01/02/03 - Challenges, Seizure & Intro

Question 1

Name a few technical challenges?

Answer 1

• Different perception
• New devices every day
• Different file systems / formats
• Different operating systems
• Frequent updates of OS & apps
• No one forensic tool can do everything
• Proprietary SW & HW
• Different languages
• Competency levels
• Costs for training & equipment (competency levels)
• Device condition (age, wear, damage, liquid, elec. failure)
• Convert data to human readable format

Question 2

What are collection challenges?

Answer 2

• Logical vs. file system vs. physical acquisition
• User <-> device interaction may be required
• Software may need to be installed for data extraction
• Deleted data / hidden data

Question 3

Name some legal challenges?

Answer 3

Statutory powers

• Breach of Article 6 (Right to a Fair Trial) of European Convention on Human Rights
• Powers to access online data repositories
• General Data Protection Regulation (GDPR)

Retention, disclosure and defence access

• Consider the integrity of digital. Data can get destroyed over time.
• SW / HW to copy or examine may become obsolete or unavailable

Question 4

Name a few examination challenges?

Answer 4

• May encounter problems with non standard characters in different languages
• Acquisition methods
• Security locks/Pattern/PIN/Biometric protection
• Remote Wipe
• Manual extraction/capturing data
• Report output – Presentation of data
• Increased range of data cables & power connectors
• Parsing variety of app data

Question 5

What tags should be on a bag?

Answer 5

• What is it
• Who found it
• Where was it found
• When was it found
• How was it found (Situation and phone status)

Question 6

What are other good seizure tools / procedures?

Answer 6

• Faraday Bags
• Labelling information
• Chain of custody (continuity) bag
• Tamper Proof boxes
• SIM card labelling

Question 7

What can be found out by just looking at the device:

Answer 7

• Make / Model
• Type of Device
• Condition
• Capabilities
• Original service provider
• Network type (GSM / 3G / 4G / 5G)

Question 8

Name the Mobile Device Data Storage Components?

Answer 8

Mobile Device Internal Memory

• Flash Memory of two types: NOR or NAND memory
• Non-volatile, varies in capacity, low power consumption, small physical dimensions
• Available in different packages (TSOP - Thin Small Outline Package, BGA - Ball Grid Array)
• Different technologies (eMMC - embedded MultiMediaCard, eMCP - embedded Multi-Chip package, UFS - Universal Flash Storage)

SIM / UICC

• Subscriber Identity Module/ Universal Integrated Circuit Card
• Contains user and network specific data
• User data can be PIN or PUK locked
• Limited memory capacity depending on SIM generation
• An embedded SIM has also been developed and is being used for machine to machine communications

Memory SD Card

• Varies in capacity from Mb to multiple Gb’s
• File system typically FAT format
• Media can be locked to mobile device
• Can contain non standard mobile device data
• Micro SD is the most common type
• Sony use M2 card

Question 9

Explain the three examination types?

Answer 9

Logical

• Logical acquisition and decoding allows the retrieval of a subset of manually accessible data. Extraction software asks the mobile device what data is available.
• Typically uses the device Application Programming Interface (API).
• Will not provide deleted data on low end devices
• May provide limited deleted data on smart devices
• Different protocols are used
• SIM/UICC can provide limited deleted data

File System

• Uses device and O.S. specific communication protocols
• Similar to Logical extraction but allows a copy of the file system to be obtained
• Can be achieved using forensic tools or in some cases flasher tools
• Forensic tools can decode some file systems
• May not decode all of the data
• Additional non visible data may be retrieved
• Requires a physical cable connection to the mobile device
• May use conventional or alternative data connection

Physical

• Physical Acquisition allows the retrieval of hidden, deleted and corrupted data
• Physical extraction involves either:
• Cable connection and specific software (e.g. XRY, UFED, Flasher tools, JTAG, ISP)
• Removing memory chips from circuit board & “dumping” contents
• Special boot loaders may be used
• Data is supplied in a “raw” form
• Interpretation requires time & specialist knowledge
• Provides a lot of data including deleted handset information
• Decoding the results of a physical extraction (aka “hex dump”) can be a time consuming process and is not appropriate for every case 16

Question 10

What is IMEI?

Answer 10

International Mobile Equipment Identity; This is the serial number (15 digits) of the handset (like Vehicle Identification Number). It is intended to be unique, but can be re-programmed with specialist equipment (illegal).

IMEI can reveal: Make, model, date and country of origin. IMEI can be found: either printed on device, by typing *#06#, may be located on device packaging.

• 35/1950/00/901935/8 (Check Digit)
• 35-1950-00-901935-8 (Check Digit)
• 35-209900-176148-23 (Software Version)

First 8 digits: Type Allocation Code

9-14 digits: Serial Number

15. digit: Check digit (luhn algorithm)

Question 11

What is Luhn?

Answer 11

The formula verifies a number against its included check digit, which is appended at the end of the IMEI.

1. Starting from the left assign the label D14 down to D1 Double the value of the odd digits e.g. (D1x2) (D3x2) (D5x2) and so on
2. Add together the individual digits obtained in the step above and add these to the sum of all the even labelled digits D2, D4, D6 and so on
3. If the total ends in 0 then the check digit is 0. If the number does not end in 0 then the CD is calculated by subtracting the resultant in step three from the next higher number which ends in 0

Question 12

What is the FCC-ID?

Answer 12

ID Federal Communications Commission Identification: Found on devices for US market. The first three or five characters represent the manufacturer known as the grantee code. Remaining characters are known as the equipment product

Code.

Question 13

Explain some Mobile Device Connectivity options?

Answer 13

Data cables

• Serial, USB or RJ45
• Require driver software

Infra Red

• Requires reader on PC
• Requires manual interaction to activate
• Not commonly used
• Very slow
• Not in use anymore

Bluetooth

• Requires reader on PC
• Requires manual interaction to activate
• Data alteration
• Results from reading same handset with different connection interface may vary!

JTAG

• Requires specialist communications device
• May use adapter to connect
• May require solder connection to the PCB
• Identification of points a challenge
• Not always supported by vendor
• Good for physical acquisition

ISP

• Requires solder or probe connection to PCB
• Identification of points a challenge
• Only works for certain chip technology
• Good for physical acquisition

Question 14

Name some non-GSM technologies?

Answer 14

AMPS

• Advanced Mobile Phone System
• Analogue
• Some networks still exist!

D-AMPS / TDMA

• Digital Advanced Mobile Phone System
• Digital 2G standard
• Networks in N. & S. America (e.g. Verizon)

CDMA

• Code Division Multiple Access Technologies
• CDMAOne (IS 95) Digital 2G standard pioneered by Qualcomm
• May or may not require SIM
• CDMA2000/WCDMA (IS 2000) Hybrid 2.5G / 3G standard
• Networks in N. & S. America, Asia and Africa

iDEN

• Developed by Motorola
• Networks in North & South America, Asia

Satellite phones

• Global providers are Inmarsat , Globalstar and Iridium
• Regional providers also exist which have combined GSM/ Satphone capabilities Thuraya

Question 15

What is GPS?

Answer 15

Most common system in use is US NAVSTAR Global Positioning System. It is a satellite-based radionavigation system owned by the United States government and operated by the United States Air Force. It is a global navigation satellite system (GNSS) that provides geolocation and time information to a GPS receiver anywhere on or near the Earth where there is an unobstructed line of sight to four or more GPS satellites. Obstacles such as mountains and buildings block the relatively weak GPS signals.

• Network of satellites transmitting their location in space back to Earth
• Two primary frequencies:
• L1 1575.42 Mhz Standard Positioning Service (SPS) or Coarse Acquisition Code (C/A code)
• L2 1227.60 Mhz Precise Positioning Service (PPS)
• Weak signal received by GPS receivers on Earth
• Multiple satellites provide coverage simultaneously
• Uses Trilateration to determine location
• GPS uses timing difference on signal to determine distance from satellite
• Performing the same technique from three satellites provides an accurate location to within 10 metres (2D location)
• The distance calculated using the fourth satellite is used to validate the determined location (3D location)

Question 16

What is aGPS?

Answer 16

Assisted GPS is a system that often significantly improves the startup performance. A-GPS is extensively used with GPS-capable cellular phones. Cold Start TTFF (time to first fix) can take minutes to determine location. This is influenced by a number of factors: Location (open skies quicker fix), RF interference, number of satellites. aGPS uses additional technology: Mobile Network, WiFi.

Question 17

Name three Alternative Global Satellite Navigation Systems?

Answer 17

• GLONAAS (Russia)
• Galileo (Europe)
• Beidou Navigation Satellite System (China)