Uploaded by Butrus Cypriano oturo onyong

Digital forensics

University of Juba
School of computer science and Information Technology
Department: Information Technology
TITLE: Digital Forensics: Mobile Phone Detection Using FTK Imager.
By:
Butrus Cypriano Oturo
Sabina Ikai
Peter Tombe
Supervisor: Madam Lilly Abau
Chapter 1.
INTRODUCTION.
Cell phones have become an integral part of people’s lives. They are not only used for
communication via short messaging service (SMS), calls, emails and the internet; advanced
applications such as remote health monitoring systems and security systems have also been
integrated with mobile phones. Recent years have seen rapid advancements in value-added
applications in mobile phones, such as high-definition cameras and high-speed internet
connectivity. The country has also experienced developments in the infrastructure to support the
rising need for faster internet connectivity. Safaricom rolled out their 4G internet infrastructure,
which is now available in over thirteen towns in the country. Despite the advantages brought by
these advancements in mobile technology, their usage has also created threats.
Company data mining has been a big threat in the industry, where employees are able to access
sensitive company information and share it with competitors. This led to the development of
cell phone jammers, which completely block signal reception when you enter the premises.
Even though such devices invade personal privacy, they could not put an end to the
vice, since mobile phones could be connected to a computer and the information transferred and
sent when the employee is out of the company premises. Criminal activities and attempted
escapes have been organized by inmates in correctional institutions through the use of
mobile phones in such facilities. The most common incident in the country is people being
conned by inmates who impersonated promoters and required the “winners” to send money as fees to
facilitate the award of prizes. Life support machines are also sensitive to the use of mobile
phones; their use in such a facility leads to adverse repercussions for persons whose lives
depend on the proper functioning of the machines. Other places are
airplanes, petrol stations, conference halls, examination halls, worship centers, etc., where the
use of mobile phones can either lead to the failure of sensitive machines or is a nuisance.
1.1 Background of the study.
The specific area of this research is to
1.2 Problem statement
1.3 Objectives
1.3.1 General Objectives
1.3.2 Specific objectives
1.3.3 Methodology.
Chapter 2.
Introduction: Importance of mobile forensics
The term “mobile devices” encompasses a wide array of gadgets ranging from mobile
phones, smartphones, tablets, and GPS units to wearables and PDAs. What they all
have in common is the fact that they can contain a lot of user information.
Mobile devices are right in the middle of three booming technological trends: Internet of
Things, Cloud Computing, and Big Data. The proliferation of mobile technology is
perhaps the main reason, or at least one of the main reasons, for these trends to occur
in the first place. In 2015, 377.9 million wireless subscriber connections of smartphones,
tablets, and feature phones occurred in the United States.
Nowadays, mobile device use is as pervasive as it is helpful, especially in the context of
digital forensics, because these small-sized machines amass huge quantities of data on
a daily basis, which can be extracted to facilitate the investigation. Being something like
a digital extension of ourselves, these machines allow digital forensic investigators to
glean a lot of information.
Information that resides on mobile devices (a non-exhaustive list):

Incoming, outgoing, missed call history

Phonebook or contact lists

SMS text, application based, and multimedia messaging content

Pictures, videos, and audio files and sometimes voicemail messages

Internet browsing history, content, cookies, search history, analytics information

To-do lists, notes, calendar entries, ringtones

Documents, spreadsheets, presentation files and other user-created data

Passwords, passcodes, swipe codes, user account credentials

Historical geolocation data, cell phone tower related location data, Wi-Fi
connection information

User dictionary content

Data from various installed apps

System files, usage logs, error messages

Deleted data from all of the above
One good display of the real-life effectiveness of mobile forensics is the mobile device
call logs, and GPS data that facilitated solving the 2010 attempted bombing case in
Times Square, NY.
I. What is the mobile forensics process?
Crimes do not happen in isolation from technological tendencies; therefore, mobile
device forensics has become a significant part of digital forensics.
Most people do not realize how complicated the mobile forensics process can be in
reality. As the mobile devices increasingly continue to gravitate between professional
and personal use, the streams of data pouring into them will continue to grow
exponentially as well. Did you know that 33,500 reams of paper are the equivalent of 64
gigabytes if printed? Storage capacity of 64 GB is common for today’s smartphones.
The mobile forensics process aims to recover digital evidence or relevant data from a
mobile device in a way that will preserve the evidence in a forensically sound condition.
To achieve that, the mobile forensic process needs to set out precise rules for seizing,
isolating, transporting and storing digital evidence originating from mobile devices, and for
analysing and proving it, without compromising it.
Usually, the mobile forensics process is similar to the ones in other branches of digital
forensics. Nevertheless, one should know that the mobile forensics process has its own
particularities that need to be considered. Following correct methodology and guidelines
is a vital precondition for the examination of mobile devices to yield good results.
Among the figures most likely to be entrusted with the performance of the following
tasks are Forensic Examiners, Incident Responders, and Corporate Investigators.
During the inquiry into a given crime involving mobile technology, the individuals in
charge of the mobile forensic process need to acquire every piece of information that
may help them later – for instance, device’s passwords, pattern locks or PIN codes.
II. What are the steps in the mobile forensics process?
2.1 Seizure
Mobile phone evidence box
Credit: mobile phone evidence box by jon crel / (CC BY-ND 2.0)
Digital forensics operates on the principle that evidence should always be adequately
preserved, processed, and admissible in a court of law. Some legal considerations go
hand in hand with the confiscation of mobile devices.
There are two major risks concerning this phase of the mobile forensic process: Lock
activation (by user/suspect/inadvertent third party) and Network / Cellular connection.
Network isolation is always advisable, and it could be achieved either through 1)
Airplane Mode + Disabling Wi-Fi and Hotspots, or 2) Cloning the device SIM card.
Airplane mode
Mobile devices are often seized switched on; and since the purpose of their confiscation
is to preserve evidence, the best way to transport them is to attempt to keep them
turned on to avoid a shutdown, which would inevitably alter files.
Phone jammer
Credit: Got myself a Cell Phone Jammer by Baishampayan Ghose / (CC BY-ND 2.0)
A Faraday box/bag and external power supply are common types of equipment for
conducting mobile forensics. While the former is a container specifically designed to
isolate mobile devices from network communications and, at the same time, help with
the safe transportation of evidence to the laboratory, the latter, is a power source
embedded inside the Faraday box/bag. Before putting the phone in the Faraday bag,
disconnect it from the network, disable all network connections (Wi-Fi, GPS, Hotspots,
etc.), and activate the flight mode to protect the integrity of the evidence.
Faraday bag
Last but not least, investigators should beware of mobile devices being connected to
unknown incendiary devices, as well as any other booby trap set up to cause bodily
harm or death to anyone at the crime scene.
2.2 Acquisition
/Identification + extraction/
The goal of this phase is to retrieve data from the mobile device. A locked screen can
be unlocked with the right PIN, password, pattern, or biometrics (Note that biometric
approaches while convenient are not always protected by the fifth amendment of the
U.S. Constitution). According to a ruling by the Virginia Circuit Court, passcodes are
protected, fingerprints not. Also, similar lock measures may exist on apps, images,
SMSs, or messengers. Encryption, on the other hand, provides security on a software
and/or hardware level that is often impossible to circumvent.
It is hard to be in control of data on mobile devices because the data is mobile as well.
Once communications or files are sent from a smartphone, control is lost. Although
there are different devices having the capability to store considerable amounts of data,
the data in itself may physically be in another location. To give an example, data
synchronization among devices and applications can take place directly but also via the
cloud. Services such as Apple’s iCloud and Microsoft’s One Drive are prevalent among
mobile device users, which leave open the possibility for data acquisition from there. For
that reason, investigators should be attentive to any indications that data may transcend
the mobile device as a physical object, because such an occurrence may affect the
collection and even preservation process.
Since data is constantly being synchronized, hardware and software may be able to
bridge the data gap. Consider Uber – it has both an app and a fully functional website.
All the information that can be accessed through the Uber app on a phone may be
pulled off the Uber website instead, or even the Uber software program installed on a
computer.
Regardless of the type of the device, identifying the location of the data can be further
impeded due to the fragmentation of operating systems and item specifications. The
open-source Android operating system alone comes in several different versions, and
even Apple’s iOS may vary from version to version.
Another challenge that forensic experts need to overcome is the abundant and ever-changing
landscape of mobile apps. Create a full list of all installed apps; some apps archive and back
up data.
After one identifies the data sources, the next step is to collect the information properly.
There are certain unique challenges concerning gathering information in the context of
mobile technology. Many mobile devices cannot be collected by creating an image; instead
they may have to undergo a process called acquisition of data. There are
various protocols for collecting data from mobile devices, as certain design specifications
may only allow one type of acquisition.
The forensic examiner should make use of SIM card imaging – a procedure that
recreates a replica image of the SIM card content. As with other replicas, the original
evidence will remain intact while the replica image is being used for analysis. All image
files should be hashed to ensure data remains accurate and unchanged.
2.3 Examination and analysis
Flasher box forensics. Using a UFS box to access mobile phone
As the first step of every digital investigation involving a mobile device(s), the forensic
expert needs to identify:

Type of the mobile device(s) – e.g., GPS, smartphone, tablet, etc.

Type of network – GSM, CDMA, and TDMA

Carrier

Service provider (Reverse Lookup)
The examiner may need to use numerous forensic tools to acquire and analyze data
residing in the machine. Due to the sheer diversity of mobile devices, there is no
one-size-fits-all solution regarding mobile forensic tools. Consequently, it is advisable to use
more than one tool for examination. AccessData, Sleuthkit, and EnCase are some
popular forensic software products that have analytic capabilities. The most appropriate
tool(s) are chosen depending on the type and model of mobile device.
Timeline and link analysis available in many mobile forensic tools could tie each of the
most significant events, from a forensic analyst’s point of view.
Intel Computer Stick imaged and analyzed
All of the information, evidence, and other findings extracted, analyzed, and
documented throughout the investigation should be presented to any other forensic
examiner or a court in a clear, concise, and complete manner.
The New digital reality of mobile forensics
“On May 17, 2015, a biker gang shootout erupted at the Twin Peaks Restaurant near
Waco, Texas, killing nine and injuring dozens. More than a hundred mobile phones
were recovered from the incident, setting the wheels in motion for one of the state’s
largest and most challenging investigations to date.
The events that unfolded at the Twin Peaks restaurant thrust McLennan County law
enforcement into a new urgent reality.
Within days of the decision to deploy, [the Cellebrite’s New UFED Analytics
Platform] allowed both investigators and prosecutors to import and decode all extracted
mobile digital forensics data from one centralized location for fast and efficient analysis.
Call records, text messages, photos, videos and social media posts could be filtered by
keywords and tagged for other members of the investigative team to view instantly.
“… [the solution] allowed us to go back and more quickly comb through the data to find
the bigger picture details we needed to confirm the motives, plans and goals of these
motorcycle organizations [,]” said the McLennan County prosecutor.”
Source: Removing the Burden of Finding Digital “Proof”
Quick Question: What procedure could the McLennan County law enforcement have
used immediately at the crime scene to reduce the large backlogs of digital forensics
casework at the outset (provided that they had the experts to carry out that procedure)?
Find the answer below the Reference List.
III. What other models are available?
IV. Non-invasive vs. invasive forensics
No matter what your actual mobile forensic method is, it is imperative to create a policy
or plan for its execution and follow all its steps meticulously and in the proper sequence.
Not following the protocol may entail grave consequences. One should start with non-invasive
forensic techniques first as they tend to endanger a device’s integrity to a
lesser degree. Be careful with built-in security features – “[f]or example, collecting a
physical image before a logical image on certain devices can completely wipe a phone
of all data, as can attempting to access a locked device and making too many password
attempts.” /Source: Mobile Device Forensics by Scott Polus/
From the legal point of view, the level of the interaction between the user and the device
is critical.
Mobile forensics – tool classification pyramid
4.1 Non-invasive methods
Non-invasive methods can deal with other tasks, such as unlocking the SIM lock or/and
the operator lock, the operating system update, IMEI number modification, etc. These
techniques are virtually inapplicable in cases where the device has sustained severe
physical damage. Types of non-invasive mobile forensic methods:

Manual extraction
The forensic examiner merely browses through the data using the mobile device’s
touchscreen or keypad. Information of interest discovered on the phone is
photographically documented. This process of manual extraction is simple and
applicable to almost every phone. While there are some tools designed to make this
process easier, it is not possible, however, to restore deleted data this way.

Logical extraction
This approach involves instituting a connection between the mobile device and the
forensic workstation using a USB cable, Bluetooth, Infrared or RJ-45 cable. Following
the connecting part, the computer sends command requests to the device, and the
device sends back data from its memory. The majority of forensic tools support logical
extraction, and the process itself requires short-term training. On the downside,
however, this technique may add data to the mobile device and may alter the integrity of
the evidence. Also, deleted data is rarely accessible.

JTAG method
JTAG is a non-invasive form of physical acquisition that could extract data from a
mobile device even when data was difficult to access through software avenues
because the device is damaged, locked or encrypted. The device, however, must be at
least partially functional (minor damages would not hinder this method).
The process involves connecting to the Test Access Ports (TAPs) on a device and
instructing the processor to transfer raw data stored on connected memory chips. This
is a standard feature that one could come across in many mobile phone models, which
provides mobile phone manufacturers a low-level interface outside the operating system.
Digital forensic investigators take an interest in JTAG, as it can, in theory, allow direct
access to the mobile device’s memory without jeopardizing it. Despite that fact, it is a
labor-intensive, time-consuming procedure, and it requires advance knowledge (not
only of JTAG for the model of the phone under investigation but also of how to arrange
anew the resulting binary composed of the phone’s memory structures).

Hex dump
Similar to JTAG, hex dump is another method for physical extraction of raw information
stored in flash memory. It is performed by connecting the forensic workstation to the
device and then tunneling unsigned code or a bootloader into the device, each of
which carries instructions to dump memory from the phone to the computer. The resulting
image is fairly technical – in binary format – and requires a person with the technical
education to analyze it. Furthermore, the examiner comes into possession of an
abundant amount of data, since deleted data can be recovered, and, on top of that, the
entire process is inexpensive.
4.2 Invasive methods
Typically, they are longer and more complex. In cases where the device is entirely non-functional
due to some severe damage, it is very likely the only way to retrieve data
from the device might be to manually remove and image the flash memory chips of the
device. Even if the device or item is in good condition, circumstances may require the
forensic expert to acquire the chip’s contents physically.

Chip-off
A process that refers to obtaining data straight from the mobile device’s memory chip.
According to the preparations pertinent to this level, the chip is detached from the
device and a chip reader or a second phone is used to extract data stored on the device
under investigation. It should be noted that this method is technically challenging
because of the wide variety of chip types existing on the mobile market. Also, the chip-off
process is expensive, training is required, and the examiner should procure specific
hardware to conduct de-soldering and heating of the memory chip. Bits and bytes of raw
information that is retrieved from the memory are yet to be parsed, decoded, and
interpreted. Even the smallest mistake may lead to damages to the memory chip, which,
in effect, would render the data irrevocably lost. Consequently, experts advise having
recourse to chip-off when: a) other methods of extraction have already been attempted, b) it is
important to preserve the current state of the device’s memory, c) the memory chip is the
only element in the mobile device that is not broken.
The whole process consists of five stages:
1. Detect the memory chip typology of the device
2. Physical extraction of the chip (for example, by unwelding it)
3. Interfacing of the chip using reading/programming software
4. Reading and transferring data from the chip to a PC
5. Interpretation of the acquired data (using reverse engineering)
The last two phases coincide with those of the non-invasive methods. However, the
phases of physical extraction and interfacing are critical to the outcome of the invasive
analysis.

Micro read
This method refers to manually taking an all-around view through the lenses of an
electron microscope and analyzing data seen on the memory chip, more specifically the
physical gates on the chip. In a nutshell, micro read is a method that demands utmost
level of expertise, it is costly and time-consuming, and is reserved for serious national
security crises.
Sources:
The Value of Mobile Device (cell phone) Forensic Examination During an Investigation
Introduction to Mobile Forensics
A Review on Mobile Device’s Digital Forensic Process Models
Computer forensics follows the bread crumbs left by perpetrators
Mobile Phone Forensics
Chip-Off Forensics Services
JTAG Forensics Services
Mobile Forensics
Introduction to Mobile Forensics
Mobile Forensics – How do they do it – Series Part one
Mobile Forensics – How do they do it – Series Part two
Mobile Device Forensics
Mastering Mobile Forensics
Digital Forensic Computers Forensic Forensic Models Information Technology Essay
Wikipedia Mobile device forensics
Mobile Forensics
Guidelines on Mobile Device Forensics





Introduction to Mobile Forensics
Lesson one
Tutorial 1. Introduction to Mobile Forensics
of the online course "Advanced Smartphone Forensics"
Mobile Forensics is a branch of Digital Forensics concerned with the acquisition and
analysis of mobile devices to recover digital evidence of investigative interest.
When we talk about Mobile Forensics we generally use the term “Forensically
Sound”, commonly used in the forensic community to describe the application of
methods and techniques that respect the international guidelines for the acquisition
and examination of mobile devices. The principles for the correct application of
Forensically Sound techniques assume one primary purpose: preserving the state of
things and, where possible, leaving it uncontaminated.
All the phases, from acquisition to forensic analysis of the mobile device, must
avoid altering the examined device. This is not easy at all, particularly with
mobile devices.
The continuous evolution of mobile devices technology allows the commercialization
of new mobile phones, which creates new digital investigations problems.
Hardware and software for this type of mobile device analysis are numerous, but none
is able to give an integrated solution for the acquisition and the forensic analysis of all
smartphones.
Furthermore, mobile devices can contain plenty of digital information, almost
like a computer, not only a call log or SMS messages as old mobile phones did. Much
of the digital information in a smartphone depends on the applications installed on it,
which evolve in such variety that analysis software is not able to support them
completely.
Often the data acquisition from a mobile device is not compatible with some of the
parameters that define a Forensically Sound method.
In other words, to access the mobile device it is necessary to use
communication vectors, bootloaders and other agents that are installed in the
memory to enable communication between the mobile phone and the instrument
we use for the acquisition, so it is not possible to use a write-blocking option.
Often we resort to modifying the device configuration for acquisition, but this operation
risks invalidating the evidence in Court, even if all the techniques are
well documented. As much as possible, it is always fundamental to respect the
international guidelines on mobile forensics to ensure the integrity of the evidence and the
repeatability of the forensic process.
A fundamental aspect on device preservation at the crime scene is evidence collection
on site; that is the preservation of the device found turned on, safeguarding it from
Wi-Fi signals, telecommunication systems, GPS signals and keeping the battery on
charge. This is required to avoid its shutdown and the loss of important information
such as a PIN.
The shutdown could entail a later PIN bypass or even data loss because of
passwords or cryptography. It is also fundamental to immediately provide
electromagnetic isolation using Faraday bags: devices or cases that isolate
the mobile device by shielding it from radio signals.
Figure 1.0 – Faraday bag
A practical example of what can happen to a device found at a crime scene and not
isolated is a complete remote wipe.
Figure 1.1 – Remote wiping command of an IPhone
The production process of forensic evidence is divided into five main phases: the
seizure, the identification, the acquisition and the examination or analysis. Once the
data is extracted from a device, different methods of analysis are used depending on the
underlying case. As each investigation is distinct, it is not possible to have a single
definitive procedure for all cases.
Each one of these steps has a basic role in the process of digital evidence production.
The international standards are fed by many studies and publications that try to define
best practices and guidelines for digital forensic procedures and methods, such as
the NIST guidelines.
Although the most recent ISO/IEC 27037 standard, “Guidelines for identification,
collection and/or acquisition and preservation of digital evidence”, released in 2012,
is not specific to mobile forensics, it defines methods and techniques for digital
forensic investigations that are accepted in many Courts.
However, the overall process can be broken into four phases, as shown in the diagram
following:
Below, the first two steps involved in the production of forensic evidence are
elucidated. The remaining three steps will be explained in detail in the next
lessons.
Handling the device during seizure is one of the important steps in performing
forensic analysis. When seizing a device at the crime scene, it is important to document
it with pictures, writing down the “where and when”, the condition of the mobile, whether it
was damaged, turned on or switched off, a picture of the display if switched on, and any
memory cards.
It is necessary to seize cables, chargers, SIM card data and any papers or notes that
may contain access codes; these can also be deduced from the personal papers of the
criminals whose devices were confiscated. Statistically, many users choose passwords
based on dates of birth, celebrations, names, number plates and other personal
information to remind themselves of them. Looking for PINs and passwords can save
investigators much time later.
On the crime scene, it is fundamental to use proper techniques to protect the device
from communicating with other devices, which may be phone calls, SMS, Wi-Fi
Hotspot interferences, Bluetooth, GPS and many more. It is necessary to place the
device into a Faraday bag and if it is possible add the use of a jammer, to avoid the
alteration of the original state of the device. A phone call, an SMS, an email may
overwrite the previous ones during the evidence collection phase if the phone was not
isolated.
MOBILE DEVICE ISOLATION TECHNIQUES
Faraday bag – The immediate use of a Faraday bag is essential when a
turned-on mobile phone is found. It is important to isolate the mobile phone while keeping it on
charge with an emergency battery, which will allow you to arrive at the lab safely. It is
also important for the power cord to be isolated, because it may allow the mobile to
receive communications. There are different types of Faraday bags on sale, ranging
from simple bags isolated from radio signals (which I do not recommend) to real
isolation boxes which allow more efficiency. They are made up of
silver/copper/nickel with RoHS double-layer conductors. A Faraday bag can be a
great solution to isolate the seized mobile device.
Figure 1.4 – Faraday bag pro
Jamming – The jammers are devices, also known as radio jammers, used to block the
use of mobile phones sending radio waves with the same frequency used by mobile
phones. This causes an interference, which inhibits the communication between
mobiles and BTS, paralyzing every phone activity in its range of action.
Most mobile phones encounter this disturbance merely as a lack of network
connection. In mobile evidence collection, jammer devices are used to block
GSM/UMTS/LTE radio communications. Obviously, the use of a jammer in
these circumstances must be limited to low power (<1 W); otherwise it can
disturb every telephone network around. Their use is illegal in some countries and is
often allowed only to police forces.
Figure 1.5 – Jammer GSM -UMTS – LTE
Airplane mode – Airplane mode is one of the options that can be used to protect
a mobile collected at the crime scene from incoming and outgoing radio transmissions. It is a
risky option because it requires interacting with the mobile phone, and it is possible
only if the phone is not protected with a passcode. On iOS, from iOS 7 onward, airplane
mode can be set with the display locked by sliding the dock upward. To set
airplane mode on Android OS:
1. Click the menu button on the phone to open the menu.
2. Select "Settings" at the bottom of the menu that comes up.
3. Under "Wireless & Networks", tap on "More".
4. Look for the "Airplane mode" option at the top of the settings screen. Tap on it
to put a check mark in the box beside it.
5. Wait for the on button to turn blue. This tells you that the mode is active and
your transmissions are now off.
Figure 1.6 – Airplane mode iOS 7/8 activation
The technical device-protection methods mentioned in the previous paragraphs
should be used with more attention on Android devices than on Apple devices. As
they are seized, care is needed to be sure that our actions will not cause any change
of data on the device. At the same time, it is necessary to use every opportunity that
might help the subsequent analysis.
If the device is found unlocked at the crime scene, that is, without a lock screen
or access code, it is necessary to change the device’s settings to obtain better access to
the device.
Some of the settings it is necessary to modify in this situation are:
Enable the stay awake setting: activating this option and putting the device on charge
(an emergency charger can be used) keeps the device active and unlocked. On
Android devices it can be found in Settings | Development, as shown in the following
screenshot:
Figure 1.7 – Enable USB Debugging Android OS 4.2
Activation of USB debugging: activating this option allows greater access to the
device through an Android Debug Bridge (ADB) connection. This option will be a great tool
for the forensic examiner during the data extraction process. On Android devices, this
option can be found in Settings | Development:
Figure 1.8 – Enable USB Debugging Android OS
In later Android versions, from 4.2, the development settings are hidden by default.
To activate them, go to Settings | About phone and tap Build number seven times.
Figure 1.9 – Enable USB Debugging Android OS 4.2
APPLE IPHONE
Before analysing an iPhone it is necessary to identify the hardware type and which
firmware is installed on it. The easiest way is to check the rear of the device's shell,
where the model number is printed:
Figure 2.0 – Hardware number iPhone
The firmware version can be checked from the iPhone menu Settings/General/About/Version:
Figure 2.1 – firmware version iPhone
A good way to get a lot of information from an iPhone is to use libimobiledevice
(http://www.libimobiledevice.org), currently released as version 1.2, a set of tools
for communicating with Apple devices including the iPhone, iPad, iPod Touch and
Apple TV. They do not need a jailbreak, and they allow reading the device's
information, backup and restore, and similar operations for a logical file system
acquisition. They can be downloaded and used in a Linux environment, and they are
integrated in the Santoku live distro (https://santoku-linux.com/).
Practical Exercise
In this practical exercise, we get information from an Apple iPhone smartphone:
Step one – Download from the web site https://santoku-linux.com/ the Santoku live
distro, named santoku_0.5.iso, burn it to a DVD-ROM and boot from it.
Step two – To run libimobiledevice, navigate to Santoku –> Device Forensics –>
lib-iMobile
Figure 2.2 – Running lib-iMobile on Santoku
Step three - This should open a terminal window and list the commands available in
the libimobiledevice tool.
Figure 2.3 – list command available on the libimobiledevice tool
Step four - At this point, you can connect your iOS device to Santoku. If you are
using a VM, make sure the USB device is “attached” to the VM and not the host.
Figure 2.4 – iPhone connected to Santoku
Step five: You can easily check the connectivity between your iPhone and Santoku by
typing this command in a terminal window:
ideviceinfo -s
The command gives all the information you see in the picture, including the
device name, UDID, hardware model and many more.
Figure 2.5 – result of the ideviceinfo -s command
If you want to see only the iPhone’s UDID run the command:
idevice_id -l
This should return the UDID of your phone.
Figure 2.6 – result of the idevice_id –l command
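As an added example (not code from the original paper), the following bash functions take the text that `ideviceinfo -s` and `idevice_id -l` print in step five, build a one-line identification record for the acquisition notes, and check that both tools name the same UDID before any extraction starts. The device values are constructed stand-ins, not output from a real handset.

```bash
#!/usr/bin/env bash
# Added example (not the paper's own code): turn the 'ideviceinfo -s'
# and 'idevice_id -l' output from step five into one identification
# record and check that both tools name the same UDID before any
# acquisition starts. Sample outputs are constructed, not real.

# Constructed stand-in for 'idevice_id -l' (one UDID per line).
SAMPLE_UDID_LIST='a1b2c3d4e5f60718293a4b5c6d7e8f9012345678'

# Constructed stand-in for 'ideviceinfo -s' ("Key: Value" lines).
SAMPLE_INFO='ActivationState: Activated
DeviceName: Evidence iPhone
HardwareModel: N841AP
ProductType: iPhone10,1
ProductVersion: 12.4.1
SerialNumber: CONSTRUCTED01
UniqueDeviceID: a1b2c3d4e5f60718293a4b5c6d7e8f9012345678'

# Print the value of one key from "Key: Value" text (empty if absent).
info_value() {
    printf '%s\n' "$1" | awk -F': ' -v k="$2" \
        '$1 == k { sub(/^[^:]*: /, ""); print; exit }'
}

# Build "Name|HardwareModel|ProductType|Version|UDID" from the info text.
identity_record() {
    printf '%s|%s|%s|%s|%s\n' \
        "$(info_value "$1" DeviceName)" \
        "$(info_value "$1" HardwareModel)" \
        "$(info_value "$1" ProductType)" \
        "$(info_value "$1" ProductVersion)" \
        "$(info_value "$1" UniqueDeviceID)"
}

# Succeed only when exactly one UDID is listed and it equals the
# UniqueDeviceID in the info text: two handsets on the bus, or a
# record copied from another phone, both fail this check.
udid_consistent() {
    [ "$(printf '%s\n' "$1" | grep -c .)" -eq 1 ] || return 1
    [ "$1" = "$(info_value "$2" UniqueDeviceID)" ]
}

identity_record "$SAMPLE_INFO"
udid_consistent "$SAMPLE_UDID_LIST" "$SAMPLE_INFO" && echo "UDID check: OK"
```

On a live Santoku session the two sample variables would be replaced by `"$(idevice_id -l)"` and `"$(ideviceinfo -s)"`.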
ANDROID
Getting information from an Android device is easy.
Go to the menu Settings/About Phone/Software and Hardware information, as shown in
the screenshot:
Figure 2.7 – Android Settings –About Phone
PRACTICAL EXERCISE
In this case, we use a Windows host and the Android Software Development Kit. The
Android Software Development Kit (SDK) helps developers build, test, and debug
applications that run on Android. It includes software libraries, APIs, an emulator,
reference material, and many other tools. These tools not only help create Android
applications but also provide documentation and utilities that help significantly in
the forensic analysis of Android devices. Sound knowledge of the Android SDK helps you
understand the particulars of a device, which in turn helps you during an
investigation. During a forensic examination, the SDK lets us connect to the device
and access the data present on it.
The method to get the serial number of an Android device is the following:
Step one – Download the SDK package from the web site:
https://developer.android.com/sdk/download.html?v=archives/android-sdkwindows-1.6_r1.zip
Step two – Create a folder called ANDROIDSDK and unzip the zip file you
downloaded into it
Step three – Connect your Android device via USB cable
Step four – In the Windows command prompt, browse to the ANDROIDSDK folder, then
tools, and run the adb devices command
Step five – If all works properly, a list of connected devices will appear with a serial
number; if the device is not present in the list, check that the driver is working
properly and that USB debugging is enabled.
Figure 2.8 – Windows Command Prompt – adb devices
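As an added example (not code from the original paper), these bash functions read the text that `adb devices` prints in step five and turn each state column into the check the examiner should make next: a `device` entry is ready, `unauthorized` means USB debugging is on but the trust prompt on the handset was not accepted, and `offline` or a missing entry points back to the cable, driver or USB debugging setting. The listing is a constructed stand-in, not output from a real handset.

```bash
#!/usr/bin/env bash
# Added example (not the paper's own code): read 'adb devices' output
# from step five and tell the examiner, per serial, whether the link is
# usable or what to check (driver, USB debugging, the trust prompt).
# The sample output is constructed, not captured from a real handset.

# Constructed stand-in for 'adb devices' (serial, TAB, state per line).
SAMPLE_ADB="$(printf 'List of devices attached\n%s\t%s\n%s\t%s\n%s\t%s\n' \
    0123456789ABCDEF device ZX1G22ABCD unauthorized emulator-5554 offline)"

# Map one adb state to a plain diagnosis for the acquisition notes.
adb_diagnose() {
    case "$1" in
        device)       echo "ready: record the serial and proceed" ;;
        unauthorized) echo "USB debugging is on but the RSA trust prompt on the handset was not accepted" ;;
        offline)      echo "link not responding: re-seat the cable or toggle USB debugging" ;;
        "no permissions"*) echo "host side: USB driver or udev permissions block adb" ;;
        *)            echo "unknown state '$1': check the driver and USB debugging" ;;
    esac
}

# Print "serial<TAB>state<TAB>diagnosis" per listed device, skipping
# the header and blank lines; fail when nothing at all is listed
# (the "not present on the list" case from step five).
adb_report() {
    local count=0 serial state
    while IFS=$'\t' read -r serial state; do
        case "$serial" in ''|'List of devices attached') continue ;; esac
        count=$((count + 1))
        printf '%s\t%s\t%s\n' "$serial" "$state" "$(adb_diagnose "$state")"
    done <<< "$1"
    [ "$count" -gt 0 ]
}

# Number of devices in the usable 'device' state.
adb_ready_count() {
    adb_report "$1" | awk -F'\t' '$2 == "device" { n++ } END { print n + 0 }'
}

adb_report "$SAMPLE_ADB"
```

On a real workstation the sample variable would be replaced by `"$(adb devices)"`; the same functions run unchanged in Git Bash or WSL on the Windows host the exercise uses.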
MAY 19, 2015