2009-2010 Copyright TMD Computer Forensics, LLC. All rights reserved.
CELL PHONE FORENSICS

Cell phone forensics is the science of retrieving data from a cellular phone under forensically sound conditions. The same sound forensic principles that are used in computer forensics are used in examinations of cell phones. The exam of a cell phone can include data retrieval and examination of information stored on a "SIM/USIM" card. The phone itself may also have removable memory to supplement the data stored on the SIM (Subscriber Identity Module) card. The SIM or USIM card is akin to the hard disk contained in computers.

The SIM Card

The Subscriber Identity Module (SIM) in GSM and UMTS systems is the module that uniquely identifies the subscriber. It also holds other user-related information. The SIM therefore contains information of great value to the investigator. The SIM is only present in GSM system cell phones and contains the following data:


In practice, the stored text messages and dial numbers are the items of most value to the investigator. The usage of these storage areas varies with phone type. Most old phones use only the SIM for storage of such items. Modern phones, however, normally use a combination of SIM and internal memory for the storage of text messages and dial numbers. It is in general not predictable whether such items are stored on the SIM or in internal memory.
Many cell phones today combine greater capacity with cutting-edge technology and can also be equipped with cameras, video capabilities, Wi-Fi and Bluetooth technology. Wi-Fi, short for wireless fidelity, allows the phone to connect to the Internet through a wireless connection. With Bluetooth technology, the phone can also communicate directly with a computer, PDA or other mobile phone to sync and download information between devices. Should you have any further questions, please contact us at support@tmdcomputerforensics.com

The following contents of modern mobile phones can have value as evidence

CDMA PHONES

Since there is no universal standard for cell phone technology in the U.S. or Canada, your carrier uses either GSM or CDMA technology with its plans and phones. Some carriers use both technologies, but most use GSM or CDMA exclusively. The main difference for the user to be aware of is how data is stored on a CDMA phone as compared to a GSM (SIM card) phone. CDMA phones DO NOT contain a SIM. The data is stored on an EPROM chip inside the handset itself. This chip cannot be removed without damaging the phone. The CDMA technology and storage of data is considered "volatile", which simply means it can be overwritten quickly and the deleted user data may not be recoverable through forensic tools. In contrast, in GSM phones deleted data can in a majority of instances be recovered from the SIM card. It is not predictable whether deleted data stored on a CDMA phone's internal memory chip can be forensically recovered. Many factors affect this, such as: type of phone, technology of carrier and phone maker, amount of memory in phone, file system type, and user-initiated actions. Data that is already contained in the phone, and not deleted by the user, can in many instances be recovered by forensic tools, such as those used by TMD.
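The remark above that deleted data can often be recovered from a GSM SIM can be illustrated with the SIM's text message file. This is an added example, not TMD's tooling: it assumes the EF_SMS record layout of 3GPP TS 51.011 (176-byte records, one status byte followed by the service-centre address and message), that erased bytes read 0xFF, and a constructed three-record sample; only received messages in the 7-bit alphabet without a user data header are decoded.

```python
RECORD_LEN = 176  # EF_SMS record: 1 status byte + 175 bytes (SMSC address + TPDU)
IN_USE = {0x01: "received, read", 0x03: "received, unread",
          0x05: "sent", 0x07: "to be sent"}

def bcd_digits(raw, count):
    """Decode swapped-nibble BCD digits (low nibble first, 0xF is filler)."""
    return "".join(f"{b & 0x0F:x}{b >> 4:x}" for b in raw)[:count]

def unpack_septets(data, count):
    """Unpack GSM 7-bit text; chr() is only exact for letters, digits and space."""
    n = int.from_bytes(data, "little")
    return "".join(chr((n >> (7 * i)) & 0x7F) for i in range(count))

def parse_record(rec):
    if len(rec) != RECORD_LEN:
        raise ValueError("EF_SMS records are 176 bytes")
    status, body = rec[0], rec[1:]
    free = (status & 0x01) == 0              # low bit clear: slot marked free
    out = {"state": "free" if free else IN_USE.get(status & 0x07, "unknown"),
           "residual": free and any(b != 0xFF for b in body),
           "sender": None, "text": None}
    if all(b == 0xFF for b in body):
        return out                           # never written, or fully wiped
    try:
        tpdu = body[1 + body[0]:]            # skip the service-centre address
        if (tpdu[0] & 0x03) == 0:            # SMS-DELIVER only in this example
            ndigits = tpdu[1]
            pos = 3 + (ndigits + 1) // 2     # offset of TP-PID
            out["sender"] = bcd_digits(tpdu[3:pos], ndigits)
            dcs, udl = tpdu[pos + 1], tpdu[pos + 9]  # after PID, DCS, 7-byte time
            if dcs == 0x00:                  # GSM 7-bit default alphabet
                ud = tpdu[pos + 10:pos + 10 + (udl * 7 + 7) // 8]
                out["text"] = unpack_septets(ud, udl)
    except IndexError:
        pass                                 # partially overwritten remnant
    return out

def scan(image):
    """Parse every record of a raw EF_SMS dump."""
    return [parse_record(image[i:i + RECORD_LEN])
            for i in range(0, len(image), RECORD_LEN)]

# Constructed sample: "hellohello" from 15550100002, stored once as a read
# message and once in a slot marked free; the third slot is empty.
_PDU = bytes.fromhex("07915155100000F1" "04" "0B915155100000F2" "0000"
                     "90605101030000" "0A" "E8329BFD4697D9EC37")
_BODY = _PDU.ljust(RECORD_LEN - 1, b"\xff")
SAMPLE = b"\x01" + _BODY + b"\x00" + _BODY + b"\x00" + b"\xff" * 175

if __name__ == "__main__":
    for n, r in enumerate(scan(SAMPLE), 1):
        print(n, r)
```

The second record is the case of interest: its status byte says the slot is free, yet the sender and text are still readable because only the status byte was changed.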

Phone Internal Memory

Most modern phones utilize on-board flash memory for storage of information items. From being relatively small and unimportant only a few years ago, the internal memory has today become the most important source of digital evidence in mobile phones, since this is where most phones store the majority of information items.

        
Of all the above, it is also possible to retrieve deleted items. The storage time for deleted items may, however, vary, since the amount of available memory varies greatly from phone to phone. Experience shows, however, that in most cases it is possible to recover a large number of items that have been deleted by the user before the phone was seized and examined.

Flash Memory Cards

Many modern phones and PDAs also include a flash memory card for extending the storage capacity of the phone. The purpose of such cards is to extend the storage capacity for items such as MMS messages, pictures, MP3 music, sounds and other files that may be stored on the phone. From the phone operating system, the card is normally accessed as a file system where the user may move items. It is therefore clear that such cards may contain items of value to the investigator. It is, however, not possible in most cases for the user to use the flash cards for phone system items such as phone numbers, text messages, dialling lists, location information and such. These items are normally stored in the SIM or in phone internal memory without any possibility to copy them to the flash card.

PDA FORENSICS

Personal Digital Assistants (PDAs) are commonplace in today's society. Many individuals use them for both personal and professional purposes. PDAs vary in design and are continually undergoing change as existing technologies improve and new technologies are introduced. Most PDAs have comparable features and capabilities. They house a microprocessor, read-only memory (ROM), random access memory (RAM), and a variety of hardware keys, LCD displays and more.

The operating systems (OS) include Palm, Windows CE and RIM/BlackBerry, to name a few. The latest PDAs also contain built-in CompactFlash (CF) and combination Secure Digital (SD) and MultiMedia Card (MMC) slots that support memory and wireless communications. PDAs also have Internet access, and many have built-in Wi-Fi and Bluetooth wireless technology. TMD can perform forensic examinations on many different makes and models of PDAs.

Potential information and data that can be found on PDAs include some of the following:

All of the above would also include any information that the user chose to delete or erase. Should you have any questions or require further information, please contact us at support@tmdcomputerforensics.com.