
Smartphone Forensics: Part 4

Although iPhones and BlackBerrys command a disproportionate share of the smartphone market, many users carry other smartphones that may also need to be analyzed forensically. Motorola phones are a good example: Motorola has manufactured a wide range of handsets that are similar in look and feel but differ from one another in a number of ways. Suppose that law enforcement suspects that evidence of a crime is stored on a Motorola p2k or p2k05 phone. For most of these phones the first step is to open the Flash&Backup utility's menu and start its backup function to obtain a copy of the information stored on the device. A menu of six backup selections (the phone's memory regions, known as code groups, or CGs) will appear:

• CG1 (Firmware)
• CG2 (Flex)
• CG3 (Langpack)
• CG4 (Fonts)
• CG15 (DRM graphics)
• CG18 (Digital signature)

CG1 contains the operating system, which is coded into firmware. CG2 is the memory region that holds both user data and applications; it is therefore the most important portion of the phone's memory to back up. CG3 contains firmware for the digital signal processing that supports voice calls. CG4 contains the fonts used in the handset's displays. CG15 contains graphics, such as the icons shown on the phone. CG18 contains a digital signature unique to the phone being analyzed.

Of all the memory regions, CG2 matters most in a forensic investigation because the user files that may contain data of interest reside there. CG18 is also likely to matter in some investigations because the digital signature in this region ties the phone itself to its memory contents. The other memory regions are seldom of interest: although each holds a particular type of information, the content of a given region (for example, the DRM graphics region) on one phone is likely to be identical to the same region on another phone of the same model and firmware. Still, it can be desirable to back up each of the "less important" regions as well, so that the investigator can assert that the capture was exhaustive, covering every memory region. That could well matter in a court case or investigation.

Clicking "Select All" dumps every memory region. Once the desired region(s) have been selected, uncheck "Cut empty bytes at the end of code groups"; otherwise the unused bytes at the end of each region are dropped and the dump is not a complete copy of that region. Next choose an output format: SBF (single binary file) writes the data from all selected regions into one file, while SMG writes the contents of each region to its own file. If you are dumping all the memory regions, choose SMG so that you know exactly what was dumped where, since each output file then holds exactly one region. If you are backing up only a single region (e.g., the Flex region), a single output file is appropriate. Finally, click "Read Data." Whichever format you choose, hash each output file as soon as it is written and record the hash and file size with the case notes, so that the completeness of the capture can be demonstrated later.
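The two things the post tells you to get right here, leaving "Cut empty bytes" unchecked and preferring one SMG file per code group, both come down to one question later: can you show that each region was captured in full? The following script is an added example and is not part of the original post or of the Flash&Backup tool. It assumes the dumps were saved as SMG files (one per code group) and that the expected flash size of each code group for the handset model is known; the `EXPECTED_SIZES` figures and the `SAMPLE_DUMPS` bytes are made-up placeholders for illustration, not real Motorola flash-map values or data from a real handset.

```python
"""Integrity manifest for a Flash&Backup code-group dump set.

Added example, not part of the original post or of the Flash&Backup tool.
It assumes the dumps were saved as SMG files (one per code group) and that
the expected flash size of each code group is known for the handset model.
The EXPECTED_SIZES values below are made-up placeholders for illustration,
not real Motorola flash-map figures.
"""
import hashlib
from dataclasses import dataclass
from pathlib import Path

ERASED = 0xFF  # NOR flash reads back 0xFF wherever nothing was ever written

# Hypothetical per-model flash map: code group -> expected size in bytes.
EXPECTED_SIZES = {"CG1": 64, "CG2": 32, "CG18": 16}


@dataclass
class DumpRecord:
    code_group: str
    size: int
    sha256: str
    trailing_erased: int  # length of the 0xFF run at the end of the dump
    status: str           # complete / truncated / oversized / no-reference-size


def trailing_erased_bytes(data: bytes) -> int:
    """Length of the run of 0xFF bytes at the end of the dump.

    A region dumped in full normally ends in a run of erased (0xFF) bytes.
    A dump that stops dead on real data, with no such run, is what you get
    when 'Cut empty bytes at the end of code groups' was left checked.
    """
    n = 0
    for b in reversed(data):
        if b != ERASED:
            break
        n += 1
    return n


def classify(code_group: str, data: bytes, expected_sizes=EXPECTED_SIZES) -> DumpRecord:
    """Hash one dump and compare its length against the expected region size."""
    expected = expected_sizes.get(code_group)
    if expected is None:
        status = "no-reference-size"
    elif len(data) == expected:
        status = "complete"
    elif len(data) < expected:
        status = "truncated"
    else:
        status = "oversized"
    return DumpRecord(code_group, len(data), hashlib.sha256(data).hexdigest(),
                      trailing_erased_bytes(data), status)


def verify_dump_set(dumps: dict, expected_sizes=EXPECTED_SIZES) -> list:
    """dumps maps a code group name to the bytes read back from its .smg file."""
    return [classify(cg, data, expected_sizes) for cg, data in sorted(dumps.items())]


def load_smg_directory(directory) -> dict:
    """Read every CG*.smg file in a directory, keyed by its code group name."""
    return {p.stem.upper(): p.read_bytes() for p in Path(directory).glob("CG*.smg")}


def manifest_lines(records) -> list:
    """Tab-separated manifest lines suitable for the case file."""
    return [f"{r.code_group}\t{r.size}\t{r.sha256}\t{r.status}" for r in records]


# Constructed sample dumps (not data from any real handset):
# CG1 is a full region ending in erased bytes, CG2 was cut short by the
# 'Cut empty bytes' option, CG18 is complete, CG15 has no reference size.
SAMPLE_DUMPS = {
    "CG1": bytes([0x01]) * 40 + bytes([ERASED]) * 24,
    "CG2": bytes([0x02]) * 20,
    "CG18": bytes(range(16)),
    "CG15": bytes(8),
}

if __name__ == "__main__":
    for line in manifest_lines(verify_dump_set(SAMPLE_DUMPS)):
        print(line)
```

On a real case you would replace `SAMPLE_DUMPS` with `load_smg_directory(...)` pointed at the Flash&Backup output folder and fill `EXPECTED_SIZES` from the handset's flash map. A `truncated` status, or a dump with no trailing run of 0xFF at all, is the signature of a capture made with "Cut empty bytes" still checked and should be redone before anything else.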

Download and install the USB driver from:

http://direct.motorola.com/hellomoto/nss/driversNplugins.asp

Next download and install a copy of P2k Commander, a file manager application for Motorola p2k phones, on the PC to which the data will be transferred. Visit:

http://handheld.softpedia.com/progDownload/P2kCommander-Download-38120.html

Physically connect the phone to the PC on which P2k Commander has been installed. Start P2k Commander, then launch HyperTerminal (Start -> All Programs -> Accessories -> Communications -> HyperTerminal). In the "Connect To" dialog, select the COM port that the Motorola driver assigned to the phone (COM3 in this example). In the "COM3 Properties" dialog that follows, use these settings:

Bits per second: 115200
Data bits: 8
Parity: None
Stop bits: 1
Flow control: Hardware

These are the standard 115200 8-N-1 settings for the phone's AT port (a serial port offers 1, 1.5 or 2 stop bits, so 1 is the correct value here). Now switch the phone into P2K mode by typing the following AT command in the terminal window. It is worth sending a bare AT first: the phone should answer OK, which confirms the port and settings are right; if it does not answer, retry with flow control set to None before going further.

AT+MODE=8

The phone answers OK and switches modes; it typically drops off the AT port and re-enumerates as a P2K device, after which P2k Commander can open the phone's file system and the data transfer can begin.
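HyperTerminal is no longer shipped with Windows, so the same exchange is often done from a script. The following is an added example, not code from the original post and not part of P2k Commander or any Motorola tool. It assumes pyserial is installed for the real port (opened at the 115200 8-N-1 settings above; the port name "COM3" is the example's assumption, as in the post), and it uses a constructed `FakePort` test double so the command sequence can be exercised offline.

```python
"""Switch a Motorola P2K handset into P2K mode over its AT port.

Added example, not from the original post. It replaces the HyperTerminal
step with a small script. The transport is duck-typed (anything with
write() and readline()), so the exchange can be exercised offline against
FakePort below; with pyserial installed, open_port() returns a real
serial.Serial at 115200 8-N-1. "COM3" is the example's assumption.
"""


def open_port(name="COM3", timeout=2.0):
    """Open the handset's AT port with pyserial at 115200 8-N-1."""
    import serial  # pyserial; only needed when talking to a real handset
    return serial.Serial(name, 115200, bytesize=serial.EIGHTBITS,
                         parity=serial.PARITY_NONE, stopbits=serial.STOPBITS_ONE,
                         timeout=timeout)


def at_command(port, cmd):
    """Send one CR-terminated AT command and collect the reply up to OK/ERROR.

    The modem echoes the command back (ATE1 default); the echo and blank
    lines are skipped. A read that returns nothing means the port timed out.
    """
    port.write(cmd.encode("ascii") + b"\r")
    lines = []
    while True:
        raw = port.readline()
        if not raw:
            raise TimeoutError(f"no final result code for {cmd!r}; got {lines}")
        line = raw.decode("ascii", "replace").strip()
        if not line or line == cmd:
            continue
        lines.append(line)
        if line in ("OK", "ERROR") or line.startswith("+CME ERROR"):
            return lines


def enter_p2k_mode(port):
    """Probe with a bare AT, then issue AT+MODE=8. True if the phone accepts."""
    probe = at_command(port, "AT")
    if probe[-1] != "OK":
        raise RuntimeError(f"handset not answering AT: {probe}")
    reply = at_command(port, "AT+MODE=8")
    return reply[-1] == "OK"


class FakePort:
    """Scripted stand-in for a serial port (constructed test double).

    responses maps a command to the result lines the 'phone' sends back;
    unknown commands get ERROR, as a real modem would.
    """

    def __init__(self, responses):
        self.responses = dict(responses)
        self.sent = []
        self._buf = []

    def write(self, data):
        cmd = data.decode("ascii").rstrip("\r")
        self.sent.append(cmd)
        result = self.responses.get(cmd, ["ERROR"])
        self._buf = [cmd + "\r\n", "\r\n"] + [r + "\r\n" for r in result]

    def readline(self):
        return self._buf.pop(0).encode("ascii") if self._buf else b""


if __name__ == "__main__":
    port = open_port()
    try:
        print("switched to P2K mode:", enter_p2k_mode(port))
    finally:
        port.close()
```

Once `enter_p2k_mode` returns True the AT port usually disappears, because the phone re-enumerates as a P2K device; do not treat the subsequent disconnect as an error. Keep the script's transcript (commands sent and replies received) with the case notes, since it documents exactly how the phone was put into the mode in which it was imaged.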

Once more it should be apparent that making smartphone forensic dumps with procedures such as those described here is not the easiest thing in the world. Commercial tools generally make the process easier, but there is plenty of room for mistakes even with the best of them. The bottom line is that smartphone forensics is not something to be taken lightly; if you are going to enter this arena, make every effort to get up to speed quickly.
