

  1. Mobile Devices Villanova University – Department of Computing Sciences – D. Justin Price – Fall 2014

  2. INTRODUCTION
  • The field of computer forensics has long been centered on traditional media like hard drives.
  • This is changing rapidly: cell phones, and smartphones in particular, are now so common that they are a standard part of today's digital examinations.
  Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Fall 2014

  3. CELL PHONE CAPABILITIES
  • Storage capacity increasing
    • Up to 128GB of data storage within the phone.
    • Removable media (e.g. microSD cards) adding 32GB or more.
  • Functionality increasing
    • 10 megapixel camera and video capabilities.
    • WiFi and Internet access for data transfer.
  • Usage increasing worldwide
    • http://www.socialnomics.net/2013/03/25/mobilenomics-video/

  4. CELL PHONE TECHNOLOGY
  • Two major cell phone technologies: GSM and CDMA.
  • GSM stands for Global System for Mobile communications. It is the world's most widely used cell phone technology.
  • A key feature of GSM is the Subscriber Identity Module, commonly known as the SIM card.
  • The SIM is a detachable smart card holding the user's subscription information (the subscriber identity, the IMSI, belongs to the SIM; the IMEI belongs to the handset) and potentially some user data.
  • The handset uses a carrier's GSM network by searching for cell towers in the nearby area.

  5. CELL PHONE TECHNOLOGY
  • CDMA, or Code Division Multiple Access, is a competing cell phone service technology to GSM.
  • CDMA uses a "spread-spectrum" technique: the transmitted energy is spread over a signal with a much wider bandwidth than the data itself requires.
  • With CDMA, data and voice from different users are separated by codes and transmitted over the same wide frequency range.
  • The CDMA standard was originally designed by Qualcomm in the U.S. and is used primarily in the U.S. and parts of Asia.

  6. CELL PHONE TECHNOLOGY
  • Most CDMA phones do not use SIM cards (CDMA handsets with LTE do carry one for the LTE side).
  • Forensics can then only be done on the phone itself: the relevant data is stored directly on the phone.
  • Sprint, Virgin Mobile and Verizon Wireless use CDMA, while T-Mobile and AT&T use GSM.

  7. BLACKBERRY
  • The BlackBerry (RIM) device shares similarities with other smartphones.
  • It is always on and may be participating in some form of wireless push technology (e.g. push e-mail).
  • Unlike the original PDAs, it does not require desktop synchronization.
  • It can still be manually backed up to a computer, so the backup may be a source of evidence.
  • *.ipd = BlackBerry Desktop Software backup file (later versions of the desktop software write .bbb archives that contain the .ipd).

  8. CELLULAR HANDLING
  • Most new cellular devices are not as "power dependent" as older devices were, but they can still be sensitive to loss of power (a restart may leave the device locked).
  • You MUST control the device's wireless access.
  • Gather all potential accessories: each cellular cable can be proprietary or unique to the device.

  9. SEIZING CELL PHONES
  • Secure the phone. Prevent the phone from being used. Capture (photograph) any information on the display.
  • Prevent the phone's access to the cellular network:
    • Faraday bag or box
    • Airplane mode (radios off)
    • Jammer (legal issue)
    • Power off (may engage the passcode on restart)
  • Collect related hardware, software, documentation, passwords, computers, interviews, and other information.
  • Transport seized materials to evidence storage, maintain the chain of custody, and have the phone analyzed by trained examiners.

  10. ISSUES SEIZING CELL PHONES
  • Seizing and preserving cell phone data
    • Isolating the phone from the network: a connected phone can have its user data remotely deleted, and incoming calls and messages overwrite call logs and deleted data.
    • Identifying related sources of evidence: must know what data may exist and where, and must recognize related media.
  • Search incident to arrest
    • Will change data on the phone.
    • Should be fully documented.
    • May encounter admissibility issues.

  11. ISSUES SEIZING CELL PHONES (no text content on this slide)

  12. RECOGNIZING EVIDENCE
  • SD Cards
    • Removable media such as MicroSD, MiniSD or regular SD cards can be found inside or outside the phone.
    • This media can be used to transfer data between a computer and a cell phone.
    • They are easily overlooked.
  • SIM Cards
    • Subscriber Identity Module. The phone number is tied to the SIM.
    • The SIM can hold the phonebook, last dialed numbers, text messages, last cell tower, and other information.

  13. SOURCES OF EVIDENCE
  • Network provider
    • User data
    • Locations (cell tower, GPS)
  • Computers used for sync or backup
    • Phone backup files (e.g. BlackBerry, iPhone)
    • Data transferred to/from the phone
  • People / subscriber
    • Passwords
    • Usage information

  14. CELL PHONE FORENSICS
  • Handheld devices are unique in that most have their own proprietary operating systems, file systems, file formats, and methods of communication.
  • Dealing with this creates unique problems for examiners.
  • Performing a forensic exam on a cell phone takes special software and special knowledge of the way these devices work, as well as where possible evidence could be stored.
  • Multiple tools may be necessary to complete the exam of a single phone.
  • http://www.csc.villanova.edu/~dprice/9010sp14/resources.html

  15. CELL PHONE FORENSICS
  • Three main methods of acquiring a mobile device:
    • Logical
      • Extracts common artifacts through the device's own interfaces: contacts, call logs, SMS, MMS, audio, graphic and video files.
      • Returns live data only; deleted records are not seen.
    • Filesystem extraction
      • Copies all files and folders found within the filesystem (including application databases, whose free pages may still hold deleted records).
    • Physical
      • Bit-for-bit image of the entire physical device.
      • Captures free space, file slack and deleted data.

  16. ISSUES WITH EXAMINATION
  • Issues regarding technology:
    • Proprietary hardware, cables, and connectors.
    • Proprietary operating systems, file systems, data storage methods, and applications.
    • Password cracking and encryption.
    • Methodologies for recovery of deleted data.

  17. EXAMINATION AND EXTRACTION
  • We call it cell phone forensics, but is it?
  • Hash value verification of digital data
    • Hash values change: the device cannot be write-blocked, so the live phone is not the same from one acquisition to the next.
    • What can be verified is the extraction output: hash the extracted image or file set at acquisition time and re-verify that copy later.
  • Are results reproducible?
    • If data are changing, then not only the hash value but even the final results may change.
    • Different tools produce different results.
  • Nature of flash memory
    • Rewrite/refresh of pages in memory may overwrite deleted data.
    • Lack of artifacts like file slack or residual data.
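The hash-verification problem on the slide above, worked as an added example (this code is not part of the deck and is not any tool's implementation). Because the handset is live, two extractions of the same phone rarely hash alike; what an examiner can still do is hash every extracted file at acquisition time, keep that manifest with the evidence, and diff manifests to show exactly which artifacts moved between runs. The two "extractions" and the file paths in them are constructed for the example and are not real database formats.

```python
"""
Per-file hash manifest for a mobile extraction (added example, constructed data).
"""
import hashlib
from typing import Dict, List, Tuple

# Constructed sample data: the same phone extracted twice. The call-log
# database picked up a new record between the two runs (the phone was not
# isolated from the network); the photo did not change.
EXTRACTION_1: Dict[str, bytes] = {
    "data/data/com.android.providers.contacts/databases/calllog.db": b"call:5551234:in:1404400000\n",
    "data/data/com.android.providers.telephony/databases/mmssms.db": b"sms:5551234:'meet at 9'\n",
    "sdcard/DCIM/Camera/IMG_0001.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 64,
}
EXTRACTION_2: Dict[str, bytes] = dict(EXTRACTION_1)
EXTRACTION_2["data/data/com.android.providers.contacts/databases/calllog.db"] += (
    b"call:5559876:missed:1404400600\n"
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(extraction: Dict[str, bytes]) -> Dict[str, str]:
    """Map each extracted path to the SHA-256 of its content."""
    return {path: sha256_hex(content) for path, content in extraction.items()}


def manifest_hash(manifest: Dict[str, str]) -> str:
    """One hash over the whole manifest, sorted so it is order-independent.
    This is the value to record on the chain-of-custody form for the extraction."""
    h = hashlib.sha256()
    for path in sorted(manifest):
        h.update(path.encode("utf-8") + b"\0" + manifest[path].encode("ascii") + b"\n")
    return h.hexdigest()


def verify_extraction(extraction: Dict[str, bytes], recorded: Dict[str, str]) -> bool:
    """Re-verify a stored extraction against the manifest recorded at acquisition time."""
    return build_manifest(extraction) == recorded


def diff_manifests(a: Dict[str, str], b: Dict[str, str]) -> Dict[str, List[str]]:
    """Explain why two acquisitions of the same phone do not hash alike."""
    return {
        "added": sorted(set(b) - set(a)),
        "removed": sorted(set(a) - set(b)),
        "modified": sorted(p for p in set(a) & set(b) if a[p] != b[p]),
    }


def demo() -> Tuple[bool, bool, Dict[str, List[str]]]:
    """Whole-acquisition hashes differ, the stored copy still re-verifies,
    and the diff names the one artifact that changed."""
    m1, m2 = build_manifest(EXTRACTION_1), build_manifest(EXTRACTION_2)
    same_overall = manifest_hash(m1) == manifest_hash(m2)
    reverifies = verify_extraction(EXTRACTION_1, m1)
    return same_overall, reverifies, diff_manifests(m1, m2)


if __name__ == "__main__":
    same, ok, changes = demo()
    print("acquisition hashes equal:", same)
    print("extraction 1 re-verifies:", ok)
    print("what changed:", changes)
```

The whole-manifest hash is what goes in the notes; the per-file manifest is what lets you answer "what changed and why" in court instead of explaining a single mismatching image hash.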

  18. ISSUES WITH EXAMINATION
  • Manual examination: photographing or video-recording data as it is displayed on the cell phone.
    • Possibility of destroying data.
    • May miss evidence (e.g. deleted data).
  • Extracting active data from the cell phone.
    • Requires multiple tools (hardware and software): Cellebrite, XRY, Paraben, Oxygen, ...
  • Extracting and analyzing cell phone physical memory.
    • Requires more skills and tools.
    • Not even an option for all phones.

  19. ANDROID DEVICES
  • Linux platform
  • Can contain several different partitions:
    • User data: /data
      • Application data lives under /data/data/<package name>/, mostly in SQLite databases.
      • Stores all user data: SMS, e-mails, contacts, call logs, social media artifacts, Internet artifacts.
    • System data: /system
      • Preinstalled applications under /system/app.
    • Cache: /cache
      • A separate partition (not Linux swap) used as a temporary location for downloaded files and apps, e.g. apps downloaded from Google Play, and for recovery/OTA data.
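Why the acquisition level from slide 15 matters for the SQLite stores named on the Android slide, and why the flash "rewrite/refresh" caveat from slide 17 applies to them too, as an added example (not code from the deck). A logical extraction queries the live database and sees only current rows. A filesystem or physical extraction hands you the raw .db file, in which a deleted row usually survives as free space inside its page until SQLite reuses the space or rebuilds the file. The SMS table below is constructed with Python's sqlite3 module and does not mirror the real mmssms.db schema; the message bodies and numbers are made up.

```python
"""
Deleted-record survival in an Android-style SQLite store (added example).
"""
import os
import sqlite3
import tempfile
from typing import List

DELETED_BODY = "meet at the warehouse at 9"   # the message the user deletes


def build_sms_db(path: str, secure_delete: bool = False) -> None:
    """Create a small SMS store and delete one message.
    secure_delete=OFF leaves the old cell bytes in the page; with it ON,
    SQLite zeroes deleted cells and nothing is left to carve."""
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA secure_delete=%s" % ("ON" if secure_delete else "OFF"))
    conn.execute("CREATE TABLE sms(_id INTEGER PRIMARY KEY, address TEXT, date INTEGER, body TEXT)")
    conn.executemany(
        "INSERT INTO sms(address, date, body) VALUES (?, ?, ?)",
        [
            ("+15551230001", 1404400000, "running late"),
            ("+15551230002", 1404400100, DELETED_BODY),
            ("+15551230003", 1404400200, "ok see you then"),
        ],
    )
    conn.commit()
    conn.execute("DELETE FROM sms WHERE body = ?", (DELETED_BODY,))
    conn.commit()
    conn.close()


def logical_extraction(path: str) -> List[str]:
    """What a logical (API/SQL) extraction returns: live rows only."""
    conn = sqlite3.connect(path)
    rows = [r[0] for r in conn.execute("SELECT body FROM sms ORDER BY _id")]
    conn.close()
    return rows


def carve_for_text(path: str, needle: str) -> bool:
    """Crude carving over the raw file bytes, as on a filesystem or physical
    image: is the deleted text still present anywhere in the .db file?"""
    with open(path, "rb") as f:
        return needle.encode("utf-8") in f.read()


def vacuum(path: str) -> None:
    """Rebuild the file. SQLite rewrites every page and drops free space,
    which is the database-level version of flash pages being refreshed."""
    conn = sqlite3.connect(path, isolation_level=None)   # autocommit; VACUUM cannot run inside a transaction
    conn.execute("VACUUM")
    conn.close()


def demo(secure_delete: bool = False, do_vacuum: bool = False) -> dict:
    """Compare what the live query shows with what the raw file still holds."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        build_sms_db(path, secure_delete)
        if do_vacuum:
            vacuum(path)
        return {
            "live_rows": logical_extraction(path),
            "deleted_recoverable": carve_for_text(path, DELETED_BODY),
        }
    finally:
        os.remove(path)


if __name__ == "__main__":
    print("default        :", demo())
    print("secure_delete  :", demo(secure_delete=True))
    print("after VACUUM   :", demo(do_vacuum=True))
```

The first run shows the deleted message missing from the query but present in the file bytes; the other two show it gone, which is why an examiner wants the file (or the whole flash) rather than a query result, and wants it before the database is rewritten.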
