1 Introduction

Due to the unparalleled rapid growth of ubiquitous communication technologies and the shrinking physical size of portable communication devices, many individuals worldwide carry more than one mobile phone, for purposes ranging from leisure to business. Undoubtedly, the mushrooming proliferation of mobile phones in our societies has spectacularly changed the ways we communicate. Evidently, these mobile communication devices have become portable data carriers. Under such circumstances, the data stored in those devices can be more confidential than data deposited in desktop computers. Currently, mobile phones outsell personal computers several times over in the global market. Nevertheless, the digital forensics (DF) of mobile communication devices still enormously lags behind computer forensics [1].

Unfortunately, these cutting-edge mobile communication gadgets have become tools for committing heinous crimes in modern society at the hands of sophisticated, technology-savvy perpetrators. Hence, cellular phone data is now widely accepted as probative evidence in US courts. Compellingly, this handheld multimedia communication device is one of the most versatile pieces of equipment ever invented for human beings. The illegal behaviors in question range from negligible online pranks to devastating cyberterrorist attacks. Nowadays, some mobile multimedia communication devices indisputably act as miniature portable computers.

Indeed, mobile multimedia communication devices are being applied in a mixture of distinct arenas. Unsurprisingly, more and more people use mobile phones to transfer money directly between accounts through current banking systems, owing to the portability, scalability, usability, and interoperability of modern mobile phones. Generally speaking, a smart phone is a mobile phone with more features, encompassing sending short message service (SMS) messages or e-mails, playing audio/video clips, taking snapshots or recording videos, conducting instant messaging (IM), and surfing the Internet. In addition, add-on content management software packages can handle personal calendars and address books. Manifestly, countless users store more critical information in these mobile multimedia communication devices than in desktop computers, which matters especially in criminal cases. Therefore, the DF of such devices plays a crucial role in a cybercrime investigation. Simultaneously, a huge number of smart phone application programs (APs) are being developed at a rapid pace, encompassing word processors, spreadsheets, and database utilities.

Apparently, the diversity of the embedded OSs in mobile multimedia communication devices makes the DF of mobile phones more difficult than that of desktop computers. Therefore, investigating smart phones is one of the most challenging tasks in the DF realm with respect to these cutting-edge devices. Due to the variety of smart phone manufacturers and the corresponding embedded OSs being deployed, it is hard to have a single standard for how and where smart phones store messages, although many smart phones use similar storage schemes. Unlike most people, who start by scrolling through contact lists, recent incoming/outgoing calls, or missed calls, this paper suggested general criteria for the anti-cyberterrorist squad team or the DF practitioners to ponder when they deal with unprecedented cyberterrorist attacks via smart phones. Investigating cell phones or mobile devices is one of the most challenging tasks in DF. Proper search and seizure procedures for cell phones and mobile devices are as important as those for computers. Cyberterrorist attacks by means of smart phones are an imminent and urgent issue.

Cyberterrorism has become a hotly debated research issue in the past decades because of the convergence of mobile computing power and fledgling multimedia communication capabilities. Without loss of generality, cyberterrorism is the exploitation of computer network tools to cause malfunction in, cripple, or shut down critical infrastructures such as energy, transportation, and government operations [2–5]. Traditional terrorists or extremists launched devastating attacks in metropolitan areas with deadly explosive materials. Nowadays, modern terrorists are capable of executing traditional terrorist behaviors via state-of-the-art ubiquitous multimedia communication tools, which radically transform the way we live and provide unprecedented opportunities for committing cyber crimes that we were not able to foresee two decades ago [6, 7].

As a corollary, modern terrorist attacks could inflict catastrophic slaughter or injury upon civilians, corporations, and governments with just several keystrokes in a public café, while the unscrupulous syndicate is physically thousands of miles away from the critical infrastructure systems, which range from water-treatment stations to chemical disposal plants. Critical infrastructure systems provide the fundamental functionalities for governments and industry operators in most cases. Crucially, protecting national critical infrastructure assets from cyber attacks is an extraordinarily challenging task for governments worldwide.

For every mobile phone, the user can often find a unique ID embedded on the printed circuit board beneath the battery pack. The ID is known as the international mobile equipment identity (IMEI). This exclusive identifier is assigned to every GSM, WCDMA, and iDEN mobile phone, as well as some satellite phones. The IMEI number is capable of uniquely identifying a specific mobile phone being used in a cellular network. Demonstrably, law enforcement agencies can use this number to query the mobile carriers for detailed reports of the wireless communication of a particular subscriber during a certain time period, to serve as probative evidence in a court of law.

The essence of the paper was to provide law enforcement agencies as well as DF practitioners with appropriate knowledge and procedures regarding criminal incidents involving smart phones, via the case review we constructed in this research. The paper suggested solid guidelines for them to collect, analyze, submit, and preserve probative digital evidence concerning cybercrimes that exploit smart phones.

We organized the paper as follows. In Sect. 2, we briefly reviewed the related research of portable electronic communication devices, especially the smart phones. In Sect. 3, we conducted a potential cyberterrorist attack review with step-by-step approach. In Sect. 4, we reconstructed the hypothetical cyberterrorist conspiracy and performed a comprehensive analysis and discussion of the scenarios. Finally in Sect. 5, we stated the conclusion of our paper.

2 Related research on portable electronic communication device forensics

2.1 Computer forensics and the DF of smart phones

In the recent decade, computer forensics has become much more emphasized by law enforcement agencies to deal with thriving cyber crimes. Stated generically, computer forensics encompasses the procedure of identification, collection, extraction, preservation and interpretation of the digital data present in relation to a computer incident or confidentiality breach. The above serial procedures are considered the standard operating procedures (SOP) with respect to the mushrooming cyber crimes. Similar domain knowledge and concepts can be adopted in the mobile DF arena. Digital evidence is easily compromised or contaminated during the related procedures. Hence, making image files of the RAM or of internal/portable storage is the sound strategy to fulfill the goal of DF.

The pervasive usage of mobile telecommunication devices has expanded exponentially. Obviously, ubiquitous mobile networks have dramatically shifted the ways of communication in the contemporary era. Mobile phones are used throughout the world in record numbers and their versatile functionalities rival those of desktop computers in many aspects. This prevalence will unquestionably link them to a greater number of crimes, in which they definitely play a critical role [8]. Mobile phones contain an overabundance of information in the handsets and in the subscriber identity module (SIM) cards inserted in the handsets. SIM cards are commonly found in GSM devices and consist of a microprocessor and electrically erasable programmable read-only memory (EEPROM) with capacity ranging from 16 kB to 4 MB.

Generally speaking, the uses of the SIM card encompass identifying the subscriber to the telecommunication network and storing personal or service-related information, address books, and messages. Regrettably, the ever-growing technology brings negative impacts in furtherance of criminal conspiracies. Mobile phones often play an essential role in certain criminal cases. There are a number of DF toolsets for downloading the SIM data in a forensically sound manner. These toolsets include forensic examination tools, SIM readers, and the manufacturers' tools. Currently, PhoneBase, SIMIS, Paraben's Device Seizure, and Oxygen Forensic Manager are the popular DF toolkits commercially available [9]. The above toolsets may use special cables, Wi-Fi, Bluetooth, or infrared to extract stored data from modern handsets. The collected digital trails are probative evidence in a court of law in criminal cases in the United States. There is no doubt that those DF toolsets must provide flexible functionalities and sustain reliability during the associated DF investigations.

Without loss of generality, a mobile phone is also referred to as a cellular phone. As communication technology keeps progressing, small scale digital device forensics (SSDDF) is an extremely new research arena for scientists and associated researchers, who are in dire need of directions. The small and versatile nature of the appliances makes these multimedia handheld communication devices difficult to identify and investigate [10]. In the mobile phone realm, the personal digital assistant (PDA) is another technical breakthrough for mobile communication devices. As the functionalities of the modern PDA increased, they stimulated the emergence of the smart phone. Hence, a smart phone can be considered a PDA with embedded cellular communication capability. The hardware of a smart phone consists of a microprocessor, ROM, RAM, a digital signal processor, a radio module, a microphone, a speaker, a keypad, a camera, a GPS function, and a touch screen. Most smart phones have removable memory cards, where precious intangible digital data is stored.

Contemporary smart phones usually have two or more of the following communication interfaces embedded for long-distance communication: GSM, GPRS, and UMTS. Meanwhile, they use Bluetooth, IrDA (Infrared Data Association) and Wi-Fi (Wireless Fidelity) for short-distance data transmission. Basically, they use three memory locations to store the data to be acquired: the SIM card, the memory card (MMC or SD), and the internal memory, which consists of a single block memory chip [11–14]. Typically, cellular phones store system data in EEPROM, which enables mobile carriers to reprogram phones without having to physically access memory chips. The OS is permanently burned into the ROM, which is nonvolatile memory.

Fundamentally, smart phones are mobile phones equipped with additional sophisticated functionalities similar to those of desktop computers. As technology keeps progressing, the miniaturized multimedia handheld communication devices are capable of storing massive amounts of information with less consumption of battery power. Therefore, the overall performance of a smart phone represents that of a miniature desktop computer with respect to the embedded or add-on APs. At the moment, a smart phone is the representative modern handheld mobile multimedia communication device, with heterogeneous hardware designs and corresponding operating systems (OSs) installed. The OS of a smart phone also varies spectacularly according to the hardware manufacturer. Symbian OS, iPhone OS, BlackBerry, Windows Mobile, Linux, RIM and Palm WebOS are the popular OSs in the current market. As more and more crime syndicates take advantage of these cutting-edge handheld multimedia communication devices to commit sinister acts, the law enforcement agencies are dedicating themselves to alleviating this severe threat by utilizing appropriate DF toolsets. Definitely, the DF of mobile equipment (ME) has become a fiercely researched realm. The challenges in this research arena include the diversity of the embedded OSs, their shorter product life cycles, and the miscellaneous smart phone manufacturers worldwide. These factors hinder DF examiners from retrieving smart phone contents efficiently in a forensically sound way. Besides, the proprietary nature of smart phones causes the majority of problems in this forensics arena. Moreover, every manufacturer uses its own proprietary protocols to communicate with its devices, leading to a black box analysis phenomenon [11].

2.2 Contemporary DF toolkits for smart phones and other methodologies

The OS plays an essential role during the DF of mobile devices. Due to the diversity of current OSs for mobile devices, the DF staff should have a sound understanding of the mobile device being investigated. Hence, knowing the distinct OSs in the field is indispensable. Pervasively, WinCE is a built-in modular OS, which serves as the foundation for many mobile communication devices. In other words, the OS is burned onto a flash ROM as a closed system. WinCE is a multitasking OS, in which many threads can execute at the same time. Generally speaking, WinCE is applied in AutoPC, PocketPC 2000/2002, Mobile 2003, Mobile 2003 SE, Mobile 5.0/6.0, and Smartphone 2002/2003 as an embedded OS [15].

The most common tools used to access smart phones' memory are the manufacturer toolkits, which are software packages for data synchronization between the device and a computer. However, those APs are not designed for forensic purposes. There is a risk of accidentally modifying the data on the phone if those tools are not properly used [16–18]. Utilizing forensically sound DF toolkits, either open source or commercial packages, is the most common method to retrieve the related data from mobile phones. Device Seizure, PDA Seizure, Oxygen Phone Manager, GSM XRY, and TULP 2G are the representative forensically sound toolkits in the current market. Each DF toolkit has its own characteristics and some distinct purposes. Consequently, it would be hard to evaluate the advantages and disadvantages of these DF tools in an absolute way, because the complexity of DF concerning smart phones is above expectation in some cases. However, we still tabulated the DF functionalities with respect to SIM card, GSM, and CDMA mobile phones in Fig. 1 [16]. For example, when Device Seizure acquires a mobile phone, it saves the collected data in a proprietary case file that is only accessible by Device Seizure itself, and the case file is protected by MD5 and SHA1 hashes. Device Seizure recognizes the .pds file as the primary file for opening the case [8]. During the investigation stages, decisive, confidential, and private information can be extracted, analyzed, and preserved from permanent or nonvolatile storage. In some cases, volatile memory plays an important part in the associated processes and procedures of the case under investigation. Different DF experts may have their own preferences when they choose forensic tools. Also, the diversity of smart phone OSs and proprietary file formats decides which DF toolkit is feasible.
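The paragraph above notes that Device Seizure protects its case file with MD5 and SHA1 hashes. The following added example, written for this page and not taken from Paraben's or any other toolkit, applies the same idea to an acquired file set: it builds a manifest with both digests for every file, then re-verifies a later copy and reports which files are intact, modified, missing from the copy, or present but unlisted. The file names and contents are constructed.

```python
"""Integrity manifest for an acquisition: MD5 and SHA-1 for every acquired
file, then re-verification to detect modification.  Added example code, not
any toolkit's implementation; file names and contents are constructed."""
import hashlib
import io
from typing import BinaryIO, Dict, Tuple

# Constructed sample acquisition: relative path -> file content.
SAMPLE_ACQUISITION: Dict[str, bytes] = {
    "Windows/Profiles/guest/history.dat": b"http://twitter.com/F35Canada\r\n",
    "Windows/Messaging/sms.vol": b"\x00\x01sample message store\x00",
    "Storage Card/notes.txt": b"nothing of note",
}

CHUNK = 1 << 16  # hash large images in 64 KiB chunks, never whole in memory


def hash_stream(fobj: BinaryIO) -> Tuple[str, str]:
    """Return (md5, sha1) hex digests of a binary stream, read in chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for chunk in iter(lambda: fobj.read(CHUNK), b""):
        md5.update(chunk)
        sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def hash_bytes(data: bytes) -> Tuple[str, str]:
    """Convenience wrapper for in-memory content."""
    return hash_stream(io.BytesIO(data))


def build_manifest(files: Dict[str, bytes]) -> Dict[str, Dict[str, str]]:
    """Record both digests and the size for every file.  Two algorithms are
    kept so that a collision against one of them does not go unnoticed."""
    manifest: Dict[str, Dict[str, str]] = {}
    for path, data in files.items():
        md5, sha1 = hash_bytes(data)
        manifest[path] = {"md5": md5, "sha1": sha1, "size": str(len(data))}
    return manifest


def verify_manifest(files: Dict[str, bytes],
                    manifest: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Compare a later copy of the files against the manifest.
    Status per path: 'ok', 'modified', 'missing' (in manifest, not in copy)
    or 'unlisted' (in copy, not in manifest)."""
    status: Dict[str, str] = {}
    for path, entry in manifest.items():
        if path not in files:
            status[path] = "missing"
            continue
        md5, sha1 = hash_bytes(files[path])
        ok = (md5, sha1) == (entry["md5"], entry["sha1"])
        status[path] = "ok" if ok else "modified"
    for path in files:
        if path not in manifest:
            status[path] = "unlisted"
    return status


def all_intact(status: Dict[str, str]) -> bool:
    """True only when every manifest entry matched and nothing was added."""
    return all(s == "ok" for s in status.values())


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_ACQUISITION)
    tampered = dict(SAMPLE_ACQUISITION)
    tampered["Storage Card/notes.txt"] = b"nothing of note!"  # one byte appended
    for path, state in verify_manifest(tampered, manifest).items():
        print(f"{state:9s} {path}")
```

The manifest itself would be signed or stored separately from the image in practice; the point of the example is that a single changed byte in any acquired file flips that file's status, and that files added or removed after acquisition are reported rather than silently ignored.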

Fig. 1 The tabulated DF functionalities with respect to SIM card, GSM, and CDMA mobile phones

Other DF researchers suggest the mobile internal acquisition tool (MIAT) method, in which a piece of software is installed on an SD/MMC card instead of using cables to fulfill the data acquisition task. The MIAT method can retrieve the entire Symbian file system, which is its advantage compared to other DF toolsets [11]. When DF examiners apply the MIAT methodology, the mobile device needs to be switched off. If a SIM card or removable memory card is inserted in the smart phone, the DF staff must remove them to proceed with the data acquisition. Once the SIM card or the memory card has been acquired, the DF staff can use the host memory card to acquire the internal memory. Another distinguishing characteristic of the MIAT methodology is that data acquisition from multiple smart phones can be executed in parallel, because the MIAT method does not need specific cables for each distinct manufacturer or model. In other words, it removes the need for the DF workstation to connect to the mobile device being investigated. An IMEI number is only used to identify the device and does not relate to a specific individual or organization. Even if the SIM card of a stolen mobile phone is replaced, the IMEI protection scheme will render the stolen phone useless. In this paper, we would like to present digital evidence other than this inimitable number. Each smart phone has a unique IMEI number. The DF staff can use the IMEI number to discover the manufacturer and the model of the ME at hand. The format of the 15-digit IMEI number is as follows: AABBBB-CC-DDDDDD-E. The first six digits, AABBBB, are the type approval code (TAC), with the first two digits representing the country code. The two digits, CC, are the final assembly code (FAC), identifying the device manufacturer. The six digits, DDDDDD, are the serial number (SNR) of the device. The last digit, E, is the spare code [http://www.tech-faq.com]. Figure 2 illustrates the IMEI code structure.
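As an added illustration of the IMEI layout just described (example code written for this page, not from any DF toolkit), the following parses a 15-digit IMEI into the AABBBB-CC-DDDDDD-E fields, taking the first two TAC digits as the country code as the text states, and additionally verifies the final digit as a Luhn check digit, which is how 3GPP TS 23.003 defines the 15th digit. The IMEI 355678010127433 reported in Sect. 4 is used as the sample input and passes that check; the second sample, with its last digit altered, is constructed.

```python
"""Parse an IMEI into the AABBBB-CC-DDDDDD-E layout and verify the 15th
digit as a Luhn check digit (3GPP TS 23.003).  Added example code; the
country-code reading of the first two digits follows the text above."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Imei:
    tac: str           # AABBBB  type approval code
    country_code: str  # AA      first two TAC digits, as the text describes
    fac: str           # CC      final assembly code (manufacturer)
    snr: str           # DDDDDD  device serial number
    check_digit: str   # E       15th digit
    luhn_valid: bool   # True if E is the Luhn check digit of the first 14


def luhn_check_digit(body14: str) -> int:
    """Luhn check digit for the 14-digit IMEI body: from the right, double
    every second digit (subtracting 9 when the product exceeds 9), sum
    everything, and return the digit that makes the total a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(body14)):
        d = int(ch)
        if i % 2 == 0:  # the rightmost body digit is doubled first
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def parse_imei(text: str) -> Imei:
    """Accept 15 digits with optional spaces or hyphens; reject anything else."""
    digits = re.sub(r"[\s-]", "", text)
    if not re.fullmatch(r"\d{15}", digits):
        raise ValueError(f"not a 15-digit IMEI: {text!r}")
    body, check = digits[:14], digits[14]
    return Imei(
        tac=digits[0:6],
        country_code=digits[0:2],
        fac=digits[6:8],
        snr=digits[8:14],
        check_digit=check,
        luhn_valid=int(check) == luhn_check_digit(body),
    )


def format_imei(imei: Imei) -> str:
    """Render in the AABBBB-CC-DDDDDD-E form used in the text."""
    return f"{imei.tac}-{imei.fac}-{imei.snr}-{imei.check_digit}"


if __name__ == "__main__":
    # First value: the IMEI reported in Sect. 4.  Second: constructed, last digit changed.
    for sample in ("355678010127433", "355678010127434"):
        imei = parse_imei(sample)
        print(format_imei(imei), "luhn_valid =", imei.luhn_valid)
```

A failed Luhn check does not prove tampering, but it is a cheap first sanity check on an IMEI transcribed from a label, a screenshot or a toolkit report before the number is sent to a carrier for records.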

Fig. 2 The IMEI code structure

3 Digital evidence collection, analysis, and investigation of a smart phone via a Wi-Fi connection: a digital forensics case review of a potential cyberterrorist attack triggered via Twitter

The anti-cyberterrorism squad team received reliable intelligence concerning upcoming terrorist attacks with unknown plots. The only information obtained was that the leader of the cyberterrorist campaign was joining a tour near the San Francisco Bay area. The identity, photo, and nationality of the suspect had been confirmed and were disseminated across the anti-cyberterrorism communication channels. The anti-cyberterrorism squad team was allocating all available resources in an attempt to prevent the terrorist attack from occurring.

3.1 Step 1

The anti-cyberterrorism squad team immediately investigated all the local travel agencies that were serving the Bay area tours. Shortly, the suspect was located. The squad team found the tourist having a cup of coffee on a bench on the cruise ship. After an officer questioned the suspect, the suspect played naive and strongly expressed willingness to cooperate with the law enforcement officers in further investigations. The only mobile communication device the suspect carried was a smart phone, an Asus M530w. The officer started to scrutinize the smart phone and proceeded with the necessary investigations on the spot. The following steps were then taken, from the DF point of view.

3.2 Step 2

The suspect denied using the smart phone to call anyone or activate any APs since the tour began. Meanwhile, the anti-cyberterrorism squad team found out that there were public Wi-Fi hot spots available on the cruise ship. The officer easily picked up an access point signal and completed the Wi-Fi connection through the suspect's smart phone, whose wireless connection functionality had previously been disabled. Simultaneously, the officer photographed the screen of the smart phone. The following initial information was recorded by the investigation squad team. The gathered information indicated that the smart phone was connected to a wireless router, Planexuser, with IP 192.168.1.2, as Table 1 shows.

Table 1 The gathered information after the smart phone was connected to an access point

The officer immediately contacted the system administrator of the AP on the cruise ship, based on the media access control (MAC) address, 00:13:E0:88:05:99h. It turned out that this smart phone had positively been connected to the AP and assigned 192.168.1.2 via DHCP, as Fig. 3 shows. Obviously, this digital evidence strongly contradicted the suspect's initial statements.

Fig. 3 The MAC address, 00:13:E0:88:05:99h, was positively connected to the AP, which assigned 192.168.1.2 via DHCP

At this moment, the law enforcement officers concluded that the suspect had lied in the previous statements. This suggested that additional operations had to be carried out immediately to discover other digital evidence.

3.3 Step 3

Next, the officers screened the event logs of the wireless router, which specifically recorded the web sites that 192.168.1.2 had visited. As Fig. 4 shows, the suspect did connect to Twitter, a popular Web 2.0 social web site, at local time 10:30:25 and 10:32:03, respectively.

Fig. 4 The event logs of the wireless router indicated that the suspect did connect to Twitter
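Steps 2 and 3 above tie the MAC address to a DHCP-assigned IP and then read the router's event log for that IP. The following added example (written for this page; both log formats and every line are constructed and do not correspond to any real router firmware) performs that correlation programmatically, excludes log lines that predate the client's lease so that traffic from an earlier holder of the same address is not attributed to the device, and reports the interval between the first two Twitter contacts, which in the sample is 98 s, mirroring the 10:30:25 and 10:32:03 entries mentioned above.

```python
"""Correlate a DHCP lease (MAC -> IP, lease start) with a router event log
(time, source IP, destination host).  Added example code; log formats and
all lines below are constructed, not from any real router."""
from datetime import datetime
from typing import Dict, List, NamedTuple, Optional

# Constructed lease table: "<lease start> <MAC> <IP> <client name>"
DHCP_LEASES = """\
2009-10-05 09:12:03 00:1a:2b:3c:4d:5e 192.168.1.3 laptop-01
2009-10-05 10:29:40 00:13:e0:88:05:99 192.168.1.2 asus-m530w
"""

# Constructed router event log: "<time> <source IP> <destination host>".
# The 10:20:00 line predates the lease above and must not be attributed.
ROUTER_EVENTS = """\
2009-10-05 10:20:00 192.168.1.2 news.example
2009-10-05 10:30:25 192.168.1.2 twitter.com
2009-10-05 10:31:10 192.168.1.3 example.org
2009-10-05 10:32:03 192.168.1.2 twitter.com
2009-10-05 10:33:41 192.168.1.2 m.twitter.com
"""

TS = "%Y-%m-%d %H:%M:%S"


class Lease(NamedTuple):
    start: datetime
    ip: str
    name: str


class Event(NamedTuple):
    time: datetime
    ip: str
    host: str


def norm_mac(mac: str) -> str:
    """Lower-case, colon-separated; drops the trailing 'h' used in the text."""
    return mac.lower().rstrip("h").strip().replace("-", ":")


def parse_leases(text: str) -> Dict[str, Lease]:
    leases: Dict[str, Lease] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, mac, ip, name = line.split()
        leases[norm_mac(mac)] = Lease(datetime.strptime(f"{date} {clock}", TS), ip, name)
    return leases


def parse_events(text: str) -> List[Event]:
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, ip, host = line.split()
        events.append(Event(datetime.strptime(f"{date} {clock}", TS), ip, host))
    return events


def visits_for_mac(mac: str, leases: Dict[str, Lease], events: List[Event],
                   host_contains: Optional[str] = None) -> List[Event]:
    """Events attributable to the client behind `mac`: same IP as its lease
    and not earlier than the lease start, so that traffic from a previous
    holder of the address is not blamed on this device."""
    lease = leases.get(norm_mac(mac))
    if lease is None:
        return []
    hits = [e for e in events if e.ip == lease.ip and e.time >= lease.start]
    if host_contains:
        hits = [e for e in hits if host_contains in e.host]
    return sorted(hits, key=lambda e: e.time)


def gap_seconds(events: List[Event]) -> Optional[int]:
    """Seconds between the first two events, or None if there are fewer than two."""
    if len(events) < 2:
        return None
    return int((events[1].time - events[0].time).total_seconds())


if __name__ == "__main__":
    leases, events = parse_leases(DHCP_LEASES), parse_events(ROUTER_EVENTS)
    tw = visits_for_mac("00:13:E0:88:05:99h", leases, events, "twitter")
    for e in tw:
        print(e.time.strftime("%H:%M:%S"), e.host)
    print("gap between first two Twitter contacts:", gap_seconds(tw), "s")
```

The lease-start filter is the part worth keeping in mind: a router's web log is keyed by IP, and an IP is only evidence against a particular handset for the window in which that handset held the lease.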

3.4 Step 4

It could happen that the suspect intentionally erased all the history data in the browser of the smart phone right after using some multimedia communication tools on this mobile multimedia communication device. Consequently, the officer could not readily collect the related digital trails from this mobile communication device. Under such circumstances, the anti-cyberterrorism squad team decided to carry out DF of the smart phone on the spot, because the collected digital evidence would be probative as to whether the suspect was exculpated or inculpated with respect to the potential cyberterrorist attacks.

3.5 Step 5

The DF officer connected the smart phone to the mobile DF workstation, which was a notebook with Microsoft ActiveSync 4.5 installed under the Windows XP OS. Paraben's Device Seizure version 3.2 was applied in this case in order to discover any digital evidence on the smart phone. Figure 5 shows how the DF officer configured Paraben's Device Seizure version 3.2 in order to fulfill the data acquisition procedure from the smart phone.

Fig. 5 The DF officer configured the DF application package in order to fulfill the data acquisition procedure

3.6 Step 6

Initially, the DF officer conducted the data acquisition procedure and obtained the initial information as Fig. 6 shows. There were 1,915 files deposited within the smart phone, Asus M530w, after the DF officer acquired the internal file systems. After applying the sorter function within the DF toolkit, the collected digital evidences were displayed as shown in Fig. 7.

Fig. 6 There were 1,915 files deposited within the smart phone, Asus M530w

Fig. 7 After applying the sorter function within the DF toolkit to classify the 1,915 files

3.7 Step 7

The DF officer applied the keyword Twitter, which was first disclosed in Step 3, to search the file system of the smart phone, as depicted in Fig. 8, trying to unveil possible digital trails. The search results are shown in Fig. 9, which illustrates further digital footprints of the potential cyberterrorist campaign. The figure exhibits part of the 40 occurrences found using Twitter as the search keyword across the internal files of the smart phone.

Fig. 8 The DF officer applied the keyword Twitter trying to unveil the possible digital trails

Fig. 9 The partial search results out of 40 occurrences using Twitter as the search keyword

3.8 Step 8

The DF officer scrutinized all the possible digital trails that might divulge information on the possible cyber attacks. After double-clicking the item F35Canada [16], indicated by the arrow in Fig. 9, the staff found the detailed information depicted in Fig. 10, which revealed the latest messages that the suspect had delivered through the Wi-Fi connection to Twitter, a popular Web 2.0 social web site. At this step, the DF officer was able to conclude that the suspect was using F35Canada as the logon ID for Twitter to launch the commanding operations. Within the figure, as the arrows indicate, there were two tweets, 'LA Operation at 2:40 a.m.' and 'Boston Operation at 2:30 a.m.', respectively.

Fig. 10 The latest messages that the suspect was delivering through the Wi-Fi connection to Twitter

At this moment, according to the digital evidence exposed, the suspect had posted the message 9 min earlier, and 'LA Operation at 2:40 a.m.' had been posted 11 min earlier.

The DF officer used a notebook and visited the Twitter web site for the logon ID 'F35Canada' via the following URL in the browser: http://twitter.com/F35Canada. The corresponding web page did show that there were two messages, posted from the mobile web, as demonstrated in Fig. 11.

Fig. 11 The DF officer used a notebook and visited the Twitter web site for the logon ID 'F35Canada'

4 Discussion and reconstruction of the cyberterrorist conspiracy based on the digital forensics

After the DF examiners of the anti-cyberterrorism squad team had collected, analyzed and preserved the digital evidence, the team came up with the following hypothetical scenarios concerning the cyberterrorist conspiracy, based on the digital evidence from the crime scene.

4.1 Stage 1

First, the suspect carried the smart phone, an Asus M530w, and joined the tour on a cruise ship near the San Francisco Bay area. The suspect definitely knew that the cruise ship provided Wi-Fi service, which could be exploited to launch cyberterrorist attack commands.

4.2 Stage 2

The suspect enabled the Wi-Fi connection function of the smart phone and then connected to the wireless router with the SSID planexuser. After obtaining the intranet IP 192.168.1.2 (with MAC address 00:13:E0:88:05:99h) from the DHCP server of the wireless router, the suspect visited the Twitter web site, providing 'F35Canada' as the logon ID for the session, at around 10:30 local time. After a few moments, the suspect posted the first tweet, 'Boston Operation at 2:30 a.m.'. Two minutes later, the suspect placed the second tweet, 'LA Operation at 2:40 a.m.'. The time interval between the two consecutive instructions was 2 min, which matched the digital evidence collected at the crime scene. This supported the argument that the suspect did post the attack commands from this mobile multimedia communication device.

4.3 Stage 3

The suspect signed out of Twitter and then disabled the Wi-Fi connection function, declaring that neither the smart phone nor any APs had been activated. However, the statements of the suspect contradicted the digital evidence that was collected, analyzed and preserved.

Therefore, the digital forensics team summarized the hypothetical scenarios as Fig. 12 illustrates, based on the digital evidence collected and analyzed.

Fig. 12 The crime scene reconstruction based on the digital evidence collected and analyzed

Furthermore, as Fig. 13 shows, the DF toolkit also identified the IMEI number as 355678010127433, which is globally unique. Therefore, additional criminal investigations could be pursued via this distinct identifier together with the associated mobile phone service providers. Nevertheless, querying the corresponding mobile carriers based on the retrieved IMEI number is beyond the scope of this research.

Fig. 13 The IMEI number of the suspect's smart phone

5 Conclusion

Due to the unparalleled rapid escalation of ubiquitous communication technologies and the dwindling physical volume of mobile multimedia communication devices, many people worldwide carry more than one mobile phone, for purposes ranging from leisure to business. Undoubtedly, the mushrooming proliferation of mobile phones in our societies has spectacularly changed the ways we communicate. Evidently, these mobile multimedia gadgets have become portable, precious, and sensitive digital data carriers. In this research, we provided a case review and insight into the use of contemporary mobile multimedia smart phones, whose functionalities are no less than those of a desktop PC, to carry out acts of cyberterrorism. However, the DF of these modern gadgets still lags behind that of desktop computers. More and more Web 2.0 APs are able to run on smart phones. Hence, the DF of mobile multimedia communication devices becomes much more urgent in order to combat relentless cybercrime or upcoming devastating cyberterrorist attacks. The paper provided solid guidelines for DF agencies and researchers to deliberate when confronted with information security threats from invisible cyber syndicates.