MOBILE FORENSIC ANALYSIS
HOW TO IDENTIFY A SUBSCRIBER?
Every mobile subscriber is issued with a smart card called a Subscriber Identity Module (SIM). As physical evidence the SIM provides details printed on the surface of:
- Name of the Network Provider
- Unique ID Number
GENERIC PROPERTIES
All MS‘s have follow GSM standards on how they access and communicate with the network and SIM card Every MS has a unique ID called the International Mobile Equipment Identity (IMEI). Everything else is manufacturer dependent
- File system
- Features
- Interface, etc
Have to request the SIM PIN if activated May have optional MS PIN. No way of bypassing the MS PIN without specialist hardware provided by manufacturer.
ELECTRONIC ACCESS TO THE SIM
Every SIM can be protected by a Personal Identification Number (PIN)
- Set at point of manufacture
- Can be changed by the Subscriber
- Four digit code
- Usually 3 attempts before phone is blocked
Bypassing the PIN requires the Pin Unblocking
- Key (PUK)
- 8 digit code
- Set by manufacturer
- Maximum 10 attempts before phone is permanently blocked
WHAT CAN BE EXTRACTED FROM A SIM?
A SIM is a smart card it has a processor & Non-volatile memory processor is used for providing access to the data and security GSM standard 1111 specifies the physical and logical properties of access mechanism for the SIM .To access the data need:
- Standard smart card reader
- SIM access Software
- Data stored in binary files
There is a fix number of files stored on a SIM most have evidentiary value. However, most provide network rather than subscriber
- Data
- Most network data is not visible to the user of the SIM
- via the MS
- We shall concentrate on the user data files
LOCATION INFORMATION FILE
- The bytes 5-9 of the LOCI contain the network Location Area Identifier (LAI) code.
- Network Operator specific
- This data is retained when the MS is powered down
- Updated as MS moves from one location to another
- Analyst can determine which location the MS was present in when last used
- Location Areas can contain many cells
- LOCI DOES NOT DETAIL WHICH CELL!
- Cell data not stored on SIM
SERIAL NUMBER
- Integrated Circuit Card Identifier
- Corresponds to the number printed on the surface of the SIM
- Identifies the SIM
SUBSCRIBER IDENTIFIER
- International Mobile Subscriber Identity
- Unique ID for every subscription on the Operator‘s network
PHONE NUMBER
- Mobile Station International ISDN number
TEXT MESSAGE DATA (SMS)
- Short Message Service is a popular communication method
- Most SIM‘s have a standard set of slots for storing messages.
TEXT MESSAGE DATA (SMS) – STATUS
- Status byte values
- When user deletes a message only the status flag is changed. Therefore, providing the message has not been overwritten any message in a slot can be recovered and translated using software.
DIALLED NUMBERS
- Most SIMs have up to 100 slots for storing phone numbers
- Newer SIMs can store more than 100 slots
- Binary encoded name/number pair
- When number is deleted the slot is filled with FF hex value so deleted numbers cannot be retrieved forensically
- Slots are allocated in sequence
Therefore can forensically analyze if a number between two numbers has been deleted
- SIMs can store up to five of the last dialed numbers
- Binary encoded format
- Most MS manufacturers do not use this feature preferring to implement this feature on the MS calling logs
ACCESSING MS (MOBILE STATION OR CELL PHONE) DATA
- Stored in flash memory
- Forensic Investigator must ensure the retrieval of data without alteration!
Imaging
- As most MS‘s now have flash upgradeable Operating Systems, etc. this is usually a straightforward process
- However, manufacturer‘s are reluctant to provide access to the tools to achieve this Independent tools known as Flashers are available for most mainstream MS‘s but have no recognized legal status in some parts of the world.
Data suites
- Provided by manufacturers
- Allow access to SMS/MMS, call registers, phonebooks, etc. as stored on phone
- Cannot access memory directly.
FLASH MEMORY
Flash memory stores information in an array of floating-gate transistors, called “cells”. In traditional single-level cell (SLC) devices, each cell stores one bit of information. Some newer flash memory, known as multi-level cell (MLC) devices, can store more than one bit per cell by choosing between multiple levels of electrical charge to apply to the floating gates of its cells. On Mobile Phones: flash memory contains vital personal information and cellular operator information that constantly changes.
MS DATA
Very much dependent on the model, MAY include:
- IMEI
- Short Dial Numbers
- Text/Multimedia Messages
- Settings (language, date/time, tone/volume etc)
- Stored Audio Recordings
- Stored images/multimedia
- Stored Computer Files
- Logged incoming calls and dialled numbers
- Stored Executable Progams (eg J2ME)
- Stored Calendar Events
- IxRTT, EvDO, GSM, GPRS, WAP and Internet settings
THREATS TO MS DATA
Tools such as Flashers and Data Suites can be used to directly manipulate MS dataCommon threat is removing the Service Provider Lock (SPLock) limiting the MS to a single networked:
- Changing the IMEI on stolen phones
- Networks blacklist stolen IMEI‘s in the EIR
- Can also be used to avoid tracing an MS
- Detecting changes to the IMEI
- Compare the electronic IMEI with that printed on the inside of the device
NETWORK OPERATOR DATA
The Network Operators can provide detailed data on calls made/received, message traffic, data transferred and connection location/timing The HLR can provide;
- Customer name and address
- Billing name and address (if other than customer)
- User name and address (if other than customer)
- Billing account details
- Telephone Number (MSISDN)
- IMSI
- SIM serial number (as printed on the SIM-card)
- PIN/PUK for the SIM
- Subscriber Services allowed
THE CALL DATA RECORDS (CDR’S)
Produced in the originating MSC transferred to the OMC
- Every call
- Every message
Each CDR contains;
- Originating MSISDN
- Terminating MSISDN
- Originating and terminating IMEI
- Duration of call
- Type of Service
- Initial serving Base Station (BTS)
