Mobile device manufacturers typically offer a similar set of information handling features and capabilities, including Personal Information Management (PIM) applications, messaging and e-mail, and web browsing. The set of features and capabilities varies based on the era in which the device was manufactured, the version of firmware running, modifications made for a particular service provider, and any modifications or applications installed by the user. The potential evidence on these devices may include the following items:
- Subscriber and equipment identifiers
- Date/time, language, and other settings
- Phonebook/Contact information
- Calendar information
- Text messages
- Outgoing, incoming, and missed call logs
- Electronic mail
- Audio and video recordings
- Multi-media messages
- Instant messaging
- Web browsing activities
- Electronic documents
- Social media related data
- Application related data
- Location information
- Geolocation data
Even esoteric network information found on a UICC may prove useful in an investigation. For example, if a network rejects a location update from a phone attempting to register itself, the list of forbidden network entries in the Forbidden PLMNs (Public Land Mobile Networks) elementary file is updated with the code of the country and network involved [3GP07]. This list is maintained on the UICC, and entries are added to it when service is declined by a foreign provider. The mobile device of an individual suspected of traveling to a neighboring country might be checked for this information.
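As an added illustration (not part of the original guide), the following Python decodes the raw contents of the Forbidden PLMNs elementary file into country (MCC) and network (MNC) codes. It assumes the 3-byte, nibble-swapped BCD PLMN layout defined in 3GPP TS 31.102; the function names and sample bytes are constructed for this example.

```python
"""Decode raw bytes read from the Forbidden PLMNs elementary file."""

# Constructed sample (not from a real card): four 3-byte slots,
# two populated and two unused (FF FF FF).
SAMPLE_EF_FPLMN = bytes.fromhex("42F618" "130014" "FFFFFF" "FFFFFF")


def decode_plmn(entry: bytes):
    """Return (mcc, mnc) for one 3-byte entry, or None for an unused slot."""
    if len(entry) != 3:
        raise ValueError("PLMN entry must be exactly 3 bytes")
    if entry == b"\xff\xff\xff":
        return None
    # Each byte holds two BCD digits, low nibble first:
    # n = [mcc1, mcc2, mcc3, mnc3, mnc1, mnc2]
    n = [d for b in entry for d in (b & 0x0F, b >> 4)]
    mcc_digits = n[0:3]
    # A 2-digit MNC is padded with 0xF in the mnc3 position.
    mnc_digits = [n[4], n[5]] + ([] if n[3] == 0xF else [n[3]])
    if any(d > 9 for d in mcc_digits + mnc_digits):
        raise ValueError(f"non-BCD digit in entry {entry.hex()}")
    return ("".join(map(str, mcc_digits)), "".join(map(str, mnc_digits)))


def parse_ef_fplmn(data: bytes):
    """Return (slot, mcc, mnc) for every populated slot in the file."""
    if len(data) % 3:
        raise ValueError("length is not a multiple of 3; truncated read?")
    found = []
    for slot in range(len(data) // 3):
        plmn = decode_plmn(data[slot * 3: slot * 3 + 3])
        if plmn:
            found.append((slot, *plmn))
    return found


if __name__ == "__main__":
    for slot, mcc, mnc in parse_ef_fplmn(SAMPLE_EF_FPLMN):
        print(f"slot {slot}: MCC {mcc} (country), MNC {mnc} (network)")
```

The decoded pairs can then be compared against a published MCC/MNC allocation list to identify the country and operator that declined service.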
The items present on a device are dependent not only on the features and capabilities of the mobile device but also on the voice and data services subscribed to by the user. For example, prepaid phone service may rule out the possibility of multi-media messaging, electronic mail, and web browsing. Similarly, a contract subscription may selectively exclude certain types of service, though the phone itself may support them.
Two types of computer forensic investigations generally take place. The first type is where an incident has occurred, but the offender’s identity is unknown (e.g., a hacking incident). The second is where the suspect and the incident are known (e.g., a child-porn investigation). Prepared with the background of the incident, the forensic examiner and analyst may proceed toward accomplishing the following objectives:
- Gather information about the individual(s) involved (who).
- Determine the exact nature of the events that occurred (what).
- Construct a timeline of events (when).
- Uncover information that explains the motivation for the offense (why).
- Discover what tools or exploits were used (how).
In many instances, the data is peripheral to an investigation or useful in substantiating or refuting an individual’s claims about some incident. On occasion, direct knowledge, motivation, and intention may be established. Most evidence from mobile devices comes from contact data, call data, messaging, pictures, video, social media, or Internet-related information. User applications potentially provide other evidence sources. User files placed on the device for rendering, viewing, or editing are other important evidence sources. Besides graphic files, other relevant file content includes audio and video recordings, spreadsheets, presentation slides, and other similar electronic documents.
Installed executable programs may also have relevance in certain situations. Often the most important data recovered is that which links to information held by the service provider. Service providers maintain databases for billing or debiting accounts based on call logs, which can be queried using the subscriber or equipment identifiers. Similarly, undelivered SMS text messages, multi-media, or voice messages may also be recoverable. This may allow an examiner to validate their findings, since the data obtained from the device may be verified against the data obtained from the service provider.
22 For more information, visit: http://transition.fcc.gov/pshs/services/911-services/enhanced911/archives/factsheet_requirements_012001.pdf.