The analysis of mobile devices is a fast-moving area in digital forensics. Investigators are frequently challenged by devices that are not supported by existing mobile forensic tools. Low-level techniques such as de-soldering the flash memory chip and extracting its data provide an investigator with the exhibit's internal memory. However, interpreting the data can be difficult, because mobile device and flash chip manufacturers use their own proprietary techniques to encode and store data. The approach presented in this paper helps investigators analyze this proprietary encoding by feeding a reference device, identical to the exhibit, with real data in a controlled way. This "artificial ageing" of the reference device is achieved using an isolated GSM/GPRS network plus additional software in a lab environment. After the ageing process is completed, the internal memory of the reference device can be acquired and used to reverse engineer the high-level file system and the encoding of the data previously fed to the phone, such as received SMS messages or calls. When sufficient knowledge about the interpretation of the memory image has been built up, it can be applied to the original evidence in order to analyze data and files relevant to the case. The successful operation of the solution is demonstrated in a proof of concept for SMS messages.
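The step of locating previously fed SMS texts in the acquired reference image can be sketched as a known-plaintext search, shown here as an added example that is not code from the paper. The marker texts, the sample image and the list of candidate encodings are assumptions made for illustration; the paper's abstract does not name the encoding the phone uses.

```python
# Added example, not from the paper: find known "ageing" SMS texts in a raw dump.
def gsm7_pack(text):
    """Pack septets into octets as SMS PDUs do (3GPP TS 23.038 default alphabet)."""
    # Restricted to letters, digits and space, where GSM code points equal ASCII.
    if not all(c.isascii() and (c.isalnum() or c == " ") for c in text):
        raise ValueError("character outside the ASCII-compatible GSM subset")
    acc = bits = 0
    out = bytearray()
    for ch in text:
        acc |= ord(ch) << bits      # append 7 new bits above the leftover bits
        bits += 7
        while bits >= 8:            # emit every completed octet
            out.append(acc & 0xFF)
            acc >>= 8
            bits -= 8
    if bits:
        out.append(acc)             # final partial octet, zero padded
    return bytes(out)

# Candidate encodings to try (assumption: the exhibit's encoding is unknown).
ENCODERS = {
    "ascii": lambda t: t.encode("ascii"),
    "ucs2-be": lambda t: t.encode("utf-16-be"),
    "ucs2-le": lambda t: t.encode("utf-16-le"),
    "gsm7-packed": gsm7_pack,
}

def locate(image, markers):
    """Return {marker: [(encoding, offset), ...]} for every hit in the image."""
    hits = {}
    for m in markers:
        found = []
        for name, enc in ENCODERS.items():
            needle, pos = enc(m), 0
            while (pos := image.find(needle, pos)) != -1:
                found.append((name, pos))
                pos += 1
        hits[m] = found
    return hits

def build_sample_image():
    """Constructed stand-in for a dump: 0xFF filler (erased flash) plus two messages."""
    img = bytearray(b"\xff" * 4096)
    img[0x200:0x200 + 7] = gsm7_pack("AGEING01")   # 8 septets pack into 7 octets
    rec = "AGEING02".encode("utf-16-be")
    img[0x800:0x800 + len(rec)] = rec
    return bytes(img)

if __name__ == "__main__":
    print(locate(build_sample_image(), ["AGEING01", "AGEING02"]))
```

A marker that is found under no candidate encoding points to a proprietary transformation, compression or a record split across flash pages, which is where unique, high-entropy marker texts and repeated ageing runs help narrow the search.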