
System. mobileforensics.wordpress.com. [Online] Feb 24, 2007. [Cited: July 23, 2010.]
http://mobileforensics.files.wordpress.com/2007/02/sim-file-system.pdf.
Mock, Dave . 2002. Wireless Advances the Criminal Enterprise. [Online] Jun 28, 2002. [Cited:
July 1, 2010.]
http://thefeaturearchives.com/topic/Technology/Wireless_Advances_the_Criminal_Enterpr
ise.html.
Netherlands Forensic Institute. 2006. Workflow for Mobile Phone Forensic Examinations .
Flow Chart Forensic Mobile Phone Examination. [Online] May 4, 2006. [Cited: May 2, 2010.]
http://www.holmes.nl/MPF/FlowChartForensicMobilePhoneExamination.htm.
Nokia Networks Oy. 2002. GSM Architecture. TC Finland : Nokia, Jan 2002. Online access on
22 July 2010 from http://www.roggeweck.net/uploads/media/Student_-
_GSM_Architecture.pdf.
Ramabhadran, Anup. 2007. Forensic Investigation Process Model For Windows Mobile
Devices. Security Group. s.l. : Tata Elxis, 2007. Paper. Online Access on 5 July 2010 from
http://www.forensicfocus.com/downloads/windows-mobile-forensic-process-model.pdf.
Savoldi, Antonio and Gubian, Paolo. 2007. SIM and USIM Filesystem: a Forensics
Perspective. Brescia, Italy : University of Brescia Department of Electronics for Automation,
2007. Online Access on 23 July 2010 from
http://pds3.egloos.com/pds/200705/25/00/sim_and_usim_filesystem_a_forensics_perspec
tive.pdf.
Scientific Working Group on Digital Evidence. 2007. SWGDE and SWGIT Digital &
Multimedia Evidence Glossary. s.l. : Scientific Working Group on Digital Evidence, 2007.
Online Access on 30 July 2010 from
http://www.swgde.org/documents/swgde2008/SWGDE_SWGITGlossaryV2.2.pdf.
Shimpi, Anand Lal. 2009. The iPhone 3GS Hardware Exposed & Analyzed. AnandTech.
[Online] October 6, 2009. [Cited: August 22, 2010.] http://www.anandtech.com/show/2782.
63
Stepanov, Max. GSM Security Overview (Part 2). The Rachel and Selim Benin School of
Computer Science and Engineering. [Online] [Cited: July 23, 2010.]
www.cs.huji.ac.il/~sans/students_lectures/GSM%20Security.ppt.
TR, 3GPP. 2009. 3rd Generation Partnership Project; Technical Specification Group Core
Network and Terminals; SIM/USIM internal and external interworking aspects. s.l. : 3GPP TR,
2009. Online Access on 23 July 2010 from
http://www.3gpp.org/ftp/specs/archive/31_series/31.900/31900-800.zip.
Wayne, Jansen A. and Delaitre, Aurelien. 2007. Reference Material For Assessing Forensic
SIM Tools. Gaithersburg, MD : National Institute of Standards and Technology, 2007. ICCST
2007-74.
Wayne, Jansen and Ayers, Rick. An Overview and Analysis of PDA Forensic Tools. s.l. :
National Institute of Standards and Technology. Online Access on 1 May 2010 from
http://csrc.nist.gov/groups/SNS/mobile_security/documents/mobile_forensics/ForensicArti
cle-DI-fin.pdf.
Willassen, Svein. Forensic analysis of mobile phone internal memory. s.l. : Norwegian
University of Science and Technology. Online Access from
http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.101.6742&rep=rep1&type=pdf
on 23 July 2010.
Willassen, Svein Y. 2003. Evidence in Mobile Phone Systems. 2003. Online Access from
http://web.archive.org/web/20041126135046/http://www.mobileforensics.com on 1st
August 2010.
Wolleschensky, Lars. 2007. Cell Phone Forensics. s.l. : Ruhr-Universit•at Bochum, 2007.
Online Access from
http://www.crypto.rub.de/imperia/md/content/seminare/itsss07/cell_phone_forensics.pdf
on 1 August 2010.
64
Appendix
Email Communications
Hello Ahmed:
All of our products have a free trial downloadable demo. I have provided the link for you to download the
demo along with some product information on Device Seizure. I hope this information helps. Please let me
know if I can be of further assistance.
Shannon Moore
Director of Sales
Paraben Corporation
This message is confidential and intended only for the individual named. If you are not that individual, do not disseminate, distribute or copy this e-
mail. If you feel you have received this message in error, please contact the sender immediately and delete this message. Information transmitted by
e-mail is not secure and may be intercepted by a third party. There is no intent on the part of the sender to waive any privilege that may attach to
this communication. Thank you for your cooperation.
From: Mike Dickinson [mailto:xxxx@msab.com]
Sent: 18 February 2010 11:23 AM
To: Ahmed M. Said
Subject: RE: XRY/XACT
Ahmed,
You are welcome. Please find enclosed a copy of the presentation to assist you with your project
work in the future.
Kind Regards
----------------------------------------------------
Mike Dickinson
Country Manager - UK & Ireland
Mobile: +44 xxxx xxx xxx | Office: xxxx xxx xxxx (UK) | Fax: xxxx xxx xxxx (UK)
E-mail: mike.xxxx@msab.com | Skype: xxxxx | Web: www.msab.com
----------------------------------------------------
-----Original Message-----
From: Ahmed M. Said [xxxx]
Sent: 17 February 2010 22:20
To: Mike Dickinson
Subject: RE: XRY/XACT
Dear Mike,
It was my pleasure to meet you today and attend these interesting presentations and demos. I really
appreciate it and hope to see you again shortly.
Thank you very much
Kind Regards,
Ahmed
------------------------------------------------------------
From: Mike Dickinson [mailto:xxxx@msab.com]
Sent: 18 February 2010 11:23 AM
To: Ahmed M. Said
Subject: RE: XRY/XACT
Ahmed,
I will pencil in Wed 17th Feb for you at 2pm and hopefully that will match with your supervisor?
Provided you can let me know by 8th Feb at the latest if that date is ok – I am happy to hold it for
you.
Kind Regards
----------------------------------------------------
Mike Dickinson
Country Manager - UK & Ireland
Mobile: +44 xxxx xxx xxx | Office:xxxx xxx xxxx (UK) | Fax: xxxx xxx xxxx (UK)
E-mail: xxxx@msab.com <mailto:xxxx@msab.com> | Skype: xxxxxx | Web: www.msab.com
<http://www.msab.com/>
----------------------------------------------------
From: Mike Dickinson [mailto:Xxxx@msab.com]
Sent: Wednesday, January 20, 2010 11:27 AM
To: Ahmed M. Said
Subject: RE: XRY/XACT
Ahmed,
I am sorry but our distributor for the Oman region has declined to get involved because you only
wish to evaluate the equipment and the cost in facilitating this means it is uneconomical to achieve
right now.
I suggest the best way forward is to see the equipment when you are in the UK.
Provided you can give me sufficient advance warning then I am sure I can spare a day to show you
the technology and also present to your class if they are interested.
Kind Regards
----------------------------------------------------
Mike Dickinson
Country Manager - UK & Ireland
Mobile: +44 xxxx xxx xxx | Office:xxxx xxx xxxx (UK) | Fax: xxxx xxx xxxx (UK)
E-mail: xxxx@msab.com <mailto:xxxx@msab.com> | Skype: xxxxxx | Web: www.msab.com
<http://www.msab.com/>
From: Ahmed M. Said [mailto:xxx]
Sent: 20 January 2010 04:29
To: Mike Dickinson
Subject: RE: XRY/XACT
Hi Mike,
I am going there on 15th Feb. I will talk to my supervisor regarding this; I feel this will be better
than just forwarding him the email. Also, I didn't receive any call from your distributor here in Oman
yet. If you can send me their contact information, I will be able to call them.
Thanks
Ahmed Said
--------------------------------------------------
Ahmed,
OK let me know when you have spoken to RHUL and are next in the country and hopefully we can
arrange a presentation to your class.
Kind Regards
----------------------------------------------------
Mike Dickinson
Country Manager - UK & Ireland
Mobile: +44 xxxx xxx xxx | Office:xxxx xxx xxxx (UK) | Fax: xxxx xxx xxxx (UK)
E-mail: xxxx@msab.com <mailto:xxxx@msab.com> | Skype: xxxxxx | Web: www.msab.com
<http://www.msab.com/>
----------------------------------------------------
From: Ahmed M. Said [mailto:xxx]
Sent: 14 January 2010 06:50
To: Mike Dickinson
Subject: RE: XRY/XACT
Hi Mike,
Thank you again for your support. Sure, I am very interested in being in touch with one of your resellers here
in Oman, but I hope that they will be able to support me during the project.
Regards
Ahmed Said
---------------------------------------------------------------------
From: Mike Dickinson [mailto:Xxxx@msab.com]
Sent: Wednesday, January 13, 2010 2:27 PM
To: Ahmed M. Said
Cc: Thomas Renman
Subject: RE: XRY/XACT
Ahmed
No problem – it sounds like it would be easier for you to deal with our local reseller in Oman?
I can forward this information to them to contact you if you like?
Kind Regards
----------------------------------------------------
Mike Dickinson
Country Manager - UK & Ireland
----------------------------------------------------
Hello Mike,
Thank you very much for your support. Unfortunately I am not a full-time student residing in the UK; I am a
part-time modular programme student. I am residing in Oman and just visiting the UK for classes only, which
is usually one week per module. So next time I am supposed to be there by 14th February. I am planning to
start working on my project by the coming May, after the final exams.
Mainly I am interested in Blackberry forensics. I have a Blackberry 8230 phone which can be used for
this exercise.
Sure, I am very interested in attending any of your presentations, but I don't know if there is anything
scheduled during my UK visit.
Ahmed Said
---------------------------------------------------------------------
Ahmed,
I am the UK Country Manager for Micro Systemation and may be able to assist you.
Can you advise me what the phone model is that you wish to trial so I can check that we actually
support it?
I am afraid that I cannot lend you the equipment - but I am prepared to attend the University for the
day and allow you to use the equipment in order to get the results you want.
I regularly do presentations on mobile phone forensics to Universities in the UK so if you think your
lecturers or colleagues at RHUL would be interested in a presentation on mobile forensics, I am
happy to consider that for you as well.
Kind Regards
----------------------------------------------------
Mike Dickinson
Country Manager - UK & Ireland
Mobile: +44 xxxx xxx xxx | Office:xxxx xxx xxxx (UK) | Fax: xxxx xxx xxxx (UK)
E-mail: xxxx@msab.com <mailto:xxxx@msab.com> | Skype: xxxxxx | Web: www.msab.com
<http://www.msab.com/>
----------------------------------------------------
From: Ahmed M. Said [mailto:xxx]
Sent: den 11 januari 2010 03:08
To: support
Subject: XRY/XACT
Hi,
I am an MSc Information Security student at Royal Holloway University of London (RHUL). I am doing
my project on mobile forensics and the tools used for data acquisition.
I am going to do a practical test as a case study on one of the phone brands, using different tools
available on the market, and compare the results based on the hashing technique used, reliability,
integrity, etc.
I am looking for a trial kit of your tools to help me go ahead with this exercise.
Regards
Ahmed Said
Ahmed,
Thanks for your email. I did something similar for iPhone forensics, which you can download for free
on our website.
With regards to our Android services, unfortunately we release the technique primarily to law
enforcement only, and after they attend our training class. If it helps, I am mimicking the iPhone white
paper I mentioned above for Android and will test a number of available techniques. Check our
website over the next few weeks to see if we've released it yet.
Thanks and good luck. If you need someone to review when you are done or in draft, let me know.
Andrew Hoog
Chief Investigative Officer
tel: xxx-xxx-xxxx
xxxxxx@viaforensics.com