November 15, 2007

GSM Mobile Device and Associated Media Tool Specification 

Draft 2 for public comment of Version 1.0

Abstract
Mobile devices incorporating cellular capabilities are ubiquitous and contain a wealth of personal information useful in criminal cases, civil disputes, employment proceedings, and recreation of incidents.  Due to the rapid rate of mobile devices appearing on the market, cellular forensic tools capable of data acquisition are continually evolving.  In general, forensic examination of mobile devices is a small part of digital forensics.  Consequentially, tools possessing the ability to acquire data from these devices are relatively new and continually expanding. 

This paper defines requirements for mobile device applications capable of acquiring data from mobile devices operating over a Global System for Mobile communication (GSM) network, test methods used to determine whether a specific tool meets the requirements, and assertions derived from requirements producing measurable results.* The assertions are described as general statements of conditions that can be checked after a test is executed.  Each assertion generates one or more test cases consisting of a test protocol and the expected test results.  The test protocol specifies detailed procedures for setting up the test, executing the test, and measuring the test results.

As this document evolves through comments updated versions will be posted at http://www.cftt.nist.gov.

3.     Scope

The scope of this specification is limited to software tools capable of acquiring GSM devices and related media (i.e., SIM).  The specifications are general and capable of being adapted to other types of mobile device software tailored for non-GSM devices.

4. Glossary

This glossary was added to provide context in the absence of official definitions recognized by the computer forensics community.

• Access card/Radio isolation card: Subscriber Identity Modules (SIMs) that contain necessary data elements allowing GSM equipment to operate without network connectivity.
  
• Associated data: Multi-media data (i.e., graphic, audio, video) that are attached and delivered via a multi-messaging service (MMS) message.
  
• Acquisition File: A snapshot of data contained within the internal memory of a target device or associated media (i.e. SIM).
  
• Case File: A file generated by a forensic tool that contains the data acquired from a mobile device or associated media and case-related information (e.g., case number, property/evidence number, agency, examiner name, contact information, etc.) provided by the examiner.
  
• Cellular phone: A device whose major function is primarily handling incoming/outgoing phone calls with limited task management applications.
  
• CFT: Cellular Forensic Tool.
  
• Enhanced Message Service (EMS): Text messages over 160 characters or messages that contain either Unicode characters or a 16x16, 32x32 black and white image.
  
• Flash memory: Non-volatile memory that retains data after the power is removed.
  
• GSM: Global System for Mobile communications is an open, digital cellular technology used for transmitting mobile voice and data services.
  
• Hashing: The process of creating a digital fingerprint by issuing a mathematical algorithm against a data element to produce a numeric value.
  
• Human-readable format: Data (e.g., text, images) that is presented in a format that is able to be displayed and interpreted without decoding.
  
• IM: Internal Memory.
  
• Logical acquisition: Implies a bit-by-bit copy of logical storage objects (e.g., directories and files) that reside on a logical store (e.g., a file system partition).
  
• Mobile Subscriber International Subscriber Directory Number (MSISDN): is intended to convey the telephone number assigned to the subscriber for receiving calls on the phone.
  
• Multimedia Messaging Service (MMS) message: Provides users with the ability to send text messages containing multimedia objects (i.e., graphic, audio, video).
  
• Preview pane: Section of the Graphical User Interface (GUI) that provides a snapshot of the acquired data.
  
• Physical acquisition: A bit-by-bit copy of the data layer.
  
• Personal Information Management (PIM) data: Data that contains personal information such as: calendar entries, to-do lists, memos, reminders, etc.
  
• Personal Identification Number (PIN): A numeric code used for preventing unauthorized access to a device generally associated with the SIM.  PIN1 is the primary means of access to a handset.  PIN2 when activated provides additional security for a small set of features (e.g., resetting call meters, changing fixed dialing numbers).
  
• PIN UnlocK Code (PUK): A required code to unlock a disabled SIM due to three successive incorrect PIN attempts.  PUK1 and PUK2 are used to unblock PIN1 and PIN2 respectively.
  
• Short Message Service (SMS): A service used for sending text messages (up to 160 characters) to mobile devices.
  
• Subscriber Identity Module (SIM): A smart card which contains essential subscriber information and additional data providing network connectivity to mobile equipment operating over a GSM network.
  
• Smart phone: A full-featured mobile phone that provides users with personal computer like functionality by incorporating PIM applications, enhanced Internet connectivity and email operating over an Operating System supported by superior processing and high capacity storage.
  
• Stand-alone data: Data (e.g., graphic, audio, video) that is not associated with or has not been transferred to the device via email or MMS message.
  
• User data: Data populated onto the device using applications provided by the device.

5.     Handset Characteristics - Internal Memory

Mobile devices, designed with the primary purpose of placing and receiving calls, maintain data in flash memory.  Typically, the first part of flash memory is filled with the operating system and the second part is allocated for user data.  Although information is stored in a proprietary format, forensic tools tailored for mobile device acquisition should minimally be able to perform a logical acquisition for supported devices and provide a report of the data present in the internal memory.  Tools that possess a low-level understanding of the proprietary data format for a specific device may provide examiners with the ability to perform a physical acquisition and generate reports in a meaningful (i.e., human-readable) format.  Currently, the tools capable of performing a physical acquisition on a mobile device are limited.

6.     SIM Characteristics

Due to the GSM 11.11¹ standard, mobile device forensic tools designed to extract data from a SIM via an external reader should be able to properly acquire, decode, and present data in a human- readable format.  An abundance of information is stored on the SIM such as Abbreviated Dialing Numbers (ADNs), Last Numbers Dialed (LND), Short Message Service (SMS) messages, subscriber information (i.e., IMSI), and location information (i.e., Location Information [LOCI], General Packet Radio Service Location [GPRSLOCI]).  Tools optionally should provide support for Universal Subscriber Identity Modules (USIMs), the third generation (3G) card which carries out the same functions as its 2G cousin (i.e., SIM). 

Optionally, mobile device forensic tools should provide the ability to create an access SIM² in the event that the mobile equipment (ME) is found without the SIM present.  Devices found without the SIM present may cause difficulty in acquiring the internal memory of the related device.  Therefore, the ability to create an access card bypasses this problematic situation and allows for completion of internal memory acquisition.

7.     Digital Evidence

The amount and richness of data contained on mobile devices is dependent upon device type (i.e., low-end, high-end) and personal usage.  However, there is a core set of data that computer forensic tools can recover that remains somewhat consistent on all devices with cellular capabilities.  GSM devices provide two areas for data storage: device internal memory and the SIM.  Tools should have the ability to recover the following data elements stored in the device’s internal handset memory:

• International Mobile Equipment Identifier (IMEI)
• Personal Information Management (PIM) data – (e.g., Address book, Calendar entries, to-do list, Tasks)
• Call Logs -- Incoming and outgoing calls
• SMS text messages
• Multi-media Messages (MMS)/email -- and associated data
• File Storage -- Stand-alone files such as audio, graphic and video

Tools shall have the ability to recover the following data elements stored on the SIM memory:

• Service Provider Name (SPN)
• Integrated Circuit Card Identifier (ICCID)
• International Mobile Subscriber Identity (IMSI)
• Mobile Subscriber International ISDN Number (MSISDN)
• Abbreviated Dialing Numbers (ADNs)
• Last Numbers Dialed (LND)
• Short Message Service (SMS) -- read, unread, deleted (that have not been overwritten)
• Enhanced Message Service (EMS) -- messages over 160 characters
• Location Information (LOCI)
• General Packet Radio Service (GPRS) location -- GPRSLOCI

8.     Test Methodology

To provide concise test results of tools capabilities, the following test methodology will be strictly followed.  The forensic application under evaluation will be installed on a dedicated (i.e., no other forensic applications are installed) host machine operating over the required platform as specified by the application.  Two identical GSM devices will function as the source and target devices.  The internal memory of the source device will be populated with a pre-defined dataset as will the SIM.  Source, target devices and associated media (i.e., SIM), subsequent to initial data population, will be stored in a protected state eliminating the possibility of data modification due to network connectivity.  The source SIM will be populated onto re-writeable SIMs (i.e., access cards), not capable of radio activity.  Each succeeding test entails recreating the host testing environment for each specific tool tested and re-populating the target device and access SIM.  During the acquisition process, all data transmissions (sent and received data packets) between the device and application will be captured and logged via a port monitoring utility. 

The following data elements will be used for populating the internal memory of the cellular device: Address book, PIM data, call logs, SMS messages, MMS messages/email with attachments (i.e., images, audio, video) and stand-alone data files (i.e., audio, graphic, video).  The following data elements will be used for populating the SIM: Abbreviated Dialing Numbers (ADNs), Last Numbers Dialed (LND), Short Messaging Service (SMS) messages marked as Read, Unread and Deleted, EMS messages, and location (LOCI) information.

9.     Requirements

The requirements are in two sections: 9.1 and 9.2.  Section 9.1 lists requirements that all acquisition tools shall meet.  Section 9.2 lists requirements that the tool shall meet on the condition that specified features or options are offered by the tool. 

9.1    Requirements for Core Features

The following requirements are mandatory and shall be met by all mobile device forensic tools capable of acquiring internal handset memory and SIM memory.

Internal Memory Requirements:

CFT-IM-01     A cellular forensic tool shall have the ability to recognize supported devices via the vendor supported interfaces (e.g., cable, Bluetooth, Infrared).
CFT-IM-02     A cellular forensic tool shall have the ability to identify non-supported devices.
CFT-IM-03     A cellular forensic tool shall have the ability to notify the user of connectivity errors between the device and application during acquisition.
CFT-IM-04     A cellular forensic tool shall have the ability to provide the user with either a preview pane or generated report view of data acquired.
CFT-IM-05     A cellular forensic tool shall have the ability to logically acquire all application supported data elements present in internal memory without modification.

SIM Requirements:
CFT-SIM-01     A cellular forensic tool shall have the ability to recognize supported SIMs via the vendor supported interface (e.g., PC/SC reader, proprietary reader).
CFT-SIM-02     A cellular forensic tool shall have the ability to identify non-supported SIMs.
CFT-SIM-03     A cellular forensic tool shall have the ability to notify the user of connectivity errors between the SIM reader and application during acquisition.
CFT-SIM-04     A cellular forensic tool shall have the ability to provide the user with the opportunity to unlock a password protected SIM before acquisition
CFT-SIM-05     A cellular forensic tool shall have the ability to provide the user with either a preview pane or generated report view of data acquired.
CFT-SIM-06     A cellular forensic tool shall have the ability to acquire all application supported data elements present in the SIM memory without modification

9.2    Requirements for Optional Features

The following requirements define optional tool features.  If a tool provides the capability defined, the tool is tested as if the requirement were mandatory.  If the tool does not provide the capability defined, the requirement does not apply.

The following optional features are identified:    

• Presentation
• Protection
• Physical acquisition
• Access Card/Radio Isolation Card creation
• Log file creation
• Foreign language character support
• Remaining PIN attempts
• Remaining PUK attempts
• Stand-alone acquisition
• Hashing

9.2.1 Presentation

Requirements CFT-IMO-01 through CFT-IMO-02 apply to Optional Internal Memory Requirements.  Requirements CFT-SIMO-01 through CFT-SIMO-02 apply to Optional SIM Requirements.

CFT-IMO-01  A cellular forensic tool shall have the ability to provide a presentation of acquired data in a human-readable format via a generated report.
CFT-IMO-02  A cellular forensic tool shall have the ability to provide a presentation of acquired data in a human-readable format via a preview pane view.

CFT-SIMO-01 A cellular forensic tool shall have the ability to provide a presentation of acquired data in a human-readable format via a generated report.
CFT-SIMO-02 A cellular forensic tool shall have the ability to provide a presentation of acquired data in a human-readable format via a preview pane view.

9.2.2 Protection

Requirement CFT-IMO-03 applies to Optional Internal Memory Requirements.  Requirement CFT-SIMO-03 applies to Optional SIM Requirements.

CFT-IMO-03  A cellular forensic tool shall have the ability to protect the overall case file and individual data elements from modification.

CFT-SIMO-03 A cellular forensic tool shall have the ability to protect the overall case file and individual data elements from modification.

9.2.3 Physical Acquisition

Requirement CFT-IMO-04 applies to Optional Internal Memory Requirements.  Requirement CFT-SIMO-04 applies to Optional SIM Requirements.

CFT-IMO-04 A cellular forensic tool shall have the ability to perform a physical acquisition of the device’s internal memory without modification for supported devices.

CFT-SIMO-04 A cellular forensic tool shall have the ability to perform an acquisition of the data present on supported Subscriber Identity Modules (SIMs) without modification.

9.2.4 Access Card Creation

Requirement CFT-IMO-05 applies to Optional Internal Memory Requirements.

CFT-IMO-05  A cellular forensic tool shall have the ability to create an access card following manufacturer suggested protocols.

9.2.5 Log Files

Requirement CFT-IMO-06 applies to Optional Internal Memory Requirements.  Requirement CFT-SIMO-05 applies to Optional SIM Requirements.

CFT-IMO-06  A cellular forensic tool shall have the ability to create user-accessible and readable log files outlining the acquisition process.

CFT-SIMO-05 A cellular forensic tool shall have the ability to create user-accessible and readable log files outlining the acquisition process.

9.2.6 Foreign Language

Requirement CFT-IMO-07 applies to Optional Internal Memory Requirements.  Requirement CFT-SIM-06 applies to Optional SIM Requirements.

CFT-IMO-07  A cellular forensic tool shall have the ability to present data objects containing foreign language character sets acquired from the internal memory of the device via the suggested interface (i.e., preview pane, generated report).  Non-ASCII characters shall be printed in their native format (e.g., Unicode UTF-8).

CFT-SIMO-06 A cellular forensic tool shall have the ability to present data objects containing foreign language character sets acquired from the SIM via the suggested interface (i.e., preview pane, generated report).  Non-ASCII characters shall be printed in their native format (e.g., Unicode UTF-8).

9.2.7 PIN Attempts

Requirement CFT-SIMO-07 applies to Optional SIM Requirements.

CFT-SIMO-07 A cellular forensic tool shall have the ability to present the remaining number of CHV1/CHV2 PIN unlock attempts.

9.2.8 PUK Attempts

Requirement CFT-SIMO-08 applies to Optional SIM Requirements.

CFT-SIMO-08 A cellular forensic tool shall have the ability to present the remaining number of PUK unlock attempts.

9.2.9 Stand-alone Acquisition

Requirement CFT-IMO-08 applies to Optional Internal Memory Requirements.

CFT-IMO-08 A cellular forensic tool shall have the ability to acquire internal memory data without modifying data present on the SIM.

9.2.10 Hashing

Requirement CFT-IMO-09 through CFT-IMO-10 apply to Optional Internal Memory Requirements.  Requirement CFT-SIMO-09 through CFT-SIMO-10 apply to Optional SIM Requirements.

CFT-IMO-09 A cellular forensic tool shall have the ability to provide a hash for individual data elements.
CFT-IMO-10 A cellular forensic tool shall have the ability to provide a hash for the overall case file.

CFT-SIMO-09 A cellular forensic tool shall have the ability to provide a hash for individual data elements.
CFT-SIMO-10 A cellular forensic tool shall have the ability to provide a hash for the overall case file.