ASTM E3046-2015 Standard Guide for Core Competencies for Mobile Phone Forensics (PDF)

Uploaded by: 王申宇  Document ID: 532284  Upload date: 2018-12-05  Format: PDF  Pages: 4  Size: 66.29 KB

Designation: E3046 - 15

Standard Guide for Core Competencies for Mobile Phone Forensics[1]

This standard is issued under the fixed designation E3046; the number immediately following the designation indicates the year of original adoption or, in the case of revision, the year of last revision. A number in parentheses indicates the year of last reapproval. A superscript epsilon (ε) indicates an editorial change since the last revision or reapproval.

1. Scope

1.1 This guide identifies the core competencies necessary for the handling and forensic processing of mobile cellular (cell) telephones (phones). It applies to both first responders and laboratory personnel.

1.2 Different levels of cell phone analysis are discussed, as well as the basic skills required at each of these levels.

1.3 This guide does not address core competencies for chip-off or MicroRead extraction methods.

1.4 Refer to the Scientific Working Group on Digital Evidence (SWGDE) Guidelines and Recommendations for Training in Digital and Multimedia Evidence for general training requirements of forensic practitioners.

1.5 This standard does not purport to address all of the safety concerns, if any, associated with its use. It is the responsibility of the user of this standard to establish appropriate safety and health practices and determine the applicability of regulatory limitations prior to use.

2. Referenced Documents

2.1 SWGDE Documents:[2]
SWGDE Guidelines and Recommendations for Training in Digital and Multimedia Evidence
SWGDE Minimum Requirements for Quality Assurance in the Processing of Digital and Multimedia Evidence
SWGDE Best Practices for Mobile Phone Forensics
SWGDE Best Practices for Examining Mobile Phones Using JTAG

2.2 NIST Documents:[3]
NIST Special Publication 800-101 Revision 1, Guidelines on Mobile Device Forensics

3. Significance and Use

3.1 This guide provides an outline of the knowledge, skills, and abilities all practitioners of mobile phone forensics should possess. The core competencies provide a basis for training and testing programs. This basis is suitable for certification, competency, and proficiency testing.

4. Core Competencies Overview

4.1 First responders are defined as individuals that might be responsible for the collection and minimal examination of a mobile phone. There are two levels of first responders. Level 1 first responders are individuals that collect or manually examine mobile phones, or both. Level 2 first responders are individuals that use a tool or software to extract data from the mobile phone. Laboratory personnel are defined as individuals that might be responsible for the collection and extensive examination of a mobile phone in a laboratory environment; their competencies are outlined in Section 7 below. The use of any tool to download/extract data from a mobile phone necessitates that proper training be completed by the individual using that tool.

4.2 The mobile phone forensics field continues to be dynamic and shares some aspects of traditional computer forensics. A practitioner should have an overall understanding of mobile forensics analysis and can remain current by reading trade journals, taking classes, participating in professional organizations, taking continuing education, on-the-job training, and hands-on experience.

4.3 An examiner shall adhere to:
4.3.1 All appropriate standard operating procedures and policies, and
4.3.2 A code of ethics including neutrality in the scientific processes.

4.4 An examiner should apply all principles as defined in the SWGDE Minimum Requirements for Quality Assurance in the Processing of Digital and Multimedia Evidence.

4.5 An examiner might be assigned casework that falls within one or more of the following levels and should, therefore, have the appropriate level of training to perform the examination.

4.6 The concept of levels of extraction for mobile devices is not new to the mobile forensics field, but it is important that the reader have a basic understanding of this concept to best comprehend the technical aspects of this document.[4] The level of extraction technique used will be dependent on the request and the specifics of the investigation. Higher levels of analysis require a more comprehensive examination and additional skills, and might not be applicable nor possible for every device or situation. The levels are:

4.6.1 Manual: A process that involves the manual manipulation of the keypad and handset display to document data present in the mobile phone's internal memory.

4.6.2 Logical: A process that provides access to the user-accessible files. This process will not generally provide access to deleted data. This includes file system extractions.

4.6.3 Hex Dumping/Joint Test Action Group (JTAG): A process that provides the forensic examiner more direct access to the raw information stored in the flash memory of a mobile phone's data. This might provide access to deleted data that has not been overwritten.

4.6.4 Chip-Off: A process that involves the direct reading and extraction of data as contained within a memory chip (generally requiring removal) to then conduct analysis on the data extracted. This includes In-System Programming (ISP).

4.6.5 MicroRead: A process that involves the use of a high-power microscope to provide a physical view of the electronic circuitry of memory. This would typically be used when acquiring data from physically damaged memory chips.

5. Core Competencies for First Responders (Level 1)

5.1 The competencies listed below outline the minimum requirements for a first responder manually analyzing a mobile phone in the field without the use of an examination tool. An example of a Level 1 first responder would be a patrol officer/case agent who encounters a mobile phone during the course of an investigation.

5.2 Three examples of manual examinations include: (1) browsing through a mobile phone's handset to view the data stored in the phone, (2) photographing or videotaping the data found on the screen, or (3) manually transcribing the data as viewed on the screen of a device.

5.3 The Level 1 first responder shall understand:
5.3.1 Proper evidence handling, labeling, preservation, and seizure (for example, obtain the personal identification number (PIN) or pattern lock codes before seizure);
5.3.2 Possible damage that can be caused to mobile devices by exposure to fluids (bodily or other), as well as the proper evidence preservation and decontamination procedures based on the substance(s) involved;
5.3.3 Consequences and risks associated with manipulating the mobile phone to be examined;
5.3.4 Placing a foreign subscriber identification module (SIM) or memory cards in different computers or mobile phones might modify data;
5.3.5 Removal and replacement of a battery might cause the phone to restart;
5.3.6 Applicable legal authority and case law;
5.3.7 Importance of proper documentation;
5.3.8 Need to verify the data as recorded from the mobile phone;
5.3.9 Importance of creating a report of their findings; and
5.3.10 The possible need to prioritize processing a phone for other traditional forensic evidence (for example, fingerprints, deoxyribonucleic acid (DNA), blood, or trace evidence issues) as well as for data extraction.

6. Core Competencies for First Responders (Level 2)

6.1 Level 2 includes all Level 1 competencies plus the following competencies. Examples of these types of examinations include: extraction and analysis of data, call log information, multimedia data, file carving, and timeline creation from timestamps and other file system metadata.

6.2 The competencies listed in 6.3 give the minimum requirements for a first responder that uses an examination tool to analyze a mobile phone. An example of a Level 2 first responder would be a properly trained patrol officer/case agent who uses a software or hardware device to conduct logical and file system examinations and download data (for example, contacts, call history, text messages (short message service/multimedia messaging service (SMS/MMS)), pictures, video, audio, voicemail, e-mail, application data, website history, device information, calendar, notes, etc.) from a mobile phone.

6.3 The Level 2 first responder shall:
6.3.1 Define important acronyms used to describe cell phone components and their functions;
6.3.2 Identify the following types of cell phones: global system for mobile communications (GSM), code division multiple access (CDMA), and integrated digital enhanced network (iDEN);
6.3.3 Identify what information can be stored in a handset;
6.3.4 Identify what information can be stored on a SIM card;
6.3.5 Identify other locations where information can be stored;
6.3.6 Understand the legal issues associated with mobile phones (for example, scope of warrant, consent, case law, licensing by state, opening unopened voicemail, and certification requirements);
6.3.7 Have the ability to isolate a cell phone from the provider signal by powering off the phone, using radio frequency (RF) shielding, or disabling all radio communications;
6.3.8 Have the ability to explain the advantages and disadvantages of powering off the mobile phone;
6.3.9 Describe methods and tools for processing mobile phones as outlined in NIST Special Publication 800-101, Revision 1, Section 3.1;
6.3.10 Understand the importance of the use of a compatible extraction cable and any required device driver, and the implications of using incompatible cables or drivers for data extraction;
6.3.11 Have knowledge of tool functionality, their limitations, and the possible need for additional examination (for example, logical dumps of data may not retrieve deleted data from the handset, SIM card, or memory cards);
6.3.12 Understand the need to perform tool testing, maintenance, and validation;
6.3.13 Understand SWGDE's Best Practices for Mobile Phone Forensics;
6.3.14 Understand the difference between read versus unread messages and how processing a mobile phone can alter them;
6.3.15 Understand that data from media cards might not be extracted using some software or hardware devices; and
6.3.16 Have the ability to explain in court the use of utilized tools.

7. Core Competencies for Laboratory Personnel

7.1 The competencies listed in 7.2 to 7.6 outline the minimum requirements for an examiner performing analysis on mobile phones in a laboratory environment. This level of analysis is designed for the forensic examiners working in a forensic laboratory setting and includes all competencies as previously identified in Levels 1 and 2.

7.2 Universal Integrated Circuit Card (UICC)/Subscriber Identity Module (SIM) Processing: Laboratory personnel shall have knowledge of:
7.2.1 Various types of identity cards (for example, SIM, universal subscriber identity module (USIM), CDMA subscriber identity module (CSIM), and removable user identity module (RUIM));
7.2.2 UICC card identification (international mobile subscriber identity (IMSI) versus integrated circuit card identifier (ICCID));
7.2.3 Physical characteristics of various UICC card sizes (for example, standard, mini, micro, and nano);
7.2.4 Creation and correct use of a cellular network isolation card (CNIC) for network isolation;
7.2.5 Types and locations of data stored on UICC cards;
7.2.6 Cellular service related information: ICCID, IMSI, and mobile station international subscriber directory number (MSISDN);
7.2.7 Phonebook and call information: abbreviated and last dialed numbers;
7.2.8 Messaging information: SMS and enhanced messaging service (EMS); and
7.2.9 Location information (LOCI) and general packet radio service location (GPRSLOCI).

7.3 Handset Processing: Laboratory personnel shall:
7.3.1 Understand the differences between feature phones and smartphones;[5] and
7.3.2 Have the ability to identify mobile phones that contain more than one SIM card.

7.4 Manual/Logical/Hex Dump/Joint Test Action Group (JTAG) Extraction Techniques:
7.4.1 Understand the difference between logical (Levels 1 and 2) and physical (Levels 3 to 5) analysis, the types of data that can be extracted at each level, and how each tool's extraction method applies to that tool. Additional information on JTAG extraction best practices can be found in: SWGDE Best Practices for Examining Mobile Phones Using JTAG.
7.4.2 Understand that chip-off and hex dumping/JTAG (boundary scan), that is, physical extractions, result in the creation of a bit-by-bit copy of the internal memory in a mobile phone. The data extracted provides advantages over logical examinations by providing the examiner access to allocated and unallocated data stored on the mobile phone. Some limitations of these methods include: (1) the difficulty of decoding data due to closed file systems, (2) the length of time necessary for the analysis, and (3) the possible need to use multiple tools to process the data.
7.4.3 Understand the different connectivity options (cable, Bluetooth,[6] and infrared detection and array (IrDA)).
7.4.4 Understand the need to use a battery with a sufficient charge capable of completing the data extraction (battery charge 50 % or higher).
7.4.5 Have the ability to power a device when the manufacturer power cable is not present or not functioning (variable direct current (dc) power supply).
7.4.6 Have the ability to differentiate between various security features including, but not limited to: handset lock, PIN lock, and personal unlocking key (PUK).

7.5 Memory Card Processing: Laboratory personnel shall:
7.5.1 Have the ability to image and process memory cards using computer forensic tools and best practices,
7.5.2 Understand that processing memory cards while in a mobile phone might not provide deleted data from the memory card, and
7.5.3 Understand that processing a memory card while in the mobile phone might provide different results than processing it externally.

7.6 Damaged Mobile Phones: Mobile phones might be damaged when received in the laboratory for processing. The type of damage will determine the method to repair the phone for data extraction. The examiner should be able to understand:
7.6.1 How to recognize and process phones that are physically damaged,
7.6.2 Proper ways to decontaminate a mobile phone damaged by fluids (for example, water and bodily fluids),
7.6.3 How to process a mobile phone that has a damaged screen,
7.6.4 How to repair minor damage to mobile phone system boards, and
7.6.5 When a phone is unable to be processed based on the laboratory's capabilities and when to use a higher level of analysis.

7.7 Backup Data: So

Footnotes

[1] This guide is under the jurisdiction of ASTM Committee E30 on Forensic Sciences and is the direct responsibility of Subcommittee E30.12 on Digital and Multimedia Evidence. Current edition approved Dec. 1, 2015. Published February 2016. DOI: 10.1520/E3046-15.
[2] Available from the Scientific Working Group on Digital Evidence (SWGDE), https://www.swgde.org.
[3] Available from National Institute of Standards and Technology (NIST), 100 Bureau Dr., Stop 1070, Gaithersburg, MD 20899-1070, http://www.nist.gov.
[4] Please see NIST Special Publication 800-101, Revision 1, Section 3.1, for additional information.

Copyright ASTM International, 100 Barr Harbor Drive, PO Box C700, West Conshohocken, PA 19428-2959, United States.
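The UICC identification competency in 7.2.2 (IMSI versus ICCID) is the one place in this guide where a small worked check helps: the two identifiers are both long digit strings read from the same card and are routinely confused or mistranscribed. The following Python is an added example, not part of the ASTM text; it assumes the ITU-T E.118 ICCID format (19 or 20 digits on SIM cards, leading 89, trailing Luhn check digit) and the ITU-T E.212 IMSI format (15 digits: MCC, MNC, MSIN), and all sample numbers are constructed test-network values.

```python
"""Added example (not from ASTM E3046): telling an ICCID from an IMSI, per 7.2.2.
Assumptions: ICCID per ITU-T E.118 (19 or 20 digits on SIM cards, starts with
89, Luhn check digit last); IMSI per ITU-T E.212 (15 digits: 3-digit MCC,
2- or 3-digit MNC, then MSIN). Sample values are constructed test-network
numbers, not real cards or subscribers."""


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify_identifier(value: str) -> str:
    """Classify a digit string read from a card as ICCID, IMSI or unknown.
    A Luhn failure on an ICCID-shaped string usually means a transcription
    error (5.3.8: verify the data as recorded), so it is reported, not hidden."""
    digits = value.replace(" ", "")
    if not digits.isdigit():
        return "unknown"
    if len(digits) in (19, 20) and digits.startswith("89"):
        return "ICCID" if luhn_valid(digits) else "ICCID-checksum-error"
    if len(digits) == 15:
        return "IMSI"
    return "unknown"


def split_imsi(imsi: str, mnc_len: int = 2) -> dict:
    """Split an IMSI into MCC, MNC and MSIN. The MNC length (2 or 3) depends
    on the country and must come from an operator table, so it is passed in."""
    if classify_identifier(imsi) != "IMSI" or mnc_len not in (2, 3):
        raise ValueError("not a 15-digit IMSI or invalid MNC length")
    return {"mcc": imsi[:3], "mnc": imsi[3:3 + mnc_len], "msin": imsi[3 + mnc_len:]}


if __name__ == "__main__":
    # Constructed ICCID: body 890123456789012345, Luhn check digit 5.
    for sample in ("8901234567890123455", "8901234567890123456", "001010123456789"):
        print(sample, "->", classify_identifier(sample))
    print(split_imsi("001010123456789"))
```

The check-digit failure case is the useful one in practice: a 19-digit number that starts with 89 but fails Luhn was almost certainly copied wrong from the card or the tool output and should be re-read before it goes into the report.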
