Basics of Cellular Evidence -...
Collection and Acquiring Cell Phones
Unique Preservation Issues
– Phone must be isolated from the network.
– Data can be destroyed very easily by police, first responders, others.
– Turning the phone on can destroy data permanently
Preservation
Phones should be left in the original condition and placed in a Faraday bag.
Collection and Acquiring Cell Phones
• Cop “thumbs through” the phone at the scene.
– Phone is collected and either turned off and placed in evidence
– Phone is collected and left on and placed in evidence
• Cop pulls phone from evidence and does a “thumb forensics” exam with no records or documentation.
Dangers Of “Thumb Forensics”
• Usually cannot tell if something has been deleted
• Usually cannot tell if anything has been created
Logical Acquisition Of A Cell Phone
How it Works
• Using forensic software and hardware, a connection is made to the phone and the forensic tools “ask” for the data from the phone.
• Based on modem technology
Data That Can Be Recovered
• Can recover only data that is still present on the phone (information that has not been deleted)
• Data that can be recovered includes: contacts, call history, images, videos, email, text messages, address book, etc.
Logical Acquisition Of A Cell Phone
Why do a logical acquisition of a cell phone when you could get the same information using “Thumb Forensics”?
• Verification
• Advanced Reporting
• Will Stand Up In Court
• Forensic Best Practices
Physical Acquisition Of A Cell Phone
How it Works
• Using forensic software and hardware, the physical memory of the phone or a device in the phone is recovered. This allows for the recovery of deleted data.
• Deleted data can be recovered from SIM Cards, Media Cards, and on some phones the physical memory itself.
Data That Can Be Recovered
• If the physical memory of the phone can be accessed, or a SIM Card or Media card is present in the phone it is possible to recover any type of deleted data.
Physical Acquisition Of A Cell Phone
How it Works
• Like a computer acquisition
• Forces the cell phone to give up its data
Deleted information can be recovered if a physical acquisition can be performed.
Physical Acquisition Of A Cell Phone
How it Works
• This data was manually carved out to recover a deleted picture.
• A qualified examiner can “read” what you see above. If an examiner cannot, then they will not be able to get back the deleted picture since it must be manually recovered.
• The next slide shows the picture that was recovered.
Manual Examination of A Cell Phone
Manual Examination: The last resort in cell phone examinations
• If no option is available to examine a cell phone logically or physically, a manual examination is performed.
• A manual examination of a cell phone should follow best forensics practices.
Manual Examination of A Cell Phone
1. A camera is used to take pictures of the screen as an examiner manipulates the phone using the keypad.
2. A video camera should record the entire examination so that a record is kept showing that no information was modified or deleted.
3. Without full documentation of the process, there is no way to know if someone deleted information in the process of a manual examination.
How Telephones Work
The Telephone
132 years old and the technology has not changed
It’s still basically tin cans and strings.
1. Your voice vibrates the tin can
2. Tin can vibrates the string
3. Wave travels along string
4. Causes identical vibration on receiving can.
5. Sound is reproduced
Telecommunication Evolves
The Goal
Transport sound from point A to point B with as little distortion as possible.
The Patent:
The vibration produces an electric current that can be carried over a wire and reproduced at a distant point.
Alexander Graham Bell (and Others)
Basics of Telephones
[Figure: timeline of how the signal is carried. Labels: String, Electricity, Radio, Fiber Optics (light). Years shown: 1875, 1946 (yes), 1975]
Telephony Evolved, but the principle has never changed…phones are still tin cans
Basics of a Mobile Phone
Mobile Phones
The ‘string’ is simply a radio channel
The technology has not changed
It’s still basically tin cans and strings.
You listen to a simple radio receiver
You are a broadcaster when you speak
Exactly Like an AM/FM Radio or a Broadcast Station
Central Office
The Cellular System – A Cell Site
• Controls Antenna Power
• Manages Connections
• Talks to a Radio Network Controller
Antennas send and receive signals from phones
Base Station Transceiver
Anatomy of the Cellular System
• Manages the network of cell sites through the Radio Network Controllers
Multiple Cell Sites Connect to Radio Network Controller via Land Lines
Mobile Switching Center
The Hook Up!
Tower A Tower B
4.1 Miles 1.3 Miles
On power up your phone tunes to a known frequency and starts to listen
The Hook Up! – Choosing a Tower
Tower A Tower B
How does the phone choose a tower?
Pick me! Pick me!
Power Up Connects to Strongest Signal
Tower A Tower B
4.1 Miles 1.3 Miles
Registration
95dbm 85dbm
The closest tower will normally have the strongest signal
Power Up Connects to Strongest Signal
Tower A Tower B
3.0 Miles 3.0 Miles
Registration
95dbm 85dbm
When equally distant from both towers, the power output from the antennas may come into play.
Power Up Connects to Strongest Signal
Tower A Tower B
3.0 Miles 3.0 Miles
Registration
95dbm 85dbm
When equally distant from both towers, occlusion may be the deciding factor.
I can’t see you Tower A!
Power Up Connects to Strongest Signal
Tower A Tower B
3.0 Miles 3.0 Miles
Registration
95dbm 85dbm
Sorry, all channels are busy!
Channels must be available for the phone to use.
Cellular Coverage
To the public network
Mobile Switch Base Station
Mobile Radio Phone
Each Base Station Has about 100 Channels. You need two channels for a phone call so up to 50 people can make calls at the same time.
Mobile Radio Phone (in an area of no service)
Cellular – Go Small, Not Big and Reuse Channels
Tower A Tower B
1 Mile
Channel 850 Channel 900
Channel 860 Channel 910
5 4 3 2 1
Tower A Channel 850 Channel 900
Fill the Gaps with Towers with different channels
Miles: 6 5 4 3 2 1
Tower B Channel 860 Channel 910
Tower C Channel 870 Channel 920
January 11, 2007
[Figure: seven-cell cluster pattern, cells numbered 1 to 7]
By repeating this pattern, any size city can be fully covered by a cellular system.
In rural areas, you may only need one cell tower.
In big cities you may need hundreds of cell towers
City Wide Coverage
One City 110 square miles
Each Cluster is called a LOCATION AREA
Each Cellular Site may have 100 Channels. Rather than have 1 big cell that serves 100 people, we have 7 cells that serve about 350 people.
Go Small-Serve More Customers
Cellular Phone Coverage – The “MATH”
Show your work!
Cell Site with a 1 mile radius
Area = Pi × R²
So if: Pi = 3.14159, R = 1 mile
Then Area = 3.14 square miles
1 square mile = 640 acres
3.14 square miles = 2010 acres.
Northern Orientation
Call Detail Records (CDRs)
• Legal Proof of a Service Provided
• A Technical Road Map of a Call
• A Financial Transaction Record
Case Development
• When did the incident occur?
– Time factor for deciding which calls to include.
• What phones were involved?
– Defendant, co-defendants, victim or possible witnesses.
• Where did the incident occur?
– For plotting calls versus location.
Case Development
• Do we have sector information?
– Without sectors we are limited to the total tower coverage and so are they.
• Do we have tower orientation?
– Without tower orientation, we have to guess based on past experience.
Place our co-defendant’s phone
Call from Smith to Wesson at 9:14PM in Sector 3
Call from Smith to Wesson at 9:10PM in Sector 1
Crime Scene
Correct Case Analysis Steps
• Perform an independent analysis of the telephony facts of the matter.
• Build a timeline
• Place calls along timeline
• Develop Map of towers for correct date of incident (Radio Frequency Plan aka Coverage Map)
• Show location and path of phones based on discovery
• Get original data sources
• AFTER analysis of phones, THEN review incident in light of facts to form opinion, rather than unscientifically using cell phone evidence to fit the desired facts of the incident.
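The timeline steps above, sketched as an added example that is not part of the original slides: it filters call records by the incident time window and the phones involved, orders them, and marks whether each call resolves to a sector or only to whole-tower coverage. The record fields, sample rows and date are constructed assumptions, and the 1 mile radius and 640 acres per square mile come from the coverage math earlier in the deck.

```python
import math
from datetime import datetime, timedelta

ACRES_PER_SQ_MILE = 640   # conversion used on the slide
FMT = "%Y-%m-%d %H:%M"

# Constructed sample records; field names are hypothetical, not a carrier format.
CDRS = [
    {"time": "2020-03-01 21:14", "caller": "Smith", "callee": "Wesson", "tower": "A", "sector": 3},
    {"time": "2020-03-01 18:02", "caller": "Smith", "callee": "Jones", "tower": "B", "sector": 2},
    {"time": "2020-03-01 21:10", "caller": "Smith", "callee": "Wesson", "tower": "A", "sector": 1},
    {"time": "2020-03-01 21:30", "caller": "Wesson", "callee": "Smith", "tower": "C", "sector": None},
]

def tower_area_acres(radius_miles=1.0):
    """Whole-tower coverage, following the slide: Area = Pi x R^2, then acres."""
    sq_miles = round(math.pi * radius_miles ** 2, 2)   # 3.14 for R = 1 mile
    return round(sq_miles * ACRES_PER_SQ_MILE)

def build_timeline(cdrs, incident, window_minutes, phones, radius_miles=1.0):
    """Keep calls near the incident that involve the phones of interest,
    in time order, each tagged with the best location resolution available."""
    t0 = datetime.strptime(incident, FMT)
    window = timedelta(minutes=window_minutes)
    timeline = []
    for rec in cdrs:
        when = datetime.strptime(rec["time"], FMT)
        if abs(when - t0) > window:
            continue                      # outside the time factor for this case
        if rec["caller"] not in phones and rec["callee"] not in phones:
            continue                      # phone not involved
        if rec["sector"] is None:
            # No sector data: location is limited to total tower coverage.
            resolution, area = "tower", tower_area_acres(radius_miles)
        else:
            resolution, area = "sector", None   # some part of the tower's coverage
        timeline.append({**rec, "when": when, "resolution": resolution,
                         "area_acres": area})
    return sorted(timeline, key=lambda r: r["when"])

if __name__ == "__main__":
    for row in build_timeline(CDRS, "2020-03-01 21:15", 30, {"Smith", "Wesson"}):
        where = f"tower {row['tower']}, " + (
            f"sector {row['sector']}" if row["resolution"] == "sector"
            else f"no sector (~{row['area_acres']} acres)")
        print(row["when"].strftime("%H:%M"), row["caller"], "->", row["callee"], where)
```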
Best Location Is A 911 Call
[Figure: network diagram with elements numbered 1 to 7. Labels: Mobile Phone, Base Station, GPS Location, 1 mile radius, 655 acres, Mobile Switching Center, Public Telephone Network, Home Location Register, Public Data Network, Mobile Position Center]
Absent a 911 call, a resolution of about 655 acres is generally the best accuracy.
E-911 Location
E-911 System Consists of 2 Phases
• Phase 1 and Phase 2
• Phase 2 is the best location
• Phase 2 is not always available
Phase 1 requirement is:
• Calling Number
• Sector of a cell tower (hundreds of acres)
Phase 2 requirement is:
• Calling Number
• GPS location with 150 feet accuracy.
• Must be manually updated by 911 operator to get best accuracy.