NIST SP800-101：手机取证指南：技术特性与法律调查应用

需积分: 10 100 浏览量更新于2024-07-16 收藏 1.45MB PDF 举报

NIST SP800-101,正式名称为《NIST关于移动电话法医指南》，是由美国国土安全部赞助的一份专门针对手机取证的官方建议。这份指南旨在为执法机构、应急响应团队以及其他调查类型的人员提供基础信息，帮助他们理解和处理与手机（包括智能手机）相关的数字证据。它关注了手机的特性，特别是智能手机的高级功能，如存储的数据类型、操作系统、应用程序以及可能存在的加密和隐私设置。该指南涵盖了在调查过程中应考虑的关键环节，包括证据的收集、保护、分析和报告过程。它阐述了如何在合法性和隐私权之间寻求平衡，尤其是在组织安全人员和法律调查人员面对手机数据时，如何遵循当地的、州的、联邦的和国际的法律和规定。它并不是一个详尽无遗的法医调查步骤手册，也不提供法律咨询，而是为读者提供了一种理解手机技术及其可能涉及的法医分析方法的视角。 NIST SP800-101的内容基于作者的专业意见和现有法医指南的参考，强调了实践中的最佳做法，但读者在实施这些推荐时，必须与管理层和法律官员紧密合作，确保符合具体环境下的法律要求。指南中的技术和方法可能随着科技发展而更新，因此，持续学习和适应新技术对于保持与法医调查的最新标准至关重要。 NIST SP800-101为手机取证领域提供了一份实用的指导，它帮助专业人士应对日常调查中遇到的复杂问题，同时提醒他们在执行任务时需遵守严格的法律框架，以维护公正和合法的程序。

Guidelines on Cell Phone Forensics

Subsystem. The transceivers at the BTS can be configured in a variety of ways. A typical

configuration involves three distinct sectors of 120 degree coverage: 0 degrees North to 120

degrees Southeast, 120 degrees Southeast to 240 degrees Southwest, and 240 degrees

Southwest to 360 degrees North. A cell identifier uniquely identifies the BTS and sector

involved in servicing a call.

Figure 1: Cellular Network Organization

The MSC controls a set of BSCs and manages overall communications throughout the cellular

network, including interfacing to the public switch telephone network. To perform its tasks,

the MSC uses several databases. A key database is the central repository system for subscriber

data and service information, called the Home Location Register (HLR). Another database

used in conjunction with the HLR for mobile phones roaming outside of their service area is

the Visitor Location Register. Account information, such as data about the subscriber (e.g., a

billing address), the subscribed services, and the location update last registered with the

network are maintained at the HLR and used by the MSC to route calls and messages and to

generate usage records called call detail records. The subscriber account data and call detail

records are often a valuable source of evidence in an investigation.

2.2 Mobile Phone Characteristics

Mobile phones are highly mobile communications devices that perform an array of functions

ranging from that of a simple digital organizer to that of a low-end personal computer.

Designed for mobility, they are compact in size, battery powered, and lightweight. Most cell

phones have a basic set of comparable features and capabilities. They house a microprocessor,

read only memory (ROM), random access memory (RAM), a radio module, a digital signal

processor, a microphone and speaker, a variety of hardware keys and interfaces, and a liquid

crystal display (LCD). The operating system (OS) of the device is held in ROM, which with

the proper tools typically can be erased and reprogrammed electronically. RAM, which for

Guidelines on Cell Phone Forensics

certain models may be used to store user data, is kept active by batteries, whose failure or

exhaustion causes that information to be lost.

The latest cell phones come equipped with system-level microprocessors that reduce the

number of supporting chips required and include considerable memory capacity. Built-in Mini

Secure Digital (MiniSD)

, MultiMedia Card Mobile (MMCmobile)

, or other types of card

slots support removable memory cards or specialized peripherals, such as an SDIO WiFi card.

Wireless communications such as infrared (i.e., IrDA) or Bluetooth may also be built into the

device.

Different devices have different technical and physical characteristics (e.g., size, weight,

processor speed, memory capacity). Devices may also use different types of expansion

capabilities to provide additional functionality. Furthermore, cell phone capabilities

sometimes include those of other devices such as PDAs, global positioning systems, and

cameras. Overall, they can be classified as basic phones that are primarily simple voice and

messaging communication devices; advanced phones that offer additional capabilities and

services for multimedia; and smart phones or high-end phones that merge the capabilities of an

advanced phone with those of a PDA. Table 1 highlights the general hardware characteristics

of basic, advanced, and smart phone models, which underscore this diversity.

Table 1: Hardware Characterization

Basic Advanced Smart

Processor

Limited Speed Improved Speed Superior Speed

Memory

Limited Capacity Improved Capacity

Superior Capacity, Built-in

Hard Drive Possibility

Display

Grayscale Color

Large size, 16-bit Color

(65,536 colors) or Higher

Card Slots

None MiniSD or MMCmobile MiniSDIO or MMCmobile

Camera

None Still Still, Video

Text Input

Numeric Keypad

Numeric Keypad, Soft

Keyboard

Touch Screen,

Handwriting Recognition,

Built-in QWERTY-style

Keyboard

Cell

Interface

Voice and Limited Data

Voice and High Speed

Data

Voice and Very High

Speed Data

Wireless

IrDA IrDA, Bluetooth IrDA, Bluetooth, WiFi

Battery

Fixed, Rechargeable

Lithium Ion Polymer

Removable,

Rechargeable Lithium Ion

Polymer

Removable,

Rechargeable Lithium Ion

Note that the characteristics used in this classification scheme are illustrative. The features of

actual devices do vary and can span more than one category identified. Over time, advanced

The Secure Digital home page can be found at: http://www.Sdcard.org

The MultiMediaCard home page can be found at: http://www.mmca.org

Guidelines on Cell Phone Forensics

features also tend to appear in more basic phones as new ones are added to the high end.

Though the lines among this classification scheme are somewhat fuzzy and dynamic, it

nevertheless serves as a general guide.

Despite the type of cell phone, nearly all devices support voice and text messaging, a set of

basic Personal Information Management (PIM) applications that includes phonebook and date

book facilities, and a means to synchronize PIM data with a desktop computer. More

advanced devices also provide the ability to perform multimedia messaging, connect to the

Internet and surf the Web, exchange electronic mail, or chat using instant messaging. They

may also provide enhanced PIM applications that work with specialized built-in hardware,

such as a camera.

Finally, very high-end devices called smart phones add PDA-like capability for reviewing

electronic documents (e.g., reports, briefing slides, and spreadsheets) and running a wide

variety of general and special-purpose applications. Smart phones are typically larger than

other phones, support a bigger-size display (e.g., ¼ VGA and higher), and may have an

integrated QWERTY keyboard or touch sensitive screen. They also offer more extended

expansion capabilities through peripheral card slots, other built-in wireless communications

such as Bluetooth and WiFi, and synchronization protocols to exchange other kinds of data

beyond basic PIM data (e.g., graphics, audio, and archive file formats). Table 2 lists the

differences in software capabilities found on these device classes.

Table 2: Software Characterization

Basic Advanced Smart

Proprietary Proprietary

Linux, Windows Mobile, RIM

OS, Palm OS, Symbian

PIM

Simple Phonebook Phonebook and Calendar

Reminder List, Enhanced

Phonebook and Calendar

Applications

None MP3 Player

MP3 Player, Office

Document Viewing

Messaging

Text Messaging

Text with Simple

Embedded Images and

Sounds (Enhanced Text)

Text, Enhanced Text,

Full Multimedia Messaging

Chat

None SMS Chat Instant Messaging

None

Via Network Operator’s

Service Gateway

Via POP or IMAP Server

Web

None Via WAP Gateway Direct HTTP

Wireless

IrDA IrDA, Bluetooth IrDA, Bluetooth, WiFi

The basic and advanced cell phones typically use a company proprietary operating system. A

number of companies specializing in embedded software also offer real-time operating system

solutions for manufacturers of portable devices, including cell phones. Nearly all cell phones

claiming to be smart phones use one of the following operating systems: Palm OS, Windows

Mobile (phone edition), RIM OS, Symbian OS, or Linux. Unlike the more limited, real-time

kernels in basic and advanced phones, these operating systems are multi-tasking and full-

featured, designed specifically to match the capabilities of high-end mobile devices. Besides a

wide array of applications, they often come complete with a Java Virtual Machine and native

Guidelines on Cell Phone Forensics

application support using a Software Development Kit (SDK) for C++ or another language.

Characteristics of a wide range of past, current, and future cell phones can be found on

manufacturer and vendor Web sites, as well as product review sites.

2.3 Identity Module Characteristics

Subscriber Identity Modules are synonymous with mobile phones and devices that interoperate

with GSM cellular networks. Under the GSM framework, a cellular phone is referred to as a

Mobile Station and is partitioned into two distinct components: the Subscriber Identity Module

(SIM) and the Mobile Equipment (ME). As the name implies, a SIM is a removable

component that contains essential information about the subscriber. The ME, the remaining

radio handset portion, cannot function fully without one. The SIM’s main function entails

authenticating the user of the cell phone to the network to gain access to subscribed services.

The SIM also provides storage for personal information, such as phone book entries and text

messages, as well as service-related information.

The SIM-ME partitioning of a cell phone stipulated in the GSM standards has brought about a

form of portability. Moving a SIM between compatible cell phones automatically transfers

with it the subscriber’s identity and the associated information and capabilities. In contrast,

present-day CDMA phones do not employ a SIM. Analogous SIM functionality is instead

directly incorporated within the device. While SIMs are most widely used in GSM systems,

comparable modules are also used in iDEN phones and UMTS user equipment (i.e., a USIM).

Because of the flexibility a SIM offers GSM phone users to port their identity, personal

information, and service between devices, eventually all cellular phones are expected to

include (U)SIM-like capability. For example, requirements for a Removable User Identity

Module (R-UIM), as an extension of SIM capabilities, have been specified for cellular

environments conforming to TIA/EIA/IS-95-A and -B specifications, which include Wideband

Spread Spectrum based CDMA [3GP02].

At its core, a (U)SIM is a special type of smart card that typically contains a processor and

between 16 to 128 KB of persistent electronically erasable, programmable read only memory

(EEPROM). It also includes RAM for program execution and ROM for the operating system,

user authentication and data encryption algorithms, and other applications. The (U)SIM’s

hierarchically organized file system resides in persistent memory and stores such things as

names and phone number entries, text messages, and network service settings. Depending on

the phone used, some information on the (U)SIM may coexist in the memory of the phone.

Information may also reside entirely in the memory of the phone instead of available memory

reserved for it in the file system of the (U)SIM [Wil05, Jan06].

The (U)SIM operating system controls access to elements of the file system [3GP05a].

Actions such are reading or updating can be permitted or denied unconditionally, or allowed

conditionally with certain access rights. Rights are assigned to a subscriber through 4-8 digit

Personal Identification Number (PIN) codes. PINs protect core (U)SIM subscriber-related

data and certain optional data. PIN codes can be modified by the subscriber, and their function

disabled or enabled. A preset number of attempts, usually three, are allowed for providing the

correct PIN code to the (U)SIM before further attempts are blocked completely, rendering

communications inoperative. Only by providing a correct PIN Unblocking Key (PUK) can the

For example, specifications and product reviews for many current cell phones can be found at http://www.cnet.com.

Guidelines on Cell Phone Forensics

value of a PIN and its attempt counter be reset on the (U)SIM. If the number of attempts to

enter the correct PUK value exceeds a set limit, normally ten attempts, the card becomes

blocked permanently. The PUK for a PIN can be obtained from the service provider or

network operator by providing the identifier of the SIM (i.e., its Integrated Circuit Chip

Identifier or ICCID). The ICCID is normally imprinted on the (U)SIM, but can also be read

from an element of the file system.

(U)SIMs have a width of 25 mm, a height of 15 mm, and a thickness of .76 mm, which is

roughly the footprint of a postage stamp. Though similar in dimension to a MiniSD or an

MMCmobile removable memory card supported by some cell phones, (U)SIMs follow a

different set of specifications with vastly different characteristics. For example, their pin

connectors are not aligned along a bottom edge as with removable media cards, but instead

form a circular contact pad integral to the smart card chip, which is embedded in a plastic

frame, as shown in Figure 2. (U)SIMs also employ a broad range of tamper resistance

techniques to protect the information they contain.

Figure 2: (U)SIM Format

The slot for the (U)SIM card is normally not accessible from the exterior of the phone to

facilitate frequent insertion and removal as with a memory card. Instead, it typically is found

in the battery compartment under the battery. When a (U)SIM is inserted into a phone handset

and pin contact is made, a serial interface is used for communicating between them. A

(U)SIM can be removed from a phone and read using a specialized (U)SIM reader and

software through the same interface. Standard-size smart card adapters are also available for

(U)SIMs, which allows them to be inserted into and read with a conventional smart card

reader.

Authenticating a device to a network securely is a vital function performed via the SIM.

Cryptographic key information and algorithms within the tamper resistant module provide the

means for the device to participate in a challenge-response dialogue with the network and

respond correctly, without exposing key material and other information that could be used to

clone the SIM and gain access to a subscriber’s services. Cryptographic key information in the

SIM also supports stream cipher encryption to protect against eavesdropping on the air

interface [Ved93, Wil03].

剩余103页未读，继续阅读

艾米的爸爸

粉丝: 801
资源: 314

NIST SP800-101：手机取证指南：技术特性与法律调查应用

NIST SP800-30信息安全文档

NIST SP800-177r1.pdf

NIST SP800-153.pdf

NIST SP800-101r1.pdf

NIST SP800-170.pdf

NIST SP800-176.pdf

NIST SP800-50.pdf

NIST SP800-77.pdf

NIST sp800-27.pdf

NIST SP800-65.pdf

最新资源