A PRACTICAL GUIDE TO
COMPUTER
FORENSICS
INVESTIGATIONS
DR. DARREN R. HAYES
A Practical Guide to
Computer Forensics
Investigations
Dr. Darren R. Hayes
800 East 96th Street, Indianapolis, Indiana 46240 USA
9780789741158_forensics.indb i
11/20/14 10:48 PM
A Practical Guide to Computer Forensics Investigations
Associate Publisher
Dave Dusthimer
Copyright © 2015 by Pearson Education, Inc.
All rights reserved. No part of this book shall be reproduced, stored in a retrieval system, or
transmitted by any means, electronic, mechanical, photocopying, recording, or otherwise,
without written permission from the publisher. No patent liability is assumed with respect
to the use of the information contained herein. Although every precaution has been taken in
the preparation of this book, the publisher and author assume no responsibility for errors or
omissions. Nor is any liability assumed for damages resulting from the use of the information
contained herein.
ISBN-13: 978-0-7897-4115-8
ISBN-10: 0-7897-4115-6
Acquisitions Editor
Betsy Brown
Development Editor
Jeff Riley
Managing Editor
Sandra Schroeder
Project Editor
Mandie Frank
Library of Congress Control Number: 2014955541
Printed in the United States of America
Copy Editor
Krista Hansing
First Printing: December 2014
Trademarks
All terms mentioned in this book that are known to be trademarks or service marks have
been appropriately capitalized. Pearson IT Certification cannot attest to the accuracy of this
information. Use of a term in this book should not be regarded as affecting the validity of any
trademark or service mark.
Warning and Disclaimer
Every effort has been made to make this book as complete and as accurate as possible, but
no warranty or fitness is implied. The information provided is on an “as is” basis. The author
and the publisher shall have neither liability nor responsibility to any person or entity with
respect to any loss or damages arising from the information contained in this book.
Special Sales
For information about buying this title in bulk quantities, or for special sales opportunities
(which may include electronic versions; custom cover designs; and content particular to your
business, training goals, marketing focus, or branding interests), please contact our corporate
sales department at
[email protected] or (800) 382-3419.
Indexer
Larry Sweazy
Proofreader
Megan Wade-Taxter
Technical Editors
Dennis Dragos
Shawn Merdinger
Publishing Coordinator
Vanessa Evans
Designer
Alan Clements
Compositor
Tricia Bronkella
For government sales inquiries, please contact
[email protected].
For questions about sales outside the U.S., please contact
[email protected].
9780789741158_forensics.indb ii
11/20/14 10:48 PM
Contents at a Glance
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xx
1
The Scope of Computer Forensics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
2
Windows Operating and File Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
3
Handling Computer Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
4
Acquiring Evidence in a Computer Forensics Lab . . . . . . . . . . . . . . . . . . 116
5
Online Investigations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
6
Documenting the Investigation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
7
Admissibility of Digital Evidence. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
8
Network Forensics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
9
Mobile Forensics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
10 Photograph Forensics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372
11 Mac Forensics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390
12 Case Studies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 436
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458
iii
9780789741158_forensics.indb iii
11/20/14 10:48 PM
Table of Contents
Introduction
Chapter 1: The Scope of Computer Forensics
xx
2
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Popular Myths about Computer Forensics . . . . . . . . . . . . . . . . . . . . . . . . . 3
Types of Computer Forensics Evidence Recovered . . . . . . . . . . . . . . . . . . . . . . 5
Electronic Mail (Email) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Images . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Video . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Websites Visited and Internet Searches . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Cellphone Forensics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
What Skills Must a Computer Forensics Investigator Possess? . . . . . . . . . . . 10
Computer Science Knowledge . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Legal Expertise . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Communication Skills . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Linguistic Abilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Continuous Learning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
An Appreciation for Confidentiality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
The Importance of Computer Forensics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Job Opportunities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
A History of Computer Forensics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
1980s: The Advent of the Personal Computer . . . . . . . . . . . . . . . . . . . . . 14
1990s: The Impact of the Internet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Training and Education . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Law Enforcement Training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
iv
Table of Contents
9780789741158_forensics.indb iv
11/20/14 10:48 PM
Chapter 2: Windows Operating and File Systems
32
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Physical and Logical Storage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
File Storage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
File Conversion and Numbering Formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Conversion of Binary to Decimal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Hexadecimal Numbering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Conversion of Hexadecimal to Decimal . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Conversion of Hexadecimal to ASCII (American Standard Code
for Information Interchange) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Unicode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Operating Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
The Boot Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Windows File Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Windows Registry. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Registry Data Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
FTK Registry Viewer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Microsoft Windows Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Windows Vista . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Windows 7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Windows 8.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Chapter 3: Handling Computer Hardware
80
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Hard Disk Drives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Small Computer System Interface (SCSI) . . . . . . . . . . . . . . . . . . . . . . . . . 81
Integrated Drive Electronics (IDE) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Serial ATA (SATA) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Cloning a PATA or SATA Hard Disk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Cloning Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Table of Contents
9780789741158_forensics.indb v
v
11/20/14 10:48 PM
Removable Memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
FireWire . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
USB Flash Drives. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
External Hard Drives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
MultiMedia Cards (MMCs) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Chapter 4: Acquiring Evidence in a Computer Forensics Lab
116
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Lab Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
American Society of Crime Laboratory Directors . . . . . . . . . . . . . . . . . . 117
American Society of Crime Laboratory Directors/Lab
Accreditation Board (ASCLD/LAB) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
ASCLD/LAB Guidelines for Forensic Laboratory Management
Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Scientific Working Group on Digital Evidence (SWGDE) . . . . . . . . . . . . 119
Private Sector Computer Forensics Laboratories . . . . . . . . . . . . . . . . . . . . . . 119
Evidence Acquisition Laboratory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Email Preparation Laboratory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Inventory Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Web Hosting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Computer Forensics Laboratory Requirements . . . . . . . . . . . . . . . . . . . . . . . . 121
Laboratory Layout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Laboratory Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
Laboratory Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
Extracting Evidence from a Device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Using the dd Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Using Global Regular Expressions Print (GREP) . . . . . . . . . . . . . . . . . . 145
Skimmers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
vi
Table of Contents
9780789741158_forensics.indb vi
11/20/14 10:48 PM
Chapter 5: Online Investigations
162
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
Working Undercover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Generate an Identity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Generate an Email Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Mask Your Identity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
Website Evidence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Website Archives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Website Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Background Searches on a Suspect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Personal Information: Mailing Address, Email Address,
Telephone Number, and Assets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Personal Interests and Membership of User Groups . . . . . . . . . . . . . . . 178
Searching for Stolen Property . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Online Crime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Identity Theft . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Credit Cards for Sale. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Electronic Medical Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
Cyberbullying . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
Social Networking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
Capturing Online Communications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Using Screen Captures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Using Video . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Viewing Cookies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Using Windows Registry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Chapter 6: Documenting the Investigation
210
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
Obtaining Evidence from a Service Provider . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Documenting a Crime Scene. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Table of Contents
9780789741158_forensics.indb vii
vii
11/20/14 10:48 PM
Seizing Evidence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
Crime Scene Examinations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
Documenting the Evidence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
Completing a Chain of Custody Form . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Completing a Computer Worksheet . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
Completing a Hard Disk Drive Worksheet . . . . . . . . . . . . . . . . . . . . . . . . 217
Completing a Server Worksheet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
Using Tools to Document an Investigation . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
CaseNotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
FragView . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
Helpful Mobile Applications (Apps) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Network Analyzer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
System Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
The Cop App . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Lock and Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Digital Forensics Reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Federal Rules of Civil Procedure (FRCP) . . . . . . . . . . . . . . . . . . . . . . . . . 222
Federal Rules of Evidence (FREvidence) . . . . . . . . . . . . . . . . . . . . . . . . . 222
Writing Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
Time Zones and Daylight Saving Time (DST) . . . . . . . . . . . . . . . . . . . . . 222
Creating a Comprehensive Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
Using Expert Witnesses at Trial . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
The Expert Witness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
The Goals of the Expert Witness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
Preparing an Expert Witness for Trial . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
viii
Table of Contents
9780789741158_forensics.indb viii
11/20/14 10:48 PM
Chapter 7: Admissibility of Digital Evidence
238
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
History and Structure of the United States Legal System . . . . . . . . . . . . . . . 239
Origins of the U.S. Legal System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
Overview of the U.S. Court System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
In the Courtroom . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
Evidence Admissibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
Constitutional Law . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
First Amendment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
First Amendment and the Internet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Fourth Amendment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
Fifth Amendment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
Sixth Amendment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
Congressional Legislation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
Rules for Evidence Admissibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
Criminal Defense . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
When Computer Forensics Goes Wrong . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
Pornography in the Classroom. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
Structure of the Legal System in the European Union (E.U.) . . . . . . . . . . . . . 278
Origins of European Law . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
Structure of European Union Law . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
Structure of the Legal System in Asia. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
China . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
India . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
Chapter 8: Network Forensics
292
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
The Tools of the Trade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
Table of Contents
9780789741158_forensics.indb ix
ix
11/20/14 10:48 PM
Networking Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
Proxy Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
Web Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
DHCP Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
SMTP Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
DNS Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
IDS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
Firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
Understanding the OSI Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
The Physical Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306
The Data Link Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306
The Network Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306
The Transport Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
The Session Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
The Presentation Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
The Application Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
Advanced Persistent Threats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
Cyber Kill Chain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
Indicators of Compromise (IOC) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
Investigating a Network Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
Chapter 9: Mobile Forensics
320
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
The Cellular Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
Base Transceiver Station . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
Mobile Station . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
Cellular Network Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
x
Table of Contents
9780789741158_forensics.indb x
11/20/14 10:48 PM
SIM Card Forensics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334
Types of Evidence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
Handset Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
Memory and Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
Battery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
Other Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
Mobile Operating Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
Android OS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
Windows Phone. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
Standard Operating Procedures for Handling Handset Evidence . . . . . . . . . 347
National Institute of Standards and Technology . . . . . . . . . . . . . . . . . . 348
Preparation and Containment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349
Wireless Capabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352
Documenting the Investigation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
Handset Forensics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
Cellphone Forensic Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
Cellphone Forensics Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
Logical versus Physical Examination . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
Manual Cellphone Examinations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
Flasher Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Global Satellite Service Providers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
Satellite Communication Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
Legal Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
Carrier Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
Other Mobile Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
Tablets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
GPS Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
Table of Contents
9780789741158_forensics.indb xi
xi
11/20/14 10:48 PM
Chapter 10: Photograph Forensics
372
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372
Understanding Digital Photography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375
File Systems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375
Digital Photography Applications and Services . . . . . . . . . . . . . . . . . . . 376
Examining Picture Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
Exchangeable Image File Format (EXIF) . . . . . . . . . . . . . . . . . . . . . . . . . 377
Evidence Admissibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380
Federal Rules of Evidence (FRE) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380
Analog vs. Digital Photographs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
Case Studies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382
Worldwide Manhunt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382
NYPD Facial Recognition Unit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384
Chapter 11: Mac Forensics
390
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390
A Brief History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
Macintosh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
Mac Mini with OS X Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
iPod . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
iPhone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394
iPad. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394
Apple Wi-Fi Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395
Macintosh File Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
Forensic Examinations of a Mac . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398
IOReg Info . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398
PMAP Info . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
Epoch Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
Recovering Deleted Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401
xii
Table of Contents
9780789741158_forensics.indb xii
11/20/14 10:48 PM
Journaling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401
DMG File System. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401
PList Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401
SQLite Databases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404
Macintosh Operating Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404
Mac OS X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
Target Disk Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408
Apple Mobile Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409
iOS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410
iOS 7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410
iOS 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410
Security and Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
iPod . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412
iPhone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
Enterprise Deployment of iPhone and iOS Devices . . . . . . . . . . . . . . . . 426
Case Studies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 426
Find My iPhone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427
Wanted Hactevist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427
Michael Jackson . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427
Stolen iPhone. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427
Drug Bust . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 428
Chapter 12: Case Studies
436
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 436
Zacharias Moussaoui . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437
Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437
Digital Evidence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438
Standby Counsel Objections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439
Prosecution Affidavit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440
Table of Contents
9780789741158_forensics.indb xiii
xiii
11/20/14 10:48 PM
xiv
Exhibits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440
Email Evidence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440
BTK (Bind Torture Kill) Killer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441
Profile of a Killer. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441
Evidence. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442
Cyberbullying . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443
Federal Anti-harassment Legislation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443
State Anti-harassment Legislation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443
Warning Signs of Cyberbullying . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443
What Is Cyberbullying? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444
Phoebe Prince . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444
Ryan Halligan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445
Megan Meier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445
Tyler Clementi . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445
Sports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 449
Index
9780789741158_forensics.indb xiv
458
11/20/14 10:48 PM
xv
About the Author
Dr. Darren R. Hayes is a leading expert in the field of digital forensics and computer security. He
is the director of cybersecurity and an assistant professor at Pace University, and he has been named
one of the Top 10 Computer Forensics Professors by Forensics Colleges.
Hayes has served on the board of the High Technology Crime Investigation Association (HTCIA),
Northeast Chapter, and is the former president of that chapter. He also established a student chapter
of the HTCIA at Pace University.
During his time at Pace University, Hayes developed a computer forensics track for the school’s
bachelor of science in information technology degree. He also created a computer forensics research
laboratory, where he devotes most of his time to working with a team of students in computer
forensics and, most recently, the burgeoning field of mobile forensics. As part of his research and
promotion of this scientific field of study, he has fostered relationships with the NYPD, N.Y. State
Police, and other law enforcement agencies. He also organized a successful internship program at the
cybercrime division of the New York County D.A. Office and the Westchester County D.A. Office.
Hayes is not only an academic, however—he is also a practitioner. He has been an investigator on
both civil and criminal investigations and has been called upon as an expert for a number of law
firms. In New York City, Hayes has been working with six to eight public high schools to develop a
curriculum in computer forensics. He collaborates on computer forensics projects internationally and
has served as an extern examiner for the MSc in Forensic Computing and Cybercrime Investigation
degree program at University College Dublin for four years.
Hayes has appeared on Bloomberg Television and Fox 5 News and been quoted by Associated
Press, CNN, Compliance Week, E-Commerce Times, The Guardian (UK), Investor’s Business Daily,
MarketWatch, Newsweek, Network World, Silicon Valley Business Journal, USA Today, Washington
Post, and Wired News. His op-eds have been published by American Banker’s BankThink and The
Hill’s Congress Blog. In addition, he has authored a number of peer-reviewed articles in computer
forensics, most of which have been published by the Institute of Electrical and Electronics Engineers
(IEEE). Hayes has been both an author and reviewer for Pearson Prentice Hall since 2007.
9780789741158_forensics.indb xv
11/20/14 10:48 PM
xvi
About the Technical Reviewer
Dennis Dragos, President of DDragos Information Security and Investigation Corp. (DDIS) served
20 years in the New York City Police Department. For 11 years, he was assigned to the NYPD
Computer Crimes Squad, Special Investigations Division, Detective Bureau, reaching the rank of 2nd
grade detective. He is currently an adjunct assistant professor of the Cyber Security Systems Program
within the College of Professional Studies at St. John’s University, Queens, N.Y.
Shawn Merdinger is the CISO for Valdosta State University in Georgia. He has worked with
Cisco Systems, 3Com/TippingPoint at University of Florida Health Science Center, and as an independent consultant. His current research focuses on medical device security, and he is the founder
of the MedSec group on LinkedIn. Shawn has presented original research at security conferences
such as DEFCON, Educause, ISSA, InfraGard, Ph-Neutral, ShmooCon, CONfidence, NoConName,
O’Reilly, CSI, IT Underground, CarolinaCon, and SecurityOpus. He holds a bachelor’s degree from
University of Connecticut and a master’s from the University of Texas at Austin.
9780789741158_forensics.indb xvi
11/20/14 10:48 PM
xvii
Dedication
This book is dedicated to my loving wife, Nalini, and my children,
Nicolai, Aine, Fiona, and Shay.
Acknowledgments
I should begin by acknowledging my supportive and patient wife, Nalini, who is my best friend. Long
hours working on a book mean sacrifices for everyone in the family, and my children, Nicolai, Aine,
Fiona, and Shay, have been brilliant. My parents, Annette and Ted, have been mentors throughout my
life, and I will always be in their debt.
Professionally, I should acknowledge the former deans of the Seidenberg School at Pace University,
Dr. Susan Merritt and Dr. Constance Knapp, who have always believed in me and supported me. My
current dean, Dr. Amar Gupta, continues to support my passion for computer forensics and security.
Others who deserve honorable mention are my colleagues at Pace, Dean Jonathan Hill, Dr. Catherine
Dwyer, Dr. Nancy Hale, Dr. John Molluzzo, Dean Bernice Houle, Dr. Susan Maxam, Dr. Richard
Kline, Professor Andreea Cotoranu, Dr. Li-Chiou Chen, Dr. Lixin Tao, Dr. Fred Grossman, Ms.
Susan Downey, Ms. Bernice Tracey, Ms. Fran O’Gara, Dr. Narayan Murthy, Dr. James Gabberty,
Professor Robert Benjes, Ms. Stephanie Elson, Ms. Kimberly Brazaitis, and many others.
The students at Pace University inspire me more than they realize and work many hours in the
computer forensics lab. I appreciate all the hard work and dedication by Pace students Mr. Roman
Perez, Ms. Renee Pollack, Mr. Mario Camilla, Mr. James Ossipov, Mr. Shariq Qureshi, Ms. Eileen
Mulhall, Mr. Matthew Chao, Mr. Jakub Redziniak, and Ms. Fitore Balidemaj, to name but a few.
I wish to acknowledge my good friends from the Computer Crimes Squad, New York Police
Department. We have enjoyed a marvelous relationship with the NYPD for many years, and I have
attended many certification classes with them. My friends and colleagues include Det. Dennis
Dragos, Det. Richard Macnamara, Det. Robert DiBattista, Det. Jorge Ortiz, Det. Joseph Garcia,
Lt. Dennis Lane, Lt. Felix Rivera, Det. Owen Soba, Det. Waldo Gonzalez, Det. John Crosas, and a
number of other wonderful detectives. I have also gained invaluable practical experience by working
with former Lt. John Otero, former Det. Domingo Gonzalez, and former Det. Yalkin Demirkaya.
I would also like to mention other law enforcement and government agencies that have been
marvelous friends and collaborators. They include the New York State Police, Federal Bureau of
Investigation, United States Secret Service, Central Intelligence Agency, Bundeskriminalamt, U.K.
law enforcement, and Europol.
My thanks to Mr. David Szuchman, Mr. Richard Brittson, and Mr. Steven Moran of the New York
County D.A. Office. Thanks also to Mr. Michael Delohery, Bureau Chief, High Technology Crime
Bureau, Westchester County D.A., and his colleagues.
9780789741158_forensics.indb xvii
11/20/14 10:48 PM
xviii
Special thanks to Mr. Ryan Kubasiak, an expert in Mac forensics and my good friend; Mr. Thomas
Ryan, Bristol Global; and Mr. Kenneth Citarella, one of the founding fathers of HTCIA Northeast.
Thanks also to Dr. John Collins, Chairperson; and Mr. Bill Soo Hoo, College of Professional Studies,
New Jersey City University. Ms. Bernadette Gleason, Citi, Ms. Dora Gomez, and Alex Allphin have
been tremendous supporters as well. I appreciate the professional support and guidance from my
good friend Francis X. Schroeder.
My sincere thanks to Mr. Warner Johnston and Ms. Ruth Fasoldt from the Association of Chartered
Certified Accountants USA. Their tremendous support for our work at Pace has been well noted.
I also wish to thank my friends at my alma mater, University College Dublin, Ireland. Dr. Pavel
Gladyshev and Dr. Fergus Toolan have been terrific collaborators, and it was an honor to serve as
extern examiner for their master of science in forensic computing and cybercrime investigation.
Ms. Debra Lesser, Executive Director, Justice Resource Center, has been very kind to me over
the years and has allowed me to work with many magnificent high school teachers, including
Mr. Stephen Bland, from Lehman High School. My thanks also to Ms. Gladys Aviles, Executive
Assistant, and Carolyn Morway, Civic Education Coordinator, at the Justice Resource Center.
9780789741158_forensics.indb xviii
11/20/14 10:48 PM
xix
We Want to Hear from You!
As the reader of this book, you are our most important critic and commentator. We value your
opinion and want to know what we’re doing right, what we could do better, what areas you’d like to
see us publish in, and any other words of wisdom you’re willing to pass our way.
We welcome your comments. You can email or write to let us know what you did or didn’t like about
this book—as well as what we can do to make our books better.
Please note that we cannot help you with technical problems related to the topic of this book.
When you write, please be sure to include this book’s title and author as well as your name and email
address. We will carefully review your comments and share them with the author and editors who
worked on the book.
Email:
[email protected]
Mail:
Pearson IT Certification
ATTN: Reader Feedback
800 East 96th Street
Indianapolis, IN 46240 USA
Reader Services
Visit our website and register this book at www.pearsonitcertification.com/register for convenient
access to any updates, downloads, or errata that might be available for this book.
9780789741158_forensics.indb xix
11/20/14 10:48 PM
xx
Introduction
The field of digital forensics is relatively new, and more books are being published on this subject
matter in recent times. The problem is that many of books are very technical but are lacking in terms
of the investigative skills. To be an exemplary computer forensics examiner, you need to have both
technical and investigative skills. For example, simply finding the evidence on a computer is not
good enough—you must be able to place the suspect behind the keyboard. Moreover, a good investigator must be able to think well beyond the scope of the computer. Chapter 11, “Mobile Forensics,”
is a good example of this: an investigator can retrieve an extraordinary amount of evidence about a
user’s activity on a smartphone without actually seizing the device. This book also clearly outlines
the many different skills that are beneficial in the field of computer forensics, including knowledge of
hardware, programming, and the law, as well as the ability to speak a second language and possession
of solid writing skills.
This book assumes no prior knowledge of the subject matter, and I have written it for both high
school and university students and professional forensics investigators. Additionally, other professions can clearly benefit from reading this book—it is useful for lawyers, forensic accountants,
security professionals, and others who have a need to understand how digital evidence is gathered,
handled, and admitted to court. The book places a significant emphasis on process and adherence to
the law, which are equally important to the evidence that can ultimately be retrieved.
The reader of this book should also realize that a comprehensive knowledge of computer forensics
can lead to a variety of careers. Digital forensics examiners and experts work for accounting firms,
software companies, banks, law enforcement, intelligence agencies, and consulting firms. Some are
experts in mobile forensics, some excel in network forensics, and others focus on personal computers.
Other experts specialize in Mac forensics or reverse engineering malware. The good news for graduates with computer forensics experience is that they have a variety of directions to choose from: the
job market for them will remain robust, with more positions than graduates for the foreseeable future.
This book is a practical guide, not only because of the hands-on activities it offers, but also because
of the numerous case studies and practical applications of computer forensics techniques. Case
studies are a highly effective way to demonstrate how particular types of digital evidence have been
successfully used in different investigations.
Finally, this book often refers to professional computer forensics tools that can be expensive. You
should realize that academic institutions can take advantage of significant discounts when purchasing
these products. I also included many free or low-cost forensics tools in the book, and these can be just
as effective as some of the expensive tools. You can definitely develop your own program or laboratory in a budget-conscious way.
9780789741158_forensics.indb xx
11/20/14 10:48 PM
xxi
Register this Book to unlock the data files that are needed to complete the end-of-chapter projects.
Follow the steps below:
1. Go to www.pearsonITcertification.com/register and log in or create a new account.
2. Enter the ISBN: 9780789741158
3. Click on the “Access Bonus Content” link in the Registered Products section of your account
page, to be taken to the page where your downloadable content is available.
9780789741158_forensics.indb xxi
11/20/14 10:48 PM
Chapter
9
Mobile Forensics
Learning Outcomes
After reading this chapter, you will be able to understand the following:
â–
The evolution and importance of cellphone forensics;
â–
An overview of cellular networks;
â–
The type of evidence available from cellphone carriers;
â–
Retrieving evidence from a smartphone;
â–
Conducting SIM card forensics;
â–
Analyzing cellphone operating systems;
â–
Legal considerations associated with cellphone investigations;
â–
Tablets, GPS and other mobile device forensics; and
â–
How to document a cellphone investigation.
Introduction
The field of mobile forensics has exploded in recent times and is now one of the most important areas
of research, for several reasons. First and foremost, the capabilities of cellphones have been greatly
enhanced; these devices are arguably more important than desktop or laptop computers because they
are generally always turned on and usually always mobile. Therefore, they continually record our
movements and our activities and provide tremendous insight into our behavior. Communication on a
cellphone is very different compared to a traditional computer; interestingly, criminals often say or text
things on a cellphone that they would never do on a traditional computer.
Cellphone forensics has not always been taken seriously. Even in 2008, if you had asked someone in
law enforcement about investigating cellphones, you would have typically heard that nobody in the
laboratory worked on cellphones or that cellphones did not hold anything of value. Some people might
320
9780789741158_forensics.indb 320
11/20/14 10:48 PM
Introduction
321
even have said that the only reason for cellphone forensic software was that some suspicious spouses
bought the software to see if their partner was cheating.
Hardware imaging devices have also been used for a number of years but were not originally used
for investigations. Cellebrite sold its hardware to cellphone retailers who needed a device to copy the
contents of a customer’s cellphone and its SIM card to another cellphone, usually when the customer
wanted to upgrade to a new phone. When law enforcement became involved in cellphone investigations, Cellebrite made some minor modifications and began selling many more devices.
Cellphone forensics was always important, but not many people realized its importance. This is not
surprising: The available cellphone forensic software could not work with the vast majority of cellphones. After Internet capabilities were added to cellphones, their importance to investigations grew.
With this demand came better forensic software. Suddenly, more evidence was available, including
email, Internet searches, and social networking activity. Today just about every computer forensics
laboratory has cellphone forensic capabilities. Additionally, there has been a separation of duties in
larger laboratories. For example, one investigator may be responsible for extracting evidence from
the cellphone, while another investigator might be responsible for much of the paperwork, including
subpoenas to cellphone carriers. Yet another investigator may be responsible for gathering and
analyzing data from base transceiver stations. A base transceiver station (BTS) is the equipment
found at a cell site that facilitates the communication of cellphone users across a cellular network.
Cellphone forensics has tremendous challenges, however. A huge number of cellphones still cannot
be imaged. Forensic software and hardware supports only the most popular cellphones—more than
a hundred new cellphones come to market each year, but many will never be supported by forensic
tools. Some of the most problematic cellphones to examine are the inexpensive pay-as-you-go phones
from companies like TracFone. Issues also exist with some cellphones from the other smaller cellular
companies, like Virgin Mobile, Boost, and MetroPCS.
The issue of encrypted mobile platforms and applications for mobile devices developed by companies
like Silent Circle is also relevant. The Blackphone is another challenge for investigators because the
developers claim to protect the user’s privacy through advanced encryption. Investigators also face
a plethora of operating systems running on cellphones today. An investigator working with a laptop
will generally encounter a Microsoft Windows operating system or Apple’s Mac OS X (operating
system). An investigator who obtains a cellphone, on the other hand, could encounter a Symbian, RIM,
Windows, iOS, Android, or other mobile device operating system.
In looking to the future, our dependency on cellphone forensics will only increase, and the number
of vendor-supported cellphones and tablets will expand. The vociferous market for Android and iOS
devices means that the investigator must look outside the device more—to the synced computer, to
the synced devices in the home and at work, and to the cloud. Cellphones continue to have a growing
dependence on cloud computing, which means that investigators will increasingly rely on evidence
that goes beyond the scope of the network carrier. Integrated user applications found on the cellphone,
like Facebook and Gmail, are important and will increase in importance. Moreover, we should continually think outside the box as good investigators do. For example, many smartphone users with newer
9780789741158_forensics.indb 321
11/20/14 10:48 PM
322
CHAPTER 9 Mobile Forensics
cars can pair their device to their automobile to play music and accept calls. These dashboard systems
will also often attempt to download the user’s contacts, which the investigator can later retrieve.
This chapter is called “Mobile Forensics” instead of “Cellphone Forensics” because it discusses other
mobile devices that can hold incriminating evidence, including tablets, personal media players, and
GPS devices. As always, a good digital forensics investigator needs to think beyond the obvious.
The Cellular Network
A cellular network is a group of cells. A cell refers to a geographic area within a cellular network. A
cell site is a cell tower located in a cell. When you make a call with your cellphone, you connect with
a cell tower. The communication is then transmitted to the Mobile Switching Center. The Mobile
Switching Center (MSC) is responsible for switching data packets from one network path to another
on a cellular network. If the user is calling a user on a cellular network managed by another carrier,
the call is routed from the MSC to the Public Switched Telephone Network. The Public Switched
Telephone Network (PSTN) is an aggregate of all circuit-switched telephone networks. The purpose
of the PSTN is to connect all telephone networks worldwide; this is where tolls for connecting calls
across different networks are calculated. Figure 9.1 details the path of a cellphone call.
Cellular Telephone Network
Mobile
Station (MS)
Base Station Subsystem (BSS)
Base Transceiver
Station (BTS)
Mobile Phone
and
SIM card
Base Station
Controller (BCS)
Base Transceiver
Station (BTS)
FIGURE 9.1
Network Subsystem
Mobile Switching
Center (MSC)
Public Switched
Telephone
Network (PSTN)
Service Provider’s server:
- Home Location Register (HLR)
- Visitor Location Register (VLR)
- Equipment Identity Register (EIR)
- Authentication Center (AUC)
Cellular network
Base Transceiver Station
A cell site, also known as a cell tower, can be a stand-alone tower or can be attached to a building
or other structure. The cell tower generally has an antenna with three panels on each side. Typically,
each antenna has three sides. Usually the middle panel is a transmitter, and the two outer panels are
9780789741158_forensics.indb 322
11/20/14 10:48 PM
The Cellular Network
323
receivers. The cell tower is generally over 200 feet high (see Figure 9.2). A tower can contain multiple
antennae, which are owned by different carriers. An antenna can be located on a cell tower or placed
on the side or top of a building.
FIGURE 9.2
Cell tower
Let’sGet
GetPractical!
Practical!
Let’s
Locate Local Cell Towers and Antennae
Understanding the location of cell towers and antennae is helpful, and there are resources to help.
1. Start your web browser and navigate to www.antennasearch.com.
2. In the Street Address field, type 1600 Pennsylvania Ave NW. For City, type
Washington; for State, type DC; and for Zip, type 20006; then click Go.
3. Click Process and then compare your screen to Figure 9.3.
9780789741158_forensics.indb 323
11/20/14 10:48 PM
324
CHAPTER 9 Mobile Forensics
FIGURE 9.3
Search results
4. Click the Download Records link under View Tower Results.
5. In the displayed File Download dialog box, click Open.
The unformatted results display in Excel.
6. Save the file as directed by your instructor and then Exit Excel.
7. On the antennasearch.com website, click View Tower Results.
A Google map displays. You can also click the Satellite button or the Hybrid button for a
different view. You can also use the control to zoom in on a tower.
8. Click one of the cell tower links, and then compare your screen with Figure 9.4.
9. Close your web browser.
9780789741158_forensics.indb 324
11/20/14 10:48 PM
The Cellular Network
FIGURE 9.4
325
Map of cell tower location
As previously noted, the Base Transceiver Station (BTS) is the equipment at the cell site that facilitates communication between the cellphone user and the carrier’s network. A Base Station Controller
(BSC) manages the radio signals for Base Transceiver Stations, in terms of assigning frequencies and
handoffs between cell sites. When moving through an area, several Base Transceiver Stations might
handle your call—a handoff would occur from one BTS to another. There are two types of handoff.
In a soft handoff, a cellular communication is conditionally handed off from one base station to
another, and the mobile equipment is simultaneously communicating with multiple Base Transceiver
Stations. The handoff is conditional because the signal strength on a new BTS are adjudicated. In a
hard handoff, the communication is handled by one Base Transceiver Station at a time, with no simultaneous communication.
BTS Evidence
From a computer forensics perspective, it is important to understand how a cellular network is structured so that the investigator can determine the type of evidence that can be retrieved from the carrier’s
network, even without access to the suspect’s handset. Law enforcement can request cell site records
from a carrier for a particular cellphone user that indicate where the user was, based on data retrieved
from the BTS. It is important for the investigator to specify the desired format for the evidence; getting
the information in a spreadsheet is generally more helpful because the data can be easily sorted and
analyzed. Figure 9.5 shows sample data from a BTS.
9780789741158_forensics.indb 325
11/20/14 10:48 PM
326
CHAPTER 9 Mobile Forensics
FIGURE 9.5
BTS data
To obtain evidence, law enforcement can contact the network carrier and explain the user information
that is needed as part of an ongoing investigation. The investigator should also explain to the provider
that the customer in question should not be notified about the investigation; this is covered under U.S.C.
2703(f). Law enforcement can request that the suspect’s records be preserved for 90 days, pending
acquisition of a search warrant. In the aftermath of Edward Snowden, more third-party services have
stated that they will inform the customer about these requests unless instructed not to do so by a judge.
Under U.S.C. 2307(d), law enforcement can use a court order to obtain cellular tower data.
Subscriber Evidence
In addition to BTS evidence, law enforcement can obtain subscriber information, call detail records,
and PUK codes. Subscriber records are personal details the carrier maintains about customers; they
can include name, address, alternative phone numbers, Social Security number, and credit card information. Call detail records (CDRs) are details used for billing purposes; they can include phone
numbers called, duration, dates and times of calls, and cell sites used. The PIN Unlock Key (PUK) is
an unlock reset code used to bypass the SIM PIN protection.
Mobile Station
The mobile station consists of mobile equipment (handset) and, in the case of a GSM network, a
Subscriber Identity Module (SIM). An International Mobile Equipment Identity (IMEI) number
uniquely identifies the mobile equipment or handset. The initial six or eight digits of the IMEI are
the Type Allocation Code. The Type Allocation Code (TAC) identifies the type of wireless device.
The website www.nobbi.com/tacquery.php allows an investigator to enter a TAC or IMEI to discover
details about a specific device.
The IMEI is generally found by removing the back of the cellphone and then looking under the battery,
as shown in Figure 9.6.
9780789741158_forensics.indb 326
11/20/14 10:48 PM
The Cellular Network
327
IMEI
FIGURE 9.6
IMEI on the cellphone
Let’sGet
GetPractical!
Practical!
Let’s
Locate the IMEI Through the Keypad
When looking for the IMEI, it is proper procedure to look under the battery. However, the IMEI can
be displayed through the keypad:
1. Power on your cellphone.
2. On your keypad, type *#06#.
The IMEI number should display on your GSM cellphone.
9780789741158_forensics.indb 327
11/20/14 10:48 PM
328
CHAPTER 9 Mobile Forensics
A Universal Integrated Circuit Card (UICC) is a smart card used to uniquely identify a subscriber
on a GSM or UMTS network. With a GSM network, the smart card is a SIM; with a UMTS, the smart
card is a Universal Subscriber Identity Module (USIM).
A Mobile Equipment Identifier (MEID) is an internationally unique number that identifies a CDMA
handset (mobile equipment). The MEID was previously referred to as an Electronic Serial Number
(ESN) before it was replaced by a global MEID standard around 2005. An Electronic Serial Number
(ESN) is an 11-digit number used to identify a subscriber on a CDMA cellular network. The ESN
contains a manufacturer code and a serial number that identifies a specific handset. Both the ESN
and the MEID are noted on the handset in both decimal format and hex format. The website
www.meidconverter.com allows users to convert between ESN and MEID and also view both decimal
and hex values of an ESN or MEID. Some providers, like Virgin Mobile USA, provide a lookup feature
for subscriber details using the MEID.
Many CDMA cellphones have a subsidy lock. A subsidy lock confines a subscriber to a certain cellular
network so that a cellphone can be sold for free or at a subsidized price. From a forensics perspective,
this means that the phone’s file system might not be able to be acquired with an active Service
Programming Code (SPC). For example, an iPhone may be available for as little as $99, but you are
locked into a particular carrier and a specific contract. The unlocked iPhone may actually cost over
$700 (depending on the model), but the user can easily switch carriers and is not locked into a two-year
agreement. The unlocked iPhone 4S, for example, will not work on a CDMA network, like Sprint or
Verizon; it will work only on a GSM network. Prepaid cellphone plans offered by T-Mobile and others
in which the subscriber pays full price for the phone can be unlocked. An investigator should understand this because the handset may have been used internationally with a SIM card purchased abroad.
Locked cellphones (with an SPC) are less widely available in Europe, and carrier handset subsidies are
frequently offered less. Prepaid and pay-as-you-go plans are generally more popular. In fact, in some
countries, it is illegal for a cellphone carrier to sell a locked phone.
All cellphones sold in the United States have an FCC-ID. An FCC-ID is a number issued by the
Federal Communication Commission (FCC) indicating that the handset is authorized to operate on
radio frequencies within FCC control. Figure 9.7 shows a sample FCC-ID on a handset.
The FCC-ID can be viewed by removing the back of a cellphone and taking out the battery. Investigators then can enter the FCC-ID on the FCC website (http://transition.fcc.gov/oet/ea/fccid/). After you
enter the FCC-ID, you can download a manual for the cellphone. This is important for an investigator
who might need to know about the features of the cellphone and, more importantly, wants to know how
to remove the cellphone from all networks and external communications for proper containment.
Additional information about cellphones and cellphone carriers can be obtained from the websites
www.phonescoop.com, PDAdb.net, and www.gsmarena.com.
9780789741158_forensics.indb 328
11/20/14 10:48 PM
The Cellular Network
329
FCC-ID
FIGURE 9.7
FCC-ID
SIM Card
The SIM card identifies a user on a cellular network and contains an IMSI. SIM cards are found in
cellphones that operate on GSM cellular networks and usually in iDEN network cellphones. A user
can simply add a SIM card to an unlocked cellphone. Not all U.S. cellphone carriers allow a user to
purchase a SIM card and use the handset on another network. In the European Union (E.U.), generally
all GSM-compatible cellphones can be unlocked. In fact, in some E.U. countries, it is illegal for cellphones to be locked.
The International Mobile Subscriber Identity (IMSI) is an internationally unique number on the
SIM card that identifies a user on a network. The Mobile Country Code (MCC) is the first three digits
of the IMSI. The proceeding two to three digits are the Mobile Network Code (MNC). For example,
MNC 026 for MCC 310 represents the carrier T-Mobile USA. The final part of the IMSI is the MSIN,
which consists of up to 10 digits. A Mobile Subscriber Identity Number (MSIN) is created by a
9780789741158_forensics.indb 329
11/20/14 10:48 PM
330
CHAPTER 9 Mobile Forensics
cellular telephone carrier and identifies the subscriber on the network. The Mobile Subscriber ISDN
(MSISDN) is essentially the phone number for the subscriber. The MSISDN is a maximum of 15 digits
and is comprised of the Country Code (CC), the Numbering Plan Area (NPA), and the Subscriber
Number (SN). Country Codes are relatively easy to find. For example, in the Americas the CC is
1 because it is in Zone 1. For Trinidad and Tobago, it is 1-868. European countries are in Zone 3
and Zone 4. For example, Ireland, in Zone 3, is 353, and the United Kingdom, in Zone 4, is 44. The
Numbering Plan Area for Nassau County, New York, is 516 and is also referred to as the area code.
The SIM card also includes an ICCID. The Integrated Circuit Card ID (ICCID) can be a 19- to
20-digit serial number physically located on the SIM card, or it can contain fewer numbers (see
Figure 9.8).
FIGURE 9.8
SIM card
The first two digits of the ICCID are referred to as the Major Industry Identifier (MII). The ICCID can
be accessed via the SIM card in the EF_ICCID file.
International Numbering Plans
The website www.numberingplans.com is a tremendous resource for mobile forensics examiners
working with GSM cellphones. The website provides “Number Analysis Tools”, which allow the user
to conduct an analysis of the following:
â–
Phone number
â–
IMSI number
9780789741158_forensics.indb 330
11/20/14 10:48 PM
The Cellular Network
â–
IMEI number
â–
SIM number
â–
ISPC number
331
An International Signaling Point Code (ISPC) is a standardized numbering system used to identify
a node on an international telecommunications network.
Authenticating a Subscriber on a Network
The Mobile Switching Center is where user information passes to the Home Locator Register, Visitor
Locator Register, and Authentication Center. The Home Locator Register (HLR) is a database of a
carrier’s subscribers and includes those users’ home addresses, IMSI, telephone numbers, SIM card
ICCIDs, and services used. The Visitor Locator Register (VLR) is a database of information about a
roaming subscriber. A subscriber can be found on only one HLR but can exist in multiple VLRs. The
current location of a mobile station (handset) can be found on a VLR as well. The VLR also contains
the Temporary Mobile Subscriber Identity. The Temporary Mobile Subscriber Identity (TMSI) is
a randomly generated number that is assigned to a mobile station, by the VLR, when the handset is
switched on, and is based on the geographic location.
The Equipment Identity Register (EIR) is used to track IMEI numbers and decide whether an IMEI
is valid, suspect, or perhaps stolen. The Authentication Center (AuC) is a database that contains the
subscriber’s IMSI, authentication, and encryption algorithms. The Authentication Center issues the
subscriber an encryption key that encrypts wireless communications between the mobile equipment
and the network.
Cellular Network Types
There are two types of cellular service carriers. A Mobile Network Operator (MNO) owns and
operates a cellular network. The following companies are MNOs:
â–
Verizon
â–
T-Mobile
â–
Sprint/Nextel
â–
AT&T/Cingular
A Mobile Virtual Network Operator (MVNO) does not own its own cellular network, but operates
on the network of a Mobile Network Operator. For example, Virgin Mobile USA has its own cellular
service but operates on the Sprint Network. This means that two warrants may be needed for an investigation: one for Sprint (the MNO) and one for Virgin Mobile USA (the MVNO) to obtain a suspect’s
records. The following companies are MVNOs:
9780789741158_forensics.indb 331
11/20/14 10:48 PM
332
CHAPTER 9 Mobile Forensics
â–
Virgin Mobile USA
â–
Net10
â–
MetroPCS
â–
TracFone
â–
Cricket
â–
SIMPLE Mobile
â–
Boost Mobile
Evolution of Wireless Telecommunications Technologies
Cellular telecommunication technologies include 2G (second-generation), 3G (third-generation), and
4G (fourth-generation) communications. It is important to note that the term cellular telephone network
is not used here because 3G and 4G cellular networks also support mobile broadband Internet services.
Consumers utilizing these services can operate on cellular networks with either a Mi-Fi router or a
plug-and-play USB device. My Wireless Fidelity (Mi-Fi) is a portable wireless router (see Figure 9.9)
that provides Internet access for up to five Internet-enabled devices and communicates via a cellular
network.
FIGURE 9.9
Virgin Mobile USA Mi-Fi mobile hotspot
9780789741158_forensics.indb 332
11/20/14 10:48 PM
The Cellular Network
333
4G is the latest wireless telecommunications standard and supports high-speed large data transmission
rates. 4G Long Term Evolution (LTE) Advanced is a high-mobility broadband communication that
is suitable for use on trains and in other vehicles. Motorola Mobility, which was purchased by Google
in 2011, holds the patent for this technology. 4G LTE was first implemented in Oslo (Norway) and
Stockholm (Sweden).
The International Telecommunication Union (ITU) is an agency of the United Nations that produces
standards for information and communication technologies. The ITU is comprised of 193 members
and more than 700 private sector and academic institutions.
Time Division Multiple Access (TDMA)
Time Division Multiple Access (TDMA) is a radio communication methodology that enables devices
to communicate on the same frequency by splitting digital signals into time slots, or bursts. Bursts are
data packets that are transmitted on the same frequency. 2G GSM networks use the TDMA method of
communication.
Global System for Mobile Communications (GSM)
Global System for Mobile Communications (GSM) is an international standard for signal communications, which uses TDMA and Frequency Division Duplex (FDD) communication methods. Thus,
GSM cellular telephones use bursts. GSM was created by the European Telecommunications Standards Institute (ETSI), which was primarily designed by Nokia and Ericsson. The latest and fastest
GSM standard is 4G LTE Advanced. 3G GSM networks use Universal Mobile Telecommunications
System (UMTS) and Wide Band CDMA (WCDMA) for communication. WCDMA is a high-speed
signal transmission method based on CDMA and FDD methods. TDMA is often described as the
precursor to the GSM protocol, although the two networks are incompatible. T-Mobile and AT&T use
GSM networks in the United States.
When unlocked, GSM handsets can be used on international networks by simply purchasing a SIM
card locally and activating the SIM card with a local carrier. This is important to know because a
suspect could have used a GSM phone internationally, so evidence could have been when the SIM card
was switched.
It should be noted that Karsten Nohl, PhD, has written extensively about security vulnerabilities associated with GSM. Nohl has presented a formula for breaking the A5-1 encryption, which GSM cellphones operating on the T-Mobile and AT&T networks use.
3GP is an audio/video file format found on mobile phones operating on 3G GSM cellular networks.
This standard was developed by the 3rd Generation Partnership Project. 3rd Generation Partnership
Project (3GPP) is a collaboration of six telecommunications standards bodies and a large number
of telecommunications corporations worldwide that provide telecommunication standards. The scope
of their work includes Global System for Mobile Communication (GSM), General Packet Radio
Service (GPRS), and Enhanced Data rates for GSM Evolution (EDGE). More information about 3GPP
is available at www.3gpp.org. General Packet Radio Service (GPRS) is packet-switching wireless
9780789741158_forensics.indb 333
11/20/14 10:48 PM
334
CHAPTER 9 Mobile Forensics
communication found on 2G and 3G GSM networks. Enhanced Data rates for GSM Evolution
(EDGE) is a high-data-transfer technology found on GSM networks. EDGE provides up to three
times the data capacity of GPRS.
Universal Mobile Telecommunications System (UMTS)
Universal Mobile Telecommunications System (UMTS) is a 3G cellular network standard that is
based upon GSM and was developed by 3GPP. As previously noted, UMTS cellphones utilize a USIM
smart card to identify the subscriber on a network. From a forensics perspective, a USIM can store
more files than a SIM card. Communication across the network is via the wideband WCDMA protocol.
Code Division Multiple Access (CDMA)
Code Division Multiple Access (CDMA) is a spread-spectrum communication methodology that uses
a wide bandwidth for transmitting data. This technology, developed by Qualcomm, does not share
channels; it uses multiplexing techniques. Multiplexing is where multiple signals are transmitted
simultaneously across a shared medium. A fiber optic is an example of a shared medium that can use
multiplexing. CDMA2000 is a 3G technology that uses the CDMA communications protocol. CDMA
technology is used by Verizon and Sprint on their U.S. nationwide cellular networks.
3GP2 is an audio/video file format found on mobile phones operating on 3G CDMA cellular networks.
This standard was developed by the 3rd Generation Partnership Project 2. 3rd Generation Partnership Project 2 (3GPP2) is a partnership of North American and Asian 3G telecommunications
companies that develop standards for third-generation mobile networks, including CDMA. For more
information about the work of 3GPP2, its partners, and its members, visit www.3gpp2.org.
Integrated Digital Enhanced Network (iDEN)
Integrated Digital Enhanced Network (iDEN) is a wireless technology developed by Motorola that
combines two-way radio capabilities with digital cellphone technology. iDEN is based on TDMA.
Nextel introduced Push-to-talk, which used iDEN, in 1993, to enable subscribers to use their cellphones like a walkie-talkie (or two-way radio). When using the cellphone with the Push-to-talk feature,
cell towers are not used. iDEN is a proprietary protocol, unlike all the other major cellular networks,
which use standard open protocols.
SIM Card Forensics
The two primary functions of a SIM card are to identify the subscriber to a cellular network and to
store data. We have already discussed the mechanism by which the IMSI on the SIM identifies a user
on a GSM or iDEN network. More important to the investigator is the SIM card’s storage of important
evidence. A SIM is essentially a smart card that is comprised of a processor and memory.
9780789741158_forensics.indb 334
11/20/14 10:48 PM
The Cellular Network
335
SIM Hardware
SIM cards have different form factors. The Mini-SIM is 25mm × 15 mm, and the Micro-SIM is 15mm
× 12mm. There are also embedded SIM cards. Printed on the outside is a unique serial number called
an ICCID. The serial interface is the area where the SIM card communicates with the handset, as in
Figure 9.10.
Serial Interface
FIGURE 9.10
Serial interface
SIM File System
The Electronically Erasable Programmable Read Only Memory (EEPROM) is where the hierarchical
file system exists. The operating system, user authentication, and encryption algorithms are found on
the SIM card’s read-only memory (ROM).
There are three primary components of the file system:
1. Master File (MF) that is the root of the file system
2. Dedicated Files (DFs), which are basically directories
3. Elementary Files (EFs), where the data is held
The latter is where investigators can retrieve a tremendous amount of subscriber information. Abbreviated Dialing Numbers (ADN) contains the contact names and numbers entered by the subscriber.
On the SIM, these contacts are located in the folder EF_ADN. Forbidden Public Land Mobile
Network (FPLMN) refers to cellular networks to which a subscriber attempted to connect but was
not authorized to do so. This information can be found in EF_FPLMN. This data can assist investigators
who want to know where a suspect was located, even if he or she was unsuccessful in connecting to a
network. Last Numbers Dialed (LND) refers to a list of all outgoing calls made by the subscriber. The
9780789741158_forensics.indb 335
11/20/14 10:48 PM
336
CHAPTER 9 Mobile Forensics
folder EF_LND holds this information. EF_LOCI contains the Temporary Mobile Subscriber Identity
TMSI, which is assigned by the Visitor Locator Register (VLR). The TMSI represents the location
where the mobile equipment was last shut down. The TMSI is four octets long and will make no sense
to the investigator. However, the investigator could contact the carrier for assistance with determining
the location represented by the TMSI. Table 9.1 provides the definitions of the acronyms used in the
SIM file system.
TABLE 9.1 SIM File System Acronyms
Acronym
Definition
EF_ADN
Abbreviated Dialing Numbers (ADN)
EF_FPLMN
Forbidden Public Land Mobile Network (FPLMN)
EF_LND
Last Numbers Dialed (LND)
EF_LOCI
Area where the user last powered down the phone
EF_SMS
Short Message Service (SMS)
Figure 9.11 shows the SIM directory structure.
MF (Master
File)
DF (Directory)
Telecom
DF (Directory)
GSM
EF_ADN
EF_SMS
EF_LOCI
EF_LND
EF_FPLMN
FIGURE 9.11
SIM directory structure
9780789741158_forensics.indb 336
11/20/14 10:48 PM
The Cellular Network
337
Access to the SIM
Gaining access to the data on a SIM is challenging if the SIM card has been PIN protected. A PIN on
a SIM is usually four digits long but can be up to eight digits. An investigator has three attempts to get
the PIN correct before the SIM is locked. After that, the device prompts for a PUK (Pin Unlock Key)
or PUC (Personal Unblocking Code. An investigator can request a PUC from the carrier. A Personal
Unblocking Code (PUC) is a code that is available from the carrier and allows a user to remove the
PIN protection from the SIM card.
Note
NOTE
A user can go online and change the PUK. The investigator then would be unable to access the
contents of the SIM without the cooperation from the subscriber.
SIM Card Clone
Similar to hard disk drive cloning, an investigator often chooses to clone a SIM card instead of examining the original SIM card. As a best practice, a SIM card clone should be used in the investigation in
place of the original. Most cellphone forensic tools enable the investigator to clone a SIM card.
Types of Evidence
The range of evidence available from a cellphone is quite different from what can be acquired from a
laptop or desktop. One of the primary differences is the existence of SMS and MMS messages, which
the following section explains in detail.
Short Message Service (SMS)
Short Message Service (SMS) is a text message communication service found on mobile devices.
These text messages can be found in memory on a mobile handset or on a SIM card in the handset.
SMS messages are mostly saved on the handset, but when stored on the SIM card, they can be found
in the DF_TELECOM file.
An investigator can determine whether an SMS message has been read, deleted, or sent based on the
status flag. The byte value changes based on the status of the message. Table 9.2 identifies the values
of the status flag and their meanings.
TABLE 9.2 Values and Descriptions of the Status Flag Value
Status Flag Value (Binary)
Description
00000000
Deleted message
00000001
Read message
00000011
Unread message
00000101
Sent message
00000111
Unsent message
9780789741158_forensics.indb 337
11/20/14 10:48 PM
338
CHAPTER 9 Mobile Forensics
When viewing the text message with a hex editor, an unread SMS message begins with 11, a deleted
message begins with 00, and so forth.
Multimedia Messaging Service (MMS)
Multimedia Messaging Service (MMS) is a messaging service found on most cellphones that allows
the user to send multimedia content, like audio, video, and images. Using a cellphone forensics tool,
the investigator can carve this multimedia content out of the user’s messages. MMS can be retrieved
from a SIM or from the mobile device.
Handset Specifications
Knowledge of handset hardware helps an investigator know how to safely secure the device after it has
been seized. As previously noted, the investigator can research the FCC-ID on the handset online to
identify the features of the mobile device.
Memory and Processing
Cellphones contain a microprocessor, ROM chip, and random access memory (RAM). The operating
system is located in ROM. Secure Digital (SD) cards, particularly microSD cards, are frequently found
in smartphones as well. They can contain the following data:
â–
Photos
â–
Videos
â–
Apps
â–
Maps
Many smartphones today are opting not to use a removable SD card, but instead use an internal
Embedded Multimedia Card (eMMC). This memory uses FAT32.
Battery
Four types of cellphone batteries primarily are used: lithium ion (Li-Ion), lithium polymer (Li-Poly),
nickel cadmium (NiCd), and nickel metal hydride (NiMH). The iPhone and BlackBerry Curve use a
lithium ion battery, which is lightweight compared to other batteries.
Other Hardware
Cellphones vary from model to model, but they also generally have a radio module, digital signal
processor, liquid crystal display (LCD), microphone, and speaker. Some models also have a built-in
keyboard.
9780789741158_forensics.indb 338
11/20/14 10:48 PM
Mobile Operating Systems
339
Accelerometer
Another feature that is frequently found on cellphones today is an accelerometer. An accelerometer
is a hardware device that senses motion or gravity and reacts to these changes. For example, the accelerometer facilitates a screen flip when the device is turned sideways or upside-down. Moreover, the
accelerometer enhances the gamer’s experience by allowing the user to turn and move by changing
the angle of the device. The accelerometer has become popular since its integration into the iPad and
iPhone.
Camera
Most cellphones today come with a digital camera that has still photo and video capabilities. Most
smartphones possess features that allow the user to take a photo and quickly upload that picture to a
social networking site like Facebook. In terms of video, many smartphones enable the user to upload
content directly to sites like YouTube. Many smartphones also embed the latitude and longitude of
where the photograph was taken: Most Android cellphones do this by default.
Mobile Operating Systems
As noted in earlier chapters, the purpose of an operating system (OS) is to manage the resources of an
electronic device—usually, a computer. A cellphone’s OS is found in a ROM chip on the phone. From
a computer forensics perspective, knowledge of an OS helps an investigator understand what type of
evidence can be retrieved, the tools required to retrieve the evidence, and where to find the evidence.
The problem for investigators is that mobile devices have so many different operating systems than do
traditional computers. It is helpful to have at least one investigator in your lab become a registered app
developer so that you can access the beta version of the latest mobile operating system version. This
gives you more time to plan and adjust for new security enhancements and changes to system files.
Android OS
Android is an open source operating system based on the Linux 2.6 kernel. In 2005, Google acquired
Android. Android is maintained by the Open Handset Alliance (OHA), a collaborative group of telecom
companies, mobile phone manufacturers, semiconductor, and software companies.
The Android OS is found on smartphones, tablets, and many other consumer electronics. Smartphones
running on the Android platform can be found on the GSM, CDMA, and iDEN cellular networks.
Android phones have tremendous capabilities, thanks to the numerous apps available from the Android
market. However, this wealth of functionality comes at a price when it comes to battery life, and an
investigator should be aware of this. Also bear in mind that a tablet could also have cellular capabilities. Numerous tablets run on Android OS, including Samsung’s popular Galaxy Tab and eReaders,
such as Amazon’s Kindle.
9780789741158_forensics.indb 339
11/20/14 10:48 PM
340
CHAPTER 9 Mobile Forensics
Android is widely found in the auto industry. The Shanghai Automotive Industry Corporation (SAIC)
now runs its media entertainment on the Android platform. The Audi 8 uses both Google Maps navigation and Google Earth. The Nevada Department of Vehicles has approved Android for use in its
self-driving cars. Ford Motor Company and General Motors have also adopted Android for use in their
cars, and the Renault Clio and Zoe have a 7-inch touch-screen dashboard device running on Android.
Android can also be found in home appliances. Dacor has an Android-powered oven, for example, that
operates based on recipes from a tablet. Android has been integrated into refrigerators, which can scan
the barcode on food labels and monitor the freshness of items left in the refrigerator; these refrigerators
also assist consumers with a diet application and help complete a grocery list. Some air conditioners
run on the Android OS and allow for remote control and operation, and a certain LG washer and dryer
appliances runs on Android. In the future, we are likely to see what amounts to an Android ecosystem.
Android File System
An Android device has two types of memory: RAM and NAND. As on a regular computer, RAM is
volatile memory and may contain evidence that includes the user’s passwords. NAND is nonvolatile
flash memory. A page or a chunk on NAND can be anywhere from 512K to 2048K. Android supports
a number of file systems, including Ext4, FAT32, and YAFFS2 (Yet Another Flash File System 2). The
Ext4 file system can be found on the Google Nexus S and appears to be supplanting the YAFFS2 file
system. YAFFS2 is an open source file system that was developed for use with NAND flash memory.
Currently, a forensic analyst must download the YAFFS2 source code and review the files in a hex
editor.
Microsoft’s FAT32 file system resides on Android devices; the FAT32 file system is found on microSD
cards, which are common in many Android handsets. The Linux file system driver for FAT32 is called
VFAT. Android apps also often are run from the microSD card.
The most valuable evidence on an Android is in the libraries, especially the SQLite databases. A
SQLite database is an open source relational database standard, which is frequently found on mobile
devices. The development and maintenance of SQLite is sponsored by the SQLite Consortium, which
includes Oracle, Nokia, Mozilla, Adobe, and Bloomberg.
Samsung Galaxy
Apple may have the lion’s share of the tablet market, but the Samsung Galaxy is the top-selling smartphone. The company has sold well more than 100 million units. Less than a month after its release,
Galaxy S4 sales surpassed the 10 million units sold marker, which translates to 4 units sold every
second. The S4 includes a new feature called Dual Shot that enables the user to simultaneously take a
picture with the front and rear cameras on the device. Users can also add sound to a photo. A feature
known as Group Play allows multiple owners of the S4 to share music, photos, and documents, and also
play games together. The user can also create special albums with a narration to go with the pictures,
9780789741158_forensics.indb 340
11/20/14 10:48 PM
Mobile Operating Systems
341
called Story Album. S Voice is a voice-activated artificial intelligence that comes with Samsung Galaxy
S3, the S4, and certain Galaxy Note tablets. The feature is similar to Apple’s Siri.
Released in September 2013, the Samsung Galaxy Gear is a watch that connects to the Galaxy smartphone. The watch comes complete with a 1.9-megapixel camera, allows 720p video recording, contains
4GB of memory, and supports Bluetooth. This smart watch allows the user to place and answer calls
directly through the watch. Therefore, when seizing a Samsung Galaxy smartphone or tablet, the investigator must be aware that a paired watch may also need to be seized.
Spring 2014 saw the release of the Samsung S5. The impressive part of this device is its 16-megapixel
camera with UHD 4K video recording at 30 fps. The device also comes with a fingerprint scanner,
which can pose accessibility issues for investigators. The device has a heart rate monitor as well,
to help with personalization and prove ownership of the smartphone. The S5 runs on Android 4.4.2
KitKat. Like its predecessor, this device also syncs to a smart watch called Gear 2 Neo.
Android Evidence
Investigators can extract evidence from an Android smartphone in four ways:
1. Logical (hardware/software)
2. Physical (hardware/software)
3. Joint Test Action Group (JTAG)
4. Chip-off
Some mobile forensic software supports logical acquisition of a smartphone, which means that only
user data can be recovered, not system files. Optimally, the investigator should acquire a physical
image when possible. A physical image is generally acquired from a backup or by pushing an exploit
to the device. To retrieve the user files on an Android, the Data Partition must be accessed by rooting
the device.
Joint Test Action Group (JTAG)
Joint Test Action Group (JTAG) is an IEEE standard (IEEE 1149.1) for testing, maintenance, and
support of assembled circuit boards. JTAG has become increasingly important as a way to bypass
security and encryption on a smartphone to obtain a physical dump of the phone’s data.
The RIFF box in Figure 9.12 is used to acquire the data from the circuit board on the cellphone. A full
dump of NAND memory can be obtained. The connectors are carefully soldered onto the JTAG points
on the circuit board. Voltage can be applied to the circuit board using a cellphone battery and can be
monitored using a voltmeter.
9780789741158_forensics.indb 341
11/20/14 10:48 PM
342
CHAPTER 9 Mobile Forensics
FIGURE 9.12
JTAG acquisition with a RIFF box
Chip-Off
When mobile forensics software or a UFED Touch cannot be used, JTAG is the next course of action.
The last resort available to the investigator, when all else fails, is chip-off. Very few computer forensics
labs conduct chip-off because of the high costs involved and because the skills required create a significant barrier to entry; this method is also not always successful. Chip-off can be used to circumvent
encryption on many different circuit boards or be used to access data on a chip when the circuit board
has been damaged. The chip can be removed from the board by applying hot air or infrared to the
soldered pins. The chip can then be added to an adapter (see Figure 9.13) and read.
9780789741158_forensics.indb 342
11/20/14 10:48 PM
343
Mobile Operating Systems
FIGURE 9.13
Chip adaptors
Android Security
Users can secure their Android smartphone in these ways:
â–
PIN-protection (a numeric PIN number);
â–
Password (alpha-numeric);
â–
Pattern lock, where a finger is used to secure the device with gestures (swiping motion); and
â–
Biometrics (an iris or retina scan, or perhaps facial recognition).
The pattern lock is also referred to as a gesture. The user swipes a 3×3 grid (9 dots) on the smartphone
screen, and no dot can be swiped more than once. This means that working out the user’s gesture is not
too difficult. The 20-byte hex value found in gesture.key file can be added to a free tool produced
by viaForensics, called viaExtract, to determine the pattern lock. The path to this gesture file is
data/system/gesture.key. The file is encrypted with a SHA-1 hash algorithm. To obtain the
gesture, a physical image of the device is conducted.
Password protection can be the most difficult to crack. The file where the password is stored can be
found here: data/system/pc.key. An investigator can attempt to crack the password using brute force or
can use a dictionary attack.
9780789741158_forensics.indb 343
11/20/14 10:48 PM
344
CHAPTER 9 Mobile Forensics
A PIN on an Android has a maximum of eight digits. After the user unsuccessfully enters the PIN a
number of times, then the user is requested to enter the Gmail login and password.
Some biometric, third-party solutions rely on facial recognition. Interestingly, this type of security can
be bypassed by using a photo of the suspect’s face to unlock the device.
An investigator should also consider searching for the latest security vulnerabilities associated with
Android and other mobile device platforms. Security flaws, as well as application vulnerabilities, are
regularly uncovered and made public online and may provide an opportunity to gain access to valuable
evidence. Of course, investigators must decide whether an approach is forensically sound.
Android Forensics Tools
Many different Android forensics tools are available. viaForensics is one organization that produces
free tools, such as Santoku, which enables the examiner to image an Android device. The company
also produces AFLogical, which performs a logical acquisition of Android 1.5 or higher. The data
acquired is stored on a blank SD card.
Android Applications (Apps)
Android applications (apps) are developed in Java and have an .apk file extension. For Google Play
to accept an Android application, a signed certificate must be associated with the application. Applications run in a Dalvik Virtual Machine (DVM) and have a unique user ID and process. This enforces
application security and prevents data sharing with other apps. Especially helpful for the investigator is
the fact that the date and time when an app is executed are stored on the device. It is the developer that
decides what data will be shared, and therefore the data that the examiner can retrieve is only as good
as what the developer has made available.
The developer has four choices for data storage:
1. Preference
2. Files
3. SQLite database
4. Cloud
SQLite databases can be a great source of evidence for the investigator. The following tools retrieve
data from these relational databases:
â–
SQLite Database Browser (http://sqlitebrowser.sourceforge.net/)
â–
SQLite Viewer (www.oxygen-forensic.com/en/features/sqliteviewer/)
â–
SQLite Analyzer (www.kraslabs.com/sqlite_analyzer.php)
9780789741158_forensics.indb 344
11/20/14 10:48 PM
Mobile Operating Systems
345
Every time an Android user walks past a Wi-Fi hotspot, that hotspot is recorded on that device,
regardless of whether the user attempted to connect to that device. This information can be retrieved
from Cache.WiFi. The data retrieved from this file can be used to map out where a user was moving
from and to. Third-party applications have used this locational information to track where users go
and as a basis for other applications, like traffic alert services. Therefore, an investigator should also
consider the locational data being recorded by third-party apps.
Facebook is one of the most popular apps found on smartphones. It is important to know that just about
all the information stored in a user’s online profile can be found in that user’s smartphone or tablet.
Fb.db is the SQLite database that contains a user’s Facebook contacts, chat logs, messages, photos,
and searches.
A user’s login and password for Exchange can be found in plain text at the following path:
/data/data/com.android.email/databases/EmailProvider.db. A user’s Gmail login and
password can also be found in plain text at com.google.android.gm.
Android smartphones come with a GPS application for turn-by-turn directions, called Navigation. The
SQLite database associated with Navigation is Da_destination.db. This file contains the sound
files (WAV) that can be played to determine the directions a suspect took.
Of course, there is also cellular telephone evidence. SMS and MMS can be found at
/data/data/com.android.providers.telephony. This file includes the sender, recipient, read
status, pictures, and audio/video files. MMS can be found at /data/data/com.android.mms.
Symbian OS
Symbian is a mobile device operating system developed by Nokia and currently maintained by
Accenture. Symbian was the most popular mobile operating system as of 2012, although Android was
the fastest-growing OS. Symbian OS can be found on Nokia, Sony Ericsson, Samsung, and Hitachi
handsets, to name but a few. However, Nokia has been moving away from Symbian OS, in favor of
Windows OS. Nokia has transferred support for Symbian OS to Accenture.
Research in Motion (RIM)
RIM OS is the operating system developed by Research in Motion (RIM) for use on BlackBerry
smartphones and tablets. Although they are limited, BlackBerry APIs are available to allow for thirdparty development. The BlackBerry OS is now open source system, however.
Because many organizations issue their employers BlackBerry devices, these smartphones can provide
a wealth of evidence. The BlackBerry was developed with corporate productivity in mind, so this
device can attain Internet access through a carrier’s data plan but can also work in Wi-Fi hotspots. In
fact, with BlackBerry 7.1 OS, the device can connect to a hotspot and then become a mobile hotspot
for up to five devices. BlackBerry Tablet OS is an operating system developed for the BlackBerry
PlayBook tablet computer. Unlike Google’s Android OS, which runs on handsets manufactured by a
wide variety of providers, RIM OS works only on BlackBerry devices.
9780789741158_forensics.indb 345
11/20/14 10:48 PM
346
CHAPTER 9 Mobile Forensics
It is important for an investigator to understand that, even without access to the BlackBerry handset,
the investigator can access a wealth of handset evidence from the computer that a suspect or victim
synced to. An IPD Backup File is file backup from a BlackBerry that is found on a synced computer
or medium. The files can be recognized by their .ipd file extension. More importantly, these IPD files
are unencrypted and might be more accessible from a computer than from the device itself (which
could be PIN protected).
Many tools available allow an investigator to parse, view, and search through these files. One tool is
Elcomsoft Blackberry Backup Explorer. The software works with the IPD files on a Mac or Windows
computer and can extract email, SMS, MMS, call logs, Internet activity, appointments, photos, and
other user-created files. Elcomsoft also produces a password recovery utility for purchase. Figure 9.14
shows an image of the BlackBerry Curve, which is still a popular smartphone.
FIGURE 9.14
BlackBerry Curve
9780789741158_forensics.indb 346
11/20/14 10:48 PM
Standard Operating Procedures for Handling Handset Evidence
347
Windows Phone
Windows Phone is a Microsoft operating system that can be found on personal computers, mobile
phones, and tablets. It resides on mobile phones manufactured by HTC, Samsung, Nokia, and others.
Examining Windows smartphones can be problematic and often requires JTAG to download data from
the handset. The good news is that the files downloaded using JTAG are NTFS and do not need to
be converted. Internet Explorer Mobile is the web browser, based on Internet Explorer 9, found on
Windows Phone devices. People Hub is an address book tool found on Windows Phone devices that
can synchronize contacts from social networking sites like Facebook, Twitter, and LinkedIn. Windows
Phone supports POP and IMAP email protocols, including Hotmail, Gmail, and Yahoo! Mail, and can
sync contacts and calendars from these services. Zune is the application used for managing multimedia
files on Windows Phone devices. As one would expect, .WMV files are supported, but so too are AVI,
MP4, MOV, and 3GP/3G2 file formats.
Windows Phone Applications
Bing Mobile is the search engine included with Windows Phone. Tellme is a Microsoft tool found on
Windows Phone, which is used for voice recognition commands for Bing searches, to call contacts or
to activate applications. Bing Maps is a vehicle navigation system that comes with Windows Phone.
Office Hub coordinates Microsoft Office applications and documents. Microsoft Office Mobile
includes Excel Mobile, Word Mobile, PowerPoint Mobile, and SharePoint Workspace Mobile, all of
which are compatible with the desktop versions of Microsoft Office.
Other Mobile Operating Systems
There are some other operating systems that an investigator may encounter. Bada is an operating
system that was developed by Samsung Electronics. Handsets that run Bada OS usually have “Wave”
in the name. Some mobile phones also run Linux OS. For example, the Nokia N900 smartphone’s
operating system is Maemo 5, which is Linux based, but it can run full Linux OS. Some people refer
to this device as a “hacker phone.”
Standard Operating Procedures for Handling
Handset Evidence
Laboratories and their investigators must use best practices for cellphone examinations. Luckily,
guidelines are available to use as the basis for the laboratory’s standard operating procedures (SOP).
An organization’s SOP varies from place to place primarily as a result of differences in organizational budgets; this then impacts the resources (equipment, personnel, training, and so on) the lab has
available.
When documenting the examination of a cellphone, it is important to document every person who
came in contact with the device. For example, some onsite police are instructed to place a handset into
9780789741158_forensics.indb 347
11/20/14 10:48 PM
348
CHAPTER 9 Mobile Forensics
Airplane Mode when it is seized, and that needs to be documented; if the device was dusted for fingerprints before its arrival at the computer forensics lab, that also should be a part of the investigative
report.
National Institute of Standards and Technology
The National Institute of Standards and Technology (NIST) provides standard operating procedures
for a variety of scientific practices, including cellphone forensics. NIST Special Publication 800-101
Revision 1 (final) issued guidelines on cellphone forensics in 2014. NIST is a well-recognized organization, and computer forensics investigators should be familiar with its guidelines.
Four steps are involved in a forensic examination:
1. Preservation
2. Acquisition
3. Examination and analysis
4. Reporting
NIST Resources for Tool Validation
The first point to make is that, as with every other forensic tool in a computer forensics lab, all tools
should be validated prior to their use in investigations. It is essential to use test data and follow a set
of investigative protocols to determine the data that can be extracted. Comparisons also should be
made with other cellphone tools. Questions about this validation process may arise during a court trial.
Validation also incorporates the use of cryptographic hashes, like MD5 or a SHA1 or a SHA2 hash,
to ensure that the results from using a particular tool can be reproduced with the exact same outcome.
During the validation process, error rates should be clearly documented.
NIST provides examiners with tremendous resources to assist with testing tools. The Computer Forensic
Tool Testing (CFTT) project provides guidelines for testing computer forensics tools, including test
criteria, test sets, and test hardware. More information can be found at www.cftt.nist.gov/.
The National Software Reference Library (NSRL) provides guidance on effectively using technology
in investigations that require the examination of digital evidence. More information can be found at
www.nsrl.nist.gov/.
NIST has provided test datasets of digital evidence. The Computer Forensic Reference Data Sets
(CFReDS) for digital evidence are test data that can be used to validate forensic tools, test equipment,
and train investigators. More information is available at www.cfreds.nist.gov/.
Computer forensics investigators should also be familiar with the U.S. Department of Justice’s NIJ
report Electronic Crime Scene Investigation: A Guide to First Responders. This is a general guide to
computer forensic investigations.
9780789741158_forensics.indb 348
11/20/14 10:48 PM
349
Standard Operating Procedures for Handling Handset Evidence
The Association of Chief Police Officers (ACPO) and other standards have noted the importance of
making sure evidence is not changed after it is subjected to an examination. According to the ACPO:
No actions performed by investigators should change data contained on digital devices or storage
media that may subsequently be relied upon in court.
With cellphones, a fundamental problem arises when it comes to a forensics. Cellphones generally
have small onboard memory capacity, so memory utilization and compression is essential. This,
coupled with the fact that these devices are continually connected to a cellular network, means that the
data on a cellphone is continually changing. When a computer forensics examiner attempts to extract
evidence from a cellphone, changes can be made to the cellphone. What is important to remember is
that the user-created data can remain unaltered when using best practices. Therefore, the evidence is
admissible when the process is documented appropriately. Some investigators still contend that “cellphone forensics” does not exist and that there are only “cellphone examinations.”
Preparation and Containment
Containing a cellphone should be a careful but expeditious process. According to the U.S. Department
of Justice (NIJ) guidelines, in the Electronic Crime Scene Investigation—A Guide for First Responders
book, investigators should follow these steps:
â–
Securing and evaluating the scene—Steps should be taken to ensure the safety of individuals
and to identify and protect the integrity of potential evidence.
â–
Documenting the scene—Investigators should create a permanent record of the scene,
accurately recording both digital-related and conventional evidence.
â–
Evidence collection—Traditional and digital evidence should be collected in a manner that
preserves its evidentiary value.
â–
Packaging, transportation, and storage—Investigators should take adequate precautions
when packaging, transporting, and storing evidence, to maintain the chain of custody.
Therefore, the investigator should first document the crime scene, including making notes and taking
photographs. The investigator should then properly contain the cellphone. Proper containment means
removing the device from the network. The following containers can be used to remove the device
from wireless networks:
â–
Faraday box
â–
RF Shield box
â–
MFI Shielding Cloth (see Figure 9.15)
9780789741158_forensics.indb 349
11/20/14 10:48 PM
350
CHAPTER 9 Mobile Forensics
â–
Paraben StrongHold bag (see Figure 9.16)
â–
Arson can
FIGURE 9.15
MFI Shielding Cloth
A Faraday box can be expensive, whereas an arson can may serve as a cheaper option and still be very
effective. An even cheaper alternative is tin foil. Some investigators place a cellphone in a Faraday box
but leave a cable hanging out, to continue charging the phone. The problem is that a charging cable can
actually work like an aerial. The issue with containment of a cellphone is that the device will boost the
signal in an attempt to connect to the cellular network, which drains the battery faster. Smartphones,
like the iPhone and Android phones, will require frequent charging because of the number of applications that simply drain the battery faster. Once the phone shuts down, there is the risk of encountering
a user’s handset PIN or a SIM card PIN (or both).
9780789741158_forensics.indb 350
11/20/14 10:48 PM
Standard Operating Procedures for Handling Handset Evidence
FIGURE 9.16
351
Paraben StrongHold bag
Forensic Shield Box
Concentric Technology Solutions produces a series of RF Shield Boxes for securing cellphones and
blocking external signals (ramseyforensicbox.com). These Shielded Test Enclosures not only prevent
wireless signals from being received by the device, but also include a power source for the devices
housed in the box. The boxes can be padlocked for additional security. The box is also illuminated and
fitted with gloves so that the investigator can examine the cellphone in the box. Ports can also be added
to the box so that they can be imaged without removing the device. Additionally, investigators can use
a feature that allows them to record video and audio of the examination of the device in the box.
9780789741158_forensics.indb 351
11/20/14 10:48 PM
352
CHAPTER 9 Mobile Forensics
Wireless Capabilities
Today’s cellphones have many wireless capabilities. Apart from cellular communications, many cellphones have infrared (IrDA), Wi-Fi, or Bluetooth wireless capabilities built in. This is important to
remember when containing a cellphone device.
A cellphone can also be properly contained by doing the following:
â–
Remove the SIM card (if it has one)
â–
Change setting to Airplane Mode
â–
Disable the wireless connection
â–
Disable the Bluetooth connection
Using the FCC-ID and finding the cellphone’s manual can help with finding the wireless capabilities of
the device and removing the device from all potential wireless connections.
Let’sGet
GetPractical!
Practical!
Let’s
Identify the Features of a Cellular Phone
Detailed information about all devices operating on frequencies controlled by the FCC is available
online. You will need Adobe Reader installed to complete this practical.
1. Start your web browser and navigate to http://transition.fcc.gov/oet/ea/fccid/.
Ensure that any Pop-Up Blocker feature on your web browser is disabled.
2. Using your own cellphone, remove the back of the device and then remove the battery so
that the FCC-ID on the device is displayed.
3. Enter the FCC-ID in the Grantee Code box and in the Product Code box, as shown in
Figure 9.17.
4. Click the Search button.
5. Review the displayed documents, and then document the features of the device, including
wireless features and the type of network it operates on (for example, CDMA or GSM).
6. Submit the report as directed by your instructor.
9780789741158_forensics.indb 352
11/20/14 10:48 PM
Standard Operating Procedures for Handling Handset Evidence
FIGURE 9.17
353
FCC-ID lookup page
Some organizations use signal jammers in their computer forensics labs to block all radio transmissions and interference with cellphones. However, the FCC has reiterated that these devices are illegal
to use, even for law enforcement, because in an emergency situation, a person in distress might not be
able to contact emergency services. A signal jammer can be used if a license is obtained officially from
the FCC. For example, a bomb disposal squad might get permission to use a signal jammer to prevent
the remote detonation of a bomb; terrorists often use a cellphone to detonate a bomb.
The cellphone carrier can also be contacted to ensure that the phone is removed from the network.
Criminals often report a cellphone lost to erase the contents of the cellphone, so moving fast to remove
the device from the network rapidly is critical.
Charging the Device
Keeping a cellphone’s battery charged is critical. Smartphones, especially Android and iPhones, have
notoriously poor battery life because of the many applications that quickly consume the phone’s
charge. Given that many smartphones are PIN protected and that containing a phone in a Faraday box
will boost the signal and battery usage, finding a charger quickly is vital.
Note
NOTE
Never keep a cellphone in a container like a Faraday box with a charging cable sticking out: A
charging cable can act as an aerial. Never charge a seized cellphone via a computer, or you are
likely to change evidence on the phone.
9780789741158_forensics.indb 353
11/20/14 10:48 PM
354
CHAPTER 9 Mobile Forensics
Documenting the Investigation
Most forensic tools, like Paraben’s Device Seizure AccessData’s MPE+, have a built-in report feature.
The investigator’s report should ultimately include the following details:
Device specifications, including details about the SIM card
â–
Where the device was seized
â–
How the device was seized (copies of consent form or warrant)
â–
Preparation techniques, including removing the device from the network
â–
Forensic tools used to acquire the evidence
â–
Evidence acquired (SMS, MMS, images, video, contacts, call history, etc.)
â–
Carrier evidence (subscriber details and call detail records)
â–
Application service evidence (e.g. Gmail from Google’s e-mail servers)
Naturally, photographs of the location where the device was seized, the device itself and all relevant
numbers (ICCID, IMEI, etc.) should be taken.
Handset Forensics
A SIM card provides a tremendous amount of evidence, as does an SD card. However, examining the
onboard memory on the handset itself is equally important. Both software and hardware forensics solutions are available.
Cellphone Forensic Software
Several innovative software programs can effectively perform cellphone forensics, including these:
â–
BitPim
â–
Mobile Phone Examiner (MPE+)
â–
MOBILedit! Forensic
â–
Device Seizure
â–
SIMcon
â–
XAMN
Each is described in greater detail here.
9780789741158_forensics.indb 354
11/20/14 10:48 PM
Handset Forensics
355
BitPim
BitPim is an open source tool that allows you to view and manipulate files on a many CDMA phones.
Mobile phones supported by BitPim include Samsung, LG, Sanyo, and many other cellphones that
contain Qualcomm CDMA chipsets. The software can be downloaded for free from www.bitpim.org.
Mobile Phone Examiner (MPE+)
This tool enables the investigator to examine a wide range of cellular handsets and SIM (or USIM)
cards. The tool enables the examiner to carve data. In other words, it separates images and video and
audio files that are embedded in MMS files. MPE+ enables the user to enter a PIN for PIN-protected
handsets and SIM cards. Moreover, the tool enables the user to enter a PUK code to bypass the PIN on
a SIM card.
The files acquired by MPE+ can be exported as a PDF or exported in Microsoft Excel (CSV file).
Image files of the handset or SIM card are in an AD1 format, which can be opened in either MPE+ or
AccessData’s FTK.
An academic version of MPE+ comes with instructor and student manuals, the software, and mobile
phone files for practical classroom labs.
MOBILedit! Forensic
MOBILedit is an organizational tool for a smartphone user’s contacts, messages, media, and other files
that is installed on the user’s computer. A forensic edition can be used to extract cellphone files and
generate investigation reports.
Device Seizure
Developed and distributed by Paraben Corporation, Device Seizure is well known by mobile forensic
examiners because the software supports more devices than many software tools. The tool’s capabilities include mobile phones, tablets, iPhones, PDAs, and GPS devices. Figure 9.18 displays Device
Seizure’s user interface.
Paraben also supplies device containment supplies, such as its StrongHold Bag, StrongHold Box
(Faraday box), and Project-A-Phone for manual examinations.
9780789741158_forensics.indb 355
11/20/14 10:48 PM
356
CHAPTER 9 Mobile Forensics
FIGURE 9.18
Device Seizure user interface
SIMcon
SIMcon is an application that works with a SIM card reader to recover deleted messages, contacts, call
logs, and other user files. Similar to other cellphone forensic tools, it does produce MD5 and SHA-1
hash values of evidence. Although the tool works only with SIM cards, it is a low-cost forensic tool
used by many in law enforcement.
XAMN
Micro Systemation produces software and a hardware field kit for forensics examiners. The company
also provides a helpful link analysis tool that some other vendors provide. XAMN is a link analysis
tool. Link analysis allows an investigator to add the images from multiple smartphones and quickly
identify commonalities between the phones, including contacts. Link analysis can detail accomplices
or victims that suspects may have in common. The tool can also map out where a suspect or victim
was traveling, based on cellular tower, Wi-Fi hotspot, or photo geotag data. In addition, XAMN has a
timeline and calendar function. As you can imagine, a tool that graphically represents how suspects are
linked through data retrieved from their cellphones and maps out where they have been not only saves
time, but also can be invaluable to determine what transpired when a crime was committed.
9780789741158_forensics.indb 356
11/20/14 10:48 PM
Handset Forensics
357
Note
NOTE
Other reputable cellphone forensic tools are available, all with their unique strengths and features:
â–
BKForensics: Cell Phone Analyzer
â–
Katana Forensics: Lantern
â–
Oxygen: Oxygen Forensic Suite
â–
CDMA SoftWare: CDMAWorkshop
â–
Motorola-Tools.com: Flash&Backup
â–
MediaFire: Nokia Flash Tool
â–
Susteen: Secure-View
Cellphone Forensics Hardware
Investigators have numerous software solutions for imaging cellphones and tablets, but they also can
use hardware devices for this. Some of these hardware devices are helpful when examining cellphones
in the field because they can be charged and have write-blocking capabilities built in.
CellDEK
CellDEK is a mobile forensics hardware device manufactured by Logicube. The CellDEK is a device
that can be used in the field for imaging mobile phones and navigation systems, like Garmin and
TomTom. The device supports iOS devices, like the iTouch and iPhone and numerous smartphones.
Cellebrite
Cellebrite’s Universal Forensics Extraction Device (UFED) is a hardware device that can be used for
logical and physical extractions from cellphones and GPS devices. UFED is very well regarded in the
industry, and many law enforcement computer forensics laboratories have the device. Part of UFED’s
success stems from the wide range of phones supported by Cellebrite, including iOS, Android, and
RIM devices. The UFED Touch can be used in a laboratory or in the field, which appeals to law
enforcement. Figure 9.19 shows a UFED Touch.
9780789741158_forensics.indb 357
11/20/14 10:48 PM
358
CHAPTER 9 Mobile Forensics
FIGURE 9.19
UFED Touch from Cellebrite
Logical versus Physical Examination
Mobile forensic tools provide a logical or physical extraction of evidence from a cellphone—or sometimes both. Similar to examining a personal computer, a logical examination of a cellphone provides a
traditional view of the directories, files, and folders, and it can be compared to the interface we see with
Windows File Explorer on a PC or Finder on a Mac. The physical view refers to the actual location and
size of files in memory. Only a physical examination can retrieve deleted messages and other deleted
files.
A major difference with computer forensics and mobile forensics is that, with a physical view of files
on a computer, we can find file fragments. However, when an SMS text message is deleted, you can
typically be certain that the message has been removed and no message fragments exist. A physical
extraction can resurrect some deleted files, however.
Manual Cellphone Examinations
In the absence of a mobile forensic imaging tool, the investigator is forced to manually examine the
cellphone. This happens frequently, especially with lower-end prepaid phones offered by companies,
like TracFone. Tools for these phones are generally nonexistent. This is especially a problem when
there is no data port on the handset. Sometimes data can be downloaded from the device through
Bluetooth. When traditional imaging is not an option, the investigator acts as a “field jockey” and
9780789741158_forensics.indb 358
11/20/14 10:48 PM
Manual Cellphone Examinations
359
thumbs through the phone’s contents, taking photos along the way. Project-a-Phone and Fernico ZRT
are two tools designed for photographing cellphone screens, although using a regular digital camera
can suffice. Documenting the process in detail is critical nevertheless. The reason for using a solution,
like Project-a-Phone (see Figure 9.20) is that the tool comes with a reporting tool to make the process
easier.
FIGURE 9.20
Project-a-Phone
Flasher Box
In the absence of a cellphone forensic imaging solution, one might expect to perform a manual examination using Project-A-Phone or a similar device. Consider what happens when an examiner cannot
bypass the cellphone’s PIN or if the phone is damaged. As a last resort, some investigators will use a
flasher box. A flasher box is a device used to make a physical dump of a cellphone.
9780789741158_forensics.indb 359
11/20/14 10:48 PM
360
CHAPTER 9 Mobile Forensics
There are disadvantages, though, to using a flasher box. Using the device may change the data on the
cellphone. Additionally, an examiner using such a device should have proper training. The device does
not create a helpful MD5 hash for you. Nevertheless, NIJ and ACPO discuss the use of flasher boxes in
their standard operating procedures. Moreover, flasher boxes were initially a solution before advanced
cellphone forensic tools became available.
Global Satellite Service Providers
Wireless telephones do not always operate on a cellular network. In fact, most of the world’s surface
area does not have cellular service. Thus, a ship in the middle of the ocean or an expedition to the
Antarctic cannot rely on a local cell site to route calls. Instead, these telephones communicate with
other telephones through satellites. Emergency personnel can also use these telephones during a crisis
situation, like an earthquake.
Satellite Communication Services
Iridium Communications maintains a group of 66 satellites called the Iridium Satellite Constellation.
These satellites operate in a low orbit approximately 485 miles into the Earth’s atmosphere. The
company also provides global satellite phones that go beyond traditional terrestrial cellphones. These
cellphones can provide direct communications via satellite linkages in areas without cell site coverage,
such as in the middle of the Atlantic Ocean or in the Arctic. Globestar is a similar satellite phone
provider. SkyWave Mobile Communications provides satellite and General Packet Radio Service for
transportation, mining (oil and gas), heavy equipment, and utility companies.
Inmarsat PLC, a British satellite company, provides similar phone service through 11 geostationary
telecommunications satellites. The company provides Global Maritime Distress & Safety Services
(GMDSS).
Legal Considerations
As noted in Chapter 7, “Admissibility of Digital Evidence,” under the Fourth Amendment, a government
agent must obtain a warrant to conduct a search. This is true in the case of cellphones. However, there
are exceptions to this rule, including consent, incident to arrest, or exigent circumstances. Exigent
circumstances imply that a warrantless search was required to save a life (for example, in the case of
a kidnapping).
When applying for a search warrant, the investigator should describe the cellphone and include the
following details:
â–
Make
â–
Model
9780789741158_forensics.indb 360
11/20/14 10:48 PM
Other Mobile Devices
â–
Serial number (if available)
â–
Manufacturer
â–
Telephone number
â–
Location of the device (address and specific location)
361
If available, the investigator should also include the IMEI or MEID of the phone. In addition, the
investigator should detail the type of evidence he or she wants to acquire (SMS, MMS, contacts, and
so forth).
Carrier Records
The investigator can also obtain corroborating evidence from the cellular carrier, in the form of
subscriber records and call detail records. The carrier uses subscriber records for billing, and the call
detail records provide information about the location and time a cellphone was used to make calls.
Remember, a call can be traced to multiple cell sites and can identify a route taken by the suspect. Call
detail records identify the location of the handset at a particular location; it is up to the investigator to
link the suspect to that handset. When obtaining call detail records, the investigator should request the
data in a particular format (such as CSV) and also request information about how to interpret cell site
codes that are provided. The carrier can send the investigator a voicemail reset code when requested.
Other Mobile Devices
Numerous other devices can be of evidentiary value to investigations. These devices include tablets,
GPS devices, and personal media devices.
Tablets
As with cellphones, many different types of tablets are on the market. The software and operating
systems running on these devices are very similar. iOS and Android are the most widely found operating systems running on tablets. Some tablets also come with a data plan that runs on a cellular
network. Computer forensic tools like Device Seizure, Cellebrite, and BlackLight support a number of
tablets. Figure 9.21 shows Amazon’s Kindle, which runs on Android OS.
9780789741158_forensics.indb 361
11/20/14 10:48 PM
362
CHAPTER 9 Mobile Forensics
FIGURE 9.21
Amazon Kindle
GPS Devices
GPS devices can be used for maritime navigation, driving, and aviation. Handheld devices are used
for recreation, like biking and hiking, or can be used by emergency services during disasters. Many
of these devices, like TomTom, can be imaged by forensic tools like Cellebrite and Paraben’s Device
Seizure. Many of these devices come with an SD card, which can be valuable to an investigator. An
investigator may also find evidence on a user’s synced computer.
Four primary sources of evidence are available from a GPS device: trackpoints, track log, waypoint,
and route. More recent GPS devices also contain data about cellphones that were connected via Bluetooth or even Internet searches. Motonav is one example of the expanded services now available.
Devices like Motonav, may possess data from the synced cellphone like the user contacts. General
Motors (GM) OnStar service is another potential source of data for investigators. GM stores GPS data
from vehicles with the built-in OnStar service. GM’s monitoring has sparked controversy because
the company can disclose this information to third parties, even after the subscriber has terminated
services. The TomTom satnav navigation system also caused controversy when it was discovered that
the company was sending historical driver GPS routing data to police in the Netherlands. The user data
from the TomTom helped police set up speed traps, based on driver habits.
A trackpoint is a geo-locational record that is automatically captured and stored by a GPS device.
Trackpoints are not created by the user. For example, when a GPS device is turned on, a trackpoint,
9780789741158_forensics.indb 362
11/20/14 10:48 PM
Other Mobile Devices
363
recording the current location is made, and then subsequent trackpoints are created at predetermined
intervals. A track log is a list of trackpoints that can be used to re-create a route.
A waypoint is a geo-locational point of interest created by a user. Waypoints are often created to note
places of interest, like a restaurant or a hotel, as part of a longer route. Finally, a route is a series of
user-created waypoints on a trip.
GPS Tracking
Since 2009, all cellphones are federally mandated to have a GPS chip embedded in the device. In 2003,
the U.S. Federal Communications Commission’s E-911 Mandate was introduced. Enhanced 911 is a
federal mandate that stipulates that all handset manufacturers must ensure that caller ID and locational
data can be obtained from a cellphone subscriber making a 911 call. Therefore, the police can locate
a person in distress using Assisted GPS, which uses the GPS chip in your cellphone and triangulation
rather than simply relying on cell site data. Interestingly, the infamous hacker Kevin Mitnick eluded
law enforcement for many years, yet it was his cellphone that led the FBI to discover his whereabouts
using triangulation. A Public Safety Access Point (PSAP) is a call center that receives emergency
requests from the public for police, medical, or firefighter services.
Case Study
To Catch a Murderer: A Case Study
A Public Safety Access Point can assist police by tracking a subscriber’s cellphone in real time.
In October 2004, Fred Jablin was found dead in his home on Hearthglow Lane in Richmond,
Virginia. Detective Coby Kelley quickly suspected Jablin’s ex-wife, Piper Rountree, and quickly
obtained a warrant for Rountree’s cellphone records. Fred Jablin, distinguished chair at the
University of Richmond, had suffered a very nasty divorce and custody battle with Rountree, and
Jablin had won sole custody. By September 2004, Rountree was in trouble: She owed $10,000
in back alimony.
Detective Kelley obtained the cellphone records for Piper Rountree’s cellphone, which placed the
phone at the scene of the crime. Kelley tracked the cellphone going east on I-64 toward Norfolk
Airport. A brief interruption in signal location occurred before the phone could be tracked again
in Baltimore, Maryland. Of course, Rountree stated that she had not been in Virginia at the time
of the murder, but was actually in Houston, Texas. She also stated that her sister, Tina Rountree,
often used her cellphone.
Piper Rountree called her son 14 hours prior to the murder and mentioned that she was in Texas,
although her cellphone was pinging towers in Virginia. On October 21 (a few days prior to the
murder), Rountree purchased a wig on the Internet, using her own account, but the wig was
delivered to her former boyfriend’s P.O. Box in Houston. Piper Rountree was attempting to use
the wig to pose as her sister, Tina. A Southwest Airlines employee later testified that he had
witnessed Piper Rountree boarding a plane to Virginia. On May 6, 2005, Piper Roundtree was
sentenced to life in prison plus three years for use of a firearm in a crime. This case clearly illustrates how important cellphone evidence was in corroborating evidence used at trial.
9780789741158_forensics.indb 363
11/20/14 10:48 PM
364
CHAPTER 9 Mobile Forensics
Summary
Mobile forensics has become extremely important for investigations because of the wealth of evidence
it can provide. This type of information can even be more important than the evidence gleaned from a
traditional computer because cellphones are always on and we carry them everywhere. Forensic tools
have improved over the past five years, but we still have many devices that are not supported. With the
growing importance of cellphone forensics, investigators are reaching out beyond the cellphone to the
cellular carrier and cloud computing service providers.
Cellphones are problematic to analyze because so many different operating systems and device models
are available, and the data on these devices continually changes because of network connections and
their small onboard memory. The contents of a smartphone cannot be analyzed as one mass media
device because of removable memory and SIM cards (GSM phones).
A variety of cellular networks exist, with GSM and CDMA being the predominant network protocols.
Understanding these networks helps investigators understand where the evidence is located. Mobile
Network Operators, like Sprint and Verizon, own and operate networks; a Mobile Virtual Network
Operator provides service but does not own the cellular network infrastructure.
Other mobile devices, like tablets and GPS electronics, also are important to investigators. A tablet can
have Internet service through a cellular network. Broadband USB and Mi-Fi cards also use cellular
networks.
Investigators should always test forensic tools prior to their use. Many cellphones are not supported
by forensic tools, so a manual investigation must be conducted. Investigators should also be aware
of NIST, NIJ, and ACPO standard operating procedures for investigating digital devices. Proper care
should be afforded when containing the device, charging the device, and ensuring isolation from a
variety of wireless networks.
KEY TERMS
3GP: An audio/video file format found on mobile phones operating on 3G GSM cellular networks.
3GP2: An audio/video file format found on mobile phones operating on 3G CDMA cellular networks.
3rd Generation Partnership Project (3GPP): A collaboration of six telecommunications standards
bodies and a large number of telecommunications corporations worldwide that provides telecommunication standards.
3rd Generation Partnership Project 2 (3GPP2): A partnership of North American and Asian 3G
telecommunications companies that develop standards for third-generation mobile networks, including
CDMA.
4G Long Term Evolution (LTE) Advanced: A high-mobility broadband communication that is
suitable for use on trains and in other vehicles.
9780789741158_forensics.indb 364
11/20/14 10:48 PM
Summary
365
abbreviated dialing numbers (ADN): Contains the contact names and numbers entered by the
subscriber.
accelerometer: A hardware device that senses motion or gravity and reacts to these changes.
Android: An open source operating system based on the Linux 2.6 kernel.
Assisted GPS: Uses the GPS chip in your cellphone and triangulation simply relying on cell site data.
Authentication Center (AuC): A database that contains the subscriber’s IMSI, authentication, and
encryption algorithms.
base station controller (BSC): Manages the radio signals for base transceiver stations, assigning
frequencies and handoffs between cell sites.
base transceiver station (BTS): The equipment found at a cell site that facilitates the communication
of a cellphone user across a cellular network.
Bing Maps: A vehicle navigation system that comes with Windows Phone.
Bing Mobile: The search engine included with Windows Phone.
call detail records (CDR): Details used for billing purposes; these can include phone numbers called,
duration of calls, dates and times of calls, and cell sites used.
CDMA2000: A 3G technology that uses the CDMA communications protocol.
cell: A geographic area within a cellular network.
cell site: A cell tower located in a cell.
cellular network: A group of cells.
Code Division Multiple Access (CDMA): A spread-spectrum communication methodology that uses
a wide bandwidth for transmitting data.
Electronic Serial Number (ESN): An 11-digit number used to identify a subscriber on a CDMA
cellular network.
Enhanced 911: A federal mandate that stipulates that all handset manufacturers must ensure that caller
ID and locational data can be obtained from a cellphone subscriber making a 911 call.
Enhanced Data rates for GSM Evolution (EDGE): A high-data-transfer technology found on GSM
networks. EDGE provides up to three times the data capacity of GPRS.
Equipment Identity Register (EIR): Used to track IMEI numbers and decide whether an IMEI is
valid, suspect, or perhaps stolen.
FCC-ID: A number issued by the Federal Communication Commission (FCC) that indicates the
handset is authorized to operate on radio frequencies within the FCC’s control.
flasher box: A device used to make a physical dump of a cellphone.
9780789741158_forensics.indb 365
11/20/14 10:48 PM
366
CHAPTER 9 Mobile Forensics
Forbidden Public Land Mobile Network (FPLMN): Cellular networks that a subscriber attempted
to connect to but was not authorized for.
General Packet Radio Service (GPRS): Packet-switching wireless communication found on 2G and
3G GSM networks.
Global System for Mobile Communications (GSM): An international standard for signal communications that uses TDMA and Frequency Division Duplex communication methods.
hard handoff: Communication handled by one only base transceiver station at a time, with no simultaneous communication.
Home Locator Register (HLR): A database of a carrier’s subscribers, including their home addresses,
IMSI, telephone numbers, SIM card ICCIDs, and services used.
Integrated Circuit Card ID (ICCID): Usually, a 19-digit serial number physically located on the
SIM card.
Integrated Digital Enhanced Network (iDEN): A wireless technology developed by Motorola that
combines two-way radio capabilities with digital cellphone technology.
International Mobile Equipment Identity (IMEI): Number that uniquely identifies the mobile
equipment or handset.
International Mobile Subscriber Identity (IMSI): An internationally unique number on the SIM
card that identifies a user on a network.
International Signaling Point Code (ISPC): A standardized numbering system used to identify a
node on an international telecommunications network.
International Telecommunication Union (ITU): An agency of the United Nations that produces
standards for information and communication technologies.
Internet Explorer Mobile: The web browser, based on Internet Explorer 9, found on Windows Phone
devices.
IPD Backup File: A file backup from a BlackBerry that is found on a synced computer or medium.
Joint Test Action Group (JTAG): An IEEE standard (IEEE 1149.1) for testing, maintenance, and
support of assembled circuit boards.
Last Numbers Dialed (LND): A list of all outgoing calls made by the subscriber.
Mobile Country Code (MCC): The first three digits of the IMSI.
Mobile Equipment Identifier (MEID): An internationally unique number that identifies a CDMA
handset (Mobile Equipment).
Mobile Network Operator (MNO): Owns and operates a cellular network.
Mobile Station: Consists of Mobile Equipment (handset) and a Subscriber Identity Module (SIM).
9780789741158_forensics.indb 366
11/20/14 10:48 PM
367
Summary
Mobile Subscriber Identity Number (MSIN): Created by a cellular telephone carrier, and identifies
the subscriber on the network.
Mobile Subscriber ISDN (MSISDN): Essentially, the phone number for the subscriber.
Mobile Switching Center (MSC): Responsible for switching data packets from one network path to
another on a cellular network.
Mobile Virtual Network Operator (MVNO): Does not own its own cellular network, but operates on
the network of a Mobile Network Operator.
Multimedia Messaging Service (MMS): A messaging service found on most cellphones that allows
the user to send multimedia content such as audio, video, and images.
multiplexing: Multiple signals transmitted simultaneously across a shared medium.
My Wireless Fidelity (Mi-Fi): A portable wireless router that provides Internet access for up to five
Internet-enabled devices and communicates via a cellular network.
Office hub: Coordinates Microsoft Office applications and documents.
People Hub: An address book tool found on Windows Phone devices that has the ability to synchronize
contacts from social networking sites like Facebook, Twitter, and LinkedIn.
PIN Unlock Key (PUK): An unlock reset code used to bypass the SIM PIN protection.
Public Safety Access Point (PSAP): A call center that receives emergency requests from the public
for police, medical, or firefighter services.
Public Switched Telephone Network (PSTN): An aggregate of all circuit-switched telephone
networks.
RIM OS: Operating system developed by Research in Motion for use on BlackBerry smartphones and
tablets.
Route: A series of user-created waypoints on a trip.
Short Message Service (SMS): A text message communication service found on mobile devices.
SIM card: Identifies a user on a cellular network and contains an IMSI.
soft handoff: Cellular communication conditionally handed off from one base station to another, with
the mobile equipment simultaneously communicating with multiple base transceiver stations.
SQLite database: An open source relational database standard that is frequently found on mobile
devices.
subscriber records: Personal details maintained by the carrier about its customers, including their
names, addresses, alternative phone numbers, Social Security numbers, and credit card information.
subsidy lock: Confines a subscriber to a certain cellular network so that a cellphone can be sold for
free or at a subsidized price.
9780789741158_forensics.indb 367
11/20/14 10:48 PM
368
CHAPTER 9 Mobile Forensics
Symbian: A mobile device operating system developed by Nokia and currently maintained by
Accenture.
Tellme: A Microsoft tool found on Windows Phone that is used for voice recognition commands for
Bing searches, to call contacts or to activate applications.
Temporary Mobile Subscriber Identity (TMSI): A randomly generated number that the VLR
assigns to a mobile station when the handset is switched, based on the geographic location.
Time Division Multiple Access (TDMA): A radio communication methodology that enables devices
to communicate on the same frequency by splitting digital signals into time slots, or bursts.
track log: A list of trackpoints that can be used to re-create a route.
trackpoint: A geolocational record that is automatically captured and stored by a GPS device.
Type Allocation Code (TAC): Identifies the type of wireless device.
Universal Integrated Circuit Card (UICC): A smart card used to uniquely identify a subscriber on
a GSM or UMTS network.
Universal Mobile Telecommunications System (UMTS): A 3G cellular network standard based on
GSM and developed by 3GPP.
Visitor Locator Register (VLR): A database of information about a roaming subscriber.
waypoint: A geolocational point of interest created by a user.
Wide Band CDMA (WCDMA): A high-speed signal transmission method based on CDMA and FDD
methods.
Windows Phone: A Microsoft operating system that can be found on personal computers, mobile
phones, and tablets.
Assessment
CLASSROOM DISCUSSIONS
1. You have just received a mobile device with an FCC-ID of BEJVM670. You have been told
that the cellphone has an MEID. Using this information, answer the following questions:
A. What U.S. cellular carrier(s) could be providing service for the cellphone?
B. Does this cellphone have Bluetooth?
C. Could this cellphone have been used to take photographs? If so, could the photos have
GPS data associated with them?
D. Where on this device could there be potential evidence? For example, in addition to the
handset, is there a SIM or SD card?
9780789741158_forensics.indb 368
11/20/14 10:48 PM
Summary
369
2. Detail best practices for containing and analyzing a cellular telephone.
3. In what ways could the cellphone carrier assist you in your investigation?
4. Describe how cellphone forensics differs from traditional computer forensics.
MULTIPLE-CHOICE QUESTIONS
1. The equipment found at a cell site that facilitates the communication of a cellphone user
across a cellular network is best described as which of the following?
A. Cellular network
B. Base Transceiver Station
C. Public Switched Telephone Network
D. Home Locator Register
2. Which of the following best describes the role of the Base Station Controller?
A. Manages the radio signals for Base Transceiver Stations.
B. Assigns frequencies and handoffs between cell sites.
C. Both A and B are correct.
D. Neither A or B is correct.
3. Which of the following are details used by telecommunications carriers for billing purposes and
can include phone numbers called, duration of calls, dates and times of calls, and cell sites used?
A. Equipment Identity Register
B. Mobile Network Operator
C. Temporary Mobile Subscriber Identity
D. Call detail records
4. Which of the following typically is not be found on a GSM cellphone?
A. SIM
B. IMEI
C. FCC-ID
D. MEID
5. The first three digits of the IMSI are referred to as which of the following?
A. Mobile Country Code
B. Mobile Subscriber Identity Number
C. Mobile Network Operator
D. Integrated Circuit Card ID
9780789741158_forensics.indb 369
11/20/14 10:48 PM
370
CHAPTER 9 Mobile Forensics
6. Which of the following is a portable wireless router that provides Internet access for up to five
Internet-enabled devices and communicates via a cellular network?
A. Office hub
B. Public Safety Access Point
C. Mobile station
D. Mi-Fi
7. Which of the following is a high-mobility broadband communication that is suitable for use
on trains and in other vehicles?
A. 2G
B. 3G
C. 3GPP
D. 4G LTE
8. Which of the following is an international standard for signal communications that uses
TDMA and FDD (Frequency Division Duplex) communication methods?
A. GSM
B. CDMA
C. UMTS
D. WCDMA
9. Which one of the following directories contains a list of contacts (names and telephone num-
bers) saved by a subscriber on a SIM card?
A. EF_SMS
B. EF_LOCI
C. EF_LND
D. EF_ADN
10. Which of the following mobile operating systems is an open source operating system based on
the Linux 2.6 kernel and is owned by Google?
A. Symbian
B. Android
C. RIM
D. Windows
9780789741158_forensics.indb 370
11/20/14 10:48 PM
371
Summary
FILL IN THE BLANKS
1. A(n) _____________ is the geographic area within a cellular network.
2. A Mobile _____________ Center is responsible for switching data packets from one network
path to another on a cellular network.
3. A(n) _____________ handoff occurs when a cellular communication is conditionally
handed off from one base station to another and the mobile equipment is simultaneously
communicating with multiple Base Transceiver Stations.
4. A(n) _____________ Mobile Equipment Identity number uniquely identifies the Mobile
Equipment or handset.
5. The database that contains information about a roaming subscriber is referred to as a(n)
_____________ Locator Register.
6. The _____________ Identity Register is used to track IMEI numbers and decide whether an
IMEI is valid, suspect, or perhaps stolen.
7. Integrated _____________ Enhanced Network is a wireless technology developed by Motorola
that combines two-way radio capabilities with digital cellphone technology.
8. _____________ Public Land Mobile Network refers to cellular networks that a subscriber
attempted to connect to but was not authorized for.
9. A Personal Unlock _____________ (PUK) is a code that is available from the carrier and
allows a user to remove the PIN protection from the SIM card.
10. A Public Safety _____________ Point is a call center that receives emergency requests from
the public for police, medical, or firefighter services.
PROJECTS
Write an Essay about Cellphone Forensics
Find an example of cellphone forensics used in a criminal investigation, and write an essay about its
importance in successfully convicting a suspect.
Write Standard Operating Procedures for Examining a Cellphone
Find a smartphone and then write standard operating procedures for examining that cellphone. Include
in your essay forensic tools that will work with that particular model.
Describe a Forensic Examiner’s Guide to Working with a Mobile Operating System
Select a mobile operating system and then describe a forensic examiner’s guide to working with that
operating system.
Write an Essay Describing the Differences in Examining Two Different Cellphones
Write an essay describing the differences from an examination of a CDMA cellphone and a GSM cellphone.
9780789741158_forensics.indb 371
11/20/14 10:48 PM
9780789741158_forensics.indb 457
11/20/14 10:49 PM
Index
Numerics
3GPP2 (3rd Generation Partnership Project
2), 334
3GPP (3rd Generation Partnership Project),
333
4G Long Term Evolution (LTE) Advanced,
333
A
ABA (American Bankers Association), 151
ABC fire extinguishers, 140
Abrahams, Jared, 375
Abbreviated Dialing Numbers. See ADNs
accelerometers, 339
access
data, 142
digital evidence, 238
Asia legal system, 282
European Union (EU) legal system,
278-282
United States legal system, 239-244
email, 6
password-cracking software, 138-139
personal information, 193-195
458
9780789741158_forensics.indb 458
11/20/14 10:49 PM
alternative volume headers
restrictions (labs), 141-143
SIM cards. 337
459
Adobe Digital Negative. See DNG
formats
AccessData, 13
Adroit Forensics, 140
accountants, forensic, 22
ADS (Alternate Data Stream, 45
ACLU (American Civil Liberties Union),
19, 163
Advanced Encryption Standard. See
AES
acquisition of evidence, 116
Advanced Forensics Format. See AFF
access restrictions (labs), 141-143
devices
extracting, 147-152
skimmers, 152-155
Advanced Persistent Threats. See APTs
AES (Advanced Encryption Standard),
58
AFF (Advanced Forensics Format), 137
AIM (AOL Instant Messenger), 181-183
lab requirements, 117-124, 128-141,
144
AirDrop, 410
private sector labs, 119-121
AirPort
actuator arms, 35
Address Resolution Protocol. See ARP
addresses, IP (Internet Protocol), 192
admissibility of evidence. See also
evidence
digital evidence, 248
constitutional law, 248-277
criminal defense, 276
difficulties with, 277-278
rules, 271-276
email, 6
images, 380
AirPlay, 395
Express, 396
Extreme, 396
Time Capsule, 396
al-Awlaki, Anwar, 187
Alexa, 173
algorithms
MD5, 374
XOR, 183
Alito, Samuel, 260
allocated storage space, 33
allocation blocks, 397
Al-Qaeda, 178, 186
case studies, 382-383
Alternate Data Stream. See ADS
comparing digital to analog, 381
alteration of evidence, 6
FRE (Federal Rules of Evidence),
380
altering images, 381
ADNs (Abbreviated Dialing Numbers),
335
9780789741158_forensics.indb 459
alternative copy devices, 90
alternative volume headers, 397
11/20/14 10:49 PM
460
Amazon Kindle
Amazon Kindle, 361-362
antivirus software, 138
Amber Alert Bill (2003), 16
anybirthday.com, 192
AMBER Alert Facebook profiles, 188
AOL Instant Messenger. See AIM
American Bankers Association. See
ABA
APIs (application programming
interfaces), 189
American Civil Liberties Union. See
ACLU
appeals courts, 242
Apple, 14
American Medical Response, 163
AirDrop. See AirDrop
American Society of Crime
Laboratories Directors/Laboratory
Accreditation Board. See ASCLD/LAB
AirPort. See AirPort
American Society of Crime Laboratory
Directors. See ASCLD/LAB
FireWire, 94
Configurator, 426
forensics, 398
Amero, Julie, 277
case studies, 426-427
analysis
deleted file recovery, 401
files, 4
DMG file system, 401
media, 226
Epoch Time, 399-400
Registry (Windows 7), 65-66
IOReg Info, 398
Windows operating systems. See
Windows operating systems
journaling, 401
analytics, Twitter, 189
Anderson, Michael, 15
Android, 184, 339
applications, 344-345
evidence, 341
file systems, 340
security, 343
tools, 344
Anonymizer.com, 169
anonymizers (online proxies), 170
Anthony, Casey, 68
AntiSecurity, 173
mobile devices, 409-418, 425-426
operating systems, 404-409
PList files, 404
PMAP Info, 399
SQLite databases, 404
history of, 393-396
Macintosh. See Mac computers
MFS (Macintosh File System),
397-398
TV, 395
application layer (Layer 7), 309
application programming interfaces.
See APIs
antistatic polyethylene evidence bags,
130
9780789741158_forensics.indb 460
11/20/14 10:49 PM
bags (evidence)
applications, 130. See also files; tools
Atari, 14
AIM, 183
ATMs (Automatic Teller Machines), 8
Android, 344-345
ATM skimmers, 153
antivirus, 138
Atomic Energy Act of 1954, 267
bit-stream imaging, 131, 137
attacks
DeadAIM, 445
digital photographs, 376
Facebook, 376
Flickr, 376
Instagram, 377
SnapChat, 377
Evidence Eliminator, 6
Find My iPhone, 427
password-cracking, 138-139
Skype, 183
Tor, 170
virtual machines, 138
Windows 8.1, 71
461
APTs (Advanced Persistent Threats),
310-313
brute force, 138
dictionary, 138
networks, investigating, 313
SYN flood, 308
terrorist, 194
AuC (Authentication Center), 331
audits, lab access, 143
Automatic Teller Machines. See ATMs
AutoPlay dialog box, 58
Autopsy, 131, 137
Avery Doninger v. Lewis Mills High
School, 250
Windows Phone, 347
APTs (Advanced Persistent Threats),
310-313
archive.org, 171
B
archives, websites, 171
background searches, 173-174,
182-187, 190-195
Arizona v. Gant (2009), 256, 263
BackTrack, 293
ARP (Address Resolution Protocol), 306
Backup and Restore Center (Windows
7), 60
Arturo, Ernesto, 264
ASCII, hexadecimal conversion to,
38-41
ASCLD/LAB, 141
Asia legal system, 282
Assisted GPS, 363. See also GPS
backups
iPhones, 418
Windows 7, 62
bad sectors, 34
Baez, David, 383
bags (evidence), 130
9780789741158_forensics.indb 461
11/20/14 10:49 PM
462
Ballmer, Steve
Ballmer, Steve, 64
blogs.com, 186
banks, 151. See also financial fraud
Bluffmycall.com, 167-168
Base Station Controller. See BSC
Blu-ray discs, 104
Base Transceiver Station. See BTS
BMP (Bitmap Image File), 7, 379
bash boards, 444
Bohach v. City of Reno, 266
Basic Input/Output System. See BIOS
Bonds, Barry, 447
batteries, handsets, 338
Boot Camp, 80, 397
Bay Area Laboratories Company
(BALCO), 253, 447
booting (iBoot), 418
best evidence rule, 276
Boucher, Larry, 81
BHO (Browser Help Object), 296
brbpub.com, 191
Bill of Rights, 240
BreakPoint Software, 40
binary to decimal conversion, 37
Breivik, Anders Behring, 186
Bing
Brightness adjustment (images), 381
bootstrapping, 42
Maps, 347
Britton, Craig, 375
Mobile, 347
Broadcasting Emergency Response,
188
biometrics (Windows 7), 59
BIOS (Basic Input/Output System),
42-44
Brown, Jerry, 263
bit-stream imaging software, 131, 137
brute force attacks, 138
bit-stream imaging tools, 4, 47
BSC (Base Station Controller), 325
Bitcoin, 170
BTK (Bind Torture Kill) killer, 106,
441-442
BitLocker, 10, 59, 62
Bitmap Image File. See BMP
BitPim, 355
Bits, 37
BitTorrent, 173
BlackBag, 13
BlackBerry, 345
BlackLight, 137, 214
blocks, allocation, 397
blogdigger.com, 186
Browser Help Object (BHO), 296
BTS (Base Transceiver Station), 322,
325
budgets, labs, 141
Bulger, James “Whitey”, 188
bullying, 196
Bullying Prevention Policy Law, 445
Bureau of Labor Statistics, 12
Bush, George W., 14
bytes, 34-36
blogs, monitoring, 186-187
9780789741158_forensics.indb 462
11/20/14 10:49 PM
Certified Forensic Computer Examiner
463
C
catalog files, 398
C2 (command and control), 312
CabinCr3w hacktevist, 427
CCFE (Certified Computer Forensics
Examiner), 21
cabinets (lab layouts), 124
CCTV (closed-circuit television), 8
Cache.db file, 407
CDMA (Code Division Multiple Access),
334
California State Senate and Assembly,
263
CCE (Certified Computer Examiner), 21
CDRs (call detail records), 326
California v. Nottoli, 262
CD-RW (compact disc-rewritable), 103
call detail records. See CDRs
CDs (compact discs), 102
cameras, 129. See also images
CellDEK, 357
cell phones, 339
Cellebrite, 357
metadata, 139
Cellebrite UFED, 262
Canseco, Jose, 447
capturing online communications,
197-200
careers, 12-14
cellphones
evidence, 10
forensics, 320-322
evidence, 338, 347-350, 353-354
education, 19
GPS providers, 360
law enforcement, 19-24
handsets, 338-339, 354-358
Carey, Patrick, 254
legal considerations, 360-363
carrier records, cellular phones, 361
manual examinations, 358-360
CART (Computer Analysis and
Response Team), 15
networks, 322, 325, 328, 338
carving (files), 132, 140
CaseNotes, 220
case studies
BTK (Bind Torture Kill) killer,
441-442
cyberbullying, 443-446
image evidence, 382-383
Mac forensics, 426-427
sports, 447-448
Zacharias Moussaoui, 437-441
9780789741158_forensics.indb 463
operating systems, 339-347
SIM cards, 334-337
jammers, 142
CERT (Computer Emergency Response
Team), 19
certifications, 21-24, 141
Certified Computer Examiner. See CCE
Certified Computer Forensics
Examiner. See CCFE
Certified Forensic Computer Examiner.
See CFCE
11/20/14 10:49 PM
464
Certiorari
Certiorari, 252
CFCE (Certified Forensic Computer
Examiner), 21
Clinton, William “Bill” Jefferson, 169,
270
cloning
CF (CompactFlash) cards, 98
devices, 86-88, 124
CF (Core Foundation), 402
HDDs (hard disk drives), 86-93
Chain of Custody, 2, 130, 215. See also
evidence
SIM cards, 337
chain of events, email as evidence, 5
characters, control, 40
charging cellphones, 353
Charydczak, Gary, 446
closed-circuit television. See CCTV
Cloud, email access, 6
clusters, 34
codified laws, 240
chat, undercover investigations, 164
COFEE (Computer Online Forensic
Evidence Extractor), 63
check fraud, 151-152
collaboration, international, 17
child exploitation cases, images, 7
color balancing, 381
child pornography. See also images
COM (Component Object Model), 52
databases, 17
command and control. See C2
email as evidence, 5
Commodore, 14
E.U., 281
common law, 240
pedophile networks, 178
communication
search warrants, 253
investigator skills, 11
undercover investigations, 163
linguistics skills, 11
Chip-offs, 342, 411
Communications Assistance for Law
Enforcement Act (CALEA), 268
Cho, Seung-Hui, 3
compact discs. See CDs
CIRCAMP (COSPOL Internet Related
Child Abuse Material Project), 17
CompactFlash cards. See CF cards
China, legal system, 282
City of Ontario v. Quon, 560 U.S. (2010),
266
comparisons
forensics, 3-4
Windows file systems, 46
civil law, 240
Component Object Model. See COM
Clementi, Tyler, 196, 445
Comprehensive Drug Testing (CDT),
447
client computers, 9
9780789741158_forensics.indb 464
11/20/14 10:49 PM
Copyright Act for libraries
465
files, 45
Digital Millennium Copyright Act
(DMCA) (1998), 270-271
images, 139
Federal Wiretap Act of 1968, 265-266
compression
Computer Analysis and Response
Team. See CART
Foreign Intelligence Surveillance Act
(FISA- 1978), 266
computer crime, 3
PROTECT Act of 2003, 270
Computer Emergency Response Team.
See CERT
USA PATRIOT Act, 268-270. See also
PATRIOT Act
Computer Forensic Investigations and
Incident Response class, 22
computer forensics, 3. See also
forensics
Computer Fraud and Abuse Act (18
U.S.C. § 2511), 267
constitutional law, 240, 248-277
Fifth Amendment, 263-264
First Amendment, 248-251
Fourth Amendment, 251-263
Sixth Amendment, 264-265
Computer Online Forensic Evidence
Extractor. See COFEE
contact, Transfer of Evidence theory, 4
computer science skills, 10
continuous learning, investigator skills,
11
Computer Technology Investigators
Network. See CTIN
computer worksheets, 216-217
containment, cellphones, 349
contrast adjustment, 381
control
confidentiality, investigator skills, 12
characters, 40
configuration
email, 5
Apple Configurator, 426
Lawful Intercept Configuration Guide,
268
Registry (Windows), 50-52
controlled substances, warrantless
searches, 255
conversion
bytes, 36
Confrontation Clauses, 265
files, 37-40
congressional legislation, 265
hexadecimal to ASCII, 38-41
Communications Assistance for Law
Enforcement Act (CALEA), 268
cookies, viewing, 199-200
Computer Fraud and Abuse Act (18
U.S.C. § 2511), 267
Cop app, 221
Cookies.plist file, 407
Copyright Act for libraries, 270
Corporate Espionage (18 U.S.C. §
1030(a)(1)), 267
9780789741158_forensics.indb 465
11/20/14 10:49 PM
466
Core Foundation
Core Foundation. See CF
Corley, Eric, 14
CTIN (Computer Technology
Investigators Network), 20
corporate espionage, 3
Cupertino, California, 391
Corporate Espionage (18 U.S.C. §
1030(a)(1)), 267
Curtilage, 259
COSPOL Internet Related Child Abuse
Material Project. See CIRCAMP
cybercrime, 3
counterterrorism, 194
cylinders, 36
cyberbullying, 196, 443-446
cyberstalking, 443
Court of Appeals of the State of
California, 263
Court of Justice of the European
Union, 279
D
court orders, 258
Dark Web, 170
cover pages, reports, 225
Dartmouth College, 374
credit cards, 8
data access, 142
fraud, 149-151
data forks, 397
sale of, 195
Data Link Escape. See DLE
crime, 3, 195
data link layer (Layer 2), 306
credit cards, 195
Data Protection features, 412
cyberbullying, 196
databases
identity theft, 195
child pornography, 17
medical records, 196
fusion centers, 18
social networks, 196-197
INTERPOL, 194
crime scene investigators. See CSIs
local, 194
crime scenes
Registry (Windows), 50-52
documenting, 211
SQLite, 340, 404, 420
examinations, 213
Daubert v. Merrell Dow
Pharmaceuticals, 272
criminal defense, 276
cropping images, 381
cross-transference, 4
cryptanalysis, 138
Daylight Savings Time. See DST
D.C. Circuit Court, 260
DCF (Design rule for Camera File
system), 375
CSIs (crime scene investigators),
213-214
9780789741158_forensics.indb 466
11/20/14 10:49 PM
devices
DCIM (Digital Camera Images), 376
devices
DeadAIM, 181, 445
alternative copy, 90
Debian-based Linux systems, 193
Apple, 393-396, 409
debit cards, fraud, 149-151
iOS, 410
decryption, 4, 132
iOS 7, 410
decimal
iOS 8, 410-411
binary to conversion, 37
iPads, 413
hexadecimal to conversion, 38
iPhones, 413-418, 425-426
default gateways, 299
DEFAULT keys, 52
defendants, 239
defense attorneys, 276
Defense Reform Initiative Directive #27
(1998), 15
security, 411
charging, 353
cloning, 86-88, 124
evidence, extracting from, 147-152
flasher box, 359
defragmentation, Vista (Windows), 54
GPS, 258-262, 362
deleting files, recovering, 4, 401
networks, 294
delivery of attacks, 312
Department of Defense. See DoD
Department of Homeland Security. See
DHS
Department of Justice. See DOJ
Department of Motor Vehicles. See
DMV
467
DHCP (Dynamic Host
Configuration Protocol) servers,
298
DNS (Domain Name System)
servers, 301
firewalls, 304
depositions, 273
IDS (intrusion detection systems),
304
Design rule for Camera File system.
See DCF
OSI (Open Systems
Interconnection), 305-310
destruction of evidence, 6
ports, 305
detectives, 167. See also investigations
proxy servers, 295
Device Firmware Upgrade (DFU) Mode,
417
routers, 302-304
Device Seizure, 355
SMTP (Simple Mail Transport
Protocol) servers, 299-301
Web servers, 295-297
9780789741158_forensics.indb 467
11/20/14 10:49 PM
468
devices
removable memory, 93
Blu-ray discs, 104
CD-RW (compact disc-rewritable),
103
digital evidence. See also evidence
access, 238
Asia legal system, 282
CDs (compact discs), 102
European Union (EU) legal system,
278-282
CF (CompactFlash) cards, 98
United States legal system, 239-244
DVDs, 103
admissibility, 248
external hard drives, 95-96
constitutional law, 248-277
FireWire, 94
criminal defense, 276
floppy disks, 104-106
difficulties with, 277-278
magnetic tapes, 107-108
digital forensics reference, 221
Memory Sticks, 98
Digital Millennium Copyright Act
(DMCA) (1998), 270-271
MMCs (MultiMedia cards), 96
SD (Secure Digital) cards, 97-98,
101
USB flash drives, 95
xD (Extreme Digital) cards, 99
Zip disks, 107
skimmers, 152-155
write-blockers, 124
DFU (Device Firmware Upgrade) Mode,
417
Digital Negative. See DNG
digital photographs, 375. See also
images
applications, 376
Facebook, 376
Flickr, 376
Instagram, 377
SnapChat, 377
evidence, 380
DHCP (Dynamic Host Configuration
Protocol) servers, 298
case studies, 382-383
DHS (Department of Homeland
Security), 16, 193
FRE (Federal Rules of Evidence),
380
dictionary attacks, 138
comparing to analog, 381
Digital Assembly, 140
EXIF (Exchangeable Image File
Format), 377-380
Digital Camera Images. See DCIM
file systems, 375
digital cameras, metadata, 139. See
also images
metadata, 377
digital data, recovery, 3
9780789741158_forensics.indb 468
Digital Still Capture Nikon. See DSCN
digital surveillance as search, 258
11/20/14 10:49 PM
education
469
Disaster Recovery Plans, 144
DoD (Department of Defense), 15
Disclosure of Expert Testimony in the
Federal Rules of Civil Procedure, 228
DOJ (Department of Justice), 18, 254
disk controllers, 82
Doninger, Avery, 250
Disk Defragmenter, 54
Downloads.plist file, 407
disk geometry, 36
Dread Pirate Roberts, 170
disk images, 86
Drew, Lori, 445
Disk Jockey PRO Forensic Edition,
86, 89
DriveSpy, 132
Domain Name System. See DNS
Disk Signatures, 44
dry chemical extinguishing solutions,
140
Disk Utility, 406
DSCN (Digital Still Capture Nikon), 376
Disney Wonder Cruise, 427
DST (Daylight Savings Time), 223
DLE (Data Link Escape), 40
Dunn tests, 259
DMG file system, 401
duplicators, 124
DMV (Department of Motor Vehicles),
194
DVDs, 103
DNG (Adobe Digital Negative) formats,
139
Dynamic Host Configuration Protocol.
See DHCP
dynamic IP addresses, 192
DNS (Domain Name System) servers,
301
documentation, 210
E
Chain of Custody forms, 2
crime scenes, 211
E01 files, 137
documenting evidence, 214-220
eBay, 3
expert witnesses, 227-230
Eckhardt, Christopher, 249
mobile forensics, 354
obtaining evidence from service
providers, 211
seizing evidence, 213-214
ECTF (Electronic Crimes Task Force),
16
EDGE (Enhanced Data rates for GSM
Evolution), 334
tools, 220-222
eDiscovery (electronic discovery), 13,
119
Word. See Word
editors, hex, 37, 40
writing reports, 222-227
education, 19-24
9780789741158_forensics.indb 469
11/20/14 10:49 PM
470
EFS (Encrypted File System)
EFS (Encrypted File System), 59
en banc, 447
EHRs (electronic health records), 196
EnCase, 131, 137
EIR (Equipment Identity Register), 331
Encrypted File System. See EFS
Elcomsoft, 138
encryption, 9
electricity requirements (labs), 140
Apple, 411
Electronic Communications Privacy Act
of 1986 (ECPA), 265
BitLocker, 10, 59
Electronic Crime Scene Investigation: A
Guide for First Responders, 211, 348
Skype, 420
Electronic Crimes Task Forces, 14
Electronic Crimes Task Force. See
ECTF
FileVault, 405
End of Sector Markers, 44
endurance, 6. See also evidence
energy requirements (labs), 140
Electronic Frontier Foundation, 271
Enhanced 911, 363
electronic health records. See EHRs
Enhanced Data rates for GSM
Evolution. See EDGE
electronic media, analysis, 226
Electronic Serial Number. See ESN
electronically stored information. See
ESI
Elia, Franklin D., 263
email, 15
Apple ID, 412
evidence, 5-7
hacking, 195
Enron, 3, 6
EnScript, 137
Entersect, 9, 193
environment, Transfer of Evidence
theory, 4
Epoch Time, 399-400
equipment for CSIs (crime scene
investigators), 213-214
investigations, 3
ESI (electronically stored information),
119
Mac forensics, 404
ESN (Electronic Serial Number), 328
preparation labs, 120
espionage, 3
privacy, 253
E.U. (European Union)
servers, 300
access to personal data in, 194
undercover investigations, generating,
165-167
legal system, 278-282
Zacharias Moussaoui case study,
440-441
embezzlement, 3
9780789741158_forensics.indb 470
legislature, 279
European Commission, 279
European Union. See E.U.
Europol, 281
11/20/14 10:49 PM
evidence
471
events, 5, 55
HDD (hard disk drive) worksheets,
217-218
Event Viewer
server worksheets, 218-220
Evans, Josh, 445
Vista (Windows), 55-57
exculpatory, 3
Windows 7, 66-67
handsets, 354-360
evidence
access, 238
images, 140, 380
case studies, 382-383
Asia legal system, 282
comparing digital to analog, 381
European Union (EU) legal system,
278-282
FRE (Federal Rules of Evidence),
380
United States legal system, 239-244
acquisition, 116
IM (Instant Messenger), 182
inculpatory, 3
access restrictions (labs), 141-143
iPhones, 418
lab requirements, 117-124, 128-132,
137-141, 144
labels, 130
private sector labs, 119-121
lockers, 122
admissibility, 248
lists, 212
mobile forensics, 338, 347-354
constitutional law, 248-277
seizing, 213-214
criminal defense, 276
service providers, obtaining from, 211
difficulties with, 277-278
skimmers, 152-155
rules, 271-276
Skype, 420
Android, 341
spoliation, 12
bags, 130
subscribers, 326
best evidence rule, 276
tampering, 6
BTK (Bind Torture Kill) killer case
study, 442
Transfer of Evidence theory, 4
BTS (Base Transceiver Station), 325
devices, extracting from, 147-152
documenting, 214
Chain of Custody forms, 215
types of, 5
cellphones, 10
email, 5-7
images, 7-8
Internet searches, 9
computer worksheets, 216-217
9780789741158_forensics.indb 471
11/20/14 10:49 PM
472
evidence
video, 8-9
F
websites visited, 9
Viber, 423
Face.com, 376
websites, 171-173
Facebook
WhatsApp, 423
background searches, 187-188
Windows 8.1, 71
E.U., 280
Zacharias Moussaoui case study, 438
images, 373-376
Evidence Eliminator, 6
WhatsApp, 423
examining image files, 377-380
fake images, viewing, 381
Exchangeable Image File Format. See
EXIF
false identities, generating, 164, 167,
170
exclusionary rule, 251
falsification of evidence, 6
exculpatory evidence, 3
family court, 244
executive summaries, reports, 225
FARC (Fuerzas Armadas
Revolucionarias de Colombia), 17
exfiltration, 312
exhibits, 227, 440
EXIF (Exchangeable Image File
Format), 377-380
EXIFextracter, 378
Farid, Hany, 381
Fast Global Regular Expressions Print.
See FGREP
FAT (File Allocation Table), 44
ExifTool, 378
FAT12 file system, 44
exigent circumstances, 254
FAT16 file system, 44
expert witnesses, 227-230, 273-274
FAT32 file system, 45
exploitation, 312
FAT64 file system, 45
Extensible Markup Language. See XML
Extensible Messaging and Presence
Protocol. See XMPP
external hard drives, 95-96
extracting evidence from devices,
147-152
Extreme Digital cards. See xD cards
FATX file system, 45
fault tolerance, 92
FBI (Federal Bureau of Investigation),
15
Facebook, 188
Ten Most Wanted list, 372
FCC (Federal Communications
Commission), 142
FCC-IDs, 328
9780789741158_forensics.indb 472
11/20/14 10:49 PM
files
features (Windows operating systems),
53
files
analysis, 4
Vista, 53-59
Cache.db, 407
Windows 7, 59-69
carving, 132, 140
Windows 8.1, 70-72
catalog, 398
federal appellate courts, 242
Federal Bureau of Investigation. See
FBI
Federal Communications Commission.
See FCC
compression, 45
conversion, 37-42
Cookies.plist, 407
deleting, recovering, 401
federal courts, 242
Downloads.plist, 407
Federal Law Enforcement Training
Center. See FLETC
E01, 137
Federal Rules of Civil Procedure. See
FRCP
Federal Rules of Evidence. See FRE
Federal Wiretap Act of 1968, 265-266
email. See email
evidence
cellphones, 10
email, 5-7
FGREP (Fast Global Regular
Expressions Print), 148
groups (Windows 7), 68
Fifth Amendment (U.S. Constitution),
263-264
Internet searches, 9
File Allocation Table. See FAT
file-sharing protocols, 173
file systems, 32
Android, 340
digital photographs, 375
DMG, 401
MFS (Macintosh File System),
397-398
SIM cards, 335
Windows, 44-50
File Translation Layer. See FTL
473
images, 7-8
metadata (Windows), 58
Registry (Windows), 50-52
storage, 34-36
types of, 5
video, 8-9
websites visited, 9
groups (Windows 7), 68
hibernation, 404
images
examining, 377
EXIF (Exchangeable Image File
Format), 377-380
formats, 139
9780789741158_forensics.indb 473
11/20/14 10:49 PM
474
files
index.dat, 200
metadata, 7, 58
PList, 404
RAW, 379
Registry (Windows), 52
router.config, 171
Forbidden Public Land Mobile Network.
See FPLMN
FoneFinder (fonefinder.net), 169
Foreign Intelligence Surveillance Act
(FISA- 1978), 266
Forensic Toolkit. See FTK
forensics
slack, 35
accountants, 22
SMART, 137
definition of, 2
storage, 34-36
evidence
TopSites.plist, 408
FileVault, 405
financial fraud, 149-151
Find My iPhone app, 427
findings (reports), 227
firewalls, 304
FireWire, 94
firmware, 138, 270
First Amendment (U.S. Constitution),
248-251
Fixed Interpol Network Database and
Mobile Interpol Network Database.
See MIND/FIND
flaming, 444
flash cookies, 199
flash drives (USB), 95
flash memory, reading, 99-100
flasher boxes, 359
flashlights, 129
FLETC (Federal Law Enforcement
Training Center), 19
access restrictions (labs), 141-143
cellphones, 10
email, 5-7
extracting from devices, 147-152
images, 7-8
Internet searches, 9
lab requirements, 117-124, 128-132,
137-141, 144
private sector labs, 119-121
skimmers, 152-155
types of, 5
video, 8-9
websites visited, 9
history of, 14
1980s, 14-15
1990s, 15-19
images, 139
importance of, 12-14
investigators
Flickr (images), 376
communication skills, 11
floppy disks, 104-106
computer science skills, 10
9780789741158_forensics.indb 474
11/20/14 10:49 PM
Fourth Amendment (U.S. Constitution)
confidentiality, 12
networks
legal expertise, 11
APTs (Advanced Persistent
Threats), 310-313
linguistics, 11
devices, 294
continuous learning, 11
Mac, 390-391, 398
Apple mobile devices, 409-418,
425-426
case studies, 426-427
deleted file recovery, 401
DMG file system, 401
475
DHCP (Dynamic Host
Configuration Protocol) servers,
298
DNS (Domain Name System)
servers, 301
firewalls, 304
Epoch Time, 399-400
IDS (intrusion detection systems),
304
history of, 393-396
investigating attacks, 313
IOReg Info, 398
OSI (Open Systems
Interconnection), 305-310
journaling, 401
MFS (Macintosh File System),
397-398
ports, 305
operating systems, 404-409
routers, 302-304
PList files, 404
PMAP Info, 399
SMTP (Simple Mail Transport
Protocol) servers, 299-301
SQLite databases, 404
tools, 293-294
mobile, 320-322
evidence, 338, 347-350, 353-354
GPS providers, 360
proxy servers, 295
Web servers, 295-297
routers, 193
formats
handsets, 354-358
images, 139
handset specifications, 338-339
numbering, 37-42
legal considerations, 360-363
reports, 225
manual examinations, 358-360
forms, Chain of Custody, 2, 215
networks, 322, 325, 328, 338
Formspring, 444
operating systems, 339-347
Foursquare, 190
myths about, 3-4
9780789741158_forensics.indb 475
Fourth Amendment (U.S. Constitution),
251-263
11/20/14 10:49 PM
476
FPLMN (Forbidden Public Land Mobile Network)
FPLMN (Forbidden Public Land Mobile
Network), 335
geographic location (longitude and
latitude), images, 139
FragView, 220
geometry, disk, 36
frames, 102
Franklin, Benjamin, 239
General Packet Radio Service. See
GPRS
fraud
geotags, 187
check, 151-152
gestures, 343
financial, 149-151
GIAC Certified Forensic Analyst. See
GCFA
FRCP (Federal Rules of Civil
Procedure), 222
Freedom of the Press Foundation, 171
Freenet, 171
FRE (Federal Rules of Evidence), 380
fruit of the poisonous tree, 252
GIAC (Global Information Assurance
Certification), 23
Giambi, Jason, 447
GIF (Graphics Interchange Format), 380
Glass, Robert, 5
Frye v. United States, 272
Global Information Assurance
Certification. See GIAC
FTK (Forensic Toolkit), 131-132
Global Positioning System. See GPS
FTK Imager, 47-48, 133, 137
FTL (File Translation Layer), 92
Global System for Mobile
Communications. See GSM networks
Fuerzas Armadas Revolucionarias de
Colombia. See FARC
glossaries, 227
fusion centers, 18, 194
GMT (Greenwich Mean Time), 223
Gmail, 167. See also email
goals of expert witnesses, 228
G
Goldstein, Emmanuel. See Corley, Eric
garbage collection, 91
Good Practice Guide for ComputerBased Electronic Evidence, 281
Garfinkel, Simson, 137
Google
GCFA (GIAC Certified Forensic
Analyst), 23
Earth, 195
generating
GoogleTalk, 184
email, undercover investigations,
165-167
identities, 164
geodata, 187
9780789741158_forensics.indb 476
email access, 6
Groups, 185
Gorshkov, Vasily, 195, 257
GPRS (General Packet Radio Service),
333
11/20/14 10:49 PM
hardware
GPS (Global Positioning System), 7
handsets
devices, 362
forensics, 354-358
providers, 360
manual examinations, 358-360
tracking, 258-262, 363
specifications, 338-339
Grand Juries, 263
happy slapping, 444
graphic representations in reports, 224
hard disk drives. See HDDs
graphical user interfaces. See GUIs
hard handoffs, 325
graphics. See also images
hardware, 80
raster, 378
firewalls, 304
vector, 379
flash memory, reading, 99-100
Graphics Interchange Format. See GIF
handsets, 338
Greenwich Mean Time. See GMT
HDDs (hard disk drives), 81
Greig, Catherine, 188
GREP (Global Regular Expressions
Print), 147-149
groups
files (Windows 7), 68
477
IDE (Integrated Drive Electronics),
82
SATA (Serial ATA), 83-93
SCSI (Small Computer System
Interface), 81-82
usenet, 184
IDS (intrusion detection systems), 304
users, searching, 18-179
lab layouts, 124
GSM (Global System for Mobile
Communications) networks, 127
GuerrillaMail, 166
Guidance Software, 13, 131
guidelines, ASCLD/LAB, 117-119
GUIs (graphical user interfaces), 44
mobile forensics, 357
removable memory, 93
Blu-ray discs, 104
CD-RW (compact disc-rewritable),
103
CDs (compact discs), 102
CF (CompactFlash) cards, 98
H
DVDs, 103
external hard drives, 95-96
hackers, 257
hacking email, 195
Halligan, Ryan, 181, 196, 445
Hamilton, Alexander, 239, 271
9780789741158_forensics.indb 477
FireWire, 94
floppy disks, 104-106
magnetic tapes, 107-108
11/20/14 10:49 PM
478
hardware
Memory Sticks, 98
Hickory High School, Pennsylvania, 250
MMCs (MultiMedia cards), 96
Hierarchical File System. See HFS
SD (Secure Digital) cards, 97-98,
101
High Tech Crime Investigation
Association. See HTCIA
USB flash drives, 95
history
xD (Extreme Digital) cards, 99
of Apple, 393-396
Zip disks, 107
of forensics, 14
routers, 302-304
1980s, 14-15
SIM cards, 335
1990s, 15-19
write-blockers, 124
Hash Value Sharing Initiative, 375
of Safari browsers, 406
of United States legal system, 239-244
HB 479, The Offense of Stalking, 443
History.plist, 406
HDDs (hard disk drives), 81
HLR (Home Locator Register), 331
external, 95-96
Holden, Thomas James, 372
IDE (Integrated Drive Electronics), 82
Homeland Security Data Network
(HSDN), 194
SATA (Serial ATA), 83-93
SCSI (Small Computer System
Interface), 81-82
worksheets, 217-218
hearsay, Federal Rules of Evidence
(FRE), 275
hex editors, 37, 40
Hex Workshop, 40
hexadecimal
ASCII conversions, 38-41
to decimal conversion, 38
numbering, 37-38
HFS (Hierarchical File System), 397
HFS+ (Mac OS Extended), 397
Hiberfil.sys file, Vista (Windows), 59
hibernation files, 404
9780789741158_forensics.indb 478
HootSuite, 179
Horton v. California, 254
Host Protected Area. See HPA
hosting (Web), 121
Hotz, George, 270
HPA (Host Protected Area ), 88
HSDN (Homeland Security Data
Network), 194
HSIN-SLIC (Homeland Security
Information Network State and Local
Intelligence Community Interest), 194
HTCIA (High Tech Crime Investigation
Association), 20
HTTP (HyperText Transfer Protocol), 15,
296
Huang, Michelle, 446
Huntington Beach Police Department,
373
11/20/14 10:49 PM
indicators of compromise
479
I
bit-streaming imaging software, 131,
137
I2P (Invisible Internet Project), 171
comparison software, 17
IACIS (International Association of
Computer Investigative Specialists),
21
disk, 86
IACRB (Information Assurance
Certification Review Board), 21
enhancements, 381
evidence, 7-8, 140, 380
case studies, 382-383
iBeacons, 425
comparing digital to analog, 381
IBM, 14
FRE (Federal Rules of Evidence),
380
iBoot, 418
ICAID (INTERPOL Child Abuse Image
Database), 17
EXIF (Exchangeable Image File
Format), 377-380
ICCID (Integrated Circuit Card ID), 330
file systems, 375
Ice Rocket, 178
forensics, 139
iCloud, 406, 419
MD5 hashing, 5
ICSE DB (International Child Sexual
Exploitation image database), 17
metadata, 139, 377
IDE (Integrated Drive Electronics), 82
RAM, 133, 137
virtual machine software, 138
iDEN (Integrated Digital Enhanced
Network), 334
imaging software (iPhones), 417
identities
IMEI (International Mobile Equipment
Identity), 326
generating, 164
masking, 167, 170
theft, 195
impersonation, 444
importance of forensics, 12-14
IDS (intrusion detection systems), 304
IMSI (International Mobile Subscriber
Identity), 329
ILook, 16, 132
Incident Response Team. See IRT
IM (Instant Messenger), 180-182
inculpatory evidence, 3, 252
images, 375
index.dat file, 200
applications, 376
indexing, Vista (Windows), 57
Facebook, 376
India legal system, 282
Flickr, 376
indicators of compromise. See IOCs
Instagram, 377
SnapChat, 377
9780789741158_forensics.indb 479
11/20/14 10:49 PM
480
indictments
indictments, 263
Information Assurance Certification
Review Board. See IACRB
information technology. See IT
InfraGard, 20
InPrivate browsing, 67
In re Boucher, No. 2: 06-mj-91, 2009 WL
424718, 264
Instagram, 376-377
Integrated Circuit Card ID. See ICCID
Integrated Digital Enhanced Network.
See iDEN
International Mobile Subscriber
Identity. See IMSI
international numbering plans, 330
International Organization on
Computer Evidence. See IOCE
International Society of Forensic
Computer Examiners. See ISFCE
International Telecommunication
Union. See ITU
Internet
communications, capturing, 197-200
First Amendment and, 249-251
Integrated Drive Electronics. See IDE
history of forensics (1990s), 15
Intelius, 174
online investigations, 162-163
intellectual property, E.U., 280
intent, email, 5
background searches, 182-187,
190-195
interfaces
online crime, 195-197
APIs (application programming
interfaces), 189
Safari browser, 406
undercover, 163-167, 170
website evidence, 171-173
searching for evidence, 9
SATA (Serial ATA), 83-93
Internet Explorer, 170
SCSI (Small Computer System
Interface), 81-82
Internet Explorer Mobile, 347
Windows 7, 67-68
Internet Relay Chat. See IRC
Internet Protocol. See IP
intermediate appellate courts, 243
Internet service providers. See ISPs
Internal Revenue Service. See IRS
Interpol, 17, 20
International Association of Computer
Investigative Specialists. See IACIS
International Child Sexual Exploitation
image database. See ICSE DB
international collaboration, 17
international databases, 194
International Mobile Equipment
Identity. See IMEI
9780789741158_forensics.indb 480
databases, 194
image evidence, 382
INTERPOL Child Abuse Image
Database. See ICAID
INTERPOL Computer Forensics
Analysis Unit, 17
intrusion detection systems. See IDS
11/20/14 10:49 PM
iPhones
Intrusion Kill Chains, 310
inventory control, private sector labs,
120
investigations
documents, 210
crime scenes, 211
documenting evidence, 214-220
expert witnesses, 227-230
481
investigator skills, 10
communication, 11
computer science, 10
confidentiality, 12
continuous learning, 11
legal expertise, 11
linguistics, 11
Invisible Internet Project. See I2P
obtaining evidence from service
providers, 211
IOCE (International Organization on
Computer Evidence), 17
seizing evidence, 213-214
IOCs (indicators of compromise), 312
tools, 220-222
IOReg Info, 398
writing reports, 222-227
iOS, 410. See also Apple
eDiscovery, 119
iOS 7, 410
evidence. See also evidence
iOS 8, 410-411
cellphones, 10
IP (Internet Protocol), 192
email, 5-7
iPads, 394, 413. See also Apple
images, 7-8
iPhones, 394, 413-418, 425-426. See
also Apple
Internet searches, 9
video, 8-9
websites visited, 9
mobile forensics, documentation, 354
network attacks, 313
online, 162-163
background searches, 182-187,
190-195
evidence, 418
imaging software, 417
Mail, 419
operating modes, 417-418
Safari browsers, 419
Skype, 420
SQLite databases, 420
online crime, 195-197
theft, 427
undercover, 163-167, 170
Touch ID, 416
website evidence, 171-173
versions, 414-416
purpose of, 225
Viber, 422
SCSI (Small Computer System
Interface), 82
9780789741158_forensics.indb 481
11/20/14 10:49 PM
482
iPods
iPods, 393, 412
IRC (Internet Relay Chat), 180-182
JPEG (Joint Photographic Experts
Group), 7, 139, 379
Iridium Communications, 360
JTAG (Joint Test Action Group), 341
IRS (Internal Revenue Service), 16
Judex, 279
IRT (Incident Response Team), 17
judges, 241
IsAnybodyDown, 375
juries, 239-241, 263
ISFCE (International Society of
Forensic Computer Examiners), 21
jurisdiction, 242
ISPs (Internet service providers), 253,
265
IT (information technology), 120
ITU (International Telecommunication
Union), 333
Ivanov, Alexey, 195, 257
K
Kagan, Elena, 260
Kaminski, John, 103
Katz, Charles, 252
Katz v. United States, 252
Kee, Eric, 381
J
Kelley, Coby, 10
Kernell, David, 169
Jablin, Fred, 363
Jackson, Michael, 427
jammers, cellular telephones, 142
Jay, John, 271
JEIDA (Japan Electronic Industry
Development Association), 375
jihadist groups, 178
jobs
openings, attacks, 310
kernels, 42
Kerzic, Duane, 19
keys, DEFAULT, 52
keystroke loggers, 196
Knock and Talk, 254
Krieger, Mike, 377
Kubasiak, Ryan, 390
Kumho Tire Co. v. Carmichael, 273
opportunities, 12-14
Jobs, Steve, 391. See also Apple
L
Joint Photographic Experts Group. See
JPEG
labels (evidence), 130
Joint Test Action Group. See JTAG
labs
Jones, Antoine, 260
journaling, 45, 401
journalspace.com, 186
9780789741158_forensics.indb 482
ASCLD/LAB (American Society of
Crime Laboratory Directors/Lab
Accreditation Board), 117-119
11/20/14 10:49 PM
Library of Congress
budgets, 141
evidence
Foreign Intelligence Surveillance
Act (FISA- 1978), 266
access restrictions, 141-143
PROTECT Act of 2003, 270
private sector labs, 119-121
USA PATRIOT Act, 268-270
requirements, 117-124, 128-132,
137-141, 144
layouts, 121, 124, 128-131, 137-139
constitutional, 248-277
Fifth Amendment, 263-264
First Amendment, 248-251
lands, 102
Fourth Amendment, 251-263
Larson, Stephen, 6
Sixth Amendment, 264-265
Last Numbers Dialed. See LND
latitude, images, 139
law enforcement. See also investigator
skills
access to personal information,
193-195
training, 19-24
European, 278-279
layouts of labs, 121, 124, 128-131,
137-139
Layshock et al v. Hermitage School
District et al, 249
Layshock, Justin, 249
LeadsOnline, 179
Law Enforcement Services Portal. See
LESP
LEAP (Local Number Portability
Enhanced Analytic Platform), 169
Lawful Intercept Configuration Guide,
268
Leap Second Bug, 223
laws
Leavenworth, Kansas, 372
Congressional legislation, 265
Communications Assistance for Law
Enforcement Act (CALEA) (47
U.S.C. § 1002), 268
Computer Fraud and Abuse Act (18
U.S.C. § 2511), 267
Corporate Espionage (18 U.S.C. §
1030(a)(1)), 267
483
leap seconds, 223
legal considerations, mobile forensics,
360-363
legal expertise, investigative skills, 11
Lempel, Ziv, Welch (LZW) lossless data
compression algorithm, 380
LESP (Law Enforcement Services
Portal), 374
Lewinsky, Monica, 169
Digital Millennium Copyright Act
(DMCA) (1998), 270-271
Lewis Mills High School, Connecticut,
251
Federal Wiretap Act of 1968,
265-266
libraries, Pictures Library, 68
9780789741158_forensics.indb 483
Library of Congress, 3
11/20/14 10:49 PM
484
linear filtering (images)
linear filtering (images), 381
linguistics, 11
LinkedIn, 190
Linux systems, 193, 293
lists, evidence, 212
M
Mac computers, 128. See also Apple
forensics, 398
Litvenko, Alexander, 8
Apple mobile devices, 409-418,
425-426
live forensics, 193
case studies, 426-427
livejournal.com, 186
deleted file recovery, 401
LND (Last Numbers Dialed), 335
DMG file system, 401
local databases, 194
Epoch Time, 399-400
Local Number Portability Enhanced
Analytic Platform. See LEAP
IOReg Info, 398
Locard, Edmond, 4
Location Services
iPhones, 425
Skype, 420
Viber, 423-425
locations
cell towers, 322
labs, 143
Lock and Cide, 221
lockers, evidence, 122
locking SIM cards, 418
logical extraction, mobile forensics,
358
logical file sizes, 68
logical storage, 34. See also storage
logs, NTFS, 45
longitude, images, 139
lookups, 169
Lopatka, Sharon, 5
lossless compression, 139
lossy compression, 139
journaling, 401
operating systems, 404-409
PList files, 404
PMAP Info, 399
SQLite databases, 404
history of, 393-396
MFS (Macintosh File System),
397-398
Mac Marshal, 137
Mac mini servers, 391
Mac OS Extended (HFS+), 397
Mac OS X 10.6 (Snow Leopard), 80
MacBooks, 391
Madison, James, 248, 271
Magnet Forensics, 197
Magnetic Media Program (FBI), 15
magnetic tapes, 107-108
magstripe encoders, 154
mail expire (www.mailexpire.com), 166
Mail (iPhones), 419
Mailinator, 167
Lounsbury, Mark, 278
9780789741158_forensics.indb 484
11/20/14 10:49 PM
metadata
Major Industry Identifier. See MII
memory. See also RAM
Major League Baseball (MLB), 447
as evidence, 214
malware, antivirus software, 138
flash, reading, 99-100
Manning, Bradley, 171
handsets, 338
Mann, Matthew, 256
RAM, 92
manual examinations, mobile forensics,
358-360
removable, 93
Marbury v. Madison, 248
masking identities, 167, 170-171
Mason, George, 248
Master Boot Code, 44
Master Boot Record. See MBR
Blu-ray discs, 104
CD-RW (compact disc-rewritable),
103
CDs (compact discs), 102
CF (CompactFlash) cards, 98
Master File Table. See MFT
DVDs, 103
Master Partition Table, 44
external hard drives, 95-96
Mattel vs. MGA Entertainment, Inc., 6
FireWire, 94
MBR (Master Boot Record), 44
floppy disks, 104-106
McCaffrey, Kate, 427
magnetic tapes, 107-108
MCC (Mobile Country Code), 329
ROM, 42
McGuire, Mark, 447
Memory Sticks, 98
McIntyre v. Ohio Elections CommMn,
(1995), 271
MMCs (MultiMedia cards), 96
MD5 algorithm, 5, 374
media
analysis, 226
partitions, 410
medical record theft, 196
megapixels, 378
Megaproxy.com, 169
MEID (Mobile Equipment Identifier), 328
Meier, Megan, 196, 445
Melendez-Diaz v. Massachusetts, 265
Mellon, John, 21
memberships searching user groups,
178-179
9780789741158_forensics.indb 485
485
SD (Secure Digital) cards, 97-98,
101
USB flash drives, 95
xD (Extreme Digital) cards, 99
Zip disks, 107
Vista (Windows), 57
Memory Sticks, 98
Mesa Verde High School, 163
metadata, 132
EXIF (Exchangeable Image File
Format), 377-380
files, 7, 58
images, 139, 377
11/20/14 10:49 PM
486
methodologies, reports
methodologies, reports, 226
iPhones, 413-418, 425-426
Metropolitan Transportation Authority
(MTA), 12
security, 411
MOBILedit, 355
MFS (Macintosh File System), 397-398
Mobile Equipment Identifier. See MEID
MFT (Master File Table), 46-47
mobile forensics, 320-322
Michigan State Police, 262
Micro Systemation, 356
Microsoft. See also Windows operating
systems
evidence, 338, 347-350, 353-354
GPS providers, 360
handsets, 338-339, 354-358
email access, 6
legal considerations, 360-363
Windows Phone, 347
manual examinations, 358-360
Word, 8
networks, 322, 325, 328, 338
MiFi (My Wireless Fidelity), 332
operating systems, 339-347
MII (Major Industry Identifier), 149
SIM cards, 334-337
Miller v. California, 413 U.S. 15 (1973),
251
Mobile Network Operators. See MNOs
MIME (Multipurpose Internet Mail
Extensions), 301
Mobile Stations, 326
MIND/FIND (Fixed Interpol Network
Database and Mobile Interpol
Network Database), 194
Miranda v. Arizona, 264
Mobile Phone Examiner. See MPE+
Mobile Subscriber Identity Number.
See MSIN
Mobile Subscriber ISDN. See MSISDN
Mobile Switching Center. See MSC
MMCs (MultiMedia cards), 96
Mobile Virtual Network Operators. See
MVNOs
MMS (Multimedia Messaging Service),
211, 338
modes, iPhones, 417-418
mobile apps, 221
MNOs (Mobile Network Operator), 331
Mobile Country Code. See MCC
mobile devices (Apple), 409
iOS, 410
iOS 7, 410
modifying images, 381
monitoring blogs, 186-187
Mountain Standard Time. See MST
Moussaoui, Zacharias, 438-441
MPE+ (Mobile Phone Examiner), 355
MSC (Mobile Switching Center), 322
iOS 8, 410-411
MSIN (Mobile Subscriber Identity
Number), 329
iPads, 413
MSISDN (Mobile Subscriber ISDN), 330
MST (Mountain Standard Time), 223
9780789741158_forensics.indb 486
11/20/14 10:49 PM
networks
MTA (Metropolitan Transportation
Authority), 12
NCFI (National Computer Forensics
Institute), 16
MultiMedia cards. See MMCs
NCIC (National Crime Information
Center), 194
Multimedia Messaging Service. See
MMS
multiple displays (Mac), 406
NCMEC (National Center for Missing
and Exploited Children), 15, 374
Multipurpose Internet Mail Extensions.
See MIME
NCTC (National Counterterrorism
Center), 194
murder, 3
NETCRAFT, 172
Murray, Conrad, 427
Network Analyzer, 221
MVNOs (Mobile Virtual Network
Operators), 331
network layer (Layer 3), 306
MySpace, 190, 250
487
networks
myths about forensics, 3-4
APTs (Advanced Persistent Threats),
310-313
My Wireless Fidelity. See MiFi
attack investigations, 313
backing up to, 62
N
National Center for Missing and
Exploited Children. See NCMEC
cellular, 322, 328-338
forensics
devices, 294
National Computer Forensics Institute.
See NCFI
DHCP (Dynamic Host
Configuration Protocol) servers,
298
National Counterterrorism Center
(NCTC), 194
DNS (Domain Name System)
servers, 301
National Crime Information Center. See
NCIC
firewalls, 304
National Institute of Science and
Technology. See NIST
National Labor Relations Board (NLRB),
163
IDS (intrusion detection systems),
304
OSI (Open Systems
Interconnection), 305-310
National White Collar Crime Center.
See NW3C
ports, 305
navigating Windows 7, 67-68
routers, 302-304
9780789741158_forensics.indb 487
proxy servers, 295
11/20/14 10:49 PM
488
networks
SMTP (Simple Mail Transport
Protocol) servers, 299-301
subscriber authentication, 331
tools, 293-294
hexadecimal, 37-38
international numbering plans, 330
NW3C (National White Collar Crime
Center), 20
Web servers, 295-297
GSM (Global System for Mobile
Communications), 127
O
P2P (peer-to-peer), 171
Objective-C, 401
pedophile, 178
O’Brien, James, 381
professional, 190
obtaining evidence from service
providers, 211
social. See social networking
Neustar (www.neustar.biz), 169
Ochoa III, Higinio O., 427
New Technology File System. See
NTFS
O’Connor v. Ortega, 480 U.S. 709
(1987), 252
New York City Department of
Education, 20
Office Hub, 347
New York Court of Appeals, 261
OLAF (European Anti-fraud Office), 281
New York Police Department, 193, 383
Olmstead, Roy, 252
New York State Supreme Court, 263
Olmstead v. United States, 277 U.S. 438
(1928), 252
New York v. Perez, 263
New York v. Weaver, 261
newsgroups, 184
nibbles, 38
Ninth Circuit Court, 253, 258, 447
NIST (National Institute of Science and
Technology), 224, 348
NLRB (National Labor Relations Board),
163
notifications (Macs), 406
NTFS (New Technology File System), 45
numbers
Ohio v. Johnson, 261
online communications, capturing,
197-200
online investigations, 162-163
online crime, 195
credit cards, 195
cyberbullying, 196
identity theft, 195
medical records, 196
social networks, 196-197
undercover, 163-164
allocation blocks, 397
background searches, 182-187,
190-195
formats, 37-42
generating email accounts, 165-167
9780789741158_forensics.indb 488
11/20/14 10:49 PM
pedophiles
generating identities, 164
OS X (Mac), 391, 405-406
masking identities, 167, 170
outing, 444
website evidence, 171-173
ownership
online polls, 444
email, 5
online proxy, 169
USB devices (Windows 7), 63
Open Systems Interconnection. See
OSI
operating modes (iPhones), 417-418
operating systems
Android, 184
boot processes, 42-44
iOS, 410
P
P2P (peer-to-peer) networks, 171
Pace University, 20
packet sniffers, 294
Palin, Sarah, 169, 195
iOS 7, 410
Palo Alto Police, 427
iOS 8, 410-411
Paraben, 13
journaling, 401
Parallel ATA. See PATA
Mac forensics, 404
partitions, 34, 44
OS X, 405-406
media, 410
TDM (Target Disk Mode), 408-409
root, 410
mobile, 339-347
Passware, 138
Windows
password-cracking software, 4,
138-139
conversion, 37-42
features, 53
file storage, 34-36
file systems, 44-50
Registry, 50-52
Vista, 53-59
Windows 7, 59-69
Windows 8.1, 70-72
opportunities, job, 12-14
Oregon v. Meredith, 261
Ortega, Magno, 252
OSI (Open Systems Interconnection),
305-310
9780789741158_forensics.indb 489
489
Password Recovery Toolkit. See PRTK
passwords
Apple ID, 412
iCloud Keychain, 406
PATA (Parallel ATA), 83, 86-93
paths, Registry (Windows 7), 66
PATRIOT Act, 16, 254, 268-270
Paul, Christopher Neil, 383
PCs (personal computers), 14, 128
pedophiles
email as evidence, 5
networks, 178
11/20/14 10:49 PM
490
peer-to-peer
peer-to-peer. See P2P
physical memory, Vista (Windows), 57
pen registers, 258
physical security of labs, 142
People Hub, 347
physical storage, 34
People v. Diaz, 256
Pictures Library, 68
People v Spinelli, 35, 77, 81, 263
pictures, 8. See also images
performance-enhancing drugs (PEDs),
447
Pin Unblocking Key. See PUK
pipl.com, 176
persistent cookies, 199
Pirate Bay, 173
personal computers. See PCs
pits, 102
personal information, law enforcement
access to, 193-195
pixels, 378
Personal Unblocking Code. See PUC
PhotoDNA, 374
photographs, 375. See also images
applications, 376
plain error, 255
plaintiffs, 119, 239
plain view doctrine, 254
platters, 35
Playstation 3, 270
Facebook, 376
Please Rob M, 188
Flickr, 376
PList files, 401-404
Instagram, 377
plutil (property list utility), 402
SnapChat, 377
PMAP Info, 399, 402
evidence, 380
case studies, 382-383
comparing digital to analog, 381
FRE (Federal Rules of Evidence),
380
PNG (Portable Network Graphics), 7,
380
pornography
child. See child pornography
in classrooms, 277
EXIF (Exchangeable Image File
Format), 377-380
Portable Network Graphics. See PNG
file systems, 375
PowerBook laptops, 391
metadata, 377
precedents, 240
ports, 305
physical evidence, 4. See also evidence
predictive coding, 226
physical extractions, mobile forensics,
358
preparation for expert witnesses, 228
physical file size, 35
press releases, attacks, 311
presentation layer (Layer 6), 308
physical layer (Layer 1), 306
9780789741158_forensics.indb 490
11/20/14 10:49 PM
raster graphics
491
prevalence, email as evidence, 6
providers (GPS), 360
Prince Edward Island, 188, 374
proxy servers, 295
Prince, Phoebe, 196, 444
proxy services, 169
privacy. See also access
PRTK (Password Recovery Toolkit), 4,
120
email, 253
E.U, 279-280
India, 282
private investigation firms, 13
private sector labs, 119-121
probable cause, 252
PSAP (Public Safety Access Point), 363
PSTN (Public Switched Telephone
Network), 322
public records, 191
Public Safety Access Point. See PSAP
probate court, 244
Public Switched Telephone Network.
See PSTN
processes
PUC (Personal Unblocking Code), 337
boot, 42-44
PUK (Pin Unblocking Key), 326, 337
MD5 hashing, 5
purpose of investigations, 225
ware-leveling, 91
processing handsets, 338
ProDiscover, 313
professional networks, 190
promiscuous mode, 294
Q
Quick Look, 398
Quon, Jeff, 266
property list utility. See plutil
property (stolen), searching, 179-187
prosecution (documentation), 210
R
crime scenes, 211
documenting evidence, 214-220
expert witnesses, 227-230
obtaining evidence from service
providers, 211
seizing evidence, 213-214
tools, 220-222
writing reports, 222-227
Rader, Dennis Lynn, 441. See also BTK
killer
RAID (Redundant Array of Independent
(or Inexpensive) Disks), 92-93, 293
RAM (random access memory), 9, 92,
293
as evidence, 214
imaging, 133, 137
prosecution affidavits, Zacharias
Moussaoui, 440
raster-based graphics, 139. See also
images
PROTECT Act of 2003, 16, 270
raster graphics, 378
9780789741158_forensics.indb 491
11/20/14 10:49 PM
492
Ravi, Dharun
Ravi, Dharun, 446
RAW files, 379
Regional Computer Forensics
Laboratory. See RCFL
RAW formats, 139
Registry Viewer, 52
RCFL (Regional Computer Forensics
Laboratory), 18-19
Registry (Windows), 52
reading flash memory, 99-100
analysis, 65-66
online communications capture, 200
read-only memory. See ROM
regulatory law, 240
ReadyBoost, Vista (Windows), 57
reliability, 92
Real Time Crime Center. See RTCC
removable memory, 93. See also
memory
Research in Motion. See RIM
reconnaissance, 310
Blu-ray discs, 104
Record Management Systems (RMS),
194
CD-RW (compact disc-rewritable), 103
records
cellular phones, 361
public, 191
subscriber, 326
recovery. See also PRTK
deleted files, 4, 401
digital data, 3
evidence
cellphones, 10
email, 5-7
images, 7-8
Internet searches, 9
types of, 5
video, 8-9
websites visited, 9
Recovery Mode (iPhones), 417
Recycle Bin, 92
Redundant Array of Independent (or
Inexpensive) Disks. See RAID
CDs (compact discs), 102
CF (CompactFlash) cards, 98
DVDs, 103
external hard drives, 95-96
FireWire, 94
floppy disks, 104-106
magnetic tapes, 107-108
Memory Sticks, 98
MMCs (MultiMedia cards), 96
SD (Secure Digital) cards, 97-98, 101
USB flash drives, 95
xD (Extreme Digital) cards, 99
Zip disks, 107
reports (investigations), 210
crime scenes, 211
documenting evidence, 214-220
expert witnesses, 227-230
obtaining evidence from service
providers, 211
seizing evidence, 213-214
9780789741158_forensics.indb 492
11/20/14 10:49 PM
searches
tools, 220-222
Rule 52(b), 255
writing reports, 222-227
Rule 902(11), Rule 902(12), 275
Research in Motion. See RIM
Rules of Criminal Procedure, 255
resource forks, 397
Russian hackers, 257
Restoration of images, 381
Ryan, Steven, 262
493
restoration points (Windows 7), 61
revenge porn, 375
reverse lookups, 169
RF Shield Boxes, 351
Rigmaiden, Daniel David, 258
Riley v. California, 263
RIM (Research in Motion), 345
RMS (Record Management Systems),
194
Rodriguez, Alex, 447
Rombom, et al. v. Weberman et al., 6
ROM (read-only memory), 42
rootkits, 45
root partitions, 410
Rountree, Piper, 10, 363
router.config file, 171
S
Safari browsers, 406-408, 419
safety, labs, 140
Samsung Galaxy, 340
Sanchez, Rodolfo, 12
Sarbanes-Oxley Act, 119
SATA (Serial ATA), 83-93, 128
satellite communication services, 360
saving digital photographs, 375
SCA (Stored Communications Act), 6,
253, 265
Scientific Working Group on Digital
Evidence. See SWGDE
Router Marshal, 193
Scientific Working Group on Imaging
Technologies. See SWGIT
RouterPasswords.com, 193
screen capture software, 197-198
routers, 193, 302-304
screwdrivers, 128
routes, 363
scripting languages, 298
Royal Canadian Mounted Police
(RCMP), 188, 374
SCSI (Small Computer System
Interface), 81-82
RTCC (Real Time Crime Center), 193
SD (Secure Digital) cards, 97-98, 101
rules
Search Bug, 175
best evidence, 276
searches
exclusionary, 251
background searches, 173-174,
177-187, 190-195
FRE (Federal Rules of Evidence), 380
digital surveillance as, 258
evidence admissibility, 271-276
9780789741158_forensics.indb 493
11/20/14 10:49 PM
494
searches
Internet as evidence, 9
servers
and seizure, 261
DHCP (Dynamic Host Configuration
Protocol), 298
stolen property, 183-187
DNS (Domain Name System), 301
Vista (Windows), 57
Mac mini, 391
warrantless searches, 254-257
OS X Server, 391
warrants (Fourth Amendment),
252-254
proxy, 295
search incident to a lawful arrest, 256
Windows 7, 69
SEC (Securities and Exchange
Commission), 13, 119
sectors, 34
SMTP (Simple Mail Transport
Protocol), 299-301
Web, 9, 295-297
worksheets, 218-220
services (digital photographs), 376
Secure Digital cards. See SD cards
Facebook, 376
SecureDrop, 171
Flickr, 376
Secure Techniques for Onsite Preview.
See STOP
Instagram, 377
SnapChat, 377
Securities and Exchange Commission.
See SEC
session layer (Layer 5), 308
security
sessions
Android, 343
cookies, 199
Apple, 411-412
on compact discs, 103
APTs (Advanced Persistent Threats),
310-313
Sewell, Dara K., 440
attacks. See attacks
Shield Boxes, 351
evidence lockers, 122
Short Message Service. See SMS
firewalls, 304
forensics, comparisons, 3-4
labs, access restrictions, 141-143
Windows 8.1, 72
sexting, 444
Shugart Associates, 81
signal jammers, 142
SIM cards, 329-337, 418
SIMCon, 356
seizing evidence, 213-214
Simple Mail Transport Protocol. See
SMTP
September 11, 2001, 268. See also
terrorists
SIM (Subscriber Identification Module)
cards, 127
Serial ATA. See SATA
9780789741158_forensics.indb 494
11/20/14 10:49 PM
SSDs (solid state drives)
Sixth Amendment (U.S. Constitution),
264-265
skills of investigators, 10
communication, 11
495
MySpace, 190
Twitter, 189
soft handoffs, 325
software, 130. See also applications
computer science, 10
antivirus, 138
confidentiality, 12
bit-stream imaging, 131, 137
continuous learning, 11
firewalls, 304
legal expertise, 11
IDS (intrusion detection systems), 304
linguistics, 11
mobile forensics, 354-355
skimmers, 8, 152-155
skipease.com, 176
Skype, 183, 420
slack, files, 35
sleepimage files, 404
password-cracking, 138-139
Tor, 170
virtual machines, 138
solid state drives. See SSDs
Sleuthkit, 132, 137
Sony Computer Entertainment America
v. George Hotz, 270
Small Computer System Interface. See
SCSI
Sony Music Entertainment v. Does, 271
SMART files, 137
sound recordings, 270
SmartCarving, 140
South Dakota v. Opperman (1976) 428
U.S. 364 (96 S.Ct. 3092), 262
smartphones, 340. See also mobile
forensics
Southwest Airlines, 363
Smith v. Maryland, 442 U.S. 735 (1979),
258
Spencer, Elliot, 16
SMS (Short Message Service), 337
SMTP (Simple Mail Transport Protocol)
servers, 299-301
Souza, Dawnmarie, 163
spindles, 35
spoleo.com, 176
spoliation of evidence, 12
Smyth v. The Pillsbury Company, 266
sports case studies, 447-448
Snagit, 198
Spotlight, 398
SnapChat, 377
Spring.me, 444
Snowden, Edward, 171
SpyDialer.com, 168
social networking, 187
SQLite databases, 340, 404, 420
crimes, 196-197
SSDs (solid state drives), 90-91
Facebook, 187-188
Foursquare, 190
9780789741158_forensics.indb 495
11/20/14 10:49 PM
496
standards
standards
OSI (Open Systems Interconnection),
305-310
Unicode, 42
subpoenas, 264
subscriber evidence, 326, 331
Subscriber Identification Module cards.
See SIM cards
standby counsel objections, Zacharias
Moussaoui, 439
subscriber records, 326
standing, 256
Supreme Court, 242
state appellate courts, 243
Supreme Court of California, 256
state courts, 243
surveillance
state laws, GPS tracking devices,
261-262
State of Connecticut v. John Kaminski,
103
State v. Armstead, 275
Suicide Prevention Law (Act 114), 445
as search, 258
video, 8. See also video
suspects, background searches,
173-187, 182-195
statutory law, 240
SWGDE (Scientific Working Group on
Digital Evidence), 119
Stengart vs. Loving Care Agency, Inc.,
6
SWGIT (Scientific Working Group on
Imaging Technologies), 381
steroids, 447
Symbian, 345
Sticky Notes (Windows 7), 65
SYN flood attacks, 308
statistics, websites, 172
SYN-SYN-ACK handshakes, 307
sting operations, 164
Stingray, 258
system configuration, Registry
(Windows), 50-52
stolen goods, tracking, 427
System Software Personalization, 410
stolen property, searching, 183-187
System Status, 221
STOP (Secure Techniques for Onsite
Preview), 20
Systrom, Kevin, 377
storage, 34. See also memory
digital photographs, 375
files, 34-36
Stored Communications Act (SCA), 6
structure
of United States legal system, 239-244
of reports, 224, 227
T
table of contents. See TOCs
tables
byte conversion, 36
MFTs, 46-47
tablets, 361
subnet masks, 299
9780789741158_forensics.indb 496
11/20/14 10:49 PM
tools
TAC (Type Allocation Code), 326
497
Tagged Image File Format. See TIFF
Threat and Local Observation Notice.
See TALON
tags (Macs), 406
three-message handshakes, 307
Tails, 170
TIFF (Tagged Image File Format), 7, 380
TALON (Threat and Local Observation
Notice), 194
Time Division Multiple Access. See
TDMA
tampering with evidence, 6, 130
Tinker, John, 249
Tandy, 14
Tinker, Mary Beth, 249
Target Disk Mode. See TDM
Tinker v. Des Moines Independent
Community School District, (1969),
249
TCP (Transmission Control Protocol),
307
TDM (Target Disk Mode), 408-409
TDMA (Time Division Multiple Access),
333
tech forums, attacks, 311
Tech Pathways, 313
Tellme, 347
Temporary Mobile Subscriber Identity.
See TMSI
TLO (Terrorism Liaison Officer), 194
TMSI (Temporary Mobile Subscriber
Identity), 331
Tobolski, Donny, 163
TOCs (table of contents), 103, 225
TomTom, 362. See also GPS
tools, 4
Adroit Forensics, 140
Tenth Circuit U.S. Court of Appeals, 255
AIM, 183
Terrorism Liaison Officer (TLO), 194
Android, 344
terrorists, 194
BitLocker, 10, 59
attacks, 194
bit-stream imaging, 4
blogs, 186
Boot Camp, 80
The-cloak.com, 169
COFEE, 63
theft
Disk Defragmenter, 54
credit cards, 195
identity, 195
Disk Jockey PRO Forensic Edition, 86,
89
iPhones, 427
Disk Utility, 406
medical records, 196
documentation, 214, 220-222
The Onion Router. See TOR
Chain of Custody forms, 215
theories, Transfer of Evidence, 4
computer worksheets, 216-217
theultimates.com, 174
9780789741158_forensics.indb 497
11/20/14 10:49 PM
498
tools
HDD (hard disk drive) worksheets,
217-218
TOR (The Onion Router), 68
server worksheets, 218-220
touch screens (Windows 7), 64
Touch ID (iPhones), 416
Epoch Time, 399-400
TPM (Trusted Platform Module), 59
EXIFextracter, 378
tracking
ExifTool, 378
changes, 45
FileVault, 405
GPS, 258-262, 363
FTK Imager, 47-48
stolen goods, 427
GREP (Global Regular Expressions
Print), 147-149
tracks, 34, 103, 363
I2P (Invisible Internet Project), 171
traffic
trackpoints, 362
ILook, 16
court, 244
IM (Instant Messenger), 182
stops (Fourth Amendment), 262-263
IOReg Info, 398
training, 19-24
iPhones, 417
Transfer of Evidence theory, 4
labs, 128
Transmission Control Protocol. See
TCP
Magnet Forensics, 197
networks, 293-294
PMAP Info, 399
PRTK (Password Recovery Toolkit),
120
plutil (property list utility), 402
triage forensics, 193
Trial Courts of Limited Jurisdiction, 244
tricking, 444
TRIM, 92
Trojan horses, 196, 311
Trusted Platform Module. See TPM
Snagit, 198
tweetpaths.com, 189
Skype. See Skype
TwitPic, 189
TwitPic, 189
Twitter, background searches, 189
validation, 348
Type Allocation Code. See TAC
Vere Software, 197
types
video, 199
of cellular service carriers, 331-334
WayBackMachine, 171
of compression, 139
WhatsApp, 423
of cookies, 199
TopSites.plist file, 408
Tor, 170
9780789741158_forensics.indb 498
11/20/14 10:49 PM
USB (universal serial bus)
of evidence, 5
Unique Device Identifiers. See UDIDs
cellphones, 10
United States legal system, 239-244
email, 5-7
United States Secret Service. See
USSS
images, 7-8
Internet searches, 9
video, 8-9
websites visited, 9
of images, 7, 378
499
United States v. Carey, 254
United States v. Jones, 260
United States v. Leon, 468 U.S. 897
(1984), 253
United States v. Lori Drew, 445
United States v. Magana, 512 F.2d
1169-1171 (9th Cir. 1975), 260
U
United States v. Mann (No. 08-3041,
256
UCD (University College Dublin), 20
UDIDs (Unique Device Identifiers), 411
United States v. McConney, 728 F.2d
1195, 1199 (9th Cir.), 254
UFED (Universal Forensics Extraction
Device), 357
United States v. Tank, 275
UICC (Universal Integrated Circuit
Card), 328
United States v. Ziegler, 253
UMTS (Universal Mobile
Telecommunications System), 334
unallocated storage space, 33
undercover investigations, 163-164.
See also investigations
background searches, 173-174,
177-187, 190-195
email, generating, 165-167
identities
generating, 164
masking, 167, 170
website evidence, 171-173
Unicode, 42
United States v. Warshak, 253
Universal Forensics Extraction Device.
See UFED
Universal Integrated Circuit Card. See
UICC
Universal Time Coordinated. See UTC
University College Dublin. See UCD
unlocking SIM cards, 418
UPS (uninterruptible power supply), 140
URIs (uniform resource identifiers), 296
USA PATRIOT Act, 14-16, 254, 268-270
USB (universal serial bus)
flash drives, 95
ownership of, 63
uniform resource identifiers. See URIs
uninterruptible power supply. See UPS
9780789741158_forensics.indb 499
11/20/14 10:49 PM
500
U.S. court system
U.S. court system, 241
vector graphics, 379
appeals courts, 242
Vere Software, 197
federal appellate courts, 242
verification, MD5 hashing, 5
federal courts, 242
versions
intermediate appellate courts, 243
iPhones, 414-416
state appellate courts, 243
Windows
state courts, 243
Vista, 53-59
Supreme Court, 242
Windows 7, 59-69
Trial Courts of Limited Jurisdiction,
244
Windows 8.1, 70-72
Viber, 422
U.S. District Courts, 243
video
U.S. District Court of Arizona, 258
evidence, 8-9
usenet groups, 184
online communication capture, 199
user groups, searching, 178-179
tools, 199
U.S. Naval Research Laboratory, 170
USSS (United States Secret Service),
16
U.S. v. Daniel David Rigmaiden, 258
U.S. v. Dunn, 480 U.S. 294 (1987), 259
U.S. v. Jones, 261
U.S. v. Knotts 460 U.S. 276 (1983), 259
U.S. v. McIver, 259
U.S. v. Pineda-Moreno, 259
viewing
BIOS, 42
cookies, 199-200
Event Viewer
Vista (Windows), 55
Windows 7, 66-67
Registry Viewer, 52
residences, 195
U.S. v. Simpson, 255
Virginia Declaration of Rights, 248
UTC (Universal Time Coordinated), 223
Virginia Polytechnic, 3
Virtual Global Taskforce, 17
virtual machine software, 138
V
viruses, 45, 311
VLR (Visitor Locator Register), 331
vacuuming, 404
Volume Shadow Copy, 58, 313
validation tools, 348
values, bits, 37
vBulletin, 178
9780789741158_forensics.indb 500
11/20/14 10:49 PM
X-Ways Forensics
W
501
storage, 34-36
Vista, 53-59
Wantirna South, Melbourne, Australia,
427
ware-leveling, 91
warrantless searches, 254-257
Warshak, Steve, 253
Washington v. Jackson, 150 Wash.2d
251, 76 P.3d 217 (Wash. 2003), 261
WayBackMachine, 171
Wayne, Ronald, 391
waypoints, 363
WCDMA (Wide Band CDMA), 333
Windows 7, 59-69
Windows 8.1, 70-72
Windows Phone, 347
WinHex, 132
wireless capabilities, 352-353
wireless devices (Apple), 395
Wireless Fidelity (WiFi) connections,
142
witnesses, expert, 227-230, 273-274
Wolf, Cassidy, 375
weaponization, attacks, 311
Word (Microsoft), 8. See also
documents
Web browsers, 67-68, 296
workbenches, lab layouts, 122
Web hosting, private sector labs, 121
worksheets, 216-217
Web servers, 9, 295-297
webcasting, 270
websites, evidence, 171-173, 9
Weeks v. United States, 232 U.S. 383
(1914), 251
Weiner, Charles R., 266
WhatsApp, 423-425
HDDs (hard disk drives), 217-218
servers, 218-220
workstations, lab layouts, 122
Wozniak, Steve, 391. See also Apple
write-blockers, 100, 124
writing reports, 222-227
whistleblowers, 171
Windows bitmap (BMP, 7
X
Windows File Registry, applying, 200
Windows Live Messenger, 184
XAMN tool (Micro Systemation), 356
Windows operating systems, 53
xD (Extreme Digital) cards, 99
boot processes, 42-44
XML (Extensible Markup Language), 56
conversion, 37-42
XMPP (Extensible Messaging and
Presence Protocol), 182
file systems, 44-50
Registry, 50-52
Safari for, 408
9780789741158_forensics.indb 501
XOR algorithm, 183
XPath (XML Path Language), 57
X-Ways Forensics, 132
11/20/14 10:49 PM
502
Yahoo!
Y
Z
Yahoo!
zabasearch.com, 174
email access, 6
Zdziarski, Jonathan, 390
Messenger, 183
Zeus, 196
Yemen, 187
Ziegler, William Wayne, 253
zillow.com, 195
Zip disks, 107
9780789741158_forensics.indb 502
11/20/14 10:49 PM