Mobile Device Forensics and the Internet of Anything
Understanding Mobile Device Forensics
- Depending on your phone’s model, the following information might be stored on it:
* Incoming, outgoing, and missed calls
* MMS and SMS
* E-mail accounts
* IM logs
* Web pages
* Photos, videos and music files
* Calendars and address books
* Social media account information
* GPS data
* Voice recordings and voicemails
* Bank account log-ins
* Access to your home
Mobile Phone Basics
- There were three generations of mobile phones at the end of 2008: analog, digital personal communications service (PCS), and third-generation (3G).
- Many previously unheard-of features were offered by 3G, including the ability to download while moving in a car or on foot.
- 2009 saw the launch of the fourth-generation (4G) network by Sprint Nextel.
- Completion of fifth-generation (5G) cellular networks was anticipated for 2020. These networks combine newer technologies, such as the constantly growing cloud and device-to-device networking.
Digital Networks
| Digital network | Description |
|---|---|
| Code Division Multiple Access (CDMA) | The spread-spectrum signalling that CDMA is built on dates to World War II; Qualcomm patented and commercialized CDMA for cellular use in the late 1980s. One of the most common digital networks, it separates users by spreading code rather than by frequency or time slot, so every channel uses the full available frequency band. |
| Global System for Mobile Communications (GSM) | Another common digital network, it’s used by AT&T and T-Mobile in the United States and is the standard in Europe and Asia. |
| Time Division Multiple Access (TDMA) | This digital network uses the technique of dividing a radio frequency into time slots; GSM networks use this technique. It also refers to a specific cellular network standard covered by Interim Standard (IS) 136. |
| Integrated Digital Enhanced Network (iDEN) | This Motorola protocol combines several services, including data transmission, into one network. |
| Digital Advanced Mobile Phone Service (D-AMPS) | This network is a digital version of the original analog standard for cell phones. |
| Enhanced Data GSM Environment (EDGE) | This digital network, a faster version of GSM, is designed to deliver data. |
| Orthogonal Frequency Division Multiplexing (OFDM) | This technology for 4G networks uses energy more efficiently than 3G networks and is more immune to interference. |
- IS-95, developed by the Telecommunications Industry Association (TIA), is followed by the majority of CDMA networks. These systems were originally known as cdmaOne; the 3G evolution of the standard was named CDMA2000.
- The TDMA technology used by GSM allows for the round-robin sharing of channels by numerous phones.
- The International Telecommunications Union (ITU) of the United Nations established the 3G standard. It is TDMA, CDMA, and GSM compatible.
- EDGE was developed as the GSM path to 3G data rates and is accepted by the ITU as a 3G (IMT-2000) technology.
- In 2008, the ITU Radiocommunication Sector (ITU-R) created the requirements a carrier must meet to be considered 4G:
* Orthogonal Frequency Division Multiplexing (OFDM): It uses numerous parallel carriers instead of a single broad carrier and is less susceptible to interference.
* Mobile WiMAX: This technology uses the IEEE 802.16e standard and OFDMA, and supports transmission speeds of 12 Mbps.
* Ultra Mobile Broadband (UMB): Also known as CDMA2000 EV-DO Rev. C, this was the CDMA providers' planned path to 4G, with 275 Mbps downlink and 75 Mbps uplink speeds; it was abandoned in 2008 when those providers chose LTE instead.
* Multiple Input Multiple Output (MIMO): This technology, developed by Airgo and acquired by Qualcomm, supports transmission speeds of 312 Mbps and is used by 4G, WiMAX, and other technologies.
* Long Term Evolution (LTE): This technology, designed for GSM and Universal Mobile Telecommunications Systems (UMTS) technology, supports 45 Mbps to 144 Mbps transmission speeds. Commonly called “4G LTE.”
- Geographic areas are divided into cells resembling honeycombs; each cell is served by the following network components:
* Base transceiver station (BTS): This component is made up of radio transceiver equipment that defines cells and communicates with mobile phones; it’s sometimes referred to as a “cell phone tower,” although the tower is only one part of the BTS equipment.
* Base station controller (BSC): This combination of hardware and software manages BTSs and assigns channels by connecting to the mobile switching center.
* Mobile switching center (MSC): This component connects calls by routing digital packets for the network and relies on a central subscriber database (the home location register, HLR). That database contains account data, location data, and other key information needed during an investigation.
Inside Mobile Devices
Simple cell phones, smartphones, tablets, and smartwatches are all examples of mobile gadgets.
A microprocessor, ROM, RAM, a digital signal processor, a radio module, a microphone, and speakers, as well as hardware interfaces and an LCD display, make up the hardware.
Most inexpensive phones run a proprietary OS; smartphones run general-purpose operating systems descended from computer OSs (Android is Linux-based, iOS shares its kernel with macOS).
Electronically erasable programmable read-only memory (EEPROM), which phones use to store system data, allows service providers to reprogram phones without physically accessing memory chips.
The operating system is kept in non-volatile memory (ROM on older phones, flash on current ones), so it remains intact along with the other data even if the phone loses power.
Personal digital assistants (PDAs) have been superseded for personal use by iPods, iPads, and other mobile devices; they are still sold, mostly online, for more specialized markets.
A number of peripheral memory cards were used with PDAs:
* Compact Flash (CF): These were used for extra storage and work much the same way as PCMCIA cards.
* MultiMediaCard (MMC): These were designed for mobile phones, but they can be used with PDAs to provide another storage media.
* Secure Digital (SD): These cards are similar to MMCs but have added security features to protect data; they’re now used on smartphones.
Subscriber Identity Module (SIM) Cards: These are usually found in GSM devices and consist of a microprocessor and internal memory.
GSM: Refers to mobile phones as “mobile stations” and divides a station into two parts: the SIM card and the mobile equipment (ME), which is the remainder of the phone.
The SIM card is necessary for the ME to work and serves these additional purposes:
* Identifies the subscriber to the network
* Stores service-related information
* Can be used to back up the device
Understanding Acquisition Procedures for Mobile Devices
Mobile device search and seizure procedures are just as crucial as those for PCs.
Loss of power, synchronization with cloud services, and remote wiping are the key issues.
As volatile memory is a feature of all mobile devices, it's imperative to keep them powered up while you retrieve RAM data.
The moment of seizure could be significant depending on the warrant or subpoena: messages that arrive on the device after seizure may fall outside the warrant's scope and may or may not be admissible in court.
Note the time and date when you take this action if you decide that the device has to be turned off to save battery life or stop a potential attack.
The alternative is to isolate the device from incoming signals with one of the following options:
* If this option is available, switch the device to airplane mode.
* Put the gadget into a paint can, preferably one that once held paint designed to block radio waves.
* Utilize a Faraday bag that complies with the requirements for a Faraday wire cage. Many enable connecting a device to a power source.
* Switch off the gadget.
Shielding a powered-on device has the disadvantage that it keeps searching for a network (roaming mode), which hastens battery consumption; where the Faraday bag allows it, connect the device to a power source.
See what can be recovered once you're back in the forensics lab. Knowing where information is housed will help you decide whether to make a logical acquisition or a physical acquisition.
Keeping in mind that mobile devices frequently require the manufacturer's tools, look for information in the following places:
* Internal memory
* SIM card
* Removable or External Memory Cards
* Network provider
Depending on whether the phone is GSM or CDMA, a SIM card can hold a lot of data. The information that can be retrieved falls into four categories:
* Service-related data, such as identifiers for the SIM card and subscriber.
* Call data, such as numbers dialed.
* Message information.
* Location information.
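The four SIM categories above, as an added example that is not part of the original notes: a small Python decoder for a handful of raw SIM elementary files, one or two per category. The byte strings are constructed test vectors for a hypothetical subscriber, not data read from a real card, and the file layouts (EF_ICCID, EF_IMSI, EF_ADN/EF_LND, EF_SMS, EF_LOCI) are as I understand them from GSM 11.11 / 3GPP TS 51.011. A reader-based logical acquisition hands you exactly these bytes, and the EF_SMS case shows why records flagged "free" are parsed too: a deleted message is usually still sitting in the record.

```python
"""Decode raw GSM SIM elementary-file (EF) contents into the four data
categories above.  Added example, not part of the original notes; every
byte string is a constructed test vector, not data from a real SIM.
Layouts follow GSM 11.11 / 3GPP TS 51.011 (swapped-nibble BCD digits,
0xF as filler) as I understand them."""
from typing import Optional


def bcd(data: bytes) -> str:
    """Swapped-nibble BCD digits, stopping at the first 0xF filler."""
    out = []
    for b in data:
        for nib in (b & 0x0F, b >> 4):
            if nib == 0x0F:
                return "".join(out)
            out.append(str(nib))
    return "".join(out)


def number(ton_npi: int, digits: bytes) -> str:
    """Dialling number; '+' prefix when type-of-number is international."""
    return ("+" if (ton_npi >> 4) & 0x7 == 1 else "") + bcd(digits)


# --- service-related data: identifiers of SIM and subscriber ------------
def decode_iccid(ef: bytes) -> str:
    # EF_ICCID (2FE2): 10 bytes of swapped BCD, the card serial number.
    return bcd(ef)


def decode_imsi(ef: bytes) -> str:
    # EF_IMSI (7F20/6F07): byte 0 = length; byte 1 = first digit (high
    # nibble) plus odd/even indicator (low nibble); rest swapped BCD.
    body = ef[1:1 + ef[0]]
    return str(body[0] >> 4) + bcd(body[1:])


# --- call data: abbreviated / last-dialled numbers ----------------------
def decode_adn(rec: bytes) -> Optional[dict]:
    # EF_ADN and EF_LND record: alpha tag (len-14 bytes, 0xFF padded) |
    # BCD length | TON/NPI | 10 number bytes | CCP | EXT1.
    alpha_len = len(rec) - 14
    bcd_len = rec[alpha_len]
    if bcd_len == 0xFF:                       # unused record
        return None
    name = rec[:alpha_len].rstrip(b"\xff").decode("ascii", "replace")
    digits = rec[alpha_len + 2:alpha_len + 1 + bcd_len]
    return {"name": name, "number": number(rec[alpha_len + 1], digits)}


# --- message information: EF_SMS records --------------------------------
SMS_STATUS = {0: "free", 1: "read", 3: "unread", 5: "sent", 7: "unsent"}


def unpack_7bit(ud: bytes, septets: int) -> str:
    # GSM 03.38 default alphabet, 7 bits per character packed LSB first.
    # Basic letters and digits share ASCII code points, so chr() suffices.
    bits = int.from_bytes(ud, "little")
    return "".join(chr((bits >> (7 * i)) & 0x7F) for i in range(septets))


def decode_sms_record(rec: bytes) -> dict:
    # EF_SMS record: status | SMSC address | TPDU.  A record marked "free"
    # (deleted) usually still holds the old bytes, so parse it regardless.
    status = SMS_STATUS.get(rec[0] & 0x07, "reserved")
    if rec[1] == 0xFF:                        # never written
        return {"status": status, "text": ""}
    p = 2 + rec[1]                            # rec[1] = SMSC address length
    smsc = number(rec[2], rec[3:p])
    if rec[p] & 0x03 != 0:                    # only SMS-DELIVER handled
        return {"status": status, "smsc": smsc, "raw_tpdu": rec[p:].hex()}
    oa_bytes = (rec[p + 1] + 1) // 2          # originating address digits
    oa = number(rec[p + 2], rec[p + 3:p + 3 + oa_bytes])
    p += 3 + oa_bytes                         # now at protocol identifier
    dcs, udl = rec[p + 1], rec[p + 9]
    when = bcd(rec[p + 2:p + 8])              # YYMMDDhhmmss (zone at p+8)
    ud = rec[p + 10:]
    text = unpack_7bit(ud, udl) if dcs & 0x0C == 0 else ud[:udl].hex()
    return {"status": status, "smsc": smsc, "from": oa,
            "time": when, "text": text}


# --- location information: EF_LOCI --------------------------------------
def decode_loci(ef: bytes) -> dict:
    # EF_LOCI (7F20/6F7E): TMSI(4) | LAI(5 = MCC/MNC 3 + LAC 2) |
    # TMSI TIME(1) | location update status(1).
    lai = ef[4:9]
    mcc = f"{lai[0] & 0xF}{lai[0] >> 4}{lai[1] & 0xF}"
    mnc = f"{lai[2] & 0xF}{lai[2] >> 4}"
    if lai[1] >> 4 != 0xF:                    # three-digit MNC
        mnc += str(lai[1] >> 4)
    status = {0: "updated", 1: "not updated", 2: "PLMN not allowed",
              3: "location area not allowed"}.get(ef[10] & 0x7, "reserved")
    return {"tmsi": ef[:4].hex(), "mcc": mcc, "mnc": mnc,
            "lac": int.from_bytes(lai[3:5], "big"), "status": status}


# Constructed test vectors (hypothetical subscriber, not a real SIM).
EF_ICCID = bytes.fromhex("981914100000002143F5")
EF_IMSI = bytes.fromhex("083901511032547698")
EF_LND_REC = bytes.fromhex("416C696365FFFFFFFFFF" "0791" "5155214365F7"
                           "FFFFFFFFFFFF")
EF_LOCI = bytes.fromhex("1A2B3C4D1300511A2BFF00")
EF_SMS_REC = bytes.fromhex("00" "07915155010000F0" "04" "0B915155214365F7"
                           "0000" "42506070809000" "05" "E8329BFD06")

if __name__ == "__main__":
    print("ICCID", decode_iccid(EF_ICCID), "IMSI", decode_imsi(EF_IMSI))
    print("last dialled", decode_adn(EF_LND_REC))
    print("location", decode_loci(EF_LOCI))
    print("sms", decode_sms_record(EF_SMS_REC))
```

Real EF_SMS records are 176 bytes padded with 0xFF and EF_ADN records vary in length per card; the decoders only rely on the fixed trailing fields, so feeding them a full record from a reader works the same way. The sample SMS record carries status 0x00 ("free") yet still decodes to a complete SMS-DELIVER, which is the case a logical extraction tool that honours the status flag would silently skip.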
Mobile Forensics Equipment
SIM Card Readers
- These are devices used to read and access SIM cards.
- The general procedure is as follows:
* Remove the device’s back panel.
* Remove the battery.
* Remove the SIM card from its holder
* Insert the SIM card into the card reader, which you insert into your forensic workstation’s USB port.
Mobile Phone Forensics Tools and Methods
- The NIST guidelines list six types of mobile forensics methods:
* Manual extraction: This method involves looking at the device’s content page by page and taking pictures. It’s used if investigators can’t do a logical or physical extraction.
* Logical extraction: The mobile device is connected to a forensic workstation via a wired or wireless connection and then the file system information is extracted.
* Physical extraction: As with a logical extraction, the mobile device is attached to a forensic workstation, but a bit-for-bit copy of the device’s flash memory is acquired, which can include deleted data that a logical extraction misses.
* Hex dumping and Joint Test Action Group (JTAG) extraction: Hex dumping loads a modified boot loader onto the device to dump its flash memory to the workstation. JTAG extraction uses the processor’s test access port to read flash memory or other physical components. Both are invasive methods.
* Chip-off: This method requires physically removing flash memory chip and gathering information at the binary level.
* Micro read: This method examines the logic gates of the memory chip with an electron microscope. It’s very expensive, however, so it’s typically used only in cases involving national security.
- Paraben Software: A vendor of mobile forensics software, offers several tools, such as E3:DS, for mobile device investigations.
* E3:DS: It examines Internet of Things (IoT) devices, has a bootloader for locked mobile devices, and can perform data parsing and cloud data capture. Paraben offers different packages for a variety of uses.
* DataPilot: It has a collection of cables that can interface with phones made by Nokia, Motorola, Ericsson, Samsung, Audiovox, Sanyo, and others.
- BitPim: A tool used to view data on many CDMA phones, including LG, Samsung, Sanyo, and others. It offers versions for Windows, Linux, and macOS.
- Cellebrite UFED Forensic System: It works with smartphones, PDAs, tablets, and GPS devices. This kit comes with several hundred cables, includes handset support for phones from outside the United States, and handles multiple languages.
- Micro Systemation XRY: It retrieves data from smartphones, GPS devices, tablets, music players, and drones.
- MOBILedit Forensic: A forensics software tool containing a built-in write-blocker. It can connect to phones directly via Bluetooth, IrDA, or a cable and can read SIM cards by using a SIM reader. It’s notable for being very user-friendly.
Understanding Forensics in the Internet of Anything
The ITU has divided 5G into three categories
* enhanced Mobile BroadBand (eMBB): 5G that provides more bandwidth to increase digital connectivity for users.
* Ultra-reliable and Low-latency Communications (uRLLC): 5G that focuses on devices such as self-driving cars.
* massive Machine Type Communications (mMTC): 5G that focuses on smart cities.
The use of digital forensics with these 5G devices is now more difficult. People-to-device (P2D), device-to-device (D2D), and device-to-cloud (D2C) interactions will all be topics of investigation.
The Internet of Things (IoT) has presented digital forensics investigators with yet another obstacle.
In the coming decades, there will likely be 50 billion gadgets connected to the Internet.
Because mobile devices and appliances are so interconnected, it can be hard to pin down when an action occurred or which device or person actually performed it.
Investigators will face a variety of brand-new difficulties while collecting data from wearable computers.