Applied Cellphone Forensics

From ForensicsWiki
Revision as of 21:29, 27 February 2006 by Rmislan (Talk | contribs)

Jump to: navigation, search

Applied Cellphone Forensics

• Defining processes of the acquisition, preservation, analysis of evidence

• Presentation of physical and digital cellular phone evidence in the investigation process

• Evidence regulation and its impacts in the investigation process

• Applications: practical forensic cases related to cellular phones


Cellular telephones are a ubiquitous consumer device. Over 180 million subscribers are using one of over 500 different cellphones offered in the United States from over 30 different manufacturers, processing voice and data traffic over 4 carrier networks. Invariably, with so much voice and data traffic being sent from one cellphone to another, many of these phones can provide critical evidentiary data to crime scene investigators. Unfortunately, the forensic acquisition and analysis of these phones is a new process in the computer forensics world. Several reasons exist, but the main reasons are the lack of awareness and training of law enforcement agencies. This paper is an effort to change this deficiency.

Processes of the Acquisition, Preservation, Analysis of Evidence

Due to their nature, cell phones are acquired and preserved in the same action. This acquisition and preservation is done with various tools and technologies. The actual process of the virtual acquisition of the phone depends very much upon the manufacturer and model of the phone.

Usually, a visit to one of the phone carriers’ outlet location can provide you with the information detailing the specifics of the phone. However, in a worst case scenario, removing the battery out from its compartment usually will provide you with the manufacturer name and specific model number.

Once the phone is identified, either through known identification or through other aforementioned means, more information can be gleaned about the phones technical specifications and capabilities by visiting the PhoneScoop ( website.

Once identified, the phone is ready for the next step of the virtual acquisition.

Off Network

Powered up

To ensure a good evidence acquisition


It can be done through various cabling systems and various software applications. Examples of the cabling systems include Paraben’s Cell Seizure Toolkit, Susteen’s Law Enforcement Cabling Kit, or the various specific manufacturers’ data cables.

Specifically, at the time of this writing, Paraben’s Cell Seizure Version 3.0 will acquire many phones from Nokia, LG, Sony-Ericsson, Motorola, Siemens, and Samsung.

Susteen SecureView Version 1 will acquire phones from LG, Motorola, Samsung, Sony-Ericsson, Sanyo, and Nokia. With Secure View, Susteen has included its cables from it’s popular Data Pilot system.

BITPim, Version 8.08 will acquire phones from LG, Samsung, Audiovox, Sanyo, Toshiba

Other products include: Nokia’s Oxygen PM Forensics Edition Verision 2.8.7 provides support for most Nokia phones as well as some Samsung and Mobiado phones

Float’s Mobile Agent

iDEN Media Downloader

iDEN Phoenbook Manager



SuperAgent RSS


Access Data’s FTK
Guidance Software’s EnCase

SIM Card software applications:
SIM Seizure

Overly simplified…

Is there a method for determining which application to use based on the phone? Can this be built from a database of knowledge

Process of Cellphone Acquisition.
1. Take phone off network via faraday technology
2. Connect power source and ensure at least 50% charge
3. Connect the data synchronization cable to the phone
4. Launch the software application for acquisition and analysis
5. Acquire the phones image

Process of SIM Card Acquisition.
1. Connect SIM Card to Computer through a compliant card reader
2. Launch the software application for acquisition and analysis
3. Acquire and Analyze the SIM Card

Process of Cellphone Analysis.
What are we looking for:
Short Dial Numbers
SMS Messages
Phone Settings (language, date/time, tone/volume etc)
Stored Audio Recordings
Stored Computer Files
Logged incoming calls and dialed numbers
Stored Executable Programs
GPRS, WAP and Internet settings
Calendar and Contacts
Calls Made, Received, and Missed
Ring Tones, Games, Pictures, Videos and other Downloaded information

Process of SIM Card Analysis.
What are we looking for:
Location Information
SMS Messages
Abbreviated Dialing Numbers
Last Numbers Dialed

Presentation of Physical and Digital Cellular Phone Evidence in the Investigation Process

Cellular Phone
Forensic Evidence Folder Organization
Analog – Screenshots of phones
Digital – Reports from applications
Word Document for binding information together

Evidence Regulation and its Impacts in the Investigation Process

Cellphones are not hard drives
Live versus dead animals

Hard Drives are coming tho:

SIM cards are getting bigger too:

Applications: Practical Forensic Cases Related to Cellular Phones



Ayers, R., Jansen, W. (2005) Cellular Phone Forensics. NIST

Paraben Forensics Cell Seizure v3.0. (n.d.). Retrieved Feb. 12, 2006 from

Nokia Oxygen Phone Manager II Version 2.8.7. (n.d.). Retrieved Feb 12, 2006 from

Susteen Secure View (n.d.). Retrieved Feb. 12, 2006 from