A Practical Guide to Computer Forensics Investigations

A PRACTICAL GUIDE TO

COMPUTER
FORENSICS
INVESTIGATIONS

DR. DARREN R. HAYES

A Practical Guide to
Computer Forensics
Investigations
Dr. Darren R. Hayes

800 East 96th Street, Indianapolis, Indiana 46240 USA

9780789741158_forensics.indb i

11/20/14 10:48 PM

A Practical Guide to Computer Forensics Investigations

Associate Publisher
Dave Dusthimer

Copyright © 2015 by Pearson Education, Inc.
All rights reserved. No part of this book shall be reproduced, stored in a retrieval system, or
transmitted by any means, electronic, mechanical, photocopying, recording, or otherwise,
without written permission from the publisher. No patent liability is assumed with respect
to the use of the information contained herein. Although every precaution has been taken in
the preparation of this book, the publisher and author assume no responsibility for errors or
omissions. Nor is any liability assumed for damages resulting from the use of the information
contained herein.
ISBN-13: 978-0-7897-4115-8
ISBN-10: 0-7897-4115-6

Acquisitions Editor
Betsy Brown
Development Editor
Jeff Riley
Managing Editor
Sandra Schroeder
Project Editor
Mandie Frank

Library of Congress Control Number:  2014955541
Printed in the United States of America

Copy Editor
Krista Hansing

First Printing: December 2014

Trademarks
All terms mentioned in this book that are known to be trademarks or service marks have
been appropriately capitalized. Pearson IT Certification cannot attest to the accuracy of this
information. Use of a term in this book should not be regarded as affecting the validity of any
trademark or service mark.

Warning and Disclaimer
Every effort has been made to make this book as complete and as accurate as possible, but
no warranty or fitness is implied. The information provided is on an “as is” basis. The author
and the publisher shall have neither liability nor responsibility to any person or entity with
respect to any loss or damages arising from the information contained in this book.

Special Sales
For information about buying this title in bulk quantities, or for special sales opportunities
(which may include electronic versions; custom cover designs; and content particular to your
business, training goals, marketing focus, or branding interests), please contact our corporate
sales department at [email protected] or (800) 382-3419.

Indexer
Larry Sweazy
Proofreader
Megan Wade-Taxter
Technical Editors
Dennis Dragos
Shawn Merdinger
Publishing Coordinator
Vanessa Evans
Designer
Alan Clements
Compositor
Tricia Bronkella

For government sales inquiries, please contact [email protected].
For questions about sales outside the U.S., please contact [email protected]. 

9780789741158_forensics.indb ii

11/20/14 10:48 PM

Contents at a Glance
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xx
1

The Scope of Computer Forensics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

2

Windows Operating and File Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

3

Handling Computer Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80

4

Acquiring Evidence in a Computer Forensics Lab . . . . . . . . . . . . . . . . . . 116

5

Online Investigations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162

6

Documenting the Investigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210

7

Admissibility of Digital Evidence. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238

8

Network Forensics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292

9

Mobile Forensics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320

10 Photograph Forensics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372
11 Mac Forensics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390
12 Case Studies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 436
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458

iii

9780789741158_forensics.indb iii

11/20/14 10:48 PM

Table of Contents
Introduction
Chapter 1: The Scope of Computer Forensics

xx
2

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Popular Myths about Computer Forensics . . . . . . . . . . . . . . . . . . . . . . . . . 3
Types of Computer Forensics Evidence Recovered . . . . . . . . . . . . . . . . . . . . . . 5
Electronic Mail (Email) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Images . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Video . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Websites Visited and Internet Searches . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Cellphone Forensics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
What Skills Must a Computer Forensics Investigator Possess? . . . . . . . . . . . 10
Computer Science Knowledge . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Legal Expertise . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Communication Skills . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Linguistic Abilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Continuous Learning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
An Appreciation for Confidentiality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
The Importance of Computer Forensics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Job Opportunities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
A History of Computer Forensics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
1980s: The Advent of the Personal Computer . . . . . . . . . . . . . . . . . . . . . 14
1990s: The Impact of the Internet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Training and Education . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Law Enforcement Training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

iv

Table of Contents

9780789741158_forensics.indb iv

11/20/14 10:48 PM

Chapter 2: Windows Operating and File Systems

32

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Physical and Logical Storage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
File Storage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
File Conversion and Numbering Formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Conversion of Binary to Decimal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Hexadecimal Numbering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Conversion of Hexadecimal to Decimal . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Conversion of Hexadecimal to ASCII (American Standard Code
for Information Interchange) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Unicode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Operating Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
The Boot Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Windows File Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Windows Registry. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Registry Data Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
FTK Registry Viewer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Microsoft Windows Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Windows Vista . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Windows 7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Windows 8.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Chapter 3: Handling Computer Hardware

80

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Hard Disk Drives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Small Computer System Interface (SCSI) . . . . . . . . . . . . . . . . . . . . . . . . . 81
Integrated Drive Electronics (IDE) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Serial ATA (SATA) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Cloning a PATA or SATA Hard Disk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Cloning Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Table of Contents

9780789741158_forensics.indb v

v

11/20/14 10:48 PM

Removable Memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
FireWire . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
USB Flash Drives. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
External Hard Drives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
MultiMedia Cards (MMCs) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Chapter 4: Acquiring Evidence in a Computer Forensics Lab

116

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Lab Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
American Society of Crime Laboratory Directors . . . . . . . . . . . . . . . . . . 117
American Society of Crime Laboratory Directors/Lab
Accreditation Board (ASCLD/LAB) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
ASCLD/LAB Guidelines for Forensic Laboratory Management
Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Scientific Working Group on Digital Evidence (SWGDE) . . . . . . . . . . . . 119
Private Sector Computer Forensics Laboratories . . . . . . . . . . . . . . . . . . . . . . 119
Evidence Acquisition Laboratory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Email Preparation Laboratory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Inventory Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Web Hosting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Computer Forensics Laboratory Requirements . . . . . . . . . . . . . . . . . . . . . . . . 121
Laboratory Layout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Laboratory Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
Laboratory Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
Extracting Evidence from a Device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Using the dd Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Using Global Regular Expressions Print (GREP) . . . . . . . . . . . . . . . . . . 145
Skimmers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
vi

Table of Contents

9780789741158_forensics.indb vi

11/20/14 10:48 PM

Chapter 5: Online Investigations

162

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
Working Undercover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Generate an Identity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Generate an Email Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Mask Your Identity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
Website Evidence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Website Archives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Website Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Background Searches on a Suspect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Personal Information: Mailing Address, Email Address,
Telephone Number, and Assets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Personal Interests and Membership of User Groups . . . . . . . . . . . . . . . 178
Searching for Stolen Property . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Online Crime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Identity Theft . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Credit Cards for Sale. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Electronic Medical Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
Cyberbullying . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
Social Networking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
Capturing Online Communications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Using Screen Captures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Using Video . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Viewing Cookies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Using Windows Registry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Chapter 6: Documenting the Investigation

210

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
Obtaining Evidence from a Service Provider . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Documenting a Crime Scene. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Table of Contents

9780789741158_forensics.indb vii

vii

11/20/14 10:48 PM

Seizing Evidence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
Crime Scene Examinations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
Documenting the Evidence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
Completing a Chain of Custody Form . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Completing a Computer Worksheet . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
Completing a Hard Disk Drive Worksheet . . . . . . . . . . . . . . . . . . . . . . . . 217
Completing a Server Worksheet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
Using Tools to Document an Investigation . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
CaseNotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
FragView . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
Helpful Mobile Applications (Apps) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Network Analyzer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
System Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
The Cop App . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Lock and Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Digital Forensics Reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Federal Rules of Civil Procedure (FRCP) . . . . . . . . . . . . . . . . . . . . . . . . . 222
Federal Rules of Evidence (FREvidence) . . . . . . . . . . . . . . . . . . . . . . . . . 222
Writing Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
Time Zones and Daylight Saving Time (DST) . . . . . . . . . . . . . . . . . . . . . 222
Creating a Comprehensive Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
Using Expert Witnesses at Trial . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
The Expert Witness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
The Goals of the Expert Witness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
Preparing an Expert Witness for Trial . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231

viii

Table of Contents

9780789741158_forensics.indb viii

11/20/14 10:48 PM

Chapter 7: Admissibility of Digital Evidence

238

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
History and Structure of the United States Legal System . . . . . . . . . . . . . . . 239
Origins of the U.S. Legal System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
Overview of the U.S. Court System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
In the Courtroom . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
Evidence Admissibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
Constitutional Law . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
First Amendment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
First Amendment and the Internet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Fourth Amendment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
Fifth Amendment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
Sixth Amendment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
Congressional Legislation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
Rules for Evidence Admissibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
Criminal Defense . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
When Computer Forensics Goes Wrong . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
Pornography in the Classroom. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
Structure of the Legal System in the European Union (E.U.) . . . . . . . . . . . . . 278
Origins of European Law . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
Structure of European Union Law . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
Structure of the Legal System in Asia. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
China . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
India . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
Chapter 8: Network Forensics

292

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
The Tools of the Trade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293

Table of Contents

9780789741158_forensics.indb ix

ix

11/20/14 10:48 PM

Networking Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
Proxy Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
Web Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
DHCP Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
SMTP Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
DNS Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
IDS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
Understanding the OSI Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
The Physical Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306
The Data Link Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306
The Network Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306
The Transport Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
The Session Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
The Presentation Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
The Application Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
Advanced Persistent Threats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
Cyber Kill Chain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
Indicators of Compromise (IOC) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
Investigating a Network Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
Chapter 9: Mobile Forensics

320

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
The Cellular Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
Base Transceiver Station . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
Mobile Station . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
Cellular Network Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331

x

Table of Contents

9780789741158_forensics.indb x

11/20/14 10:48 PM

SIM Card Forensics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334
Types of Evidence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
Handset Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
Memory and Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
Battery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
Other Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
Mobile Operating Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
Android OS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
Windows Phone. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
Standard Operating Procedures for Handling Handset Evidence . . . . . . . . . 347
National Institute of Standards and Technology . . . . . . . . . . . . . . . . . . 348
Preparation and Containment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349
Wireless Capabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352
Documenting the Investigation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
Handset Forensics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
Cellphone Forensic Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
Cellphone Forensics Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
Logical versus Physical Examination . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
Manual Cellphone Examinations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
Flasher Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Global Satellite Service Providers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
Satellite Communication Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
Legal Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
Carrier Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
Other Mobile Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
Tablets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
GPS Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364

Table of Contents

9780789741158_forensics.indb xi

xi

11/20/14 10:48 PM

Chapter 10: Photograph Forensics

372

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372
Understanding Digital Photography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375
File Systems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375
Digital Photography Applications and Services . . . . . . . . . . . . . . . . . . . 376
Examining Picture Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
Exchangeable Image File Format (EXIF) . . . . . . . . . . . . . . . . . . . . . . . . . 377
Evidence Admissibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380
Federal Rules of Evidence (FRE) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380
Analog vs. Digital Photographs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
Case Studies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382
Worldwide Manhunt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382
NYPD Facial Recognition Unit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384
Chapter 11: Mac Forensics

390

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390
A Brief History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
Macintosh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
Mac Mini with OS X Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
iPod . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
iPhone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394
iPad. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394
Apple Wi-Fi Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395
Macintosh File Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
Forensic Examinations of a Mac . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398
IOReg Info . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398
PMAP Info . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
Epoch Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
Recovering Deleted Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401

xii

Table of Contents

9780789741158_forensics.indb xii

11/20/14 10:48 PM

Journaling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401
DMG File System. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401
PList Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401
SQLite Databases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404
Macintosh Operating Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404
Mac OS X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
Target Disk Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408
Apple Mobile Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409
iOS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410
iOS 7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410
iOS 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410
Security and Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
iPod . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412
iPhone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
Enterprise Deployment of iPhone and iOS Devices . . . . . . . . . . . . . . . . 426
Case Studies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 426
Find My iPhone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427
Wanted Hactevist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427
Michael Jackson . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427
Stolen iPhone. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427
Drug Bust . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 428
Chapter 12: Case Studies

436

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 436
Zacharias Moussaoui . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437
Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437
Digital Evidence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438
Standby Counsel Objections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439
Prosecution Affidavit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440

Table of Contents

9780789741158_forensics.indb xiii

xiii

11/20/14 10:48 PM

xiv

Exhibits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440
Email Evidence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440
BTK (Bind Torture Kill) Killer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441
Profile of a Killer. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441
Evidence. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442
Cyberbullying . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443
Federal Anti-harassment Legislation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443
State Anti-harassment Legislation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443
Warning Signs of Cyberbullying . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443
What Is Cyberbullying? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444
Phoebe Prince . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444
Ryan Halligan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445
Megan Meier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445
Tyler Clementi . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445
Sports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 449

Index

9780789741158_forensics.indb xiv

458

11/20/14 10:48 PM

xv

About the Author
Dr. Darren R. Hayes is a leading expert in the field of digital forensics and computer security. He
is the director of cybersecurity and an assistant professor at Pace University, and he has been named
one of the Top 10 Computer Forensics Professors by Forensics Colleges.
Hayes has served on the board of the High Technology Crime Investigation Association (HTCIA),
Northeast Chapter, and is the former president of that chapter. He also established a student chapter
of the HTCIA at Pace University.
During his time at Pace University, Hayes developed a computer forensics track for the school’s
bachelor of science in information technology degree. He also created a computer forensics research
laboratory, where he devotes most of his time to working with a team of students in computer
forensics and, most recently, the burgeoning field of mobile forensics. As part of his research and
promotion of this scientific field of study, he has fostered relationships with the NYPD, N.Y. State
Police, and other law enforcement agencies. He also organized a successful internship program at the
cybercrime division of the New York County D.A. Office and the Westchester County D.A. Office.
Hayes is not only an academic, however—he is also a practitioner. He has been an investigator on
both civil and criminal investigations and has been called upon as an expert for a number of law
firms. In New York City, Hayes has been working with six to eight public high schools to develop a
curriculum in computer forensics. He collaborates on computer forensics projects internationally and
has served as an extern examiner for the MSc in Forensic Computing and Cybercrime Investigation
degree program at University College Dublin for four years.
Hayes has appeared on Bloomberg Television and Fox 5 News and been quoted by Associated
Press, CNN, Compliance Week, E-Commerce Times, The Guardian (UK), Investor’s Business Daily,
MarketWatch, Newsweek, Network World, Silicon Valley Business Journal, USA Today, Washington
Post, and Wired News. His op-eds have been published by American Banker’s BankThink and The
Hill’s Congress Blog. In addition, he has authored a number of peer-reviewed articles in computer
forensics, most of which have been published by the Institute of Electrical and Electronics Engineers
(IEEE). Hayes has been both an author and reviewer for Pearson Prentice Hall since 2007.

9780789741158_forensics.indb xv

11/20/14 10:48 PM

xvi

About the Technical Reviewer
Dennis Dragos, President of DDragos Information Security and Investigation Corp. (DDIS) served
20 years in the New York City Police Department. For 11 years, he was assigned to the NYPD
Computer Crimes Squad, Special Investigations Division, Detective Bureau, reaching the rank of 2nd
grade detective. He is currently an adjunct assistant professor of the Cyber Security Systems Program
within the College of Professional Studies at St. John’s University, Queens, N.Y.
Shawn Merdinger is the CISO for Valdosta State University in Georgia. He has worked with
Cisco Systems, 3Com/TippingPoint at University of Florida Health Science Center, and as an independent consultant. His current research focuses on medical device security, and he is the founder
of the MedSec group on LinkedIn. Shawn has presented original research at security conferences
such as DEFCON, Educause, ISSA, InfraGard, Ph-Neutral, ShmooCon, CONfidence, NoConName,
O’Reilly, CSI, IT Underground, CarolinaCon, and SecurityOpus. He holds a bachelor’s degree from
University of Connecticut and a master’s from the University of Texas at Austin.

9780789741158_forensics.indb xvi

11/20/14 10:48 PM

xvii

Dedication
This book is dedicated to my loving wife, Nalini, and my children,
Nicolai, Aine, Fiona, and Shay.

Acknowledgments
I should begin by acknowledging my supportive and patient wife, Nalini, who is my best friend. Long
hours working on a book mean sacrifices for everyone in the family, and my children, Nicolai, Aine,
Fiona, and Shay, have been brilliant. My parents, Annette and Ted, have been mentors throughout my
life, and I will always be in their debt.
Professionally, I should acknowledge the former deans of the Seidenberg School at Pace University,
Dr. Susan Merritt and Dr. Constance Knapp, who have always believed in me and supported me. My
current dean, Dr. Amar Gupta, continues to support my passion for computer forensics and security.
Others who deserve honorable mention are my colleagues at Pace, Dean Jonathan Hill, Dr. Catherine
Dwyer, Dr. Nancy Hale, Dr. John Molluzzo, Dean Bernice Houle, Dr. Susan Maxam, Dr. Richard
Kline, Professor Andreea Cotoranu, Dr. Li-Chiou Chen, Dr. Lixin Tao, Dr. Fred Grossman, Ms.
Susan Downey, Ms. Bernice Tracey, Ms. Fran O’Gara, Dr. Narayan Murthy, Dr. James Gabberty,
Professor Robert Benjes, Ms. Stephanie Elson, Ms. Kimberly Brazaitis, and many others.
The students at Pace University inspire me more than they realize and work many hours in the
computer forensics lab. I appreciate all the hard work and dedication by Pace students Mr. Roman
Perez, Ms. Renee Pollack, Mr. Mario Camilla, Mr. James Ossipov, Mr. Shariq Qureshi, Ms. Eileen
Mulhall, Mr. Matthew Chao, Mr. Jakub Redziniak, and Ms. Fitore Balidemaj, to name but a few.
I wish to acknowledge my good friends from the Computer Crimes Squad, New York Police
Department. We have enjoyed a marvelous relationship with the NYPD for many years, and I have
attended many certification classes with them. My friends and colleagues include Det. Dennis
Dragos, Det. Richard Macnamara, Det. Robert DiBattista, Det. Jorge Ortiz, Det. Joseph Garcia,
Lt. Dennis Lane, Lt. Felix Rivera, Det. Owen Soba, Det. Waldo Gonzalez, Det. John Crosas, and a
number of other wonderful detectives. I have also gained invaluable practical experience by working
with former Lt. John Otero, former Det. Domingo Gonzalez, and former Det. Yalkin Demirkaya.
I would also like to mention other law enforcement and government agencies that have been
marvelous friends and collaborators. They include the New York State Police, Federal Bureau of
Investigation, United States Secret Service, Central Intelligence Agency, Bundeskriminalamt, U.K.
law enforcement, and Europol.
My thanks to Mr. David Szuchman, Mr. Richard Brittson, and Mr. Steven Moran of the New York
County D.A. Office. Thanks also to Mr. Michael Delohery, Bureau Chief, High Technology Crime
Bureau, Westchester County D.A., and his colleagues.

9780789741158_forensics.indb xvii

11/20/14 10:48 PM

xviii

Special thanks to Mr. Ryan Kubasiak, an expert in Mac forensics and my good friend; Mr. Thomas
Ryan, Bristol Global; and Mr. Kenneth Citarella, one of the founding fathers of HTCIA Northeast.
Thanks also to Dr. John Collins, Chairperson; and Mr. Bill Soo Hoo, College of Professional Studies,
New Jersey City University. Ms. Bernadette Gleason, Citi, Ms. Dora Gomez, and Alex Allphin have
been tremendous supporters as well. I appreciate the professional support and guidance from my
good friend Francis X. Schroeder.
My sincere thanks to Mr. Warner Johnston and Ms. Ruth Fasoldt from the Association of Chartered
Certified Accountants USA. Their tremendous support for our work at Pace has been well noted.
I also wish to thank my friends at my alma mater, University College Dublin, Ireland. Dr. Pavel
Gladyshev and Dr. Fergus Toolan have been terrific collaborators, and it was an honor to serve as
extern examiner for their master of science in forensic computing and cybercrime investigation.
Ms. Debra Lesser, Executive Director, Justice Resource Center, has been very kind to me over
the years and has allowed me to work with many magnificent high school teachers, including
Mr. Stephen Bland, from Lehman High School. My thanks also to Ms. Gladys Aviles, Executive
Assistant, and Carolyn Morway, Civic Education Coordinator, at the Justice Resource Center.

9780789741158_forensics.indb xviii

11/20/14 10:48 PM

xix

We Want to Hear from You!
As the reader of this book, you are our most important critic and commentator. We value your
opinion and want to know what we’re doing right, what we could do better, what areas you’d like to
see us publish in, and any other words of wisdom you’re willing to pass our way.
We welcome your comments. You can email or write to let us know what you did or didn’t like about
this book—as well as what we can do to make our books better.
Please note that we cannot help you with technical problems related to the topic of this book.
When you write, please be sure to include this book’s title and author as well as your name and email
address. We will carefully review your comments and share them with the author and editors who
worked on the book.
Email: [email protected]
Mail:

Pearson IT Certification
ATTN: Reader Feedback
800 East 96th Street
Indianapolis, IN 46240 USA

Reader Services
Visit our website and register this book at www.pearsonitcertification.com/register for convenient
access to any updates, downloads, or errata that might be available for this book.

9780789741158_forensics.indb xix

11/20/14 10:48 PM

xx

Introduction
The field of digital forensics is relatively new, and more books are being published on this subject
matter in recent times. The problem is that many of books are very technical but are lacking in terms
of the investigative skills. To be an exemplary computer forensics examiner, you need to have both
technical and investigative skills. For example, simply finding the evidence on a computer is not
good enough—you must be able to place the suspect behind the keyboard. Moreover, a good investigator must be able to think well beyond the scope of the computer. Chapter 11, “Mobile Forensics,”
is a good example of this: an investigator can retrieve an extraordinary amount of evidence about a
user’s activity on a smartphone without actually seizing the device. This book also clearly outlines
the many different skills that are beneficial in the field of computer forensics, including knowledge of
hardware, programming, and the law, as well as the ability to speak a second language and possession
of solid writing skills.
This book assumes no prior knowledge of the subject matter, and I have written it for both high
school and university students and professional forensics investigators. Additionally, other professions can clearly benefit from reading this book—it is useful for lawyers, forensic accountants,
security professionals, and others who have a need to understand how digital evidence is gathered,
handled, and admitted to court. The book places a significant emphasis on process and adherence to
the law, which are equally important to the evidence that can ultimately be retrieved.
The reader of this book should also realize that a comprehensive knowledge of computer forensics
can lead to a variety of careers. Digital forensics examiners and experts work for accounting firms,
software companies, banks, law enforcement, intelligence agencies, and consulting firms. Some are
experts in mobile forensics, some excel in network forensics, and others focus on personal computers.
Other experts specialize in Mac forensics or reverse engineering malware. The good news for graduates with computer forensics experience is that they have a variety of directions to choose from: the
job market for them will remain robust, with more positions than graduates for the foreseeable future.
This book is a practical guide, not only because of the hands-on activities it offers, but also because
of the numerous case studies and practical applications of computer forensics techniques. Case
studies are a highly effective way to demonstrate how particular types of digital evidence have been
successfully used in different investigations.
Finally, this book often refers to professional computer forensics tools that can be expensive. You
should realize that academic institutions can take advantage of significant discounts when purchasing
these products. I also included many free or low-cost forensics tools in the book, and these can be just
as effective as some of the expensive tools. You can definitely develop your own program or laboratory in a budget-conscious way.

9780789741158_forensics.indb xx

11/20/14 10:48 PM

xxi

Register this Book to unlock the data files that are needed to complete the end-of-chapter projects.
Follow the steps below:
1. Go to www.pearsonITcertification.com/register and log in or create a new account.
2. Enter the ISBN: 9780789741158
3. Click on the “Access Bonus Content” link in the Registered Products section of your account

page, to be taken to the page where your downloadable content is available.

9780789741158_forensics.indb xxi

11/20/14 10:48 PM

Chapter

9

Mobile Forensics
Learning Outcomes
After reading this chapter, you will be able to understand the following:
■

The evolution and importance of cellphone forensics;

■

An overview of cellular networks;

■

The type of evidence available from cellphone carriers;

■

Retrieving evidence from a smartphone;

■

Conducting SIM card forensics;

■

Analyzing cellphone operating systems;

■

Legal considerations associated with cellphone investigations;

■

Tablets, GPS and other mobile device forensics; and

■

How to document a cellphone investigation.

Introduction
The field of mobile forensics has exploded in recent times and is now one of the most important areas
of research, for several reasons. First and foremost, the capabilities of cellphones have been greatly
enhanced; these devices are arguably more important than desktop or laptop computers because they
are generally always turned on and usually always mobile. Therefore, they continually record our
movements and our activities and provide tremendous insight into our behavior. Communication on a
cellphone is very different compared to a traditional computer; interestingly, criminals often say or text
things on a cellphone that they would never do on a traditional computer.
Cellphone forensics has not always been taken seriously. Even in 2008, if you had asked someone in
law enforcement about investigating cellphones, you would have typically heard that nobody in the
laboratory worked on cellphones or that cellphones did not hold anything of value. Some people might

320

9780789741158_forensics.indb 320

11/20/14 10:48 PM

Introduction

321

even have said that the only reason for cellphone forensic software was that some suspicious spouses
bought the software to see if their partner was cheating.
Hardware imaging devices have also been used for a number of years but were not originally used
for investigations. Cellebrite sold its hardware to cellphone retailers who needed a device to copy the
contents of a customer’s cellphone and its SIM card to another cellphone, usually when the customer
wanted to upgrade to a new phone. When law enforcement became involved in cellphone investigations, Cellebrite made some minor modifications and began selling many more devices.
Cellphone forensics was always important, but not many people realized its importance. This is not
surprising: The available cellphone forensic software could not work with the vast majority of cellphones. After Internet capabilities were added to cellphones, their importance to investigations grew.
With this demand came better forensic software. Suddenly, more evidence was available, including
email, Internet searches, and social networking activity. Today just about every computer forensics
laboratory has cellphone forensic capabilities. Additionally, there has been a separation of duties in
larger laboratories. For example, one investigator may be responsible for extracting evidence from
the cellphone, while another investigator might be responsible for much of the paperwork, including
subpoenas to cellphone carriers. Yet another investigator may be responsible for gathering and
analyzing data from base transceiver stations. A base transceiver station (BTS) is the equipment
found at a cell site that facilitates the communication of cellphone users across a cellular network.
Cellphone forensics has tremendous challenges, however. A huge number of cellphones still cannot
be imaged. Forensic software and hardware supports only the most popular cellphones—more than
a hundred new cellphones come to market each year, but many will never be supported by forensic
tools. Some of the most problematic cellphones to examine are the inexpensive pay-as-you-go phones
from companies like TracFone. Issues also exist with some cellphones from the other smaller cellular
companies, like Virgin Mobile, Boost, and MetroPCS.
The issue of encrypted mobile platforms and applications for mobile devices developed by companies
like Silent Circle is also relevant. The Blackphone is another challenge for investigators because the
developers claim to protect the user’s privacy through advanced encryption. Investigators also face
a plethora of operating systems running on cellphones today. An investigator working with a laptop
will generally encounter a Microsoft Windows operating system or Apple’s Mac OS X (operating
system). An investigator who obtains a cellphone, on the other hand, could encounter a Symbian, RIM,
Windows, iOS, Android, or other mobile device operating system.
In looking to the future, our dependency on cellphone forensics will only increase, and the number
of vendor-supported cellphones and tablets will expand. The vociferous market for Android and iOS
devices means that the investigator must look outside the device more—to the synced computer, to
the synced devices in the home and at work, and to the cloud. Cellphones continue to have a growing
dependence on cloud computing, which means that investigators will increasingly rely on evidence
that goes beyond the scope of the network carrier. Integrated user applications found on the cellphone,
like Facebook and Gmail, are important and will increase in importance. Moreover, we should continually think outside the box as good investigators do. For example, many smartphone users with newer

9780789741158_forensics.indb 321

11/20/14 10:48 PM

322

CHAPTER 9 Mobile Forensics

cars can pair their device to their automobile to play music and accept calls. These dashboard systems
will also often attempt to download the user’s contacts, which the investigator can later retrieve.
This chapter is called “Mobile Forensics” instead of “Cellphone Forensics” because it discusses other
mobile devices that can hold incriminating evidence, including tablets, personal media players, and
GPS devices. As always, a good digital forensics investigator needs to think beyond the obvious.

The Cellular Network
A cellular network is a group of cells. A cell refers to a geographic area within a cellular network. A
cell site is a cell tower located in a cell. When you make a call with your cellphone, you connect with
a cell tower. The communication is then transmitted to the Mobile Switching Center. The Mobile
Switching Center (MSC) is responsible for switching data packets from one network path to another
on a cellular network. If the user is calling a user on a cellular network managed by another carrier,
the call is routed from the MSC to the Public Switched Telephone Network. The Public Switched
Telephone Network (PSTN) is an aggregate of all circuit-switched telephone networks. The purpose
of the PSTN is to connect all telephone networks worldwide; this is where tolls for connecting calls
across different networks are calculated. Figure 9.1 details the path of a cellphone call.
Cellular Telephone Network

Mobile
Station (MS)

Base Station Subsystem (BSS)

Base Transceiver
Station (BTS)

Mobile Phone
and
SIM card

Base Station
Controller (BCS)
Base Transceiver
Station (BTS)

FIGURE 9.1

Network Subsystem

Mobile Switching
Center (MSC)

Public Switched
Telephone
Network (PSTN)

Service Provider’s server:
- Home Location Register (HLR)
- Visitor Location Register (VLR)
- Equipment Identity Register (EIR)
- Authentication Center (AUC)

Cellular network

Base Transceiver Station
A cell site, also known as a cell tower, can be a stand-alone tower or can be attached to a building
or other structure. The cell tower generally has an antenna with three panels on each side. Typically,
each antenna has three sides. Usually the middle panel is a transmitter, and the two outer panels are

9780789741158_forensics.indb 322

11/20/14 10:48 PM

The Cellular Network

323

receivers. The cell tower is generally over 200 feet high (see Figure 9.2). A tower can contain multiple
antennae, which are owned by different carriers. An antenna can be located on a cell tower or placed
on the side or top of a building.

FIGURE 9.2

Cell tower

Let’sGet
GetPractical!
Practical!
Let’s
Locate Local Cell Towers and Antennae
Understanding the location of cell towers and antennae is helpful, and there are resources to help.
1. Start your web browser and navigate to www.antennasearch.com.
2. In the Street Address field, type 1600 Pennsylvania Ave NW. For City, type
Washington; for State, type DC; and for Zip, type 20006; then click Go.
3. Click Process and then compare your screen to Figure 9.3.

9780789741158_forensics.indb 323

11/20/14 10:48 PM

324

CHAPTER 9 Mobile Forensics

FIGURE 9.3

Search results

4. Click the Download Records link under View Tower Results.
5. In the displayed File Download dialog box, click Open.
The unformatted results display in Excel.
6. Save the file as directed by your instructor and then Exit Excel.
7. On the antennasearch.com website, click View Tower Results.
A Google map displays. You can also click the Satellite button or the Hybrid button for a
different view. You can also use the control to zoom in on a tower.
8. Click one of the cell tower links, and then compare your screen with Figure 9.4.
9. Close your web browser.

9780789741158_forensics.indb 324

11/20/14 10:48 PM

The Cellular Network

FIGURE 9.4

325

Map of cell tower location

As previously noted, the Base Transceiver Station (BTS) is the equipment at the cell site that facilitates communication between the cellphone user and the carrier’s network. A Base Station Controller
(BSC) manages the radio signals for Base Transceiver Stations, in terms of assigning frequencies and
handoffs between cell sites. When moving through an area, several Base Transceiver Stations might
handle your call—a handoff would occur from one BTS to another. There are two types of handoff.
In a soft handoff, a cellular communication is conditionally handed off from one base station to
another, and the mobile equipment is simultaneously communicating with multiple Base Transceiver
Stations. The handoff is conditional because the signal strength on a new BTS are adjudicated. In a
hard handoff, the communication is handled by one Base Transceiver Station at a time, with no simultaneous communication.
BTS Evidence
From a computer forensics perspective, it is important to understand how a cellular network is structured so that the investigator can determine the type of evidence that can be retrieved from the carrier’s
network, even without access to the suspect’s handset. Law enforcement can request cell site records
from a carrier for a particular cellphone user that indicate where the user was, based on data retrieved
from the BTS. It is important for the investigator to specify the desired format for the evidence; getting
the information in a spreadsheet is generally more helpful because the data can be easily sorted and
analyzed. Figure 9.5 shows sample data from a BTS.

9780789741158_forensics.indb 325

11/20/14 10:48 PM

326

CHAPTER 9 Mobile Forensics

FIGURE 9.5

BTS data

To obtain evidence, law enforcement can contact the network carrier and explain the user information
that is needed as part of an ongoing investigation. The investigator should also explain to the provider
that the customer in question should not be notified about the investigation; this is covered under U.S.C.
2703(f). Law enforcement can request that the suspect’s records be preserved for 90 days, pending
acquisition of a search warrant. In the aftermath of Edward Snowden, more third-party services have
stated that they will inform the customer about these requests unless instructed not to do so by a judge.
Under U.S.C. 2307(d), law enforcement can use a court order to obtain cellular tower data.
Subscriber Evidence
In addition to BTS evidence, law enforcement can obtain subscriber information, call detail records,
and PUK codes. Subscriber records are personal details the carrier maintains about customers; they
can include name, address, alternative phone numbers, Social Security number, and credit card information. Call detail records (CDRs) are details used for billing purposes; they can include phone
numbers called, duration, dates and times of calls, and cell sites used. The PIN Unlock Key (PUK) is
an unlock reset code used to bypass the SIM PIN protection.

Mobile Station
The mobile station consists of mobile equipment (handset) and, in the case of a GSM network, a
Subscriber Identity Module (SIM). An International Mobile Equipment Identity (IMEI) number
uniquely identifies the mobile equipment or handset. The initial six or eight digits of the IMEI are
the Type Allocation Code. The Type Allocation Code (TAC) identifies the type of wireless device.
The website www.nobbi.com/tacquery.php allows an investigator to enter a TAC or IMEI to discover
details about a specific device.
The IMEI is generally found by removing the back of the cellphone and then looking under the battery,
as shown in Figure 9.6.

9780789741158_forensics.indb 326

11/20/14 10:48 PM

The Cellular Network

327

IMEI

FIGURE 9.6

IMEI on the cellphone

Let’sGet
GetPractical!
Practical!
Let’s
Locate the IMEI Through the Keypad
When looking for the IMEI, it is proper procedure to look under the battery. However, the IMEI can
be displayed through the keypad:
1. Power on your cellphone.
2. On your keypad, type *#06#.
The IMEI number should display on your GSM cellphone.

9780789741158_forensics.indb 327

11/20/14 10:48 PM

328

CHAPTER 9 Mobile Forensics

A Universal Integrated Circuit Card (UICC) is a smart card used to uniquely identify a subscriber
on a GSM or UMTS network. With a GSM network, the smart card is a SIM; with a UMTS, the smart
card is a Universal Subscriber Identity Module (USIM).
A Mobile Equipment Identifier (MEID) is an internationally unique number that identifies a CDMA
handset (mobile equipment). The MEID was previously referred to as an Electronic Serial Number
(ESN) before it was replaced by a global MEID standard around 2005. An Electronic Serial Number
(ESN) is an 11-digit number used to identify a subscriber on a CDMA cellular network. The ESN
contains a manufacturer code and a serial number that identifies a specific handset. Both the ESN
and the MEID are noted on the handset in both decimal format and hex format. The website
www.meidconverter.com allows users to convert between ESN and MEID and also view both decimal
and hex values of an ESN or MEID. Some providers, like Virgin Mobile USA, provide a lookup feature
for subscriber details using the MEID.
Many CDMA cellphones have a subsidy lock. A subsidy lock confines a subscriber to a certain cellular
network so that a cellphone can be sold for free or at a subsidized price. From a forensics perspective,
this means that the phone’s file system might not be able to be acquired with an active Service
Programming Code (SPC). For example, an iPhone may be available for as little as $99, but you are
locked into a particular carrier and a specific contract. The unlocked iPhone may actually cost over
$700 (depending on the model), but the user can easily switch carriers and is not locked into a two-year
agreement. The unlocked iPhone 4S, for example, will not work on a CDMA network, like Sprint or
Verizon; it will work only on a GSM network. Prepaid cellphone plans offered by T-Mobile and others
in which the subscriber pays full price for the phone can be unlocked. An investigator should understand this because the handset may have been used internationally with a SIM card purchased abroad.
Locked cellphones (with an SPC) are less widely available in Europe, and carrier handset subsidies are
frequently offered less. Prepaid and pay-as-you-go plans are generally more popular. In fact, in some
countries, it is illegal for a cellphone carrier to sell a locked phone.
All cellphones sold in the United States have an FCC-ID. An FCC-ID is a number issued by the
Federal Communication Commission (FCC) indicating that the handset is authorized to operate on
radio frequencies within FCC control. Figure 9.7 shows a sample FCC-ID on a handset.
The FCC-ID can be viewed by removing the back of a cellphone and taking out the battery. Investigators then can enter the FCC-ID on the FCC website (http://transition.fcc.gov/oet/ea/fccid/). After you
enter the FCC-ID, you can download a manual for the cellphone. This is important for an investigator
who might need to know about the features of the cellphone and, more importantly, wants to know how
to remove the cellphone from all networks and external communications for proper containment.
Additional information about cellphones and cellphone carriers can be obtained from the websites
www.phonescoop.com, PDAdb.net, and www.gsmarena.com.

9780789741158_forensics.indb 328

11/20/14 10:48 PM

The Cellular Network

329

FCC-ID

FIGURE 9.7

FCC-ID

SIM Card
The SIM card identifies a user on a cellular network and contains an IMSI. SIM cards are found in
cellphones that operate on GSM cellular networks and usually in iDEN network cellphones. A user
can simply add a SIM card to an unlocked cellphone. Not all U.S. cellphone carriers allow a user to
purchase a SIM card and use the handset on another network. In the European Union (E.U.), generally
all GSM-compatible cellphones can be unlocked. In fact, in some E.U. countries, it is illegal for cellphones to be locked.
The International Mobile Subscriber Identity (IMSI) is an internationally unique number on the
SIM card that identifies a user on a network. The Mobile Country Code (MCC) is the first three digits
of the IMSI. The proceeding two to three digits are the Mobile Network Code (MNC). For example,
MNC 026 for MCC 310 represents the carrier T-Mobile USA. The final part of the IMSI is the MSIN,
which consists of up to 10 digits. A Mobile Subscriber Identity Number (MSIN) is created by a

9780789741158_forensics.indb 329

11/20/14 10:48 PM

330

CHAPTER 9 Mobile Forensics

cellular telephone carrier and identifies the subscriber on the network. The Mobile Subscriber ISDN
(MSISDN) is essentially the phone number for the subscriber. The MSISDN is a maximum of 15 digits
and is comprised of the Country Code (CC), the Numbering Plan Area (NPA), and the Subscriber
Number (SN). Country Codes are relatively easy to find. For example, in the Americas the CC is
1 because it is in Zone 1. For Trinidad and Tobago, it is 1-868. European countries are in Zone 3
and Zone 4. For example, Ireland, in Zone 3, is 353, and the United Kingdom, in Zone 4, is 44. The
Numbering Plan Area for Nassau County, New York, is 516 and is also referred to as the area code.
The SIM card also includes an ICCID. The Integrated Circuit Card ID (ICCID) can be a 19- to
20-digit serial number physically located on the SIM card, or it can contain fewer numbers (see
Figure 9.8).

FIGURE 9.8

SIM card

The first two digits of the ICCID are referred to as the Major Industry Identifier (MII). The ICCID can
be accessed via the SIM card in the EF_ICCID file.
International Numbering Plans
The website www.numberingplans.com is a tremendous resource for mobile forensics examiners
working with GSM cellphones. The website provides “Number Analysis Tools”, which allow the user
to conduct an analysis of the following:
■

Phone number

■

IMSI number

9780789741158_forensics.indb 330

11/20/14 10:48 PM

The Cellular Network

■

IMEI number

■

SIM number

■

ISPC number

331

An International Signaling Point Code (ISPC) is a standardized numbering system used to identify
a node on an international telecommunications network.
Authenticating a Subscriber on a Network
The Mobile Switching Center is where user information passes to the Home Locator Register, Visitor
Locator Register, and Authentication Center. The Home Locator Register (HLR) is a database of a
carrier’s subscribers and includes those users’ home addresses, IMSI, telephone numbers, SIM card
ICCIDs, and services used. The Visitor Locator Register (VLR) is a database of information about a
roaming subscriber. A subscriber can be found on only one HLR but can exist in multiple VLRs. The
current location of a mobile station (handset) can be found on a VLR as well. The VLR also contains
the Temporary Mobile Subscriber Identity. The Temporary Mobile Subscriber Identity (TMSI) is
a randomly generated number that is assigned to a mobile station, by the VLR, when the handset is
switched on, and is based on the geographic location.
The Equipment Identity Register (EIR) is used to track IMEI numbers and decide whether an IMEI
is valid, suspect, or perhaps stolen. The Authentication Center (AuC) is a database that contains the
subscriber’s IMSI, authentication, and encryption algorithms. The Authentication Center issues the
subscriber an encryption key that encrypts wireless communications between the mobile equipment
and the network.

Cellular Network Types
There are two types of cellular service carriers. A Mobile Network Operator (MNO) owns and
operates a cellular network. The following companies are MNOs:
■

Verizon

■

T-Mobile

■

Sprint/Nextel

■

AT&T/Cingular

A Mobile Virtual Network Operator (MVNO) does not own its own cellular network, but operates
on the network of a Mobile Network Operator. For example, Virgin Mobile USA has its own cellular
service but operates on the Sprint Network. This means that two warrants may be needed for an investigation: one for Sprint (the MNO) and one for Virgin Mobile USA (the MVNO) to obtain a suspect’s
records. The following companies are MVNOs:

9780789741158_forensics.indb 331

11/20/14 10:48 PM

332

CHAPTER 9 Mobile Forensics

■

Virgin Mobile USA

■

Net10

■

MetroPCS

■

TracFone

■

Cricket

■

SIMPLE Mobile

■

Boost Mobile

Evolution of Wireless Telecommunications Technologies
Cellular telecommunication technologies include 2G (second-generation), 3G (third-generation), and
4G (fourth-generation) communications. It is important to note that the term cellular telephone network
is not used here because 3G and 4G cellular networks also support mobile broadband Internet services.
Consumers utilizing these services can operate on cellular networks with either a Mi-Fi router or a
plug-and-play USB device. My Wireless Fidelity (Mi-Fi) is a portable wireless router (see Figure 9.9)
that provides Internet access for up to five Internet-enabled devices and communicates via a cellular
network.

FIGURE 9.9

Virgin Mobile USA Mi-Fi mobile hotspot

9780789741158_forensics.indb 332

11/20/14 10:48 PM

The Cellular Network

333

4G is the latest wireless telecommunications standard and supports high-speed large data transmission
rates. 4G Long Term Evolution (LTE) Advanced is a high-mobility broadband communication that
is suitable for use on trains and in other vehicles. Motorola Mobility, which was purchased by Google
in 2011, holds the patent for this technology. 4G LTE was first implemented in Oslo (Norway) and
Stockholm (Sweden).
The International Telecommunication Union (ITU) is an agency of the United Nations that produces
standards for information and communication technologies. The ITU is comprised of 193 members
and more than 700 private sector and academic institutions.
Time Division Multiple Access (TDMA)
Time Division Multiple Access (TDMA) is a radio communication methodology that enables devices
to communicate on the same frequency by splitting digital signals into time slots, or bursts. Bursts are
data packets that are transmitted on the same frequency. 2G GSM networks use the TDMA method of
communication.
Global System for Mobile Communications (GSM)
Global System for Mobile Communications (GSM) is an international standard for signal communications, which uses TDMA and Frequency Division Duplex (FDD) communication methods. Thus,
GSM cellular telephones use bursts. GSM was created by the European Telecommunications Standards Institute (ETSI), which was primarily designed by Nokia and Ericsson. The latest and fastest
GSM standard is 4G LTE Advanced. 3G GSM networks use Universal Mobile Telecommunications
System (UMTS) and Wide Band CDMA (WCDMA) for communication. WCDMA is a high-speed
signal transmission method based on CDMA and FDD methods. TDMA is often described as the
precursor to the GSM protocol, although the two networks are incompatible. T-Mobile and AT&T use
GSM networks in the United States.
When unlocked, GSM handsets can be used on international networks by simply purchasing a SIM
card locally and activating the SIM card with a local carrier. This is important to know because a
suspect could have used a GSM phone internationally, so evidence could have been when the SIM card
was switched.
It should be noted that Karsten Nohl, PhD, has written extensively about security vulnerabilities associated with GSM. Nohl has presented a formula for breaking the A5-1 encryption, which GSM cellphones operating on the T-Mobile and AT&T networks use.
3GP is an audio/video file format found on mobile phones operating on 3G GSM cellular networks.
This standard was developed by the 3rd Generation Partnership Project. 3rd Generation Partnership
Project (3GPP) is a collaboration of six telecommunications standards bodies and a large number
of telecommunications corporations worldwide that provide telecommunication standards. The scope
of their work includes Global System for Mobile Communication (GSM), General Packet Radio
Service (GPRS), and Enhanced Data rates for GSM Evolution (EDGE). More information about 3GPP
is available at www.3gpp.org. General Packet Radio Service (GPRS) is packet-switching wireless

9780789741158_forensics.indb 333

11/20/14 10:48 PM

334

CHAPTER 9 Mobile Forensics

communication found on 2G and 3G GSM networks. Enhanced Data rates for GSM Evolution
(EDGE) is a high-data-transfer technology found on GSM networks. EDGE provides up to three
times the data capacity of GPRS.
Universal Mobile Telecommunications System (UMTS)
Universal Mobile Telecommunications System (UMTS) is a 3G cellular network standard that is
based upon GSM and was developed by 3GPP. As previously noted, UMTS cellphones utilize a USIM
smart card to identify the subscriber on a network. From a forensics perspective, a USIM can store
more files than a SIM card. Communication across the network is via the wideband WCDMA protocol.
Code Division Multiple Access (CDMA)
Code Division Multiple Access (CDMA) is a spread-spectrum communication methodology that uses
a wide bandwidth for transmitting data. This technology, developed by Qualcomm, does not share
channels; it uses multiplexing techniques. Multiplexing is where multiple signals are transmitted
simultaneously across a shared medium. A fiber optic is an example of a shared medium that can use
multiplexing. CDMA2000 is a 3G technology that uses the CDMA communications protocol. CDMA
technology is used by Verizon and Sprint on their U.S. nationwide cellular networks.
3GP2 is an audio/video file format found on mobile phones operating on 3G CDMA cellular networks.
This standard was developed by the 3rd Generation Partnership Project 2. 3rd Generation Partnership Project 2 (3GPP2) is a partnership of North American and Asian 3G telecommunications
companies that develop standards for third-generation mobile networks, including CDMA. For more
information about the work of 3GPP2, its partners, and its members, visit www.3gpp2.org.
Integrated Digital Enhanced Network (iDEN)
Integrated Digital Enhanced Network (iDEN) is a wireless technology developed by Motorola that
combines two-way radio capabilities with digital cellphone technology. iDEN is based on TDMA.
Nextel introduced Push-to-talk, which used iDEN, in 1993, to enable subscribers to use their cellphones like a walkie-talkie (or two-way radio). When using the cellphone with the Push-to-talk feature,
cell towers are not used. iDEN is a proprietary protocol, unlike all the other major cellular networks,
which use standard open protocols.

SIM Card Forensics
The two primary functions of a SIM card are to identify the subscriber to a cellular network and to
store data. We have already discussed the mechanism by which the IMSI on the SIM identifies a user
on a GSM or iDEN network. More important to the investigator is the SIM card’s storage of important
evidence. A SIM is essentially a smart card that is comprised of a processor and memory.

9780789741158_forensics.indb 334

11/20/14 10:48 PM

The Cellular Network

335

SIM Hardware
SIM cards have different form factors. The Mini-SIM is 25mm × 15 mm, and the Micro-SIM is 15mm
× 12mm. There are also embedded SIM cards. Printed on the outside is a unique serial number called
an ICCID. The serial interface is the area where the SIM card communicates with the handset, as in
Figure 9.10.
Serial Interface

FIGURE 9.10

Serial interface

SIM File System
The Electronically Erasable Programmable Read Only Memory (EEPROM) is where the hierarchical
file system exists. The operating system, user authentication, and encryption algorithms are found on
the SIM card’s read-only memory (ROM).
There are three primary components of the file system:
1. Master File (MF) that is the root of the file system
2. Dedicated Files (DFs), which are basically directories
3. Elementary Files (EFs), where the data is held

The latter is where investigators can retrieve a tremendous amount of subscriber information. Abbreviated Dialing Numbers (ADN) contains the contact names and numbers entered by the subscriber.
On the SIM, these contacts are located in the folder EF_ADN. Forbidden Public Land Mobile
Network (FPLMN) refers to cellular networks to which a subscriber attempted to connect but was
not authorized to do so. This information can be found in EF_FPLMN. This data can assist investigators
who want to know where a suspect was located, even if he or she was unsuccessful in connecting to a
network. Last Numbers Dialed (LND) refers to a list of all outgoing calls made by the subscriber. The

9780789741158_forensics.indb 335

11/20/14 10:48 PM

336

CHAPTER 9 Mobile Forensics

folder EF_LND holds this information. EF_LOCI contains the Temporary Mobile Subscriber Identity
TMSI, which is assigned by the Visitor Locator Register (VLR). The TMSI represents the location
where the mobile equipment was last shut down. The TMSI is four octets long and will make no sense
to the investigator. However, the investigator could contact the carrier for assistance with determining
the location represented by the TMSI. Table 9.1 provides the definitions of the acronyms used in the
SIM file system.
TABLE 9.1 SIM File System Acronyms
Acronym

Definition

EF_ADN

Abbreviated Dialing Numbers (ADN)

EF_FPLMN

Forbidden Public Land Mobile Network (FPLMN)

EF_LND

Last Numbers Dialed (LND)

EF_LOCI

Area where the user last powered down the phone

EF_SMS

Short Message Service (SMS)

Figure 9.11 shows the SIM directory structure.

MF (Master
File)

DF (Directory)
Telecom

DF (Directory)
GSM

EF_ADN

EF_SMS

EF_LOCI

EF_LND

EF_FPLMN

FIGURE 9.11

SIM directory structure

9780789741158_forensics.indb 336

11/20/14 10:48 PM

The Cellular Network

337

Access to the SIM
Gaining access to the data on a SIM is challenging if the SIM card has been PIN protected. A PIN on
a SIM is usually four digits long but can be up to eight digits. An investigator has three attempts to get
the PIN correct before the SIM is locked. After that, the device prompts for a PUK (Pin Unlock Key)
or PUC (Personal Unblocking Code. An investigator can request a PUC from the carrier. A Personal
Unblocking Code (PUC) is a code that is available from the carrier and allows a user to remove the
PIN protection from the SIM card.

Note
NOTE
A user can go online and change the PUK. The investigator then would be unable to access the
contents of the SIM without the cooperation from the subscriber.

SIM Card Clone
Similar to hard disk drive cloning, an investigator often chooses to clone a SIM card instead of examining the original SIM card. As a best practice, a SIM card clone should be used in the investigation in
place of the original. Most cellphone forensic tools enable the investigator to clone a SIM card.

Types of Evidence
The range of evidence available from a cellphone is quite different from what can be acquired from a
laptop or desktop. One of the primary differences is the existence of SMS and MMS messages, which
the following section explains in detail.
Short Message Service (SMS)
Short Message Service (SMS) is a text message communication service found on mobile devices.
These text messages can be found in memory on a mobile handset or on a SIM card in the handset.
SMS messages are mostly saved on the handset, but when stored on the SIM card, they can be found
in the DF_TELECOM file.
An investigator can determine whether an SMS message has been read, deleted, or sent based on the
status flag. The byte value changes based on the status of the message. Table 9.2 identifies the values
of the status flag and their meanings.
TABLE 9.2 Values and Descriptions of the Status Flag Value
Status Flag Value (Binary)

Description

00000000

Deleted message

00000001

Read message

00000011

Unread message

00000101

Sent message

00000111

Unsent message

9780789741158_forensics.indb 337

11/20/14 10:48 PM

338

CHAPTER 9 Mobile Forensics

When viewing the text message with a hex editor, an unread SMS message begins with 11, a deleted
message begins with 00, and so forth.
Multimedia Messaging Service (MMS)
Multimedia Messaging Service (MMS) is a messaging service found on most cellphones that allows
the user to send multimedia content, like audio, video, and images. Using a cellphone forensics tool,
the investigator can carve this multimedia content out of the user’s messages. MMS can be retrieved
from a SIM or from the mobile device.

Handset Specifications
Knowledge of handset hardware helps an investigator know how to safely secure the device after it has
been seized. As previously noted, the investigator can research the FCC-ID on the handset online to
identify the features of the mobile device.

Memory and Processing
Cellphones contain a microprocessor, ROM chip, and random access memory (RAM). The operating
system is located in ROM. Secure Digital (SD) cards, particularly microSD cards, are frequently found
in smartphones as well. They can contain the following data:
■

Photos

■

Videos

■

Apps

■

Maps

Many smartphones today are opting not to use a removable SD card, but instead use an internal
Embedded Multimedia Card (eMMC). This memory uses FAT32.

Battery
Four types of cellphone batteries primarily are used: lithium ion (Li-Ion), lithium polymer (Li-Poly),
nickel cadmium (NiCd), and nickel metal hydride (NiMH). The iPhone and BlackBerry Curve use a
lithium ion battery, which is lightweight compared to other batteries.

Other Hardware
Cellphones vary from model to model, but they also generally have a radio module, digital signal
processor, liquid crystal display (LCD), microphone, and speaker. Some models also have a built-in
keyboard.

9780789741158_forensics.indb 338

11/20/14 10:48 PM

Mobile Operating Systems

339

Accelerometer
Another feature that is frequently found on cellphones today is an accelerometer. An accelerometer
is a hardware device that senses motion or gravity and reacts to these changes. For example, the accelerometer facilitates a screen flip when the device is turned sideways or upside-down. Moreover, the
accelerometer enhances the gamer’s experience by allowing the user to turn and move by changing
the angle of the device. The accelerometer has become popular since its integration into the iPad and
iPhone.
Camera
Most cellphones today come with a digital camera that has still photo and video capabilities. Most
smartphones possess features that allow the user to take a photo and quickly upload that picture to a
social networking site like Facebook. In terms of video, many smartphones enable the user to upload
content directly to sites like YouTube. Many smartphones also embed the latitude and longitude of
where the photograph was taken: Most Android cellphones do this by default.

Mobile Operating Systems
As noted in earlier chapters, the purpose of an operating system (OS) is to manage the resources of an
electronic device—usually, a computer. A cellphone’s OS is found in a ROM chip on the phone. From
a computer forensics perspective, knowledge of an OS helps an investigator understand what type of
evidence can be retrieved, the tools required to retrieve the evidence, and where to find the evidence.
The problem for investigators is that mobile devices have so many different operating systems than do
traditional computers. It is helpful to have at least one investigator in your lab become a registered app
developer so that you can access the beta version of the latest mobile operating system version. This
gives you more time to plan and adjust for new security enhancements and changes to system files.

Android OS
Android is an open source operating system based on the Linux 2.6 kernel. In 2005, Google acquired
Android. Android is maintained by the Open Handset Alliance (OHA), a collaborative group of telecom
companies, mobile phone manufacturers, semiconductor, and software companies.
The Android OS is found on smartphones, tablets, and many other consumer electronics. Smartphones
running on the Android platform can be found on the GSM, CDMA, and iDEN cellular networks.
Android phones have tremendous capabilities, thanks to the numerous apps available from the Android
market. However, this wealth of functionality comes at a price when it comes to battery life, and an
investigator should be aware of this. Also bear in mind that a tablet could also have cellular capabilities. Numerous tablets run on Android OS, including Samsung’s popular Galaxy Tab and eReaders,
such as Amazon’s Kindle.

9780789741158_forensics.indb 339

11/20/14 10:48 PM

340

CHAPTER 9 Mobile Forensics

Android is widely found in the auto industry. The Shanghai Automotive Industry Corporation (SAIC)
now runs its media entertainment on the Android platform. The Audi 8 uses both Google Maps navigation and Google Earth. The Nevada Department of Vehicles has approved Android for use in its
self-driving cars. Ford Motor Company and General Motors have also adopted Android for use in their
cars, and the Renault Clio and Zoe have a 7-inch touch-screen dashboard device running on Android.
Android can also be found in home appliances. Dacor has an Android-powered oven, for example, that
operates based on recipes from a tablet. Android has been integrated into refrigerators, which can scan
the barcode on food labels and monitor the freshness of items left in the refrigerator; these refrigerators
also assist consumers with a diet application and help complete a grocery list. Some air conditioners
run on the Android OS and allow for remote control and operation, and a certain LG washer and dryer
appliances runs on Android. In the future, we are likely to see what amounts to an Android ecosystem.
Android File System
An Android device has two types of memory: RAM and NAND. As on a regular computer, RAM is
volatile memory and may contain evidence that includes the user’s passwords. NAND is nonvolatile
flash memory. A page or a chunk on NAND can be anywhere from 512K to 2048K. Android supports
a number of file systems, including Ext4, FAT32, and YAFFS2 (Yet Another Flash File System 2). The
Ext4 file system can be found on the Google Nexus S and appears to be supplanting the YAFFS2 file
system. YAFFS2 is an open source file system that was developed for use with NAND flash memory.
Currently, a forensic analyst must download the YAFFS2 source code and review the files in a hex
editor.
Microsoft’s FAT32 file system resides on Android devices; the FAT32 file system is found on microSD
cards, which are common in many Android handsets. The Linux file system driver for FAT32 is called
VFAT. Android apps also often are run from the microSD card.
The most valuable evidence on an Android is in the libraries, especially the SQLite databases. A
SQLite database is an open source relational database standard, which is frequently found on mobile
devices. The development and maintenance of SQLite is sponsored by the SQLite Consortium, which
includes Oracle, Nokia, Mozilla, Adobe, and Bloomberg.
Samsung Galaxy
Apple may have the lion’s share of the tablet market, but the Samsung Galaxy is the top-selling smartphone. The company has sold well more than 100 million units. Less than a month after its release,
Galaxy S4 sales surpassed the 10 million units sold marker, which translates to 4 units sold every
second. The S4 includes a new feature called Dual Shot that enables the user to simultaneously take a
picture with the front and rear cameras on the device. Users can also add sound to a photo. A feature
known as Group Play allows multiple owners of the S4 to share music, photos, and documents, and also
play games together. The user can also create special albums with a narration to go with the pictures,

9780789741158_forensics.indb 340

11/20/14 10:48 PM

Mobile Operating Systems

341

called Story Album. S Voice is a voice-activated artificial intelligence that comes with Samsung Galaxy
S3, the S4, and certain Galaxy Note tablets. The feature is similar to Apple’s Siri.
Released in September 2013, the Samsung Galaxy Gear is a watch that connects to the Galaxy smartphone. The watch comes complete with a 1.9-megapixel camera, allows 720p video recording, contains
4GB of memory, and supports Bluetooth. This smart watch allows the user to place and answer calls
directly through the watch. Therefore, when seizing a Samsung Galaxy smartphone or tablet, the investigator must be aware that a paired watch may also need to be seized.
Spring 2014 saw the release of the Samsung S5. The impressive part of this device is its 16-megapixel
camera with UHD 4K video recording at 30 fps. The device also comes with a fingerprint scanner,
which can pose accessibility issues for investigators. The device has a heart rate monitor as well,
to help with personalization and prove ownership of the smartphone. The S5 runs on Android 4.4.2
KitKat. Like its predecessor, this device also syncs to a smart watch called Gear 2 Neo.
Android Evidence
Investigators can extract evidence from an Android smartphone in four ways:
1. Logical (hardware/software)
2. Physical (hardware/software)
3. Joint Test Action Group (JTAG)
4. Chip-off

Some mobile forensic software supports logical acquisition of a smartphone, which means that only
user data can be recovered, not system files. Optimally, the investigator should acquire a physical
image when possible. A physical image is generally acquired from a backup or by pushing an exploit
to the device. To retrieve the user files on an Android, the Data Partition must be accessed by rooting
the device.
Joint Test Action Group (JTAG)

Joint Test Action Group (JTAG) is an IEEE standard (IEEE 1149.1) for testing, maintenance, and
support of assembled circuit boards. JTAG has become increasingly important as a way to bypass
security and encryption on a smartphone to obtain a physical dump of the phone’s data.
The RIFF box in Figure 9.12 is used to acquire the data from the circuit board on the cellphone. A full
dump of NAND memory can be obtained. The connectors are carefully soldered onto the JTAG points
on the circuit board. Voltage can be applied to the circuit board using a cellphone battery and can be
monitored using a voltmeter.

9780789741158_forensics.indb 341

11/20/14 10:48 PM

342

CHAPTER 9 Mobile Forensics

FIGURE 9.12

JTAG acquisition with a RIFF box

Chip-Off

When mobile forensics software or a UFED Touch cannot be used, JTAG is the next course of action.
The last resort available to the investigator, when all else fails, is chip-off. Very few computer forensics
labs conduct chip-off because of the high costs involved and because the skills required create a significant barrier to entry; this method is also not always successful. Chip-off can be used to circumvent
encryption on many different circuit boards or be used to access data on a chip when the circuit board
has been damaged. The chip can be removed from the board by applying hot air or infrared to the
soldered pins. The chip can then be added to an adapter (see Figure 9.13) and read.

9780789741158_forensics.indb 342

11/20/14 10:48 PM

343

Mobile Operating Systems

FIGURE 9.13

Chip adaptors

Android Security
Users can secure their Android smartphone in these ways:
■

PIN-protection (a numeric PIN number);

■

Password (alpha-numeric);

■

Pattern lock, where a finger is used to secure the device with gestures (swiping motion); and

■

Biometrics (an iris or retina scan, or perhaps facial recognition).

The pattern lock is also referred to as a gesture. The user swipes a 3×3 grid (9 dots) on the smartphone
screen, and no dot can be swiped more than once. This means that working out the user’s gesture is not
too difficult. The 20-byte hex value found in gesture.key file can be added to a free tool produced
by viaForensics, called viaExtract, to determine the pattern lock. The path to this gesture file is
data/system/gesture.key. The file is encrypted with a SHA-1 hash algorithm. To obtain the
gesture, a physical image of the device is conducted.
Password protection can be the most difficult to crack. The file where the password is stored can be
found here: data/system/pc.key. An investigator can attempt to crack the password using brute force or
can use a dictionary attack.

9780789741158_forensics.indb 343

11/20/14 10:48 PM

344

CHAPTER 9 Mobile Forensics

A PIN on an Android has a maximum of eight digits. After the user unsuccessfully enters the PIN a
number of times, then the user is requested to enter the Gmail login and password.
Some biometric, third-party solutions rely on facial recognition. Interestingly, this type of security can
be bypassed by using a photo of the suspect’s face to unlock the device.
An investigator should also consider searching for the latest security vulnerabilities associated with
Android and other mobile device platforms. Security flaws, as well as application vulnerabilities, are
regularly uncovered and made public online and may provide an opportunity to gain access to valuable
evidence. Of course, investigators must decide whether an approach is forensically sound.
Android Forensics Tools
Many different Android forensics tools are available. viaForensics is one organization that produces
free tools, such as Santoku, which enables the examiner to image an Android device. The company
also produces AFLogical, which performs a logical acquisition of Android 1.5 or higher. The data
acquired is stored on a blank SD card.
Android Applications (Apps)
Android applications (apps) are developed in Java and have an .apk file extension. For Google Play
to accept an Android application, a signed certificate must be associated with the application. Applications run in a Dalvik Virtual Machine (DVM) and have a unique user ID and process. This enforces
application security and prevents data sharing with other apps. Especially helpful for the investigator is
the fact that the date and time when an app is executed are stored on the device. It is the developer that
decides what data will be shared, and therefore the data that the examiner can retrieve is only as good
as what the developer has made available.
The developer has four choices for data storage:
1. Preference
2. Files
3. SQLite database
4. Cloud

SQLite databases can be a great source of evidence for the investigator. The following tools retrieve
data from these relational databases:
■

SQLite Database Browser (http://sqlitebrowser.sourceforge.net/)

■

SQLite Viewer (www.oxygen-forensic.com/en/features/sqliteviewer/)

■

SQLite Analyzer (www.kraslabs.com/sqlite_analyzer.php)

9780789741158_forensics.indb 344

11/20/14 10:48 PM

Mobile Operating Systems

345

Every time an Android user walks past a Wi-Fi hotspot, that hotspot is recorded on that device,
regardless of whether the user attempted to connect to that device. This information can be retrieved
from Cache.WiFi. The data retrieved from this file can be used to map out where a user was moving
from and to. Third-party applications have used this locational information to track where users go
and as a basis for other applications, like traffic alert services. Therefore, an investigator should also
consider the locational data being recorded by third-party apps.
Facebook is one of the most popular apps found on smartphones. It is important to know that just about
all the information stored in a user’s online profile can be found in that user’s smartphone or tablet.
Fb.db is the SQLite database that contains a user’s Facebook contacts, chat logs, messages, photos,
and searches.
A user’s login and password for Exchange can be found in plain text at the following path:
/data/data/com.android.email/databases/EmailProvider.db. A user’s Gmail login and
password can also be found in plain text at com.google.android.gm.
Android smartphones come with a GPS application for turn-by-turn directions, called Navigation. The
SQLite database associated with Navigation is Da_destination.db. This file contains the sound
files (WAV) that can be played to determine the directions a suspect took.
Of course, there is also cellular telephone evidence. SMS and MMS can be found at
/data/data/com.android.providers.telephony. This file includes the sender, recipient, read
status, pictures, and audio/video files. MMS can be found at /data/data/com.android.mms.

Symbian OS
Symbian is a mobile device operating system developed by Nokia and currently maintained by
Accenture. Symbian was the most popular mobile operating system as of 2012, although Android was
the fastest-growing OS. Symbian OS can be found on Nokia, Sony Ericsson, Samsung, and Hitachi
handsets, to name but a few. However, Nokia has been moving away from Symbian OS, in favor of
Windows OS. Nokia has transferred support for Symbian OS to Accenture.
Research in Motion (RIM)
RIM OS is the operating system developed by Research in Motion (RIM) for use on BlackBerry
smartphones and tablets. Although they are limited, BlackBerry APIs are available to allow for thirdparty development. The BlackBerry OS is now open source system, however.
Because many organizations issue their employers BlackBerry devices, these smartphones can provide
a wealth of evidence. The BlackBerry was developed with corporate productivity in mind, so this
device can attain Internet access through a carrier’s data plan but can also work in Wi-Fi hotspots. In
fact, with BlackBerry 7.1 OS, the device can connect to a hotspot and then become a mobile hotspot
for up to five devices. BlackBerry Tablet OS is an operating system developed for the BlackBerry
PlayBook tablet computer. Unlike Google’s Android OS, which runs on handsets manufactured by a
wide variety of providers, RIM OS works only on BlackBerry devices.

9780789741158_forensics.indb 345

11/20/14 10:48 PM

346

CHAPTER 9 Mobile Forensics

It is important for an investigator to understand that, even without access to the BlackBerry handset,
the investigator can access a wealth of handset evidence from the computer that a suspect or victim
synced to. An IPD Backup File is file backup from a BlackBerry that is found on a synced computer
or medium. The files can be recognized by their .ipd file extension. More importantly, these IPD files
are unencrypted and might be more accessible from a computer than from the device itself (which
could be PIN protected).
Many tools available allow an investigator to parse, view, and search through these files. One tool is
Elcomsoft Blackberry Backup Explorer. The software works with the IPD files on a Mac or Windows
computer and can extract email, SMS, MMS, call logs, Internet activity, appointments, photos, and
other user-created files. Elcomsoft also produces a password recovery utility for purchase. Figure 9.14
shows an image of the BlackBerry Curve, which is still a popular smartphone.

FIGURE 9.14

BlackBerry Curve

9780789741158_forensics.indb 346

11/20/14 10:48 PM

Standard Operating Procedures for Handling Handset Evidence

347

Windows Phone
Windows Phone is a Microsoft operating system that can be found on personal computers, mobile
phones, and tablets. It resides on mobile phones manufactured by HTC, Samsung, Nokia, and others.
Examining Windows smartphones can be problematic and often requires JTAG to download data from
the handset. The good news is that the files downloaded using JTAG are NTFS and do not need to
be converted. Internet Explorer Mobile is the web browser, based on Internet Explorer 9, found on
Windows Phone devices. People Hub is an address book tool found on Windows Phone devices that
can synchronize contacts from social networking sites like Facebook, Twitter, and LinkedIn. Windows
Phone supports POP and IMAP email protocols, including Hotmail, Gmail, and Yahoo! Mail, and can
sync contacts and calendars from these services. Zune is the application used for managing multimedia
files on Windows Phone devices. As one would expect, .WMV files are supported, but so too are AVI,
MP4, MOV, and 3GP/3G2 file formats.
Windows Phone Applications
Bing Mobile is the search engine included with Windows Phone. Tellme is a Microsoft tool found on
Windows Phone, which is used for voice recognition commands for Bing searches, to call contacts or
to activate applications. Bing Maps is a vehicle navigation system that comes with Windows Phone.
Office Hub coordinates Microsoft Office applications and documents. Microsoft Office Mobile
includes Excel Mobile, Word Mobile, PowerPoint Mobile, and SharePoint Workspace Mobile, all of
which are compatible with the desktop versions of Microsoft Office.
Other Mobile Operating Systems
There are some other operating systems that an investigator may encounter. Bada is an operating
system that was developed by Samsung Electronics. Handsets that run Bada OS usually have “Wave”
in the name. Some mobile phones also run Linux OS. For example, the Nokia N900 smartphone’s
operating system is Maemo 5, which is Linux based, but it can run full Linux OS. Some people refer
to this device as a “hacker phone.”

Standard Operating Procedures for Handling
Handset Evidence
Laboratories and their investigators must use best practices for cellphone examinations. Luckily,
guidelines are available to use as the basis for the laboratory’s standard operating procedures (SOP).
An organization’s SOP varies from place to place primarily as a result of differences in organizational budgets; this then impacts the resources (equipment, personnel, training, and so on) the lab has
available.
When documenting the examination of a cellphone, it is important to document every person who
came in contact with the device. For example, some onsite police are instructed to place a handset into

9780789741158_forensics.indb 347

11/20/14 10:48 PM

348

CHAPTER 9 Mobile Forensics

Airplane Mode when it is seized, and that needs to be documented; if the device was dusted for fingerprints before its arrival at the computer forensics lab, that also should be a part of the investigative
report.

National Institute of Standards and Technology
The National Institute of Standards and Technology (NIST) provides standard operating procedures
for a variety of scientific practices, including cellphone forensics. NIST Special Publication 800-101
Revision 1 (final) issued guidelines on cellphone forensics in 2014. NIST is a well-recognized organization, and computer forensics investigators should be familiar with its guidelines.
Four steps are involved in a forensic examination:
1. Preservation
2. Acquisition
3. Examination and analysis
4. Reporting

NIST Resources for Tool Validation
The first point to make is that, as with every other forensic tool in a computer forensics lab, all tools
should be validated prior to their use in investigations. It is essential to use test data and follow a set
of investigative protocols to determine the data that can be extracted. Comparisons also should be
made with other cellphone tools. Questions about this validation process may arise during a court trial.
Validation also incorporates the use of cryptographic hashes, like MD5 or a SHA1 or a SHA2 hash,
to ensure that the results from using a particular tool can be reproduced with the exact same outcome.
During the validation process, error rates should be clearly documented.
NIST provides examiners with tremendous resources to assist with testing tools. The Computer Forensic
Tool Testing (CFTT) project provides guidelines for testing computer forensics tools, including test
criteria, test sets, and test hardware. More information can be found at www.cftt.nist.gov/.
The National Software Reference Library (NSRL) provides guidance on effectively using technology
in investigations that require the examination of digital evidence. More information can be found at
www.nsrl.nist.gov/.
NIST has provided test datasets of digital evidence. The Computer Forensic Reference Data Sets
(CFReDS) for digital evidence are test data that can be used to validate forensic tools, test equipment,
and train investigators. More information is available at www.cfreds.nist.gov/.
Computer forensics investigators should also be familiar with the U.S. Department of Justice’s NIJ
report Electronic Crime Scene Investigation: A Guide to First Responders. This is a general guide to
computer forensic investigations.

9780789741158_forensics.indb 348

11/20/14 10:48 PM

349

Standard Operating Procedures for Handling Handset Evidence

The Association of Chief Police Officers (ACPO) and other standards have noted the importance of
making sure evidence is not changed after it is subjected to an examination. According to the ACPO:
No actions performed by investigators should change data contained on digital devices or storage
media that may subsequently be relied upon in court.
With cellphones, a fundamental problem arises when it comes to a forensics. Cellphones generally
have small onboard memory capacity, so memory utilization and compression is essential. This,
coupled with the fact that these devices are continually connected to a cellular network, means that the
data on a cellphone is continually changing. When a computer forensics examiner attempts to extract
evidence from a cellphone, changes can be made to the cellphone. What is important to remember is
that the user-created data can remain unaltered when using best practices. Therefore, the evidence is
admissible when the process is documented appropriately. Some investigators still contend that “cellphone forensics” does not exist and that there are only “cellphone examinations.”

Preparation and Containment
Containing a cellphone should be a careful but expeditious process. According to the U.S. Department
of Justice (NIJ) guidelines, in the Electronic Crime Scene Investigation—A Guide for First Responders
book, investigators should follow these steps:
■

Securing and evaluating the scene—Steps should be taken to ensure the safety of individuals
and to identify and protect the integrity of potential evidence.

■

Documenting the scene—Investigators should create a permanent record of the scene,
accurately recording both digital-related and conventional evidence.

■

Evidence collection—Traditional and digital evidence should be collected in a manner that
preserves its evidentiary value.

■

Packaging, transportation, and storage—Investigators should take adequate precautions
when packaging, transporting, and storing evidence, to maintain the chain of custody.

Therefore, the investigator should first document the crime scene, including making notes and taking
photographs. The investigator should then properly contain the cellphone. Proper containment means
removing the device from the network. The following containers can be used to remove the device
from wireless networks:
■

Faraday box

■

RF Shield box

■

MFI Shielding Cloth (see Figure 9.15)

9780789741158_forensics.indb 349

11/20/14 10:48 PM

350

CHAPTER 9 Mobile Forensics

■

Paraben StrongHold bag (see Figure 9.16)

■

Arson can

FIGURE 9.15

MFI Shielding Cloth

A Faraday box can be expensive, whereas an arson can may serve as a cheaper option and still be very
effective. An even cheaper alternative is tin foil. Some investigators place a cellphone in a Faraday box
but leave a cable hanging out, to continue charging the phone. The problem is that a charging cable can
actually work like an aerial. The issue with containment of a cellphone is that the device will boost the
signal in an attempt to connect to the cellular network, which drains the battery faster. Smartphones,
like the iPhone and Android phones, will require frequent charging because of the number of applications that simply drain the battery faster. Once the phone shuts down, there is the risk of encountering
a user’s handset PIN or a SIM card PIN (or both).

9780789741158_forensics.indb 350

11/20/14 10:48 PM

Standard Operating Procedures for Handling Handset Evidence

FIGURE 9.16

351

Paraben StrongHold bag

Forensic Shield Box
Concentric Technology Solutions produces a series of RF Shield Boxes for securing cellphones and
blocking external signals (ramseyforensicbox.com). These Shielded Test Enclosures not only prevent
wireless signals from being received by the device, but also include a power source for the devices
housed in the box. The boxes can be padlocked for additional security. The box is also illuminated and
fitted with gloves so that the investigator can examine the cellphone in the box. Ports can also be added
to the box so that they can be imaged without removing the device. Additionally, investigators can use
a feature that allows them to record video and audio of the examination of the device in the box.

9780789741158_forensics.indb 351

11/20/14 10:48 PM

352

CHAPTER 9 Mobile Forensics

Wireless Capabilities
Today’s cellphones have many wireless capabilities. Apart from cellular communications, many cellphones have infrared (IrDA), Wi-Fi, or Bluetooth wireless capabilities built in. This is important to
remember when containing a cellphone device.
A cellphone can also be properly contained by doing the following:
■

Remove the SIM card (if it has one)

■

Change setting to Airplane Mode

■

Disable the wireless connection

■

Disable the Bluetooth connection

Using the FCC-ID and finding the cellphone’s manual can help with finding the wireless capabilities of
the device and removing the device from all potential wireless connections.

Let’sGet
GetPractical!
Practical!
Let’s
Identify the Features of a Cellular Phone
Detailed information about all devices operating on frequencies controlled by the FCC is available
online. You will need Adobe Reader installed to complete this practical.
1. Start your web browser and navigate to http://transition.fcc.gov/oet/ea/fccid/.
Ensure that any Pop-Up Blocker feature on your web browser is disabled.
2. Using your own cellphone, remove the back of the device and then remove the battery so
that the FCC-ID on the device is displayed.
3. Enter the FCC-ID in the Grantee Code box and in the Product Code box, as shown in
Figure 9.17.
4. Click the Search button.
5. Review the displayed documents, and then document the features of the device, including
wireless features and the type of network it operates on (for example, CDMA or GSM).
6. Submit the report as directed by your instructor.

9780789741158_forensics.indb 352

11/20/14 10:48 PM

Standard Operating Procedures for Handling Handset Evidence

FIGURE 9.17

353

FCC-ID lookup page

Some organizations use signal jammers in their computer forensics labs to block all radio transmissions and interference with cellphones. However, the FCC has reiterated that these devices are illegal
to use, even for law enforcement, because in an emergency situation, a person in distress might not be
able to contact emergency services. A signal jammer can be used if a license is obtained officially from
the FCC. For example, a bomb disposal squad might get permission to use a signal jammer to prevent
the remote detonation of a bomb; terrorists often use a cellphone to detonate a bomb.
The cellphone carrier can also be contacted to ensure that the phone is removed from the network.
Criminals often report a cellphone lost to erase the contents of the cellphone, so moving fast to remove
the device from the network rapidly is critical.
Charging the Device
Keeping a cellphone’s battery charged is critical. Smartphones, especially Android and iPhones, have
notoriously poor battery life because of the many applications that quickly consume the phone’s
charge. Given that many smartphones are PIN protected and that containing a phone in a Faraday box
will boost the signal and battery usage, finding a charger quickly is vital.

Note
NOTE
Never keep a cellphone in a container like a Faraday box with a charging cable sticking out: A
charging cable can act as an aerial. Never charge a seized cellphone via a computer, or you are
likely to change evidence on the phone.

9780789741158_forensics.indb 353

11/20/14 10:48 PM

354

CHAPTER 9 Mobile Forensics

Documenting the Investigation
Most forensic tools, like Paraben’s Device Seizure AccessData’s MPE+, have a built-in report feature.
The investigator’s report should ultimately include the following details:
Device specifications, including details about the SIM card
■

Where the device was seized

■

How the device was seized (copies of consent form or warrant)

■

Preparation techniques, including removing the device from the network

■

Forensic tools used to acquire the evidence

■

Evidence acquired (SMS, MMS, images, video, contacts, call history, etc.)

■

Carrier evidence (subscriber details and call detail records)

■

Application service evidence (e.g. Gmail from Google’s e-mail servers)

Naturally, photographs of the location where the device was seized, the device itself and all relevant
numbers (ICCID, IMEI, etc.) should be taken.

Handset Forensics
A SIM card provides a tremendous amount of evidence, as does an SD card. However, examining the
onboard memory on the handset itself is equally important. Both software and hardware forensics solutions are available.

Cellphone Forensic Software
Several innovative software programs can effectively perform cellphone forensics, including these:
■

BitPim

■

Mobile Phone Examiner (MPE+)

■

MOBILedit! Forensic

■

Device Seizure

■

SIMcon

■

XAMN

Each is described in greater detail here.

9780789741158_forensics.indb 354

11/20/14 10:48 PM

Handset Forensics

355

BitPim
BitPim is an open source tool that allows you to view and manipulate files on a many CDMA phones.
Mobile phones supported by BitPim include Samsung, LG, Sanyo, and many other cellphones that
contain Qualcomm CDMA chipsets. The software can be downloaded for free from www.bitpim.org.
Mobile Phone Examiner (MPE+)
This tool enables the investigator to examine a wide range of cellular handsets and SIM (or USIM)
cards. The tool enables the examiner to carve data. In other words, it separates images and video and
audio files that are embedded in MMS files. MPE+ enables the user to enter a PIN for PIN-protected
handsets and SIM cards. Moreover, the tool enables the user to enter a PUK code to bypass the PIN on
a SIM card.
The files acquired by MPE+ can be exported as a PDF or exported in Microsoft Excel (CSV file).
Image files of the handset or SIM card are in an AD1 format, which can be opened in either MPE+ or
AccessData’s FTK.
An academic version of MPE+ comes with instructor and student manuals, the software, and mobile
phone files for practical classroom labs.
MOBILedit! Forensic
MOBILedit is an organizational tool for a smartphone user’s contacts, messages, media, and other files
that is installed on the user’s computer. A forensic edition can be used to extract cellphone files and
generate investigation reports.
Device Seizure
Developed and distributed by Paraben Corporation, Device Seizure is well known by mobile forensic
examiners because the software supports more devices than many software tools. The tool’s capabilities include mobile phones, tablets, iPhones, PDAs, and GPS devices. Figure 9.18 displays Device
Seizure’s user interface.
Paraben also supplies device containment supplies, such as its StrongHold Bag, StrongHold Box
(Faraday box), and Project-A-Phone for manual examinations.

9780789741158_forensics.indb 355

11/20/14 10:48 PM

356

CHAPTER 9 Mobile Forensics

FIGURE 9.18

Device Seizure user interface

SIMcon
SIMcon is an application that works with a SIM card reader to recover deleted messages, contacts, call
logs, and other user files. Similar to other cellphone forensic tools, it does produce MD5 and SHA-1
hash values of evidence. Although the tool works only with SIM cards, it is a low-cost forensic tool
used by many in law enforcement.
XAMN
Micro Systemation produces software and a hardware field kit for forensics examiners. The company
also provides a helpful link analysis tool that some other vendors provide. XAMN is a link analysis
tool. Link analysis allows an investigator to add the images from multiple smartphones and quickly
identify commonalities between the phones, including contacts. Link analysis can detail accomplices
or victims that suspects may have in common. The tool can also map out where a suspect or victim
was traveling, based on cellular tower, Wi-Fi hotspot, or photo geotag data. In addition, XAMN has a
timeline and calendar function. As you can imagine, a tool that graphically represents how suspects are
linked through data retrieved from their cellphones and maps out where they have been not only saves
time, but also can be invaluable to determine what transpired when a crime was committed.

9780789741158_forensics.indb 356

11/20/14 10:48 PM

Handset Forensics

357

Note
NOTE
Other reputable cellphone forensic tools are available, all with their unique strengths and features:
■

BKForensics: Cell Phone Analyzer

■

Katana Forensics: Lantern

■

Oxygen: Oxygen Forensic Suite

■

CDMA SoftWare: CDMAWorkshop

■

Motorola-Tools.com: Flash&Backup

■

MediaFire: Nokia Flash Tool

■

Susteen: Secure-View

Cellphone Forensics Hardware
Investigators have numerous software solutions for imaging cellphones and tablets, but they also can
use hardware devices for this. Some of these hardware devices are helpful when examining cellphones
in the field because they can be charged and have write-blocking capabilities built in.
CellDEK
CellDEK is a mobile forensics hardware device manufactured by Logicube. The CellDEK is a device
that can be used in the field for imaging mobile phones and navigation systems, like Garmin and
TomTom. The device supports iOS devices, like the iTouch and iPhone and numerous smartphones.
Cellebrite
Cellebrite’s Universal Forensics Extraction Device (UFED) is a hardware device that can be used for
logical and physical extractions from cellphones and GPS devices. UFED is very well regarded in the
industry, and many law enforcement computer forensics laboratories have the device. Part of UFED’s
success stems from the wide range of phones supported by Cellebrite, including iOS, Android, and
RIM devices. The UFED Touch can be used in a laboratory or in the field, which appeals to law
enforcement. Figure 9.19 shows a UFED Touch.

9780789741158_forensics.indb 357

11/20/14 10:48 PM

358

CHAPTER 9 Mobile Forensics

FIGURE 9.19

UFED Touch from Cellebrite

Logical versus Physical Examination
Mobile forensic tools provide a logical or physical extraction of evidence from a cellphone—or sometimes both. Similar to examining a personal computer, a logical examination of a cellphone provides a
traditional view of the directories, files, and folders, and it can be compared to the interface we see with
Windows File Explorer on a PC or Finder on a Mac. The physical view refers to the actual location and
size of files in memory. Only a physical examination can retrieve deleted messages and other deleted
files.
A major difference with computer forensics and mobile forensics is that, with a physical view of files
on a computer, we can find file fragments. However, when an SMS text message is deleted, you can
typically be certain that the message has been removed and no message fragments exist. A physical
extraction can resurrect some deleted files, however.

Manual Cellphone Examinations
In the absence of a mobile forensic imaging tool, the investigator is forced to manually examine the
cellphone. This happens frequently, especially with lower-end prepaid phones offered by companies,
like TracFone. Tools for these phones are generally nonexistent. This is especially a problem when
there is no data port on the handset. Sometimes data can be downloaded from the device through
Bluetooth. When traditional imaging is not an option, the investigator acts as a “field jockey” and

9780789741158_forensics.indb 358

11/20/14 10:48 PM

Manual Cellphone Examinations

359

thumbs through the phone’s contents, taking photos along the way. Project-a-Phone and Fernico ZRT
are two tools designed for photographing cellphone screens, although using a regular digital camera
can suffice. Documenting the process in detail is critical nevertheless. The reason for using a solution,
like Project-a-Phone (see Figure 9.20) is that the tool comes with a reporting tool to make the process
easier.

FIGURE 9.20

Project-a-Phone

Flasher Box
In the absence of a cellphone forensic imaging solution, one might expect to perform a manual examination using Project-A-Phone or a similar device. Consider what happens when an examiner cannot
bypass the cellphone’s PIN or if the phone is damaged. As a last resort, some investigators will use a
flasher box. A flasher box is a device used to make a physical dump of a cellphone.

9780789741158_forensics.indb 359

11/20/14 10:48 PM

360

CHAPTER 9 Mobile Forensics

There are disadvantages, though, to using a flasher box. Using the device may change the data on the
cellphone. Additionally, an examiner using such a device should have proper training. The device does
not create a helpful MD5 hash for you. Nevertheless, NIJ and ACPO discuss the use of flasher boxes in
their standard operating procedures. Moreover, flasher boxes were initially a solution before advanced
cellphone forensic tools became available.

Global Satellite Service Providers
Wireless telephones do not always operate on a cellular network. In fact, most of the world’s surface
area does not have cellular service. Thus, a ship in the middle of the ocean or an expedition to the
Antarctic cannot rely on a local cell site to route calls. Instead, these telephones communicate with
other telephones through satellites. Emergency personnel can also use these telephones during a crisis
situation, like an earthquake.

Satellite Communication Services
Iridium Communications maintains a group of 66 satellites called the Iridium Satellite Constellation.
These satellites operate in a low orbit approximately 485 miles into the Earth’s atmosphere. The
company also provides global satellite phones that go beyond traditional terrestrial cellphones. These
cellphones can provide direct communications via satellite linkages in areas without cell site coverage,
such as in the middle of the Atlantic Ocean or in the Arctic. Globestar is a similar satellite phone
provider. SkyWave Mobile Communications provides satellite and General Packet Radio Service for
transportation, mining (oil and gas), heavy equipment, and utility companies.
Inmarsat PLC, a British satellite company, provides similar phone service through 11 geostationary
telecommunications satellites. The company provides Global Maritime Distress & Safety Services
(GMDSS).

Legal Considerations
As noted in Chapter 7, “Admissibility of Digital Evidence,” under the Fourth Amendment, a government
agent must obtain a warrant to conduct a search. This is true in the case of cellphones. However, there
are exceptions to this rule, including consent, incident to arrest, or exigent circumstances. Exigent
circumstances imply that a warrantless search was required to save a life (for example, in the case of
a kidnapping).
When applying for a search warrant, the investigator should describe the cellphone and include the
following details:
■

Make

■

Model

9780789741158_forensics.indb 360

11/20/14 10:48 PM

Other Mobile Devices

■

Serial number (if available)

■

Manufacturer

■

Telephone number

■

Location of the device (address and specific location)

361

If available, the investigator should also include the IMEI or MEID of the phone. In addition, the
investigator should detail the type of evidence he or she wants to acquire (SMS, MMS, contacts, and
so forth).

Carrier Records
The investigator can also obtain corroborating evidence from the cellular carrier, in the form of
subscriber records and call detail records. The carrier uses subscriber records for billing, and the call
detail records provide information about the location and time a cellphone was used to make calls.
Remember, a call can be traced to multiple cell sites and can identify a route taken by the suspect. Call
detail records identify the location of the handset at a particular location; it is up to the investigator to
link the suspect to that handset. When obtaining call detail records, the investigator should request the
data in a particular format (such as CSV) and also request information about how to interpret cell site
codes that are provided. The carrier can send the investigator a voicemail reset code when requested.

Other Mobile Devices
Numerous other devices can be of evidentiary value to investigations. These devices include tablets,
GPS devices, and personal media devices.

Tablets
As with cellphones, many different types of tablets are on the market. The software and operating
systems running on these devices are very similar. iOS and Android are the most widely found operating systems running on tablets. Some tablets also come with a data plan that runs on a cellular
network. Computer forensic tools like Device Seizure, Cellebrite, and BlackLight support a number of
tablets. Figure 9.21 shows Amazon’s Kindle, which runs on Android OS.

9780789741158_forensics.indb 361

11/20/14 10:48 PM

362

CHAPTER 9 Mobile Forensics

FIGURE 9.21

Amazon Kindle

GPS Devices
GPS devices can be used for maritime navigation, driving, and aviation. Handheld devices are used
for recreation, like biking and hiking, or can be used by emergency services during disasters. Many
of these devices, like TomTom, can be imaged by forensic tools like Cellebrite and Paraben’s Device
Seizure. Many of these devices come with an SD card, which can be valuable to an investigator. An
investigator may also find evidence on a user’s synced computer.
Four primary sources of evidence are available from a GPS device: trackpoints, track log, waypoint,
and route. More recent GPS devices also contain data about cellphones that were connected via Bluetooth or even Internet searches. Motonav is one example of the expanded services now available.
Devices like Motonav, may possess data from the synced cellphone like the user contacts. General
Motors (GM) OnStar service is another potential source of data for investigators. GM stores GPS data
from vehicles with the built-in OnStar service. GM’s monitoring has sparked controversy because
the company can disclose this information to third parties, even after the subscriber has terminated
services. The TomTom satnav navigation system also caused controversy when it was discovered that
the company was sending historical driver GPS routing data to police in the Netherlands. The user data
from the TomTom helped police set up speed traps, based on driver habits.
A trackpoint is a geo-locational record that is automatically captured and stored by a GPS device.
Trackpoints are not created by the user. For example, when a GPS device is turned on, a trackpoint,

9780789741158_forensics.indb 362

11/20/14 10:48 PM

Other Mobile Devices

363

recording the current location is made, and then subsequent trackpoints are created at predetermined
intervals. A track log is a list of trackpoints that can be used to re-create a route.
A waypoint is a geo-locational point of interest created by a user. Waypoints are often created to note
places of interest, like a restaurant or a hotel, as part of a longer route. Finally, a route is a series of
user-created waypoints on a trip.
GPS Tracking
Since 2009, all cellphones are federally mandated to have a GPS chip embedded in the device. In 2003,
the U.S. Federal Communications Commission’s E-911 Mandate was introduced. Enhanced 911 is a
federal mandate that stipulates that all handset manufacturers must ensure that caller ID and locational
data can be obtained from a cellphone subscriber making a 911 call. Therefore, the police can locate
a person in distress using Assisted GPS, which uses the GPS chip in your cellphone and triangulation
rather than simply relying on cell site data. Interestingly, the infamous hacker Kevin Mitnick eluded
law enforcement for many years, yet it was his cellphone that led the FBI to discover his whereabouts
using triangulation. A Public Safety Access Point (PSAP) is a call center that receives emergency
requests from the public for police, medical, or firefighter services.

Case Study
To Catch a Murderer: A Case Study
A Public Safety Access Point can assist police by tracking a subscriber’s cellphone in real time.
In October 2004, Fred Jablin was found dead in his home on Hearthglow Lane in Richmond,
Virginia. Detective Coby Kelley quickly suspected Jablin’s ex-wife, Piper Rountree, and quickly
obtained a warrant for Rountree’s cellphone records. Fred Jablin, distinguished chair at the
University of Richmond, had suffered a very nasty divorce and custody battle with Rountree, and
Jablin had won sole custody. By September 2004, Rountree was in trouble: She owed $10,000
in back alimony.
Detective Kelley obtained the cellphone records for Piper Rountree’s cellphone, which placed the
phone at the scene of the crime. Kelley tracked the cellphone going east on I-64 toward Norfolk
Airport. A brief interruption in signal location occurred before the phone could be tracked again
in Baltimore, Maryland. Of course, Rountree stated that she had not been in Virginia at the time
of the murder, but was actually in Houston, Texas. She also stated that her sister, Tina Rountree,
often used her cellphone.
Piper Rountree called her son 14 hours prior to the murder and mentioned that she was in Texas,
although her cellphone was pinging towers in Virginia. On October 21 (a few days prior to the
murder), Rountree purchased a wig on the Internet, using her own account, but the wig was
delivered to her former boyfriend’s P.O. Box in Houston. Piper Rountree was attempting to use
the wig to pose as her sister, Tina. A Southwest Airlines employee later testified that he had
witnessed Piper Rountree boarding a plane to Virginia. On May 6, 2005, Piper Roundtree was
sentenced to life in prison plus three years for use of a firearm in a crime. This case clearly illustrates how important cellphone evidence was in corroborating evidence used at trial.

9780789741158_forensics.indb 363

11/20/14 10:48 PM

364

CHAPTER 9 Mobile Forensics

Summary
Mobile forensics has become extremely important for investigations because of the wealth of evidence
it can provide. This type of information can even be more important than the evidence gleaned from a
traditional computer because cellphones are always on and we carry them everywhere. Forensic tools
have improved over the past five years, but we still have many devices that are not supported. With the
growing importance of cellphone forensics, investigators are reaching out beyond the cellphone to the
cellular carrier and cloud computing service providers.
Cellphones are problematic to analyze because so many different operating systems and device models
are available, and the data on these devices continually changes because of network connections and
their small onboard memory. The contents of a smartphone cannot be analyzed as one mass media
device because of removable memory and SIM cards (GSM phones).
A variety of cellular networks exist, with GSM and CDMA being the predominant network protocols.
Understanding these networks helps investigators understand where the evidence is located. Mobile
Network Operators, like Sprint and Verizon, own and operate networks; a Mobile Virtual Network
Operator provides service but does not own the cellular network infrastructure.
Other mobile devices, like tablets and GPS electronics, also are important to investigators. A tablet can
have Internet service through a cellular network. Broadband USB and Mi-Fi cards also use cellular
networks.
Investigators should always test forensic tools prior to their use. Many cellphones are not supported
by forensic tools, so a manual investigation must be conducted. Investigators should also be aware
of NIST, NIJ, and ACPO standard operating procedures for investigating digital devices. Proper care
should be afforded when containing the device, charging the device, and ensuring isolation from a
variety of wireless networks.

KEY TERMS
3GP: An audio/video file format found on mobile phones operating on 3G GSM cellular networks.
3GP2: An audio/video file format found on mobile phones operating on 3G CDMA cellular networks.
3rd Generation Partnership Project (3GPP): A collaboration of six telecommunications standards
bodies and a large number of telecommunications corporations worldwide that provides telecommunication standards.
3rd Generation Partnership Project 2 (3GPP2): A partnership of North American and Asian 3G
telecommunications companies that develop standards for third-generation mobile networks, including
CDMA.
4G Long Term Evolution (LTE) Advanced: A high-mobility broadband communication that is
suitable for use on trains and in other vehicles.

9780789741158_forensics.indb 364

11/20/14 10:48 PM

Summary

365

abbreviated dialing numbers (ADN): Contains the contact names and numbers entered by the
subscriber.
accelerometer: A hardware device that senses motion or gravity and reacts to these changes.
Android: An open source operating system based on the Linux 2.6 kernel.
Assisted GPS: Uses the GPS chip in your cellphone and triangulation simply relying on cell site data.
Authentication Center (AuC): A database that contains the subscriber’s IMSI, authentication, and
encryption algorithms.
base station controller (BSC): Manages the radio signals for base transceiver stations, assigning
frequencies and handoffs between cell sites.
base transceiver station (BTS): The equipment found at a cell site that facilitates the communication
of a cellphone user across a cellular network.
Bing Maps: A vehicle navigation system that comes with Windows Phone.
Bing Mobile: The search engine included with Windows Phone.
call detail records (CDR): Details used for billing purposes; these can include phone numbers called,
duration of calls, dates and times of calls, and cell sites used.
CDMA2000: A 3G technology that uses the CDMA communications protocol.
cell: A geographic area within a cellular network.
cell site: A cell tower located in a cell.
cellular network: A group of cells.
Code Division Multiple Access (CDMA): A spread-spectrum communication methodology that uses
a wide bandwidth for transmitting data.
Electronic Serial Number (ESN): An 11-digit number used to identify a subscriber on a CDMA
cellular network.
Enhanced 911: A federal mandate that stipulates that all handset manufacturers must ensure that caller
ID and locational data can be obtained from a cellphone subscriber making a 911 call.
Enhanced Data rates for GSM Evolution (EDGE): A high-data-transfer technology found on GSM
networks. EDGE provides up to three times the data capacity of GPRS.
Equipment Identity Register (EIR): Used to track IMEI numbers and decide whether an IMEI is
valid, suspect, or perhaps stolen.
FCC-ID: A number issued by the Federal Communication Commission (FCC) that indicates the
handset is authorized to operate on radio frequencies within the FCC’s control.
flasher box: A device used to make a physical dump of a cellphone.

9780789741158_forensics.indb 365

11/20/14 10:48 PM

366

CHAPTER 9 Mobile Forensics

Forbidden Public Land Mobile Network (FPLMN): Cellular networks that a subscriber attempted
to connect to but was not authorized for.
General Packet Radio Service (GPRS): Packet-switching wireless communication found on 2G and
3G GSM networks.
Global System for Mobile Communications (GSM): An international standard for signal communications that uses TDMA and Frequency Division Duplex communication methods.
hard handoff: Communication handled by one only base transceiver station at a time, with no simultaneous communication.
Home Locator Register (HLR): A database of a carrier’s subscribers, including their home addresses,
IMSI, telephone numbers, SIM card ICCIDs, and services used.
Integrated Circuit Card ID (ICCID): Usually, a 19-digit serial number physically located on the
SIM card.
Integrated Digital Enhanced Network (iDEN): A wireless technology developed by Motorola that
combines two-way radio capabilities with digital cellphone technology.
International Mobile Equipment Identity (IMEI): Number that uniquely identifies the mobile
equipment or handset.
International Mobile Subscriber Identity (IMSI): An internationally unique number on the SIM
card that identifies a user on a network.
International Signaling Point Code (ISPC): A standardized numbering system used to identify a
node on an international telecommunications network.
International Telecommunication Union (ITU): An agency of the United Nations that produces
standards for information and communication technologies.
Internet Explorer Mobile: The web browser, based on Internet Explorer 9, found on Windows Phone
devices.
IPD Backup File: A file backup from a BlackBerry that is found on a synced computer or medium.
Joint Test Action Group (JTAG): An IEEE standard (IEEE 1149.1) for testing, maintenance, and
support of assembled circuit boards.
Last Numbers Dialed (LND): A list of all outgoing calls made by the subscriber.
Mobile Country Code (MCC): The first three digits of the IMSI.
Mobile Equipment Identifier (MEID): An internationally unique number that identifies a CDMA
handset (Mobile Equipment).
Mobile Network Operator (MNO): Owns and operates a cellular network.
Mobile Station: Consists of Mobile Equipment (handset) and a Subscriber Identity Module (SIM).

9780789741158_forensics.indb 366

11/20/14 10:48 PM

367

Summary

Mobile Subscriber Identity Number (MSIN): Created by a cellular telephone carrier, and identifies
the subscriber on the network.
Mobile Subscriber ISDN (MSISDN): Essentially, the phone number for the subscriber.
Mobile Switching Center (MSC): Responsible for switching data packets from one network path to
another on a cellular network.
Mobile Virtual Network Operator (MVNO): Does not own its own cellular network, but operates on
the network of a Mobile Network Operator.
Multimedia Messaging Service (MMS): A messaging service found on most cellphones that allows
the user to send multimedia content such as audio, video, and images.
multiplexing: Multiple signals transmitted simultaneously across a shared medium.
My Wireless Fidelity (Mi-Fi): A portable wireless router that provides Internet access for up to five
Internet-enabled devices and communicates via a cellular network.
Office hub: Coordinates Microsoft Office applications and documents.
People Hub: An address book tool found on Windows Phone devices that has the ability to synchronize
contacts from social networking sites like Facebook, Twitter, and LinkedIn.
PIN Unlock Key (PUK): An unlock reset code used to bypass the SIM PIN protection.
Public Safety Access Point (PSAP): A call center that receives emergency requests from the public
for police, medical, or firefighter services.
Public Switched Telephone Network (PSTN): An aggregate of all circuit-switched telephone
networks.
RIM OS: Operating system developed by Research in Motion for use on BlackBerry smartphones and
tablets.
Route: A series of user-created waypoints on a trip.
Short Message Service (SMS): A text message communication service found on mobile devices.
SIM card: Identifies a user on a cellular network and contains an IMSI.
soft handoff: Cellular communication conditionally handed off from one base station to another, with
the mobile equipment simultaneously communicating with multiple base transceiver stations.
SQLite database: An open source relational database standard that is frequently found on mobile
devices.
subscriber records: Personal details maintained by the carrier about its customers, including their
names, addresses, alternative phone numbers, Social Security numbers, and credit card information.
subsidy lock: Confines a subscriber to a certain cellular network so that a cellphone can be sold for
free or at a subsidized price.

9780789741158_forensics.indb 367

11/20/14 10:48 PM

368

CHAPTER 9 Mobile Forensics

Symbian: A mobile device operating system developed by Nokia and currently maintained by
Accenture.
Tellme: A Microsoft tool found on Windows Phone that is used for voice recognition commands for
Bing searches, to call contacts or to activate applications.
Temporary Mobile Subscriber Identity (TMSI): A randomly generated number that the VLR
assigns to a mobile station when the handset is switched, based on the geographic location.
Time Division Multiple Access (TDMA): A radio communication methodology that enables devices
to communicate on the same frequency by splitting digital signals into time slots, or bursts.
track log: A list of trackpoints that can be used to re-create a route.
trackpoint: A geolocational record that is automatically captured and stored by a GPS device.
Type Allocation Code (TAC): Identifies the type of wireless device.
Universal Integrated Circuit Card (UICC): A smart card used to uniquely identify a subscriber on
a GSM or UMTS network.
Universal Mobile Telecommunications System (UMTS): A 3G cellular network standard based on
GSM and developed by 3GPP.
Visitor Locator Register (VLR): A database of information about a roaming subscriber.
waypoint: A geolocational point of interest created by a user.
Wide Band CDMA (WCDMA): A high-speed signal transmission method based on CDMA and FDD
methods.
Windows Phone: A Microsoft operating system that can be found on personal computers, mobile
phones, and tablets.

Assessment
CLASSROOM DISCUSSIONS
1. You have just received a mobile device with an FCC-ID of BEJVM670. You have been told

that the cellphone has an MEID. Using this information, answer the following questions:
A. What U.S. cellular carrier(s) could be providing service for the cellphone?
B. Does this cellphone have Bluetooth?
C. Could this cellphone have been used to take photographs? If so, could the photos have

GPS data associated with them?
D. Where on this device could there be potential evidence? For example, in addition to the

handset, is there a SIM or SD card?

9780789741158_forensics.indb 368

11/20/14 10:48 PM

Summary

369

2. Detail best practices for containing and analyzing a cellular telephone.
3. In what ways could the cellphone carrier assist you in your investigation?
4. Describe how cellphone forensics differs from traditional computer forensics.

MULTIPLE-CHOICE QUESTIONS
1. The equipment found at a cell site that facilitates the communication of a cellphone user

across a cellular network is best described as which of the following?
A. Cellular network
B. Base Transceiver Station
C. Public Switched Telephone Network
D. Home Locator Register
2. Which of the following best describes the role of the Base Station Controller?
A. Manages the radio signals for Base Transceiver Stations.
B. Assigns frequencies and handoffs between cell sites.
C. Both A and B are correct.
D. Neither A or B is correct.
3. Which of the following are details used by telecommunications carriers for billing purposes and

can include phone numbers called, duration of calls, dates and times of calls, and cell sites used?
A. Equipment Identity Register
B. Mobile Network Operator
C. Temporary Mobile Subscriber Identity
D. Call detail records
4. Which of the following typically is not be found on a GSM cellphone?
A. SIM
B. IMEI
C. FCC-ID
D. MEID
5. The first three digits of the IMSI are referred to as which of the following?
A. Mobile Country Code
B. Mobile Subscriber Identity Number
C. Mobile Network Operator
D. Integrated Circuit Card ID

9780789741158_forensics.indb 369

11/20/14 10:48 PM

370

CHAPTER 9 Mobile Forensics

6. Which of the following is a portable wireless router that provides Internet access for up to five

Internet-enabled devices and communicates via a cellular network?
A. Office hub
B. Public Safety Access Point
C. Mobile station
D. Mi-Fi
7. Which of the following is a high-mobility broadband communication that is suitable for use

on trains and in other vehicles?
A. 2G
B. 3G
C. 3GPP
D. 4G LTE
8. Which of the following is an international standard for signal communications that uses

TDMA and FDD (Frequency Division Duplex) communication methods?
A. GSM
B. CDMA
C. UMTS
D. WCDMA
9. Which one of the following directories contains a list of contacts (names and telephone num-

bers) saved by a subscriber on a SIM card?
A. EF_SMS
B. EF_LOCI
C. EF_LND
D. EF_ADN
10. Which of the following mobile operating systems is an open source operating system based on

the Linux 2.6 kernel and is owned by Google?
A. Symbian
B. Android
C. RIM
D. Windows

9780789741158_forensics.indb 370

11/20/14 10:48 PM

371

Summary

FILL IN THE BLANKS
1. A(n) _____________ is the geographic area within a cellular network.
2. A Mobile _____________ Center is responsible for switching data packets from one network

path to another on a cellular network.
3. A(n) _____________ handoff occurs when a cellular communication is conditionally

handed off from one base station to another and the mobile equipment is simultaneously
communicating with multiple Base Transceiver Stations.
4. A(n) _____________ Mobile Equipment Identity number uniquely identifies the Mobile

Equipment or handset.
5. The database that contains information about a roaming subscriber is referred to as a(n)

_____________ Locator Register.
6. The _____________ Identity Register is used to track IMEI numbers and decide whether an

IMEI is valid, suspect, or perhaps stolen.
7. Integrated _____________ Enhanced Network is a wireless technology developed by Motorola

that combines two-way radio capabilities with digital cellphone technology.
8. _____________ Public Land Mobile Network refers to cellular networks that a subscriber

attempted to connect to but was not authorized for.
9. A Personal Unlock _____________ (PUK) is a code that is available from the carrier and

allows a user to remove the PIN protection from the SIM card.
10. A Public Safety _____________ Point is a call center that receives emergency requests from

the public for police, medical, or firefighter services.

PROJECTS
Write an Essay about Cellphone Forensics
Find an example of cellphone forensics used in a criminal investigation, and write an essay about its
importance in successfully convicting a suspect.
Write Standard Operating Procedures for Examining a Cellphone
Find a smartphone and then write standard operating procedures for examining that cellphone. Include
in your essay forensic tools that will work with that particular model.
Describe a Forensic Examiner’s Guide to Working with a Mobile Operating System
Select a mobile operating system and then describe a forensic examiner’s guide to working with that
operating system.
Write an Essay Describing the Differences in Examining Two Different Cellphones
Write an essay describing the differences from an examination of a CDMA cellphone and a GSM cellphone.

9780789741158_forensics.indb 371

11/20/14 10:48 PM

9780789741158_forensics.indb 457

11/20/14 10:49 PM

Index
Numerics
3GPP2 (3rd Generation Partnership Project
2), 334
3GPP (3rd Generation Partnership Project),
333
4G Long Term Evolution (LTE) Advanced,
333

A
ABA (American Bankers Association), 151
ABC fire extinguishers, 140
Abrahams, Jared, 375
Abbreviated Dialing Numbers. See ADNs
accelerometers, 339
access

data, 142
digital evidence, 238
Asia legal system, 282
European Union (EU) legal system,
278-282
United States legal system, 239-244
email, 6
password-cracking software, 138-139
personal information, 193-195

458

9780789741158_forensics.indb 458

11/20/14 10:49 PM

alternative volume headers

restrictions (labs), 141-143
SIM cards. 337

459

Adobe Digital Negative. See DNG
formats

AccessData, 13

Adroit Forensics, 140

accountants, forensic, 22

ADS (Alternate Data Stream, 45

ACLU (American Civil Liberties Union),
19, 163

Advanced Encryption Standard. See
AES

acquisition of evidence, 116

Advanced Forensics Format. See AFF

access restrictions (labs), 141-143
devices
extracting, 147-152
skimmers, 152-155

Advanced Persistent Threats. See APTs
AES (Advanced Encryption Standard),
58
AFF (Advanced Forensics Format), 137
AIM (AOL Instant Messenger), 181-183

lab requirements, 117-124, 128-141,
144

AirDrop, 410

private sector labs, 119-121

AirPort

actuator arms, 35
Address Resolution Protocol. See ARP
addresses, IP (Internet Protocol), 192
admissibility of evidence. See also
evidence

digital evidence, 248
constitutional law, 248-277
criminal defense, 276
difficulties with, 277-278
rules, 271-276
email, 6
images, 380

AirPlay, 395

Express, 396
Extreme, 396
Time Capsule, 396
al-Awlaki, Anwar, 187
Alexa, 173
algorithms

MD5, 374
XOR, 183
Alito, Samuel, 260
allocated storage space, 33
allocation blocks, 397
Al-Qaeda, 178, 186

case studies, 382-383

Alternate Data Stream. See ADS

comparing digital to analog, 381

alteration of evidence, 6

FRE (Federal Rules of Evidence),
380

altering images, 381

ADNs (Abbreviated Dialing Numbers),
335

9780789741158_forensics.indb 459

alternative copy devices, 90
alternative volume headers, 397

11/20/14 10:49 PM

460

Amazon Kindle

Amazon Kindle, 361-362

antivirus software, 138

Amber Alert Bill (2003), 16

anybirthday.com, 192

AMBER Alert Facebook profiles, 188

AOL Instant Messenger. See AIM

American Bankers Association. See
ABA

APIs (application programming
interfaces), 189

American Civil Liberties Union. See
ACLU

appeals courts, 242
Apple, 14

American Medical Response, 163

AirDrop. See AirDrop

American Society of Crime
Laboratories Directors/Laboratory
Accreditation Board. See ASCLD/LAB

AirPort. See AirPort

American Society of Crime Laboratory
Directors. See ASCLD/LAB

FireWire, 94

Configurator, 426
forensics, 398

Amero, Julie, 277

case studies, 426-427

analysis

deleted file recovery, 401

files, 4

DMG file system, 401

media, 226

Epoch Time, 399-400

Registry (Windows 7), 65-66

IOReg Info, 398

Windows operating systems. See
Windows operating systems

journaling, 401

analytics, Twitter, 189
Anderson, Michael, 15
Android, 184, 339

applications, 344-345
evidence, 341
file systems, 340
security, 343
tools, 344
Anonymizer.com, 169
anonymizers (online proxies), 170
Anthony, Casey, 68
AntiSecurity, 173

mobile devices, 409-418, 425-426
operating systems, 404-409
PList files, 404
PMAP Info, 399
SQLite databases, 404
history of, 393-396
Macintosh. See Mac computers
MFS (Macintosh File System),
397-398
TV, 395
application layer (Layer 7), 309
application programming interfaces.
See APIs

antistatic polyethylene evidence bags,
130

9780789741158_forensics.indb 460

11/20/14 10:49 PM

bags (evidence)

applications, 130. See also files; tools

Atari, 14

AIM, 183

ATMs (Automatic Teller Machines), 8

Android, 344-345

ATM skimmers, 153

antivirus, 138

Atomic Energy Act of 1954, 267

bit-stream imaging, 131, 137

attacks

DeadAIM, 445
digital photographs, 376
Facebook, 376
Flickr, 376
Instagram, 377
SnapChat, 377
Evidence Eliminator, 6
Find My iPhone, 427
password-cracking, 138-139
Skype, 183
Tor, 170
virtual machines, 138
Windows 8.1, 71

461

APTs (Advanced Persistent Threats),
310-313
brute force, 138
dictionary, 138
networks, investigating, 313
SYN flood, 308
terrorist, 194
AuC (Authentication Center), 331
audits, lab access, 143
Automatic Teller Machines. See ATMs
AutoPlay dialog box, 58
Autopsy, 131, 137
Avery Doninger v. Lewis Mills High
School, 250

Windows Phone, 347
APTs (Advanced Persistent Threats),
310-313
archive.org, 171

B

archives, websites, 171

background searches, 173-174,
182-187, 190-195

Arizona v. Gant (2009), 256, 263

BackTrack, 293

ARP (Address Resolution Protocol), 306

Backup and Restore Center (Windows
7), 60

Arturo, Ernesto, 264
ASCII, hexadecimal conversion to,
38-41
ASCLD/LAB, 141
Asia legal system, 282
Assisted GPS, 363. See also GPS

backups

iPhones, 418
Windows 7, 62
bad sectors, 34
Baez, David, 383
bags (evidence), 130

9780789741158_forensics.indb 461

11/20/14 10:49 PM

462

Ballmer, Steve

Ballmer, Steve, 64

blogs.com, 186

banks, 151. See also financial fraud

Bluffmycall.com, 167-168

Base Station Controller. See BSC

Blu-ray discs, 104

Base Transceiver Station. See BTS

BMP (Bitmap Image File), 7, 379

bash boards, 444

Bohach v. City of Reno, 266

Basic Input/Output System. See BIOS

Bonds, Barry, 447

batteries, handsets, 338

Boot Camp, 80, 397

Bay Area Laboratories Company
(BALCO), 253, 447

booting (iBoot), 418

best evidence rule, 276

Boucher, Larry, 81

BHO (Browser Help Object), 296

brbpub.com, 191

Bill of Rights, 240

BreakPoint Software, 40

binary to decimal conversion, 37

Breivik, Anders Behring, 186

Bing

Brightness adjustment (images), 381

bootstrapping, 42

Maps, 347

Britton, Craig, 375

Mobile, 347

Broadcasting Emergency Response,
188

biometrics (Windows 7), 59
BIOS (Basic Input/Output System),
42-44

Brown, Jerry, 263

bit-stream imaging software, 131, 137

brute force attacks, 138

bit-stream imaging tools, 4, 47

BSC (Base Station Controller), 325

Bitcoin, 170

BTK (Bind Torture Kill) killer, 106,
441-442

BitLocker, 10, 59, 62
Bitmap Image File. See BMP
BitPim, 355
Bits, 37
BitTorrent, 173
BlackBag, 13
BlackBerry, 345
BlackLight, 137, 214
blocks, allocation, 397
blogdigger.com, 186

Browser Help Object (BHO), 296

BTS (Base Transceiver Station), 322,
325
budgets, labs, 141
Bulger, James “Whitey”, 188
bullying, 196
Bullying Prevention Policy Law, 445
Bureau of Labor Statistics, 12
Bush, George W., 14
bytes, 34-36

blogs, monitoring, 186-187

9780789741158_forensics.indb 462

11/20/14 10:49 PM

Certified Forensic Computer Examiner

463

C

catalog files, 398

C2 (command and control), 312
CabinCr3w hacktevist, 427

CCFE (Certified Computer Forensics
Examiner), 21

cabinets (lab layouts), 124

CCTV (closed-circuit television), 8

Cache.db file, 407

CDMA (Code Division Multiple Access),
334

California State Senate and Assembly,
263

CCE (Certified Computer Examiner), 21

CDRs (call detail records), 326

California v. Nottoli, 262

CD-RW (compact disc-rewritable), 103

call detail records. See CDRs

CDs (compact discs), 102

cameras, 129. See also images

CellDEK, 357

cell phones, 339

Cellebrite, 357

metadata, 139

Cellebrite UFED, 262

Canseco, Jose, 447
capturing online communications,
197-200
careers, 12-14

cellphones

evidence, 10
forensics, 320-322
evidence, 338, 347-350, 353-354

education, 19

GPS providers, 360

law enforcement, 19-24

handsets, 338-339, 354-358

Carey, Patrick, 254

legal considerations, 360-363

carrier records, cellular phones, 361

manual examinations, 358-360

CART (Computer Analysis and
Response Team), 15

networks, 322, 325, 328, 338

carving (files), 132, 140
CaseNotes, 220
case studies

BTK (Bind Torture Kill) killer,
441-442
cyberbullying, 443-446
image evidence, 382-383
Mac forensics, 426-427
sports, 447-448
Zacharias Moussaoui, 437-441

9780789741158_forensics.indb 463

operating systems, 339-347
SIM cards, 334-337
jammers, 142
CERT (Computer Emergency Response
Team), 19
certifications, 21-24, 141
Certified Computer Examiner. See CCE
Certified Computer Forensics
Examiner. See CCFE
Certified Forensic Computer Examiner.
See CFCE

11/20/14 10:49 PM

464

Certiorari

Certiorari, 252
CFCE (Certified Forensic Computer
Examiner), 21

Clinton, William “Bill” Jefferson, 169,
270
cloning

CF (CompactFlash) cards, 98

devices, 86-88, 124

CF (Core Foundation), 402

HDDs (hard disk drives), 86-93

Chain of Custody, 2, 130, 215. See also
evidence

SIM cards, 337

chain of events, email as evidence, 5
characters, control, 40
charging cellphones, 353
Charydczak, Gary, 446

closed-circuit television. See CCTV
Cloud, email access, 6
clusters, 34
codified laws, 240

chat, undercover investigations, 164

COFEE (Computer Online Forensic
Evidence Extractor), 63

check fraud, 151-152

collaboration, international, 17

child exploitation cases, images, 7

color balancing, 381

child pornography. See also images

COM (Component Object Model), 52

databases, 17

command and control. See C2

email as evidence, 5

Commodore, 14

E.U., 281

common law, 240

pedophile networks, 178

communication

search warrants, 253

investigator skills, 11

undercover investigations, 163

linguistics skills, 11

Chip-offs, 342, 411

Communications Assistance for Law
Enforcement Act (CALEA), 268

Cho, Seung-Hui, 3

compact discs. See CDs

CIRCAMP (COSPOL Internet Related
Child Abuse Material Project), 17

CompactFlash cards. See CF cards

China, legal system, 282

City of Ontario v. Quon, 560 U.S. (2010),
266

comparisons

forensics, 3-4
Windows file systems, 46

civil law, 240

Component Object Model. See COM

Clementi, Tyler, 196, 445

Comprehensive Drug Testing (CDT),
447

client computers, 9

9780789741158_forensics.indb 464

11/20/14 10:49 PM

Copyright Act for libraries

465

files, 45

Digital Millennium Copyright Act
(DMCA) (1998), 270-271

images, 139

Federal Wiretap Act of 1968, 265-266

compression

Computer Analysis and Response
Team. See CART

Foreign Intelligence Surveillance Act
(FISA- 1978), 266

computer crime, 3

PROTECT Act of 2003, 270

Computer Emergency Response Team.
See CERT

USA PATRIOT Act, 268-270. See also
PATRIOT Act

Computer Forensic Investigations and
Incident Response class, 22
computer forensics, 3. See also
forensics
Computer Fraud and Abuse Act (18
U.S.C. § 2511), 267

constitutional law, 240, 248-277

Fifth Amendment, 263-264
First Amendment, 248-251
Fourth Amendment, 251-263
Sixth Amendment, 264-265

Computer Online Forensic Evidence
Extractor. See COFEE

contact, Transfer of Evidence theory, 4

computer science skills, 10

continuous learning, investigator skills,
11

Computer Technology Investigators
Network. See CTIN
computer worksheets, 216-217

containment, cellphones, 349

contrast adjustment, 381
control

confidentiality, investigator skills, 12

characters, 40

configuration

email, 5

Apple Configurator, 426
Lawful Intercept Configuration Guide,
268
Registry (Windows), 50-52

controlled substances, warrantless
searches, 255
conversion

bytes, 36

Confrontation Clauses, 265

files, 37-40

congressional legislation, 265

hexadecimal to ASCII, 38-41

Communications Assistance for Law
Enforcement Act (CALEA), 268

cookies, viewing, 199-200

Computer Fraud and Abuse Act (18
U.S.C. § 2511), 267

Cop app, 221

Cookies.plist file, 407
Copyright Act for libraries, 270

Corporate Espionage (18 U.S.C. §
1030(a)(1)), 267

9780789741158_forensics.indb 465

11/20/14 10:49 PM

466

Core Foundation

Core Foundation. See CF
Corley, Eric, 14

CTIN (Computer Technology
Investigators Network), 20

corporate espionage, 3

Cupertino, California, 391

Corporate Espionage (18 U.S.C. §
1030(a)(1)), 267

Curtilage, 259

COSPOL Internet Related Child Abuse
Material Project. See CIRCAMP

cybercrime, 3

counterterrorism, 194

cylinders, 36

cyberbullying, 196, 443-446
cyberstalking, 443

Court of Appeals of the State of
California, 263
Court of Justice of the European
Union, 279

D

court orders, 258

Dark Web, 170

cover pages, reports, 225

Dartmouth College, 374

credit cards, 8

data access, 142

fraud, 149-151

data forks, 397

sale of, 195

Data Link Escape. See DLE

crime, 3, 195

data link layer (Layer 2), 306

credit cards, 195

Data Protection features, 412

cyberbullying, 196

databases

identity theft, 195

child pornography, 17

medical records, 196

fusion centers, 18

social networks, 196-197

INTERPOL, 194

crime scene investigators. See CSIs

local, 194

crime scenes

Registry (Windows), 50-52

documenting, 211

SQLite, 340, 404, 420

examinations, 213

Daubert v. Merrell Dow
Pharmaceuticals, 272

criminal defense, 276
cropping images, 381
cross-transference, 4
cryptanalysis, 138

Daylight Savings Time. See DST
D.C. Circuit Court, 260
DCF (Design rule for Camera File
system), 375

CSIs (crime scene investigators),
213-214

9780789741158_forensics.indb 466

11/20/14 10:49 PM

devices

DCIM (Digital Camera Images), 376

devices

DeadAIM, 181, 445

alternative copy, 90

Debian-based Linux systems, 193

Apple, 393-396, 409

debit cards, fraud, 149-151

iOS, 410

decryption, 4, 132

iOS 7, 410

decimal

iOS 8, 410-411

binary to conversion, 37

iPads, 413

hexadecimal to conversion, 38

iPhones, 413-418, 425-426

default gateways, 299
DEFAULT keys, 52
defendants, 239
defense attorneys, 276
Defense Reform Initiative Directive #27
(1998), 15

security, 411
charging, 353
cloning, 86-88, 124
evidence, extracting from, 147-152
flasher box, 359

defragmentation, Vista (Windows), 54

GPS, 258-262, 362

deleting files, recovering, 4, 401

networks, 294

delivery of attacks, 312
Department of Defense. See DoD
Department of Homeland Security. See
DHS
Department of Justice. See DOJ
Department of Motor Vehicles. See
DMV

467

DHCP (Dynamic Host
Configuration Protocol) servers,
298
DNS (Domain Name System)
servers, 301
firewalls, 304

depositions, 273

IDS (intrusion detection systems),
304

Design rule for Camera File system.
See DCF

OSI (Open Systems
Interconnection), 305-310

destruction of evidence, 6

ports, 305

detectives, 167. See also investigations

proxy servers, 295

Device Firmware Upgrade (DFU) Mode,
417

routers, 302-304

Device Seizure, 355

SMTP (Simple Mail Transport
Protocol) servers, 299-301
Web servers, 295-297

9780789741158_forensics.indb 467

11/20/14 10:49 PM

468

devices

removable memory, 93
Blu-ray discs, 104
CD-RW (compact disc-rewritable),
103

digital evidence. See also evidence

access, 238
Asia legal system, 282

CDs (compact discs), 102

European Union (EU) legal system,
278-282

CF (CompactFlash) cards, 98

United States legal system, 239-244

DVDs, 103

admissibility, 248

external hard drives, 95-96

constitutional law, 248-277

FireWire, 94

criminal defense, 276

floppy disks, 104-106

difficulties with, 277-278

magnetic tapes, 107-108

digital forensics reference, 221

Memory Sticks, 98

Digital Millennium Copyright Act
(DMCA) (1998), 270-271

MMCs (MultiMedia cards), 96
SD (Secure Digital) cards, 97-98,
101
USB flash drives, 95
xD (Extreme Digital) cards, 99
Zip disks, 107
skimmers, 152-155
write-blockers, 124
DFU (Device Firmware Upgrade) Mode,
417

Digital Negative. See DNG
digital photographs, 375. See also
images

applications, 376
Facebook, 376
Flickr, 376
Instagram, 377
SnapChat, 377
evidence, 380

DHCP (Dynamic Host Configuration
Protocol) servers, 298

case studies, 382-383

DHS (Department of Homeland
Security), 16, 193

FRE (Federal Rules of Evidence),
380

dictionary attacks, 138

comparing to analog, 381

Digital Assembly, 140

EXIF (Exchangeable Image File
Format), 377-380

Digital Camera Images. See DCIM

file systems, 375

digital cameras, metadata, 139. See
also images

metadata, 377

digital data, recovery, 3

9780789741158_forensics.indb 468

Digital Still Capture Nikon. See DSCN
digital surveillance as search, 258

11/20/14 10:49 PM

education

469

Disaster Recovery Plans, 144

DoD (Department of Defense), 15

Disclosure of Expert Testimony in the
Federal Rules of Civil Procedure, 228

DOJ (Department of Justice), 18, 254

disk controllers, 82

Doninger, Avery, 250

Disk Defragmenter, 54

Downloads.plist file, 407

disk geometry, 36

Dread Pirate Roberts, 170

disk images, 86

Drew, Lori, 445

Disk Jockey PRO Forensic Edition,
86, 89

DriveSpy, 132

Domain Name System. See DNS

Disk Signatures, 44

dry chemical extinguishing solutions,
140

Disk Utility, 406

DSCN (Digital Still Capture Nikon), 376

Disney Wonder Cruise, 427

DST (Daylight Savings Time), 223

DLE (Data Link Escape), 40

Dunn tests, 259

DMG file system, 401

duplicators, 124

DMV (Department of Motor Vehicles),
194

DVDs, 103

DNG (Adobe Digital Negative) formats,
139

Dynamic Host Configuration Protocol.
See DHCP
dynamic IP addresses, 192

DNS (Domain Name System) servers,
301
documentation, 210

E

Chain of Custody forms, 2
crime scenes, 211

E01 files, 137

documenting evidence, 214-220

eBay, 3

expert witnesses, 227-230

Eckhardt, Christopher, 249

mobile forensics, 354
obtaining evidence from service
providers, 211
seizing evidence, 213-214

ECTF (Electronic Crimes Task Force),
16
EDGE (Enhanced Data rates for GSM
Evolution), 334

tools, 220-222

eDiscovery (electronic discovery), 13,
119

Word. See Word

editors, hex, 37, 40

writing reports, 222-227

education, 19-24

9780789741158_forensics.indb 469

11/20/14 10:49 PM

470

EFS (Encrypted File System)

EFS (Encrypted File System), 59

en banc, 447

EHRs (electronic health records), 196

EnCase, 131, 137

EIR (Equipment Identity Register), 331

Encrypted File System. See EFS

Elcomsoft, 138

encryption, 9

electricity requirements (labs), 140

Apple, 411

Electronic Communications Privacy Act
of 1986 (ECPA), 265

BitLocker, 10, 59

Electronic Crime Scene Investigation: A
Guide for First Responders, 211, 348

Skype, 420

Electronic Crimes Task Forces, 14
Electronic Crimes Task Force. See
ECTF

FileVault, 405
End of Sector Markers, 44
endurance, 6. See also evidence
energy requirements (labs), 140

Electronic Frontier Foundation, 271

Enhanced 911, 363

electronic health records. See EHRs

Enhanced Data rates for GSM
Evolution. See EDGE

electronic media, analysis, 226
Electronic Serial Number. See ESN
electronically stored information. See
ESI
Elia, Franklin D., 263
email, 15

Apple ID, 412
evidence, 5-7
hacking, 195

Enron, 3, 6
EnScript, 137
Entersect, 9, 193
environment, Transfer of Evidence
theory, 4
Epoch Time, 399-400
equipment for CSIs (crime scene
investigators), 213-214

investigations, 3

ESI (electronically stored information),
119

Mac forensics, 404

ESN (Electronic Serial Number), 328

preparation labs, 120

espionage, 3

privacy, 253

E.U. (European Union)

servers, 300

access to personal data in, 194

undercover investigations, generating,
165-167

legal system, 278-282

Zacharias Moussaoui case study,
440-441
embezzlement, 3

9780789741158_forensics.indb 470

legislature, 279
European Commission, 279
European Union. See E.U.
Europol, 281

11/20/14 10:49 PM

evidence

471

events, 5, 55

HDD (hard disk drive) worksheets,
217-218

Event Viewer

server worksheets, 218-220

Evans, Josh, 445

Vista (Windows), 55-57

exculpatory, 3

Windows 7, 66-67

handsets, 354-360

evidence

access, 238

images, 140, 380
case studies, 382-383

Asia legal system, 282

comparing digital to analog, 381

European Union (EU) legal system,
278-282

FRE (Federal Rules of Evidence),
380

United States legal system, 239-244
acquisition, 116

IM (Instant Messenger), 182
inculpatory, 3

access restrictions (labs), 141-143

iPhones, 418

lab requirements, 117-124, 128-132,
137-141, 144

labels, 130

private sector labs, 119-121

lockers, 122

admissibility, 248

lists, 212
mobile forensics, 338, 347-354

constitutional law, 248-277

seizing, 213-214

criminal defense, 276

service providers, obtaining from, 211

difficulties with, 277-278

skimmers, 152-155

rules, 271-276

Skype, 420

Android, 341

spoliation, 12

bags, 130

subscribers, 326

best evidence rule, 276

tampering, 6

BTK (Bind Torture Kill) killer case
study, 442

Transfer of Evidence theory, 4

BTS (Base Transceiver Station), 325
devices, extracting from, 147-152
documenting, 214
Chain of Custody forms, 215

types of, 5
cellphones, 10
email, 5-7
images, 7-8
Internet searches, 9

computer worksheets, 216-217

9780789741158_forensics.indb 471

11/20/14 10:49 PM

472

evidence

video, 8-9

F

websites visited, 9
Viber, 423

Face.com, 376

websites, 171-173

Facebook

WhatsApp, 423

background searches, 187-188

Windows 8.1, 71

E.U., 280

Zacharias Moussaoui case study, 438

images, 373-376

Evidence Eliminator, 6

WhatsApp, 423

examining image files, 377-380

fake images, viewing, 381

Exchangeable Image File Format. See
EXIF

false identities, generating, 164, 167,
170

exclusionary rule, 251

falsification of evidence, 6

exculpatory evidence, 3

family court, 244

executive summaries, reports, 225

FARC (Fuerzas Armadas
Revolucionarias de Colombia), 17

exfiltration, 312
exhibits, 227, 440
EXIF (Exchangeable Image File
Format), 377-380
EXIFextracter, 378

Farid, Hany, 381
Fast Global Regular Expressions Print.
See FGREP
FAT (File Allocation Table), 44

ExifTool, 378

FAT12 file system, 44

exigent circumstances, 254

FAT16 file system, 44

expert witnesses, 227-230, 273-274

FAT32 file system, 45

exploitation, 312

FAT64 file system, 45

Extensible Markup Language. See XML
Extensible Messaging and Presence
Protocol. See XMPP
external hard drives, 95-96
extracting evidence from devices,
147-152
Extreme Digital cards. See xD cards

FATX file system, 45
fault tolerance, 92
FBI (Federal Bureau of Investigation),
15

Facebook, 188
Ten Most Wanted list, 372
FCC (Federal Communications
Commission), 142
FCC-IDs, 328

9780789741158_forensics.indb 472

11/20/14 10:49 PM

files

features (Windows operating systems),
53

files

analysis, 4

Vista, 53-59

Cache.db, 407

Windows 7, 59-69

carving, 132, 140

Windows 8.1, 70-72

catalog, 398

federal appellate courts, 242
Federal Bureau of Investigation. See
FBI
Federal Communications Commission.
See FCC

compression, 45
conversion, 37-42
Cookies.plist, 407
deleting, recovering, 401

federal courts, 242

Downloads.plist, 407

Federal Law Enforcement Training
Center. See FLETC

E01, 137

Federal Rules of Civil Procedure. See
FRCP
Federal Rules of Evidence. See FRE
Federal Wiretap Act of 1968, 265-266

email. See email
evidence
cellphones, 10
email, 5-7

FGREP (Fast Global Regular
Expressions Print), 148

groups (Windows 7), 68

Fifth Amendment (U.S. Constitution),
263-264

Internet searches, 9

File Allocation Table. See FAT
file-sharing protocols, 173
file systems, 32

Android, 340
digital photographs, 375
DMG, 401
MFS (Macintosh File System),
397-398
SIM cards, 335
Windows, 44-50
File Translation Layer. See FTL

473

images, 7-8
metadata (Windows), 58
Registry (Windows), 50-52
storage, 34-36
types of, 5
video, 8-9
websites visited, 9
groups (Windows 7), 68
hibernation, 404
images
examining, 377
EXIF (Exchangeable Image File
Format), 377-380
formats, 139

9780789741158_forensics.indb 473

11/20/14 10:49 PM

474

files

index.dat, 200
metadata, 7, 58
PList, 404
RAW, 379
Registry (Windows), 52
router.config, 171

Forbidden Public Land Mobile Network.
See FPLMN
FoneFinder (fonefinder.net), 169
Foreign Intelligence Surveillance Act
(FISA- 1978), 266
Forensic Toolkit. See FTK
forensics

slack, 35

accountants, 22

SMART, 137

definition of, 2

storage, 34-36

evidence

TopSites.plist, 408
FileVault, 405
financial fraud, 149-151
Find My iPhone app, 427
findings (reports), 227
firewalls, 304
FireWire, 94
firmware, 138, 270
First Amendment (U.S. Constitution),
248-251
Fixed Interpol Network Database and
Mobile Interpol Network Database.
See MIND/FIND
flaming, 444
flash cookies, 199
flash drives (USB), 95
flash memory, reading, 99-100
flasher boxes, 359
flashlights, 129
FLETC (Federal Law Enforcement
Training Center), 19

access restrictions (labs), 141-143
cellphones, 10
email, 5-7
extracting from devices, 147-152
images, 7-8
Internet searches, 9
lab requirements, 117-124, 128-132,
137-141, 144
private sector labs, 119-121
skimmers, 152-155
types of, 5
video, 8-9
websites visited, 9
history of, 14
1980s, 14-15
1990s, 15-19
images, 139
importance of, 12-14
investigators

Flickr (images), 376

communication skills, 11

floppy disks, 104-106

computer science skills, 10

9780789741158_forensics.indb 474

11/20/14 10:49 PM

Fourth Amendment (U.S. Constitution)

confidentiality, 12

networks

legal expertise, 11

APTs (Advanced Persistent
Threats), 310-313

linguistics, 11

devices, 294

continuous learning, 11

Mac, 390-391, 398
Apple mobile devices, 409-418,
425-426
case studies, 426-427
deleted file recovery, 401
DMG file system, 401

475

DHCP (Dynamic Host
Configuration Protocol) servers,
298
DNS (Domain Name System)
servers, 301
firewalls, 304

Epoch Time, 399-400

IDS (intrusion detection systems),
304

history of, 393-396

investigating attacks, 313

IOReg Info, 398

OSI (Open Systems
Interconnection), 305-310

journaling, 401
MFS (Macintosh File System),
397-398

ports, 305

operating systems, 404-409

routers, 302-304

PList files, 404
PMAP Info, 399

SMTP (Simple Mail Transport
Protocol) servers, 299-301

SQLite databases, 404

tools, 293-294

mobile, 320-322
evidence, 338, 347-350, 353-354
GPS providers, 360

proxy servers, 295

Web servers, 295-297
routers, 193
formats

handsets, 354-358

images, 139

handset specifications, 338-339

numbering, 37-42

legal considerations, 360-363

reports, 225

manual examinations, 358-360

forms, Chain of Custody, 2, 215

networks, 322, 325, 328, 338

Formspring, 444

operating systems, 339-347

Foursquare, 190

myths about, 3-4

9780789741158_forensics.indb 475

Fourth Amendment (U.S. Constitution),
251-263

11/20/14 10:49 PM

476

FPLMN (Forbidden Public Land Mobile Network)

FPLMN (Forbidden Public Land Mobile
Network), 335

geographic location (longitude and
latitude), images, 139

FragView, 220

geometry, disk, 36

frames, 102
Franklin, Benjamin, 239

General Packet Radio Service. See
GPRS

fraud

geotags, 187

check, 151-152

gestures, 343

financial, 149-151

GIAC Certified Forensic Analyst. See
GCFA

FRCP (Federal Rules of Civil
Procedure), 222
Freedom of the Press Foundation, 171
Freenet, 171
FRE (Federal Rules of Evidence), 380
fruit of the poisonous tree, 252

GIAC (Global Information Assurance
Certification), 23
Giambi, Jason, 447
GIF (Graphics Interchange Format), 380
Glass, Robert, 5

Frye v. United States, 272

Global Information Assurance
Certification. See GIAC

FTK (Forensic Toolkit), 131-132

Global Positioning System. See GPS

FTK Imager, 47-48, 133, 137
FTL (File Translation Layer), 92

Global System for Mobile
Communications. See GSM networks

Fuerzas Armadas Revolucionarias de
Colombia. See FARC

glossaries, 227

fusion centers, 18, 194

GMT (Greenwich Mean Time), 223

Gmail, 167. See also email
goals of expert witnesses, 228

G

Goldstein, Emmanuel. See Corley, Eric

garbage collection, 91

Good Practice Guide for ComputerBased Electronic Evidence, 281

Garfinkel, Simson, 137

Google

GCFA (GIAC Certified Forensic
Analyst), 23

Earth, 195

generating

GoogleTalk, 184

email, undercover investigations,
165-167
identities, 164
geodata, 187

9780789741158_forensics.indb 476

email access, 6
Groups, 185
Gorshkov, Vasily, 195, 257
GPRS (General Packet Radio Service),
333

11/20/14 10:49 PM

hardware

GPS (Global Positioning System), 7

handsets

devices, 362

forensics, 354-358

providers, 360

manual examinations, 358-360

tracking, 258-262, 363

specifications, 338-339

Grand Juries, 263

happy slapping, 444

graphic representations in reports, 224

hard disk drives. See HDDs

graphical user interfaces. See GUIs

hard handoffs, 325

graphics. See also images

hardware, 80

raster, 378

firewalls, 304

vector, 379

flash memory, reading, 99-100

Graphics Interchange Format. See GIF

handsets, 338

Greenwich Mean Time. See GMT

HDDs (hard disk drives), 81

Greig, Catherine, 188
GREP (Global Regular Expressions
Print), 147-149
groups

files (Windows 7), 68

477

IDE (Integrated Drive Electronics),
82
SATA (Serial ATA), 83-93
SCSI (Small Computer System
Interface), 81-82

usenet, 184

IDS (intrusion detection systems), 304

users, searching, 18-179

lab layouts, 124

GSM (Global System for Mobile
Communications) networks, 127
GuerrillaMail, 166
Guidance Software, 13, 131
guidelines, ASCLD/LAB, 117-119
GUIs (graphical user interfaces), 44

mobile forensics, 357
removable memory, 93
Blu-ray discs, 104
CD-RW (compact disc-rewritable),
103
CDs (compact discs), 102
CF (CompactFlash) cards, 98

H

DVDs, 103
external hard drives, 95-96

hackers, 257
hacking email, 195
Halligan, Ryan, 181, 196, 445
Hamilton, Alexander, 239, 271

9780789741158_forensics.indb 477

FireWire, 94
floppy disks, 104-106
magnetic tapes, 107-108

11/20/14 10:49 PM

478

hardware

Memory Sticks, 98

Hickory High School, Pennsylvania, 250

MMCs (MultiMedia cards), 96

Hierarchical File System. See HFS

SD (Secure Digital) cards, 97-98,
101

High Tech Crime Investigation
Association. See HTCIA

USB flash drives, 95

history

xD (Extreme Digital) cards, 99

of Apple, 393-396

Zip disks, 107

of forensics, 14

routers, 302-304

1980s, 14-15

SIM cards, 335

1990s, 15-19

write-blockers, 124
Hash Value Sharing Initiative, 375

of Safari browsers, 406
of United States legal system, 239-244

HB 479, The Offense of Stalking, 443

History.plist, 406

HDDs (hard disk drives), 81

HLR (Home Locator Register), 331

external, 95-96

Holden, Thomas James, 372

IDE (Integrated Drive Electronics), 82

Homeland Security Data Network
(HSDN), 194

SATA (Serial ATA), 83-93
SCSI (Small Computer System
Interface), 81-82
worksheets, 217-218
hearsay, Federal Rules of Evidence
(FRE), 275
hex editors, 37, 40
Hex Workshop, 40
hexadecimal

ASCII conversions, 38-41
to decimal conversion, 38
numbering, 37-38
HFS (Hierarchical File System), 397
HFS+ (Mac OS Extended), 397
Hiberfil.sys file, Vista (Windows), 59
hibernation files, 404

9780789741158_forensics.indb 478

HootSuite, 179
Horton v. California, 254
Host Protected Area. See HPA
hosting (Web), 121
Hotz, George, 270
HPA (Host Protected Area ), 88
HSDN (Homeland Security Data
Network), 194
HSIN-SLIC (Homeland Security
Information Network State and Local
Intelligence Community Interest), 194
HTCIA (High Tech Crime Investigation
Association), 20
HTTP (HyperText Transfer Protocol), 15,
296
Huang, Michelle, 446
Huntington Beach Police Department,
373

11/20/14 10:49 PM

indicators of compromise

479

I

bit-streaming imaging software, 131,
137

I2P (Invisible Internet Project), 171

comparison software, 17

IACIS (International Association of
Computer Investigative Specialists),
21

disk, 86

IACRB (Information Assurance
Certification Review Board), 21

enhancements, 381
evidence, 7-8, 140, 380
case studies, 382-383

iBeacons, 425

comparing digital to analog, 381

IBM, 14

FRE (Federal Rules of Evidence),
380

iBoot, 418
ICAID (INTERPOL Child Abuse Image
Database), 17

EXIF (Exchangeable Image File
Format), 377-380

ICCID (Integrated Circuit Card ID), 330

file systems, 375

Ice Rocket, 178

forensics, 139

iCloud, 406, 419

MD5 hashing, 5

ICSE DB (International Child Sexual
Exploitation image database), 17

metadata, 139, 377

IDE (Integrated Drive Electronics), 82

RAM, 133, 137
virtual machine software, 138

iDEN (Integrated Digital Enhanced
Network), 334

imaging software (iPhones), 417

identities

IMEI (International Mobile Equipment
Identity), 326

generating, 164
masking, 167, 170
theft, 195

impersonation, 444
importance of forensics, 12-14

IDS (intrusion detection systems), 304

IMSI (International Mobile Subscriber
Identity), 329

ILook, 16, 132

Incident Response Team. See IRT

IM (Instant Messenger), 180-182

inculpatory evidence, 3, 252

images, 375

index.dat file, 200

applications, 376

indexing, Vista (Windows), 57

Facebook, 376

India legal system, 282

Flickr, 376

indicators of compromise. See IOCs

Instagram, 377
SnapChat, 377

9780789741158_forensics.indb 479

11/20/14 10:49 PM

480

indictments

indictments, 263
Information Assurance Certification
Review Board. See IACRB
information technology. See IT
InfraGard, 20
InPrivate browsing, 67
In re Boucher, No. 2: 06-mj-91, 2009 WL
424718, 264
Instagram, 376-377
Integrated Circuit Card ID. See ICCID
Integrated Digital Enhanced Network.
See iDEN

International Mobile Subscriber
Identity. See IMSI
international numbering plans, 330
International Organization on
Computer Evidence. See IOCE
International Society of Forensic
Computer Examiners. See ISFCE
International Telecommunication
Union. See ITU
Internet

communications, capturing, 197-200
First Amendment and, 249-251

Integrated Drive Electronics. See IDE

history of forensics (1990s), 15

Intelius, 174

online investigations, 162-163

intellectual property, E.U., 280
intent, email, 5

background searches, 182-187,
190-195

interfaces

online crime, 195-197

APIs (application programming
interfaces), 189
Safari browser, 406

undercover, 163-167, 170
website evidence, 171-173
searching for evidence, 9

SATA (Serial ATA), 83-93

Internet Explorer, 170

SCSI (Small Computer System
Interface), 81-82

Internet Explorer Mobile, 347

Windows 7, 67-68

Internet Relay Chat. See IRC

Internet Protocol. See IP

intermediate appellate courts, 243

Internet service providers. See ISPs

Internal Revenue Service. See IRS

Interpol, 17, 20

International Association of Computer
Investigative Specialists. See IACIS
International Child Sexual Exploitation
image database. See ICSE DB
international collaboration, 17
international databases, 194
International Mobile Equipment
Identity. See IMEI

9780789741158_forensics.indb 480

databases, 194
image evidence, 382
INTERPOL Child Abuse Image
Database. See ICAID
INTERPOL Computer Forensics
Analysis Unit, 17
intrusion detection systems. See IDS

11/20/14 10:49 PM

iPhones

Intrusion Kill Chains, 310
inventory control, private sector labs,
120
investigations

documents, 210
crime scenes, 211
documenting evidence, 214-220
expert witnesses, 227-230

481

investigator skills, 10

communication, 11
computer science, 10
confidentiality, 12
continuous learning, 11
legal expertise, 11
linguistics, 11
Invisible Internet Project. See I2P

obtaining evidence from service
providers, 211

IOCE (International Organization on
Computer Evidence), 17

seizing evidence, 213-214

IOCs (indicators of compromise), 312

tools, 220-222

IOReg Info, 398

writing reports, 222-227

iOS, 410. See also Apple

eDiscovery, 119

iOS 7, 410

evidence. See also evidence

iOS 8, 410-411

cellphones, 10

IP (Internet Protocol), 192

email, 5-7

iPads, 394, 413. See also Apple

images, 7-8

iPhones, 394, 413-418, 425-426. See
also Apple

Internet searches, 9
video, 8-9
websites visited, 9
mobile forensics, documentation, 354
network attacks, 313
online, 162-163
background searches, 182-187,
190-195

evidence, 418
imaging software, 417
Mail, 419
operating modes, 417-418
Safari browsers, 419
Skype, 420
SQLite databases, 420

online crime, 195-197

theft, 427

undercover, 163-167, 170

Touch ID, 416

website evidence, 171-173

versions, 414-416

purpose of, 225

Viber, 422

SCSI (Small Computer System
Interface), 82

9780789741158_forensics.indb 481

11/20/14 10:49 PM

482

iPods

iPods, 393, 412
IRC (Internet Relay Chat), 180-182

JPEG (Joint Photographic Experts
Group), 7, 139, 379

Iridium Communications, 360

JTAG (Joint Test Action Group), 341

IRS (Internal Revenue Service), 16

Judex, 279

IRT (Incident Response Team), 17

judges, 241

IsAnybodyDown, 375

juries, 239-241, 263

ISFCE (International Society of
Forensic Computer Examiners), 21

jurisdiction, 242

ISPs (Internet service providers), 253,
265
IT (information technology), 120
ITU (International Telecommunication
Union), 333
Ivanov, Alexey, 195, 257

K
Kagan, Elena, 260
Kaminski, John, 103
Katz, Charles, 252
Katz v. United States, 252
Kee, Eric, 381

J

Kelley, Coby, 10
Kernell, David, 169

Jablin, Fred, 363
Jackson, Michael, 427
jammers, cellular telephones, 142
Jay, John, 271
JEIDA (Japan Electronic Industry
Development Association), 375
jihadist groups, 178
jobs

openings, attacks, 310

kernels, 42
Kerzic, Duane, 19
keys, DEFAULT, 52
keystroke loggers, 196
Knock and Talk, 254
Krieger, Mike, 377
Kubasiak, Ryan, 390
Kumho Tire Co. v. Carmichael, 273

opportunities, 12-14
Jobs, Steve, 391. See also Apple

L

Joint Photographic Experts Group. See
JPEG

labels (evidence), 130

Joint Test Action Group. See JTAG

labs

Jones, Antoine, 260
journaling, 45, 401
journalspace.com, 186

9780789741158_forensics.indb 482

ASCLD/LAB (American Society of
Crime Laboratory Directors/Lab
Accreditation Board), 117-119

11/20/14 10:49 PM

Library of Congress

budgets, 141
evidence

Foreign Intelligence Surveillance
Act (FISA- 1978), 266

access restrictions, 141-143

PROTECT Act of 2003, 270

private sector labs, 119-121

USA PATRIOT Act, 268-270

requirements, 117-124, 128-132,
137-141, 144
layouts, 121, 124, 128-131, 137-139

constitutional, 248-277
Fifth Amendment, 263-264
First Amendment, 248-251

lands, 102

Fourth Amendment, 251-263

Larson, Stephen, 6

Sixth Amendment, 264-265

Last Numbers Dialed. See LND
latitude, images, 139
law enforcement. See also investigator
skills

access to personal information,
193-195
training, 19-24

European, 278-279
layouts of labs, 121, 124, 128-131,
137-139
Layshock et al v. Hermitage School
District et al, 249
Layshock, Justin, 249
LeadsOnline, 179

Law Enforcement Services Portal. See
LESP

LEAP (Local Number Portability
Enhanced Analytic Platform), 169

Lawful Intercept Configuration Guide,
268

Leap Second Bug, 223

laws

Leavenworth, Kansas, 372

Congressional legislation, 265
Communications Assistance for Law
Enforcement Act (CALEA) (47
U.S.C. § 1002), 268
Computer Fraud and Abuse Act (18
U.S.C. § 2511), 267
Corporate Espionage (18 U.S.C. §
1030(a)(1)), 267

483

leap seconds, 223
legal considerations, mobile forensics,
360-363
legal expertise, investigative skills, 11
Lempel, Ziv, Welch (LZW) lossless data
compression algorithm, 380
LESP (Law Enforcement Services
Portal), 374
Lewinsky, Monica, 169

Digital Millennium Copyright Act
(DMCA) (1998), 270-271

Lewis Mills High School, Connecticut,
251

Federal Wiretap Act of 1968,
265-266

libraries, Pictures Library, 68

9780789741158_forensics.indb 483

Library of Congress, 3

11/20/14 10:49 PM

484

linear filtering (images)

linear filtering (images), 381
linguistics, 11
LinkedIn, 190
Linux systems, 193, 293
lists, evidence, 212

M
Mac computers, 128. See also Apple

forensics, 398

Litvenko, Alexander, 8

Apple mobile devices, 409-418,
425-426

live forensics, 193

case studies, 426-427

livejournal.com, 186

deleted file recovery, 401

LND (Last Numbers Dialed), 335

DMG file system, 401

local databases, 194

Epoch Time, 399-400

Local Number Portability Enhanced
Analytic Platform. See LEAP

IOReg Info, 398

Locard, Edmond, 4
Location Services

iPhones, 425
Skype, 420
Viber, 423-425
locations

cell towers, 322
labs, 143
Lock and Cide, 221
lockers, evidence, 122
locking SIM cards, 418
logical extraction, mobile forensics,
358
logical file sizes, 68
logical storage, 34. See also storage
logs, NTFS, 45
longitude, images, 139
lookups, 169
Lopatka, Sharon, 5
lossless compression, 139
lossy compression, 139

journaling, 401
operating systems, 404-409
PList files, 404
PMAP Info, 399
SQLite databases, 404
history of, 393-396
MFS (Macintosh File System),
397-398
Mac Marshal, 137
Mac mini servers, 391
Mac OS Extended (HFS+), 397
Mac OS X 10.6 (Snow Leopard), 80
MacBooks, 391
Madison, James, 248, 271
Magnet Forensics, 197
Magnetic Media Program (FBI), 15
magnetic tapes, 107-108
magstripe encoders, 154
mail expire (www.mailexpire.com), 166
Mail (iPhones), 419
Mailinator, 167

Lounsbury, Mark, 278

9780789741158_forensics.indb 484

11/20/14 10:49 PM

metadata

Major Industry Identifier. See MII

memory. See also RAM

Major League Baseball (MLB), 447

as evidence, 214

malware, antivirus software, 138

flash, reading, 99-100

Manning, Bradley, 171

handsets, 338

Mann, Matthew, 256

RAM, 92

manual examinations, mobile forensics,
358-360

removable, 93

Marbury v. Madison, 248
masking identities, 167, 170-171
Mason, George, 248
Master Boot Code, 44
Master Boot Record. See MBR

Blu-ray discs, 104
CD-RW (compact disc-rewritable),
103
CDs (compact discs), 102
CF (CompactFlash) cards, 98

Master File Table. See MFT

DVDs, 103

Master Partition Table, 44

external hard drives, 95-96

Mattel vs. MGA Entertainment, Inc., 6

FireWire, 94

MBR (Master Boot Record), 44

floppy disks, 104-106

McCaffrey, Kate, 427

magnetic tapes, 107-108

MCC (Mobile Country Code), 329

ROM, 42

McGuire, Mark, 447

Memory Sticks, 98

McIntyre v. Ohio Elections CommMn,
(1995), 271

MMCs (MultiMedia cards), 96

MD5 algorithm, 5, 374
media

analysis, 226
partitions, 410
medical record theft, 196
megapixels, 378
Megaproxy.com, 169
MEID (Mobile Equipment Identifier), 328
Meier, Megan, 196, 445
Melendez-Diaz v. Massachusetts, 265
Mellon, John, 21
memberships searching user groups,
178-179

9780789741158_forensics.indb 485

485

SD (Secure Digital) cards, 97-98,
101
USB flash drives, 95
xD (Extreme Digital) cards, 99
Zip disks, 107
Vista (Windows), 57
Memory Sticks, 98
Mesa Verde High School, 163
metadata, 132

EXIF (Exchangeable Image File
Format), 377-380
files, 7, 58
images, 139, 377

11/20/14 10:49 PM

486

methodologies, reports

methodologies, reports, 226

iPhones, 413-418, 425-426

Metropolitan Transportation Authority
(MTA), 12

security, 411
MOBILedit, 355

MFS (Macintosh File System), 397-398

Mobile Equipment Identifier. See MEID

MFT (Master File Table), 46-47

mobile forensics, 320-322

Michigan State Police, 262
Micro Systemation, 356
Microsoft. See also Windows operating
systems

evidence, 338, 347-350, 353-354
GPS providers, 360
handsets, 338-339, 354-358

email access, 6

legal considerations, 360-363

Windows Phone, 347

manual examinations, 358-360

Word, 8

networks, 322, 325, 328, 338

MiFi (My Wireless Fidelity), 332

operating systems, 339-347

MII (Major Industry Identifier), 149

SIM cards, 334-337

Miller v. California, 413 U.S. 15 (1973),
251

Mobile Network Operators. See MNOs

MIME (Multipurpose Internet Mail
Extensions), 301

Mobile Stations, 326

MIND/FIND (Fixed Interpol Network
Database and Mobile Interpol
Network Database), 194
Miranda v. Arizona, 264

Mobile Phone Examiner. See MPE+
Mobile Subscriber Identity Number.
See MSIN
Mobile Subscriber ISDN. See MSISDN
Mobile Switching Center. See MSC

MMCs (MultiMedia cards), 96

Mobile Virtual Network Operators. See
MVNOs

MMS (Multimedia Messaging Service),
211, 338

modes, iPhones, 417-418

mobile apps, 221
MNOs (Mobile Network Operator), 331
Mobile Country Code. See MCC
mobile devices (Apple), 409

iOS, 410
iOS 7, 410

modifying images, 381
monitoring blogs, 186-187
Mountain Standard Time. See MST
Moussaoui, Zacharias, 438-441
MPE+ (Mobile Phone Examiner), 355
MSC (Mobile Switching Center), 322

iOS 8, 410-411

MSIN (Mobile Subscriber Identity
Number), 329

iPads, 413

MSISDN (Mobile Subscriber ISDN), 330
MST (Mountain Standard Time), 223

9780789741158_forensics.indb 486

11/20/14 10:49 PM

networks

MTA (Metropolitan Transportation
Authority), 12

NCFI (National Computer Forensics
Institute), 16

MultiMedia cards. See MMCs

NCIC (National Crime Information
Center), 194

Multimedia Messaging Service. See
MMS
multiple displays (Mac), 406

NCMEC (National Center for Missing
and Exploited Children), 15, 374

Multipurpose Internet Mail Extensions.
See MIME

NCTC (National Counterterrorism
Center), 194

murder, 3

NETCRAFT, 172

Murray, Conrad, 427

Network Analyzer, 221

MVNOs (Mobile Virtual Network
Operators), 331

network layer (Layer 3), 306

MySpace, 190, 250

487

networks

myths about forensics, 3-4

APTs (Advanced Persistent Threats),
310-313

My Wireless Fidelity. See MiFi

attack investigations, 313
backing up to, 62

N
National Center for Missing and
Exploited Children. See NCMEC

cellular, 322, 328-338
forensics
devices, 294

National Computer Forensics Institute.
See NCFI

DHCP (Dynamic Host
Configuration Protocol) servers,
298

National Counterterrorism Center
(NCTC), 194

DNS (Domain Name System)
servers, 301

National Crime Information Center. See
NCIC

firewalls, 304

National Institute of Science and
Technology. See NIST
National Labor Relations Board (NLRB),
163

IDS (intrusion detection systems),
304
OSI (Open Systems
Interconnection), 305-310

National White Collar Crime Center.
See NW3C

ports, 305

navigating Windows 7, 67-68

routers, 302-304

9780789741158_forensics.indb 487

proxy servers, 295

11/20/14 10:49 PM

488

networks

SMTP (Simple Mail Transport
Protocol) servers, 299-301
subscriber authentication, 331
tools, 293-294

hexadecimal, 37-38
international numbering plans, 330
NW3C (National White Collar Crime
Center), 20

Web servers, 295-297
GSM (Global System for Mobile
Communications), 127

O

P2P (peer-to-peer), 171

Objective-C, 401

pedophile, 178

O’Brien, James, 381

professional, 190

obtaining evidence from service
providers, 211

social. See social networking
Neustar (www.neustar.biz), 169

Ochoa III, Higinio O., 427

New Technology File System. See
NTFS

O’Connor v. Ortega, 480 U.S. 709
(1987), 252

New York City Department of
Education, 20

Office Hub, 347

New York Court of Appeals, 261

OLAF (European Anti-fraud Office), 281

New York Police Department, 193, 383

Olmstead, Roy, 252

New York State Supreme Court, 263

Olmstead v. United States, 277 U.S. 438
(1928), 252

New York v. Perez, 263
New York v. Weaver, 261
newsgroups, 184
nibbles, 38
Ninth Circuit Court, 253, 258, 447
NIST (National Institute of Science and
Technology), 224, 348
NLRB (National Labor Relations Board),
163
notifications (Macs), 406
NTFS (New Technology File System), 45
numbers

Ohio v. Johnson, 261

online communications, capturing,
197-200
online investigations, 162-163

online crime, 195
credit cards, 195
cyberbullying, 196
identity theft, 195
medical records, 196
social networks, 196-197
undercover, 163-164

allocation blocks, 397

background searches, 182-187,
190-195

formats, 37-42

generating email accounts, 165-167

9780789741158_forensics.indb 488

11/20/14 10:49 PM

pedophiles

generating identities, 164

OS X (Mac), 391, 405-406

masking identities, 167, 170

outing, 444

website evidence, 171-173

ownership

online polls, 444

email, 5

online proxy, 169

USB devices (Windows 7), 63

Open Systems Interconnection. See
OSI
operating modes (iPhones), 417-418
operating systems

Android, 184
boot processes, 42-44
iOS, 410

P
P2P (peer-to-peer) networks, 171
Pace University, 20
packet sniffers, 294
Palin, Sarah, 169, 195

iOS 7, 410

Palo Alto Police, 427

iOS 8, 410-411

Paraben, 13

journaling, 401

Parallel ATA. See PATA

Mac forensics, 404

partitions, 34, 44

OS X, 405-406

media, 410

TDM (Target Disk Mode), 408-409

root, 410

mobile, 339-347

Passware, 138

Windows

password-cracking software, 4,
138-139

conversion, 37-42
features, 53
file storage, 34-36
file systems, 44-50
Registry, 50-52
Vista, 53-59
Windows 7, 59-69
Windows 8.1, 70-72
opportunities, job, 12-14
Oregon v. Meredith, 261
Ortega, Magno, 252
OSI (Open Systems Interconnection),
305-310

9780789741158_forensics.indb 489

489

Password Recovery Toolkit. See PRTK
passwords

Apple ID, 412
iCloud Keychain, 406
PATA (Parallel ATA), 83, 86-93
paths, Registry (Windows 7), 66
PATRIOT Act, 16, 254, 268-270
Paul, Christopher Neil, 383
PCs (personal computers), 14, 128
pedophiles

email as evidence, 5
networks, 178

11/20/14 10:49 PM

490

peer-to-peer

peer-to-peer. See P2P

physical memory, Vista (Windows), 57

pen registers, 258

physical security of labs, 142

People Hub, 347

physical storage, 34

People v. Diaz, 256

Pictures Library, 68

People v Spinelli, 35, 77, 81, 263

pictures, 8. See also images

performance-enhancing drugs (PEDs),
447

Pin Unblocking Key. See PUK
pipl.com, 176

persistent cookies, 199

Pirate Bay, 173

personal computers. See PCs

pits, 102

personal information, law enforcement
access to, 193-195

pixels, 378

Personal Unblocking Code. See PUC
PhotoDNA, 374
photographs, 375. See also images

applications, 376

plain error, 255
plaintiffs, 119, 239
plain view doctrine, 254
platters, 35
Playstation 3, 270

Facebook, 376

Please Rob M, 188

Flickr, 376

PList files, 401-404

Instagram, 377

plutil (property list utility), 402

SnapChat, 377

PMAP Info, 399, 402

evidence, 380
case studies, 382-383
comparing digital to analog, 381
FRE (Federal Rules of Evidence),
380

PNG (Portable Network Graphics), 7,
380
pornography

child. See child pornography
in classrooms, 277

EXIF (Exchangeable Image File
Format), 377-380

Portable Network Graphics. See PNG

file systems, 375

PowerBook laptops, 391

metadata, 377

precedents, 240

ports, 305

physical evidence, 4. See also evidence

predictive coding, 226

physical extractions, mobile forensics,
358

preparation for expert witnesses, 228

physical file size, 35

press releases, attacks, 311

presentation layer (Layer 6), 308

physical layer (Layer 1), 306

9780789741158_forensics.indb 490

11/20/14 10:49 PM

raster graphics

491

prevalence, email as evidence, 6

providers (GPS), 360

Prince Edward Island, 188, 374

proxy servers, 295

Prince, Phoebe, 196, 444

proxy services, 169

privacy. See also access

PRTK (Password Recovery Toolkit), 4,
120

email, 253
E.U, 279-280
India, 282
private investigation firms, 13
private sector labs, 119-121
probable cause, 252

PSAP (Public Safety Access Point), 363
PSTN (Public Switched Telephone
Network), 322
public records, 191
Public Safety Access Point. See PSAP

probate court, 244

Public Switched Telephone Network.
See PSTN

processes

PUC (Personal Unblocking Code), 337

boot, 42-44

PUK (Pin Unblocking Key), 326, 337

MD5 hashing, 5

purpose of investigations, 225

ware-leveling, 91
processing handsets, 338
ProDiscover, 313
professional networks, 190
promiscuous mode, 294

Q
Quick Look, 398
Quon, Jeff, 266

property list utility. See plutil
property (stolen), searching, 179-187
prosecution (documentation), 210

R

crime scenes, 211
documenting evidence, 214-220
expert witnesses, 227-230
obtaining evidence from service
providers, 211
seizing evidence, 213-214
tools, 220-222
writing reports, 222-227

Rader, Dennis Lynn, 441. See also BTK
killer
RAID (Redundant Array of Independent
(or Inexpensive) Disks), 92-93, 293
RAM (random access memory), 9, 92,
293

as evidence, 214
imaging, 133, 137

prosecution affidavits, Zacharias
Moussaoui, 440

raster-based graphics, 139. See also
images

PROTECT Act of 2003, 16, 270

raster graphics, 378

9780789741158_forensics.indb 491

11/20/14 10:49 PM

492

Ravi, Dharun

Ravi, Dharun, 446
RAW files, 379

Regional Computer Forensics
Laboratory. See RCFL

RAW formats, 139

Registry Viewer, 52

RCFL (Regional Computer Forensics
Laboratory), 18-19

Registry (Windows), 52

reading flash memory, 99-100

analysis, 65-66
online communications capture, 200

read-only memory. See ROM

regulatory law, 240

ReadyBoost, Vista (Windows), 57

reliability, 92

Real Time Crime Center. See RTCC

removable memory, 93. See also
memory

Research in Motion. See RIM
reconnaissance, 310

Blu-ray discs, 104

Record Management Systems (RMS),
194

CD-RW (compact disc-rewritable), 103

records

cellular phones, 361
public, 191
subscriber, 326
recovery. See also PRTK

deleted files, 4, 401
digital data, 3
evidence
cellphones, 10
email, 5-7
images, 7-8
Internet searches, 9
types of, 5
video, 8-9
websites visited, 9
Recovery Mode (iPhones), 417
Recycle Bin, 92
Redundant Array of Independent (or
Inexpensive) Disks. See RAID

CDs (compact discs), 102
CF (CompactFlash) cards, 98
DVDs, 103
external hard drives, 95-96
FireWire, 94
floppy disks, 104-106
magnetic tapes, 107-108
Memory Sticks, 98
MMCs (MultiMedia cards), 96
SD (Secure Digital) cards, 97-98, 101
USB flash drives, 95
xD (Extreme Digital) cards, 99
Zip disks, 107
reports (investigations), 210

crime scenes, 211
documenting evidence, 214-220
expert witnesses, 227-230
obtaining evidence from service
providers, 211
seizing evidence, 213-214

9780789741158_forensics.indb 492

11/20/14 10:49 PM

searches

tools, 220-222

Rule 52(b), 255

writing reports, 222-227

Rule 902(11), Rule 902(12), 275

Research in Motion. See RIM

Rules of Criminal Procedure, 255

resource forks, 397

Russian hackers, 257

Restoration of images, 381

Ryan, Steven, 262

493

restoration points (Windows 7), 61
revenge porn, 375
reverse lookups, 169
RF Shield Boxes, 351
Rigmaiden, Daniel David, 258
Riley v. California, 263
RIM (Research in Motion), 345
RMS (Record Management Systems),
194
Rodriguez, Alex, 447
Rombom, et al. v. Weberman et al., 6
ROM (read-only memory), 42
rootkits, 45
root partitions, 410
Rountree, Piper, 10, 363
router.config file, 171

S
Safari browsers, 406-408, 419
safety, labs, 140
Samsung Galaxy, 340
Sanchez, Rodolfo, 12
Sarbanes-Oxley Act, 119
SATA (Serial ATA), 83-93, 128
satellite communication services, 360
saving digital photographs, 375
SCA (Stored Communications Act), 6,
253, 265
Scientific Working Group on Digital
Evidence. See SWGDE

Router Marshal, 193

Scientific Working Group on Imaging
Technologies. See SWGIT

RouterPasswords.com, 193

screen capture software, 197-198

routers, 193, 302-304

screwdrivers, 128

routes, 363

scripting languages, 298

Royal Canadian Mounted Police
(RCMP), 188, 374

SCSI (Small Computer System
Interface), 81-82

RTCC (Real Time Crime Center), 193

SD (Secure Digital) cards, 97-98, 101

rules

Search Bug, 175

best evidence, 276

searches

exclusionary, 251

background searches, 173-174,
177-187, 190-195

FRE (Federal Rules of Evidence), 380

digital surveillance as, 258

evidence admissibility, 271-276

9780789741158_forensics.indb 493

11/20/14 10:49 PM

494

searches

Internet as evidence, 9

servers

and seizure, 261

DHCP (Dynamic Host Configuration
Protocol), 298

stolen property, 183-187

DNS (Domain Name System), 301

Vista (Windows), 57

Mac mini, 391

warrantless searches, 254-257

OS X Server, 391

warrants (Fourth Amendment),
252-254

proxy, 295

search incident to a lawful arrest, 256

Windows 7, 69
SEC (Securities and Exchange
Commission), 13, 119
sectors, 34

SMTP (Simple Mail Transport
Protocol), 299-301
Web, 9, 295-297
worksheets, 218-220
services (digital photographs), 376

Secure Digital cards. See SD cards

Facebook, 376

SecureDrop, 171

Flickr, 376

Secure Techniques for Onsite Preview.
See STOP

Instagram, 377
SnapChat, 377

Securities and Exchange Commission.
See SEC

session layer (Layer 5), 308

security

sessions

Android, 343

cookies, 199

Apple, 411-412

on compact discs, 103

APTs (Advanced Persistent Threats),
310-313

Sewell, Dara K., 440

attacks. See attacks

Shield Boxes, 351

evidence lockers, 122

Short Message Service. See SMS

firewalls, 304
forensics, comparisons, 3-4
labs, access restrictions, 141-143
Windows 8.1, 72

sexting, 444

Shugart Associates, 81
signal jammers, 142
SIM cards, 329-337, 418
SIMCon, 356

seizing evidence, 213-214

Simple Mail Transport Protocol. See
SMTP

September 11, 2001, 268. See also
terrorists

SIM (Subscriber Identification Module)
cards, 127

Serial ATA. See SATA

9780789741158_forensics.indb 494

11/20/14 10:49 PM

SSDs (solid state drives)

Sixth Amendment (U.S. Constitution),
264-265
skills of investigators, 10

communication, 11

495

MySpace, 190
Twitter, 189
soft handoffs, 325
software, 130. See also applications

computer science, 10

antivirus, 138

confidentiality, 12

bit-stream imaging, 131, 137

continuous learning, 11

firewalls, 304

legal expertise, 11

IDS (intrusion detection systems), 304

linguistics, 11

mobile forensics, 354-355

skimmers, 8, 152-155
skipease.com, 176
Skype, 183, 420
slack, files, 35
sleepimage files, 404

password-cracking, 138-139
Tor, 170
virtual machines, 138
solid state drives. See SSDs

Sleuthkit, 132, 137

Sony Computer Entertainment America
v. George Hotz, 270

Small Computer System Interface. See
SCSI

Sony Music Entertainment v. Does, 271

SMART files, 137

sound recordings, 270

SmartCarving, 140

South Dakota v. Opperman (1976) 428
U.S. 364 (96 S.Ct. 3092), 262

smartphones, 340. See also mobile
forensics

Southwest Airlines, 363

Smith v. Maryland, 442 U.S. 735 (1979),
258

Spencer, Elliot, 16

SMS (Short Message Service), 337
SMTP (Simple Mail Transport Protocol)
servers, 299-301

Souza, Dawnmarie, 163
spindles, 35
spoleo.com, 176
spoliation of evidence, 12

Smyth v. The Pillsbury Company, 266

sports case studies, 447-448

Snagit, 198

Spotlight, 398

SnapChat, 377

Spring.me, 444

Snowden, Edward, 171

SpyDialer.com, 168

social networking, 187

SQLite databases, 340, 404, 420

crimes, 196-197

SSDs (solid state drives), 90-91

Facebook, 187-188
Foursquare, 190

9780789741158_forensics.indb 495

11/20/14 10:49 PM

496

standards

standards

OSI (Open Systems Interconnection),
305-310
Unicode, 42

subpoenas, 264
subscriber evidence, 326, 331
Subscriber Identification Module cards.
See SIM cards

standby counsel objections, Zacharias
Moussaoui, 439

subscriber records, 326

standing, 256

Supreme Court, 242

state appellate courts, 243

Supreme Court of California, 256

state courts, 243

surveillance

state laws, GPS tracking devices,
261-262
State of Connecticut v. John Kaminski,
103
State v. Armstead, 275

Suicide Prevention Law (Act 114), 445

as search, 258
video, 8. See also video
suspects, background searches,
173-187, 182-195

statutory law, 240

SWGDE (Scientific Working Group on
Digital Evidence), 119

Stengart vs. Loving Care Agency, Inc.,
6

SWGIT (Scientific Working Group on
Imaging Technologies), 381

steroids, 447

Symbian, 345

Sticky Notes (Windows 7), 65

SYN flood attacks, 308

statistics, websites, 172

SYN-SYN-ACK handshakes, 307

sting operations, 164
Stingray, 258

system configuration, Registry
(Windows), 50-52

stolen goods, tracking, 427

System Software Personalization, 410

stolen property, searching, 183-187

System Status, 221

STOP (Secure Techniques for Onsite
Preview), 20

Systrom, Kevin, 377

storage, 34. See also memory

digital photographs, 375
files, 34-36
Stored Communications Act (SCA), 6
structure

of United States legal system, 239-244
of reports, 224, 227

T
table of contents. See TOCs
tables

byte conversion, 36
MFTs, 46-47
tablets, 361

subnet masks, 299

9780789741158_forensics.indb 496

11/20/14 10:49 PM

tools

TAC (Type Allocation Code), 326

497

Tagged Image File Format. See TIFF

Threat and Local Observation Notice.
See TALON

tags (Macs), 406

three-message handshakes, 307

Tails, 170

TIFF (Tagged Image File Format), 7, 380

TALON (Threat and Local Observation
Notice), 194

Time Division Multiple Access. See
TDMA

tampering with evidence, 6, 130

Tinker, John, 249

Tandy, 14

Tinker, Mary Beth, 249

Target Disk Mode. See TDM

Tinker v. Des Moines Independent
Community School District, (1969),
249

TCP (Transmission Control Protocol),
307
TDM (Target Disk Mode), 408-409
TDMA (Time Division Multiple Access),
333
tech forums, attacks, 311
Tech Pathways, 313
Tellme, 347
Temporary Mobile Subscriber Identity.
See TMSI

TLO (Terrorism Liaison Officer), 194
TMSI (Temporary Mobile Subscriber
Identity), 331
Tobolski, Donny, 163
TOCs (table of contents), 103, 225
TomTom, 362. See also GPS
tools, 4

Adroit Forensics, 140

Tenth Circuit U.S. Court of Appeals, 255

AIM, 183

Terrorism Liaison Officer (TLO), 194

Android, 344

terrorists, 194

BitLocker, 10, 59

attacks, 194

bit-stream imaging, 4

blogs, 186

Boot Camp, 80

The-cloak.com, 169

COFEE, 63

theft

Disk Defragmenter, 54

credit cards, 195
identity, 195

Disk Jockey PRO Forensic Edition, 86,
89

iPhones, 427

Disk Utility, 406

medical records, 196

documentation, 214, 220-222

The Onion Router. See TOR

Chain of Custody forms, 215

theories, Transfer of Evidence, 4

computer worksheets, 216-217

theultimates.com, 174

9780789741158_forensics.indb 497

11/20/14 10:49 PM

498

tools

HDD (hard disk drive) worksheets,
217-218

TOR (The Onion Router), 68

server worksheets, 218-220

touch screens (Windows 7), 64

Touch ID (iPhones), 416

Epoch Time, 399-400

TPM (Trusted Platform Module), 59

EXIFextracter, 378

tracking

ExifTool, 378

changes, 45

FileVault, 405

GPS, 258-262, 363

FTK Imager, 47-48

stolen goods, 427

GREP (Global Regular Expressions
Print), 147-149

tracks, 34, 103, 363

I2P (Invisible Internet Project), 171

traffic

trackpoints, 362

ILook, 16

court, 244

IM (Instant Messenger), 182

stops (Fourth Amendment), 262-263

IOReg Info, 398

training, 19-24

iPhones, 417

Transfer of Evidence theory, 4

labs, 128

Transmission Control Protocol. See
TCP

Magnet Forensics, 197
networks, 293-294
PMAP Info, 399
PRTK (Password Recovery Toolkit),
120
plutil (property list utility), 402

triage forensics, 193
Trial Courts of Limited Jurisdiction, 244
tricking, 444
TRIM, 92
Trojan horses, 196, 311
Trusted Platform Module. See TPM

Snagit, 198

tweetpaths.com, 189

Skype. See Skype

TwitPic, 189

TwitPic, 189

Twitter, background searches, 189

validation, 348

Type Allocation Code. See TAC

Vere Software, 197

types

video, 199

of cellular service carriers, 331-334

WayBackMachine, 171

of compression, 139

WhatsApp, 423

of cookies, 199

TopSites.plist file, 408
Tor, 170

9780789741158_forensics.indb 498

11/20/14 10:49 PM

USB (universal serial bus)

of evidence, 5

Unique Device Identifiers. See UDIDs

cellphones, 10

United States legal system, 239-244

email, 5-7

United States Secret Service. See
USSS

images, 7-8
Internet searches, 9
video, 8-9
websites visited, 9
of images, 7, 378

499

United States v. Carey, 254
United States v. Jones, 260
United States v. Leon, 468 U.S. 897
(1984), 253
United States v. Lori Drew, 445
United States v. Magana, 512 F.2d
1169-1171 (9th Cir. 1975), 260

U

United States v. Mann (No. 08-3041,
256

UCD (University College Dublin), 20
UDIDs (Unique Device Identifiers), 411

United States v. McConney, 728 F.2d
1195, 1199 (9th Cir.), 254

UFED (Universal Forensics Extraction
Device), 357

United States v. Tank, 275

UICC (Universal Integrated Circuit
Card), 328

United States v. Ziegler, 253

UMTS (Universal Mobile
Telecommunications System), 334
unallocated storage space, 33
undercover investigations, 163-164.
See also investigations

background searches, 173-174,
177-187, 190-195
email, generating, 165-167
identities
generating, 164
masking, 167, 170
website evidence, 171-173
Unicode, 42

United States v. Warshak, 253
Universal Forensics Extraction Device.
See UFED
Universal Integrated Circuit Card. See
UICC
Universal Time Coordinated. See UTC
University College Dublin. See UCD
unlocking SIM cards, 418
UPS (uninterruptible power supply), 140
URIs (uniform resource identifiers), 296
USA PATRIOT Act, 14-16, 254, 268-270
USB (universal serial bus)

flash drives, 95
ownership of, 63

uniform resource identifiers. See URIs
uninterruptible power supply. See UPS

9780789741158_forensics.indb 499

11/20/14 10:49 PM

500

U.S. court system

U.S. court system, 241

vector graphics, 379

appeals courts, 242

Vere Software, 197

federal appellate courts, 242

verification, MD5 hashing, 5

federal courts, 242

versions

intermediate appellate courts, 243

iPhones, 414-416

state appellate courts, 243

Windows

state courts, 243

Vista, 53-59

Supreme Court, 242

Windows 7, 59-69

Trial Courts of Limited Jurisdiction,
244

Windows 8.1, 70-72
Viber, 422

U.S. District Courts, 243

video

U.S. District Court of Arizona, 258

evidence, 8-9

usenet groups, 184

online communication capture, 199

user groups, searching, 178-179

tools, 199

U.S. Naval Research Laboratory, 170
USSS (United States Secret Service),
16
U.S. v. Daniel David Rigmaiden, 258
U.S. v. Dunn, 480 U.S. 294 (1987), 259
U.S. v. Jones, 261
U.S. v. Knotts 460 U.S. 276 (1983), 259
U.S. v. McIver, 259
U.S. v. Pineda-Moreno, 259

viewing

BIOS, 42
cookies, 199-200
Event Viewer
Vista (Windows), 55
Windows 7, 66-67
Registry Viewer, 52
residences, 195

U.S. v. Simpson, 255

Virginia Declaration of Rights, 248

UTC (Universal Time Coordinated), 223

Virginia Polytechnic, 3
Virtual Global Taskforce, 17
virtual machine software, 138

V

viruses, 45, 311
VLR (Visitor Locator Register), 331

vacuuming, 404

Volume Shadow Copy, 58, 313

validation tools, 348
values, bits, 37
vBulletin, 178

9780789741158_forensics.indb 500

11/20/14 10:49 PM

X-Ways Forensics

W

501

storage, 34-36
Vista, 53-59

Wantirna South, Melbourne, Australia,
427
ware-leveling, 91
warrantless searches, 254-257
Warshak, Steve, 253
Washington v. Jackson, 150 Wash.2d
251, 76 P.3d 217 (Wash. 2003), 261
WayBackMachine, 171
Wayne, Ronald, 391
waypoints, 363
WCDMA (Wide Band CDMA), 333

Windows 7, 59-69
Windows 8.1, 70-72
Windows Phone, 347
WinHex, 132
wireless capabilities, 352-353
wireless devices (Apple), 395
Wireless Fidelity (WiFi) connections,
142
witnesses, expert, 227-230, 273-274
Wolf, Cassidy, 375

weaponization, attacks, 311

Word (Microsoft), 8. See also
documents

Web browsers, 67-68, 296

workbenches, lab layouts, 122

Web hosting, private sector labs, 121

worksheets, 216-217

Web servers, 9, 295-297
webcasting, 270
websites, evidence, 171-173, 9
Weeks v. United States, 232 U.S. 383
(1914), 251
Weiner, Charles R., 266
WhatsApp, 423-425

HDDs (hard disk drives), 217-218
servers, 218-220
workstations, lab layouts, 122
Wozniak, Steve, 391. See also Apple
write-blockers, 100, 124
writing reports, 222-227

whistleblowers, 171
Windows bitmap (BMP, 7

X

Windows File Registry, applying, 200
Windows Live Messenger, 184

XAMN tool (Micro Systemation), 356

Windows operating systems, 53

xD (Extreme Digital) cards, 99

boot processes, 42-44

XML (Extensible Markup Language), 56

conversion, 37-42

XMPP (Extensible Messaging and
Presence Protocol), 182

file systems, 44-50
Registry, 50-52
Safari for, 408

9780789741158_forensics.indb 501

XOR algorithm, 183
XPath (XML Path Language), 57
X-Ways Forensics, 132

11/20/14 10:49 PM

502

Yahoo!

Y

Z

Yahoo!

zabasearch.com, 174

email access, 6

Zdziarski, Jonathan, 390

Messenger, 183

Zeus, 196

Yemen, 187

Ziegler, William Wayne, 253
zillow.com, 195
Zip disks, 107

9780789741158_forensics.indb 502

11/20/14 10:49 PM