Today’s IMEI(SV)

I helped with a couple of posts in the last month that dealt with International Mobile (Station) Equipment Identity numbers (IMEIs) produced and displayed by both mobile forensic software and the carriers themselves. The assistance primarily dealt with examiners finding a discrepancy between what the carrier was showing in Call Detail Records (CDRs) and what was produced by the mobile forensic software, and even the identification label on the device itself. Let’s cover a little bit of information on IMEI numbers first.

IMEI numbers are used as a serial number for the device, much like the serial number you might find on other items like cameras, TVs and stereos. However, the IMEI is also used by the mobile carrier to identify the device over the cellular network via the Equipment Identity Register (EIR). This helps to deliver content, assist with subscriber to equipment correlation, equipment maintenance and equipment allocation.

The IMEI is a 15-digit number composed of several subsections: Type Allocation Code (TAC), Serial Number (SN) and a Check Digit (CD). Since 2004, however, IMEI Software Version numbers (IMEISV) have been used to assist with a carrier’s identification of the software version running on the device. This feature can assist with upgrades, notification to users and maintenance of the user device by the carrier. This number is composed of the TAC, SN and SV for a total of 16 digits (sometimes 17). The check digit is generally dropped from the IMEISV. If missing, the check digit can be calculated by dropping the SV digits and running Luhn’s algorithm against the remaining digits, starting at the rightmost digit. The layout of both the IMEI and IMEISV is described below.

T = TAC digit
N = Serial Number digit
C = Check Digit
S = Software Version digit



What becomes confusing to examiners is the fact that some mobile forensic software will report two IMEI numbers and identify one as the calculated and the other as the IMEI.  Furthermore, telco carriers will often send back CDRs that display the IMEISV and not IMEI.  Since they are slightly different (last two digits typically) the comparison with the IMEI that is listed on the identification label or displayed by the mobile forensic software does not match.  These discrepancies can lead to problems when documenting and even testifying to the identity of the device if not clearly understood.

For both the IMEI and IMEISV, the most important numbers are the first 8 and the next 6 (TAC and Serial Number). The numbers following will either be the check digit (with a 0 filler to reach 15 digits) or the software version composed of two digits. What should also be known is that the two software digits can change over time based upon an update to the device’s software. With today’s devices this can be a frequent occurrence! On Android devices, entering the common *#06# will list the IMEISV in the form of 17 digits (TTTTTTTT-NNNNNN-C / SS), whereas iOS devices will simply display the common 15 (TTTTTTTT-NNNNNN-C). However, both CDR data from carriers and mobile forensic software often only list the standard IMEI number while others list the IMEISV. At times some mobile forensic software lists both!

As long as the examiner understands that the significant numbers within the IMEI or IMEISV are the first 8 and the following 6, the match can easily be demonstrated and described when requested.

By knowing:

  • that the exact IMEI listed on the identification label can be derived from the IMEISV to show unequivocally they are the same,
  • that the multiple IMEIs listed by the forensic tool are just the IMEI and IMEISV,
  • and that the returned IMEI from a telco that is off by a few digits is the IMEISV, not the anticipated IMEI,

you can make an informed analysis and conclusion.
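
The derivation described in this post, as an added Python example (not code from the original post or from any forensic tool): it normalizes an identifier as it might appear on a label, in tool output or in a CDR, recomputes the check digit with the Luhn algorithm, and compares two identifiers on TAC and serial number only. The function names and the sample numbers are constructed for illustration.

```python
import re

def luhn_check_digit(payload14: str) -> int:
    """Check digit for the 14 TAC+SN digits (Luhn, starting at the rightmost digit)."""
    total = 0
    for pos, ch in enumerate(reversed(payload14)):
        d = int(ch)
        if pos % 2 == 0:              # rightmost payload digit is doubled, then every other one
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return (10 - total % 10) % 10

def parse_identifier(raw: str) -> dict:
    """Split an IMEI or IMEISV, however it is punctuated, into its fields."""
    digits = re.sub(r"\D", "", raw)   # drop dashes, spaces and the "/" separator
    layouts = {14: "TAC+SN", 15: "IMEI", 16: "IMEISV", 17: "IMEI+SV"}
    if len(digits) not in layouts:
        raise ValueError(f"unexpected length {len(digits)}: {raw!r}")
    payload = digits[:14]             # the 8 TAC digits and 6 serial number digits
    expected = luhn_check_digit(payload)
    reported_cd = int(digits[14]) if len(digits) in (15, 17) else None
    return {
        "layout": layouts[len(digits)],
        "tac": payload[:8],
        "sn": payload[8:],
        "sv": digits[-2:] if len(digits) in (16, 17) else None,
        "reported_cd": reported_cd,
        # False for a 0 filler (unless the true check digit is 0) or a mistyped digit
        "cd_valid": None if reported_cd is None else reported_cd == expected,
        "imei": payload + str(expected),   # the 15-digit IMEI as printed on a label
    }

def same_device(a: str, b: str) -> bool:
    """Compare on TAC + SN only; check digit, filler and SV are ignored."""
    pa, pb = parse_identifier(a), parse_identifier(b)
    return (pa["tac"], pa["sn"]) == (pb["tac"], pb["sn"])

# Constructed sample values, not taken from any case or device.
LABEL = "49015420-323751-8"           # identification label, 15 digits
CDR_IMEISV = "4901542032375105"       # carrier CDR, 16-digit IMEISV (SV = 05)
ANDROID = "49015420-323751-8 / 05"    # *#06# display, 17 digits
ZERO_FILLED = "490154203237510"       # 0 filler in place of the check digit

if __name__ == "__main__":
    for sample in (LABEL, CDR_IMEISV, ANDROID, ZERO_FILLED):
        rec = parse_identifier(sample)
        print(f"{sample!r:28} {rec['layout']:8} IMEI={rec['imei']} "
              f"SV={rec['sv']} cd_valid={rec['cd_valid']} "
              f"matches_label={same_device(LABEL, sample)}")
```
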

More tips and information can be found in my book, Mobile Forensic Investigations: A Guide to Evidence Collection, Analysis, and Presentation

Good Luck!


Chasing Digital Device Tech

As everyone knows, mobile digital devices and the data contained on these devices are here to stay. I do not think anyone ever thought a small mobile telephone would ever fade away, but the growth of the tech is another story. I would argue Moore’s Law is challenged by the smart devices of today, with growth of components exceeding any expectation. This frequently used compounding yardstick in tech is often the driving force behind mobile device manufacturing and research. As the article suggests, these companies are really competing against themselves – determined to build a better digital mousetrap. Honestly, the mousetrap is built to mesmerize the consumer into a yearly upgrade. Upgrading our tech to keep up with the technological advances steamrolling across the globe is often mind-boggling, far exceeding any manufacturer’s forecast. Yes, we digital consumers must have the newest tech – no matter the probability the tech will be outdated at the time of release. This inundation of tech is often a tsunami, but it is what creates the digital landscape of our lives.

The digital fingerprint in our everyday lives is nothing short of amazing – from computerized kitchens, cars, homes and businesses, our lives have been immersed in and essentially governed by tech. Just contemplating the likelihood of not interacting with some form of programmable tech every day is an impossibility – just Google it!

What about our global digital landscape – is that any different? Our nations, our countries, our world are attached to a digital grid with exponential growth and potential; often controlled, captured, manipulated and infiltrated. Preparing for tomorrow with innovation, organization and leading-edge leadership today is a necessity. This means tech is not going to wait for our OK to advance, or for us to gain knowledge on how it operates, stores data, sends data or hides data. Tech will continue to compound without our OK, and the digital landscape will continue to encompass even more of our daily lives. It is not the self-reliance on tech that is alarming, but more the self-imposed ignorance that data within the tech actually exists that is chilling. Proactive conversation and understanding rather than reactive pretext and conjecture is how to navigate the evolving global digital landscape.

Today we need forward-thinking thought leaders with a unique set of problem-solving skills. These should be baseline traits of the digital forensic road warrior of today. In order to combat this digital environment one cannot wait for a better tool, feature or method, but must take the lead and build it, devise it or craft it. This was the idea behind not only my book, Mobile Forensics Investigation: A Guide to Evidence Collection, Analysis, and Presentation, but also the SQLQuery Builder application.

The Mobile Forensics Investigation (MFI) book is a way for any examiner to gain a better angle and understanding of completing a holistic mobile device examination without reliance on automation.  The SQLQuery Builder gives the power to the user to create powerful queries to collect and extract from SQLite database files used throughout the digital world to store valuable evidence.  Using both of these in conjunction with any digital investigation hopefully can start to fill the technology awareness chasm.

Today’s digital examiner is facing an onslaught of data from the massive number of digital endpoints, which are constantly barraged by an endless supply of both malicious and benign information. Being proactive and not reactive in our investigative approach can help to overcome our already extraordinary forensic deficit. However, this is entirely up to you.



Mobile Forensics Investigation: A Guide to Evidence Collection, Analysis, and Presentation

After all of the requests to dump my brain into a book I finally listened, producing Mobile Forensics Investigation: A Guide to Evidence Collection, Analysis, and Presentation. It is currently available for pre-order in most book outlets and also from McGraw-Hill Education, since it will not be on the rack until after the summer. It is my hope this book makes it into every university forensic program and onto every examiner’s desk. No need to rely on a vendor to support your mobile forensic curriculum; this book covers it all – from beginning to end – to turn an investigator into an examiner.

Mobile Forensics Investigation: A Guide to Evidence Collection, Analysis, and Presentation leads examiners through the mobile forensics investigation process, from isolation and seizure of devices, to evidence extraction and analysis, and finally through the process of documenting and presenting findings. This book is not just for those starting out in mobile forensics, but contains information for the seasoned examiner. This book not only gives you knowledge of available mobile forensics tools, but describes and documents how these tools work to collect and analyze mobile device data. The valuable information will allow you to better collect, analyze and present your findings and processes in a court of law or discovery forum. This holistic approach to mobile forensics, featuring the technical alongside the legal aspects of the investigation process, sets this book apart from the competition. This timely guide is a much-needed resource in today’s mobile computing landscape.

  • Provides you with a holistic understanding of mobile forensics from the basics to advanced analysis
  • Notes offer personal insights from the author’s years in law enforcement
  • Tips highlight useful mobile forensics software applications, including open source applications that anyone can use free of charge
  • Case studies document actual mobile forensic cases
  • Photographs demonstrate proper legal protocols, including seizure and storage of devices, and screenshots showcase mobile forensics software at work
  • Advanced techniques feature SQLite parsers and Python scripts

I hope the community enjoys the book as much as I did writing it.  Feel free to use the Amazon link below to pre-order your copy!


iOS Timeline with CookieMonster

Giving a video/blog post a try. Today, I am looking at the Cookies.binarycookies files contained within the Library/Cookies folder on iOS devices – generally in the Application folders. Many apps contain this file when utilizing their built-in web browsers. When used by an investigator to create a mobile device timeline, these files can be of great use.

The tools that are used in the video are all available for FREE.

Hope you enjoy this information and content.


Android Driver Problems Solved

Processing of an Android device with a solution running on a Windows computer can at times be difficult. Not because of Windows, but because of the many different types of Android device profiles available. At last count there were over 12,000 different types of Android profiles from smart phones to tablets to IoT. This can obviously create problems when connecting this device to a solution running on a Windows platform if the particular driver for that device is unavailable. Just Google “<device name> + driver”, right? This typically will yield a plethora of results where 99% are either fake or a link to an advertiser. But first, why does an examiner need a driver anyway?

For any communication to occur a driver must be installed, whether it be for a keyboard, a mouse or, in this context, a mobile device. Simply, a driver is a piece of software that acts as the middle man – converting communication from a device to a format that the Windows OS will understand and pass on to the targeted application. Think of it as a translation service. As mentioned, this is a simple explanation for one type of driver, but it makes the point – Android ADB drivers are needed for an application to communicate via the Windows system with the attached Android device.

An Android device must have ADB available when conducting a logical or physical collection (of course, JTAG and ChipOff are exceptions). Some may say ADB is not needed for a physical collection via USB because the device is locked and the examiner could not switch ADB on. So, since they could not enable ADB, it therefore was not enabled and the data was still extracted. This type of conjecture is generally false because solutions that utilize a bypass method for Androids are using custom ROMs or images that will enable root and thus ADB = ON. This allows for installation of vulnerabilities to obtain access to the device’s file system that is typically unavailable due to device permissions. So, again, ADB is needed to access the device and as such a driver will be needed.

Instead of spending hours looking for a driver, an examiner should install the Universal ADB driver from Koush. This Universal ADB driver is hosted in a GitHub repository. There is no need to download the source code and compile the application because an already compiled Windows installer can be located at the bottom of the page. This Universal ADB driver is updated continuously by Koush and has been used in many of my examinations when ADB drivers could not be found elsewhere. Koush is also the developer of the ClockworkMod that many mobile forensic solutions’ physical collection techniques are based upon and a frequent contributor to the Android community. This Universal driver is a package that contains the vendor IDs (VID) and product IDs (PID) that have been rolled into a single driver and once installed are registered within the Windows system. When the examiner plugs in a device, ADB will now be recognized when previously Windows was unable to find a suitable driver. With ADB now available the device can be collected with the tool of choice.

Enjoy and Good Luck!


Burners and BackDoors

Throughout the evolution of mobile device examinations there have always been obstacles imposed by the carriers, from locking a device’s USB port to removing the ability of software to use development-level protocols. This is not a new tactic for carriers and has been going on for some time. By limiting access to the device, carriers can lower the cost of the device and then impose fees for the transfer or backup of the data to a designated server, or utilize a custom firmware full of bloatware to recoup some of the device cost. This method is not to eliminate an examiner’s ability to obtain the device data, but to save and make money.

Back while working as a LE examiner I had to constantly deal with Cricket branded Kyocera devices that could not even be recognized by any software, so an SPC code had to be utilized that allowed access to the underlying file system. Then along came Trac and Virgin Mobile, who introduced a few devices that also had this limitation. Most of these devices have hidden menus that will allow the service providers to gain access and make updates when needed. The problem: finding hidden menus for these devices can be a lot of work! They do, however, exist. Legacy Trac phones like to use the ##7764726290 code to enter the service menu, which happens to spell out ##PROGRAMAZ0. Virgin Mobile legacy devices generally use 0000000 and then selecting option and then ##847446, which conveniently spells VIRGIN! Of course, running into these legacy devices is not typical with our world swiftly moving to smart devices. So what about some of these smart devices?

In today’s mobile device walmartization, anyone can get a smart device for under $30 USD. That means these carriers need to lock these devices down in order to keep the price down. Again, the ports are locked – but with Android devices there are also some things an examiner can look for to obtain access.
NOTE: Of course, there are many variables, but this example has been used on several cheap Verizon Android devices.
The LG G2 VS980 is one of the tested devices. The examiner first realizes there may be a problem when the device is plugged into the computer or mobile solution and sees that it is not recognized. This is baffling to the examiner because this occurs even after going into the settings and turning on ADB! This creates a problem since the device must be recognized as an ADB device in order for communication to occur via a USB cable solution. At this point most examiners believe there is one of two solutions – JTAG or chip off. However, before going down that road an examiner should look for a hidden menu.

Some Android devices, when they are plugged in, have a menu that comes up with several options: Charging, Media Sync and Internet. This menu is much different than what will be seen on a device that has not been subsidized; typically devices will display only MTP or PTP choices. In the case of this modified menu, after selecting Internet the examiner will receive another menu showing Modem and Ethernet. By selecting Modem the device will release the restriction on ADB, since the device must use ADB to allow tethering to the attached computer. Once ADB is visible, any mobile solution that is capable of processing Android devices will have success.

Looking for the hidden menus on these devices can allow an examiner that may not have access to JTAG or chip off skills or training the ability to process the device with a USB cable and their solution of choice.   Good luck!


Mobile Forensics and Today – Interview with James Howe

The Mobile Forensic Examiner welcomed James Howe to the show.  James is a forensic examiner in Columbus and says digital evidence from mobile devices is used in just about every case.  Furthermore, he says smart devices account for 90% of his investigations and having tools that conform to the many different situations is critical.  Listen to how James uses tools to get the job done and uncover some great digital gold.


The Paradigm Shift

There is a shift in the force. Using a statement that most still understand, no matter what age group you might come from. This Paradigm Shift comes in the form of digital forensics, specifically mobile device forensics. Said simply enough, people want more. Examiners are tired of the push-button approach and want more: an ability to customize, the ability to control the examination, to control the bleeding edge of applications in mobile devices, and to have the power to uncover the smoking gun without first falling into the rabbit hole.

Automation is not a bad thing; it allows for repetitive tasks, training level fluctuations, time commitment and sometimes instantaneous results. On the other hand, automated tools that do not allow the practitioner to control the examination are tools that guess at what might be important to a specific examination, application and vector. As we all know, predicting the course of your examination is like predicting what your teenager might say to you when you ask them about their day. So pure automation that comes with mobile forensic tools is like guessing what you want to see, what application might be important to your investigation or what your examination should look like. Without the ability to conform to the task at hand you are relegated to subscribing to what a company believes is important to your investigation from their own research. So if their research shows a mobile application is not in the top 10 from their polling of their “people in the know”, good luck in handling that case with that tool.

As indicated in the title, the times are changing. In my many conversations with actual examiners, they are fed up with tools that only give what the company believes is the needed information without allowing for a deep dive analysis. So, they are moving to tools that allow them to dive into the data, support any contingency and build support for themselves. Tools like AccessData’s MPE+ allow for all these contingencies because it is built by forensic examiners, by software developers that understand the need to give the power to the examiner and not guess as to what should be important.

Technology changes at a breakneck pace and your examination today might involve a zero day application supported by no automated mobile forensic solutions. If that is the case, look for a tool that will allow you to adjust to these contingencies and allow you to take control of your investigation.


Training, Talks and Mobile Forensics – Interview with Glenn Baard

Today on the Mobile Forensic Examiner I spoke with Glenn Baard, the CTO for PATC. They not only train on mobile forensics but also still work forensic cases for many LE agencies that either do not have the tools, or experience. Glenn has some great experiences under his belt, so take a listen as we discuss mobile forensic trends, software, MPE+ and the new nFIELD.


Supreme Court, Mobile Devices and Forensics – With Tyler Clarke

Fantastic talk today with Tyler Clarke with Reno Police. We spoke about the recent Supreme Court Decision, Mobile Forensics and where it is going, today’s digital data and much more. I have to say speaking to Tyler made me want to jump back into the examinations again. Enjoy.

