6.1 Potential Evidence

Mobile device manufacturers typically offer a similar set of information handling features and capabilities, including Personal Information Management (PIM) applications, messaging and e-mail, and web browsing. The set of features and capabilities vary based on the era in which the device was manufactured, the version of firmware running, modifications made for a particular service provider, and any modifications or applications installed by the user. The potential evidence on these devices may include the following items:

 Subscriber and equipment  Audio and video recordings identifiers  Multi-media messages  Date/time, language, and other settings

 Instant messaging  Phonebook/Contact

 Web browsing activities information

 Electronic documents  Calendar information

 Social media related data  Text messages

 Application related data  Outgoing, incoming, and missed call logs

 Location information  Electronic mail

 Geolocation data  Photos Even esoteric network information found on a UICC may prove useful in an investigation. For

example, if a network rejects a location update from a phone attempting to register itself, the list of forbidden network entries in the Forbidden PLMNs (Public Land Mobile Networks) elementary file is updated with the code of the country and network involved [3GP05a]. This list is maintained on the UICC and is due to service being declined by a foreign provider. The mobile device of an individual suspected of traveling to a neighboring country might be checked for this information.

The items present on a device are dependent not only on the features and capabilities of the mobile device, but also on the voice and data services subscribed to by the user. For example, prepaid phone service may rule out the possibility for multi-media messaging, electronic mail, and web browsing. Similarly, a contract subscription may selectively exclude certain types of service, though the phone itself may support them.

Two types of computer forensic investigations generally take place. The first type is where an incident has occurred but the identity of the offender is unknown (e.g., a hacking incident). The second is where the suspect and the incident are both known (e.g., a child-porn investigation). Prepared with the background of the incident, the forensic examiner and analyst may proceed toward accomplishing the following objectives:

Gather information about the individual(s) involved {who}.

Determine the exact nature of the events that occurred {what}.

Construct a timeline of events {when}.

Uncover information that explains the motivation for the offense {why}.

Discover what tools or exploits were used {how}. In many instances the data is peripheral to an investigation or useful in substantiating or

refuting the claims of an individual about some incident. On occasion, direct knowledge, refuting the claims of an individual about some incident. On occasion, direct knowledge,

Installed executable programs may also have relevance in certain situations. Often times the most important data recovered is that which links to information held by the service provider. Service providers maintain databases for billing or debiting accounts based on call logs, which can be queried using the subscriber or equipment identifiers. Similarly, undelivered SMS text messages, multi-media, or voice messages may also be recoverable. This may allow an examiner to validate their findings as the data obtained from the device may be verified with the data obtained from the service provider.