LECTURE 16 Mobile Forensics (1)

Investigating the mobile forensic investigation process and the digital evidence it provides

  • Mobile phones are increasingly used in criminal activity.

  • Collecting mobile phone evidence is now standard practice.

    – For anybody held for questioning

    – Even if the subject is not charged

  • Mobile devices have a basic set of comparable features:

    • Microprocessor (e.g., Qualcomm Snapdragon 865)

    • Read Only Memory (ROM) stores the OS.

    • Random Access Memory (RAM) stores user data.

    • Radio module (2.4/5.8 GHz transceiver)

    • Digital signal processor

    • Microphone and speaker

    • Hardware keys and interfaces

    • Display (LCD, LED, or OLED)

  • Two generations of mobile phones

    • Feature phones: simple voice and messaging

    • Smartphones: advanced capabilities like PCs

Why use Feature Phones?

  1. Burner (disposable) low-cost devices

  2. Legacy hardware still in wide circulation (Nokia 3310)

  3. Privacy-conscious individuals in need of mobile telecoms

Feature Phone vs Smartphone Comparison: Hardware Characteristics

| Component   | Feature Phone                                   | Smartphone                                          |
|-------------|-------------------------------------------------|-----------------------------------------------------|
| Processor   | Limited speed (~52 MHz)                         | Superior speed (~1 GHz dual-core)                   |
| Memory      | Limited capacity (~5 MB)                        | Superior capacity (~128 GB)                         |
| Display     | Small size color, 4k – 260k (12-bit to 18-bit)  | Large size color, 16.7 million (~24-bit)            |
| Text Input  | Numeric Keypad, QWERTY-style keyboard           | Touch Screen, Handwriting Recognition, QWERTY-style |
| Voice Input | None                                            | Voice Recognition (Dialing and Control)             |
| Positioning | None or GPS receiver                            | GPS receiver                                        |
| Wireless    | IrDA, Bluetooth                                 | Bluetooth, WiFi, and NFC                            |

Software Characteristics for Feature Phone vs Smartphone

| Category                              | Feature Phone                      | Smartphone                                                   |
|---------------------------------------|------------------------------------|--------------------------------------------------------------|
| Operating System (OS)                 | Closed                             | Android, BlackBerry OS, iOS, Symbian, WebOS, Windows Phone   |
| PIM (Personal Information Management) | Phonebook, Calendar, Reminder List | Enhanced Phonebook, Calendar, Reminder List                  |
| Applications                          | Minimal (e.g., games, notepad)     | Wide range (e.g., games, office apps, social media)          |
| Call                                  | Voice                              | Voice, Video                                                 |
| Messaging                             | Text Messaging, MMS                | Text, Enhanced Text, Full Multimedia Messaging               |
| Chat                                  | Instant Messaging                  | Enhanced Instant Messaging                                   |
| Email                                 | Via text messaging                 | Via POP or IMAP server                                       |
| Web                                   | Via WAP Gateway                    | Direct HTTP                                                  |

Relevant Identifiers

  • IMEI (International Mobile Equipment ID)

    • Identifies a mobile device (can be checked with an IMEI lookup)

    • TAC: Identifies vendor & model

    • SNR: Identifies a specific unit manufactured by a vendor

  • IMSI (International Mobile Subscriber ID)

    • Identifies who pays the bill to the cellular network provider.

    • Includes mobile subscription identification number (MSIN).

    • Temporary IMSI is assigned while roaming.

  • ICCID (Integrated Circuit Card Identifier)

    • Identifies the SIM card itself

    • Composed of 19-20 digits.

    • MII (Major Issue ID), MCC (Mobile Country Code), Issuer ID, Account ID, Checksum.
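As an added example (not part of the lecture), the Python below splits the three identifiers above into the fields the slide names and validates the Luhn check digit that terminates an IMEI and an ICCID. The field widths (8-digit TAC, 6-digit SNR and one check digit in a 15-digit IMEI; 3-digit MCC plus a 2- or 3-digit MNC in an IMSI; 2-digit MII in an ICCID) are taken from the ISO/3GPP layouts rather than the slide, and all sample values are constructed.

```python
"""Field splitting and check-digit validation for IMEI, IMSI and ICCID.
Sample values are constructed (Luhn-valid where required); field widths are
assumed from the ISO/3GPP layouts, not taken from the lecture slide."""

def luhn_valid(number: str) -> bool:
    """Luhn (ISO/IEC 7812) check; IMEI and ICCID both end in a Luhn digit."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def parse_imei(imei: str) -> dict:
    """15-digit IMEI: TAC (vendor & model), SNR (unit), Luhn check digit."""
    if len(imei) != 15 or not imei.isdigit():
        raise ValueError("IMEI must be 15 digits")
    return {"tac": imei[:8], "snr": imei[8:14], "check_digit": imei[14],
            "luhn_ok": luhn_valid(imei)}

def parse_imsi(imsi: str, mnc_len: int = 2) -> dict:
    """IMSI (up to 15 digits): MCC, MNC, MSIN. The MNC is 2 or 3 digits
    depending on the region, so the caller supplies its length."""
    if not imsi.isdigit() or not 3 + mnc_len < len(imsi) <= 15:
        raise ValueError("IMSI must be digits: MCC + MNC + MSIN, at most 15")
    return {"mcc": imsi[:3], "mnc": imsi[3:3 + mnc_len], "msin": imsi[3 + mnc_len:]}

def parse_iccid(iccid: str) -> dict:
    """19-20 digit ICCID: MII, issuer/account body, Luhn check digit."""
    if not iccid.isdigit() or not 19 <= len(iccid) <= 20:
        raise ValueError("ICCID must be 19-20 digits")
    return {"mii": iccid[:2], "body": iccid[2:-1], "check_digit": iccid[-1],
            "luhn_ok": luhn_valid(iccid)}

SAMPLE_IMEI = "490154203237518"        # constructed, Luhn-valid
SAMPLE_IMSI = "234150123456789"        # constructed
SAMPLE_ICCID = "8944101234567890128"   # constructed, Luhn-valid

if __name__ == "__main__":
    print("IMEI ", parse_imei(SAMPLE_IMEI))
    print("IMSI ", parse_imsi(SAMPLE_IMSI))
    print("ICCID", parse_iccid(SAMPLE_ICCID))
```

A failed Luhn check on a recorded IMEI or ICCID usually means a transcription error in the exhibit notes rather than a tampered device, which is why the check is worth running before the value goes onto a chain-of-custody form.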

Cellular/Mobile Networks: base stations

  • Mobile phones communicate through radio frequency/wave.

  • Cellular network: composed of cellular radio towers (base stations).

  • Each base station:

    • Has an ID called SID number

    • Has coordinates for geo-location.

  • A Cell is an area covered by 3 base stations.

  • Each base station streams frequencies in 3 directions (frequency channels).

How Do Mobile Networks Work?

  • Mobile "pings" the provider with IMEI, IMSI, and ICCID.

  • If the provider (identified by a SID number) is within range, the provider checks the numbers against its databases.

  • Mobile switches to connect to the right frequency.

Mobile Communication Standards

  • GSM: Global System for Mobile Communication

  • CDMA: Code-Division Multiple Access

  • 4G LTE: Long-Term Evolution

  • WiMAX: Worldwide Interoperability for Microwave Access

Cell Network Technologies: Generations

|             | 2G                                                       | 3G                                       | 4G                                 | 5G                                                                                       |
|-------------|----------------------------------------------------------|------------------------------------------|------------------------------------|------------------------------------------------------------------------------------------|
| Introduced  | 1993                                                     | 2001                                     | 2009                               | 2018                                                                                     |
| Technology  | GSM                                                      | WCDMA                                    | LTE, WiMAX                         | MIMO, mm Waves                                                                           |
| Access      | TDMA, CDMA                                               | CDMA                                     | CDMA                               | OFDM, BDMA                                                                               |
| Switching   | Circuit switching for voice and packet switching for data | Packet switching except for air interface | Packet switching                   | Packet switching                                                                         |
| Internet    | Narrowband                                               | Broadband                                | Ultra broadband                    | Wireless World Wide Web                                                                  |
| Bandwidth   | 25 MHz                                                   | 25 MHz                                   | 100 MHz                            | 30 GHz to 300 GHz                                                                        |
| Application | Voice calls, short messages                              | Video conferencing, mobile TV, GPS       | High speed applications, mobile TV | High resolution video streaming, remote control of vehicles, robots, and medical procedures |

Other Wireless Technologies used by mobile devices

  • Bluetooth: secure connection between mobile and peripherals at close range.

  • NFC: Near Field Communication; shares info between 2 compatible devices that are close (< 0.2 m).

  • GPS: Global Positioning System; provides global positioning coordinates.

  • Satellite phones: useful in areas not covered by cellular networks.


Digital Forensics Investigation Process

  1. Preparation Phase

  2. Acquisition & Preservation

  3. Examination & Analysis

  4. Reporting & Presentation

Preparation Phase: Considerations

  • What is known about the case?

  • Which resources will be required?

  • Which expertise / specialty will be required?

  • Which are the best practices & applicable standards?

  • Who will be involved in the investigation?

  • Any special considerations? E.g.,

    • About confidentiality

    • About preservation of “wet forensic evidence”

Acquisition & Preservation Phase: Considerations

ACPO Principles for Digital Evidence

  • Principle 1: Don’t change evidence.

  • Principle 2: If you do change evidence, be qualified to explain the implications.

  • Principle 3: Keep an audit trail; results must be repeatable.

  • Principle 4: The Officer in Charge is responsible for compliance.

ACPO Principle 1 & Mobile Phones

Mobile phones pose a problem because it isn’t normally possible NOT to alter evidence:

  • Turning on the phone will cause evidence to be altered

  • Removing the battery may cause evidence to be altered

  • Interacting with the phone will alter evidence

ACPO Principle 2 & Mobile Phones

Extra care/evidence must be gathered for proof of investigator’s actions

  • Anything that can alter data

  • Cloning SIM card (removal of SIM & potential removal of battery)

  • Using phone to get IMEI number (*#06#)

  • Data acquisition apparatus (e.g., Cellebrite UFED) may write data to the device

  • Some devices will alter flags on the data (e.g., changing messages from ‘unread’ to ‘read’)

ACPO Principle 3 & Mobile Phones

Take lots of photographs / record videos:

  – Of the actual device

    • Data on the device may differ from that reported by software (e.g., daylight saving)

  – Your interactions with the device

  – Content of the device screen

  – Damage to the device

  – Identifying information (model numbers, etc.)

  – Sign chain of custody / exhibit forms

ACPO Principle 4 & Mobile Phones

Keep the Officer in Charge informed:

  – Particularly when you know you will change data

  – Discovery of unrelated “evidence of criminal activity”

  – Gaining permission for the method to be used for acquisition

  – Report on results

  – Manage expectations

Integrity of Evidence

  • ACPO principles are crucial to build a compelling statement of authenticity.

  • ACPO 1 and 2 concern device integrity and explainability of changes.

  • ACPO 3 and 4 are crucial for non-repudiation and establishing provenance. Devices may be remotely accessible, so changes need to be accounted for beyond lab activities.

Conclusion

  • Mobile devices:

    – Have diverse communication capabilities

    – Can be remotely accessed by owners

    – Store a wealth of personal and positional data

  • Investigations must follow core principles:

    – ACPO Principles

    – Preventing tampering by remote parties