Why mobile devices
• Mobile forensics dominates the digital forensics landscape
• Some numbers:
– In America we have more than 317 million people and more than 327 million mobile devices. That means 103.1 devices per 100 people.
– 64 percent of American adults own a Smartphone
Cellular technology
• How does the concept of cellular communication differ from earlier devices, such as CBs, radio telephones, etc?
• Simplex vs. half-duplex vs. duplex
Cellular concept
• In the late 1950s, engineers at Bell Labs developed a new theory – the cellular system
• Towers at the corners, transmitting in three directions, forming hexagonal cells
• Technology did not exist at that time to support the theory
Cellular concept
• Three-sided towers, each side covering 120 degrees, to combine to cover a 360 degree circle
Cellular concept
• These cells work together to provide more complete coverage
• Much smaller range = less power needed by device = smaller battery = smaller device
• Frequency re-use
Cellular concept
• As a mobile device reaches the limit of one tower’s range, and that tower’s signal weakens, the device is “handed off” to the next tower, as that tower’s signal grows stronger
• No need for action from user
Cellular concept
• Keep in mind, this is a “concept”
• The reality can sometimes look very different
Cellular reality
• Sectors are often greater or less than 120 degrees
• Coverage may be affected by
• Population
• Geography/Foliage
• Date/Time
• Etc.
Cellular networks
• The main control point of a large group of cell towers in one area is the Mobile Telephone Switching Office (“switch”)
• May control thousands of individual cell sites
MTSO
• When a cellular device is turned on, it locates a tower and identifies itself to its carrier
• The device transmits certain data to the network to authenticate itself to the network
MTSO
• The device’s location is maintained by the MTSO, so that it knows where to find the device should someone wish to communicate with it
• The MTSO connects to the Public Switched Telephone Network and transfers calls to that network, to be relayed to the device being called
1G
• First Generation
• Analog technology
• Introduced in the 1980s and eventually replaced by 2G technology
Cell Phone Technology
• 1971 – AT&T submits proposal to FCC for advanced cellular service
• Finally approved in 1982.
• Meanwhile, elsewhere…
1G
• First commercially automated network in 1G was NTT, in Japan, in 1979
• Followed in 1981 by the Nordic Mobile Telephone (NMT)
1G
• Finally, in 1983, AMPS comes to America.
• First network was in Chicago (Ameritech), followed by Washington DC.
Analog vs. Digital
• Analog – electronic transmissions accomplished by varying wavelength, frequency or amplitude
• Digital – refers to transmissions with data being sent as a “positive” or a “non-positive” (1 or 0)
2G
• Benefits of digital
– Compression
– Decreased radio power from handsets
– Reduces fraud
– Enhanced security
– Less interference
– Better penetration through buildings
2G
• Several different 2G technologies emerged, using different digital protocols
– GSM
– CDMA
– TDMA
– iDEN
3G
• First commercial 3G network (GSM) – NTT in Japan, 2001
• First commercial 3G CDMA network – USA (Monet) and South Korea, 2002
• Second 3G network in USA – Verizon Wireless, July 2002.
3G
• Now, with increased transmission speeds, we begin to see mobile broadband modems
– PCMCIA, USB
– Wireless routers (MiFi)
3G
• Devices begin to appear with embedded 3G data capability
– Netbooks
– Kindle, Nook, iPad, tablets
3G
• 3G also makes possible the introduction of the “smart phone”.
– Apple
– Android
– Blackberry
– …and many others
3G
• 3G was slow to spread
– Some 2G networks were not compatible with the 3G technologies, so all equipment had to be replaced
– By 2007, only 9% of worldwide subscribers were using 3G
4G
• Main difference between 3G and 4G is (theoretically) the elimination of circuit switching, resulting in an all IP-based network.
4G
• International Telecommunications Union – sets the standards for 4G
– All packet switched
– Transmission speeds of 1 Gbps for stationary units, 100 Mbps for moving units
4G
• IPv4:
– 32 bit
– Identified as numbers such as: 209.13.42.145
– Divided by periods
– 4.3 billion IP addresses available
4G
• IPv6:
– 128 bit
– Identified as letters and numbers such as 2001:db8:85a3::8a2e:370:7334
– Divided by colons
– 340 undecillion, or 340 trillion trillion trillion, IP addresses available
4G
• Current technologies do not meet 4G standards
• However, the ITU has stated that current technologies like LTE and WiMax, although they do not meet standards, could be called 4G, because they represent "a substantial level of improvement in performance and capabilities with respect to the initial third generation systems now deployed.”
5G
• 5G – Fifth Generation of Wireless
• Expected to be in place by 2020
• 1GB speed
• Very efficient
• Able to support large amounts of connections
CDMA vs. GSM
• CDMA – Code Division Multiple Access
• GSM – Global System for Mobile Communication (originally Groupe Spécial Mobile)
CDMA vs. GSM
• CDMA – most popular technology in the United States
• GSM – most popular technology in the world
ICCID
• Integrated Circuit Card ID (ICCID) – a 19 to 20 digit serial number for a SIM card used to securely store the IMSI number for a subscriber.
• The ICCID is also called the SIM Serial Number.
• It is stamped on the SIM card.
SIM cards
• New 4G phones from both GSM and CDMA providers will contain a SIM card
• Some older CDMA phones may contain a SIM card to make them “Global” or “World” phones
CDMA Identifiers
• Electronic Serial Number (ESN) - The unique identification number embedded in a wireless phone by the manufacturer. Each time a call is placed, the ESN is automatically transmitted to the base station so the wireless carrier's mobile switching office can check the call's validity. MINs and ESNs can be electronically checked to help prevent fraud.
• Mobile Equipment Identifier (MEID) – a globally unique 56-bit identification number for a physical piece of CDMA equipment. MEIDs replaced ESNs after the original ESN scheme was depleted in 2008.
ESN / MEID
• Many times you will still see providers use the term ESN even though the number will actually be the MEID.
• These numbers specifically identify the device
GSM Identifiers
• International Mobile Equipment Identifier (IMEI) – A unique 15-digit number that serves as the serial number of the GSM handset. The IMEI appears on the label located on the back of the phone, and uniquely identifies that device
GSM Identifiers
• International Mobile Subscriber Identifier (IMSI) – A unique 15-digit number which designates the subscriber. It is stored on the SIM card, and identifies the account holder.
IMSI
• The first 3 digits identify the country code; for example, the US is code 310.
• The next 3 digits identify the carrier code; for example, AT&T is code 410 and T-Mobile is code 026.
• Therefore an AT&T IMSI will begin with 310410
Other important identifiers
• Mobile Identification Number (MIN) – Unique identifier that can be used to identify a cellular phone by the network. The MIN and ESN are both transmitted to the network to assist with authentication.
• Mobile Directory Number (MDN) – The actual number a person would dial to reach a specific phone. (This is your phone number)
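An added example (not from the slides) that sanity-checks the identifiers described on the ICCID, IMEI and IMSI slides before they go into a report or a provider request: it assumes the last digit of an IMEI and of an ICCID is a Luhn mod-10 check digit, and that the IMSI uses a 3-digit carrier code as the slides describe for US carriers (many countries use 2 digits); all sample values are constructed.

```python
# Added example, not from the slides.  Assumptions: IMEI and ICCID end in a
# Luhn (mod 10) check digit; the IMSI MNC is 3 digits as the slides describe
# for US carriers (other countries use 2).  Sample values are constructed.

def luhn_valid(digits: str) -> bool:
    """True if a decimal string passes the Luhn mod-10 check."""
    if not digits.isdigit():
        return False
    total = 0
    for pos, ch in enumerate(reversed(digits)):   # pos 0 = check digit
        d = int(ch)
        if pos % 2 == 1:                            # double every 2nd digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def luhn_check_digit(payload: str) -> str:
    """Check digit that makes payload + digit Luhn-valid."""
    for c in "0123456789":
        if luhn_valid(payload + c):
            return c
    raise ValueError("payload must be decimal digits")

def validate_imei(imei: str) -> dict:
    """IMEI: 15 digits = 8-digit TAC + 6-digit serial + check digit."""
    ok = len(imei) == 15 and luhn_valid(imei)
    return {"valid": ok,
            "tac": imei[:8] if ok else None,
            "serial": imei[8:14] if ok else None}

def validate_iccid(iccid: str) -> bool:
    """ICCID: 19 or 20 digits, starts with 89 (telecom), Luhn check digit."""
    return len(iccid) in (19, 20) and iccid.startswith("89") and luhn_valid(iccid)

def decode_imsi(imsi: str, mnc_len: int = 3) -> dict:
    """IMSI: 15 digits = MCC (3) + MNC (2 or 3) + MSIN; no check digit."""
    if len(imsi) != 15 or not imsi.isdigit():
        raise ValueError("IMSI must be 15 decimal digits")
    return {"mcc": imsi[:3],
            "mnc": imsi[3:3 + mnc_len],
            "msin": imsi[3 + mnc_len:]}

if __name__ == "__main__":
    print(validate_imei("490154203237518"))       # constructed sample
    print(validate_iccid("8901410321111185109"))  # constructed sample
    print(decode_imsi("310410123456789"))         # AT&T prefix from the slides
```

A transposed or mistyped digit in an IMEI or ICCID fails the Luhn check, which catches most transcription errors before a records request is sent.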
iOS
• Apple’s Mobile Operating System.
– Simply called iPhone OS prior to June 2010.
– Based on Mac OS
– iPhone, iPad, iPod Touch.
– Currently up to 9.2+
– Forensically: DB, SQL and plists
Jailbreak
• Some people “jailbreak” iOS devices to allow for greater control and a larger amount of Apps.
• Allows “Root Access” of the device.
• Gives the user greater access to many apps that are not available through the App store.
Android
• Developed in 2003
• Acquired by Google in 2005.
– Forensically: DB, SQL and XML
– Uses the Linux kernel.
– Similar to iOS devices, many people want more control, and therefore “root” the device.
Android Flavors
• Cupcake (1.5)
• Donut (1.6)
• Éclair (2.0 – 2.1)
• Froyo (2.2)
• Gingerbread (2.3x)
• Honeycomb (3.1 – 3.2)
• Ice Cream Sandwich (4.0)
• Jelly Bean (4.1 – 4.3)
• KitKat (4.4)
• Lollipop (5.0 – 5.1)
• Marshmallow (6.0)
Blackberry
• Formerly Research in Motion, now Blackberry Limited
– Distributes Blackberry devices.
– Based in Waterloo Canada.
Blackberry
• Had many government and business contracts
• Strengths were security and handling of email
• Failed to keep up with trends
• Went from 43% market share in 2010 to 1.3% in 2015
• Blackberry 10
Windows
• Microsoft’s entry into the smartphone market.
– Windows 8 was designed to integrate mobile devices and PCs.
– Lumia series handsets
– Nokia handsets running Windows OS
Windows and Nokia
• On February 11, 2011 Nokia announced that it was migrating away from Symbian towards Windows.
• On September 2, 2013 it was announced that Microsoft was purchasing Nokia’s mobile division for 7.2 billion dollars.
Mobile device investigations in 2015
– Mobile forensics vs. traditional computer forensics
– The two aspects of investigating mobile devices
Application data
• What are applications?
• What do they allow us to do?
• What types of devices use them?
• What type of information do they retain?
There are a large number of applications which give us enhanced communication capabilities
Applications
Backup files
• Is a backup the same as a sync?
• What types of devices create backups?
• Where do backup files get stored?
• What types of data are in backup files?
If you do not have the phone
• Open the backup folder and locate the files named:
• Info.plist
• Manifest.plist
– How are we going to get our backup file from the subject computer?
• Just boot it up and copy it out?
– What are we going to use to examine our backup file?
• Again, great information, but it doesn’t do us any good if we don’t collect it, or if we don’t know how to examine it
Defeating passcodes
• Different solutions for different devices, and different version of the mobile operating systems
• Some carry inherent risks
Lockdown plist
• The Lockdown plist is created by an iOS device on a “Trusted” computer system. It is NOT part of the backup process, so a backup is NOT required.
Lockdown Plist
• To unlock the device using the lockdown plist, we copy it from the bad guy’s computer and import it into our forensic software.
Provider records
• Will include call detail records
• May include SMS and data usage, depending on the provider
• May include “historical handset location data”
Provider Records
• What can we get from the Wireless Services Provider?
• Call detail logs
• Originating cell site (Latitude and Longitude)
• Terminating cell site
• Cell site sector azimuth
• Direction of call (incoming or outgoing)
• Calling number
• Dialed number
• Call duration
• Data usage
• Location of cell towers
• Subscriber information (Name, address, etc)
• SMS information (Text or just sender and receiver?)
• ESN / MEID, MIN, MDN, IMEI, IMSI of target phone.
• Tower dump
• Definitions
• Reports of Lost / stolen phone
• Type of phone
• If prepaid, where purchased?
• Status
• Other phones on the same account
• Cell sites at the time of the incident (Not current)
• PCMD / RTT / Historical Handset Location (Maybe?)
• Contents of the Cloud
Historical handset location
• Available from several providers
• More precise location than cell site/sector
• Is it GPS?
Follow PATCtech!
• Updates & PATCtech Research
• Public Safety News
• Training Opportunities
PATCtech @PATCtech
Forensic Digital Evidence Investigators (LinkedIn Group)