Forensic investigation of certain types of mobile devices
Silas Luttenberger and Reiner Creutzburg
Fachhochschule Brandenburg - University of Applied Sciences, Department of Informatics and Media, Magdeburger Straße 50, D-14770 Brandenburg, Germany

ABSTRACT
The aim of this paper is to show the usefulness of Windows-based open source tools and demo versions of other software tools for the forensic investigation of modern mobile devices. It is demonstrated how the important data stored in a mobile device are investigated. Different investigation scenarios are presented that are well suited for inexpensive forensics lab work at a university. In particular, the forensic investigation of three different cell phones is described: Motorola V3m, Motorola V3i, and BlackBerry 8700g [10].
Keywords: Cell phone forensics, forensics for mobile devices, cell phone, mobile phone forensics
1. INTRODUCTION
The number of mobile phones has increased strongly during the last years. Every year new mobile devices are released that differ in functions, structure and technical accessories. Mobile phones are part of regular daily life. In Germany alone the number of mobile phone subscribers increased in 2009 by more than one million to 108.5 million subscribers in a country of around 80 million inhabitants, i.e. 1.3 subscriptions per person [11]. How can an examiner analyze this diversity of devices? The mobile phone has evolved into a masterpiece on which information like calls, messages, addresses, notes, appointments, pictures, movies and other data can be saved. People make endless phone calls, use social networks like Facebook, send hundreds or thousands of messages to others, share pictures and movies of everything they have done or will do, and so on. That is why cell phones have become something like a digital fingerprint of the behavior of their user. Cell phones increasingly contain information that can be used as evidence in court to clarify a crime. These facts raise interest in the analysis of different mobile phone models with different programs. The aim of this paper is to test the quality of these programs for forensic investigations of certain types of mobile devices. To be valid in court, the data of the mobile phone have to be preserved. How can the integrity of the data be achieved? Which areas of a cell phone are important for forensic investigations, and what difficulties and risks can occur during the analysis process? These questions and approaches to a cell phone forensic investigation are discussed and explained in this paper. By revealing the gain of information obtained with the help of programs used for forensic investigation, a fundamental understanding of forensic investigations is to be obtained.
Thereby not only forensic software is used, but also programs specifically developed for particular mobile phones or models. This paper shows which information an examiner can get. Here we focus on cheap alternative programs in comparison to expensive professional forensic software. In the following, the mobile phone with its functions and structure is explained, and the SIM card and mobile communication standards are described. Additionally, some investigation methods are shown and the hash code is described. Afterwards an explanation of cell phone forensics is given and it is shown how sensitive information can be extracted from the SIM card and from the mobile phone. Known approaches to the analysis of mobile phones are also shown. Since examiners are confronted with different problems during an examination, some of these problems are mentioned. The results of investigations made with some models are shown.
Further author information: (Send correspondence to S. Luttenberger)
S. Luttenberger: E-mail: [email protected]
R. Creutzburg: E-mail: [email protected], Phone: +49 (0) 3381 355 442
Multimedia on Mobile Devices 2011; and Multimedia Content Access: Algorithms and Systems V, edited by David Akopian, Reiner Creutzburg, Cees G. M. Snoek, Nicu Sebe, Lyndon Kennedy, Proc. of SPIE-IS&T Electronic Imaging, SPIE Vol. 7881, 78810Q · © 2011 SPIE-IS&T · CCC code: 0277-786X/11/$18 · doi: 10.1117/12.879319 SPIE-IS&T/ Vol. 7881 78810Q-1
2. MOBILE PHONES AND DEVICES
Each mobile phone comes with a lot of technical accessories like a battery, a charger and a data cable to connect it to a computer for updates, data export or import, creating backups, and loading pictures, movies, music and other data. It should be mentioned here that every manufacturer has its own types of battery, data cable and charger, and that they do not fit the devices of other manufacturers. Meanwhile there are some standards for special accessories that are used by many manufacturers, like mini USB or headphone and headset connections. Modern mobile phones consist of a display, a camera, a touchscreen and/or keyboard, speakers, a microphone, a microcontroller, a transceiver and aerial, and slots for the battery, a memory card and a SIM card. The SIM card is needed for identification towards the cellular network. Many cell phones are equipped with Bluetooth and WLAN, and some with infrared. Because of the diversity of mobile devices and the differences in their structure and applications, the models are divided into three categories: basic, advanced and smart. The basic category describes which functions and which structure a mobile phone should have at a minimum. The advanced category is a bit better, and the smart category is what a modern cell phone normally has. What is possible with a mobile phone and which functions it has always depends on the model and on how old the device is. But a new mobile phone almost always has some Java applications. Standard applications on cell phones are games, calculator, ring tones, notes, voice recordings, a calendar for appointments, alarm clock, desktop settings and so on. Today most devices have graphical user interfaces with many self-explanatory icons where the user can find each function. The most important functions on a cell phone are the SMS service, the possibility to dial and receive calls, and a phone book where the user can save all contacts with their data.
The user can choose where the data shall be saved: on the SIM card, on the mobile phone, or on the memory card. Besides this, the user can change basic settings like the clock, date, language, the radio network, and the activation of functions like Bluetooth, WLAN and infrared. Other options are password settings, PIN changes and changes of user and device information. When a camera is available, the user can take pictures or make movies and save them in a directory. Each mobile phone has logs of dialed, received and missed calls. These logs are important for a forensic examination. Text messages are also very important and are saved in designated folders. Many phones possess an integrated music player and options to manage music. To get music onto the phone or to update the software drivers of the phone, the user has to connect it to a computer, for example via USB. Once the phone is connected to a computer it is possible to make backups of the phone, synchronize data or copy data. Mobile phones with a WLAN connection can be used for the Internet, so that the user can read emails or fetch data. Almost every mobile device has an interpreter for the programming language Java. Other functions depend on the model, manufacturer and user. Many applications, like for example a GPS function, can be downloaded by the user later. Users have the possibility to program their own applications and share them with other users. The programming languages used for this are Java, C and C++, because many devices support them. Many manufacturers provide a software development kit (SDK) for application design and sometimes simulators. Examiners are confronted with different devices; that is why they have to know the specialties by which the different models are distinguished from each other, in order to choose the right approaches for the investigation.
PDA
The Personal Digital Assistant (PDA) is used as a synonym for a small, portable computer that can run applications. Its main task is the maintenance of calendar, address and task entries. PDAs are part of modern smartphones and are implemented in almost every new model. That is why PDA is used in combination with cell phones.
Smartphone
A smartphone is a combination of a capable mobile phone and a PDA. What is special about smartphones compared to older cell phones is that the user can add new apps (applications) with new functions to the device or can develop their own. Most applications can be obtained from an online store that is integrated in the operating system. The applications are checked, sold or deleted by the manufacturer. Another difference between a smartphone and other cell phones is that the user interface is no longer fixed, as it was on older devices. Older cell phones can only be extended with Java applications, but on smartphones there are other options. Typical smartphones are the iPhone, the BlackBerry or Windows Mobile devices. All of them use a different operating system, like Windows or Linux or others.
3. SIM CARDS
This section deals with the structure and standards of the SIM card. SIM stands for subscriber identity module; it identifies and authenticates the user towards the network. After the identification the user can phone and use services of the provider. Today there are two different SIM card sizes: the most used mini SIM card with 25 x 15 mm and the micro SIM card with a size of 15 x 12 mm. After buying one, the user has to break the SIM card out of a chip card (ID-1 format). The standard SIM card includes a processor, RAM for program execution, ROM for applications and the operating system, a memory (16-128 KB EEPROM) and a changeable PIN, which secures the phone against unauthorized access [12]. If the PIN is entered wrong three times, the SIM card is blocked. The user can use the PUK (personal unblocking key) to unblock the PIN code. If the PUK code is entered wrong 8 to 10 times, the SIM card is disabled and the user has to buy a new one. The PUK depends on the SIM card and sometimes it is possible to get the PUK code from the manufacturer [8]. Mostly the phone book, calls and message drafts are saved on the SIM card. This is especially the case for older devices, because no other saving options were supported. For many models the user can choose where the data shall be saved, on the SIM card or on the mobile phone. New models such as the Apple iPhone don't save any information on the SIM card. The data structure of the SIM card is standardized. The main root or Master File (MF) contains so-called Directory Files (DF) and Elementary Files (EF). The directory files are subdirectories of the main directory and contain, for example, information about the DCS (Digital Cellular System) or operating system information of the telecom provider. These data are written in the elementary files. The important forensic information is mainly found in the EFs [12,14]. To read data from a SIM card, a SIM card reader is necessary.
When buying a mobile phone, mostly a SIM card is included. The SIM cards of prepaid phones mainly have a net lock or SIM lock. This means the mobile phone can only be used with this one SIM card (SIM lock) or only with SIM cards of the same provider (net lock). This barrier can be removed when the user pays a fee or after waiting two years. Besides, some tutorials on how to remove a SIM lock exist on the Internet, but this is forbidden in some countries.
4. CELL PHONE STANDARDS
In this section the communication standards for mobile phones and their properties are discussed. There are three big network communication standards in the world: UMTS, GSM and CDMA. GSM (Global System for Mobile Communications) was the first network communication standard in the world and was the reason that more mobile phones were sold in the year 1990. It is a network communication standard in around 200 countries and is based on the ISDN network protocol, whereby similar functions are supported. GSM is the most used network in the world and the user needs a SIM card to use it. There are three GSM standards: phase 1, phase 2 and phase 2+. Phase 1 is the first development and was published with the start of GSM. It supports the basic services like call divert, telephony, text messages, radio interfaces, network and service packages and many other things. Phase 2 improved the included services and published new functions and services like forwarding the telephone number, call waiting, call hold, call forwarding, closed user groups, new coding, teleconferencing and a microcell structure [9].
Phase 2+ has a higher data transfer rate and better service. It got extensions for data transfer like HSCSD (High Speed Circuit Switched Data), GPRS (General Packet Radio Service) and EDGE (Enhanced Data Rates for Global Evolution) [15]. Furthermore, there is the CDMA standard (Code Division Multiple Access), which is used mainly in the USA and was developed by Qualcomm. It is a data transfer procedure and is based on a channel access method. CDMA devices don't use SIM cards [13]. Some mobile phones support both CDMA and GSM networks. These devices are called hybrid phones. UMTS (Universal Mobile Telecommunications System) is a mobile network communication standard of the 3rd generation and is managed by the 3GPP (3rd Generation Partnership Project). With UMTS a higher data transfer rate than with GSM is achieved, and new options are opened for using the Internet. UMTS works with a new radio access technique that is based on CDMA technology. The user can send and receive many data streams at the same time, so that the user can make a call and receive emails at the same time. UMTS uses a USIM card, which extends the SIM card with information about the owner and access control of the UMTS provider [7].
5. FORENSIC INVESTIGATION
Live Analysis
The live analysis is the investigation of the device while it is still running. This approach makes it possible to collect volatile data. The advantage of the live analysis is that the examiner can follow the workflow of processes. The disadvantage is the manipulation of data caused by the active usage of the system: logs and the access times of data are updated. Additionally, new processes can be created and the memory changes. While searching manually on the phone, the examiner risks activating malicious programs or processes on the device that can manipulate, delete or hide data.
Post Mortem Analysis
A post mortem analysis is applicable after an incident and is performed on an image of the device. The image has to be a one-to-one copy of the examination object. On those hard disk images and memory dumps, interesting data like pictures, movies, log files or deleted files are investigated. The advantage of using a forensic image is that no processes or data are manipulated or deleted. The investigation is independent of the device, therefore the device can be used for another investigation. Additionally, it is possible to create a chain of evidence.
Hash code
Hash codes are very important for computer forensics, because they are like a fingerprint of data. A hash code can be calculated for a file with the help of a program like, for example, HashCalc. One file will always get the same hash code as long as the content, name or other attributes are not changed. Thereby a manipulation of a file can be detected. That is why hash codes are used especially for the integrity of data in computer forensics. Many forensic programs calculate the hash code of each investigated file during the investigation process. If this is not the case, separate programs like HashCalc can calculate the hash code for each file, image or drive.
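The hash-based integrity check described above, written out as an added example (this is not code from the paper or from HashCalc). It records the SHA-1 and SHA-256 hashes of every extracted file in a manifest, as a tool like HashCalc would, and later re-hashes the files to detect any that were altered, removed or added. The file names and contents in demo() are constructed for the demonstration; the backup and photo bytes are not real device data.

```python
"""Hash manifest for forensic images and extracted files (added example)."""
import hashlib
import os
import tempfile

# SHA-1 and SHA-256 are assumed here as the recorded algorithms; HashCalc offers
# several, and any hashlib name can be passed instead.
DEFAULT_ALGOS = ("sha1", "sha256")
CHUNK = 1 << 20  # read in 1 MiB chunks so a large image need not fit in RAM


def hash_bytes(data, algorithms=DEFAULT_ALGOS):
    """Return {algorithm: hexdigest} for an in-memory byte string."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}


def hash_file(path, algorithms=DEFAULT_ALGOS):
    """Return {algorithm: hexdigest} for one file, read in chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def build_manifest(directory):
    """Hash every file below a directory; the manifest is the reference record."""
    manifest = {}
    for root, _dirs, files in os.walk(directory):
        for name in sorted(files):
            path = os.path.join(root, name)
            manifest[os.path.relpath(path, directory)] = hash_file(path)
    return manifest


def verify_manifest(directory, manifest):
    """Re-hash the directory and return the sorted relative paths whose hashes
    differ from the manifest, plus files that are missing or newly appeared."""
    current = build_manifest(directory)
    problems = set(manifest) ^ set(current)  # missing or unexpected files
    for rel in set(manifest) & set(current):
        if manifest[rel] != current[rel]:
            problems.add(rel)
    return sorted(problems)


def demo():
    """Constructed scenario: a photo and a backup file are hashed, then one byte
    of the photo is changed. Returns (problems_before, problems_after)."""
    with tempfile.TemporaryDirectory() as workdir:
        photo = os.path.join(workdir, "IMG_0001.jpg")
        backup = os.path.join(workdir, "phone_backup.bin")
        with open(photo, "wb") as fh:
            fh.write(b"\xff\xd8\xff\xe0" + b"\x00" * 64)  # constructed JPEG-like bytes
        with open(backup, "wb") as fh:
            fh.write(b"constructed backup content\n")      # constructed placeholder
        manifest = build_manifest(workdir)
        before = verify_manifest(workdir, manifest)
        with open(photo, "r+b") as fh:  # alter a single byte of the photo
            fh.seek(10)
            fh.write(b"\x01")
        after = verify_manifest(workdir, manifest)
        return before, after


if __name__ == "__main__":
    print(demo())
```

In practice the manifest is written out (for example as JSON) and itself hashed or signed when the evidence is sealed, so that the verification step at a later date compares against a record that cannot have changed silently.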
6. CELL PHONE FORENSICS
'Digital forensics is the examination of hardware or software in the pursuit of evidence to disprove or prove an allegation. Handheld forensics is the examination of hardware and software that are typically an integrated unit in the pursuit of evidence to disprove or prove an allegation' [2]. The main difference between computer forensics and cell phone forensics is that the investigator has to handle a diversity of different hardware and software standards. Besides, mobile phones have their own methods of communication and special data formats and operating systems. The investigation approaches are very diverse and differ a lot from the standard forensic approaches for computers.
6.1 Cell Phone Information
The information that can be obtained from a cell phone depends on the device, manufacturer and model. The date of manufacture is also important, because on old devices the examiner can't find, for example, pictures or movies. Depending on the facts of the case and the device, the following information can be obtained from the phone: phone book with contacts, calendar, notes, voice notes, video, audio, pictures, calls (missed, dialed and received), e-mails, Internet activities, IMEI (International Mobile Equipment Identity) for GSM devices, MEID (Mobile Equipment Identifier) for CDMA devices, games and applications. Text messages can meanwhile be added to this list, because new mobile phones don't save them only on the SIM card but also on the device itself; formerly they were only saved on the SIM card. Especially from pictures, emails, Internet logs, audio data, videos, notes, calendar and call logs an examiner can get very important information about social contacts, offenders, victims, places and activities at a specific time. All this information can be evidence in a forensic investigation.
6.2 SIM Card Information
Different information on the SIM card can be very important for an investigator. Below, some information is listed that is saved by default on a SIM card. This includes the phone book with contacts, as well as received and written messages. Under certain conditions some forensic programs can reconstruct deleted messages. In newer devices, especially text messages and the phone book are no longer saved on the SIM card but in the memory of the device. On some mobile phones the user can choose whether this information shall be saved on the SIM card or on the device. From the phone book and SMS the examiner can get lots of important information, like contacts to other persons, communication traffic, time and date, as well as passwords, the PIN and emails, which can be saved in text messages or phone book entries. Furthermore, received, dialed and missed calls are recorded in a log. These logs can show time, date and communication partner, thus giving hints about persons who may be involved in the case. Otherwise the SIM card mainly stores information about services, networks, and the PIN and PUK code. Other interesting details are: the IMSI (International Mobile Subscriber Identity) is the unique number of a SIM card, which identifies the user towards the mobile phone provider. The IMSI has 15 digits. From these digits an investigator can get the Mobile Country Code (MCC), the Mobile Network Code (MNC) and the Mobile Subscriber Identification Number (MSIN), which is the identification number of a mobile station (the device itself). An example of SIM card information:
IMSI: 262032490071167
MCC: 262 for Germany
MNC: 03 for E-Plus mobile network
MSIN: 2490071167
Otherwise, lots of information can be obtained from the SIM card structure, if the forensic program can read it. Each SIM card has an Integrated Circuit Card Identification (ICCID), which is mostly printed on the SIM card and saved in the memory.
The ICCID is a serial number and has up to 18 digits plus one check digit, which is necessary for error detection and is calculated with the Luhn algorithm. With the check digit, input errors of single digits and transpositions of two digits can be detected [3].
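As an added example (not code from the paper or from any of the tools it names), the following splits an IMSI into MCC, MNC and MSIN as described in section 6.2 and verifies an ICCID check digit with the Luhn algorithm as described above. It also shows why the check digit matters to an examiner who types an ICCID from the card into a report: a single wrong digit or two swapped neighbouring digits changes the check digit. The IMSI is the paper's own example; the ICCID values are constructed for this demonstration. The MNC-length rule is a simplifying assumption: two digits unless the MCC is in the small list of three-digit-MNC country codes given here.

```python
"""IMSI decomposition and ICCID check-digit verification (added example)."""

# Assumption for this example: MNCs are 3 digits for these MCCs (used in North
# America) and 2 digits otherwise. A real tool would carry a full table.
THREE_DIGIT_MNC_MCCS = {"310", "311", "312", "313", "316"}


def parse_imsi(imsi):
    """Split a 15-digit IMSI into (MCC, MNC, MSIN). Raises ValueError on bad input."""
    if not (imsi.isdigit() and len(imsi) == 15):
        raise ValueError("IMSI must be exactly 15 decimal digits")
    mcc = imsi[:3]
    mnc_len = 3 if mcc in THREE_DIGIT_MNC_MCCS else 2
    return mcc, imsi[3:3 + mnc_len], imsi[3 + mnc_len:]


def luhn_check_digit(payload):
    """Compute the Luhn check digit for a digit string that lacks its check digit."""
    if not payload.isdigit():
        raise ValueError("payload must be decimal digits")
    total = 0
    # Walk from the right: the rightmost payload digit is doubled, then every
    # second digit; doubled values above 9 have 9 subtracted.
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def iccid_is_valid(iccid):
    """True if the ICCID is all digits, 19 or 20 characters long, and its last
    digit is the Luhn check digit of the preceding digits.

    The paper describes up to 18 digits plus the check digit; 20-digit ICCIDs
    also exist on some cards, so both lengths are accepted here (assumption)."""
    if not iccid.isdigit() or not 19 <= len(iccid) <= 20:
        return False
    return luhn_check_digit(iccid[:-1]) == iccid[-1]


def describe_sim(imsi, iccid):
    """Return a small dict of the fields an examiner would put in a report."""
    mcc, mnc, msin = parse_imsi(imsi)
    return {
        "mcc": mcc,
        "mnc": mnc,
        "msin": msin,
        "iccid": iccid,
        "iccid_check_digit_ok": iccid_is_valid(iccid),
    }


if __name__ == "__main__":
    # The IMSI is the paper's example; the ICCID is a constructed value.
    print(describe_sim("262032490071167", "8949012345678901237"))
```

Running the block with the paper's IMSI gives MCC 262, MNC 03 and MSIN 2490071167. For the constructed ICCID, swapping the two digits "45" to "54" or changing one digit makes iccid_is_valid return False, which is exactly the transcription error the check digit is there to catch.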
6.3 Different Investigation Approaches
In cell phone forensics there are more options for a forensic analysis, which are based on live and post mortem analysis. There are three types: manual, logical and physical analysis. Physical analysis has three approaches: using hex dumps, memory analysis, or micro analysis with an electron microscope. An overview is shown in Figure 1.
Manual Extraction: The manual analysis is a live analysis in which the examiner goes through the device manually by clicking (with touchscreen or keyboard). That means data are shown on the display of the device and the investigator takes a picture or makes a video of each step and of what is displayed. The advantage of this type of analysis is that it is an easy and fast way to examine and that it can be used on every mobile phone. Furthermore, there is no need for additional cables. The disadvantage is that the examiner can make lots of mistakes, for example through programmed traps, destroyed buttons or wrong navigation settings. Moreover the examiner has to know the language that is used on the phone. Besides, deleted messages and data can't be viewed or recovered.
Figure 1. Pyramid of analysis approaches [1]. From the base to the top: Manual Extraction, Logical Analysis, Hex Dump, Memory Read, Micro Read. Towards the top the analysis is more forensically founded, more technical and more time consuming; towards the base it is less forensically founded, less technical and takes a shorter analysis time.
Logical Analysis: In the logical analysis the mobile phone is connected to a computer. Here the phone is switched on and the connection can be made via Bluetooth, infrared, wireless or USB. On the computer, forensic programs are executed for the investigation of the mobile phone. These programs have access to data, can copy them and sometimes reconstruct them. It is possible to create backup files of the whole phone content. Advantages are a fast, easy and repeatable procedure to get information and data. The programs support different languages and can investigate different areas of the mobile phone. Furthermore, reports can be created automatically from the results of the investigation. Disadvantages of a logical analysis are that many programs can't avoid writing data to the device. Additionally, only a few or no data can be reconstructed. Furthermore, more and different cables are needed to connect different models.
Hex Dump: For the hex dump analysis a flasher box is connected to the mobile phone. By means of commands, an image of the RAM in hexadecimal format is created. Therefore, an analysis close to the system is possible. Compared to other procedures, considerably more deleted data can be reconstructed and more hidden data can be found. A disadvantage of the hex dump analysis is the conversion of the hexadecimal data. Unfortunately, a flasher box supports only some models or can be used only for a few manufacturers. Furthermore, this approach is difficult to use, because the software and source code used in the flasher box are not known and model-specific cables are needed for the connection.
Memory Read: The physical analysis of the memory differs from the hex dump analysis in that a connection is built directly to the memory of the device and no longer to the mobile phone. This bypasses the processor of the device, so that communication with the memory is possible. This method allows extracting almost all data from the phone. Disadvantages are that it is a difficult approach and the examiner needs a high level of technical knowledge. All data found has to be interpreted and, if necessary, converted to make an analysis possible. There is no source code for the examiner, and the cables needed to connect to the device have to be built by the examiner. Besides, the realization is very time consuming.
Micro Read: The micro analysis is an investigation of the memory using an electron microscope. This analysis is one of the most forensically founded approaches, but the usage of an electron microscope is the most difficult, expensive, technical and time consuming approach. Like the physical analysis it is very theoretical, and the data have to be interpreted and converted. This is why this approach is not used very often. The advantage lies in extracting all data, but the negative facts show that it is not of practical use.
In general, during an investigation many things have to receive attention, like data protection rules and the approaches or programs that shall be used. Otherwise evidence can be destroyed. A help for the whole forensic procedure can be the flowchart of Geschonneck in Figure 2.
7. DIFFICULTIES
During a forensic process, different problems very often occur that have to be resolved by the examiner. The diversity of the different models requires many different software, chargers and data cables. Therefore, extensive equipment is needed, which has to be carried to each field operation, and this does not guarantee that every model can be supported. The reason is that new models are permanently released on the market. That is why the examiner always has to keep his equipment up to date, because the needed components are not always found on site. This results in a financial problem and does not exclude that components will be overlooked. In this way investigations are complicated. Similar problems occur with the software used for an analysis. This software has to be updated for each new model by the respective company. An update takes place only after a longer time period, in order to add more than only one new device to the service. As long as the programs are not up to date, the investigator has to use alternative software, and this means losing time for the investigation. Other problems occur during the analysis process, because in general forensic software shall get information out of the device without manipulating the data. This is not always possible. Changes can happen when the phone is switched on or off, as well as when connecting the phone to a computer, which changes the log files. A special difficulty occurs when the phone is switched off, because passwords, PINs or PUKs are needed to switch it on. The authentication code has to be found or requested from the offender. Some passwords can be hacked, as long as there are no restrictions on the input, as in the case of the BlackBerry device. The PIN code can't be recovered from the phone or the SIM card. Anti-forensics is another problem for the examiner, because it can make the forensic investigation process complicated or impossible.
Special tools have been developed that hinder the securing of data and the analysis. The variants of impeding the analysis vary from manipulation of data and deception to deleting or creating false tracks for the examiner. All these impediments can occur during an examination when the device has been manipulated by the user with anti-forensic tools. The investigation of backup files is difficult, because some manufacturers have their own file types and too many different programs are needed for an examination; for example, the BlackBerry uses its own backup file type (IPD).
8. USED PROGRAMS
This section shows some programs that were used for the investigations. These programs are either freeware or demo versions of commercial forensic software.
8.1 Software for Cell Phone Investigation
For the investigations, two different Motorola devices, the V3m and the V3i, and a BlackBerry 8700g device are used. Especially the BlackBerry 8700g, which is not supported by most forensic software products, was one reason why alternative programs were used. The programs BBSAK, ABC Amber BlackBerry Converter, MagicBerry and the Desktop Manager for BlackBerry are used in the forensic approaches to get evidence. The BlackBerry Swiss Army Knife (BBSAK) was needed for a manual analysis of a device. This program has the ability to take screenshots of each active BlackBerry display. This results in a record of the manual analysis. BBSAK provides other options, of which creating a backup of all applications, reading the system and event logs, and creating a dump file of the device are the most interesting and useful.
Because a manual analysis is always coupled with the risk of changing data, an image was created by means of the BlackBerry Manager. The problem with this backup is that it is a special data type that can only be created and used by BlackBerry. Many forensic programs don't support this file type. Good solutions are the ABC Amber BlackBerry Converter and MagicBerry, which can show the information from the IPD format. Both programs show the details of all entries of the backup file in an explorer view. MagicBerry shows only calendar entries, call logs, address book, text messages, tasks and notes. Compared to MagicBerry, the ABC Amber BlackBerry Converter is clearer, shows more data and has more options and settings. MagicBerry is freeware; it is a good program focused on the essential information. These are the two comfortable solutions. Otherwise an IPD file can be opened with a hex editor and searched for information, but this is complicated and very time consuming. The V3i and V3m are analyzed via P2K Tools and P2K Commander. These programs were useless for the V3m, because P2K Commander got no useful results and P2K Tools doesn't support the V3m and always crashed during start-up or when different options were used. P2K Tools and P2K Commander are tools developed by a community for Motorola devices. P2K Commander can access Motorola devices and change entries in the system file structure. This program could show the file structure of the V3m, but all folders were empty, so that no new information could be found. When using P2K Commander for the V3i, it can show the files in the system file structure of the device, so that the entries in the folders could be opened in a hex editor and analyzed. P2K Tools is a collection of different Motorola tools developed by the community. It has a user interface and supports a variety of different functions.
With this tool, general information about the device can be requested, like the IMSI, IMEI or the model type. Other implemented options are showing the system file structure (similar to P2K Commander), web sessions, a terminal for AT commands, text messages, logs, phone book entries and calendar, and the creation of backup files or dump files of the memory. Another program that can create backup and dump files of Motorola devices is Flash&Backup. MOBILedit! Forensic is used for investigations of mobile phones and can also be used for SIM cards. It is a user friendly, clear and easy to use program that detects connected mobile phones supported by this software. After detection of the device, the user has the option to create a backup of the current device. The found device and its content with all data are shown in an explorer view, and the folders can be viewed as under Windows. Depending on the model, the software shows different data like text messages, call logs, calendar entries, address book, notes and the file system. MOBILedit! Forensic, for example, had no access to the file system of the V3m. When trying to open the file system, the software lost the connection to the cell phone. This is a sign that this model is not fully supported. In the full version of the software the user can create a report for each device in different languages. The created report can be saved and printed. Once a backup file of a cell phone has been created, one can search for deleted data with the help of Phone Image Carver. In many samples the demo version could find some deleted pictures, messages and other data, which could be shown and reconstructed partially or totally. Here, data like PDF or DOC files can only be viewed and saved on the computer in the full version of the software. The programs used all have advantages and disadvantages, whereby MOBILedit! Forensic, P2K Tools and ABC Amber BlackBerry Converter are good programs that can be used for an investigation. P2K Tools, for example, is a good collection of useful programs for an investigation of Motorola devices, as long as the devices are supported. MOBILedit! Forensic is very fast, user friendly and easy to use, with good results. ABC Amber BlackBerry Converter is currently even the only good solution to analyze and evaluate backup files of a BlackBerry with good results. BBSAK and P2K Commander cannot be recommended, because these programs change the log file of the BlackBerry during each function call. That is why they are more programs for a general user. P2K Commander is a good tool to show the system folder structure of a Motorola device, though many data could not be shown in clear text.
8.2 Software for SIM Card Investigation
Many programs can read and analyze mobile phones and can read text messages and address books, but do not extract information from the SIM card file structure.
SPIE-IS&T/ Vol. 7881 78810Q-8
Some investigations were made with freely usable programs such as SIMspy2, Tulp2G and UndeleteSMS, and with commercial programs such as SIMCon and CPA SIM Analyser. The software SIMspy2 and SIMCon can show the whole data structure of the SIM card, whereby SIMCon shows substantially more entries, because in SIMspy2 not all areas are fully implemented. SIMCon can view general information such as the ICCID, IMSI, provider, phase and other important details. All these results can be saved as a report or printed with SIMCon; these functions are not included in SIMspy2. CPA SIM Analyser and Tulp2G are comparable, because both programs can create very detailed, simple and clear reports, and the creation of reports is similar. If the right templates are chosen, Tulp2G can analyze and create reports for SIM cards as well as for mobile phones. Both programs first ask for the PIN or PUK code before an investigation starts and show how many tries are left for the PIN and PUK codes. That helps an examiner, because when no tries are left an examination of a SIM card is useless. The PIN or PUK has to be entered correctly or the analysis cannot be continued. After this, further settings are requested, which are mainly used for the final report in CPA SIM Analyser. That means information about the case is requested, can be entered in different forms and is carried over into the report when it is created. After choosing some settings and entering the correct PIN, the analysis process can continue. The final report is created and contains general information about the SIM card and entries about text messages, phone book entries, call protocols, ICCID, IMEI, provider, memory capacity and phases, whereby the CPA SIM Analyser contains a little more information than Tulp2G, plus the details added by the user before the investigation. In the examination not all text messages were shown and decoded correctly in the CPA SIM Analyser.
This means that in some messages letters were missing, perhaps because only a demo version of the CPA SIM Analyser was used. As another representative of commercial programs, SIM Manager 2 was chosen because this program can show deleted text messages for a few SIM cards. Otherwise this software is more useful for a general user, because it is made for copying data from the SIM card and saving or changing data on the SIM card. It is simply built, with a user interface, and can read only a little general information from the SIM card after successful PIN input. An examiner can obtain information on providers, text messages, phone book entries and some call protocol entries. Finally, a program called UndeleteSMS was tested, which can show deleted messages of some SIM cards. This depends on the SIM card type used (similar to SIM Manager 2). It is a program that runs in a terminal without any user interface. The results of UndeleteSMS vary widely: a) no report or possibility to read information; b) only a list showing that there are deleted messages, but without the content; c) the content of the deleted messages in a list with the phone number and date. The content of text messages is shown rarely. Of all the programs used for SIM card analysis, SIMCon, CPA SIM Analyser and Tulp2G are very suitable for forensic investigations, since they have options to create reports. Tables 1 and 2 summarize the results of the tests.
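The ICCID and IMSI that every tool above reports are read from two elementary files on the card, EF_ICCID and EF_IMSI, which store the digits as nibble-swapped BCD. The following example, added here and not part of the paper or of any tool it tests, decodes both files so that a tool's output can be checked against the raw bytes; the sample file contents are constructed for this example and belong to no real card.

```python
"""Decode the raw SIM elementary files EF_ICCID (10 bytes) and EF_IMSI (9 bytes).
Both use nibble-swapped BCD (low nibble first) as laid out in 3GPP TS 51.011;
unused nibbles are padded with 0xF. Sample bytes below are constructed."""

BCD_FILLER = 0xF


def swapped_bcd_digits(data: bytes) -> str:
    """Return the decimal digits of nibble-swapped BCD, skipping filler nibbles."""
    digits = []
    for byte in data:
        for nibble in (byte & 0x0F, byte >> 4):
            if nibble == BCD_FILLER:
                continue
            if nibble > 9:
                raise ValueError(f"invalid BCD nibble {nibble:#x}")
            digits.append(str(nibble))
    return "".join(digits)


def decode_iccid(ef_iccid: bytes) -> str:
    """EF_ICCID holds up to 20 digits; a 19-digit ICCID ends with an F filler."""
    if len(ef_iccid) != 10:
        raise ValueError("EF_ICCID must be 10 bytes")
    return swapped_bcd_digits(ef_iccid)


def decode_imsi(ef_imsi: bytes) -> str:
    """EF_IMSI: byte 1 = length, byte 2 = parity flag (bit 4) plus first digit
    in the high nibble, remaining digits as swapped BCD."""
    if len(ef_imsi) != 9:
        raise ValueError("EF_IMSI must be 9 bytes")
    length = ef_imsi[0]
    if not 1 <= length <= 8:
        raise ValueError(f"implausible IMSI length byte {length}")
    body = ef_imsi[1:1 + length]
    odd_digit_count = bool(body[0] & 0x08)
    first = body[0] >> 4
    if first > 9:
        raise ValueError("invalid first IMSI digit")
    digits = str(first) + swapped_bcd_digits(body[1:])
    expected = 2 * length - 1 if odd_digit_count else 2 * length - 2
    if len(digits) != expected:
        raise ValueError("IMSI length/parity mismatch: possible garbled read")
    return digits


# Constructed sample file contents (not from any real card)
SAMPLE_EF_ICCID = bytes.fromhex("98941000214365870921")  # ICCID 89490100123456789012
SAMPLE_EF_IMSI = bytes.fromhex("082926102143658709")     # IMSI 262011234567890

if __name__ == "__main__":
    print("ICCID:", decode_iccid(SAMPLE_EF_ICCID))
    print("IMSI: ", decode_imsi(SAMPLE_EF_IMSI))
```

A length/parity mismatch in EF_IMSI is a useful sanity check when a tool shows a truncated or oddly padded IMSI.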
9. CONCLUSION
Meanwhile a huge diversity of programs for the investigation of mobile phones and SIM cards is available on the market. That is why only a few programs could be tested. The programs differ from each other only in some functions, settings and in the results. Commercial programs generally support more devices, have more functions and get more information out of the devices. It is possible to use freeware for an investigation, but then the examiner needs more programs for an examination to obtain a wider range of evidence. Some of the tested freeware is only usable by mobile phone users to read and change details of their own phone. Therefore, these programs should be known to an examiner in order to understand the functionalities and the possibilities for the user to alter evidence. This knowledge is helpful for finding hints of manipulation or hiding of data.
10. PROSPECT
As Steve Jobs said on June 2, 2010, tablet PCs like the iPad will be the notebooks of the future, and fewer people will use a normal computer, only for special applications [4]. Mobile phones hold more and more functions and can already do what a computer can do. The borders between cell phones and computers are disappearing more and more. Therefore, more options exist to use the mobile phone for criminal actions. Almost everyone owns a cell phone and saves lots of information, which can be important for a criminal act. It can be assumed that the manufacturers will agree on standards for equipment, system ports and data formats. This is promoted because more and more mobile phones are able to use the Internet, and smartphones use operating systems which are more similar to a computer system. Other companies use these operating systems to develop applications. Through the growth of functions the probability of attacks on a cell phone is higher, which means more viruses, worms, trojans, etc. will exist and an investigator has to handle them. That is why many forensic scientists will be needed in the future. Already today there is not enough qualified staff available for forensic investigations. It is worth continuing research in this area, because there will be enough challenges in the future and enough work for forensic investigations.
ACKNOWLEDGEMENTS
Special thanks to Karl Kümmel (M. Sc.) and Thomas Höne (B. Sc.), who helped us during the writing of this paper and with the practical experiments.
References
[1] Brothers, S., "How cell phone forensic tools actually work (proposed leveling)", 2008.
[2] Cohen, T. and Schroader, A., Alternate Data Storage Forensics, Syngress Publishing, Inc., 2007.
[3] Elatec, "Introduction to SIM cards", Presentation, 2007.
[4] Fried, I. and Kaden, J., "Steve Jobs: Das Ende des PC-Zeitalters ist nah", ZDNet, June 2010.
[5] Höne, Th., "iPhone-Forensik mit MAC OS X basierten Open-Source-Anwendungen", Bachelor Thesis, Fachhochschule Brandenburg - University of Applied Sciences, Brandenburg (Germany), 2010.
[6] Geschonneck, A., Computerforensik: Computerstraftaten erkennen, ermitteln, aufklären, ISBN 0596153589, O'Reilly, 2008.
[7] IT-Wissen - IT-Lexikon, "IT-Wissen - IT-Lexikon für Internet, Telekommunikation, Software und Elektronik" (in German), Internet, July 2010.
[8] Jansen, W. and Ayers, R., "Guidelines on cell phone forensics", Special Publication 800-101, National Institute of Standards and Technology, April 2007, sponsored by the Department of Homeland Security.
[9] Kowalk, W., "Rechnernetze - GSM", 2002.
[10] Luttenberger, S., "Forensik ausgewählter mobiler Endgeräte", Bachelor Thesis, Fachhochschule Brandenburg - University of Applied Sciences, Brandenburg (Germany), 2010.
[11] Melzer, R., "Deutschland: Mobilfunkanschlüsse stiegen 2009 auf 108,3 Millionen", Internet, March 2010.
[12] Bhadsavle, N. and Wang, J. A., "Validating Tools for Cell Phone Forensics", Southern Polytechnic State University, Technical Report CISE-CSE-08-05, May 2008.
[13] Volonino, L. and Anzaldua, R., Computer Forensics For Dummies, Wiley Publishing, Inc., 2008.
[14] Jansen, W. and Ayers, R., "Forensic Software Tools for Cell Phone - Subscriber Identity Modules", National Institute of Standards and Technology, Technical Report CISE-CSE-08-05, 2006.
[15] Wölfle, R. D., "Elektrosmoginfo - die EMVU-Informationsseite von Dipl.-Ing. Ralf Dieter Wölfle", 2007.
Table 1. Freeware for reading SIM cards
Columns: Messages; Reports; Address book; Call protocols; Network information; Display PIN/PUK tries; General information; Use of hash codes.
Tulp2G: Messages: SMS with status, text, service station, sender, date (in report); Reports: yes, as XML; Address book: in report; Call protocols: in report; Network information: forbidden and licensed provider, last connection, preferred provider; Display PIN/PUK tries: yes; General information: yes, e.g. ICCID, IMSI, provider, service status; Use of hash codes: in report.
SIMspy: Messages: SMS with text, sender; Reports: no; Address book: yes; Call protocols: yes; Network information: forbidden and licensed provider, last connection (without provider name); Display PIN/PUK tries: yes; General information: ICCID, IMSI, provider; Use of hash codes: no.
UndeleteSMS: Messages: only deleted SMS with partial text, sender, service station, status; Reports: no; Address book: no; Call protocols: no; Network information: no; Display PIN/PUK tries: no; General information: no; Use of hash codes: no.
Table 2. Commercial software for reading SIM cards
Columns: Messages; Report; Address book; Call protocols; Network information; Display PIN/PUK tries; General information; Use of hash codes.
CPA SIM Analyser: Messages: SMS with status, text, service station, sender (in report); Report: yes, as rtf file; Address book: in report; Call protocols: in report; Network information: forbidden and licensed provider, last connection, preferred provider; Display PIN/PUK tries: yes; General information: yes, e.g. ICCID, IMSI, provider, memory capacity, phase; Use of hash codes: in report.
SIM Manager 2: Messages: SMS with status, text, sender, service station, date, partial deleted SMS; Report: no; Address book: yes; Call protocols: yes; Network information: forbidden and licensed provider, last connection; Display PIN/PUK tries: yes; General information: ICCID, IMSI, provider, phase; Use of hash codes: no.
SIMCon: Messages: SMS with status, text, sender, service station, date; Report: yes, without special file type; Address book: yes; Call protocols: yes; Network information: forbidden and licensed provider, last connection, preferred provider; Display PIN/PUK tries: yes; General information: ICCID, IMSI, provider, phase; Use of hash codes: yes, for each entry/file.
Figure 2. Flowchart of Geschonneck for preservation of mobile devices [5]