Difference between pages "Vendors" and "Applied Cellphone Forensics"

From ForensicsWiki
(Difference between pages)
(Training)
 
 
Line 1: Line 1:
= Software Vendors =
+
===Applied Cellphone Forensics===
  
; [[X-Ways Software]]
+
• Defining processes of the acquisition, preservation, analysis of evidence
: http://www.x-ways.net/
+
  
; [[Tech Assist, Inc.]]
+
• Presentation of physical and digital cellular phone evidence in the investigation process
: http://www.toolsthatwork.com/
+
  
= Hardware Vendors =
+
• Evidence regulation and its impacts in the investigation process
  
; [[ForensicPC]]
+
• Applications: practical forensic cases related to cellular phones
: http://www.forensicpc.com/
+
: Various [[Write Blockers]], [[forensic field kit]]s, forensics software, etc.
+
  
; [[Wiebetech]]
+
====Introduction====
: http://wiebetech.com/
+
Cellular telephones are a ubiquitous consumer device. Over 180 million subscribers are using one of over 500 different cellphones offered in the United States from over 30 different manufacturers, processing voice and data traffic over 4 carrier networks. Invariably, with so much voice and data traffic being sent from one cellphone to another, many of these phones can provide critical evidentiary data to crime scene  investigators. Unfortunately, the forensic acquisition and analysis of these phones is a new process in the computer forensics world. Several reasons exist, but the main reasons are the lack of awareness and training of law enforcement agencies. This paper is an effort to change this deficiency.
: Various [[Write Blockers]], [[forensic field kit]]s, etc.
+
  
= Training =
+
====Processes of the Acquisition, Preservation, Analysis of Evidence ====
<b> The Conference and Training List is provided by the American Academy of Forensic Sciences (AAFS) Digital and Multi-media Listserv</b>
+
Due to their nature, cell phones are acquired and preserved in the same action. This acquisition and preservation is done with various tools and technologies. The actual process of the virtual acquisition of the phone depends very much upon the manufacturer and model of the phone.  
<i> (Subscribe by sending an email to listserv@lists.mitre.org with message body containing SUBSCRIBE AAFS-DIGITAL-MULTIMEDIA-LIST)</i>
+
<br><br>
<table BORDER=0 CELLSPACING=0 CELLPADDING=5 BGCOLOR="#CCFFFF" >
+
Usually, a visit to one of the phone carriers’ outlet location can provide you with the information detailing the specifics of the phone. However, in a worst case scenario, removing the battery out from its compartment usually will provide you with the manufacturer name and specific model number.
<tr><td ALIGN=CENTER WIDTH="100%" HEIGHT="20" BGCOLOR="#ADD8E6" class="columnheader"><B>UPCOMING EVENTS</B></td></tr>
+
<br><br>
<tr><td><center><b>CONFERENCES</b></center></td><tr>
+
Once the phone is identified, either through known identification or through other aforementioned means, more information can be gleaned about the phones technical specifications and capabilities by visiting the PhoneScoop (www.phonescoop.com) website.  
<tr><td class="events">CanSecWest/Core06<br>Apr 03-07, Vancouver, BC, Canada<br>http://cansecwest.com</td></tr>
+
<br><br>
<tr><td class="events">LayerOne 2006<br>Apr 15-16, Los Angeles, CA<br>http://www.layerone.info/index.html</td></tr>
+
Once identified, the phone is ready for the next step of the virtual acquisition.
<tr><td class="events">2006 GFIRST Conference<br>Apr 30-May 05, Orlando, FL<br>http://www.us-cert.gov/GFIRST</td></tr>
+
<br><br>
<tr><td class="events">Computer and Enterprise Investigations Conference (CEIC) 2006<br>May 03-06, Las Vegas, NV<br>http://www.ceic2006.com</td></tr>
+
'''''Off Network'''''
<tr><td class="events">HTCIA  Silicon Valley Training Conference 2006<br>May 08-10, Santa Clara, CA<br>http://htciatraining.org/general_info.asp</td></tr>
+
<br><br>
<tr><td class="events">21st IFIP International Information Security Conference<br>May 22-24, Karlstad, Sweden<br>http://www.sec2006.org</td></tr>
+
'''''Powered up'''''
<tr><td class="events">2006 USENIX Annual Technical Conference<br>May 30-Jun 03, Boston, MA<br>http://www.usenix.org/events/usenix06/</td></tr>
+
<br><br>
<tr><td class="events">2006 Techno-Security Conference<br>Jun 04-07, Myrtle Beach, SC<br>http://www.techsec.com/html/Techno2006.html</td></tr>
+
To ensure a good evidence acquisition
<tr><td class="events">CSI Netsec Conference<br>Jun 12-14, Scottsdale, AZ<br>http://www.gocsi.com/netsec/</td></tr>
+
<br><br>
<tr><td class="events">RECON 2006<br>Jun 16-18, Montreal, Quebec, Canada<br>http://recon.cx</td></tr>
+
'''''Cables'''''
<tr><td class="events">Information Hiding Conference 2006<br>Jul 10-12, Alexandria, VA<br>http://ih2006.jjtc.com</td></tr>
+
<br><br>
<tr><td class="events">BlackHat Briefings and Training<br>Jul 29-Aug 03, Las Vegas, NV<br>http://www.blackhat.com/html/bh-link/briefings.html</td></tr>
+
It can be done through various cabling systems and various software applications. Examples of the cabling systems include Paraben’s Cell Seizure Toolkit, Susteen’s Law Enforcement Cabling Kit, or the various specific manufacturers’ data cables.  
<tr><td class="events">15th USENIX Security Symposium<br>Jul 31-Aug 04, Vancouver, BC, Canada<br>http://www.usenix.org/events/sec06/</td></tr>
+
<br><br>
<tr><td class="events">DefCon 14<br>Aug 04-06, Las Vegas, NV<br>http://www.defcon.org</td></tr>
+
Specifically, at the time of this writing, Paraben’s Cell Seizure Version 3.0 will acquire many phones from Nokia, LG, Sony-Ericsson, Motorola, Siemens, and Samsung.
<tr><td class="events">RCFG International Training Symposium 2006 - GMU<br>Aug 07-11, Fairfax, VA<br>http://www.rcfg.org/</td></tr>
+
<br><br>
<tr><td class="events">Digital Forensics Research Workshop 2006<br>Aug 14-16, Lafayette, IN<br>http://www.dfrws.org</td></tr>
+
Susteen SecureView Version 1 will acquire phones from LG, Motorola, Samsung, Sony-Ericsson, Sanyo, and Nokia. With Secure View, Susteen has included its cables from it’s popular Data Pilot system.
<tr><td class="events">International Conference on IT-Incident Management & IT-Forensics<br>Oct 18-19, Stuttgart, Germany<br>http://www.imf-conference.org</td></tr>
+
<br><br>
<tr><td class="events">HTCIA 2006 International Training Conference and Expo<br>Oct 29-Nov 01, Cleveland, OH<br>http://www.ohiohtcia.org/conf_main.html</td></tr>
+
BITPim, Version 8.08 will acquire phones from LG, Samsung, Audiovox, Sanyo, Toshiba
<tr><td><center><b>ON-GOING/CONTINUOUS TRAINING</b></center></td><tr>
+
<br><br>
<tr><td class="events">Basic Computer Examiner Course<br>Computer Forensic Training Online<br>http://www.cftco.com</td></tr>
+
Other products include: Nokia’s Oxygen PM Forensics Edition Verision 2.8.7 provides support for most Nokia phones as well as some Samsung and Mobiado phones
<tr><td class="events">MaresWare Suite Training<br>First full week every month, Atlanta, GA<br>http://www.maresware.com/maresware/training/maresware.htm</td></tr>
+
<br><br>
<tr><td class="events">Linux Data Forensics Training<br>Distance Learning Format<br>http://www.crazytrain.com/training.html</td></tr>
+
Float’s Mobile Agent
<tr><td><center><b>SCHEDULED  TRAINING COURSES</b></center></td>
+
<br><br>
<tr><td class="events">Advanced Data Recovery and Analysis, Internet Trace Evidence-ADRA-INET<br>Apr 03-06, Burlington, VT (Burlington Police Department)<br>http://nw3c.org/courses_adra_inet.cfm<br><b>Limited to Law Enforcement</b></td></tr>
+
iDEN Media Downloader
<tr><td class="events">SMART Linux Data Forensics Training<br>Apr 03-06, Austin, TX<br>http://www.asrdata.com/training/training2.html</td></tr>
+
<br><br>
<tr><td class="events">Basic Data Recovery and Aquisition-BDRA<br>Apr 03-07, Miami, FL (Florida Department of Law Enforcement (FDLE))<br>http://nw3c.org/courses_bdra.cfm<br><b>Limited to Law Enforcement</b></td></tr>
+
iDEN Phoenbook Manager
<tr><td class="events">Intermediate Data Recovery and Analysis-IDRA<br>Apr 03-07, Concord, NH (New Hampshire Attorney Generals Office)<br>http://nw3c.org/courses_idra.cfm<br><b>Limited to Law Enforcement</b></td></tr>
+
<br><br>
<tr><td class="events">CCE Bootcamp<br>Apr 03-07, Bergen County Law and Public Safety Institute, Mahwah, NJ<br>http://www.cce-bootcamp.com</td></tr>
+
SmartMoto
<tr><td class="events">Professional Hacking Business Class<br>Apr 03-07, Dallas, TX<br>http://www.vigilar.com/training_professional_hacking.html</td></tr>
+
<br><br>
<tr><td class="events">Ethical Hacking: Security Testing and Certified Ethical Hacker<br>Apr 03-07, Washington, DC<br>http://www.infosecinstitute.com/courses/ethical_hacking_training.html</td></tr>
+
GSM .XRY
<tr><td class="events">AccessData BootCamp<br>Apr 04-06, Austin, TX<br>http://www.accessdata.com/training</td></tr>
+
<br><br>
<tr><td class="events">AccessData Windows Forensics<br>Apr 04-06, London, England<br>http://www.accessdata.com/training</td></tr>
+
SuperAgent RSS
<tr><td class="events">Helix Incident Response & Forensics<br>Apr 05-07, San Antonio, TX<br>http://www.e-fense.com/103signup.html</td></tr>
+
<br><br>
<tr><td class="events">Anti-Hacking for Network Penetration Testing ECSA<br>Apr 10-14, Sunnyvale, CA<br>http://www.securityuniversity.net/classes_anti-hacking_pentest.php</td></tr>
+
MobilEdit
<tr><td class="events">Professional Hacking Business Class<br>Apr 10-14, Boston, MA<br>http://www.vigilar.com/training_professional_hacking.html</td></tr>
+
<br><br>
<tr><td class="events">Applied Computer Forensics Business Boot Camp<br>Apr 10-14 , Norman, OK<br>http://www.vigilar.com/training_cce.html?mc=ggaw_Forensics_training</td></tr>
+
Tulp2G<br>
<tr><td class="events">Digital Evidence Acquisition Specialist Training Program (DEASTP)<br>Apr 10-21, FLETC, Glynco, GA<br>http://www.fletc.gov/cfi/fy06tibsched.htm<br><b>Limited to Law Enforcement</b></td></tr>
+
Access Data’s FTK<br>
<tr><td class="events">AccessData BootCamp<br>Apr 11-13, Denver, CO and Philadelphia, PA<br>http://www.accessdata.com/training</td></tr>
+
Guidance Software’s EnCase<br>
<tr><td class="events">AccessData Windows Forensics<br>Apr 11-13, Cleveland/Richfield, OH<br>http://www.accessdata.com/training</td></tr>
+
 
<tr><td class="events">Catching the Hackers Intro to IDS<br>Apr 17-19, McLean, VA<br>http://www.securityuniversity.net/classes_introIDS.php</td></tr>
+
SIM Card software applications:<br>
<tr><td class="events">Advanced SMART Linux Data Forensics Training<br>Apr 17-20, Austin, TX<br>http://www.asrdata.com/training/training2.html</td></tr>
+
SIM Seizure<br>
<tr><td class="events">Investigation of Online Child Exploitation, Level I <br>Apr 17-21, Sacramento, CA<br>http://www.search.org/programs/hightech/calendar.asp<br><b>Limited to Law Enforcement</b></td></tr>
+
SIMCon<br>
<tr><td class="events">Advanced Data Recovery and Analysis, Windows-ADRA-NTx<br>Apr 17-21, Birmingham, AL (Jefferson County Sheriffs Office)<br>http://nw3c.org/courses_adra_ntx.cfm<br><b>Limited to Law Enforcement</b></td></tr>
+
Tulp2G<br>
<tr><td class="events">Ethical Hacking: Security Testing and Certified Ethical Hacker<br>Apr 17-21, Sierra Vista, AZ<br>http://www.infosecinstitute.com/courses/ethical_hacking_training.html</td></tr>
+
 
<tr><td class="events">AccessData Windows Forensics<br>Apr 18-20, San Francisco/Redwood City, CA<br>http://www.accessdata.com/training</td></tr>
+
 
<tr><td class="events">Advanced Data Recovery and Analysis, Internet Trace Evidence-ADRA-INET<br>Apr 24-27, Buffalo Grove, IL (Buffalo Grove Police Department)<br>http://nw3c.org/courses_adra_inet.cfm<br><b>Limited to Law Enforcement</b></td></tr>
+
Overly simplified…<br>
<tr><td class="events">The Investigation of Computer Crime <br>Apr 24-28, Edneyville, NC<br>http://www.search.org/programs/hightech/calendar.asp<br><b>Limited to Law Enforcement</b></td></tr>
+
 
<tr><td class="events">Basic Data Recovery and Aquisition-BDRA<br>Apr 24-28, Franklin, MA (NESPIN)<br>http://nw3c.org/courses_bdra.cfm<br><b>Limited to Law Enforcement</b></td></tr>
+
Is there a method for determining which application to use based on the phone?
<tr><td class="events">Applied Computer Forensics Boot Camp<br>Apr 24-28 , Atlanta, GA<br>http://www.vigilar.com/training_cce.html?mc=ggaw_Forensics_training</td></tr>
+
Can this be built from a database of knowledge
<tr><td class="events">Professional Hacking Business Class<br>Apr 24-28, Los Angeles, CA<br>http://www.vigilar.com/training_professional_hacking.html</td></tr>
+
 
<tr><td class="events">How to Break Software Security + SW Coding Fundamentals<br>Apr 24-28, McLean, VA<br>http://www.securityuniversity.net/classes_SI_SW_Security%20Testing_%20BP.php</td></tr>
+
Process of Cellphone Acquisition.<br>
<tr><td class="events">IACIS 2006 Annual Computer Forensic Training<br>Apr 24-May 05, Altamonte Springs, FL<br>http://www.cops.org<br><b>Limited to Law Enforcement</b></td></tr>
+
1. Take phone off network via faraday technology<br>
<tr><td class="events">SMART Linux Data Forensics Training<br>May 01-04, Austin, TX<br>http://www.asrdata.com/training/training2.html</td></tr>
+
2. Connect power source and ensure at least 50% charge<br>
<tr><td class="events">Windows Client Email Data Structures-EMAIL<br>May 01-05, Chicago, IL (Chicago Police Department)<br>http://nw3c.org/courses_adra_email.cfm<br><b>Limited to Law Enforcement</b></td></tr>
+
3. Connect the data synchronization cable to the phone<br>
<tr><td class="events">CEH Ethical Hacking Certification Class<br>May 01-05, McLean, VA<br>http://www.securityuniversity.net/classes_CEH.php</td></tr>
+
4. Launch the software application for acquisition and analysis<br>
<tr><td class="events">Seized Computer Evidence Recovery Specialist Training Program (SCERS)<br>May 01-12, FLETC, Glynco, GA<br>http://www.fletc.gov/cfi/fy06tibsched.htm<br><b>Limited to Law Enforcement</b></td></tr>
+
5. Acquire the phones image<br>
<tr><td class="events">AccessData BootCamp<br>May 02-04, Glasgow, Scotland<br>http://www.accessdata.com/training</td></tr>
+
 
<tr><td class="events">AccessData Windows Forensics<br>May 02-04, Chicago, IL<br>http://www.accessdata.com/training</td></tr>
+
Process of SIM Card Acquisition.<br>
<tr><td class="events">Advanced Data Recovery and Analysis, Windows-ADRA-NTx<br>May 08-12, Tallahassee, FL (Florida Department of Law Enforcement (FDLE))<br>http://nw3c.org/courses_adra_ntx.cfm<br><b>Limited to Law Enforcement</b></td></tr>
+
1. Connect SIM Card to Computer through a compliant card reader<br>
<tr><td class="events">Anti-Hacking for Network Penetration Testing ECSA<br>May 08-12, Sunnyvale, CA<br>http://www.securityuniversity.net/classes_anti-hacking_pentest.php</td></tr>
+
2. Launch the software application for acquisition and analysis<br>
<tr><td class="events">Professional Hacking Business Class<br>May 08-12, Chicago, IL<br>http://www.vigilar.com/training_professional_hacking.html</td></tr>
+
3. Acquire and Analyze the SIM Card<br>
<tr><td class="events">AccessData BootCamp<br>May 09-11, St. Paul, MN<br>http://www.accessdata.com/training</td></tr>
+
 
<tr><td class="events">AccessData Windows Forensics<br>May 09-11, Durham, NC<br>http://www.accessdata.com/training</td></tr>
+
Process of Cellphone Analysis.<br>
<tr><td class="events">Network Exploitation Analysis Training Program (NEATP)<br>May 09-18, FLETC, Glynco, GA<br>http://www.fletc.gov/cfi/fy06tibsched.htm<br><b>Limited to Law Enforcement</b></td></tr>
+
What are we looking for:<br>
<tr><td class="events">Anti-Hacking for Trojans,Virus, Patch Mgt and Incident Response<br>May 15-17, Sunnyvale, CA<br>http://www.securityuniversity.net/classes_anti-hacking_trojans_virus_patchmgt.php</td></tr>
+
GSM: IMEI<br>
<tr><td class="events">The Investigation of Computer Crime <br>May 15-19, Moline, IL<br>http://www.search.org/programs/hightech/calendar.asp<br><b>Limited to Law Enforcement</b></td></tr>
+
CDMA: ESN<br>  
<tr><td class="events">Basic Data Recovery and Aquisition-BDRA<br>May 15-19, Springdale, AR (Fayetteville Police Department)<br>http://nw3c.org/courses_bdra.cfm<br><b>Limited to Law Enforcement</b></td></tr>
+
Short Dial Numbers<br>
<tr><td class="events">Advanced Internet Investigations <br>May 15-26, Sacramento, CA<br>http://www.search.org/programs/hightech/calendar.asp<br><b>Limited to Law Enforcement</b></td></tr>
+
SMS Messages<br>
<tr><td class="events">AccessData Windows Forensics<br>May 16-18, New York, NY<br>http://www.accessdata.com/training</td></tr>
+
Phone Settings (language, date/time, tone/volume etc)<br>
<tr><td class="events">Certified Wireless Network Administrator CWNA<br>May 20-23, McLean, VA<br>http://www.securityuniversity.net/classes_wireless_CWNA.php</td></tr>
+
Stored Audio Recordings<br>
<tr><td class="events">Certified Wireless Security Professional CWSP<br>May 20-23, McLean, VA<br>http://www.securityuniversity.net/classes_wireless_CWSP.php</td></tr>
+
Stored Computer Files<br>
<tr><td class="events">Boot Camp Certified Wireless Network Admin/ Wireless Security Professional<br>May 20-26, McLean, VA<br>http://www.securityuniversity.net/classes_wireless_CWSP.php</td></tr>
+
Logged incoming calls and dialed numbers<br>
<tr><td class="events">Automated Forensic Tools-AFT<br>May 22-25, Anchorage, AK (Anchorage Police Department)<br>http://nw3c.org/courses_adra_aft.cfm<br><b>Limited to Law Enforcement</b></td></tr>
+
Stored Executable Programs<br>
<tr><td class="events">Advanced SMART Linux Data Forensics Training<br>May 22-25, Austin, TX<br>http://www.asrdata.com/training/training2.html</td></tr>
+
GPRS, WAP and Internet settings<br>
<tr><td class="events">Certified Wireless Analyst Professional CWAP<br>May 22-26, McLean, VA<br>http://www.securityuniversity.net/classes_wireless_CWAP.php</td></tr>
+
Calendar and Contacts<br>
<tr><td class="events">Professional Hacking Business Class<br>May 22-26, Columbia, MD<br>http://www.vigilar.com/training_professional_hacking.html</td></tr>
+
Calls Made, Received, and Missed<br>
<tr><td class="events">Applied Computer Forensics Boot Camp<br>May 22-26 , Springfield, VA<br>http://www.vigilar.com/training_cce.html?mc=ggaw_Forensics_training</td></tr>
+
Ring Tones, Games, Pictures, Videos and other Downloaded information<br>
<tr><td class="events">Certified Wireless Network Administrator CWNA<br>Jun 03-06, Sunnyvale, CA<br>http://www.securityuniversity.net/classes_wireless_CWNA.php</td></tr>
+
 
<tr><td class="events">Boot Camp Certified Wireless Network Admin/ Wireless Security Professional<br>Jun 03-10, Sunnyvale, CA<br>http://www.securityuniversity.net/classes_wireless_bootcamp.php</td></tr>
+
 
<tr><td class="events">SMART Linux Data Forensics Training<br>Jun 05-08, Austin, TX<br>http://www.asrdata.com/training/training2.html</td></tr>
+
Process of SIM Card Analysis.<br>
<tr><td class="events">Basic Data Recovery and Aquisition-BDRA<br>Jun 05-09, Tampa, FL (Florida Department of Law Enforcement (FDLE))<br>http://nw3c.org/courses_bdra.cfm<br><b>Limited to Law Enforcement</b></td></tr>
+
What are we looking for:<br>
<tr><td class="events">Professional Hacking Business Class<br>Jun 05-09, San Francisco, CA<br>http://www.vigilar.com/training_professional_hacking.html</td></tr>
+
Location Information<br>
<tr><td class="events">Computer Network Investigations Training Program (CNITP)<br>Jun 06-16, FLETC, Glynco, GA<br>http://www.fletc.gov/cfi/fy06tibsched.htm<br><b>Limited to Law Enforcement</b></td></tr>
+
SMS Messages<br>
<tr><td class="events">Certified Wireless Security Professional CWSP<br>Jun 07-10, Sunnyvale, CA<br>http://www.securityuniversity.net/classes_wireless_CWSP.php</td></tr>
+
Abbreviated Dialing Numbers<br>
<tr><td class="events">Secure Techniques for Onsite Preview-STOP<br>Jun 12-13, Franklin, MA (NESPIN)<br>http://nw3c.org/courses_stop.cfm<br><b>Limited to Law Enforcement</b></td></tr>
+
Last Numbers Dialed<br>
<tr><td class="events">Investigation of Online Child Exploitation, Level I <br>Jun 12-16, Sacramento, CA<br>http://www.search.org/programs/hightech/calendar.asp<br><b>Limited to Law Enforcement</b></td></tr>
+
 
<tr><td class="events">The Investigation of Computer Crime <br>Jun 12-16, Las Cruces, NM<br>http://www.search.org/programs/hightech/calendar.asp<br><b>Limited to Law Enforcement</b></td></tr>
+
 
<tr><td class="events">CHFI Computer Hacking Forensics Investigator Certification<br>Jun 12-16, McLean, VA<br>http://www.securityuniversity.net/classes_CHFI.php</td></tr>
+
====Presentation of Physical and Digital Cellular Phone Evidence in the Investigation Process ====
<tr><td class="events">Applied Computer Forensics Boot Camp<br>Jun 12-16 , Ft. Lauderdale, FL<br>http://www.vigilar.com/training_cce.html?mc=ggaw_Forensics_training</td></tr>
+
Cellular Phone<br>
<tr><td class="events">AccessData Windows Forensics<br>Jun 13-15, Dallas/Addison, TX<br>http://www.accessdata.com/training</td></tr>
+
Forensic Evidence Folder Organization<br>
<tr><td class="events">AccessData Internet Forensics<br>Jun 13-15, Manchester, England-UK<br>http://www.accessdata.com/training</td></tr>
+
Analog – Screenshots of phones<br>
<tr><td class="events">Secure Techniques for Onsite Preview-STOP<br>Jun 14-15, Franklin, MA (NESPIN)<br>http://nw3c.org/courses_stop.cfm<br><b>Limited to Law Enforcement</b></td></tr>
+
Digital – Reports from applications<br>
<tr><td class="events">Advanced SMART Linux Data Forensics Training<br>Jun 19-22, Austin, TX<br>http://www.asrdata.com/training/training2.html</td></tr>
+
Word Document for binding information together<br>
<tr><td class="events">Basic Data Recovery and Aquisition-BDRA<br>Jun 19-23, Pueblo, CO (Pueblo County Sheriffs Office)<br>http://nw3c.org/courses_bdra.cfm<br><b>Limited to Law Enforcement</b></td></tr>
+
 
<tr><td class="events">The Investigation of Computer Crime <br>Jun 19-23, Sacramento, CA<br>http://www.search.org/programs/hightech/calendar.asp<br><b>Limited to Law Enforcement</b></td></tr>
+
 
<tr><td class="events">CCE Bootcamp<br>Jun 19-23, Cyber Crime Institute at Kennesaw State University, Kennesaw, GA<br>http://www.cce-bootcamp.com</td></tr>
+
====Evidence Regulation and its Impacts in the Investigation Process ====
<tr><td class="events">Introductory MacIntosh Forensics<br>Jun 19-23, Santa Clara, CA<br>http://www.blackbagtech.com/training.html</td></tr>
+
Cellphones are not hard drives<br>
<tr><td class="events">Anti-Hacking Certificate Class<br>Jun 19-23, McLean, VA<br>http://www.securityuniversity.net/classes_anti-hacking.php</td></tr>
+
Live versus dead animals<br>
<tr><td class="events">CEH Ethical Hacking Certification Class<br>Jun 19-23, Sunnyvale, CA<br>http://www.securityuniversity.net/classes_CEH.php</td></tr>
+
 
<tr><td class="events">Professional Hacking Business Class<br>Jun 19-23, NYC, NY<br>http://www.vigilar.com/training_professional_hacking.html</td></tr>
+
Hard Drives are coming tho: http://itvibe.com/news/3934/
<tr><td class="events">Advanced Penetration Testing: ECSA Boot Camp<br>Jun 19-23, Dallas, TX<br>http://www.vigilar.com/training_advanced_penetration.html</td></tr>
+
 
<tr><td class="events">Cyber Counterterrorism Investigations Training Program (CCITP)<br>Jun 19-28, FLETC, Glynco, GA<br>http://www.fletc.gov/cfi/fy06tibsched.htm<br><b>Limited to Law Enforcement</b></td></tr>
+
SIM cards are getting bigger too: http://www.vnunet.com/2150531
<tr><td class="events">AccessData BootCamp<br>Jun 20-22, San Jose, CA and Frankfurt, Germany<br>http://www.accessdata.com/training</td></tr>
+
====Applications: Practical Forensic Cases Related to Cellular Phones ====
<tr><td class="events">AccessData Windows Forensics<br>Jun 20-22, Burlington, MA and Omaha, NE<br>http://www.accessdata.com/training</td></tr>
+
Examples???
<tr><td class="events">Basic On-line Technical Skills-BOTS<br>Jun 26-30, Miami, FL (Florida Department of Law Enforcement (FDLE))<br>http://nw3c.org/courses_bots.cfm<br><b>Limited to Law Enforcement</b></td></tr>
+
 
<tr><td class="events">Advanced Penetration Testing: ECSA Boot Camp<br>Jun 26-30, NYC, NY<br>http://www.vigilar.com/training_advanced_penetration.html</td></tr>
+
 
<tr><td class="events">Introduction to Internet Crime Investigations <br>Jul 06, Sacramento, CA<br>http://www.search.org/programs/hightech/calendar.asp<br><b>Limited to Law Enforcement</b></td></tr>
+
References
<tr><td class="events">SMART Linux Data Forensics Training<br>Jul 10-13, Austin, TX<br>http://www.asrdata.com/training/training2.html</td></tr>
+
<br><br>
<tr><td class="events">Basic Local Area Network (LAN) Investigation <br>Jul 10-14, Sacramento, CA<br>http://www.search.org/programs/hightech/calendar.asp<br><b>Limited to Law Enforcement</b></td></tr>
+
Ayers, R., Jansen, W. (2005) Cellular Phone Forensics. NIST
<tr><td class="events">Applied Computer Forensics Boot Camp<br>Jul 10-14 , Las Vegas, NV<br>http://www.vigilar.com/training_cce.html?mc=ggaw_Forensics_training</td></tr>
+
<br><br>
<tr><td class="events">Digital Evidence Acquisition Specialist Training Program (DEASTP)<br>Jul 10-21, FLETC, Glynco, GA<br>http://www.fletc.gov/cfi/fy06tibsched.htm<br><b>Limited to Law Enforcement</b></td></tr>
+
Paraben Forensics Cell Seizure v3.0. (n.d.). Retrieved Feb. 12, 2006 from http://www.paraben-forensics.com/catalog/product_info.php?cPath=25&products_id=311
<tr><td class="events">AccessData BootCamp<br>Jul 11-13, Los Angeles/El Segundo, CA<br>http://www.accessdata.com/training</td></tr>
+
<br><br>
<tr><td class="events">AccessData Windows Forensics<br>Jul 11-13, Washington, DC<br>http://www.accessdata.com/training</td></tr>
+
Nokia Oxygen Phone Manager II Version 2.8.7. (n.d.). Retrieved Feb 12, 2006 from http://www.opm-2.com/Forensic/
<tr><td class="events">Professional Hacking Business Class<br>Jul 11-15, Philadelphia, PA<br>http://www.vigilar.com/training_professional_hacking.html</td></tr>
+
<br><br>
<tr><td class="events">Basic Data Recovery and Aquisition-BDRA<br>Jul 17-21, Orlando, FL (Florida Department of Law Enforcement (FDLE))<br>http://nw3c.org/courses_bdra.cfm<br><b>Limited to Law Enforcement</b></td></tr>
+
Susteen Secure View (n.d.). Retrieved Feb. 12, 2006 from http://www.susteen.com/lawenforcement.htm
<tr><td class="events">Anti-Hacking for Network Penetration Testing ECSA<br>Jul 17-21, McLean, VA<br>http://www.securityuniversity.net/classes_anti-hacking_pentest.php</td></tr>
+
<tr><td class="events">Applied Computer Forensics Business Boot Camp<br>Jul 17-21 , Norman, OK<br>http://www.vigilar.com/training_cce.html?mc=ggaw_Forensics_training</td></tr>
+
<tr><td class="events">AccessData Windows Forensics<br>Jul 18-20, Portland, OR<br>http://www.accessdata.com/training</td></tr>
+
<tr><td class="events">Network Exploitation Analysis Training Program (NEATP)<br>Jul 18-27, FLETC, Glynco, GA<br>http://www.fletc.gov/cfi/fy06tibsched.htm<br><b>Limited to Law Enforcement</b></td></tr>
+
<tr><td class="events">Advanced SMART Linux Data Forensics Training<br>Jul 24-27, Austin, TX<br>http://www.asrdata.com/training/training2.html</td></tr>
+
<tr><td class="events">Seized Computer Evidence Recovery Specialist Training Program (SCERS)<br>Jul 31-Aug 11, FLETC, Glynco, GA<br>http://www.fletc.gov/cfi/fy06tibsched.htm<br><b>Limited to Law Enforcement</b></td></tr>
+
<tr><td class="events">Secure Techniques for Onsite Preview-STOP<br>Aug 07-08, Jacksonville, FL (Florida Department of Law Enforcement (FDLE))<br>http://nw3c.org/courses_stop.cfm<br><b>Limited to Law Enforcement</b></td></tr>
+
<tr><td class="events">SMART Linux Data Forensics Training<br>Aug 07-10, Austin, TX<br>http://www.asrdata.com/training/training2.html</td></tr>
+
<tr><td class="events">AccessData Windows Forensics<br>Aug 08-10, St. Louis/Ballwin, MO<br>http://www.accessdata.com/training</td></tr>
+
<tr><td class="events">Secure Techniques for Onsite Preview-STOP<br>Aug 09-10, Jacksonville, FL (Florida Department of Law Enforcement (FDLE))<br>http://nw3c.org/courses_stop.cfm<br><b>Limited to Law Enforcement</b></td></tr>
+
<tr><td class="events">Certified Wireless Analyst Professional CWAP<br>Aug 14-18, Sunnyvale, CA<br>http://www.securityuniversity.net/classes_wireless_CWAP.php</td></tr>
+
<tr><td class="events">AccessData BootCamp<br>Aug 15-17, New York, NY<br>http://www.accessdata.com/training</td></tr>
+
<tr><td class="events">Certified Wireless Network Administrator CWNA<br>Aug 19-21, McLean, VA<br>http://www.securityuniversity.net/classes_wireless_CWAP.php</td></tr>
+
<tr><td class="events">Advanced SMART Linux Data Forensics Training<br>Aug 21-24, Austin, TX<br>http://www.asrdata.com/training/training2.html</td></tr>
+
<tr><td class="events">Intermediate MacIntosh Forensics<br>Aug 21-25, Santa Clara, CA<br>http://www.blackbagtech.com/training.html</td></tr>
+
<tr><td class="events">CEH Ethical Hacking Certification Class<br>Aug 21-25, McLean, VA<br>http://www.securityuniversity.net/classes_CEH.php</td></tr>
+
<tr><td class="events">Cyber Counterterrorism Investigations Training Program (CCITP)<br>Aug 21-30, FLETC, Glynco, GA<br>http://www.fletc.gov/cfi/fy06tibsched.htm<br><b>Limited to Law Enforcement</b></td></tr>
+
<tr><td class="events">AccessData Windows Forensics<br>Aug 22-24, Philadelphia, PA<br>http://www.accessdata.com/training</td></tr>
+
<tr><td class="events">Certified Wireless Security Professional CWSP<br>Aug 22-25, McLean, VA<br>http://www.securityuniversity.net/classes_wireless_CWSP.php</td></tr>
+
<tr><td class="events">Computer Network Investigations Training Program (CNITP)<br>Aug 22-Sep 01, FLETC, Glynco, GA<br>http://www.fletc.gov/cfi/fy06tibsched.htm<br><b>Limited to Law Enforcement</b></td></tr>
+
<tr><td class="events">SMART Linux Data Forensics Training<br>Sep 04-07, Austin, TX<br>http://www.asrdata.com/training/training2.html</td></tr>
+
<tr><td class="events">CEH Ethical Hacking Certification Class<br>Sep 11-14, Sunnyvale, CA<br>http://www.securityuniversity.net/classes_CEH.php</td></tr>
+
<tr><td class="events">Windows Client Email Data Structures-EMAIL<br>Sep 11-15, Miami, FL (Florida Department of Law Enforcement (FDLE))<br>http://nw3c.org/courses_adra_email.cfm<br><b>Limited to Law Enforcement</b></td></tr>
+
<tr><td class="events">Advanced SMART Linux Data Forensics Training<br>Sep 18-21, Austin, TX<br>http://www.asrdata.com/training/training2.html</td></tr>
+
<tr><td class="events">AccessData Windows Forensics<br>Sep 19-21, Frankfurt, Germany-auf DEUTSCH<br>http://www.accessdata.com/training</td></tr>
+
<tr><td class="events">AccessData Windows Forensics<br>Oct 03-05, San Jose, CA<br>http://www.accessdata.com/training</td></tr>
+
<tr><td class="events">AccessData Internet Forensics<br>Oct 03-05, Washington, DC<br>http://www.accessdata.com/training</td></tr>
+
<tr><td class="events">SMART Linux Data Forensics Training<br>Oct 09-12, Austin, TX<br>http://www.asrdata.com/training/training2.html</td></tr>
+
<tr><td class="events">Applied Computer Forensics Business Boot Camp<br>Oct 09-13 , Norman, OK<br>http://www.vigilar.com/training_cce.html?mc=ggaw_Forensics_training</td></tr>
+
<tr><td class="events">AccessData Windows Forensics<br>Oct 10-12, Austin, TX<br>http://www.accessdata.com/training</td></tr>
+
<tr><td class="events">AccessData BootCamp<br>Oct 10-12, New York, NY<br>http://www.accessdata.com/training</td></tr>
+
<tr><td class="events">Basic Data Recovery and Aquisition-BDRA<br>Oct 16-20, Jacksonville, FL (Florida Department of Law Enforcement (FDLE))<br>http://nw3c.org/courses_bdra.cfm<br><b>Limited to Law Enforcement</b></td></tr>
+
<tr><td class="events">Advanced MacIntosh Forensics<br>Oct 16-20, Santa Clara, CA<br>http://www.blackbagtech.com/training.html</td></tr>
+
<tr><td class="events">AccessData Windows Forensics<br>Oct 17-19, Los Angeles/El Segundo, CA<br>http://www.accessdata.com/training</td></tr>
+
<tr><td class="events">Advanced SMART Linux Data Forensics Training<br>Oct 23-26, Austin, TX<br>http://www.asrdata.com/training/training2.html</td></tr>
+
<tr><td class="events">AccessData BootCamp<br>Oct 24-26, Burlington, MA<br>http://www.accessdata.com/training</td></tr>
+
<tr><td class="events">Advanced Data Recovery and Analysis, Internet Trace Evidence-ADRA-INET<br>Nov 06-09, Orlando, FL (Florida Department of Law Enforcement (FDLE))<br>http://nw3c.org/courses_adra_inet.cfm<br><b>Limited to Law Enforcement</b></td></tr>
+
<tr><td class="events">SMART Linux Data Forensics Training<br>Nov 06-09, Austin, TX<br>http://www.asrdata.com/training/training2.html</td></tr>
+
<tr><td class="events">AccessData Internet Forensics<br>Nov 07-09, Chicago, IL<br>http://www.accessdata.com/training</td></tr>
+
<tr><td class="events">AccessData Windows Forensics<br>Nov 14-16, Denver, CO<br>http://www.accessdata.com/training</td></tr>
+
<tr><td class="events">Advanced SMART Linux Data Forensics Training<br>Nov 20-23, Austin, TX<br>http://www.asrdata.com/training/training2.html</td></tr>
+
<tr><td class="events">AccessData BootCamp<br>Nov 20-22, Redwood City, CA<br>http://www.accessdata.com/training</td></tr>
+
<tr><td class="events">AccessData Windows Forensics<br>Nov 28-30, St. Paul, MN<br>http://www.accessdata.com/training</td></tr>
+
<tr><td class="events">AccessData BootCamp<br>Nov 28-30, Stockholm, Sweden<br>http://www.accessdata.com/training</td></tr>
+
<tr><td class="events">Basic Data Recovery and Aquisition-BDRA<br>Dec 04-08, Tallahassee, FL (Florida Department of Law Enforcement (FDLE))<br>http://nw3c.org/courses_bdra.cfm<br><b>Limited to Law Enforcement</b></td></tr>
+
<tr><td class="events">AccessData Windows Forensics<br>Dec 05-07, Dallas/Addison, TX<br>http://www.accessdata.com/training</td></tr>
+
<tr><td class="events">AccessData BootCamp<br>Dec 18-20, Washington, DC<br>http://www.accessdata.com/training</td></tr>
+
<tr><td class="events">AccessData BootCamp<br>Dec 27-29, New York, NY<br>http://www.accessdata.com/training</td></tr>
+
<tr><td class="events">AccessData Windows Forensics<br>Dec 27-29, New York, NY<br>http://www.accessdata.com/training</td></tr>
+
<tr><td class="events">AccessData Internet Forensics<br>Dec 27-29, New York, NY<br>http://www.accessdata.com/training</td></tr>
+
</table>
+

Revision as of 16:29, 27 February 2006

Applied Cellphone Forensics

• Defining processes of the acquisition, preservation, analysis of evidence

• Presentation of physical and digital cellular phone evidence in the investigation process

• Evidence regulation and its impacts in the investigation process

• Applications: practical forensic cases related to cellular phones

Introduction

Cellular telephones are a ubiquitous consumer device. Over 180 million subscribers are using one of over 500 different cellphones offered in the United States from over 30 different manufacturers, processing voice and data traffic over 4 carrier networks. Invariably, with so much voice and data traffic being sent from one cellphone to another, many of these phones can provide critical evidentiary data to crime scene investigators. Unfortunately, the forensic acquisition and analysis of these phones is still a new process in the computer forensics world. There are several reasons for this, but the main ones are a lack of awareness and a lack of training in law enforcement agencies. This paper is an effort to address that deficiency.

Processes of the Acquisition, Preservation, Analysis of Evidence

Due to their nature, cell phones are acquired and preserved in the same action. This acquisition and preservation is done with various tools and technologies. The actual process of the virtual acquisition of the phone depends very much upon the manufacturer and model of the phone.

Usually, a visit to one of the phone carriers’ outlet locations can provide you with the specifics of the phone. In a worst-case scenario, removing the battery from its compartment will usually reveal the manufacturer name and specific model number.

Once the phone is identified, either through known identification or through the other means mentioned above, more information about the phone’s technical specifications and capabilities can be gleaned from the PhoneScoop (www.phonescoop.com) website.

Once identified, the phone is ready for the next step of the virtual acquisition.

Off Network

Powered up

To ensure a good evidence acquisition

Cables

Acquisition can be done through various cabling systems and various software applications. Examples of the cabling systems include Paraben’s Cell Seizure Toolkit, Susteen’s Law Enforcement Cabling Kit, or the various specific manufacturers’ data cables.

Specifically, at the time of this writing, Paraben’s Cell Seizure Version 3.0 will acquire many phones from Nokia, LG, Sony-Ericsson, Motorola, Siemens, and Samsung.

Susteen SecureView Version 1 will acquire phones from LG, Motorola, Samsung, Sony-Ericsson, Sanyo, and Nokia. With Secure View, Susteen has included the cables from its popular Data Pilot system.

BitPim, Version 8.08, will acquire phones from LG, Samsung, Audiovox, Sanyo, and Toshiba.

Other products include: Nokia’s Oxygen PM Forensics Edition Version 2.8.7, which provides support for most Nokia phones as well as some Samsung and Mobiado phones.

Float’s Mobile Agent

iDEN Media Downloader

iDEN Phonebook Manager

SmartMoto

GSM .XRY

SuperAgent RSS

MobilEdit

Tulp2G
AccessData’s FTK
Guidance Software’s EnCase

SIM Card software applications:
SIM Seizure
SIMCon
Tulp2G


Overly simplified…

Is there a method for determining which application to use based on the phone? Can this be built from a database of knowledge?

Process of Cellphone Acquisition.
1. Take phone off network via faraday technology
2. Connect power source and ensure at least 50% charge
3. Connect the data synchronization cable to the phone
4. Launch the software application for acquisition and analysis
5. Acquire the phone’s image

Process of SIM Card Acquisition.
1. Connect SIM Card to Computer through a compliant card reader
2. Launch the software application for acquisition and analysis
3. Acquire and Analyze the SIM Card

Process of Cellphone Analysis.
What are we looking for:
GSM: IMEI
CDMA: ESN
Short Dial Numbers
SMS Messages
Phone Settings (language, date/time, tone/volume etc)
Stored Audio Recordings
Stored Computer Files
Logged incoming calls and dialed numbers
Stored Executable Programs
GPRS, WAP and Internet settings
Calendar and Contacts
Calls Made, Received, and Missed
Ring Tones, Games, Pictures, Videos and other Downloaded information
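
As an added example (not part of the original paper), the Python below checks the two handset identifiers at the top of the list above: it verifies an IMEI's Luhn check digit and converts a CDMA ESN between its hex and decimal forms. It assumes a 15-digit IMEI with an 8-digit TAC and the original ESN split of an 8-bit manufacturer code and a 24-bit serial; the function names and sample values are constructed for illustration.

```python
import re

# Added example: sanity-check handset identifiers recovered during analysis.
# Sample values below are constructed, not taken from a real handset.
SAMPLE_IMEI = "35-123456-789012-4"
SAMPLE_ESN_HEX = "9F1234AB"


def luhn_check_digit(body14):
    """Luhn check digit for the first 14 digits of an IMEI."""
    total = 0
    for i, ch in enumerate(body14):
        d = int(ch)
        if i % 2 == 1:                  # double the 2nd, 4th, ... digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return (10 - total % 10) % 10


def parse_imei(text):
    """Split a 15-digit IMEI (separators allowed) and verify its check digit."""
    digits = re.sub(r"\D", "", text)
    if len(digits) != 15:
        raise ValueError("expected 15 digits, got %d" % len(digits))
    return {"tac": digits[:8], "serial": digits[8:14],
            "check_ok": luhn_check_digit(digits[:14]) == int(digits[14])}


def parse_esn(text):
    """Accept an ESN as 8 hex digits or as 11 decimal digits (3 + 8)."""
    t = text.strip()
    if re.fullmatch(r"[0-9A-Fa-f]{8}", t):
        value = int(t, 16)
    elif re.fullmatch(r"[0-9]{11}", t):
        mfr, serial = int(t[:3]), int(t[3:])
        if mfr > 0xFF or serial > 0xFFFFFF:
            raise ValueError("decimal ESN out of range")
        value = (mfr << 24) | serial
    else:
        raise ValueError("not an 8-hex-digit or 11-decimal-digit ESN")
    mfr, serial = value >> 24, value & 0xFFFFFF
    return {"hex": "%08X" % value, "decimal": "%03d%08d" % (mfr, serial),
            "manufacturer_code": mfr, "serial": serial,
            "pseudo_esn": mfr == 0x80}  # 0x80 prefix marks a pseudo-ESN


if __name__ == "__main__":
    print(parse_imei(SAMPLE_IMEI))
    print(parse_esn(SAMPLE_ESN_HEX))
```

A failed check digit usually points to a transcription error in the report rather than to the handset, so it is worth re-reading the value from the device label or the acquisition output before recording it.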


Process of SIM Card Analysis.
What are we looking for:
Location Information
SMS Messages
Abbreviated Dialing Numbers
Last Numbers Dialed
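
As an added example (not part of the original paper), the Python below decodes a single SIM record of the kind that holds the Abbreviated Dialing Numbers and Last Numbers Dialed listed above. It assumes the record layout given in 3GPP TS 51.011 (formerly GSM 11.11); the function names and the sample records are constructed for illustration.

```python
# Added example: decode one EF_ADN / EF_LND record read from a SIM card.
# Layout (3GPP TS 51.011): X-byte alpha identifier, then 14 fixed bytes:
# length, TON/NPI, 10 bytes of swapped-nibble BCD digits, CCP id, EXT1 id.

BCD = "0123456789*#pw?"  # 0xC pause, 0xD wild, 0xE expansion; 0xF ends


def decode_alpha(raw):
    """Contact name, 0xFF padded; a 0x80 prefix marks UCS2 text."""
    if raw[:1] == b"\x80":
        body = raw[1:]
        pairs = [body[i:i + 2] for i in range(0, len(body) - 1, 2)]
        text = b"".join(p for p in pairs if p != b"\xff\xff")
        return text.decode("utf-16-be", "replace")
    # Simplification: the GSM default alphabet matches ASCII for letters,
    # digits and space; other symbols would need the full mapping table.
    return raw.rstrip(b"\xff").decode("ascii", "replace")


def decode_bcd(data):
    """Low nibble first, then high nibble; stop at the 0xF filler."""
    out = []
    for byte in data:
        for nibble in (byte & 0x0F, byte >> 4):
            if nibble == 0x0F:
                return "".join(out)
            out.append(BCD[nibble])
    return "".join(out)


def parse_dialling_record(rec):
    """Return a dict for a used record, or None for an empty (all 0xFF) slot."""
    if len(rec) < 14:
        raise ValueError("record shorter than the 14 fixed trailing bytes")
    if all(b == 0xFF for b in rec):
        return None
    alpha, fixed = rec[:-14], rec[-14:]
    length, ton_npi, ext1 = fixed[0], fixed[1], fixed[13]
    # 'length' counts the TON/NPI byte plus the BCD bytes actually used.
    used = 0 if length == 0xFF else max(0, min(length, 11) - 1)
    number = decode_bcd(fixed[2:2 + used])
    if (ton_npi >> 4) & 0x07 == 1:       # type of number: international
        number = "+" + number
    return {"name": decode_alpha(alpha), "number": number,
            "ext1_record": None if ext1 == 0xFF else ext1}


# Constructed sample records (not taken from any real SIM).
ADN_SAMPLE = bytes.fromhex("414C494345FFFFFFFFFF" "07" "91" "4151550521F3FFFFFFFF" "FFFF")
LND_SAMPLE = bytes.fromhex("FF" * 10 + "04" "81" "1A00FBFFFFFFFFFFFFFF" "FFFF")
```

A non-empty `ext1_record` means the entry has additional data in the SIM's EXT1 file, so the decoded number on its own may be incomplete.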


Presentation of Physical and Digital Cellular Phone Evidence in the Investigation Process

Cellular Phone
Forensic Evidence Folder Organization
Analog – Screenshots of phones
Digital – Reports from applications
Word Document for binding information together


Evidence Regulation and its Impacts in the Investigation Process

Cellphones are not hard drives
Live versus dead animals

Hard drives are coming, though: http://itvibe.com/news/3934/

SIM cards are getting bigger too: http://www.vnunet.com/2150531

Applications: Practical Forensic Cases Related to Cellular Phones

Examples???


References

Ayers, R., Jansen, W. (2005) Cellular Phone Forensics. NIST

Paraben Forensics Cell Seizure v3.0. (n.d.). Retrieved Feb. 12, 2006 from http://www.paraben-forensics.com/catalog/product_info.php?cPath=25&products_id=311

Nokia Oxygen Phone Manager II Version 2.8.7. (n.d.). Retrieved Feb. 12, 2006 from http://www.opm-2.com/Forensic/

Susteen Secure View (n.d.). Retrieved Feb. 12, 2006 from http://www.susteen.com/lawenforcement.htm