Mobile Device Forensics
Sean Houston Rickard
University of North Carolina at Charlotte
ITIS 5250-001
Computer Forensics
Table of Contents
Abstract
Chapter 1: Introduction
The Purpose
Chapter 2: Mobile Device Technology
Current Technology
Figure 1: Hardware Characterization
Figure 2: Android and iOS comparison
Chapter 3: Mobile Device Forensics
Computer Forensic Tool Testing
Requirements for Core Features
Requirements for Optional Features
Chapter 4: Comparison of UFED 4PC Ultimate and Lantern 4
Cellebrite UFED 4PC
Figure 3: UFED 4PC User Interface
Lantern 4
Figure 5: Lantern 4 User Interface
Chapter 5: Conclusion
References
Definition of Terms
Abstract
As with any business or organization, law enforcement agencies work on a limited budget
which must be spread between multiple departments and priorities. With a limited budget,
agencies are limited as to what software and tools they may purchase and often must weigh the
capabilities of a specific tool against its cost. This research paper will attempt to look at the
capabilities of mobile forensic software and compare them to the overall cost to determine which
software is better. With the ever-increasing availability and rapid evolution of mobile devices,
there are a number of mobile device forensic software products on the market today. This research paper
will provide a simplistic look at mobile device technology, types of forensic analysis to be
performed on mobile devices, and lastly compare two mobile forensic software products.
Chapter 1: Introduction
In today’s society, mobile devices have become a major part of everyday life.
Approximately “90% of American adults have a cell phone, 58% of American adults have a
smartphone, 32% of American adults have an e-reader, and 42% of American adults have a
tablet computer” (Pew Research Center, 2014). On almost a daily basis we see technology
evolve and more mobile devices become available to the public. With increases in technology
also came crime. Mobile devices can be used in a number of different ways to facilitate and
commit crime. While there is no real way to track the number of crimes involving mobile
devices, in my experience, I believe it can easily be said that well over 80% of crime involves
some use of a mobile device. With mobile devices being utilized in some fashion during a large
portion of criminal activity, there is a lot of evidence which can be obtained and utilized for a
criminal investigation. The need to obtain this evidence has led many organizations to develop
software which is available for purchase. Today there is a wide variety of mobile device software
available, each providing its own specific platform, capabilities, and cost. Law enforcement
agencies across the US are limited due to budget constraints. In 2007, the average annual
operating budget per agency for all sheriff’s offices in the US was $9,962,000 (Sheriffs' Office,
2007 - Statistical Tables, 2012). Each agency must prioritize its budget, leaving minimal
operating cost to expand to new tools and software. As law enforcement agencies modernize and
expand to combat crime utilizing technology, inevitably they are faced with the decision of what tool
or software to purchase given the budget and the tool or software’s capabilities. The Cabarrus
County Sheriff’s Office is currently operating Cellebrite UFED 4PC Ultimate and Lantern 4 for
mobile device forensics.
The Purpose
The purpose of this study is to determine which software provides the best capabilities for
the cost to Cabarrus County Sheriff’s Office. It is my hypothesis that due to each software’s own
capabilities and cost to the agency that neither are ultimately better than the other but provide
specific needs in specific situations. The only limitation I had for this research was access to the
forensic software. Due to time constraints, schedules, and available forensic tools my access was
limited to two (2) forensic tools over a period of 2 days. This research paper will provide a
simplistic look at mobile device technology, types of forensic analysis to be performed on
mobile devices, and lastly compare Cellebrite UFED 4PC Ultimate and Lantern 4.
Chapter 2: Mobile Device Technology
While there are many different mobile devices on the market (cell phones, smart phones,
tablet computers, e-readers, mp3 players, etc.), the most common and the first was the cell
phone. Cell phones evolved from radio technology which was developed in the early 1900s. The
first documented wireless telephone use was in 1946 by the Swedish Police (Tech-FAQ, n.d.). In
1947, Bell Laboratory proposed the idea of hexagonal cells for modern phones and in 1970 the
call handoff system was developed. With the assistance of AT&T the FCC approved and
allocated the frequencies of 824-894 MHZ Band to Advanced Mobile Phone Service (AMPS)
(Tech-FAQ, n.d.). According to Tech-FAQ (n.d.), in 1983 Motorola unveiled the first truly
portable cellular phone, the DynaTAC 8000X. Since then cell phone technology has grown by
leaps and bounds. Today cell phones have advanced from being a simple radio to essentially a
small computer with a radio.
Current Technology
Devices today, while very different in function, capabilities, and appearance, are
composed of the same components: a microprocessor, read only memory (ROM), random access
memory (RAM), a radio module, a digital signal processor, a microphone and speaker, a variety
of hardware keys and interfaces, and a liquid crystal display (LCD). Cell phones can also support
external memory through Secure Digital (SD) memory, and other wireless communication such
as infrared, Bluetooth, Near Field Connection (NFC), and WiFi. Depending on its capabilities,
a phone can be classified as either a feature phone or a smartphone. Feature phones are cell
phones that perform minimal tasks and do not have the features of a smartphone. The Guidelines
on Mobile Device Forensics (Ayers, Brothers, & Jansen, 2014) presented the following table to
demonstrate hardware characterization between feature phones and smartphones:
Figure 1: Hardware Characterization
Mobile device memory, like that of any other computer, contains both non-volatile and volatile memory.
Non-volatile memory, as the name suggests, does not change when the device loses power and is not
overwritten during reboot. Volatile memory, or Random Access Memory (RAM), on the other
hand is lost when the power is drained from the phone, making it difficult to accurately capture.
Mobile device memory has evolved with technology. According to Guidelines on Mobile Device
Forensics (Ayers, Brothers, & Jansen, 2014):
Feature phones were among the first types of devices that contained NOR flash and RAM
memory. System and user data are stored in NOR and copied to RAM upon booting for faster
code execution and access. This is known as the first generation of mobile device memory
configuration. As smartphones were introduced, memory configurations evolved, adding NAND
flash memory. This arrangement of NOR, NAND and RAM memory is referred to as the second
generation. This generation of memory configurations stores system files in NOR flash, user files
in NAND and RAM is used for code execution. The latest smartphones contain only NAND and
RAM memory (i.e., third generation), due to requirements for higher transaction speed, greater
storage density and lower cost. To facilitate the lack of space on mobile device mainboards and
the demand for higher density storage space (i.e., 2GB – 128GB) the new Embedded MultiMedia
Cards (eMMC) style chips are present in many of today’s smartphones. NOR flash memory
includes system data such as: operating system code, the kernel, device drivers, system libraries,
memory for executing operating system applications and the storage of user application
execution instructions. NOR flash will be the best location for data collection for first generation
memory configuration devices. NAND flash memory contains: PIM data, graphics, audio, video,
and other user files. This type of memory generally provides the examiner with the most useful
information in most cases. (p. 6)
Phones may also contain a Subscriber Identity Module (SIM) card. The SIM card’s
purpose is to authenticate the mobile phone device to a given network. The SIM card is a smart
card that contains a processor and persistent electronically erasable, programmable read only
memory (EEPROM). The EEPROM contains RAM for program execution and ROM containing
the operating system, user authentication and data encryption algorithms. Personal information,
phonebook entries, text messages, the last numbers dialed, and service information may also be
in the EEPROM (Ayers, Brothers, & Jansen, 2014). Another major part of a phone that needs to
be considered is the operating system. There have been many different operating systems through
the years such as Blackberry, Windows CE, Symbian, Android, and Apple iOS. In recent years
the leading operating systems have been Android and Apple iOS. According to IDC Corporate
USA (n.d.): Android shipments lead the global smartphone market, with 283 million units
shipped and over 84% of the market share in the third quarter of 2014 and iOS continues to drop
in market share, down to just 11.7% from 12.8% in the same quarter last year, representing the
growing shift of demand toward low-cost smartphones. The Android and iOS operating systems
provide a wide variety of capabilities. Below is a graph I located on Diffen (n.d.) which
compares Android and iOS:
Figure 2: Android and iOS comparison
The last major part of a phone is its ability to download and install applications (apps). The Android
and iOS operating systems both have this capability with millions of apps available to each. Apps
can be made by anyone with the right knowledge and can be made to perform any number of
tasks such as playing a game, messaging, phone calls, internet browsing, etc. The possibilities for
apps are endless. When an app is downloaded and installed on a mobile device it creates a folder
to contain information from that app. All the data saved on the phone is accessible through
mobile device forensics depending on the type of analysis which is completed.
Chapter 3: Mobile Device Forensics
According to Ayers, Brothers, and Jansen (2014), “Mobile device forensics is the science of
recovering digital evidence from a mobile device under forensically sound conditions using
accepted methods.” A forensic analysis of a mobile device can be conducted by hand
or through the use of one of the many software tools available. The job of a forensic tool is to acquire
data from the internal memory and SIM card without altering their content. To begin an analysis
of a mobile device you must first determine what type of analysis you want to complete. There
are 5 types of mobile device analysis: manual extraction, logical extraction, hex dumping/JTAG,
chip-off, and micro read (Ayers, Brothers, & Jansen, 2014). Predominantly, only manual
extraction, logical extraction, and hex dumping/JTAG are performed by law enforcement forensic
examiners. Chip-off and micro read examinations are intensely involved and require a great deal
of knowledge, training, and specialized equipment to perform. The following excerpt is from the
Guidelines on Mobile Device Forensics (Ayers, Brothers, & Jansen, 2014) which gives a
detailed description of each:
Manual Extraction – A manual extraction method involves viewing the data content
stored on a mobile device. The content displayed on the LCD screen requires the manual
manipulation of the buttons, keyboard or touchscreen to view the contents of the mobile
device. Information discovered may be recorded using an external digital camera. At this
level, it is impossible to recover deleted information. Some tools have been developed to
provide the forensic examiner with the ability to document and categorize the information
recorded more quickly. Nevertheless, if there is a large amount of data to be captured, a
manual extraction can be very time consuming and the data on the device may be
inadvertently modified, deleted or overwritten as a result of the examination. Manual
extractions become increasingly difficult and perhaps unachievable when encountering a
broken/missing LCD screen or a damaged/missing keyboard interface. Additional
challenges occur when the device is configured to display a language unknown to the
investigator; this may cause difficulty in successful menu navigation.
Logical Extraction – Connectivity between a mobile device and the forensics workstation
is achieved with a connection using either a wired (e.g., USB or RS-232) or wireless
(e.g., IrDA, WiFi, or Bluetooth) connection. The examiner should be aware of the issues
associated when selecting a specific connectivity method, as different connection types
and associated protocols may result in data being modified (e.g., unread SMS) or
different amounts or types of data being extracted. Logical extraction tools begin by
sending a series of commands over the established interface from the computer to the
mobile device. The mobile device responds based upon the command request. The
response (mobile device data) is sent back to the workstation and presented to the
forensics examiner for reporting purposes.
Hex Dumping and JTAG – Hex Dumping and Joint Test Action Group (JTAG)
extraction methods afford the forensic examiner more direct access to the raw
information stored in flash memory. One challenge with
these extraction methods is the ability of a given tool to parse and decode the captured
data. Providing the forensic examiner with a logical view of the file system, and reporting
on other data remnants outside the file system that may be present are challenging. For
example, all data contained within a given flash memory chip may not be acquired, as
many tools, such as flasher boxes, may only be able to extract specific sections of
memory [Bre07]. Methods used at this level require connectivity (e.g., cable or WiFi)
between the mobile device and the forensic workstation. Hex Dumping – this technique is
the more commonly used method by tools at this level. This involves uploading a
modified boot loader (or other software) into a protected area of memory (e.g., RAM) on
the device. This upload process is accomplished by connecting the mobile device’s data
port to a flasher box and the flasher box is in turn connected to the forensic workstation.
A series of commands is sent from the flasher box to the mobile device to place it in a
diagnostic mode. Once in diagnostic mode, the flasher box captures all (or sections) of
flash memory and sends it to the forensic workstation over the same communications link
used for the upload. Some flasher boxes work this way or they may use a proprietary
interface for memory extractions. Rare cases exist where extractions can be accomplished
using WiFi (i.e., early Jonathan Zdziarski (JZ) Methods) [Zdz12].
JTAG – Many manufacturers support the JTAG standard, which defines a common test
interface for processor, memory, and other semiconductor chips. Forensic examiners can
communicate with a JTAG-compliant component by utilizing special purpose standalone
programmer devices to probe defined test points [Wil05]. The JTAG testing unit can be
used to request memory addresses from the JTAG-compliant component and accept the
response for storage and rendition [Bre06]. JTAG gives specialists another avenue for
imaging devices that are locked or devices that may have minor damage and cannot be
properly interfaced otherwise. This method involves attaching a cable (or wiring harness)
from a workstation to the mobile device’s JTAG interface and access memory via the
device’s microprocessor to produce an image [Bre07]. JTAG extractions differ mainly
from Hex Dumping in that it is invasive as access to the connections frequently require
that the examiner dismantle some (or most) of a mobile device to obtain access to
establish the wiring connections.
o Flasher boxes are small devices originally designed with the intent to service or
upgrade mobile devices. Physical acquisitions frequently require the use of a
flasher box to facilitate the extraction of data from a mobile device. The flasher
box aides the examiner by communicating with the mobile device using
diagnostic protocols to communicate with the memory chip. This communication
may utilize the mobile device’s operating system or may bypass it altogether and
communicate directly to the chip [Jon10]. Flasher boxes are often accompanied
by software to facilitate the data extraction process working in conjunction with
the hardware. Many flasher box software packages provide the added
functionality of recovering passwords from mobile device memory as well in
some configurations. (p.17-18)
In most situations, the type of investigation, the type of phone, and the type of tool available
determine what type of analysis is completed. Ultimately, what information is the investigator
looking to gain from the analysis and which acquisition method would obtain that information?
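The excerpt above names parsing and decoding the captured data as the hard part of hex dumping and JTAG work. As an added example (not from this paper, NIST, or any vendor tool), the Python below carves SQLite databases out of a raw image by validating the 100-byte file header and reading the database size from it. The dump layout, the sms table, the phone number and all function names are constructed for illustration.

```python
import os
import sqlite3
import struct
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite database file


def parse_sqlite_header(dump, off):
    """Validate a 100-byte SQLite header at `off`; return (page_size, page_count) or None."""
    hdr = dump[off:off + 100]
    if len(hdr) < 100 or not hdr.startswith(SQLITE_MAGIC):
        return None
    (page_size,) = struct.unpack(">H", hdr[16:18])
    page_size = 65536 if page_size == 1 else page_size
    if page_size < 512 or page_size & (page_size - 1):
        return None  # not a power of two in 512..65536: a stray string, not a header
    change_counter, page_count = struct.unpack(">II", hdr[24:32])
    (version_valid_for,) = struct.unpack(">I", hdr[92:96])
    # The in-header size is only trustworthy when it is non-zero and the
    # change counter matches the version-valid-for field.
    if page_count == 0 or change_counter != version_valid_for:
        page_count = None
    return page_size, page_count


def carve_sqlite(dump):
    """Scan a raw image for SQLite headers and report each candidate's extent."""
    findings = []
    pos = dump.find(SQLITE_MAGIC)
    while pos != -1:
        parsed = parse_sqlite_header(dump, pos)
        if parsed is None:
            findings.append({"offset": pos, "status": "rejected", "data": b""})
        else:
            page_size, page_count = parsed
            if page_count is None:
                status, data = "size-unknown", b""
            else:
                end = pos + page_size * page_count
                # A database that runs past the end of the image was only partly captured.
                status = "complete" if end <= len(dump) else "truncated"
                data = dump[pos:end]
            findings.append({"offset": pos, "status": status, "data": data})
        pos = dump.find(SQLITE_MAGIC, pos + 1)
    return findings


def build_constructed_db():
    """Create a small real SQLite file (constructed sample data) and return its bytes."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sms.db")
        con = sqlite3.connect(path)
        con.execute("CREATE TABLE sms (address TEXT, body TEXT)")
        con.execute("INSERT INTO sms VALUES ('+15550100', 'constructed test message')")
        con.commit()
        con.close()
        with open(path, "rb") as fh:
            return fh.read()


def build_constructed_dump(db):
    """Constructed image: erased (0xFF) blocks, one whole DB, a stray magic, a cut-off DB."""
    erased = b"\xff" * 4096
    stray = SQLITE_MAGIC + b"\x03\xe8" + b"\x00" * 82  # page size 1000 is invalid
    return erased + db + erased + stray + erased + db[: len(db) // 2]


def read_sms(db_bytes):
    """Open carved bytes from a temporary copy and return the rows of the sms table."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "carved.db")
        with open(path, "wb") as fh:
            fh.write(db_bytes)
        con = sqlite3.connect(path)
        try:
            return con.execute("SELECT address, body FROM sms").fetchall()
        finally:
            con.close()


if __name__ == "__main__":
    db = build_constructed_db()
    for f in carve_sqlite(build_constructed_dump(db)):
        print(f["offset"], f["status"], len(f["data"]))
    print(read_sms(carve_sqlite(build_constructed_dump(db))[0]["data"]))
```

Only the "complete" finding can be reopened as a database; "truncated" and "size-unknown" candidates are remnants that need record-level recovery rather than a file copy.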
Computer Forensic Tool Testing
In order to maintain reliability and consistency among mobile device forensic tools, the
National Institute of Standards and Technology’s (NIST) Computer Forensic Tool Testing
(CFTT) program routinely tests new computer forensic software tools. The CFTT program has
developed six (6) core feature requirements and fifteen (15) optional feature requirements against which
it then tests each new software tool. The Smart Phone Tool Specification (National Institute
of Standards and Technology, 2010) lists the requirements as follows:
Requirements for Core Features
1. A cellular forensic tool shall have the ability to recognize supported devices via the
vendor-supported interfaces (e.g., cable, Bluetooth, Infrared)
2. A cellular forensic tool shall have the ability to identify non-supported devices
3. A cellular forensic tool shall have the ability to notify the user of connectivity errors
between the device and application during acquisition.
4. A cellular forensic tool shall have the ability to provide the user with either a preview
pane or generated report view of data acquired.
5. A cellular forensic tool shall have the ability to logically acquire all application supported
data objects present in internal memory.
6. A cellular forensic tool shall have the ability to logically acquire supported data objects
without changing the data objects present on the device.
Requirements for Optional Features
1. A cellular forensic tool shall have the ability to recognize supported SIMs via the vendor
supported interface (e.g., PC/SC reader, proprietary reader, internal).
2. A cellular forensic tool shall have the ability to identify non-supported SIMs.
3. A cellular forensic tool shall have the ability to notify the user of connectivity errors
between the SIM reader and application during acquisition.
4. A cellular forensic tool shall have the ability to acquire all application-supported data
objects present in the SIM memory.
5. A cellular forensic tool shall have the ability to provide a presentation of acquired data in
a human-readable format via a generated report.
6. A cellular forensic tool shall have the ability to provide a presentation of acquired data in
a human-readable format via a preview pane view.
7. A cellular forensic tool shall have the ability to provide the user with the opportunity to
unlock a password protected SIM before external reader SIM acquisition.
8. A cellular forensic tool shall have the ability to protect previously acquired data objects
within a saved case file from modification.
9. A cellular forensic tool shall have the ability to perform a physical acquisition of the
device’s internal memory for supported devices.
10. A cellular forensic tool shall have the ability to present data objects containing non-
ASCII characters acquired from the internal memory of the device or SIM via the
selected interface (i.e., preview pane, generated report). Non-ASCII characters shall be
printed in their native representation.
11. A cellular forensic tool shall have the ability to present the remaining number of
CHV1/CHV2 PIN unlock attempts.
12. A cellular forensic tool shall have the ability to present the remaining number of PUK
unlock attempts.
13. A cellular forensic tool shall have the ability to acquire internal memory data without
14. A cellular forensic tool shall have the ability to compute a hash for individual data
objects.
15. A cellular forensic tool shall have the ability to acquire GPS related data present in the
internal memory. (p.6-8)
The results of each test completed by CFTT on a mobile device forensic software tool are then
added to its website database (http://www.cftt.nist.gov/mobile_devices.htm) for review. This
information is very important to law enforcement agencies because it very quickly shows
what the capabilities and limitations of the software are.
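Core requirement 6 and optional requirements 8 and 14 above all rest on hashing individual data objects. The following added example (not CFTT's or any vendor's code) records a SHA-256 manifest at acquisition and compares a later read of the device against it, using constructed records in which an SMS flips from unread to read, the kind of change the logical extraction excerpt warns about. The manifest layout and function names are assumptions.

```python
import hashlib
import json


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def seal_of(entries):
    """Digest over the canonical JSON of all entries, so edits to the manifest itself show up.

    This is a plain hash, not a signature: record it outside the case file
    (for example in the examiner's notes) or an editor could simply recompute it.
    """
    canonical = json.dumps(entries, sort_keys=True, separators=(",", ":"))
    return sha256_hex(canonical.encode("utf-8"))


def build_manifest(objects):
    """objects maps a data object name to its acquired bytes."""
    entries = {name: {"sha256": sha256_hex(data), "size": len(data)}
               for name, data in objects.items()}
    return {"objects": entries, "seal": seal_of(entries)}


def verify(manifest, objects):
    """Compare a later read of the data objects against the acquisition manifest."""
    entries = manifest["objects"]
    report = {
        "manifest_intact": seal_of(entries) == manifest["seal"],
        "modified": sorted(n for n in entries
                           if n in objects and sha256_hex(objects[n]) != entries[n]["sha256"]),
        "missing": sorted(n for n in entries if n not in objects),
        "unexpected": sorted(n for n in objects if n not in entries),
    }
    report["ok"] = report["manifest_intact"] and not (
        report["modified"] or report["missing"] or report["unexpected"])
    return report


# Constructed sample records standing in for logically acquired data objects.
FIRST_ACQUISITION = {
    "sms/0001": b'{"from": "+15550100", "body": "constructed message", "status": "unread"}',
    "contacts/0001": b'{"name": "Constructed Contact", "number": "+15550101"}',
    "call_log/0001": b'{"number": "+15550101", "direction": "outgoing", "seconds": 42}',
}

# A second read after the device was handled: the SMS is now marked read,
# a call log entry is gone, and a new message has arrived.
SECOND_ACQUISITION = dict(FIRST_ACQUISITION)
SECOND_ACQUISITION["sms/0001"] = FIRST_ACQUISITION["sms/0001"].replace(b"unread", b"read")
del SECOND_ACQUISITION["call_log/0001"]
SECOND_ACQUISITION["sms/0002"] = b'{"from": "+15550102", "body": "constructed", "status": "unread"}'

if __name__ == "__main__":
    manifest = build_manifest(FIRST_ACQUISITION)
    print(verify(manifest, FIRST_ACQUISITION))
    print(verify(manifest, SECOND_ACQUISITION))
```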
Chapter 4: Comparison of UFED 4PC Ultimate and Lantern 4
As stated earlier, the Cabarrus County Sheriff’s Office currently utilizes both UFED
4PC by Cellebrite and Lantern 4 by Katana. Detective Brian Schmitt is the primary computer and
mobile device forensic examiner for the department. In an interview on November 26, 2014,
Det. Schmitt stated, “I utilized both software on a regular basis and choose which software to use
depending on the type of phone I am going to examine. Both software are similar in what they will
recover, however each have their own pros and cons. Cellebrite is limited to only the devices it
says it can run whereas Lantern will run almost any Android device and all iOS devices.
Although Lantern may run a device that Cellebrite will not, sometimes the information that
Lantern does recover is limited. Cellebrite says it is the leader in iOS forensics; however,
Lantern will run way more because it is run and developed specifically for iOS devices.” Det.
Schmitt went on to show me a specific phone which he examined in Lantern that would not work
on Cellebrite. The analysis in Lantern only showed what type of phone it was and no other
information. Det. Schmitt went on to say, “I don’t particularly favor one software over the other,
it ultimately depends on the device I need to examine. I often run a device through both software
just to make sure I don’t miss something.”
Comparing the capabilities of both software and the cost will better help determine which
software is more cost effective. Since my time with both systems was limited, the comparison of
both software will be completed through the use of both software user manuals and CFTT
testing.
Cellebrite UFED 4PC
The following information was obtained from UFED Physical Analyzer – User Manual
(Cellebrite Ltd., 2014).
Operating System – Microsoft Windows XP with SP3 or later
Computer Memory (RAM) required for installation
o 32 bit OS – 4GB
o 64 bit OS – 8GB
Number of supported mobile devices
o Android based devices – 1889
o iOS devices – 67
o Total number of devices – 10,538
UFED Ultimate is made up of three components:
o The UFED unit enables logical, password, SIM, file system, and physical
extractions from mobile devices, which can then be saved to a USB flash drive,
SD memory card, or directly to your PC.
o UFED Physical Analyzer application provides an in-depth view of the device's
memory using advanced decoding, analysis, and reports. UFED Physical
Analyzer can decode all types of extractions created by the UFED Classic unit.
o Phone Detective application helps investigators quickly identify a mobile phone
by its physical attributes, eliminating the need to start the device and the risk of
device lock.
UFED Physical Analyzer has the following key features:
o Decoding of the extraction with a layered view of memory content
   - Provides a detailed view of the Hex file
   - Reconstructs the device file system
   - Decodes various analyzed data types such as: Contact lists, SMS
     messages, call logs, device information (IMSI, ICCID, user codes),
     application information, and more
   - Provides a view of data files: images, videos, databases, and so on
   - Provides access to both current and deleted data
   - Reveals device passwords (when applicable)
o Powerful extraction for iOS and GPS devices
o Provides intuitive and user friendly UI for browsing the extracted information
o Powerful analysis and search tools
   - Instant search for all project content
   - Advanced search based on multiple parameters
   - Instant search for data tables content
   - Watch list for highlighting information based on a predefined list of values
   - Time line for viewing all the events performed via the mobile device in a
     single chronological view
   - Project analytics providing comprehensive activity analysis
   - Malware scanner to identify malware in the device
   - Ability to search the Hex by various parameters such as strings, bytes,
     numbers, dates
   - Ability to use regular expression (RegEx) search to look for specific data
     strings
   - Ability to bookmark memory locations for indexing of key areas for later
     review
   - Ability to use Python shell commands for data analysis
o Plug-ins
   - Manage installed plug-ins
   - Write your own plug-ins using Python scripting language
o Reports:
   - Generate reports in various formats
   - Report customizing and personalizing (logo, header, etc.)
This is an example of the user interface for UFED 4PC:
Figure 3: UFED 4PC User Interface
A review of the UFED v3.9.6.7 Test Report (National Institute of Standards and Technology,
2014) showed that, in an examination of a variety of Android and iOS devices, the UFED Physical
Analyzer performed better with Android-based devices.
Lantern 4
The following information was obtained from Lantern 4 Manual (Katana Forensics, Inc, 2014).
Operating System – Mac OS X 10.7 or higher
o Computer Memory (RAM) required for installation – 4 GB
Supported mobile devices
Figure 4: Lantern 4 Supported Devices
Here are some of the capabilities you will find in Lantern 4.0.
o Link Analysis between devices
o Recovery from Android Devices
o Recover Deleted SMS
o Read Gmail & Yahoo E-mail
o Parse Skype Calls & Messages
o Parse Facebook Data
o Cellular Sites & WiFi Location Geo Data
o WiFi Connections History
o Improved Internet History
o Geo Locate Videos & Photos
o Application Usage Data
o Analysis from .dd Images & Backups
o Data Carving Images & Videos
o Timeline Analysis
o Bookmarking
o View Data while Processing Acquisition
o Physical Image E-mail Analysis
o Document Analysis
o Additional Geo Location data from physical images
o Arbitrary Analysis
o File system dump analysis from other applications
o Decryption and analysis from other providers
o Mac OS X Analysis
o Support for the Newest Skype SQLite Format
o SMS, MMS, and iMessage for iOS 6
o WhatsApp analysis
o Bookmarks and notation
This is an example of the user interface of Lantern 4
Figure 5: Lantern 4 User Interface
No examination has been completed of Lantern 4 by the National Institute of Standards and Technology.
During the interview on November 26, 2014 with Det. Schmitt he stated, “As for cost,
Cellebrite is by far the most expensive costing approximately $8000, 3 years ago to purchase the
product and approximately $3000 in annual maintenance. We just purchased the UFED 4PC
license this year which was originally $10,000 but was negotiated down to $4000 after trading in
the old unit. As for Lantern, it was approximately $900 to purchase the product and $300 in
annual maintenance. Both software benefit this department equally and we will continue to use
both.” During the short opportunity I had to interact with both UFED 4PC and Lantern 4, I
personally favored the UFED 4PC which I felt had a better user interface. To that end, I have an
extensive amount of experience with Microsoft based operating systems over iOS which I feel
affected my preference. Considering the Cabarrus County Sheriff’s Office worked on a
$2,282,640 operations budget for fiscal year 2014 (Cabarrus County, 2014), an expense of
$10,000 for the UFED 4PC license and a $3000 maintenance cost was a major one compared to
only $300 maintenance cost for Lantern. When comparing the overall cost and annual
maintenance to capabilities it is easy to see that Lantern 4 is the better product for the cost.
Chapter 5: Conclusion
The need for law enforcement agencies across the US to invest in some form of mobile device
forensic software is imperative to keep up to speed with the evolution of crime. Due to many
budget constraints it is just as imperative to utilize the most cost effective software which
provides the most capabilities. The purpose of this study was to determine which software
provides the best capabilities for the cost to Cabarrus County Sheriff’s Office. The only
limitation I had for this research was access to the software. Due to time constraints, schedules,
and available forensic tools my access was limited to two (2) forensic tools over a period of 2
days. My original assumption was that, due to each software’s own capabilities and cost to the agency,
neither is ultimately better than the other but each provides for specific needs in specific situations.
After reviewing both UFED 4PC and Lantern 4, I found that Lantern 4 was the most cost
effective forensic tool. UFED 4PC and Lantern 4 both provide similar capabilities, just in
different formats. Each software has its own pros and cons which make it better or
worse than the other, but the cost of each makes it immediately clear which is more cost effective.
References
Ayers, R., Brothers, S., & Jansen, W. (2014). NIST Special Publication 800-101, Revision 1: Guidelines on
Mobile Device Forensics. National Institute of Standards and Technology.
Breeuwsma, M. (2006). Forensic Imaging of Embedded Systems using JTAG (boundary-scan). Digital
Investigations, Volume 3, Issue 1, 32-42.
Breeuwsma, M., Jongh, M. d., Klaver, C., Knijff, R. v., & Roeloffs, M. (2007). Forensic Data Recovery from
Flash Memory. Small Scale Digital Device Forensics Journal Vol. 1, No. 1.
Cabarrus County. (2014). Public Safety Budget. Retrieved from Cabarrus County:
https://www.cabarruscounty.us/government/departments/finance/budget/Budget/finance_budget_public_safety_2015.pdf
Cellebrite Ltd. (2014, September). UFED Physical Analyzer - User Manual. Cellebrite Ltd.
Diffen. (n.d.). Android Vs iOS. Retrieved from Diffen: http://www.diffen.com/difference/Android_vs_iOS
IDC Corporate USA. (n.d.). Smartphone OS Market Share, Q3 2014. Retrieved from IDC:
http://www.idc.com/prodserv/smartphone-os-market-share.jsp
Jonkers, K. (2010). The forensic use of mobile phone flasher boxes 5. Digital Investigation 6, 168-178.
Katana Forensics, Inc. (2014). Lantern 4 Installation and Operation Manual. Washington, DC: Katana
Forensics, Inc.
National Institute of Standards and Technology. (2010). Smart Phone Tool Specification. Washington, DC:
National Institute of Standards and Technology. Retrieved from
http://www.cftt.nist.gov/documents/Smart_Phone_Tool_Specification.pdf
National Institute of Standards and Technology. (2014). Test Results for Mobile Device Acquisition tool:
UFED Physical Analyzer v3.9.6.7. NIST.
Pew Research Center. (2014, January). Mobile Technology Fact Sheet. Retrieved from Pew Research
Internet Project: http://www.pewinternet.org/fact-sheets/mobile-technology-fact-sheet/
Schmitt, B. (2014, November 26). Detective. (S. H. Rickard, Interviewer)
Sheriffs' Office, 2007 - Statistical Tables. (2012, December). Retrieved from Bureau of Justice Statistics:
http://www.bjs.gov/content/pub/pdf/so07st.pdf
Tech-FAQ. (n.d.). The History of Cell Phones. Retrieved from Tech-FAQ:
http://www.tech-faq.com/history-of-cell-phones.html
Willassen, S. (2005). Forensic Analysis of Mobile Phone Internal Memory. Advances in Digital Forensics,
Vol. 194, (p. International Conference on Digital Forensics). 2006.
Zdziarski, J. (2012). iOS Forensic Investigative Methods. Retrieved from zdziarski:
http://www.zdziarski.com/blog/wp-content/uploads/2013/05/iOS-ForensicInvestigative-Methods.pdf
Definition of Terms
AMPS – Advanced Mobile Phone Service
ASCII – American Standard Code for Information Interchange
CFTT – Computer Forensic Tool Testing
CHV1 – Card Holder Verification 1
CHV2 – Card Holder Verification 2
EEPROM – Electronically Erasable Programmable Read Only Memory
FCC – Federal Communication Commission
GPS – Global Positioning Satellite
ICCID – Integrated Circuit Card ID
IMSI – International Mobile Subscriber Identity
IrDA – Infrared Data Association
JTAG – Joint Test Action Group
LCD – liquid crystal display
MHZ – megahertz
NAND – Non-volatile storage technology that does not require power to retain data
NFC – Near Field Connection
NIST – National Institute of Standards and Technology
NOR – Non-volatile storage technology that does not require power to retain data
PIN – Personal Identity Number
PUK – PIN Unlock Key
RAM – Random Access Memory
ROM – Read Only Memory
SD – Secure Digital
SIM – Subscriber Identity Module
USB – Universal Serial Bus
WIFI – Local area wireless technology