
UNIT 1

Terry Addison
Course: IT-550
Kaplan University
October 3, 2014

Introduction

During our investigation of the digital terrorist and the smart phone found with him, which held codes and data that could harm enterprises with viruses and other malicious information and was considered a security concern, a phone was found inside the suspect's work area while the scene was being searched. Under the warrant the phone was also legally seizable, because it was capable of holding data relevant to the case at hand. When searching a phone, certain kinds of hardware and tools are required to fully discover all the information that can be found on it. First, however, the examination of a phone must be broken down into two parts. The first part is the acquisition of the physical memory associated with the PIM parts of the phone. The second part deals with the SIM card and all the data found on it (Volonino, Anzaldua & Godwin, 2007).

The PIM portion of a phone is associated with PDA characteristics, and the main concern when getting data from this part of the phone is making sure power is not interrupted at any time. This is because the stored data is flash-based, and if the battery dies or the power adapter is unplugged and the phone turns off, all user data is erased. To help in the examination and search of mobile phones when dealing with the personal information manager, or PIM, it is stated that:

- If found turned off, it must stay off.
- The phone should be placed in an envelope, which is then sealed before being put into an evidence bag, to limit physical access while it is inside the evidence bag.
- Since most phones are supplied with only one rechargeable battery, which does not always last and cannot be preserved, the phone should be plugged into the correct power adapter, which is then passed through the evidence bag so the phone is kept charged.
- If the phone is found on, it should be kept in an active running mode by tapping the screen or using any other function that keeps it running without tampering with evidence. This prevents any password or user authentication protections from being triggered. If for any reason doing this could increase the chance of the device dying, whether because of battery life or a faulty power adapter, the device can be turned off, but only after recording its current state and noting the time and date of shutdown.
- A search around the device for related flash memory should also be conducted, in case data was stored on external media for the device.
- All power cords, manuals, and items related to the phone should also be seized.
- Any handling of the device before the examination must be looked at as admissible in a court of law for future incidents, meaning it should not be tampered with.

The second part of a phone's PIM area of the examination is any wireless activity. Either turning off the device or placing it in an isolation bag that blocks radio frequency signals will allow the device to stay safe from any wireless interference or attempts to change data while in custody (Volonino, Anzaldua & Godwin, 2007).
USER AUTHENTICATION ISSUES IN CELL PHONES

During the examination of the device, if any user authentication issues arise, there are limited ways of finding a route around them. Asking the user what the password is, contacting the manufacturer to see whether there are any backdoors or other ways of getting around the password protection, searching the web for known exploits such as password crackers for the device, or in the most extreme cases bringing in PDA experts who specialize in data recovery are really the only ways known at this time (Volonino, Anzaldua & Godwin, 2007).

The PDA features of a cell phone can be examined in one of two ways, physically or logically. The physical examination is the bit-by-bit copy of the physical parts of a PDA, for example the RAM, ROM or disk drives. This gives the examiner the ability to copy every bit, including potentially hidden or deleted data. A logical examination copies only the records the operating system can see, for example files and directories, but leaves out all other data that is considered to be deleted. When examining a cell phone both avenues should be looked at in order to consider and be fully aware of all areas inside the phone. When connecting the device to the examiner's software, the best way is to use the cables supplied with the device, for example USB connectors, which allow data to be transferred. EnCase software is best used in this situation, although other tools can be used, for example HotSync and ActiveSync, which deal with PIM-related protocols, and Paraben, which was made for PC to PDA acquisitions (Volonino, Anzaldua & Godwin, 2007).
SIM TECHNIQUES

The second part of a cell phone examination deals with the SIM card. This card is designed to identify the subscriber and authenticate the subscriber to the mobile phone network. These cards also contain phonebooks, text messages, call data and network configuration data for the user, which are not always the same as those on the phone. SIM cards can be removed from a phone and placed in a SIM card reader, which extracts all the data needed in the examination unless a PIN has been assigned to the card for security purposes (Volonino, Anzaldua & Godwin, 2007).

Another feature of SIM cards is that each has a phase of the standard it can support. This basically means older SIMs do less than newer ones. The phases currently available are 1, 2, 2.5 and 3. When extracting data from a SIM card the tools used must meet the requirements of the phase the SIM has. This also means that sometimes more than one tool must be used to fully capture all the data. Also, in order to perform any kind of examination, all user authentication must be circumvented by some means, otherwise the investigator will come to a standstill. Using both a PDA's PIM and SIM technologies allows there to be several kinds of security if needed. A SIM is normally protected by a PIN or cardholder verification (CHV) number and can have more than one number set. If a PIN is in place there are two main ways to work around it. First, you can ask the user for it, or you can ask the service provider for a PIN unblocking key (PUK). The PUK will reset the PIN and allow access past authentication. The biggest thing to remember with SIM cards is that you only get 3 attempts to get past the PIN before you are locked out. If you are using a PUK and are still unable to get access, it is best not to use a brute force attack, because after 3 attempts with it you are locked out permanently, rendering any data stored on the card useless (Volonino, Anzaldua & Godwin, 2007).
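The PIN and PUK retry behaviour described above, modelled as an added example (not code from the paper or its source text) so the examiner's stop rule can be checked before any attempt is made; the retry limits (3 PIN tries, 3 PUK tries) follow the text and are parameters because real cards set their own values, and the secrets used with it are constructed:

```python
class SimPermanentlyBlocked(Exception):
    """PUK counter exhausted: the card and the data on it are unrecoverable."""


class SimCard:
    """Model of the CHV1 (PIN) and PUK attempt counters on one SIM.

    Added example, not code from the paper. Retry limits follow the page
    (3 PIN tries, 3 PUK tries) and are parameters because real cards differ.
    """

    def __init__(self, pin, puk, pin_tries=3, puk_tries=3):
        self._pin, self._puk = pin, puk
        self._pin_tries, self._puk_tries = pin_tries, puk_tries
        self.pin_left, self.puk_left = pin_tries, puk_tries
        self.unlocked = False

    def verify_pin(self, guess):
        """One PIN attempt; a wrong guess costs one of the remaining tries."""
        if self.puk_left == 0:
            raise SimPermanentlyBlocked("PUK counter exhausted")
        if self.pin_left == 0:
            return False                     # PIN blocked: only the PUK helps now
        if guess == self._pin:
            self.pin_left = self._pin_tries  # success restores the counter
            self.unlocked = True
            return True
        self.pin_left -= 1
        return False

    def unblock_with_puk(self, puk, new_pin):
        """PUK from the provider resets the PIN; each wrong PUK burns the last counter."""
        if self.puk_left == 0:
            raise SimPermanentlyBlocked("PUK counter exhausted")
        if puk == self._puk:
            self._pin = new_pin
            self.pin_left, self.puk_left = self._pin_tries, self._puk_tries
            self.unlocked = True
            return True
        self.puk_left -= 1
        if self.puk_left == 0:
            raise SimPermanentlyBlocked("PUK counter exhausted")
        return False


def safe_to_attempt(card):
    """Examiner's stop rule: never spend the last PIN try on a guess; with one
    try left, get the PIN from the user or the PUK from the provider instead."""
    return card.puk_left > 0 and card.pin_left > 1
```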
As with all other forensic examinations, a physical as well as a logical acquisition is possible on PDAs. However, unlike most devices, this process must be performed on both the PIM and SIM parts. Most of today's phones come with a cradle that allows synchronization with the user's computer. When performing an examination the software used must be able to work with this connection type. Other methods can also be used for newer phones that are equipped with Wi-Fi, Bluetooth or IR interfaces, when gathering data from software that allows these kinds of connections (Volonino, Anzaldua & Godwin, 2007).
STEPS INVOLVED IN THE INVESTIGATION PROCEDURE FOR CELL PHONES


When working with mobile phones it is important to understand that they have characteristics similar to PDAs, and the above steps should still be followed as though working with a PDA; however, other guidelines are required as well, which include:

- Find software compatible with the phone in question.
- Find out how you will synchronize the devices, either through USB, Bluetooth or a related network connection.
- Use the required protocols before acquisition if necessary, for example Microsoft ActiveSync, Palm HotSync, and BlackBerry Desktop Manager. These are used to create a guest account on the suspect device, because the PDA does not allow synchronization between the forensic machine and the PDA device before acquisition.
- Physically connect using the interface chosen in the above steps.
- Make sure all supplies and essential information are available before you begin, including battery backup, charger, passwords for the device, cables, cradles, external SIM readers and manuals for the devices.
- Most Microsoft packages are GUI based, with a wizard or something to that effect walking you through the setup process, which would typically ask questions such as:
  - Manufacturer or Global System for Mobile Communications (GSM) SIM card
  - Cellular phone model
  - Connection type
  - Type of information needed
- Make a bit-stream copy of the device and create hash values to prove the integrity of the data.
- Create reports on the findings from the examination methods and the steps taken in the software (Volonino, Anzaldua & Godwin, 2007). This can include contacts, pictures, schedules, or any other data that could point to use of the codes discovered or to other parties involved, which could possibly cause the case to grow into many more places to search and people to question, or could narrow the crime down to just the individual we already know of.

TOOLS USED TODAY FOR PDA/CELL PHONE FORENSICS


The tools used when examining a cell phone/PDA device vary. This is because this type of forensics is the newest in the field, and many of the software packages work only with certain models and not others. It also means that multiple tools may have to be used to fully penetrate a device and get all of its information for an investigation. Some of the most popular are:
1. EnCase and Palm OS software - At present EnCase does not support Pocket PC, Linux, or BlackBerry devices. It can make a bit stream of the entire physical area of a Palm OS device and perform constant cyclic redundancy check (CRC) calculations to ensure data integrity. CRC checks are mathematical algorithms that verify that the data transmitted from the original device is exactly the same as the data given to the receiving device. EnCase creates an evidence file and mounts it on the examiner's PC. It also uses a software write-blocking technique and hashes the data, so issues of data corruption or modification are eliminated. EnCase has the added ability to generate reports, has excellent search functions and can save important data for the examiner. It is widely used in most of today's court cases due to its reputation and accuracy.

2. PDA Seizure - Has the ability to perform forensic examinations on Palm OS, Pocket PC and BlackBerry devices. It has a built-in PDA password cracker. It is simple to use and heavily GUI based. It ensures there are no writes to the PDA and also ensures the data integrity of the image being transferred. Because it is able to examine so many different devices, including those EnCase covers, it is up to the examiner to have the device drivers needed for the devices to be examined properly. Other features PDA Seizure offers include:
   1. Multilanguage support
   2. Search functions
   3. Bookmark functions
   4. HTML reporting
   5. Ability to view images internally
   6. Report generation

3. Palm dd (pdd) - A command line tool used within a Windows environment to generate the physical image of a Palm OS device. It has no graphical user interface and is no longer supported. It creates two files: one that gives information on the size of RAM/ROM, the processor type, and the OS version, and a second that contains the bit image in binary form. Once the binary image is complete, a hex editor can be used to import it into software such as EnCase to complete the examination.

4. POSE (Palm OS Emulator) - Emulates the Palm OS device on a personal computer when the ROM from a physical Palm device is loaded into memory. It comes with a tool to extract images but can also use Palm dd, or dd, which comes from UNIX-based operating systems and does low-level, bit-level copying of storage media. It emulates the device on the computer down to its buttons and interface. Once emulated, all PIM functions can be looked at, and screen shots can be generated for court proceedings.

5. PDA memory cards - Memory cards used in cell phone/PDA devices are usually all internal and come with a special reader for syncing to a PC. These come in the form of CompactFlash cards, Extended Memory cards, Memory Sticks, Microdrives, MultiMedia cards and Secure Digital cards. To do any examination on these types of storage devices an external card reader must be used. Most memory cards use the normal FAT format, like that of a hard drive. Data does not get deleted from these devices due to power outages, so the ability to pull information off them is the same as pulling information from a hard drive (Volonino, Anzaldua & Godwin, 2007).
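The bit-stream copy with hash values from the procedure steps above, combined with the per-block CRC integrity checks described for EnCase, as an added example that is not code from the paper, EnCase or pdd; the "device" it images is a constructed byte buffer standing in for a phone's physical memory, and the 512-byte CRC block size is an assumption made for the demo:

```python
import hashlib
import zlib

# Added example, not code from the paper, EnCase or pdd. The "device" in the
# demo is a constructed byte buffer standing in for a phone's physical memory;
# a real acquisition reads it through the cable and tool the text describes.
# 512-byte CRC blocks are an assumption made for this demo.
BLOCK = 512


def acquire(device, block=BLOCK):
    """Bit-stream copy with a CRC-32 per block and a SHA-256 over the image."""
    image = bytearray()
    crcs = []
    sha = hashlib.sha256()
    for off in range(0, len(device), block):
        chunk = device[off:off + block]
        image += chunk                  # every byte, deleted areas included
        crcs.append(zlib.crc32(chunk))  # EnCase-style running CRC per block
        sha.update(chunk)               # the hash value recorded in the report
    return bytes(image), crcs, sha.hexdigest()


def verify(image, crcs, digest, block=BLOCK):
    """Re-check an image later, e.g. before it is presented in court.

    Returns (indexes of blocks whose CRC no longer matches, hash_ok): the
    block list localises any corruption, the hash gives the overall verdict.
    """
    bad = []
    for i, expected in enumerate(crcs):
        chunk = image[i * block:(i + 1) * block]
        if zlib.crc32(chunk) != expected:
            bad.append(i)
    return bad, hashlib.sha256(image).hexdigest() == digest


if __name__ == "__main__":
    # Constructed device memory: a live contact, then a remnant of a deleted
    # message that a physical copy keeps and a logical copy would not show.
    device = b"CONTACT:Alice Example,+15550100\x00" + b"\xff" * 300
    device += b"DELETED:msg 'meet 9pm'\x00"
    device += b"\x00" * (1500 - len(device))
    image, crcs, digest = acquire(device)
    print("blocks:", len(crcs), "sha256:", digest)
    print("clean image:", verify(image, crcs, digest))
    tampered = bytearray(image)
    tampered[20] ^= 0x01                # one flipped bit inside block 0
    print("tampered image:", verify(bytes(tampered), crcs, digest))
```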
SUMMARY

There are many other tools that can be used to examine a cell phone, but remembering that you are actually examining two different types of technology, both PIM and SIM technology must be handled. As of now Logicube's CellDEK and Paraben's Device Seizure are the most popular for PDA/cell phone analysis. These two companies continue to create updates and the ability to keep using their software as technology changes (Volonino, Anzaldua & Godwin, 2007). As technology changes, updates and intermingles, it is important to understand that cell phone technology is becoming more computer based, such as today's Windows-based phones with Windows operating systems installed, which means cell phone forensics will become more complex because you will then have to combine PIM, SIM and Windows operating system extraction techniques in order to fully understand and gather all the information required for an investigation. Then, depending on the evidence found with these techniques, even more forensic techniques may come into play, because image files, emails, text messages and other computer-based artifacts enter the picture, and all of these can develop and work within each other.

References

Volonino, L., Anzaldua, R., & Godwin, J. (2007). Security: Computer forensics principles and practices (pp. 1-27). Upper Saddle River, New Jersey: Pearson Prentice Hall.
