Unlock document.
This document is partially blurred.
Unlock all pages and 1 million more documents.
Get Access
Guide to Computer Forensics and Investigations, Fifth Edition 12-1
Chapter 12
Mobile Device Forensics
At a Glance
Instructor’s Manual Table of Contents
• Overview
• Objectives
• Teaching Tips
• Quick Quizzes
Guide to Computer Forensics and Investigations, Fifth Edition 12-2
Lecture Notes
Overview
Chapter 12 explains how to obtain information from a phone or mobile device.
Although some freeware is used in projects, much of the software discussed in this
chapter is expensive and not provided on the book’s DVD. Mobile device forensics is a
Chapter Objectives
• Explain the basic concepts of mobile device forensics
• Describe procedures for acquiring data from mobile devices
Teaching Tips
Understanding Mobile Device Forensics
2. Describe some of the items that might be stored on cell phones, including:
a. Incoming, outgoing, and missed calls
b. Multimedia Message Service (MMS; text messages) and Short Message Service
(SMS) messages
c. E-mail accounts
d. Instant messaging (IM) logs
e. Web pages
3. Explain why investigating smartphones and mobile devices is one of the most
challenging tasks in digital forensics.
Mobile Phone Basics
1. Mention that mobile phone technology has advanced rapidly in the past decade.
Guide to Computer Forensics and Investigations, Fifth Edition 12-3
2. Describe the four generations of mobile phones:
a. Analog
3. Explain that several digital networks are used in the mobile phone industry. Use Table
12-1 to describe the most important digital networks.
4. Discuss the technologies that 4G networks can use:
• Orthogonal Frequency Division Multiplexing
5. Describe the three main components used for cell communication:
a. Base transceiver station (BTS)
b. Base station controller (BSC)
c. Mobile switching center (MSC)
Inside Mobile Devices
2. Explain that cell phone hardware consists of a microprocessor, ROM, RAM, a digital
3. Mention that most basic phones have a proprietary OS, although smartphones use the
same OSs as PCs.
4. Explain that phones store system data in electronically erasable programmable read-
5. Discuss how personal digital assistants (PDAs) have been mostly replaced by iPods,
6. List the peripheral memory cards that may be found in PDAs:
7. Explain that subscriber identity module (SIM) cards are found most commonly in GSM
devices and consist of a microprocessor and internal memory.
8. Explain that GSM refers to mobile phones as “mobile stations” and divides a station
into two parts: the SIM card and the mobile equipment (ME).
9. Describe the additional SIM card purposes, including:
10. Mention that SIM cards come in two sizes. Portability of information is what makes
SIM cards so versatile.
Older CDMA phones don’t use SIM cards; they incorporate the card’s functions
Understanding Acquisition Procedures for Mobile Devices
1. Explain that the main concerns with mobile devices are loss of power, synchronization
3. Mention that depending on the warrant or subpoena, the time of seizure might be
relevant.
4. Explain that messages might be received on the mobile device after seizure, so you
must isolate the device from incoming signals with one of the following options:
5. Mention that the drawback to using these isolating options is that the mobile device is
6. Explain that back in the forensics lab, you should check these four areas:
a. The internal memory
8. Explain that the file system for a SIM card is a hierarchical structure. Use Figure 12-1
9. Explain that information that can be retrieved falls into four categories:
a. Service-related data, such as identifiers for the SIM card and the subscriber
10. Mention that if power has been lost, PINs or other access codes might be required to
view files.
Mobile Forensics Equipment
2. Describe the steps to analyze a mobile device:
• The first step is identifying the mobile device.
3. Define a SIM card reader as a combination hardware/software device used to access the
SIM card.
5. Describe the general procedure for accessing a SIM card as follows:
a. Remove the back panel of the device
6. Mention that a variety of SIM card readers are on the market. Some are forensically
7. Explain that documenting messages that haven’t been read yet is critical. Using a tool
8. Discuss the six types of mobile forensic methods listed by NIST:
9. Describe some of the mobile forensics tools, including:
a. Paraben Software Device Seizure Toolbox
10. Mention that software tools differ in the items they display and the level of detail. Point
out that some tools are designed for updating files, not retrieving data.
11. Discuss the complications that arise when acquiring social media evidence on mobile
Mobile Forensics Tools in Action
1. Describe Cellebrite as a widely used mobile forensics tool, often used by law
2. Allow students to work through the activities where they will examine evidence
3. Discuss the following new technologies and challenges regarding mobile device
forensics:
• Development of type 2 hypervisors for mobile devices
Guide to Computer Forensics and Investigations, Fifth Edition 12-7
Quick Quiz 1
1. Global System for Mobile Communications (GSM) uses the ____ technique, so
multiple phones take turns sharing a channel.
2. Typically, phones store system data in ____, which enables service providers to
reprogram phones without having to physically access memory chips.
3. _____ are usually found in GSM devices and consist of a microprocessor and internal
memory.
4. The file system for a SIM card is a ______ structure.
5. The _____ mobile forensics method requires physically removing the flash memory
chip and gathering information at the binary level.
Class Discussion Topics
1. What are the main hardware/software components used in cell phone communication?
2. What are the differences between tablets and smart phones?
Additional Projects
1. Ask students to read more about the evolution of cell phone communications and write
a report summarizing the most important points.
Additional Resources
1. Evolution of the mobile phone:
2. Subscriber Identity Module:
Key Terms
➢ Code Division Multiple Access (CDMA) — A widely used digital cell phone
technology that makes use of spread-spectrum modulation to spread the signal across a
wide range of frequencies.
➢ fourth-generation (4G) — The current generation of mobile phone standards, with
technologies that improved speed and accuracy.
➢ Global System for Mobile Communications (GSM) — A second-generation cellular
network standard; currently the most popular cellular network type in the world.
➢ International Telecommunication Union (ITU) — An international organization
dedicated to creating telecommunications standards.
➢ Orthogonal Frequency Division Multiplexing (OFDM) – A 4G technology that uses
numerous parallel carriers instead of a single broad carrier and is less susceptible to
➢ Telecommunications Industry Association (TIA) — A U.S. trade association
representing hundreds of telecommunications companies that works to establish and
maintain telecommunications standards.
➢ third-generation (3G) — The preceding generation of mobile phone standards and
technology; had more advanced features and higher data rates than the older analog and
