  • Published : January 31, 2013
SMALL SCALE DIGITAL DEVICE FORENSICS JOURNAL, VOL. 3, NO. 1, JUNE 2009 ISSN# 1941-6164


The Fraternal Clone Method for CDMA Cell Phones
Det. Cynthia A. Murphy
Abstract - There are times during the examination of CDMA cell phones where the available phone forensics tools do not allow the forensic examiner/analyst to extract the data they need from the device. At other times, the available tools may allow the forensic examiner/analyst to extract the full file system of a CDMA phone, but data contained in the file system is encoded in a proprietary manner and cannot be decoded using forensic tools such as EnCase or FTK. Additionally, there are a number of situations that might preclude a forensic examiner/analyst from using a camera to document the data on a phone, such as when the phone’s LCD screen is broken, the phone itself is broken, or the forensic examiner/analyst wishes to avoid physical manipulation of the phone to the extent possible during the examination. The CDMA Fraternal Clone method will allow the forensic examiner/analyst to transfer all user-created files and current settings from one CDMA phone into another phone, so that the target phone (CDMA Fraternal Clone) can be examined. The CDMA Fraternal Clone is used as a means to view the user created data and settings from the original phone in their native format allowing the forensic examiner/analyst to view and work with the extracted data in a way that emulates the original phone.

Index Terms - CDMA Cell Phone, CDMA Clone, Mobile Phone, BitPim, broken cell phone, broken mobile phone, Mobile Phone Forensics, Cell Phone Forensics, Cell Phone Forensics Techniques, CDMA, ESN, MIN, CDMA Protected Files

The CDMA Fraternal Clone method will allow the forensic examiner/analyst to transfer all user-created files and current settings from one CDMA phone into another, so that the target phone (CDMA Fraternal Clone) can be examined. The CDMA Fraternal Clone is used as a vehicle to view the user created data and settings from the original phone in their native format. The CDMA Fraternal Clone process allows the forensic examiner/analyst to view and work with the extracted data in a way that emulates the original phone.

I. INTRODUCTION

There are times during the examination of CDMA cell phones where the available phone forensics tools do not allow the forensic examiner/analyst to extract the specific data they need from the device. At other times, the available tools may allow the forensic examiner/analyst to extract the full file system of a CDMA phone, but data contained in the file system is still encoded in a proprietary manner and cannot be decoded using forensic tools such as EnCase or FTK. When these situations arise, a common fallback method is to document the contents of the phone screen by screen, using a camera system such as Project-A-Phone or ZRT. There are a number of situations that might preclude a forensic examiner/analyst from using a camera to document the data on a cell phone using screenshots, such as when the phone’s LCD screen is broken, the phone itself is broken, or the forensic examiner/analyst wishes to avoid physical manipulation of the phone to the extent possible during the examination. With GSM cell phones, a common solution used during the examination of the phone is to clone the SIM card from the evidentiary phone and to insert the cloned SIM card into another GSM phone to complete the examination. This method is not an option for CDMA phones because the data exists on internal storage chips within the phone and not on a SIM card.

Figure 1: Using the CDMA Fraternal Clone method, it is possible to transfer user data and settings from a broken CDMA phone to an intact one in order to view data from the original phone in its native format.

II. USES AND LIMITATIONS OF THE CDMA FRATERNAL CLONE METHOD

The CDMA Fraternal Clone method may be helpful to the forensic examiner/analyst under the following circumstances:...