This 12 page Class Notes document was uploaded by James Cha on Friday, February 13, 2015. It belongs to TINFO444 at University of Washington, taught by John Bair in Winter 2015. Since its upload it has received 78 views. For similar materials see Mobile Digital Forensics I in Information Technology at University of Washington.
Reviews for TINFO444Week6Notes.pdf
Date Created: 02/13/15
T INFO 444 Mobile Digital Forensics I
Week 6: Using BitPim, MFI BitPim Cleaner, Chapter 5-6 Lab

What is BitPim?
- BitPim is a free, open source program that gives users control over certain types of stored data on CDMA handsets.
- It is written primarily in Python and works with most Qualcomm-based chipsets.
- It runs on Windows, OS X and Linux.
- Some of the content BitPim can manage: phone book, ringtones, wallpapers, calendar entries, SMS, media, todo list, T9 editor, memo, file system.

Purpose
- Introduces students to an automated tool that expands on AT commands.
- Teaches students to conduct troubleshooting techniques.
- Requires students to understand how to use non-traditional forensic tools to acquire data.
- Teaches students to use BitPim to perform file system acquisitions.

Help Menu
- BitPim supplies a very thorough help menu.
- It includes a Troubleshooting section that specifically addresses ports and serial communications.
- Sections in the help menu include "Working with the code".

Overview
Below is what you will see when BitPim is opened with a connected phone device.
[Screenshot: BitPim main window with the menu bar File, Edit, Data, View, Debug, Help and the Welcome tab. The welcome text points new users to the BitPim homepage (www.bitpim.org), the SourceForge project page (www.sourceforge.net/projects/bitpim), upgrade information, the version history and support information.]
- On the bottom right of BitPim, users will see which communication port a detected device has connected to. Nothing is shown there if a phone has not been connected to Windows or the device is not supported.
[Screenshot: status area at the bottom of the BitPim window.]
- The bottom left area of BitPim shows the status of the program: a green circle showing "Ready", or a red circle stating "Busy" while the file system of the device is loading. To the right of the program status is a box indicating what is being extracted from, or written to, the target phone.
Note: Examiners who use BitPim for forensic purposes must be aware that certain settings will not be utilized. Furthermore, BitPim has features that should always be enabled to keep the program from writing to the target phone. For this reason this lab does not follow the menu suggestions in every instance.
- In the upper left corner of BitPim, the user will see a series of words that can be clicked to open additional dropdowns: File, Edit, Data, View, Debug and Help.
- File dropdown (Contacts, Calendar, SMS, Call History, Media, Print, Import, Export): for this lab we will only focus on exporting data from the device. The other settings can be useful for consumer, non-forensic applications.
- Edit dropdown (Select All, New, Copy, Paste, Delete, Detect Phone, Settings): you will most likely use Copy, Paste and Delete most often.
- Data dropdown (Get Phone Data, Send Phone Data, Historical Data, Create new Storage): two features will be used in the lab, Get Phone Data and Create new Storage. Send Phone Data should NEVER be used for forensic acquisitions.
- View dropdown (Columns, Phone Info, View protocol logging, View Filesystem, Clear Log): these areas are unchecked by default. Checking View protocol logging and View Filesystem adds two tabs to the Phone Tree at the bottom left.
- Debug dropdown: not needed for this course, but it lets users record a .dat file to send to the developers for troubleshooting and other issues.
- Help dropdown: used to locate additional documentation on the specific areas covered in this chapter. It gives the BitPim user quick access to topics commonly addressed within the Help menu, listed as Tour, Contents, HowTos, FAQ and Support. Directly below Support is the model of the device currently connected to BitPim, if supported; this may also read "Other CDMA Phone". This is followed by Check for Update and About.
- Under the dropdown menus are useful shortcut icons. The first icon (cell phone with an arrow pointing right) is the Get Phone Info shortcut; by default it is grayed out. Once a supported device is recognized by model number within BitPim, the icon is no longer grayed out. The following 4 icons will not be used in this lab.
[Screenshot: Get Phone Data dialog with checkboxes for the data categories BitPim can read from the phone.]
- When clicking Get Phone Info, the user can select which data to get from the phone device. Once the user has checked the data they want to acquire, that data is added to BitPim and to the Log, which the user can then export to a file.
- The Phone Info icon populates with information about the connected device if it is supported by model number. The information does not always contain every field and is model specific.
- The Detect Phone icon launches the "Enter Phone Owner's Name" window. This feature only works when the phone is supported by BitPim.
- The Edit Settings shortcut icon will be one of the commands students use most often during labs.
[Screenshot: BitPim Settings window with the Read Only, Disk storage, Config file, Phone Type, Com Port and other settings.]
- At the top is the Read Only setting ("Block writing anything to the phone"). It is imperative that this setting is checked before each exam so that BitPim is blocked from writing anything to the phone.
- The Disk storage setting is the location where the extraction will be held. By default this is under the Documents folder, in BitPim.
- The Config file is created by BitPim and by default is stored in the same location as disk storage. This config file must be cleared out between exams so that the previous exam's configuration settings do not contaminate the next one.
- The Phone Type dropdown gives the user access to the different supported phone models.
- The Com Port setting lets the user select the communication port they wish to connect to.
- The remaining settings will not be used in this lab.
- The last icon is a shortcut for the Help menu.
[Screenshot: Phone Tree listing Phone, PhoneBook, Media, Calendar, Memo, Todo, SMS, Call History, Filesystem, T9 Editor, Log and Protocol Log.]
- The left area of BitPim is the Phone Tree. Users whose phones are supported by model number will see the associated supported files, parsed, in the Phone Tree. The Media, SMS and Call History tabs can be expanded and have additional subdivided areas. If the target phone supports removable MicroSD media, these fields show the media located there in parentheses. This area is also where the File System Log and Protocol Log appear if the user has checked them under the View dropdown menu.
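The Read Only, Disk storage and Config file points above are exactly what the pre-exam cleanup (and MFI BitPim Cleaner) are meant to enforce. The following Python script is an added example, not part of these notes and not BitPim's own code: it audits a BitPim data directory before an acquisition, listing files carried over from a previous exam, reporting whether the config file marks the session read-only, and emptying the directory for step 1 of the lab. It assumes the config file is an INI-style file named ".bitpim"; the section name "settings" and key "readonly" are placeholders rather than verified BitPim identifiers, so adjust them to match the config file BitPim writes on the lab machine.

```python
"""Pre-exam audit of a BitPim data (disk storage) directory.

Added example for the Week 6 notes; not BitPim code.  The config file name,
section and key below are ASSUMPTIONS, not verified BitPim identifiers.
"""
import configparser
import tempfile
from dataclasses import dataclass, field
from pathlib import Path
from typing import List, Optional

CONFIG_NAME = ".bitpim"       # assumed name of the config file BitPim writes
CONFIG_SECTION = "settings"   # placeholder section name (assumption)
READONLY_KEY = "readonly"     # placeholder key for "Block writing anything to the phone"


@dataclass
class PreExamReport:
    leftover_files: List[str] = field(default_factory=list)  # carry-over from a previous exam
    config_present: bool = False
    read_only: Optional[bool] = None   # None: no config, or the key could not be read

    def ok(self) -> bool:
        """Safe to acquire: nothing carried over and write-blocking confirmed."""
        return not self.leftover_files and self.read_only is True

    def problems(self) -> List[str]:
        msgs = []
        if self.leftover_files:
            msgs.append(f"{len(self.leftover_files)} file(s) left from a previous exam")
        if not self.config_present:
            msgs.append("no config file: open Edit > Settings and enable Read Only")
        elif self.read_only is not True:
            msgs.append("Read Only is not enabled in the config")
        return msgs


def audit_data_dir(data_dir) -> PreExamReport:
    """Inspect a disk-storage directory without modifying it."""
    data_dir = Path(data_dir)
    cfg = data_dir / CONFIG_NAME
    report = PreExamReport()
    if not data_dir.is_dir():
        return report
    # Anything other than the current config file is contamination from an earlier exam.
    for p in sorted(data_dir.rglob("*")):
        if p.is_file() and p != cfg:
            report.leftover_files.append(p.relative_to(data_dir).as_posix())
    if cfg.is_file():
        report.config_present = True
        parser = configparser.ConfigParser()
        try:
            parser.read(cfg)
            if parser.has_option(CONFIG_SECTION, READONLY_KEY):
                report.read_only = parser.getboolean(CONFIG_SECTION, READONLY_KEY)
        except (configparser.Error, ValueError):
            report.read_only = None   # unreadable config: treat as not confirmed
    return report


def clear_data_dir(data_dir) -> int:
    """Lab step 1: empty the directory, config included.  Returns files removed."""
    data_dir = Path(data_dir)
    removed = 0
    for p in sorted(data_dir.rglob("*"), reverse=True):   # deepest entries first
        if p.is_file():
            p.unlink()
            removed += 1
        elif p.is_dir():
            p.rmdir()
    return removed


def make_sample_dir(read_only: bool, stale: bool) -> Path:
    """Build a throwaway directory that mimics a BitPim data folder (constructed sample)."""
    d = Path(tempfile.mkdtemp(prefix="bitpim-sample-"))
    (d / CONFIG_NAME).write_text(
        f"[{CONFIG_SECTION}]\n{READONLY_KEY} = {'1' if read_only else '0'}\n")
    if stale:   # constructed leftovers from a "previous exam"
        (d / "phonebook.idx").write_text("old phonebook index\n")
        (d / "media").mkdir()
        (d / "media" / "img001.jpg").write_bytes(b"\xff\xd8stale")
    return d


if __name__ == "__main__":
    sample = make_sample_dir(read_only=False, stale=True)
    for msg in audit_data_dir(sample).problems():
        print("problem:", msg)
    print("removed", clear_data_dir(sample), "file(s); directory is ready for a fresh config")
```

Run the audit before clicking Get Phone Data; a non-empty problems() list means the lab's step 1 or step 2 was skipped.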
[Screenshot: Call History view after Get Phone Data, a table with columns for date and time, type, number, duration and name.]
- Once the user has acquired data from the phone device with Get Phone Data, they can see information such as the call history on the device, as well as other areas such as the SMS history, the PhoneBook, etc.
[Screenshot: Log tab during Detect Phone, a series of timestamped lines reading "Checking for model ...", "Likely ports" and "Detect Phone result".]
- When the user views the Log they can see what commands are being sent to the phone. Compared to the Protocol Log, the Log is more static and generally easier to read during the live pull. Both logs help in understanding the protocols needed for the target phone to obtain specified data. Users can also use the logs to troubleshoot communication port problems and errors that may take place in specific areas of the file system.

Exporting Data
- Users have options when choosing to export their data: File dropdown menu > Export. The fields are fairly self-explanatory, as the user selects which sections to export and where to export them to.
[Screenshot: File > Export submenu, including Export SMS, Calendar, Media to Folder and similar entries.]

General Steps to Acquire Data (Overview)
1. Before launching BitPim, clear out the cache. This can be done manually or by using MFI BitPim Cleaner.
2. Ensure that Read Only ("Block writing anything to the phone") is checked. This is accessed through the Edit dropdown menu > Settings.
3. Enable the File system view and the Protocol Log. These are always off by default. They are located under the View dropdown menu > View Protocol Logging and View > View Filesystem. This creates tabs in the Phone Tree with the same names.
4. Determine if your phone is supported. Click the Edit Settings icon, which brings up the BitPim Settings window, and locate the phone model in the Phone Type dropdown. If it is not supported, select Other CDMA Phone to obtain the file system.
5. Select a communication port if needed by using the Com Port Browse icon, which launches the Choose comm port window. The communication port may need to be changed depending on whether the phone connects.
6. If the model was located in step 4, click the Get Phone Data icon. Users will then see the logical data that BitPim supports. Check the desired fields; once OK is clicked the acquisition begins. If an error occurs, use the Other CDMA Phone setting from step 4. This process may take a few minutes. Watch the acquisition process by clicking on the Log file in the Phone Tree. If any errors occur, begin again with step 1, or try step 4 again but change the communication port (COM).
7. Save or export the parsed data. Users should be mindful that in many cases screenshots work better than exporting to a CSV.
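Step 6 says to watch the Log during the pull and use it to decide whether to retry. Below is an added example (not from the notes and not BitPim code) of a Python summary over log lines of the kind shown in the Log screenshot: which models were checked, which ports were tried, the Detect Phone result, any errors, and any line suggesting a write to the phone, mapped onto the retry advice in the steps above. The sample lines, their timestamp format and the message wording are constructed to resemble the screenshot and are not real BitPim output; the pattern used to spot write activity is likewise an assumption.

```python
"""Summarize a BitPim-style Log during Detect Phone / Get Phone Data.

Added example for the Week 6 notes; the log format below is CONSTRUCTED to
resemble the Log screenshot and is not real BitPim output.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a detect cycle that fails for the first model, succeeds with
# "Other CDMA Phone" on a second COM port, then hits one error during the pull.
SAMPLE_LOG = """\
13:51:59.900 Checking for model Sample Model A
13:51:59.961 Likely ports: COM7
13:51:59.961 Detect Phone result: None
13:52:00.104 Checking for model Other CDMA Phone
13:52:00.110 Likely ports: COM7, COM9
13:52:01.320 Detect Phone result: Other CDMA Phone on COM9
13:52:05.002 Reading phonebook
13:52:07.415 Reading call history
13:52:08.001 Error: timeout reading filesystem
"""

LINE_RE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<msg>.*)$")
# Assumed wording of write operations; any hit is a red flag for a read-only exam.
WRITE_RE = re.compile(r"\b(writ(e|ing)|send(ing)?)\b", re.IGNORECASE)


@dataclass
class LogSummary:
    models_checked: List[str] = field(default_factory=list)
    ports_seen: List[str] = field(default_factory=list)
    detected: Optional[str] = None
    errors: List[str] = field(default_factory=list)
    write_lines: List[str] = field(default_factory=list)
    unparsed: int = 0


def summarize_log(text: str) -> LogSummary:
    """Walk the log line by line and collect the facts an examiner acts on."""
    s = LogSummary()
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            if line:
                s.unparsed += 1
            continue
        msg = m.group("msg")
        if msg.startswith("Checking for model "):
            s.models_checked.append(msg[len("Checking for model "):])
        elif msg.startswith("Likely ports:"):
            for port in msg.split(":", 1)[1].split(","):
                port = port.strip()
                if port and port not in s.ports_seen:
                    s.ports_seen.append(port)
        elif msg.startswith("Detect Phone result:"):
            result = msg.split(":", 1)[1].strip()
            if result != "None":
                s.detected = result
        elif msg.startswith("Error"):
            s.errors.append(msg)
        if WRITE_RE.search(msg):
            s.write_lines.append(line)
    return s


def next_step(s: LogSummary) -> str:
    """Map the summary onto the troubleshooting advice in the general steps."""
    if s.write_lines:
        return "STOP: log shows write activity; verify Read Only and that Send Phone Data was not used"
    if s.detected is None:
        return "No phone detected: select Other CDMA Phone (step 4) or change the COM port (step 5)"
    if s.errors:
        return "Acquisition errors: clear the cache (step 1) or retry step 4 with another COM port"
    return "Acquisition completed without errors: save or export the parsed data (step 7)"


if __name__ == "__main__":
    summary = summarize_log(SAMPLE_LOG)
    print("models checked:", summary.models_checked)
    print("ports seen:", summary.ports_seen)
    print("detected:", summary.detected)
    print("errors:", summary.errors)
    print("next step:", next_step(summary))
```

To use it on a real pull, export the Log from BitPim to a text file and pass its contents to summarize_log; if the real line format differs, adjust LINE_RE and the message prefixes first, since every other check keys off them.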