HTC Fuze Forensics

Colby Lahaie

The Senator Patrick Leahy Center for Digital Investigation

Introduction

Overview

Many people use their cell phones for a variety of things, such as storing Word documents, running programs, playing games, and using the GPS for travel. I am going to be researching how to acquire data from the AT&T HTC 6850 Touch Pro/Fuze mobile phone. Data acquisition and analysis is one of the most important things that a forensic investigator would want to do because it is a way to extract and preserve all data. During this research and development, I am going to use specific tools such as MIAT (Mobile Internal Acquisition Tool) and a Cellebrite UFED Physical Pro to extract data from the HTC Fuze mobile phone. I am going to be looking for data, both active and deleted, that would be useful to a forensic investigator. Topics so far include:

· Retrieving contacts
· Retrieving call logs
· Retrieving images
· Retrieving audio and video
· Retrieving SMS text messages (active and deleted)
· Accessing the file system
· Retrieving internet history

Purpose

The purpose of this project is to find key aspects of the HTC Fuze that would be helpful during a forensics investigation.  By doing this, we are trying to make it easier for law enforcement to extract data off mobile phones to use in criminal investigations.  For most of this research, I will be using the Cellebrite UFED Physical Pro to extract most of the data from the phone.

Preliminary Tool List

1. Cellebrite UFED Physical Pro 1.1.9.6: http://www.cellebrite.com/forensic-products/forensic-products.html?loc=seg
2. Windows Mobile Device Center (WMDC) 6.1.6965: http://www.microsoft.com/download/en/details.aspx?id=3182
3. Raptor 2.0: http://forwarddiscovery.com/Raptor
4. Mobile Internal Acquisition Tool (MIAT) 1.0: http://miatforensics.org/
5. FTK Imager 3.0.1.1467: http://accessdata.com/support/adownloads#FTKImager
6. EnCase v6.19: http://www.guidancesoftware.com/

Procedures

I am working with a new, out-of-the-box HTC Fuze phone, so the first step in this project was to turn on the phone and plant “evidence” on it. I started off by adding fake contacts to the phone. Then, I took some random pictures and videos. I also used the phone’s internet browser to generate internet traffic/history. Finally, I attempted to make test calls and send some random text messages on the phone.

Cellebrite

The next step in this project was to acquire data from the HTC Fuze using our Cellebrite UFED Physical Pro, which is a device made specifically for mobile device data extractions. I attached the HTC Fuze to the device via USB Cable No. 80. I then chose the data extraction options that were supported for the HTC Fuze, which were “Extract Phone Data” and “Physical Extraction”. After each extraction, there is a folder labeled with the same name as the mobile phone or SIM card. It contains an examination report summarizing the data extracted from the phone/SIM card, a folder for each content type extracted, and a .ufd file to be analyzed with the UFED Physical Analyzer software.

Retrieving Contacts

I first started off by adding fake contacts to the HTC Fuze. I then attached the HTC Fuze to the Cellebrite and chose the “Extract Phone Data” option to extract the contacts data. In the examination report that Cellebrite outputs after the extraction, I was able to view the contacts that were in the phone’s memory, including the names and numbers of the contacts. The Cellebrite extraction also produces a .pbb file, which is a backup file for the phonebook, and an MD5 and SHA256 hash for the .pbb file.

Retrieving Call Logs

I then attempted to make some test calls, but they could not be sent because we did not have an active SIM; however, the calls still showed up in the outgoing calls list and Cellebrite was able to provide the information in the examination report. The report shows the type of call, the phone number, the name of the contact, and the date and time that the calls took place. The extraction also provides a .clog file, which is a backup file of the call logs, and an MD5 and SHA256 hash for the .clog file.

Retrieving Images

I then took some random pictures with the HTC Fuze and was able to retrieve them from the phone with Cellebrite. The output folder that Cellebrite provides includes a folder containing all of the images extracted from the phone, and the examination report provides information on the images such as the file name, the file path, the file size, the date/time the image was taken, an MD5 and SHA256 hash of each image, and other information.
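The MD5 and SHA256 values that the report lists for the .pbb file, the .clog file and each image can be re-checked against a working copy of the extraction folder before analysis. The following Python sketch is an added example, not part of the original post or of Cellebrite's tooling; it assumes the examiner has transcribed the report's hashes into a mapping by hand (the report format is not described here), and the file names and contents in `demo()` are constructed placeholders.

```python
import hashlib
import tempfile
from pathlib import Path

def hash_file(path, chunk_size=1 << 20):
    """Return (md5, sha256) hex digests, reading in chunks."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()

def verify_extraction(folder, expected):
    """expected: relative path -> (md5, sha256) transcribed from the report."""
    folder, results = Path(folder), {}
    for rel, (exp_md5, exp_sha256) in expected.items():
        target = folder / rel
        if not target.is_file():
            results[rel] = "missing"      # listed in report, not on disk
            continue
        md5, sha256 = hash_file(target)
        # Require both digests to agree; MD5 alone is not collision resistant.
        ok = md5 == exp_md5.lower() and sha256 == exp_sha256.lower()
        results[rel] = "match" if ok else "mismatch"
    for path in folder.rglob("*"):
        rel = path.relative_to(folder).as_posix()
        if path.is_file() and rel not in results:
            results[rel] = "unlisted"     # on disk, not in report
    return results

def demo():
    """Constructed sample folder; file names and contents are placeholders."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Images").mkdir()
        (root / "phonebook.pbb").write_bytes(b"constructed phonebook backup")
        (root / "calls.clog").write_bytes(b"constructed call log backup")
        (root / "Images" / "IMG_0001.jpg").write_bytes(b"constructed image")
        expected = {p.relative_to(root).as_posix(): hash_file(p)
                    for p in root.rglob("*") if p.is_file()}
        expected["Images/IMG_0002.jpg"] = ("0" * 32, "0" * 64)  # never written
        (root / "calls.clog").write_bytes(b"changed after extraction")
        (root / "notes.txt").write_bytes(b"file added later")
        return verify_extraction(root, expected)

if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:9} {name}")
```

Any status other than "match" means the working copy no longer corresponds to what the report recorded and should be explained before the files are used.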

For part 2 of this project, see “HTC Fuze Forensics Part 2”.

If you have any comments, questions and/or suggestions, please feel free to leave a comment here on the blog, or email us at LCDI@champlain.edu with “HTC Fuze Forensics” in the subject.
