Villanova University – Department of Computing Sciences – D. Justin Price – Fall 2014
Mobile Devices
Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Fall 2014
INTRODUCTION
The field of computer forensics has long been centered on traditional media like hard drives. This is rapidly changing: cell phones, and specifically smartphone devices, are so common that they have become the standard in today’s digital examinations.
CELL PHONE CAPABILITIES
• Storage capacity increasing...
  • 128GB of data storage within the phone.
  • Removable media with 32GB data storage for cell phones (e.g. microSD cards).
• Functionality increasing…
  • 10 megapixel camera and video capabilities.
  • WiFi and Internet access for data transfer.
• Usage increasing worldwide
  • http://www.socialnomics.net/2013/03/25/mobilenomics-video/
CELL PHONE TECHNOLOGY
• Two major cell phone technologies: GSM & CDMA
• GSM stands for Global System for Mobile communications. It is the world’s most widely used cell phone technology.
• A key feature of GSM is the Subscriber Identity Module, commonly known as a SIM card.
• The SIM is a detachable smart card containing the user's subscription information and, potentially, some user data.
• The phone uses a cell phone service carrier’s GSM network by searching for cell phone towers in the nearby area.
CELL PHONE TECHNOLOGY
• CDMA, or Code Division Multiple Access, is a competing cell phone service technology to GSM.
• CDMA uses a “spread-spectrum” technique whereby electromagnetic energy is spread to allow for a signal with a wider bandwidth.
• With CDMA technology, data and voice packets are separated using codes and then transmitted using a wide frequency range.
• The CDMA standard was originally designed by Qualcomm in the U.S. and is primarily used in the U.S. and portions of Asia by other carriers.
CELL PHONE TECHNOLOGY
• Most CDMA phones do not use SIM cards
  • Forensics can only be done on the phone itself.
  • Relevant data is stored directly on the phone.
• Sprint, Virgin Mobile and Verizon Wireless use CDMA, while T-Mobile and AT&T use GSM.
BLACKBERRY
• The Blackberry (RIM) device shares similarities with other smart phones.
• The Blackberry (RIM) device is always-on, and may be participating in some form of wireless push technology.
• The Blackberry (RIM) does not require some form of desktop synchronization like the original PDAs did.
• It still can be manually backed up to the computer, so this may be a source of evidence.
  • *.ipd = Blackberry backups
CELLULAR HANDLING
• Most new cellular devices are not as “power dependent” as the older devices were. However, they still can be sensitive to power.
• You MUST control the wireless access to the device.
• Additionally, gather all potential accessories.
  • Each cellular cable can be proprietary or unique to the device.
SEIZING CELL PHONES
• Secure the phone. Prevent the phone from being used. Capture any information on display.
• Prevent the phone’s access to the cellular network.
  • Faraday bag, airplane mode (radio off), jammer (legal issue), turn off (may engage password).
• Collect related hardware, software, documentation, passwords, computers, interviews, and other information.
• Transport seized materials to evidence storage, maintain chain of custody, and have the phone analyzed by trained examiners.
ISSUES SEIZING CELL PHONES
• Seizing and preserving cell phone data…
  • Isolating the phone from the network
    • Remotely deleting user data.
    • Overwriting call logs and deleted data.
  • Identifying related sources of evidence
    • Must know what data may exist and where.
    • Must recognize related media.
  • Search incident to arrest
    • Will change data on the phone.
    • Should be fully documented.
    • May encounter admissibility issues.
RECOGNIZING EVIDENCE
SIM Cards
• Subscriber Identity Module.
• Phone number is tied to the SIM.
• SIM can hold phonebook, last dialed numbers, text messages, last cell tower, and other information.
SD Cards
• Removable media such as MicroSD, MiniSD or regular SD cards (shown above) can be found inside or outside the phone.
• This media can be used to transfer data between a computer and cell phone.
• They are easily overlooked.
SOURCES OF EVIDENCE
• Network provider
  • User data
  • Locations (cell tower, GPS)
• Computers for sync or backup files
  • Phone backup files (e.g. Blackberry, iPhone)
  • Transfer data to/from phone
• People/Subscriber
  • Passwords
  • Usage information
CELL PHONE FORENSICS
• Handheld devices are unique in that most have their own proprietary operating systems, file systems, file formats, and methods of communication.
• Dealing with this creates unique problems for examiners.
• Performing a forensic exam on a cell phone takes special software and special knowledge of the way these devices work, as well as where possible evidence could be stored.
• Multiple tools may be necessary to complete the exam of a single phone.
  • http://www.csc.villanova.edu/~dprice/9010sp14/resources.html
CELL PHONE FORENSICS
• Three main methods of acquiring a mobile device:
  • Logical
    • Extracts common artifacts: contacts, call logs, SMS, MMS, audio, graphic and video files.
  • Filesystem extraction
    • Copies all files and folders found within the filesystem.
  • Physical
    • Bit-for-bit image of the entire physical device.
    • Captures free space, file slack and deleted data.
ISSUES WITH EXAMINATION
• Issues regarding technology...
  • Proprietary hardware, cables, and connectors.
  • Proprietary operating systems, file systems, data storage methods, and applications.
  • Password cracking and encryption.
  • Methodologies for recovery of deleted data.
EXAMINATION AND EXTRACTION
• We call it cell phone forensics, but is it?
• Hash value verification of digital data.
  • Hash values change.
  • Device cannot be write-blocked.
• Are results reproducible?
  • If data are changing, then not only the hash value but even the final results may change.
  • Different tools produce different results.
• Nature of flash memory
  • Rewrite/refresh of pages in memory may overwrite deleted data.
  • Lack of artifacts, like file slack or residual data.
ISSUES WITH EXAMINATION
• Manually, by using photography or video as data is displayed on the cell phone.
  • Possibility of destroying data.
  • May miss evidence (i.e. deleted data).
• Extracting active data from the cell phone.
  • Requires multiple tools (hardware & software).
  • Cellebrite, XRY, Paraben, Oxygen, …
• Extracting and analyzing cell phone physical memory.
  • Requires more skills and tools.
  • Not even an option for all phones.
ANDROID DEVICES
• Linux platform
• Can contain several different partitions
  • User Data
    • \data
    • SQLite databases
    • Stores all user data: SMS, emails, contacts, call logs, social media artifacts, Internet artifacts
  • System Data
    • \app
    • Preinstalled applications
  • Cache Records
    • Swap partition on a Linux system
    • Temporary location for downloaded files / apps
    • Apps downloaded from Google Store, etc.
ANDROID DEVICES
• Boot
  • Points to the software needed to boot the device.
• Recovery
  • Low-level software that allows the device to be restored to factory defaults.
• Internal SD Card
  • Stores media files (graphic files, video files, audio files, etc.)
  • Some apps will use the external storage to put large amounts of cache files.
  • Forensic procedure:
    • Remove from device and process using standard write-protection and acquisition methods.
CELLEBRITE UFED ULTIMATE
http://www.rcfl.gov/cpik_cbt/index.html
iOS DEVICES
• iPod Touch, iPhone and iPad can all be processed using similar techniques.
• Knowing the exact model is important
  • iPhones = http://support.apple.com/kb/ht3939
  • iPads = http://support.apple.com/kb/ht5452
• Four methods of extraction or sources of user data:
  • Physical acquisition … up to iPhone v4
  • Logical acquisition
  • iTunes backup
  • iCloud
• Email messages, geo-location (consolidated.db - GPS data, cell tower logs and wifi connections) and app cache data will not be extracted when processing a logical image or an iTunes backup.
iTUNES BACKUPS
• Creates a backup of user data that can't be re-downloaded (i.e. contacts, SMS, photos, calendar entries, call logs, configuration files, database files, etc.)
• The backup folder contains several files which are not directly readable.
• Contains folders for each device sync’ed with the computer.
• The folder name is based on the device’s UDID (Unique Device ID) … see next slide for example.
• Locations:
  • OS X: Users/<USERNAME>/Library/Application Support/MobileSync/Backup/
  • Win Vista/7/8: C:\Users\<USERNAME>\AppData\Roaming\Apple Computer\MobileSync\Backup\
  • Win XP: C:\Documents and Settings\<USERNAME>\Application Data\Apple Computer\MobileSync\Backup\
iTUNES BACKUPS
• The filenames are based on a SHA1 hash value of the “DomainName-filename” calculation.
  • SHA1 of HomeDomain-Library/AddressBook/AddressBookImages.sqlitedb =
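As an added example (not from the slides), the naming scheme above can be reproduced and reversed in Python: compute SHA1("Domain-relative/path") for a list of artifacts of interest, then decode a backup folder listing back to the original paths. The candidate list is constructed for illustration (the Keyboard entry assumes dynamic-text.dat lives under HomeDomain), and treating non-hex names such as Manifest.plist as unhashed is an assumption about what else the folder holds.

```python
import hashlib
import os

# Constructed candidate list of (domain, relative path) pairs. The AddressBook
# and SMS entries are the usual targets; the Keyboard entry is an assumption.
CANDIDATE_FILES = [
    ("HomeDomain", "Library/AddressBook/AddressBook.sqlitedb"),
    ("HomeDomain", "Library/AddressBook/AddressBookImages.sqlitedb"),
    ("HomeDomain", "Library/SMS/sms.db"),
    ("HomeDomain", "Library/Keyboard/dynamic-text.dat"),
]


def backup_filename(domain: str, relative_path: str) -> str:
    """Name iTunes gives a backed-up file: hex SHA-1 of 'Domain-relative/path'."""
    return hashlib.sha1(f"{domain}-{relative_path}".encode("utf-8")).hexdigest()


def build_lookup(candidates):
    """Precompute hash -> (domain, path) so a backup listing can be decoded."""
    return {backup_filename(d, p): (d, p) for d, p in candidates}


def identify_backup_files(filenames, candidates=CANDIDATE_FILES):
    """Map each name from a MobileSync/Backup/<UDID>/ folder back to its
    (domain, path), None when it is a hash matching no candidate, or
    ("unhashed", name) when it is not a 40-character hex name at all."""
    lookup = build_lookup(candidates)
    result = {}
    for name in filenames:
        base = os.path.basename(name).lower()
        if len(base) == 40 and all(c in "0123456789abcdef" for c in base):
            result[name] = lookup.get(base)
        else:
            result[name] = ("unhashed", base)
    return result


if __name__ == "__main__":
    # Constructed listing: two known artifacts, one unknown hash, one plist.
    listing = [
        backup_filename("HomeDomain", "Library/SMS/sms.db"),
        backup_filename("HomeDomain", "Library/AddressBook/AddressBook.sqlitedb"),
        "0" * 40,
        "Manifest.plist",
    ]
    for name, origin in identify_backup_files(listing).items():
        print(name, "->", origin)
```

Run against a real backup folder by passing `os.listdir(path)` as the listing; unknown hashes are candidates to add to the list once identified.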
LOCKED iOS DEVICES
• Ask the user for the passcode.
• Extract the pairing file from the suspect’s computer.
  • <UDID (Unique Device ID)>.plist
  • OS X: \private\var\db\lockdown
  • Win 7/8: C:\Program Data\Apple\Lockdown
  • Win Vista: C:\Users\<USERNAME>\AppData\Roaming\Apple Computer\Lockdown
  • Win XP: C:\Documents and Settings\<USERNAME>\Application Data\Apple Computer\Lockdown\Default\Cache
LOCKED iOS DEVICES
• Brute-force the passcode … up to iPhone v4
• Send to Apple with appropriate legal authority.
iOS DEVICES
• Data is stored in one of the following formats:
  • Internal storage
    • Partition 1 - System or Firmware
      • Mounted as /
    • Partition 2 - User Data
      • Mounted as /private/var
      • Most all user data is located in /private/var/mobile/Library
      • /private/var/mobile/Media/DCIM/100APPLE
        • Photos and videos taken by the device
      • /private/var/mobile/Media/DCIM/999APPLE
        • Screenshots taken by the device
iOS DEVICES
• Data is stored in one of the following formats:
  • SQLite database files
    • Address books, calendar entries, notes, SMS, call logs, photos, voicemails, etc.
  • Property Lists (.plist)
    • XML format or binary format
    • Apple’s version of the “Windows Registry”
  • Network
  • User Dictionary - dynamic dictionary that records words manually typed into the iOS device (i.e. SMS, email, notes, etc.)
    • /private/var/mobile/Library/Keyboard/dynamic-text.dat
• Lantern Demo
  • https://katanaforensics.com/