Definitions

This glossary defines the terms used within this document.

Acquisition – The process by which digital data from a mobile device is copied into an image file.

There are several types of acquisitions:

• Logical acquisition: Extraction of a set of supported digital artifacts from the device memory.
• Selective acquisition: Extraction of a subset of supported digital artifacts from the device memory.
• File system acquisition: Extraction of the file system structure and content from the device memory.
• Physical acquisition: A copy of the device’s physical memory.
• UICC acquisition: Extraction of the supported artifacts from a UICC.
  

Active SQLite data – Table information that comprises the current state of the database (and all associated journal mode files) as the latest successful commit.

Analysis – The examination of acquired data for its significance and probative value.

Associated data – Data (e.g., graphics, address, notes, etc.) that are attached with a specific data object such as an address book entry/Contact, Multimedia Messaging Service (MMS) message,
etc.

Binary Large Object (BLOB) – A Binary Large Object is a string of binary data stored as a single entity within a database management system. BLOBs can typically be images, audio, Plists, or other multimedia objects.

Bluetooth – A wireless protocol that allows two similarly equipped devices to communicate with each other within a short distance (e.g., 9 m).

Boot loader – Software temporarily installed on a mobile device enabling access to perform physical data extraction, including unallocated data areas.

Casefile – A file containing case description data and possibly an image file containing data from an acquisition.

Chip-off – Data extraction that involves physically removing flash memory chip(s) from a mobile device.

Code Division Multiple Access (CDMA) – A spread spectrum technology for cellular networks based on the Interim Standard-95 (IS-95) from the Telecommunications Industry Association
(TIA).

CDMA Subscriber Identity Module (CSIM) – CSIM is an application to support CDMA2000 phones that run on a UICC, with a file structure derived from the Removable User Identity
Module (R-UIM) card.

Data Artifacts – Files or directories stored in the internal memory of a mobile device or UICC such as address book entries, Personal Information Management (PIM) data, call logs, text messages, stand-alone files (e.g., audio, documents, graphic, video).

Deleted File – A file that has been logically, but not necessarily physically, erased from the operating system. Deleting files does not always eliminate the possibility of recovering all or part of the original data.

Electronic Serial Number (ESN) – A unique 32-bit number programmed into CDMA phones when they are manufactured.

Examination – A technical review that makes the evidence visible and suitable for analysis, as well as tests performed on the evidence to determine the presence or absence of specific data.

Feature Phone – A mobile device that primarily provides users with simple voice and text messaging services.

File System – A software mechanism that defines how files are named, stored, organized, and accessed on logical volumes of partitioned memory.

Global Positioning System (GPS) – A system for determining position by comparing radio signals from several satellites.

Global System for Mobile Communications (GSM) – A set of standards for the second-generation cellular networks currently maintained by the 3rd Generation Partnership Project (3GPP).

Internal Memory (IM) – Volatile and non-volatile storage space for user data.

Instant Messages – A facility for exchanging messages in real-time with other people over the internet and tracking the progress of a given conversation.

Integrated Circuit Card ID (ICCID) – The unique serial number assigned to, maintained within, and usually imprinted on the UICC.

International Mobile Equipment Identity (IMEI) – A unique identification number programmed into GSM and the Universal Mobile Telecommunications System (UMTS) mobile devices.

International Mobile Subscriber Identity (IMSI) – A unique number associated with every GSM mobile phone subscriber maintained on a UICC.

Joint Test Action Group (JTAG) – A method for performing a physical data extraction involving connecting to Test Access Ports (TAPs) of supported devices and instructing the processor to transfer the raw data stored on memory chips.

Journal mode – SQLite functionality provides rollback abilities following Atomic, Consistent, Isolated, and Durable (ACID) transactions. This refers to either a -journal or -wal file.

Location Information (LOCI) – The Location Area Identifier (LAI) of the phone’s current location continuously maintained on the UICC when the phone is active and saved whenever the phone is turned off.

Logical acquisition: A bit-by-bit copy of active storage objects (e.g., Address book, Personal Information Management data, Call logs, text messages, stand-alone data files) that reside on a logical store (e.g., a file system partition).

Image File – A file created from the data present on a mobile device. This may be a stand-alone file (e.g., a binary bit-stream image of a digital device memory from a JTAG or chip-off acquisition) or may be embedded in another file (e.g., embedded in a case file).

Mobile Device Tool (MDT) –A tool capable of presenting and possibly acquiring the contents of the internal memory of a mobile device.

Mobile Devices – A hand-held device with a display screen with touch input and/or a keyboard may provide users with telephony capabilities. Mobile devices are used for both phones and tablets throughout this document.

Mobile Equipment Identity (MEID) – An ID number globally unique for CDMA mobile phones that identify the device to the network and can be used to flag lost or stolen devices.

Mobile Subscriber Integrated Services Digital Network (MSISDN) – The international telephone number assigned to a cellular subscriber.

Multimedia Messaging Service (MMS) – An accepted standard for messaging lets users send and receive messages formatted with text, graphics, audio, and video clips.

Personal Information Management (PIM) Applications – A core set of applications that provide the electronic equivalents of such items as an agenda, address book, notepad, and reminder list.

Personal Information Management (PIM) Data – The set of data types such as contacts, calendars, notes, memos, and reminders maintained on a mobile device.

Physical acquisition: A bit-by-bit acquire of the mobile device’s internal memory. This allows the recovery of more deleted data than a logical or file system data acquisition.

Personal Identification Number (PIN) – Many 4 to 8 digits in length are used to secure mobile devices from unauthorized access.

Personal Unblocking Key (PUK) – A key used to regain access to a Universal Integrated Circuit Card (UICC) whose PIN attempts have been exhausted.

Removable User Identity Module (R-UIM) – A card developed for cdmaOne/CDMA2000 handsets that extend the GSM Subscriber Identity Module (SIM) card to CDMA phones and networks.

Rollback journal – This is a file associated with each SQLite database that holds information used to restore the database file to its initial state during the course of a transaction while in journal mode. This file is located in the same directory as the database with the string “-journal” appended to its filename.

Short Message Service (SMS) – A cellular network facility that allows users to send and receive text messages made up of alphanumeric characters on their handset.

Smartphone – A full-featured mobile phone that provides users with personal computer-like functionality by incorporating PIM applications, native, hybrid, and web applications, enhanced internet connectivity, and email.

Stand-alone data – Data (e.g., audio, documents, graphics, video) is not associated with or has not been transferred to the device via MMS message.

SQLite – SQLite is an embedded Structured Query Language (SQL) relational database engine that implements a self-contained, serverless, zero-configuration, transactional SQL database engine.

SQLite Table – A data structure that organizes information into rows and columns. It is used to store and display data in a structured format.

Subscriber Identity Module (SIM) – A smart card chip specialized for use in GSM equipment.

Supported Data Artifacts – Data artifacts (e.g., subscriber, equipment information, PIM data, text messages, stand-alone data, MMS messages, and associated data) that the mobile device forensic tool can acquire according to the tool documentation.

Universal Integrated Circuit Card (UICC) – An integrated circuit card that securely stores the international mobile subscriber identity (IMSI) and the related cryptographic key to identify and authenticate subscribers on mobile devices. A UICC may be referred to as a: SIM, USIM, R-UIM, or CSIM and is used interchangeably with those terms.

UMTS Subscriber Identity Module (USIM) – A module similar to the SIM in GSM/General Packet Radio Service (GPRS) networks, but with additional capabilities suited to 3G networks.

User data – Data stored in the memory of a mobile device.

Volatile Memory – Memory that loses its content when power is turned off or lost.

Write-Ahead Log (WAL) – A file that records SQLite transactions that have been committed but not yet applied to the database. This file is in the same directory as the database with the string “-wal“appended to its filename. As of version 3.7.0 (dated 7/21/2010), this file type is the most commonly used method when SQLite journaling mode is enabled.