14 MOBILE DEVICE FORENSICS

If extraterrestrials arrived on planet Earth tomorrow morning to study humans, they could be forgiven for thinking that we somehow need our mobile phones for us to remain conscious. In the smartphone era it is rare to find a person without a device in hand, or at least very close by at all times. I’m guilty of using my phone constantly, and you could very well be too. The impact of this from a digital evidence perspective is that more important evidence is moving off our traditional devices, like laptop and desktop machines, and finding its way onto our mobile devices. Photographs, messages, emails, app data that covers every facet of our lives, and even location data that shows where we were physically at a given moment, can all be found on our mobile devices. Just as the sensitivity of the data on these devices has increased, so too has the quality of the measures employed to protect it. Full device encryption is standard on most devices, biometric authentication is well established, and the ability to remotely wipe data from a device from the other side of the world is an expected feature. This has resulted in a situation whereby investigators have to put on their creative hats once again.

The global smartphone market is dominated by two names: Apple’s iPhone and closed-source iOS operating system, and Google’s Android operating system, which is used by a variety of manufacturers, notably Samsung, Huawei and Google themselves. Smartphones are of particular interest to us, and are the focus of this chapter, since their functionality and performance is more likely to elevate them to the status of ‘laptop replacement’ devices, and thus they’re more likely to contain that range of evidence discussed earlier. ‘Traditional’ mobile phones shouldn’t be completely shunned, though. Cheap throwaway devices can be bought with cash, and provide a suspect with a degree of deniability when used in support of a crime. If any type of device provides an opportunity for people to store data on it, you can rest assured that people will store data on it, knowingly or not. The term ‘mobile device’ can be broadly applied to other equipment, including tablets, satellite navigation equipment and wearable computers like fitness trackers or smart watches. If it’s any kind of computer that moves, and is relevant to the investigation, we should attempt to seize it.

MOBILE PHONE TERMINOLOGY

Usability is highly important in mobile devices, which is why, when compared to traditional laptop and desktop devices, they tend to require a lot less maintenance. You will typically get hardware and software that is designed together, and therefore the maintenance of such devices requires a lot less manual intervention. A side effect of this usability is that many people don’t realise that the modern smartphone is a full-blown computer, just in a smaller form. As such, they don’t realise that the threat surface of their mobile device is comprised of the same risks as traditional computers – mobile malware and client-side attacks specifically for mobile devices, to name but a couple of examples.

When a person buys a new mobile device, in a retail setting or online, the setup activity is minimal. Typically, a SIM card has to be installed, if it’s not already pre-installed, and then the device must be activated, which can be done online without further human interaction. In the store an employee will usually do all this for you. Then you’re free to go about your day with your new device. In the vast majority of cases, the next time you’ll be back at the store will be when you become eligible for an upgrade and are ready for a new device, or if your phone suffers some unfortunate screen-shattering fate along the way. This whole experience means that even though we’re using our phones more than ever, we’re probably further abstracted from the underlying technologies than ever before. Given this, we should take a moment to recap some of the underlying technology concepts that keep us glued to our phones.

Cellular networks

Before we even get to mobile phone devices, we have to have a significant cellular communications infrastructure in place to make them useful. A telecommunications service provider is responsible for maintaining this infrastructure. Cellular radio towers are dotted across an area in a pattern that uses directional antennas to ensure maximum coverage. In a city a cell tower is typically able to provide up to half a mile of coverage, whereas in more rural areas, with fewer people and obstacles, a single tower can provide many miles of coverage.

The earliest cellular networks used analogue radio signals, which provided only voice support and offered nothing in the way of security. A simple radio scanner could be used to listen to calls. Nowadays those signals are digital, and have seen multiple enhancements in both performance and security over the years. The majority of cellular networks these days are built on third- or fourth-generation technologies. The Universal Mobile Telecommunications System (UMTS) is the third-generation (3G) technology, and supports voice, text and data at speeds of at least 144 kbps, with actual speeds typically being higher. Long-Term Evolution (LTE) is the fourth-generation technology, which uses IP packets rather than the cellular-specific packet-switching network technologies seen in previous generations. With speeds of up to 300 Mbps possible, some people are perfectly happy with a 4G LTE connection being their only source of personal internet connectivity.

From an investigative perspective, cellular networks can be extremely valuable sources of information. To support an investigation, telecommunications service providers can provide call detail records listing a subscriber’s call activity during a given time period. Additionally, each time a phone registers with a given cell tower, either because it has been powered on or simply because it has moved around, the telecommunications service provider can use this information to provide a rough location for the device. Both of these use cases require that the appropriate legal authorisation has been obtained.

SIM cards

The Subscriber Identity Module (SIM) is a small removable chip that contains details pertaining to the identity of a phone. The SIM is used to store a number of important identification numbers and authentication codes.

IMSI

The International Mobile Subscriber Identity (IMSI) uniquely identifies a user of a cellular network. These numbers are a maximum of 15 digits in length and are made of codes that represent the home country and issuer of the device, along with a unique code to identify the subscriber’s account. The IMSI is then used by the telecommunications service provider to route calls to the correct person. Given that the IMSI is a sensitive piece of information (it could be used to eavesdrop if compromised) it is sent only rarely. After an initial IMSI exchange, a temporary version called a TMSI (the T stands for temporary) is created and used in most exchanges.

Devices called IMSI catchers can be used to compromise transmissions between a mobile device and a cellular network, and work by performing a man-in-the-middle attack against the mobile device. Posing as the closest nearby cell tower, the IMSI catcher will trick the device into connecting to it. It then sends a special request asking for the IMSI to be sent from the device. The catcher can then act as a proxy between the device and the legitimate cellular network. Using encryption downgrade techniques the catcher can then eavesdrop on voice calls and intercept data. IMSI catchers are used by both law enforcement and intelligence agencies during their investigations.

PIN and PUK codes

SIM cards can store authentication codes that provide an additional layer of protection against SIM misuse. A SIM card with a PIN code set will require that same PIN to be entered to ‘unlock’ the card in order to make calls or send data over a cellular network. Given that the PIN is stored on the card, rather than in the device, that same PIN will need to be entered on any device in which the SIM card is used. A three-attempt lockout policy is in place for SIM PINs: if the wrong PIN code is entered three or more times in a row the card will remain locked; a second code is needed to unlock it from this point.

That second code is known as a personal unblocking key (PUK). These are obtained from the provider who sold the SIM card, typically through a web interface, and are the master key for the SIM card. If a PUK is entered 10 times or more incorrectly then it’s game over for that SIM card. It will remain forever locked, and a replacement would need to be sought.

It is important to remember that a SIM PIN is different from a device PIN that can be set as part of a mobile operating system. Therefore, a device PIN may or may not have a lockout policy or, more worryingly from a preservation perspective, a device-wipe policy.

IMEI

The International Mobile Equipment Identity (IMEI) is a unique number given to a mobile device, as opposed to the subscriber (IMSI). The number is 15 or 16 digits in length and comprised of numerical sequences that can identify the manufacturer of the device, where the device was built, and of course the specific device itself.
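The IMSI and IMEI structures described in this and the earlier IMSI section can be checked programmatically. The following is an added example, not code from the book: it splits an IMEI into its Type Allocation Code, serial and check digit (validating the check digit with the Luhn algorithm) and splits an IMSI into MCC, MNC and MSIN. The sample identifiers are constructed for illustration and do not belong to a real device or subscriber.

```python
"""Parse and sanity-check IMEI and IMSI values recovered during an examination.

Added example, not from the book. An IMEI is 14 digits plus a Luhn check
digit (15 in total); the first 8 digits are the Type Allocation Code (TAC),
which identifies manufacturer and model (older TACs embedded a Final
Assembly Code for the factory), and the next 6 are the unit's serial number.
A 16-digit IMEISV carries no check digit; its last two digits are a software
version number. An IMSI is a 3-digit Mobile Country Code (MCC), a 2- or
3-digit Mobile Network Code (MNC, length depends on the country) and the
subscriber's MSIN, 15 digits at most.
"""
from typing import Dict, Optional


def luhn_check_digit(digits: str) -> int:
    """Return the Luhn check digit that would follow `digits` (the 14-digit IMEI body)."""
    total = 0
    # Walk right to left. The rightmost body digit is doubled because it will sit
    # second from the right once the check digit is appended.
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def parse_imei(value: str) -> Dict[str, Optional[object]]:
    """Split an IMEI or IMEISV (separators such as '-' or ' ' are ignored)."""
    digits = "".join(ch for ch in value if ch.isdigit())
    if len(digits) == 15:
        body, check, svn = digits[:14], int(digits[14]), None
        luhn_valid: Optional[bool] = luhn_check_digit(body) == check
    elif len(digits) == 16:
        body, check, svn = digits[:14], None, digits[14:]
        luhn_valid = None  # IMEISV has no check digit to verify
    else:
        raise ValueError(f"expected 15 (IMEI) or 16 (IMEISV) digits, got {len(digits)}")
    return {
        "tac": body[:8],
        "serial": body[8:14],
        "check_digit": check,
        "software_version": svn,
        "luhn_valid": luhn_valid,
    }


def parse_imsi(value: str, mnc_digits: int = 2) -> Dict[str, str]:
    """Split an IMSI into MCC, MNC and MSIN.

    The MNC length is country dependent (for example North American MCCs use
    3 digits), so the caller must supply it from an MCC lookup; 2 is the default.
    """
    digits = "".join(ch for ch in value if ch.isdigit())
    if mnc_digits not in (2, 3):
        raise ValueError("MNC is 2 or 3 digits")
    if not 3 + mnc_digits < len(digits) <= 15:
        raise ValueError(f"IMSI must be between {4 + mnc_digits} and 15 digits, got {len(digits)}")
    return {
        "mcc": digits[:3],
        "mnc": digits[3:3 + mnc_digits],
        "msin": digits[3 + mnc_digits:],
    }


if __name__ == "__main__":
    # Constructed sample values, not real identifiers.
    print(parse_imei("49-015420-323751-8"))
    print(parse_imei("4901542032375101"))
    print(parse_imsi("310260123456789", mnc_digits=3))
```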

In the UK and various other countries IMEI blacklisting is used to prevent devices that have been reported as stolen from connecting to cellular networks. In practice this means that a stolen device, even with a new SIM card, would be unable to make voice calls, decreasing its value. While the IMEI blocking technique undoubtedly helps, like every technical security control it is subject to constant attack. There are plenty of tools out there that allow an IMEI number to be changed, even though the act of doing so might be explicitly outlawed in some jurisdictions.

SEIZING MOBILE DEVICES

When an investigator makes a determination that a mobile device could contain evidence pertaining to an investigation, and has the legal authority to seize a device, the specific actions they take can vary depending on the state of the device at that particular moment.

Powered on and unlocked

By far the most ideal scenario, and therefore the least likely to materialise (this work makes you a little cynical, if I didn’t already mention that), would be if a device is found at a crime scene, powered on and completely unlocked. In this case the investigator’s aim would be to keep the device running as long as possible and prevent it from locking. A couple of useful but entirely non-specialised tools can help with this particular endeavour. If you’ve ever walked around any sort of information technology event where there is a vendor hall, such as a security conference, you can probably find both of these things available for free as promotional gifts handed out by the vendors. The first is a battery backup for a mobile device. These are typically small tube-like objects with a couple of USB ports on them, one for charging the battery and one for charging the device. The second is a device known colloquially as a ‘USB condom’. These devices attach to a USB type A connector, often found on one end of a smartphone charging cable, and are actually little write blockers that allow USB power to flow through the cable but provide a physical barrier between the cable’s data connectors. The idea is that you use them to protect your own devices from being accessed via the cable, when charging up at an airport for instance, but they work just as well in forensics settings.

Once the device is stabilised with power, all network connectivity should be removed. As the device is unlocked, this could theoretically be done by way of direct manipulation of the operating system settings – enabling aeroplane mode, for example. However, this isn’t without risk. Making changes to the device settings, of course, directly affects the original evidence source, which is contrary to digital forensics principles. It also provides the phone with a chance to register a change that could indicate that it has fallen into someone else’s hands – a software kill switch that knows to wipe the device if aeroplane mode is enabled, for instance. It’s not likely in the majority of cases, but if a suspect were technically savvy enough, why not? For these reasons, a tried and tested method is to place the device in an RF-shielded bag that blocks the cellular and Wi-Fi signals from communicating with the device in a more natural ‘out of range’ manner. We do this, of course, to protect against remote manipulation, such as a suspect running a remote wipe on the device.

Finally, before we are ready to acquire the device we should prepare it for acquisition by enabling any USB debugging features, such as those found in the Android operating system. These features allow the device to communicate directly with a computer running the Android Software Development Kit, and as a result open up more options for Android acquisition tools. The investigator should also check whether or not a passcode is present on the device. If it is, and can be removed by the investigator, then it should be. As always, the investigator should detail the actions they take while removing the passcode. If a passcode cannot be removed then emphasis will shift to a manual examination.

Powered on and locked

This is the most likely condition for a mobile device at a crime scene and, in the case of a modern mobile device, one of the most challenging to deal with. Most modern devices require the phone to be unlocked by way of a passcode before attempting any sort of physical or logical acquisition. Without that code we essentially have a brick containing garbage data that will never be of any use to us. As with any rule there are exceptions, but those exceptions usually come at some significant cost – a commercialised zero-day vulnerability that can bypass the lock code of a smartphone could easily have a price tag in the millions of pounds.

So, do we just give up? No, of course not, that’s not how we operate. Let’s look at one potential way around this problem. Because our phones have become so important, we tend to back them up to another location, either to a cloud backup service or to another device. While a phone may be encrypted, there’s no guarantee that the backup is. I’ve personally found entire backups of otherwise encrypted devices on seized laptops. Those backups contain pretty much all the same information as on the phone. They are taken at the logical level rather than being a physical image, so no slack space to carve, but given that we were faced with being locked out completely a few moments ago, we’ll take it.

Thanks to cloud technologies our devices have been afforded more opportunity to present a unified front than ever before. Within the Apple ecosystem it is possible for all devices to run on their iCloud platform, meaning that a message sent to an iPhone can be viewed on a user’s laptop, tablet and desktop machine all at the same time. Those messages may live in the cloud, but content is downloaded to the local machine for performance reasons. Therefore, we could very easily gain indirect access to content through this vector.

A powered-off device

Devices should initially be kept powered off if they are found in that condition prior to an attempt at physical acquisition. If physical acquisition is found to be a non-viable option then the device should be powered on, again in a network-isolated condition. The next steps will then be determined based on the lock status of the device.

Damaged

Everyone knows at least one friend who has a mobile phone with a perennially cracked screen. These things go everywhere and get dropped or otherwise mistreated at a consistent rate. Given this, what if a device cannot actually be powered up because it is so damaged? Techniques exist that may be the only option for forensic acquisition, and these are aimed at the chips and circuits within the device itself.

JTAG

An industry group known as the Joint Test Action Group (JTAG) was responsible for inventing a method for testing printed circuit boards in the 1980s that has forensics use cases to this day. A JTAG debug port may be included on a device’s circuitry, and trained investigators can use this port, some solder and some specialised tools to instruct the phone’s CPU to offload data found within its memory chips. Using this method it can be possible to obtain a full physical image of a mobile device, no passcode or working screen required.

This may sound remarkable, but don’t forget that this isn’t without its limitations. First, the device must have a JTAG port to start with. You can find these on Android phones, but you’ll never find them on an iPhone. Secondly, it’s extremely labour intensive. Also, if the device is encrypted then that physical image will also be encrypted, so you’d still need to know the passcode to get at the majority of the useful information.

Chip off

A chip-off method can also be used to recover data from mobile devices. This method requires removing a memory chip from the smartphone (i.e. taking the chip off) and placing it on a donor board, with the goal of using software on that board to access the data in the chip. The donor board is essentially an external reader that allows the investigator to read the contents of the memory chip directly. Again, it’s a relatively painstaking process, requires specialised equipment and could be undone by device encryption. That said, it might be the only option available.

ACQUISITION TYPES AND TOOLS

A number of different mobile device acquisition techniques were alluded to in the previous section, namely manual, logical and physical. Let’s take a look at each of these, and the tools that can be used to perform them.

Manual acquisition

An acquisition technique used by forensic investigators and concerned spouses alike, manual acquisition simply means scrolling through the contents of a phone and looking to see what you can see. Unlike the concerned spouse, a forensic investigator will typically film this entire process to create a record of the actions they took when acquiring the evidence. This approach has the advantage of requiring no special tools, simply using the operating system on the phone to access data as anyone would. The primary disadvantage is that the investigator is limited to accessing files and information that are visible to the operating system – no deleted files can be accessed, for example.

The Paraben PAP 8000 is a video camera designed specifically for forensics investigations. It allows the examiner to place the phone on an area that is exactly the correct distance from the camera.

Logical acquisition

This approach to acquisition results in a bit-by-bit copy of a device’s file system, and thus contains only those files that are in allocated space. This, of course, is another way of saying that any deleted files in slack space will not be included in the image.

Logical images of phones can be acquired in a couple of different ways, using specialised and not-so-specialised tools. A device backup image, such as those created by iTunes in the case of the iPhone, would be considered a logically acquired image. Forensics suites such as Cellebrite’s UFED [60] and Paraben’s E3: DS [61] are designed to perform logical acquisitions by using the device manufacturer’s APIs for exchanging data over a cable. The forensics software installed on the investigator’s machine will communicate with the phone and build the image from the data that is returned.

Despite its limitations, a logical image will have an associated structure thanks to the file system, and therefore will be easier to examine when compared to working with a full physical image.

Physical acquisition

This is the mobile equivalent of taking a desktop hard drive and connecting to a write blocker for imaging. A full bit-by-bit image of a device, including slack space, is created during a physical acquisition. Unlike the desktop, however, there are no hard disks in a mobile phone that you can simply remove and attach to the write blocker. Instead, physical acquisitions are typically performed by using a custom boot loader developed specifically for forensics usage and bundled with a mobile forensics suite.

The commercial UFED suite of mobile device forensics tools developed by Cellebrite is a prime example of a tool that uses a custom boot loader. To perform a physical acquisition of an Android device the tool uses a cable connection to inject a custom boot loader. It then requires the examiner to install a blank SD card to which the contents of the phone will be imaged.

Removable media

Should a device feature removable media such as a Micro SD card for additional storage, it should be acquired using the best available method. That would typically be a full physical image; however, if the card is encrypted then a logical image from the operating system’s mounted volume perspective would be likely to be a more fruitful approach.

Acquisition of SIM data

Data can be acquired directly from a SIM card using a hardware SIM card reader and a software tool that understands the data structures on the SIM card. AccessData’s Mobile Phone Examiner+ is one such software tool that can perform this function. The data found in SIM cards includes the IMSI and TMSI, as well as information regarding recent calls.


A few years back I worked on an incident that would be solved by evidence found on a mobile phone. A former employee of an organisation was suspected of using their historical access to manipulate data in a financial system. The former employee had not left the company on good terms, and it was suspected that they were messing with the data as an act of revenge.

Passwords had been changed, but still the employee had a way into the system. After some digging it was determined that an Oauth token had persisted on the employee’s mobile device, meaning that access to the financial system had remained intact. The financial system used a globally unique identifier (GUID) for mobile devices that was stored both in log files in the application and on the device itself.

As the investigation closed in on the suspect, a warrant was issued to seize all computer equipment owned by them, including mobile devices. The mobile device was forensically acquired, and shortly afterwards, during analysis, that unique identifier was found in the app data, meaning the manipulation could be traced back to the device. Case closed!

SMARTPHONES

Given that the majority of devices we’ll run into in the field these days are smartphones, we should be especially well versed in both Apple iOS and Android. I would be remiss if I didn’t mention the fact that there are, of course, other smartphone operating systems out there, such as Windows Mobile and Blackberry OS, but only one of those is currently supported (Windows) and, unlike in the desktop space, the Windows Mobile market share is low. With this in mind, the balance of probabilities would suggest that you’ll find an Apple or Android device at a scene where a smartphone is involved.

Android

In the world of smartphones the market share belongs to Android. Developed by Google based on the Linux kernel, the Android operating system is an open-source project used by many manufacturers. Those manufacturers will typically add proprietary code to the official Android distribution in order to add their own features to the devices they sell.

True open-source spins of Android that have been developed by the open-source community do exist, and are designed for users who wish to be free of any proprietary code. Along these lines, a community has grown up who create software to ‘root’ Android phones. Rooting an Android phone involves using a custom boot loader to obtain root access to the device.


A boot loader is a program that loads a computer’s operating system.

By using a custom boot loader it is possible to load the operating system with additional components and in a different configuration to allow different types of access to the device beyond those afforded by the standard boot loader shipped with a device. Since the operating system is Linux based, the root account has all the power that a root user on a server would have. Most Android devices allow for rooting because they don’t ship with locked boot loaders. It is therefore something to be mindful of when working with an Android device. A rooted device would make it easier for that phone’s owner to run anti-forensic tools.

Owing again to its Linux heritage, analysis of an Android device has a very similar feel to examining any other Linux machine. Elements of the Linux Filesystem Hierarchy Standard (FHS) can be seen when analysing a logical device image. Thanks to this standard the file system layout is roughly the same between devices, but there is always the possibility of slight variations.

/data – contains user-generated data, including apps installed by a user. You’ll also find key databases, in SQLite format, containing call logs and SMS messages. This is probably the most important location when it comes to forensic artefacts.

/system – contains operating system device files.

/sdcard – the mount point of the removable SD card.

Apple

Apple’s iOS is the closed-source operating system for their iPhone and iPad devices. Like macOS, it is a Unix-like operating system derived from the open-source Darwin operating system. Apple maintains strict control over which apps can run on iOS through code signing and various other security features, which led to a movement in the early days of the operating system to create so-called jailbreaks. These use kernel patches to achieve root-level access to the devices to bypass Apple’s security controls and install unsigned third-party software.

In the arms race between Apple and the jailbreaking community the tide seems to have swung in Apple’s favour, with the most recent versions of iOS having escaped unbroken owing to improvements in security controls and a less active jailbreaking scene. What this means from our perspective is that iOS devices are extremely predictable. The iOS file system layout on one device will exactly match that on another. This predictability means that we can very easily visit common locations for forensic artefacts.

iOS stores the majority of useful forensic data in databases and .plist files (a property list, just like in macOS). Because iOS is Unix based it uses a Unix file structure and, as of 2017, the APFS file system. Some commonly reviewed locations in investigations include:

/Library/CallHistory/call_history.db – contains call history records;

/Library/SMS/sms.db – contains SMS messages;

/Library/SMS/Attachments/ – contains attachment files;

/Library/Safari/ – contains various Safari browser logs.
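The Android /data databases and the iOS call_history.db and sms.db files listed above are SQLite, and the most common mistake when reading them is the timestamp format: Android call logs store Unix time in milliseconds, whereas iOS stores seconds since 1 January 2001 (the ‘Cocoa’ epoch), with newer iOS versions storing nanoseconds since that epoch. The following added example (not from the book) normalises both into a single UTC timeline. It assumes the real column names (Android calls: number, date, duration, type; iOS message: ROWID, text, date, is_from_me) but builds both databases in memory with a simplified schema and constructed rows so it runs offline.

```python
"""Normalise Android and iOS SQLite timestamps into one UTC timeline.

Added example, not from the book. The two databases are constructed in
memory with simplified schemas; the rows, numbers and messages are invented.
"""
import sqlite3
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)
# Call type codes used by the Android call log provider.
ANDROID_CALL_TYPES = {1: "incoming", 2: "outgoing", 3: "missed"}


def android_ts(ms: int) -> datetime:
    """Android call log 'date' column: milliseconds since the Unix epoch."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def ios_ts(raw: int) -> datetime:
    """iOS 'date' column: seconds since 2001-01-01 on older versions,
    nanoseconds since 2001-01-01 on newer ones. A seconds value can never
    plausibly exceed 1e11 (over 3,000 years), so larger values are treated
    as nanoseconds."""
    seconds = raw / 1_000_000_000 if raw > 10**11 else raw
    return COCOA_EPOCH + timedelta(seconds=seconds)


def build_sample_databases() -> Tuple[sqlite3.Connection, sqlite3.Connection]:
    """Constructed stand-ins for an Android call log and an iOS sms.db."""
    android = sqlite3.connect(":memory:")
    android.execute(
        "CREATE TABLE calls (_id INTEGER PRIMARY KEY, number TEXT, "
        "date INTEGER, duration INTEGER, type INTEGER)"
    )
    android.executemany("INSERT INTO calls VALUES (?, ?, ?, ?, ?)", [
        (1, "+44 7700 900123", 1525478400000, 45, 2),  # 2018-05-05 00:00:00 UTC
        (2, "+44 7700 900456", 1525478490000, 0, 3),   # 2018-05-05 00:01:30 UTC
    ])
    ios = sqlite3.connect(":memory:")
    ios.execute(
        "CREATE TABLE message (ROWID INTEGER PRIMARY KEY, text TEXT, "
        "date INTEGER, is_from_me INTEGER)"
    )
    ios.executemany("INSERT INTO message VALUES (?, ?, ?, ?)", [
        (1, "On my way", 547171215, 1),                # seconds since 2001 (older iOS)
        (2, "Where are you?", 547171260000000000, 0),  # nanoseconds since 2001 (newer iOS)
    ])
    return android, ios


def android_calls(conn: sqlite3.Connection) -> List[Dict[str, object]]:
    rows = conn.execute("SELECT number, date, duration, type FROM calls").fetchall()
    return [{"source": "android_call", "when": android_ts(d).isoformat(),
             "number": n, "duration_s": dur,
             "type": ANDROID_CALL_TYPES.get(t, f"other({t})")}
            for n, d, dur, t in rows]


def ios_messages(conn: sqlite3.Connection) -> List[Dict[str, object]]:
    # Do not ORDER BY date in SQL: a table mixing second and nanosecond
    # values would sort wrongly. Normalise first, then sort in Python.
    rows = conn.execute("SELECT ROWID, text, date, is_from_me FROM message").fetchall()
    events = [{"source": "ios_message", "when": ios_ts(d).isoformat(),
               "rowid": r, "text": t, "direction": "sent" if f else "received"}
              for r, t, d, f in rows]
    return sorted(events, key=lambda e: e["when"])


def unified_timeline(android: sqlite3.Connection,
                     ios: sqlite3.Connection) -> List[Dict[str, object]]:
    """Merge both artefact sets into one chronological list of events."""
    return sorted(android_calls(android) + ios_messages(ios), key=lambda e: e["when"])


if __name__ == "__main__":
    a, i = build_sample_databases()
    for event in unified_timeline(a, i):
        print(event)
```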

SUMMARY

In this chapter we introduced the topic of mobile forensics. We reviewed the underlying terminology and infrastructure that powers modern-day cellular networks, and how that infrastructure can play a role in our investigations.

We discussed how the state in which a mobile device is seized influences the acquisition options available, including some advanced acquisition techniques like JTAG and chip off. Finally, we reviewed some common storage locations on Android and Apple iOS devices that are of particular importance to an investigator because of the evidence they may contain.

While we’ve been focused primarily on technical topics to this point in our digital forensics journey, we’re about to switch gears to another skill set that is just as important for any investigator: the art of reporting your findings in a clear and pragmatic way.

60 Cellebrite (2018) UFED Ultimate / PA. Cellebrite. Available from https://www.cellebrite.com/en/products/ufed-ultimate/ [5 May 2018].

61 Paraben (2018) E3: DS. Paraben Corporation. Available from https://www.paraben.com/products/e3-ds [5 May 2018].
