Mobile Forensics Flashcards

1
Q

What is Mobile Forensics?

A

Mobile forensics is used to recover digital evidence from a mobile device in a forensically sound manner.

2
Q

What are the three mobile storage locations?

A

Internal Phone Memory
SIM Card Memory
External Memory

3
Q

Internal Phone Memory includes?

A

Data held in the handset's own RAM, ROM and flash memory: the operating system, the installed applications and their data. Basic items (IMEI, phonebook, SMS) can be pulled from internal memory over a serial link using AT commands via USB cable, infrared or Bluetooth; a full copy of flash requires a logical or physical acquisition tool, and anything held only in RAM is lost once the device is powered off.

4
Q

SIM Card Memory Includes?

A

It includes data stored in the SIM card memory. The SIM stores personal information, address books, messages, and service-related information.

5
Q

External Phone Memory Includes?

A

It includes data stored in SD card, MiniSD Card, MicroSD, etc. It stores personal information such as audio, video, and images.

6
Q

Mobile device forensics process

A
  1. Collect evidence
  2. Document scene and preserve evidence
  3. Imaging & profiling
  4. Acquire information
  5. Report
7
Q

Mobile Switching Center (MSC):

A

the switching system for the cellular network

8
Q

Base Transceiver Station (BTS):

A

radio transceiver equipment that communicates with mobile phones

9
Q

Base Station Controller (BSC):

A

manages the transceiver’s equipment and performs channel assignment

10
Q

BSS: Base Station Subsystem

A

is responsible for managing the radio network and is controlled by the Mobile Switching Center (MSC). It consists of the BSC (Base Station Controller), the BTS (Base Transceiver Station), and the TC (Transcoder).

11
Q

Home Location Register (HLR):

A

A central database in the operator's core network, queried by the MSC, that holds the permanent record of every subscriber: IMSI, MSISDN, subscribed services, and the VLR the subscriber is currently registered with.

12
Q

Visitor Location Register (VLR):

A

A temporary database attached to an MSC that caches, from the HLR, the records of every subscriber currently in that MSC's service area, including phones roaming in from another network. It is the VLR, not the HLR, that knows the subscriber's current location area.

13
Q

Mobile Device Architectural Layers

A
Client Application
Communications API
GUI API
Phone API
Middleware Components
OS
Hardware
Radio Interface, gateway, and network interface
Network
14
Q

The Client Application

A

The client application is any application the user runs on the device; on Android, any app that runs on the Android platform.

15
Q

The Communication API

A

Simplifies the process of interacting with web services and other applications such as email, internet, and SMS

16
Q

The GUI API

A

Provides the widgets, menus and sub-menus used to build an application's user interface, and exposes the extension points through which developers add their own components and plugins.

17
Q

The Phone API

A

Provides the telephony services tied to the carrier, such as placing and receiving calls and sending SMS. These APIs are exposed to applications at the application layer.

18
Q

The mobile OS

A

Offers utilities for scheduling multiple tasks, memory management, synchronization, and priority allocation, and provides the interfaces through which the application layer, the middleware layer, and the hardware communicate.

19
Q

Hardware

A

A mobile device contains hardware such as a display device, keypad, RAM, flash, embedded processor, and media processor, which are responsible for mobile operation.

20
Q

Radio interface, gateway, and network interface:

A

A mobile device reaches the network operator through a radio interface, a gateway, and a network interface; these are the links over which the device establishes its connection to the network, and where the network-side authentication and air-interface encryption are applied.

21
Q

Network

A

Data leaving the device passes down through the device's layers and then across the operator's network layers to reach its destination.

22
Q

Android Architecture Stack

A
Linux Kernel
Libraries
Android Runtime
   -Dalvik Virtual Machine
   -Core Java Libraries
Application Framework
Applications
23
Q

Linux Kernel

A

The Linux kernel is the abstraction layer between the hardware and the rest of the software stack. It provides process and memory management, device drivers and networking, and the security primitives (a distinct Linux user ID per app, file permissions) on which the Android app sandbox is built.

24
Q

Libraries

A

A set of native libraries, written in C/C++ and shipped with the platform rather than by the app developer, that let the device handle different kinds of data: for example Bionic libc, SQLite, WebKit, SSL, the media framework, FreeType, and OpenGL ES. Applications reach them through the application framework (or directly via the NDK).

25
Q

Android Runtime

A

The Android Runtime (ART) is the managed runtime in which Android apps execute. It compiles the app's DEX bytecode into native machine instructions (ahead-of-time at install time, with just-in-time compilation added again in later versions) and is the successor of the Dalvik virtual machine, which it replaced as the default runtime in Android 5.0.

26
Q

Dalvik Virtual Machine (DVM)

A

The Dalvik Virtual Machine (DVM) is a register-based virtual machine, distinct from a standard Java VM, designed to run with little memory and CPU. It executes only .dex (Dalvik Executable) files, which are produced from the compiled .class files at build time. Every app runs in its own VM instance, which provides isolation between apps together with memory management and threading support.

27
Q

Core Java Libraries

A

The core Java libraries differ from both Java Standard Edition (SE) and Java Micro Edition (ME), but provide almost all of the functionality found in the Java SE libraries.

28
Q

Application Framework

A

Android applications interact with the application framework's building blocks (Activity Manager, Package Manager, Telephony Manager, Resource Manager, Content Providers, and so on) to use basic device functions such as resource management and voice call management. Developers use these components as the base for their applications.

29
Q

Applications

A

The Applications layer is the topmost layer of the Android architecture, the one the user sees on screen. Every installed application lives here. By default it ships with basic applications such as:
Home
Contacts
Call Register (call log)
Browser
Developers commonly build applications that replace the default apps with richer features. Android lets third-party apps replace most defaults, but every app still runs in its own sandbox (a distinct Linux UID) and is limited to the permissions it has been granted.

30
Q

Android Boot Process

A

Step 1: On power-on, the Boot ROM code (read-only code in the SoC) runs. It loads the bootloader into RAM and hands over execution.

Step 2: The bootloader runs before the Android kernel is loaded. It sets up the essentials the kernel needs, such as memory (and on some devices networking), and on production devices verifies the signature of the boot image before loading it. In the AOSP source tree the legacy bootloader lives under bootable/bootloader/legacy/usbloader.

Step 3: The Android kernel initializes and sets up everything the system needs to run: interrupt controllers, memory protection, caches, and the scheduler. Once that is done the system can use virtual memory and launch user-space processes. The kernel then looks for the init binary (source under system/core/init in AOSP) and launches it as the first user-space process.

Step 4: init is the first user-space process (PID 1) and the parent of every other process. Its source lives under system/core/init in the AOSP tree; on the device it runs as /init from the root ramdisk.

init starts the Zygote, the runtime, and the system daemons; at this point the Android logo appears on the screen. The init process is responsible for:

  1. Mounting the pseudo-filesystems /sys, /dev and /proc
  2. Running the init.rc script (source: system/core/rootdir/init.rc in AOSP; /init.rc on the device)

The init.rc script declares the system services, the file systems to mount, and the other parameters that need to be set up.

Step 5: In a conventional Java system every newly launched app would get its own VM instance, so launching several apps would create several Dalvik VM instances and cost a lot of memory and start-up time. Android avoids this with Zygote, a VM process started at boot that preloads and initializes the core library classes once. Whenever a new app launches, Zygote forks itself and the child becomes the app's process: it inherits the pre-warmed runtime and the shared library pages (copy-on-write) and runs the app in its own sandbox under the app's own Linux UID. This gives each APK a ready-to-run VM at low memory cost and with a quick start-up. In short, init starts Zygote, which in turn initializes the Dalvik virtual machine (ART on current devices).

Step 6: On completion of step 5, the runtime asks Zygote to launch the system server (system_server), which starts services such as Power Manager, Battery Service, and Bluetooth Service. The system server is the first Java-based component to launch during boot. The boot process completes only when all services are up and running in memory; the system then sends the ACTION_BOOT_COMPLETED broadcast. Apps holding the RECEIVE_BOOT_COMPLETED permission can listen for it, which makes it a standard persistence hook worth checking when examining a device.

31
Q

iOS Architecture

A

Has four abstraction layers in its design, listed here from the lowest to the highest:

  • Core Operating system layer
  • Core Services layer
  • Media Services layer
  • Cocoa Touch layer.

The OS occupies about 500 MB of iPhone storage, and apps have traditionally been written in Objective-C (newer apps also use Swift).

32
Q

Cocoa Touch Layer

A

The first and topmost layer of the iOS architecture: it provides the frameworks apps interact with most directly, such as UIKit, and handles multitasking, push notifications, and the touch-based user interface.

33
Q

Media Services Layer

A

The Media Services layer mainly takes care of media files such as audio and video. It also handles important technologies such as OpenGL ES and OpenAL, Core Graphics, Core Media, and AV Foundation

34
Q

Core Services Layer

A

The Core Services layer manages the basic system services an iOS application uses; the Cocoa Touch layer builds on it. It offers services such as iCloud storage, Grand Central Dispatch, block objects, and In-App Purchase. Automatic Reference Counting (ARC), introduced alongside these frameworks, is a compiler feature rather than a framework: it simplifies memory management in Objective-C by inserting the retain and release calls automatically.

35
Q

Core OS Layer

A

The Core OS layer is the lowest layer. It provides the kernel environment, device drivers, and the low-level frameworks that every higher layer depends on, including the Security framework (keychain, certificates, cryptographic services), the Accelerate framework, and the Unix-level system APIs.

36
Q

Device Firmware Upgrade

A

Unlike a normal boot, Device Firmware Upgrade (DFU) mode halts the boot chain in the Boot ROM (SecureROM), which waits for firmware to be sent over USB. Forensic investigators use it to obtain a lower level of access than the installed OS allows: with a suitable tool they can alter the boot sequence (for example to load a custom ramdisk) and examine the device without booting its own OS.

37
Q

What two modes does an iPhone operate in?

A

Normal and DFU

38
Q

Difference between normal and DFU mode is?

A

In DFU mode the boot sequence stops in the Boot ROM, which waits for a firmware upload over USB; iBoot is never loaded, so the normal LLB/iBoot/kernel chain does not run.

39
Q

Mobile Forensics Process

A
  1. Collect and Preserve the Evidence
  2. Document the Scene
  3. Imaging and Profiling
  4. Acquire and analyze information
  5. Generate a Report
40
Q

Subscriber Identity Module (SIM)

A

A Subscriber Identity Module (SIM) can store sensitive data such as the user’s contacts, messages, and time stamps associated with them. It also contains technical information such as Integrated Circuit Card Identifier (ICCID), International Mobile Subscriber Identity (IMSI), last dialed numbers (LDNs), service provider name (SPN), etc., which help a forensic investigator during cell phone data acquisition

41
Q

Different Cellular Networks

A

Code Division Multiple Access (CDMA)
Enhanced Data Rates for GSM Evolution (EDGE)
Integrated Digital Enhanced Network (iDEN)
General Packet Radio Service (GPRS)
Global System for Mobile Communications (GSM)
High-Speed Downlink Packet Access (HSDPA)
Time Division Multiple Access (TDMA)
Universal Mobile Telecommunications System (UMTS)
Unlicensed Mobile Access (UMA)

42
Q

Call Detail Record (CDR) contains information about user activities with the mobile phone. The service providers record and store this information in their databases. The call data record contains several categories of information:

A
  1. Called telephone number or numbers
  2. Names and addresses of the subscribers or registered users
  3. Date and time of the start and end of the communication
  4. Telephone service used, e.g. voice, conference call, Short Message Service (SMS), Multimedia Service (MMS)
  5. International Mobile Subscriber Identity (IMSI) of the calling and called party
  6. International Mobile Equipment Identity (IMEI) of the calling and called party
  7. Location label (Cell ID) at the start and end of the communication
  8. Data mapping between Cell IDs and their geographical location at the start and end of the communication
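The join between the CDR fields above (items 5 to 8) and a Cell ID location table is what turns a call list into a timeline. The following is an added example, not code from the original page: the records, numbers, IMSIs, IMEIs, cell IDs and coordinates are invented samples, and the column layout is an assumption, since every operator uses its own export format.

```python
"""Joining constructed Call Detail Records with a Cell ID -> site table to get the
contact frequency, movement trail and call time of one subscriber. Added example,
not from the original page: rows, numbers, IMSIs, IMEIs, cell IDs and coordinates
are invented, and the column layout is an assumption (each operator has its own)."""
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample CDR export. Assumption: start_cell/end_cell refer to the
# originating (caller) handset, the usual case for outgoing records.
CDR_CSV = """caller,called,service,start,end,imsi,imei,start_cell,end_cell
+15550001111,+15550002222,voice,2024-03-01T09:02:10,2024-03-01T09:05:40,310150123456789,490154203237518,C101,C102
+15550001111,+15550003333,sms,2024-03-01T09:30:00,2024-03-01T09:30:00,310150123456789,490154203237518,C102,C102
+15550002222,+15550001111,voice,2024-03-01T11:15:05,2024-03-01T11:16:00,310150987654321,356938035643809,C205,C205
+15550001111,+15550002222,voice,2024-03-01T18:45:00,2024-03-01T18:59:30,310150123456789,490154203237518,C103,C103
"""

# Constructed Cell ID -> (latitude, longitude, site name) mapping (item 8 above).
CELL_SITES = {
    "C101": (40.7580, -73.9855, "Midtown site A"),
    "C102": (40.7614, -73.9776, "Midtown site B"),
    "C103": (40.7306, -73.9866, "Downtown site"),
    "C205": (40.6782, -73.9442, "Brooklyn site"),
}


def load_cdrs(text: str) -> list:
    """Parse the CSV export into dicts with datetimes and a duration in seconds."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["start"] = datetime.fromisoformat(row["start"])
        row["end"] = datetime.fromisoformat(row["end"])
        row["duration_s"] = int((row["end"] - row["start"]).total_seconds())
        rows.append(row)
    return sorted(rows, key=lambda r: r["start"])


def contact_frequency(rows: list, msisdn: str) -> Counter:
    """How often each other number appears with this subscriber, in either direction."""
    counts = Counter()
    for r in rows:
        if r["caller"] == msisdn:
            counts[r["called"]] += 1
        elif r["called"] == msisdn:
            counts[r["caller"]] += 1
    return counts


def movement(rows: list, msisdn: str) -> list:
    """Ordered list of (time, cell, site) for the subscriber's own handset, taken
    from records the subscriber originated (see the assumption above)."""
    trail = []
    for r in rows:
        if r["caller"] != msisdn:
            continue
        for when, cell in ((r["start"], r["start_cell"]), (r["end"], r["end_cell"])):
            site = CELL_SITES.get(cell, (None, None, "unmapped cell"))[2]
            if not trail or trail[-1][1] != cell:   # collapse consecutive repeats
                trail.append((when.isoformat(), cell, site))
    return trail


def voice_seconds(rows: list, msisdn: str) -> int:
    """Total voice-call time in which the subscriber took part."""
    return sum(r["duration_s"] for r in rows
               if r["service"] == "voice" and msisdn in (r["caller"], r["called"]))
```

Records received by the subscriber are deliberately left out of the movement trail: in this layout the cell columns belong to the caller, so using them for the called party would place the subscriber at someone else's cell site.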
43
Q

Subscriber Identity Module (SIM) Main Function

A

Authenticating the subscriber (not the handset) to the network so that the user can access the subscribed services. The SIM proves possession of its secret key Ki in a challenge-response exchange without ever revealing Ki, which is why a copied IMSI alone cannot impersonate the subscriber.

44
Q

SIM File System

A

Stored in the SIM's non-volatile memory (EEPROM), the file system is a tree built from three kinds of file:

  1. Master File
  2. Dedicated File
  3. Elementary File
45
Q

Master File (MF)

A

the root of the file system; it contains one or more DFs and may also contain EFs directly. It is identified by the 2-byte file identifier 3F00, which is reserved for the MF.

46
Q

Dedicated File (DF)

A

contains only a header, holding information about its structure and access conditions; it groups related EFs (and sub-DFs). Like the MF it is addressed by a 2-byte identifier, for example 7F20 (DF_GSM) and 7F10 (DF_TELECOM).

47
Q

Elementary Files (EF)

A

contains both a header and a body, and the body holds the actual data: for example EF_ICCID (2FE2, the card's unique serial number) and EF_IMSI (6F07). The body is organised as a plain sequence of bytes (transparent), a sequence of fixed-size records (linear fixed), or a ring of fixed-size records in which the oldest entry is overwritten (cyclic, as used for last dialled numbers).

48
Q

Depending on the structure of the body, four types of EF are available in a SIM card’s file system:

A

Transparent EF, Linear-fixed EF, Linear-variable EF, and Cyclic EF. (The GSM 11.11 SIM specification itself defines only transparent, linear fixed and cyclic; the linear-variable structure comes from ISO/IEC 7816-4.)

49
Q

How do I acquire data from a SIM Card?

A
  1. Access to the SIM is protected by a PIN (Personal Identification Number, called CHV1 in the GSM specifications)
  2. Three consecutive wrong PIN entries block the card; it can then only be unblocked by entering the eight-digit PUK (Personal Unblocking Key)
  3. The PUK is issued by the network operator and cannot be changed by the user
  4. Ten consecutive wrong PUK entries disable the SIM permanently
  5. The investigator should obtain the PUK from the network operator rather than guess it: every wrong PUK consumes one of the ten attempts
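The exchange behind the five steps above, and the file-system navigation from the preceding cards, in the form of command APDUs and status words. This is an added example, not code from the original page: it simulates a GSM 11.11 SIM in Python so the PIN and PUK retry counters can be exercised without a real card. The file tree holds only the files named on this page, the PIN and PUK values are constructed, and the status words follow GSM 11.11 (a real SIM additionally answers 9F xx after SELECT, omitted here).

```python
"""A simulated GSM 11.11 SIM that answers SELECT, VERIFY CHV1 (the PIN) and
UNBLOCK CHV1 (the PUK) with the retry counters described above. Added example,
not from the original page: the file tree holds only the files named on this
page, the PIN/PUK values are constructed, and the status words follow GSM 11.11
(a real card also returns 9F xx after SELECT, omitted here)."""

# Constructed tree: MF 3F00 holds DF_GSM 7F20 (EF_IMSI 6F07), DF_TELECOM 7F10
# (EF_ADN 6F3A, the phonebook) and EF_ICCID 2FE2.
FILE_TREE = {0x3F00: {0x7F20, 0x7F10, 0x2FE2}, 0x7F20: {0x6F07}, 0x7F10: {0x6F3A}}

SW_OK, SW_CHV_WRONG, SW_CHV_BLOCKED = 0x9000, 0x9804, 0x9840
SW_CHV_CONTRADICTION, SW_FILE_NOT_FOUND, SW_INS_UNKNOWN = 0x9808, 0x9404, 0x6D00


def pad8(secret: str) -> bytes:
    """CHV values travel as 8 ASCII bytes right-padded with 0xFF."""
    return secret.encode("ascii").ljust(8, b"\xff")


def select(fid: int) -> bytes:            # A0 A4 00 00 02 <file id>
    return bytes([0xA0, 0xA4, 0x00, 0x00, 0x02]) + fid.to_bytes(2, "big")


def verify_chv1(pin: str) -> bytes:       # A0 20 00 01 08 <PIN>
    return bytes([0xA0, 0x20, 0x00, 0x01, 0x08]) + pad8(pin)


def unblock_chv1(puk: str, new_pin: str) -> bytes:   # A0 2C 00 00 10 <PUK><new PIN>
    return bytes([0xA0, 0x2C, 0x00, 0x00, 0x10]) + pad8(puk) + pad8(new_pin)


class SimulatedSim:
    PIN_TRIES, PUK_TRIES = 3, 10          # limits fixed by GSM 11.11

    def __init__(self, pin: str = "1234", puk: str = "87654321"):
        self._pin, self._puk = pad8(pin), pad8(puk)
        self.pin_tries, self.puk_tries = self.PIN_TRIES, self.PUK_TRIES
        self.verified, self.dead = False, False
        self.current = 0x3F00             # the MF is selected after reset

    def transmit(self, apdu: bytes) -> int:
        """Return the 2-byte status word for one command APDU."""
        cla, ins, _p1, p2, lc = apdu[:5]
        data = apdu[5:5 + lc]
        if cla != 0xA0:
            return 0x6E00                 # class not supported
        if self.dead:
            return SW_CHV_BLOCKED         # simplification: a dead SIM refuses everything
        if ins == 0xA4:                   # SELECT: MF always reachable, else a child of current
            fid = int.from_bytes(data, "big")
            if fid == 0x3F00 or fid in FILE_TREE.get(self.current, set()):
                self.current = fid
                return SW_OK
            return SW_FILE_NOT_FOUND
        if ins == 0x20 and p2 == 0x01:    # VERIFY CHV1
            if self.pin_tries == 0:
                return SW_CHV_BLOCKED
            if data == self._pin:
                self.pin_tries, self.verified = self.PIN_TRIES, True
                return SW_OK
            self.pin_tries -= 1
            return SW_CHV_WRONG if self.pin_tries else SW_CHV_BLOCKED
        if ins == 0x2C and p2 == 0x00:    # UNBLOCK CHV1: data = PUK || new PIN
            if self.pin_tries > 0:
                return SW_CHV_CONTRADICTION   # nothing to unblock
            if data[:8] == self._puk:
                self._pin = data[8:16]    # new PIN takes effect; verify it next
                self.pin_tries, self.puk_tries = self.PIN_TRIES, self.PUK_TRIES
                return SW_OK
            self.puk_tries -= 1
            self.dead = self.puk_tries == 0   # tenth wrong PUK kills the SIM
            return SW_CHV_WRONG if self.puk_tries else SW_CHV_BLOCKED
        return SW_INS_UNKNOWN


def select_path(sim: SimulatedSim, path: list) -> list:
    """Walk down from the MF, e.g. [0x3F00, 0x7F20, 0x6F07] reaches EF_IMSI."""
    return [sim.transmit(select(fid)) for fid in path]


def acquisition_session() -> list:
    """Three wrong PINs block CHV1; the operator-supplied PUK unblocks it and sets
    a new PIN; then EF_IMSI is selected. Returns the status words in order."""
    sim = SimulatedSim(pin="1234", puk="87654321")
    sws = [sim.transmit(verify_chv1(g)) for g in ("0000", "1111", "2222")]
    sws.append(sim.transmit(verify_chv1("1234")))     # right PIN, but already blocked
    sws.append(sim.transmit(unblock_chv1("87654321", "4321")))
    sws.append(sim.transmit(verify_chv1("4321")))
    return sws + select_path(sim, [0x3F00, 0x7F20, 0x6F07])
```

The point to notice is that the correct PIN is refused (9840) once the counter has hit zero, and that an EF cannot be selected straight from the MF: the path must descend through its DF, which is why acquisition tools issue a chain of SELECT commands for every file they read.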
50
Q

Integrated Circuit Card Identification (ICC ID)

A
  1. The ICCID of the (U)SIM is 19 or 20 digits long and is normally also printed on the card body
  2. It consists of the industry identifier prefix 89 (telecommunications), followed by a country code, an issuer identifier number, an individual account identification number, and a final Luhn check digit
  3. This code identifies the country and the issuing network operator
  4. If the ICCID cannot be read from the SIM, obtain it with a (U)SIM acquisition tool such as ForensicSIM Toolkit, or from the printed card body
51
Q

International mobile subscriber identity (IMSI):

A

A number of up to 15 digits that uniquely identifies the subscriber (the SIM), not the handset: MCC + MNC + MSIN. It is stored in EF_IMSI on the SIM and is the key under which the HLR holds the subscriber's record, so it lets an investigator tie a SIM to an operator account and, through the operator's records, to the device's network activity and location history.

52
Q

Service provider name (SPN):

A

It signifies a SIM card service provider (example: Idea, Airtel, etc.) Investigators must pay more attention to the authenticity and verifiability of the service provider records.

53
Q

Mobile country code (MCC):

A

The MCC is a 3-digit code that identifies the country of the subscriber's home network. It forms the first three digits of the IMSI (so it is held on the SIM rather than printed on it) and, combined with the mobile network code (MNC), identifies the home operator (the PLMN).

54
Q

Mobile network code (MNC):

A

The MNC is a 2- or 3-digit code that follows the MCC in the IMSI and identifies the subscriber's home operator within that country. MCC and MNC together form the PLMN identifier; whether the MNC has two or three digits depends on the country.

55
Q

Mobile subscriber identification number (MSIN):

A

The MSIN is the part of the IMSI that follows the MCC and MNC (up to 10 digits, so that the whole IMSI is at most 15 digits). It identifies the individual subscriber within the operator's network. It is not the same as the MIN (mobile identification number) used in North American CDMA/AMPS networks, although the two are often confused.

56
Q

Mobile international subscriber directory number (MSISDN):

A

The MSISDN is the subscriber's telephone number in international format: country code, national destination code and subscriber number, at most 15 digits once the international dialling prefix is excluded (ITU-T E.164). It is the number other people dial; the IMSI, not the MSISDN, is what the SIM authenticates with.

57
Q

International Mobile Equipment Identifier (IMEI)

A
  1. The IMEI is a 15-digit identifier of the handset (not the subscriber) that indicates the manufacturer and model and, in the older format, the country of approval
  2. The first eight digits, the Type Allocation Code (TAC), give the model and origin; the next six are the unit's serial number, and the fifteenth is a Luhn check digit
  3. On a powered-on GSM or UMTS phone the IMEI can be displayed by keying in *#06#; it is also printed on the device label or under the battery
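The identifiers on the ICCID, IMSI, MCC, MNC, MSIN and IMEI cards above are stored on the SIM as packed "swapped" BCD, and an acquisition tool has to decode them before the digits can be split. This is an added example, not code from the original page: decoders for the raw contents of EF_ICCID and EF_IMSI, the MCC/MNC/MSIN split, and the TAC/serial/check-digit split of an IMEI, with the Luhn check that validates the last digit of both an ICCID and an IMEI. The byte strings are constructed samples, not a real subscriber's data.

```python
"""Decoders for the raw contents of EF_ICCID (file 2FE2) and EF_IMSI (file 6F07)
as returned by a SIM acquisition tool, plus the MCC/MNC/MSIN split of the IMSI and
the TAC/serial/check-digit split of an IMEI. Added example, not from the original
page. The byte strings are constructed samples, not a real subscriber's data."""

# Constructed: the 10 bytes of EF_ICCID holding ICCID 89148000000000000027
SAMPLE_ICCID_RAW = bytes.fromhex("98410800000000000072")
# Constructed: the 9 bytes of EF_IMSI (length byte + 8 data bytes) for IMSI 262420000001172
SAMPLE_IMSI_RAW = bytes.fromhex("082926240000001127")


def swapped_bcd_to_digits(data: bytes) -> str:
    """SIM files store two digits per byte with the LOW nibble first ('swapped BCD');
    unused nibbles are 0xF. Return the nibbles in reading order as hex characters."""
    return "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in data)


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: the last digit of an ICCID and of an IMEI is a Luhn check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def decode_iccid(raw: bytes) -> str:
    """EF_ICCID is 10 bytes: 19 or 20 digits, 'F'-padded when only 19."""
    return swapped_bcd_to_digits(raw).rstrip("F")


def decode_imsi(raw: bytes) -> str:
    """EF_IMSI: byte 0 = number of following bytes; the first nibble of byte 1 is a
    parity/flag nibble, then up to 15 digits, 'F'-padded when shorter."""
    length = raw[0]
    if not 1 <= length <= 8:
        raise ValueError("invalid EF_IMSI length byte")
    return swapped_bcd_to_digits(raw[1:1 + length])[1:].rstrip("F")


def split_imsi(imsi: str, mnc_len: int = 2) -> dict:
    """IMSI = MCC (3) + MNC (2 or 3) + MSIN (rest, at most 10), 15 digits at most.
    Whether the MNC has 2 or 3 digits depends on the MCC (North America uses 3);
    2 is assumed here, a real tool looks it up in an MCC/MNC table."""
    if not (6 <= len(imsi) <= 15 and imsi.isdigit()) or mnc_len not in (2, 3):
        raise ValueError("IMSI must be 6-15 decimal digits, MNC length 2 or 3")
    return {"mcc": imsi[:3], "mnc": imsi[3:3 + mnc_len], "msin": imsi[3 + mnc_len:]}


def split_imei(imei: str) -> dict:
    """IMEI = TAC (8 digits) + serial number (6 digits) + Luhn check digit."""
    if len(imei) != 15 or not imei.isdigit():
        raise ValueError("IMEI must be exactly 15 decimal digits")
    return {"tac": imei[:8], "serial": imei[8:14], "check_ok": luhn_valid(imei)}
```

A failing Luhn check on an ICCID or IMEI read from a device is worth recording: it usually means a transcription or decoding error (for example forgetting the nibble swap) rather than a genuinely odd identifier, and it is a cheap sanity check before the value goes into a report or a request to the operator.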
58
Q

Electronic Serial Number (ESN)

A

  1. The ESN is a unique 32-bit identifier that the manufacturer burns into a secure chip in a CDMA/AMPS handset
  2. Originally the first 8 bits identified the manufacturer and the remaining 24 bits the serial number; when manufacturer codes ran out the split became 14 + 18 bits. ESNs have since been superseded by the 56-bit MEID
59
Q

File Carving

A

File carving recovers files from raw data (unallocated space, slack space, a memory dump) by locating known file signatures, that is headers and footers, rather than relying on file system metadata. It matters in forensic work because it can recover files after they have been deleted, or when the file system structure is corrupted, at the cost of losing file names and timestamps and with a risk of fragmented or false-positive results.
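The signature scan described above, as an added example that is not code from the original page. The "dump" is constructed inside the script (patterned filler with a minimal JPEG and a minimal PNG planted in it) so the carver runs offline; on a real case the input is the image produced by a physical acquisition. The JPEG carver counts nested SOI/EOI pairs because EXIF thumbnails are complete JPEGs embedded inside the file, and stopping at the first FFD9 would truncate the picture; the PNG carver walks the chunk list and checks each CRC so that a corrupt fragment is rejected rather than carved.

```python
"""Signature-based file carving over a raw dump. Added example, not from the
original page. The 'dump' is constructed here: patterned filler bytes with a
minimal JPEG and a minimal PNG planted inside, so the carver runs offline."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI, JPEG_EOI = b"\xff\xd8", b"\xff\xd9"


def make_png() -> bytes:
    """Smallest structurally valid PNG: signature + IHDR + IEND (constructed)."""
    def chunk(ctype: bytes, data: bytes) -> bytes:
        crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
        return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # 1x1 pixel, 8-bit greyscale
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IEND", b"")


def make_jpeg() -> bytes:
    """JPEG skeleton: SOI, one JFIF APP0 segment, EOI (constructed, not decodable)."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return JPEG_SOI + app0 + JPEG_EOI


def build_dump() -> bytes:
    """Filler that cannot contain either signature, with two files planted in it."""
    def filler(n: int) -> bytes:
        return (bytes(range(256)) * (n // 256 + 1))[:n]
    return filler(300) + make_jpeg() + filler(200) + make_png() + filler(150)


def carve_jpeg(dump: bytes, start: int):
    """Return the JPEG whose SOI is at `start`, or None if its EOI never appears.
    Nested SOI/EOI pairs (EXIF thumbnails) are counted, not stopped at."""
    depth, i = 1, start + 2
    while i < len(dump) - 1:
        two = dump[i:i + 2]
        if two == JPEG_SOI:
            depth += 1
            i += 2
        elif two == JPEG_EOI:
            depth -= 1
            i += 2
            if depth == 0:
                return dump[start:i]
        else:
            i += 1
    return None                         # truncated: footer never found


def carve_png(dump: bytes, start: int):
    """Walk the chunk list from `start` until IEND, validating every chunk CRC."""
    pos = start + len(PNG_SIG)
    while pos + 12 <= len(dump):
        length, = struct.unpack(">I", dump[pos:pos + 4])
        ctype = dump[pos + 4:pos + 8]
        end = pos + 12 + length
        if end > len(dump):
            return None                 # chunk runs past the end of the data
        if struct.unpack(">I", dump[end - 4:end])[0] != zlib.crc32(dump[pos + 4:end - 4]) & 0xFFFFFFFF:
            return None                 # corrupt chunk: not a carvable PNG
        pos = end
        if ctype == b"IEND":
            return dump[start:pos]
    return None


def carve(dump: bytes) -> list:
    """Scan the whole dump and return (offset, type, data) for every carvable file."""
    found, i = [], 0
    while i < len(dump):
        if dump.startswith(JPEG_SOI + b"\xff", i):
            data = carve_jpeg(dump, i)
        elif dump.startswith(PNG_SIG, i):
            data = carve_png(dump, i)
        else:
            data = None
        if data:
            found.append((i, "jpg" if data[:2] == JPEG_SOI else "png", data))
            i += len(data)              # skip past the carved file
        else:
            i += 1
    return found
```

The offsets returned are the only provenance a carved file has; note them in the report, because the carved data carries no name, path or timestamp of its own.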