XRY Forensics
XRY- Part 1
Note that when installing on a PC, there is an option to use the MSAB drivers all the time or only when the wizard is running
This can be changed by double clicking the XRY tool in the system tray
Cables:
Where can evidence be located?
Contacts on sim and handset
Pictures on handset and memory card
In short, all over!
Introduction to Mobile Networks
Should note that mobile phones are increasingly faster and smarter
Mobile networks can follow GSM or CDMA
GSM- 210 countries
CDMA- 46
GSM-
Put customer information on removable sim card
All providers must accept GSM-compliant phone on the network if it has one of their sim cards inserted
CDMA
Can only switch networks with providers permission
Provider doesn’t have to accept phone on to its network
Introduction to SIM cards
To pull maximum data, should examine every area independently
Sim cards- mandatory in GSM networks
Smart card consisting of:
Processor
Storage
Digitally contain:
ICCID (card identifier)
IMSI( subscriber identity)
Text based user data (e.g. SMS, contacts and calls)
3GPP
Sim cards- come in different sizes!
GSM SIM cards
2g
3g
Multi application card
ICCID- Uniquely identifies the card
- 19 or 20 digits in length
- ALWAYS stored digitally in the card
- Cannot be edited on a normal SIM
- Often printed on outside
- Can determine the issuing service provider and country from the ICCID
Is found in the general information category on XRY
Note that 4G carries the most data of any network type
ICCID from Sim Card
IMSI
Unique identifier
Always stored digitally on the card- cannot be edited on normal sim
Often, it is not known that it is there
IMSI can give the issuing service provider and country
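Added example (not part of these notes or of XRY): how the ICCID and IMSI fields described above are split to recover the issuing country and provider, plus the ITU-T E.118 Luhn check digit on the ICCID. The country-code and MCC/MNC tables are constructed for illustration; a real tool uses the full ITU E.164 and MCC/MNC allocation lists, and the fixed 7-digit IIN split is the E.118 maximum rather than a per-issuer boundary.

```python
"""Decode ICCID (ITU-T E.118) and IMSI (3GPP TS 23.003) into their fields."""

# Constructed lookup tables for this example only (not a complete allocation list).
ICCID_COUNTRY = {"1": "US/CA", "44": "GB", "49": "DE", "66": "TH"}
# MCC -> (country, MNC length). MNC length varies by country (2 or 3 digits).
MCC_TABLE = {"234": ("GB", 2), "262": ("DE", 2), "310": ("US", 3), "520": ("TH", 2)}


def luhn_valid(digits: str) -> bool:
    """Standard Luhn check over the whole string, last digit being the check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def decode_iccid(iccid: str) -> dict:
    """Split an ICCID into MII, country, issuer, account id and check digit."""
    iccid = iccid.replace(" ", "")
    if not iccid.isdigit() or len(iccid) not in (19, 20):
        raise ValueError("ICCID must be 19 or 20 digits")
    if iccid[:2] != "89":          # MII 89 = telecommunications industry
        raise ValueError("unexpected Major Industry Identifier")
    iin = iccid[:7]                # Issuer Identification Number (E.118 max 7 digits)
    country = "unknown"
    cc = ""
    for n in (3, 2, 1):            # longest-prefix match on the 1-3 digit country code
        if iin[2:2 + n] in ICCID_COUNTRY:
            cc = iin[2:2 + n]
            country = ICCID_COUNTRY[cc]
            break
    # Some 20-digit cards do not carry a Luhn digit, so treat the result as advisory.
    return {"mii": iin[:2], "country": country, "issuer": iin[2 + len(cc):],
            "account": iccid[7:-1], "check": iccid[-1], "luhn_ok": luhn_valid(iccid)}


def decode_imsi(imsi: str) -> dict:
    """Split an IMSI into MCC, MNC and MSIN using the MNC length for that MCC."""
    if not imsi.isdigit() or not 14 <= len(imsi) <= 15:
        raise ValueError("IMSI must be 14 or 15 digits")
    mcc = imsi[:3]
    if mcc not in MCC_TABLE:       # refuse to guess the MNC length for unknown MCCs
        raise ValueError(f"MCC {mcc} not in lookup table")
    country, mnc_len = MCC_TABLE[mcc]
    return {"mcc": mcc, "country": country, "mnc": imsi[3:3 + mnc_len],
            "msin": imsi[3 + mnc_len:]}
```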
Sim authentication Key
Used by SIM to identify itself
Specially designed so that the key cannot be compromised digitally
If the result of the SIM's algorithm matches the network's result, access is allowed
Dangers
Could delete call register entries if sim knows it has changed phone
CDMA Sim cards
Behaves like other CDMA handsets
But is not GSM standard
Cannot be read by XRY
SIM Card Reader
SIM cards can hold one or more phone numbers
When a message is deleted, it is flagged as not required- but is still available
(U) Sim cards can contain the following
Static network data
Dynamic network data
Phonebook
SMS messages
Call information
Phone number
Handsets
XRY has a guide of handsets it can examine
Can use the IMEI to identify a model
Examination
Can be logical or physical
Sim Cloning and Logical Extractions
Can use tools such as SIM Id cloner
Through cloning, can have the IMSI and the ICCID
May not have contacts and calls however
Why do it?
Most common scenarios
It isolates the phone from the network
Maintains call records on the handset
Less common
Handset with no SIM card
What can happen if the original SIM card is not cloned?
Could allow the phone to connect to the network
Could make changes to call registers
Handset may detect the change and alter the call register
Note: XRY can perform this with the SIM ID cloner tool
Handset extraction with the cloned SIM
SMS messages will be shown, however time stamps may not be all that reliable
Introducing Location Data
Often contained in the metadata of a XRY report
Can assist massively
But, it is not 100% accurate
Other areas including location data
Cell tower information
- Location calculated from distance to cell towers
Wireless Network Information
- Database that is pushed to the device
Apps location data
- Geotags in metadata (think Snapchat)
Cell site triangulation
Can use three towers to get location within around ¾ of a square mile from exact location
Better in densely populated urban areas
Wifi Router Information
Big location errors if the router is physically moved
BE CAREFUL! A message from Thailand could show up as someone being in Thailand!
Common challenges in Mobile Forensics
Bluetooth- can leave a footprint
SIMs may be locked- a SIM card can be permanently disabled after 10 incorrect attempts
Can sometimes use the service provider defaults, for example the PUK