Types of Mobile Device Examinations Flashcards
What are the three different types of mobile device examination?
- Logical
- File System
- Physical
A combination of these types may be required depending of factors such as:
-What we are looking for
-Type & condition of device (low end devices may not have a logical data interface, or a device may have damaged interface port or screen)
-Operating system type (limitations may prevent extraction of some data)
-Tools available to the examiner
What is a LOGICAL Examination?
- Retrives manually accessible data
- Extraction software asks the system what data is available.
- Typically uses the device’s Application Programming Interface (API)
- Typically only the LIVE data on a device will be provided.
- Result is device dependent. Some handsets may not provide data e.g. will not provide deleted data on low end devices, some high end devices may provide limited deleted data.
- Encrypted and unencrypted back-up aquisitions may be completed to retrieve data
- A SIM / UICC can be examined separetely and may provide limted deleted data
Give an example of some data that may be obtained in a LOGICAL examination
- Calls
- Contacts
- SMS
- Apps
- Location data
- Photographs
- Video
- Audio
*** depends on a number of factors such as type of device, operating system, user operation of the device & capability of the forensic tool.
What is a FILE SYSTEM examination?
- Uses device & operating system specific communication protocols.
- Similar to a logical extraction but allows a copy of the file system to be obtained.
- Achieved by using forensic aquisition tools to decode some files systems. Some other tools can be used to extract the file system contents which can then be loaded into a forensic tool to decode.
- Not all data may be decoded
- Some additional non visible data may be retrieved (such as blue tooth pairing mac addresses).
- Requires a physical cable connection to the mobile device
- This connection can be through the conventional data port or an alternative data connection like an engineering port on the PCB.
- The implemention of file based encryption means additional tools may be required such as Magnet Grey Key, XRY Pro, Cellbrite Premium, or even hardware exploits may be required.
Give an example of some data that may be obtained in a FILE SYSTEM examination
- Calls
- Contacts
- SMS
- Chat (in logical this was apps not chat)
- Location data
- Photographs
- Video
- Audio
(all above are same as logical aquisition) plus the below can be obtained with FS aquisition
- Database artifacts
- Bluetooth pairings
- Security codes
- last or previously inserted SIM details
May require a number of tools to decode such as hex editors and other tools.
*** depends on a number of factors such as type of device, operating system, user operation of the device & capability of the forensic tool.
What is a PHYSICAL Examination
- Allows the potential retrieveal of hidden, deleted or corrupt data by extraction at a lower level (system level) of the device. Bypasses the device operating system and accesses the device’s raw storage
- involves either a cable connection & specialist software (e.g. JTAG, ISP In Service Programming or flasher tools)
- or removing memory chips from a circuit board & ‘dumping’ the contents - a ‘chip off’
- or some tools use specialist boot loaders that forcce the device into a special mode
Data is supplied in raw form. requires de-coding.
- Interpretation requires time & specialist knowledge. May require tools or manual carving.Not appropriate for every case.
- Provides a lot of data including deleted handset info.
Give an example of some data that may be obtained in a PHYSICAL examination
- IMEI number
- IMSI (from last card)
- ICC-ID (from last card)
- Contacts
- Call logs
- Calender
- Memos
-SMS
-MMS
-email - Photos
- Video
-audio
-Apps - Files
- Geodata
- Wifi
- Accounts
-Metadata - Various other possibilities as technology changes.
*** depends on a number of factors such as type of device, user operation / configuration of the device & capability of the forensic tool.
