Upload: marlene-davis

Post on 24-Dec-2015


UNIT V

Dept. of Computer Engg., SKNCOE

Contents

1. Digital Evidence on Windows systems

2. Digital Evidence on Unix systems

3. Digital Evidence on Mobile Devices

4. Intellectual Property Rights


1. Digital Evidence on Windows systems

5.1 File Systems

5.2 Data Recovery

5.3 Log Files

5.4 Registry

5.5 Internet Traces

5.6 Program Analysis


1. Digital Evidence on Windows systems

• Given the popularity of Microsoft Windows, digital investigators will encounter these systems as sources of digital evidence.

• Powerful commercial forensic tools have been developed to facilitate the forensic examination of Windows systems.

• These tools can be used by individuals with limited knowledge and experience to perform complex operations.

• Understanding file systems helps appreciate how information is arranged, giving insight into where it can be hidden on a Windows system and how it can be recovered and analyzed.

• Given the variety of Windows operating systems and applications, it is not possible to describe or even identify every possible source of information that might be useful in an investigation.

5.1 File Systems

• The simplest Windows file systems to understand are the FAT (file allocation table) file systems: FAT12, FAT16, and FAT32.

• Although relatively old, FAT file systems are still used on many storage systems such as removable storage media in digital cameras and mobile devices.

• Given their widespread use and simple structure, FAT file systems are a good starting point for forensic analysts to understand file systems and recovery of deleted data.

• File system types:

1. FAT

2. NTFS

5.1.1 FAT File Systems

• A FAT formatted volume uses directories and tables to organize files and folders.

• The root folder (e.g., C:\) is at a pre-specified location on the volume so that the operating system knows where to find it.

• On FAT, the creation date-time stamp is more precise than other date-time stamps.

• However, FAT file systems do not record the last accessed time, only the last accessed date.

• In addition to indicating where the file begins, the starting cluster directs the operating system to the appropriate entry in the FAT.

• The FAT can be thought of as a list with one entry for each cluster in a volume.

• Each entry in the FAT indicates what the associated cluster is being used for.

• When a file is deleted, the corresponding entry in the FAT is set to zero.

• If a FAT entry is greater than zero, this is the number of the next cluster for a given file or folder.

• For instance, the root folder indicates that file “skyways-getafix.doc” begins at cluster 184.

• The associated FAT entry for cluster 184, shown in bold, indicates that the file is continued in cluster 185.

• The FAT entry for cluster 185 indicates that the file is continued in cluster 186, and so on, until the end-of-file (EOF) marker in cluster 225 is reached.

• In this example, cluster 226 relates to a different file (“todo.txt”) that occupies only one cluster and therefore does not need to reference any other clusters and simply contains an EOF.

• Subdirectories are just a special type of file containing information such as names, attributes, dates, times, sizes, and the first cluster of each file on the system.

• When an individual instructs a computer to open a file in a subfolder (e.g. “C:\skncoe\unit5.ppt”), the operating system goes to the root folder, determines which cluster contains the desired subfolder (cluster for “skncoe”), and uses the folder information in that cluster to determine the starting cluster of the desired file.

• The folder also contains long file names and the cluster associated with the entries is not the actual starting cluster.

• If the file is larger than one cluster, the operating system refers to FAT for the next cluster for this file.

• The entire file is read by repeating this “chaining” process until an EOF marker is reached.
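As an added example (not code from the original slides), the following Python builds an in-memory FAT matching the chain described above, “skyways-getafix.doc” from cluster 184 to the EOF at cluster 225 and “todo.txt” in cluster 226, walks it, and then shows what deletion does to the chain and how a contiguous-cluster recovery heuristic can still reassemble the file. The EOF marker value and the 300-cluster volume size are assumptions.

```python
# Added example: in-memory FAT chain walking (not code from the original slides).
FREE = 0x0000          # a zeroed entry: cluster is unallocated (or freed by deletion)
EOF = 0xFFFF           # end-of-file marker; the exact value is an assumption (FAT16-style)


def build_sample_fat(total_clusters=300):
    """Constructed FAT matching the slide: 184 -> 185 -> ... -> 225 (EOF), 226 = EOF."""
    fat = [FREE] * total_clusters
    for cluster in range(184, 225):
        fat[cluster] = cluster + 1      # entry holds the number of the next cluster
    fat[225] = EOF                      # last cluster of "skyways-getafix.doc"
    fat[226] = EOF                      # "todo.txt" fits in a single cluster
    return fat


def follow_chain(fat, start):
    """Return the ordered list of clusters for the file whose directory entry
    gives `start` as its starting cluster.

    Raises ValueError when the chain is broken: a free (zeroed) entry, an
    out-of-range cluster number, or a loop. All three are what an examiner sees
    when a directory entry still points at clusters that were freed or reused.
    """
    chain, seen = [], set()
    cluster = start
    while True:
        if cluster < 2 or cluster >= len(fat):       # data clusters start at 2
            raise ValueError(f"cluster {cluster} is outside the volume")
        if cluster in seen:
            raise ValueError(f"FAT loop detected at cluster {cluster}")
        seen.add(cluster)
        chain.append(cluster)
        nxt = fat[cluster]
        if nxt == EOF:
            return chain
        if nxt == FREE:
            raise ValueError(f"chain broken at cluster {cluster}: next entry is free")
        cluster = nxt


def delete_file(fat, start):
    """Emulate deletion: every FAT entry of the chain is set to zero while the
    directory entry (and therefore `start`) is left in place."""
    for cluster in follow_chain(fat, start):
        fat[cluster] = FREE


def recover_contiguous(fat, start, size_in_clusters):
    """Recovery heuristic for a deleted file: assume its clusters were
    contiguous from `start` and are all still free. Returns the candidate
    cluster list, or None if any cluster has since been reallocated."""
    candidate = list(range(start, start + size_in_clusters))
    if all(c < len(fat) and fat[c] == FREE for c in candidate):
        return candidate
    return None


if __name__ == "__main__":
    fat = build_sample_fat()
    print("skyways-getafix.doc:", follow_chain(fat, 184))
    print("todo.txt:", follow_chain(fat, 226))
    delete_file(fat, 184)
    print("after deletion, recoverable:", recover_contiguous(fat, 184, 42))
```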

5.1.2) NTFS File Systems

• NTFS is significantly different from FAT, storing file system information in several system files including a Master File Table (named $MFT), supporting larger disks more efficiently (resulting in less slack space), and providing file and folder level security using Access Control Lists (ACLs).

• NTFS stores a copy of the $BOOT system file at both the beginning and end of the volume.

• In addition, a copy of the first four records in the $MFT file is stored in another system file named $MFTMIRR (MFT Mirror). The MFT Mirror, as shown in computer forensics tools, is a partial backup of the MFT containing the first four NTFS system file records. It is designed for error handling, and can allow recovery of deleted partitions located in the middle of the volume.

• These copies of information can be useful from a forensic perspective when attempting to recover files.

• The $MFT contains a list of records, each 1024 bytes in length, that store most of the information needed to locate data on the disk.

• Each entry in the $MFT represents a file or folder, and stores associated attributes including $STANDARD_INFORMATION and $DATA.

• The $STANDARD_INFORMATION attribute stores the created, last modified, and last accessed dates and times.

• The $DATA attribute either contains the actual file contents of small files (called resident files) or the location on disk of large files (non-resident files)

• NTFS creates MFT entries as they are needed and, when a file is deleted, NTFS simply marks the associated MFT entry as deleted and available for a new file.

• It is possible to recover all of the information about a deleted file from the MFT entry, including the data for resident files and the location of data on disk for non-resident files.

• However, recovering deleted files in NTFS can be complicated by the fact that unused entries in the MFT are reused before new ones are created.

• Therefore, when a file is deleted, the next file that is created may overwrite the MFT entry for the deleted file.


5.2 Data Recovery

• It is important to understand the underlying process of recovery in order to explain it in court or perform it manually in situations where the tools are not suitable.

• There are two main forms of data recovery in FAT and NTFS file systems: recovering deleted data from unallocated or slack space.

• On NTFS, when a deleted file is recoverable, the process is generally more reliable because the MFT entry for each file contains a list of clusters that were allocated to the file. Therefore, it is possible to recover files that are fragmented.

• The process of recovering deleted directories involves searching unallocated space at the beginning of all directories.

5.2.1 Windows-Based Recovery Tools

• The recovery process is time consuming and must be performed on a working copy of the original disk.


• Tools like EnCase, FTK, and X-Ways can use a bitstream copy of a disk to display a virtual reconstruction of the file system, including deleted files, without actually modifying the FAT.

• Most Windows-based forensic tools can also be used to recover deleted files on NTFS volumes.

5.2.2 Unix-Based Recovery Tools

• Tools such as the Sleuth Kit and SMART can be used to recover deleted files from FAT and NTFS file systems.

• Slack space can be recovered from FAT and NTFS systems using the “dls -s” command.

5.2.3 File Carving with Windows

• Forensic tools such as EnCase, FTK, and X-Ways have file carving functionality and can be configured with user-defined file headers and footers.

• In addition, specialized file carving tools such as DataLifter can recover many types of files including graphics, word processing, and executable files.


5.2.4 Dealing with Password Protection and Encryption

• It is usually desirable for digital investigators to overcome password protection or encryption on a computer they are processing.

• In some cases a hexadecimal editor like X-Ways can be used to simply remove the password within a file.

5.3 Log Files

• A major goal is to determine which account was used, and log files can record which account was used to access a system at a given time.

• User accounts allow two forms of access to computers:

1. interactive login

2. access to shared resources.

• Both forms of access can significantly expand the pool of suspects in an investigation.

• If illegal materials are found on a computer, individuals with legitimate access to the computer are the obvious suspects.

• However, there is the possibility that someone gained unauthorized access to the computer and stored illegal materials on the disk.

• Similarly, if secret information is stolen from a computer system or a computer is used to commit a crime, it is possible that someone gained unauthorized access to the computer.

• System log files can contain the information about user accounts that were used to commit a crime and can show that a user account might have been stolen.


5.4 Registry

• Windows systems use the Registry to store system configuration and usage details in what are called “keys.”

• Windows 95 and 98 use “system.dat” and “user.dat”; Windows NT/2000/XP store the Registry files under “%systemroot%\system32\config”.

• RegRipper, EnCase and FTK can be used to extract specific information from Registry files.

• Registry keys are stored in hexadecimal format but can be converted to ASCII and saved to a text file using the “Save Subtree As” File menu option of regedt32.


• For instance, the following Registry key shows the names of files that were played recently using Windows Media Player (“<sid>” is substituted for the security identifier of the user on the system):

Key Name: HKEY_USERS\<sid>\Software\Microsoft\MediaPlayer\Player\RecentURLList
Class Name: <NO CLASS>
Last Write Time: 5/9/2003 - 1:48 PM
Value 0
Name: URL0
Type: REG_SZ
Data: H:\song\movie1.avi
Value 1
Name: URL1
Type: REG_SZ
Data: H:\song\movie2.avi
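As an added example (not code from the original slides), the Python below parses the text layout that regedt32’s “Save Subtree As” produces, using the field labels shown in the listing above, into structured records, so that recently used file names and last-write times from many keys can be searched or placed on a timeline. The sample export is constructed from the RecentURLList entry on the slide; the regular expressions and the date format are assumptions.

```python
# Added example: parser for regedt32 "Save Subtree As" text exports
# (not code from the original slides; the field labels follow the slide's listing).
import re
from datetime import datetime

# Constructed sample, laid out as the slide shows the RecentURLList key.
SAMPLE_EXPORT = """\
Key Name: HKEY_USERS\\<sid>\\Software\\Microsoft\\MediaPlayer\\Player\\RecentURLList
Class Name: <NO CLASS>
Last Write Time: 5/9/2003 - 1:48 PM
Value 0
Name: URL0
Type: REG_SZ
Data: H:\\song\\movie1.avi
Value 1
Name: URL1
Type: REG_SZ
Data: H:\\song\\movie2.avi
"""

_FIELD = re.compile(r"^\s*(Key Name|Class Name|Last Write Time|Name|Type|Data):\s*(.*?)\s*$")
_VALUE = re.compile(r"^\s*Value\s+(\d+)\s*$")


def parse_subtree(text):
    """Return a list of keys; each key is a dict with path, class, last_write
    (datetime or None) and a list of value dicts (index, name, type, data)."""
    keys, key, value = [], None, None
    for line in text.splitlines():
        m = _VALUE.match(line)
        if m:
            if key is None:
                raise ValueError("Value block before any Key Name")
            value = {"index": int(m.group(1)), "name": None, "type": None, "data": None}
            key["values"].append(value)
            continue
        m = _FIELD.match(line)
        if not m:
            continue                                   # blank or unrecognised line
        field, data = m.group(1), m.group(2)
        if field == "Key Name":
            key = {"path": data, "class": None, "last_write": None, "values": []}
            keys.append(key)
            value = None
        elif key is None:
            raise ValueError(f"{field} before any Key Name")
        elif field == "Class Name":
            key["class"] = data
        elif field == "Last Write Time":
            # regedt32 writes the local time as M/D/YYYY - H:MM AM/PM (assumed format)
            key["last_write"] = datetime.strptime(data, "%m/%d/%Y - %I:%M %p")
        elif value is not None:
            value[field.lower()] = data                # name / type / data


    return keys


def string_values(keys):
    """Flatten to (last_write, key path, value name, data) rows for REG_SZ values,
    the shape an examiner would drop into a timeline or keyword search."""
    rows = []
    for key in keys:
        for v in key["values"]:
            if v["type"] == "REG_SZ":
                rows.append((key["last_write"], key["path"], v["name"], v["data"]))
    return rows


if __name__ == "__main__":
    for row in string_values(parse_subtree(SAMPLE_EXPORT)):
        print(row)
```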


5.5 Internet Traces

• Accessing the Internet leaves a wide variety of information on a computer including Web sites, contents viewed, and newsgroups accessed.

• Additionally, some Windows systems maintain a log of when the modem was used and some Internet dial-up services maintain detailed logs of connections.

5.5.1 Web Browsing

• When an individual first views a Web page, the browser caches the page and associated elements such as images on disk.

• The number of times that a given page was visited is recorded in some Web browser history databases.

• Firefox 3 maintains a database of Web sites visited in a SQLite file named “places.sqlite”.

• Internet Explorer maintains similar information in files named “index.dat”.

• Some Web sites redirect browsers to different locations and even make unauthorized changes to a system.


• Web browsers also store temporary files in a cache folder to enable quicker access to frequently visited pages.

• Even after these temporary files are deleted, they can be recovered to reveal a significant amount of information such as Web-based e-mail

• Some Web sites keep track of an individual’s visits and interests by placing information in cookie files associated with the Web browser.

5.5.2 Usenet Access

• In addition to storing all of the URLs that have been accessed, Web browsers with Usenet readers keep a record of which Usenet newsgroups have been accessed.

• The following contents of a “news.rc” file show newsgroups that were subscribed to:


5.5.3 E-mail

• E-mail clients often contain messages that have been sent from and received at a given computer.

• While Netscape and Eudora store e-mail in plain text files, Microsoft Outlook, Outlook Express, IBM Lotus Notes, Novell GroupWise, and America Online (AOL) use proprietary formats that require special tools to read.

5.5.4 Other Applications

• Yahoo Pager, AOL IM, and other Instant Messenger programs do not retain archives of messages by default but may be configured to log chat sessions.

• Information can be obtained from the hard disk or by monitoring the network traffic.

5.5.5 Network Storage

• An important component of any forensic examination is identifying any remote locations where digital evidence may be found.


• A victim might maintain a Web site or an offender may transfer incriminating data to another computer on the Internet or a home or corporate network.

• In addition to storing e-mail, some ISPs give their customers storage space for Web pages and other data.


5.6 Program Analysis

• When performing a functional reconstruction of a system or application to gain a better understanding of associated digital evidence, it is often desirable to perform empirical testing.

• For instance, when investigating a computer intrusion, it may be useful to analyze a malicious program.

• The three primary approaches to analyzing a program are to (a) examine the source code, (b) view the program in compiled form, and (c) run the program in a test environment.

• A simple method of running a program in a test environment for program analysis is to use VMware.

• Once a suitable test environment has been created, it is advisable to create a baseline of the system.

• In some cases, it may be desirable to observe processes and network traffic related to a given program.

2. Digital Evidence on UNIX Systems

• UNIX Evidence Acquisition Boot Disc

• File Systems

• Overview of Digital Evidence Processing Tools

• Data Recovery

• Log Files

• File System Traces

• Internet Traces


2.1 UNIX Evidence Acquisition Boot Disc

• Linux systems provide an excellent platform for forensic examination with the tools they include.

• Notably, an evidence acquisition boot disk with Linux for Intel-based systems can be used to boot and access a Windows computer.

• For instance, Helix (http://www.e-fense.com/) is a bootable Linux CD-ROM that can be used to acquire evidence from Intel-based systems.

2.2 File Systems

• Common UNIX file systems are Reiser, ext2, and ext3 (Extended File Systems 2 and 3), which have similar structures.

• Directories are simpler than their Windows counterparts, containing only a list of filenames and their associated inode (index node) numbers; the inode contains all information about the file apart from its name.


• each block group contains duplicates of critical file system components, that is, the superblock and group descriptors, to facilitate recovery if the primary copy is damaged

• The superblock contains information about the file system such as block size, number of blocks per block group, the last time the file system was mounted, last time it was written to, and the sector of the root directory’s inode.

• Group descriptors for all of the block groups are duplicated in each block group in case of file system corruption

• If the inode table itself is damaged, it becomes more difficult to reconstruct the files in that block group.


2.3 Overview of Digital Evidence Processing Tools

• Linux contains many useful utilities that are designed to work together—the output of one tool can be fed into another tool easily. This ability to pipe output from one program into another creates great flexibility.

• Linux supports many file system types and can be used to examine media from UNIX, Windows, Macintosh, and other more

• Linux is open source, creating a large technical support base and allowing digital evidence examiners to verify and augment its operation.

• The grep command on Linux provides keyword search capability. Once a system with useful evidence has been identified, a full bitstream copy can be made.

• When dealing with hard drives that have multiple partitions, it is advisable to make a bitstream copy so original drive is preserved


2.4 Data Recovery

• UNIX does not have file slack space. When UNIX creates a new file, it writes zeros to the remainder of the last block and marks the unused blocks as unallocated.

• Some tools, such as testdisk and gpart, are available for recovering deleted partitions on UNIX and Windows systems.

• There are only a few tools, such as tarfix, fixcpio, tarx, and tar-aids, for repairing damaged files on UNIX.

2.4.1 UNIX-Based Tools

• One approach to recovering deleted files on UNIX systems is to search for inodes and recover the associated data.

• Once the inode number of a deleted file is known, the contents of the file can be accessed using icat.

• The SMART tool also uses this approach to recover deleted files.


2.4.2 Windows-Based Tools

• Forensic Toolkit (FTK) recovers deleted files and folders from ext2 file systems into an area called “[orphan]”.

• The tool uses inode numbers to reference recovered items and provides convenient representations of recovered files such as a deleted TAR file.

2.4.3 File Carving with UNIX

• The foremost tool can be instructed to search for any type of file by adding the appropriate header and footer information to its configuration file, “foremost.conf”.

• Another approach to recovering data is implemented in Lazarus from TCT.

• Lazarus automatically classifies digital data in the following way:

1. Read a chunk of data (default 1k).

2. Determine if the chunk is text or binary data:

a. If text, attempt to classify it on the basis of its contents (e.g., html).

b. If binary, attempt to classify it using the UNIX file command.


3. If the chunk was successfully classified, compare it with the previous chunk:

a. If they are of the same class, assume they are in the same file.

b. If they are not of the same class, assume they are in different files.

4. If the chunk was not successfully classified, compare it with the previous chunk:

a. If they are of the same type (binary or text), assume they are in the same file.

b. If they are of different types (binary or text), assume they are in different files.
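As an added example (not Lazarus itself and not code from the original slides), the Python below re-implements the four classification rules listed above over a constructed block of unallocated data: 1k chunks, text/binary detection, content-based classification of text (html only) and a small magic-number table standing in for the UNIX file command, then grouping of consecutive chunks into files. The 95% printable threshold and the magic table are assumptions.

```python
# Added example: a minimal re-implementation of the Lazarus classification rules
# listed above (not Lazarus itself, and not code from the original slides).
CHUNK = 1024                                   # rule 1: default chunk size of 1k
_TEXT_BYTES = frozenset(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}

# Stand-in for the UNIX `file` command: a few well-known magic numbers (assumption).
_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG": "png",
    b"\x7fELF": "elf",
    b"PK\x03\x04": "zip",
}


def is_text(chunk):
    """Rule 2: treat the chunk as text if (almost) all bytes are printable ASCII
    or ordinary whitespace; the 95% threshold is an assumption."""
    printable = sum(1 for b in chunk if b in _TEXT_BYTES)
    return printable >= 0.95 * len(chunk)


def classify(chunk):
    """Return (kind, cls): kind is "text" or "binary", cls is a class name or
    None when the chunk could not be classified (rules 2a and 2b)."""
    if is_text(chunk):
        lowered = chunk.lower()
        if b"<html" in lowered or b"<body" in lowered or b"</" in lowered:
            return "text", "html"
        return "text", None
    for magic, name in _MAGIC.items():
        if chunk.startswith(magic):
            return "binary", name
    return "binary", None


def lazarus(data):
    """Group consecutive chunks into files using rules 3 and 4.
    Returns a list of (label, start_offset, length) tuples."""
    files, prev = [], None                      # prev = (kind, cls) of last chunk
    for offset in range(0, len(data), CHUNK):
        chunk = data[offset:offset + CHUNK]
        kind, cls = classify(chunk)
        if prev is None:
            same_file = False
        elif cls is not None:                   # rule 3: classified -> compare class
            same_file = cls == prev[1]
        else:                                   # rule 4: unclassified -> compare type
            same_file = kind == prev[0]
        if same_file:
            label, start, length = files[-1]
            files[-1] = (label, start, length + len(chunk))
        else:
            files.append((cls or kind, offset, len(chunk)))
        prev = (kind, cls)
    return files


def build_sample():
    """Constructed unallocated-space image: 2 KiB of HTML, a 2 KiB JPEG-like
    blob whose second chunk carries no magic, then 1200 bytes of plain text."""
    html = b"<html><body>" + b"A" * 2022 + b"</body></html>"          # 2048 bytes
    jpeg = (b"\xff\xd8\xff\xe0" + bytes(range(256)) * 8)[:2048]      # 2048 bytes
    notes = b"plain notes\n" * 100                                    # 1200 bytes
    return html + jpeg + notes


if __name__ == "__main__":
    for label, start, length in lazarus(build_sample()):
        print(f"{label:6s} offset={start:5d} length={length}")
```

The second JPEG chunk is unclassified binary, so rule 4 keeps it with the preceding jpeg chunk, while the first text chunk after it starts a new file.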

2.4.4 Dealing with Password Protection and Encryption

• A cluster of UNIX systems, called a “Beowulf cluster,” can be used to attempt to break weak encryption, but this approach is rarely effective against strong encryption like PGP.

• On a UNIX system, it may be possible to bypass the logon password by booting into single user mode; in other cases, password recovery tools are used.


2.5 Log Files

• Logons and logoffs, or any event on a UNIX computer for that matter, can create entries in one or more system log files.

• Additionally, servers running on UNIX machines may have logs that can be useful for reconstructing events.

2.6 File System Traces

• Applications can leave traces on disk either directly in temporary files or indirectly through swap space.

• UNIX systems have a “/proc” file system with information relating to processes running in memory that can be useful for gaining a more complete picture of what was occurring on a system.

• When a file is added to or moved out of a directory, the inode change time of the directory listing (“.”), as well as the last modified and accessed times, is updated.


• Digital investigators can focus on these periods of high activity, looking for related log files and other data that may help them determine what occurred.


2.7 Internet Traces

• UNIX was specifically designed with networking in mind and has many applications for accessing the Internet.

2.7.1 Web Browsing

• The most common Web browser on UNIX systems is Mozilla Firefox.

• Details such as the date and time a particular Web site was accessed are stored in other tables in the places.sqlite database.

• On versions of UNIX that use the Netscape browser, a history of Web sites that were accessed is stored in a Berkeley DB file called “history.dat,” and information about cache files is stored in a Berkeley DB file called “index.db.”

2.7.2 E-mail

• On UNIX systems that receive e-mail, incoming messages are held in “/var/spool/mail” in separate files for each user account until a user accesses them.


• Outgoing messages are stored temporarily in “/var/spool/mqueue/mail” but are generally deleted after they are sent.

• Incoming and outgoing e-mail messages may also be stored in files under the home directories of each user.

• UNIX generally stores e-mail in text files, making them easier to process.

2.7.3 Network Traces• As with Windows, individual applications like ncftp retain logs when

used to transfer files from remote computers and SSH can store a list of public keys for each host that was accessed in files named “known_hosts.”

• UNIX computers can be configured to send logs to remote systems in /etc/syslog.conf.

• Additionally, the /etc/printcap file is used to send print jobs to remote systems.


3. Digital Evidence on Mobile Devices

3.1 Mobile Device Forensics

3.2 Types of Evidence on Mobile Devices

3.3 Handling Mobile Devices as Sources of Evidence

3.4 Forensic Preservation of Mobile Devices

3.5 Forensic Examination and Analysis of Mobile Devices

3.6 Forensic Acquisition and Examination of SIM Cards

3.7 Investigative Reconstruction Using Mobile Devices

3.8 Future Trends


3. Digital Evidence on Mobile Devices

• Mobile devices are an integral part of people’s daily lives, effectively providing a computer in a pocket.

• These handheld devices can contain personal information, which creates opportunities for criminals and investigators alike.

• They can help address the crucial questions in an investigation, revealing whom an individual has been in contact with, what they have been communicating about, and where they have been.

3.1 Mobile Device Forensics

• Mobile devices are dynamic systems that present challenges from a forensic perspective.

• Five new phone models are released every week; this growing number and variety of mobile devices makes it difficult to develop a single process or tool to address all eventualities.

• As with any computer, interacting with a mobile device can destroy or alter existing evidence.


• The underlying reason for this persistence of deleted data on mobile devices is in the use of Flash memory chips to store data. Flash memory is physically durable against impact, high temperature, and pressure, making it more difficult to destroy.

3.1.1 Fundamentals of Mobile Device Technology

• A mobile device has inputs and outputs through which operations are performed.

• To perform a more advanced examination, specially designed tools are needed to interface with the device.

• Specific information can be acquired from a mobile device via a cable.

• Mobile devices use radio waves to communicate over networks. Network types are: 1. GSM, 2. CDMA, and, in the US, iDEN.

• GSM devices are assigned a unique number called the International Mobile Equipment Identity (IMEI), which includes a serial number for the device. On CDMA phones, the Electronic Serial Number (ESN) is an 11-digit number with the first three digits designating the manufacturer and the remainder unique to the device.


3.1.2 SIM Cards

• GSM devices use SIM cards to authenticate with the network and store various information, including some user-generated activities.

• SIM cards are comprised of a microprocessor, ROM, and RAM, and are assigned a unique Integrated Circuit Card Identifier (ICC-ID).

• The ICC-ID contains the 1. mobile country code (MCC), 2. mobile network code (MNC), and 3. serial number of the card.

• The SIM card contains information relating to the network and user, including an authentication key needed to establish a connection with the network, the subscriber’s personal identification number (PIN) and the subscriber’s phone number, which is called the Mobile Subscriber ISDN (MSISDN).


• The SIM also contains an International Mobile Subscriber Identity (IMSI) that is uniquely associated with the subscriber and is comprised of a country code, a mobile network code, and subscriber identification number.

• A SIM card may also contain a Temporary Mobile Subscriber Identity (TMSI) and Location Area Identity (LAI). The TMSI is often used over the radio link


3.2 TYPES OF EVIDENCE ON MOBILE DEVICES

• The forensic benefit of mobile devices in an investigation varies, depending on the criminal acts being investigated, the capability of the mobile device, and how it has been used.

• Data associated with mobile phones is found in a number of locations: embedded memory, attached removable memory, and the Subscriber Identity Module (SIM) card.

• When a mobile device is encountered, it is advisable to determine its full functionality to get a better sense of what types of digital evidence it may contain.

3.2.1 Location Information

• Some mobile devices record the location of cellular towers they contacted, potentially providing a historical record of the user’s

• GPS-enabled devices may also contain remnants of past locations and maps that can be useful in an investigation.


3.2.2 Malicious Code on Mobile Devices

• Mobile devices are becoming prime targets for computer criminals seeking to steal money or valuable information; for instance, a fake banking application for Android devices.

• More sophisticated malware allows criminals to intercept SMS messages associated with online banking transactions, enabling them to steal money directly.

• In addition, programs are available to monitor activities on mobile devices; these programs are sometimes called spouseware.

• One such service is MobileSpy, through which activities on the mobile device can be viewed online.


3.2.3 Thinking Outside of the Device

• Digital investigators must always keep in mind that mobile devices can connect to various networks via cellular towers, WiFi access points, and Bluetooth.

• The networked nature of mobile devices creates opportunities and dangers from a forensic standpoint.

• Network service providers may provide information for consistency with the data extracted from the phone.

• Digital investigators can obtain information about online accounts that have been used on mobile devices to connect with cloud-based services such as Gmail.

• Digital investigators can also use information from mobile devices to learn more about the user’s social network.


3.3 HANDLING MOBILE DEVICES AS SOURCES OF EVIDENCE

• Recall that the purpose of a forensically sound process is to document that the evidence is what you claim and has not been altered or substituted since collection.

• At a minimum, all steps taken to extract data should be recorded to support transparency and repeatability, enabling others to assess and repeat your work.

• The steps are: 1. Verify (MD5), 2. Acquisition, 3. Documentation.

• Some devices can receive data through wireless networks, which might bring new evidence but might also overwrite existing data.

• An investigator must make a calculated decision to either prevent or allow the device to receive new data over wireless networks, as depicted in Figure 20.10.


FIGURE 20.10 Flowchart of handling mobile devices.


3.4 FORENSIC PRESERVATION OF MOBILE DEVICES

• Given the variety of mobile devices, it should come as no surprise that there is no single, standardized method of accessing all of them to extract data using software or hardware.

• The fact is that no single tool will cover all mobile devices, nor will a single tool cover all situations. The currently available methods for extracting data from mobile devices are summarized in Table 20.2.

• It is generally advisable to acquire data from a mobile device using two or more of the methods in Table 20.2 in order to compare the results to ensure the information

• The most common automated method of accessing devices is using a data cable, followed by a wireless means such as Bluetooth.

• Be aware that a blank or broken display may simply indicate that the screen is damaged, and it may still be possible to extract evidence via cable.


3.4.1 Mobile Device Forensics Tools

• Forensic tools are in constant development to provide a convenient means of extracting specific data from various mobile devices, typically logically via cable, infrared, and Bluetooth or physically via cable or JTAG.

• All of these tools function in a similar way, sending commands to the phone and recording responses that contain information stored in the phone’s memory.

• The information that can be extracted using these methods depends on both the connection mechanism and model of the phone.

• Vendor synchronization systems can also be used.

• Tools are:

1. MicroSystemation XRY

2. Cellebrite Universal Forensic Extraction Device (UFED), a self-contained, portable mobile phone extraction device

3. Logicube CellDEK

4. MOBILedit!


3.4.2 Software Agents

• Some forensic tools transfer and run an executable, commonly called a software agent, on the mobile device in order to acquire data from the device.

• This provides a degree of trust and control over the process.

• It may be necessary to explain that the acquired digital evidence is trustworthy despite any concerns raised by the use of a software agent on the device.

3.4.3 Bootloaders

• When a mobile device is powered on, the first code it executes is called a boot loader. This code has very basic functionality and is comparable to the BIOS on Intel computers.

3.4.4 Flasher Boxes

• Flasher boxes can also dump the contents of physical memory from mobile devices.

• The Twister Flasher box can read the physical memory from a variety of mobile devices, including many Nokia models.


3.4.5 JTAG

• JTAG (Joint Test Action Group) refers to the IEEE 1149.1 standard.

• The JTAG standard specifies an interface for standardized approaches to test integrated circuits and interconnections between components, and a means of observing and modifying circuit activity during a component’s operation.

• JTAG is common across multiple device manufacturers and there are multiple devices that extract memory structures through JTAG.

3.4.6 Chip-off Extraction

• Extracting the memory chips from a phone and reading them directly is by far the most exacting extraction method, but has the advantage of accessing the data in the most direct manner.

• The output from chip extraction is forensically the cleanest, relying on no intermediate communications systems or on the device in any way.


3.5 FORENSIC EXAMINATION AND ANALYSIS OF MOBILE DEVICES

• The purpose is to find and extract information related to an investigation, including deleted data.

• Whether data from a mobile device was acquired logically or physically:

■ Survey the available items to become familiar with the main sources of information on the mobile device.

■ Recover any deleted items including files, SMS messages, call logs, and multimedia.

■ Harvest metadata from active and recovered items such as date-time stamps, file names, and whether messages were read and calls were incoming, outgoing, or missed.

■ Conduct a search and methodical inspection of the evidence, including keyword searches for any specific, known details related to the investigation.


3.5.1 File System Examination on Mobile Devices

• All mobile devices have some form of file system, ranging from simple, proprietary ones to more complex, standard ones.

• The file system on many CDMA devices can be viewed using BitPim.

• Some mobile devices use the FAT file system to arrange data in memory, others use Linux ext2/ext3 file systems, and iPhones use HFSX.

3.5.2 Data Recovery on Mobile Devices

• When common file systems are used such as FAT, HFS, and ext2/3, it may be possible to recover deleted files using file system tools.

3.5.3 Data Formats on Mobile Devices

• A peculiarity of mobile devices is that they store SMS messages not in ASCII but using a 7-bit alphabet.


• Certain data on mobile devices, particularly phone numbers, are stored in nibble reversed format. This means that the two nibbles (hexadecimal digits) of each byte in the number are stored in reverse order.

For instance, the phone number 12036452774 is 2130462577F4 in nibble reversed format.

• Byte order also differs between devices. For instance, a little-endian UNIX date-time stamp C7 BE FE 49, which equates to May 4, 2009, at 10:09:11 AM, would be stored as 49 FE BE C7 on a Motorola device.
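As an added example (not code from the original slides), the Python below decodes the three formats described in this section: GSM 7-bit packed SMS text, nibble-reversed phone numbers with F padding, and a 32-bit UNIX timestamp read in either byte order, using the slide’s own values 2130462577F4 and 49 FE BE C7. The GSM 03.38 alphabet table and the “hellohello” packed test vector are assumptions reproduced from memory.

```python
# Added example: decoders for the mobile-device data formats described above
# (not code from the original slides). The GSM 03.38 alphabet table below is
# reproduced from memory and is an assumption for the non-ASCII positions.
import struct
from datetime import datetime, timezone

# GSM 03.38 default 7-bit alphabet, index = septet value (128 entries).
_GSM_ALPHABET = (
    "@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ"
    " !\"#¤%&'()*+,-./0123456789:;<=>?"
    "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§"
    "¿abcdefghijklmnopqrstuvwxyzäöñüà"
)


def unpack_7bit(octets, septet_count):
    """Unpack GSM 7-bit packed user data: septets are stored LSB-first across
    octet boundaries, so accumulate bits in order and cut every 7 bits."""
    septets, bits, nbits = [], 0, 0
    for octet in octets:
        bits |= octet << nbits
        nbits += 8
        while nbits >= 7 and len(septets) < septet_count:
            septets.append(bits & 0x7F)
            bits >>= 7
            nbits -= 7
    if len(septets) < septet_count:
        raise ValueError("not enough octets for the declared septet count")
    return septets


def decode_sms_text(octets, septet_count):
    """Decode packed SMS text to a str using the default alphabet (no handling
    of the escape-based extension table)."""
    return "".join(_GSM_ALPHABET[s] for s in unpack_7bit(octets, septet_count))


def decode_nibble_reversed(hexdigits):
    """Decode a nibble-reversed number: swap the two digits of every byte and
    drop the F used to pad an odd-length number, e.g. 2130462577F4 -> 12036452774."""
    if len(hexdigits) % 2:
        raise ValueError("nibble-reversed data must have an even digit count")
    swapped = "".join(hexdigits[i + 1] + hexdigits[i] for i in range(0, len(hexdigits), 2))
    return swapped.upper().rstrip("F")


def encode_nibble_reversed(digits):
    """Inverse of decode_nibble_reversed, e.g. 12036452774 -> 2130462577F4."""
    if len(digits) % 2:
        digits += "F"
    return "".join(digits[i + 1] + digits[i] for i in range(0, len(digits), 2))


def decode_unix_time(raw, byteorder="big"):
    """Interpret 4 bytes as a 32-bit UNIX timestamp. Motorola devices store the
    bytes big-endian (49 FE BE C7); the same instant read little-endian from a
    PC tool appears as C7 BE FE 49."""
    fmt = ">I" if byteorder == "big" else "<I"
    (seconds,) = struct.unpack(fmt, raw)
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


if __name__ == "__main__":
    # "hellohello" packed to 9 octets is a constructed test vector
    print(decode_sms_text(bytes.fromhex("E8329BFD4697D9EC37"), 10))
    print(decode_nibble_reversed("2130462577F4"))
    print(decode_unix_time(bytes.fromhex("49FEBEC7")))             # 2009-05-04 10:09:11 UTC
    print(decode_unix_time(bytes.fromhex("C7BEFE49"), "little"))   # same instant
```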


3.6 FORENSIC ACQUISITION AND EXAMINATION OF SIM CARDS

• In GSM/UMTS mobile devices, it is also important to inspect the contents of associated SIM cards.

• An individual may use different SIM cards in different countries or for different purposes.

• The hierarchical storage structure of a SIM card is relatively straightforward, and the content of each file is defined in the GSM Technical Specification.

• There is one master file that contains references to all other files on the SIM card. Each file is addressed using a unique two-byte hexadecimal value, with the first byte indicating whether it is a master file, dedicated file, or elementary file:

• 3F = Master file (MF)

• 7F = Dedicated file (DF)

• 2F = Elementary file under the master file

• 6F = Elementary file under a dedicated file


3.6.1 SIM Security

• Users can set a personal identification number (PIN) to restrict access to their SIM card.
• Brute force attacks against the PIN are generally ineffective unless the manufacturer default was never reset by the user, because three failed PIN attempts will result in the SIM being locked. Fortunately, some phones have a PIN unblocking key (PUK) in their documentation.


3.7 INVESTIGATIVE RECONSTRUCTION USING MOBILE DEVICES

3.7.1 Temporal Analysis

• One of the most common forms of temporal analysis is creating a timeline of events to gain a greater understanding of what occurred around the time of a crime and to help investigators identify patterns and gaps, potentially leading to other sources of evidence.

3.7.2 Relational Analysis

• A full relational analysis can include the geographic location of mobile devices and the associated users, as well as any communication/transaction that occurred between them.

• Another form of relational analysis is determining how one item of evidence relates to another. This form of analysis is often called evaluation of source,


3.7.3 Functional Analysis

• Forensic examiners perform a functional analysis to determine how a particular function or program on a mobile device works and how the device was configured at the time of the crime.

4. Intellectual Property Rights (IPR)

What Is IP?

Intellectual property (IP) refers to creations of the mind:

• Inventions
• Literary and artistic works
• Designs
• Symbols, names and images used in commerce

What Is IPR?

Intellectual Property Rights (IPR) refers to the legal rights granted with the aim of protecting the creations of the intellect.

Under intellectual property law, owners are granted certain exclusive rights to a variety of intangible assets, such as musical, literary, and artistic works; discoveries and inventions; and words, phrases, symbols and designs.

Key Elements Of IPR

• Patents
• Trademarks
• Trade Secrets
• Copyrights

Copyrights

Copyright describes rights provided to the authors of “original works of authorship”, including literary, dramatic, musical, artistic, and certain other intellectual works.

The copyright protects the form of expression rather than the subject matter of the writing. For example, a description of a machine could be copyrighted, but this would only prevent others from copying the description; it would not prevent others from writing a description of their own or from making and using the machine.

Copyrights are registered by the Copyright Office.

Trademarks

A trademark is a name, symbol, or device that is used in trade with goods to indicate the source of the goods and to distinguish them from the goods of others.

Trademark rights may be used to prevent others from using a confusingly similar mark, but not to prevent others from making the same goods or from selling the same goods or services under a clearly different mark.

Trademarks are especially important when consumers and producers are far away from one another.

A trade mark can take the form of a:

• Name
• Logotype
• Symbol
• Slogan
• Shape
• Color

Patents

A patent is an exclusive right granted for an invention, which is a product or a process that provides, in general, a new way of doing something, or offers a new technical solution to a problem.

It is a property right granted to the inventor, issued by the government's Patent and Trademark Office.

In order to be patentable, the invention must fulfill certain conditions.

Patent protection means that the invention cannot be commercially made, used, distributed or sold without the patent owner's consent.

These patent rights are usually enforced in a court, which, in most systems, holds the authority to stop patent infringement. Conversely, a court can also declare a patent invalid upon a successful challenge by a third party.

Trade Secrets

Trade secrets are classified as any information that may be used in the operation of a business and that is sufficiently valuable to afford an actual or potential economic advantage.

Trade secrets include:

I. Financial information
II. Commercial information
III. Technical and scientific information

Examples of trade secrets: formulas for products, such as the formula for Coca-Cola.

Duration


Thank You