Upload: houston-rickard, posted 07-Jan-2017

Page 1: Cell Phone Forensics Research

Mobile Device Forensics

Sean Houston Rickard

University of North Carolina at Charlotte

ITIS 5250-001

Computer Forensics


Table of Contents

Abstract
Chapter 1: Introduction
  The Purpose
Chapter 2: Mobile Device Technology
  Current Technology
  Figure 1: Hardware Characterization
  Figure 2: Android and iOS comparison
Chapter 3: Mobile Device Forensics
  Computer Forensic Tool Testing
    Requirements for Core Features
    Requirements for Optional Features
Chapter 4: Comparison of UFED 4PC Ultimate and Lantern 4
  Cellebrite UFED 4PC
  Figure 3: UFED 4PC User Interface
  Lantern 4
  Figure 5: Lantern 4 User Interface
Chapter 5: Conclusion
References
Definition of Terms


Abstract

As with any business or organization, law enforcement agencies work on a limited budget which must be spread between multiple departments and priorities. With a limited budget, agencies are restricted in what software and tools they may purchase and often must weigh the capabilities of a specific tool against its cost. This research paper looks at the capabilities of mobile forensic software and compares them to the overall cost to determine which software is the better value. With the ever increasing availability and rapid evolution of mobile devices, there are a number of mobile device forensic software packages on the market today. This paper provides a simple overview of mobile device technology and the types of forensic analysis performed on mobile devices, and then compares two mobile forensic software packages.


Chapter 1: Introduction

In today's society, mobile devices have become a major part of everyday life. Approximately "90% of American adults have a cell phone, 58% of American adults have a smartphone, 32% of American adults have an e-reader, and 42% of American adults have a tablet computer" (Pew Research Center, 2014). On an almost daily basis we see technology evolve and more mobile devices become available to the public. With advances in technology has also come crime. Mobile devices can be used in a number of different ways to facilitate and commit crime. While there is no reliable way to track the number of crimes involving mobile devices, in my experience I believe it can easily be said that well over 80% of crime involves some use of a mobile device. With mobile devices being used in some fashion during a large portion of criminal activity, there is a great deal of evidence which can be obtained and used in a criminal investigation. The need to obtain this evidence has led many organizations to develop software which is available for purchase. Today there is a wide variety of mobile device forensic software available, each with its own platform, capabilities, and cost. Law enforcement agencies across the US are limited by budget constraints. In 2007, the average annual operating budget per agency for all sheriff's offices in the US was $9,962,000 (Sheriffs' Office, 2007 - Statistical Tables, 2012). Each agency must prioritize its budget, leaving minimal operating funds for expanding to new tools and software. As law enforcement agencies modernize and expand to combat crime that makes use of technology, they are inevitably faced with the decision of which tool or software to purchase given the budget and the tool's capabilities. The Cabarrus County Sheriff's Office currently operates Cellebrite UFED 4PC Ultimate and Lantern 4 for mobile device forensics.


The Purpose

The purpose of this study is to determine which software provides the best capabilities for the cost to the Cabarrus County Sheriff's Office. It is my hypothesis that, due to each software's own capabilities and cost to the agency, neither is ultimately better than the other, but each serves specific needs in specific situations. The only limitation I had for this research was access to the forensic software. Due to time constraints, schedules, and available forensic tools, my access was limited to two (2) forensic tools over a period of 2 days. This research paper provides a simple overview of mobile device technology and the types of forensic analysis performed on mobile devices, and then compares Cellebrite UFED 4PC Ultimate and Lantern 4.


Chapter 2: Mobile Device Technology

While there are many different mobile devices on the market (cell phones, smartphones, tablet computers, e-readers, MP3 players, etc.), the most common and the first was the cell phone. Cell phones evolved from radio technology developed in the early 1900s. The first documented wireless telephone use was in 1946 by the Swedish police (Tech-FAQ, n.d.). In 1947, Bell Laboratories proposed the idea of hexagonal cells for mobile phones, and in 1970 the call handoff system was developed. With the assistance of AT&T, the FCC approved and allocated the 824-894 MHz band to the Advanced Mobile Phone Service (AMPS) (Tech-FAQ, n.d.). According to Tech-FAQ (n.d.), in 1983 Motorola unveiled the first truly portable cellular phone, the DynaTAC 8000X. Since then cell phone technology has grown by leaps and bounds. Today's cell phone has advanced from a simple radio to essentially a small computer with a radio attached.

Current Technology

Devices today, while very different in function, capabilities, and appearance, are composed of the same basic components: a microprocessor, read-only memory (ROM), random access memory (RAM), a radio module, a digital signal processor, a microphone and speaker, a variety of hardware keys and interfaces, and a liquid crystal display (LCD). Cell phones can also support external memory through Secure Digital (SD) cards, and other wireless communication such as infrared, Bluetooth, Near Field Communication (NFC), and WiFi. Depending on its capabilities, a phone is classified as either a feature phone or a smartphone. Feature phones are cell phones that perform a minimal set of tasks and lack the features of a smartphone. The Guidelines on Mobile Device Forensics (Ayers, Brothers, & Jansen, 2014) present the following table to characterize the hardware of feature phones versus smartphones:

Figure 1: Hardware Characterization

Mobile device memory, like that of any other computer, contains both non-volatile and volatile memory. Non-volatile memory, as the name suggests, retains its contents when the device loses power or is rebooted. Volatile memory, or random access memory (RAM), on the other hand is lost when power is drained from the phone, making it difficult to capture accurately. Mobile device memory has evolved with technology. According to the Guidelines on Mobile Device Forensics (Ayers, Brothers, & Jansen, 2014):

Feature phones were among the first types of devices that contained NOR flash and RAM

memory. System and user data are stored in NOR and copied to RAM upon booting for faster

code execution and access. This is known as the first generation of mobile device memory

configuration. As smartphones were introduced, memory configurations evolved, adding NAND

flash memory. This arrangement of NOR, NAND and RAM memory is referred to as the second generation. This generation of memory configurations stores system files in NOR flash, user files

in NAND and RAM is used for code execution. The latest smartphones contain only NAND and

RAM memory (i.e., third generation), due to requirements for higher transaction speed, greater

storage density and lower cost. To facilitate the lack of space on mobile device mainboards and

the demand for higher density storage space (i.e., 2GB – 128GB) the new Embedded MultiMedia

Cards (eMMC) style chips are present in many of today’s smartphones. NOR flash memory

includes system data such as: operating system code, the kernel, device drivers, system libraries,

memory for executing operating system applications and the storage of user application

execution instructions. NOR flash will be the best location for data collection for first generation

memory configuration devices. NAND flash memory contains: PIM data, graphics, audio, video,

and other user files. This type of memory generally provides the examiner with the most useful

information in most cases. (p. 6)

Phones may also contain a Subscriber Identity Module (SIM) card, whose purpose is to authenticate the subscriber to a given network. The SIM is a smart card containing a processor, persistent electrically erasable programmable read-only memory (EEPROM), RAM for program execution, and ROM holding the operating system together with the user authentication and data encryption algorithms. Personal information, phonebook entries, text messages, the last numbers dialed, and service information may also be stored in the EEPROM (Ayers, Brothers, & Jansen, 2014). Another major part of a phone that must be considered is the operating system. There have been many different operating systems through the years, such as BlackBerry, Windows CE, Symbian, Android, and Apple iOS. In recent years the leading operating systems have been Android and Apple iOS. According to IDC Corporate USA (n.d.), Android shipments lead the global smartphone market, with 283 million units shipped and over 84% of the market share in the third quarter of 2014, while iOS continues to drop in market share, down to 11.7% from 12.8% in the same quarter a year earlier, representing the growing shift of demand toward low-cost smartphones. The Android and iOS operating systems provide a wide variety of capabilities. Below is a comparison chart from Diffen (n.d.):

Figure 2: Android and iOS comparison

The last major part of a phone is its ability to download and install applications (apps). The Android and iOS operating systems both have this capability, with millions of apps available for each. Apps can be written by anyone with the right knowledge and can be made to perform any number of tasks such as playing games, messaging, phone calls, internet browsing, etc. The possibilities for apps are endless. When an app is installed on a mobile device, a folder is created to hold that app's data. All data saved on the phone is potentially accessible through mobile device forensics, depending on the type of analysis that is completed.
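The SIM identifiers mentioned above (ICCID and IMSI) are stored in SIM elementary files with a fixed binary layout, and decoding them is one of the first things a tool does when it reports "device information (IMSI, ICCID)". The following Python script is an added example, not code from this paper or from any tool it discusses. It decodes EF_ICCID (2FE2) and EF_IMSI (6F07) records using the layouts in ETSI TS 102 221 and 3GPP TS 31.102: swapped-nibble BCD, a 0xF filler nibble, and a type/parity nibble in the second byte of EF_IMSI. The sample bytes, the ICCID 8901260123456789011 and the IMSI 310260123456789 are constructed values, and the 3-digit MNC length is an assumption (on a real SIM it is read from EF_AD).

```python
"""Decode two SIM elementary files found in every SIM extraction:
EF_ICCID (2FE2) and EF_IMSI (6F07).  Layouts follow ETSI TS 102 221 /
3GPP TS 31.102.  Sample bytes below are constructed, not from a real SIM."""

# Constructed EF_ICCID: ICCID 8901260123456789011 (19 digits, Luhn check
# digit 1) stored as swapped-nibble BCD, padded with an F filler nibble.
SAMPLE_EF_ICCID = bytes.fromhex("98 10 62 10 32 54 76 98 10 f1")

# Constructed EF_IMSI: IMSI 310260123456789 (15 digits).  Byte 0 = number of
# IMSI bytes that follow (8); byte 1 = parity/type nibble + first digit;
# remaining bytes = swapped-nibble BCD.
SAMPLE_EF_IMSI = bytes.fromhex("08 39 01 62 10 32 54 76 98")


def swapped_bcd_digits(data: bytes) -> str:
    """Read BCD digits low nibble first, then high nibble; stop at 0xF filler."""
    digits = []
    for byte in data:
        for nibble in (byte & 0x0F, byte >> 4):
            if nibble == 0x0F:          # filler marks the end of the number
                return "".join(digits)
            if nibble > 9:
                raise ValueError(f"non-BCD nibble 0x{nibble:X}")
            digits.append(str(nibble))
    return "".join(digits)


def luhn_valid(number: str) -> bool:
    """ITU-T E.118 ICCIDs end in a Luhn check digit; a failed check means the
    bytes were misread or the record is not really an ICCID."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def decode_iccid(ef_iccid: bytes) -> str:
    if len(ef_iccid) != 10:
        raise ValueError("EF_ICCID is always 10 bytes")
    iccid = swapped_bcd_digits(ef_iccid)
    if not luhn_valid(iccid):
        raise ValueError(f"ICCID {iccid!r} fails the Luhn check")
    return iccid


def decode_imsi(ef_imsi: bytes) -> str:
    if len(ef_imsi) != 9:
        raise ValueError("EF_IMSI is always 9 bytes")
    length = ef_imsi[0]                       # bytes of IMSI data that follow
    if not 1 <= length <= 8:
        raise ValueError(f"bad IMSI length byte {length}")
    first = ef_imsi[1]
    if first & 0x07 != 0x01:                  # b1-b3 = 001 marks an IMSI identity
        raise ValueError("byte 2 does not mark an IMSI type identity")
    odd_digit_count = bool(first & 0x08)      # b4: 1 = odd number of digits
    imsi = str(first >> 4) + swapped_bcd_digits(ef_imsi[2:1 + length])
    if (len(imsi) % 2 == 1) != odd_digit_count:
        raise ValueError("parity bit disagrees with decoded digit count")
    if not 6 <= len(imsi) <= 15:
        raise ValueError(f"IMSI {imsi!r} has an invalid length")
    return imsi


def split_imsi(imsi: str, mnc_length: int = 3) -> dict:
    """MCC is 3 digits; MNC is 2 or 3 digits.  The MNC length lives in EF_AD
    (6FAD) on the SIM, so it is a parameter here rather than guessed."""
    return {"mcc": imsi[:3],
            "mnc": imsi[3:3 + mnc_length],
            "msin": imsi[3 + mnc_length:]}


if __name__ == "__main__":
    print("ICCID:", decode_iccid(SAMPLE_EF_ICCID))
    imsi = decode_imsi(SAMPLE_EF_IMSI)
    print("IMSI: ", imsi, split_imsi(imsi))
```

The validation steps are the point for an examiner: the Luhn check on the ICCID and the parity/type checks on EF_IMSI catch a record that was read with the wrong offset or from the wrong file before a wrong subscriber identity ends up in a report.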


Chapter 3: Mobile Device Forensics

According to Ayers, Brothers, and Jansen (2014), "Mobile device forensics is the science of recovering digital evidence from a mobile device under forensically sound conditions using accepted methods." A forensic analysis of a mobile device can be conducted by hand or through one of the many software tools available. The job of a forensic tool is to acquire data from the internal memory and SIM card without altering their content. To begin an analysis of a mobile device, the examiner must first determine what type of analysis to complete. There are five types of mobile device analysis: manual extraction, logical extraction, hex dumping/JTAG, chip-off, and micro read (Ayers, Brothers, & Jansen, 2014). Predominantly only manual extraction, logical extraction, and hex dumping/JTAG are performed by law enforcement forensic examiners. Chip-off and micro read examinations are intensely involved and require a great deal of knowledge, training, and specialized equipment to perform. The following excerpt from the Guidelines on Mobile Device Forensics (Ayers, Brothers, & Jansen, 2014) gives a detailed description of each:

Manual Extraction – A manual extraction method involves viewing the data content

stored on a mobile device. The content displayed on the LCD screen requires the manual

manipulation of the buttons, keyboard or touchscreen to view the contents of the mobile

device. Information discovered may be recorded using an external digital camera. At this

level, it is impossible to recover deleted information. Some tools have been developed to

provide the forensic examiner with the ability to document and categorize the information recorded more quickly. Nevertheless, if there is a large amount of data to be captured, a

manual extraction can be very time consuming and the data on the device may be

inadvertently modified, deleted or overwritten as a result of the examination. Manual

extractions become increasingly difficult and perhaps unachievable when encountering a

broken/missing LCD screen or a damaged/missing keyboard interface. Additional

challenges occur when the device is configured to display a language unknown to the

investigator; this may cause difficulty in successful menu navigation.

Logical Extraction – Connectivity between a mobile device and the forensics workstation

is achieved with a connection using either a wired (e.g., USB or RS-232) or wireless

(e.g., IrDA, WiFi, or Bluetooth) connection. The examiner should be aware of the issues

associated when selecting a specific connectivity method, as different connection types

and associated protocols may result in data being modified (e.g., unread SMS) or

different amounts or types of data being extracted. Logical extraction tools begin by

sending a series of commands over the established interface from the computer to the

mobile device. The mobile device responds based upon the command request. The

response (mobile device data) is sent back to the workstation and presented to the

forensics examiner for reporting purposes.

Hex Dumping and JTAG – Hex Dumping and Joint Test Action Group (JTAG) extraction methods afford the forensic examiner more direct access to the raw information stored in flash memory. One challenge with these extraction methods is the ability of a given tool to parse and decode the captured data. Providing the forensic examiner with a logical view of the file system, and reporting on other data remnants outside the file system that may be present are challenging. For

example, all data contained within a given flash memory chip may not be acquired, as

many tools, such as flasher boxes, may only be able to extract specific sections of

memory [Bre07]. Methods used at this level require connectivity (e.g., cable or WiFi)

between the mobile device and the forensic workstation. Hex Dumping – this technique is

the more commonly used method by tools at this level. This involves uploading a

modified boot loader (or other software) into a protected area of memory (e.g., RAM) on

the device. This upload process is accomplished by connecting the mobile device’s data

port to a flasher box and the flasher box is in turn connected to the forensic workstation.

A series of commands is sent from the flasher box to the mobile device to place it in a

diagnostic mode. Once in diagnostic mode, the flasher box captures all (or sections) of

flash memory and sends it to the forensic workstation over the same communications link

used for the upload. Some flasher boxes work this way or they may use a proprietary

interface for memory extractions. Rare cases exist where extractions can be accomplished

using WiFi (i.e., early Jonathan Zdziarski (JZ) Methods) [Zdz12].

JTAG – Many manufacturers support the JTAG standard, which defines a common test

interface for processor, memory, and other semiconductor chips. Forensic examiners can

communicate with a JTAG-compliant component by utilizing special purpose standalone

programmer devices to probe defined test points [Wil05]. The JTAG testing unit can be

used to request memory addresses from the JTAGcompliant component and accept the

response for storage and rendition [Bre06]. JTAG gives specialists another avenue for

imaging devices that are locked or devices that may have minor damage and cannot be

properly interfaced otherwise. This method involves attaching a cable (or wiring harness) from a workstation to the mobile device's JTAG interface and access memory via the device's microprocessor to produce an image [Bre07]. JTAG extractions differ mainly

from Hex Dumping in that it is invasive as access to the connections frequently require

that the examiner dismantle some (or most) of a mobile device to obtain access to

establish the wiring connections.

o Flasher boxes are small devices originally designed with the intent to service or

upgrade mobile devices. Physical acquisitions frequently require the use of a

flasher box to facilitate the extraction of data from a mobile device. The flasher

box aides the examiner by communicating with the mobile device using

diagnostic protocols to communicate with the memory chip. This communication

may utilize the mobile device’s operating system or may bypass it altogether and

communicate directly to the chip [Jon10]. Flasher boxes are often accompanied

by software to facilitate the data extraction process working in conjunction with

the hardware. Many flasher box software packages provide the added

functionality of recovering passwords from mobile device memory as well in

some configurations. (p.17-18)

In most situations, the type of investigation, the type of phone, and the tools available determine what type of analysis is completed. Ultimately the question is what information the investigator is looking to gain from the analysis, and which acquisition method would obtain that information.
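The logical extraction description quoted above (commands sent over the interface, the device responds, the data is presented to the examiner) and its warning that the connection itself can modify data such as unread SMS can both be seen in the simplest logical acquisition channel there is, the GSM AT command set. The block below is an added example, not code from this paper or from the NIST guidelines. It parses a text-mode AT+CMGL="ALL" response as specified in 3GPP TS 27.005; the response string is constructed to look like a handset's reply and was not captured from a real device, and the parser assumes the default header format (no extra fields from +CSDH=1).

```python
"""Parse the reply to text-mode AT+CMGL="ALL" (3GPP TS 27.005), the kind of
command/response exchange a logical extraction tool drives over USB/serial.
The response below is constructed, not captured from a real handset."""
import re

SAMPLE_RESPONSE = (
    'AT+CMGL="ALL"\r\n'                                  # echo of our command
    '+CMGL: 1,"REC UNREAD","+15555550101",,"14/11/26,09:41:07-20"\r\n'
    'Meet at the usual place\r\n'
    '+CMGL: 2,"REC READ","+15555550199",,"14/11/25,22:03:15-20"\r\n'
    'Running late, start without me\r\n'
    '+CMGL: 3,"STO SENT","+15555550101",,\r\n'           # sent message: no timestamp
    'ok see you there\r\n'
    '\r\n'
    'OK\r\n'                                             # final result code
)

# +CMGL: <index>,<stat>,<oa/da>,[<alpha>],[<scts>]   (text mode, +CSDH=0 assumed)
CMGL_HEADER = re.compile(
    r'^\+CMGL: (?P<index>\d+),"(?P<stat>[^"]*)","(?P<addr>[^"]*)",'
    r'(?:"(?P<alpha>[^"]*)")?,(?:"(?P<scts>[^"]*)")?$'
)


def parse_cmgl(response: str) -> list:
    """Return one dict per message; each header line is followed by its body."""
    messages = []
    lines = response.split("\r\n")
    i = 0
    while i < len(lines):
        if lines[i] == "OK" or lines[i].startswith("+CMS ERROR"):
            break                                   # end of the response
        m = CMGL_HEADER.match(lines[i])
        if m is None:
            i += 1                                  # echo, blank line, etc.
            continue
        body = lines[i + 1] if i + 1 < len(lines) else ""
        messages.append({
            "index": int(m["index"]),
            "status": m["stat"],
            "address": m["addr"],
            "timestamp": m["scts"],                 # None when the field is empty
            "body": body,
        })
        i += 2                                      # skip header and body
    return messages


def unread_indexes(messages) -> list:
    """Messages that were REC UNREAD when listed.  27.005 specifies that listing
    an unread message changes its stored status to REC READ, so this is the set
    whose on-device state the acquisition itself just altered."""
    return [m["index"] for m in messages if m["status"] == "REC UNREAD"]


if __name__ == "__main__":
    parsed = parse_cmgl(SAMPLE_RESPONSE)
    for msg in parsed:
        print(msg)
    print("status altered by listing:", unread_indexes(parsed))
```

This is exactly the caveat in the quoted text: the command that reads the inbox is also the command that flips REC UNREAD to REC READ in the phone's store, so a second listing will not match the first. An examiner using such a channel should record the status seen on the first pass as the original state and note in the report that the acquisition changed it.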

Computer Forensic Tool Testing

In order to maintain reliability and consistency among mobile device forensic tools, the National Institute of Standards and Technology's (NIST) Computer Forensic Tool Testing (CFTT) program routinely tests new computer forensic software tools. The CFTT program has developed six (6) core feature requirements and fifteen (15) optional feature requirements against which it tests each new tool. The Smart Phone Tool Specification (National Institute of Standards and Technology, 2010) lists the requirements as follows:

Requirements for Core Features

1. A cellular forensic tool shall have the ability to recognize supported devices via the

vendor-supported interfaces (e.g., cable, Bluetooth, Infrared)

2. A cellular forensic tool shall have the ability to identify non-supported devices

3. A cellular forensic tool shall have the ability to notify the user of connectivity errors

between the device and application during acquisition.

4. A cellular forensic tool shall have the ability to provide the user with either a preview

pane or generated report view of data acquired.

5. A cellular forensic tool shall have the ability to logically acquire all application supported

data objects present in internal memory.

6. A cellular forensic tool shall have the ability to logically acquire supported data objects

without changing the data objects present on the device.

Requirements for Optional Features

1. A cellular forensic tool shall have the ability to recognize supported SIMs via the vendor

supported interface (e.g., PC/SC reader, proprietary reader, internal).

2. A cellular forensic tool shall have the ability to identify non-supported SIMs.

3. A cellular forensic tool shall have the ability to notify the user of connectivity errors

between the SIM reader and application during acquisition.


4. A cellular forensic tool shall have the ability to acquire all application-supported data

objects present in the SIM memory.

5. A cellular forensic tool shall have the ability to provide a presentation of acquired data in

a human-readable format via a generated report.

6. A cellular forensic tool shall have the ability to provide a presentation of acquired data in

a human-readable format via a preview pane view.

7. A cellular forensic tool shall have the ability to provide the user with the opportunity to

unlock a password protected SIM before external reader SIM acquisition.

8. A cellular forensic tool shall have the ability to protect previously acquired data objects

within a saved case file from modification.

9. A cellular forensic tool shall have the ability to perform a physical acquisition of the

device’s internal memory for supported devices.

10. A cellular forensic tool shall have the ability to present data objects containing non-

ASCII characters acquired from the internal memory of the device or SIM via the

selected interface (i.e., preview pane, generated report). Non-ASCII characters shall be

printed in their native representation.

11. A cellular forensic tool shall have the ability to present the remaining number of

CHV1/CHV2 PIN unlock attempts.

12. A cellular forensic tool shall have the ability to present the remaining number of PUK

unlock attempts.

13. A cellular forensic tool shall have the ability to acquire internal memory data without

14. A cellular forensic tool shall have the ability to compute a hash for individual data

objects.


15. A cellular forensic tool shall have the ability to acquire GPS related data present in the

internal memory. (p.6-8)

The results of each CFTT test of a mobile device forensic tool are then added to the program's website (http://www.cftt.nist.gov/mobile_devices.htm) for review. This information is very important to law enforcement agencies because it quickly establishes the capabilities and limitations of the software.
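Several of the CFTT requirements listed above concern integrity rather than extraction: acquiring data objects without changing them (core 6), protecting previously acquired objects in a saved case from modification (optional 8), and computing a hash for individual data objects (optional 14). The script below is an added example of how an examiner can implement and check those properties on a tool's output directory; it is not code from this paper, from NIST, or from either tool compared in Chapter 4. It hashes every object in an extraction directory into a manifest and later re-verifies the directory, reporting modified, missing and added objects. The extraction tree it builds is constructed sample data.

```python
"""Per-object hashing and re-verification of an acquisition directory.
Demonstrates CFTT optional requirement 14 (hash per data object) and the
detection side of core 6 / optional 8 (objects must not change).  The sample
extraction tree is constructed; it is not output from any real tool."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_objects(root) -> dict:
    """Map each file under root (POSIX-style relative path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def write_manifest(root, manifest_path) -> dict:
    digests = hash_objects(root)
    Path(manifest_path).write_text(json.dumps(digests, indent=2, sort_keys=True))
    return digests


def compare(expected: dict, actual: dict) -> dict:
    """Diff two hash maps; all three lists empty means nothing changed."""
    return {
        "modified": sorted(k for k in expected if k in actual and actual[k] != expected[k]),
        "missing": sorted(k for k in expected if k not in actual),
        "added": sorted(k for k in actual if k not in expected),
    }


def verify_manifest(root, manifest_path) -> dict:
    expected = json.loads(Path(manifest_path).read_text())
    return compare(expected, hash_objects(root))


def build_sample_extraction(root: Path) -> None:
    """Constructed stand-in for the output tree of a logical extraction."""
    (root / "sms").mkdir(parents=True)
    (root / "sms" / "inbox.csv").write_text("1,+15555550101,Meet at the usual place\n")
    (root / "contacts.vcf").write_text("BEGIN:VCARD\nFN:Sample Contact\nEND:VCARD\n")
    (root / "photos").mkdir()
    (root / "photos" / "IMG_0001.jpg").write_bytes(b"\xff\xd8\xff\xe0" + bytes(64))


def demo() -> dict:
    """Hash a fresh extraction, then tamper with it and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "extraction"
        manifest = Path(tmp) / "manifest.json"     # kept outside the tree it covers
        build_sample_extraction(root)
        write_manifest(root, manifest)
        clean = verify_manifest(root, manifest)
        # Changes an examiner must be able to detect after the fact:
        (root / "sms" / "inbox.csv").write_text(
            "1,+15555550101,Meet at the usual place\n2,+15555550199,Running late\n")
        (root / "contacts.vcf").unlink()
        (root / "notes.txt").write_text("added after acquisition\n")
        tampered = verify_manifest(root, manifest)
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Core requirement 6 is checked the same way in practice: acquire twice, or compare a fresh acquisition against a known-good manifest, and run compare() on the two hash maps. Anything in "modified" is evidence that the acquisition path altered an object, which is the kind of finding a CFTT test report records for a tool.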


Chapter 4: Comparison of UFED 4PC Ultimate and Lantern 4

As stated earlier, the Cabarrus County Sheriff's Office currently utilizes both UFED 4PC by Cellebrite and Lantern 4 by Katana. Detective Brian Schmitt is the primary computer and mobile device forensic examiner for the department. In an interview on November 26, 2014, Det. Schmitt stated, "I utilize both software packages on a regular basis and choose which one to use depending on the type of phone I am going to examine. Both are similar in what they will recover; however, each has its own pros and cons. Cellebrite is limited to only the devices it says it can run, whereas Lantern will run almost any Android device and all iOS devices. Although Lantern may run a device that Cellebrite will not, sometimes the information that Lantern does recover is limited. Cellebrite says it is the leader in iOS forensics; however, Lantern will run way more because it is run and developed specifically for iOS devices." Det. Schmitt went on to show me a specific phone which he had examined in Lantern that would not work in Cellebrite. The analysis in Lantern showed only what type of phone it was and no other information. Det. Schmitt went on to say, "I don't particularly favor one software over the other; it ultimately depends on the device I need to examine. I often run a device through both just to make sure I don't miss something."

Comparing the capabilities and cost of both packages will help determine which is more cost effective. Since my time with both systems was limited, the comparison will be completed through the use of both user manuals and CFTT testing.


Cellebrite UFED 4PC

The following information was obtained from the UFED Physical Analyzer User Manual (Cellebrite Ltd., 2014):

Operating System – Microsoft Windows XP with SP3 or later
Computer memory (RAM) required for installation
  o 32-bit OS – 4 GB
  o 64-bit OS – 8 GB
Number of supported mobile devices
  o Android-based devices – 1889
  o iOS devices – 67
  o Total number of devices – 10,538
UFED Ultimate is made up of three components:
  o The UFED unit enables logical, password, SIM, file system, and physical extractions from mobile devices, which can then be saved to a USB flash drive, SD memory card, or directly to your PC.
  o The UFED Physical Analyzer application provides an in-depth view of the device's memory using advanced decoding, analysis, and reports. UFED Physical Analyzer can decode all types of extractions created by the UFED Classic unit.
  o The Phone Detective application helps investigators quickly identify a mobile phone by its physical attributes, eliminating the need to start the device and the risk of device lock.
UFED Physical Analyzer has the following key features:
  o Decoding of the extraction with a layered view of memory content
    - Provides a detailed view of the hex file
    - Reconstructs the device file system
    - Decodes various data types such as contact lists, SMS messages, call logs, device information (IMSI, ICCID, user codes), application information, and more
    - Provides a view of data files: images, videos, databases, and so on
    - Provides access to both current and deleted data
    - Reveals device passwords (when applicable)
  o Powerful extraction for iOS and GPS devices
  o Intuitive and user-friendly UI for browsing the extracted information
  o Powerful analysis and search tools
    - Instant search of all project content
    - Advanced search based on multiple parameters
    - Instant search of data table content
    - Watch list for highlighting information based on a predefined list of values
    - Timeline for viewing all events performed via the mobile device in a single chronological view
    - Project analytics providing comprehensive activity analysis
    - Malware scanner to identify malware on the device
    - Ability to search the hex by various parameters such as strings, bytes, numbers, and dates
    - Ability to use regular expression (RegEx) search to look for specific data strings
    - Ability to bookmark memory locations for indexing key areas for later review
    - Ability to use Python shell commands for data analysis
  o Plug-ins
    - Manage installed plug-ins
    - Write your own plug-ins using the Python scripting language
  o Reports
    - Generate reports in various formats
    - Report customizing and personalizing (logo, header, etc.)

This is an example of the user interface for UFED 4PC:

Figure 3: UFED 4PC User Interface


A review of the UFED v3.9.6.7 Test Report (National Institute of Standards and Technology, 2014), which covered a variety of Android and iOS devices, showed that UFED Physical Analyzer performed better with Android-based devices.

Lantern 4

The following information was obtained from the Lantern 4 Manual (Katana Forensics, Inc., 2014):

Operating System – Mac OS X 10.7 or higher
  o Computer memory (RAM) required for installation – 4 GB
Supported mobile devices

Figure 4: Lantern 4 Supported Devices

Here are some of the capabilities found in Lantern 4.0:
  o Link analysis between devices
  o Recovery from Android devices
  o Recover deleted SMS
  o Read Gmail & Yahoo e-mail
  o Parse Skype calls & messages
  o Parse Facebook data
  o Cellular sites & WiFi location geo data
  o WiFi connection history
  o Improved internet history
  o Geo-locate videos & photos
  o Application usage data
  o Analysis from .dd images & backups
  o Data carving of images & videos
  o Timeline analysis
  o Bookmarking
  o View data while processing an acquisition
  o Physical image e-mail analysis
  o Document analysis
  o Additional geo-location data from physical images
  o Arbitrary analysis
  o File system dump analysis from other applications
  o Decryption and analysis from other providers
  o Mac OS X analysis
  o Support for the newest Skype SQLite format
  o SMS, MMS, and iMessage for iOS 6
  o WhatsApp analysis
  o Bookmarks and notation

This is an example of the user interface of Lantern 4:

Figure 5: Lantern 4 User Interface

No examination has been completed of Lantern 4 by the National Institute of Standards and Technology.

During the interview on November 26, 2014 with Det. Schmitt, he stated, "As for cost, Cellebrite is by far the most expensive, costing approximately $8000 three years ago to purchase the product and approximately $3000 in annual maintenance. We just purchased the UFED 4PC license this year, which was originally $10,000 but was negotiated down to $4000 after trading in the old unit. As for Lantern, it was approximately $900 to purchase the product and $300 in annual maintenance. Both software packages benefit this department equally and we will continue to use both." During the short opportunity I had to interact with both UFED 4PC and Lantern 4, I personally favored the UFED 4PC, which I felt had a better user interface. That said, I have extensive experience with Microsoft-based operating systems rather than iOS, which I feel affected my preference. Considering that the Cabarrus County Sheriff's Office worked on a $2,282,640 operating budget for fiscal year 2014 (Cabarrus County, 2014), an expense of $10,000 for the UFED 4PC license and a $3000 maintenance cost was a major one compared to only $300 in maintenance cost for Lantern. When comparing the overall cost and annual maintenance to capabilities, it is easy to see that Lantern 4 is the better product for the cost.


Chapter 5: Conclusion

Law enforcement agencies across the US must invest in some form of mobile device forensic software to keep pace with the evolution of crime. Because of budget constraints, it is just as important to choose the software that provides the most capability for the cost. The purpose of this study was to determine which software provides the best capabilities for the cost to the Cabarrus County Sheriff's Office. The only limitation of this research was access to the software: due to time constraints, schedules, and the forensic tools available, my access was limited to two forensic tools over a period of two days. My original assumption was that, given each product's own capabilities and cost to the agency, neither is ultimately better than the other; each meets specific needs in specific situations.

After reviewing both UFED 4PC and Lantern 4, I found that Lantern 4 was the more cost-effective forensic tool. UFED 4PC and Lantern 4 provide similar capabilities in different formats. Each has its own pros and cons that make it better than the other in some respects and worse in others, but the cost of each makes it immediately clear which is more cost-effective. One caveat applies to the capability side of that comparison: UFED Physical Analyzer has been tested under NIST's CFTT program (National Institute of Standards and Technology, 2014) while Lantern 4 has not, so the comparison rests on the vendors' feature lists and two days of hands-on use rather than on independent test results for both tools.


References

Ayers, R., Brothers, S., & Jansen, W. (2014). NIST Special Publication 800-101, Revision 1: Guidelines on Mobile Device Forensics. National Institute of Standards and Technology.

Breeuwsma, M. (2006). Forensic Imaging of Embedded Systems using JTAG (boundary-scan). Digital Investigation, 3(1), 32-42.

Breeuwsma, M., de Jongh, M., Klaver, C., van der Knijff, R., & Roeloffs, M. (2007). Forensic Data Recovery from Flash Memory. Small Scale Digital Device Forensics Journal, 1(1).

Cabarrus County. (2014). Public Safety Budget. Retrieved from Cabarrus County: https://www.cabarruscounty.us/government/departments/finance/budget/Budget/finance_budget_public_safety_2015.pdf

Cellebrite Ltd. (2014, September). UFED Physical Analyzer - User Manual. Cellebrite Ltd.

Diffen. (n.d.). Android vs iOS. Retrieved from Diffen: http://www.diffen.com/difference/Android_vs_iOS

IDC Corporate USA. (n.d.). Smartphone OS Market Share, Q3 2014. Retrieved from IDC: http://www.idc.com/prodserv/smartphone-os-market-share.jsp

Jonkers, K. (2010). The forensic use of mobile phone flasher boxes. Digital Investigation, 6, 168-178.

Katana Forensics, Inc. (2014). Lantern 4 Installation and Operation Manual. Washington, DC: Katana Forensics, Inc.

National Institute of Standards and Technology. (2010). Smart Phone Tool Specification. Washington, DC: National Institute of Standards and Technology. Retrieved from http://www.cftt.nist.gov/documents/Smart_Phone_Tool_Specification.pdf

National Institute of Standards and Technology. (2014). Test Results for Mobile Device Acquisition Tool: UFED Physical Analyzer v3.9.6.7. NIST.

Pew Research Center. (2014, January). Mobile Technology Fact Sheet. Retrieved from Pew Research Internet Project: http://www.pewinternet.org/fact-sheets/mobile-technology-fact-sheet/

Schmitt, B. (2014, November 26). Detective. (S. H. Rickard, Interviewer)

Sheriffs' Offices, 2007 - Statistical Tables. (2012, December). Retrieved from Bureau of Justice Statistics: http://www.bjs.gov/content/pub/pdf/so07st.pdf

Tech-FAQ. (n.d.). The History of Cell Phones. Retrieved from Tech-FAQ: http://www.tech-faq.com/history-of-cell-phones.html

Willassen, S. (2005). Forensic Analysis of Mobile Phone Internal Memory. In Advances in Digital Forensics (International Conference on Digital Forensics), Vol. 194.

Zdziarski, J. (2012). iOS Forensic Investigative Methods. Retrieved from zdziarski: http://www.zdziarski.com/blog/wp-content/uploads/2013/05/iOS-ForensicInvestigative-Methods.pdf


Definition of Terms

AMPS – Advanced Mobile Phone Service

ASCII – American Standard Code for Information Interchange

CFTT – Computer Forensic Tool Testing

CHV1 – Card Holder Verification 1 (the SIM card's PIN1)

CHV2 – Card Holder Verification 2 (the SIM card's PIN2)

EEPROM – Electrically Erasable Programmable Read-Only Memory

FCC – Federal Communications Commission

GPS – Global Positioning System

ICCID – Integrated Circuit Card Identifier (the serial number of a SIM card)

IMSI – International Mobile Subscriber Identity

IrDA – Infrared Data Association

JTAG – Joint Test Action Group

LCD – Liquid Crystal Display

MHz – Megahertz

NAND – NAND flash; non-volatile storage technology that does not require power to retain data

NFC – Near Field Communication

NIST – National Institute of Standards and Technology

NOR – NOR flash; non-volatile storage technology that does not require power to retain data

PIN – Personal Identification Number

PUK – PIN Unblocking Key (also written PIN Unlock Key)

RAM – Random Access Memory

ROM – Read-Only Memory

SD – Secure Digital

SIM – Subscriber Identity Module

USB – Universal Serial Bus

Wi-Fi – Local area wireless networking technology