Seeking the Truth from Mobile Evidence - Basic Fundamentals, Intermediate and Advanced Overview of Current Mobile Forensic Investigations PDF

811 Pages·2018·95.405 MB·English

Seeking the Truth from Mobile Evidence
Basic Fundamentals, Intermediate and Advanced Overview of Current Mobile Forensic Investigations

John Bair (Police Detective: City of Tacoma, WA), Part-Time Lecturer: Institute of Technology, University of Washington-Tacoma, WA, United States

Table of Contents

Cover image Title page Copyright Dedication Foreword Preface Acknowledgment Introduction

Part 1. Basic, Fundamental Concepts

Chapter 1. Defining Cell Phone Forensics and Standards
    Introduction Defining Cell Phone Forensics Chapter Summary Key Points
Chapter 2. Evidence Contamination and Faraday Methods
    Introduction Evidence Contamination Faraday Origins Faraday Methods Chapter Summary Key Points
Chapter 3. The Legal Process—Part 1
    Introduction—Chapter Disclosure The Legal Process Mobile Network Operators Mobile Virtual Network Operators Determining Target Number Chapter Summary Key Points
Chapter 4. The Legal Process—Part 2
    Search Warrant Language Destructive Court Orders Chapter Summary Key Points
Chapter 5. The Cellular Network
    Introduction to the Cellular Network Code Division Multiple Access Global Systems for Mobile Communications and Time Division Multiple Access Integrated Digital Enhanced Network Long-Term Evolution International Mobile Equipment Identity Mobile Equipment Identifier Subscriber Identity Module International Mobile Subscriber Identity Integrated Circuit Card Identifier Mobile Identification Number, Mobile Directory Number, and Preferred Roaming List How a Call Is Routed Through a Global System for Mobile Communications Network Chapter Summary Key Points
Chapter 6. Subscriber Identity Module
    Introduction SIM Sizes Internal Makeup Where Is My Evidence? SIM Security Forensic SIM Cloning Chapter Summary Key Points
Chapter 7. Device Identification
    Introduction Handset Communication Types The Form Factors Common Operating Systems Steps for Device Identification (Free) Removable Storage Chapter Summary Key Points
Chapter 8. Triaging Mobile Evidence
    Introduction Devices Powered On Devices Powered Off Locked Devices Powered On Forensic Processing Triage Forms Chapter Summary Key Points
Chapter 9. The Logical Examination
    Introduction—A “Logical” Home Computer Forensics and Mobile Forensics Connection Interfaces Agent or Client Communication Protocols Attention Terminal Commands Port Monitoring Chapter Summary Key Points
Chapter 10. Troubleshooting Logical Examinations
    Introduction History of Common Problems Truck and Trailer Analogy Device Manager Advanced Tab (Device Manager) Using Log Files General Troubleshooting Steps Chapter Summary Key Points
Chapter 11. Manual Examinations
    History Reasons for the Manual Examination Hardware Tools for Manual Extractions Software Solutions An Alternative Solution to Hardware and Software Vendors Chapter Summary Key Points
Chapter 12. Report Writing
    History—Our Forensic Wheel A Final Report Example General Questions to Answer/Include in Your Report Initial Contact Device State Documenting Other Initial Issues (DNA/Prints/Swabbing) Specific Tools and Versions Used Listing Parsed Data Reporting Issues and Anomalies Validation Methods of Reporting Other Formats and Proprietary Readers Hashing The Archive Disk Chapter Summary Key Points

Part 2. Intermediate Concepts

Chapter 13. Physical Acquisitions
    History Flasher Boxes Pros and Cons—Flasher Box Usage Bootloaders Current Popular Boxes Early Physical Examination Vendors and Tools MSAB and Cellebrite Chapter Summary Key Points
Chapter 14. Physical Memory and Encoding
    History NAND and NOR NAND Blocks, Spare Area, Operation Rules, Wear Leveling, Garbage Collection, and the SQLite Databases Encoding Chapter Summary Key Points
Chapter 15. Date and Time Stamps
    Introduction “In the Beginning…” Epoch, GMT, and UTC Integers Formats Chapter Summary Key Points
Chapter 16. Manual Decoding MMS
    Introduction—Lab Work Susteen—SV Strike and Burner Breaker MMS Carving Containers for MMS Chapter Summary Key Points
Chapter 17. Application Data
    Introduction—A Last Argument Applications Supported Decoding—The Tip of the Iceberg Database Naming—It Does Not Always Stay Original Validating Database Content Sanderson Forensics SQLite Forensic Browser Write-Ahead Log Files Journal Files Blobs and Attachments Chapter Summary Key Points
Chapter 18. Advanced Validation
    Introduction USB Monitoring—Can You Hear Me Now? UltraCompare Professional Chapter Summary Key Points

Part 3. Advanced Concepts

Chapter 19. Android User Enabled Security: Passwords and Gesture
    Introduction—Security on Androids Simple Security Values The Password Lock Hashcat The Pattern Lock (Gesture) SHA-1 Exercise Chapter Summary Key Points
Chapter 20. Nondestructive Hardware and Software Solutions
    Introduction MFC Dongle IP Box UFED User Lock Code Recovery Tool Best Smart Tool FuriousGold XPIN Clip Other Methods Chapter Summary Key Points
Chapter 21. Phone Disassembly and Water-Damaged Phones
    Introduction—Holding It All Together Fastening Methods Tools Used Removing Moisture (Water Damage) Suggestions—Saltwater Exposure
