Cell Phone Forensics

From ForensicsWiki

== Guidelines ==

# If on, switch it off. If off, leave off.
#* Note that only under exceptional circumstances should the handset be left switched on, and in any case every precaution to prevent the handset connecting with the Communication Service Provider should be taken. Consider use of one of the many [[wireless preservation]] or [[RF isolation]] techniques. Note that the slightest signal leakage will allow an overwriting text message through even if a phone call can't get through.
#* Instead of switching off, it may be better to remove the battery. Phones run a different part of their program when they are turned off. You may wish to avoid having this part of the program run.
#* Note that removing the battery or powering off a mobile phone may introduce a handset unlock code upon powering the device on.
# Collect and preserve other surrounding and related devices. Be especially careful to collect the power charger. The phone's battery will only last a certain amount of time. When it dies, much of the data on the device may go too!
# Plug the phone in, preferably in the evidence room, as soon as possible.
# Retain [[search warrant]] (if necessary - [[LE]]).
# Return device to forensic lab if able.
# Use [[forensically sound]] tools for processing. However, also remember ACPO Principle 2 says: In exceptional circumstances, where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.

== Notes ==

Information to collect about the device (to be expanded):

* [[ESN]],
* [[IMEI]],
* [[Carrier]],
* Manufacturer,
* Model Number,
* Color, and
* Other information related to [[Cell Phone]] and [[SIM Card]]...

Process:

# Photograph the [[Cell Phone]] screen during power up.
# Research the [[Cell Phone]] for technical specifications.
# Research the [[Cell Phone]] for forensic information.
# Based on phone type ([[GSM]], [[CDMA]], [[iDEN]], or [[Pay As You Go]]) determine acquisition tools.

GSM:
# Phone and SIM Card
# SIM Card

CDMA:
# Phone

iDEN:
# Three major tools exist for iDEN Phones:
#* iDEN Companion Pro
#* iDEN Media Downloader
#* iDEN Phonebook Manager

Pay As You Go:
# Phone

== External Links ==

Articles and Reference Materials
* [http://www.e-evidence.info/cellarticles.html E-Evidence.Info Articles, Papers, Presentations, etc.]
* [http://esm.cis.unisa.edu.au/new_esml/resources/publications/forensic%20analysis%20of%20mobile%20phones.pdf Forensic Analysis of Mobile Phones]
* [http://www.ijde.org/docs/03_spring_art1.pdf Forensics and the GSM Mobile Telephone System]
* [http://www.cl.cam.ac.uk/~fms27/persec-2006/goodies/2006-Naccache-forensic.pdf Law Enforcement, Forensics and Mobile Communications]
* [http://www.forensics.nl/mobile-pda-forensics Mobile Phone Forensics & PDA Forensics Links]
* [http://www.holmes.nl/MPF/FlowChartForensicMobilePhoneExamination.htm Netherlands Forensic Institute: Mobile Phone Forensics Examination - Basic Workflow and Preservation]
* [http://csrc.nist.gov/mobilesecurity/publications.html#MF U.S. National Institute of Standards and Technology Documents]

Conferences
* [http://www.MobileForensicsWorld.com/ Mobile Forensics World]

Investigative Support
* [http://www.search.org/files/pdf/CellphoneInvestToolkit-0806.pdf Creating a Cell Phone Investigation Toolkit: Basic Hardware and Software Specifications]
* [http://www.e-evidence.info/cellular.html E-Evidence.Info Mobile Forensic Tools]
* [http://www.forensicfocus.com ForensicFocus.com (Practitioners Forum)]
* [http://www.hex-dump.com Hex-Dump.com (Advanced Forum for Hex Dump and Memory Analysis)]
* [http://www.Mobile-Examiner.com Mobile-Examiner.com (Forum for Practitioners)]
* [http://www.Mobile-Forensics.com Mobile-Forensics.com (Research Forum for Mobile Device Forensics)]
* [http://www.mfi-training.com Mobile Forensics Training Forum (Mobile Device Investigative Support and Training)]
* [http://www.SmartPhoneForensics.com SmartPhoneForensics.com (Mobile Device Forensics Training and Investigative Support)]
* [http://www.Phone-Forensics.com Phone-Forensics.com (Advanced Forum for Practitioners)]
* [http://trewmte.blogspot.com TREW Mobile Telephone Evidence (Mobile Telephone Evidence Practitioner Site)]

Phone Research
* [http://www.GSMArena.com GSMArena.com (Technical information regarding GSM Cell Phones)]
* [http://www.MobileForensicsCentral.com MobileForensicsCentral.com (Information regarding Cell Phone Forensic Applications)]
* [http://www.PhoneScoop.com PhoneScoop.com (Technical information regarding all Cell Phones)]
* [http://www.ssddforensics.com/ Small Scale Digital Device Forensics Information]

Training
* [http://www.Mobile-Forensics.com Mobile-Forensics.com (Research Forum for Mobile Device Forensics)]
* [http://www.MobileForensicsWorld.com/Training.aspx Mobile Forensics World Training]
* [http://www.mobileforensicstraining.com Mobile Forensics Training (Mobile Forensics Inc. Training Class site)]
* [http://www.paraben-training.com/training.html Paraben-Forensics.com (Paraben's Handheld Forensic Training Classes)]
* [http://www.SmartPhoneForensics.com SmartPhoneForensics.com (Mobile Device Forensics Training and Investigative Support)]
Common Log File System (CLFS)

Revision as of 05:03, 3 December 2010

The Common Log File System (CLFS) is a special purpose file (sub)system designed for transaction logging and/or recovery. The CLFS is not a file system in the traditional meaning of a disk file system, but more of a logical (special purpose) file system that operates in combination with a disk file system like NTFS.

Overview

A CLFS log consists of a base log file (.blf) and one or more container files.

There are two types of logs:

  • dedicated logs: contain a single stream of log records.
  • multiplexed (or common) logs: contain several streams of log records.

Implementation

According to Wikipedia, CLFS was introduced in Windows Server 2003 R2.

In Windows Vista the CLFS is implemented as a driver named clfs.sys. Equivalent user-space functionality is provided by clfsw32.dll, which communicates with the driver through DeviceIoControl calls.

Also see

Windows Internals 5 by Mark E. Russinovich and David A. Solomon

External links

MSDN on Common Log File System: http://msdn.microsoft.com/en-us/library/bb986747%28VS.85%29.aspx

Wikipedia on Common Log File System: http://en.wikipedia.org/wiki/Common_Log_File_System

Category: Logical file systems