
Mobile Phones as Evidence in Criminal Cases

Thomas Renman – Micro Systemation AB


thomas.renman@msab.com

Agenda – 22 May
• Micro Systemation – what do we do?
• XRY video
• Mobile phones as evidence in criminal cases
• What can be found in a mobile phone?
• The mobile phone's different storage locations
• How is the information extracted?

Micro Systemation AB
• Founded in 1984
• Focus on forensic tools for mobile phones
• Public company, listed on the NGM exchange since 1999

XRY Quick Facts
• Product development of .XRY began in 2003
• First delivery in September 2003
• Version 2 launched in November 2004
• Version 3 launched in autumn 2006
• Support for 400 phone models from 12 manufacturers
• Used in more than 40 countries
• England and Holland are the largest markets

XRY Video
• C:\XRY Video\XRY Video Presentation\VIDEO_TS\VTS_01_1.VOB

Mobile Phones as Evidence in Criminal Cases

Examples of what can be found in a mobile phone
• Call lists
• SMS
• Contacts
• Pictures
• Videos
• E-mail
• GPS data

Inside a Mobile Phone
• Data can be stored in 3 primary locations
  • Handset
  • SIM
  • Memory card (optional)
• Duplication may occur between these
• Handset sometimes referred to as:
  • “Mobile Station” (MS) in GSM
  • “User Equipment” (UE) in 3G

Subscriber Identity Module (SIM)
• A “smart card” containing:
  • CPU
  • RAM
  • ROM
  • EEPROM
  • I/O circuits
• Stores:
  • Card identity (ICCID)
  • Subscriber identity (IMSI)
  • User data
• Defined by international standards (ETSI, the European Telecommunications Standards Institute)

Integrated Circuit Card Identifier
• ICCID uniquely identifies the card
• 19 or 20 digits in length
• Always stored digitally in the card
• Normally printed on the outside (may be abbreviated)
• Can determine issuing service provider & country from ICCID

International Mobile Subscriber Identity
• IMSI uniquely identifies a subscriber
• Always stored digitally on the card
• Seldom seen by, or known to, the owner
• 15 digits in length
• Can also determine the issuing service provider & country from the IMSI
[Figure: example IMSI 5300166045081798 with the Mobile Country Code (MCC) and Mobile Network Code (MNC) marked; labelled New Zealand and Vodafone NZ]

Universal Subscriber Identity Module
• USIM is a 3G SIM card
• Differences include:
  • Greater storage capacity
  • Enhanced phone book (e.g. nickname, email etc.)
• But same physical shape & size
• May not be able to visually identify as a USIM
• Combination (hybrid) cards exist

International Mobile Equipment Identifier
• 15 digits in length
• Stored digitally in the handset
• Printed on a sticker under the battery
• Can determine make & model from IMEI
[Figure: the IMEI printed on the sticker beside the IMEI shown on screen. The two versions should match… Type *#06#]
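
An added example, not part of the original slides: checking the identifiers described on the IMSI and IMEI slides before they go into a report. It splits an IMSI into MCC, MNC and subscriber number, verifies the IMEI check digit (the last IMEI digit is a Luhn checksum) and compares the sticker IMEI with the one the handset reports. The operator table holds only the pair labelled on the IMSI slide, the 2-digit MNC length is an assumption that does not hold for every country, and the sample numbers in the test are constructed.

```python
# Added example: sanity checks for SIM and handset identifiers.
# OPERATORS holds only the MCC/MNC pair labelled on the IMSI slide.
OPERATORS = {("530", "01"): ("New Zealand", "Vodafone NZ")}


def only_digits(text: str) -> str:
    """Drop separators (spaces, dashes) that appear on printed labels."""
    return "".join(c for c in text if c in "0123456789")


def luhn_valid(number: str) -> bool:
    """True if the digit string ends in a correct Luhn check digit."""
    if not (number.isascii() and number.isdigit()):
        return False
    total = 0
    for pos, ch in enumerate(reversed(number)):
        d = int(ch)
        if pos % 2 == 1:              # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_imsi(imsi: str, mnc_len: int = 2) -> dict:
    """Split a 15-digit IMSI into MCC, MNC and subscriber number (MSIN)."""
    imsi = only_digits(imsi)
    if len(imsi) != 15 or mnc_len not in (2, 3):
        raise ValueError("expected 15 digits and a 2- or 3-digit MNC")
    mcc, mnc = imsi[:3], imsi[3:3 + mnc_len]
    country, operator = OPERATORS.get((mcc, mnc), ("unknown", "unknown"))
    return {"mcc": mcc, "mnc": mnc, "msin": imsi[3 + mnc_len:],
            "country": country, "operator": operator}


def check_imei(sticker: str, reported: str) -> dict:
    """Compare the sticker IMEI with the IMEI the handset reports."""
    sticker, reported = only_digits(sticker), only_digits(reported)
    return {
        "sticker_valid": len(sticker) == 15 and luhn_valid(sticker),
        "reported_valid": len(reported) == 15 and luhn_valid(reported),
        "match": sticker == reported,
        "tac": reported[:8],          # Type Allocation Code: make & model
    }
```

A mismatch between the two IMEI values, or a failed check digit on either, is worth recording as a finding in its own right.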

Mobile Phone Memory
• Handsets contain different memory chips for data storage
  • Operating system
  • User data
• Few standards/rules govern:
  • What should be stored (except IMEI)
  • Where/how it should be stored
  • How/when it should be deleted (except call registers on SIM swap)

Mobile Phone Memory
• Contents of memory will change constantly
  • Power on/power off
  • User interaction
  • Interaction with network
• Memory provided for user data may be
  • Pre-allocated
    • e.g. Nokia 6220 limited to 20 dialled calls, 300 contacts etc.
  • Shared
    • e.g. Nokia 6630 has 10MB “shared memory”

Operating Systems
• Operating system is the manufacturer’s software which makes the phone work
• Most handsets run proprietary o/s software
  • Different between different makes and models
• High-end “smartphones” may run:
  • Symbian OS
  • Windows Mobile
  • Palm

Connection Interfaces
• Cable
  • Fast, secure, quite reliable
• Infra-red
  • Slower, quite secure, less reliable
  • Not all data may be retrieved
• Bluetooth
  • Quite fast, less secure, less reliable, more intrusive

Memory Cards
• Increasingly common in new handsets
• Different physical “form factors” exist
  • e.g. MMC, microSD, MemoryStick Duo etc.
• 4GB cards currently available (Jan ‘07)
• PC-compatible FAT filesystem widely adopted
• May contain pictures, movies, MP3… or any file at all!
• Deleted data retrievable with established computer forensic techniques
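
An added example, not part of the original slides: why deleted files on a FAT memory card are recoverable. Deleting a file only overwrites the first byte of its 32-byte directory entry with 0xE5; the rest of the name, the first cluster and the size stay in place until the entry is reused. The directory bytes below are constructed test data and the function names are hypothetical.

```python
import struct

DELETED, END, ATTR_LFN = 0xE5, 0x00, 0x0F


def make_entry(name: str, ext: str, cluster: int, size: int) -> bytes:
    """Build one 32-byte short-name directory entry (constructed test data)."""
    raw = name.ljust(8).encode("ascii") + ext.ljust(3).encode("ascii")
    return (raw + bytes([0x20]) + bytes(8)                 # attr, offsets 12-19
            + struct.pack("<H", cluster >> 16) + bytes(4)  # high word, 22-25
            + struct.pack("<HI", cluster & 0xFFFF, size))  # low word, size


def sample_directory() -> bytes:
    """Constructed directory: one live file, one deleted photo, end marker."""
    live = make_entry("HOLIDAY", "JPG", 5, 48213)
    gone = bytearray(make_entry("IMG0042", "JPG", 9, 102400))
    gone[0] = DELETED          # what a delete does: first name byte -> 0xE5
    return live + bytes(gone) + bytes(32)


def find_deleted(directory: bytes) -> list:
    """Return deleted short-name entries found in a raw FAT directory region."""
    hits = []
    for off in range(0, len(directory) - 31, 32):
        entry = directory[off:off + 32]
        if entry[0] == END:    # 0x00: nothing was ever stored past this point
            break
        if entry[0] != DELETED or (entry[11] & 0x3F) == ATTR_LFN:
            continue           # live file, or a long-filename fragment
        hi, = struct.unpack_from("<H", entry, 20)
        lo, size = struct.unpack_from("<HI", entry, 26)
        name = "?" + entry[1:8].decode("ascii", "replace").rstrip()
        ext = entry[8:11].decode("ascii", "replace").rstrip()
        hits.append({"offset": off, "name": f"{name}.{ext}" if ext else name,
                     "first_cluster": (hi << 16) | lo, "size": size})
    return hits
```

The first character of the name is lost (shown as `?`), and the file content is only intact if its clusters have not been reallocated since the deletion.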

Logical Extraction
• Extraction software asks handset what data is available
• Handset may or may not provide data
• Will not provide deleted data
• Different protocols are used for:
  • Different handsets
  • Different data types

Protocols Used in Logical Extractions
• AT
  • Identification, basic information for most GSM models.
• OBEX (“OBject EXchange”)
  • Pictures, audio, video
  • Different flavours for different makes and models
• IrMC, SyncML
  • OBEX based protocols. Phone book, calendar, notes
• FBUS
  • Nokia’s binary protocol. Differences for almost each model.

Results from Logical Extractions
• The following data may be retrievable
  • Phonebook/contacts
  • Call registers (dialled, missed, received)
  • SMS
  • MMS
  • Photos
  • Movies
  • Audio files (ringtones, MP3, recordings)
  • Calendar / appointments / tasks / notes
  • Games & other software
  • And more…

Physical Extraction
• Physical extraction involves either
  • Removing chips from circuit board & “dumping” contents (destructive)
  • Via a data cable (e.g. service ports on many Nokias)
• Data is supplied in a “raw” form
• Interpretation requires time & specialist knowledge
• Provides a lot of data including deleted handset information

Questions?
