Computer Forensics | Cell Phone Forensics

A brief overview of current topics in digital forensics and related subjects

Cell Phone Forensics – The Basics

Posted on May 4, 2010

There are so many new types of devices out there, from Droid phones to the iPhone, and from netbooks to the iPad.  The question is: how do we retrieve and analyze this data in a forensically sound manner?

Each device is different, but there are a few rules of thumb, all of which may change from the time I finish typing to the time I click the “submit” button!

For cell phone forensics, the first thing we need to figure out is what type of cell phone it is.  Sometimes the brand and model will be listed on the outside of the phone, and sometimes manufacturer data can be found underneath the battery.  This information will be helpful with the next stage, which is determining where data is kept on the phone.

On older cell phones, user data is often stored in internal memory inside the device itself.  In this case, you may need a special tool available from the manufacturer to access this data.  The manufacturer can also supply a special cable to connect the phone to your computer’s USB port if the phone uses a proprietary plug.

If the data is not stored in the internal memory of the phone, it may be stored on the SIM card.  The SIM card is increasingly used by carriers to authenticate to the cell phone network.  Data such as your phone number, contacts, and a small amount of logs and perhaps text messages are stored on the SIM card.  In order to access this data, you will need to buy an inexpensive SIM card reader.  To remain forensically sound, purchase a reader rather than a device that can read and write – this way you are assured that you do not edit or damage the data in any way.  These are available online for a pittance (less than $5), so I’d order a couple of them – they’re so tiny they are easy to lose!
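The contacts mentioned above are kept on the SIM in fixed-length "abbreviated dialling number" (EF_ADN) records. As an added example that is not from the original post, this Python code decodes such records from a raw dump taken with a card reader, after checking the working copy against the hash recorded at acquisition. The record layout follows 3GPP TS 51.011; the dump bytes, names, numbers and the 24-byte record length are constructed sample data.

```python
import hashlib

BCD_DIGITS = "0123456789*#p?e"  # nibbles 0x0-0xE; 0xF marks the end of the number
FOOTER_LEN = 14                 # fixed bytes that follow the alpha identifier
RECORD_LEN = 24                 # assumed record size for the constructed dump below
# Constructed sample dump: two contacts and one unused (all 0xFF) slot.
SAMPLE_DUMP = bytes.fromhex(
    "414c494345ffffffffff" "0591" "51551000" "ffffffffffff" "ffff"
    "424f42ffffffffffffff" "0581" "550521f3" "ffffffffffff" "ffff"
) + b"\xff" * RECORD_LEN

def decode_adn_record(record: bytes):
    """Return (name, number) for one EF_ADN record, or None for an unused slot."""
    if len(record) < FOOTER_LEN:
        raise ValueError("ADN record shorter than 14 bytes")
    if all(b == 0xFF for b in record):
        return None
    alpha_len = len(record) - FOOTER_LEN
    # Simplification: basic Latin names only, where the GSM 7-bit default
    # alphabet coincides with ASCII; UCS2-coded names are not handled.
    name = record[:alpha_len].rstrip(b"\xff").decode("ascii", errors="replace")
    bcd_len, ton_npi = record[alpha_len], record[alpha_len + 1]
    if bcd_len in (0, 0xFF):
        return name, ""
    # The length byte counts TON/NPI plus digit bytes; the digit field holds 10.
    raw = record[alpha_len + 2: alpha_len + 2 + min(bcd_len - 1, 10)]
    nibbles = [n for b in raw for n in (b & 0x0F, b >> 4)]  # low nibble first
    if 0x0F in nibbles:
        nibbles = nibbles[:nibbles.index(0x0F)]
    number = "".join(BCD_DIGITS[n] for n in nibbles)
    return name, ("+" if (ton_npi >> 4) & 0x07 == 1 else "") + number

def parse_adn_dump(dump: bytes, record_len: int, acquisition_sha256: str):
    """Verify the working copy against the acquisition hash, then list contacts."""
    if hashlib.sha256(dump).hexdigest() != acquisition_sha256.lower():
        raise ValueError("dump does not match the hash recorded at acquisition")
    contacts = []
    for off in range(0, len(dump) - record_len + 1, record_len):
        entry = decode_adn_record(dump[off:off + record_len])
        if entry:
            contacts.append((off // record_len + 1, *entry))  # 1-based record no.
    return contacts

if __name__ == "__main__":
    print(parse_adn_dump(SAMPLE_DUMP, RECORD_LEN, hashlib.sha256(SAMPLE_DUMP).hexdigest()))
```

On a real card the record length comes from the file's SELECT response rather than a constant.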

Of course, not all data is stored on SIM cards – if you need call logs or text message logs going back several months, you will need to contact the cell phone carrier.

For iPhone forensics (and BlackBerry forensics), I’d recommend checking out one of the numerous books on the subject.  They go into much more detail than I could possibly type here, and will give you a good overall idea of how the iPhone stores data, and what can be recovered from it.  Remember that other handheld devices like the iPod Touch can also carry valuable data (but without a SIM card), so be sure not to overlook these devices when performing a forensic collection.

I have yet to see an iPad in the wild, and I’ll admit to not having studied the specs or forensic tools available for them yet.  iPad forensics will probably be similar to iPhone forensics, but will also depend on the version of the iPad in question (wifi version vs. 3G version).
