ITL Bulletin for June 2007
Forwarded from: Elizabeth Lennon
ITL BULLETIN FOR JUNE 2007
FORENSIC TECHNIQUES FOR CELL PHONES
Shirley Radack, Editor
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Technology Administration
U.S. Department of Commerce
The data that is captured on mobile phones can be a source of valuable
information to organizations that are investigating crimes, policy
violations, and other security incidents. The science of recovering
digital evidence from mobile phones, using forensically sound conditions
and accepted methods, is called mobile phone forensics. In general,
forensic science is the application of scientific principles for legal,
investigative, and public policy purposes. Digital forensic science
refers to the preservation, acquisition, examination, analysis, and
reporting of electronic data collected and stored on computer and
network systems and on many digital devices.
The digital forensic community faces special challenges when
investigating crimes and incidents involving mobile phones. While cell
phones are widely used for both personal and professional applications,
the technology of cell phones is continually changing as new designs and
improved techniques are introduced. As a result of the rapid pace of
change, the established guides that provide advice on the application of
computer forensics usually do not cover cell phones, especially those
with advanced capabilities.
The Information Technology Laboratory of the National Institute of
Standards and Technology (NIST) recently issued a new guide to help
organizations develop appropriate policies and procedures for dealing
with the information on cell phones, and for preparing their forensic
specialists to adopt new techniques when cell phones are involved.
Developed with the support of the Department of Homeland Security, the
guide provides basic information about the characteristics of cell
phones and explains the issues to be considered when organizations are
conducting incident response and other types of investigations.
Guidelines on Cell Phone Forensics
Guidelines on Cell Phone Forensics: Recommendations of the National
Institute of Standards and Technology was issued in May 2007 as NIST
Special Publication (SP) 800-101. Written by Wayne Jansen and Rick Ayers
of NIST, SP 800-101 provides an in-depth examination of mobile phones,
the technology involved, and the management of forensic procedures. It
covers phones with advanced features beyond simple voice communication
and text messaging, and details their technical and operating
characteristics. The guide discusses procedures and techniques involved
in cell phone forensic activities, as well as available forensic
software tools that support those activities.
The extensive reference list in NIST SP 800-101 provides a rich
selection of in-print and online resources for cell phone products and
services, as well as discussions of the application of forensic
techniques. The appendices to the guide include an acronym list, a
glossary of terms used in the guide, and a detailed view of the steps
involved in the acquisition of a cell phone with Universal Mobile
Telecommunications System capabilities. Another section of the
appendices provides information about the contents of records collected
by cellular network carriers involving event and call data.
While not providing specific legal advice to organizations, the guide
covers the information and principles that will enable organizations to
establish the policies and procedures needed for an effective forensics
program developed in conjunction with their legal advisors, agency
officials, and managers.
NIST SP 800-101 is available from NIST's website at:
http://csrc.nist.gov/publications/nistpubs/index.html.
Cell Phone Technology
In the United States, digital cellular networks have been developed
based on different and incompatible sets of standards. Two types of
digital cellular networks dominate: Code Division Multiple Access (CDMA)
and Global System for Mobile Communications (GSM) networks. Other
commonly implemented cellular networks include Time Division Multiple
Access (TDMA) and Integrated Digital Enhanced Network (iDEN). iDEN
networks use a proprietary protocol designed by Motorola, while the
others follow standardized open protocols. Also available is a digital
version of the original analog standard for cellular telephone service,
called Digital Advanced Mobile Phone Service (D-AMPS).
Mobile phones work with certain subsets of these network types, with the
service provider supplying the phone and the details of the service
agreement. For example, a service provider or network operator for a GSM
network that has some older TDMA network segments in operation might
supply a phone that has GSM voice and data capabilities, and TDMA
capabilities. Such a phone would not be compatible with CDMA networks.
Mobile phones can also be acquired without service from a manufacturer,
vendor, or other source, and the service can be arranged separately with
a service provider or network operator, provided that the phone is
compatible with the network. When in operation, mobile phones may
contact compatible networks operated for or by another service provider,
and gain service. To administer the cellular network system, provide
subscribed services, and accurately bill or debit subscriber accounts,
data about the service contract and associated service activities are
captured and maintained by the network system.
Cellular networks provide coverage based on dividing a large
geographical service area into smaller areas of coverage called cells.
These cells can often utilize unused radio frequencies in the limited
radio spectrum, enabling more calls to take place than might be possible
otherwise. As a mobile phone user moves from one cell to another,
active connections must be monitored and effectively passed along
between cells to maintain the connection.
The main components of cellular networks are: the Base Transceiver
Station (BTS), the radio transceiver equipment that communicates with
the mobile phones; the Base Station Controller (BSC), which manages the
transceiver equipment and performs channel assignment; and the Mobile
Switching Center (MSC), the switching system for the cellular network.
The BSC and the BTS units it controls are sometimes collectively
referred to as a Base Station.
Cell Phone Characteristics
Cell phones are highly mobile communications devices that perform
functions such as organizing digital data and carrying out basic
personal computing activities. Designed for mobility, these phones are
compact in size, battery powered, and lightweight. Most cell phones have
a basic set of comparable features and capabilities. They are composed
of a microprocessor, read only memory (ROM), random access memory (RAM),
a radio module, a digital signal processor, a microphone and speaker, a
variety of hardware keys and interfaces, and a liquid crystal display
(LCD). The operating system (OS) of the device is held in ROM, which can
be erased and reprogrammed electronically when the proper tools are
used. The RAM, which may be used to store user data, is supported by
batteries. If the batteries fail, the information can be lost.
The newest cell phones are equipped with system-level microprocessors
that reduce the number of supporting chips required to operate the phone
and include considerable memory capacity. Other capabilities include
card slots that support removable memory cards or specialized
peripherals, such as wireless capabilities. Wireless communications
capabilities may also be built into the phone.
Different devices have different technical and physical characteristics,
such as size, weight, processor speed, and memory capacity. Devices may
also use different types of expansion capabilities to provide additional
functionality. Cell phones may have the capabilities of other devices
such as personal digital assistants (PDAs), global positioning systems,
and cameras. While there are many different types of cell phones, they
can be generally characterized as: basic phones that are primarily
simple voice and messaging communication devices; advanced phones that
offer additional capabilities and services for multimedia; and smart
phones or high-end phones that combine the capabilities of an advanced
phone with those of a PDA.
Forensic Tools
The application of forensic software tools to cell phones is a very
different process from the forensic process used with personal
computers. The latter devices are primarily designed as general-purpose
systems, while cell phones are designed more as special-purpose
appliances that perform a set of predefined tasks. Since cellular phone
manufacturers tend to rely on different proprietary operating systems
rather than the more standardized approach found in personal computers,
there are different toolkits for use with mobile devices. Also, the
toolkits are often limited to a narrow range of distinct platforms for a
manufacturer's product line, an operating system family, or a type of
hardware architecture. Since the technology of cell phones is frequently
updated, tool manufacturers must update their tools continually to keep
their coverage current. As a result, the development of tools for newer
models of cell phones frequently lags behind the introduction of new
models.
Forensic tools acquire data from a device by both physical acquisition
and logical acquisition methods. Physical acquisition involves a
bit-by-bit copy of an entire physical store of data, such as a memory
chip. Logical acquisition involves a bit-by-bit copy of logical storage
objects, such as directories and files that are located in a file
system. Physical acquisition has advantages over logical acquisition,
since it allows deleted files and any data remnants present to be
examined. Extracted device images need to be parsed, decoded, and
translated to uncover the data present. The work is tedious and
time-consuming to perform manually. Physical device images can be
imported into a tool to automate examination and reporting; however,
only a few tools tailored for obtaining cell phone images are currently
available. Although logical acquisition is more limited than physical
acquisition, the system data structures are usually easier for a tool to
extract. The logical acquisition of data provides a more natural and
understandable organization of the data for use during examination. Both
types of acquisition are useful.
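To make the distinction between the two acquisition methods concrete, the following added example (not code from the bulletin or from NIST SP 800-101) builds a constructed toy memory image with a simple file table, then performs a logical acquisition (walking the allocated entries) and a physical acquisition (carving records out of the raw bytes). The file-table layout, record formats, and sample contents are assumptions invented for the example; real phone memory layouts are vendor specific. The point it shows is the one the text makes: the "deleted" contact record is invisible to the logical pass but still recoverable from the physical image.

```python
"""Logical vs. physical acquisition on a constructed toy flash image."""
import re
import struct
from typing import Dict, List, Set

# Assumed toy layout (not a real phone format):
#   bytes 0..63   : file table, 4 slots of 16 bytes: name[8], start u32, length u32
#                   (start == 0 marks an unused or deleted slot)
#   bytes 64..511 : data region
ENTRY = struct.Struct("<8sII")
TABLE_SLOTS = 4
TABLE_SIZE = ENTRY.size * TABLE_SLOTS  # 64 bytes
IMAGE_SIZE = 512


def build_image() -> bytes:
    """Construct a sample image: two live files and one deleted remnant."""
    image = bytearray(IMAGE_SIZE)
    sms = b"SMS:+15550100:meet at 9"            # constructed sample record
    contact = b"CONTACT:Alice:+15550199"         # deleted: slot cleared, bytes remain
    calls = b"CALL:+15550177:OUT:2007-06-01"     # constructed sample record
    image[64:64 + len(sms)] = sms
    image[128:128 + len(contact)] = contact
    image[200:200 + len(calls)] = calls
    table = [(b"sms.db", 64, len(sms)),
             (b"", 0, 0),                        # contact.db entry wiped on delete
             (b"calls.db", 200, len(calls)),
             (b"", 0, 0)]
    for slot, (name, start, length) in enumerate(table):
        ENTRY.pack_into(image, slot * ENTRY.size, name, start, length)
    return bytes(image)


def logical_acquisition(image: bytes) -> Dict[str, bytes]:
    """Copy only the logical storage objects the file table still references."""
    files: Dict[str, bytes] = {}
    for slot in range(TABLE_SLOTS):
        name, start, length = ENTRY.unpack_from(image, slot * ENTRY.size)
        if start == 0:
            continue  # unused or deleted: a logical pass never sees it
        files[name.rstrip(b"\x00").decode()] = image[start:start + length]
    return files


# Record signatures a carving pass looks for in the raw data region.
RECORD = re.compile(rb"(?:SMS|CONTACT|CALL):[^\x00]+")


def carve_records(image: bytes) -> List[bytes]:
    """Physical acquisition view: scan the whole data region, table or no table."""
    return [m.group(0) for m in RECORD.finditer(image[TABLE_SIZE:])]


def deleted_only(image: bytes) -> Set[bytes]:
    """Records present in the physical image but absent from the logical view."""
    logical = set(logical_acquisition(image).values())
    return {rec for rec in carve_records(image) if rec not in logical}


if __name__ == "__main__":
    img = build_image()
    print("logical:", sorted(logical_acquisition(img)))
    print("carved:", carve_records(img))
    print("recoverable only physically:", deleted_only(img))
```

The carving pass is deliberately naive (fixed prefixes, NUL-terminated); real tools must parse vendor data structures, which is why the text notes that the work is tedious by hand and that tool coverage lags new models.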
Steps in the Investigation
Investigations and incidents are handled in different ways depending
upon the circumstances and severity of the incident, and on the
experience of the investigation team. Organizations can advance the
effective application of cell phone forensics by carefully planning the
steps in the investigative process:
* Defining the procedures and principles that will apply when dealing
with digital evidence, and establishing roles and responsibilities for
the personnel involved.
* Preserving the evidence related to the investigation through
appropriate search, recognition, documentation, and collection
procedures, without altering or changing the content of data on
devices and media.
* Acquiring information from a digital device and its peripheral
equipment and media in a controlled setting, such as a laboratory.
* Examining and analyzing digital evidence through the application of
established scientifically based methods, fully describing the content
and state of the data.
* Reporting on the investigation by preparing a detailed summary of all
of the steps taken and the conclusions reached in the investigation of
a case, maintaining a careful record of all actions and observations,
describing results of tests and examinations, and explaining the
inferences drawn from the evidence.
NIST Recommendations for the Application of Cell Phone Forensics
NIST recommends that organizations implement the following
recommendations to facilitate the application of efficient and effective
digital forensic activities involving cell phones and cellular devices.
Ensure that organizational policies contain clear statements about
forensic considerations involving cell phones.
At a high level, policies should allow authorized personnel to perform
investigations of cell phones that have been issued by the organization
when there are legitimate reasons for such investigations and they are
conducted under the appropriate circumstances. The forensic policy
should clearly define the roles and responsibilities of the workforce
and of any external organizations performing or assisting with the
organization's forensic activities. The policy should also indicate
internal teams and external organizations to be contacted under various
circumstances.
Create and maintain procedures and guidelines for performing forensic
tasks on cell phones.
Guidelines should focus on general methodologies for investigating
incidents using forensic techniques. While developing comprehensive
procedures tailored to every possible situation is not generally
feasible, organizations should consider developing step-by-step
procedures for performing all routine activities in the preservation,
acquisition, examination and analysis, and reporting of digital evidence
found on cell phones and associated media. The guidelines and procedures
should facilitate consistent, effective, accurate, and repeatable
actions carried out in a forensically sound manner, suitable for legal
prosecution or disciplinary actions. The guidelines and procedures
should support the admissibility of evidence into legal proceedings,
including seizing and handling evidence properly, maintaining the chain
of custody, storing evidence appropriately, establishing and maintaining
the integrity of forensic tools and equipment, and demonstrating the
integrity of any electronic logs, records, and case files. The
guidelines and procedures should be reviewed periodically and also
whenever there are significant changes in cell phone technology that
affect them.
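Two of the procedural requirements above, maintaining the chain of custody and demonstrating the integrity of electronic logs and case files, are commonly met with cryptographic hashes. The following added example (not code from the bulletin or from NIST SP 800-101) records acquisition and examination steps in a hash-chained custody log and verifies both the log and an evidence image against their recorded SHA-256 digests. The log format, field names, actors, and timestamps are constructed for the example; the image bytes are a constructed placeholder, not real phone data.

```python
"""Hash-chained custody log and evidence-image integrity check (added example)."""
import hashlib
import json
from typing import Dict, List, Tuple

GENESIS = "0" * 64  # 'previous hash' for the first log entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_digest(entry: Dict[str, object]) -> str:
    """Digest of an entry's fields, excluding its own stored hash."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())


class CustodyLog:
    """Append-only record where each entry commits to the one before it."""

    def __init__(self) -> None:
        self.entries: List[Dict[str, object]] = []

    def record(self, when: str, actor: str, action: str,
               evidence_sha256: str) -> Dict[str, object]:
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry: Dict[str, object] = {
            "seq": len(self.entries), "when": when, "actor": actor,
            "action": action, "evidence_sha256": evidence_sha256, "prev": prev,
        }
        entry["entry_hash"] = entry_digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """True only if every entry is unmodified and the chain is unbroken."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry["seq"] != i or entry["prev"] != prev:
                return False
            if entry_digest(entry) != entry["entry_hash"]:
                return False
            prev = str(entry["entry_hash"])
        return True


def verify_image(image: bytes, recorded_sha256: str) -> bool:
    """Re-hash an evidence copy and compare with the digest taken at acquisition."""
    return sha256_hex(image) == recorded_sha256


def run_demo() -> Tuple[bool, bool, bool]:
    """Returns (intact_before, log_tamper_detected, image_tamper_detected)."""
    # Constructed placeholder image; a real case would hash the acquired dump.
    image = b"\x00" * 64 + b"SMS:+15550100:meet at 9" + b"\x00" * 400
    digest = sha256_hex(image)

    log = CustodyLog()
    log.record("2007-06-01T09:00:00Z", "first responder", "seized device", digest)
    log.record("2007-06-01T11:30:00Z", "examiner", "physical acquisition; image hashed", digest)
    log.record("2007-06-02T08:15:00Z", "examiner", "examination of working copy", digest)
    intact = log.verify() and verify_image(image, digest)

    # Simulate after-the-fact edits to a log entry and to the working copy.
    log.entries[1]["action"] = "logical acquisition"
    log_tamper_detected = not log.verify()
    image_tamper_detected = not verify_image(image[:-1] + b"\x01", digest)
    return intact, log_tamper_detected, image_tamper_detected


if __name__ == "__main__":
    print(run_demo())
```

In practice the digests and log would be stored on write-once media or a separate system from the working copy, so that the verification has something independent to compare against; the hash chain alone only makes modification detectable, not impossible.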
Ensure that organizational policies and procedures support the
reasonable and appropriate use of forensic tools for cell phones.
Policies and procedures should clearly explain what actions are to be
taken by a forensic unit under various circumstances commonly
encountered with cell phones. They should also describe the quality
measures to apply in verifying the proper functioning of any forensic
tools used in examining cell phones and associated media. Procedures for
handling sensitive information that might be recorded by forensic tools
should also be addressed. Legal counsel should carefully review all
forensic policy and high-level procedures for compliance with
international, federal, state, and local laws and regulations, as
appropriate.
Ensure that the organization's forensic professionals are prepared to
conduct activities in cell phone forensics.
Forensic professionals, especially first responders to incidents, should
understand their roles and responsibilities for cell phone forensics and
receive training and education on related forensic tools, policies,
guidelines, and procedures. Forensic professionals should also consult
closely with legal counsel in general preparation for forensics
activities, such as determining which actions should and should not be
taken under various circumstances. In addition, management should be
responsible for supporting forensic capabilities, reviewing and
approving forensic policy, and examining and endorsing unusual forensic
actions that may be needed in a particular situation.
More Information
NIST publications assist organizations in planning and implementing a
comprehensive approach to information security. Publications dealing
specifically with digital forensics include:
NIST SP 800-72, Guidelines on PDA Forensics, by Wayne Jansen and Rick
Ayers, helps organizations develop policies and procedures for personal
digital assistants (PDAs) and assists forensic specialists in dealing
with situations involving PDAs.
NIST SP 800-86, Guide to Integrating Forensic Techniques into Incident
Response, by Karen Kent, Suzanne Chevalier, Tim Grance, and Hung Dang,
provides detailed information on establishing a forensic capability,
including the development of policies and procedures and the use of
forensic techniques to assist with computer security incident response.
These publications and other security-related publications are available
from NIST's website: http://csrc.nist.gov/publications/nistpubs/index.html
Disclaimer
Any mention of commercial products or reference to commercial
organizations is for information only; it does not imply recommendation
or endorsement by NIST, nor does it imply that the products mentioned
are necessarily the best available for the purpose.
Elizabeth B. Lennon
Writer/Editor
Information Technology Laboratory
National Institute of Standards and Technology
100 Bureau Drive, Stop 8900
Gaithersburg, MD 20899-8900
Telephone (301) 975-2832
Fax (301) 975-2378