Mobile forensics question


Re: Mobile forensics question

Posted: Wed May 10, 2017 12:39 pm

- jaclaz
trewmte just proposed (a very extensive and articulated) answer to question #2, here:
www.forensicfocus.com/...1/#6588141

- trewmte
Contaminating Evidence ONE - trewmte.blogspot.co.uk...e-one.html

Contaminating Evidence TWO - trewmte.blogspot.co.uk...e-two.html


jaclaz


Thanks Jaclaz. Here is a further update in the series:

Contaminating Evidence FOUR
trewmte.blogspot.co.uk...-four.html
_________________
Institute for Digital Forensics (IDF) - www.linkedin.com/groups/2436720
Mobile Telephone Examination Board (MTEB) - www.linkedin.com/groups/141739
Universal Network Investigations - www.linkedin.com/groups/13536130
Mobile Telephone Evidence & Forensics trewmte.blogspot.com 

trewmte
Senior Member
 
 
  

Re: Mobile forensics question

Posted: Thu May 11, 2017 2:31 pm

Contaminating Evidence FIVE

trewmte.blogspot.co.uk...-five.html

trewmte
Senior Member
 
 
  

Re: Mobile forensics question

Posted: Sun May 14, 2017 12:00 pm

Contaminating Evidence SIX

trewmte.blogspot.co.uk...e-six.html

trewmte
Senior Member
 
 
  

Re: Mobile forensics question

Posted: Mon May 15, 2017 6:05 am

- aco0008


2. What would you do if presented with an exhibit bag containing a mobile phone (which cannot be fully accessed without a SIM Card) and a SIM Card (which was not inserted and may/may not be associated with the device) separately and what could the effects be if the SIM Card was inserted into the mobile phone?

3. What methods could be applied to prevent network connection to a device?

4. If a device was not seized in the correct manner (e.g.: a battery was removed) what could be affected on the device in question? or if the device was turned on/activated with a memory card inserted, what would the effects be?

5. If the connection port is damaged/missing, what would you do? what alternative methods could be used to obtain the notable data?

6. What data extraction method would you apply if the points to prove for the case was focused on obtaining deleted data? what alternative methods could you use to carve for deleted pictures files etc?

2. Software such as UFED 4PC can extract devices that require a SIM card without the SIM card being put into the device, in which sometimes a physical, file-system and even logical extraction is possible. Sometimes, you can even get an extraction using Bluetooth using UFED.
If none of these is at your disposal then continue reading.

3. Faraday bags can prevent network connection, but I'm not sure if you can then access the device because it would have to be sealed, then there's these things,

www.teeltech.com/mobil...usb-pouch/
www.teeltech.com/mobil...te3000fav/

gotta loveee technology these days eh. This way you can manually look at the data and report what you see in an evidential manner.

4. It depends, usually battery removal doesn't do anything, unless something was being done at that time with the phone, so let's say a file transfer to something else, in which you may lose to who and what was being transferred, other than that not such a big deal.
If a memory card is inserted, you have to know if it is the device owner's card or not, or you will be confused as to who it belongs to, which can lead to a wrong investigation, BUT if it is the target's phone's memory card, then all round better for you since, you are now capable of retrieving more data, because in most cases, a memory card would be used for the transfer of some sort of data. This can later be ripped, by either using FTK to get an E01 file which would be the best thing to do, to make sure you get the most out of the memory card.

5. If the connection port is damaged, and you have no experience in repairing or replacing it, then if you're allowed, go to a mobile phone repair shop and request to repair the connection port.
Now, a VERY advanced method of obtaining data would be JTAG or Chip off, which would require you to attach specific cables to specific areas of the device's board, to retrieve a full on Physical Dump of the phone, which can be later parsed using commercial software out there, some of the best would be Magnet IEF / Axiom, you can even get some free software out there but it would require a lot of work to get through.

6. Mainly, physical extractions have the best amount of data, new and deleted on there, since it's an image file of the entire device, whence carved, it brings back a whole lot of good stuff. A File System Extraction would also be decent. If you were to recover SD card data, then as I said an FTK E01 would be enough for the job. If it is the device and you want to recover content on there, then software such as UFED 4PC is needed, or would do the best for the job!

Hope I could be of any help, UFED 4PC which is made by Cellebrite, does an outstanding job of ripping all sorts of smartphones, so personally I just rely on that to get the job done when it comes to phones...
_________________
Digital Forensics is an Exact science, not the procedures, but the results. 

Vesalius
Senior Member
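
Answer 6 above mentions carving a physical image for deleted pictures. As an added illustration that is not part of the thread or of any tool named in it, this Python sketch carves JPEGs from a raw dump by walking the segment structure, so the end marker of an embedded Exif thumbnail does not truncate the recovered file. The function names and the sample bytes are constructed for the example.

```python
import hashlib

def _next_marker(buf, pos):
    """Skip entropy-coded scan data; return the offset of the next real marker."""
    while True:
        pos = buf.find(b"\xff", pos)
        if pos < 0 or pos + 1 >= len(buf):
            return None
        if buf[pos + 1] == 0x00 or 0xD0 <= buf[pos + 1] <= 0xD7:
            pos += 2                      # stuffed FF00 or restart marker: still scan data
        else:
            return pos

def jpeg_end(buf, start):
    """Walk segments from the SOI at `start`; return the offset past EOI, else None."""
    pos = start + 2
    while pos is not None and pos + 1 < len(buf):
        if buf[pos] != 0xFF:
            return None                   # no marker where one is required: not a JPEG
        marker = buf[pos + 1]
        if marker == 0xD9:                # EOI
            return pos + 2
        if marker == 0xFF:                # fill byte
            pos += 1
        elif marker == 0x01 or 0xD0 <= marker <= 0xD7:
            pos += 2                      # standalone markers carry no length field
        else:
            seglen = int.from_bytes(buf[pos + 2:pos + 4], "big")
            if seglen < 2:
                return None
            pos += 2 + seglen             # jumps over APPn payloads, thumbnails included
            if marker == 0xDA:            # SOS: compressed data follows the scan header
                pos = _next_marker(buf, pos)
    return None

def carve_jpegs(buf):
    """Return [(start, end, sha256_hex)] for each structurally complete JPEG in buf."""
    hits, pos = [], 0
    while (pos := buf.find(b"\xff\xd8\xff", pos)) >= 0:
        end = jpeg_end(buf, pos)
        if end:
            hits.append((pos, end, hashlib.sha256(buf[pos:end]).hexdigest()))
        pos = end or pos + 2
    return hits

# Constructed sample: zero fill, a JPEG-shaped record with an Exif thumbnail, a cut-off header.
THUMB = b"\xff\xd8\xff\xdb\x00\x02\xff\xd9"
PHOTO = b"\xff\xd8\xff\xe1\x00\x10Exif\x00\x00" + THUMB + b"\xff\xda\x00\x02\x12\xff\x00\x34\xff\xd9"
SAMPLE = b"\x00" * 100 + PHOTO + b"\xaa" * 50 + b"\xff\xd8\xff\xe0\x00\x10JFIF"
```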