
An In-Depth Guide to Mobile Device Forensics

Apr 28, 2025 · 21 min

Episode description

This book offers a comprehensive guide to mobile device forensics, beginning with foundational concepts of wireless communication, including electromagnetic waves, radio frequencies, and various multiple access techniques like FDMA, TDMA, CDMA, and QDMA. It then details the hardware and operating systems of mobile devices, specifically exploring iOS and Android, discussing file systems like APFS and F2FS, security measures, and diagnostic tools such as ADB. The content progresses to cover advanced forensic techniques like JTAG and chip-off for direct data extraction, analyzing the SQLite databases often used by mobile applications, and performing cell site analysis to determine location information. Finally, the text touches upon anti-forensics countermeasures, such as steganography and cryptography, and concludes with essential considerations for forensic practitioners, including legal issues, ethical guidelines, evidence tracking, and the scientific method as applied to digital forensics.

You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cyber_security_summary

Get the Book now from Amazon:
https://www.amazon.com/Depth-Guide-Mobile-Device-Forensics/dp/0367633000?&linkCode=ll1&tag=cvthunderx-20&linkId=34d0bde21ede79d3c7ae0bbd051f1b55&language=en_US&ref_=as_li_ss_tl

Discover our free courses in tech and cybersecurity, Start learning today:
https://linktr.ee/cybercode_academy

Transcript

Speaker 1

Welcome to the deep dive. You've asked us to get into the weeds on mobile device forensics, using Chuck Easttom's An In-Depth Guide to Mobile Device Forensics as our map.

Speaker 2

Yeah, it's quite a detailed guide.

Speaker 1

Our goal today: to really pull out the key stuff, how these devices get examined, what secrets they hold, and give you a solid handle on...

Speaker 2

...it all, exactly. The source covers a lot, from the nitty-gritty of wireless tech and hardware to specific forensic methods for iOS and Android, even advanced things like JTAG, chip-off, data analysis, and crucially the legal side.

Speaker 1

Right. So the mission for you, our listener, is to walk away with a good grasp of the core ideas and steps in mobile forensics. Think of it as getting you up to speed without having to wade through, well, everything yourself.

Speaker 2

Makes sense. It's a complex field, definitely.

Speaker 1

So let's kick things off with how these devices actually talk to each other wirelessly. The basics.

Speaker 2

Okay, so the book lays the groundwork with wireless technology. Makes sense, right? It's how they connect. It starts with electromagnetic waves, talks about frequency, wavelength and that inverse relationship they have. Right.

Speaker 1

One goes up, the other goes down, but the speed of light stays constant.

Speaker 2

Exactly, and frequency is measured in hertz, you know, cycles per second. We usually see kilohertz, megahertz, gigahertz, bigger...

Speaker 1

...numbers. Like Wi-Fi, that's often 2.4 or 5 gigahertz, isn't it? Precisely.

Speaker 2

Those are the carrier waves, and the actual data gets put onto the carrier using modulation. AM and FM are basic examples the book gives, but modern stuff is way more complex.

Speaker 1

Okay, so radio waves are key. How do they fit into the tech landscape?

Speaker 2

Well, they're fundamental for lots of wireless tech. Wi-Fi obviously, those 802.11 standards, and Bluetooth, often around 2.4 gigahertz too. Devices talk without plugging things in.

Speaker 1

Now, the book mentions some ways signals are transmitted. Spread spectrum techniques. Sounded a bit technical. Yeah.

Speaker 2

It gets into that. They are clever ways to make the signal more secure or reliable by spreading it out. Okay, so frequency hopping, FHSS, jumps between frequencies, harder to catch. Direct sequence, DSSS, spreads the signal wider to resist interference. Then chirp spread spectrum, CSS, and time hopping, THSS, varying frequency over time or transmitting...

Speaker 1

...in bursts. Different strategies for robustness. Got it. So, with everyone on their phones, how do cellular networks handle all that traffic?

Speaker 2

Multiple access techniques, that's the key. FDMA gives everyone their own frequency channel. TDMA slices up time, gives everyone a slot. CDMA is interesting, uses unique codes so lots of people can share the same frequency. And QDMA, that's more for short range...

Speaker 1

...stuff. Dividing up the airwaves efficiently. And this tech has really evolved, hasn't it? Massively.

Speaker 2

The book maps it out: GSM, then EDGE, the bridge to 3G, then UMTS, LTE, and now, well, 5G. Each generation faster, better capacity.

Speaker 1

5G's the big one now. Anything specific about its wireless side we should note?

Speaker 2

Yeah, the big thing is the huge range of frequencies it uses. The book lists examples like n71 down at 600 megahertz and n77 way up around three to four gigahertz.

Speaker 1

Wow, quite a spread.

Speaker 2

It allows for much more data, lower latency. From a forensics view, maybe more data, different kinds of data, could be recoverable.

Speaker 1

Makes sense, and Wi-Fi standards keep evolving too.

Speaker 2

Oh yeah, beyond the common ones like g and n, you've got ad for super-fast speeds, af using old TV channels. That's the one. And now Wi-Fi 6, ax, and even Wi-Fi 7 are coming along. Channel bonding is a key trick there, combining channels...

Speaker 1

...for more speed. And security is always a concern with...

Speaker 2

...wireless, absolutely critical. The book runs through Wi-Fi security. WEP, totally broken now, avoid it, definitely. Then WPA, WPA2 and now WPA3, each getting stronger. Finding WEP on a device, big red flag for security.

Speaker 1

Good point. Okay, solid wireless foundation. Let's get inside the device itself, the hardware.

Speaker 2

Right, the physical bits. Antennas are fundamental. You've got omnidirectional, sending signals everywhere, and directional, which focus the signal. Okay. Key things are the radiation pattern, directivity, how focused it is, gain, which is like signal...

Speaker 1

...amplification, measured in dBi or dBd. Exactly.

Speaker 2

And efficiency, how well it converts power into radio waves, and...

Speaker 1

...the area around the antenna matters too. Different zones.

Speaker 2

Correct, there's the reactive near field right next to it, then the radiating near field or Fresnel region, and finally the far field, the Fraunhofer region.

Speaker 1

And out there in the far field, the signal drops off quickly.

Speaker 2

Yeah, follows the inverse square law. Power decreases significantly with...

Speaker 1

...distance. And even with nothing blocking, you lose signal strength just traveling through air.

Speaker 2

That's free space path loss. Gets worse with distance and also with higher frequencies. The book gives a simplified formula and mentions the Friis formula, which is more complete, considering antenna gains.

Speaker 1

Okay. Now, inside, translating digital to analog signals: the DSP.

Speaker 2

The digital signal processor, yep. Crucial role. It converts the phone's digital data into analog signals for transmission, and vice versa for reception. Uses math like the discrete cosine transform and, importantly, the Fourier transform.

Speaker 1

Ah, Fourier transform always sounds complex. Can you break it down simply?

Speaker 2

Sure. Think of a complex sound like a musical chord. The Fourier transform is like a prism for sound. It takes that complex wave and shows you all the individual notes, the frequencies that make it up, and how strong each one is.

Speaker 1

Okay. That helps, like decomposing it. Exactly.

Speaker 2

It decomposes a signal over time into its frequency components. The math uses integrals, which you can kind of think of as finding the area under the curve to figure out the strength of each frequency.

Speaker 1

Got it. Another key piece, the SIM card. More than just the phone...

Speaker 2

...number, right? Oh, absolutely. The Subscriber Identity Module. The SIM stores your IMSI, the unique subscriber ID for...

Speaker 1

...the network. International Mobile Subscriber Identity, right.

Speaker 2

Plus the ICCID, that's the SIM's own serial number, security keys, network info, PIN and PUK codes. It's all on there, way more advanced than the old NAM systems.

Speaker 1

And these cards have specific contacts and standards.

Speaker 2

Yep, those little gold contacts. They handle power, clock, data in, data out. It all follows the ISO/IEC 7816 standards.

Speaker 1

What other info is stored?

Speaker 2

Well, the IMSI itself contains the MCC and MNC, country and network codes. There's the LAI, location area identity, with the LAC code. And they've shrunk over time: full size, mini, micro, nano. iPhone 5 used nano, and we have e...

Speaker 1

...SIMs too, embedded SIMs, right. And...

Speaker 2

...they have a simple file system: master file, MF, directory files, DF, elementary files, EF, for the actual data.

Speaker 1

Amazing what's packed into that tiny chip. Then there's the CPU, the...

Speaker 2

...central processing unit, yep. The book calls it the brains, which is pretty accurate. Executes all the instructions, runs the OS, apps, controls everything.

Speaker 1

And radios are getting smarter too. Software defined radio, SDR.

Speaker 2

Yeah, SDR is interesting. It means a lot of the radio functions, like tuning, filtering, modulation, are done in software instead of fixed hardware.

Speaker 1

More flexible.

Speaker 2

Exactly. You need an RF front end, fast, and a good processor, but you can change what the radio does just by updating the software. Supports different standards more easily.

Speaker 1

Very cool. Now, the book also mentioned things used to disrupt or monitor signals: jammers and IMSI catchers.

Speaker 2

Right. Jammers illegally block signals. IMSI catchers try to grab phone identifiers, often used for surveillance. Important to be aware of in forensics.

Speaker 1

Definitely highlights the dual nature of the tech. Okay, hardware covered. Let's shift to the software running the show: iOS and Android. Makes sense.

Speaker 2

Chapter three dives into iOS. Huge deal in forensics because, well, iPhones are everywhere. Sure. Big focus on the file system, APFS, Apple File System, which replaced the older HFS+ around iOS 10.3. Key features are strong encryption, snapshots, 64-bit file IDs, checksums for data integrity. Really robust.

Speaker 1

And iOS has that layered structure.

Speaker 2

Yep, four main layers: Core OS at the bottom, Core Services, Media, and Cocoa Touch for the user interface, gestures, all that. The book also flags security updates in iOS 14, like those little dots showing camera or mic...

Speaker 1

...use. Ah yeah, the recording indicators.

Speaker 2

Random Wi-Fi MAC addresses, and something called BlastDoor to sandbox iMessage data. More secure.

Speaker 1

Saw a mention of 3uTools. What's that about?

Speaker 2

It's a third-party tool, can pull lots of info about an iPhone: specs, software version, apps. But the book notes getting the really sensitive stuff like call logs often means jailbreaking the phone first.

Speaker 1

Which isn't ideal forensically. Not usually, no, it modifies the system. And iPhones pack a lot of sensors in, screen...

Speaker 2

...tech, definitely. OLED screens, Haptic Touch instead of the old pressure-sensitive 3D Touch, and sensors galore: proximity, light, magnetometer, accelerometer, gyro, barometer, plus biometrics like Touch ID and Face...

Speaker 1

...ID. Apple's big on security, right? Very. They...

Speaker 2

Have a dedicated crypto processor use strong AES two hundred and fifty six bit encryption. Remember the FBI and the San Bernardino phone.

Speaker 1

Yeah, that was a big deal.

Speaker 2

Shows how tough it can be. Encryption is always on when locked. Tools like GrayKey exist, trying to bypass this, but it's an ongoing battle. The book lists some older processors too, A8, A9, A10, and their security features. Bottom line, you need to understand iOS internals even with fancy tools.

Speaker 1

Okay, so iOS: locked down, encrypted. What about Android? Different...

Speaker 2

...beast entirely, pretty much. Chapter four covers Android, starts with those hidden codes...

Speaker 1

...you can dial. Ah, the secret menus.

Speaker 2

Exactly, like [inaudible] and *#06# for the IMEI. Super useful, but the book warns they vary a lot between manufacturers. Got to search for device-specific ones.

Speaker 1

Good tip. And for interacting with the system, ADB comes up a lot.

Speaker 2

Android Debug Bridge, yeah. It's a command line tool, lets you talk to the device if developer mode is on. You can pull files, adb pull, restore backups, reboot into recovery, and dumpsys is incredibly powerful for grabbing system...

Speaker 1

...info. Like listing files in system directories? Yep.

Speaker 2

ls -l /system/bin is an example. Lots of useful commands listed in the...

Speaker 1

...book. And Android uses different file systems than iOS.

Speaker 2

Right, no single standard like APFS. F2FS from Samsung, Flash-Friendly File System, to name one, JFFS2, YAFFS. Depends on the device, the kernel version. More fragmentation.

Speaker 1

And security is more varied too.

Speaker 2

Generally, yes. Core Android has features, but manufacturers add their own stuff. The book mentions Adiantum encryption for devices that don't have hardware AES support, uses ChaCha and Poly1305.

Speaker 1

Also saw flashing tools mentioned: Odin, Android Flash Tool.

Speaker 2

Yeah, those let you write new firmware to the device. Can be used for updates, repairs, or trying to bypass security. But big warning, mess it up and you can break the...

Speaker 1

...phone, render it useless. Risky. Very. And since Android's open source, you can actually look at the code. Absolutely.

Speaker 2

The book points to cs.android.com. Understanding the source code, how it boots, how security works, can be invaluable for deep forensic work. There are even a couple of hands-on labs in the chapter using codes and ADB. Cool.

Speaker 1

So two very different operating systems needing different approaches. Okay, we know how they work. How do we actually get the data? Forensic techniques and tools, right?

Speaker 2

Chapter five starts with principles that apply to both. What can you recover? Call logs, messages, photos, videos, device info, GPS, network stuff. Pretty standard list.

Speaker 1

First step is always documentation.

Speaker 2

Always. Model, IMEI, SIM details, OS version, get it all down. GPS is often huge: tracking movements, checking...

Speaker 1

...alibis. Are there official guidelines for this?

Speaker 2

Yes, SWGDE, the Scientific Working Group on Digital Evidence, has best practices like their mobile forensics pyramid. NIST also has detailed guidelines for reports, what needs to be included: examiner details, evidence description, methods used, findings, any limitations, data hiding. It also mentions DOJ guidance on accuracy and even cites the Federal Rules on expert reports, needing enough detail for reproducibility.

Speaker 1

So someone else could follow your steps and get the same result. Makes sense, crucial for court. Okay, specifically for iOS, any unique steps...

Speaker 2

...or tools? First thing, stop it syncing with iTunes or Finder automatically, preserve the state. Good point. Then tools: Dr.Fone gets a mention. Oxygen Forensics, known for being user-friendly, good with location data. MOBILedit is noted as affordable, cross-platform. Axiom from Magnet Forensics too, and Cellebrite is often seen as the big comprehensive solution.

Speaker 1

A whole toolkit available. And for Android?

Speaker 2

Chapter six circles back to Android, repeats the general principles, airplane mode immediately is key, mentions SWGDE and NIST again, then really emphasizes using ADB shell commands.

Speaker 1

For navigation and documentation.

Speaker 2

Exactly. ls to list files, cd to change directories, and all those useful ls flags: -al for details, -a for hidden files, -alh for readable sizes, -aR for recursive, -altr to sort by time. Useful...

Speaker 1

...stuff. And looking inside the apps themselves?

Speaker 2

Yeah, touches on decompiling Android apps, APKs, using tools like Android Studio to see the underlying code. The focus here is more on free or low-cost tools and methods for Android.

Speaker 1

Okay, so different tools, different OS quirks. But what if those standard software methods just don't work? Say the phone's badly damaged or locked down tight. Then you...

Speaker 2

...get into the advanced stuff. Chapter seven covers JTAG and chip-off. These are last resorts. Physical access, exactly. You're bypassing the OS, going straight for the memory chips on the circuit board. JTAG, Joint Test Action Group, was originally for testing boards, but forensics adapted...

Speaker 1

...it. Sounds like you need serious electronics skill.

Speaker 2

You really do. The chapter actually covers some basics: DC versus AC power, watts, joules, components like inductors, capacitors, resistors, even has a table of symbols.

Speaker 1

So how does JTAG actually work?

Speaker 2

You connect to specific points on the board called the test access port, or TAP. There are pins like TDI, TDO, TCK, TMS: test data in, test data out, test clock, et cetera.

Speaker 1

The connection points, right.

Speaker 2

You use these to talk directly to the chips using a standard protocol, IEEE 1149.1. The big challenge: finding those TAP points. They aren't standardized across devices. Definitely. You'd need specialized tools too, like a RIFF Box. The chapter shows its software, mentions common errors, and again SWGDE, IEEE, NIST have standards of practice around JTAG.

Speaker 1

Highly specialized work. Okay, let's say you've got the data, either normally or through JTAG. How do you make sense of it? Databases were mentioned.

Speaker 2

Yeah, chapter eight. Mobile devices use databases extensively, often SQLite, to store app data, contacts, messages, you name it. Understanding relational databases is key. Tables, keys, exactly. Tables hold the data: rows, or records, and columns, or attributes. Primary keys uniquely identify rows, foreign keys link related tables together. Helps organize data, avoid repetition, and...

Speaker 1

...you use SQL to query these databases.

Speaker 2

Yeah, Structured Query Language, yep. The chapter covers the basics. SELECT to get data, UPDATE to change it, DELETE for removing, INSERT to add, and WHERE is crucial for filtering. Examples like select from contacts where city is New York, or using LIKE to find patterns, AND or OR to combine conditions, BETWEEN for ranges, DISTINCT for unique values. Need brackets if column names have spaces.

Speaker 1

So SQL proficiency is vital, and SQLite is the common one on phones. How do you view it?

Speaker 2

Several ways. Command line, or graphical tools like DB Browser for SQLite, or even Chrome extensions like SQLite Viewer. Lets you open the database files, browse tables, run SQL queries directly.

Speaker 1

Very useful, okay. Shifting gears a bit. Cell site analysis and smart TVs, also covered.

Speaker 2

Right, chapter nine. Cell site analysis uses cell tower connection records to estimate where a phone was over time. You plot the tower connections on a map.

Speaker 1

How accurate is that? Determining the exact handoff point between towers seems fuzzy.

Speaker 2

It can be. Without detailed signal strength data, you might assume the handoff is midway between towers. There's always a margin of error, often biggest for the first tower connection.

Speaker 1

But using multiple towers helps.

Speaker 2

Yeah, it refines the location. If you have timestamps, you might even estimate average speed between tower locations, like the example in the book...

Speaker 1

...shows. Interesting. And smart TVs, they're like big phones now, aren't they?

Speaker 2

Pretty much. Many run Android, so you can often use ADB for forensics. Enable USB debugging, connect via IP.

Speaker 1

Use similar commands.

Speaker 2

Yep, dumpsys to get system info, adb pull to grab files like photos, can be useful. Restarting the ADB server is sometimes needed if connections fail.

Speaker 1

Adapting techniques to new devices makes sense. But what about people trying to hide data?

Speaker 2

Anti-forensics, ah. Chapter ten. Big topic, starts with steganography, hiding data within other data.

Speaker 1

Like hiding text in an image. Exactly.

Speaker 2

The book shows how changing just one tiny bit in a pixel is invisible to us, but can hide information. The image or audio file is the channel. Lots of tools exist to do...

Speaker 1

...this. And ways to detect it?

Speaker 2

Steganalysis, right. Statistical analysis, looking for noise patterns. Tools like StegDetect exist. The chapter shows an example using DeepSound to hide a file in audio. Examiners need to be aware...

Speaker 1

...this happens. Okay, hiding data. What about scrambling it? Cryptography, also huge.

Speaker 2

Symmetric crypto uses the same key to encrypt and decrypt, think full disk encryption. Asymmetric uses different public and private keys for secure communication, signatures. Essential to understand for iOS and Android security.

Speaker 1

How do they work? Basically?

Speaker 2

Symmetric often involves substitution, swapping the letters or bits, and transposition, shuffling them, done in multiple complex rounds using algorithms like AES. Asymmetric, like RSA, relies on complex math with prime numbers to create the key...

Speaker 1

...pairs. And phones use specific types?

Speaker 2

Yep. AES 256-bit is common for full disk encryption on both platforms. Older stuff like A5/1 was used in GSM. UMTS has its own authentication methods.

Speaker 1

What about hashing? Different from encryption?

Speaker 2

Totally different. Hashing is a one-way process: takes input, creates a fixed-size fingerprint or hash, can't go backwards. Used for integrity checking, making sure data hasn't changed. MD5, SHA-1, SHA-256 are common examples.

Speaker 1

Got it. And password cracking?

Speaker 2

Trying to guess or find passwords to decrypt data. Brute force, dictionary attacks, rainbow tables. But strong encryption makes it very, very hard.

Speaker 1

Seems like a constant cat and mouse game. Okay, we've covered tech and techniques, but none of it matters without the legal and ethical framework. Absolutely vital.

Speaker 2

Chapter eleven dives into this. Starts with rules of evidence like FRE 901 and 902 on authenticating digital evidence so it's admissible...

Speaker 1

...in court. And keeping track of the evidence itself.

Speaker 2

Crucial. Chain of custody needs meticulous tracking: logs, software like ASIS or Evidence Tracker, barcodes, even RFID. Got to prove the evidence wasn't tampered with.

Speaker 1

And when examiners testify, they're experts, right?

Speaker 2

Yes, expert testimony relies on specialized knowledge. Federal Rule 702 defines who qualifies, and the Daubert standard sets criteria for scientific reliability: testing, peer review, error rates, general acceptance. Forensic techniques have to meet these standards.

Speaker 1

Can't just search any phone, though. Warrants, consent.

Speaker 2

Fourth Amendment territory. Generally need a warrant based on probable cause, especially given the expectation of privacy we have with phones. Consent is an exception, but it must be voluntary, informed, and the search can't exceed the scope of the consent given. Who can consent matters too: owners, sometimes parents.

Speaker 1

And ethics, foundational, I imagine. Non-negotiable.

Speaker 2

The chapter mentions AAFS guidelines: be professional, don't misrepresent qualifications or findings, cite sources properly. Your duty is to the scientific truth, not just winning a case. You have to report weaknesses too. Briefly touches on criminal versus civil cases, PI licenses.

Speaker 1

Scientific principles apply here too. Definitely, the...

Speaker 2

...scientific method, peer review for validating techniques, Locard's principle: every contact leaves a trace, even digitally.

Speaker 1

And the final report ties it all together.

Speaker 2

It has to summarize analysis and conclusions based on detailed notes. SANS and DOJ have recommendations. Must include enough detail for another expert to reproduce your work. Quality control's key too: lab accreditation like ISO 17025, investigator training, and using validated methods.

Speaker 1

Wow, we really have covered a massive amount of ground, from wireless signals and hardware...

Speaker 2

...through operating systems, file systems, specific forensic tools for iOS and Android...

Speaker 1

...advanced extraction like JTAG, data analysis with SQL, cell sites, even smart TVs.

Speaker 2

And then anti-forensics like steganography and crypto, and finally the critical legal and ethical rules.

Speaker 1

Yeah, quite the journey. Our aim was really to give you, the listener, a solid practical understanding of this whole complex...

Speaker 2

...field, hopefully equipping you with insights into the tech, the processes, how digital evidence is uncovered.

Speaker 1

So wrapping up this deep dive, here's something to chew on. Mobile tech keeps getting more complex, right? Anti-forensic techniques get smarter. What do you think are the biggest challenges ahead for mobile forensics? Where does innovation need to happen most? It's...

Speaker 2

...that constant balancing act: security versus privacy versus finding the truth in digital...

Speaker 1

...evidence, exactly. Definitely food for thought. We hope this exploration was valuable, and feel free to keep digging into these topics. Thanks for joining us on the deep dive.

Transcript source: provided by creator in RSS feed.