Mobile Device Evidence File
Device Seizure

GSM Mobile Device Evidence File – Device Seizure

The data contained in the image was acquired using Paraben’s Device Seizure version 2.1 build 3079.29886.  While forensic mobile device acquisition tools continue to improve, the forensic workstation must be configured allowing successful playback of audio and video files as well as displaying foreign languages.

Scenario

The mobile device (manufacture/model depicted in image filename) image and acquisition type (i.e., logical, physical) contains data present on the internal memory of the mobile device and/or the Subscriber Identity Module (SIM).  The logical internal memory acquisition contains two audio files (one .wav and one .mp3) and two video files (i.e., .3gp) present in the mobile device’s internal memory.  Your task is to load the mobile device acquisition image with Device Seizure, locate the personalized audio and video files, export them and successfully open the files via the forensic workstation.  The second task is to properly display French and Chinese text messages and phonebook entries found in both the device’s internal memory and the SIM internal memory.  The final task is to load the physical acquisition and locate the long note (3000 characters) located in PM Memory.

Answer

The mobile device logical internal memory image (i.e., nokia_6101_logical) contains two audio files of type .mp3 and .wav and two .3gp video files.   Additionally, phonebook and text message entries residing on the mobile device internal memory and Subscriber Identity Module (SIM) are illustrated below.
Phonebook entries in French and Chinese.

1. Aurélien
2. 阿恶哈拉            

Text messages in French and Chinese.

1. 阿恶哈拉噢怕他呀把的哈哈来了没品牌突永远宝贝得到共和国快快乐乐农事事顺心推托喜洋洋宝宝等等恍恍惚惚快快乐乐农民柔情似水推托一心一意阿恶
2. Conformément à la législation franÇaise liphone sera également propose nu et déblo permettant ainsi de choisir son opérateur.  Ceci aura toutefois un prix probablement 999 euros il devra en tout cas etre suffisamment prohibitif car dans ce cas apple ne touchera pas de commission sur les abonnements une exception franÇaise
3. Long Note begins with: The goal of the CFTT project at NIST is to establish a methodology for testing computer forensic software tools by development of general tool specifications, test procedures, test criteria, test sets, and test hardware….

Creating this test image

The test image was created first by populating data onto the internal memory of a mobile device and associated media (i.e., subscriber identity module [SIM]) and acquiring the data with Paraben’s Device Seizure version 2.1. 
The test images provide mobile forensics specialists using Paraben’s Device Seizure the ability to determine if the forensic application and workstation are setup to display foreign character sets and to ensure that the forensic workstation is properly configured to support .3gp files and audio files.