Class 3

Mobile Forensics

Mobile devices are widespread and heavily used in our day-to-day lives

Challenges in mobile forensics

  • Hardware differences

  • Mobile OSs

  • Anti-forensics

  • Outdated devices

  • Passcodes

NIST SP 800-101: four steps for mobile forensics

  • Preservation

  • Acquisition

  • Examination and analysis

  • Reporting

Cellular networks

  • Base Transceiver Station (BTS)

  • Mobile Switching Center (MSC)

Law enforcement can request cell-site records from a carrier for a particular cell phone user; these records indicate where the user was, based on data retrieved from the BTS

Carriers are required to keep logs for each cellular connection a cell phone makes

Retrieving Evidence from Smartphones

A SIM Card is unique for every phone and can identify a carrier and customer

Android

Android is open source. Android devices have two types of memory: RAM and NAND. RAM is volatile and may contain user passwords; NAND is nonvolatile flash memory. The most valuable data from an Android device is the SQLite database, which contains the entire cell phone file system
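The following is an added example, not code from the class notes: it walks an Android-style SQLite database through the NIST SP 800-101 phases (preserve the acquired file by hashing it, examine it read-only, report what was found). The database, its single `sms` table and its three rows are constructed inline so the script runs offline; that schema, the file name and the helper names are assumptions for the example, not a real app's layout.

```python
"""Added example (not part of the class notes): examining an Android-style
SQLite database through the NIST SP 800-101 phases. The database, its
table and its rows are constructed here so the script runs offline; the
schema (an 'sms' table) is an assumption, not any real app's."""
import hashlib
import os
import sqlite3
import tempfile
from datetime import datetime, timezone


def build_sample_db(path):
    """Constructed sample standing in for an acquired app database."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE sms (id INTEGER PRIMARY KEY, address TEXT, "
        "date INTEGER, body TEXT)"
    )
    # date is stored as epoch milliseconds; rows are deliberately out of time order
    conn.executemany("INSERT INTO sms VALUES (?, ?, ?, ?)", [
        (1, "+15550100", 1700000720000, "ok"),
        (2, "+15550101", 1700000360000, "running late"),
        (3, "+15550100", 1700000000000, "meet at 9"),
    ])
    conn.commit()
    conn.close()


def sha256_file(path):
    """Preservation: hash the acquired file so any later change is detectable."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def examine_db(path):
    """Examination: open read-only, list tables and row counts, pull messages in time order."""
    # mode=ro keeps the examiner from writing to the evidence copy by accident
    conn = sqlite3.connect("file:" + path + "?mode=ro", uri=True)
    try:
        tables = [r[0] for r in conn.execute(
            "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
        counts = {t: conn.execute('SELECT COUNT(*) FROM "%s"' % t).fetchone()[0]
                  for t in tables}
        messages = []
        if "sms" in tables:
            for mid, addr, ms, body in conn.execute(
                    "SELECT id, address, date, body FROM sms ORDER BY date"):
                ts = datetime.fromtimestamp(ms / 1000, tz=timezone.utc)
                messages.append({"id": mid, "address": addr,
                                 "time": ts.isoformat(), "body": body})
    finally:
        conn.close()
    return tables, counts, messages


def run_case(path):
    """Reporting: ties the phases together and returns a report dict."""
    hash_before = sha256_file(path)
    tables, counts, messages = examine_db(path)
    hash_after = sha256_file(path)
    return {
        "sha256": hash_before,
        "integrity_ok": hash_before == hash_after,
        "tables": tables,
        "row_counts": counts,
        "messages": messages,
    }


def demo():
    """Builds the constructed database in a temp dir and runs the case against it."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "sample.db")  # file name chosen for the example
    build_sample_db(path)
    return run_case(path)


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

The hash taken before and after examination is what lets the report state that analysis did not alter the evidence copy; opening the file read-only is what makes that statement hold in practice.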

Evidence can be extracted in four ways:

  • Logical (hardware/software)

  • Physical (hardware/software)

  • Joint Test Action Group (JTAG)

  • Chip-off (very intrusive)

  • In-System Programming (ISP)

"In the absence of a mobile forensic imaging tool, the investigator is forced to manually examine the cell phone"

  • Record each action taken on the phone for documentation

Static analysis vs. dynamic analysis

  • Static analysis: analyzing the app without executing it

  • Dynamic analysis: executing the app and analyzing its behavior
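An added example of the static side, not code from the class notes: it inspects an Android app's manifest without running the app, listing requested permissions, flagging the ones that touch sensitive data, and listing components marked exported. The manifest text is constructed for the example (a real APK stores it as binary XML that must be decoded first); the package name, component names and the small sensitive-permission list are assumptions for illustration.

```python
"""Added example (not part of the class notes): static analysis of a
constructed AndroidManifest.xml. The manifest, package and component
names are invented for illustration."""
import xml.etree.ElementTree as ET

# Namespace Android uses for manifest attributes such as android:name
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Small, illustrative set of permissions that expose user data; not exhaustive
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
}

# Constructed manifest (decoded XML, as it would look after unpacking an APK)
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
      </intent-filter>
    </activity>
    <receiver android:name=".SmsReceiver" android:exported="true"/>
    <service android:name=".SyncService" android:exported="false"/>
  </application>
</manifest>"""


def attr(elem, name):
    """Reads an android:-prefixed attribute via its namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def analyze_manifest(xml_text):
    """Static analysis: parse the manifest and summarize what the app declares."""
    root = ET.fromstring(xml_text)
    permissions = [attr(e, "name") for e in root.iter("uses-permission")]
    sensitive = sorted(p for p in permissions if p in SENSITIVE_PERMISSIONS)
    exported = []
    # Components reachable by other apps are those explicitly marked exported
    for tag in ("activity", "service", "receiver", "provider"):
        for e in root.iter(tag):
            if attr(e, "exported") == "true":
                exported.append((tag, attr(e, "name")))
    return {
        "package": root.get("package"),
        "permissions": permissions,
        "sensitive_permissions": sensitive,
        "exported_components": exported,
    }


if __name__ == "__main__":
    for key, value in analyze_manifest(SAMPLE_MANIFEST).items():
        print(key, value)
```

Nothing here executes the app, which is the point of static analysis; confirming whether the exported receiver actually reads SMS content is a dynamic-analysis question that requires running the app in a controlled environment.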

Cloud Forensics

We must get approval from the cloud provider before performing any digital forensic techniques. We can use the log management consoles already built into the cloud provider's application/admin console.
