Sunday, April 15, 2012

Examination Techniques8: Simple Experiments2

This post continues the discussion, offering suggestions on ways to generate test methodologies so that, down the line, it might be possible to create validation and verification processes, practices and procedures for mobile phone examination (device under test (DUT)).

Assuming an examiner is satisfied that s/he is using the appropriate tool, one that will extract and harvest data from the make/model (DUT) under examination, there remains the prior query: what exactly is this tool communicating to the DUT? For instance, considering logical data as opposed to physical data, does the tool intended for use provide an "output log" that contains the communications (commands) sent to the DUT (e.g. APDU or AT+ etc.) so that the examiner can:

- corroborate what is being instructed to the DUT when that tool is applied to it?
- comprehend whether the responses (data) received from the DUT are as expected or whether the data are incomplete?
- determine, should the data be incomplete, whether that is because the commands are incorrect in their instructions as to which data are to be extracted, or because the handset has not stored any further data other than that returned in response to the command sent?

The objective of this simple experiment is to observe the content of any harvested logical data so that, when dealing with physical (deleted) data recovery, an examiner can start to build a template from known logical data samplings, in order to gain some understanding of any recovered deleted data: what may be there and what may be missing.
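One way to put the three questions above to a tool's output log, as an added example that is not part of the original post or of any particular tool. It assumes a constructed log layout (">>" sent to the DUT, "<<" received), a single phonebook read, and the 3GPP TS 27.007 phonebook commands AT+CPBS? and AT+CPBR, chosen here for illustration; the function names are hypothetical.

```python
import re

# Constructed sample of a tool "output log": ">>" = sent to DUT, "<<" = received.
# The ">>"/"<<" framing is an assumption; real tools use their own log layouts.
SAMPLE_LOG = '''\
>> AT+CPBS?
<< +CPBS: "SM",3,250
<< OK
>> AT+CPBR=?
<< +CPBR: (1-250),40,14
<< OK
>> AT+CPBR=1,100
<< +CPBR: 1,"+447700900001",145,"Alice"
<< +CPBR: 7,"+447700900002",145,"Bob"
<< OK
'''

def parse_exchanges(log):
    """Pair each command sent to the DUT with the response lines that follow it."""
    exchanges = []
    for line in log.splitlines():
        if line.startswith(">> "):
            exchanges.append((line[3:].strip(), []))
        elif line.startswith("<< ") and exchanges:
            exchanges[-1][1].append(line[3:].strip())
    return exchanges

def audit_phonebook(log):
    """Compare what the tool requested with what the DUT reports it holds."""
    used = supported = requested = None
    returned = []
    for cmd, resp in parse_exchanges(log):
        body = " ".join(resp)
        if cmd == "AT+CPBS?" and (m := re.search(r'\+CPBS: "[^"]*",(\d+),(\d+)', body)):
            used = int(m.group(1))          # slots the DUT says are occupied
        elif cmd == "AT+CPBR=?" and (m := re.search(r"\+CPBR: \((\d+)-(\d+)\)", body)):
            supported = (int(m.group(1)), int(m.group(2)))   # index range the DUT supports
        elif (m := re.fullmatch(r"AT\+CPBR=(\d+)(?:,(\d+))?", cmd)):
            requested = (int(m.group(1)), int(m.group(2) or m.group(1)))
            returned += [int(i) for i in re.findall(r"\+CPBR: (\d+),", body)]
    covers = (None not in (supported, requested)
              and requested[0] <= supported[0] and requested[1] >= supported[1])
    return {"used": used, "supported": supported, "requested": requested,
            "returned": returned, "command_covers_range": covers,
            "entries_unaccounted": None if used is None else used - len(returned)}
```

For the constructed log, the read covered indices 1 to 100 of a supported 1 to 250 and returned two of the three entries the DUT reports as used, so the shortfall points at the instruction rather than at the handset holding no further data.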

Previous discussions relevant to this topic:
Examination Techniques6: Simple Experiments - http://trewmte.blogspot.co.uk/2012/03/examination-techniques6-simple.html

Examination Techniques5: Validation and Verification - http://trewmte.blogspot.co.uk/2012/03/examination-techniques5-validation-and.html

External links:
http://www.forensicfocus.com/Forums/viewtopic/t=8879/
