CF Unit3 chp3

There are great challenges in the field of cell phone and mobile device forensics due to the rapid changes it undergoes.

• The thought of losing your cell phone is terrifying because we store a tremendous amount of information on our phones.
• The following items might be stored on a mobile device, depending on your phone's model:
  o Incoming, outgoing, and missed calls
  o Text and Short Message Service (SMS) messages
  o E-mail
  o Instant messaging (IM) logs
  o Web pages
  o Pictures
  o Personal calendars
  o Address books
  o Music files
  o Voice recordings
• Many people store more information on their cell phones than on their computers, and with this variety of information, piecing together the facts of a case is possible.
• Many countries allow cell phones to access bank accounts and transfer funds from one phone to another.
• This handheld device is one of the most versatile devices ever invented.
• Despite the usefulness of these devices in providing clues for investigations, investigating cell phones and mobile devices is one of the most challenging tasks in digital forensics.
• In spite of the fact that many cell phones use similar storage schemes, there is no single standard for how and where messages are stored.

2.3.1 Mobile Phone Basics

• Up to the end of 2008, there had been three generations of mobile phones: analog, digital personal communications service (PCS), and third-generation (3G).
• 3G offers increased bandwidth compared to the other technologies:
  o 384 Kbps is offered for pedestrian use.
  o 128 Kbps is offered in a moving vehicle.
  o 2 Mbps is offered for fixed locations, such as office buildings.
• With 3G's rapid adoption around the world, illicit activities such as identity theft, child pornography, and bank fraud are expected to increase rapidly.
• Sprint Nextel introduced the fourth-generation (4G) network in the year 2009.
• The digital networks used in the mobile phone industry are listed below:

| Digital Network | Description |
|---|---|
| Code Division Multiple Access (CDMA) | Developed during World War II, this technology was patented by Qualcomm after the war. It uses the full radio frequency spectrum to define channels. For example, Sprint and Verizon use CDMA networks. |
| Global System for Mobile Communications (GSM) | This is also a common digital network. It is used by AT&T and T-Mobile and is the standard in Europe and Asia. |
| Time Division Multiple Access (TDMA) | This digital network uses the technique of dividing a radio frequency into time slots. GSM networks use this technique. It also refers to a specific cellular network standard covered by Interim Standard (IS) 136. |
| Integrated Digital Enhanced Network (iDEN) | This is a Motorola protocol that combines several services, such as data transmission, into one network. |
| Digital Advanced Mobile Phone Service (D-AMPS) | This network is a digital version of the original analog standard for cell phones. |
| Enhanced Data GSM Environment (EDGE) | This digital network, a faster version of GSM, is designed to deliver data. |
| Orthogonal Frequency Division Multiplexing (OFDM) | This technology for 4G networks uses energy more efficiently than 3G networks and is more resistant to interference. |

2.3.2 Technologies used by 4G network

4G networks can use the following technologies:
1. Orthogonal Frequency Division Multiplexing (OFDM): By dividing radio waves over different frequencies using Orthogonal Frequency Division Multiplexing (OFDM), power is used more efficiently and interference is reduced.
2. Mobile WiMAX: This technology uses the IEEE 802.16e standard and Orthogonal Frequency Division Multiple Access (OFDMA) and is believed to support transmission speeds of 12 Mbps.
3. Ultra Mobile Broadband (UTMS): Also known as CDMA2000 EV-DO, this technology is expected to be used by CDMA network providers to switch to 4G and to support transmission speeds of 100 Mbps.
4. Multiple Input Multiple Output (MIMO): This technology, developed by Airgo and acquired by Qualcomm, is expected to support transmission speeds of 312 Mbps.
5. Long Term Evolution (LTE): This technology, designed for GSM and UMTS technology, is expected to support 45 Mbps to 144 Mbps transmission speeds.

2.3.3 Communication of the cells

• Geographical areas are mostly divided into cells, like honeycombs.
• The three main components used for communication with these cells are as follows:
  1. Base transceiver station (BTS): This component consists of radio transceiver equipment that defines cells and communicates with mobile phones. It is sometimes referred to as a cell phone tower, although the tower is only one part of the BTS equipment.
  2. Base station controller (BSC): This combination of hardware and software manages BTSs and assigns channels by connecting to the mobile switching center.
  3. Mobile switching center (MSC): This component connects calls by routing digital packets for the network and relies on a database to support subscribers. This central database contains account data, location data, and other key information needed during an investigation. If you have to retrieve information from a carrier's central database, you usually need a warrant or subpoena.

2.3.4 Inside Mobile Devices

• Mobile devices range from simple phones to small computers, which are also called smartphones.
• The hardware consists of a microprocessor, ROM, RAM, a digital signal processor, a radio module, a microphone and speaker, hardware interfaces (such as keypads, cameras, and GPS devices), and an LCD display.
• Many of the devices have removable memory cards, and Bluetooth and Wi-Fi are now included in some mobile devices, too.
• Phones store system data in electronically erasable programmable read-only memory (EEPROM), which enables service providers to reprogram phones without having to access memory chips physically.
• Many users take advantage of this capability by reprogramming their phones to add features or switch to different service providers.

SIM Cards:
• Subscriber identity module (SIM) cards are found most commonly in GSM devices and consist of a microprocessor and 16 KB to 4 MB of EEPROM.
• There are also high-capacity, high-density, super, and mega SIM cards that boast as much as 1 GB of EEPROM.
• SIM cards are similar to standard memory cards, except the connectors are aligned differently.
• GSM refers to mobile phones as "mobile stations" and divides a station into two parts: the SIM card and the mobile equipment (ME), which is the remainder of the phone.
• The SIM card is necessary for the ME to work and serves these additional purposes:
  a) Identifies the subscriber to the network
  b) Stores personal information
  c) Stores address books and messages
  d) Stores service-related information

2.3.5 Acquisition Procedures for Cell Phones and Mobile Devices

• Proper search and seizure procedures should be followed for cell phones and mobile devices. These procedures are as important as those for computers.
• The main concerns with mobile devices are loss of power and synchronization with PCs.
• Since mobile devices have volatile memory, it is crucial that they don't lose power before you retrieve RAM data.
• At the investigation scene, determine whether the device is on or off.
• If it is off, leave it off, but find the recharger and attach it as soon as possible.
• Note this step in your log.
• If the device is on, check the battery's current charge level on the LCD display.
• Immediately disconnect any mobile device attached to a PC via a cable or cradle/docking station. This step helps to prevent synchronization that may occur automatically on a set schedule and overwrite data on the device.
• When you are back in the forensics lab, you need to consider what can be retrieved. It is very important to know where information is stored. You should check these four areas for information:
  1. The internal memory
  2. The SIM cards
  3. Any removable or external memory cards
  4. The system server
• According to wiretap laws, checking system servers requires a search warrant or subpoena, so you need one if you want to check voicemail.
• You may also need information from the service provider to determine where the suspect or victim was at the time of a call, to access backups of address books, and more.
• You can also retrieve information from a SIM card. The information that can be retrieved from a SIM card is:
  1. Service-related data, such as identifiers for the SIM card and subscriber
  2. Call data, such as numbers dialed
  3. Message information
  4. Location information
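
The identifiers and location data listed above sit in small fixed-format files on the SIM. The following is an added example, not part of the original notes: it decodes three such files (EF_ICCID, EF_IMSI and EF_LOCI), assuming their raw bytes have already been read with a SIM reader. The file names and layouts are taken from 3GPP TS 51.011 rather than from these notes, and all sample bytes are constructed.

```python
# Added example. EF layouts follow 3GPP TS 51.011; all sample bytes are constructed.
LOCI_STATUS = {0: "updated", 1: "not updated", 2: "PLMN not allowed",
               3: "location area not allowed"}

def swapped_bcd(data: bytes) -> str:
    """Nibble-swapped BCD: low nibble holds the first digit, 0xF is padding."""
    digits = []
    for byte in data:
        for nibble in (byte & 0x0F, byte >> 4):
            if nibble == 0x0F:
                continue
            if nibble > 9:
                raise ValueError(f"non-decimal nibble {nibble:#x}")
            digits.append(str(nibble))
    return "".join(digits)

def decode_iccid(ef: bytes) -> str:
    """EF_ICCID: 10 bytes, the serial number of the card itself."""
    if len(ef) != 10:
        raise ValueError("EF_ICCID must be 10 bytes")
    return swapped_bcd(ef)

def decode_imsi(ef: bytes) -> str:
    """EF_IMSI: length byte, then a parity/type nibble followed by the digits."""
    if len(ef) != 9 or not 1 <= ef[0] <= 8:
        raise ValueError("EF_IMSI must be 9 bytes with a length byte of 1..8")
    body = ef[1:1 + ef[0]]
    if body[0] & 0x07 != 0x01:            # identity type 001 means IMSI
        raise ValueError("identity type is not IMSI")
    return swapped_bcd(body)[1:]          # drop the parity/type nibble

def decode_loci(ef: bytes) -> dict:
    """EF_LOCI: TMSI(4) + LAI(5: MCC/MNC + LAC) + TMSI time(1) + status(1)."""
    if len(ef) != 11:
        raise ValueError("EF_LOCI must be 11 bytes")
    plmn = ef[4:7]
    mcc = swapped_bcd(bytes([plmn[0], 0xF0 | (plmn[1] & 0x0F)]))
    mnc = swapped_bcd(bytes([plmn[2], 0xF0 | (plmn[1] >> 4)]))
    return {"tmsi": ef[:4].hex(), "mcc": mcc, "mnc": mnc,
            "lac": int.from_bytes(ef[7:9], "big"),
            "status": LOCI_STATUS.get(ef[10] & 0x07, "reserved")}

SAMPLE_ICCID = bytes.fromhex("980001214365870921f3")   # constructed
SAMPLE_IMSI = bytes.fromhex("080910101032547698")      # constructed, test PLMN 001/01
SAMPLE_LOCI = bytes.fromhex("a1b2c3d400f1101234ff00")  # constructed

if __name__ == "__main__":
    print(decode_iccid(SAMPLE_ICCID), decode_imsi(SAMPLE_IMSI), decode_loci(SAMPLE_LOCI))
```

The location area code recovered from EF_LOCI identifies the last area in which the SIM registered, which can be compared with the location records requested from the service provider.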

2.3.7 Mobile Forensics Tools

• Paraben Software, a leader in mobile forensics software, offers several tools, including Device Seizure, which is used to acquire data from a variety of phone models.
• Paraben also has the Device Seizure Toolbox, containing assorted cables, a SIM card reader, and other equipment for mobile device investigations.
• DataPilot has a similar collection of cables that can interface with Nokia, Motorola, Ericsson, Samsung, Audiovox, Sanyo, and others.
• BitPim is another popular tool that is used to view data on many CDMA phones, including LG, Samsung, Sanyo, and others. It offers versions for Windows, Linux, and Mac OS X.
• By default, BitPim stores files in My Documents\BitPim, so when we start a new case, we must make sure we move these files to another location first so that they are not overwritten.
• A new tool, BitPim Cleaner by Mobile Forensics, Inc., moves these files. MFI is a new vendor of mobile forensics software and offers several affordable products as well as training.
• Cellebrite UFED Forensic System works with cell phones and PDAs. This kit comes with several cables, includes handset support for phones from outside the United States, and handles multiple languages.
• MOBILedit! is a forensics software tool containing a built-in write blocker.
• It can connect to phones directly via Bluetooth, IrDA, or a cable and can read SIM cards by using a SIM reader. It's also notable for being very user friendly.
• Another tool is SIMCon, which is used to image files on a GSM/3G SIM or USIM card, including stored numbers and text messages.
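
For the BitPim step above (moving the files left in My Documents\BitPim before starting a new case), the following is an added example that is not part of the original notes or of BitPim. It moves a tool's working directory into an archive location and records SHA-256 hashes in a manifest that can be referenced in the case log; the function names, archive layout and manifest format are assumptions.

```python
import hashlib
import json
import shutil
import time
from pathlib import Path

def sha256_tree(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    digests = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        h = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                h.update(chunk)
        digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests

def preserve_workdir(workdir: Path, archive_root: Path, label: str) -> Path:
    """Move a tool's working directory aside and write a hash manifest.

    Hashes are taken before and after the move; a mismatch aborts so the
    discrepancy is noticed before a new case overwrites anything.
    """
    if not workdir.is_dir():
        raise FileNotFoundError(workdir)
    stamp = time.strftime("%Y%m%dT%H%M%SZ", time.gmtime())
    dest = archive_root / f"{label}_{stamp}"
    if dest.exists():
        raise FileExistsError(dest)
    before = sha256_tree(workdir)
    archive_root.mkdir(parents=True, exist_ok=True)
    shutil.move(str(workdir), str(dest))
    after = sha256_tree(dest)
    if before != after:
        raise RuntimeError("hash mismatch after move")
    manifest = {"source": str(workdir), "moved_to": str(dest),
                "moved_at_utc": stamp, "sha256": after}
    # The manifest sits beside the archived copy, not inside it,
    # so the archived tree stays byte-for-byte what the tool left behind.
    manifest_path = archive_root / f"{dest.name}.manifest.json"
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return dest
```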
