Robert Morris University Limitations to Mobile Forensics Discussion And Responses

Read Chapters 9 & 10


For this assignment, you must reply to this post and address the questions below, prior to 11:59 p.m. ET on Thursday, February 18th. Continue to follow your classmates’ posts for the remainder of the week and post follow-up messages to at least two of your classmates’ posts prior to 11:59 p.m. ET on Sunday, February 21st. Your follow-up posts can add additional insight to a classmate’s opinions or can challenge their opinions. Use examples from the readings, or from your own research, to support your views, as appropriate. For your follow-up posts this week, you may wish to visit a couple of the web sites contributed by your classmates and share your opinion of these sites with the class. Be sure to read the follow-up posts to your own posts and reply to any questions or requests for clarification. You are encouraged to conduct research and use other sources to support your answers. Be sure to list your references at the end of your post. References must be in APA citation format. All posts must be a minimum of 250-300 words. All follow-up posts to your classmates must be a minimum of 150 words for each required post. Peer responses posted after 11:59 pm on Sunday evenings will not be accepted or calculated into the weekly forum grade.

Discussion Grading Rubric (100 Points)
- Synthesis of Concepts: 55
- Clear Citations using APA format: 10
- Writing Standards: 10
- Peer Reviews (minimum of 2; responses posted after the current week will not be accepted): 25
- Timeliness: 10% penalty per week for late work


1. Research the limitations to mobile forensics. (HINT: look at the new iPhone and Android.) Please discuss the limitations to forensics investigators in regard to the new and old models. What will investigators need to do in order to retrieve information/evidence from the device?

Student 1:

NATHANIEL MEREDITH

Week 6 Discussion

Mobile forensics covers a wide array of products, not just mobile phones. This can make a mobile investigator’s job quite difficult at times, as there are a wide array of products to deal with. Not only this, but mobile products are actively upgraded and improved, especially in security and encryption capabilities. This can limit how much information a mobile investigator can pull from a mobile device. An article from MSAB summarizes the concept fairly well: “Extracting data from unlocked smartphones is a relatively straightforward task. But accessing locked devices can prove challenging. Manufacturers are developing password and encryption schemes that make it practically impossible for law enforcement agents to access the data” (Eichbaum, 2019). Eichbaum continues by explaining that almost as soon as a vulnerability is found, it is almost immediately patched. This means most new phone models can be tough to crack open. However, there are software and hardware tools that can assist in dumping raw data from the device, thus bypassing some security protocols (Eichbaum, 2019). This continual improvement and push to find vulnerabilities and alternative methods of accessing new phone data will ensure that law enforcement can continue to analyze seized phone data. On the other hand, some older phone models are still in use and are no longer actively updated. This means any vulnerabilities that are found may not be patched and therefore give law enforcement a way to extract information from these devices. With the use of these older devices comes the issue that fewer people are focusing on ways to extract data from them. Some of these phones, like feature phones, have unique ways of storing data. “In order to handle such phones, law enforcement members need proper training to ensure safe preservation of the extracted data” (Eichbaum, 2019).
Overall, mobile forensic investigators will see many more limitations when compared to other digital forensic fields due to the large variety in devices and the active update capabilities that come with them.

References:

Eichbaum, J. (2019, October 31). Five continual challenges with smartphone forensics. MSAB. Retrieved from https://www.msab.com/2019/09/09/five-continual-cha…

Reiber, L. (2016). Mobile forensic investigations: A guide to evidence collection, analysis, and presentation. New York, New York: McGraw-Hill Education.

Student 2:

ADRIAN OLIVERIO

Week 6 Discussion

Advancements in technology have become both beneficial and hurtful to mobile forensics. On one hand, the amount of data that can be recovered from devices nowadays is massively more incriminating than that of old devices with fewer features. On the other hand, new obstacles have been created for investigators. “One of the biggest forensic challenges when it comes to the mobile platform is the fact that data can be accessed, stored, and synchronized across multiple devices. As the data is volatile and can be quickly transformed or deleted remotely, more effort is required for the preservation of this data. Mobile forensics is different from computer forensics and presents unique challenges to forensic examiners” (Mahalik & Tamma, 2016). New phones such as the new Samsung or the new iPhone are starting to use cloud storage as the primary storage location for certain files. This can be beneficial to users because they can access those files anywhere on many different devices, but for investigators it creates another layer that they have to gain access to so they can obtain the data.

Other limitations or obstacles include differences in hardware and software between devices, mobile platform security features such as two-factor authentication, and the possibility of anti-forensic techniques on the devices. The differences in hardware and software make it so investigators have to have a broad knowledge base on how to analyze all of the different hardware and software utilized in mobile technology. Two-factor authentication can also be a burden to investigators because it creates an extra layer that investigators will have to get past. This could slow down an investigation or lead to investigators not getting the evidence altogether. Lastly, “Anti-forensic techniques, such as data hiding, data obfuscation, data forgery, and secure wiping, make investigations on digital media more difficult” (Mahalik & Tamma, 2016).

In order to capture all of the evidence behind the obstacles mentioned above, investigators need to be prepared. They need to have knowledge of all of the different cloud locations and how to access them in situations where they are unable to obtain the data from the mobile device. They also need to be aware of the two-factor authentication methods used. They will have to either gain access to the person’s authentication account or get a warrant to serve the company who handles the 2FA. Finally, they also have to be vigilant in looking for any anti-forensic techniques and preventing future issues like remote data wipes.

Reference:

Mahalik, H., & Tamma, R. (2016, April 25). Mobile forensics and its challenges. Packt Hub. Retrieved from https://hub.packtpub.com/mobile-forensics-and-its-…

Challenges in Mobile Phone Forensics

Kyle D. Lutes, Associate Professor, Mobile Computing Lab, kdlutes@purdue.edu
Richard P. Mislan, Assistant Professor, Cyber Forensics Lab, rmislan@purdue.edu
Computer & Information Technology, Purdue University
ABSTRACT
As ubiquitous societal components, mobile (or cellular) telephones continue to become increasingly prevalent. With a shrinking footprint and a seemingly ever-increasing storage capacity, these devices can be warehouses of information about our daily lives. Just as mobile phones permeate our social fabric, they are also becoming more and more crucial as evidentiary devices in civil and criminal investigations. Thus, our law enforcement, intelligence and private investigation communities are grasping for ways to get evidence off each and every mobile device. Some tools and techniques exist for such investigative work; however, there is not yet one good solution. The various manufacturers, models, operating systems, protocols, and cables lead to a combinatorial explosion that leaves most criminal investigators grasping for a cohesive solution.
During a recent project funded by a National Institute of Justice Electronic Crimes Research grant, we experienced these challenges first hand. In this paper, we summarize the issues facing both the criminal investigators hoping to recover evidence from these mobile phone devices and the technology vendors who are working to develop automated tools to aid the investigators.
Keywords: mobile phones, computer forensics, mobile forensics, pervasive computing
1. RELEVANCE
Mobile phones became part of our world in the 1980s with the introduction of so-called “bag and brick” phones. The usage of mobile phones has since skyrocketed due to reduced cost and the introduction of text messaging features, which launched commercially in 1995. Several key factors that have made the mobile phone so pervasive include the introduction of pre-paid phones on second generation networks and the fact that there are over 243.4 million subscribers who can send and receive text messages [6]. By June 2005, an estimated 7.2 billion text messages were exchanged in the US each month, and by 2007 the number had climbed to 28.8 billion text messages per month [6]. Other reasons for increased usage of mobile phones include custom ring tones, Internet connectivity, multimedia messaging services, music and video capabilities, games, cameras, and other features.
2. MOBILE PHONE FORENSICS
As daily life and business moves at the speed of electrons through the air, most civil and criminal investigations involve some sort of digital element. As mobile phones become so ubiquitous and play such a large societal role [9], there is a high probability that these same devices will be part of those investigations. There are four ways in which a mobile phone can be tied to a crime:
- It can be used as a communication tool in the process of committing a crime.
- It can be a storage device providing evidence of a crime.
- It can contain victim information.
- It can be a means of committing a crime.
Today’s criminal investigators must be familiar with mobile phones and understand the intricacies of mobile phone forensics, that is, acquiring and analyzing the data on the device, attached SIM cards, and any memory cards. These procedures are well documented and should be adhered to in the forensic acquisition and analysis of mobile phone data [1, 2, 3, 4, 5, 10, 11, 12, 18]. However well documented the procedures are, it is well known that there is currently no one examination facilitation tool (hardware or software) that is universally used or recommended to remove the data from each and every mobile phone [17].
Mobile phones can yield an abundance of information. The most obvious kinds of data that can be retrieved from a phone are call logs, contact lists, and text messages. However, in an investigation, other features of a modern mobile phone, such as ring tones, T9 dictionaries, canned responses, video files, still image files, calendar events, miscellaneous documents and data files, and location information, can also provide valuable clues. Given the variety of types of information available, it is imperative to examine every single one with utmost precision, especially since it is often possible, with the use of specialized tools, to recover deleted information.
3. CURRENT CHALLENGES
Knowing the importance of the forensics of mobile phone devices, it is essential to understand the current known challenges facing investigators. Using funding from the National Institute of Justice Electronic Crimes Research grant, a survey of the current mobile phone landscape produced six general categories of challenges: 1) carriers and manufacturers, 2) data preservation, 3) power and data connectors, 4) operating systems and communication protocols, 5) security mechanisms, and 6) unique data formats. The following is a description of these challenges.
Carriers and Manufacturers
In an investigation of a mobile phone, the first action must be the identification of the phone. Given that there are multiple network carriers (at least seventeen in the US alone) and device manufacturers (over thirty in the US), identifying a phone by sight alone is extremely difficult even for trained investigators [8]. A given model from a single hardware manufacturer may be marketed under many different names by the various carriers. A good example of this is the recently popular Motorola RAZR, which is marketed under at least 24 different product names. Often it is not until an investigator removes the device’s battery and reads the label beneath it that the true hardware model can be determined, but removing the battery can cause the phone to lose the information stored in volatile memory or, even worse, force a handset lock code on power-up.
Data Preservation
For a mobile phone investigation, it is important to prevent the device from receiving any further data or voice communication. As text messages are stored in a “First In, First Out” order, any new incoming text messages could delete older stored text messages. Likewise, incoming calls could erase call history logs, and some devices (such as the RIM BlackBerry) can be wiped of all data remotely if not protected from incoming communications. Therefore, upon initial acquisition, these mobile phones must be placed in some sort of wireless preservation container. Multiple technologies can be used for this with various levels of success. These tools range from three layers of common aluminum foil, to a tri-weave mesh material shield of nickel, silver, and copper [14], to an anodized aluminum shielded enclosure made to isolate wireless devices from radio frequencies [15]. A handset that is shielded but still powered on will keep searching for a network and typically raises its transmit power while doing so, draining the battery faster; isolation and the power problem discussed next therefore have to be managed together.
Power and Data Connectors
Another challenge facing investigators is how to preserve power to the phone. If left unplugged for a long enough period of time, a phone’s battery will eventually lose all power. Because many mobile phones store information in volatile memory, a complete loss of power may mean a loss of information, and thus a loss of crucial evidence. Therefore, it is desirable to keep a phone in a charging state. Frustratingly, there is currently no standard for the power requirements of mobile phones.
This lack of power standards is compounded by the fact that there is also no standard for cable connectors. There are literally hundreds of different mobile phone power connectors currently in use. So even if two phones require the same voltage to remain charged, they will likely not have compatible power connectors.
One group, the OMTP (Open Mobile Terminal Platform), hopes to reduce the number of connectors by recommending that the micro-USB standard be adopted across the mobile industry [16]. Even though criminal investigators, and end consumers for that matter, would benefit from such a standard, it is unlikely to happen any time soon, as hardware manufacturers are constantly changing designs and will employ whichever connector type helps them achieve their design goals.
Operating Systems and Communication Protocols
Another challenge impeding the development of forensic tools is the variety of operating systems used on mobile phones. Mobile phones have evolved into full-fledged computing platforms, requiring vendors to use sophisticated operating systems so that various software applications can run on them. Several of the common operating systems include RIM’s BlackBerry OS, iDEN, Palm OS, Symbian, Windows Mobile, Macintosh OS X, and various versions of the Linux open-source operating system. Some operating systems are also proprietary to the hardware manufacturer. For example, Nokia has the ISA platform for its Series 30 and 40 phones.
The challenge of having all these operating systems is knowing which protocols to use for communication between the evidentiary mobile phone and the forensic investigator’s computer. Some of the more well-known data communication protocols currently in use are AT, BREW, FBUS, IrMC, MBUS, OBEX, and SyncML [4, 13]; which of them are available is highly dependent on the operating system and on restrictions imposed by each carrier.
Often proprietary, sometimes very cryptic, and hardly ever documented [19], these protocols can be used to retrieve information from a mobile phone such as its make and model, telephone number, software revisions, serial number, call logs, contacts, text messages, ring tones, videos, images, and other important pieces of data. Unfortunately, almost every phone implements a different flavor of each of these protocols, seemingly never responding to the same commands in the same way. Worse still, several operating systems require the examiner to first copy program files (an agent) directly to the device in order to open a communications channel so that critical evidence can be retrieved. However, the mere act of copying data to a mobile phone has the potential to overwrite evidence, including deleted data that might otherwise have been recoverable.
One more note should be made about how protocols may sometimes change data. For example, in some phones, using the built-in protocols to access messages in the message store will mark a message as read even if the user has never seen it. This need to access information on the phone, even when doing so changes the state of the phone, should be seriously considered, and any such change should be documented before it is made. In some cases, evidence retrieved from a phone in a way that required changing information on the phone cannot be used in a court of law [8].
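As an added example, not code from the paper, the following Python parses the text-mode reply to the 3GPP TS 27.005 AT+CMGL command (the AT protocol named above) and records which messages the listing itself will have flipped from “REC UNREAD” to “REC READ”. The modem reply, phone numbers and time stamps are constructed samples, not captures from a real handset.

```python
"""Parser for text-mode SMS listings (3GPP TS 27.005 AT+CMGL).

Added example, not code from the paper above.  The modem reply below is a
constructed sample; the numbers and time stamps are made up.  The point for an
examiner is in the last two functions: on handsets that follow TS 27.005,
listing or reading a message whose status is "REC UNREAD" changes the stored
status to "REC READ", so the first listing is the only record of the state the
phone was in when seized and must be captured and noted before anything else.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample reply to AT+CMGL="ALL" with AT+CMGF=1 (text mode).
# Each message is a "+CMGL:" header followed by its body, which may span
# several lines; the reply ends with a final result code ("OK").
SAMPLE_RESPONSE = (
    '+CMGL: 1,"REC UNREAD","+15550100",,"07/09/10,14:22:05+00"\r\n'
    "meet at the usual place\r\n"
    '+CMGL: 2,"REC READ","+15550199",,"07/09/09,08:01:44+00"\r\n'
    "first line\r\n"
    "second line of the same message\r\n"
    '+CMGL: 3,"STO SENT","+15550100",,\r\n'
    "ok\r\n"
    "OK\r\n"
)

# +CMGL: <index>,<stat>,<oa/da>,[<alpha>],[<scts>]   (text mode)
HEADER_RE = re.compile(
    r'^\+CMGL:\s*(?P<index>\d+),"(?P<stat>[^"]*)","(?P<addr>[^"]*)",'
    r'(?:"(?P<alpha>[^"]*)")?,(?:"(?P<scts>[^"]*)")?\s*$'
)


@dataclass
class SmsRecord:
    index: int
    status: str        # REC UNREAD, REC READ, STO UNSENT or STO SENT
    address: str       # originating address (received) or destination (stored)
    timestamp: str     # service-centre time stamp; empty for stored messages
    body: str = ""


def parse_cmgl(response: str) -> List[SmsRecord]:
    """Turn the raw reply into records; body lines are joined with '\\n'."""
    records: List[SmsRecord] = []
    current: Optional[SmsRecord] = None
    body: List[str] = []

    def close() -> None:
        if current is not None:
            current.body = "\n".join(body)
            records.append(current)

    for line in response.splitlines():
        m = HEADER_RE.match(line)
        if m:
            close()
            current = SmsRecord(int(m["index"]), m["stat"], m["addr"], m["scts"] or "")
            body = []
        elif line in ("OK", "ERROR") or line.startswith("+CMS ERROR:"):
            close()                # final result code ends the listing
            current, body = None, []
        elif current is not None and line:
            body.append(line)
    close()                        # reply cut off before the final result code
    return records


def status_after_listing(records: List[SmsRecord]) -> Dict[int, str]:
    """Status each message will report on the next listing.

    TS 27.005 says listing a 'received unread' message changes its stored
    status to 'received read'; no other status is touched.
    """
    return {r.index: ("REC READ" if r.status == "REC UNREAD" else r.status) for r in records}


def preservation_notes(records: List[SmsRecord]) -> List[str]:
    """Contemporaneous note of every status the listing itself changed."""
    return [f"message {r.index} from {r.address} was REC UNREAD at seizure; "
            f"listing via AT+CMGL changed it to REC READ"
            for r in records if r.status == "REC UNREAD"]
```

Run the listing once, keep the raw reply and the notes with the case record, and only then proceed to content analysis. Whether a particular handset really changes the status (and whether a body line that happens to read exactly “OK” would confuse this parser) is something to confirm on an exemplar device of the same model before the evidence phone is touched.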
Security Mechanisms
There are several security mechanisms used on mobile phones to protect data. These range from manufacturer or user handset locks to SIM card PINs and PUKs [20]. Whichever type of security is employed, the implications differ depending on the make and model of the device. Many mobile phones have a handset lock code that is either set by the manufacturer (Motorola – 000000, Nokia – 1234), derived from the last four digits of the current phone number, or set by the user, which is even more problematic. The handset lock is normally activated upon power-up, which presents a problem for examiners who must attempt to investigate a phone that was found or seized in a powered-off state.
One of the most heavily used network technologies the world over is the Global System for Mobile Communications (GSM). Most GSM phones contain a SIM card, which holds a lightweight processor chip and a small amount of non-volatile memory. In GSM phones, the SIM card is used as a storage device for subscriber-related data. The only purpose of the SIM’s processor is to implement the access mechanism and security features. The physical and logical properties of the access mechanism are defined in the GSM specifications [7].
A physical connection can be made by mounting the SIM in a standard smart-card reader attached to a typical PC. Software running on the PC is necessary to logically access the SIM, since it is the software that implements the GSM SIM access mechanism. The contents of the SIM card are organized as a series of files containing binary data that can be transferred to a PC once the user has authenticated with a PIN and/or PUK code.
A PIN (Personal Identification Number) is usually required to gain access to the SIM, unless the user has deactivated it. Since the phone cannot be used without access to the SIM, this number must be entered whenever the phone is turned on. If the user fails to enter a valid PIN in three attempts, the card becomes blocked, and the user must instead enter an 8-digit code, called a PUK (Personal Unblocking Key), to reopen it. If the user fails to enter the correct PUK after ten attempts, the card becomes permanently blocked and cannot be reopened. For an examiner this means the PIN must never be guessed at: three wrong entries block the card, and the only way forward is then the PUK.
PINs for a card can be changed and deactivated by the user. The PUKs are fixed and cannot be changed. Since the PUK is fixed, the network operator usually keeps track of the PUKs for all of its users. Therefore, the investigator can almost always gain access to a SIM card by asking the network operator for the correct PUK. It might, however, be more efficient to ask the owner of the phone to provide the correct PIN or PUK codes. During searches, the PUK might also be recovered, since phone owners sometimes keep the PUK in writing in case they forget the PIN [20].
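To make the PIN/PUK counters concrete, here is an added example (not code from the paper, and not a driver for any real card-reader library) that models the GSM 11.11 VERIFY CHV and UNBLOCK CHV commands and the card’s retry counters in Python. The SimCard class is a constructed simulation of the card side; the APDU layout and status words follow GSM 11.11 [7], while the PIN 4321 and PUK 12345678 are made up. It shows why an examiner must not guess: three wrong PINs block the card, the correct PIN is then refused too, and only the operator-supplied PUK reopens it.

```python
"""Simulation of the GSM 11.11 CHV (PIN) / UNBLOCK CHV (PUK) access mechanism.

Added example, not code from the paper above and not a driver for a real card
reader: SimCard is a constructed model of the card-side state machine so the
retry-counter behaviour can be exercised offline.  The APDU layout (CLA A0;
INS 20 VERIFY CHV; INS 2C UNBLOCK CHV) and the status words 90 00, 98 04 and
98 40 follow GSM 11.11; the PIN and PUK values are made up.
"""
from dataclasses import dataclass
from typing import List, Tuple

CLA_GSM = 0xA0
INS_VERIFY_CHV = 0x20
INS_UNBLOCK_CHV = 0x2C
CHV1 = 0x01                               # P2 of VERIFY CHV selecting CHV1 (the SIM PIN)

SW_OK = (0x90, 0x00)                      # command successful
SW_FAILED_ATTEMPTS_LEFT = (0x98, 0x04)    # wrong code, at least one attempt left
SW_BLOCKED = (0x98, 0x40)                 # wrong code and no attempt left, or already blocked
SW_WRONG_LENGTH = (0x67, 0x00)
SW_WRONG_CLASS = (0x6E, 0x00)
SW_UNKNOWN_INS = (0x6D, 0x00)

CHV_ATTEMPTS = 3                          # consecutive wrong PINs before the CHV is blocked
UNBLOCK_ATTEMPTS = 10                     # consecutive wrong PUKs before the SIM is dead


def encode_code(code: str) -> bytes:
    """CHV and UNBLOCK CHV values: 4-8 ASCII digits, padded with 0xFF to 8 bytes."""
    if not code.isdigit() or not 4 <= len(code) <= 8:
        raise ValueError("code must be 4 to 8 decimal digits")
    return code.encode("ascii").ljust(8, b"\xff")


def verify_chv_apdu(pin: str) -> bytes:
    """VERIFY CHV: A0 20 00 01 08 followed by the 8-byte CHV1."""
    return bytes([CLA_GSM, INS_VERIFY_CHV, 0x00, CHV1, 0x08]) + encode_code(pin)


def unblock_chv_apdu(puk: str, new_pin: str) -> bytes:
    """UNBLOCK CHV: A0 2C 00 00 10 followed by 8-byte UNBLOCK CHV1 and 8-byte new CHV1."""
    if len(puk) != 8:
        raise ValueError("PUK is always 8 digits")
    return (bytes([CLA_GSM, INS_UNBLOCK_CHV, 0x00, 0x00, 0x10])
            + encode_code(puk) + encode_code(new_pin))


@dataclass
class SimCard:
    """Constructed card-side model: holds the secrets and the two retry counters."""
    chv1: bytes
    unblock_chv1: bytes
    chv1_attempts_left: int = CHV_ATTEMPTS
    unblock_attempts_left: int = UNBLOCK_ATTEMPTS
    chv1_verified: bool = False

    def transmit(self, apdu: bytes) -> Tuple[int, int]:
        """Handle one command APDU and return the status word (SW1, SW2)."""
        cla, ins, _p1, p2, p3 = apdu[:5]
        data = apdu[5:]
        if cla != CLA_GSM:
            return SW_WRONG_CLASS
        if len(data) != p3:
            return SW_WRONG_LENGTH
        if ins == INS_VERIFY_CHV and p2 == CHV1:
            return self._verify(data)
        if ins == INS_UNBLOCK_CHV and p2 == 0x00:
            return self._unblock(data[:8], data[8:])
        return SW_UNKNOWN_INS

    def _verify(self, presented: bytes) -> Tuple[int, int]:
        if self.chv1_attempts_left == 0:
            return SW_BLOCKED                       # blocked: even the right PIN is refused
        if presented == self.chv1:
            self.chv1_attempts_left = CHV_ATTEMPTS  # counter resets on success
            self.chv1_verified = True
            return SW_OK
        self.chv1_attempts_left -= 1
        return SW_FAILED_ATTEMPTS_LEFT if self.chv1_attempts_left else SW_BLOCKED

    def _unblock(self, puk: bytes, new_pin: bytes) -> Tuple[int, int]:
        if self.unblock_attempts_left == 0:
            return SW_BLOCKED                       # permanently blocked SIM
        if puk == self.unblock_chv1:
            self.chv1 = new_pin                     # PUK also sets a fresh PIN
            self.chv1_attempts_left = CHV_ATTEMPTS
            self.unblock_attempts_left = UNBLOCK_ATTEMPTS
            self.chv1_verified = True
            return SW_OK
        self.unblock_attempts_left -= 1
        return SW_FAILED_ATTEMPTS_LEFT if self.unblock_attempts_left else SW_BLOCKED


def guessing_then_puk() -> List[Tuple[int, int]]:
    """An examiner tries common default codes on a SIM whose PIN is 4321, then uses the PUK."""
    card = SimCard(chv1=encode_code("4321"), unblock_chv1=encode_code("12345678"))
    log = [card.transmit(verify_chv_apdu(guess)) for guess in ("0000", "1234", "1111")]
    log.append(card.transmit(verify_chv_apdu("4321")))               # correct PIN, but too late
    log.append(card.transmit(unblock_chv_apdu("12345678", "4321")))  # PUK from the operator
    return log


def puk_exhaustion() -> Tuple[int, int]:
    """Ten wrong PUKs kill the SIM for good; the right PUK afterwards is refused."""
    card = SimCard(chv1=encode_code("4321"), unblock_chv1=encode_code("12345678"))
    for _ in range(UNBLOCK_ATTEMPTS):
        card.transmit(unblock_chv_apdu("00000000", "0000"))
    return card.transmit(unblock_chv_apdu("12345678", "4321"))
```

A real card reports the remaining attempts in the STATUS response, so the first thing to do with a seized SIM in a reader is to read that counter, not to present a code; if it already shows zero CHV attempts left, the owner has exhausted them and the PUK is the only route.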
Even after gaining access to the data on the mobile phone, an additional barrier may be present. Data stored in files on mobile devices are sometimes stored in an encrypted form using proprietary encryption algorithms. This encryption can make understanding the data much more difficult or even impossible without help from the hardware or operating system vendor.
Unique Data Formats
Assuming that the carrier and manufacturer of a phone can be identified, that the phone can be protected from wireless activity, that the correct power and data connector wiring can be found, and that the information is not stored encrypted, it is then theoretically possible to retrieve information from the phone. However, one more obstacle remains. As with the other components that make up a modern mobile phone, there is neither a standard format nor a standard location for much of the information desired by an investigator.
Data files might be stored in several places. As mentioned earlier, some information can be stored in the memory located on the phone’s SIM card. Mobile phone hardware also contains memory that is either volatile (RAM, which requires an electrical charge to retain information) or non-volatile (typically flash, which retains information without an electrical charge). Investigators and makers of forensic software need to be aware that information might be hiding in all these types of memory.
Many mobile phones also contain read-only memory (ROM). However, ROM is typically used to store the phone’s operating system and is not easily changed by the end user. Because the contents of ROM are not easily changed, the files stored there are likely of little interest to an investigator.
Textual information such as telephone numbers, address books, email messages, and text messages is stored using proprietary file formats. Makers of forensic software tools need to be aware of these formats so they can write software that converts these files into information easily understood by humans. An exception to these proprietary file formats is image and video files, which are typically stored in common JPEG and MPEG formats.
4. CONCLUSIONS
Modern mobile telephones are now ubiquitous in our society and have evolved into full-fledged computing platforms. Thus they are also becoming more and more crucial as evidentiary devices in civil and criminal investigations. Mobile phones can yield an abundance of information including call logs, contact lists, text messages, ring tones, T9 dictionaries, canned responses, video files, still image files, calendar events, miscellaneous documents and data files, and location information. However, there is no one tool for investigators to use to retrieve evidence from these devices so that it can aid in investigations.
The most likely deterrents to a vendor of forensic tools creating one single solution are: the number of carriers and hardware manufacturers; the challenge of preventing a phone from receiving incoming messages while at the same time keeping it powered; the hundreds of electrical and data connectors currently in use; the many operating systems and communication protocols being used; the security mechanisms in place on some phones; and the unique data formats used by vendors for storing relevant information.
5. REFERENCES
[1] Association of Chief Police Officers/National Hi-Tech Crime Unit. (n.d.). The Principles of Computer Based Electronic Evidence. Retrieved September 12, 2007 from http://www.acpo.police.uk/asp/policies/Data/gpg_computer_based_evidence_v3.pdf
[2] Ayers, R., Jansen, W., Cilleros, N., Daniellou, R. (2006). An Overview of Cell Phone Forensic Tools. Retrieved on Sept. 10, 2007 from http://www.techsec.com/TF-2006PDF/TF-2006-RickAyers-MobileForensicsTechnoForensics.pdf
[3] Ayers, R., Jansen, W., Cilleros, N., Daniellou, R. (2006). Cell Phone Forensic Tools: An Overview and Analysis. Retrieved on Sept. 12, 2007 from http://csrc.nist.gov/publications/nistir/nistir-7250.pdf
[4] Ayers, R., Jansen, W., Moenner, L., Delaitre, A. (2007). Cell Phone Forensic Tools: An Overview and Analysis Update. Retrieved on Sept. 10, 2007 from http://csrc.nist.gov/publications/nistir/nistir-7387.pdf
[5] Ayers, R. P., Jansen, W. A. (2006). Forensic Software Tools for Cell Phone Subscriber Identity Modules. Association of Digital Forensics, Security and Law, April 20-21, 2006, Las Vegas, NV.
[6] CTIA. (June 2007). Wireless Quick Facts Mid-Year Figures. Retrieved on Sept. 10, 2007 from http://ctia.org/media/industry_info/index.cfm/AID/10323
[7] ETSI (1995). Digital cellular telecommunications system (Phase 2+); Specification of the Subscriber Identity Module – Mobile Equipment (SIM – ME) interface (GSM 11.11). Retrieved Sept. 10, 2007 from http://www.ttfn.net/techno/smartcards/gsm11-11.pdf
[8] Gratzner, V., Naccache, D., Znaty, D. (2006). Law Enforcement, Forensics and Mobile Communications. Retrieved on Sept. 10, 2007 from http://www.cl.cam.ac.uk/~fms27/persec2006/goodies/2006-Naccache-forensic.pdf
[9] Hylton, H. (2007). What Your Cell Phone Knows About You. Time. Retrieved on September 1, 2007 from http://www.time.com/time/health/article/0,8599,1653267,00.html
[10] International Organization on Computer Evidence (2000). Good Practices for Seizing Electronic Devices – Mobile Telephones. Retrieved September 12, 2007 from http://www.ioce.org/fileadmin/user_upload/2000/ioce%202000%20electronic%20devices%20good%20practices.doc
[11] Interpol Mobile Phone Forensic Tools Sub-Group. (2006). Good Practice Guide for Mobile Phone Seizure & Examination. Retrieved September 12, 2007 from http://www.holmes.nl/MPF/Principles.doc
[12] Jansen, W., Ayers, R. (2007). Guidelines on Cell Phone Forensics. NIST Special Publication 800-101. Retrieved Sept. 10, 2007 from http://csrc.nist.gov/publications/nistpubs/800-101/SP800-101.pdf
[13] McCarthy, P. (2005). Forensic Analysis of Mobile Phones. Retrieved Sept. 10, 2007 from http://esm.cis.unisa.edu.au/new_esml/resources/publications/forensic%20analysis%20of%20mobile%20phones.pdf
[14] Paraben. (n.d.). Paraben’s Wireless StrongHold Bag. Retrieved on September 20, 2007 from http://www.parabenforensics.com/catalog/product_info.php?products_id=173&osCsid=45231cbd175b01532932e348deac741f
[15] Ramsey Electronics. (n.d.). STE3000B – RF Shielded Test Enclosure. Retrieved on September 20, 2007 from http://www.ramseyelectronics.com/cgi-bin/commerce.exe?preadd=action&key=STE3000B
[16] Ray, B. (2007). One plug to rule them all. The Register. Retrieved on September 21, 2007 from http://www.theregister.co.uk/2007/09/21/omtp_data_standard/
[17] Robinson, G., Smith, G. (2001). Evidence from mobile phones. The Legal Executive. Journal of the Institute of Legal Executives. Retrieved on September 12, 2007 from http://www.ilexjournal.com/special_features/article.asp?theid=284&themode=2
[18] Scientific Working Group on Digital Evidence. (2007). Special Considerations When Dealing With Cellular Telephones. Retrieved September 12, 2007 from http://68.156.151.124/documents/swgde2007/SpecialConsiderationsWhenDealingwithCellularTelephones-040507.pdf
[19] Traud, A. (n.d.). 3GPP TS 27.005 / 27.007. Retrieved Sept. 10, 2007 from http://www.traud.de/gsm/index.html
[20] Willassen, S. (2003). Forensics and the GSM Mobile Telephone System. International Journal of Digital Evidence, Spring 2003, Volume 2, Issue 1. Retrieved Sept. 10, 2007 from http://www.ijde.org/docs/03_spring_art1.pdf
FORENSIC INVESTIGATION PROCESS MODEL FOR WINDOWS MOBILE DEVICES
Anup Ramabhadran
Security Group – Tata Elxsi
Abstract
Windows Mobile device forensics is a relatively new field of interest among the scientific and law enforcement communities. This paper describes the various processes involved in the forensic investigation of Windows Mobile devices in the form of a twelve-stage model. The rapid technological advancements and increasing popularity of Windows Mobile devices pose great challenges for investigators and law enforcement officials all over the world. These gadgets are compact hybrid devices integrating the capabilities of a Personal Digital Assistant (PDA), mobile phone, camera, music player, FM radio, Global Positioning System (GPS) receiver and so on. They have standard computing facilities and advanced communication features including wireless networking and Bluetooth. Technology has often proved to be a double-edged sword that breeds crime. Naturally, Windows Mobile devices are no exception and will play a major role in electronic crimes in the future. The methodology and approach are extremely critical in the forensic investigation of such crimes. The Windows Mobile forensic process model has been developed with the aim of helping forensic practitioners and organizations set up appropriate policies and procedures.
1. Introduction
Portable electronic device forensics is a relatively new and emerging field of interest within digital forensics. In the modern era, Personal Digital Assistants (PDAs) are becoming immensely popular. They are prone to involvement in electronic crimes in the future, mainly because of their compact size and integrated features. The Federal Bureau of Investigation has highlighted the issue of growing crimes involving handheld devices in its computer crime survey. The PDA family mainly includes Palm devices, Windows Mobile devices (Pocket PCs) and Linux-based devices. Among these, Windows Mobile devices are gaining more popularity of late, as they are based on the popular Microsoft Windows operating system and offer a familiar look and feel. In addition to making and receiving phone calls, they allow the user to browse the Internet, chat, send and receive text/multimedia messages, and view and edit Word, Excel and PowerPoint files.
Discrepancies between computer forensics and portable electronic device forensics exist due to various factors including:
- Wide range of hardware models and accessories.
- Variety of different embedded operating systems.
- Short product cycle with new models emerging very frequently.
- Extreme orientation towards mobility.
- File system residing in volatile memory on certain devices while in non-volatile memory on others.
- Hybrid devices with advanced networking and communication features.
- Suspending processes when off or idle, while the device remains active in the background.
2. Challenges in Windows Mobile Forensics
Windows mobile devices turn out to be quite challenging for forensic investigations, primarily because of their compact size, integrated features and the availability of a wide range of models and accessories.
• Volatile data: Unlike computers, Windows mobile devices do not have hard disks. They generally store data in volatile memory, which will be lost if there is no adequate power. Recovering volatile evidence and analyzing it can turn out to be a tedious task.
• Generic state of the device: Even if a device appears to be in the off state, it may not be entirely inactive, as background processes may be running. A sudden transition from one state to another may result in loss of data. Care should be taken to identify the current state of the device and the state in which it should be kept.
• Dynamic nature of evidence: Digital evidence may be easily altered, either knowingly or accidentally. The data residing in a Windows mobile device's memory may change dynamically even when the device is left idle. Hence extreme care should be taken in the preservation of evidence, and hashing and various cryptographic techniques should be applied whenever needed.
• Hardware and OS version differences: The forensic investigator may come across different types of hardware during an investigation. The models may differ in their size, technical specifications and features. The version of the operating system may also differ. Tools applicable to a particular version and model may not work well with another.
• Accidental reset: Resetting the device accidentally while examining it may result in the loss of data. A hard reset will wipe out everything from RAM. A soft reset reinitializes the dynamic memory, and records marked for deletion are removed. Loss of battery power causes a hard reset, and hence the battery level needs to be continuously monitored.
• External memory devices: Most Windows mobile devices support additional memory devices like MMC, SD and CF cards. It is essential to search for and seize such associated memory devices as well.
• Synchronization with other devices: Potential evidence on Windows mobile devices may include the address book, documents, text messages, voice messages, passwords, emails and appointment calendars. This information can be synchronized easily with a personal computer or laptop. Hence these should also be seized and examined.
• Device alteration: Possibilities of device alteration range from removing logos and manufacturer labels to modifying the operating system. The expertise of the suspect should be taken into account. It is possible to remap a hardware key to perform a function other than the default one. Common utilities can be replaced with malicious programs to alter the data in the device.
• Password recovery: If the device is password protected, the forensic investigator needs to gain access to the device without damaging the device or the data. The possible techniques include exploiting system vulnerabilities, authentication weaknesses and gaining access through a backdoor.
• Encryption mechanisms: Encryption and other techniques might be used to alter the data if the suspect has a certain level of computer expertise. The investigator should have the tools and expertise to overcome such circumstances.
• Communication shielding: Communication mechanisms like wireless could be on, and any further possibility of communication should be eliminated.
• Lack of availability of tools: There are only a few specialized forensic tools for Windows mobile devices. A single tool may not perform all the necessary functions, so in many cases a combination of tools needs to be used.
• Malicious programs: The device may contain malicious software like a virus or a Trojan. Such malicious programs may attempt to spread to other devices over either a wired or a wireless interface.
• Understanding circumstances: In some investigations, an incident might have occurred but the identity of the offender might be unknown, whereas in other cases the offender and the incident are both known. The forensic examiner should have adequate knowledge of the circumstances and then search for evidence accordingly.
• Legal issues: Since these devices are extremely compact, there is every possibility of them being involved in crimes which easily cross geographical boundaries. In order to tackle these multi-jurisdictional issues, the forensic investigator should be well aware of the nature of the crime and the regional laws.
3. Windows Mobile Device Architecture
The Windows mobile device platform, built on the Windows CE architecture, consists of four major layers.
• Hardware Layer: This consists of the microprocessor, RAM, ROM, digital signal processors, various input/output devices, etc.
• Original Equipment Manufacturer (OEM) Layer: This includes the boot-loader, configuration files, drivers and the OEM Adaptation Layer (OAL). The OAL allows an OEM to adapt to a specific platform and consists of functions related to system start-up, interrupt management, profiling, power management, timer and clock.
• Operating System Layer: This includes the kernel, core DLL, object store, multimedia technologies, device manager, communication services, networking and the Graphic Windowing and Events Subsystem (GWES). The GWES provides an interface between the application, the user and the operating system. The object store includes three types of persistent storage, which are the file system, the registry and property databases. The registry stores information about system configuration, applications, settings, user preferences, etc. A property database is a storehouse of data that can be searched and retrieved by associated applications.
• Application Layer: This consists of applications like Office Mobile, Outlook Mobile, Windows Media Player, Pocket Internet Explorer, Pocket MSN Messenger, Picture and Video Viewer, etc., the user interface, and various custom applications.
Figure 2: Windows Mobile Simplified Architecture (diagram not reproduced; it shows the Application Layer with User Interface, International, Custom Applications, Internet Client Services, Windows Mobile Applications and Applications and Services Development; the Operating System Layer with Core DLL, Object Store, Graphic Windowing and Event System (GWES), Multimedia Technologies, Device Manager, Communication Services and Networking and Kernel; the OEM Layer with OEM Adaptation Layer (OAL), Drivers, Boot Loader and Configuration Files; and the Hardware Layer)
The different types of memory supported by the operating system are:
• RAM: This consists of two areas, the object store, in which data is stored, and program memory, where programs execute. The object store is similar to a virtual RAM disk, and the data present in it is retained even when the system is suspended. The partition line between the object store and program memory can be changed.
• Expansion RAM: This is supported to provide additional storage for users. It is mapped into virtual memory and appears identical to the system RAM in the operating system's virtual memory map.
• ROM: This holds the operating system, applications, data files and support for uncompressed executables and DLL files. Uncompressed programs are executed in place, whereas a compressed module is decompressed and loaded into RAM. When a program is executed directly from ROM, the time required to start the application is shorter, as it need not be loaded into RAM.
• Persistent Storage: The persistent storage options are mainly removable memory cards like Compact Flash (CF), Secure Digital (SD) and MultiMedia Cards (MMC). Data stored on such removable cards is mapped into the system RAM when required.
4. Hardware Characteristics
Having been designed for mobility, Windows mobile devices are very compact in size, battery powered and lightweight. There are many hardware manufacturers making devices using the Windows mobile platform. All of them have a basic set of comparable features and capabilities. Physical characteristics like size, shape, weight, etc. and technical specifications like processor speed, memory capacity, expansion capabilities, etc. may vary for each model. The Windows mobile platform gives the hardware manufacturer, system integrator or developer the flexibility to incorporate their choice of services in their device version. A Windows mobile device in general consists of RAM, ROM, a microprocessor, a touch screen liquid crystal display, communication modules like GSM/GPRS, WLAN, Bluetooth and IrDA, slots for external memory cards and peripherals, optional modules like FM radio, GPS, etc., a digital signal processor, camera, speaker, microphone and a few hardware keys and interfaces. Figure 2 shows the generic hardware diagram of a modern Windows mobile device.
Figure 3: Windows Mobile Device Generic Hardware Diagram (diagram not reproduced; components shown: ROM, RAM, Power Manager, Memory Controller, Infrared, LCD Controller, Touch Screen, FM Radio, Codec (Audio), Processor, Camera, Bluetooth Core, Wireless, SD-MMC, GPS, Compact Flash, USB, UART, Power, Cradle Connector)
5. Generic States
Unlike most digital devices, which can be either in the on state or the off state, Windows mobile devices, or rather PDAs in general, can be in any one of a variety of states at a given point in time.
• Nascent State: The device contains no user data and observes factory configuration settings. Usually the device must be charged for a minimum amount of time before entering this state. Any user action will result in a transition from this state. This state can be achieved at any time by doing a hard reset of the device or by allowing the battery to discharge totally.
• Active State: The device attains this state whenever it is powered on, the user is performing some tasks and the file system contains data. This state can be achieved by doing a soft reset, which clears the working memory.
• Quiescent State: This appears to be an inactive mode, though background functions are being performed and all user data are being maintained while conserving battery life. This state is attained when the power button is pressed while in the active or semi-active state. A transition to this state also occurs when the inactivity timer expires while in the semi-active state. Generally the device is said to be ‘off’ if it is in the quiescent state and ‘on’ if it is in any other state.
• Semi-Active State: The device in this state is in between the active and quiescent states, attained when a timer is triggered after a period of inactivity. This conserves battery life by reducing the backlight and other similar functions. Performing a soft reset, pressing any button or tapping the screen causes a transition to this state.
Figure 4: Generic States of a Windows Mobile Device (state diagram not reproduced; states: Nascent, Active, Semi-Active, Quiescent; transitions labelled Power On, User Action, Hard Reset, Soft Reset, Soft Reset/Screen Tap, Timer, Power Off)
6. Windows Mobile Forensic Process Model
There are many digital forensic models proposed in different parts of the world. However, no conclusion has been reached as to which is the most appropriate one. Each framework may work well with a particular type of investigation. None of these models focuses on the specific information flow associated with the forensic investigation of Windows mobile devices. The Windows mobile device forensic process model has been developed to help forensic practitioners and law enforcement officials in the investigation of crimes involving such devices. The standard practices and techniques of the physical and digital investigation worlds are incorporated wherever appropriate. This model attempts to overcome the major shortcomings of the existing digital forensic models discussed in the earlier chapter and emphasises a systematic and methodical approach to digital forensic investigation. The proposed model consists of twelve stages, which are explained in the subsequent sections.
• Preparation
• Securing the Scene
• Survey and Recognition
• Documenting the Scene
• Communication Shielding
• Volatile Evidence Collection
• Non-Volatile Evidence Collection
• Preservation
• Examination
• Analysis
• Presentation
• Review
Figure 5: Phases of the Windows Mobile Device Forensic Model
6.1. Phase One – Preparation
The preparation phase occurs prior to the actual investigation. It involves getting an initial understanding of the nature of the crime and activities like preparing the tools required for standard portable electronic device investigations, building an appropriate team, assigning roles to each member (case supervisor, crime scene sketch preparer, evidence recorder and so on), accumulating materials for packing evidence sources, etc. It is very important to obtain the best possible assessment of the circumstances relating to the crime prior to proceeding to the crime scene. Knowledge of various mobile devices, accessories, features, specific issues, etc. will be beneficial. A critical issue in investigations involving Windows mobile devices is that the power may run out before evidence collection is over, so it is essential to prepare a toolkit consisting of standard power supplies, cables and cradles. The investigation should follow the various legal constraints and jurisdictional as well as organizational restrictions. This stage also involves obtaining search warrants, support from management, required authorizations, etc. before proceeding to the crime scene. The privacy rights of suspects should be taken into account. Legal notice must be provided to all concerned parties, notifying them of the forensic investigation. An appropriate strategy for the investigation should be developed, taking into account the nature of the incident and various technical, legal and business factors. The training, education and experience of the investigators contribute in this phase. A thorough preparation phase increases the quality of evidence and minimizes the risks and threats associated with an investigation.
6.2. Phase Two – Securing the Scene
This stage primarily deals with securing the crime scene from unauthorized access and preserving the evidence from contamination. There should be a formal protocol for handing over a crime scene in order to ensure that the chain of custody is properly followed. It will be difficult to judge how much of what is at the crime scene is actually evidence. The investigators should identify the scope of the crime and establish a perimeter. Ensuring the safety of all people at the scene and protecting the integrity of all evidence should also be the targets at this stage. The investigators should have absolute control of the scene, and interference from unwanted people should be avoided. As the number of people at the crime scene increases, the possibilities for the contamination and destruction of evidence also increase. However, no attempt should be made to determine what is present in the device and external storage media at this stage. The devices must be left in their existing state until a proper assessment is made. If the device is on, it is better to leave it on. Similarly, if the device is off, never turn it on. Nobody should be allowed to touch any electronic device at the scene. Top priority should be given at this stage to minimising the corruption of evidence. Any item that could be evidence should not be tampered with. This phase plays a major role in the overall investigative process, as it determines the quality of evidence.
6.3. Phase Three – Survey and Recognition
This stage involves an initial survey conducted by the investigators for evaluating the scene, identifying potential sources of evidence and formulating an appropriate search plan. In a complex environment, this may not be straightforward. In the case of Windows mobile devices, the major sources of evidence other than the device itself are the power adaptor, cradle, external memory cards, cables and other accessories. Since the information present in these devices can be easily synchronized with computers, any personal computer or laptop at the crime scene may also contain evidence. The electronic equipment at the scene should be evaluated to determine whether any expert assistance is required in processing the scene. Identifying people at the scene and conducting preliminary interviews are extremely important. The owners or users of the electronic devices or system administrators can provide valuable information like the purpose of the system, security schemes, the various applications present in the devices, user names, passwords, encryption details, etc. Without violating jurisdictional laws and corporate policies, the investigators must try to obtain the maximum information from the various people present at the scene. If it becomes necessary to search for items that are not included in the search warrant, appropriate amendments must be made to the existing warrant or a new warrant must be obtained which includes the additional items. An initial plan for collecting and analysing evidence must be developed at the end of the survey and recognition phase.
6.4. Phase Four – Documenting the Scene
This stage involves proper documentation of the crime scene, along with photographing, sketching and crime-scene mapping. All the electronic devices at the scene must be photographed along with the power adaptors, cables, cradles and other accessories. If the mobile device is in the on state, what is showing on the screen should also be documented. A record of all visible data must be created, which helps in recreating the scene and reviewing it at any time. This is particularly important when the forensic specialist has to testify in court, which could be several months after the investigation. The circumstances surrounding the incident, including who reported the incident initially and at what date and time, should be included. It is necessary to keep a log of those who were present at the scene, those who arrived, those who left, etc., along with a summary of their activities while they were at the scene. It is necessary to classify the people into separate groups like victims, suspects, bystanders, witnesses, other assisting personnel, etc. and record their location at the time of entry. Documentation is a continuous activity, required in all the stages, and is quite critical for maintaining a proper chain of custody.
6.5. Phase Five – Communication Shielding
This step occurs prior to evidence collection. At this stage, all further possible communication options of the devices should be blocked. Even if the device appears to be in the off state, communication features like wireless or Bluetooth may be enabled. This may result in overwriting the existing information, and hence such possibilities should be avoided. In other situations, where the device is in the cradle connected to a computer, synchronization mechanisms using ActiveSync might be enabled. This may also lead to the corruption of evidence. The best option after seizing a device is to isolate it by disabling all its communication capabilities. If the device is in the cradle, remove any USB or serial cable which connects it to a computer.
6.6. Phase Six – Volatile Evidence Collection
The majority of the evidence involving mobile devices will be of a volatile nature, being present in ROM. Collecting volatile evidence presents a problem, as the device state and memory contents may change. The decision whether to collect evidence at the crime scene or later at a secured forensic workshop depends on the nature of the particular situation, including the current power state. If the device is running out of battery power, the entire information will be lost soon. In that case, adequate power needs to be maintained, if possible, by using the power adaptor or replacing batteries. If maintaining the battery power seems doubtful, the contents of the memory should be imaged using appropriate tools as quickly as possible. Paraben PDA Seizure is a major commercial forensic tool which can be used for memory acquisition, in addition to several open source tools. A combination of tools must be used to obtain better results. If possible, an adequate power supply must be maintained by recharging the device or replacing the battery, whichever is appropriate. If it is not possible to provide sufficient power, the device must be switched off to preserve battery life and the contents of the memory. The presence of any malicious software installed by the user should also be checked at this stage.
6.7. Phase Seven – Non-volatile Evidence Collection
This phase involves collecting evidence from the external storage media supported by these devices, like MMC cards, compact flash (CF) cards, memory sticks, secure digital (SD) cards, USB memory sticks, etc. Evidence from computers which are synchronized with these devices must be collected. If the device has integrated phone features, the acquisition of SIM card information takes place at this stage. Appropriate forensic tools must be used for collecting evidence to ensure its admissibility in a court of law. The integrity and authenticity of the evidence collected should be ensured through mechanisms like hashing, write protection, etc. All power cables, adaptors, cradles and other accessories should also be collected. Care should also be taken to look for evidence of a non-electronic nature, like written passwords, hardware and software manuals and related documents, computer printouts, etc.
6.8. Phase Eight – Preservation
This phase includes packaging, transportation and storage. Appropriate procedures should be followed and documented to ensure that the electronic evidence collected is not altered or destroyed. All potential sources of evidence should be identified and labelled properly before packing. Use of ordinary plastic bags may cause static electricity; hence anti-static packaging of evidence is essential. The device and accessories should be put in an envelope and sealed before being placed in the evidence bag. The evidence bag must be kept in a radio frequency isolation container to avoid further communication with any other device. All the containers holding these evidence bags must also be properly labelled. Adequate precautions are necessary, as the sources of evidence could easily be damaged during transportation by shock, excessive pressure, humidity or temperature. Afterwards the device can be moved to a secure location where a proper chain of custody can be maintained and the examination and processing of evidence can be started. The evidence should be stored in a secure area and should be protected from electromagnetic radiation, dust, heat and moisture. Unauthorized people should not have access to the storage area. The National Institute of Standards and Technology guideline highlights the need for proper transportation and storage procedures for maintaining a proper chain of custody.
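The hashing named in the non-volatile collection phase and the chain-of-custody record kept through preservation can be combined into one log that re-hashes the acquired image at every hand-over. The following is an added example, not code from the paper or from any tool it names; the item identifier, examiner names and the sample image bytes are constructed assumptions.

```python
"""Evidence integrity and chain-of-custody logging for an acquired
memory image (added example, not code from the paper)."""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample "image": stands in for the bytes an acquisition
# tool would write after imaging a device's memory.
SAMPLE_IMAGE = b"WMOBILE-OBJECTSTORE\x00" + bytes(range(256)) * 4


def hash_image(data: bytes) -> Dict[str, str]:
    """Return hex digests of the image.

    The paper names MD5. MD5 is no longer collision-resistant, so a
    SHA-256 digest is recorded alongside it; both must match at every
    later verification.
    """
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


@dataclass
class CustodyEntry:
    action: str                # "acquired", "check-out" or "check-in"
    examiner: str
    timestamp: str             # ISO-8601, UTC
    digests: Dict[str, str]    # digests of the image at this hand-over
    verified: Optional[bool]   # None for the acquisition record itself
    note: str = ""


@dataclass
class CustodyLog:
    """Records every hand-over of one evidence item and re-hashes the
    image at each step, so an alteration after seizure is both caught
    and attributable to a specific custody interval."""
    item_id: str
    acquisition_digests: Dict[str, str]
    entries: List[CustodyEntry] = field(default_factory=list)

    @classmethod
    def acquire(cls, item_id: str, examiner: str, data: bytes,
                note: str = "") -> "CustodyLog":
        digests = hash_image(data)
        log = cls(item_id, digests)
        log._record("acquired", examiner, digests, None, note)
        return log

    def _record(self, action, examiner, digests, verified, note=""):
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.entries.append(
            CustodyEntry(action, examiner, stamp, digests, verified, note))

    def _verify(self, data: bytes) -> bool:
        current = hash_image(data)
        return all(current[k] == v
                   for k, v in self.acquisition_digests.items())

    def check_out(self, examiner: str, data: bytes, note: str = "") -> bool:
        ok = self._verify(data)
        self._record("check-out", examiner, hash_image(data), ok, note)
        return ok

    def check_in(self, examiner: str, data: bytes, note: str = "") -> bool:
        ok = self._verify(data)
        self._record("check-in", examiner, hash_image(data), ok, note)
        return ok

    def integrity_breaks(self) -> List[CustodyEntry]:
        """Hand-overs at which the image no longer matched acquisition."""
        return [e for e in self.entries if e.verified is False]


def main() -> None:
    log = CustodyLog.acquire("WM-001", "A. Examiner", SAMPLE_IMAGE,
                             "on-scene acquisition")
    log.check_out("B. Examiner", SAMPLE_IMAGE, "keyword search")
    # Simulate an accidental write to the working copy before check-in.
    tampered = bytearray(SAMPLE_IMAGE)
    tampered[40] ^= 0x01
    log.check_in("B. Examiner", bytes(tampered), "returned from examination")
    for e in log.entries:
        print(f"{e.timestamp} {e.action:<10} {e.examiner:<12} "
              f"verified={e.verified}")
    print("integrity breaks:", len(log.integrity_breaks()))


if __name__ == "__main__":
    main()
```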
6.9. Phase Nine – Examination
This phase involves examining the contents of the collected evidence by forensic specialists and extracting the information which is critical for proving the case. An appropriate number of evidence back-ups must be created before proceeding to examination. This phase aims at making the evidence visible, while explaining its originality and significance. The huge volumes of data collected during the volatile and non-volatile collection phases need to be converted into a manageable size and form for further analysis. Data filtering, validation, pattern matching, searching for particular keywords with regard to the nature of the crime or suspicious incident, recovering relevant ASCII as well as non-ASCII data, etc. are some of the major steps performed during this phase. Personal organizer data like the address book, appointments, calendar, scheduler, etc., text messages, voice messages, documents and emails are some of the common sources of evidence which are to be examined in detail. Finding evidence of system tampering, data hiding or deleting utilities, unauthorized system modifications, etc. should also be performed. Detecting and recovering hidden or obscured information is a major tedious task involved. Data should be searched thoroughly for recovering passwords, finding unusual hidden files or directories, file extension and signature mismatches, etc. The capabilities of the forensic tools used by the examiner play an important part in the examination phase. When the evidence is checked out for examination and checked in again, the date, time, name of the investigator and other details must be documented. It is required to prove that the evidence has not been altered after coming into the possession of the forensic specialist, and hence hashing techniques like MD5 must be used for the mathematical authentication of data.
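The file extension and signature mismatch check mentioned above can be run over every file extracted from the image. The scanner below is an added example, not code from the paper; the magic-number table covers the Office, picture and video types the paper lists as common evidence, and the sample file names and header bytes are constructed assumptions.

```python
"""Detect file extension / signature mismatches in extracted files
(added example, not code from the paper)."""
from typing import Dict, List, NamedTuple, Optional, Set, Tuple

# Leading-byte signatures. Legacy Office (.doc/.xls/.ppt) files are OLE
# compound documents; Office 2007+ (.docx/.xlsx/.pptx) are ZIP containers.
MAGIC: List[Tuple[bytes, str]] = [
    (b"\xFF\xD8\xFF", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),
    (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", "ole"),
    (b"RIFF", "riff"),  # AVI / WAV container
]

# Content types each extension legitimately carries.
EXPECTED: Dict[str, Set[str]] = {
    "jpg": {"jpeg"}, "jpeg": {"jpeg"}, "png": {"png"}, "gif": {"gif"},
    "pdf": {"pdf"},
    "doc": {"ole"}, "xls": {"ole"}, "ppt": {"ole"},
    "docx": {"zip"}, "xlsx": {"zip"}, "pptx": {"zip"}, "zip": {"zip"},
    "avi": {"riff"}, "wav": {"riff"},
}


class Finding(NamedTuple):
    name: str
    extension: str
    detected: Optional[str]
    issue: str  # "ok", "mismatch", "unknown-signature", "unknown-extension"


def detect_type(head: bytes) -> Optional[str]:
    """Return the content type implied by the leading bytes, or None."""
    for magic, kind in MAGIC:
        if head.startswith(magic):
            return kind
    return None


def classify(name: str, head: bytes) -> Finding:
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    kind = detect_type(head)
    if ext not in EXPECTED:
        issue = "unknown-extension"   # not in the table: examine by hand
    elif kind is None:
        issue = "unknown-signature"   # claimed type, unrecognised content
    elif kind in EXPECTED[ext]:
        issue = "ok"
    else:
        issue = "mismatch"            # content is a different known type
    return Finding(name, ext, kind, issue)


def scan(files: Dict[str, bytes]) -> List[Finding]:
    """Classify every name -> leading-bytes pair. Callers normally pass
    the first 16 bytes of each file read from the acquired image."""
    return [classify(n, b[:16]) for n, b in files.items()]


def suspicious(findings: List[Finding]) -> List[Finding]:
    return [f for f in findings if f.issue != "ok"]


# Constructed sample set, headers only. "report.doc" is really a JPEG and
# "holiday.jpg" is really a ZIP container: disguised files of the kind
# the examination phase should surface.
SAMPLE_FILES: Dict[str, bytes] = {
    "budget.xlsx": b"PK\x03\x04\x14\x00\x06\x00",
    "memo.doc": b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1\x00\x00",
    "report.doc": b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00",
    "holiday.jpg": b"PK\x03\x04\x0a\x00\x00\x00",
    "notes.txt": b"meeting at 9\n",
    "scan.pdf": b"\x00\x00\x00\x00\x00\x00",
}

if __name__ == "__main__":
    for f in suspicious(scan(SAMPLE_FILES)):
        print(f"{f.name:<14} ext={f.extension:<5} "
              f"detected={f.detected} -> {f.issue}")
```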
6.10. Phase Ten – Analysis
This step is more of a technical review conducted by the investigative team on the basis
of the results of the examination of the evidence. Identifying relationships between
fragments of data, analyzing hidden data, determining the significance of the information
obtained from the examination phase, reconstructing the event data, based on the
extracted data and arriving at proper conclusions etc. are some of the activities to be
performed at this stage. The National Institute of Justice (2004) guidelines recommend
timeframe analysis, hidden data analysis, application analysis and file analysis of the
extracted data. Results of the analysis phase may indicate the need for additional steps in
the extraction and analysis processes. It must be determined whether the chain of
evidence and timeline of the events are consistent. Using a combination of tools for
analysis will yield better results. The results of analysis should be completely and
accurately documented.
6.11. Phase Eleven – Presentation
After extracting and analyzing the evidence collected, the results may need to be presented before a wide variety of audiences, including law enforcement officials, technical experts, legal experts, corporate management, etc. Depending on the nature of the incident or crime, the findings must be presented in a court of law, if it is a police investigation, or before the appropriate corporate management, if it is an internal company investigation. As a result of this phase, it should be possible to confirm or discard the allegations regarding the particular crime or suspicious incident. The individual results of each of the previous phases may not be sufficient to arrive at a proper conclusion about the crime. The results of examination and analysis must be reviewed in their entirety to get a complete picture. A report consisting of a detailed summary of the various steps in the process of investigation and the conclusions reached must be provided. In many cases, the forensic specialist may have to give expert testimony in court. The complex terms involved in the various stages of the investigation process need to be explained in layman’s terminology. The expertise and knowledge of the forensic examiner, the methodology adopted, the tools and techniques used, etc. are all likely to be challenged before a jury. Along with the report, supporting materials like copies of digital evidence, the chain of custody document, printouts of various items of evidence, etc. should also be submitted.
6.12. Phase Twelve – Review
The final stage in the model is the review phase. This involves reviewing all the steps in the investigation and identifying areas of improvement. As part of the review phase, the results and their subsequent interpretation can be used for further refining the gathering, examination and analysis of evidence in future investigations. In many cases, many iterations of the examination and analysis phases are required to get the total picture of an incident or crime. This information will also help to put better policies and procedures in place in future.
7. Comparison with Existing Models
Table 1 below gives a comparison of the activities in the proposed model with those in the major existing models described in the previous chapter. Some of the relevant activities in other models are incorporated in the proposed model. However, there are many activities, like communication shielding and volatile evidence collection, which are unique to this model, as is clear from the table.
Table 1: Comparison of Activities in the Major Forensic Models (the tick-mark cells did not survive extraction; the columns are the Windows Mobile Forensic Process Model, the NIJ Law Enforcement Model, the DFRWS Model, the Abstract Digital Forensic Model and the IDIP Model, and the rows are the twelve activities Preparation, Securing the scene, Survey and Recognition, Documenting the scene, Communication Shielding, Volatile Evidence Collection, Non-volatile Evidence Collection, Preservation, Examination, Analysis, Presentation and Review)
There may not always be a one-to-one mapping between the activities in the proposed
model and other previous models. In some cases, though the process is similar, the terms
used in other existing forensic models may differ. Table 2 gives a comparison of
terminology used for different processes in the proposed model and various other models
discussed in the previous chapter.
Table 2: Mapping of Major Forensic Models to the Proposed Model (the cell layout did not survive extraction; the columns are the Windows Mobile Forensic Process Model, the NIJ Law Enforcement Model, the DFRWS Model, the Abstract Digital Forensic Model and the IDIP Model, the rows are the twelve phases of the proposed model, and the terms the other models use for those phases include Preparation, Readiness, Preservation, Identification, Survey, Documentation, Collection, Search and Collection, Reconstruction, Examination, Analysis, Reporting, Presentation and Review)
8. Advantages of the Model
There are numerous benefits of the proposed model. This model can be used as a standard for the forensic investigation of any Windows mobile device. When compared to the existing digital process models, which try to capture as much as possible of the investigative process, the proposed model restricts itself to a subset of portable electronic device forensics, thereby offering further benefits. It separates the primary investigation of crimes involving Windows mobile devices from those involving computers. In addition to standardizing the forensic investigation of Windows mobile devices, it allows organizations to set up appropriate policies and procedures for when crimes involving such devices occur.
The model is applicable to corporate and law enforcement investigations and incident response activities alike. The proven practices in the field of physical investigation are incorporated. An attempt is made to capture the entire scope of an investigation, rather than only evidence processing. The major tasks associated with an investigation, including preservation, identification, collection and analysis of evidence, are described, and proper information flow among the various phases has been ensured. A proper chain of evidence custody has been maintained, which makes it a good model for law enforcement. At the same time, care has been taken to take into account the various technical issues associated with investigations involving Windows mobile devices, which is required of a digital investigation process model. Thereby this model bridges the gap between a law enforcement model and a digital investigation model to a certain extent.
9. Conclusion and Future Work
A new forensic process model has been proposed, focusing exclusively on the issues surrounding Windows mobile device forensic investigation and standardizing the approach. This model is an initial step towards bridging the gap between law enforcement models and digital investigation models. The proposed set of activities in the model is not complete, and there is considerable scope for work in the future. Though the model works as a standard for the Windows mobile family, additional procedures are needed to standardize it for the entire PDA family, which also includes Palm and Linux devices. But for such a generic model, when it comes to the volatile evidence collection phase, the procedures for memory acquisition will differ depending on the operating system. Additional work must be done to make sure that the model can be applied to other families of digital electronic devices, including portable music players, digital cameras, mobile phones, removable data storage devices and so on. However, the addition of new procedures may make this model clumsy.
The model needs to be tested for its practicality. There is no simple method for testing the model. The application of the model in different contexts should be studied to verify that it is a general reference framework. The model needs to be comprehensively evaluated by forensic specialists and law enforcement officials in different parts of the world for further refinement of the processes. The technology associated with handheld devices is changing dramatically day by day. This model is constrained by the current range of products. As more and more features are incorporated into these devices in future, the challenges for forensic investigators will also increase. Hence the model needs to be consistently reviewed, and additional procedures need to be added as and when required.
Mobile Forensics
Searching, Bookmarking and
Creating a Report
SORTING
Sort Data in DS
• After acquisition, DS allows you to Sort Data
• This organizes data by file types
• All graphic files are also collected so that images
can all be viewed in one place
– File signature is checked for images, but also file
content itself is checked
– This advanced carving can parse out images from
areas of the phone that contain MMS and other types
of data
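As an added illustration of the signature-based sorting and image carving described above (example code written for this page, not Paraben's or Device Seizure's own implementation), the following Python classifies files by their leading magic bytes rather than by extension, and carves JPEG and PNG images out of a raw blob such as an MMS store by locating header and trailer markers. The signature table, the sample files and the blob are all constructed for the example.

```python
from typing import Dict, List, Tuple

# Magic-byte signatures for the image types a sorter groups under "Graphics".
# Constructed table for this example; a real sorter carries a much longer list.
SIGNATURES: List[Tuple[str, bytes]] = [
    ("JPEG", b"\xff\xd8\xff"),
    ("PNG", b"\x89PNG\r\n\x1a\n"),
    ("GIF", b"GIF87a"),
    ("GIF", b"GIF89a"),
]

JPEG_TRAILER = b"\xff\xd9"   # JPEG End Of Image marker
PNG_TRAILER = b"IEND"        # last PNG chunk type; its 4-byte CRC follows


def classify_by_signature(data: bytes) -> str:
    """Name the file type by its leading bytes, ignoring whatever extension it carries."""
    for name, magic in SIGNATURES:
        if data.startswith(magic):
            return name
    return "Unknown"


def sort_files(files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Group case files by what their content says they are (the 'Sort Data' step)."""
    buckets: Dict[str, List[str]] = {}
    for name, data in files.items():
        buckets.setdefault(classify_by_signature(data), []).append(name)
    return buckets


def carve_images(blob: bytes) -> List[Tuple[str, int, bytes]]:
    """Carve embedded JPEG/PNG images from a raw blob by header and trailer.

    Returns (type, offset, image_bytes) for each complete image, in blob order.
    A header whose trailer never appears is skipped as truncated and scanning continues."""
    found: List[Tuple[str, int, bytes]] = []
    i = 0
    while i < len(blob):
        if blob.startswith(b"\xff\xd8\xff", i):
            end = blob.find(JPEG_TRAILER, i + 3)
            if end == -1:
                i += 3                      # truncated JPEG: skip its header
                continue
            end += len(JPEG_TRAILER)
            found.append(("JPEG", i, blob[i:end]))
            i = end
        elif blob.startswith(b"\x89PNG\r\n\x1a\n", i):
            end = blob.find(PNG_TRAILER, i + 8)
            if end == -1:
                i += 8                      # truncated PNG: skip its signature
                continue
            end += len(PNG_TRAILER) + 4     # chunk type + CRC closes the file
            found.append(("PNG", i, blob[i:end]))
            i = end
        else:
            i += 1
    return found


# Constructed sample data: minimal JPEG and PNG shells, a fake MMS store and a case listing.
JPEG_SAMPLE = b"\xff\xd8\xff\xe0" + b"\x00" * 8 + JPEG_TRAILER
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x00" + PNG_TRAILER + b"\xaeB`\x82"
MMS_STORE = b"MMS-HEADER" + JPEG_SAMPLE + b"filler" + PNG_SAMPLE + b"tail"
CASE_FILES = {
    "photo.jpg": JPEG_SAMPLE,
    "notes.txt": PNG_SAMPLE,        # a PNG renamed to look like text; the signature still tells
    "readme.txt": b"plain text",
}

if __name__ == "__main__":
    print(sort_files(CASE_FILES))
    for kind, offset, data in carve_images(MMS_STORE):
        print(kind, "at offset", offset, "size", len(data))
```

The point of checking content rather than names is visible in `notes.txt`: the sorter files it under PNG, which is why the Sorted Files view can surface images that a name-based listing would miss.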
Sort Data
• Choose the Sort Data button and wait for
sorting process to complete
– This can also be done during acquisition if
checkbox is checked)
Sort Data
• Data is sorted by file type:
– Unknown
– Compressed
– Databases
– Documents
– Email
– Executable
– Graphics
– Multimedia
– Spreadsheets
– Text
– XML
– Chats
Sorted Images
Image EXIF Data
• From the Sorted Files
view in DS, you can
view EXIF information
from image files,
which may contain
important evidence
Sorted Files vs. Case
• The Sorted Files view can give you a head
start on finding evidence and help you
determine which areas may require further
investigation
• You should also view the Case files (unsorted)
to make sure that no evidence exists that
escaped sorting
Sorted Files vs. Case
SEARCHING
Searching
• Click the Search button on the Ribbon
Searching
• Four ways to search:
– Text
– Hex
– File Mask
– MD5 (file duplicates)
Search Results
• Search results will appear to the right of the screen
• Double-click a result to view it
Searching Options
• Search Files – searches the case for file names
– File Mask (e.g., “*.doc” returns all Word documents)
• Search Text – keyword search of case content
– Match whole word – searches for the complete word only (no partial-word matches)
– Match case – searches for the exact combination of upper/lower case
– Can limit Text Search to only certain files (e.g., to save time)
– Can also specify different information standards or languages
• Search History is saved by default, unless “Save history” is unchecked
Searching Options (continued)
• Search Hexadecimal (base 16)
– Used if a specific hex value is known
– Will be faster than a text search
– Used to find a duplicate copy of a file
– Used to find known file types (e.g., system files with known Hash/Hex values)
– Hash values are comprised of hexadecimal characters
• MD5 – 32 hexadecimal characters or 128 bits
• SHA-1 – 40 hexadecimal characters or 160 bits
– Used to find contraband files (e.g., child pornography images)
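The hex and hash searches on this slide, as an added Python example written for this page (not Device Seizure's own code): MD5 and SHA-1 digests of the lengths the slide gives, duplicate detection by matching digests, a lookup against a known-hash set, and a raw hex-pattern search that returns byte offsets. The case files and the known-hash set are constructed for the example.

```python
import hashlib
from typing import Dict, List


def file_hashes(data: bytes) -> Dict[str, str]:
    """MD5 (32 hex characters, 128 bits) and SHA-1 (40 hex characters, 160 bits) of a file."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def find_duplicates(files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Group file names whose MD5 digests match, i.e. byte-identical copies under different names."""
    groups: Dict[str, List[str]] = {}
    for name, data in files.items():
        groups.setdefault(hashlib.md5(data).hexdigest(), []).append(name)
    return {digest: names for digest, names in groups.items() if len(names) > 1}


def match_known_set(files: Dict[str, bytes], known: Dict[str, str]) -> Dict[str, str]:
    """Flag case files whose SHA-1 is in a known-hash set (file name -> label from the set).

    The same lookup serves an exclusion set (stock system files an examiner can skip)
    and an alert set (files an examiner must be told about); only the label differs."""
    hits: Dict[str, str] = {}
    for name, data in files.items():
        digest = hashlib.sha1(data).hexdigest()
        if digest in known:
            hits[name] = known[digest]
    return hits


def hex_search(blob: bytes, hex_value: str) -> List[int]:
    """Offsets at which a hexadecimal byte pattern occurs, e.g. 'FF D8 FF' for a JPEG header."""
    pattern = bytes.fromhex(hex_value.replace(" ", ""))
    offsets: List[int] = []
    start = 0
    while True:
        idx = blob.find(pattern, start)
        if idx == -1:
            return offsets
        offsets.append(idx)
        start = idx + 1


# Constructed sample case: the same image under two names, a text note, and one file
# whose digest is pre-seeded into a (constructed) known-system-file hash set.
IMAGE_BYTES = b"\xff\xd8\xff\xe0" + b"\x11" * 16 + b"\xff\xd9"
SYSTEM_BYTES = b"\x7fELF constructed stock binary"
CASE_FILES = {
    "DCIM/img001.jpg": IMAGE_BYTES,
    "mms/attach_7.bin": IMAGE_BYTES,
    "notes.txt": b"meet at the usual place",
    "system/bin/stock": SYSTEM_BYTES,
}
KNOWN_SYSTEM_FILES = {
    hashlib.sha1(SYSTEM_BYTES).hexdigest(): "constructed hash set: stock firmware file",
}

if __name__ == "__main__":
    print(file_hashes(IMAGE_BYTES))
    print(find_duplicates(CASE_FILES))
    print(match_known_set(CASE_FILES, KNOWN_SYSTEM_FILES))
    print(hex_search(IMAGE_BYTES, "FF D8 FF"))
```

A hash match is exact: the MMS attachment is reported as a duplicate of the camera image only because every byte is identical, so a re-encoded or cropped copy would need a content search, not a hash search.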
Searching Tips
• Browsing for all of one file type can be very time
consuming – better to use “Sorter” function
• Searching for “wifi” will locate all Wi-Fi
connections setup on a device
• Searching for “sms” will locate the SMS/text
database
• Searching for a specific application name will let
you know if a particular app is installed on a
device
What is Boolean Searching?
• Algebra theory created by George Boole in
the 1800’s
• Used today to narrow search results with
keyword searching
Boolean Operators
• Boolean Operators
– AND
• Used to find combinations of words
– OR
• Broadens the search to allow for multiple words
– NOT
• Finds items with the first search term but not the second
– NEAR
• A more specific search; requires the second word to be within a set number of
words of the first; you assign the proximity (e.g., get NEAR/3 high)
Searching Options
• Use quotation marks to search for words in a
phrase
– “get high”
• Parentheses tells DS to search for items
within the parentheses first
– Must be used when searching phrases using the
OR operator
• “get high” AND (crack OR blow)
Boolean Searches
• Boolean (AND, OR, NEAR, NOT) will help target more
accurate results and reduce “false positives”
• Examples
– searching for a telephone number AND a keyword will
locate any SMS to/from that number that contains the
keyword
– Searching for a keyword and “@” will locate emails that
contain the keyword
– Searching for keyword and “{YEAR}” will find
appointments, etc. associated with that year (be careful of
formatting: March vs. 03)
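The Boolean operators, quoted phrases, parentheses and proximity search from the last three slides, as an added Python example written for this page (not Device Seizure's own search engine): each clause is a small matcher, AND/OR/NOT combine them, NEAR checks word distance, and the slides' own worked queries are run over a constructed set of SMS, e-mail and calendar records.

```python
import re
from typing import Callable, Dict, List

Matcher = Callable[[str], bool]   # a compiled search clause: text -> does it match?


def term(word: str, match_case: bool = False, whole_word: bool = False) -> Matcher:
    """Keyword or quoted-phrase clause, with the 'Match case' and 'Match whole word' options."""
    pattern = re.escape(word)
    if whole_word:
        pattern = r"\b" + pattern + r"\b"
    regex = re.compile(pattern, 0 if match_case else re.IGNORECASE)
    return lambda text: regex.search(text) is not None


def AND(*clauses: Matcher) -> Matcher:
    """Every clause must match (narrows the result set)."""
    return lambda text: all(c(text) for c in clauses)


def OR(*clauses: Matcher) -> Matcher:
    """Any clause may match (broadens the result set)."""
    return lambda text: any(c(text) for c in clauses)


def NOT(clause: Matcher) -> Matcher:
    """Excludes anything the clause matches."""
    return lambda text: not clause(text)


def NEAR(first: str, second: str, distance: int) -> Matcher:
    """first NEAR/distance second: both words present, at most `distance` words apart."""
    def check(text: str) -> bool:
        words = re.findall(r"\w+", text.lower())
        pos_a = [i for i, w in enumerate(words) if w == first.lower()]
        pos_b = [i for i, w in enumerate(words) if w == second.lower()]
        return any(abs(a - b) <= distance for a in pos_a for b in pos_b)
    return check


def search(records: List[Dict[str, str]], query: Matcher) -> List[int]:
    """Indices of case records whose searchable fields (sender + body) satisfy the query."""
    return [i for i, r in enumerate(records) if query(r["from"] + " " + r["text"])]


# Constructed case records standing in for parsed SMS, e-mail and calendar entries.
CASE_RECORDS = [
    {"type": "sms", "from": "5551234567", "text": "can you get me high tonight"},
    {"type": "sms", "from": "5559876543", "text": "did you get the high score"},
    {"type": "sms", "from": "5551234567", "text": "bring the crack and we get high"},
    {"type": "email", "from": "bob@example.com", "text": "meeting moved to 2021"},
    {"type": "calendar", "from": "", "text": "dentist March 2021"},
]

# The slides' worked queries, expressed as matchers.
PHRASE = term("get high")                                      # "get high"
PROXIMITY = NEAR("get", "high", 3)                             # get NEAR/3 high
PHRASE_WITH_ALTERNATIVES = AND(PHRASE, OR(term("crack"), term("blow")))  # "get high" AND (crack OR blow)
NUMBER_AND_KEYWORD = AND(term("5551234567"), term("high"))     # telephone number AND keyword
KEYWORD_IN_EMAIL = AND(term("meeting"), term("@"))             # keyword AND "@"
YEAR_NOT_EMAIL = AND(term("2021"), NOT(term("@")))             # keyword AND {YEAR}, e-mails excluded

if __name__ == "__main__":
    for label, query in [("phrase", PHRASE), ("near", PROXIMITY),
                         ("phrase+alternatives", PHRASE_WITH_ALTERNATIVES),
                         ("number+keyword", NUMBER_AND_KEYWORD),
                         ("keyword in email", KEYWORD_IN_EMAIL),
                         ("year, not email", YEAR_NOT_EMAIL)]:
        print(label, search(CASE_RECORDS, query))
```

The difference between the phrase and the proximity query is the "false positive" trade-off the slide mentions: the quoted phrase matches only the third message, while `get NEAR/3 high` also returns the innocuous "get the high score", which an examiner then has to read and discard.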
BOOKMARKS AND NOTES
Bookmarking
• Bookmarking items allows items to be quickly
located
• Notes can be added to Bookmarks
• Bookmarked items and associated Notes can
be included on Reports
Bookmarking
• Folders, files, and other
single pieces of data can
be bookmarked
• Select the item and
choose “Add Bookmark”
• There are three different ways to bookmark:
– Click on Add Bookmark on the Home tab
– Press INS on your keyboard
– Right-click and choose Add Bookmark
GENERATING REPORTS
Generating a Report
• Click Generate Report from the Home tab
Types of Reports
• Reports can be saved as:
– HTML
• Investigative
• Simple
• TreeView
• Timeline
– CSV
• Text
– Excel
• Spreadsheet
– PDF
• Investigative
– Text
• Simple
Generating Reports
• Report Formats
– CSV – Comma-Separated Values
– HTML – options for both printing and navigating onscreen
– PDF – “Investigative Report” – the best format for printing
– TXT – Simple text format
– XLS – MS-Excel Spreadsheet format
• Reports can contain the “Entire case” (takes more time) or “Selected items only”
• Bookmarks can be sorted in various ways (e.g., by name, order selected, creation order, etc.)
Case Information in Reports
• Case Information will be displayed at the beginning of each Report (regardless of reporting format)
• Case Information includes:
– Case Number
– Evidence Number
– Examiner(s)
– Examiner Agency
– Agency Contact Information
– et al.
Entering Case Information
• Case Information must be
entered prior to Generating a
Report
• Enter information using
path: Case/Case Info . . .
• The “Case Info . . . “ menu
option opens a wizard that
allows all relevant case
information to be entered
SIGNIFICANCE OF ID NUMBERS
ESN – Electronic Serial Number
• Unique 32-bit number assigned to each AMPS, TDMA, or CDMA device.
• The 8-bit manufacturer’s code is almost exhausted. A 14-bit code was
authorized as a fill-in until the new system is in place.
MEID – Mobile Equipment ID
• Replaces the soon to be exhausted ESN for
CDMA devices.
• All of these fields are hexadecimal values.
– RR – Regional Code. Globally administered
– XXXXXX – Manufacturer Code
– ZZZZZZ – Serial Number of the device
– C – Check Digit (not transmitted over the air)
IMEI – International Mobile
Equipment ID
• The IMEI is a unique 15-digit code used to
identify an individual GSM mobile telephone
to a mobile network.
Where to locate ESN, MEID, & IMEI?
IMSI – International Mobile Subscriber
Identity
• ITU Spec E.212: International identification plan for
mobile terminals and mobile users that defines a
numbering plan for land mobile stations in
international public land mobile networks (PLMN). It
establishes the principles for allocation of
international mobile station identities (IMSI) to
stations.
• Always 56-bit and unique in every network. Consists of three parts:
– MCC: mobile country code
– MNC : mobile network code
– MSIN: mobile station identification number
IMEI Number Analysis
• Lookup IMEI on numberingplans.com
• numberingplans.com shows:
– Manufacturer
– Model
– Age of Phone
MCC – Mobile Country Code
• First field of IMSI
• 3 digits in length
• Identifies a country or group of networks that
share an MCC for international services
MNC – Mobile Network Code
• Second field of the IMSI
• Is either 2 or 3 digits in length
• The MNC, in combination with the MCC,
uniquely identifies the Home Network of the
mobile terminal or mobile user
MSIN – Mobile Subscriber ID Number
• Third field of the IMSI
• Has maximum of 10 digits
• The MSIN, with a given MCC + the MNC,
identifies a unique mobile terminal or mobile
subscriber within a public network
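The ESN, MEID, IMEI and IMSI layouts from the preceding slides, as an added Python example written for this page (not from the deck or any forensic tool): each identifier is split into the fields the slides name, and the IMEI's 15th digit is verified as a Luhn check digit (the Luhn step is a fact about IMEIs added here, not stated on the slides). The MNC length depends on the MCC, so it is passed in rather than looked up. All sample identifiers are constructed and do not belong to real devices or subscribers.

```python
from typing import Dict


def luhn_check_digit(body: str) -> str:
    """Luhn check digit for a string of decimal digits (the 15th digit of an IMEI)."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:            # double every second digit, starting beside the check digit
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def parse_imei(imei: str) -> Dict[str, object]:
    """Split a 15-digit IMEI into TAC (8 digits), serial (6) and check digit, and verify the check.

    The TAC is the part that lookup services map to a manufacturer and model."""
    digits = imei.replace(" ", "").replace("-", "")
    if len(digits) != 15 or not digits.isdigit():
        raise ValueError("IMEI must be 15 decimal digits")
    return {
        "tac": digits[:8],
        "serial": digits[8:14],
        "check_digit": digits[14],
        "check_digit_valid": luhn_check_digit(digits[:14]) == digits[14],
    }


def parse_imsi(imsi: str, mnc_length: int) -> Dict[str, str]:
    """Split an IMSI into MCC (3 digits), MNC (2 or 3 digits) and MSIN (at most 10 digits)."""
    if not imsi.isdigit() or len(imsi) > 15:
        raise ValueError("IMSI must be at most 15 decimal digits")
    if mnc_length not in (2, 3):
        raise ValueError("MNC is 2 or 3 digits")
    mcc, mnc, msin = imsi[:3], imsi[3:3 + mnc_length], imsi[3 + mnc_length:]
    if len(mcc) != 3 or len(mnc) != mnc_length or not 1 <= len(msin) <= 10:
        raise ValueError("IMSI field lengths out of range")
    return {"mcc": mcc, "mnc": mnc, "msin": msin}


def parse_meid(meid: str) -> Dict[str, str]:
    """Split a 14-hex-digit MEID into RR (2), manufacturer code (6) and serial (6).

    A 15th character, if present, is the check digit, which is not sent over the air."""
    hexpart, check = meid.upper(), ""
    if len(hexpart) == 15:
        hexpart, check = hexpart[:14], hexpart[14]
    if len(hexpart) != 14 or any(c not in "0123456789ABCDEF" for c in hexpart):
        raise ValueError("MEID must be 14 hexadecimal digits (plus optional check digit)")
    return {"rr": hexpart[:2], "manufacturer": hexpart[2:8],
            "serial": hexpart[8:14], "check_digit": check}


def parse_esn(esn_hex: str) -> Dict[str, int]:
    """Split a 32-bit ESN (8 hex digits) into its 8-bit manufacturer code and 24-bit serial."""
    value = int(esn_hex, 16)
    if value > 0xFFFFFFFF:
        raise ValueError("ESN is a 32-bit value")
    return {"manufacturer": value >> 24, "serial": value & 0xFFFFFF}


# Constructed sample identifiers (not real devices or subscribers).
SAMPLE_IMEI = "351234567890124"    # TAC 35123456, serial 789012, Luhn check digit 4
SAMPLE_IMSI = "001011234567890"    # MCC 001, 2-digit MNC 01, 10-digit MSIN
SAMPLE_MEID = "A1000000ABCDEF"     # RR A1, manufacturer 000000, serial ABCDEF
SAMPLE_ESN = "8F1A2B3C"            # manufacturer 0x8F, serial 0x1A2B3C

if __name__ == "__main__":
    print(parse_imei(SAMPLE_IMEI))
    print(parse_imsi(SAMPLE_IMSI, mnc_length=2))
    print(parse_meid(SAMPLE_MEID))
    print(parse_esn(SAMPLE_ESN))
```

A failing check digit is worth recording in the case notes: it means the IMEI was transcribed wrongly or the value on the label does not match the device, and either way the lookup on numberingplans.com cannot be trusted until it is re-read from the handset.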
SIM Cards
• SIM cards are removable cards that allow for
quick transfer from one phone to another
• More widely used in Europe
• Hierarchical file system that:
– Stores names and phone numbers
– Receives and sends text messages
– Stores network configuration information
SIM Card Evidence
• Call Logs
• Simple Phone Book
• Last 10 outgoing phone numbers
• SMS Messages
• Security Information
– IMSI
LOCI – Location Information File
• Part of the Elementary File
• Data are retained when phone is powered
down
• Is updated as the phone moves from one
location to another
• Contains information about the Location Area
PIN – Personal Identification Number
• Locks SIM Card until correct code is entered
• Can be changed via the phone handset
• Protects the subscriber’s account, even if the
SIM Card is inserted into another phone
• If entered incorrectly 3 times, SIM Card is
blocked, which requires a PUK from the
service provider
• If PUK is entered incorrectly 10 times, the SIM
Card is permanently disabled
SIM Card Readers
• To acquire data from a SIM card in Device
Seizure, you need to use a SIM card reader
• Insert the SIM card into the reader and then
plug the USB port of the reader into your
computer
SIM Card Acquisition in DS
• SIM cards can be acquired through DS using a
card reader
• Only a logical acquisition can be performed
Media Cards
• Hundreds of different brands
• Storage range can vary
• Device Seizure will acquire:
Discussion 5 (Featured Phones and SIM Cards)
Name
Institution
Course
Instructor
Date
Why People Still Buy Featured Phones and Why It Is Important to Analyze Them
Technological advancements are among the most significant changes in the contemporary
world, including in the communication field. Specifically, the production of smartphones has
increased significantly, causing the phasing out of conventional featured phones. However,
despite the many advantages of smartphones, people are still buying featured phones—both new
and reused. One of the reasons for this continuous purchase is their effectiveness as backup
phones (Yadav & Naik, 2013). The many applications installed in smartphones usually consume
a lot of power, thereby affecting the smartphone’s battery life. On the other hand, the simplicity
of featured phones always enables them to carry charge longer. Therefore, most people prefer
featured phones as backup phones because of their simplicity and longer battery life.
This simplicity also means that the users do not have to store a lot of their information on
the phones, unlike smartphones that have several apps demanding personal information. For
instance, social media platforms like Facebook demand personal information when registering
and setting up an account—something that can never happen with featured phones. Thus,
featured phones become convenient; losing them would not cause any massive data loss nor
make the users vulnerable to a data breach (GSMA Intelligence, 2015). People still buy featured
phones because they are more affordable than smartphones, more so in developing nations where
the cheapest of smartphones elsewhere still retail at too high prices.
The illustrations above show that featured phones are still widely used for
communication, despite the rapid increase in the production and use of smartphones witnessed in
the contemporary world. This use makes it necessary to learn how to analyze these types of
phones. As much as their use has reduced significantly compared to the previous decades, they
still form a crucial part of today’s society. Analyzing them will also improve security because
most criminals use featured phones in their illegal dealings because of the simplicity and other
advantages.
Why it is Necessary to Analyze SIM Cards
Telecommunication came with the invention of SIM cards that users could use to identify
themselves when communicating uniquely. SIM registrations have also advanced to currently
require legal documents, meaning that SIM cards can be used to reveal users’ legal identities
(What is a sim card, n.d.). This reason alone makes it very crucial to analyze SIM cards. For
example, at an accident scene having fatalities, the authorities can analyze the SIM cards at the
scene to reveal the victims’ identities. SIM card analysis is crucial to mobile forensic
investigation because they usually act as storage devices (Lee et al., 2020). The cards can store
contacts and messages, among other critical data that usually come in handy during forensic
investigations. During the investigations, the stored data help to connect various links between
the person under investigations and the people they communicated with. Finally, SIM cards can
be used to track users, more so those who engage in criminal activities. Its analysis would thus
help in solving criminal cases that would have otherwise been challenging to crack.
References
GSMA Intelligence (2015). From Featured Phones to Smartphones, the Road Ahead. Retrieved from
file:///C:/Users/user/AppData/Local/Temp/20210210114214feature_phones.pdf
Lee, K., Kaiser, B., Mayer, J., & Narayanan, A. (2020). An Empirical Study of Wireless Carrier
Authentication for SIM Swaps. In Sixteenth Symposium on Usable Privacy and
Security (SOUPS 2020) (pp. 61-79).
What is a sim card (n.d.). Retrieved from
file:///C:/Users/user/AppData/Local/Temp/20210210114214sim_card_committee_report1.pdf
Yadav, K., & Naik, V. S. (2013). Empowering feature phones to build smart mobile networked
systems. Journal of the Indian Institute of Science, 93(3), 521-540.
Discussion 5 (Featured Phones and SIM Cards)
Name
Institution
Course
Instructor
Date
Why People Still Buy Featured Phones and Why It Is Important to Analyze Them
Technological advancements are among the most significant changes in the contemporary
world, including in the communication field. Specifically, the production of smartphones has
increased significantly, causing the phasing out of conventional featured phones. However,
despite the many advantages of smartphones, people are still buying featured phones—both new
and reused. One of the reasons for this continuous purchase is their effectiveness as backup
phones (Yadav & Naik, 2013). The many applications installed in smartphones usually consume
a lot of power, thereby affecting the smartphone’s battery life. On the other hand, the simplicity
of featured phones always enables them to carry charge longer. Therefore, most people prefer
featured phones as backup phones because of their simplicity and longer battery life.
This simplicity also means that the users do not have to store a lot of their information on
the phones, unlike smartphones that have several apps demanding personal information. For
instance, social media platforms like Facebook demand personal information when registering
and setting an account—something that can never happen with featured phones. Featured phones
do not have any such applications and would thereby not demand much personal data. Most
people, especially older adults, prefer the featured phones because of their readability and ability
to perform a specific function (Zhou, Rau, & Salvendy, 2014). Therefore, such individuals will
still buy feature phones. Finally, people still buy featured phones because they are more
affordable than smartphones, more so in developing nations where the cheapest of smartphones
elsewhere still retail at too high prices.
The illustrations above show that featured phones are still widely used for
communication, despite the rapid increase in the production and use of smartphones witnessed in
the contemporary world. This use makes it necessary to learn how to analyze these types of
phones. As much as their use has reduced significantly compared to the previous decades, they
still form a crucial part of today’s society. Analyzing them will also improve security because
most criminals use featured phones in their illegal dealings because of the simplicity and other
advantages.
Why it is Necessary to Analyze SIM Cards
Telecommunication came with the invention of SIM cards that users could use to identify
themselves when communicating uniquely. Most African nations are currently demanding
mandatory registration of SIM cards using users’ real identification credentials (Jentzsch, 2012).
This reason alone makes it very crucial to analyze SIM cards because the analysis will provide
users’ details. For example, at an accident scene having fatalities, the authorities can analyze the
SIM cards at the scene to reveal the victims’ identities. SIM card analysis is crucial to mobile
forensic investigation because they usually act as storage devices (Lee et al., 2020). The cards
can store contacts and messages, among other critical data that usually come in handy during
forensic investigations. During the investigations, the stored data help to connect various links
between the person under investigations and the people they communicated with. Finally, SIM
cards can be used to track users, more so those who engage in criminal activities. Its analysis
would thus help in solving criminal cases that would have otherwise been challenging to crack.
References
Jentzsch, N. (2012). Implications of mandatory registration of mobile phone users in Africa.
Telecommunications Policy, 36(8), 608-620.
Lee, K., Kaiser, B., Mayer, J., & Narayanan, A. (2020). An Empirical Study of Wireless Carrier
Authentication for SIM Swaps. In Sixteenth Symposium on Usable Privacy and
Security (SOUPS 2020) (pp. 61-79).
Yadav, K., & Naik, V. S. (2013). Empowering feature phones to build smart mobile networked
systems. Journal of the Indian Institute of Science, 93(3), 521-540.
Zhou, J., Rau, P. L. P., & Salvendy, G. (2014). Older adults’ use of smart phones: an
investigation of the factors influencing the acceptance of new functions. Behaviour &
Information Technology, 33(6), 552-560.
