Data Acquisition from Cell Phone using Logical Approach

Cell phone forensics, the acquisition and analysis of data stored in a cellular phone, is now used by national investigation organizations and private companies. There are two methods for collecting data from a cell phone's flash memory. The first is a logical method, which acquires files and directories from the file system of the cell phone flash memory. The second is a low-level access method, which obtains all data through a bit-by-bit copy of the entire physical memory. In this paper, we describe a forensic tool that acquires cell phone flash memory data using the logical-level approach. With our tool, we can acquire the EFS file system and peek at memory data in an arbitrary region from Korean CDMA cell phones.



