Mobile Forensics Flashcards
What is Mobile Forensics?
Mobile forensics is used to recover digital evidence from a mobile device in a forensically sound manner.
What are the three mobile storage locations?
Internal Phone Memory
SIM Card Memory
External Memory
Internal Phone Memory includes?
It includes data stored in RAM, ROM, or flash memory.
It stores the mobile phone's OS, applications, and data. The investigator can extract information from internal phone memory using AT commands over a USB cable, infrared, or Bluetooth.
SIM Card Memory Includes?
It includes data stored in the SIM card memory. The SIM stores personal information, address books, messages, and service-related information.
External Phone Memory Includes?
It includes data stored on SD cards, MiniSD cards, MicroSD cards, etc. It stores personal information such as audio, video, and images.
Mobile device forensics process
- Collect evidence
- Document scene and preserve evidence
- Imaging & profiling
- Acquire information
- Report
Mobile Switching Center (MSC):
the switching system for the cellular network
Base Transceiver Station (BTS):
radio transceiver equipment that communicates with mobile phones
Base Station Controller (BSC):
manages the transceiver’s equipment and performs channel assignment
BSS: Base Station Subsystem
is responsible for managing the radio network and is controlled by the Mobile Switching Center (MSC). It consists of the BSC (Base Station Controller), BTS (Base Transceiver Station), and TC (Transcoder).
Home Location Register (HLR):
It is the database at MSC. It is the central repository system for subscriber data and service information
Visitor Location Register (VLR):
It is the database used in conjunction with the HLR for mobile phones roaming outside their service area
Mobile Device Architectural Layers
- Client Application
- Communications API
- GUI API
- Phone API
- Middleware Components
- OS
- Hardware
- Radio Interface, gateway, and network interface
- Network
The Client Application
The client application represents any Android application that runs on the Android platform.
The Communication API
Simplifies the process of interacting with web services and other applications such as email, internet, and SMS
The GUI API
Responsible for creating menus and sub-menus in designing applications. It acts as an interface where the developer has a chance of building other plugins.
The Phone API
Provides telephony services related to the mobile carrier operator such as making calls, receiving calls, and SMS. All phone APIs appear at the application layer.
The mobile OS
Offers utilities for scheduling multiple tasks, memory management tasks, synchronization, and priority allocation. It also provides interfaces for communication between application layers, middleware layers, and hardware.
Hardware
A mobile device contains hardware such as a display device, keypad, RAM, flash, embedded processor, and media processor, which are responsible for mobile operation.
Radio interface, gateway, and network interface:
A mobile device communicates with the network operator with some interfaces, such as radio interface, gateway, and network interface, to establish safe and secure communication.
Network
To communicate with the network, the data must pass through the various network layers to reach its destination.
Android Architecture Stack
- Linux Kernel
- Libraries
- Android Runtime
  - Dalvik Virtual Machine
  - Core Java Libraries
- Application Framework
- Applications
Linux Kernel
The Linux kernel operates as an intelligence layer between the hardware and software layers.
Libraries
Permits the device to manage various types of data. The application developer generally writes libraries for all the available hardware separately in C or C++ language.
Android Runtime
Android Runtime is an application runtime environment used by the Android OS that transforms bytecode into native machine instructions. It is the successor of Dalvik.
Dalvik Virtual Machine (DVM)
Dalvik Virtual Machine (DVM) is a type of Java virtual machine responsible for power management and memory management. The Dalvik virtual machine runs only .dex files, built from .class files during compilation, to achieve better efficiency using few resources. It creates partitions in the virtual machine to provide security, isolation, memory management, and threading support si
Core Java Libraries
Core Java libraries differ from Java Standard Edition and Java Micro Edition, but provide almost all the functionality found in the Java Standard Edition libraries.
Application Framework
Android applications, in general, interact with the application framework blocks themselves to manage basic mobile functions such as resource management and voice call management. Android developers use these tools as the base while developing applications.
Applications
The Applications portion is the last stage of the Android architecture that displays applications on the user screen. All the applications designed and developed fit into this portion. By default, this portion loads with some basic applications such as:
- Home
- Contacts
- Call Register
- Browser
The developer, in general, designs the applications that replace default apps with some better features. The Android OS offers vast opportunities for developers in developing applications without any restrictions.
Android Boot Process
Step 1: On power on, the Boot ROM code is activated. This loads the Boot Loader into the device RAM and starts execution.
Step 2: The Boot Loader initializes before the Android OS is loaded. The boot loader sets up all the essential things, such as network and memory, that are required to start the kernel. The location of the Boot Loader is as follows: \bootable\bootloader\legacy\usbloader
Step 3: The Android kernel initializes and sets up everything required for the system to run. As the kernel starts, it initializes the interrupt controllers and sets up memory protections, caches, and scheduling. Once done, the system can use virtual memory and launch user space processes. The kernel then looks for the init process (under system/core/init) and launches it as the initial user space process.
Step 4: Init is the first user process that starts on the device. It is the parent of all the processes and resides at the following location: /system/core/init
init initializes the Zygote, runtime, and daemon processes, and at this instance the Android logo appears on the mobile screen. The init process is responsible for:
- Mounting directories such as /sys, /dev, or /proc
- Running the init.rc script located at /system/core/rootdir/init.rc
The init.rc script describes the system services, file system, and other parameters that need to be set up.
Step 5: In Java, whenever a new app launches, a separate VM instance is created in memory. Therefore, if multiple applications launch at the same time, multiple Dalvik VM instances are created, resulting in extensive memory and time consumption. To avoid this, Android implements a system termed "Zygote," which enables code sharing across Dalvik virtual machine instances, resulting in low memory consumption and quick startup time. Zygote is a VM process that launches at system boot. It preloads and initializes the core library classes. Whenever a new app launches, Zygote forks a new virtual machine and runs the app in its sandboxed environment. It provides a pre-warmed virtual machine instance for each apk to run, thereby reducing the startup time. In simple terms, the init process initializes the Zygote, which in turn initializes the Dalvik virtual machine.
Step 6: On completion of step 5, the runtime requests Zygote to launch the system server, which initializes services such as Power Manager, Battery Service, and Bluetooth Service. The system server is the first Java-based component to launch on the device during the bootup sequence. The Android boot process completes only after all the services are up and running in device memory, and then the system triggers an "ACTION_BOOT_COMPLETED" standard broadcast.
iOS Architecture
Has four abstraction layers in its design
- Core Operating system layer
- Core Services layer
- Media Services layer
- Cocoa Touch layer
The OS occupies 500 MB of iPhone storage and uses the Objective-C language for coding.
Cocoa Touch Layer
The first and topmost layer in the iOS architecture.
Media Services Layer
The Media Services layer mainly takes care of media files such as audio and video. It also handles important technologies such as OpenGL ES and OpenAL, Core Graphics, Core Media, and AV Foundation.
Core Services Layer
The Core Services Layer is mainly responsible for managing the basic system services that an iOS application uses. The Cocoa Touch Layer mainly depends on this layer to offer better services while using applications. It offers services such as iCloud Storage, Grand Central Dispatch, Block Objects, and In-App Purchase. The Automatic Reference Counting feature is the latest addition to the Core Services Layer, and its main purpose is to simplify memory management in Objective-C.
Core OS Layer
The Core OS layer is the most important of all the layers since it provides the most features for applications. It provides most of the frameworks that applications need to function correctly.
Device Firmware Upgrade
Unlike the normal booting process, forensic investigators use Device Firmware Upgrade (DFU) mode to gain a lower level of access to the device. Using this mode, the investigator can alter the boot sequence and perform a forensic examination of the device.
What two modes does an iPhone operate in?
Normal and DFU
What is the difference between normal and DFU mode?
iBoot is not booted during the DFU mode boot sequence
Mobile Forensics Process
- Collect and Preserve the Evidence
- Document the Scene
- Imaging and Profiling
- Acquire and analyze information
- Generate a Report
Subscriber Identity Module (SIM)
A Subscriber Identity Module (SIM) can store sensitive data such as the user's contacts, messages, and the time stamps associated with them. It also contains technical information such as the Integrated Circuit Card Identifier (ICCID), International Mobile Subscriber Identity (IMSI), last dialed numbers (LDNs), service provider name (SPN), etc., which help a forensic investigator during cell phone data acquisition.
Different Cellular Networks
Code Division Multiple Access (CDMA)
Enhanced Data Rates for GSM Evolution (EDGE)
Integrated Digital Enhanced Network (iDEN)
General Packet Radio Service (GPRS)
Global System for Mobile Communications (GSM)
High-Speed Downlink Packet Access (HSDPA)
Time Division Multiple Access (TDMA)
Universal Mobile Telecommunications System (UMTS)
Unlicensed Mobile Access (UMA)
Call Detail Record (CDR)
A Call Detail Record (CDR) contains information about user activities with the mobile phone. The service providers record and store this information in their databases. The call data record contains several categories of information:
- Called telephone number or numbers
- Names and addresses of the subscribers or registered users
- Date and time of the start and end of the communication
- Telephone service used, e.g. voice, conference call, Short Message Service (SMS), Multimedia Service (MMS)
- International Mobile Subscriber Identity (IMSI) of the calling and called party
- International Mobile Equipment Identity (IMEI) of the calling and called party
- Location label (Cell ID) at the start and end of the communication
- Data mapping between Cell IDs and their geographical location at the start and end of the communication
Subscriber Identity Module (SIM) Main Function
Authenticating the user of the cell phone to the network to gain access to subscribed services.
SIM File System
Stored in EPROM, consisting of three components:
- Master File
- Dedicated File
- Elementary File
Master File (MF)
The root of the file system; it contains one or more DFs and may contain one or more EFs. The 2-byte file identifier 3F00 identifies the master file and is completely reserved for the MF.
Dedicated File (DF)
Contains only the header, which holds information related to the file structure and security information. As with the MF, a 2-byte identifier identifies the dedicated file.
Elementary Files (EF)
Contains both the header and body, which hold actual data in different forms, including the transparent, linear fixed, and cyclic forms. Contains the unique serial number of the individual SIM card. It also contains various types of data as a sequence of data bytes, a sequence of fixed-size records, or as fixed-size records.
Depending on the structure of the body, four types of EF are available in a SIM card’s file system:
Transparent EF, Linear-fixed EF, Linear-variable EF, and Cyclic EF.
How do I acquire data from a SIM Card?
- To access the SIM, a PIN code (Personal Identification Number) is required
- Failure to enter a valid PIN in three attempts blocks the card, and then an eight-digit PUK (Personal Unlock Number) must be entered
- The PUK is provided by the network operator and cannot be changed by the user
- Failure to enter the correct PUK in 10 attempts disables the SIM permanently
- The investigator should ask the network operator for the PUK to gain access to the SIM
Integrated Circuit Card Identification (ICC ID)
- The ICCID of the (U)SIM can be up to 20 digits long
- It consists of an industry identifier prefix (89 for telecommunications), followed by a country code, an issuer identifier number, and an individual account identification number
- This code helps to identify the country and the network operator's name
- If the ICCID does not exist on the SIM, obtain it by using a (U)SIM acquisition tool such as ForensicSIM Toolkit
International mobile subscriber identity (IMSI):
It is a 15-digit subscriber identification number that helps the investigator in tracing the lost mobile device. It defines a subscriber in the wireless world, including the country and mobile network to which the subscriber belongs.
Service provider name (SPN):
It signifies the SIM card's service provider (for example, Idea, Airtel, etc.). Investigators must pay close attention to the authenticity and verifiability of the service provider's records.
Mobile country code (MCC):
The MCC is a 2- to 3-digit identification number printed on the SIM that represents the country code of a SIM user internationally on a GSM network. It is used along with the mobile network code (MNC) to identify a mobile phone operator.
Mobile network code (MNC):
The MNC is a two-digit network identification number used along with the MCC printed on the SIM. It is used to identify the SIM user on a mobile phone network.
Mobile subscriber identification number (MSIN):
It is a 10-digit number, also called the MIN (mobile identification number), that helps identify the mobile phone subscriber within a mobile carrier's network.
Mobile international subscriber directory number (MSISDN):
It is a number used for the international identification of mobile phone numbers; it contains the country code and the national destination code. This number has up to 15 digits after the exclusion of prefixes.
International Mobile Equipment Identifier (IMEI)
- IMEI is a 15-digit number that indicates the manufacturer, model type, and country of approval for GSM devices
- First eight digits, known as the Type Allocation Code (TAC), give the model and origin
- For powered-on GSM and UMTS phones, the International Mobile Equipment Identifier (IMEI) can be obtained by keying in *#06#
Electronic Serial Number (ESN)
- ESN is a unique 32-bit identifier recorded on a secure chip in a mobile phone by the manufacturer
- First 8-14 bits identify the manufacturer and the remaining bits identify the assigned serial number
File Carving
File carving is a method of recovering deleted files from the device's memory. It is an important technique in the forensic investigation process because it recovers files from the file structure when files are corrupted or deleted.