Thursday, February 23, 2017

Secrets and Evidence of Older Mobiles

It is good to learn that the Nokia 3310 may make a return, albeit with an Android operating system. The nostalgia for these types of mobile phones has clearly not been lost. What it might suggest is that consumers still want a mobile telephone to remain a mobile telephone and to look like one.

The older mobile phones I have in mind though are the ones that are still used in examinations, investigations and research. Since there is nostalgic sentiment in the air I thought you might be interested in some examples of older mobile phones from my lab toolkit.

Now these old buzzards are used for basic GSM telephony services. There isn't a universal SIM that will work with these as some from my collection operate with a 5-volt SIM and so on. Importantly they are used due to the fact they have an external antenna and extendable external antenna. In some investigation instances RSSI will show network detection and a small amount of RF power whereas mobiles/smartphones with embedded antennas show Emergency Calls Only.

You might recall I have written numerous articles on radio surveys and two that may seem appropriate to this discussion are:

CSA: Mobile Phones and Fringe Coverage

GSM Radio Test Measurements

The next selection of mobiles/smartphones each provide different radio characteristics due to the manufacturer's selection of RF chipset and functionality.

My five beauties, as I call them, are my Nokia 3210s. Great phones and they still operate perfectly well today. You can also see in the photo that all bar one mobile have embedded antenna. Some are mobile phones and some are smartphones. Combined they offer the ability for RF surveys and testing voice telephony, data downloads, instant messaging etc. The common laptop application Network Monitor (NMonitor/NetMonitor) still provides good feedback when connected to the Nokia 3210 (nmon activated). Blackberry requires a bit of setting up with applications such as MagicBerry, BBHTool, etc., and creating JAD-files (depending on what you want to achieve). Now with the Samsung models GT-I8160 and GT-I9100 both are used with 2G and 3G networks and illustrates the point that two models of smartphone from the same manufacturer display didn't RF survey details.

Now I wont bore you with an explanation of the details just to say these investigation RF surveys require knowing the various ServiceMode states. In particular, if you are conducting a PRACH and RACH survey, relevant to investigations for Access Requests (e.g. the phone is not in idle mode but seeking a service), then the GT-I9100 is useful in that it displays not just the LAC but also the Cell ID the RACH (access) request was made. Quite a few mobiles do not do this when looking into the ServiceMode states. You have to be quick, mind you, as the ServiceMode screen changes fairly quickly if you are not ready to take a photo.

Yet another, quite old-ish, mobile phone that I haven't shown so far is the Nokia 6303. The photo shown below should explain everything. But for those not familiar to testing and examination; where a charge in the billing appears for an SMS or at least details of a called number sent an SMS (even if sent message is free) it is quite possible the party receiving the message can read it but the message wont be saved. This is known as a Class 0 message (commonly referred to as a Flash Message). Depending on make and model of mobile phone, part or all of the message which is only held in RAM might still be recoverable, provided seizure and examination is undertaken and completed fairly quickly, as RAM is updating perpetually. 

The Nokia 6303 is one of those mobiles that the handset manufacturer in combination with mobile network operator enabled this feature as they foresaw revenue generation from it and also recognised that a reasonable memory storage capacity in handset and SIM card need not be blocked up with trivial messages.

The 6303 came with a 940 MB memory card for downloaded applications etc. This proved to be useful in an investigation where text messages didn't have alphabet characters but a series of dots and dashes. At first it was thought this was incomplete text chat messages or some sort of smiley face that didn't form properly when typed on the screen.

When reviewing hundreds of text messages recovered from a mobile or smart phone it is quite easy to overlook or ignore a message as being meaningless. However, I researched the matter and following testing the message turned out to be Morse Code. I tracked down the application for this and cross-checked with the device that had been examined.


So next time you see a text message with an odd presentation look closely to see if it has relevance and whether your mobile phone forensic suite software has the capability to either identify the message contains additional features or can translate the message.

Hope you have enjoyed this brief look at older mobile phones used in and for mobile forensic examination, investigations and research.

No comments: