Well Tiger supposedly got caught by his wife when he received a missed call with the caller ID bearing the name "Aunt" or close. But when his wife called back to speak to this so called "Aunt" there was his mistresses or should i say a younger lady's voice on the voice-mail which aroused the suspicion of his wife.
What Mrs.Woods did is the simplest form of cellphone forensics.
Cell phone Data can usually be retrieved from two sources:
- the device itself phone,sim,memory card
- the network service provider(billing records etc;)
Things vital for computer forensics is the knowledge of
- Various cell phone technology (end user devices and network service provider infrastructure)
- Industry tools for forensics
Cellphone memory has to be accessed through embedded OS unless you are willing to get down to using bread boards.
During acquisition finding the proper tool and cable is not as easy as it is for a computer hard drive
Cellphone towers:
Antennasearch.com give your adress to get info on cell tower with elevation. Fact: Every high rise could be a potential celltower in your neighborhood. The old celltower in the center of the cell range is long gone. Now what we have currently is 3 edges of a hexagon thus 3 cell towers provide signal to a user at a time commonly in what are n-4 and n-7 layouts reusing frequencies far apart.
Calls are routed in the hierarchy of the base transceiver station
(BTS), base station controllers(BSC) and mobile switching center(MSC).
Two prominent forms of technology in the US:
- GSM-- global system mobile uses sim card for access. Has hard hand offs ( your connection actually breaks before another tower can pick you up) and forms 80% of the today's phone in the world.Examples are At&t ,T-mobile
- CDMA----code division multiple access where no sim cards are used. Softhand offs and very popular in the US.
- micro usb is the only standardized for cellphones
- Cellphones have miniture database. Don't have pointers to memory like regular harddrive. On deletion of data what happens is actually just make the database inactive.
Other facts to keep in mind:
- Cellphone service providers usually have a separate division to handle SMS's from voice traffic
There are two types of acquisition:
- logical does not grab deleted data
- Physical grabs deleted data
What can one typically expect to extract from a sim card:
- last 10 calls placed
- text messages
- simple phone book
- international mobile suscriber identity (IMSI)
Cell phone issues:
- cellphones are embedded systems
- data stored in RAM- power dependent
- susceptible to "push" technology
- different terminology than computer forensics
- database entries are overwritten when new SMS comes.
- So if you are caught someone from outside can send you 10 to 20 SMS to delete your previous ones.
- Hence the first rule of acquisition is to prevent communication between the device and the network
- Hence the shield device no signal bag(Faraday bag) with possibly a mobile charger with battery is a must have forensics tool
- Maintain power to a device if it is already powered on.
- if the device is turned off, leave it off but you still need to bag it and later power it on under controlled environment as the device is still susceptible to a burst of incoming calls/voice messages and messages waiting.
list of forensic tools:
- cellebrite's UFED
- compelson laboratories mobiledit
- logiccube's celldek
- paraben's device seizure (grabs data in a nice report)
- paraben's projectaphone
- susteen's secureview
- bitpim(open source)
Call detail records(CDRs) from the phone company has a lot of data like calling imsi,imei and number, called imsi,imei and number and the best strategy is to combine CDRs and records from the handheld device.
Excellent book resources:
Amazon Link: handbook of digital forensic
Some online resources:
www.mobileforensicscentral.com
http://www.mobileforensicsworld.org/
