Report Mobile Phone Forensics Computer Science Essay


This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

In modern times the mobile phone has become a technologically advanced tool, offering a whole host of features above and beyond simple communication. Almost every mobile phone now features some sort of camera, which is capable of taking still photographs or capturing video. Additionally, the phone may be equipped with a voice recorder, allowing the phone user to record sounds and voices. In some cases these mobile phone features will be used inappropriately. The form this inappropriate use can take is wide ranging, from stealing corporate data through to capturing pornographic images or video of children. If you are faced with civil or criminal proceedings and need to prove or disprove the inappropriate use of a mobile phone, you will need to employ the services of a mobile phone forensics firm. Using specialist tools, a trained mobile phone forensics analyst will be able to interrogate the contents of the mobile phone and check the way in which it has been used.

Mobile phones are consistently used during many forms of criminal activity, and by performing mobile phone forensics on the cellular network usage of a particular mobile phone it is possible to trace where and when calls were made. This is particularly useful in stalking-type cases, where a mobile phone has been used to harass another individual. A mobile phone forensics firm will be able to trace and quantify phone use within the cellular network.

Understanding Mobile Device Forensics

People store a wealth of information on cell phones

People don't think about securing their cell phones

Items stored on cell phones:

Incoming, outgoing, and missed calls

Text and Short Message Service (SMS) messages


Instant-messaging (IM) logs

Web pages


Personal calendars

Address books

Music files

Voice recordings

Investigating cell phones and mobile devices is one of the most challenging tasks in digital forensics

Mobile Phone Basics

Mobile phone technology has advanced rapidly

Three generations of mobile phones:


Digital personal communications service (PCS)

Third-generation (3G)

3G offers increased bandwidth

Several digital networks are used in the mobile phone industry

Main components used for communication:

Base transceiver station (BTS)

Base station controller (BSC)

Mobile switching center (MSC)

Inside Mobile Devices

Mobile devices can range from simple phones to small computers

Also called smart phones

Hardware components

Microprocessor, ROM, RAM, a digital signal processor, a radio module, a microphone and speaker, hardware interfaces, and an LCD display

Most basic phones have a proprietary OS, although smart phones use the same OSs as PCs

Phones store system data in electrically erasable programmable read-only memory (EEPROM)

Enables service providers to reprogram phones without having to physically access memory chips

OS is stored in ROM

Nonvolatile memory

Subscriber identity module (SIM) cards

Found most commonly in GSM devices

Microprocessor and from 16 KB to 4 MB EEPROM

GSM refers to mobile phones as "mobile stations" and divides a station into two parts:

The SIM card and the mobile equipment (ME)

SIM cards come in two sizes

Portability of information makes SIM cards versatile


Additional SIM card purposes:

Identifies the subscriber to the network

Stores personal information

Stores address books and messages

Stores service-related information

Inside PDAs

Personal digital assistants (PDAs)

Can be separate devices from mobile phones

Most users carry them instead of a laptop

PDAs house a microprocessor, flash ROM, RAM, and various hardware components

The amount of information on a PDA varies depending on the model

Usually, you can retrieve a user's calendar, address book, Web access, and other items

Peripheral memory cards are used with PDAs

Compact Flash (CF)

MultiMedia Card (MMC)

Secure Digital (SD)

Most PDAs synchronize with a computer

Built-in slots for that purpose

Understanding Acquisition Procedures for Cell Phones and Mobile Devices

The main concerns with mobile devices are loss of power and synchronization with PCs

All mobile devices have volatile memory

Making sure they don't lose power before you can retrieve RAM data is critical

A mobile device attached to a PC via a cable or cradle/docking station should be disconnected from the PC immediately

Depending on the warrant or subpoena, the time of seizure might be relevant

Messages might be received on the mobile device after seizure

Isolate the device from incoming signals with one of the following options:

Place the device in a paint can

Use the Paraben Wireless StrongHold Bag

Use eight layers of antistatic bags to block the signal

The drawback to using these isolating options is that the mobile device is put into roaming mode

Which accelerates battery drainage

Check these areas in the forensics lab:

Internal memory

SIM card

Removable or external memory cards

System server

Checking system servers requires a search warrant or subpoena

SIM card file system is a hierarchical structure

Information that can be retrieved:

Service-related data, such as identifiers for the SIM card and the subscriber

Call data, such as numbers dialed

Message information

Location information

If power has been lost, PINs or other access codes might be required to view files

Acquisition Stage

There are two methods to begin the acquisition of data from the PDA device. The acquisition can be enacted through the toolbar using the Acquire icon or through the Tools menu and selecting Acquire Image. Either option starts the acquisition process. With the acquisition process, both files and memory images can be acquired. By default, the tool marks both types of data to be acquired. Once the acquisition process is selected, the acquisition wizard illustrated below in Figure 4 appears to guide the examiner through the process.

Figure 5 below contains an example screen shot of PDA Seizure during the acquisition of a Pocket PC (PPC) device, displaying the various fields provided by the interface.

Figure 5: Acquisition Screen Shot (PPC)

After PPC acquisition, PDA Seizure reports the following for each individual file: File Path, File Name, File Type, Creation and Modification Dates, File Attributes, File Size, Status, and an MD5 File Hash. Validation of file hashes taken before and after acquisition can be used to determine whether files have been modified during the acquisition stage.
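The before-and-after hash validation described above, as an added example that is not part of the original essay or of PDA Seizure. It hashes a constructed evidence folder before and after a simulated acquisition and reports which files changed; the file names and the `hash_tree` and `compare_manifests` helpers are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

def hash_tree(root: str, algo: str = "md5") -> dict:
    """Map each file path (relative to root) to its hex digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digest = hashlib.new(algo)
            with open(full, "rb") as fh:
                # Stream in chunks so large memory images do not fill RAM.
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[os.path.relpath(full, root)] = digest.hexdigest()
    return manifest

def compare_manifests(before: dict, after: dict) -> dict:
    """Classify differences between two manifests of the same evidence set."""
    return {
        "modified": sorted(p for p in before if p in after and before[p] != after[p]),
        "missing": sorted(p for p in before if p not in after),
        "added": sorted(p for p in after if p not in before),
    }

def write(root: str, name: str, data: bytes) -> None:
    with open(os.path.join(root, name), "wb") as fh:
        fh.write(data)

def demo() -> dict:
    """Constructed sample: two files hashed, then one altered and one created."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "contacts.db", b"Doe, John;555-0100")
        write(root, "notes.txt", b"meeting at noon")
        before = hash_tree(root)
        # Simulated side effects of an acquisition that touched the evidence.
        write(root, "notes.txt", b"meeting at noon\x00")
        write(root, "sync.log", b"session opened")
        after = hash_tree(root)
        return compare_manifests(before, after)

if __name__ == "__main__":
    for category, paths in demo().items():
        print(category, paths)
```

Passing `algo="sha256"` produces a second manifest with a stronger digest alongside the MD5 values the report lists.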

During the acquisition process, CESeizure.dll is executed to acquire unallocated memory regions. The examiner is prompted with check boxes to select one or all of the following before acquiring information on the PPC device: Acquire Files, Acquire Databases, Acquire Registry, and/or Acquire Memory. Each file acquired can be viewed in either text or hex mode, allowing examiners to inspect the contents of all files present. In order to view the files, examiners must use one of the following options: export the file; launch a Windows application based upon the file extension (Run File's Application); or, for Palm devices, view the file through the POSE.

Search Functionality

PDA Seizure's search facility allows examiners to query files for content. The search function searches the content of files and reports all instances of a given string found. The screenshot shown below in Figure 6 illustrates an example of the results produced for the string "Bioswipe.cpl". Wildcard characters, such as an asterisk, do not appear to be supported, nor do facilities for examining a subset of the files by directory, file type, or file name.

Figure 6: File Content String Search (PPC)

Additionally, the search window provides an output of memory related to the string search provided by the examiner. This allows examiners to scroll through sections of memory and bookmark valuable information for reporting to be used in judicial, disciplinary, or other proceedings. Figure 7 illustrates an excerpt of a string search done on the name "Doe" and the contents shown from the memory window.

The graphics library enables examiners to examine the collection of graphics files present on the device, identified by file extension. Deleted graphics files do not appear in the library. A significant improvement to the graphics library would be to identify and include graphics files based upon file signature (i.e., known file header and footer values) versus file extension. Manually performing file signature identification is very time consuming and may cause key data to be omitted. If deleted graphics files exist, they must be identified via the memory window by performing a string search to identify file remnants. However, recovery of the entire image is difficult, since its contents may be compressed by the filesystem or may not reside in contiguous memory locations, and some parts may be unrecoverable. It also requires knowledge of associated data structures to piece the parts together successfully. Figure 8 shows a screen shot of images acquired from a Pocket PC 2002 device.
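Identification by file signature rather than extension, as an added example that is not part of the original essay or of any tool it describes. It scans a constructed memory image for known header and footer values and separates complete images from header-only remnants, which is the case the paragraph above says needs manual reassembly; the `find_graphics` and `carve` helpers and the sample bytes are assumptions made for illustration.

```python
from typing import NamedTuple, Optional

# Well-known header and footer signatures for common graphics formats.
SIGNATURES = [
    ("jpeg", b"\xff\xd8\xff", b"\xff\xd9"),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
    ("gif", b"GIF87a", b"\x00\x3b"),
    ("gif", b"GIF89a", b"\x00\x3b"),
]

class Hit(NamedTuple):
    kind: str
    offset: int             # position of the header in the image
    length: Optional[int]   # header through footer; None if no footer found

def find_graphics(image: bytes, max_size: int = 5_000_000) -> list:
    """Locate graphics by signature, regardless of file name or extension."""
    hits = []
    for kind, header, footer in SIGNATURES:
        start = image.find(header)
        while start != -1:
            # Take the first footer within a plausible file size; a full
            # carver would also validate the structure between the two.
            end = image.find(footer, start + len(header), start + max_size)
            length = end + len(footer) - start if end != -1 else None
            hits.append(Hit(kind, start, length))
            start = image.find(header, start + 1)
    return sorted(hits, key=lambda h: h.offset)

def carve(image: bytes, hit: Hit) -> Optional[bytes]:
    """Return the bytes of a complete hit; fragments are left for manual work."""
    if hit.length is None:
        return None
    return image[hit.offset:hit.offset + hit.length]

def build_sample() -> bytes:
    """Constructed memory image: one whole JPEG, one PNG header with no footer."""
    jpeg = b"\xff\xd8\xff\xe0" + b"J" * 20 + b"\xff\xd9"
    png_fragment = b"\x89PNG\r\n\x1a\n" + b"P" * 12
    return b"\x00" * 16 + jpeg + b"\x11" * 8 + png_fragment

if __name__ == "__main__":
    sample = build_sample()
    for hit in find_graphics(sample):
        state = "complete" if hit.length is not None else "header only (fragment)"
        print(f"{hit.kind} at offset {hit.offset}: {state}")
```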

Report Generation

Reporting is an essential task for examiners. PDA Seizure provides a user interface for report generation that allows examiners to enter and organize case-specific information. Each case contains an identification number and other information specific to the investigation for reporting purposes, as illustrated in Figure 12 below.

Once the report has been generated, it produces a .html file for the examiner, including files that were book-marked, total files acquired, acquisition time, device information, etc. If files were modified during the acquisition stage, the report identifies them.

Password Cracking

PDA Seizure has the ability to crack passwords for the Palm OS prior to version 4.0. Due to a weak, reversible password-encoding scheme, it is possible to obtain an encoded form of the password, determine the actual password, and access a user's private data. Password cracking for Windows CE is not supported. Screenshots illustrated below outline the process of obtaining the password of a locked device. The first step is to select Decode Password.

Once the examiner has selected Decode Password, the next step is to put the device into console mode. After the device is in console mode, the password shows up on the screen as illustrated below in Figure 14, allowing examiners the ability to unlock the device and begin normal acquisition of information.

Figure 14: Password Crack Step 2 (Palm OS)

Mobile Forensics Equipment

Mobile forensics is a new science

Biggest challenge is dealing with constantly changing models of cell phones

When you're acquiring evidence, generally you're performing two tasks:

Acting as though you're a PC synchronizing with the device (to download data)

Reading the SIM card

First step is to identify the mobile device

Make sure you have installed the mobile device software on your forensic workstation

Attach the phone to its power supply and connect the correct cables

After you've connected the device

Start the forensics program and begin downloading the available information

SIM card readers

A combination hardware/software device used to access the SIM card

You need to be in a forensics lab equipped with appropriate antistatic devices

General procedure is as follows:

Remove the back panel of the device

Remove the battery

Under the battery, remove the SIM card from holder

Insert the SIM card into the card reader

A variety of SIM card readers are on the market

Some are forensically sound and some are not

Documenting messages that haven't been read yet is critical

Use a tool that takes pictures of each screen

Mobile forensics tools

Paraben Software Device Seizure Toolbox




Software tools differ in the items they display and the level of detail


Other Forensic Software

Pocket PC forensic software enables the user to identify complete details of a PDA, handheld device, smart phone, or other branded Windows Mobile device, including Samsung, Asus and Motorola models. The application displays registry information, operating system type, version, product manufacturer's name, IMSI number, IMEI number, battery status, database records, and other saved file and folder information on the screen of a laptop or desktop computer.