ITL Bulletin, June 2007

FORENSIC TECHNIQUES FOR CELL PHONES

Shirley Radack, Editor
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology

The data that is captured on mobile phones can be a source of valuable information to organizations that are investigating crimes, policy violations, and other security incidents. The science of recovering digital evidence from mobile phones, using forensically sound conditions and accepted methods, is called mobile phone forensics. In general, forensic science is the application of scientific principles for legal, investigative, and public policy purposes. Digital forensic science refers to the preservation, acquisition, examination, analysis, and reporting of electronic data collected and stored on computer and communication network systems and on many digital devices.

The digital forensic community faces special challenges when investigating crimes and incidents involving mobile phones. While cell phones are widely used for both personal and professional applications, the technology of cell phones is continually changing as new designs and improved techniques are introduced. As a result of the rapid pace of change, the established guides that provide advice on the application of computer forensics usually do not cover cell phones, especially those with advanced capabilities.

The Information Technology Laboratory of the National Institute of Standards and Technology (NIST) recently issued a new guide to help organizations develop appropriate policies and procedures for dealing with the information on cell phones, and for preparing their forensic specialists to adopt new techniques when cell phones are involved. Developed with the support of the Department of Homeland Security, the guide provides basic information about the characteristics of cell phones and explains the issues to be considered when organizations are conducting incident response and other types of investigations.

Guidelines on Cell Phone Forensics

Guidelines on Cell Phone Forensics: Recommendations of the National Institute of Standards and Technology was issued in May 2007 as NIST Special Publication (SP) 800-101. Written by Wayne Jansen and Rick Ayers of NIST, SP 800-101 provides an in-depth examination of mobile phones, the technology involved, and the management of forensic procedures. It covers phones with advanced features beyond simple voice communication and text messaging, and details their technical and operating characteristics. The guide discusses procedures and techniques involved in cell phone forensic activities, as well as available forensic software tools that support those activities.

The extensive reference list in NIST SP 800-101 provides a rich selection of in-print and online resources for cell phone products and services, as well as discussions of the application of forensic techniques. The appendices to the guide include an acronym list, a glossary of terms used in the guide, and a detailed view of the steps involved in the acquisition of a cell phone with Universal Mobile Telecommunications System capabilities. Another section of the appendices provides information about the contents of records collected by cellular network carriers involving event and call data.

While not providing specific legal advice to organizations, the guide covers the information and principles that will enable organizations to establish the policies and procedures needed for an effective forensics program developed in conjunction with their legal advisors, agency officials, and managers.

NIST SP 800-101 is available from NIST's website at: http://csrc.nist.gov/publications/nistpubs/index.html.

Cell Phone Technology

In the United States, digital cellular networks have been developed based on different and incompatible sets of standards. Two types of digital cellular networks dominate: Code Division Multiple Access (CDMA) and Global System for Mobile Communications (GSM) networks. Other commonly implemented cellular networks include Time Division Multiple Access (TDMA) and Integrated Digital Enhanced Network (iDEN). iDEN networks use a proprietary protocol designed by Motorola, while the others follow standardized open protocols. Also available is a digital version of the original analog standard for cellular telephone service called Digital Advanced Mobile Phone Service (D-AMPS).

Mobile phones work with certain subsets of these network types, with the service provider supplying the phone and the details of the service agreement. For example, a service provider or network operator for a GSM network that has some older TDMA network segments in operation might supply a phone that has GSM voice and data capabilities, and TDMA capabilities. Such a phone would not be compatible with CDMA networks.

Mobile phones can also be acquired without service from a manufacturer, vendor, or other source, and the service can be arranged separately with a service provider or network operator, provided that the phone is compatible with the network. When in operation, mobile phones may contact compatible networks operated for or by another service provider, and gain service. To administer the cellular network system, provide subscribed services, and accurately bill or debit subscriber accounts, data about the service contract and associated service activities are captured and maintained by the network system.

Cellular networks provide coverage based on dividing a large geographical service area into smaller areas of coverage called cells. These cells can often utilize unused radio frequencies in the limited radio spectrum, enabling more calls to take place than might be possible otherwise. As a mobile phone user moves from one cell to another, active connections must be monitored and effectively passed along between cells to maintain the connection.

The main components of cellular networks are: the Base Transceiver Station (BTS), the radio transceiver equipment that communicates with the mobile phones; the Base Station Controller (BSC), which manages the transceiver equipment and performs channel assignment; and the Mobile Switching Center (MSC), the switching system for the cellular network. The BSC and the BTS units it controls are sometimes collectively referred to as a Base Station.

Cell Phone Characteristics

Cell phones are highly mobile communications devices that perform functions such as organizing digital data and carrying out basic personal computing activities. Designed for mobility, these phones are compact in size, battery powered, and lightweight. Most cell phones have a basic set of comparable features and capabilities. They are composed of a microprocessor, read only memory (ROM), random access memory (RAM), a radio module, a digital signal processor, a microphone and speaker, a variety of hardware keys and interfaces, and a liquid crystal display (LCD). The operating system (OS) of the device is held in ROM, which can be erased and reprogrammed electronically when the proper tools are used. The RAM, which may be used to store user data, is supported by batteries. If the batteries fail, the information can be lost.

The newest cell phones are equipped with system-level microprocessors that reduce the number of supporting chips required to operate the phone and include considerable memory capacity. Other capabilities include card slots that support removable memory cards or specialized peripherals, such as wireless capabilities. Wireless communications capabilities may also be built into the phone.

Different devices have different technical and physical characteristics, such as size, weight, processor speed, and memory capacity. Devices may also use different types of expansion capabilities to provide additional functionality. Cell phones may have the capabilities of other devices such as personal digital assistants (PDAs), global positioning systems, and cameras. While there are many different types of cell phones, they can be generally characterized as: basic phones that are primarily simple voice and messaging communication devices; advanced phones that offer additional capabilities and services for multimedia; and smart phones or high-end phones that combine the capabilities of an advanced phone with those of a PDA.

Forensic Tools

The application of forensic software tools to cell phones is a very different process from the forensic process used with personal computers. The latter devices are primarily designed as general-purpose systems, while cell phones are designed more as special-purpose appliances that perform a set of predefined tasks. Since cellular phone manufacturers tend to rely on different proprietary operating systems rather than the more standardized approach found in personal computers, there are different toolkits for use with mobile devices. Also, the toolkits are often limited to a narrow range of distinct platforms for a manufacturer's product line, an operating system family, or a type of hardware architecture. Since the technology of cell phones is frequently updated, tool manufacturers must update their tools continually to keep their coverage current. As a result, the development of tools for newer models of cell phones frequently lags behind the introduction of new models.

Forensic tools acquire data from a device by both physical acquisition and logical acquisition methods. Physical acquisition involves a bit-by-bit copy of an entire physical store of data, such as a memory chip. Logical acquisition involves a bit-by-bit copy of logical storage objects, such as directories and files that are located in a file system. Physical acquisition has advantages over logical acquisition, since it allows deleted files and any data remnants present to be examined. Extracted device images need to be parsed, decoded, and translated to uncover the data present. The work is tedious and time-consuming to perform manually. Physical device images can be imported into a tool to automate examination and reporting; however, only a few tools tailored for obtaining cell phone images are currently available. Although logical acquisition is more limited than physical acquisition, the system data structures are usually easier for a tool to extract. The logical acquisition of data provides a more natural and understandable organization of the data for use during examination. Both types of acquisition are useful.

Steps in the Investigation

Investigations and incidents are handled in different ways depending upon the circumstances and severity of the incident, and on the experience of the investigation team. Organizations can advance the effective application of cell phone forensics by carefully planning the steps in the investigative process:

• Defining the procedures and principles that will apply when dealing with digital evidence, and establishing roles and responsibilities for the personnel involved.

• Preserving the evidence related to the investigation through appropriate search, recognition, documentation, and collection procedures, without altering or changing the content of data on devices and media.

• Acquiring information from a digital device and its peripheral equipment and media in a controlled setting, such as a laboratory.

• Examining and analyzing digital evidence through the application of established scientifically based methods, fully describing the content and state of the data.

• Reporting on the investigation by preparing a detailed summary of all of the steps taken and the conclusions reached in the investigation of a case, maintaining a careful record of all actions and observations, describing results of tests and examinations, and explaining the inferences drawn from the evidence.

NIST Recommendations for the Application of Cell Phone Forensics

NIST recommends that organizations implement the following recommendations to facilitate the application of efficient and effective digital forensic activities involving cell phones and cellular devices.

Ensure that organizational policies contain clear statements about forensic considerations involving cell phones.

At a high level, policies should allow authorized personnel to perform forensic investigations of cell phones that have been issued by the organization when there are legitimate reasons for such investigations and they are conducted under the appropriate circumstances. The forensic policy should clearly define the roles and responsibilities of the workforce and of any external organizations performing or assisting with the organization's forensic activities. The policy should also indicate internal teams and external organizations to be contacted under various circumstances.

Create and maintain procedures and guidelines for performing forensic tasks on cell phones.

Guidelines should focus on general methodologies for investigating incidents using forensic techniques. While developing comprehensive procedures tailored to every possible situation is not generally feasible, organizations should consider developing step-by-step procedures for performing all routine activities in the preservation, acquisition, examination and analysis, and reporting of digital evidence found on cell phones and associated media. The guidelines and procedures should facilitate consistent, effective, accurate, and repeatable actions carried out in a forensically sound manner, suitable for legal prosecution or disciplinary actions. The guidelines and procedures should support the admissibility of evidence into legal proceedings, including seizing and handling evidence properly, maintaining the chain of custody, storing evidence appropriately, establishing and maintaining the integrity of forensic tools and equipment, and demonstrating the integrity of any electronic logs, records, and case files. The guidelines and procedures should be reviewed periodically and also whenever there are significant changes in cell phone technology that affect them.

Ensure that organizational policies and procedures support the reasonable and appropriate use of forensic tools for cell phones.

Policies and procedures should clearly explain what actions are to be taken by a forensic unit under various circumstances commonly encountered with cell phones. They should also describe the quality measures to apply in verifying the proper functioning of any forensic tools used in examining cell phones and associated media. Procedures for handling sensitive information that might be recorded by forensic tools should also be addressed. Legal counsel should carefully review all forensic policy and high-level procedures for compliance with international, federal, state, and local laws and regulations, as appropriate.

Ensure that the organization's forensic professionals are prepared to conduct activities in cell phone forensics.

Forensic professionals, especially first responders to incidents, should understand their roles and responsibilities for cell phone forensics and receive training and education on related forensic tools, policies, guidelines, and procedures. Forensic professionals should also consult closely with legal counsel in general preparation for forensics activities, such as determining which actions should and should not be taken under various circumstances. In addition, management should be responsible for supporting forensic capabilities, reviewing and approving forensic policy, and examining and endorsing unusual forensic actions that may be needed in a particular situation.

More Information

NIST publications assist organizations in planning and implementing a comprehensive approach to information security. Publications dealing specifically with digital forensics include:

NIST SP 800-72, Guidelines on PDA Forensics, by Wayne Jansen and Rick Ayers, helps organizations develop policies and procedures for personal digital assistants (PDAs) and assists forensic specialists in dealing with situations involving PDAs.

NIST SP 800-86, Guide to Integrating Forensic Techniques into Incident Response, by Karen Kent, Suzanne Chevalier, Tim Grance, and Hung Dang, provides detailed information on establishing a forensic capability, including the development of policies and procedures and the use of forensic techniques to assist with computer security incident response.

These publications and other security-related publications are available from NIST's website: http://csrc.nist.gov/publications/nistpubs/index.html.
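The Forensic Tools section above contrasts physical acquisition (a bit-for-bit copy of the whole memory store, which exposes deleted remnants) with logical acquisition (a copy of only the files the file system still exposes), and the recommendations call for demonstrating the integrity of acquired records. The following Python example is added here to illustrate both points on a constructed toy flash image; it is not code from the bulletin or from SP 800-101, and its file layout, file names and message contents are invented for the demonstration.

```python
import hashlib
from dataclasses import dataclass

# Constructed toy "memory chip": 256 bytes. The first 64 bytes are reserved
# for a directory area; for brevity the directory itself is kept as a Python
# list rather than serialised. This layout is invented, not a real handset's.
CHIP_SIZE = 256

@dataclass
class DirEntry:
    name: str
    offset: int
    length: int
    deleted: bool   # True: entry unlinked, but its bytes were never wiped

def build_sample_chip():
    """Build a chip holding two live files and one 'deleted' SMS (constructed data)."""
    chip = bytearray(CHIP_SIZE)
    entries = []
    files = [("sms1.txt", b"Meet at 10:00", False),
             ("sms2.txt", b"Call me back at 15:30", True),
             ("contact.vcf", b"N:Doe;John", False)]
    cursor = 64                      # file bodies start after the directory area
    for name, body, deleted in files:
        chip[cursor:cursor + len(body)] = body
        entries.append(DirEntry(name, cursor, len(body), deleted))
        cursor += len(body) + 1      # leave one zero byte between bodies
    return bytes(chip), entries

def logical_acquisition(chip, directory):
    """Logical view: only storage objects the file system still exposes."""
    return {e.name: chip[e.offset:e.offset + e.length]
            for e in directory if not e.deleted}

def physical_acquisition(chip):
    """Physical view: bit-for-bit image plus a SHA-256 recorded for integrity."""
    image = bytes(chip)
    return image, hashlib.sha256(image).hexdigest()

def find_remnants(image, directory, keyword):
    """Scan the raw image for printable runs containing keyword and report
    whether each run lies inside a live file or in deleted/unallocated space."""
    live = [(e.offset, e.offset + e.length) for e in directory if not e.deleted]
    hits, start = [], image.find(keyword)
    while start != -1:
        lo, hi = start, start
        while hi < len(image) and 32 <= image[hi] < 127:
            hi += 1                  # extend forward over printable bytes
        while lo > 0 and 32 <= image[lo - 1] < 127:
            lo -= 1                  # extend backward over printable bytes
        where = "live" if any(a <= lo < b for a, b in live) else "remnant"
        hits.append((image[lo:hi].decode("ascii"), where))
        start = image.find(keyword, hi)
    return hits

def verify_image(image, recorded_hash):
    """Re-hash later in the case to show the image has not been altered."""
    return hashlib.sha256(image).hexdigest() == recorded_hash
```

Running the functions on the sample chip shows the deleted SMS is absent from the logical copy yet recoverable as a remnant from the physical image, while any single-byte change to the image makes verification fail.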