Difference between revisions of "Applied Cellphone Forensics"

From ForensicsWiki
===Applied Cellphone Forensics===
• Defining processes of the acquisition, preservation, analysis of evidence
• Presentation of physical and digital cellular phone evidence in the investigation process
• Evidence regulation and its impacts in the investigation process
• Applications: practical forensic cases related to cellular phones
Cellular telephones are a ubiquitous consumer device. Over 180 million subscribers are using one of over 500 different cellphones offered in the United States from over 30 different manufacturers, processing voice and data traffic over 4 carrier networks. Invariably, with so much voice and data traffic being sent from one cellphone to another, many of these phones can provide critical evidentiary data to crime scene investigators. Unfortunately, the forensic acquisition and analysis of these phones is still a new process in the computer forensics world. Several reasons exist, but the main ones are the lack of awareness and training in law enforcement agencies. This paper is an effort to change this deficiency.
====Processes of the Acquisition, Preservation, Analysis of Evidence ====
Due to their nature, cell phones are acquired and preserved in the same action. This acquisition and preservation is done with various tools and technologies. The actual process of the virtual acquisition of the phone depends very much upon the manufacturer and model of the phone.
Usually, a visit to one of the phone carriers’ outlet locations can provide you with the information detailing the specifics of the phone. However, in a worst case scenario, removing the battery from its compartment usually will reveal a label with the manufacturer name and specific model number.
Once the phone is identified, either through known identification or through the other aforementioned means, more information can be gleaned about the phone’s technical specifications and capabilities by visiting the PhoneScoop (www.phonescoop.com) website.
=====Off Network=====
The phone should be taken off of the wireless network. Doing so protects the evidence in several ways. It prevents the erasure of stored messages and stored incoming calls. These sources of evidence are usually held in cyclic memories that retain only a fixed number of the most recent entries, so any new traffic received while the phone is still on the network would push out older evidence.
=====Powered up=====
To ensure a good evidence acquisition, a cellphone should have at least a 50% charge. Ideally, when the phone is seized, the power cable will also be seized. If not, a trip to the phone carrier’s outlet location will usually provide the correct power source. There are other options as well, such as the PowerPod from EarHugger.com, which allows for multiple power sources (AC, DC, USB, Auto) and multiple power tips.
Once identified, taken off the network and powered up, the phone is ready for the next step of the virtual acquisition. This can be done through various cabling systems and various software applications. Examples of the cabling systems include Paraben’s Cell Seizure Toolkit, Susteen’s Law Enforcement Cabling Kit, or the various specific manufacturers’ data cables. Once the proper cable is connected to the phone and the forensic computer, acquisition can commence.
Application Audiovox LG Motorola Nokia Samsung Sanyo Siemens Sony-Ericsson Toshiba
Paraben Cell Seizure X X X X X X
Susteen SecureView X X X X X X
Nokia OxygenPM Forensics Edition X X
Float’s Mobile Agent
iDEN Media Downloader
iDEN Phonebook Manager
SuperAgent RSS
Access Data’s FTK<br>
Guidance Software’s EnCase<br>
SIM Card software applications:<br>
SIM Seizure<br>
Overly simplified…<br>
Is there a method for determining which application to use based on the phone?
Can this be built from a database of knowledge?
Process of Cellphone Acquisition.<br>
1. Take phone off network via faraday technology<br>
2. Connect power source and ensure at least 50% charge<br>
3. Connect the data synchronization cable to the phone<br>
4. Launch the software application for acquisition and analysis<br>
5. Acquire the phone’s image<br>
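As an added illustration of the acquisition and preservation steps above (example code, not from the wiki page or from any of the tools named): a small Python script that refuses to record an acquisition unless the stated preconditions are met (handset off the network, at least 50% charge), then writes a manifest holding the device identification, tool, examiner, timestamp and a SHA-256 hash of the acquired image, and re-checks an image against that hash later. The manifest layout and field names are this example’s own choices, and the sample image is constructed.

```python
"""Record a cellphone acquisition with an integrity hash and re-verify it later.

Added example, not the wiki page's own code. The preconditions enforced are the
two the procedure states: off the wireless network, and at least 50% charge.
Manifest layout and field names are choices made for this example.
"""
from __future__ import annotations

import hashlib
import json
from datetime import datetime, timezone

MIN_CHARGE_PERCENT = 50  # threshold stated in the acquisition procedure


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the acquired image; recorded once, compared forever after."""
    return hashlib.sha256(data).hexdigest()


def check_preconditions(off_network: bool, charge_percent: int) -> list[str]:
    """Return the list of unmet preconditions (empty list means ready to acquire)."""
    problems = []
    if not off_network:
        problems.append("handset still on the wireless network (isolate it first)")
    if charge_percent < MIN_CHARGE_PERCENT:
        problems.append(f"charge {charge_percent}% is below {MIN_CHARGE_PERCENT}%")
    return problems


def build_manifest(*, image: bytes, manufacturer: str, model: str, tool: str,
                   examiner: str, off_network: bool, charge_percent: int,
                   acquired_at: datetime | None = None) -> dict:
    """Build the acquisition record; raises if the procedure's preconditions fail."""
    problems = check_preconditions(off_network, charge_percent)
    if problems:
        raise ValueError("acquisition preconditions not met: " + "; ".join(problems))
    acquired_at = acquired_at or datetime.now(timezone.utc)
    return {
        "device": {"manufacturer": manufacturer, "model": model},
        "acquisition": {
            "tool": tool,
            "examiner": examiner,
            "acquired_at": acquired_at.isoformat(),
            "off_network": off_network,
            "charge_percent": charge_percent,
        },
        "image": {"size_bytes": len(image), "sha256": sha256_hex(image)},
    }


def verify_image(manifest: dict, image: bytes) -> bool:
    """True only if the image still matches the size and hash recorded at acquisition."""
    return (len(image) == manifest["image"]["size_bytes"]
            and sha256_hex(image) == manifest["image"]["sha256"])


if __name__ == "__main__":
    # Constructed stand-in for an acquired handset image (not a real dump).
    sample_image = b"\x00" * 512 + b"SMS:hello" + b"\xff" * 512
    manifest = build_manifest(image=sample_image, manufacturer="Nokia",
                              model="example-model",  # placeholder, not a real model
                              tool="Paraben Cell Seizure", examiner="J. Doe",
                              off_network=True, charge_percent=80)
    print(json.dumps(manifest, indent=2))
    print("unchanged image verifies:", verify_image(manifest, sample_image))
    print("altered image verifies:", verify_image(manifest, sample_image + b"x"))
```

The manifest is written once at acquisition time and kept alongside the image in the evidence folder; any later copy of the image is checked with `verify_image` before analysis, so a mismatch is caught before results are reported.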
Process of SIM Card Acquisition.<br>
1. Connect SIM Card to Computer through a compliant card reader<br>
2. Launch the software application for acquisition and analysis<br>
3. Acquire and Analyze the SIM Card<br>
Process of Cellphone Analysis.<br>
What are we looking for:<br>
Short Dial Numbers<br>
SMS Messages<br>
Phone Settings (language, date/time, tone/volume etc)<br>
Stored Audio Recordings<br>
Stored Computer Files<br>
Logged incoming calls and dialed numbers<br>
Stored Executable Programs<br>
GPRS, WAP and Internet settings<br>
Calendar and Contacts<br>
Calls Made, Received, and Missed<br>
Ring Tones, Games, Pictures, Videos and other Downloaded information<br>
Process of SIM Card Analysis.<br>
What are we looking for:<br>
Location Information<br>
SMS Messages<br>
Abbreviated Dialing Numbers<br>
Last Numbers Dialed<br>
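As an added worked example for the SIM card acquisition and analysis steps above (example code, not from the wiki page or from any of the SIM tools it names): a Python decoder for three of the elementary files listed, the abbreviated dialling numbers (EF_ADN), the last numbers dialled (EF_LND, which uses the same record layout) and the location information (EF_LOCI). Record layouts follow GSM 11.11; the records fed to it below are constructed test data, not dumps of a real card. It assumes alpha identifiers use either UCS2 (0x80 prefix) or the ASCII-compatible subset of the GSM 7-bit default alphabet, and it does not decode SMS TPDUs.

```python
"""Decode SIM elementary-file records: EF_ADN / EF_LND phonebook entries and EF_LOCI.

Added example, not the wiki page's own code. Layouts follow GSM 11.11. All
sample bytes below are constructed test data.
"""
from __future__ import annotations

BCD_DIGITS = "0123456789*#abc"   # nibble values 0x0-0xE; 0xF is filler


def decode_bcd_number(raw: bytes) -> str:
    """Swapped-nibble BCD: the low nibble of each byte holds the earlier digit."""
    digits = []
    for byte in raw:
        for nibble in (byte & 0x0F, byte >> 4):
            if nibble == 0x0F:               # filler marks the end of the number
                return "".join(digits)
            digits.append(BCD_DIGITS[nibble])
    return "".join(digits)


def decode_alpha(raw: bytes) -> str:
    """Alpha identifier: UCS2 with 0x80 prefix, else GSM 7-bit (ASCII subset assumed)."""
    raw = raw.rstrip(b"\xff")                # unused bytes are padded with 0xFF
    if raw[:1] == b"\x80":
        return raw[1:].decode("utf-16-be")
    return raw.decode("ascii", errors="replace")


def parse_adn_record(record: bytes) -> dict | None:
    """One EF_ADN / EF_LND record: alpha id (len-14 bytes), number length,
    TON/NPI, 10 bytes of BCD number, CCP id, Ext1 id. None for an empty record."""
    alpha_len = len(record) - 14
    if alpha_len < 0:
        raise ValueError("record shorter than the 14-byte fixed part")
    number_len = record[alpha_len]           # counts the TON/NPI byte plus BCD bytes
    if number_len == 0xFF:
        return None
    ton_npi = record[alpha_len + 1]
    bcd = record[alpha_len + 2: alpha_len + 12]
    number = decode_bcd_number(bcd[: number_len - 1])
    if (ton_npi & 0x70) == 0x10:             # type of number: international
        number = "+" + number
    return {"name": decode_alpha(record[:alpha_len]), "number": number}


def parse_adn_file(data: bytes, record_len: int) -> list[dict]:
    """Split a linear-fixed EF into records; keep non-empty ones with 1-based record numbers."""
    entries = []
    for offset in range(0, len(data) - record_len + 1, record_len):
        entry = parse_adn_record(data[offset:offset + record_len])
        if entry:
            entry["record"] = offset // record_len + 1
            entries.append(entry)
    return entries


def parse_loci(data: bytes) -> dict:
    """EF_LOCI: TMSI (4), LAI (MCC/MNC 3 + LAC 2), TMSI TIME (1), update status (1)."""
    if len(data) < 11:
        raise ValueError("EF_LOCI is 11 bytes")
    lai = data[4:9]
    mcc = f"{lai[0] & 0xF}{lai[0] >> 4}{lai[1] & 0xF}"
    mnc = f"{lai[2] & 0xF}{lai[2] >> 4}"
    if (lai[1] >> 4) != 0xF:                 # third MNC digit present
        mnc += str(lai[1] >> 4)
    status_names = {0: "updated", 1: "not updated",
                    2: "PLMN not allowed", 3: "location area not allowed"}
    return {"tmsi": data[0:4].hex(), "mcc": mcc, "mnc": mnc,
            "lac": int.from_bytes(data[7:9], "big"),
            "update_status": status_names.get(data[10] & 0x07, "reserved")}


# Constructed sample records (24-byte EF_ADN records, 10-byte alpha identifier).
RECORD_ALICE = (b"Alice" + b"\xff" * 5 + bytes([7, 0x91])
                + bytes.fromhex("5155214365f7ffffffffffff") + b"\xff\xff")[:24]
RECORD_EMPTY = b"\xff" * 24
RECORD_BOB = (b"Bob" + b"\xff" * 7 + bytes([5, 0x81])
              + bytes.fromhex("551500f0ffffffffffff") + b"\xff\xff")
SAMPLE_ADN = RECORD_ALICE + RECORD_EMPTY + RECORD_BOB
# Constructed EF_LOCI: TMSI DEADBEEF, test-network MCC 001 / MNC 01, LAC 0x1234, updated.
SAMPLE_LOCI = bytes.fromhex("deadbeef00f11012340000")

if __name__ == "__main__":
    for entry in parse_adn_file(SAMPLE_ADN, 24):
        print(entry)
    print(parse_loci(SAMPLE_LOCI))
```

The same `parse_adn_file` call serves EF_LND, since the last-numbers-dialled file shares the ADN record layout; only the file being read differs.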
====Presentation of Physical and Digital Cellular Phone Evidence in the Investigation Process ====
Cellular Phone<br>
Forensic Evidence Folder Organization<br>
Analog – Screenshots of phones<br>
Digital – Reports from applications<br>
Word Document for binding information together<br>
====Evidence Regulation and its Impacts in the Investigation Process ====
Cellphones are not hard drives<br>
Live versus dead animals<br>
Hard drives are coming though: http://itvibe.com/news/3934/
SIM cards are getting bigger too: http://www.vnunet.com/2150531
====Applications: Practical Forensic Cases Related to Cellular Phones ====
Ayers, R., Jansen, W. (2005) Cellular Phone Forensics. NIST
Paraben Forensics Cell Seizure v3.0. (n.d.). Retrieved Feb. 12, 2006 from http://www.paraben-forensics.com/catalog/product_info.php?cPath=25&products_id=311
Nokia Oxygen Phone Manager II Version 2.8.7. (n.d.). Retrieved Feb 12, 2006 from http://www.opm-2.com/Forensic/
Susteen Secure View (n.d.). Retrieved Feb. 12, 2006 from http://www.susteen.com/lawenforcement.htm

Latest revision as of 17:33, 31 March 2006