accessdata legal and contact information nfield/mpe+_nfield... · 2014-09-03 · accessdata legal...

AccessData Legal and Contact Information

Document date: August 29, 2014

Legal Information

©2014 AccessData Group, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.

AccessData Group, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, AccessData Group, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.

Further, AccessData Group, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, AccessData Group, Inc. reserves the right to make changes to any and all parts of AccessData software, at any time, without any obligation to notify any person or entity of such changes.

You may not export or re-export this product in violation of any applicable laws or regulations including, without limitation, U.S. export regulations or the laws of the country in which you reside.

AccessData Group, Inc. 1100 Alma Street

Menlo Park, California 94025 USAU.S.A.

www.accessdata.com

AccessData Trademarks and Copyright Information

AccessData® is a registered trademark of AccessData Group, Inc.

AD InSight® is a registered trademark of AccessData Group, Inc.

AD Summation is a registered trademark of AccessData Group, Inc.

Distributed Network Attack® is a registered trademark of AccessData Group, Inc.

DNA® is a registered trademark of AccessData Group, Inc.

Forensic Toolkit® is a registered trademark of AccessData Group, Inc.

FTK® is a registered trademark of AccessData Group, Inc.

Password Recovery Toolkit® is a registered trademark of AccessData Group, Inc.

PRTK® is a registered trademark of AccessData Group, Inc.

Registry Viewer® is a registered trademark of AccessData Group, Inc.

AccessData Legal and Contact Information | 2

A trademark symbol (®, ™, etc.) denotes an AccessData Group, Inc. trademark. With few exceptions, and unless otherwise notated, all third-party product names are spelled and capitalized the same way the owner spells and capitalizes its product name. Third-party trademarks and copyrights are the property of the trademark and copyright holders. AccessData claims no responsibility for the function or performance of third-party products.

Third party acknowledgements:

FreeBSD ® Copyright 1992-2011. The FreeBSD Project .

AFF® and AFFLIB® Copyright® 2005, 2006, 2007, 2008 Simson L. Garfinkel and Basis Technology Corp. All rights reserved.

Copyright © 2005 - 2009 Ayende Rahien

BSD License: Copyright (c) 2009-2011, Andriy Syrov. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer; Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution; Neither the name of Andriy Syrov nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

WordNet License

This license is available as the file LICENSE in any downloaded version of WordNet.

WordNet 3.0 license: (Download)

WordNet Release 3.0 This software and database is being provided to you, the LICENSEE, by Princeton University under the following license. By obtaining, using and/or copying this software and database, you agree that you have read, understood, and will comply with these terms and conditions.: Permission to use, copy, modify and distribute this software and database and its documentation for any purpose and without fee or royalty is hereby granted, provided that you agree to comply with the following copyright notice and statements, including the disclaimer, and that the same appear on ALL copies of the software, database and documentation, including modifications that you make for internal use or for distribution. WordNet 3.0 Copyright 2006 by Princeton University. All rights reserved. THIS SOFTWARE AND DATABASE IS PROVIDED "AS IS" AND PRINCETON UNIVERSITY MAKES NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED. BY WAY OF EXAMPLE, BUT NOT LIMITATION, PRINCETON UNIVERSITY MAKES NO REPRESENTATIONS OR WARRANTIES OF MERCHANT- ABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF THE LICENSED SOFTWARE, DATABASE OR DOCUMENTATION WILL NOT INFRINGE ANY THIRD PARTY PATENTS, COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS. The name of Princeton University or


Princeton may not be used in advertising or publicity pertaining to distribution of the software and/or database. Title to copyright in this software, database and any associated documentation shall at all times remain with Princeton University and LICENSEE agrees to preserve same.

Documentation Conventions

In AccessData documentation, a number of text variations are used to indicate meanings or actions. For example, a greater-than symbol (>) is used to separate actions within a step. Where an entry must be typed in using the keyboard, the variable data is set apart using [variable_data] format. Steps that require the user to click on a button or icon are indicated by Bolded text. This Italic font indicates a label or non-interactive item in the user interface.

A trademark symbol (®, ™, etc.) denotes an AccessData Group, Inc. trademark. Unless otherwise notated, all third-party product names are spelled and capitalized the same way the owner spells and capitalizes its product name. Third-party trademarks and copyrights are the property of the trademark and copyright holders. AccessData claims no responsibility for the function or performance of third-party products.

Registration

The AccessData solution registration is done at AccessData after a purchase is made, and before the solution is shipped. The licenses are bound to either a USB security device, or a Virtual CmStick, according to your purchase.

Subscriptions

AccessData provides a one-year licensing subscription with all new solution purchases. The subscription allows you to access technical support, and to download and install the latest releases for your licensed solutions during the active license period.

Following the initial licensing period, a subscription renewal is required annually for continued support and for updating your solutions. You can renew your subscriptions through your AccessData Sales Representative.

Use License Manager to view your current registration information, to check for solution updates and to download the latest solution versions, where they are available for download. You can also visit our web site, www.accessdata.com anytime to find the latest releases of our solutions.

For more information, see Managing Licenses in your solution manual or on the AccessData website.

AccessData Contact Information

Your AccessData Sales Representative is your main contact with AccessData. Also, listed below are the general AccessData telephone number and mailing address, and telephone numbers for contacting individual departments.


Mailing Address and General Phone Numbers

You can contact AccessData in the following ways:

Technical Support

Free technical support is available on all currently licensed AccessData solutions. You can contact AccessData Customer and Technical Support in the following ways:

AccessData Mailing Address, Hours, and Department Phone Numbers

Corporate Headquarters: AccessData Group, Inc. 1100 Alma StreetMenlo Park, California 94025 USAU.S.A. Voice: 801.377.5410; Fax: 801.377.5426

General Corporate Hours: Monday through Friday, 8:00 AM – 5:00 PM (MST) AccessData is closed on US Federal Holidays

State and Local Law Enforcement Sales:

Voice: 800.574.5199, option 1; Fax: 801.765.4370 Email: [email protected]

Federal Sales: Voice: 800.574.5199, option 2; Fax: 801.765.4370 Email: [email protected]

Corporate Sales: Voice: 801.377.5410, option 3; Fax: 801.765.4370 Email: [email protected]

Training: Voice: 801.377.5410, option 6; Fax: 801.765.4370 Email: [email protected]

Accounting: Voice: 801.377.5410, option 4

AD Customer & Technical Support Contact Information

AD SUMMATIONand AD EDISCOVERY

Americas/Asia-Pacific:800.786.8369 (North America)801.377.5410, option 5Email: [email protected]

AD IBLAZE and ENTERPRISE:


All other AD SOLUTIONS


AD INTERNATIONAL SUPPORT

Europe/Middle East/Africa:+44 (0) 207 010 7817 (United Kingdom)Email: [email protected]


Documentation

Please email AccessData regarding any typos, inaccuracies, or other problems you find with the documentation: [email protected]

Professional Services

The AccessData Professional Services staff comes with a varied and extensive background in digital investigations including law enforcement, counter-intelligence, and corporate security. Their collective experience in working with both government and commercial entities, as well as in providing expert testimony, enables them to provide a full range of computer forensic and eDiscovery services.

At this time, Professional Services provides support for sales, installation, training, and utilization of FTK, FTK Pro, Enterprise, eDiscovery, and Lab. They can help you resolve any questions or problems you may have regarding these solutions

Contact Information for Professional Services

Contact AccessData Professional Services in the following ways:

Hours of Support: Americas/Asia-Pacific:Monday through Friday, 6:00 AM– 6:00 PM (PST), except corporate holidays.Europe/Middle East/Africa:Monday through Friday, 8:00 AM– 5:00 PM (UK-London) except corporate holidays.

Web Site: http://www.accessdata.com/support/technical-customer-support

The Support website allows access to Discussion Forums, Downloads, Previous Releases, our Knowledge base, a way to submit and track your “trouble tickets”, and in-depth contact information.

AccessData Professional Services Contact Information

Contact Method Number or Address

Phone Washington DC: 410.703.9237

North America: 801.377.5410

North America Toll Free: 800-489-5199, option 7

International: +1.801.377.5410

Email [email protected]

AD Customer & Technical Support Contact Information (Continued)


http://www.accessdata.com

Contents | 7

Contents

AccessData Legal and Contact Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Chapter 1: Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Chapter 2: Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Licensing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9About Licensing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9MPE+ nFIELD Supported Operating Systems . . . . . . . . . . . . . . . . . . . . . 9MPE+ nFIELD System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . 10

MPE+ nFIELD Home Page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11Investigator Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12Drivers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Chapter 3: Extracting Data with MPE+ nFIELD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Extracting Data from Select Device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14Extracting Data from a SIM/USIM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

Unlocking a SIM/USIM Smart Card . . . . . . . . . . . . . . . . . . . . . . . . . . . 22Extracting an Image of a Mass Storage Device. . . . . . . . . . . . . . . . . . . . . . 23

| 8

Chapter 1

Introduction

The AccessData (AD) Mobile Phone Examiner Plus (MPE+) nFIELD solution combines the powerful collection capabilities of Mobile Phone Examiner Plus™ (MPE+) with a simple to use interface to support on-scene mobile device data collection. MPE+ nFIELD performs logical and physical acquisition of all MPE+ supported mobile devices along with USIM, SIM, and mass storage devices; all with a touch of a single button.

MPE+ nFIELD provides the same mobile device extraction capabilities of MPE+ which includes support of more than 7,000 devices, such as legacy cell phones as well as smart devices. MPE+ nFIELD also includes the MPE+ iLogical™ and dLogical™ support technology which collects iOS® and Android™ devices.

Note: MPE+ nFIELD also comes pre-installed on the MPE+ Tablet. The MPE+ Tablet is sold separately. Contact your AccessData representative for more information.

Audience

The MPE+ nFIELD manual is written for law enforcement and corporate security professionals with the following competencies:

Basic knowledge of and training in forensic policies and procedures.

Basic knowledge of and experience with personal computers, mobile phones, enhanced PDAs, and Smart Phones.

Familiarity with the fundamentals of collecting digital evidence from mobile devices.

Understanding of forensic data images and how to acquire forensically sound images.

Experience with case studies and reports.

Familiarity with the Microsoft Windows environment.

Scope

This manual documents the available tools, functions, and other features built into the MPE+ nFIELD solution. For information on the AD MPE+ application, refer to the MPE+ User Guide.

For standard information on proper mobile device forensics and data analysis practices, please register for one of AccessData’s beginner, intermediate, and/or specialized mobile forensics workshops.

Chapter 2

Getting Started

This chapter contains all the information you need to get started with MPE+ nFIELD, including licensing your software, installing nFIELD on a tablet or other supported device, and connecting devices to your nFIELD-enabled tablet or other device. Once you have completed the information covered in this chapter, MPE+ nFIELD will be ready to extract and save data from devices.

Note: You can purchase MPE+ nFIELD pre-installed on a tablet provided by AccessData. Contact your AccessData Sales Representative for pricing and availability.

Licensing

About LicensingMPE+ nFIELD requires an MPE+ nFIELD License to launch the application. These licenses are stored on a USB CodeMeter device that connects to the device running MPE+ nFIELD. For more information about obtaining and using a USB CodeMeter device containing a valid license, contact your AccessData sales representative.

Prerequisites

This section outlines what is required to set up a fully functional AccessData MPE+ nFIELD system. The system must have:

A current AccessData MPE+ license on a USB CodeMeter device with CodeMeter installed on the MPE+ nFIELD system

Hardware/software that meets or exceeds the minimum system requirements

Microsoft .NET Framework 4.0 or newer

MPE+ nFIELD Supported Operating SystemsMPE+ is supported on the following operating systems:

Windows 7, 32- and 64-bit (excluding Windows 7, Starter Edition)

Windows 8, 32- and 64-bit (excluding Windows 8 RT)

Windows 8.1, 32- and 64-bit (excluding Windows 8.1 RT)

Getting Started Licensing | 9

MPE+ nFIELD System RequirementsBefore using MPE+ nFIELD to acquire or analyze mobile device data, certain hardware and software requirements must be met.

For information on system requirements for extraction from Apple phones see http://support.apple.com/kb/HT1426.

Optional Hardware

A data synchronization cable that is compatible for the mobile device.

Hardware and Software Specifications

Minimum Ideal

Operating System Windows 7 32-bit Windows 7 64-bit

Processor Core2 Duo 2GHz (or equivalent) Core2 Duo 2GHz+ (or equivalent)

RAM 4GB 8GB

Disk Space 256 GB on the device where nFIELD is installed

256 GB on the device where nFIELD is installed

Expansion Ports Three USB ports (Two USB 3.0 and one USB 2.0)Note: External collection devices

should be three times (3x) the size of the device from which you are collecting.

Three USB ports (Two USB 3.0 and one USB 2.0)Note: External collection devices

should be three times (3x) the size of the device from which you are collecting.

Getting Started Prerequisites | 10

http://support.apple.com/kb/HT1426

http://support.apple.com/kb/HT1426

MPE+ nFIELD Home Page

The MPE+ nFIELD Home page allows you extract data from cellular devices, SIM/USIMs, and mass storage devices. You can also change your investigator information and logo for reports and download device drivers for collection.

Adding Investigator InformationInvestigator Information allows you to include information about the investigator who is collecting the data to appear on the report. For more information on adding investigator information, see Investigator Information (page 12)

Downloading DriversThe Drivers option allows you to install and configure drivers in MPE+ nFIELD. For more information on Drivers, see Drivers (page 13)

Extracting Data For more information on extracting information:

See Extracting Data from Select Device on page 14.See Extracting Data from a SIM/USIM on page 19.See Extracting an Image of a Mass Storage Device on page 23.

Exiting MPE+ nFIELDThe Exit button ( ) closes MPE+ nFIELD.

Getting Started MPE+ nFIELD Home Page | 11

Investigator InformationBesides the default information provided in the report, you can also enter custom information about the investigator. This information appears in the PDF report that generates upon completion of the extraction.

To enter investigator information

1. Tap or click Investigator Information.

2. Enter the investigator information.

Note: There are no required fields. You can enter only the specific information you want to appear in your report.

3. Optional: Tap or click the logo to change the image or logo that appears on the report.

Navigate to the graphic to use as the logo.Highlight the graphic file and tap or click Open.

4. Optional: Tap or click Reset All to clear the Investigator Information fields.

5. When you have complete entering investigator information, tap or click OK.


DriversThe Drivers option allows you to install drivers for MPE+ nFIELD. Before you can extract data from a device, you must install the driver(s) for those device(s).

To download/install device drivers

1. Tap or click Drivers.

2. Tap or click Install next to the drivers to install them. You can also tap or click Install All in each category of drivers to install that entire category of drivers.

3. When you are finished installing the desired drivers, tap or click Home to return to the main MPE+ nFIELD Home page.


Chapter 3

Extracting Data with MPE+ nFIELD

MPE+ nFIELD provides an easy-to-use menu system with step-by-step instructions to extract data from target devices. There are three options when extracting digital evidence:

Select Device. See Extracting Data from Select Device on page 14.

SIM/USIM. See Extracting Data from a SIM/USIM on page 19.

Mass Storage. See Extracting an Image of a Mass Storage Device on page 23.

Important: Verify that your storage device has enough disc space to collect any/all data. When a collection device runs out of disc space during extraction, 0-byte length files are created with the names of any missing files. The data information *.xml file also notes the missing data.

Extracting Data from Select Device

The MPE+ nFIELD allows you to extract data from different mobile and electronic devices. The self-directed menu guides you through the extraction process. To return to the Home page, tap or click Home.

Note: When extracting from devices other than Android and iOS, the computer system that MPE+ nFIELD is installed on will need to have disk space available for temporary files that are created and removed during an extraction. This free space should be equal or exceed the maximum capacity of the device that is to be collected. For the recommended storage space for MPE+ nFIELD, see the ideal specifications in MPE+ nFIELD System Requirements (page 10)

To extract data from Select Device

1. From the MPE+ nFIELD Home menu, tap or click Select Device.

| 14

2. Connect your storage device.MPE+ nFIELD detects and displays the name, location, and size of storage device(s). Some things to consider with storage devices:

Always use a storage device that has triple the storage space as the device from which you are collecting data.

Any storage devices must be recognized as a “removable” device by Microsoft Windows on the device that has MPE+ nFIELD installed. MPE+ nFIELD will not extract to a device that is recognized as a “fixed” drive by Microsoft Windows.

3. Tap or click the displayed storage device you want to use during collection.

| 15

4. Tap or click the Manufacturer. You can quickly move to a specific Manufacturer using Search Mode in the right pane.You can also move by page using the up/down arrows.

Note: When scrolling on a touch screen, press and hold the list before moving your finger to scroll the list.

5. Tap or click the model. You can find the model underneath the battery of the device. To return to the Manufacturer list, tap or click the Manufacturer List button in the top left corner of the window.

| 16

Note: You can use Search Mode to jump to your specific model. You can also move by page using the up/down arrows.

6. Connect the mobile device to the USB port of the nFIELD device.

7. Tap or click Connect.

Note: When connecting to an Android phone, the Enable USB Debugging dialog appears. Follow the steps displayed before proceeding.

8. Select the items to extract. Select Select All to extract all of the data listed on this screen.

9. Tap or click Extract.10. The data acquisition begins automatically. MPE+ nFIELD creates an AD1 forensics file and a PDF

report of the acquisition results on the destination device. Upon completion, the screen displays a summary page with the path to the extracted data on the destination USB drive.

| 17

11. You can view the Report by tapping or clicking View Report. The PDF report is created in the AD1 folder of the destination device and is named the same as the folder where the extracted data resides. To close the Report dialog, tap or click Close.

12. Tap or click Finish.

13. You can now import the AD1 file(s) into the main Mobile Phone Examiner Plus (MPE+) program for further analysis. For more information on Mobile Phone Examiner Plus (MPE+), go to:http://www.accessdata.com/solutions/digital-forensics/mobile-phone-examiner

| 18

http://www.accessdata.com/solutions/digital-forensics/mobile-phone-examiner

Extracting Data from a SIM/USIM

The MPE+ nFIELD allows you to extract data from SIM cards and USIM cards. The self-directed menu guides you through the extraction process. To return to the Home page, tap or click Home.

Note: You can connect the (U)SIM before tapping or clicking the SIM/USIM button or when prompted by MPE+ nFIELD.

To extract data using SIM/USIM

1. From the MPE+ nFIELD Home menu, tap or click SIM/USIM.

2. Connect your storage device.MPE+ nFIELD detects and displays the name, location, and size of storage device(s). Some things to consider with storage devices:



| 19


4. Connect the SIM/USIM.

Note: If the (U)SIM is locked, enter the (U)SIM code and tap or click Unlock. For more information on unlocking a (U)SIM, see Unlocking a SIM/USIM Smart Card (page 22)

5. Tap or click Next.6. Select the items to extract.

| 20

7. Tap or click Extract.8. The data acquisition begins automatically. MPE+ nFIELD creates an AD1 forensics file and a PDF

report of the acquisition results on the destination USB device. Upon completion, the screen displays a summary page with the path to the extracted data on the destination USB device.

9. You can view the Report by tapping or clicking View Report. The PDF report is created in the AD1 folder of the destination USB device and is named the same as the folder where the extracted data resides. To close the Report dialog, tap or click Close.

10. Tap or click Finish.

11. You can now import the AD1 file(s) into the main Mobile Phone Examiner Plus (MPE+) program for further analysis. For more information on Mobile Phone Examiner Plus (MPE+), go to:http://www.accessdata.com/solutions/digital-forensics/mobile-phone-examiner

| 21


Unlocking a SIM/USIM Smart CardThe Subscriber Identification Module (SIM) standard uses a series of Personal Identification Numbers (PIN) to authenticate those who are attempting to access the data stored on the card. PIN1 is required to unlock the majority of the SIM storage. PIN2 unlocks vendor specific storage.

All SIM cards are designed to protect themselves from unauthorized access. For example, both PIN1 and PIN2 enforce a 3 attempt lock out policy. In the case that all attempts to enter the correct PIN have been exhausted, the PIN Unlock Key (PUK) must be provided. A PUK can be generated by the service provider based on the CCID number of the SIM card. MPE+ supports PINs and PUKs between 4 to 8 numeric characters in length.

Note: DON’T use up all remaining attempts to enter a PIN and / or PUK. If you don’t have the PIN, you may need to contact the service provider to get a PIN unlock key (PUK).

To unlock a SIM / USIM smart card1. Open the SIM / USIM Connection Wizard dialog. (When connecting to a protected (U)SIM you will be

met with a dialog to enter the (U)SIM security information.)

2. If you have more than one card reader attached to the system, drop down the SIM/USIM Readers menu and confirm that you are working with the appropriate card. Otherwise, move on to the next step.

Note: The unique card identification code (ICCID) can be used to identify which card is currently being read.

3. Enter the current key codes for either PIN1 or PIN2. If you don’t know the current PIN number, try resetting the PIN. See Resetting the PIN (page 22).

4. Click Unlock. If successful, you will be prompted with the Select Data For Extraction dialog. For help on completing the extraction, see Extracting Data from a SIM/USIM (page 19).

Resetting the PIN

When you do not know the PIN number (required to unlock a SIM card for the purpose of extracting the data it contains), you can reset the PIN to a new value if you have the Pin Unlock Key (PUK). SIM cards grant you 10 attempts to enter the correct PUK before the card is locked permanently.

Note: DO NOT use all of the remaining attempts to enter a PIN and/or PUK. If you do not have the PIN, you may need to contact the service provider to get a PUK.

To Reset the PIN1. Open the SIM / USIM Connection Wizard dialog. (When connecting to a protected (U)SIM you will be

met with a dialog to enter the (U)SIM security information.)

2. If you have more than one card reader attached to the system, drop down the SIM/USIM Readers menu and confirm that you are working with the appropriate card. Otherwise move on to the next step.

Note: The unique card identification code (ICCID) can be used to identify which card is currently being read.

3. Click the Use PUK button that corresponds to the PIN code you want to reset.

| 22

4. Enter the current PUK key codes for either PIN1 or PIN2. If you don’t know the current PUK code, you will need to contact the service provider. They will need the Card Identification number (ICCID) in order to generate a PUK.

5. Type a 4 to 8 character numeric value (to which you want to reset the PIN number) into the corresponding New PIN number field.

6. Click Reset PIN. If successful, you will be prompted with the Select Data For Extraction dialog. For help on completing the extraction, see Extracting Data from a SIM/USIM (page 19).

Extracting an Image of a Mass Storage Device

MPE+ nFIELD can extract an image of mass storage devices including SD cards, flash drives, hard drives, and so forth.

To extract an image from a mass storage device

1. From the MPE+ nFIELD Home menu, tap or click Mass Storage.

2. Connect the Mass Storage device. MPE+ nFIELD detects and displays the name, location, and size of the Mass Storage device(s).

3. Tap or click the displayed Mass Storage device from which you are collection.

| 23

4. Connect the collection device.MPE+ nFIELD detects and displays the name, location, and size of storage device(s). Some things to consider with storage devices:




6. Tap or click Next.

| 24

7. The data acquisition begins. MPE+ nFIELD creates an EO1 image of the mass storage device.

8. Tap or click Home to return the MPE+ nFIELD Main page.

9. You can now take the destination USB drive and import the EO1 file(s) into the main Mobile Phone Examiner Plus (MPE+) program for further analysis. For more information on Mobile Phone Examiner Plus (MPE+), go to:http://www.accessdata.com/solutions/digital-forensics/mobile-phone-examiner

| 25


accessdata legal and contact information nfield/mpe+_nfield... · 2014-09-03 · accessdata legal...

Documents