Forensic response for smartphones 101

David E Lares S
3 min read · Apr 25, 2024

Let’s start with a quick network background.

To perform proper forensics on a smartphone, the person responsible must know the fundamentals of mobile network technologies. The concepts involved vary with the technologies in use and their implications, and with the internal specifications of the phone's OS: how it works and how its architecture is laid out.

Inside a GSM network's database you'll find two particular records: the HLR and the VLR registers.

The HLR (Home Location Register) stores the permanent data of the subscriber, such as the phone number, while the VLR (Visitor Location Register) holds temporary data such as the IMEI code or any location-based information.

This basic knowledge is required specifically for interpreting the phone's recent connections to base stations (eNodeBs) in order to trace its location and the last activity performed with the device. For more information, please refer to this post, which explains it far better.

That covers the main part of the network side. Additionally, you need to know that the information stored on the device is completely independent of the SIM card.

The SIM card is a chip that your carrier uses to identify your phone number on its network. The chip has a small storage capacity and is protected by a PIN code. Besides the PIN, there is a PUK (Personal Unblocking Key) code, used to recover the PIN of a SIM card; the PUK is printed on the card your SIM comes attached to.

So, with the PUK code, you can set a new PIN for the SIM card and access its information. However, most smartphones today also have an internal authentication mechanism of their own, in the form of passwords, passcodes, graphical patterns, or a biometric authentication system.
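To make the PIN/PUK relationship concrete, here is an added example (not code from the article) that models a SIM card's lockout logic as a small state machine. The attempt limits are assumptions taken from the conventional GSM defaults (3 wrong PINs block the PIN, 10 wrong PUKs permanently block the card); the PIN and PUK values are constructed. The point for an examiner is the failure mode at the end: once the PUK counter is exhausted, the card is gone for good, so a PUK should be entered only when its source is reliable.

```python
"""Toy model of SIM PIN/PUK lockout behaviour (constructed example)."""
import hmac
from dataclasses import dataclass

PIN_ATTEMPTS = 3    # assumption: conventional GSM default for CHV1
PUK_ATTEMPTS = 10   # assumption: conventional GSM default; exhausting these bricks the SIM


@dataclass
class SimCard:
    pin: str
    puk: str
    pin_tries_left: int = PIN_ATTEMPTS
    puk_tries_left: int = PUK_ATTEMPTS
    permanently_blocked: bool = False

    @property
    def pin_blocked(self) -> bool:
        """True once the PIN counter is exhausted; only the PUK can help now."""
        return self.pin_tries_left == 0

    def verify_pin(self, candidate: str) -> str:
        """Return OK, WRONG_PIN, PUK_REQUIRED or PERMANENTLY_BLOCKED."""
        if self.permanently_blocked:
            return "PERMANENTLY_BLOCKED"
        if self.pin_blocked:
            # Even the correct PIN is refused until an unblock succeeds.
            return "PUK_REQUIRED"
        if hmac.compare_digest(candidate, self.pin):
            self.pin_tries_left = PIN_ATTEMPTS  # a good PIN resets the counter
            return "OK"
        self.pin_tries_left -= 1
        return "PUK_REQUIRED" if self.pin_blocked else "WRONG_PIN"

    def unblock_with_puk(self, puk: str, new_pin: str) -> str:
        """Use the PUK to set a fresh PIN. Return OK, WRONG_PUK or PERMANENTLY_BLOCKED."""
        if self.permanently_blocked:
            return "PERMANENTLY_BLOCKED"
        if hmac.compare_digest(puk, self.puk):
            self.pin = new_pin
            self.pin_tries_left = PIN_ATTEMPTS
            self.puk_tries_left = PUK_ATTEMPTS
            return "OK"
        self.puk_tries_left -= 1
        if self.puk_tries_left == 0:
            self.permanently_blocked = True  # no recovery path from here
            return "PERMANENTLY_BLOCKED"
        return "WRONG_PUK"


def walkthrough() -> list:
    """Drive one card through block -> unblock, and another into permanent lockout."""
    card = SimCard(pin="1234", puk="12345678")           # constructed values
    trace = [card.verify_pin("0000") for _ in range(3)]  # three wrong PINs
    trace.append(card.verify_pin("1234"))                # correct PIN, still refused
    trace.append(card.unblock_with_puk("12345678", "5678"))
    trace.append(card.verify_pin("5678"))

    doomed = SimCard(pin="1234", puk="12345678")
    for _ in range(3):
        doomed.verify_pin("9999")
    for _ in range(PUK_ATTEMPTS):
        last = doomed.unblock_with_puk("00000000", "0000")
    trace.append(last)
    return trace


if __name__ == "__main__":
    print(walkthrough())
```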

The most basic information accessible in a forensic case consists of contact lists, call history, SMS, emails, chats, geolocation records, network connections, and Wi-Fi credentials.

Of course, this will vary with the state of the phone and the conditions present at the time of the analysis phase.

So, with all that said, let's move on to how to perform forensic practices on smartphones.

The ideal scenario starts with preserving the state of the phone, whether it is powered on or not; a bonus point, of course, is to have an unlocked phone.

A few basic preconditions are:

If there is any risk of data loss, a Faraday box will be required; it provides electromagnetic isolation.

If the phone is powered off, make sure that, at the moment it gets reconnected, any synchronization activity with the OS is disabled until everything is under control.

After this, we should be ready to start the procedure. As basic as it can be, you'll need to take a disk image copy of the phone, and after that you can use a professional mobile-first program to run further analysis.

You'll need to be familiar with chain-of-custody handling, with how to handle and protect data copies and corroborate data integrity, and much more. And of course, based on your analysis results, you perform the corresponding examination and reporting.
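The two steps above (take an image copy, then protect the copy and corroborate its integrity under a chain of custody) are easy to describe and easy to get wrong, so here is an added example in Python that is not code from the article or from any forensic suite. It acquires a byte-for-byte image while hashing the source stream, re-hashes the written image to confirm the copy is faithful (the acquisition hash and verification hash examiners compare), appends a chain-of-custody record, and then shows that a later one-byte change to the working copy is detected. The "device" is a constructed file in a temp directory; on a real case the source would be a read-only block device or a tool-produced extraction, and the custody log would live on separate, protected media.

```python
"""Constructed example: image acquisition with hash verification and a
chain-of-custody log. Not the article's code; paths and IDs are made up."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read/write in 1 MiB blocks


def hash_file(path: str, algo: str = "sha256") -> str:
    """Stream a file through a hash so large images do not need to fit in RAM."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source: str, image_path: str) -> str:
    """Copy source to image_path byte-for-byte, hashing what is read from the
    source, then re-hash the written image. Returns the SHA-256 if both agree."""
    acquisition = hashlib.sha256()
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            acquisition.update(block)
            dst.write(block)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the bytes are on disk before hashing them
    acquisition_hash = acquisition.hexdigest()
    verification_hash = hash_file(image_path)
    if acquisition_hash != verification_hash:
        raise RuntimeError("image does not match source; do not use this copy")
    return acquisition_hash


def custody_entry(log_path: str, evidence_id: str, action: str,
                  examiner: str, sha256: str, note: str = "") -> dict:
    """Append one line of JSON to the custody log; every later step appends again."""
    entry = {
        "time_utc": datetime.now(timezone.utc).isoformat(),
        "evidence_id": evidence_id,
        "action": action,
        "examiner": examiner,
        "sha256": sha256,
        "note": note,
    }
    with open(log_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry) + "\n")
    return entry


def verify_image(image_path: str, expected_sha256: str) -> bool:
    """Re-hash the image and compare to the value recorded at acquisition."""
    return hash_file(image_path) == expected_sha256


def demo() -> tuple:
    """Acquire a constructed 'device', log it, verify it, then detect tampering."""
    workdir = tempfile.mkdtemp(prefix="acq-")
    device = os.path.join(workdir, "device.bin")     # stand-in for phone storage
    image = os.path.join(workdir, "device.dd")       # raw image of it
    log = os.path.join(workdir, "custody.jsonl")

    with open(device, "wb") as f:                     # constructed content
        f.write(os.urandom(3 * CHUNK + 12345))

    digest = acquire_image(device, image)
    custody_entry(log, "PHONE-001", "acquired", "examiner-A", digest,
                  "raw image taken; hypothetical evidence id")
    intact = verify_image(image, digest)

    # Flip one bit in the working copy (simulating tampering or bit rot).
    with open(image, "r+b") as f:
        f.seek(100)
        original = f.read(1)
        f.seek(100)
        f.write(bytes([original[0] ^ 0xFF]))
    tampered_detected = not verify_image(image, digest)

    return digest, intact, tampered_detected


if __name__ == "__main__":
    print(demo())
```

Note that the hash is recorded before the image is ever handed to an analysis tool, and every verification is a fresh re-hash of the file rather than a cached value; that is what lets the custody log stand up later.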

As for tools, this is a vast topic to discuss. Of course, the silver bullet is to find a professional suite for smartphones, but as always it can come with limitations. So, to get the most out of it, you'll need to test a bunch of tools and make your own selection.
