Anyone read the article in Forensic Magazine August/September 2009 issue titled "Examining Cellular Phones and Handheld Devices" by Don L. Lewis?
Yes, what do you seek in the write-up? You can access it on http//
Seek? Your opinions and insight into the article.
I was reading the paper version.
Don writes:
[It is crucial to understand that there are a number of obstacles which may be encountered while conducting examinations of handheld devices. The most rudimentary devices may have a limited storage capacity. This can create situations where evidence can easily be lost or overlooked. In some devices, there may only be space for twenty stored call history entries, with a FIFO scheme. FIFO is the acronym for “first in first out.” This creates a situation where the first entry is replaced once the available storage space has been filled. In our example, the moment we receive entry twenty-one, our first entry will be deleted and the new entry (twenty first) is added to our storage space. If we have a phone that has been in storage for several days/weeks/months, and we power it on in an unprotected state, it will connect to the service provider’s network and begin adding queued data that was not available when the device was powered off. This will result in the loss of potentially valuable evidence, by overwriting older and/or deleted entries.]
This would be avoided if the SIM was done first and then a clone/access card system was used to open the handset, as the faraday causes more problems than it saves.
In the article it states "logical, physical, and data dump (also known as a hex dump)."
I am not sure I could agree with this statement, but that is because I am not sure what the author intends to be understood by it?
- logical - I understand that point
- physical - I understand that point too
It is this statement "data dump (also known as a hex dump)."
Data dump/hex dump is a term given to mean an activity (to dump something) that has taken place or may be performed in the future and, as I understand it, it is not meant to describe a parameter where data are recovered (located), whether recorded or deleted so to speak. So if data dump/hex dump doesn't mean recover logically recorded data or physical data comprising all data located in files, *slack-space and free space what data are data dump/hex dump referring to?
*With respect to the term slack space, which arises from its discovery (many years back) from our professional colleagues over in computer forensics, I have used that with reference to mobile phones and SIM cards for the following reasons:
When recovering data blocks from assigned offsets in memory it is possible to recover remnants (some may say artefacts) that remain connected with a 'file' (if you don't mind me using that as a loose term) but not accessible in that file by the user (it's the old data from where the file has been updated, perhaps).
SIM cards too have another form of 'active' slack space data that can remain in use even after a main file has been deleted, even though the main file created the slack space data. This is because some data need to be recorded in extensions and chaining files in SIM that remain in the active slack space area that might need to be retained because they may be used by another file or application. So whilst a main file can be deleted the remnants in active slack space may not be deleted after the main file has gone.
Quote: "This would be avoided if the SIM was done first and then a clone/access card system was used to open the handset, as the faraday causes more problems than it saves"
Unfortunately, with CDMA phones, this is not an option. The main options are either faraday, as described in Don's article, or placing the phone in offline/airplane mode either via the phone's menu or with BitPim.
Joe
Joe,
I wasn't aware of the CDMA set up, I only deal in GSM. How come you cannot clone the SIM etc.? For my own knowledge base I would be interested, thanks.
bigjon,
CDMA phones do not have SIM cards in them. All data is programmed directly into the phone by the service provider at the time of purchase. Service providers will also transfer the data when you upgrade to or purchase a new phone.
Hope this helps. Any other questions about CDMA, just ask. (I might be able to answer….. ? )
Joe
jmech, I always thought that CDMAs do not have a SIM, but they do have an equivalent on-board storage which has similar information.
I could be completely wrong, I just recall some black market phones in Malaysia that would work on Verizon network after some programming.
What I have read is that CDMA phones can have an R-UIM (Removable User Identity Module) which has been superseded by CSIM on a UICC card operated as an extension of GSM SIM.
The technical spec is here
http//
China, India, Thailand and Japan use them apparently.
I am wondering, but I haven't checked it out, haven't we seen Dual SIM card mobile phones coming in from China which may contain CSIM in UICC and GSM SIM in order to work with the two RF chipsets in the handset. Isn't the Samsung D880 ( http//