SLIDE 1

Villanova University – Department of Computing Sciences – D. Justin Price – Fall 2014

Mobile Devices

SLIDE 2

Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Fall 2014

INTRODUCTION

The field of computer forensics has long been centered on traditional media like hard drives. This is rapidly changing as cell phones, and specifically smartphone devices, are so common that they have become the standard in today’s digital examinations.

SLIDE 3

CELL PHONE CAPABILITIES

  • Storage capacity increasing...
    • 128GB of data storage within the phone.
    • Removable media with 32GB data storage for cell phones (e.g. microSD cards)
  • Functionality increasing…
    • 10 megapixel camera and video capabilities.
    • WiFi and Internet access for data transfer.
  • Usage increasing worldwide
    • http://www.socialnomics.net/2013/03/25/mobilenomics-video/

SLIDE 4

CELL PHONE TECHNOLOGY

  • Two major cellphone technologies: GSM & CDMA
  • GSM stands for Global System for Mobile communications. It is the world’s most widely used cell phone technology.
  • A key feature of GSM is the Subscriber Identity Module, commonly known as a SIM card.
  • The SIM is a detachable smart card containing the user's subscription information and (potentially) some user data.
  • Uses a cell phone service carrier’s GSM network by searching for cell phone towers in the nearby area.

SLIDE 5

CELL PHONE TECHNOLOGY

  • CDMA, or Code Division Multiple Access, is a competing cell phone service technology to GSM.
  • CDMA uses a “spread-spectrum” technique whereby electromagnetic energy is spread to allow for a signal with a wider bandwidth.
  • With CDMA technology, data and voice packets are separated using codes and then transmitted using a wide frequency range.
  • The CDMA standard was originally designed by Qualcomm in the U.S. and is primarily used in the U.S. and portions of Asia by other carriers.

SLIDE 6

CELL PHONE TECHNOLOGY

  • Most CDMA phones do not use SIM cards.
    • Forensics can only be done on the phone itself.
    • Relevant data is stored directly on the phone.
  • Sprint, Virgin Mobile and Verizon Wireless use CDMA, while T-Mobile and AT&T use GSM.

SLIDE 7

BLACKBERRY

  • The Blackberry (RIM) device shares similarities to other smart phones.
  • The Blackberry (RIM) device is always-on, and may be participating in some form of wireless push technology.
  • The Blackberry (RIM) does not require some form of desktop synchronization like the original PDAs did.
  • It still can be manually backed up to the computer, so this may be a source of evidence.
  • *.ipd = Blackberry backups
SLIDE 8

CELLULAR HANDLING

  • Most new cellular devices are not as “power dependent” as the older devices were. However, they still can be sensitive to power.
  • You MUST control the wireless access to the device.
  • Additionally, gather all potential accessories.
    • Each cellular cable can be proprietary or unique to the device.

SLIDE 9

SEIZING CELL PHONES

  • Secure the phone. Prevent the phone from being used. Capture any information on display.
  • Prevent the phone’s access to the cellular network.
    • Faraday, airplane mode (radio off), jammer (legal issue), turn off (may engage password)
  • Collect related hardware, software, documentation, passwords, computers, interviews, and other information.
  • Transport seized materials to evidence storage, maintain chain of custody, and have the phone analyzed by trained examiners.

SLIDE 10

ISSUES SEIZING CELL PHONES

  • Seizing and preserving cell phone data…
    • Isolating the phone from the network
      • Remote deletion of user data.
      • Overwriting of call logs and deleted data
    • Identifying related sources of evidence
      • Must know what data may exist and where.
      • Must recognize related media.
  • Search incident to arrest
    • Will change data on the phone.
    • Should be fully documented.
    • May encounter admissibility issues.
SLIDE 11

ISSUES SEIZING CELL PHONES (image-only slide; no text content)

slide-12
SLIDE 12

Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Fall 2014

RECOGNIZING EVIDENCE

SIM cards: Subscriber Identity Module. The phone number is tied to the SIM. A SIM can hold the phonebook, last dialed numbers, text messages, last cell tower, and other information.

SD cards: Removable media such as MicroSD, MiniSD or regular SD cards (pictured on the slide) can be found inside or outside the phone. This media can be used to transfer data between a computer and a cell phone. They are easily overlooked.

slide-13
SLIDE 13

Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Fall 2014

SOURCES OF EVIDENCE

  • Network provider
    • User data
    • Locations (cell tower, GPS)
  • Computers for sync or backup files
    • Phone backup files (e.g. Blackberry, iPhone)
    • Transfer data to/from phone
  • People/subscriber
    • Passwords
    • Usage information
slide-14
SLIDE 14

Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Fall 2014

CELL PHONE FORENSICS

  • Handheld devices are unique in that most have their own proprietary operating systems, file systems, file formats, and methods of communication.
  • Dealing with this creates unique problems for examiners.
  • Performing a forensic exam on a cell phone takes special software and special knowledge of the way these devices work, as well as where possible evidence could be stored.
  • Multiple tools may be necessary to complete the exam of a single phone.
  • http://www.csc.villanova.edu/~dprice/9010sp14/resources.html

slide-15
SLIDE 15

Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Fall 2014

CELL PHONE FORENSICS

  • Three main methods of acquiring a mobile device:
    • Logical
      • Extracts common artifacts: contacts, call logs, SMS, MMS, audio, graphic and video files.
    • Filesystem extraction
      • Copies all files and folders found within the filesystem.
    • Physical
      • Bit-for-bit image of the entire physical device.
      • Captures free space, file slack and deleted data.
slide-16
SLIDE 16

Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Fall 2014

ISSUES WITH EXAMINATION

  • Issues regarding technology...
    • Proprietary hardware, cables, and connectors.
    • Proprietary operating systems, file systems for data storage methods, and applications.
    • Password cracking and encryption.
    • Methodologies for recovery of deleted data
slide-17
SLIDE 17

Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Fall 2014

EXAMINATION AND EXTRACTION

  • We call it cell phone forensics, but is it?
  • Hash value verification of digital data.
    • Hash values change
      • Device cannot be write-blocked
    • Are results reproducible?
      • If data are changing, then not only the hash value but even the final results may change
      • Different tools produce different results
  • Nature of flash memory
    • Rewrite/refresh of pages in memory may overwrite deleted data
    • Lack of artifacts – like file slack or residual data
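Slide 15's point that only a physical acquisition captures deleted data, and this slide's caveat that rewritten pages destroy it, can be watched at small scale in SQLite, the store that Android and iOS keep user data in (slides 19 and 34). The Python below is an added example written for these notes, not code from the slides or from any forensic tool: it builds a constructed messages database, deletes a row, and shows that a logical query no longer returns it while the raw file bytes (what a physical image would capture) still hold the text, until the database is rebuilt with VACUUM, which rewrites the file from live rows only. The table layout, phone numbers and messages are made up for the demo; `PRAGMA secure_delete=OFF` is set explicitly because some SQLite builds enable secure deletion by default, which would zero the freed cell.

```python
import os
import sqlite3
import tempfile
from typing import Dict, List, Tuple

# Marker text placed only in the row that will be deleted, so a raw byte scan
# can tell residue from live data. Constructed for the demonstration.
DELETED_MARKER = "DELETED-MARKER"


def build_sample_db(path: str) -> None:
    """Create a constructed messages table, then delete one row the way a user
    deleting a text message would."""
    con = sqlite3.connect(path)
    # Some SQLite builds default secure_delete to ON, which overwrites freed
    # cells with zeros; force it off so the residue is observable.
    con.execute("PRAGMA secure_delete=OFF")
    con.execute(
        "CREATE TABLE message (id INTEGER PRIMARY KEY, sender TEXT, body TEXT)"
    )
    con.executemany(
        "INSERT INTO message (sender, body) VALUES (?, ?)",
        [
            ("+15550001111", "meet at the usual place"),
            ("+15550002222", f"{DELETED_MARKER} this row will be deleted"),
            ("+15550003333", "call me back"),
        ],
    )
    con.commit()
    con.execute("DELETE FROM message WHERE id = 2")
    con.commit()
    con.close()


def logical_rows(path: str) -> List[Tuple[int, str, str]]:
    """What a logical extraction sees: only the rows SQLite still reports."""
    con = sqlite3.connect(path)
    try:
        return con.execute(
            "SELECT id, sender, body FROM message ORDER BY id"
        ).fetchall()
    finally:
        con.close()


def raw_contains(path: str, needle: str) -> bool:
    """What a physical image sees: scan the file bytes, ignoring SQLite's view."""
    with open(path, "rb") as f:
        return needle.encode("utf-8") in f.read()


def rebuild(path: str) -> None:
    """VACUUM rewrites the file from live rows only; freed cells do not survive
    (the same effect as a rewritten flash page on a real device)."""
    con = sqlite3.connect(path)
    con.execute("VACUUM")
    con.close()


def run_demo() -> Dict[str, object]:
    """Return what the logical view and the raw bytes show before and after
    the rebuild, so the difference between the acquisition types is explicit."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "messages.db")
        build_sample_db(path)
        result: Dict[str, object] = {
            "live_ids": [row[0] for row in logical_rows(path)],
            "residue_before_rebuild": raw_contains(path, DELETED_MARKER),
        }
        rebuild(path)
        result["residue_after_rebuild"] = raw_contains(path, DELETED_MARKER)
        return result


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The live row set is identical before and after the rebuild, so a logical extraction and its hash would look the same either way; only the raw bytes changed. That is the reason the slides insist on a physical image where one is possible, and on documenting which acquisition type produced a given hash.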
slide-18
SLIDE 18

Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Fall 2014

ISSUES WITH EXAMINATION

  • Manually, by using photography or video as data is displayed on the cell phone.
    • Possibility of destroying data
    • May miss evidence (i.e. deleted data)
  • Extracting active data from the cell phone.
    • Requires multiple tools (hardware & software)
    • Cellebrite, XRY, Paraben, Oxygen, …
  • Extracting and analyzing cell phone physical memory
    • Requires more skills and tools
    • Not even an option for all phones
slide-19
SLIDE 19

Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Fall 2014

ANDROID DEVICES

  • Linux platform
  • Can contain several different partitions
    • User Data
      • /data
      • SQLite databases
      • Stores all user data: SMS, emails, contacts, call logs, social media artifacts, Internet artifacts
    • System Data
      • /app
      • Preinstalled applications
    • Cache Records
      • Swap partition on a Linux system
      • Temporary location for downloaded files / apps
      • Apps downloaded from the Google Play Store, etc.
slide-20
SLIDE 20

Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Fall 2014

ANDROID DEVICES

  • Boot
    • Points to the software needed to boot the device.
  • Recovery
    • Low-level software that allows the device to be restored to factory defaults.
  • Internal SD card
    • Stores media files (graphic files, video files, audio files, etc.)
    • Some apps will use the external storage to put large amounts of cache files.
    • Forensic procedure: remove from device and process using standard write-protection and acquisition methods.

slide-21
SLIDE 21

Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Fall 2014

CELLEBRITE UFED ULTIMATE

http://www.rcfl.gov/cpik_cbt/index.html

SLIDE 22

CELLEBRITE UFED ULTIMATE (slides 22 through 27 are screenshot slides with no text content)

SLIDE 28

iOS DEVICES

  • iPod Touch, iPhone and iPad can all be processed using similar techniques.
  • Knowing the exact model is important
    • iPhones = http://support.apple.com/kb/ht3939
    • iPads = http://support.apple.com/kb/ht5452
  • Four methods of extraction or sources of user data:
    • Physical acquisition … up to iPhone v4
    • Logical acquisition
    • iTunes backup
    • iCloud
  • Email messages, geo-location (consolidated.db - GPS data, cell tower logs and wifi connections) and app cache data will not be extracted when processing a logical image or an iTunes backup.

SLIDE 29

iTUNES BACKUPS

  • Creates a backup of user data that can't be re-downloaded (i.e. contacts, SMS, photos, calendar entries, call logs, configuration files, database files, etc.)
  • The backup folder contains several files which are not directly readable.
  • Contains folders for each device sync’ed with the computer.
  • The folder name is based on the device’s UDID (Unique Device ID) … see next slide for example.
  • Locations:
    • OS X: Users/<USERNAME>/Library/Application Support/MobileSync/Backup/
    • Win Vista/7/8: C:\Users\<USERNAME>\AppData\Roaming\Apple Computer\MobileSync\Backup\
    • Win XP: C:\Documents and Settings\<USERNAME>\Application Data\Apple Computer\MobileSync\Backup\

SLIDE 30

iTUNES BACKUPS

  • The filenames are based on a SHA1 hash value of the “DomainName-filename” string.
  • SHA1 of HomeDomain-Library/AddressBook/AddressBookImages.sqlitedb =
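The naming rule on this slide is easy to reproduce, and reproducing it is also how an examiner works out which backup file is which, since SHA1 cannot be reversed. The Python below is an added example written for these notes, not code from the slides or from Apple: `backup_filename` computes the name a file gets in the backup folder from its domain and relative path, and `identify_backup_files` hashes a candidate table of known domain/path pairs and matches folder entries against it. The candidate table is an assumption built for the demo from the paths this deck mentions; a real backup holds thousands of files, so a name that matches nothing stays unidentified until the table grows.

```python
import hashlib
from typing import Dict, Iterable, List, Tuple

# Constructed candidate table of ("DomainName", relative path) pairs. The
# first entry is the slide's own example; the others are assumed for the
# demonstration and cover paths mentioned elsewhere in this deck.
KNOWN_BACKUP_FILES: List[Tuple[str, str]] = [
    ("HomeDomain", "Library/AddressBook/AddressBookImages.sqlitedb"),
    ("HomeDomain", "Library/AddressBook/AddressBook.sqlitedb"),
    ("HomeDomain", "Library/SMS/sms.db"),
    ("HomeDomain", "Library/Keyboard/dynamic-text.dat"),
]


def backup_filename(domain: str, relative_path: str) -> str:
    """Return the name a file gets inside the backup folder: the hex SHA1 of
    the string "DomainName-relative/path" (the slide's "DomainName-filename")."""
    key = f"{domain}-{relative_path}".encode("utf-8")
    return hashlib.sha1(key).hexdigest()


def build_lookup(candidates: Iterable[Tuple[str, str]]) -> Dict[str, Tuple[str, str]]:
    """Hash every candidate once so backup names can be matched by lookup."""
    return {backup_filename(d, p): (d, p) for d, p in candidates}


def identify_backup_files(
    names_in_folder: Iterable[str],
    candidates: Iterable[Tuple[str, str]] = KNOWN_BACKUP_FILES,
) -> Tuple[Dict[str, Tuple[str, str]], List[str]]:
    """Split the files found in a backup folder into those whose origin is
    known (hash matched a candidate) and those still unidentified. SHA1 is
    one-way, so the only remedy for an unknown name is a larger table."""
    lookup = build_lookup(candidates)
    identified: Dict[str, Tuple[str, str]] = {}
    unknown: List[str] = []
    for name in names_in_folder:
        origin = lookup.get(name.lower())
        if origin is None:
            unknown.append(name)
        else:
            identified[name] = origin
    return identified, unknown


if __name__ == "__main__":
    # Constructed folder listing: two names built with the rule above plus one
    # hash that is not in the candidate table.
    listing = [
        backup_filename("HomeDomain", "Library/SMS/sms.db"),
        backup_filename("HomeDomain", "Library/AddressBook/AddressBookImages.sqlitedb"),
        "0" * 40,
    ]
    found, missing = identify_backup_files(listing)
    for name, (domain, path) in found.items():
        print(f"{name}  ->  {domain}-{path}")
    print("unidentified:", missing)
```

The hash is taken over the exact string, so the domain name, the hyphen and the path separators all have to match; a table built from one iOS version will not identify files whose paths moved in another, which is a common reason for a large "unidentified" list.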

SLIDE 31

LOCKED iOS DEVICES

  • Ask the user for the passcode.
  • Extract the pairing file from the suspect’s computer.
    • <UDID>.plist (named with the device’s Unique Device ID)
    • Locations:
      • OS X: /private/var/db/lockdown
      • Win 7/8: C:\Program Data\Apple\Lockdown
      • Win Vista: C:\Users\<USERNAME>\AppData\Roaming\Apple Computer\Lockdown
      • Win XP: C:\Documents and Settings\<USERNAME>\Application Data\Apple Computer\Lockdown\Default\Cache

SLIDE 32

LOCKED iOS DEVICES

  • Brute-force the passcode … up to iPhone v4
  • Send to Apple with appropriate legal authority.
SLIDE 33

iOS DEVICES

  • Data is stored in one of the following formats:
    • Internal storage
      • Partition 1 - System or Firmware, mounted as /
      • Partition 2 - User Data, mounted as /private/var
        • Almost all user data is located under /private/var/mobile/Library
        • /private/var/mobile/Media/DCIM/100APPLE: photos and videos taken by the device
        • /private/var/mobile/Media/DCIM/999APPLE: screenshots taken by the device
SLIDE 34

iOS DEVICES

  • Data is stored in one of the following formats:
    • SQLite database files
      • Address books, calendar entries, notes, SMS, call logs, photos, voicemails, etc.
    • Property lists (.plist)
      • XML format or binary format
      • Apple’s version of the “Windows Registry”
    • Network
    • User dictionary - dynamic dictionary that records words manually typed into the iOS device (i.e. SMS, email, notes, etc.)
      • /private/var/mobile/Library/Keyboard/dynamic-text.dat
  • Lantern demo
    • https://katanaforensics.com/
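Property lists arrive in the two encodings this slide names, and the same data can be stored as either depending on how it was written, so an examiner's first question is which one is in front of them. The Python below is an added example written for these notes, not code from the slides or from any vendor tool: it writes one constructed dictionary as XML and as binary, sniffs the encoding from the leading bytes, parses either with the standard-library plistlib, and flattens the nested result into dotted key paths that can be searched or diffed. The dictionary's keys and values are made up for the demonstration and do not correspond to any real iOS plist.

```python
import datetime
import plistlib
from typing import Any, Dict

# Constructed sample: keys and values are invented for the demonstration.
SAMPLE: Dict[str, Any] = {
    "DeviceName": "constructed-phone",
    "PasscodeSet": True,
    "LastSync": datetime.datetime(2014, 9, 1, 12, 30, 0),
    "KnownNetworks": [
        {"SSID": "home-wifi", "LastJoined": datetime.datetime(2014, 8, 30, 8, 0, 0)},
        {"SSID": "campus", "LastJoined": datetime.datetime(2014, 8, 31, 9, 15, 0)},
    ],
    "Token": b"\x00\x01\x02",
}


def to_xml_plist(data: Dict[str, Any]) -> bytes:
    """Serialize as the text (XML) form of a property list."""
    return plistlib.dumps(data, fmt=plistlib.FMT_XML)


def to_binary_plist(data: Dict[str, Any]) -> bytes:
    """Serialize as the binary form (starts with the 'bplist' magic)."""
    return plistlib.dumps(data, fmt=plistlib.FMT_BINARY)


def detect_plist_format(blob: bytes) -> str:
    """Sniff the encoding: binary plists start with the magic 'bplist';
    XML plists are text beginning with an XML declaration or a <plist> tag."""
    if blob.startswith(b"bplist"):
        return "binary"
    head = blob.lstrip()[:256]
    if head.startswith(b"<?xml") or b"<plist" in head:
        return "xml"
    return "unknown"


def load_plist(blob: bytes) -> Dict[str, Any]:
    """Parse either encoding; plistlib.loads auto-detects, but refuse data
    that is neither so a mislabeled file is reported rather than guessed at."""
    if detect_plist_format(blob) == "unknown":
        raise ValueError("not a property list")
    return plistlib.loads(blob)


def flatten(obj: Any, prefix: str = "") -> Dict[str, Any]:
    """Turn the nested dict/list structure into {'a.b[0].c': value} pairs so
    every leaf has a single searchable path."""
    out: Dict[str, Any] = {}
    if isinstance(obj, dict):
        for key, value in obj.items():
            out.update(flatten(value, f"{prefix}.{key}" if prefix else str(key)))
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            out.update(flatten(value, f"{prefix}[{index}]"))
    else:
        out[prefix] = obj
    return out


if __name__ == "__main__":
    for blob in (to_xml_plist(SAMPLE), to_binary_plist(SAMPLE)):
        print(detect_plist_format(blob), len(blob), "bytes")
        for path, value in flatten(load_plist(blob)).items():
            print(f"  {path} = {value!r}")
```

Both encodings decode to the same Python objects, including dates and raw byte strings, so the flattened view is identical whichever form the file on disk used; keeping the original blob alongside the parsed output preserves the evidence as collected while the flattened paths are what gets reported.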