This 22 page Class Notes was uploaded by James Cha on Friday February 20, 2015. The Class Notes belongs to TINFO444 at University of Washington taught by John Bair in Winter2015. Since its upload, it has received 100 views. For similar materials see Mobile Digital Forensics I in Information technology at University of Washington.
Date Created: 02/20/15
T INFO 444 Mobile Digital Forensics I
Exam 2 Study Guide

Using BitPim

What is it
- A free, open source program that allows users control over certain types of stored data on Code Division Multiple Access (CDMA) handsets
- Primarily uses Python and works with most Qualcomm based chipsets
- Can operate in Windows, OS X and Linux operating systems
- Manages content such as: Phone Book, Ringtones, Wallpapers, Calendar Entries, SMS, Media, Todo, T9 Editor, Memo, File System

Purpose
- Introduces students to an automated tool that expands on AT commands
- Teaches students to conduct troubleshooting techniques
- Requires students to understand how to use nontraditional forensic tools to acquire data
- Teaches students to use BitPim to allow file system acquisitions

Help Menu
- BitPim supplies a help menu that is very thorough
- Includes a Troubleshooting section that specifically addresses ports and serial communications
- Sections in the help menu include Working with the code

Overview
Below is what you will see when BitPim is opened with a connected phone device.

[Screenshot: BitPim main window on the Welcome tab, with the menu bar (File, Edit, Data, View, Debug, Help), the Phone Tree on the left and the status area along the bottom]

On the bottom right area of BitPim users will see the communication port that a detected device has connected to. This will not show if a phone has not been connected to Windows or the device is not supported.

The bottom left area of BitPim provides the user with the status of the program. This will be a green circle showing "Ready" or a red circle stating "Busy" when loading the File System of the device. To the right of the program status is a box that will indicate what is being extracted or written to the target phone.

Note: Examiners who are using BitPim for forensic purposes must be aware that certain settings will not be utilized. Furthermore, BitPim has features that should always be enabled to keep the program from writing to the target phone. For this reason this lab does not follow the menu suggestion in every instance.

[Screenshot: menu bar with File, Edit, Data, View, Debug, Help]

In the upper left corner of BitPim the user will see a series of words that can be clicked to access additional dropdowns.

[Screenshot: File dropdown]

For this lab we will only focus on exporting data from the device. The other settings can be useful for consumer, non-forensic applications.

[Screenshot: Edit dropdown with Select All, New, Copy, Paste, Delete, Rename, Detect Phone and Settings]

The Edit dropdown has commands that you can use; you will most likely be using Copy, Paste and Delete most often.

[Screenshot: Data dropdown with Get Phone Data, Send Phone Data, Historical Data and Create New Storage]

The Data dropdown has 2 features that you will use for the lab, which are Get Phone Data and Create New Storage. Send Phone Data should NEVER be used for forensic acquisitions.

[Screenshot: View dropdown, including View protocol logging, Clear Logs and View Filesystem]

The View dropdown has areas that by default are unchecked. When checking View protocol logging and View Filesystem, two additional tabs will be added to the file system tree at the bottom left in BitPim.

[Screenshot: Debug dropdown]

The Debug dropdown feature is not needed for this course, but it allows users to record a .dat file to send to developers for troubleshooting and other issues.

[Screenshot: Help dropdown with Tour, Contents, HowTos, FAQ, Support, the connected model, Check for Update and About]

The Help dropdown can be utilized to locate additional documentation on specific areas covered in this chapter. It also provides the BitPim user with quick access to specific topics commonly addressed within the Help menu. These are listed in the Help dropdown as Tour, Contents, HowTos, FAQ and Support. Directly below the Support button will be the model of the device currently connected to BitPim, if supported. This may also read "Other CDMA Phone". This is followed by Check for Update and About.

Under the dropdown menus there are useful shortcut icons. The first icon (cell phone with an arrow pointing right) is the Get Phone Info shortcut, and by default it will be grayed out. Once a supported device is recognized by model number within BitPim this icon will no longer be grayed out. The following 4 icons will not be used in this lab.

[Screenshot: Get Phone Data dialog listing the checkable data types, among them Memo and T9 User DB]

When clicking Get Phone Info the user will be able to get certain data from the phone device. When the user has checked which data they want to acquire, the information/data will be added onto BitPim and the Log, which the user will then be able to export into a file.

This icon is the Phone Info icon, and if the device connected is supported by model number this will populate accordingly with associated information about the device. This information will not always contain every field and is model specific.

This icon is the Detect Phone icon and will launch the "Enter Phone Owner's Name" window. This feature will only work when the phone is supported by BitPim.

This icon is a shortcut for Edit > Settings, and it will be one of the more frequent commands students will utilize during labs.

[Screenshot: BitPim Settings window with Read Only, Disk storage, Config file, Phone Type and Com Port at the top, followed by options such as placing the BitPim icon in the System Tray when closed and detecting the phone at startup]

The top is the Read Only setting, and it is imperative that this setting is always checked before each exam so it blocks writing anything to the phone. The Disk storage setting is the location where the extraction will be held. The default location is in the Documents folder under BitPim. The Config file is created by BitPim and by default is also stored in the same location as disk storage. This "config" file must be cleared out between each exam to keep the previous exam's configuration settings from contaminating the next one. The Phone Type is a dropdown box that allows the user access to the different supported model phones. The Com Port setting allows the user to select the communication port they wish to connect to. The remaining settings will not be used for this lab.

The last icon is a shortcut for the Help Menu.

[Screenshot: Phone Tree with Phone, Phonebook, Media, Calendar, SMS, Call History, Play List, T9 Editor and Protocol Log]

The left area of BitPim is the Phone Tree, and this is where users whose phones are supported by model number will see the associated supported files that were parsed into the Phone Tree. The Media, SMS and Call History tabs can be expanded, and these fields will have additional subdivided areas. If the target phone supports removable MicroSD media, these fields will show the media located there in parentheses. This area is also where the File System Log and Protocol Log will show if the user has checked them under the View dropdown menu.

[Screenshot: Call History view after Get Phone Data; the table contents did not survive extraction]
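The Settings section above says the config file (kept by default next to the disk storage folder under Documents\BitPim) must be cleared out between exams, and step 1 of the General Steps repeats this as clearing the cache before BitPim is launched. The Python script below is an added example, not BitPim's own code and not the MFI BitPim Cleaner the guide mentions, of doing that clear-out manually in a way that also preserves the previous exam's material: everything in the BitPim working directory is moved into a new, labelled archive folder, the working directory is verified empty, and a manifest of what was archived is produced for the exam notes. Both directory paths are parameters; nothing about BitPim's internal file names is assumed, and the sample layout in `run_demo` is constructed for illustration.

```python
import shutil
import tempfile
from datetime import datetime
from pathlib import Path


def archive_previous_exam(bitpim_dir, archive_root, label=None):
    """Move the whole contents of the BitPim working directory (config file
    and disk-storage folder live there by default) into a fresh archive
    folder, leaving the working directory empty for the next exam.

    Returns (archive_dir, moved_names); moved_names is the sorted list of
    top-level entries that were moved.
    """
    bitpim_dir = Path(bitpim_dir).resolve()
    archive_root = Path(archive_root).resolve()
    # An archive root inside the working directory would be moved into
    # itself on the next run, so refuse it outright.
    if archive_root == bitpim_dir or bitpim_dir in archive_root.parents:
        raise ValueError("archive_root must not be inside the BitPim working directory")
    bitpim_dir.mkdir(parents=True, exist_ok=True)
    stamp = label or datetime.now().strftime("%Y%m%d-%H%M%S")
    archive_dir = archive_root / f"bitpim-{stamp}"
    # exist_ok=False: never merge two exams' files into one archive folder.
    archive_dir.mkdir(parents=True, exist_ok=False)
    moved = []
    for entry in sorted(bitpim_dir.iterdir()):
        shutil.move(str(entry), str(archive_dir / entry.name))
        moved.append(entry.name)
    return archive_dir, moved


def working_dir_is_clean(bitpim_dir):
    """True when the directory exists and contains nothing at all."""
    p = Path(bitpim_dir)
    return p.is_dir() and not any(p.iterdir())


def archived_manifest(archive_dir):
    """Sorted relative paths of every file in the archive, for the record."""
    archive_dir = Path(archive_dir)
    return sorted(str(f.relative_to(archive_dir)).replace("\\", "/")
                  for f in archive_dir.rglob("*") if f.is_file())


def run_demo():
    """Build a constructed Documents\\BitPim layout in a temp folder, archive
    it, and return (moved, manifest, clean, refused_nested_archive)."""
    root = Path(tempfile.mkdtemp())
    work = root / "BitPim"
    (work / "disk storage").mkdir(parents=True)
    (work / "config").write_text("previous exam settings\n")        # constructed
    (work / "disk storage" / "phonebook.csv").write_text("name,number\n")  # constructed
    arch, moved = archive_previous_exam(work, root / "exam-archive", label="case-0001")
    try:
        archive_previous_exam(work, work / "nested", label="case-0002")
        refused = False
    except ValueError:
        refused = True
    return moved, archived_manifest(arch), working_dir_is_clean(work), refused


if __name__ == "__main__":
    moved, manifest, clean, refused = run_demo()
    print("moved:", moved)
    print("archived files:", manifest)
    print("working dir clean:", clean, "| nested archive refused:", refused)
```

Run it once before each exam with the real Documents\BitPim path and an archive folder outside it; the returned `moved` list and `archived_manifest` output can be pasted into the exam notes so the clear-out itself is documented.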
When the user has acquired data from the phone device with Get Phone Data, the user can then see information such as the call history on the phone device, as well as other areas such as SMS history, Phone Book, etc.

[Screenshot: the BitPim Log during Detect Phone, a run of timestamped lines of the form "Checking for model ...", "Likely ports ..." and "Detect Phone result ..."]

When the user has viewed the Log they will be able to see what commands are being sent to the phone. Compared to the Protocol Log, the Log file is more static and generally easier to read during the live pull. Both logs can help in understanding the protocols that are needed for the target phone to obtain specified data. Users can also use the logs to help troubleshoot communication port problems and errors that may take place within specific areas of the file system.

Exporting Data
Users will have options when choosing to export their data by going to the File dropdown menu > Export. The fields are fairly
self-explanatory, as the user will be able to select which sections they want to export and to where.

[Screenshot: File > Export submenu with entries including Export SMS, Calendar, Media to Folder and Media to Zip File]

General Steps to Acquire Data

Overview
1. Before launching BitPim, clear out the cache. This can be done manually or by using MFI BitPim Cleaner.
2. Ensure that the Read Only setting ("Block writing anything to the phone") is checked. This can be accessed through the Edit dropdown menu > Settings.
3. Enable the File system view and Protocol Log. These are always off by default. They are located under the View dropdown menu > View Protocol Logging and View > View Filesystem. This will create tabs in the Phone Tree with the same names.
4. Determine if your phone is supported. Click the Settings icon, which will bring up the BitPim Settings window, and locate the phone model in the Phone Type drop down. If it is not supported, select Other CDMA Phone to obtain the file system.
5. Select a communication port if needed by using the Com Port Browse icon, which will launch the Choose comm port window. The communication port may need to be changed depending on whether the phone connects to the communication port.
6. If the model was located in step 4, click the Get Phone Data icon. Once selected, users will see the logical data that BitPim supports. Check the desired fields; once OK is clicked the acquisition will begin. If an error occurs, use the Other CDMA Phone setting in step 4. This process may take a few minutes. Watch the acquisition process by clicking on the Log file in the Phone Tree. If any errors occur, begin again with step 1, or try step 4 again but change the communication port (COM).
7. Save or export the parsed data. Users should be mindful that in many cases screenshots work better than exporting to a csv.

Susteen Secure View for Forensics

What is it
Susteen Inc. started in 1992 as a consumer based hardware solution for individuals who wanted to transfer contacts and other data from one phone to another or to a Personal Directory Assistant (PDA).
- Susteen kits were labeled DataPilot and consisted of cables with the more common connection types for:
  - Motorola
  - LG
  - Samsung
- Later developed a forensic product for law enforcement and other professions who were extracting mobile data
  - Susteen Secure View for Forensics was created and began as a logical extraction tool
  - Today Secure View also supports physical extractions on certain model types
- Three main products sold by Susteen:
  - DataPilot
  - Secure View for Forensics 3
  - Mobile Genie, targeted as a software solution for commercial wireless vendors who want to support customers' data transfers during sales of new phones

Overview
Once Secure View is installed users can launch the shortcut icon. The program will determine if iTunes has been installed and provide feedback as to which version is needed.

[Dialog: "The latest iPhone may require iTunes v12.0. Please update iTunes to the latest version."]

Once finished you will be prompted with the Home Screen.

[Screenshot: Secure View 3 home screen showing Current Version Nov 2014 Ver 3.18.0, Latest Version 3.18.0, and the MOBILE FORENSICS / Acquire Phone button]

Acquire Phone will bring up another window that allows the user to choose between Logical, Physical and iPhone Passcode.

[Screenshot: menu bar Acquire, Analyze, Report, Tools, Option, Help; tabs Phone, SIM Card, svSmart; ACQUIRE | ANALYZE | REPORT; buttons Logical, Physical, iPhone Passcode]

Note: We will only be conducting Logical exams.

Once Logical has been clicked, the type of device (Phone) must be selected.

[Screenshot: Source Phone window with search fields and the buttons described below]

From here you can either search for your device by Carrier, Phone or Model, or through the buttons. If your device is neither an Android nor an iPhone you can look for it through the Other Phones button, then choose the Carrier, Phone and Model.

[Screenshot: Source Carrier list: Alltel, NEXTEL, Unlocked, AT&T, Cingular, Qwest, Verizon, Boost Mobile, SouthernLINC, Virgin Mobile, Cricket, Sprint, kajeet, T-Mobile, MetroPCS, US Cellular]

[Screenshot: Source Phone list (with Recent Phones): Apple, Motorola, Samsung, Audiovox, NOKIA, Smartphone, Casio, PANTECH, Sony Ericsson, PCD, UTStarcom, Kyocera, Palm]

[Screenshot: Source Phone Model list for Motorola on Verizon, including V325, V750, Adventure, W766, entice, V325i, BARRAGE, Xoom, M2600, V325Xi, rapture, ZN4, Krave, V60 Series, W315, V65p, W385]

Once the model is selected users will see another window that will request a selection be made on the Method of transfer.

[Screenshot: Method of transfer: Cable or Bluetooth]

Using the cable is the easiest and most efficient. Once Cable is chosen you will be able to choose what content of the device you would like to see.

[Screenshot: content checkboxes: Contacts, Call History, Calendar, Messages, Images/Videos, Ringtones/Music]

Once selected you will be prompted about connecting the appropriate cable.

[Dialog for Source Phone Motorola V325i: "Connect the appropriate cable and phone to a USB port now. If the cable is already connected, disconnect and wait 3 seconds, then connect again, or click Already connected and continue. Wait until the phones are found before moving to the next step."]

When you are ready the Transferring process will begin.

[Screenshot: Transferring phone data window with Task/Status rows: Read Phone Information, Read Images and Videos, Read Ringtones and Music, Read Messages, Read Calendar, Read Call History, Read Contacts]

Once the acquisition is complete users will see a window that indicates the phone can be disconnected, and the following window will allow you to input Case File information for your exam scan.

[Screenshot: Case File form with Case File Number, Examiner's Name, Department, Address, Logo image, "Add this information to My Info" and "Select My Info"]

Once your information has been filled in you will have a choice to Do Nothing, Analyze with strobe, or Show Report.

[Dialog: "Acquisition has been completed successfully. What would you like to do next?" Do Nothing / Analyze with strobe / Show Report]

We will be choosing Show Report, which will bring up the content you chose previously.

[Screenshot: report window, output folder under Desktop\Secure View\2015 1 4 141533 Motorola V325i, "Please click buttons below for the details"]

You can view all the content on your phone device that was completed during the acquisition phase.

[Screenshot: report header: Secure View 3 Ver 3.18.0; Case/File Number; Examiner's Name; Department; Greenwich Mean Time Start 01/04/2015 22:13:30, End 01/04/2015 22:37:24; Pacific Standard Time Start 01/04/2015 14:13:30, End 01/04/2015 14:37:24; Country US; Phone Make Motorola; Phone Model V325i; Phone Number 253307055...; ESN (unreadable in extraction)]