Intro to Cell Phone Technology for Investigators

Transcript of Intro to Cell Phone Technology for Investigators

Intro to Cell Phone Technology for Investigators

Why mobile devices

• Mobile forensics dominates the digital forensics landscape

• Some numbers:

– In America we have more than 320 million people and more than 330 million mobile devices. That means more than 103 devices per 100 people.

– More than 64 percent of American adults own a Smartphone

Cellular technology

• What is a cell phone?

• What are its composite parts?

Cellular technology

• How does the concept of cellular communication differ from earlier devices, such as CBs, radio telephones, etc?

• Simplex vs. half-duplex vs. duplex

• Early radio-phones

• Single tower

• Large power source

• Few channels

• No hand-offs

Cellular concept

• In the late 50’s engineers at Bell Labs developed a new theory – the cellular system

• Towers at the corners, transmitting in three directions, forming hexagonal cells

• Technology did not exist at that time to support the theory

Cellular concept

• And where are the towers located?

Cellular concept

• Three-sided towers, each side covering (roughly) 120 degrees, combining to cover a 360 degree circle

Cellular concept

• These cells work together to provide more complete coverage

• Much smaller range = less power needed by device = smaller battery = smaller device

• Frequency re-use

Cellular concept

• As a mobile device reaches the limit of one tower’s range, and that tower’s signal weakens, the device is “handed off” to the next tower, as that tower’s signal grows stronger

• No need for action from user

Cellular concept

• Keep in mind, this is a “concept”

• The reality can sometimes look very different

Propagation map

Cellular reality

• Sectors are often greater or less than 120 degrees

• Coverage may be affected by

• Population

• Geography/Foliage

• Date/Time

• Etc.

Cellular networks

• In a cellular network, only the last link is wireless

Cellular networks

• The main control point of a large group of cell towers in one area is the Mobile Telephone Switching Office (the “switch”)

• May control thousands of individual cell sites

MTSO

• When a cellular device is turned on, it locates a tower and identifies itself to its carrier

• The device transmits certain data to the network to authenticate itself to the network

MTSO

• The device’s location is maintained by the MTSO, so that it knows where to find the device should someone wish to communicate with it

• The MTSO connects to the Public Switched Telephone Network, and transfers calls to that network to be relayed to the device being called

Cell Tech

• Now, let’s explore some common cell phone terminology

• First, the “generations”…

1G

• First Generation

• Analog technology

• Introduced in the 1980’s, and eventually replaced by 2G technology

Cell Phone Technology

• 1971 – AT&T submits proposal to FCC for advanced cellular service

• Finally approved in 1982.

• Meanwhile, elsewhere…

1G

• First commercially automated network in 1G was NTT, in Japan, in 1979

• Followed in 1981 by the Nordic Mobile Telephone (NMT)

1G

• Finally, in 1983, AMPS comes to America.

• First network was in Chicago (Ameritech), followed by Washington DC.

2G

• 2G technologies appear in the 1990’s

• With 2G, we switch from analog to digital.

Analog vs. Digital

• Analog – electronic transmissions accomplished by varying wavelength, frequency or amplitude

• Digital – transmissions in which data is sent as a “positive” or a “non-positive” (1 or 0)

2G

• Benefits of digital

– Compression

– Decreased radio power from handsets

– Reduces fraud

– Enhanced security

– Less interference

– Better penetration through buildings

2G

• Disadvantages

– Decreased radio power from handsets

– Dropouts vs. Static

2G

• However, the main benefit of digital networks is….

- Data transmission

2G

• Several different 2G technologies emerged, using different digital protocols

– GSM

– CDMA

– TDMA

– iDEN

2G

• 1991 – first GSM network, Radiolinja, in Finland.

2.5G?

• 2.5G was just an increase in speed, which allowed things like MMS, email, web access.

3G

• First commercial 3G network (GSM) – NTT in Japan, 2001

• First commercial 3G CDMA network – USA (Monet) and South Korea, 2002

• Second 3G network in USA – Verizon Wireless, July 2002.

3G

• Primary difference between 2G and 3G – packet switching vs. circuit switching

3G

• So what does this mean to us?

– Mobile internet access

– Video calls

– Streaming video

3G

• Now, with increased transmission speeds, we begin to see mobile broadband modems

– PCMCIA, USB

– Wireless routers (MiFi)

3G

• Devices begin to appear with embedded 3G data capability

– Netbooks

– Kindle, Nook, iPad, tablets

3G

• 3G also makes possible the introduction of the “smart phone”.

– Apple

– Android

– Blackberry

– …and many others

3G

• 3G was slow to spread

– Some 2G networks were not compatible with the 3G technologies, so all equipment had to be replaced

– By 2007, only 9% of worldwide subscribers were using 3G

4G

• Main difference between 3G and 4G is (theoretically) the elimination of circuit switching, resulting in an all IP-based network.

4G

• Various 4G technologies

– HSPA+

– WiMax

– LTE

4G

• International Telecommunication Union – sets standards for 4G

– All packet switched

– Transmission speeds of 1 Gbit/s for stationary units, 100 Mbit/s for moving units.

4G

• 4G technologies should also support IPv6

– IPv4 vs. IPv6

4G

• IPv4:

– 32 bit

– Identified as numbers such as: 209.13.42.145

– Divided by periods

– 4.3 billion IP addresses available

4G

• IPv6:

– 128 bit

– Identified as letters and numbers such as 2001:db8:85a3::8a2e:370:7334

– Divided by colons

– 340 undecillion, or 340 trillion trillion trillion, IP addresses available

4G

• Current technologies do not meet 4G standards

• However, the ITU has stated that current technologies like LTE and WiMax, although they do not meet standards, could be called 4G, because they represent "a substantial level of improvement in performance and capabilities with respect to the initial third generation systems now deployed.”

5G

• 5G – Fifth Generation of Wireless.

• Expected to be in place by 2020

• 1 Gbit/s speed

• Very efficient

• Able to support large amounts of connections

CDMA vs. GSM

• CDMA – Code Division Multiple Access

• GSM – Global System for Mobile Communication (actually, it’s Groupe Spécial Mobile)

CDMA vs. GSM

• CDMA – most popular technology in the United States

• GSM – most popular technology in the world

CDMA vs. GSM

• Traditionally, one way to tell the difference was the presence of a SIM card

SIM Cards

• What can a SIM card contain?

• Phonebook

• Call logs

• Speed dial

• SMS messages

SIM cards

• What must a SIM card contain?

• The IMSI

ICCID

• Integrated Circuit Card ID (ICCID) – a 19- to 20-digit serial number for a SIM card, the card that securely stores the subscriber’s IMSI.

• The ICCID is also called the SIM Serial Number.

• It is stamped on the SIM card.

SIM cards

• New 4G phones from both GSM and CDMA providers will contain a SIM card

• Some older CDMA phones may contain a SIM card to make them “Global” or “World” phones

CDMA

• Verizon

• Sprint

• US Cellular

GSM

• AT&T

• T-Mobile

• What about Tracfone?

• What about Cricket?

The progression:

1G        2G          3G          4G

Analog    CDMAone     CDMA2000    LTE

          GSM         UMTS        LTE

CDMA Identifiers

• Electronic Serial Number (ESN) - The unique identification number embedded in a wireless phone by the manufacturer. Each time a call is placed, the ESN is automatically transmitted to the base station so the wireless carrier's mobile switching office can check the call's validity. MINs and ESNs can be electronically checked to help prevent fraud.

ESN

• Mobile Equipment Identifier (MEID) – a globally unique 56-bit identification number for a physical piece of CDMA equipment. MEIDs replaced ESNs after the original ESN number space was depleted in 2008.

ESN / MEID

• Many times you will still see providers use the term ESN even though the number will actually be the MEID.

• These numbers specifically identify the device

GSM Identifiers

• International Mobile Equipment Identifier (IMEI) – A unique 15-digit number that serves as the serial number of the GSM handset. The IMEI appears on the label located on the back of the phone, and uniquely identifies that device

GSM Identifiers

• International Mobile Subscriber Identifier (IMSI) – A unique 15-digit number which designates the subscriber. It is stored on the SIM card, and identifies the account holder.

IMSI

• The first 3 digits identify the country code; for example, the US is code 310.

• The next 3 digits identify the carrier code; for example, AT&T is code 410 and T-Mobile is code 026.

• Therefore an AT&T IMSI will begin with 310410
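As an added example (not part of the PATCtech deck), the IMSI split described above, written as a small parser over a constructed lookup of the codes quoted on the slides. It assumes US networks (MCC 310) use 3-digit carrier codes; the MNC is 2 digits in many other countries, so the table carries the MNC length per country code and defaults to 3 for codes it does not know.

```python
# Added example: break a 15-digit IMSI into MCC / MNC / MSIN as the slides
# describe.  Tables are constructed from the codes quoted on the page only.

# Mobile Country Code -> (MNC length in digits, country).  Assumption: the
# US uses 3-digit MNCs; codes not listed fall back to a 3-digit MNC.
MCC_TABLE = {
    "310": (3, "United States"),
}

# (MCC, MNC) -> carrier, limited to the two codes the deck quotes.
CARRIER_TABLE = {
    ("310", "410"): "AT&T",
    ("310", "026"): "T-Mobile",
}


def parse_imsi(imsi: str) -> dict:
    """Return MCC, MNC, MSIN, country and carrier for a well-formed IMSI.

    Raises ValueError for anything that is not exactly 15 digits, so a
    provider-record field that is really an IMEI, ICCID or MDN is not
    silently labelled as an IMSI.
    """
    digits = imsi.replace(" ", "")
    if not digits.isdigit() or len(digits) != 15:
        raise ValueError(f"IMSI must be 15 digits, got {imsi!r}")
    mcc = digits[:3]
    mnc_len, country = MCC_TABLE.get(mcc, (3, "unknown"))
    mnc = digits[3:3 + mnc_len]
    msin = digits[3 + mnc_len:]          # subscriber part, assigned by the carrier
    return {
        "mcc": mcc,
        "mnc": mnc,
        "msin": msin,
        "country": country,
        "carrier": CARRIER_TABLE.get((mcc, mnc), "unknown"),
    }


if __name__ == "__main__":
    # Constructed sample: the AT&T prefix 310410 followed by a made-up MSIN.
    print(parse_imsi("310410123456789"))
```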

IMEI and IMSI from an AT&T record

Other important identifiers

• Mobile Identification Number (MIN) – Unique identifier that can be used to identify a cellular phone by the network. The MIN and ESN are both transmitted to the network to assist with authentication.

• Mobile Directory Number (MDN) – The actual number a person would dial to reach a specific phone. (This is your phone number)

• Mobile Station International Subscriber Directory Number (MSISDN) – Country code and subscriber number

Current relevant operating systems

• iOS

• Android

• Blackberry

• Windows

iOS

• Apple’s Mobile Operating System.

– Simply called iPhone OS prior to June 2010.

– Based on the Mac OS

– iPhone, iPad, iPod Touch.

– Currently up to 10.3.1

– Forensically:

– DB, SQL and plists

Jailbreak

• Some people “jailbreak” iOS devices to allow for greater control and a larger amount of Apps.

• Allows “Root Access” of the device.

• Gives the user greater access to many apps that are not available through the App store.

Android

• Developed in 2003

• Acquired by Google in 2005.

– Forensically: DB, SQL and XML

– Uses the Linux kernel.

– Similar to iOS devices, many people want more control, and therefore “root” the device.

Android Flavors

• Cupcake (1.5)

• Donut (1.6)

• Éclair (2.0-2.1)

• Froyo (2.2)

• Gingerbread (2.3.x)

• Honeycomb (3.0-3.2)

• Ice Cream Sandwich (4.0)

• Jelly Bean (4.1-4.3)

• KitKat (4.4)

• Lollipop (5.0-5.1)

• Marshmallow (6.0-6.0.1)

• Nougat (7.0-7.1)

Blackberry

• Formerly Research in Motion, now Blackberry Limited

– Distributes Blackberry devices.

– Based in Waterloo, Canada.

Blackberry

• Had many government and business contracts

• Strengths were security and handling of email

• Failed to keep up with trends

• Went from 43% market share in 2010 to 1.3% in 2015

• Blackberry 10 – January 2013 (currently 10.3.3)

• 2015 – began releasing devices running Android

Windows

• Microsoft’s entry into the smartphone market.

– Windows 8 was designed to integrate mobile devices and PCs.

– Lumia series handsets

– Nokia handsets running the Windows OS

Windows and Nokia

• On February 11, 2011 Nokia announced that it was migrating away from Symbian towards Windows.

• On September 2, 2013 it was announced that Microsoft was purchasing Nokia’s mobile division for 7.2 billion dollars.

Evolving Names

• Windows Mobile

• Windows Phone

• Windows 10 Mobile

Number portability

• What is number portability, and why is it important to our investigation?

Mobile device investigations in 2015

– Mobile forensics vs. traditional computer forensics

– The two aspects of investigating mobile devices

Mobile digital forensics

• Hardware and software

• Recoverable data

– Feature phones

– Smartphones

Application data

• What are applications?

• What do they allow us to do?

• What types of devices use them?

• What type of information do they retain?

Applications

• Some applications can wipe a device remotely

• There are a large number of applications which give us enhanced communication capabilities

Applications

• Other applications allow users to conduct voice communications over the internet.

• Let’s take a quick look at some application files that might hold important evidence

WiFi connections…

Kik messages…

eBay searches…

Wikipedia searches…

Facebook friends…

…and Facebook messages

• These application files can provide a detailed account of the device owner’s activity

Backup files

• Is a backup the same as a sync?

• What types of devices create backups?

• Where do backup files get stored?

• What types of data are in backup files?

iOS device backups are created using iTunes:

Where do you find iOS backups?

If you do not have the phone

• Open the backup folder and locate the files named:

• Info.plist

• Manifest.plist

Info and Manifest

• Simply open each of them with Notepad and take a look:

Info.plist

Manifest.plist

And even a list of your apps

iOS 10 looks a little different…

But the same information is still there…

– How are we going to get our backup file from the subject computer?

• Just boot it up and copy it out?

– What are we going to use to examine our backup file?

iPhone backups

• What if we don’t have pricey forensic software?

- Manually?

- Cheaper options?

How can we tell what type of file this is?

In Notepad

File Signature (header and footer)

…and then open it with an appropriate tool
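As an added example (not part of the PATCtech deck), the file-signature check described above done in code rather than by eye in Notepad: read the first bytes of a file from a backup folder, match them against well-known headers (binary plist, XML plist, SQLite database, JPEG), and, for JPEGs, confirm the footer marker is present so a truncated copy is noticed. The sample bytes at the bottom are constructed and stand in for real backup files.

```python
# Added example: identify backup files by header (and JPEG footer) bytes.
# Signatures are the standard file headers; paths and samples are constructed.

# (header bytes, description, kind of tool you would open it with)
SIGNATURES = [
    (b"bplist00", "binary plist", "plist viewer"),
    (b"<?xml", "XML plist / XML", "text editor"),
    (b"SQLite format 3\x00", "SQLite database", "SQLite browser"),
    (b"\xff\xd8\xff", "JPEG image", "image viewer"),
]


def identify_header(data: bytes) -> tuple[str, str]:
    """Return (description, suggested tool) for the first bytes of a file."""
    for magic, desc, tool in SIGNATURES:
        if data.startswith(magic):
            return desc, tool
    return "unknown", "hex editor"


def identify_file(path: str) -> tuple[str, str]:
    """Read only the first 16 bytes so a large backup file is not loaded whole."""
    with open(path, "rb") as fh:
        return identify_header(fh.read(16))


def jpeg_complete(data: bytes) -> bool:
    """True when the data is a JPEG that also ends with the EOI marker FF D9.

    A JPEG header without the footer usually means the file was cut short
    while being copied out of the subject computer.
    """
    return data.startswith(b"\xff\xd8\xff") and data.endswith(b"\xff\xd9")


if __name__ == "__main__":
    # Constructed sample bytes standing in for files from a backup folder.
    samples = {
        "Manifest.plist": b"bplist00\xd1\x01\x02",
        "Info.plist": b'<?xml version="1.0"?>',
        "messages.db": b"SQLite format 3\x00",
        "IMG_0001": b"\xff\xd8\xff\xe0" + b"\x00" * 8 + b"\xff\xd9",
    }
    for name, data in samples.items():
        desc, tool = identify_header(data)
        print(f"{name}: {desc} -> open with {tool}")
```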

How about a tool that is very effective, yet inexpensive?

iPhone Backup Extractor

• But it only examines backup files; what if we are dealing with the device itself?

• Again, great information, but it doesn’t do us any good if we don’t collect it, and if we don’t know how to examine it

Defeating passcodes

• Different solutions for different devices, and for different versions of the mobile operating systems

• Some carry inherent risks

The IP Box

Lockdown plist

• The Lockdown plist is created by an iOS device on a “Trusted” computer system. It is NOT part of the backup process, so a backup is NOT required.

Lockdown Plist

• To unlock the device using the lockdown plist, we copy it from the bad guy’s computer and import it into our forensic software.

A pattern locked Android device…

Bypassing passcodes

• Be aware of the capabilities of your tools, and the risks that they may carry

Call detail records

• What are call detail records?

• How do we obtain them?

Provider records

• Will include call detail records

• May include SMS and data usage, depending on the provider

• May include “historical handset location data”

Provider Records

• What can we get from the Wireless Services Provider?

• Call detail logs

– Originating cell site (Latitude and Longitude)

– Terminating cell site

– Cell site sector azimuth

– Direction of call (incoming or outgoing)

– Calling number

– Dialed number

– Call duration

– Data usage

– Location of cell towers

• Subscriber information (Name, address, etc)

• SMS information (Text or just sender and receiver?)

• ESN / MEID, MIN, MDN, IMEI, IMSI of target phone.

• Tower dump

• Definitions

• Reports of Lost / stolen phone

• Type of phone

• If prepaid, where purchased?

• Status

• Other phones on the same account

• Cell sites at the time of the incident (Not current)

• PCMD / RTT / Historical Handset Location (maybe?)

• Contents of the Cloud

What are we hoping to discern from CDRs?

• Historical location

• Possible pattern of movement

AT&T Call Detail Records

Records from a theft incident

And the map of those calls

A different tool: DART

A series of calls from a T-Mobile CDR

• There are several options for mapping cell towers

• Know the limitations of your tool

Historical handset location

• Available from several providers

• Sprint – PCMD

• Verizon – RTT

• AT&T – NELOS

• More precise location than cell site/sector

• Does that mean it’s more accurate?

Historical handset location

• Be aware of the accuracy of this information

• Don’t ignore it, but do not be overly reliant on it

Follow PATCtech!
