Forensics assignment 11
  

see attachment for the 2 assignments

Assignment: A Mobile Network

Learning Objectives and Outcomes

· Diagram components in a mobile network and its connections. 
· Identify the tool’s capabilities and benefits. 

Assignment Requirements

You are a digital forensics intern at Azorian Computer Forensics, a privately owned forensics investigations and data recovery firm in the Denver, Colorado area. The company’s lab manager wants to include some information on mobile networks in the company policy and procedures manual.
The manager is specifically interested in a diagram that shows major components in a mobile network and arrows that show the flow of signals. This needs to be a simple diagram that’s easy to understand at a glance.

For this assignment:

1. Use the Internet to research how a mobile network is set up. 
2. Create a simple diagram using PowerPoint or the drawing program of your choice that includes:

. A mobile device 
. Mobile switching center (MSC) 
. Base station system (BSS) with at least two base station controllers (BSCs) and base transceiver stations (BTSs) 
. Home location register (HLR) 
. Visitor location register (VLR) 
. Public Switching Telephone Network (PSTN) 
. Arrows that represent the flow of signals starting from the mobile device to the PSTN 

Required Resources

· Course textbook 
· Internet access 

Format:

Microsoft PowerPoint or the drawing program of your choice; file saved as a PDF

Length:

1-2 pages

Self-Assessment Checklist

· I researched mobile network configurations. 
· I understood the process adequately and reflected my knowledge in a diagram or flow chart. 
· I followed the submission guidelines.

Assignment: Mobile Forensics

Learning Objectives and Outcomes

· Describe the steps involved in seizing evidence from a mobile device. 
· Describe the information a mobile device reveals about the owner. 

Assignment Requirements 
You are an experienced employee of the DigiFirm Investigation Company. DigiFirm is conducting an employee training activity in which employees describe the process of how they would look for evidence on their own mobile devices.
For this assignment, write a report that:
· Details the properties of one of your own mobile devices 
· Outlines the steps you would take to seize evidence from your device, including device storage system data, and so on 
· Describes a few legal issues related to mobile device forensic activities in general 
· Lists the general information that your device reveals about your life 

Required Resources

· Course textbook 
· Internet 

Submission Requirements

Format:

Microsoft Word

Font:

Arial, size 12, double-space

Citation Style:

Follow your school’s preferred style guide

Length:

1-2 pages

Self-Assessment Checklist

· I wrote a report that details the properties of one of my mobile devices, outlines the steps I would take to seize evidence from my device, describes a few legal issues related to mobile device forensic activities in general, and lists the general information that my device reveals about my life. 
· I created a professional, well-developed report with proper documentation, grammar, spelling, and punctuation.

System Forensics, Investigation, and Response

Lesson 11
Mobile Forensics

© 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.


Learning Objective
Summarize various types of digital forensics.


Key Concepts
Mobile device concepts
Evidence that can be obtained from a mobile device
How to seize evidence from a mobile device


Cellular Device Concepts


A mobile switching center (MSC) is the switching system for the cellular network. MSCs are used in 1G, 2G, 3G, and Global System for Mobile (GSM) communications networks. You will learn about 3G and GSM networks later in this section. The MSC processes all the connections between mobile devices and between mobile devices and landline phones. The MSC is also responsible for routing calls between base stations and the public switched telephone network (PSTN).

The base transceiver station (BTS) is the part of the cellular network responsible for communications between the mobile phone and the network switching system. The base station system (BSS) is a set of radio transceiver equipment that communicates with cellular devices. It consists of a BTS and a base station controller (BSC). The BSC is a central controller coordinating the other pieces of the BSS.

The home location register (HLR) is a database used by the MSC that contains subscriber data and service information.
It is related to the visitor location register (VLR), which is used for roaming phones.

Mobile switching center (MSC)

The switching system for the cellular network

Base transceiver station (BTS)

The part of the cellular network responsible for communications between the mobile phone and the network switching system

Home location register (HLR)

A database used by the MSC that contains subscriber data and service information

Cellular Device Concepts (Cont.)


The subscriber identity module (SIM) is a memory chip that stores the International Mobile Subscriber Identity (IMSI). It is intended to be unique for each phone and is what you use to identify the phone. Many modern phones have removable SIMs, which means you could change out the SIM and essentially have a different phone with a different number.

A SIM card contains its unique serial number (the ICCID), the IMSI, security authentication, and ciphering information. The SIM will also usually have network information, services the user has access to, and two passwords. Those passwords are the personal identification number (PIN) and the personal unlocking code (PUK).

Electronic serial numbers (ESNs) are unique identification numbers developed by the United States Federal Communications Commission (FCC) to identify cell phones. They are now used only in code division multiple access (CDMA) phones, whereas GSM and later phones use the International Mobile Equipment Identity (IMEI) number. The first 8 bits of the ESN identify the manufacturer, and the subsequent 24 bits uniquely identify the phone. The IMEI is used with GSM and Long Term Evolution (LTE) as well as other types of phones.

The personal unlocking code (PUK) is a code used to reset a forgotten PIN. Using the code returns the phone to its original state, causing loss of most forensic data. If the code is entered incorrectly 10 times in a row, the device becomes permanently blocked and unrecoverable.

Each SIM is identified by its integrated circuit card identifier (ICCID). These numbers are engraved on the SIM during manufacturing. This number has subsections that are very important for forensics. This number starts with the issuer identification number (IIN), which is a seven-digit number that identifies the country code and issuer, followed by a variable-length individual account identification number to identify the specific phone, and a check digit.
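The ESN and ICCID layouts described above can be decoded mechanically when documenting a seized device. The following is an added example, not part of the course material: it splits a 32-bit ESN into its 8-bit manufacturer code and 24-bit device number, and splits an ICCID into the seven-digit IIN, the account number, and the check digit, which it verifies with the Luhn algorithm used for ICCIDs. The function names and the sample values are constructed for illustration.

```python
"""Decode the handset and SIM identifiers described above (added example)."""

IIN_LENGTH = 7  # layout used on this page: a seven-digit issuer identification number


def split_esn(esn: int) -> dict:
    """Split a 32-bit ESN: first 8 bits = manufacturer, next 24 bits = device."""
    if not 0 <= esn <= 0xFFFFFFFF:
        raise ValueError("ESN must fit in 32 bits")
    return {"manufacturer": esn >> 24, "serial": esn & 0xFFFFFF}


def luhn_check_digit(body: str) -> int:
    """Compute the Luhn check digit for a string of decimal digits."""
    total = 0
    # Walk right to left; the digit that will sit next to the check digit is doubled.
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def parse_iccid(raw: str) -> dict:
    """Split an ICCID into IIN, account number and check digit, and verify it."""
    # Card labels and acquisition reports often group the digits with spaces or dashes.
    digits = "".join(c for c in raw if c not in " -")
    if not (digits.isascii() and digits.isdigit()):
        raise ValueError("ICCID must contain only decimal digits")
    if len(digits) < IIN_LENGTH + 2:
        raise ValueError("too short to hold IIN, account number and check digit")
    body, check = digits[:-1], int(digits[-1])
    return {
        "iin": body[:IIN_LENGTH],
        "account": body[IIN_LENGTH:],
        "check_digit": check,
        "valid": luhn_check_digit(body) == check,
    }


if __name__ == "__main__":
    # Constructed sample values, not taken from any real device or SIM.
    print(split_esn(0x80ABCDEF))
    print(parse_iccid("8901 2601 2345 6789 011"))
    # A single mistyped digit in the examiner's notes fails the check.
    print(parse_iccid("8901260123456789021")["valid"])
```

A failed check digit usually means the number was transcribed incorrectly from the card or report, so it is worth re-reading the ICCID before it goes into the case record.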

Subscriber identity module (SIM)

A memory chip that stores the International Mobile Subscriber Identity (IMSI)

Electronic serial number (ESN)

A unique identification number developed by the U.S. Federal Communications Commission (FCC) to identify cell phones

Personal unlocking code (PUK)

A code used to reset a forgotten PIN

Network: Cellular


Global System for Mobile (GSM) communications is a standard developed by the European Telecommunications Standards Institute (ETSI). Basically, GSM is the 2G network.

Enhanced Data Rates for GSM Evolution (EDGE) does not fit neatly into the 2G-3G-4G continuum. It is technically considered 2G, but was an improvement on GSM (2G), so it can be considered a bridge between 2G and 3G technologies.

Universal Mobile Telecommunications System (UMTS) is a 3G standard based on GSM. It is essentially an improvement of GSM.

Long Term Evolution (LTE) is a standard for wireless communication of high-speed data for mobile devices. This is what is commonly called 4G.

2G: GSM
2G+: EDGE
3G: UMTS
4G: LTE

Wi-Fi
Most cellular phones and other mobile devices can connect to Wi-Fi networks
Free Wi-Fi hotspots in restaurants, coffee shops, hotels, homes, and many other locations


Operating Systems


iOS: iPhone, iPad, iPod
Android: Samsung Galaxy
Windows 8: Microsoft Mobile/Nokia
Blackberry 10: Blackberry
Many more

iOS
Derived from OS X
Interface based on touch and gestures
In normal operations, iOS uses HFS+ file system
Can use FAT32 when communicating with a PC


iOS
Originally released in 2007 for the iPod Touch and the iPhone. The user interface is based entirely on touching the icons directly. It supports what Apple calls gestures: swipe, drag, pinch, tap, and so on. The iOS operating system is derived from OS X.

In normal operations, iOS uses the HFS+ file system, but it can use FAT32 when communicating with a PC.


iOS (Cont.)
Four layers:
Core OS layer: The heart of the operating system
Core Services layer: Where applications interact with the iOS
Media layer: Is responsible for music, video, and so on
Cocoa Touch layer: Responds to gestures


iOS (Cont.)
Contains several elements in data partition:
Calendar entries
Contacts entries
Note entries
iPod_control directory (hidden)
iTunes configuration
iTunes music
iPod_control\device\sysinfo folder contains model number and serial number


Android
Linux-based operating system, completely open source
First released in 2003
Versions of Android named after sweets, such as Version 4.1–4.2 Jelly Bean and Version 7.0 Nougat
Similarity across versions
Can perform similar forensic examinations on different versions


A Linux-based operating system that is completely open source.
Android source code: http://source.android.com/
First released in 2003
Versions of Android named after sweets, such as Version 4.1–4.2 Jelly Bean and Version 7.0 Nougat
Differences from version to version usually involved adding new features. If you are comfortable with version 1.6 (Donut), you will be able to do forensic examination on version 4.2 (Jelly Bean).
Samsung Galaxy and many other mobile devices run Android

Windows


Windows mobile operating systems
1996: Windows CE
2008: Windows Phone; not compatible with many of the previous Windows Mobile apps
2010: Windows Phone 7
2012: Windows 8
2015: Windows 10 Mobile

Windows 10 (Windows 10 Mobile) is shipped on PCs, laptops, phones, and tablets. This means that once you are comfortable with the operating system on one device, you are going to be able to conduct forensic examinations on other devices running Windows 8 or Windows 10.

Blackberry 10
Based on QNX operating system
Supports major features similar to other mobile phones
Drag and drop
Gestures


Evidence You Can Get from a Cell Phone


Call history

Emails, texts, and/or other messages

Photos and video

Phone information

GPS information

Network information

Mobile Device States


The National Institute of Standards and Technology (NIST) guidelines list four different states a mobile device can be in when you extract data:

Nascent State: Devices are in the nascent state when received from the manufacturer. The device contains no user data and has its original factory configuration settings.

Active State: Devices that are in the active state are powered on, performing tasks, and able to be customized by the user and have their filesystems populated with data.

Semi-Active State: The semi-active state is a state partway between active and quiescent. The state is reached by a timer, which is triggered after a period of inactivity, allowing battery life to be preserved by dimming the display and taking other appropriate actions.

Quiescent State: The quiescent state is a dormant mode that conserves battery life while maintaining user data and performing other background functions. Context information for the device is preserved in memory to allow a quick resumption of processing when returning to the active state.


Semi-Active

Quiescent

Active

Nascent

Rules for Seizing Evidence from a Mobile Device
If you plug device into a computer, make sure device does not synchronize with the computer
Touch evidence as little as possible
Document what you do to the device
Don’t accidentally write data to the mobile device


If the forensic workstation is a Windows machine, you can use the Windows Registry to prevent the workstation from writing to the mobile device. Before connecting to a Windows machine, find the Registry key HKEY_LOCAL_MACHINE\System\CurrentControlset\StorageDevicePolicies, set the value to 0x00000001, and restart the computer. This prevents that computer from writing to mobile devices that are connected to it.


Mobile Device Forensic Products


Although Forensic Toolkit and EnCase can both image a phone for you, there are other products made specifically for phone forensics:
Oxygen Forensics—A full forensic tool capable of imaging and examining iPhones and Android phones. It provides a number of user-friendly tools for extracting specific data such as contacts, social media data, and the like.
Cellebrite—The most widely known phone forensics tool. Used heavily by federal law enforcement. It is a very robust and effective tool. Downside: the high cost. It is the most expensive phone forensics tool on the market.
MobileEdit—There are several variations of this product. MobileEdit Lite is the most forensically advanced version of MobileEdit. This is a very easy-to-use tool that can aid a forensic examiner in extracting data from cell phones.
Data Doctor—Recovers all Inbox and Outbox data and all contact data, and has an easy-to-use interface. It has a free trial version, but there is a cost for the full version. Data Doctor retrieves Inbox and sent message data as well as contact data.
Device Seizure—Available from Paraben Software. There is a license fee associated with this product. Paraben makes a number of forensic products.
Forensic SIM Cloner—This tool is used to clone SIM cards, allowing you to perform forensic analysis of the SIM card.

Oxygen Forensics

Cellebrite

Data Doctor

Device Seizure

Forensic SIM Cloner

MobileEdit

The iPhone: Seizing Evidence
iPhone has four-digit pin
10,000 possible combinations of the digits 0–9
Can use automated process to break iPhone passcode, such as XRY
Tools specifically for iOS devices:
Pwnage
Recover My iPod


The iPhone: Seizing Evidence (Cont.)
If forensic workstation has iTunes:
Plug iPhone (or iPad/iPod) into the workstation
Use iTunes to extract information about the device


Apple iPhone iTunes Display
Screenshot reprinted with permission from Apple Inc.


Three important items to document:
1. The iOS version number
2. The phone number (redacted in this figure)
3. The serial number (redacted in this figure)

Notice you can also see where the phone is backed up. That can indicate yet another place you should search during your forensic investigation.

Seizing Evidence from an iPhone
Information from a device image:
Library_CallHistory_call_history.db
Contains entire call history
Library_Cookies_Cookies.plist
Contains cookies
Give you a history of the phone user’s Internet activities


If you have imaged the phone and you then search for information, you may have to look more closely to find some data:
Library_CallHistory_call_history.db has the entire call history. If you cannot view that directly on the phone itself, the database file has all call information.
Cookies are in the file Library_Cookies_Cookies.plist. This can give you a history of the phone user’s Internet activities.
These, and other files, are actually copied to a PC during synchronization. Here are a few of those files:
Library_Preferences_com.apple.mobileipod.plist
Library_Preferences_com.apple.mobileemail.plist
Library_Preferences_com.apple.mobilevpn.plist

The mobileemail.plist file gives you information about email sent and received from the phone.
The mobilevpn.plist file can indicate if the user has used the phone to communicate over a VPN.


Seizing Evidence from an iPhone
Information from a device image:
Library_Preferences_com.apple.mobileipod.plist
Library_Preferences_com.apple.mobileemail.plist
Gives you information about email sent and received from the phone
Library_Preferences_com.apple.mobilevpn.plist
Indicates if user used device to communicate over a VPN


Seizing Evidence from an iPhone
Deleted files
When a file is deleted on iPhone/iPad/iPod, moved to .Trashes\501 folder
Data exists until overwritten


Seizing Evidence from a Blackberry
Download and install BlackBerry Desktop Manager
Steps to create complete backup image:
Open BlackBerry’s Desktop Manager. Click Options then Connection Settings.
If the Desktop Manager hasn’t already done so, select USB-PIN: Device # for connection type. Click OK.


Seizing Evidence from a Blackberry (Cont.)
Select Backup and Restore.
Click the Back Up button for a full backup of the device or use the Advanced section for specific data.
Select your destination (such as workstation) and save the .ipd file.
Examine data and perform a forensic analysis.


JTAG
Joint Test Action Group (JTAG)
An Institute of Electrical and Electronics Engineers (IEEE) standard for testing chips
Test access points (TAPs) used to directly access the chip and extract data
Forensic examiner takes back off of phone, and then connects wires by soldering or by using some other means to the TAPs of the phone’s memory chip
Wires also connected to a JTAG device that uses software to extract the data directly from the memory chip


Summary
Mobile device concepts
Evidence that can be obtained from a mobile device
How to seize evidence from a mobile device
