Mobile Phone ForensicsMichael Jones... Mobile Phones in Crime• Direct: the phone as an instrument of crime – Terrorism – Cyber bullying • Indirect: the phone as an accessory – Contacts –
Trang 1Mobile Phone Forensics
Michael Jones
Trang 2• Mobile phones in crime
• The mobile phone system
• Components of a mobile phone
• The challenge of forensics
• So many handsets, so little time…
Trang 3Mobile Phones in Crime
• Direct: the phone as an instrument of crime
– Terrorism
– Cyber bullying
• Indirect: the phone as an accessory
– Contacts
– Phone calls and messaging
• General
– The phone is a ‘must have 24/7’ device
Trang 4Data Recovered from a Mobile Phone
• Same questions as for all investigations
• Is the data valid?
– Is it an accurate reflection of events?
– Is it complete?
• Is the data reliable?
– Are the measurements accurate?
– Could they have been tampered with?
Trang 5The Mobile Phone System
• First mobile telephone system was developed
and inaugurated in the U.S in 1945 in St Louis, Missouri.
– Bell Laboratories were responsible for most
developments
• The system (still, today) uses a number of
hexagonal ‘cells’ that handle connections with
mobile devices
• Cells use different frequencies
• Communication is full duplex
Trang 6Mobile Phone Generations
• 1G
– Analogue
• 2G (includes 2.5, 2.75)
– Digital, mostly GSM, circuit switched
• 3G
– High speed IP data networks and mobile
broadband), packet switched
• 4G
– All IP networks Use of Internet, LAN, etc
Trang 7Cell Phone Channels
• Carriers are allocated a number of channels per city/geographical area
– One channel = 1 form of communication
• There is therefore a capacity on each cell
– Each phone call needs 2 channels for full duplex – And some channels are reserved for control
communications
Trang 8Making a call
• The caller’s phone sends a request to the
nearest cell
– The cell controlling the callee is then located
– The request is then sent to that phone
• And the phone rings
• When a person moves
– There is a handover to the nearest cell
• Many issues with this
Trang 9Components of a Mobile Phone
• IMEI number
– International Mobile Equipment Identity
– Unique at the point of manufacture
• SIM card
– Subscriber Identity/Identification Module
– Includes:
• service-subscriber key (IMSI)
• security authentication and ciphering information
• temporary information related to the local network
• a list of the services the user has access to
• two passwords (PIN for usual use and PUK for unlocking)
– Uses Public Key Infrastructure (PKI)
Trang 10Mobile Phone Forensics
• Capture
– Should the phone be turned off?
– What about fingerprints?
• Investigation
– Where is the data?
• SIM card
• Phone memory
– How to access the data?
Trang 11Accessing the Data
• Types of access
– Physical and logical
• Logical
– Most phones use a proprietary storage format
• This may be becoming less common
• This complicates investigation of physical acquisition
– The meaning of what is stored is often not clear
• Many manufacturers include their own ‘features’
Trang 12A Forensic Investigation
• Need to use a forensic investigation ‘kit’
• This reads the data in a forensically sound
manner
– Read only, write blocking
• The kit needs to have
– All the relevant connectors and battery
connections
– Up-to-date software to locate and read the data
Trang 13• SIM card reader
• WiFi
• Bluetooth
Trang 14What Data is Included?
• Logs
– Calls, missed calls, SMS messages
• Contacts
– Including ‘speed dial’ numbers
• Locations
– If GPS enabled
Trang 15• Multiple phones
– Have you captured all relevant phones?
• Pay-as-you-go
– Unregistered phones
• Multiplicity of phones
– Thousands of models available
– Most with proprietary OS and filing systems
• Time and cost
• Storage
– Faraday bag
Trang 16• Mobile phones are a valuable source of data
– Location(s)
– Activities
• Most people own at least one
– And phones are (generally) reliably unique
• Criminals are aware of the capabilities of
mobile forensics