EXTRACTION METHODS OF MOBILE FORENSICS

January 20, 2020 Krishna CHARACTERISTICS, CHIP DESOLDERING, DECODING PHASE, DUMPING PHASE, EXTRACTION, information extraction, MANUAL EXTRACTION, MOBILE FORENSICS, PHYSICAL EXTRACTION

Generally products tend to split mobile forensics information extraction into two different methods, the physical extraction and the logical extraction. The reason for this split is because unlike a personal computer which has a standardized interface, mobile phones tend to use proprietary interfaces or deviate from standards. This means that generally it will take longer to develop a product which can produce a bit by bit copy of the flash memory. In some instances it might even be impossible.

MANUAL EXTRACTION

If a product cannot be found which supports extraction of data from a device, a manual examination is generally carried out by the forensic examiner. This generally involves stepping through the user interface of the device and photographing each entry. The manual procedure can be extremely time consuming as a device can contain thousands of entries such as SMS.

LOGICAL EXTRACTION

Logical extraction is the extraction of information from the device using the vendor interface for synchronizing the contents of the phone with a [personal computer]. This usually does not produce any deleted information due to it normally being removed from the file system of the phone. However in some cases the phone may keep a [database] file of information which does not overwrite the information but simply marks it as deleted and available for later overwriting. In this case, if the device allows [file system] access through their synchronization interface, it is possible to recover deleted information.

A logical extraction is generally easier to work with as it does not produce a large [binary blob]. However a skilled forensic examiner will be able to extract far more information from a physical extraction.

PHYSICAL EXTRACTION

Physical extraction is the extraction of information from the device by direct access to the flash memories. Generally this is harder to achieve because the device vendors needs to secure against arbitrary reading of memory so that a device may be locked to a certain operator. A physical extraction is the method most similar to the examination of a [personal computer]. It produces a bit by bit copy of the device [flash memories]. Generally the physical extraction is then split into two steps, the dumping phase and the decoding phase.

DUMPING PHASE

Dumping is the process of connecting to the device and retrieving a bit by bit copy of the flash memory. This generally involves some sort of security bypass for the device leading to execution of the code responsible for reading the flash memory and transmitting it to another device, usually a personal computer, for later examination. It is equivalent to the step which takes a sector by sector copy of a hard drive. In a good implementation of the dumping phase you will also get access to data which the device has marked as deleted or bad. Flash devices tend to perform [wear leveling] because flash memory has a limited number of writes. This leads to information usually being replicated in many areas of a chip which makes deletion of data on flash media harder than simply overwriting the original file.

DECODING PHASE

Decoding is the process of taking a bit by bit copy of the flash memory and extracting information from the dump. There are two main ways of decoding information in a flash dump, either by arbitrary scanning the whole dump for a pattern or by decoding the flash translation layer, then file system layer and finally the file data. The first method which searches for data patterns in the whole dump can generally extract more information but can run into issues where the data is fragmented and impossible to recover using this method. This is because flash memories are first wear leveled which splits data into different sizes and spreads it out over the memory and in the
next layer the file system generally splits file data further due to allocation of blocks.

CHIP DESOLDERING

In the cases where no product support dumping a device it is possible to desolder the flash chips from the PCB of the device. The flash chips are then usually read using custom hardware or a commercial off the shelf memory programmer. The resulting flash memory dump can then be run through the decoding step of the physical dumping procedure.

MOBILE PHONE CHARACTERISTICS

Mobile phones are highly mobile communications devices that perform an array of functions ranging from that of a simple digital organizer to that of a low-end personal computer. Designed for mobility, they are compact in size, battery powered, and lightweight. Most cell phones have a basic set of comparable features and capabilities. They house a microprocessor, read only memory (ROM), random access memory (RAM), a radio module, a digital signal processor, a microphone and speaker, a variety of hardware keys and interfaces, and a liquid crystal display (LCD). The operating system (OS) of the device is held in ROM, which with the proper tools typically can be erased and reprogrammed electronically. RAM, which for certain models may be used to store user data, is kept active by batteries, whose failure or exhaustion causes that information to be lost. The latest cell phones come equipped with system-level microprocessors that reduce the number of supporting chips required and include considerable memory capacity. Built-in Mini Secure Digital (MiniSD), Multimedia Card Mobile (MMCmobile),or other types of card slots support removable memory cards or specialized peripherals, such as an SDIO Wi-Fi card. Wireless communications such as infrared (i.e., IrDA) or Bluetooth may also be built into the device. Different devices have different technical and physical characteristics (e.g., size, weight, processor speed, memory capacity). Devices may also use different types of expansion capabilities to provide additional functionality. Furthermore, cell phone capabilities sometimes include those of other devices such as PDAs, global positioning systems, and cameras. Overall, they can be classified as basic phones that are primarily simple voice and messaging communication devices; advanced phones that offer additional capabilities and services for multimedia; and smart phones or high-end phones that merge the capabilities of an advanced phone with those of a PDA.

Despite the type of cell phone, nearly all devices support voice and text messaging, a set of basic Personal Information Management (PIM) applications that includes phonebook and date book facilities, and a means to synchronize PIM data with a desktop computer. More advanced devices also provide the ability to perform multimedia messaging, connect to the Internet and surf the Web, exchange electronic mail, or chat using instant messaging. They may also provide enhanced PIM applications that work with specialized built-in hardware, such as a camera. Finally, very high-end devices called smart phones add PDA-like capability for reviewing electronic documents (e.g., reports, briefing slides, and spreadsheets) and running a wide variety of general and special- purpose applications. Smart phones are typically larger than other phones, support a bigger-size display (e.g., 1⁄4 VGA and higher), and may have an integrated QWERTY keyboard or touch sensitive screen. They also offer more extended expansion capabilities through peripheral card slots, other built-in wireless communications such as Bluetooth and WiFi, and synchronization protocols to exchange other kinds of data beyond basic PIM data (e.g., graphics, audio, and archive file formats). Table 2 lists the differences in software capabilities found on these device classes.

Software Characterization

IDENTITY MODULE CHARACTERISTICS

Subscriber Identity Modules are synonymous with mobile phones and devices that interoperate with GSM cellular networks. Under the GSM framework, a cellular phone is referred to as a Mobile Station and is partitioned into two distinct components: the Subscriber Identity Module (SIM) and the Mobile Equipment (ME). As the name implies, a SIM is a removable component that contains essential information about the subscriber. The ME, the remaining radio handset portion, cannot function fully without one. The SIM‘s main function entails authenticating the user of the cell phone to the network to gain access to subscribed services. The SIM also provides storage for personal information, such as phone book entries and text messages, as well as service-related information.

The SIM-ME partitioning of a cell phone stipulated in the GSM standards has brought about a form of portability. Moving a SIM between compatible cell phones automatically transfers with it the subscriber‘s identity and the associated information and capabilities. In contrast, present-day CDMA phones do not employ a SIM. Analogous SIM functionality is instead directly incorporated within the device. While SIMs are most widely used in GSM systems, comparable modules are also used in iDEN phones and UMTS user equipment (i.e., a USIM). Because of the flexibility a SIM offers GSM phone users to port their identity, personal information, and service between devices, eventually all cellular phones are expected to include (U)SIM-like capability.

The SIM operating system controls access to elements of the file system [3GP05a]. Actions such are reading or updating can be permitted or denied unconditionally, or allowed conditionally with certain access rights. Rights are assigned to a subscriber through 4-8 digit Personal Identification Number (PIN) codes. PINs protect core (U) SIM subscriber-related data and certain optional data.
PIN codes can be modified by the subscriber, and their function disabled or enabled. A preset number of attempts, usually three, are allowed for providing the correct PIN code to the (U)SIM before further attempts are blocked completely, rendering communications inoperative only by providing a correct PIN Unblocking Key (PUK) can the value of a PIN and its attempt counter be reset on the (U)SIM. If the number of attempts to enter the correct PUK value exceeds a set limit, normally ten attempts, the card becomes blocked permanently. The PUK for a PIN can be obtained from the service provider or network operator by providing the identifier of the SIM (i.e., its Integrated Circuit Chip Identifier or ICCID). The ICCID is normally imprinted on the (U)SIM, but can also be read from an element of the file system.