Slide1
Intro to Cell Phone Technology
Slide2Why mobile devices
Mobile forensics dominates the digital forensics landscape
Some numbers:
In America we have more than 317 million people and more than 327 million mobile devices. That means 103.1 devices per 100 people.
64 percent of American adults own a Smartphone
Slide3Cellular technology
What is a cell phone?
What are its composite parts?
Slide4Cellular technology
How does the concept of cellular communication differ from earlier devices, such as CBs, radio telephones, etc.?
Simplex vs. half-duplex vs. duplex
Slide5Early radio-phones
Single tower
Large power source
Few channels
No hand-offs
Slide6Cellular concept
In the late 50’s engineers at Bell Labs developed a new theory – the cellular system
Towers at the corners, transmitting in three directions, forming hexagonal cells
Technology did not exist at that time to support the theory
Slide7Slide8Cellular concept
And where are the towers located?
Slide9Slide10Cellular concept
Three-sided towers, each side covering 120 degrees, to combine to cover a 360 degree circle
Slide11Slide12Cellular concept
These cells work together to provide more complete coverage
Much smaller range = less power needed by device = smaller battery = smaller device
Frequency re-use
Slide13Cellular concept
As a mobile device reaches the limit of one tower’s range, and that tower’s signal weakens, the device is “handed off” to the next tower, as that tower’s signal grows stronger
No need for action from user
Slide14Cellular concept
Keep in mind, this is a “concept”
The reality can sometimes look very different
Slide15Propagation map
Slide16Cellular reality
Sectors are often greater or less than 120 degrees
Coverage may be affected by
Population
Geography/Foliage
Date/Time
Etc.
Slide17Cellular networks
In a cellular network, only the last link is wireless
Slide18Cellular networks
The main control point of a large group of cell towers in one area, is the Mobile Telephone Switching Office (“switch”)
May control thousands of individual cell sites
Slide19MTSO
When a cellular device is turned on, it locates a tower and identifies itself to its carrier
The device transmits certain data to the network to authenticate itself to the network
Slide20MTSO
The device’s location is maintained by the MTSO, so that it knows where to find the device should someone wish to communicate with it
The MTSO connects to the Public Switched Telephone Network, and transfers calls to that network to be relayed to the device it is calling
Slide21Cell Tech
Now, let’s explore some common cell phone terminology
First, the “generations”…
Slide221G
First Generation
Analog technology
Introduced in the 1980’s, and eventually replaced by 2G technology
Slide23Cell Phone Technology
1971 – AT&T submits proposal to FCC for advanced cellular service
Finally approved in 1982.
Meanwhile, elsewhere…
Slide241G
First commercially automated network in 1G was NTT, in Japan, in 1979
Followed in 1981 by the Nordic Mobile Telephone (NMT)
Slide251G
Finally, in 1983, AMPS comes to America.
First network was in Chicago (Ameritech), followed by Washington DC.
Slide262G
2G technologies appear in the 1990’s
With 2G, we switch from analog to digital.
Slide27Analog vs. Digital
Analog - electronic transmissions accomplished by varying wavelength frequency or amplitude
Digital - refers to transmissions with data being sent as a “positive” or a “non-positive” (1 or 0)
Slide282G
Benefits of digital
Compression
Decreased radio power from handsets
Reduces fraud
Enhanced security
Less interference
Better penetration through buildings
Slide292G
Disadvantages
Decreased radio power from handsets
Dropouts vs. Static
Slide302G
However, the main benefit of digital networks is….
- Data transmission
Slide312G
Several different 2G technologies emerged, using different digital protocols
GSM
CDMA
TDMA
iDEN
Slide322G
1991 – first GSM network, Radiolinja, in Finland.
Slide332.5G?
2.5G was just an increase in speed, which allowed things like MMS, email, web access.
Slide343G
First commercial 3G network (GSM) – NTT in Japan, 2001
First commercial 3G CDMA network – USA (Monet) and South Korea, 2002
Second 3G network in USA – Verizon Wireless, July 2002.
Slide353G
Primary difference between 2G and 3G – packet switching vs. circuit switching
Slide363G
So what does this mean to us?
Mobile internet access
Video calls
Streaming video
Slide373G
Now, with increased transmission speeds, we begin to see mobile broadband modems
PCMCIA, USB
Wireless routers (MiFi)
Slide383G
Devices begin to appear with embedded 3G data capability
Netbooks
Kindle, Nook, iPad, tablets
Slide393G
3G also makes possible the introduction of the “smart phone”.
Apple
Android
Blackberry
…and many others
Slide403G
3G was slow to spread
Some 2G networks were not compatible with the 3G technologies, so all equipment had to be replaced
By 2007, only 9% of worldwide subscribers were using 3G
Slide414G
Main difference between 3G and 4G is (theoretically) the elimination of circuit switching, resulting in an all IP-based network.
Slide424G
Various 4G technologies
HSPA+
WiMax
LTE
Slide434G
International Telecommunications Union – sets standards for 4G
All packet switched
Transmission speeds of 1 Gbps for stationary units, 100 Mbps for moving units.
Slide444G
4G technologies should also support IPv6
IPv4 vs. IPv6
Slide454G
IPv4:
32 bit
Identified as numbers such as: 209.13.42.145
Divided by periods
4.3 billion IP addresses available
Slide464G
IPv6:
128 bit
Identified as letters and numbers such as: 2001:db8:85a3::8a2e:370:7334
Divided by colons
340 undecillion, or 340 trillion trillion trillion IP addresses available
Slide474G
Current technologies do not meet 4G standards
However, the ITU has stated that current technologies like LTE and WiMax, although they do not meet standards, could be called 4G, because they represent “a substantial level of improvement in performance and capabilities with respect to the initial third generation systems now deployed.”
Slide485G
5G - Fifth Generation of Wireless.
Expected to be in place by 2020
1GB speed
Very efficient
Able to support large amounts of connections
Slide49CDMA vs. GSM
CDMA – Code Division Multiple Access
GSM – Global System for Mobile Communication (actually, it’s Groupe Spécial Mobile)
Slide50CDMA vs. GSM
CDMA – most popular technology in the United States
GSM – most popular technology in the world
Slide51CDMA vs. GSM
Traditionally, one way to tell the difference was the presence of a SIM card
Slide52Slide53SIM Cards
What can a SIM card contain?
Phonebook
Call logs
Speed dial
SMS messages
Slide54SIM cards
What must a SIM card contain?
The IMSI
Slide55Slide56ICCID
Integrated Circuit Card ID (ICCID) – a 19 to 20 digit serial number for a SIM card used to securely store the IMSI number for a subscriber.
The ICCID is also called the SIM Serial Number.
It is stamped on the SIM card.
Slide57SIM cards
New 4G phones from both GSM and CDMA providers will contain a SIM card
Some older CDMA phones may contain a SIM card to make them “Global” or “World” phones
Slide58CDMA
Verizon
Sprint
US Cellular
Slide59GSM
AT&T
T-Mobile
Slide60What about Tracfone?
What about Cricket?
Slide61The progression:
CDMA path: Analog (1G) → CDMAone (2G) → CDMA2000 (3G) → LTE (4G)
GSM path: Analog (1G) → GSM (2G) → UMTS (3G) → LTE (4G)
Slide62CDMA Identifiers
Electronic Serial Number (ESN) - The unique identification number embedded in a wireless phone by the manufacturer. Each time a call is placed, the ESN is automatically transmitted to the base station so the wireless carrier's mobile switching office can check the call's validity. MINs and ESNs can be electronically checked to help prevent fraud.
Slide63ESN
Slide64Mobile Equipment Identifier (MEID) - a globally unique 56-bit identification number for a physical piece of CDMA equipment. MEIDs replaced ESNs after the original ESN scheme was depleted in 2008.
gbard@patctech.com
Slide65Slide66Slide67ESN / MEID
Many times you will still see providers use the term ESN even though the number will actually be the MEID.
These numbers specifically identify the device
Slide68GSM Identifiers
International Mobile Equipment Identifier (IMEI) - A unique 15-digit number that serves as the serial number of the GSM handset. The IMEI appears on the label located on the back of the phone, and uniquely identifies that device.
Slide69GSM Identifiers
International Mobile Subscriber Identifier (IMSI) - A unique 15-digit number which designates the subscriber. It is stored on the SIM card, and identifies the account holder.
Slide70IMSI
The first 3 numbers identify the country code, for example the US is code 310.
The next 3 numbers identify the carrier code, for example AT&T code is 410. T-Mobile is code 026.
Therefore an AT&T IMSI will begin with 310410
Slide71IMEI and IMSI from an AT&T record
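The IMSI layout described above, plus the check digit that closes a 15-digit IMEI, can be tested before an identifier copied from a provider record is relied on. This is an added example, not part of the original slides; the function names are hypothetical, the sample identifiers are constructed, and the 3-digit carrier code follows the slide's US examples.

```python
# Added example (not from the original slides); sample identifiers are constructed.

# Carrier codes quoted on the IMSI slide, keyed by (country code, carrier code).
CARRIER_CODES = {("310", "410"): "AT&T", ("310", "026"): "T-Mobile"}


def luhn_valid(number: str) -> bool:
    """Return True if the final digit is a correct Luhn check digit."""
    if not (number.isascii() and number.isdigit()):
        return False
    total = 0
    for pos, ch in enumerate(reversed(number)):
        digit = int(ch)
        if pos % 2 == 1:  # double every second digit from the right
            digit = digit * 2 - 9 if digit > 4 else digit * 2
        total += digit
    return total % 10 == 0


def parse_imsi(imsi: str, carrier_len: int = 3) -> dict:
    """Split a 15-digit IMSI the way the slide describes.

    carrier_len=3 follows the slide's US examples; it is a parameter
    because networks in other regions use 2-digit carrier codes.
    """
    if not (imsi.isascii() and imsi.isdigit() and len(imsi) == 15):
        raise ValueError("expected a 15-digit IMSI")
    country, carrier = imsi[:3], imsi[3:3 + carrier_len]
    return {
        "country_code": country,
        "carrier_code": carrier,
        "subscriber_part": imsi[3 + carrier_len:],
        "carrier": CARRIER_CODES.get((country, carrier), "unknown"),
    }


def review_record(imei: str, imsi: str) -> list:
    """Return notes an examiner would want before relying on a record."""
    notes = []
    if len(imei) != 15 or not luhn_valid(imei):
        notes.append("IMEI fails length/check-digit test: possible transcription error")
    try:
        notes.append("IMSI carrier: " + parse_imsi(imsi)["carrier"])
    except ValueError as exc:
        notes.append("IMSI rejected: " + str(exc))
    return notes


if __name__ == "__main__":
    # Constructed values: a sample IMEI and a made-up AT&T-style IMSI.
    print(review_record("490154203237518", "310410123456789"))
```

A failed check digit does not say which digit is wrong, only that the number should be re-read from the source record or the device label.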
Slide72Other important identifiers
Mobile Identification Number (MIN) - Unique identifier that can be used to identify a cellular phone by the network. The MIN and ESN are both transmitted to the network to assist with authentication.
Mobile Directory Number (MDN) - The actual number a person would dial to reach a specific phone. (This is your phone number)
Slide73Current relevant operating systems
iOS
Android
Blackberry
Windows
Slide74iOS
Apple’s Mobile Operating System.
Simply called iPhone OS prior to June 2010.
Based off of the Mac OS
iPhone, iPad, iPod Touch.
Currently up to 9.2+
Forensically: DB, SQL and Plists
Slide75Jailbreak
Some people “jailbreak” iOS devices to allow for greater control and a larger amount of Apps.
Allows “Root Access” of the device.
Gives the user greater access to many apps that are not available through the App store.
Slide76Android
Developed in 2003
Acquired by Google in 2005.
Forensically DB, SQL and XML
Uses the Linux Kernel.
Similar to iOS devices, many people want more control, and therefore “root” the device.
Slide77Android Flavors
Cupcake (1.5)
Donut (1.6)
Éclair (2.0 – 2.1)
Froyo (2.2)
Gingerbread (2.3x)
Honeycomb (3.1 – 3.2)
Ice Cream Sandwich (4.0)
Jelly Bean (4.1 – 4.3)
KitKat (4.4)
Lollipop (5.0 – 5.1)
Marshmallow (6.0)
Slide78Blackberry
Formerly Research in Motion, now Blackberry Limited
Distributes Blackberry devices.
Based in Waterloo, Canada.
Slide79Blackberry
Had many government and business contracts
Strengths were security and handling of email
Failed to keep up with trends
Went from 43% market share in 2010 to 1.3% in 2015
Blackberry 10
Slide80Windows
Microsoft entry into the smartphone market.
Windows 8 was designed to integrate the Mobile Devices and the PC’s.
Lumia series handsets
Nokia handset running Windows OS
Slide81Windows and Nokia
On February 11, 2011 Nokia announced that it was migrating away from Symbian towards Windows.
On September 2, 2013 it was announced that Microsoft was purchasing Nokia’s mobile division for 7.2 billion dollars.
Slide82Number portability
What is number portability, and why is it important to our investigation?
Slide83Mobile device investigations in 2015
Mobile forensics vs. traditional computer forensics
The two aspects of investigating mobile devices
Slide84Mobile digital forensics
Hardware and software
Recoverable data
Feature phones
Smartphones
Slide85Slide86Application data
What are applications?
What do they allow us to do?
What types of devices use them?
What type of information do they retain?
Slide87Applications
Some applications can wipe a device remotely
Slide88Slide89There are a large number of applications which give us enhanced communication capabilities
Applications
Slide90Applications
Other applications allow users to conduct voice communications over the internet.
Slide91Let’s take a quick look at some application files that might hold important evidence
Slide92WiFi connections…
Slide93Kik messages…
Slide94eBay searches…
Slide95Wikipedia searches…
Slide96Facebook friends…
Slide97…and Facebook messages
Slide98These application files can provide a detailed account of the device owner’s activity
Slide99Backup files
Is a backup the same as a sync?
What types of devices create backups?
Where do backup files get stored?
What types of data are in backup files?
Slide100iOS device backups are created using iTunes:
Slide101Where do you find iOS backups?
Slide102Slide103If you do not have the phone
Open the backup folder and locate the files named:
Info.plist
Manifest.plist
Slide104Slide105Info and Manifest
Simply open each of them with Notepad and take a look:
Slide106Info.plist
Slide107Slide108Slide109Slide110Slide111Slide112Manifest.plist
Slide113Slide114Slide115Slide116And even a list of your apps
Slide117Slide118Oxygen Forensic Suite
Slide119iPhone backups
What if we don’t have forensic software?
Slide120How can we tell what type of file this is?
Slide121In Notepad
Slide122File Signature (header and footer)
Slide123…and then open it with an appropriate tool
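The header-and-footer check described on these slides can be done programmatically instead of by eye in Notepad. This is an added example, not part of the original slides: it classifies a buffer by file signature for a few formats that turn up in phone backups, and flags a known header with a missing footer. The function names are hypothetical and every sample byte string is constructed.

```python
# Added example (not from the original slides); all sample bytes are constructed.

# (header, footer or None, description) for formats common in phone backups.
SIGNATURES = [
    (b"SQLite format 3\x00", None, "SQLite database"),
    (b"bplist00", None, "binary property list"),
    (b"\xff\xd8\xff", b"\xff\xd9", "JPEG image"),
    (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", "PNG image"),
]


def identify(data: bytes) -> dict:
    """Classify a buffer by its header and, where one exists, its footer."""
    for header, footer, kind in SIGNATURES:
        if data.startswith(header):
            # A known header with a missing footer suggests a truncated file.
            footer_ok = None if footer is None else data.endswith(footer)
            return {"type": kind, "footer_ok": footer_ok}
    # XML plists are text: look for the plist root near the top of the file.
    head = data[:512].lstrip(b"\xef\xbb\xbf \r\n\t")
    if head.startswith(b"<?xml") and b"<plist" in head:
        return {"type": "XML property list",
                "footer_ok": data.rstrip().endswith(b"</plist>")}
    return {"type": "unknown", "footer_ok": None}


def identify_file(path: str) -> dict:
    """Classify a file on disk; it is opened read-only in binary mode."""
    with open(path, "rb") as fh:
        return identify(fh.read())


if __name__ == "__main__":
    samples = {
        "database": b"SQLite format 3\x00" + b"\x10\x00" * 8,
        "truncated photo": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
        "xml plist": b'<?xml version="1.0"?>\n<plist version="1.0"><dict/></plist>\n',
    }
    for name, blob in samples.items():
        print(name, identify(blob))
```

Run it against a working copy of the evidence, never the original media, and confirm the result by opening the file in a tool suited to the reported type.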
Slide124Slide125How are we going to get our backup file from the subject computer?
Just boot it up and copy it out?
What are we going to use to examine our backup file?
Slide126Again, great information, but it doesn’t do us any good if we don’t collect it, and if we don’t know how to examine it
Slide127Defeating passcodes
Different solutions for different devices, and different versions of the mobile operating systems
Some carry inherent risks
Slide128Slide129Lockdown plist
The Lockdown plist is created by an iOS device on a “Trusted” computer system. It is NOT part of the backup process. So a backup is NOT required.
Slide130Slide131Lockdown Plist
To unlock the device using the lockdown plist, we copy it from the bad guy’s computer and import it into our forensic software.
Slide132Slide133Slide134Slide135Slide136Slide137The IP Box
Slide138A pattern locked Android device…
Slide139Bypassing passcodes
Be aware of the capabilities of your tools, and the risks that they may carry
Slide140Call detail records
What are call detail records?
How do we obtain them?
Slide141Provider records
Will include call detail records
May include SMS and data usage, depending on the provider
May include “historical handset location data”
Slide142Provider Records
What can we get from the Wireless Services Provider?
Call detail logs
Originating cell site (Latitude and Longitude)
Terminating cell site
Cell site sector Azimuth
Direction of call (incoming or outgoing)
Calling number
Dialed number
Call duration
Data usage
Location of cell towers
Slide143Subscriber information (Name, address, etc.)
SMS information (Text or just sender and receiver?)
ESN / MEID, MIN, MDN, IMEI, IMSI of target phone.
Tower dump
Definitions
Reports of Lost / stolen phone
Type of phone
If prepaid, where purchased?
Status
Other phones on the same account
Cell sites at the time of the incident (Not current)
PCMD / RTT / Historical Handset Location (Maybe?)
Contents of the Cloud
Slide144What are we hoping to discern from CDRs?
Historical location
Possible pattern of movement
Slide145Slide146AT&T Call Detail Records
Slide147Records from a theft incident
Slide148And the map of those calls
Slide149Historical handset location
Available from several providers
More precise location than cell site/sector
Is it GPS?
Slide150Slide151Slide152Slide153Slide154Historical handset location
Be aware of the accuracy of this information
Do not over-rely on it
Slide155Follow PATCtech!
Updates & PATCtech Research
Public Safety News
Training Opportunities
PATCtech @PATCtech
Forensic Digital Evidence Investigators (LinkedIn Group)