Mobile Forensics Beginner

14 Posts
8 Users
0 Likes
697 Views
(@paulo111)
Posts: 36
Eminent Member
Topic starter
 

I have some experience analysing .E01 images of workstations but I want to improve my knowledge of mobile phone forensics. Is there any rule of thumb that details what I will and what I won't be able to get off a phone in terms of potential evidence (I have heard conflicting reviews)? Also, what software is out there to review these things, and what sorts of costs are involved?

 
Posted : 28/11/2008 4:07 pm
(@mbrown)
Posts: 27
Eminent Member
 

Hi paulo111,
You can find several threads on the forum regarding mobile forensics: http://www.forensicfocus.com/search-results?cx=partner-pub-1997641209324587%3Av26jsjw0irb&cof=FORID%3A10&ie=UTF-8&q=mobile#1261. This is also a very good blog dedicated to Mobile Phone Forensics: http://trewmte.blogspot.com/

 
Posted : 28/11/2008 4:16 pm
(@paulo111)
Posts: 36
Eminent Member
Topic starter
 

Thanks mbrown, I'll take a look when I get a chance. Are you familiar with mobiles? Can you clarify the general rule about what you will and what you won't find as evidence from an investigator's standpoint?

 
Posted : 28/11/2008 4:55 pm
(@mbrown)
Posts: 27
Eminent Member
 

Sorry paulo111. I don't really have much experience in mobile forensics. I'm sure others on the forum can help you more than I can. I'm just trying to help by pointing you to resources that may help you. Here are two more useful links:

1. Mobile Device Forensics Blog

2. BitPim - Open Source Mobile Forensics: manage data on CDMA phones from LG, Samsung, Sanyo and others

 
Posted : 28/11/2008 6:56 pm
(@jmech)
Posts: 40
Eminent Member
 

Hi Paulo,

There are software packages such as Paraben's Device Seizure, DataPilot SecureView, and BitPim which perform logical acquisitions from phones. This will generally give you the Phone Book, Call History, SMS, Photos, etc., that have not been deleted. What you get from what software depends on how compatible it is with the particular phone.

There is also a process called hex dumping, for which you need a flasher box and software. I am not that familiar with hex dumping, but my understanding is that it will give you a physical memory dump from which you may be able to recover some deleted data.

Check out http://www.e-evidence.info; they have a page on just cell phone forensic software, as well as many papers published about cell phone forensics (computer forensics too). Also take a look at the forum at http://www.phone-forensics.com; there are many members there from the UK and they could probably give you good advice on what you'll need.

The main thing to remember about phones is that there is no one forensic software product that handles every phone. You will have to do a little research to see what packages cover the most phones you will be working with.

Hope this helps and good luck!

Joe

 
Posted : 28/11/2008 7:31 pm
(@paulo111)
Posts: 36
Eminent Member
Topic starter
 

> Hi Paulo,
>
> There are software packages such as Paraben's Device Seizure, DataPilot SecureView, and BitPim which perform logical acquisitions from phones. This will generally give you the Phone Book, Call History, SMS, Photos, etc., that have not been deleted. What you get from what software depends on how compatible it is with the particular phone.
>
> There is also a process called hex dumping, for which you need a flasher box and software. I am not that familiar with hex dumping, but my understanding is that it will give you a physical memory dump from which you may be able to recover some deleted data.
>
> Check out http://www.e-evidence.info; they have a page on just cell phone forensic software, as well as many papers published about cell phone forensics (computer forensics too). Also take a look at the forum at http://www.phone-forensics.com; there are many members there from the UK and they could probably give you good advice on what you'll need.
>
> The main thing to remember about phones is that there is no one forensic software product that handles every phone. You will have to do a little research to see what packages cover the most phones you will be working with.
>
> Hope this helps and good luck!
>
> Joe

Thanks, nice to see BitPim is free.

 
Posted : 01/12/2008 6:48 pm
neddy
(@neddy)
Posts: 182
Estimable Member
 

In my prior experience (two years as a dedicated mobile phone examiner) what you see is what you get from a mobile phone device.

SIM cards can store deleted SMS messages and old call registers from previous handsets. The removable memory cards from handsets can be examined and deleted files recovered from FAT file system unallocated cluster areas.

No one tool will examine and report on all makes and models. No one methodology can be applied to all makes and models. No case tool will ever be more accurate than an accurate manual transcription of what you see when browsing through the GUI of your average mobile phone.

As for HEX-Dumping, it works, but I would hesitate to say how many examiners could explain how so, when asked.

 
Posted : 03/12/2008 3:35 am
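neddy's point that a SIM can still hold deleted SMS is worth seeing in the raw data. The following is an added example written for this thread (it is not code from any of the tools mentioned above): a Python parser for the SIM file EF_SMS, which stores text messages in fixed 176-byte records whose first byte is a status flag. Deleting a message on the handset normally just clears that flag to 0x00 and leaves the rest of the record in place until it is reused, so a record that the phone GUI reports as empty can still be decoded. The record layout follows TS 51.011 / TS 31.102 and the SMS-DELIVER TPDU follows TS 23.040; the three sample records, the numbers, the timestamp and the message text are constructed for the demonstration, the alphabet mapping covers only the part of the GSM default alphabet that coincides with ASCII, and only SMS-DELIVER with the 7-bit coding is decoded.

```python
"""Decode SIM EF_SMS records and expose residual data in 'free' records.

Constructed sample data; record layout per TS 51.011 (EF_SMS) and TS 23.040
(SMS-DELIVER TPDU).  Only SMS-DELIVER with the GSM 7-bit alphabet is handled.
"""

RECORD_LEN = 176

# Status byte of an EF_SMS record (bits 0-2 are the ones that matter).
SMS_STATUS = {
    0x00: "free (deleted or never used)",
    0x01: "received, read",
    0x03: "received, unread",
    0x05: "stored, sent",
    0x07: "stored, to be sent",
}

# Code points of the GSM default alphabet that coincide with ASCII
# (letters, digits, space, most punctuation).  Anything else is shown as '?'.
_GSM_ASCII_SAME = (set(range(0x20, 0x24)) | set(range(0x25, 0x40))
                   | set(range(0x41, 0x5B)) | set(range(0x61, 0x7B)))


def gsm7_unpack(data, septets):
    """Unpack GSM 7-bit packed user data (LSB first) into `septets` chars."""
    out, bits, nbits = [], 0, 0
    for b in data:
        bits |= b << nbits
        nbits += 8
        while nbits >= 7 and len(out) < septets:
            out.append(bits & 0x7F)
            bits >>= 7
            nbits -= 7
    return "".join(chr(c) if c in _GSM_ASCII_SAME else "?" for c in out)


def semi_octets(data, ndigits):
    """Decode swapped BCD digits (low nibble first); nibble 0xF is filler."""
    digits = []
    for b in data:
        for nib in (b & 0x0F, b >> 4):
            if nib != 0x0F:
                digits.append(str(nib))
    return "".join(digits[:ndigits])


def decode_scts(scts):
    """TP-SCTS: YY MM DD hh mm ss tz, each a swapped semi-octet pair.

    Two-digit year is assumed to be 20YY; tz is in quarter hours with the
    sign in bit 3 of the raw octet."""
    yy, mo, dd, hh, mi, ss = (semi_octets(bytes([b]), 2) for b in scts[:6])
    tz = scts[6]
    quarters = (tz & 0x07) * 10 + (tz >> 4)
    sign = "-" if tz & 0x08 else "+"
    return (f"20{yy}-{mo}-{dd} {hh}:{mi}:{ss}"
            f"{sign}{quarters // 4:02d}:{(quarters % 4) * 15:02d}")


def parse_ef_sms_record(rec):
    """Describe one 176-byte EF_SMS record, including 'free' ones with data."""
    if len(rec) != RECORD_LEN:
        raise ValueError("EF_SMS records are 176 bytes")
    status, body = rec[0], rec[1:]
    info = {"status": SMS_STATUS.get(status & 0x07, f"unknown (0x{status:02x})")}
    if all(b == 0xFF for b in body):
        info["text"] = None            # genuinely unused: nothing to recover
        return info
    if not status & 0x01:
        info["status"] += " - residual data present"
    sca_len = body[0]                  # SC address: length, TON/NPI, digits
    info["smsc"] = semi_octets(body[2:1 + sca_len], (sca_len - 1) * 2)
    p = 1 + sca_len
    if (body[p] & 0x03) != 0x00:       # TP-MTI: only SMS-DELIVER handled here
        info["text"] = None
        return info
    oa_digits = body[p + 1]
    oa_bytes = (oa_digits + 1) // 2
    info["sender"] = semi_octets(body[p + 3:p + 3 + oa_bytes], oa_digits)
    p += 3 + oa_bytes                  # now at TP-PID
    dcs = body[p + 1]
    info["timestamp"] = decode_scts(body[p + 2:p + 9])
    udl, ud = body[p + 9], body[p + 10:]
    if dcs == 0x00:
        info["text"] = gsm7_unpack(ud, udl)
    else:
        info["text"] = ud[:udl].hex()  # UCS-2 / 8-bit left as hex here
    return info


def parse_ef_sms(ef_bytes):
    """Split a raw EF_SMS dump into records and decode each one."""
    return [parse_ef_sms_record(ef_bytes[i:i + RECORD_LEN])
            for i in range(0, len(ef_bytes), RECORD_LEN)]


def _build_record(status, tpdu):
    rec = bytes([status]) + tpdu
    return rec + b"\xff" * (RECORD_LEN - len(rec))


# Constructed SMS-DELIVER: from +447700900123 via SMSC +447785016005,
# service-centre time 2008-11-28 16:07:00 UTC, text "Hello world".
SAMPLE_TPDU = bytes.fromhex(
    "07 91 44 77 58 10 06 50"           # SC address
    "04"                                # first octet: SMS-DELIVER
    "0C 91 44 77 00 09 10 32"           # originating address, 12 digits
    "00 00"                             # TP-PID, TP-DCS (7-bit default)
    "80 11 82 61 70 00 00"              # TP-SCTS
    "0B C8 32 9B FD 06 DD DF 72 36 19"  # UDL = 11 septets, packed text
)

# Record 1: live message.  Record 2: same message after deletion (status
# cleared, payload untouched).  Record 3: never used.
SAMPLE_EF_SMS = (_build_record(0x01, SAMPLE_TPDU)
                 + _build_record(0x00, SAMPLE_TPDU)
                 + _build_record(0x00, b""))

if __name__ == "__main__":
    for n, rec in enumerate(parse_ef_sms(SAMPLE_EF_SMS), 1):
        print(f"record {n}: {rec}")
```

Running it shows record 2 reported as free yet still yielding sender, SMSC, timestamp and text, which is exactly the kind of data a handset GUI (and a purely logical acquisition) will not show. The same decoder applies to a real EF_SMS dump read with a SIM reader, with the caveats in the lead-in about alphabet and message type.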
(@trewmte)
Posts: 1877
Noble Member
 

> SIM cards can store deleted SMS messages and old call registers from previous handsets. The removable memory cards from handsets can be examined and deleted files recovered from FAT file system unallocated cluster areas.

Agree, but although the examination processes for SIM/USIM are not nearly as convoluted as examining a handset, SIM/USIM requires reading twice as many Standards as for handsets to understand the files and data that reside in them.

> No one tool will examine and report on all makes and models. No one methodology can be applied to all makes and models. No case tool will ever be more accurate than an accurate manual transcription of what you see when browsing through the GUI of your average mobile phone.

Agree.

Important to check Nokia 6233 Clock against timestamps of acquired SMS text messages (discussion by a Lead Forensic Examiner):
http://trewmte.blogspot.com/2008/12/nokia-6233-clock.html

A user's experience with an unlocker ultra-thin membrane device (discussion by Technical Officer, Greater Manchester Police, UK):
http://trewmte.blogspot.com/2008/12/another-ultra-thin-membrane-device.html

> As for HEX-Dumping, it works, but I would hesitate to say how many examiners could explain how so, when asked.

Added to which is the level of accuracy with respect to attribution of data, format of data, etc. For instance, I recently looked at data said to have been recovered by hex-dumping where the data was presented in a graphics format on the PC and proffered on the basis that it could be useful evidence, and that the image was there because it was downloaded using Bluetooth.

Firstly, the manufacturer's spec for the handset indicated that the graphics format was not supported and could not be viewed through the handset GUI and, secondly, the graphics image had been received as an MMS message and subsequently deleted straightaway because of the fact it couldn't be viewed.

 
Posted : 03/12/2008 12:59 pm
PaulSanderson
(@paulsanderson)
Posts: 651
Honorable Member
 

I have been looking at hex dumps over the last few months and there is some useful information to be gained from them. It is also an area that can teach the examiner a lot about the workings of a phone.

Most of the current tools simply load a hex dump and produce a report, which teaches the examiner nothing and, IMO more importantly, does not allow the examiner to review the data behind the report to see if the report is correct.

I have written and released a tool that does allow the above, which has been received very well. There is a demo available on my web site (www.sandersonforensics.com).

 
Posted : 03/12/2008 4:05 pm
(@trewmte)
Posts: 1877
Noble Member
 

> I have written and released a tool that does allow the above, which has been received very well. There is a demo available on my web site (www.sandersonforensics.com).

I would agree, this tool is very educational and useful to have.

 
Posted : 03/12/2008 7:16 pm
Page 1 / 2