Security configuration of Android devices

Android version 6 Marshmallow introduced the gatekeeper lock format. Additionally, some Android devices which ship with v6 or later will have Full Disk Encryption enabled. This page aims to summarise security configuration details relating to Android devices. To determine whether an Android device is hardware-backed, navigate to Settings – Security – Credential Storage – Storage type. […]

Regular expressions and search terms for phone examiners

This page is intended to act as a resource for phone forensic examiners who are working with physical extractions (“hex dumps”) of mobile phone handsets. It aims to provide advice as well as usable search terms and regular expressions that phone examiners can use to find key data within a mass of hex data.

Default Handset Security Codes

Most mobile phone handset manufacturers provide some form of security code or PIN function on their devices which is separate to the PIN mechanism provided by the SIM.

Default SIM PINs

Some communications service providers (CSPs) issue their SIM cards pre-configured with the same default PIN on all of their cards. This practice is by no means universal worldwide and in some countries, different default PINs are set on each SIM issued. The table below attempts to document the behaviour of each network provider.

IMSI and ICCID Prefixes

GSM and 3G SIM cards are configured with two identifiers: an ICCID and an IMSI. The ICCID (Integrated Circuit Card Identifier) can be thought of as the serial number of the card itself whereas the IMSI (International Mobile Subscriber Identity) is analogous to an account number for the mobile subscriber.

Android folder paths for microSD and eMMC storage

All Android devices will have the facility to provide external storage which could be one or both of the following: a removable microSD card – some, but not all Android devices provide a microSD card slot; an eMMC chip soldered to the circuit board of the device – some, but not all devices may contain an eMMC […]

iOS Photo Attribution flowchart

Flowchart for assisting in attributing photos which may have been synchronised via PhotoStream or shared via iCloud Photo Sharing.

Example cover sheet for a mobile forensic extraction

Suggested wording for a cover sheet that might accompany a mobile device extraction report.

Proposed Model for Defining the Role of a Mobile Forensic Examiner

This document is intended to accompany the slide presentation “Has Anyone Seen A Career Path Around Here?” first delivered by Kevin Mansell in June 2014. About this document: This document is intended to accompany the slide presentation by Kevin Mansell of Control-F, entitled “Has anyone found a career path?” and provides further detail than can […]

Mobile Telephone Examiner’s Conference, Blackpool

Kevin Mansell was invited to address over a hundred phone examiners from the law enforcement community at the Mobile Telephone Examiner’s Conference in February 2009. Kevin delivered a presentation titled ‘How Big Is Your Iceberg?’ which is now frequently referred to simply as ‘The Iceberg’ presentation.