Mobile Forensic Investigations: A Guide to Evidence Collection, Analysis, and Presentation by Reiber Lee

Author:Reiber, Lee [Reiber, Lee]
Language: eng
Format: epub
Publisher: McGraw-Hill Education
Published: 2015-11-22T05:00:00+00:00

Collecting the Device Physically

If the feature phone has been powered off and is locked or disabled, or after completing a logical extraction of the mobile device, the examiner should do a physical collection of the device. A physical collection of a feature phone is critical and advisable in all situations if the device is supported for a simple reason: deleted data is almost never available in a feature phone’s file system with a logical collection. If deleted data is required for a case, a physical collection of a feature phone is necessary.

Cellebrite supports the most feature phones for both GSM and CDMA physically, with Micro Systemation coming in second because of its limited CDMA support. Unlike a smart phone, a feature phone’s physical image includes only a small part of the device’s internal memory. With a feature phone’s memory measured in megabytes, this does not yield a lot of additional data, but when possible a physical image should be obtained.

When collecting a feature phone physically with a mobile forensic tool, the examiner should remove the UICC and the memory card from the device prior to starting the acquisition. Methods for obtaining a physical collection of feature phones were derived from the methods and code used by service tools, as discussed in Chapter 6 . Overheating has been known to occur during acquisition, which could damage the UICC and memory card if they are inserted in the device at the time of the physical collection. Also, the UICC and memory card are not needed, nor are they a part of the area the tool will read to obtain the internal memory area.

If using other means, such as a flasher box, JTAG, or chip-off, the examiner should follow the procedures described in Chapter 6 . Prior to the examiner beginning the physical acquisition, it is critical that a logical collection occur.

After a collection is completed, the examiner can analyze the information obtained in the physical collection. This is a labor-intensive process, because a lot of forensic tools currently do not support the decoding of the feature phone’s file system. Tools such as Micro Systemation XRY and Cellebrite Physical Analyzer do allow for the decoding of many feature phone file systems. These file systems can then be compared with the logical extraction during the critical data analysis phase. File system and data analysis for feature phones are covered in Chapter 9 .

Download

Copyright Disclaimer:
This site does not store any files on its server. We only index and link to content provided by other sites. Please contact the content providers to delete copyright contents if any and email us, we'll remove relevant links or contents immediately.