High-profile example of mobile evidence in terrorism
2010 Times Square bombing attempt – Verizon call logs + GPS proved the suspect bought the vehicle.
Why are mobile phones central to criminal investigations?
Involved in almost all levels of criminal activity.
Standard practice to seize and examine a suspect’s phone even if they are only questioned, not charged
What does UE stand for in 5G?
User Equipment (the phone itself)
What is the role of gNodeB in 5G?
Part of RAN (Radio Access Network).
5G base station that handles radio communication, scheduling, and connects UE to the core network.
Has base station ID and GPS coordinates (either statically or dynamically established)
5G Core Network Functions - AMF
Access & Mobility Management - manages device registration, connection, authentication, and mobility w/in network
5G Core Network Functions - SMF
Session Management Function - session management, allocates IP addresses, selects UPF and controls QoS for data flow
5G Core Network Functions - PCF
Policy Control Function - provides policy rules (e.g., QoS, charging) for SMF and other functions to enforce
What do UDM do in 5G?
Unified Data Management - Stores and manages subscriber data, user identities and authentication credentials
What do AUSF do in 5G?
Authentication Server Function - Performs authentication of UE
What do UPF do in 5G?
User Plane Function - forwards user data traffic, enforces policies, and interacts with external data network
What is a “cell” in cellular networks?
Area covered by more than 3 base stations.
Each base station transmits on 3 frequency channels.
Frequencies are never reused in adjacent cells to avoid interference.
Difference between Soft Hand-Over and Hard Hand-Over?
Soft: Phone connects to new base station before releasing the old one
Hard: Old connection is dropped before new one is established
What is IMEI and its format?
International Mobile Equipment ID – uniquely identifies mobile device
Format: WW-XXXXXX-YYYYYY-Z
WW=TAC Reporting Body
XXXXXX=TAC Model
YYYYYY=Serial
Z=Check digit
Legal note about changing IMEI in the UK?
Tampering with IMEI is illegal under the Mobile Telephones (Re-programming) Act 2002 – up to 3 years in prison
How many IMEIs does a dual SIM phone have
2
What is IMSI and its format?
International Mobile Subscriber Identity – internationally unique number stored in the SIM card that identifies a user on a network
Format: MCC (3 digits) + MNC (2-3 digits) + subscriber number
What is ICCID?
Integrated Circuit Card Identifier - Identifies the physical SIM card itself
How does SIM card cloning work?
Attacker copies IMSI + Ki (authentication key) + ICCID onto another card.
Attacker can then make/receive calls, read SMS (incl. OTPs), use data plan, commit fraud
What memory types are in a SIM card?
EEPROM (Electronically Erasable Programmable ROM) : Writable hierarchical file system
ROM: OS, authentication, and encryption algorithms
What is a SIM card?
smart card with processor + memory
SIM Card - File System Structure
MF (Master File) – root
DF (Dedicated Files) – directories
EF (Elementary Files) – actual data
Key Elementary Files (EFs) on a SIM card for forensics (8)
EF_ICCID
EF_IMSI
EF_Ki (ciphering key)
EF_LOCI (last known location - very important)
EF_ADN (phone book)
EF_SMS (text messages)
EF_LND (last numbers dialled)
EF_MSISDN (subscriber phone number)
Preferred order of data extraction?
Physical image > Logical extraction
What is ADB and what does it require?
Android Debug Bridge – command-line tool allows the device to receive instructions, from a computer, via a USB cable
Requires USB debugging
-
Week 1 - Intro35
-
Week 2 - Digital Forensics Process27
-
Week 3 - Disk and Filesystem Forensics57
-
Week 4 - Data Encoding and Basic File Forensics20
-
Week 5 - Documents, Emails and Image Forensic32
-
Week 6 - OS and Memory Forensics35
-
Week 7 - Network Forensics36
-
Week 8 - Mobile Forensics35
-
Week 9 - Case Studies, Challenges and Legal Aspects5
