Advanced Cell phone forensics at the lowest level
As more new cell phone technologies emerge, the digital forensics science has no record of published information on the specific protocols used for forensic acquisition and analysis of cell phones, PDAs, and smart phones. There are new cell phone technologies including OBEX, FBUS, SYNCML, BREW, and IDEN which are not disclosed to the public and law enforcement. Since cellular phones forensics is proprietary, it makes the process difficult. Therefore, there needs to be a way to acquire this information and display in a meaningful way for law enforcement and the respective authorities. The purpose is to penetrate cell phones using advanced cell phone forensics and data recovery at the lowest level.
This paper will give a short overview of the suggestions of processing forensics at the lowest level while analyzing these technologies.
Brew stands for Binary Runtime Environment for Wireless. It was developed by Qualcomm as an application development platform in 2001 for CDMA, GSM/GPRS, and UMTS mobile cellular devices. Currently the latest version is BREW 3.1 version. Brew is being platform independent, is used for programming applications, games, wireless implementations, sending messages, and etc. BREW Application Execution Environment (AEE) must be present on the phone in order for BREW to run. A function in BREW that allows for a sending SMS commands is ‘ITAPI_SendSMS’. Often Brew is compared to J2ME since most of Europe uses J2ME while BREW is used in the U.S. and Japan.
Hayes AT Commands and Diagnostic mode
Diagnostic mode is a certain state of the cell phone where deeper functions and information of a phone may be accessed. Typically called “DM mode”, phones before they can be fully extracted are put in “DM mode” first. BitPim a program for extracting data from CDMA phones uses this mode on phones before tapping into the data and file system. Since most cell phones can function as a modem, AT commands can be executed to perform certain functions and information reporting. For CDMA phones, via Hyperterminal, the command “AT$QCDMG” allows for some CDMA phones to be put into diagnostic mode. BitPim also has this functionality automatically incorporated into its program. To utilize a Brew environment via Hyperterminal, the command ‘AT$BREW’ may allow some phones to go into Brew mode. Typically BitPim first changes the phone into DM mode before entering Brew mode to perform extraction and functions.
Bitpim is a open source program that runs on the Python programming language while extracting forensic information such as phonebook, calls made, SMS, and etc from many CDMA phones. Some of the features of Bitpim allow users to access the file system in hex code.
According to Embedtronics, Nokia “FBUS is a bi-directional serial type bus running at 115,200bps, 8 data bits.” Gnokii is an open source program that allows more capability than Hayes AT commands on Nokia AT compatible phones and has many functions such as: identifying a phone, read memory status, read SMS messages, read/write bitmaps, read network info, create/delete SMS folders, read RF/battery level, and etc.
Significance to Investigation
Although Hayes AT commands can extract a significant amount of data acquisition data, protocols such as BREW and FBUS, allows forensic investigators to process cell phones further and with more options. As many protocols are still making there way to investigators, this paper helps to identify data acquisition at the lowest level.
The purpose of this paper was to penetrate cell phone suing advanced cell phone forensics and data recovery at the lowest level. Technical specifications of FBUS and BREW were described to assist law enforcement and the Purdue Cyber forensics program.