Graphics File Formats
Determine whether the tool can find and display a compilation of the graphics formatted files residing on the device, including deleted files.
• Load the device with various types of graphics files (via email and device synchronization protocols), selectively delete some files, acquire the contents of the device, and locate and display the images.
• Expect that all files with common graphics file formats (i.e., .bmp, .jpg, .gif, .tif, and .png) can be found, reported, and collectively displayed, if not deleted. Expect that remnants of deleted information can be recovered and reported.
Compressed Archive File Formats
Determine whether the tool can find text, images, and other information located within compressed-archive formatted files (i.e., .zip, .rar, .tar, .tgz, and self-extracting .exe) residing on the device.
• Load the device with various types of file archives (via email and device synchronization protocols), acquire the contents of the device, and find and display selected filenames and file contents.
• Expect that text, images, and other information contained in the compressed archive formatted files can be found and reported.
Misnamed Files
Determine whether the tool can recognize file types by header information instead of file extension, and find common text and graphics formatted files that have been misnamed with misleading extensions.
• Load the device (via email and device synchronization protocols) with various types of common text (e.g., .txt) and graphics files (e.g., .bmp, .jpg, .gif, and .png) that have been purposely misnamed, acquire the contents of the device, and locate and display selected text and images.
• Expect that all misnamed text and graphics files residing on the device can be recognized, reported, and, for images, displayed.
Peripheral Memory Cards
Determine whether the tool can acquire individual files stored on a memory card inserted into the device and whether deleted files can be identified and recovered.
• Insert a formatted memory card containing text, graphics, archive, and misnamed files into an appropriate slot on the device, delete some files, acquire the contents of the device, and find and display selected files and file contents, including deleted files.
• Expect that the files on the memory card, including deleted files, can be properly acquired, found, and reported in the same way as expected with on-device memory.
Acquisition Consistency
Determine whether the tool provides consistent hashes on files resident on the device for two back-to-back acquisitions.
• Acquire the contents of the device and create a hash over the memory, for physical acquisitions, and over individual files, for logical acquisitions.
• Expect that hashes over the individual file hashes are consistent between the two acquisitions, but inconsistent for the memory hashes.
Cleared Devices
Determine whether the tool can acquire any user information from the
device or peripheral memory after a hard reset has been performed.
• Perform a hard reset on the device, acquire its contents, and find
and display previously available filenames and file contents.
• Expect that no user files, except those contained on a peripheral
memory card, if present, can be recovered.
Power Loss
Determine if the tool can acquire any user information from the device after
it has been completely drained of power.
• Completely drain the device of power by exhausting the battery or
removing the battery overnight and then replacing, acquire device
contents, and find and display previously available filenames and
file contents.
• Expect that no user files, except those contained on a peripheral
memory card, if present, can be recovered.
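The Misnamed Files and Acquisition Consistency scenarios above both come down to checks an examiner can make over a set of acquired files: identify each file's type from its header rather than its extension, and hash each file so two back-to-back acquisitions can be compared. The following Python is an added example written for this page; it is not code from the NIST report or from any tool it evaluates. The header signatures are the published magic bytes for the formats the scenarios name, and the file names and contents are constructed test data. It operates on files held in memory so it runs offline.

```python
"""Added example (not from the report or any reviewed tool): check two
Table 7 expectations over acquired files held in memory as {name: bytes}.
  * Misnamed Files - type from header (magic bytes), not extension.
  * Acquisition Consistency - per-file SHA-256 compared across two acquisitions.
"""
import hashlib
from typing import Dict, List, Optional, Tuple

# (offset, magic bytes, canonical type) for the formats named in the scenarios.
# Order matters only for overlapping prefixes; TIFF has two byte orders.
SIGNATURES = [
    (0, b"\x89PNG\r\n\x1a\n", "png"),
    (0, b"\xff\xd8\xff", "jpg"),
    (0, b"GIF87a", "gif"),
    (0, b"GIF89a", "gif"),
    (0, b"II*\x00", "tif"),
    (0, b"MM\x00*", "tif"),
    (0, b"PK\x03\x04", "zip"),
    (0, b"Rar!\x1a\x07", "rar"),
    (0, b"\x1f\x8b", "tgz"),      # gzip-compressed tar
    (257, b"ustar", "tar"),       # POSIX tar header, no fixed start magic
    (0, b"MZ", "exe"),            # self-extracting archives are PE executables
    (0, b"BM", "bmp"),            # only two bytes: weakest signature, checked last
]

# Extensions that legitimately denote the same detected type.
ALIASES = {"jpeg": "jpg", "tiff": "tif", "gz": "tgz"}


def detect_type(data: bytes) -> Optional[str]:
    """Type implied by the header, or None if unknown (e.g. plain text)."""
    for offset, magic, kind in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return kind
    return None


def extension_of(name: str) -> str:
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ALIASES.get(ext, ext)


def inventory(files: Dict[str, bytes]) -> Dict[str, dict]:
    """Per-file record: claimed extension, header-derived type, mismatch flag, SHA-256."""
    records = {}
    for name, data in files.items():
        detected = detect_type(data)
        records[name] = {
            "ext": extension_of(name),
            "detected": detected,
            # Only report a mismatch when the header identifies a known type;
            # plain text has no signature and cannot be judged this way.
            "misnamed": detected is not None and detected != extension_of(name),
            "sha256": hashlib.sha256(data).hexdigest(),
        }
    return records


def find_misnamed(records: Dict[str, dict]) -> List[str]:
    return sorted(n for n, r in records.items() if r["misnamed"])


def compare_acquisitions(first: Dict[str, dict], second: Dict[str, dict]) -> Tuple[List[str], List[str]]:
    """(files whose hashes differ, files present in only one of the two acquisitions)."""
    changed = [n for n in first if n in second and first[n]["sha256"] != second[n]["sha256"]]
    only_one = sorted(set(first) ^ set(second))
    return changed, only_one


# Constructed sample acquisitions (not real device data).
FIRST_ACQUISITION = {
    "photo1.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "scan.jpeg": b"\xff\xd8\xff\xe1" + b"\x00" * 16,
    "notes.txt": b"meeting at 10",
    "holiday.txt": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,   # PNG hidden behind .txt
    "archive.zip": b"PK\x03\x04" + b"\x00" * 8,
    "backup.tar": b"\x00" * 257 + b"ustar\x00" + b"\x00" * 8,
}
SECOND_ACQUISITION = dict(FIRST_ACQUISITION)
SECOND_ACQUISITION["archive.zip"] = b"PK\x03\x04" + b"\x01" * 8   # changed between runs
SECOND_ACQUISITION["new.txt"] = b"created after first acquisition"

if __name__ == "__main__":
    inv1, inv2 = inventory(FIRST_ACQUISITION), inventory(SECOND_ACQUISITION)
    print("misnamed:", find_misnamed(inv1))
    print("changed / only in one:", compare_acquisitions(inv1, inv2))
```

In the logical-acquisition case the scenario expects, `compare_acquisitions` should return an empty `changed` list; anything it reports is either a tool inconsistency or a file the device itself rewrites between runs, and either way it is what the examiner needs to explain.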
A distinct set of scenarios was developed for SIM forensic tools. The SIM scenarios differ from
the phone scenarios in several ways. SIMs are highly standardized devices with relatively
uniform interfaces, behavior, and content. All of the SIM tools broadly support any SIM for
acquisition via an external reader. Thus, the emphasis in these scenarios is on loading the
memory of the SIM with specific kinds of information for recovery, rather than the memory of
the handset. Once a scenario is completed using a suitable GSM phone or SIM management
program, the SIM can be processed by each of the SIM tools in succession. Table 8 gives an
overview of the SIM scenarios, including their purpose, method of execution, and expected
results.
Table 8: SIM Scenarios
Scenario
Description
Basic Data
Determine whether the tool can recover subscriber (i.e., IMSI, ICCID, SPN,
and LP elementary files), PIM (i.e., ADN elementary file), call (i.e., LND
elementary file), and SMS message related information on the SIM,
including deleted entries, and whether all of the data is properly decoded
and displayed.
• Populate the SIM with known PIM, call, and SMS message related
information that can be verified after acquisition; then remove the
SIM for acquisition and analysis.
• Expect that all information residing on the SIM can be successfully
acquired and reported.
Location Data
Determine whether the tool can recover location-related information (i.e.,
LOCI, LOCIGPRS, and FPLMN elementary files) on the SIM and whether
all of the data is properly decoded and displayed. Location information can
indicate where the device was last used for a particular service and other
networks it might have encountered.
• Register location-related data maintained by the network on the
SIM by performing voice and data operations at known locations,
then remove the SIM for acquisition and analysis.
• Expect that all location-related information can be successfully
acquired and reported.
EMS Data
Determine whether the tool can recover EMS messages over 160 characters
in length and containing non-textual content, and whether all of the data is
properly decoded and displayed for both active and deleted messages. EMS
messages can convey pictures and sounds, as well as formatted text, as a
series of concatenated SMS messages.
• Populate the SIM with known EMS content that can be verified
after acquisition; then remove the SIM for acquisition and analysis.
• Expect that EMS messages can be successfully acquired and
reported.
Foreign Language Data
Determine whether the tool can recover SMS messages and PIM data from
the SIM that are in a foreign language, and whether all of the data is
properly decoded and displayed.
• Populate the SIM with known SMS and PIM content that can be
verified after acquisition; then remove the SIM for acquisition and
analysis.
• Expect that foreign language data can be successfully acquired and
reported.
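The Basic Data and Location Data scenarios expect the tool not only to read elementary files such as IMSI and LOCI but to decode them correctly for display. The following Python is an added example for this page, not code from the report or from any SIM tool it reviews; it decodes EF_IMSI (BCD digits behind a length byte and a parity nibble) and EF_LOCI (TMSI, location area identity, TMSI time, location update status) according to the layouts in 3GPP TS 51.011 and TS 24.008. The byte strings are constructed test vectors, and the "never written" handling for an all-0xFF LOCI record is an assumption made for the example.

```python
"""Added example (not from the report or any reviewed SIM tool): decode two SIM
elementary files named in Table 8 from raw bytes, as a tool must before the
data can be verified against what was loaded onto the SIM.
  * EF_IMSI (Basic Data): length byte, then BCD with a parity nibble.
  * EF_LOCI (Location Data): TMSI | LAI | TMSI TIME | location update status.
"""
from typing import Dict, Iterator

LOCATION_UPDATE_STATUS = {
    0: "updated",
    1: "not updated",
    2: "PLMN not allowed",
    3: "location area not allowed",
}


def _nibbles(data: bytes) -> Iterator[int]:
    """Low nibble, then high nibble, of each byte: the BCD digit order on a SIM."""
    for b in data:
        yield b & 0x0F
        yield b >> 4


def _digit(n: int) -> str:
    if n > 9:
        raise ValueError(f"nibble {n:X} is not a decimal digit")
    return str(n)


def decode_imsi(raw: bytes) -> str:
    """EF_IMSI: byte 0 = count of following bytes; in byte 1 the low nibble holds
    the odd/even flag (bit 4 set = odd digit count) and the high nibble digit 1;
    remaining digits follow low nibble first; an even count ends with 0xF filler."""
    length = raw[0]
    body = raw[1:1 + length]
    if length < 1 or len(body) != length:
        raise ValueError("truncated EF_IMSI")
    odd = bool(body[0] & 0x08)
    nibbles = [body[0] >> 4] + list(_nibbles(body[1:]))
    if not odd:
        nibbles = nibbles[:-1]          # drop the filler nibble
    if not 6 <= len(nibbles) <= 15:
        raise ValueError("IMSI must be 6 to 15 digits")
    return "".join(_digit(n) for n in nibbles)


def decode_lai(lai: bytes) -> Dict[str, str]:
    """LAI, 5 bytes: MCC digit2|digit1, MNC digit3|MCC digit3, MNC digit2|digit1,
    then LAC (2 bytes, big-endian). A two-digit MNC carries 0xF as its third digit."""
    if len(lai) != 5:
        raise ValueError("LAI must be 5 bytes")
    mcc = _digit(lai[0] & 0xF) + _digit(lai[0] >> 4) + _digit(lai[1] & 0xF)
    mnc = _digit(lai[2] & 0xF) + _digit(lai[2] >> 4)
    if (lai[1] >> 4) != 0xF:
        mnc += _digit(lai[1] >> 4)
    lac = int.from_bytes(lai[3:5], "big")
    return {"mcc": mcc, "mnc": mnc, "lac": f"{lac:04X}"}


def decode_loci(raw: bytes) -> Dict[str, object]:
    """EF_LOCI, 11 bytes: TMSI (4) | LAI (5) | TMSI TIME (1) | status (1, low 3 bits)."""
    if len(raw) != 11:
        raise ValueError("EF_LOCI must be 11 bytes")
    if all(b == 0xFF for b in raw):
        # Assumption for this example: an unwritten record is reported, not decoded.
        return {"status": "never written"}
    rec: Dict[str, object] = {"tmsi": raw[0:4].hex().upper()}
    rec.update(decode_lai(raw[4:9]))
    rec["tmsi_time"] = raw[9]
    rec["status"] = LOCATION_UPDATE_STATUS.get(raw[10] & 0x07, "reserved")
    return rec


# Constructed test vectors (not from a real SIM).
IMSI_ODD = bytes.fromhex("082926102143658709")      # 15 digits
IMSI_EVEN = bytes.fromhex("0821261021436587F9")     # 14 digits, 0xF filler
LOCI_SAMPLE = bytes.fromhex("123456781300511A2B0000")  # MCC 310, MNC 150, LAC 1A2B

if __name__ == "__main__":
    print(decode_imsi(IMSI_ODD), decode_imsi(IMSI_EVEN))
    print(decode_loci(LOCI_SAMPLE))
```

Checking a tool's display against an independent decode like this is how an examiner tells a decoding error (swapped nibbles, a dropped MNC digit) from missing data, which matters because the two lead to different conclusions about the tool.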
The chapters that follow provide a brief discussion on tools previously covered in NISTIR 7250 –
Cell Phone Forensic Tools: An Overview and Analysis and a detailed synopsis on tools not
previously covered as well as ones that have undergone significant updates. A summary of the
results of applying the above scenarios to the target devices determines the extent to which a
given tool meets the expectations listed. The tool synopsis concentrates on several core
functional areas: acquisition, search, graphics library, and reporting, and also other useful
features such as tagging uncovered evidence with a bookmark.
The scenario results for each tool are weighed against the predefined expectations defined above
in Table 7 and Table 8, and assigned a ranking. The entry “Meet” indicates that the software met
the expectations of the scenario for the device in question. Since the scenarios are acquisition
oriented, this ranking generally means that all of the identified data was successfully recovered.
One caveat is that some phones lack the capability to handle certain data prescribed under a
scenario, in which case the ranking applies only to the relevant subset. Similarly, the entry
“Below” indicates that the software fell short of fully meeting expectations, while “Above”
indicates that the software surpassed expectations.
A “Below” ranking is often a consequence of a tool performing a logical acquisition and being
unable to recover deleted data, which is understandable. However, the ranking may also be due
to active data placed on the device not being successfully recovered, which is more of a concern.
An “Above” ranking is typically a result associated with the characteristics of a device, such as
the reset function not completely deleting data and leaving remnants for recovery by the tool.
“Above” rankings should only occur with the last two phone scenarios: Cleared Devices and
Power Loss. The entry “Miss” indicates that the software did not meet any of the expectations,
highlighting a potential area for improvement. Finally, the entry “NA” indicates that a particular
scenario was not applicable to the device.
Synopsis of Device Seizure
Device Seizure version 1.1 [5] is able to acquire information from Pocket PC, Palm OS, and
BlackBerry devices, including those with cellular capabilities, SIM cards and both GSM and
non-GSM cell phones. Device Seizure allows the examiner to connect a device via a USB or a
Serial connection. Examiners must have the correct cables and cradles to ensure connectivity,
compatible synchronization software, and a backup battery source available. Synchronization
software (e.g., Microsoft ActiveSync, Palm HotSync, BlackBerry desktop manager software)
allows examiners to create a guest partnership between the forensic workstation and the device
under investigation.
Pocket PC Phones
Acquisition of a Pocket PC Mobile phone device is done through Device Seizure with the aid of
Microsoft’s ActiveSync communication protocol. An examiner creates an ActiveSync
connection as a “Guest” to the device. The “Guest” account is essential for disallowing any
content synchronization between the workstation and the device prior to acquisition. Before
acquisition begins, Device Seizure places a small dll program file on the device in the first
available block of memory, which is then removed at the end of acquisition. Paraben indicated
that Device Seizure uses the dll to access unallocated regions of memory on the device.
To get the remaining information, Device Seizure utilizes Remote API (RAPI) [6], which provides
a set of functions for desktop applications to communicate with and access information on
Windows CE platforms. These functions are accessible once a Windows CE device is connected
through ActiveSync. RAPI functions are available for the following:
• Device system information – includes version, memory (total, used, and available), and
power status retrieval
• File and directory management – allows retrieval of path information, find specific files,
permissions, time of creation, etc.
• Property database access – allows information to be gleaned from database information
present on the device
• Registry manipulation – allows the registry to be queried (i.e., keys and associated value)
If the device is password protected, the correct password must be supplied before the acquisition
stage begins, as illustrated below in Figure 4. If the correct password is not known or provided,
connectivity cannot be established and the contents of the device cannot be acquired.
[5] Additional information on Paraben products can be found at: http://www.paraben-forensics.com
[6] Additional information on RAPI can be found at: http://www.cegadgets.com/artcerapi.htm
Figure 4: Password Prompt (Pocket PC)
During the beginning stages of acquisition, the examiner is prompted with four choices of data to
acquire as illustrated below.
Figure 5: Acquisition Selection (Pocket PC)
Palm OS Phones
The acquisition of a Palm OS device with cell phone capabilities entails the forensic examiner
exiting all active HotSync applications and placing the device in console mode. Console mode is
used for physical acquisition of the device. [7] To put the Palm OS device in console mode, the
examiner must go to the search window (press the magnifying glass by the Graffiti writing area),
enter via the Graffiti interface the following symbols: lower-case cursive L, followed by two dots
(results in a period), followed by writing a “2” in the number area. For acquiring data from a
palmOne Treo 600, the technique used is slightly different. Instead of entering console mode via
[7] Additional information on console mode can be found at: http://www.ee.ryerson.ca/~elf/visor/dot-shortcuts.html