Forensic Triage for Mobile Phones with DEC0DE Robert J. Walls Erik Learned-Miller Brian Neil Levine Department of Computer Science University of Massachusetts Amherst This work was supported in part by NSF award DUE-0830876. rjwalls@cs.umass.edu forensics.umass.edu
rjwalls@cs.umass.edu 2 forensics.umass.edu
rjwalls@cs.umass.edu 2 forensics.umass.edu
rjwalls@cs.umass.edu 2 forensics.umass.edu
rjwalls@cs.umass.edu 2 forensics.umass.edu
Evidence e c n e d i v E e c n e d i v E rjwalls@cs.umass.edu 2 forensics.umass.edu
Forensic Triage: Acquire evidence quickly , accurately , and on-scene . rjwalls@cs.umass.edu 3 forensics.umass.edu
Forensic Triage: Acquire evidence quickly , accurately , and on-scene . > Done before a full examination rjwalls@cs.umass.edu 3 forensics.umass.edu
DEC0DE: Forensic Triage for Phones DEC0DE rjwalls@cs.umass.edu 4 forensics.umass.edu
DEC0DE: Forensic Triage for Phones DEC0DE rjwalls@cs.umass.edu 4 forensics.umass.edu
DEC0DE: Forensic Triage for Phones DEC0DE rjwalls@cs.umass.edu 4 forensics.umass.edu
DEC0DE: Forensic Triage for Phones DEC0DE rjwalls@cs.umass.edu 4 forensics.umass.edu
DEC0DE: Forensic Triage for Phones DEC0DE rjwalls@cs.umass.edu 4 forensics.umass.edu
DEC0DE: Forensic Triage for Phones DEC0DE rjwalls@cs.umass.edu 4 forensics.umass.edu
Why phones ? rjwalls@cs.umass.edu 5 forensics.umass.edu
rjwalls@cs.umass.edu 6 forensics.umass.edu
Phones record our lives . rjwalls@cs.umass.edu 7 forensics.umass.edu
Phones contain evidence . rjwalls@cs.umass.edu 8 forensics.umass.edu
rjwalls@cs.umass.edu 9 forensics.umass.edu
Proprietary OS + Little Documentation = Unknown Formats rjwalls@cs.umass.edu 10 forensics.umass.edu
Proprietary OS + Little Documentation = Unknown Formats rjwalls@cs.umass.edu 10 forensics.umass.edu
Triage options now ? rjwalls@cs.umass.edu 11 forensics.umass.edu
Option 1: Browsing Option 2: Commercial tools rjwalls@cs.umass.edu 12 forensics.umass.edu
Option 1: Browsing Drawbacks rjwalls@cs.umass.edu 13 forensics.umass.edu
Option 1: Browsing Drawbacks > May not be possible rjwalls@cs.umass.edu 13 forensics.umass.edu
Option 1: Browsing Drawbacks > May not be possible > Modifies the phone rjwalls@cs.umass.edu 13 forensics.umass.edu
Option 1: Browsing Drawbacks > May not be possible > Modifies the phone > Misses important information rjwalls@cs.umass.edu 13 forensics.umass.edu
Option 2: Commercial Tools Drawbacks rjwalls@cs.umass.edu 14 forensics.umass.edu
Option 2: Commercial Tools Drawbacks > Cost Prohibitive rjwalls@cs.umass.edu 14 forensics.umass.edu
Option 2: Commercial Tools Drawbacks > Cost Prohibitive > Does not support all phones rjwalls@cs.umass.edu 14 forensics.umass.edu
Option 2: Commercial Tools Drawbacks > Cost Prohibitive > Does not support all phones > Still misses important information! rjwalls@cs.umass.edu 14 forensics.umass.edu
Option 3: DEC0DE rjwalls@cs.umass.edu 15 forensics.umass.edu
Option 3: DEC0DE Advantages rjwalls@cs.umass.edu 16 forensics.umass.edu
Option 3: DEC0DE Advantages > Extracts information directly from storage rjwalls@cs.umass.edu 16 forensics.umass.edu
Option 3: DEC0DE Advantages > Extracts information directly from storage > File system and OS agnostic rjwalls@cs.umass.edu 16 forensics.umass.edu
Option 3: DEC0DE Advantages > Extracts information directly from storage > File system and OS agnostic > Quick ( < 20 minutes ) rjwalls@cs.umass.edu 16 forensics.umass.edu
rjwalls@cs.umass.edu 17 forensics.umass.edu
rjwalls@cs.umass.edu 18 forensics.umass.edu
rjwalls@cs.umass.edu 19 forensics.umass.edu
rjwalls@cs.umass.edu 20 forensics.umass.edu
rjwalls@cs.umass.edu 21 forensics.umass.edu
Raw Storage DEC0DE Block Hash Filtering Inference Records rjwalls@cs.umass.edu 22 forensics.umass.edu
Raw Storage DEC0DE Block Hash Filtering Inference Records rjwalls@cs.umass.edu 22 forensics.umass.edu
Raw Storage DEC0DE Block Hash Filtering Inference Records rjwalls@cs.umass.edu 22 forensics.umass.edu
Raw Storage DEC0DE Block Hash Filtering Inference Records rjwalls@cs.umass.edu 22 forensics.umass.edu
Raw Storage DEC0DE Component 1: Block Hash Filtering Block Hash Filtering Inference Records Process: > Divide storage into blocks > Compare block hash to library > Filter duplicates rjwalls@cs.umass.edu 23 forensics.umass.edu
Evaluation: BHF rjwalls@cs.umass.edu 24 forensics.umass.edu
Evaluation: BHF rjwalls@cs.umass.edu 25 forensics.umass.edu
Evaluation: BHF rjwalls@cs.umass.edu 25 forensics.umass.edu
Evaluation: BHF rjwalls@cs.umass.edu 25 forensics.umass.edu
Evaluation: BHF rjwalls@cs.umass.edu 25 forensics.umass.edu
Evaluation: BHF rjwalls@cs.umass.edu 25 forensics.umass.edu
Evaluation: BHF rjwalls@cs.umass.edu 25 forensics.umass.edu
Raw Storage DEC0DE Component 1: Block Hash Filtering Block Hash Filtering Inference Records Evaluation Summary: > Filtered 69% on average > Lot of overlap between phones of same model rjwalls@cs.umass.edu 26 forensics.umass.edu
Inference? Raw Storage DEC0DE Block Hash Simple, just use regular expressions. Filtering Inference Records rjwalls@cs.umass.edu 27 forensics.umass.edu
Inference? Raw Storage DEC0DE Block Hash Simple, just use regular expressions. Filtering Inference Records rjwalls@cs.umass.edu 27 forensics.umass.edu
Raw Storage DEC0DE Component 2: Block Hash Filtering Inference Inference Process: Records > Encode formats using Probabilistic Finite State Machines (PFSM) > Parse using Viterbi’s Algorithm > Remove false positives using decision tree. rjwalls@cs.umass.edu 28 forensics.umass.edu
Phone number: Call log: rjwalls@cs.umass.edu 29 forensics.umass.edu
Raw Storage DEC0DE Component 2: Block Hash Filtering Inference Inference Post Processing: Records > Simpler to encode certain features > Reduces complexity of state machines > Increases precision rjwalls@cs.umass.edu 30 forensics.umass.edu
Component 2: Raw Storage DEC0DE Block Hash Inference Evaluation Filtering Inference Records Process: Step 0 > Pick phone set Step 1 > Pick target record types Step 2 > Manually create state machines Step 3 > Acquire Raw Storage Step 4 > Run DEC0DE rjwalls@cs.umass.edu 31 forensics.umass.edu
Step 0 > Pick phone set rjwalls@cs.umass.edu 32 forensics.umass.edu
Component 2: Raw Storage DEC0DE Block Hash Inference Evaluation Filtering Inference Records Process: Step 0 > Pick phone set Step 1 > Pick target record types Step 2 > Manually create state machines Step 3 > Acquire Raw Storage Step 4 > Run DEC0DE rjwalls@cs.umass.edu 33 forensics.umass.edu
Component 2: Raw Storage DEC0DE Block Hash Inference Evaluation Filtering Inference Records Process: Step 0 > Pick phone set Step 1 > Pick target record types Step 2 > Manually create state machines Step 3 > Acquire Raw Storage Step 4 > Run DEC0DE rjwalls@cs.umass.edu 34 forensics.umass.edu
Step 2 > Manually create state machines rjwalls@cs.umass.edu 35 forensics.umass.edu
Component 2: Raw Storage DEC0DE Block Hash Inference Evaluation Filtering Inference Records Process: Step 0 > Pick phone set Step 1 > Pick target record types Step 2 > Manually create state machines Step 3 > Acquire Raw Storage Step 4 > Run DEC0DE rjwalls@cs.umass.edu 36 forensics.umass.edu
rjwalls@cs.umass.edu 37 forensics.umass.edu
Component 2: Raw Storage DEC0DE Block Hash Inference Evaluation Filtering Inference Records Process: Step 0 > Pick phone set Step 1 > Pick target record types Step 2 > Manually create state machines Step 3 > Acquire Raw Storage Step 4 > Run DEC0DE rjwalls@cs.umass.edu 38 forensics.umass.edu
Evaluation: Inference Recall : Fraction of records recovered. Precision : Fraction of results that are actual records. Development Set Evaluation Set rjwalls@cs.umass.edu 39 forensics.umass.edu
Evaluation: Inference Recall : Fraction of records recovered. Precision : Fraction of results that are actual records. Development Set Evaluation Set rjwalls@cs.umass.edu 39 forensics.umass.edu
Evaluation: Inference Recall : Fraction of records recovered. Precision : Fraction of results that are actual records. Development Set Evaluation Set rjwalls@cs.umass.edu 39 forensics.umass.edu
Evaluation: Inference Recall : Fraction of records recovered. Precision : Fraction of results that are actual records. Development Set Evaluation Set rjwalls@cs.umass.edu 39 forensics.umass.edu
Recommend
More recommend
