20 Cell Phone - Villanova University › ~dprice › fall2014 › slides › 20_Cell Phone.pdf

Villanova University – Department of Computing Sciences – D. Justin Price – Fall 2014

Page 1

Mobile Devices

Page 2

Villanova University – Department of Computing Sciences – D. Justin Price – Digital Forensics - Fall 2014

INTRODUCTION

The field of computer forensics has long been centered on traditional media like hard drives. This is rapidly changing: cell phones, and specifically smartphones, are so common that they have become the standard in today's digital examinations.

Page 3

CELL PHONE CAPABILITIES

• Storage capacity increasing...
  • 128GB of data storage within the phone.
  • Removable media with 32GB data storage for cell phones (e.g. microSD cards)
• Functionality increasing...
  • 10 megapixel camera and video capabilities.
  • WiFi and Internet access for data transfer.
• Usage increasing worldwide
  • http://www.socialnomics.net/2013/03/25/mobilenomics-video/

Page 4

CELL PHONE TECHNOLOGY

• Two major cell phone technologies: GSM & CDMA
• GSM stands for Global System for Mobile communications. It is the world's most widely used cell phone technology.
• A key feature of GSM is the Subscriber Identity Module, commonly known as a SIM card.
• The SIM is a detachable smart card containing the user's subscription information and (potentially) some user data.
• The phone uses a cell phone service carrier's GSM network by searching for cell phone towers in the nearby area.

Page 5

CELL PHONE TECHNOLOGY

• CDMA, or Code Division Multiple Access, is a competing cell phone service technology to GSM.
• CDMA uses a "spread-spectrum" technique whereby electromagnetic energy is spread to allow for a signal with a wider bandwidth.
• With CDMA technology, data and voice packets are separated using codes and then transmitted using a wide frequency range.
• The CDMA standard was originally designed by Qualcomm in the U.S. and is primarily used in the U.S. and portions of Asia by other carriers.

Page 6

CELL PHONE TECHNOLOGY

• Most CDMA phones do not use SIM cards
  • Forensics can only be done on the phone itself
  • Relevant data is stored directly on the phone
• Sprint, Virgin Mobile and Verizon Wireless use CDMA, while T-Mobile and AT&T use GSM

Page 7

BLACKBERRY

• The BlackBerry (RIM) device shares similarities with other smart phones
• The BlackBerry (RIM) device is always-on, and may be participating in some form of wireless push technology
• The BlackBerry (RIM) does not require desktop synchronization the way the original PDAs did
• It can still be manually backed up to a computer, so the computer may be a source of evidence
  • *.ipd = BlackBerry backups

Page 8

CELLULAR HANDLING

• Most new cellular devices are not as "power dependent" as the older devices were. However, they can still be sensitive to power loss.
• You MUST control the wireless access to the device.
• Additionally, gather all potential accessories
  • Each cellular cable can be proprietary or unique to the device

Page 9

SEIZING CELL PHONES

• Secure the phone. Prevent the phone from being used. Capture any information on display.
• Prevent the phone's access to the cellular network.
  • Faraday, airplane mode (radio off), jammer (legal issue), turn off (may engage password)
• Collect related hardware, software, documentation, passwords, computers, interviews, and other information.
• Transport seized materials to evidence storage, maintain chain of custody, and have the phone analyzed by trained examiners.

Page 10

ISSUES SEIZING CELL PHONES

• Seizing and preserving cell phone data...
  • Isolating the phone from the network
    • Remote deletion of user data
    • Overwriting of call logs and deleted data
• Identifying related sources of evidence
  • Must know what data may exist and where.
  • Must recognize related media.
• Search incident to arrest
  • Will change data on the phone.
  • Should be fully documented.
  • May encounter admissibility issues.

Page 11

ISSUES SEIZING CELL PHONES

Page 12

RECOGNIZING EVIDENCE

SIM Cards

Subscriber Identity Module. The phone number is tied to the SIM. The SIM can hold the phonebook, last dialed numbers, text messages, last cell tower, and other information.

SD Cards

Removable media such as MicroSD, MiniSD or regular SD cards (shown above) can be found inside or outside the phone. This media can be used to transfer data between a computer and a cell phone. They are easily overlooked.

Page 13

SOURCES OF EVIDENCE

• Network provider
  • User data
  • Locations (cell tower, GPS)
• Computers used for sync or backup files
  • Phone backup files (e.g. BlackBerry, iPhone)
  • Data transferred to/from the phone
• People/subscriber
  • Passwords
  • Usage information

Page 14

CELL PHONE FORENSICS

• Handheld devices are unique in that most have their own proprietary operating systems, file systems, file formats, and methods of communication
• Dealing with this creates unique problems for examiners
• Performing a forensic exam on a cell phone takes special software and special knowledge of the way these devices work, as well as where possible evidence could be stored
• Multiple tools may be necessary to complete the exam of a single phone.
  • http://www.csc.villanova.edu/~dprice/9010sp14/resources.html

Page 15

CELL PHONE FORENSICS

• Three main methods of acquiring a mobile device:
  • Logical
    • Extracts common artifacts: contacts, call logs, SMS, MMS, audio, graphic and video files.
  • Filesystem extraction
    • Copies all files and folders found within the filesystem
  • Physical
    • Bit-for-bit image of the entire physical device.
    • Captures free space, file slack and deleted data.
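The difference between the logical and physical levels is easiest to see on the SQLite databases that phones keep user data in (the Android and iOS slides later in the deck list them). The following Python example is added here and is not part of the original slides; it builds a constructed SMS-style table (an assumption, not a real handset schema), deletes one row, and shows that the row is gone from the logical view (a query) while its text is still present in the raw file bytes, which is what a physical image or carving tool would capture. It also shows the two ways that residue disappears: the `secure_delete` pragma, and a `VACUUM` rebuild, which stands in for the flash page rewrites discussed on the examination slides.

```python
import os
import sqlite3
import tempfile

# Constructed sample rows modelled on an SMS-style table; the marker text is
# chosen so it can be located in the raw file bytes later.
MESSAGES = [
    (1, "+15550000001", "meet at the office at 9"),
    (2, "+15550000002", "constructed-deleted-marker-7F3A9C"),
    (3, "+15550000003", "bring the signed documents"),
]


def build_sample_db(path):
    """Create the sample database with three messages (autocommit mode)."""
    con = sqlite3.connect(path, isolation_level=None)
    con.execute("CREATE TABLE sms (id INTEGER PRIMARY KEY, address TEXT, body TEXT)")
    con.executemany("INSERT INTO sms VALUES (?, ?, ?)", MESSAGES)
    con.close()


def logical_bodies(path):
    """'Logical' view: the rows the database engine reports as live."""
    con = sqlite3.connect(path)
    rows = [r[0] for r in con.execute("SELECT body FROM sms ORDER BY id")]
    con.close()
    return rows


def delete_message(path, msg_id, secure_delete=False):
    """Delete one row. With secure_delete OFF (SQLite's usual default) the
    freed cell is only unlinked, not zeroed, so its payload stays on the page."""
    con = sqlite3.connect(path, isolation_level=None)
    con.execute("PRAGMA secure_delete = %s" % ("ON" if secure_delete else "OFF"))
    con.execute("DELETE FROM sms WHERE id = ?", (msg_id,))
    con.close()


def physical_contains(path, marker):
    """'Physical' view: scan the raw file bytes the way a carving tool would."""
    with open(path, "rb") as f:
        return marker.encode("utf-8") in f.read()


def vacuum(path):
    """Rebuild the file. This reclaims free space and drops unreferenced
    content, so residue that survived the DELETE is overwritten."""
    con = sqlite3.connect(path, isolation_level=None)
    con.execute("VACUUM")
    con.close()


def run_demo(secure_delete=False):
    """Return what each acquisition level sees at each stage."""
    marker = MESSAGES[1][2]
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "sms.db")
    try:
        build_sample_db(path)
        result = {"logical_before": marker in logical_bodies(path)}
        delete_message(path, 2, secure_delete=secure_delete)
        result["logical_after_delete"] = marker in logical_bodies(path)
        result["physical_after_delete"] = physical_contains(path, marker)
        vacuum(path)
        result["physical_after_vacuum"] = physical_contains(path, marker)
        result["live_rows_after_vacuum"] = len(logical_bodies(path))
        return result
    finally:
        for name in os.listdir(tmpdir):
            os.remove(os.path.join(tmpdir, name))
        os.rmdir(tmpdir)


if __name__ == "__main__":
    for mode in (False, True):
        print("secure_delete=%s:" % mode, run_demo(secure_delete=mode))
```

With `secure_delete` off, `physical_after_delete` is true and `physical_after_vacuum` is false: a logical extraction misses the deleted message, a physical image taken before housekeeping catches it, and nothing catches it afterwards. With `secure_delete` on, the text is zeroed at delete time and never reaches the physical image at all.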

Page 16

ISSUES WITH EXAMINATION

• Issues regarding technology...
  • Proprietary hardware, cables, and connectors.
  • Proprietary operating systems, file systems and data storage methods, and applications.
  • Password cracking and encryption.
  • Methodologies for recovery of deleted data

Page 17

EXAMINATION AND EXTRACTION

• We call it cell phone forensics, but is it?
• Hash value verification of digital data.
  • Hash values change
  • Device cannot be write-blocked
• Are results reproducible?
  • If data are changing, then not only the hash value but even the final results may change
  • Different tools produce different results
• Nature of flash memory
  • Rewrite/refresh of pages in memory may overwrite deleted data
  • Lack of artifacts – like file slack or residual data
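Because the device keeps writing while it is being acquired, a single hash over the whole extraction will differ from run to run even when every artifact of interest is unchanged. One way to keep hash verification meaningful is to hash each extracted artifact separately and document exactly which ones differ between two runs. The Python below is an added example, not material from the slides or from any vendor tool; the two "acquisitions" are constructed in-memory dictionaries of path to bytes (an assumption standing in for two real extraction folders), where the phone's own logging changed one file between runs.

```python
import hashlib

# Two constructed "acquisitions" of the same handset, as {path: bytes}.
# Between them the phone's own housekeeping appended to one log file, which
# is the situation the slides describe: no write blocker, so the device keeps
# writing. File contents are placeholders, not real database pages.
ACQUISITION_1 = {
    "Library/SMS/sms.db": b"SQLite format 3\x00 constructed sms content",
    "Library/AddressBook/AddressBook.sqlitedb": b"SQLite format 3\x00 constructed contacts",
    "Library/Logs/system.log": b"2014-10-01 08:00:01 boot complete\n",
}
ACQUISITION_2 = dict(ACQUISITION_1)
ACQUISITION_2["Library/Logs/system.log"] = (
    ACQUISITION_1["Library/Logs/system.log"] + b"2014-10-01 08:05:44 network scan\n"
)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def image_hash(acquisition):
    """One hash over the whole extraction (paths and bytes in a fixed order).
    Any change anywhere, including benign device logging, changes this value."""
    h = hashlib.sha256()
    for path in sorted(acquisition):
        h.update(path.encode("utf-8") + b"\x00")
        h.update(acquisition[path])
        h.update(b"\x00")
    return h.hexdigest()


def artifact_hashes(acquisition):
    """Per-artifact hashes: the level at which verification stays meaningful
    when the device cannot be write-blocked."""
    return {path: sha256_hex(data) for path, data in sorted(acquisition.items())}


def compare_acquisitions(first, second):
    """Report which artifacts are identical, changed, or present in only one run,
    plus whether the whole-image hashes happened to match."""
    ha, hb = artifact_hashes(first), artifact_hashes(second)
    report = {"stable": [], "changed": [], "only_in_first": [], "only_in_second": []}
    for path in sorted(set(ha) | set(hb)):
        if path not in hb:
            report["only_in_first"].append(path)
        elif path not in ha:
            report["only_in_second"].append(path)
        elif ha[path] == hb[path]:
            report["stable"].append(path)
        else:
            report["changed"].append(path)
    report["image_hash_matches"] = image_hash(first) == image_hash(second)
    return report


if __name__ == "__main__":
    for key, value in compare_acquisitions(ACQUISITION_1, ACQUISITION_2).items():
        print(f"{key}: {value}")
```

The whole-image hashes disagree, yet the per-artifact report shows that the SMS and contacts databases are byte-identical across the two runs and names the one file that moved. That report, with the per-artifact hashes recorded at acquisition time, is what a second examiner can reproduce.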

Page 18

ISSUES WITH EXAMINATION

• Manually, by using photography or video as data is displayed on the cell phone.
  • Possibility of destroying data
  • May miss evidence (i.e. deleted data)
• Extracting active data from the cell phone.
  • Requires multiple tools (hardware & software)
  • Cellebrite, XRY, Paraben, Oxygen, ...
• Extracting and analyzing cell phone physical memory
  • Requires more skills and tools
  • Not even an option for all phones

Page 19

ANDROID DEVICES

• Linux platform
• Can contain several different partitions
  • User Data
    • \data
    • SQLite databases
    • Stores all user data: SMS, emails, contacts, call logs, social media artifacts, Internet artifacts
  • System Data
    • \app
    • Preinstalled applications
  • Cache Records
    • Swap partition on a Linux system
    • Temporary location for downloaded files / apps
    • Apps downloaded from Google Store, etc.

Page 20

ANDROID DEVICES

• Boot
  • Points to the software needed to boot the device.
• Recovery
  • Low-level software that allows the device to be restored to factory defaults.
• Internal SD Card
  • Stores media files (graphic files, video files, audio files, etc.)
  • Some apps will use the external storage to put large amounts of cache files.
  • Forensic procedure:
    • Remove from the device and process using standard write-protection and acquisition methods.

Page 21

CELLEBRITE UFED ULTIMATE

http://www.rcfl.gov/cpik_cbt/index.html


Page 28

iOS DEVICES

• iPod Touch, iPhone and iPad can all be processed using similar techniques.
• Knowing the exact model is important
  • iPhones = http://support.apple.com/kb/ht3939
  • iPads = http://support.apple.com/kb/ht5452
• Four methods of extraction or sources of user data:
  • Physical Acquisition ... up to iPhone v4
  • Logical Acquisition
  • iTunes Backup
  • iCloud
• Email messages, geo-location (consolidated.db - GPS data, cell tower logs and wifi connections) and app cache data will not be extracted when processing a logical image or an iTunes backup.

Page 29

iTUNES BACKUPS

• Creates a backup of user data that can't be re-downloaded (i.e. contacts, SMS, photos, calendar entries, call logs, configuration files, database files, etc.)
• The backup folder contains several files which are not directly readable.
• Contains folders for each device synced with the computer.
• The folder name is based on the device's UDID (Unique Device ID) ... see next slide for example.
• Locations:
  • OS X: Users/<USERNAME>/Library/Application Support/MobileSync/Backup/
  • Win Vista/7/8: C:\Users\<USERNAME>\AppData\Roaming\Apple Computer\MobileSync\Backup\
  • Win XP: C:\Documents and Settings\<USERNAME>\Application Data\Apple Computer\MobileSync\Backup\

Page 30

iTUNES BACKUPS

• The filenames are based on a SHA1 hash value of the "DomainName-filename" calculation.
  • SHA1 of HomeDomain-Library/AddressBook/AddressBookImages.sqlitedb =
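The slide gives the rule but not the resulting value, so here is the calculation carried out in Python. This is an added example, not part of the slides or of Apple's or any vendor's code: `backup_filename` hashes the `DomainName-relative/path` string exactly as the slide describes, and `identify_backup_files` uses that rule in reverse to label a constructed backup-folder listing. The short list of domain paths is drawn from public descriptions of the backup format; the listing itself is made up, with one all-zero name standing in for a file the list does not cover.

```python
import hashlib

# Domain-relative paths known from public descriptions of the iOS backup
# format. The slide's own example is the AddressBookImages entry.
KNOWN_FILES = [
    "HomeDomain-Library/AddressBook/AddressBook.sqlitedb",
    "HomeDomain-Library/AddressBook/AddressBookImages.sqlitedb",
    "HomeDomain-Library/SMS/sms.db",
]

# Files that keep their readable names inside a backup folder.
METADATA_FILES = {"Manifest.plist", "Manifest.mbdb", "Info.plist", "Status.plist"}


def backup_filename(domain_path):
    """SHA1 over the 'DomainName-relative/path' string, as the slide states."""
    return hashlib.sha1(domain_path.encode("utf-8")).hexdigest()


def is_hashed_name(name):
    return len(name) == 40 and all(c in "0123456789abcdef" for c in name)


def identify_backup_files(filenames, known=KNOWN_FILES):
    """Label each entry of a backup-folder listing: metadata file, a known
    hashed artifact, an unknown hashed file, or something else entirely."""
    index = {backup_filename(dp): dp for dp in known}
    labels = {}
    for name in filenames:
        if name in METADATA_FILES:
            labels[name] = "(backup metadata file)"
        elif name in index:
            labels[name] = index[name]
        elif is_hashed_name(name):
            labels[name] = "(unknown hashed file)"
        else:
            labels[name] = "(not a backup file name)"
    return labels


if __name__ == "__main__":
    for dp in KNOWN_FILES:
        print(backup_filename(dp), dp)
    # Constructed listing: two real-looking entries plus one placeholder name.
    listing = [
        "Manifest.plist",
        backup_filename("HomeDomain-Library/SMS/sms.db"),
        "0000000000000000000000000000000000000000",
    ]
    for name, label in identify_backup_files(listing).items():
        print(name, "->", label)
```

The index is only as good as the list of domain paths fed to it, so an examiner's version would load a much larger list; anything not on the list shows up as an unknown hashed file rather than being silently skipped.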

Page 31

LOCKED iOS DEVICES

• Ask the user for the passcode
• Extract the pairing file from the suspect's computer.
  • UDID (Unique Device ID).plist
  • Locations:
    • OS X: \private\var\db\lockdown
    • Win 7/8: C:\Program Data\Apple\Lockdown
    • Win Vista: C:\Users\<USERNAME>\AppData\Roaming\Apple Computer\Lockdown
    • Win XP: C:\Documents and Settings\<USERNAME>\Application Data\Apple Computer\Lockdown\Default\Cache

Page 32

LOCKED iOS DEVICES

• Brute-force the passcode ... up to iPhone v4
• Send to Apple with appropriate legal authority.

Page 33

iOS DEVICES

• Data is stored in one of the following formats:
  • Internal Storage
    • Partition 1 - System or Firmware
      • mounted as /
    • Partition 2 - User Data
      • mounted as /private/var
      • Almost all user data is located under /private/var/mobile/Library
      • /private/var/mobile/Media/DCIM/100APPLE
        • Photos and videos taken by the device
      • /private/var/mobile/Media/DCIM/999APPLE
        • Screenshots taken by the device.

Page 34

iOS DEVICES

• Data is stored in one of the following formats:
  • SQLite database files
    • Address books, calendar entries, notes, SMS, call logs, photos, voicemails, etc.
  • Property lists (.plist)
    • XML format or binary format
    • Apple's version of the "Windows Registry"
  • Network
  • User Dictionary - dynamic dictionary that records words manually typed into the iOS device (i.e. SMS, email, notes, etc.)
    • /private/var/mobile/Library/Keyboard/dynamic-text.dat
• Lantern demo
  • https://katanaforensics.com/
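Since a .plist pulled from a device may be either XML or binary, the first step in processing one is telling the two apart and then parsing whichever it is. The Python below is an added example and not part of the slides or of any forensic product: it checks the file's leading bytes (`bplist` for the binary form, an XML declaration or `<plist` element for the text form), parses with the standard `plistlib` module, and flattens the nested result into dotted key paths for a report. The sample settings dictionary is constructed; it is serialized both ways so the same content can be fed through each path.

```python
import plistlib


def detect_plist_format(data):
    """Classify raw bytes as a binary plist, an XML plist, or neither."""
    if data.startswith(b"bplist"):
        return "binary"
    head = data.lstrip()[:64]
    if head.startswith(b"<?xml") or head.startswith(b"<plist"):
        return "xml"
    return "unknown"


def load_plist(data):
    """Return (format, parsed object); plistlib handles both encodings."""
    fmt = detect_plist_format(data)
    if fmt == "unknown":
        raise ValueError("not a property list")
    return fmt, plistlib.loads(data)


def flatten(obj, prefix=""):
    """Flatten nested dicts and lists into 'a.b.0.c' style keys so every
    value in a plist can be listed on one line of a report."""
    out = {}
    if isinstance(obj, dict):
        for key, value in obj.items():
            out.update(flatten(value, f"{prefix}{key}."))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            out.update(flatten(value, f"{prefix}{i}."))
    else:
        out[prefix[:-1]] = obj
    return out


# Constructed sample settings (not a real device file), serialized both ways.
SAMPLE = {
    "DeviceName": "constructed-iphone",
    "Accounts": [{"Type": "Email", "Address": "user@example.com"}],
    "Locked": True,
}
SAMPLE_XML = plistlib.dumps(SAMPLE, fmt=plistlib.FMT_XML)
SAMPLE_BINARY = plistlib.dumps(SAMPLE, fmt=plistlib.FMT_BINARY)


def report(data):
    """Parse a plist of either format and return its flattened key/value view."""
    fmt, parsed = load_plist(data)
    return fmt, flatten(parsed)


if __name__ == "__main__":
    for blob in (SAMPLE_XML, SAMPLE_BINARY):
        fmt, flat = report(blob)
        print(f"--- {fmt} ---")
        for key, value in flat.items():
            print(f"{key} = {value!r}")
```

Both serializations flatten to the same key/value lines, which is the point: the examiner's report should not depend on which encoding the device happened to use for a given file.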