Evidence Collection Master 2019 Official Edition

  • Software authorization: Shared software
  • Software size: 10.88MB
  • Software type: Domestic software
  • Update time: 2024-07-26
  • Application platform: winall
  • Software language: Simplified Chinese
  • Version: 2019 official version

The official version of Evidence Collection Master is mobile phone forensics software built for users. With the latest version, anyone can verify the origin, time and integrity of electronic data in real time. It is a tool for obtaining evidence that effectively prevents judicial evidence from being quietly tampered with; it uses advanced software forensics techniques, and its evidence collection results are very good.

Introduction

Evidence Collection Master is presented as the most professional Android mobile phone forensics software in China, and its effectiveness and efficiency at collecting evidence go without saying. Here is the latest professional version of Evidence Collection Master, with the detailed operating procedure included below.

Sources of evidence for Evidence Collection Master

In mobile phone forensics, the first step is to obtain electronic evidence with value as a clue from the sources associated with the phone. The phone's SIM card, internal memory, external memory card, and the mobile network operator's business databases together make up the important sources of evidence in mobile phone forensics.

1. Mobile network operator

The call data record database and the user registration database of a mobile network operator store a large amount of potential evidence. A record in the call data record database includes the phone numbers of the calling/called users, the IMEI numbers of the calling/called handsets, the call duration, the service type, and the network base stations serving the originating and terminating ends of the call. The user registration database also yields the user name, certificate number, address, mobile phone number, SIM card number with its PIN and PUK, the IMSI number, and the types of service the user has subscribed to. With our country's upcoming "real-name system", this information can play a very substantial role in future investigation and evidence collection.

2. SIM card

In a mobile communication network, the mobile phone and the SIM card together form the mobile terminal device. The SIM (Subscriber Identity Module) card is the customer recognition module, also known as the user identification card. The mobile network identifies the user through this card and also uses it to encrypt the user's voice during calls. At present, common SIM cards have storage capacities of 8KB, 16KB, 32KB and 64KB. By content, the data stored in a SIM card can be roughly divided into five categories:

(1) Original data stored by the SIM card manufacturer.

(2) The inherent information stored in the mobile phone, mainly the various authentication and encryption information: GSM's IMSI code, CDMA's MIN code, the IMSI authentication algorithm, and the encryption key generation algorithm.

(3) Personal data stored while the phone is in use, such as short messages, the phone book, schedules and call records.

(4) Data about the mobile network, including network service and user information data that is automatically stored and updated while the SIM card is in use. For example

(5) Other related mobile phone parameters, including the personal identification number (PIN) and the personal unlocking number (PUK).

3. Internal/external memory card

As mobile phone functions have grown, the capacity of the phone's built-in storage chip has kept expanding. According to the data it stores, mobile phone memory can be divided into two parts: a dynamic storage area and a static storage area (see Figure 1). The dynamic storage area mainly holds the temporary data generated while operating system instructions and user applications execute, while the static storage area holds the operating system, various configuration data, and some of the user's personal data.

From the perspective of mobile phone investigation and evidence collection, data in the static storage area often has greater evidential value. The GSM handset identifier IMEI, the CDMA handset identifier ESN, phone book data, sent, received and edited SMS messages, calling/called call records, ringtones, date and time, and network settings can all be obtained from this storage area. However, across different phones and mobile networks, these data differ in how they are read and in their content formats. In addition, to meet the demand for personalized phone functions, many brands and models provide external memory cards to expand storage capacity. The common external memory cards on the market are SD, MiniSD and Memory Stick. External memory cards are an important source of evidence when dealing with cases involving copyrights or rights.

Evidence Collection Master evidence collection process

Step 1: Preparation

First, download a picture in ".jpg" format from Baidu and copy it to the root directory of the phone's internal storage. The file is named "Meiya.jpg", as shown in Figure 1.

Send a text message to the number "1234567890" (this number, of course, does not exist) with the content "Mobile Forensics", as shown in Figure 2.


Step 2: Delete relevant information

Delete the picture "Meiya.jpg" shown in Figure 1 in the mobile phone file manager; delete the text message just sent in the mobile phone, as shown in Figure 3.

Step 3: Use your mobile assistant to get text messages

Connect the mobile phone to the computer and use Xiaomi mobile phone assistant and 91 mobile phone assistant to view and export text messages. The text message that was just deleted is not found.

Step 4: Use ADB Shell to view files

Install adb.exe on the computer ("ADB" is short for "Android Debug Bridge"; most mobile phone assistants come with adb.exe and install it). In the command prompt, switch the working directory to the directory containing adb.exe and enter "adb shell" to enter ADB shell mode. Then enter "su" to get root permissions, enter "cd /mnt/sdcard" to switch the current working path to the phone's internal storage, and enter "ls -l" to view the detailed file/folder list. The picture "Meiya.jpg" that was just deleted is not found, as shown in Figure 4.


Step 5: Acquire the phone image

Use the "Android image download" tool in the DC-4500 mobile phone forensics system to obtain a DD image of the phone's "/data" partition, as shown in Figure 5.


Step 6: Analyze the image

Open the DD image just created in WinHex and look near offset 02BE522FB, where the content shown in Figure 6 is found. The text message content "Mobile Forensics" is visible, with the number 1234567890 nearby, along with a string of digits "11 ****** 39", which is the Xiaomi account logged in on this phone.


Next, the content shown in Figure 7 is found near offset 005ccfff0 of the image file. From experience, this is the file header of a ".jpg" format picture, and further on is the end marker of a file in that format. Saving the content between the two into a file named "Unnamed" produces a picture that opens without problems in "Windows Photo Viewer", as shown in Figure 8.


Analysis of the results of evidence collection

Step 3 represents logical extraction. The various mobile phone assistants can all perform basic logical extraction. This kind of logical extraction uses the Android system's API to read SMS messages, but the system provides no API for obtaining messages that have been deleted, so logical extraction cannot retrieve deleted text messages. Logical extraction can also be done by backing up the relevant data and then parsing the backup. For example, Meiya Pico's mobile phone forensics products DC4501, FL-900 and others can extract some deleted text messages from an Android phone's backup file.

Step 4 represents logical browsing. It is easy to see why "Meiya.jpg" cannot be seen in adb shell: the picture has been deleted, and adb shell can only display what the file system presents. Once a file is deleted, the file system considers that it no longer exists.

Steps 5 and 6 represent physical acquisition. The image obtained in the example above is not a true "physical image". A more thorough physical image is obtained offline through chip-off (removing the chip). Working from a physical image is the most comprehensive method and gives the best results in evidence collection. The deleted content can be restored on the phone because the original content has not been overwritten; as long as the original data is still there, it can be recovered. It is like blotting out some chapters in a book's table of contents: if you only look at the table of contents, you will think these chapters do not exist, but as long as the actual content of the chapters has not been blotted out, you can find it by going through the book page by page.

At present, the Android system does not apply full encryption to the storage device. Once a physical image has been obtained, viewing it in a hexadecimal editor turns up many clues. Of course, this requires a lot of knowledge and rich experience with the signatures and encodings of common file types, and it is often not very efficient. When some files are partially damaged, knowledge of file carving may be needed. Automated tools, such as the open-source Scalpel, can help.

Partitions in the Android system generally use the EXT4 file system, and data can also be recovered easily with the corresponding data recovery software. In this example, loading this DD image into Evidence Collection Master's electronic data analysis system and using signatures restored 25,177 pictures, including the one deleted in the example, as shown in Figures 9 and 10.
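
The manual header-to-end-marker recovery in Step 6 and the signature-based recovery described above can be automated. The following Python code is an added example, not part of the original article or of any tool it names; `jpeg_end`, `carve_jpegs` and the sample bytes are constructed for illustration. It walks the JPEG segment structure instead of stopping at the first end marker, so a thumbnail embedded in the header does not cut the carved picture short.

```python
import hashlib

def jpeg_end(buf: bytes, start: int) -> int:
    """Offset just past the EOI of the JPEG at `start`, or -1 if it is incomplete."""
    pos, n = start + 2, len(buf)                  # skip the SOI marker FF D8
    while pos + 1 < n:
        if buf[pos] != 0xFF:
            return -1                             # a marker must start here
        marker = buf[pos + 1]
        if marker == 0xFF:                        # fill byte in front of a marker
            pos += 1
            continue
        if marker == 0xD9:                        # EOI: the picture ends here
            return pos + 2
        if marker <= 0x01 or 0xD0 <= marker <= 0xD8 or pos + 4 > n:
            return -1                             # marker without a length field
        seg_len = int.from_bytes(buf[pos + 2:pos + 4], "big")
        if seg_len < 2:
            return -1
        pos += 2 + seg_len                        # skip the segment, thumbnail included
        if marker == 0xDA:                        # SOS: entropy-coded data follows
            while True:
                pos = buf.find(b"\xff", pos)
                if pos == -1 or pos + 1 >= n:
                    return -1                     # data runs out before EOI
                nxt = buf[pos + 1]
                if nxt not in (0x00, 0xFF) and not 0xD0 <= nxt <= 0xD7:
                    break                         # real marker: resume the walk
                pos += 1 if nxt == 0xFF else 2    # stuffed FF 00 or restart marker
    return -1

def carve_jpegs(image: bytes):
    """Return (offset, sha256, data) for every complete JPEG in a raw image."""
    hits, pos = [], 0
    while (start := image.find(b"\xff\xd8\xff", pos)) != -1:
        end = jpeg_end(image, start)
        if end == -1:
            pos = start + 1                       # false hit or overwritten tail
            continue
        data = image[start:end]
        hits.append((start, hashlib.sha256(data).hexdigest(), data))
        pos = end
    return hits

# Constructed sample: minimal JPEG structure with an embedded thumbnail, plus a truncated header.
THUMB = b"\xff\xd8\xff\xdb\x00\x02\xff\xd9"
APP1 = b"Exif\x00\x00" + THUMB
SAMPLE_JPEG = (b"\xff\xd8\xff\xe1" + (len(APP1) + 2).to_bytes(2, "big") + APP1
               + b"\xff\xda\x00\x02\x12\xff\x00\x34\xff\xd0\x56\xff\xd9")
SAMPLE_IMAGE = b"\x00" * 512 + SAMPLE_JPEG + b"\x00" * 64 + b"\xff\xd8\xff\xe0\x00\x10truncated"
```

Run against a read-only copy of the DD image, the returned offset and SHA-256 give each recovered picture a position and a fixed fingerprint that can be recorded with the case notes.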


At present, most mobile phones are connected to the computer to view and manage the files on the phone. Some programs that rely on the SDCARD partition behave abnormally. MTP mode sits above the file system layer, so data recovery cannot be performed over an MTP connection. Making a physical image has no such concern.

In addition, while the phone is running, system activity, program activity and user actions continually change the data on the phone. From the standpoint of preserving the original state of the examined material, making an image of the phone is the best choice.

Evidence Collection Master update log

1. Fixed some bugs

2. Optimized some functions
