Mobile Devices
This exercise will provide you with a report containing the contents of an iPhone 3GS as acquired using Cellebrite Physical Analyzer software. This is the same type of report that a forensic examiner would supply to an investigator, prosecutor, opposing counsel, or other involved party.
The scenario of this exercise is as follows. An iPhone 3GS was found at a crime scene. Investigators have no idea at all as to who the owner is. The phone was dusted for fingerprints and no usable prints were recovered; no usable DNA was recovered from the phone, either.
Discarded property is one of the exceptions to the requirement of a search warrant. Under that principle, a search was initiated. The technician in the crime lab performed a physical acquisition of the phone using Cellebrite Physical Analyzer software, producing a UFDR file, which is a data extraction file that can be read by UFED Reader software.
The source of these files is NIST's Computer Forensic Reference Data Sets (CFReDS) Web site (http://www.cfreds.nist.gov/), specifically the Mobile Device Images page (http://www.cfreds.nist.gov/mobile/index.html).
In this exercise, you will:
1. Examine a report from the physical acquisition of a mobile device.
Preparation
|
Step |
Action |
|
1 |
Locate the UFEDReader.exe file in the Resources folder of this exercise. |
|
2 |
Locate the iPhone3GS_report.ufdr file in the Resources folder of this exercise. For other report formats, go to http://www.cfreds.nist.gov/mobile/cellebrite/index.htm and select an HTML, PDF, or XML version of the iPhone 3GS Physical Acquisition. You can also find different phone images from other types of phones on that page, as well. |
Examining Smartphone Data
|
Step |
Action |
|
1 |
Your task is to examine the data from the iPhone and try to determine who owns the phone, the service provider, roughly where (geographically) this phone has been used, the kinds of Web sites that the phone has visited, names of contacts, contents of e-mail and SMS messages, and any other information you find that might be of interest. For purposes of this exercise, you should feel free to look at any and all files that you want. |
|
2 |
Start the UFED Reader program. Open the UFDR file by clicking on File, Open and selecting the name of the dump file. It may take a few minutes to process the file. NOTE the information shown on the Extraction Summary page. |
|
3 |
You can double-click any of the entries in the leftmost pane, labeled Project Tree. In fact, you can navigate around the leftmost pane just as you would Windows Explorer. As an example, if you clicked on Emails, you should see this screen:
|
|
4 |
Continue looking at the various items of information on the phone. One particular items of interest will be images. Note that there are 2,969 images on the phone; this is a lot to slog through.
|
|
5 |
Rather than look at thousands of images, the Reader software provides a way to filter the output. Note the buttons at the top of the right pane with the images:
To test this, click (in this order), the M, funnel, and J buttons, which will display only JPEG files greater than 100 KB in size. This reduces the number of images to a manageable number. Of course, you also need to determine whether such filtering is proper and correct for your examination and analysis. |
|
6 |
For further information about Reader, look at the UFED Reader Manual by clicking on the Help, Manual pulldown menu. |
