Difference between pages "Applied Cellphone Forensics" and "Chip-Off BlackBerry Curve 9320"

From ForensicsWiki
===Applied Cellphone Forensics===

• Defining processes of the acquisition, preservation, and analysis of evidence
• Presentation of physical and digital cellular phone evidence in the investigation process
• Evidence regulation and its impacts in the investigation process
• Applications: practical forensic cases related to cellular phones

====Introduction====

Cellular telephones are a ubiquitous consumer device. Over 180 million subscribers are using one of over 500 different cellphones offered in the United States from over 30 different manufacturers, processing voice and data traffic over 4 carrier networks. Invariably, with so much voice and data traffic being sent from one cellphone to another, many of these phones can provide critical evidentiary data to crime scene investigators. Unfortunately, the forensic acquisition and analysis of these phones is a new process in the computer forensics world. Several reasons exist, but the main reasons are the lack of awareness and training of law enforcement agencies. This paper is an effort to change this deficiency.

====Processes of the Acquisition, Preservation, Analysis of Evidence====

Due to their nature, cell phones are acquired and preserved in the same action. This acquisition and preservation is done with various tools and technologies. The actual process of the virtual acquisition of the phone depends very much upon the manufacturer and model of the phone.

Usually, a visit to one of the phone carriers' outlet locations can provide you with the information detailing the specifics of the phone. However, in a worst-case scenario, removing the battery from its compartment will usually reveal the manufacturer name and specific model number.

Once the phone is identified, either through known identification or through the other aforementioned means, more information can be gleaned about the phone's technical specifications and capabilities by visiting the PhoneScoop (www.phonescoop.com) website.

Once identified, the phone is ready for the next step of the virtual acquisition.

'''''Off Network'''''

'''''Powered up'''''

To ensure a good evidence acquisition

'''''Cables'''''

It can be done through various cabling systems and various software applications. Examples of the cabling systems include Paraben's Cell Seizure Toolkit, Susteen's Law Enforcement Cabling Kit, or the various manufacturers' own data cables.

Specifically, at the time of this writing, Paraben's Cell Seizure Version 3.0 will acquire many phones from Nokia, LG, Sony-Ericsson, Motorola, Siemens, and Samsung.

Susteen SecureView Version 1 will acquire phones from LG, Motorola, Samsung, Sony-Ericsson, Sanyo, and Nokia. With Secure View, Susteen has included its cables from its popular Data Pilot system.

BitPim Version 8.08 will acquire phones from LG, Samsung, Audiovox, Sanyo, and Toshiba.

Other products include:<br>
Nokia's Oxygen PM Forensics Edition Version 2.8.7, which provides support for most Nokia phones as well as some Samsung and Mobiado phones<br>
Float's Mobile Agent<br>
iDEN Media Downloader<br>
iDEN Phonebook Manager<br>
SmartMoto<br>
GSM .XRY<br>
SuperAgent RSS<br>
MobilEdit<br>
Tulp2G<br>
Access Data's FTK<br>
Guidance Software's EnCase<br>

SIM Card software applications:<br>
SIM Seizure<br>
SIMCon<br>
Tulp2G<br>

Overly simplified…<br>

Is there a method for determining which application to use based on the phone? Can this be built from a database of knowledge?

Process of Cellphone Acquisition.<br>
1. Take the phone off the network via Faraday technology<br>
2. Connect a power source and ensure at least 50% charge<br>
3. Connect the data synchronization cable to the phone<br>
4. Launch the software application for acquisition and analysis<br>
5. Acquire the phone's image<br>

Process of SIM Card Acquisition.<br>
1. Connect the SIM card to the computer through a compliant card reader<br>
2. Launch the software application for acquisition and analysis<br>
3. Acquire and analyze the SIM card<br>

Process of Cellphone Analysis.<br>
What are we looking for:<br>
GSM: IMEI<br>
CDMA: ESN<br>
Short Dial Numbers<br>
SMS Messages<br>
Phone Settings (language, date/time, tone/volume, etc.)<br>
Stored Audio Recordings<br>
Stored Computer Files<br>
Logged incoming calls and dialed numbers<br>
Stored Executable Programs<br>
GPRS, WAP and Internet settings<br>
Calendar and Contacts<br>
Calls Made, Received, and Missed<br>
Ring Tones, Games, Pictures, Videos and other downloaded information<br>

Process of SIM Card Analysis.<br>
What are we looking for:<br>
Location Information<br>
SMS Messages<br>
Abbreviated Dialing Numbers<br>
Last Numbers Dialed<br>

====Presentation of Physical and Digital Cellular Phone Evidence in the Investigation Process====

Cellular Phone<br>
Forensic Evidence Folder Organization<br>
Analog – Screenshots of phones<br>
Digital – Reports from applications<br>
Word document for binding the information together<br>

====Evidence Regulation and its Impacts in the Investigation Process====

Cellphones are not hard drives<br>
Live versus dead animals<br>

Hard drives are coming though: http://itvibe.com/news/3934/

SIM cards are getting bigger too: http://www.vnunet.com/2150531

====Applications: Practical Forensic Cases Related to Cellular Phones====

Examples???
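The device identifiers that the analysis section above says to look for (GSM IMEI, CDMA ESN) can be sanity-checked before they are recorded in the evidence folder. This Python example is added here and is not part of either wiki page; the sample IMEI and ESN values are constructed, and the checks are the standard Luhn check digit on a 15-digit IMEI and the 8-bit manufacturer / 24-bit serial split between an ESN's hex and decimal forms.

```python
import re

# Constructed sample identifiers, not taken from any real device.
SAMPLE_IMEI = "490154203237518"   # 15 digits; the final digit 8 is the Luhn check digit
SAMPLE_ESN_HEX = "01ABCDEF"       # 32-bit CDMA ESN in its 8-hex-digit form

def luhn_total(digits: str) -> int:
    """Luhn sum over a digit string; a valid string has total % 10 == 0."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9          # same as adding the two digits of the product
        total += d
    return total

def imei_is_valid(imei: str) -> bool:
    """True if imei is 15 digits whose last digit is a correct Luhn check digit."""
    imei = re.sub(r"[\s-]", "", imei)   # tolerate '49-015420-323751-8' style formatting
    return len(imei) == 15 and imei.isdigit() and luhn_total(imei) % 10 == 0

def imei_tac(imei: str) -> str:
    """First 8 digits of a valid IMEI: the Type Allocation Code identifying make/model."""
    imei = re.sub(r"[\s-]", "", imei)
    if not imei_is_valid(imei):
        raise ValueError("invalid IMEI")
    return imei[:8]

def esn_hex_to_dec(esn_hex: str) -> str:
    """8-hex-digit ESN -> 11-digit decimal form (3-digit manufacturer + 8-digit serial)."""
    if not re.fullmatch(r"[0-9A-Fa-f]{8}", esn_hex):
        raise ValueError("ESN hex form must be 8 hex digits")
    value = int(esn_hex, 16)
    return f"{value >> 24:03d}{value & 0xFFFFFF:08d}"

def esn_dec_to_hex(esn_dec: str) -> str:
    """11-digit decimal ESN -> 8-hex-digit form; rejects fields outside 8-bit / 24-bit range."""
    if not re.fullmatch(r"[0-9]{11}", esn_dec):
        raise ValueError("ESN decimal form must be 11 digits")
    mfr, serial = int(esn_dec[:3]), int(esn_dec[3:])
    if mfr > 0xFF or serial > 0xFFFFFF:
        raise ValueError("ESN decimal fields exceed 8-bit / 24-bit range")
    return f"{(mfr << 24) | serial:08X}"
```

A transposed or mistyped IMEI fails the Luhn check, and an ESN recorded in one form can be cross-checked against the other before it is written into the report.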

Revision as of 13:26, 30 October 2013

Tear Down

  1. Remove the back panel.
(Image: 1-bb9320-BackPanelRemoved.jpg)
  2. Remove the SIM and SD memory card.
  3. Using a torx-6 screwdriver, remove the 2 visible screws on the back of the phone.
(Image: 2-bb9320-ScrewRemoval.jpg)
  4. Remove the screen protector using a shim, guitar pick, or prying tool.
(Image: 3-bb9320-ScreenRemoval.jpg)
  5. Remove 2 torx-5 screws.
(Image: 4-bb9320-ScrewRemoval.jpg)
  6. Use the shim to detach the outer bezel/keyboard from the device.
(Images: 5-bb9320-TopPlate.jpg, 5-1-bb9320-TopPlate.jpg)
  7. Remove 4 additional torx-6 screws. The main board will now separate easily from the back plate.
(Image: 6-bb9320-ScrewRemoval.jpg)
  8. Peel off the vendor sticker.
(Image: 7-bb9320-VendorPlate.jpg)
  9. Remove the plastic cover protecting the track pad ribbon cable, and disconnect the track pad.
  10. Remove the final torx-4 screw located beneath the plastic protector to remove the plastic keyboard overlay.
(Image: 8-bb9320-ScrewRemoval.jpg)
  11. Disconnect the ribbon cable connected to the LCD. Then, using a pick, separate the display from the main board.
(Image: 9-bb9320-ScreenRemoval.jpg)
  12. The tear down is now complete.
(Image: 9-1-bb9320-TearDownComplete.jpg)

eMMC Removal

  1. The eMMC is located beneath the heat shield directly above the Micro SD card slot.
(Image: 10-bb9320-EMMC-Location.jpg)
  2. Place the main board in a stand or holder and position it approximately 2 1/2 to 3 inches away from a heat gun or another device that blows very hot air.
(Image: 11-bb9320-HeatShield.jpg)
  3. Monitoring the temperature, the heat shield will come off easily between 190 and 200 degrees Centigrade.
(Images: 12-bb9320-HeatShield.jpg, 13-bb9320-HeatShieldRemoved.jpg)
  4. Continue working under the high heat. With the 9315/9320s I've worked on, the eMMC has been ready to lift off of the main board using tweezers immediately after removing the heat shield.
(Image: 14-bb9320-EMMC-Removed.jpg)
  5. Using liquid flux or flux paste and a soldering iron, clean the pads on the eMMC in preparation for a read.
(Images: 15-bb9320-EMMC-Cleanup.jpg, 16-bb9320-EMMC-Clean.jpg)
  6. The eMMC is now ready to read using the appropriate adapter/programmer and software.

At the time of this writing (2013OCT29), the eMMC removed in this example was read using a UP828 programmer via the "VBGA169E" adapter. The resulting image was then parsed with Cellebrite Physical Analyzer (v. 3.8.5.108).