Intro to Cell Phone Technology - PowerPoint Presentation

Slide1

Intro to Cell Phone Technology

Slide2

Why mobile devices

Mobile forensics dominates the digital forensics landscape

Some numbers:

In America we have more than 317 million people and more than 327 million mobile devices. That means 103.1 devices per 100 people.

64 percent of American adults own a Smartphone

Slide3

Cellular technology

What is a cell phone?

What are its composite parts?

Slide4

Cellular technology

How does the concept of cellular communication differ from earlier devices, such as CBs, radio telephones,

etc

?

Simplex vs. half-duplex vs. duplex

Slide5

Early radio-phones

Single tower

Large power source

Few channels

No hand-offs

Slide6

Cellular concept

In the late 50’s engineers at Bell Labs developed a new theory – the cellular system

Towers at the corners, transmitting in three directions, forming hexagonal cells

Technology did not exist at that time to support the theory

Slide7

Slide8

Cellular concept

And where are the towers located?

Slide9

Slide10

Cellular concept

Three-sided towers, each side covering 120 degrees, to combine to cover a 360 degree circle

Slide11

Slide12

Cellular concept

These cells work together to provide more complete coverage

Much smaller range = less power needed by device = smaller battery = smaller device

Frequency re-use

Slide13

Cellular concept

As a mobile device reaches the limit of one tower’s range, and that tower’s signal weakens, the device is “handed off” to the next tower, as that tower’s signal grows stronger

No need for action from user

Slide14

Cellular concept

Keep in mind, this is a “concept”

The reality can sometimes look very different

Slide15

Propagation map

Slide16

Cellular reality

Sectors are often greater or less than 120 degrees

Coverage may be affected by

Population

Geography/Foliage

Date/Time

Etc.

Slide17

Cellular networks

In a cellular network, only the last link is wireless

Slide18

Cellular networks

The main control point of a large group of cell towers in one area, is the Mobile Telephone Switching Office (“switch”)

May control thousands of individual cell sites

Slide19

MTSO

When a cellular device is turned on, it locates a tower and identifies itself to its carrier

The device transmits certain data to the network to authenticate itself to the network

Slide20

MTSO

The device’s location is maintained by the MTSO, so that it knows where to find the device should someone wish to communicate with it

The MTSO connects to the Public Switched Telephone Network, and transfer calls to that network to be relayed to the device it is calling

Slide21

Cell Tech

Now, let’s explore some common cell phone terminology

First, the “generations”…

Slide22

1G

First Generation

Analog technology

Introduced in the 1980’s, and were eventually replaced by 2G technology

Slide23

Cell Phone Technology

1971 – AT&T submits proposal to FCC for advanced cellular service

Finally approved in 1982.

Meanwhile, elsewhere…

Slide24

1G

First commercially automated network in 1G was NTT, in Japan, in 1979

Followed in 1981 by the Nordic Mobile Telephone (NMT)

Slide25

1G

Finally, in 1983, AMPS comes to America.

First network was in Chicago (Ameritech), followed by Washington DC.

Slide26

2G

2G technologies appear in the 1990’s

With 2G, we switch from analog to digital.

Slide27

Analog vs. Digital

Analog

-electronic transmissions accomplished by varying wavelength frequency or amplitude

Digital-

Refers to transmissions with data being sent as a “positive” or a “non-positive” (1 or 0)

Slide28

2G

Benefits of digital

Compression

Decreased radio power from handsets

Reduces fraud

Enhanced security

Less interference

Better penetration through buildings

Slide29

2G

Disadvantages

Decreased radio power from handsets

Dropouts vs. Static

Slide30

2G

However, the main benefit of digital networks is….

- Data transmission

Slide31

2G

Several different 2G technologies emerged, using different digital protocols

GSM

CDMA

TMDA

IDEN

Slide32

2G

1991 – first GSM network,

Radiolinja

, in Finland.

Slide33

2.5G?

2.5G was just an increase in speed, which allowed things like MMS, email, web access.

Slide34

3G

First commercial 3G network (GSM) – NTT in Japan, 2001

First commercial 3G CDMA network – USA (Monet) and South Korea, 2002

Second 3G network in USA – Verizon Wireless, July 2002.

Slide35

3G

Primary difference between 2G and 3G – packet switching vs. circuit switching

Slide36

3G

So what does this mean to us?

Mobile internet access

Video calls

Streaming video

Slide37

3G

Now, with increased transmission speeds, we begin to see mobile broadband modems

PCMCIA, USB

Wireless routers (

MiFi

)

Slide38

3G

Devices begin to appear with embedded 3G data capability

Netbooks

Kindle, Nook,

iPad

, tablets

Slide39

3G

3G also makes possible the introduction of the “smart phone”.

Apple

Android

Blackberry

…and many others

Slide40

3G

3G was slow to spread

Some 2G networks were not compatible with the 3G technologies, so all equipment had to be replaced

By 2007, only 9% of worldwide subscribers were using 3G

Slide41

4G

Main difference between 3G and 4G is (theoretically) the elimination of circuit switching, resulting in an all IP-based network.

Slide42

4G

Various 4G technologies

HSPA+

WiMax

LTE

Slide43

4G

International Telecommunications Union – sets standards for 4G

All packet switched

Transmission speeds of 1Gbp/s for stationary units, 100Mbp/s for moving units.

Slide44

4G

4G technologies should also support IPv6

IPv4 vs. IPv6

Slide45

4G

IPv4:

32 bit

Identified as numbers such as: 209.13.42.145

Divided by periods

4.3 billion IP addresses available

Slide46

4G

IPv6:

128 bit

Identified as letters and numbers such as

2001:db8:85a3::8a2e:370:7334

Divided by colons

340

Undecillion

, or 340 trillion

trillion

trillion IP addresses available

Slide47

4G

Current technologies do not meet 4G standards

However, the ITU has stated that current technologies like LTE and

WiMax

, although they do not meet standards, could be called 4G, because they represent "a

substantial level of improvement in performance and capabilities with respect to the initial third generation systems now

deployed.”

Slide48

5G

5G

-Fifth Generation of Wireless.

Expected to be in place by 2020

1GB speed

Very efficient

Able to support large amounts of connections

Slide49

CDMA vs. GSM

CDMA – Code Division Multiple

A

ccess

GSM – Global System for Mobile Communication (actually, it’s

Groupe

Spécial

Mobile)

Slide50

CDMA vs. GSM

CDMA – most popular technology in the United States

GSM – most popular technology in the world

Slide51

CDMA vs. GSM

Traditionally, one way to tell the difference was the presence of a SIM card

Slide52

Slide53

SIM Cards

What

can

a SIM card contain?

Phonebook

Call logs

Speed dial

SMS

messages

Slide54

SIM cards

What

must

a SIM card contain?

The

IMSI

Slide55

Slide56

ICCID

Integrated Circuit Card ID (ICCID)

– a 19 to 20 digit serial number for a SIM card used to securely store the IMSI number for a subscriber.

The ICCID is also called the SIM Serial Number.

It is stamped on the SIM card.

Slide57

SIM cards

New 4G phones from both GSM and CDMA providers will contain a SIM card

Some older CDMA phones may contain a SIM card to make them “Global” or “World” phones

Slide58

CDMA

Verizon

Sprint

US Cellular

Slide59

GSM

AT&T

T-Mobile

Slide60

What about

Tracfone

?

What about Cricket?

Slide61

The progression:

1G 2G 3G 4G

CDMAone

CDMA200 LTE

Analog

GSM UMTS LTE

Slide62

CDMA Identifiers

Electronic Serial Number (ESN)

- The unique identification number embedded in a wireless phone by the manufacturer. Each time a call is placed, the ESN is automatically transmitted to the base station so the wireless carrier's mobile switching office can check the call's validity. MINs and ESNs can be electronically checked to help prevent fraud.

Slide63

ESN

Slide64

Mobile Equipment Identifier (MEID)

- a globally unique 56-bit identification number for a physical piece of CDMA equipment. MEID’s replaced ESN’s after the original ESN scheme being depleted in 2008.

gbard@patctech.com

Slide65

Slide66

Slide67

ESN / MEID

Many times you will still see providers use the term ESN even thought the number will actually be the MEID.

These numbers specifically identify the device

Slide68

GSM Identifiers

International Mobile Equipment Identifier (IMEI)-

A unique 15-digit number that serves as the serial number of the GSM handset. The IMEI appears on the label located on the back of the phone, and uniquely identifies that device

Slide69

GSM Identifiers

International Mobile Subscriber Identifier (IMSI)-

A unique 15-digit number which designates the subscriber.

It

is stored on the SIM

card, and identifies

the account holder.

Slide70

IMSI

The first 3 numbers identify the country code, for example the US is code 310.

The next 3 number will identify the carrier code, for example AT&T code is 410. T-Mobile is code 026.

Therefore an AT&T IMSI will begin with 310410

Slide71

IMEI and IMSI from an AT&T record

Slide72

Other important identifiers

Mobile Identification Number (MIN)-

Unique identifier that can be used to identify a cellular phone by the network. The MIN and ESN are both transmitted to the network to assist with authentication.

Mobile Directory Number (MDN)-

The actual number a person would dial to reach a specific phone. (This is your phone

number)

Slide73

Current relevant operating systems

iOS

Android

Blackberry

Windows

Slide74

iOS

Apple’s Mobile Operating System.

Simply called iPhone OS prior to June 2010.

Based off of the Mac

OS

iPhone, iPad,

iPod Touch.

Currently up to

9.2+

Forensically:

DB, SQL and

Plists

Slide75

Jailbreak

Some

people “jailbreak”

iOS devices

to allow for greater control and a larger amount of Apps.

Allows “Root Access” of the device.

Gives the user greater access to many apps that are not available through the App store.

Slide76

Android

Developed in 2003

Acquired by Google in 2005.

Forensically DB, SQL and XML

Uses the Linux Kernel.

Similar to iOS devices, many people

want more control, and therefore

“root” the device.

Slide77

Android Flavors

Cupcake (1.5)

Donut (1.6)

Éclair (2.0 – 2.1)

Froyo (2.2)

Gingerbread (2.3x)

Honeycomb (3.1 – 3.2)

Ice Cream Sandwich (4.0)

Jelly Bean (4.1 – 4.3)

KitKat (4.4)

Lollipop (5.0 – 5.1)

Marshmallow (6.0)

Slide78

Blackberry

Formerly Research in Motion, now Blackberry Limited

Distributes Blackberry devices.

Based in Waterloo Canada.

Slide79

Blackberry

Had many government and business contracts

Strengths were security and handling of email

Failed to keep up with trends

Went from 43% market share in 2010 to 1.3% in 2015

Blackberry 10

Slide80

Windows

Microsoft entry into the smartphone market.

Windows 8 was designed to integrate the Mobile Devices and the PC’s.

Lumia series handsets

Nokia handset running Windows OS

Slide81

Windows and Nokia

On February 11, 2011 Nokia announced that it was migrating away from Symbian towards Windows.

On September 2, 2013 it was announced that Microsoft was purchasing Nokia’s mobile division for 7.2 billion dollars.

Slide82

Number portability

What is number portability, and why is it important to our investigation?

Slide83

Mobile device investigations in 2015

Mobile forensics vs. traditional computer forensics

The two aspects of investigating mobile devices

Slide84

Mobile digital forensics

Hardware and software

Recoverable data

Feature phones

Smartphones

Slide85

Slide86

Application data

What are applications?

What do they allow us to do?

What types of devices use them?

What type of information do they retain?

Slide87

Applications

Some applications can wipe a device remotely

Slide88

Slide89

There are a large number of applications which give us enhanced communication capabilities

Applications

Slide90

Applications

Other applications allow users to conduct voice communications over the internet.

Slide91

Let’s take a quick look at some application files that might hold important evidence

Slide92

WiFi

connections…

Slide93

Kik

messages…

Slide94

eBay searches…

Slide95

Wikipedia searches…

Slide96

Facebook friends…

Slide97

…and Facebook messages

Slide98

These application files can provide a detailed account of the device owner’s activity

Slide99

Backup files

Is a backup the same as a sync?

What types of devices create backups?

Where do backup files get stored?

What types of data are in backup files?

Slide100

iOS device backups are created using iTunes:

Slide101

Where do you find iOS backups?

Slide102

Slide103

If you do not have the phone

Open the backup folder and locate the files named:

Info.plist

Manifest.plist

Slide104

Slide105

Info and Manifest

Simply open each of them with Notepad and take a look:

Slide106

Info.plist

Slide107

Slide108

Slide109

Slide110

Slide111

Slide112

Manifest.plist

Slide113

Slide114

Slide115

Slide116

And even a list of your apps

Slide117

Slide118

Oxygen Forensic Suite

Slide119

iPhone backups

What if we don’t have forensic software?

Slide120

How can we tell what type of file this is?

Slide121

In Notepad

Slide122

File Signature (header and footer)

Slide123

…and then open it with an appropriate tool

Slide124

Slide125

How are we going to get our backup file from the

subject

computer?

Just boot it up and copy it out?

What are we going to use to examine our backup file?

Slide126

Again, great information, but it doesn’t do us any good if we don’t collect it, and if we don’t know how to examine it

Slide127

Defeating passcodes

Different solutions for different devices, and different version of the mobile operating systems

Some carry inherent risks

Slide128

Slide129

Lockdown p

list

The Lockdown

p

list

is created by an iOS device on a “Trusted” computer system. It is NOT part of the backup process. So a back up is NOT required.

Slide130

Slide131

Lockdown Plist

To unlock the device using the lockdown

plist

, we copy it from the bad guy’s computer and import it into our forensic software.

Slide132

Slide133

Slide134

Slide135

Slide136

Slide137

The IP Box

Slide138

A pattern locked Android device…

Slide139

Bypassing passcodes

Be aware of the capabilities of your tools, and the risks that they may carry

Slide140

Call detail records

What are call detail records?

How do we obtain them?

Slide141

Provider records

Will include call detail records

May include SMS and data usage, depending on the provider

May include “historical handset location data”

Slide142

Provider Records

What

can we get from the Wireless Services Provider?

Call detail logs

Originating cell site (Latitude and Longitude)

Terminating cell site

Cell site sector Azimuth

Direction of call (incoming or outgoing)

Calling number

Dialed number

Call duration

Data usage

Location of cell towers

Slide143

Subscriber information (Name, address,

etc

)

SMS information (Text or just sender and receiver?)

ESN / MEID, MIN, MDN, IMEI, IMSI of target phone.

Tower dump

Definitions

Reports of Lost / stolen phone

Type of phone

If prepaid, where purchased?

StatusOther phones on the same accountCell sites at the time of the incident (Not current)

PCMD / RTT / Historical Handset Location(Maybe?)

Contents of the Cloud

Slide144

What are we hoping to discern from CDRs?

Historical location

Possible pattern of movement

Slide145

Slide146

AT&T Call Detail Records

Slide147

Records from a theft incident

Slide148

And the map of those calls

Slide149

Historical handset location

Available from several providers

More precise location than cell site/sector

Is it GPS?

Slide150

Slide151

Slide152

Slide153

Slide154

Historical handset location

Be aware of the accuracy of this information

Do not over-rely on it

Slide155

Follow PATCtech!

Updates & PATCtech Research

Public Safety News

Training Opportunities

PATCtech

@

PATCtech

Forensic Digital Evidence

Investigators

(LinkedIn Group)