Inside Mobile Device Forensics: Data, Tools, and Real-World Challenges


techdaily.ai, your source for technical information. This podcast is sponsored by Stonefly, your trusted solution provider and adviser in enterprise storage, backup, disaster recovery, hyperconverged in VMware, HyperV, Proxmox cluster, AI servers, SA3650, a turnkey security appliance, and public and private cloud. Check out stonefly.com or email your project requirements to sales@stonefly.com. Okay, let's break down a really crucial area of modern investigation: digital forensics. We're focusing specifically on, uh, mobile devices and the networks they connect to.
Yeah, it's a huge topic.
It really is. Think of this deep dive as, well, a shortcut to getting your head around the core concepts of this, you know, increasingly vital field.
And what's amazing, really, is just how embedded these devices are in everything we do. Personal life, work life. We've got everything from basic phones just for calls right up to these super powerful smartphones and tablets that are always connected. They just generate and store this incredible amount of digital information.
And that variety, that's where the challenge often starts when these things become part of an investigation, isn't it?
Absolutely. It presents some real hurdles.
Exactly. So, our goal here really is to pull out the essential understanding you need to kind of navigate these digital trails. We'll be looking at the critical steps.
Mhm.
You know, the right way to preserve potential evidence, the different ways to actually get the data, how experts then analyze it, and, uh, finally, how you report those findings effectively.
And thinking bigger picture. There's this massive challenge facing the field, the growing backlog in digital forensic labs. It's quite significant.
Oh, yeah. I've heard about that.
Which really underscores why understanding on-site triage, those first steps you take right where the device is found, is becoming so incredibly important.
Right. You need that quick assessment. And to even start with that, you really have to get what makes these devices tick, both the physical bits and the software running on them.
The hardware and the software. Yeah.
So, let's maybe start by looking at the different types of mobile devices out there. You've got your basic feature phones, mostly calls and texts, simple stuff. Then you leap up to smartphones, which are basically pocket computers now.
Yeah.
And tablets, too. The ones that can connect to cellular networks.
And the key thing, I think, is that while they all do the basics, you know, voice calls, texting, maybe some simple PIM apps like contacts and calendars,
the differences are really critical when it comes to forensics. Smartphones have way more processing power, much better screens, and they run complex operating systems like Android and iOS. They're built for multitasking. That's a world away from the simpler systems on feature phones.
Okay. So, let's think about where all this data actually lives inside the device. It's fascinating, right? You've got volatile memory, RAM.
Yeah. The short-term stuff.
Exactly. Like the device's working memory. It holds what you're actively using, but poof, gone when the power is cut, right?
Then you have nonvolatile memory, things like NOR and NAND flash, even solid-state drives in some cases. This stuff holds on to data even with no power. That's the key.
And it's interesting how the use of these memory types has actually changed over time. Early mobiles, they mostly used NOR flash for pretty much everything. The OS, user data. It all got copied to RAM when you turned it on.
Okay.
Then as smartphones got smarter, they brought in NAND flash specifically for user files, photos, messages, all that. NOR still held the system stuff.
So it split?
Kind of. But now modern smartphones often rely just on NAND flash and RAM. It's faster, gives you more storage, cheaper, too. Often it's in the form of these embedded multimedia cards, eMMCs.
So, practically speaking, what does that mean for getting the data out? RAM being volatile is super tricky to capture, right?
Notoriously difficult. Yeah. Needs power.
NOR flash has key system info, maybe more relevant for older devices, but for most investigations today, it sounds like NAND flash is the main target. That's where the user's personal data is.
That's generally right. Photos, videos, messages. Most of the juicy stuff is in NAND. So, yeah, modern investigations, they're heavily focused on getting data from NAND.
And you mentioned NAND flash uses things like wear leveling.
What's that about?
Ah, right. Wear leveling and garbage collection. They're techniques to make the NAND memory last longer. Basically spreading the data writing around.
Okay.
A side effect is that you can end up with multiple copies or fragments of files scattered in different spots in the memory.
Oh, so that could be good or bad for forensics?
Exactly. It's a challenge because it complicates things, but it's also an opportunity because deleted files might leave traces behind that you can potentially piece together.
Interesting. Okay, let's switch gears a bit. UICCs, we usually call them SIM cards.
Right. The little chips.
They're fundamental for connecting to cell networks, right? Store subscriber info. Often PIN protected.
Yep. And there's the PUK, the personal unblocking key if you mess up the PIN too many times.
Don't want to mess that up though.
No. Get the PUK wrong too many times. And the card is basically bricked. Permanently unusable.
Ouch. And these UICCs, they come in different sizes, don't they? Mini, micro, nano.
Yeah. But the key thing is they follow different specs than say a removable SD card. They're specifically for the network connection.
Gotcha. And while we're on cellular stuff, understanding the actual network tech is important too, right?
Definitely.
So in the US, we've had different systems like CDMA and GSM. They handle calls differently.
And older ones like TDMA, iDEN.
Right. But today it's mostly LTE, which sort of evolved from both CDMA and GSM paths.
Pretty much, yeah. LTE is dominant now. And those underlying differences, say between GSM and CDMA, they actually affect how call records and message data are stored and how investigators might access them.
Okay. And how does the network actually cover an area? I bet you hear about cells.
Right, cell-based coverage. The network divides the land into these geographic areas, or cells. Each cell has a tower. This lets them reuse radio frequencies efficiently.
Smart.
And as your phone moves, say you're driving, moving from one cell to another. The network hands off your connection seamlessly so you don't drop the call. Hopefully.
Hopefully. So, what's the structure behind that? You've got the tower talking to the phone.
That's the node B or base transceiver station, BTS.
Okay.
Those are managed by a radio network controller, an RNC. And the big brain is the mobile switching center, the MSC, that controls calls and connections. Plus, there are key databases like the HLR, home location register, and VLR, visitor location register, that track subscriber info.
Wow, complex. And how do phones stay connected when moving between different networks like roaming?
Ah, that's where mobile IP comes in. It lets a device keep its same IP address even when it hops onto a different network.
Okay.
And then, of course, for really remote places, you have satellite phones. They skip the ground towers and talk straight to satellites.
Right. A different piece altogether.
Okay, so we've got a handle on the devices and networks. Now the big question, how do we actually get the data off them for forensics? We're talking tools now.
Mobile forensic tools. Yeah. And the methods range from, well, pretty simple to extremely technical.
Tell me more.
Well, what's really striking is how the required skill and frankly the invasiveness ramps up. At the basic end, you've got manual extraction.
Just looking at the screen?
Pretty much. Just viewing what's displayed. Then logical extraction. You connect the phone to a computer, pull off the accessible data, standard stuff.
Okay.
Then it gets more involved. Hex dumping or JTAG, that's Joint Test Action Group. That involves connecting more directly, physically, to access the memory.
That's tricky.
It is. And then you have chip-off forensics, where you physically remove the memory chip from the board.
Wow.
And even micro read analysis, looking at the chip under a microscope. So you see the progression. Logical is faster, less risky, but physical methods like JTAG or chip-off might let you find deleted data. It's a trade-off.
And that's where the risks really come in, I guess, especially with chip off.
Huge risks. The more invasive you get, the higher the chance of damaging the device or altering the data if you don't know exactly what you're doing. Proper training, expertise, absolutely critical, non-negotiable really.
Yeah, I can imagine. And then even before you get to extraction, there's the lock screen. Right.
Getting past that?
The first hurdle, often. Yeah, there are various ways. Specialized third-party tools exist. Sometimes JTAG can bypass locks. Flasher boxes.
Flasher boxes?
Yeah. Tools often used for phone repair or modification, but they can sometimes be used forensically. And there are device specific attacks, too. Exploits that target software bugs.
And what about non-technical ways?
Oh, sure. Sometimes the simplest way works. Interview the owner, ask for the passcode, maybe it's written down somewhere you seized.
For GSM phones, sometimes the service provider can give you the PUK, which might help. But just trying random default passcodes, that's risky. Could trigger a wipe.
Yeah, don't want that. This brings up a really important point, though. How do you know the tools you're using are even reliable?
Great question. Validation, it's paramount. Forensic tools aren't perfect. They might not be able to recover all the data. Sometimes reports are inconsistent. Sometimes they decode things wrong.
Seriously?
Oh, yeah. Even software updates for the tool can sometimes break something that used to work. Regressions happen.
So, how do you verify? That's where forensic hash validation comes in. You create a unique digital fingerprint, a hash of the data before you start and after you acquire it. If the hashes match, you know the data hasn't been altered. It maintains integrity.
Okay, that makes sense. So all these tool issues, the risks, it really points back to the very first step, doesn't it? Preservation.
Absolutely. It's foundational. It's not just about grabbing the data later. It's about handling that potential evidence correctly from the second it's identified. Right. So, break that down. What does preservation actually involve?
Well, it starts with securing the scene itself where the device was found. Then meticulous documentation, photos, notes, everything. Then critically isolating the device.
Isolating from what?
From networks, Wi-Fi, cellular, Bluetooth. You need to stop it communicating. Then proper packaging, safe transportation. You get the idea. Any misstep could lose data or even contaminate other physical evidence on the phone like fingerprints.
And why is isolating it from network so vital? Because you want to prevent remote commands like someone remotely locking or wiping the phone. That's a real threat.
Wow.
Plus any incoming or outgoing communication calls, texts, app updates, even GPS pings can change the data on the device. You want it frozen in time as much as possible.
So, how do you do that?
Practically speaking?
Common first steps are putting it in airplane mode if you can access the screen, or just powering it down completely.
Okay.
Then there are specialized shielded containers, often called Faraday bags or pouches. They block radio signals.
Like a little signal-proof baggie?
Essentially, yeah. And for more involved work, there are specialized techniques too. Things called cellular network isolation cards, or CNICs.
CNICs. What are they?
They're like dummy SIM cards. They go in the SIM slot and basically tell the phone don't connect to the network. Prevents it from reaching out to the cellular network.
Clever.
You can also use shielded rooms or Faraday tents to create isolated workspaces. Sometimes you can ask the service provider to remotely cut service to the phone, but that can take time. Jamming or spoofing devices exist, too, but using them can have legal issues, so that's usually a last resort or needs specific authorization.
These CNICs sound useful, but are they foolproof?
Not always. Their effectiveness can depend on the phone model, the network type. They might not work for every situation.
And definitely don't just stick in a SIM card from a different provider thinking it'll isolate it. On some phones, that can actually trigger a security wipe. Bad idea.
Good to know. Okay, so going back to those lab backlogs we mentioned, that makes on-site triage even more critical. What does that look like in practice?
On-site triage is about doing a quick initial data pull and a preliminary look see right there at the scene.
So, not the full deep dive.
No, not at all. The goal is to get immediate actionable intelligence, see if there's anything urgent, and figure out if the device even needs to go back to the lab for the full time-consuming examination. What are the upsides of doing that triage right there?
Well, connecting back to the backlog is it can massively reduce the lab's workload. Huge benefit. It gives investigators potentially crucial info right away.
Makes sense.
It helps allocate resources better. Maybe this phone isn't as important as initially thought. The tools for triage are often a bit simpler, so maybe less intensive training is needed for first responders. And critically, you might get a chance to collect data while the phone is still unlocked, before it locks itself.
Ah, yeah. That window of opportunity. Yeah. When you're doing triage, how do you pick the right tool? There must be loads.
It really depends heavily on the make and model of the phone. This is where honestly the device manual or even just a quick web search can be your best friend.
Really? Just googling it?
Sometimes, yeah. For basic info. But when choosing a forensic tool itself, you want something that's reasonably easy to use, especially for triage. It needs to be comprehensive. Pull as much data as possible for that level. Accuracy is key, obviously. You want it to be deterministic, meaning if you run it twice on the same data, you get the exact same result. And verifiable. You need to be able to check its findings.
Okay, makes sense. So, you've preserved the device, maybe done some triage. The next big phase is acquisition, the main data pull. What do you need to think about here?
Acquisition needs to follow established, tested procedures. Very important. You need to consider: was the device on or off when found? Should you power it on or off for the acquisition process? That can vary. Are there memory cards inside? Need to handle those too. And be aware the act of acquisition itself, connecting cables, running software, it can sometimes change small things like time and date stamps on files. Need to document that.
Right. And we talked about different methods: logical, manual, physical.
Yeah. So logical acquisition grabs what the operating system easily gives up. Manual is just looking at the screen, maybe taking photos. Physical, using JTAG or chip-off, goes for the raw data on the memory chip itself. That's where we might find deleted stuff,
but it's riskier.
Much riskier and more complex. So, the method you choose really dictates what kind of data you can get and the potential impact on the device.
Are there specific things to watch out for with say iPhones versus Androids?
Oh, absolutely. GSM phones, you need to think about the phone and the UICC, the SIM card.
iPhones, or iOS devices, have strong built-in encryption called data protection. That's a major hurdle, right? Android devices often have those gesture pattern locks, which need specific techniques to bypass. And even the UICC itself can be examined forensically using special commands called APDUs.
Application protocol data units. Commands to talk directly to the card.
Gotcha. And what about data that's not actually on the phone itself?
Good point. Synced devices are huge. Think computers the phone was plugged into. Backups stored elsewhere. And of course the cloud.
Ah, the cloud.
Yeah. So much mobile data gets backed up or mirrored to services like iCloud or Google Drive. But cloud forensics, that's a whole other complex area. Data spread everywhere, different legal rules. Big challenges there.
Okay, so let's say you've managed to acquire the data, navigated the cloud complexities. Now you analyze it. This feels like where the detective work really happens.
It absolutely is. And it's usually a partnership: the forensic analyst doing the technical work and the case investigator providing the context. You know, what are we actually looking for?
Right. So what kind of evidence are you typically digging for on a phone?
Oh, a huge range. You've got the basic PIM data, personal information manager stuff like contacts, calendar entries, then text messages, call logs, web browsing history, any documents stored on it, social media app data.
App data is probably massive now.
Huge. Installed apps, location information from GPS or cell towers, even network data stored on the UICC sometimes. It's a potential treasure trove.
And what's the ultimate goal of sifting through all that?
You're trying to answer the key questions. Who is involved? What actually happened? When did it happen? Building a timeline. Maybe why did it happen? Looking for motives, what tools or apps were used. And crucially, you often use records from the service provider, like call detail records, to back up or corroborate what you find on the phone itself.
Right. Comparing the two. You mentioned enhanced 911 data, too.
Yeah. E911. Sometimes location data generated for emergency calls can be relevant in establishing where someone was.
So, how do analysts use the forensic software to actually find the needles in the haystack?
It involves several steps. First, searching the data using keywords, dates, phone numbers, whatever is relevant. Then, identifying specific items that look like evidence.
Okay.
Then you create bookmarks or tags for those important pieces. And finally, you pull all those key findings together into a report. And again, you need to trust your tools. That's where things like the CFTT project, Computer Forensics Tool Testing, come in. They test and validate tools.
Coming up with the right search term must be an art in itself.
It really is. You need a systematic approach. Think about who the people are, what subjects they might be talking about, what time frames are important. Key areas are figuring out ownership and who used the device, analyzing specific apps and files, nailing down timelines using timestamps, and looking for any attempts to hide data.
Like hidden partitions or deleted files.
Exactly. Good forensic tools have powerful search functions built in to help with all this.
You mentioned call detail records, CDRs, a couple of times. What exactly do they show?
So CDRs are kept by the phone company, mainly for billing, but they capture a lot: the phone numbers involved in a call or text, the date and time, how long a call lasted.
And location?
Yes, often the cell tower the phone was connected to at the start and end of the call. That can give you a general location. Subscriber records also give you the account holder's info: name, address, maybe the specific device identifier like an IMEI number.
So analyzing those CDRs can show communication patterns. And that cell site info gives you a rough idea of where someone was.
Precisely. You can map out calls, see who talked to whom and when, and by looking at which cell towers were used, sometimes combined with maps showing tower coverage areas, you can estimate likely locations and track movements over time. It's not GPS precise, but very useful.
You can request these records using the phone number or the device ID?
Usually, yes. With the proper legal authority, service providers will supply CDRs and subscriber records based on those identifiers.
Okay, makes sense. So after all the analysis, the final step is reporting. What makes a good forensic report?
Clarity and thoroughness. Solid documentation is key. The report needs to detail all the steps you took, what you observed, and the conclusions you drew, based only on the evidence found.
Stick to the facts.
Absolutely. Most forensic tools have reporting features built in, which helps organize everything and keeps the presentation consistent with how the tool displayed data. And importantly, you only include what's actually relevant to the investigation. Keep it focused.
Wow. It's really clear that mobile device forensics is incredibly complex, isn't it? And just constantly changing, playing catch-up with the tech, but so critical in today's world.
Definitely. And understanding these basics, these guidelines and procedures, it's not just for specialized law enforcement anymore. It's relevant for, well, almost anyone who might deal with digital evidence from phones, whether in business, IT, legal.
Yeah. It touches so many areas. And the speed at which mobile tech evolves just keeps throwing new challenges at the forensics community, doesn't it?
Constantly. New encryption methods, new operating system features, new apps, storing data in new ways. It's a continuous race. Which leads to maybe a final thought for you, our listeners, to ponder as our lives get more and more tangled up with these devices we carry everywhere.
Mhm.
The ability to ethically and effectively pull out and understand the data they hold. It stops being just a technical skill, right? It becomes something more fundamental. It's almost about understanding ourselves and the digital reflection of the world around us.
A powerful thought. techdaily.ai, your source for technical information. This deep dive was sponsored by Stonefly.