Difference between pages "Applied Cellphone Forensics" and "JTAG Huawei TracFone M866C"

From ForensicsWiki
(Difference between pages)
 
(Huawei M866C - Ascend Y)
 
Line 1: Line 1:
===Applied Cellphone Forensics===
+
== Huawei  H866C - Ascend Y ==
  
• Defining processes of the acquisition, preservation, analysis of evidence
+
This phone is supported by the Tracfone. This uses a Qualcomm 7625A 800 MHz (S1) Processor and comes standard with Android version 2.3. This phone is unsupported by RIFF Box for the JTAG process for resurrector.
  
• Presentation of physical and digital cellular phone evidence in the investigation process
+
{| border="1" cellpadding="2"
 +
|-
 +
| [[ File:Huawei-tracfone-m866c-front.JPG | 200px ]]
 +
|-
 +
|}
  
• Evidence regulation and its impacts in the investigation process
+
=== Getting Started ===
  
• Applications: practical forensic cases related to cellular phones
 
  
====Introduction====
+
What you need:
Cellular telephones are a ubiquitous consumer device. Over 180 million subscribers are using one of over 500 different cellphones offered in the United States from over 30 different manufacturers, processing voice and data traffic over 4 carrier networks. Invariably, with so much voice and data traffic being sent from one cellphone to another, many of these phones can provide critical evidentiary data to crime scene  investigators. Unfortunately, the forensic acquisition and analysis of these phones is a new process in the computer forensics world. Several reasons exist, but the main reasons are the lack of awareness and training of law enforcement agencies. This paper is an effort to change this deficiency.
+
  
====Processes of the Acquisition, Preservation, Analysis of Evidence ====
 
Due to their nature, cell phones are acquired and preserved in the same action. This acquisition and preservation is done with various tools and technologies. It can be done through various cabling systems and various software applications. Examples of the cabling systems include Paraben’s Cell Seizure Toolkit, Susteen’s Law Enforcement Cabling Kit, or the various manufacturers data cables.
 
  
The various software applications include:<br>
+
# Riff Box
Paraben’s Cell Seizure<br>
+
# USB to Micro USB cord
Susteen’s SecureView<br>
+
BITPim<br>
+
Nokia’s Oxygen PM Forensic Edition<br>
+
FloAt's Mobile Agent<br>
+
iDEN Media Downloader<br>
+
iDEN Phoenbook Manager<br>
+
SmartMoto<br>
+
GSM .XRY<br>
+
SuperAgent RSS<br>
+
MobilEdit<br>
+
Tulp2G<br>
+
Access Data’s FTK<br>
+
Guidance Software’s EnCase<br>
+
  
SIM Card software applications:<br>
 
SIM Seizure<br>
 
SIMCon<br>
 
Tulp2G<br>
 
  
 +
=== NAND Dump Procedure ===
  
Overly simplified…<br>
 
  
Is there a method for determining which application to use based on the phone?
+
# Remove the battery and peel the label back to expose the TAPS.
Can this be built from a database of knowledge
+
# Connect the RIFF box to the PC via USB.
 +
# Connect the RIFF box to the PCB via the JTAG pins.
 +
# Connect the PCB to a Micro USB cord and power via a power supply.
 +
# Start the "RIFF box" software.
 +
# Power the PCB.
 +
# Dump the NAND.
  
Process of Cellphone Acquisition.<br>
 
1. Take phone off network via faraday technology<br>
 
2. Connect power source and ensure at least 50% charge<br>
 
3. Connect the data synchronization cable to the phone<br>
 
4. Launch the software application for acquisition and analysis<br>
 
5. Acquire the phones image<br>
 
  
Process of SIM Card Acquisition.<br>
+
The TAPS are located under the battery, behind the Huawei phone label. The phone will be powered by a Micro USB cord from an AC battery charger.
1. Connect SIM Card to Computer through a compliant card reader<br>
+
2. Launch the software application for acquisition and analysis<br>
+
3. Acquire and Analyze the SIM Card<br>
+
  
Process of Cellphone Analysis.<br>
 
What are we looking for:<br>
 
GSM: IMEI<br>
 
CDMA: ESN<br>
 
Short Dial Numbers<br>
 
SMS Messages<br>
 
Phone Settings (language, date/time, tone/volume etc)<br>
 
Stored Audio Recordings<br>
 
Stored Computer Files<br>
 
Logged incoming calls and dialed numbers<br>
 
Stored Executable Programs<br>
 
GPRS, WAP and Internet settings<br>
 
Calendar and Contacts<br>
 
Calls Made, Received, and Missed<br>
 
Ring Tones, Games, Pictures, Videos and other Downloaded information<br>
 
  
 +
The TAPS order is as follows:
  
Process of SIM Card Analysis.<br>
+
# 1=Not Used
What are we looking for:<br>
+
# 2=TCK
Location Information<br>
+
# 3=GND
SMS Messages<br>
+
# 4=TMS
Abbreviated Dialing Numbers<br>
+
# 5=TDI
Last Numbers Dialed<br>
+
# 6=TDO
 +
# 7=RTCK
 +
# 8=TRST
 +
# 9=NRST
  
  
====Presentation of Physical and Digital Cellular Phone Evidence in the Investigation Process ====
+
{| border="1" cellpadding="2"
Cellular Phone<br>
+
|-
Forensic Evidence Folder Organization<br>
+
| [[ File:Hauwei_U866C_TAPS.jpg | 600px ]]
Analog – Screenshots of phones<br>
+
|-
Digital – Reports from applications<br>
+
|}
Word Document for binding information together<br>
+
  
  
====Evidence Regulation and its Impacts in the Investigation Process ====
+
After the wires are connected to the board, the phone is powered by the USB connection. Plug the Micro USB into the USB connection on the device and then plug the phone into a wall outlet. The phone should respond with the vibrator switch activating for less than a second.
Cellphones are not hard drives<br>
+
Live versus dead animals<br>
+
  
Hard Drives are coming tho: http://itvibe.com/news/3934/
 
  
SIM cards are getting bigger too: http://www.vnunet.com/2150531
+
Launch the Riff Box JTAG Manager and use the following settings:
====Applications: Practical Forensic Cases Related to Cellular Phones ====
+
 
Examples???
+
 
 +
* JTAG TCK Speed = RTCK
 +
* Resurrector Settings= Huawei U8655
 +
* Auto FullFlash size
 +
 
 +
{| border="1" cellpadding="2"
 +
|-
 +
| [[ File:M866C_setting.jpg | 800px ]]
 +
|-
 +
|}
 +
 
 +
 
 +
Advanced Settings:
 +
 
 +
 
 +
* Ignore Target IDCODE during Resurrection and DCC Loader operations
 +
 
 +
 
 +
{| border="1" cellpadding="2"
 +
|-
 +
| [[ File:huawei-tracfone-m865c-riff-advanced-settings.jpg | 600px ]]
 +
|-
 +
|}
 +
 
 +
 
 +
Then connect and get the ID, you should receive the dead body signal. Then read the memory.
 +
 
 +
 
 +
=== Notes ===
 +
 
 +
 
 +
The phone has a 512 MB NAND flash memory chip which should take approximately 30 minutes to download.
 +
 
 +
 
 +
=== References ===
 +
*http://www.phonescoop.com/phones/phone.php?p=3308
 +
*http://www.riffbox.org/
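
Review bot: the new heading reads "Huawei  H866C - Ascend Y" while the target page title and the edit summary both say M866C, and the image file names in this hunk use U866C and m865c, so the model designation should be made consistent, at least between the heading and the page title. The intro line also says the phone is "unsupported by RIFF Box for the JTAG process for resurrector", yet the settings list selects "Resurrector Settings= Huawei U8655"; the text should say explicitly that the U8655 resurrector is being used in place of a dedicated one, if that is the intent. The capitalisation of the tool name varies as well ("Riff Box", "RIFF box", "RIFF Box").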

Latest revision as of 20:51, 25 November 2013

Huawei H866C - Ascend Y

This phone is supported by Tracfone. It uses a Qualcomm 7625A 800 MHz (S1) processor and comes standard with Android version 2.3. RIFF Box does not support this phone for the resurrector JTAG process.

[Image: Huawei-tracfone-m866c-front.JPG]

Getting Started

What you need:


  1. RIFF Box
  2. USB to Micro USB cord


NAND Dump Procedure

  1. Remove the battery and peel the label back to expose the TAPS.
  2. Connect the RIFF Box to the PC via USB.
  3. Connect the RIFF Box to the PCB via the JTAG pins.
  4. Connect the PCB to a Micro USB cord and power via a power supply.
  5. Start the RIFF Box software.
  6. Power the PCB.
  7. Dump the NAND.


The TAPS are located under the battery, behind the Huawei phone label. The phone will be powered by a Micro USB cord from an AC battery charger.


The TAPS order is as follows:

  1. Not Used
  2. TCK
  3. GND
  4. TMS
  5. TDI
  6. TDO
  7. RTCK
  8. TRST
  9. NRST


[Image: Hauwei U866C TAPS.jpg]


After the wires are connected to the board, the phone is powered by the USB connection. Plug the Micro USB into the USB connection on the device and then plug the phone into a wall outlet. The phone should respond with the vibrator switch activating for less than a second.


Launch the RIFF Box JTAG Manager and use the following settings:


  • JTAG TCK Speed = RTCK
  • Resurrector Settings = Huawei U8655
  • Auto FullFlash size

[Image: M866C setting.jpg]


Advanced Settings:


  • Ignore Target IDCODE during Resurrection and DCC Loader operations


[Image: Huawei-tracfone-m865c-riff-advanced-settings.jpg]


Then connect and get the ID; you should receive the dead body signal. Then read the memory.


Notes

The phone has a 512 MB NAND flash memory chip which should take approximately 30 minutes to download.
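
Once the read finishes, the saved image can be checked before any analysis starts. The script below is an added example, not part of the original wiki page or of the RIFF Box software: it confirms that the file matches the 512 MB stated above, records a SHA-256 for the case notes, and counts blocks that came back as all 0xFF or all 0x00. The 128 KiB block size and the file path passed on the command line are assumptions.

```python
import hashlib
import sys

EXPECTED_SIZE = 512 * 1024 * 1024  # 512 MB NAND, from the Notes section
BLOCK_SIZE = 128 * 1024            # assumed block size, used only for reporting


def check_dump(path, expected_size=EXPECTED_SIZE, block_size=BLOCK_SIZE):
    """Read a raw dump once and return its size, SHA-256 and blank-block counts."""
    digest = hashlib.sha256()
    size = blocks = erased = zeroed = 0
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(block_size)
            if not chunk:
                break
            digest.update(chunk)
            size += len(chunk)
            blocks += 1
            if chunk.count(0xFF) == len(chunk):    # erased flash reads as 0xFF
                erased += 1
            elif chunk.count(0x00) == len(chunk):  # all-zero block
                zeroed += 1
    return {
        "size": size,
        "size_ok": size == expected_size,          # False for a short or oversized read
        "sha256": digest.hexdigest(),
        "blocks": blocks,
        "erased_blocks": erased,
        "zero_blocks": zeroed,
        # An image with no non-blank block carries no data; repeat the read.
        "all_blank": blocks > 0 and erased + zeroed == blocks,
    }


if __name__ == "__main__":
    # Usage: python check_dump.py <path to the saved full-flash image>
    report = check_dump(sys.argv[1])
    for key, value in report.items():
        print(f"{key}: {value}")
    sys.exit(0 if report["size_ok"] and not report["all_blank"] else 1)
```

Run it against a working copy opened read-only, and keep the reported hash with the acquisition notes so later copies can be compared against it.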

