Notes - MCS
Computer Systems Forensic Analysis

Forensic value of phones

Phones, especially smartphones, have a huge potential to provide evidence.

  • are part of our everyday life:

    • screen checks/day and h/day usage of smartphones.

    • they store a huge amount of diverse information:

      • logs of calls, messages, GPS, and network connections; contents of messages, emails, multimedia (photos and video), social networks, etc.

  • sales of smartphones surpassed PCs by the end of 2011.

Phones' data locations

Where is data located on phones?

  • data can be physically stored in 3 different locations:

    • handset, memory card, and SIM card.

  • some types of data may be found in more than one location:

    • contacts on SIM and handset.

    • pictures on the handset and memory card.

Acquiring data from phones

Retrieval approach:

  • Examine every area (handset, memory card, and SIM) independently.

    • to be sure of capturing all the information you can.

Can data be stored anywhere else?

  • Service providers → require additional legal procedures.

  • Cloud services → might require additional legal procedures.

  • Handset backups → more common in iOS devices.

SIM cards

Disambiguation.

  • UICC (Universal Integrated Circuit Card) – is the technical name of the physical part of the smart card.

  • SIM (Subscriber Identity Module) – is a logical module stored inside the smart card.

    • in the early stages a SIM consisted of the hardware and the software.

A given card can contain multiple SIMs. This would allow multiple phone numbers or accounts to be accessed by a single UICC.

Universal Integrated Circuit Card (UICC)

How many sizes/formats exist?

Embedded UICC (also known as eSIM).

  • permanently embedded in devices used in machine-to-machine (M2M) applications.

  • not replaceable by a regular user.

  • 2 formats, MFF1 and MFF2; both have the same size.

    • MFF1 is socketable (replaceable with special tools).

    • MFF2 is soldered.

Main characteristics:

  • processor.

  • storage.

    • memory to store text-based user data, e.g. SMS, contacts, and calls.

    • traditionally held just 16 to 64 KB, but some have 1 GB.

UICCs are also known as "SIM cards".

  • mandatory in GSM networks.

  • standardized by 3GPP.

Integrated Circuit Card Identifier (ICCID)

  • uniquely identifies the card.

  • 19 or 20 digits in length.

  • often printed on the outside (may be abbreviated).

  • always stored digitally in the card.

ICCID identifies the issuing service provider and country.

Subscriber Identity Module (SIM)

Role of the SIM.

  • Authentication - the mobile network uses a challenge/response security mechanism to allow access to the network.

  • Accountability - the SIM contains a unique reference number that identifies the card and the subscriber to ensure that associated costs are allocated correctly.

GSM types

USIM - Universal Subscriber Identity Module.

  • for 3G and newer networks.

  • compared with SIM:

    • higher security, bigger and improved phonebook, can run small applications.

Multi-application cards have 2 partitions: SIM + USIM.

International Mobile Subscriber Identity (IMSI)

IMSI:

  • uniquely identifies the subscriber.

  • stored digitally on the card.

  • cannot be changed in a normal card.

  • can also identify the issuing service provider and country.

  • usually not known by the owner.

  • composed of:

    • Mobile Country Code (MCC).

    • Mobile Network Code (MNC).

    • Mobile Subscription Identification Number (MSIN).
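
The ICCID and IMSI described above are stored on the card as nibble-swapped BCD, so the raw file bytes from a SIM read must be decoded before they can be reported. The following is an added example, not part of the original notes: the file layouts (EF_ICCID, EF_IMSI) follow the ETSI/3GPP SIM specifications, the sample bytes are constructed (MCC 001 / MNC 01 is the test network), and the MNC length is passed in because it cannot be derived from the IMSI digits alone.

```python
# Added example: decode ICCID and IMSI from raw SIM file bytes.
# All sample bytes are constructed; function names are this example's own.

def swapped_bcd(raw: bytes) -> str:
    """Nibble-swapped BCD: the low nibble of each byte holds the earlier digit."""
    return "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in raw)

def luhn_ok(digits: str) -> bool:
    """Luhn check over the whole number, the last digit being the check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def decode_iccid(ef_iccid: bytes) -> dict:
    """EF_ICCID: 10 bytes holding 19 or 20 digits, padded with 0xF when 19."""
    if len(ef_iccid) != 10:
        raise ValueError("EF_ICCID must be 10 bytes")
    digits = swapped_bcd(ef_iccid).rstrip("F")
    if not digits.isdigit() or len(digits) not in (19, 20):
        raise ValueError(f"unexpected ICCID content: {digits!r}")
    # A Luhn mismatch is reported to the examiner, not treated as fatal.
    return {"iccid": digits, "luhn_ok": luhn_ok(digits)}

def decode_imsi(ef_imsi: bytes, mnc_len: int) -> dict:
    """EF_IMSI: length byte, then a parity/type nibble followed by the digits."""
    if len(ef_imsi) != 9 or not 1 <= ef_imsi[0] <= 8:
        raise ValueError("EF_IMSI must be 9 bytes with a length of 1..8")
    if mnc_len not in (2, 3):
        raise ValueError("MNC is 2 or 3 digits")
    digits = swapped_bcd(ef_imsi[1:1 + ef_imsi[0]])[1:].rstrip("F")
    if not digits.isdigit() or len(digits) <= 3 + mnc_len:
        raise ValueError(f"unexpected IMSI content: {digits!r}")
    return {"imsi": digits, "mcc": digits[:3],
            "mnc": digits[3:3 + mnc_len], "msin": digits[3 + mnc_len:]}

if __name__ == "__main__":
    print(decode_iccid(bytes.fromhex("985301214365870921F6")))
    print(decode_imsi(bytes.fromhex("080910101032547698"), mnc_len=2))
```

Comparing the decoded ICCID with the number printed on the card body is a quick consistency check before the value goes into the report.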

Mobile Station International Subscriber Directory Number

MSISDN:

  • like the IMSI, the MSISDN is also an important number for identifying a mobile subscriber.

  • used for routing calls to the subscriber.

  • it is the number normally dialed to connect a call to the mobile phone.

  • The ITU-T recommendation E.164 limits the maximum length of an MSISDN to 15 digits. 1-3 digits are reserved for the country code.

MSISDN = Country Code + Subscriber Number.
