08 - Mobile Devices
Class: CYBR-405
Notes:
Objectives:
- Describe the components of mobile devices and cellular networks
- Explain mobile device evidence sources
- Describe mobile device security features
- Explain mobile device acquisition processes
- Describe how to extract and analyze mobile device evidence
- Describe mobile device forensics tools
Mobile Device Types
- Mobile devices include:
  - cell phones,
  - tablets,
  - drones,
  - wearable devices, and
  - personal digital assistant (PDA) devices.
- All these devices have basic features such as network communication abilities and cameras. What makes them different are other features such as near-field communication (NFC) and cellular network communication.
Cellular Networks
- First-generation technology allowed for analog voice communications with cellular phones.
- Second-generation technology allowed for digital communication between cellular phones, improving the voice quality, and SMS texting between devices.
- Third-generation (3G) technology introduced features that allowed users to communicate while a mobile device was moving and supported mobile web browsing, low-resolution picture sharing, and video streaming.
- Fourth-generation (4G) technology, which is still widely used around the world, introduced updates to cellular networks that improved call resiliency and allowed for gaming and high-definition video streaming.
- Fifth-generation (5G) technology, which is the newest generation of cellular networks, provides greater speed than 4G as well as infrastructure for machine-to-machine communications.
- Sixth-generation (6G) technology, which is expected to be available sometime after 2030, is in the preliminary design phase and will provide speed and reliability improvements over 5G.
Cellular Networks
| Digital network | Description |
|---|---|
| Code Division Multiple Access (CDMA) | Developed during World War II, this technology was patented by Qualcomm after the war. One of the most commonly used digital network technologies, CDMA uses the full radio frequency spectrum to define channels. In the United States, U.S. Cellular, Verizon, and Twigby, for example, use CDMA networks. |
| Global System for Mobile Communications (GSM) | A second-generation cellular network standard that is currently the most used cellular network standard in the world. It is used by AT&T, T-Mobile, and Mint Mobile in the United States and is the standard in Europe and Asia. |
How do you know?
- The International Mobile Subscriber Identity (IMSI) is unique to each SIM/eSIM card and is used by a cellular network to track it.
- The International Mobile Equipment Identity (IMEI) is unique to each device's hardware and is used by examiners to identify devices.
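An IMEI copied from a device label or an extraction report can be sanity-checked before it goes into a case file: the 15th digit is a Luhn check digit over the first 14. The block below is an added example, not part of the course notes, and assumes the standard layout of an 8-digit Type Allocation Code (TAC) followed by a 6-digit serial and the check digit; the sample values are constructed.

```python
# Added example (not from the course notes): sanity-check an IMEI recorded from a
# device label, SIM tray or extraction report before relying on it in a case file.
# Assumes the standard 15-digit layout: 8-digit Type Allocation Code (TAC),
# 6-digit serial number, and a trailing Luhn check digit.
import re


def luhn_check_digit(body: str) -> int:
    """Compute the Luhn check digit for a string of decimal digits."""
    total = 0
    # From the rightmost digit of the body, double every second digit
    # (starting with the rightmost) and sum the digits of each product.
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def normalize_imei(raw: str) -> str:
    """Drop the spaces and dashes that labels and reports often insert."""
    return re.sub(r"[\s-]", "", raw)


def validate_imei(raw: str) -> dict:
    """Return the normalized IMEI, its TAC/serial split, and the reason if it fails."""
    imei = normalize_imei(raw)
    result = {"imei": imei, "valid": False, "tac": None, "serial": None, "reason": ""}
    if len(imei) != 15 or not imei.isdigit():
        result["reason"] = "IMEI must be exactly 15 decimal digits"
        return result
    expected = luhn_check_digit(imei[:14])
    if int(imei[14]) != expected:
        result["reason"] = f"check digit {imei[14]} does not match expected {expected}"
        return result
    result.update(valid=True, tac=imei[:8], serial=imei[8:14], reason="ok")
    return result


if __name__ == "__main__":
    # Constructed sample values: a well-formed IMEI, the same IMEI with two
    # digits transposed (caught by the check digit), and a truncated one.
    for sample in ("49-015420-323751-8", "49-015420-323715-8", "4901542032375"):
        print(validate_imei(sample))
```

A passing check only shows the number is well-formed; it does not prove the IMEI belongs to the seized handset, which still has to be confirmed against the device itself.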
Inside Mobile Devices
- Internal Storage - onboard system and memory storage.
- External Storage
  - Some mobile devices have user-removable memory cards (e.g. Mini SD and Micro SD) for additional storage.
- Subscriber identity module (SIM) - is like an external memory card and contains information such as:
  - Service-related data, such as identifiers for the SIM card and subscriber
  - Call data, such as numbers dialed
  - Message information
  - Location information
- Cloud Storage - can be used to sync and back up data.
Evidence
- Incoming, outgoing, and missed calls
- Multimedia Message Service (MMS) and Short Message Service (SMS) text messages
- Instant messaging (IM) logs
- Emails
- Webpages and browser histories
- Photos, videos, and music files
- Calendars and address books
- Social media account information
- GPS data
- Voice recordings and voicemail
- Bank account logins
- Features that allow access to your home
- Historical location information
Do you need a search warrant to analyze a mobile device already in your possession (e.g. a phone in arrestee’s jail property)?
Case Law - Riley v. California (2014)
- In 2014, the U.S. Supreme Court ruled unanimously in Riley v. California that a search warrant is required before an arresting officer can begin examining a phone's contents.
- Furthermore, because phones often contain private or sensitive information, any information that doesn't pertain to the case must be redacted from the public record.
Do you need a search warrant to compel the use of biometrics to unlock a phone? (e.g. using face or thumbprint)
Case Law
- In 2024, the U.S. Circuit Court of Appeals ruled unanimously in United States v. Jeremy Travis Payne that compelling biometrics does not violate Amendment protections.
United States v. Brown (D.C. Cir 2025)
The U.S. Court of Appeals for the D.C. Circuit held that compelling a suspect to unlock a phone with a thumbprint violated the Fifth Amendment's protection against self-incrimination.
The court reasoned that forced biometric unlocking constituted a testimonial act because it disclosed the defendant's control over and access to the device's contents, similar to revealing knowledge.
This case is a major departure from prior rulings that treated compelled biometrics as non-testimonial.
Cellular Service Provider Logs
- Call Detail Records (CDR)
  - Date and time of call, typically displayed in UTC
  - Number of seconds it took to place the call
  - The caller's phone number
  - Duration of the call
  - Identification number of the cell phone
  - Whether the call was received or initiated by the cell phone
  - The cell tower location used to make the call.
- Cell Site Location Information (CSLI)
  - "Cell Tower Dumps" contain a list of one or multiple cell phone numbers that have been registered through specific cell phone towers.
- Cell Phone Pinging Report
  - Cellular providers can track a cell phone subscriber's location in real time using their pinging service to record the exact latitude and longitude of the cell phone.
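The CDR fields listed above arrive as a provider export with timestamps in UTC, so the first analysis steps are usually converting to the local time of the investigation and grouping records by cell site. The block below is an added example, not part of the course notes; the column names, the sample rows and the -5 hour local offset are all constructed assumptions, since real exports differ by carrier.

```python
# Added example (not from the course notes): parse a constructed CDR export, convert
# the provider's UTC timestamps to the local zone of the investigation, and summarize
# which cell sites the handset used. The column names and the -5 hour offset are
# assumptions; real exports differ per carrier, so map columns from the header first.
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample rows; the IMEI and numbers do not belong to real subscribers.
SAMPLE_CDR = """timestamp_utc,setup_seconds,caller,duration_seconds,imei,direction,cell_site
2024-03-05 14:02:11,3,+15551230001,120,490154203237518,incoming,SITE-0417
2024-03-05 14:30:45,2,+15551230002,0,490154203237518,outgoing,SITE-0417
2024-03-05 19:15:02,4,+15551230001,45,490154203237518,incoming,SITE-0922
"""


def parse_cdr(text: str, local_offset_hours: int = -5) -> list:
    """Return one dict per record carrying both the UTC and the local call time."""
    local_tz = timezone(timedelta(hours=local_offset_hours))
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        utc = datetime.strptime(row["timestamp_utc"], "%Y-%m-%d %H:%M:%S")
        utc = utc.replace(tzinfo=timezone.utc)
        duration = int(row["duration_seconds"])
        records.append({
            "utc": utc,
            "local": utc.astimezone(local_tz),
            "caller": row["caller"],
            "setup_seconds": int(row["setup_seconds"]),
            "duration": duration,
            "imei": row["imei"],
            "direction": row["direction"],
            "cell_site": row["cell_site"],
            # A zero-duration record is a call that never connected (missed/unanswered).
            "connected": duration > 0,
        })
    return records


def site_usage(records: list) -> dict:
    """Map each cell site to (call count, first seen local time, last seen local time)."""
    usage = {}
    for r in sorted(records, key=lambda rec: rec["utc"]):
        count, first, _ = usage.get(r["cell_site"], (0, r["local"], r["local"]))
        usage[r["cell_site"]] = (count + 1, first, r["local"])
    return usage
```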
Seizing and Securing Mobile Devices
- The main concerns when working with mobile devices are
  - loss of power
  - synchronization with cloud services
  - remote wiping
  - encryption
- Use one of the following options to isolate the device from incoming signals:
  - Turn on airplane mode if this feature is available on the device.
  - Place the device in a paint can, preferably one painted with radio wave-blocking paint. (test it first)
  - Use a Faraday bag, which is a special bag that is made of material that blocks electromagnetic waves, preventing communication to or from a mobile device. Some Faraday bags provide a power source to the mobile device.
Data Extraction
- As a standard practice, before performing any data extractions, research the specific mobile device's features (e.g. phonescoop.com). Learn as much about it as possible before initiating the extraction.
- Use a standardized and repeatable method for collection
Two Most Common Extraction Methods
- Logical extraction utilizes the mobile device's application programming interface (API) tools to communicate with the mobile device and extract the data to the forensics workstation.
- Physical extraction is similar to a physical acquisition of a regular computer.
Mobile Device Management (MDM)
- MDM provides administrators with policy and technical controls for managing an organization's mobile devices.
- The purpose of MDM tools is to protect an organization's confidential and trade secret information.
- For examiners, extracting data from a device that has MDM enabled is difficult or impossible.
- MDM is designed to resist attempts by a mobile forensics extraction tool such as Cellebrite or XRY.
- Administrators can also set up MDM software so that data is automatically wiped if there are any attempts to alter the phone's security features.
Perform the Extraction
- The general procedure for performing an extraction is as follows:
  - Connect the mobile device to the forensics workstation
  - Perform the acquisition based on the type of data needed (if possible)
  - Monitor the extraction to ensure it is progressing and correct errors
  - During the extraction, make the effort to ensure nothing touches the screen of the mobile device
  - When the extraction is completed, restore the device's original settings
  - Power off the device and put it back in the evidence locker
Advanced Extraction Methods
- Joint Test Action Group (JTAG) Extraction
  - An examiner can attach electrical leads to a specific interface on the mobile device circuit board, called a test access port (TAP), to send and receive data from the mobile device.
- Chip-Off Extraction
  - A chip-off extraction is performed by desoldering the physical memory chip from the mobile device circuit board and then placing the chip in a memory chip reader.
- Micro-Read Extraction
  - An examiner uses an electron microscope to manually read each of the logic gates of the memory cells to extract each bit of data from a memory chip.
Jailbreaking
Jailbreaking a phone refers to the process of removing restrictions imposed by the device's manufacturer, typically on iOS devices like iPhones and iPads. This allows users to install apps and tweaks that aren't available through the official app store, customize the operating system, and access system files. While jailbreaking can provide more control and flexibility, it can also void warranties, expose the device to security risks, and lead to instability.
SQLite
- SQLite is a C-language library that implements a small, fast, self-contained, high-reliability, full-featured, SQL database engine. SQLite is the most used database engine in the world. SQLite is built into all mobile phones and most computers and comes bundled inside countless other applications that people use every day.
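Because app data on a phone is so often an SQLite file, a large part of analysis is opening a working copy read-only, enumerating its tables, and turning rows into a timeline. The block below is an added example, not part of the course notes; its table and column names are constructed stand-ins, not any real app's schema, and the sample rows are constructed.

```python
# Added example (not from the course notes): pull a message timeline out of an
# app SQLite database from a working copy of the extraction. The tables and
# columns below are constructed for this example; real apps use their own
# schemas, so always enumerate sqlite_master before writing queries.
import os
import sqlite3
import tempfile
from datetime import datetime, timezone


def build_sample_db(path: str) -> None:
    """Create a constructed messaging database standing in for an app's data store."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE handle (handle_id INTEGER PRIMARY KEY, address TEXT);
        CREATE TABLE message (msg_id INTEGER PRIMARY KEY, handle_id INTEGER,
                              text TEXT, is_from_me INTEGER, date INTEGER);
        INSERT INTO handle VALUES (1, '+15551230001'), (2, '+15551230002');
        INSERT INTO message VALUES
            (1, 1, 'are you home?', 0, 1700000000),
            (2, 1, 'yes, come by', 1, 1700000060),
            (3, 2, 'call me back', 0, 1700003600);
    """)
    con.commit()
    con.close()


def open_readonly(path: str) -> sqlite3.Connection:
    # mode=ro keeps the examiner's queries from altering the evidence copy. Any
    # -wal / -journal sidecar files must be collected with the database, since
    # committed rows can live only in the WAL until a checkpoint.
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def list_tables(path: str) -> list:
    con = open_readonly(path)
    rows = con.execute("SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")
    names = [r[0] for r in rows.fetchall()]
    con.close()
    return names


def message_timeline(path: str) -> list:
    """Return (utc_iso, counterpart, direction, text) tuples in chronological order."""
    con = open_readonly(path)
    rows = con.execute("""SELECT m.date, h.address, m.is_from_me, m.text
                          FROM message m JOIN handle h ON h.handle_id = m.handle_id
                          ORDER BY m.date""").fetchall()
    con.close()
    # This sample stores Unix epoch seconds; other apps use other epochs and units.
    return [(datetime.fromtimestamp(d, tz=timezone.utc).isoformat(), who,
             "sent" if me else "received", txt) for d, who, me, txt in rows]


def demo() -> tuple:
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "messages.db")
        build_sample_db(path)
        return list_tables(path), message_timeline(path)
```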
Common Evidence Types
Modern phones document a person's timeline of life.
- Call logs
- SMS and MMS messages
- Instant messaging apps
- Emails
- Photos and videos
- GPS data
- Browser history
- Social media data
- App databases
- Voicemail
- Banking and authentication artifacts
Week 8 Summary
- Mobile devices are constantly communicating computers that store personal, network, cloud, and location data. Because of their privacy implications, they are also one of the most legally protected forms of digital evidence.
- Understanding mobile forensics requires knowledge of hardware, cellular networks, cloud services, encryption, and constitutional law.
- IMSI
  - Identifies the SIM or subscriber account
  - Used by cellular networks
- IMEI
  - Identifies the physical device hardware
  - Used by investigators to tie activity to a specific phone
- SIM can change. IMEI cannot.