Table of Contents for
System Forensics, Investigation, and Response, 3rd Edition


System Forensics, Investigation, and Response, 3rd Edition, by Easttom. Published by Jones & Bartlett Learning, 2017.
  1. Cover Page
  2. Contents
  3. System Forensics, Investigation, and Response
  4. Title Page
  5. Copyright Page
  6. Content
  7. Preface
  8. About the Author
  9. PART I Introduction to Forensics
  10. CHAPTER 1 Introduction to Forensics
  11. What Is Computer Forensics?
  12. Understanding the Field of Digital Forensics
  13. Knowledge Needed for Computer Forensics Analysis
  14. The Daubert Standard
  15. U.S. Laws Affecting Digital Forensics
  16. Federal Guidelines
  17. CHAPTER SUMMARY
  18. KEY CONCEPTS AND TERMS
  19. CHAPTER 1 ASSESSMENT
  20. CHAPTER 2 Overview of Computer Crime
  21. How Computer Crime Affects Forensics
  22. Identity Theft
  23. Hacking
  24. Cyberstalking and Harassment
  25. Fraud
  26. Non-Access Computer Crimes
  27. Cyberterrorism
  28. CHAPTER SUMMARY
  29. KEY CONCEPTS AND TERMS
  30. CHAPTER 2 ASSESSMENT
  31. CHAPTER 3 Forensic Methods and Labs
  32. Forensic Methodologies
  33. Formal Forensic Approaches
  34. Documentation of Methodologies and Findings
  35. Evidence-Handling Tasks
  36. How to Set Up a Forensic Lab
  37. Common Forensic Software Programs
  38. Forensic Certifications
  39. CHAPTER SUMMARY
  40. KEY CONCEPTS AND TERMS
  41. CHAPTER 3 ASSESSMENT
  42. PART II Technical Overview: System Forensics Tools, Techniques, and Methods
  43. CHAPTER 4 Collecting, Seizing, and Protecting Evidence
  44. Proper Procedure
  45. Handling Evidence
  46. Storage Formats
  47. Forensic Imaging
  48. RAID Acquisitions
  49. CHAPTER SUMMARY
  50. KEY CONCEPTS AND TERMS
  51. CHAPTER 4 ASSESSMENT
  52. CHAPTER LAB
  53. CHAPTER 5 Understanding Techniques for Hiding and Scrambling Information
  54. Steganography
  55. Encryption
  56. CHAPTER SUMMARY
  57. KEY CONCEPTS AND TERMS
  58. CHAPTER 5 ASSESSMENT
  59. CHAPTER 6 Recovering Data
  60. Undeleting Data
  61. Recovering Information from Damaged Media
  62. File Carving
  63. CHAPTER SUMMARY
  64. KEY CONCEPTS AND TERMS
  65. CHAPTER 6 ASSESSMENT
  66. CHAPTER 7 Email Forensics
  67. How Email Works
  68. Email Protocols
  69. Email Headers
  70. Tracing Email
  71. Email Server Forensics
  72. Email and the Law
  73. CHAPTER SUMMARY
  74. KEY CONCEPTS AND TERMS
  75. CHAPTER 7 ASSESSMENT
  76. CHAPTER 8 Windows Forensics
  77. Windows Details
  78. Volatile Data
  79. Windows Swap File
  80. Windows Logs
  81. Windows Directories
  82. Index.dat
  83. Windows Files and Permissions
  84. The Registry
  85. Volume Shadow Copy
  86. Memory Forensics
  87. CHAPTER SUMMARY
  88. KEY CONCEPTS AND TERMS
  89. CHAPTER 8 ASSESSMENT
  90. CHAPTER 9 Linux Forensics
  91. Linux and Forensics
  92. Linux Basics
  93. Linux File Systems
  94. Linux Logs
  95. Linux Directories
  96. Shell Commands for Forensics
  97. Kali Linux Forensics
  98. Forensics Tools for Linux
  99. CHAPTER SUMMARY
  100. KEY CONCEPTS AND TERMS
  101. CHAPTER 9 ASSESSMENT
  102. CHAPTER 10 Macintosh Forensics
  103. Mac Basics
  104. Macintosh Logs
  105. Directories
  106. Macintosh Forensic Techniques
  107. How to Examine a Mac
  108. Can You Undelete in Mac?
  109. CHAPTER SUMMARY
  110. KEY CONCEPTS AND TERMS
  111. CHAPTER 10 ASSESSMENT
  112. CHAPTER 11 Mobile Forensics
  113. Cellular Device Concepts
  114. What Evidence You Can Get from a Cell Phone
  115. Seizing Evidence from a Mobile Device
  116. JTAG
  117. CHAPTER SUMMARY
  118. KEY CONCEPTS AND TERMS
  119. CHAPTER 11 ASSESSMENT
  120. CHAPTER 12 Performing Network Analysis
  121. Network Packet Analysis
  122. Network Traffic Analysis
  123. Router Forensics
  124. Firewall Forensics
  125. CHAPTER SUMMARY
  126. KEY CONCEPTS AND TERMS
  127. CHAPTER 12 ASSESSMENT
  128. PART III Incident Response and Resources
  129. CHAPTER 13 Incident and Intrusion Response
  130. Disaster Recovery
  131. Preserving Evidence
  132. Adding Forensics to Incident Response
  133. CHAPTER SUMMARY
  134. KEY CONCEPTS AND TERMS
  135. CHAPTER 13 ASSESSMENT
  136. CHAPTER 14 Trends and Future Directions
  137. Technical Trends
  138. Legal and Procedural Trends
  139. CHAPTER SUMMARY
  140. KEY CONCEPTS AND TERMS
  141. CHAPTER 14 ASSESSMENT
  142. CHAPTER 15 System Forensics Resources
  143. Tools to Use
  144. Resources
  145. Laws
  146. CHAPTER SUMMARY
  147. KEY CONCEPTS AND TERMS
  148. CHAPTER 15 ASSESSMENT
  149. APPENDIX A Answer Key
  150. APPENDIX B Standard Acronyms
  151. Glossary of Key Terms
  152. References
  153. Index

Cellular Device Concepts

As with the Windows, Linux, and Macintosh operating systems, it is important that you fully understand the technology of cell phones and other devices before you explore the forensic analysis of the devices. In this section, you will learn the essential concepts and technologies used in mobile devices. These are basic concepts that you need to understand in order to be able to conduct forensics on cellular devices.

Terms

The first place to start is with terminology. This section introduces a number of terms—along with brief definitions—that are relevant to mobile technology. It is important that you be comfortable with the terms in this section.

Mobile Switching Center

A mobile switching center (MSC) is the switching system for the cellular network, responsible for routing calls between base stations and the public switched telephone network (PSTN). MSCs are used in 1G, 2G, 3G, and Global System for Mobile (GSM) communications networks. You will learn about 3G and GSM networks later in this section. The MSC processes all the connections between mobile devices and between mobile devices and landline phones.

Base Transceiver Station

The base transceiver station (BTS) is the part of the cellular network responsible for communications between the mobile phone and the network switching system. The BTS, together with a base station controller (BSC), makes up the base station system (BSS). The BSC is a central controller coordinating the other pieces of the BSS. The BSS is the combined radio transceiver equipment between the actual cellular devices and the MSC.

Home Location Register

The home location register (HLR) is a database used by the MSC that contains subscriber data and service information. It is related to the visitor location register (VLR), which is used for roaming phones.

Subscriber Identity Module

The subscriber identity module (SIM) is a memory chip that stores the International Mobile Subscriber Identity (IMSI). It is intended to be unique for each phone and is what you use to identify the phone. Many modern phones have removable SIMs, which means you could change out the SIM and essentially have a different phone with a different number. A SIM card contains its unique serial number—the ICCID—the IMSI, security authentication, and ciphering information. The SIM will also usually have network information, services the user has access to, and two passwords. Those passwords are the personal identification number (PIN) and the personal unlocking code (PUK).

Electronic Serial Number

Electronic serial numbers (ESNs) are unique identification numbers developed by the U.S. Federal Communications Commission (FCC) to identify cell phones. They are now used only in code division multiple access (CDMA) phones, whereas GSM and later phones use the International Mobile Equipment Identity (IMEI) number. The first 8 bits of the ESN identify the manufacturer, and the subsequent 24 bits uniquely identify the phone. The IMEI is used with GSM and Long Term Evolution (LTE), as well as other types of phones.

Personal Unlocking Code

The personal unlocking code (PUK) is a code used to reset a forgotten PIN. Using the code returns the phone to its original state, causing loss of most forensic data. If the code is entered incorrectly 10 times in a row, the device becomes permanently blocked and unrecoverable.

Integrated Circuit Card Identifier

Each SIM is identified by its integrated circuit card identifier (ICCID). These numbers are engraved on the SIM during manufacturing. This number has subsections that are very important for forensics. This number starts with the issuer identification number (IIN), which is a seven-digit number that identifies the country code and issuer, followed by a variable-length individual account identification number to identify the specific phone, and a check digit.
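The two identifier layouts described above, the 8-bit manufacturer/24-bit serial split of the ESN and the IIN/account/check-digit structure of the ICCID, can be decoded directly. The script below is an added example, not from the book; it treats the IIN as the fixed seven digits the text describes and validates the ICCID check digit with the Luhn algorithm from ISO/IEC 7812. All sample values are constructed.

```python
def luhn_valid(digits):
    """True if the last digit is a correct Luhn check digit (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_iccid(iccid):
    """Split an ICCID into IIN, account identifier and check digit.

    The seven-digit IIN follows the text above; E.118 allows up to 20 digits."""
    digits = iccid.replace(" ", "")
    if not digits.isdigit() or not 8 <= len(digits) <= 20:
        raise ValueError("ICCID must be 8 to 20 decimal digits")
    if not luhn_valid(digits):
        raise ValueError("ICCID check digit mismatch")  # transcription error
    return {"iin": digits[:7], "account": digits[7:-1], "check": digits[-1]}


def split_esn(esn_hex):
    """Split a 32-bit ESN into its 8-bit manufacturer code and 24-bit serial."""
    value = int(esn_hex, 16)
    if not 0 <= value < 1 << 32:
        raise ValueError("ESN is a 32-bit value")
    mfr, serial = value >> 24, value & 0xFFFFFF
    # Conventional 11-digit decimal form: 3-digit manufacturer + 8-digit serial
    return {"manufacturer": mfr, "serial": serial, "decimal": f"{mfr:03d}{serial:08d}"}


if __name__ == "__main__":
    # Constructed sample values, not real subscriber or handset data
    print(parse_iccid("8901 4103 2111 1851 072"))
    print(split_esn("2B3C4D5E"))
```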

Networks

Although this section covers terms as well, they are terms specific to networks. Therefore, they are listed separately. Knowing the types of networks used may be the most fundamental part of understanding mobile devices. The network-specific terms are as follows:

  • Global System for Mobile (GSM) communications—The Global System for Mobile (GSM) communications is a standard developed by the European Telecommunications Standards Institute (ETSI). Basically, GSM is the 2G network.

  • Enhanced Data Rates for GSM Evolution (EDGE)—Enhanced Data Rates for GSM Evolution (EDGE) does not fit neatly into the 2G-3G-4G continuum. It is technically considered 2G+, but was an improvement on GSM (2G), so it can be considered a bridge between 2G and 3G technologies.

  • Universal Mobile Telecommunications System (UMTS)—Universal Mobile Telecommunications System (UMTS) is a 3G standard based on GSM. It is essentially an improvement of GSM.

  • Long Term Evolution (LTE)—Long Term Evolution (LTE) is a standard for wireless communication of high-speed data for mobile devices. This is what is commonly called 4G.

  • Wireless Fidelity (Wi-Fi)—Most cellular phones and other mobile devices today are able to connect to Wi-Fi networks. Wireless networking has become the norm, and free Wi-Fi hotspots can be found in restaurants, coffee shops, hotels, homes, and many other locations.

Operating Systems

Today’s mobile devices are complex computer systems. Whether you prefer an Android, Windows, or Apple phone, the phone will have an operating system. The same is true for tablets. Therefore, it is important to have some basic understanding of the major operating systems used on mobile devices.

iOS

The iOS operating system is used by iPhone, iPod, and iPad. It is a relatively new operating system, originally released in 2007 for the iPod Touch and the iPhone. The user interface is completely based on touching the icons directly. It supports what Apple calls gestures: swipe, drag, pinch, tap, and so on. The iOS operating system is derived from OS X.

There are four layers to iOS. The first is the Core OS layer. This is the heart of the operating system. Next is the Core Services layer, which is how applications interact with the iOS. Next is the Media layer, which is responsible for music, video, and so on. Finally, there is the Cocoa Touch layer, which responds to the aforementioned gestures.

In normal operations, iOS uses the HFS+ file system, but it can use FAT32 when communicating with a PC. The iOS contains several elements in the data partition:

  • Calendar entries

  • Contacts entries

  • Note entries

  • iPod_control directory (this directory is hidden)

  • iTunes configuration

  • iTunes music

Of particular interest to forensic investigation is the folder iPod_control\device\sysinfo. This folder contains two very important pieces of information:

  • Model number

  • Serial number

The iOS runs on iPhones, iPods, and iPads. This means that once you are comfortable with the operating system on one Apple device, you should be comfortable with any Apple device. This applies not just to the features that users interact with, but also to the operating system fundamentals. Thus, if you have experience with forensics on an iPhone, you will have no problem conducting a forensic analysis of an iPad.

Android

The Android operating system is a Linux-based operating system, and it is completely open source. If you have a programming and operating systems background, you may find it useful to examine the Android source code from http://source.android.com.

Android was first released in 2003 and is the creation of Rich Miner, Andy Rubin, and Nick Sears. Google acquired Android in 2005, but it still keeps the code open source. The versions of Android have been named after sweets:

  • Version 1.5 Cupcake

  • Version 1.6 Donut

  • Version 2.0–2.1 Éclair

  • Version 2.2 Froyo

  • Version 2.3 Gingerbread

  • Version 3.1–3.2 Honeycomb

  • Version 4.0 Ice Cream Sandwich

  • Version 4.1–4.2 Jelly Bean

  • Version 4.4 KitKat, released in 2013

  • Version 5.0 Lollipop, released in November 2014

  • Version 6.0 Marshmallow, released in October 2015

  • Version 7.0 Nougat, released in August 2016

The differences from version to version usually involve adding new features, not a radical change to the operating system. This means that if you are comfortable with version 1.6 (Donut), you will be able to do forensic examination on version 4.2 (Jelly Bean).

Although the Android source code is open source, each vendor may make modifications. This means even the partition layout can vary. However, there are common partitions that are present on most Android devices (phones or tablets).

  • The boot loader partition is necessary for hardware initialization and loading the Android kernel. This is unlikely to have forensically important data.

  • The boot partition has the information needed to boot up. Again, this is unlikely to have forensically important data.

  • The recovery partition is used to boot the phone into a recovery console. Although the partition may not have forensically relevant data, sometimes you may need to boot into recovery mode.

  • The user data partition is the one most relevant to forensic investigations. Here you will find the majority of user data, including all the data for apps.

  • The cache partition stores frequently accessed data and recovery logs. This can be very important for forensic investigations.

  • The system partition is not usually important for forensic examinations.

Remember that Android is Linux-based. If you have an image of an Android phone, you may be able to execute Linux commands on it. For example, cat /proc/partitions will list the partitions that exist on the specific phone you are examining.

In addition to these partitions, there are specific directories that may yield forensic evidence:

  • The acct directory is the mount point for the control group and provides user accounting.

  • The cache directory stores frequently accessed data. This will almost always be interesting forensically.

  • The data directory has data for each app. This is clearly critical for forensic examinations.

  • The mnt directory is a mount point for all file systems and can indicate internal and external storage such as SD cards. If you have an Android image, the Linux ls command used on this directory will show you the various storage devices.

To extract data from an Android phone or tablet, it must be in developer mode. How you get there has changed with different versions. Where to access developer mode in certain versions of Android is given here:

  • Developer Options on Gingerbread (Android 2.3): Settings > Applications > Development > USB Debugging

  • Developer Options on Ice Cream Sandwich (Android 4.0): Settings > Developer Options > USB Debugging

  • Developer Options on Jelly Bean (Android 4.1): Settings > Developer Options > USB Debugging

  • Developer Options on Jelly Bean (Android 4.2 and 4.3), where Developer Options is not shown until you enable it:

      • Open Settings > About on your Android phone or tablet. If you have a Samsung Galaxy S4, Note 8.0, Tab 3, or any other Galaxy device with Android 4.2, open Settings > More tab > About and tap it. If you have a Galaxy Note 3 or any Galaxy device with Android 4.3, go to Settings > General > About, and then tap the Build Version seven times.

      • Now scroll to the Build Number and tap it seven times.

      • After tapping the Build Number seven times, you will see the message “You are now a developer!” If you have a Galaxy S4 or any other Samsung Galaxy device with Android 4.2, the message reads “Developer mode has been enabled.”

      • Return to the main Settings menu; you will now be able to see Developer Options.

      • Tap Developer Options, then tap the box in front of USB Debugging to enable it. To disable USB Debugging later, uncheck the box.

      • To enable Developer Options, go to Settings > Developer Options and tap the on/off slider at the top of the page.

Another great technique with Android phones is to use the adb (Android Debug Bridge) shell. Basically, you connect the phone to your forensics workstation with a USB cable and then use the adb shell to extract data. Some basic adb commands are given here:

# launch adb and see available commands
adb
# start a shell; this lets you issue Linux shell commands on the device
adb shell
# if you have gestures on the phone and you want to
# copy them to the test directory on your workstation
adb pull /sdcard/gesture ~/test
# uninstall an application (not something you normally
# do in a forensic exam)
adb uninstall <packagename>
# list all applications in order of their memory
# consumption
adb shell procrank

adb shell is tedious and manual, but can provide an alternative to rather expensive phone forensics software. Of course, you will need to know the Android file structure quite well to effectively use the adb shell.
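The adb commands above can be scripted so that the same logical acquisition is repeatable and every pulled file is hashed for the evidence log. The script below is an added example, not from the book; it assumes adb is on the PATH with USB Debugging enabled as described earlier, and it parses the cat /proc/partitions output mentioned in the partition discussion. The fake_runner and its partition listing are constructed so the script also runs with no device attached.

```python
import hashlib
import subprocess
import tempfile
from pathlib import Path

def run_adb(args):
    """Run one adb command, e.g. ["shell", "cat", "/proc/partitions"]."""
    done = subprocess.run(["adb", *args], check=True, capture_output=True, text=True)
    return done.stdout

def list_partitions(runner=run_adb):
    """Parse the device's /proc/partitions into (name, 1K-blocks) pairs."""
    rows = []
    for line in runner(["shell", "cat", "/proc/partitions"]).splitlines()[2:]:
        fields = line.split()  # major minor #blocks name
        if len(fields) == 4:
            rows.append((fields[3], int(fields[2])))
    return rows

def sha256_file(path):
    """Hash a pulled file so the evidence log shows it was not altered later."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def pull_with_hashes(remote_paths, dest_dir, runner=run_adb):
    """adb pull each remote path, recording the local copy and its SHA-256."""
    dest = Path(dest_dir)
    dest.mkdir(parents=True, exist_ok=True)
    log = []
    for remote in remote_paths:
        local = dest / remote.strip("/").replace("/", "_")
        runner(["pull", remote, str(local)])
        log.append({"remote": remote, "local": str(local), "sha256": sha256_file(local)})
    return log

# Constructed stand-in for a connected handset, so the script runs offline.
FAKE_PARTITIONS = ("major minor  #blocks  name\n\n"
                   " 179        0    7634944 mmcblk0\n"
                   " 179        1       8192 mmcblk0p1\n"
                   " 179       25    5800000 mmcblk0p25\n")

def fake_runner(args):
    """Answer the two adb calls above with constructed data (no device needed)."""
    if args[0] == "shell":
        return FAKE_PARTITIONS
    Path(args[2]).write_bytes(b"abc")  # "pull": constructed file content
    return "1 file pulled.\n"

def demo(runner=fake_runner, dest_dir=None):
    """Triage run: list partitions, then pull the gesture file and hash it."""
    dest_dir = dest_dir or tempfile.mkdtemp()
    return list_partitions(runner), pull_with_hashes(["/sdcard/gesture"], dest_dir, runner)
```

Call demo(run_adb, "evidence/case-001") against a real handset; the returned log is what goes into the chain-of-custody record.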

Windows

Microsoft has produced several variations of Windows aimed at the mobile market. The company’s first foray into the mobile operating system market was Windows CE. That operating system was also released as the Pocket PC 2000, which was based on Windows CE version 3. In 2008, Windows Phone was released. It had a major drawback in that it was not compatible with many of the previous Windows Mobile apps. In 2010, Microsoft released Windows Phone 7.

More recently, Microsoft has moved in the same direction as Apple with Windows 8 being its primary operating system. Windows 8 is shipped on PCs, laptops, phones, and tablets. Microsoft continued this theme with Windows 10. This means that once you are comfortable with the operating system on one device, you are going to be able to conduct forensic examinations on other devices running Windows 8, or Windows 10.

The BlackBerry

The first BlackBerry device was a pager capable of receiving email pages, and it was released in 1999. BlackBerry uses its own proprietary operating system, BlackBerry 10. It is based on the QNX operating system. BlackBerry supports the major features that other mobile phones support, such as drag and drop and gestures.

In recent years, the market share for BlackBerry has been steadily decreasing. However, you will still find BlackBerry devices in use, and they may be relevant to your forensic investigation.