Applied Cellphone Forensics
- 1 Applied Cellphone Forensics
- 1.1 Introduction
- 1.2 Processes of the Acquisition, Preservation, Analysis of Evidence
- 1.3 Presentation of Physical and Digital Cellular Phone Evidence in the Investigation Process
- 1.4 Evidence Regulation and its Impacts in the Investigation Process
- 1.5 Applications: Practical Forensic Cases Related to Cellular Phones
Applied Cellphone Forensics
• Defining processes of the acquisition, preservation, analysis of evidence
• Presentation of physical and digital cellular phone evidence in the investigation process
• Evidence regulation and its impacts in the investigation process
• Applications: practical forensic cases related to cellular phones
Cellular telephones are a ubiquitous consumer device. Over 180 million subscribers are using one of over 500 different cellphones offered in the United States from over 30 different manufacturers, processing voice and data traffic over 4 carrier networks. Invariably, with so much voice and data traffic being sent from one cellphone to another, many of these phones can provide critical evidentiary data to crime scene investigators. Unfortunately, the forensic acquisition and analysis of these phones is a new process in the computer forensics world. Several reasons exist, but the main reasons are the lack of awareness and training of law enforcement agencies. This paper is an effort to change this deficiency.
Processes of the Acquisition, Preservation, Analysis of Evidence
Due to their nature, cell phones are acquired and preserved in the same action. This acquisition and preservation is done with various tools and technologies. The actual process of the virtual acquisition of the phone depends very much upon the manufacturer and model of the phone.
Usually, a visit to one of the phone carriers’ outlet location can provide you with the information detailing the specifics of the phone. However, in a worst case scenario, removing the battery out from its compartment usually will provide you with the manufacturer name and specific model number.
Once the phone is identified, either through known identification or through other aforementioned means, more information can be gleaned about the phones technical specifications and capabilities by visiting the PhoneScoop (www.phonescoop.com) website.
Once identified, the phone is ready for the next step of the virtual acquisition.
To ensure a good evidence acquisition
It can be done through various cabling systems and various software applications. Examples of the cabling systems include Paraben’s Cell Seizure Toolkit, Susteen’s Law Enforcement Cabling Kit, or the various specific manufacturers’ data cables.
Specifically, at the time of this writing, Paraben’s Cell Seizure Version 3.0 will acquire many phones from Nokia, LG, Sony-Ericsson, Motorola, Siemens, and Samsung.
Susteen SecureView Version 1 will acquire phones from LG, Motorola, Samsung, Sony-Ericsson, Sanyo, and Nokia. With Secure View, Susteen has included its cables from it’s popular Data Pilot system.
BITPim, Version 8.08 will acquire phones from LG, Samsung, Audiovox, Sanyo, Toshiba
Other products include: Nokia’s Oxygen PM Forensics Edition Verision 2.8.7 provides support for most Nokia phones as well as some Samsung and Mobiado phones
Float’s Mobile Agent
iDEN Media Downloader
iDEN Phoenbook Manager
Access Data’s FTK
Guidance Software’s EnCase
SIM Card software applications:
Is there a method for determining which application to use based on the phone? Can this be built from a database of knowledge
Process of Cellphone Acquisition.
1. Take phone off network via faraday technology
2. Connect power source and ensure at least 50% charge
3. Connect the data synchronization cable to the phone
4. Launch the software application for acquisition and analysis
5. Acquire the phones image
Process of SIM Card Acquisition.
1. Connect SIM Card to Computer through a compliant card reader
2. Launch the software application for acquisition and analysis
3. Acquire and Analyze the SIM Card
Process of Cellphone Analysis.
What are we looking for:
Short Dial Numbers
Phone Settings (language, date/time, tone/volume etc)
Stored Audio Recordings
Stored Computer Files
Logged incoming calls and dialed numbers
Stored Executable Programs
GPRS, WAP and Internet settings
Calendar and Contacts
Calls Made, Received, and Missed
Ring Tones, Games, Pictures, Videos and other Downloaded information
Process of SIM Card Analysis.
What are we looking for:
Abbreviated Dialing Numbers
Last Numbers Dialed
Presentation of Physical and Digital Cellular Phone Evidence in the Investigation Process
Forensic Evidence Folder Organization
Analog – Screenshots of phones
Digital – Reports from applications
Word Document for binding information together
Evidence Regulation and its Impacts in the Investigation Process
Cellphones are not hard drives
Live versus dead animals
Hard Drives are coming tho: http://itvibe.com/news/3934/
SIM cards are getting bigger too: http://www.vnunet.com/2150531
Applications: Practical Forensic Cases Related to Cellular Phones
Ayers, R., Jansen, W. (2005) Cellular Phone Forensics. NIST
Paraben Forensics Cell Seizure v3.0. (n.d.). Retrieved Feb. 12, 2006 from http://www.paraben-forensics.com/catalog/product_info.php?cPath=25&products_id=311
Nokia Oxygen Phone Manager II Version 2.8.7. (n.d.). Retrieved Feb 12, 2006 from http://www.opm-2.com/Forensic/
Susteen Secure View (n.d.). Retrieved Feb. 12, 2006 from http://www.susteen.com/lawenforcement.htm