Mobile Phone Forensics Michael Jones Overview • • • • • Mobile phones in crime The mobile phone system Components of a mobile phone The challenge of forensics So many handsets, so little time… Michael Jones Mobile Phone Forensics Mobile Phones in Crime • Direct: the phone as an instrument of crime – Terrorism – Cyber bullying • Indirect: the phone as an accessory – Contacts – Phone calls and messaging • General – The phone is a ‘must have 24/7’ device Michael Jones Mobile Phone Forensics Data Recovered from a Mobile Phone • Same questions as for all investigations • Is the data valid? – Is it an accurate reflection of events? – Is it complete? • Is the data reliable? – Are the measurements accurate? – Could they have been tampered with? Michael Jones Mobile Phone Forensics The Mobile Phone System • First mobile telephone system was developed and inaugurated in the U.S in 1945 in St Louis, Missouri – Bell Laboratories were responsible for most developments • The system (still, today) uses a number of hexagonal ‘cells’ that handle connections with mobile devices • Cells use different frequencies • Communication is full duplex Michael Jones Mobile Phone Forensics Mobile Phone Generations • 1G – Analogue • 2G (includes 2.5, 2.75) – Digital, mostly GSM, circuit switched • 3G – High speed IP data networks and mobile broadband), packet switched • 4G – All IP networks Use of Internet, LAN, etc Michael Jones Mobile Phone Forensics Cell Phone Channels • Carriers are allocated a number of channels per city/geographical area – One channel = form of communication • There is therefore a capacity on each cell – Each phone call needs channels for full duplex – And some channels are reserved for control communications Michael Jones Mobile Phone Forensics Making a call • The caller’s phone sends a request to the nearest cell – The cell controlling the callee is then located – The request is then sent to that phone • And the phone rings • When a person moves – There is a handover to the nearest cell • Many issues with this Michael Jones Mobile Phone Forensics Components of a Mobile Phone • IMEI number – International Mobile Equipment Identity – Unique at the point of manufacture • SIM card – Subscriber Identity/Identification Module – Includes: • • • • • service-subscriber key (IMSI) security authentication and ciphering information temporary information related to the local network a list of the services the user has access to two passwords (PIN for usual use and PUK for unlocking) – Uses Public Key Infrastructure (PKI) Michael Jones Mobile Phone Forensics Mobile Phone Forensics • Capture – Should the phone be turned off? – What about fingerprints? • Investigation – Where is the data? • SIM card • Phone memory – How to access the data? Michael Jones Mobile Phone Forensics 10 Accessing the Data • Types of access – Physical and logical • Logical – Most phones use a proprietary storage format • This may be becoming less common • This complicates investigation of physical acquisition – The meaning of what is stored is often not clear • Many manufacturers include their own ‘features’ Michael Jones Mobile Phone Forensics 11 A Forensic Investigation • Need to use a forensic investigation ‘kit’ • This reads the data in a forensically sound manner – Read only, write blocking • The kit needs to have – All the relevant connectors and battery connections – Up-to-date software to locate and read the data Michael Jones Mobile Phone Forensics 12 Communications • SIM card reader • WiFi • Bluetooth Michael Jones Mobile Phone Forensics 13 What Data is Included? • Logs – Calls, missed calls, SMS messages • Contacts – Including ‘speed dial’ numbers • Locations – If GPS enabled Michael Jones Mobile Phone Forensics 14 Issues • Multiple phones – Have you captured all relevant phones? • Pay-as-you-go – Unregistered phones • Multiplicity of phones – Thousands of models available – Most with proprietary OS and filing systems • Time and cost • Storage – Faraday bag Michael Jones Mobile Phone Forensics 15 Summary • Mobile phones are a valuable source of data – Location(s) – Activities • Most people own at least one – And phones are (generally) reliably unique • Criminals are aware of the capabilities of mobile forensics Michael Jones Mobile Phone Forensics 16 [...]... Jones Mobile Phone Forensics 12 Communications • SIM card reader • WiFi • Bluetooth Michael Jones Mobile Phone Forensics 13 What Data is Included? • Logs – Calls, missed calls, SMS messages • Contacts – Including ‘speed dial’ numbers • Locations – If GPS enabled Michael Jones Mobile Phone Forensics 14 Issues • Multiple phones – Have you captured all relevant phones? • Pay-as-you-go – Unregistered phones... of phones – Thousands of models available – Most with proprietary OS and filing systems • Time and cost • Storage – Faraday bag Michael Jones Mobile Phone Forensics 15 Summary • Mobile phones are a valuable source of data – Location(s) – Activities • Most people own at least one – And phones are (generally) reliably unique • Criminals are aware of the capabilities of mobile forensics Michael Jones Mobile. ..Accessing the Data • Types of access – Physical and logical • Logical – Most phones use a proprietary storage format • This may be becoming less common • This complicates investigation of physical acquisition – The meaning of what is stored is often not clear • Many manufacturers include their own ‘features’ Michael Jones Mobile Phone Forensics 11 A Forensic Investigation • Need to use a forensic investigation... source of data – Location(s) – Activities • Most people own at least one – And phones are (generally) reliably unique • Criminals are aware of the capabilities of mobile forensics Michael Jones Mobile Phone Forensics 16 ... • • • Mobile phones in crime The mobile phone system Components of a mobile phone The challenge of forensics So many handsets, so little time… Michael Jones Mobile Phone Forensics Mobile Phones... Michael Jones Mobile Phone Forensics Mobile Phone Forensics • Capture – Should the phone be turned off? – What about fingerprints? • Investigation – Where is the data? • SIM card • Phone memory... to that phone • And the phone rings • When a person moves – There is a handover to the nearest cell • Many issues with this Michael Jones Mobile Phone Forensics Components of a Mobile Phone •