Digital Forensic Examination of Mobile Phones
Paula Thomas & Duncan McPhee
Faculty of Advanced Technology, University of Glamorgan
Introduction
• More than 3 billion mobile phones in use worldwide.
• A new phone model is released worldwide every 4 days.
• Six manufacturers make 80% of phones: Nokia, Motorola, LG, Sony Ericsson, Samsung, Siemens.
• Over 50 manufacturers make up the other 20%.
• Many operating systems: Symbian 46%, Apple 17%, RIM 15%, Microsoft 13% and others.
• Each phone model on each network has a different version of the OS.
Swiss Army Phone: a phone, or evolved computing?
The Importance (reported cases)
• http://news.bbc.co.uk/1/hi/england/humber/8300582.stm
• http://news.sky.com/skynews/Home/Sky-News-Archive/Article/200806413442844
• http://www.thisisbath.co.uk/news/Police-Ben-s-death-steer-youngsters-away-drugs/article-765007-detail/article.html
The Investigation • Analyse the data – Call records etc. • Do we need to involve the network? • Can we collect and search for relevant evidence? • Can we link the phone to the person or other people? • Forensics can help with supplementary evidence & counter “false defences”.
Sources Of Evidence • Subscriber (You). • SIM (Subscriber Identity Module). • Phone. • Base Station. • Network.
Forensic Issues
• Cables are a big problem.
• Forensic software support.
• Block incoming signals.
• Personal PIN codes: 3 attempts only.
• Battery.
• PIN Unlock Code (PUK): obtained from the network.
Hard Disk Analysis v Mobile Device Analysis

Hard Disk Analysis
• Well established guidelines.
• Copy to a like medium.
• Examine an image, using standard cables.
• = Write blocked.
• Hashes.
• Deleted data.
• KFF (Known File Filter).
• Passwords & attacks; decrypt & crack.
• Patterns; reconstruction tools.
• Levels of searching.
• Control of data & display; reporting.
• Longer lifecycle.

Mobile Device Analysis
• Guidelines unclear.
• Unable to copy to a like medium; work on the seized device.
• Examine an image, using cables or wireless; connectivity.
• = Phone to disk.
• Hex issues.
• Not all data extracted.
• Different OS.
• Report, but limited data.
• Shorter lifecycle.
XRY Forensic Hardware & Software
• XRY communicates with the phone using cables or Bluetooth.
• Software will need to be installed on some phone models.
XRY Example (screenshots, not reproduced here): Text Messages, Case Data, Pictures
Review of ACPO: Principle 1
• No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court.
• Isolate the device from the network: dummy SIM card, Faraday bag.
• Use forensic software: XRY, Oxygen, Paraben.
• Use a secure, reliable connection interface that minimises data change on the device; XRY uses cable or Bluetooth. Note that Bluetooth is itself a radio link: it cannot be used while the handset is shielded in a Faraday bag, and pairing leaves a record on the handset.
• The process of reading some data types may change their state, e.g. SMS: opening an unread message on the handset rewrites its status on the SIM from "unread" to "read".
• All examinations should include some degree of manual examination, e.g. photographing screen content.
• Exercise care when dealing with PINs/passwords to avoid permanent damage: a SIM PIN locks after 3 wrong attempts (the network's PUK is then needed), and some handsets wipe themselves after repeated failures.
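To make the SIM evidence source and the "reading changes state" point concrete, the following is an added example, not code from the authors, ACPO or XRY. It decodes one record of the SIM file EF_SMS as laid down in 3GPP TS 51.011 / TS 31.102 (a status byte, then the service-centre address and SMS TPDU, padded with 0xFF). It handles only SMS-DELIVER records in the GSM 7-bit or UCS-2 alphabet without a user-data header; the sample record is constructed and its telephone numbers are fictitious. It also keeps a record whose status byte says "free" but whose body still holds a message, which is how a message deleted on the handset usually looks on the SIM.

```python
"""Decode a SIM EF_SMS record (3GPP TS 51.011 / TS 31.102): added example, not the page's code."""
from typing import Optional

RECORD_LEN = 176  # one EF_SMS record: status byte + 175 bytes of TPDU/padding

STATUS = {
    0x00: "free (or deleted)",
    0x01: "received, read",
    0x03: "received, unread",
    0x05: "originated, sent",
    0x07: "originated, to be sent",
}

# GSM 03.38 default 7-bit alphabet, index = septet value
GSM7_BASIC = (
    "@£$¥èéùìòÇ\nØø\rÅå" "Δ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ"
    " !\"#¤%&'()*+,-./" "0123456789:;<=>?"
    "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§" "¿abcdefghijklmnopqrstuvwxyzäöñüà"
)


def decode_semi_octets(data: bytes) -> str:
    """BCD digits, low nibble first; an 0xF nibble is padding."""
    out = []
    for b in data:
        for nib in (b & 0x0F, b >> 4):
            if nib != 0x0F:
                out.append(str(nib))
    return "".join(out)


def format_address(ton_npi: int, digits: str) -> str:
    # type-of-number 001 = international, shown with a leading '+'
    return ("+" if (ton_npi >> 4) & 0x07 == 1 else "") + digits


def unpack_gsm7(data: bytes, septets: int) -> str:
    bits = int.from_bytes(data, "little")  # septets are packed LSB first
    return "".join(GSM7_BASIC[(bits >> (7 * i)) & 0x7F] for i in range(septets))


def parse_scts(data: bytes) -> str:
    """TP-SCTS: six swapped-BCD fields (yy mm dd hh mm ss) plus a quarter-hour time zone."""
    yy, mo, dd, hh, mi, ss = ((b & 0x0F) * 10 + (b >> 4) for b in data[:6])
    tz = data[6]
    quarters = (tz & 0x07) * 10 + (tz >> 4)  # bit 3 of the first semi-octet is the sign
    sign = "-" if tz & 0x08 else "+"
    return (f"20{yy:02d}-{mo:02d}-{dd:02d} {hh:02d}:{mi:02d}:{ss:02d}"
            f"{sign}{quarters // 4:02d}:{(quarters % 4) * 15:02d}")


def decode_ef_sms_record(rec: bytes) -> Optional[dict]:
    if len(rec) != RECORD_LEN:
        raise ValueError(f"EF_SMS record must be {RECORD_LEN} bytes")
    status, body = rec[0], rec[1:]
    if all(b == 0xFF for b in body):
        return None  # genuinely empty slot: nothing to recover
    off = 0
    sc_len = body[off]; off += 1  # service-centre address: length counts the bytes after it
    smsc = ""
    if sc_len:
        smsc = format_address(body[off], decode_semi_octets(body[off + 1:off + sc_len]))
        off += sc_len
    first = body[off]; off += 1
    if first & 0x03 != 0x00:
        raise ValueError("only SMS-DELIVER records are handled here")
    if first & 0x40:
        raise ValueError("user-data header (e.g. concatenated SMS) not handled")
    oa_digits = body[off]; oa_bytes = (oa_digits + 1) // 2  # originator length counts digits
    originator = format_address(body[off + 1], decode_semi_octets(body[off + 2:off + 2 + oa_bytes]))
    off += 2 + oa_bytes
    pid, dcs = body[off], body[off + 1]; off += 2
    timestamp = parse_scts(body[off:off + 7]); off += 7
    udl = body[off]; off += 1
    if dcs & 0xC0 == 0 and dcs & 0x0C == 0x08:    # general coding group, UCS-2 (udl = octets)
        text = body[off:off + udl].decode("utf-16-be")
    elif dcs & 0xC0 == 0 and dcs & 0x0C == 0x00:  # general coding group, GSM 7-bit (udl = septets)
        text = unpack_gsm7(body[off:off + (udl * 7 + 7) // 8], udl)
    else:
        text = body[off:off + udl].hex()           # leave other alphabets as raw hex
    return {
        "status": status,
        "status_text": STATUS.get(status, f"unknown 0x{status:02x}"),
        "deleted_but_present": status == 0x00,
        "smsc": smsc, "originator": originator, "timestamp": timestamp,
        "pid": pid, "dcs": dcs, "text": text,
    }


def after_handset_read(rec: bytes) -> bytes:
    """What the handset writes back when the user opens an unread message: status 0x03 -> 0x01.
    Simulation only; it shows the data change on the SIM that Principle 1 warns about."""
    return bytes([0x01]) + rec[1:] if rec[0] == 0x03 else rec


# Constructed sample record (fictitious numbers): "hellohello" from +447700900123
SAMPLE_RECORD = bytes.fromhex(
    "03"                  # status: received, unread
    "0791442143658709"    # SMSC +441234567890
    "04"                  # SMS-DELIVER, no more messages waiting
    "0C91447700091032"    # TP-OA +447700900123
    "00" "00"             # TP-PID, TP-DCS (GSM 7-bit)
    "90010241030040"      # TP-SCTS 2009-10-20 14:30:00 +01:00
    "0A"                  # TP-UDL: 10 septets
    "E8329BFD4697D9EC37"  # "hellohello", 7-bit packed
)
SAMPLE_RECORD += b"\xff" * (RECORD_LEN - len(SAMPLE_RECORD))

if __name__ == "__main__":
    print(decode_ef_sms_record(SAMPLE_RECORD))
    print(decode_ef_sms_record(after_handset_read(SAMPLE_RECORD))["status_text"])
```

Running it shows the same message decoded twice with only the status field changed, which is why the record should be read from the SIM with a forensic reader rather than viewed on the handset.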
Mobile Phone v Hard Disk
• No crime-scene guidelines for phones: switch on or off?
• ACPO guidelines for the forensic examination of computers are unambiguous.
• ACPO does not provide any guidance for damaged or broken phones.
• Encryption on iPhone, BlackBerry, etc.
• Evidential integrity issues.
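The evidential-integrity gap above is the one thing that can be handled the same way for both media: hash what was acquired, and re-verify before reporting. The following is an added example, not code from the authors, ACPO or XRY. For a hard disk the image file is hashed; a phone extraction usually produces a folder of exported files (the layout in demo() is assumed and constructed in a temporary directory), so every file is hashed individually into a manifest, and verification flags anything changed, missing or added since acquisition.

```python
"""Acquisition manifest with before/after verification: added example, not the page's code."""
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 20                  # read large images 1 MiB at a time
ALGORITHMS = ("md5", "sha256")   # two digests, as is usual in acquisition records


def hash_file(path: Path, algorithms=ALGORITHMS) -> dict:
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def build_manifest(root: Path, algorithms=ALGORITHMS) -> dict:
    """Size and digests of every file under root, keyed by sorted relative path (reproducible)."""
    files = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            files[rel] = {"size": path.stat().st_size, **hash_file(path, algorithms)}
    return {"algorithms": list(algorithms), "files": files}


def verify_manifest(root: Path, manifest: dict) -> list:
    """Return [(relative path, problem)]; an empty list means the acquisition is intact."""
    problems = []
    expected = manifest["files"]
    for rel, entry in expected.items():
        path = root / rel
        if not path.is_file():
            problems.append((rel, "missing"))
            continue
        actual = hash_file(path, manifest["algorithms"])
        bad = [a for a in manifest["algorithms"] if actual[a] != entry[a]]
        if bad:
            problems.append((rel, "mismatch: " + ", ".join(bad)))
    for path in sorted(root.rglob("*")):  # files that were not there at acquisition time
        rel = path.relative_to(root).as_posix()
        if path.is_file() and rel not in expected:
            problems.append((rel, "not in manifest"))
    return problems


def demo() -> dict:
    """Constructed acquisition folder: manifest at acquisition, then a careless examination."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sim").mkdir()
        (root / "sim" / "imsi.txt").write_bytes(b"abc")  # constructed content
        (root / "sim" / "ef_sms.bin").write_bytes(bytes([0x03]) + b"\xff" * 175)
        (root / "phonebook.csv").write_text("name,number\nAlice,+447700900123\n")
        manifest = build_manifest(root)
        before = verify_manifest(root, manifest)
        # examiner's mistakes: editing an export in place and saving notes into the evidence folder
        (root / "phonebook.csv").write_text("name,number\nAlice,+447700900124\n")
        (root / "notes.txt").write_text("checked phonebook\n")
        after = verify_manifest(root, manifest)
    return {"manifest": manifest, "before": before, "after": after}


if __name__ == "__main__":
    result = demo()
    print("at acquisition:", result["before"])
    print("after examination:", result["after"])
```

The manifest belongs in the case record alongside the examiner's notes; a clean re-verification at reporting time is the evidence that the examination did not alter the acquired data.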
Conclusion
• Traditional crimes will migrate to mobile devices.
• Exponential growth in use.
• Large numbers of mobile devices are being used as evidence.
• Differing models, operating systems, technology and device language.
• Forensics is a new discipline for mobile devices.
• Guidance requires updating; there is no 'perfect case' yet.
• ACPO is limited.
• Lacks guidance on how to record and report evidence from a mobile device.
• Hard disk and mobile device are similar in nature (both digital media) but differ in many ways.