Chapter 12 Homework The First Step Identifying The Mobile Device

Guide to Computer Forensics and Investigations, Fifth Edition 12-1

Chapter 12

Mobile Device Forensics

At a Glance

Instructor’s Manual Table of Contents

• Overview

• Objectives

• Teaching Tips

• Quick Quizzes

Guide to Computer Forensics and Investigations, Fifth Edition 12-2

Lecture Notes

Overview

Chapter 12 explains how to obtain information from a phone or mobile device.

Although some freeware is used in projects, much of the software discussed in this

chapter is expensive and not provided on the book’s DVD. Mobile device forensics is a

Chapter Objectives

• Explain the basic concepts of mobile device forensics

• Describe procedures for acquiring data from mobile devices

Teaching Tips

Understanding Mobile Device Forensics

2. Describe some of the items that might be stored on cell phones, including:

a. Incoming, outgoing, and missed calls

b. Multimedia Message Service (MMS; text messages) and Short Message Service

(SMS) messages

c. E-mail accounts

d. Instant messaging (IM) logs

e. Web pages

3. Explain why investigating smartphones and mobile devices is one of the most

challenging tasks in digital forensics.

Mobile Phone Basics

1. Mention that mobile phone technology has advanced rapidly in the past decade.

Guide to Computer Forensics and Investigations, Fifth Edition 12-3

2. Describe the four generations of mobile phones:

a. Analog

3. Explain that several digital networks are used in the mobile phone industry. Use Table

12-1 to describe the most important digital networks.

4. Discuss the technologies that 4G networks can use:

• Orthogonal Frequency Division Multiplexing

5. Describe the three main components used for cell communication:

a. Base transceiver station (BTS)

b. Base station controller (BSC)

c. Mobile switching center (MSC)

Inside Mobile Devices

2. Explain that cell phone hardware consists of a microprocessor, ROM, RAM, a digital

3. Mention that most basic phones have a proprietary OS, although smartphones use the

same OSs as PCs.

4. Explain that phones store system data in electronically erasable programmable read-

5. Discuss how personal digital assistants (PDAs) have been mostly replaced by iPods,

6. List the peripheral memory cards that may be found in PDAs:

7. Explain that subscriber identity module (SIM) cards are found most commonly in GSM

devices and consist of a microprocessor and internal memory.

8. Explain that GSM refers to mobile phones as “mobile stations” and divides a station

into two parts: the SIM card and the mobile equipment (ME).

9. Describe the additional SIM card purposes, including:

10. Mention that SIM cards come in two sizes. Portability of information is what makes

SIM cards so versatile.

Older CDMA phones don’t use SIM cards; they incorporate the card’s functions

Understanding Acquisition Procedures for Mobile Devices

1. Explain that the main concerns with mobile devices are loss of power, synchronization

3. Mention that depending on the warrant or subpoena, the time of seizure might be

relevant.

4. Explain that messages might be received on the mobile device after seizure, so you

must isolate the device from incoming signals with one of the following options:

5. Mention that the drawback to using these isolating options is that the mobile device is

6. Explain that back in the forensics lab, you should check these four areas:

a. The internal memory

8. Explain that the file system for a SIM card is a hierarchical structure. Use Figure 12-1

9. Explain that information that can be retrieved falls into four categories:

a. Service-related data, such as identifiers for the SIM card and the subscriber

10. Mention that if power has been lost, PINs or other access codes might be required to

view files.

Mobile Forensics Equipment

2. Describe the steps to analyze a mobile device:

• The first step is identifying the mobile device.

3. Define a SIM card reader as a combination hardware/software device used to access the

SIM card.

5. Describe the general procedure for accessing a SIM card as follows:

a. Remove the back panel of the device

6. Mention that a variety of SIM card readers are on the market. Some are forensically

7. Explain that documenting messages that haven’t been read yet is critical. Using a tool

8. Discuss the six types of mobile forensic methods listed by NIST:

9. Describe some of the mobile forensics tools, including:

a. Paraben Software Device Seizure Toolbox

10. Mention that software tools differ in the items they display and the level of detail. Point

out that some tools are designed for updating files, not retrieving data.

11. Discuss the complications that arise when acquiring social media evidence on mobile

Mobile Forensics Tools in Action

1. Describe Cellebrite as a widely used mobile forensics tool, often used by law

2. Allow students to work through the activities where they will examine evidence

3. Discuss the following new technologies and challenges regarding mobile device

forensics:

• Development of type 2 hypervisors for mobile devices

Guide to Computer Forensics and Investigations, Fifth Edition 12-7

Quick Quiz 1

1. Global System for Mobile Communications (GSM) uses the ____ technique, so

multiple phones take turns sharing a channel.

2. Typically, phones store system data in ____, which enables service providers to

reprogram phones without having to physically access memory chips.

3. _____ are usually found in GSM devices and consist of a microprocessor and internal

memory.

4. The file system for a SIM card is a ______ structure.

5. The _____ mobile forensics method requires physically removing the flash memory

chip and gathering information at the binary level.

Class Discussion Topics

1. What are the main hardware/software components used in cell phone communication?

2. What are the differences between tablets and smart phones?

Additional Projects

1. Ask students to read more about the evolution of cell phone communications and write

a report summarizing the most important points.

Additional Resources

1. Evolution of the mobile phone:

2. Subscriber Identity Module:

Key Terms

➢ Code Division Multiple Access (CDMA) — A widely used digital cell phone

technology that makes use of spread-spectrum modulation to spread the signal across a

wide range of frequencies.

➢ fourth-generation (4G) — The current generation of mobile phone standards, with

technologies that improved speed and accuracy.

➢ Global System for Mobile Communications (GSM) — A second-generation cellular

network standard; currently the most popular cellular network type in the world.

➢ International Telecommunication Union (ITU) — An international organization

dedicated to creating telecommunications standards.

➢ Orthogonal Frequency Division Multiplexing (OFDM) – A 4G technology that uses

numerous parallel carriers instead of a single broad carrier and is less susceptible to

➢ Telecommunications Industry Association (TIA) — A U.S. trade association

representing hundreds of telecommunications companies that works to establish and

maintain telecommunications standards.

➢ third-generation (3G) — The preceding generation of mobile phone standards and

technology; had more advanced features and higher data rates than the older analog and