Final Digital Forensic Small Devices Report


  • 8/7/2019 Final Digital Forensic Small Devices Report

    1/20

    Name: Mithilesh Patel Digital Forensics Small Devices Student ID: 0641800

    Page 1


    Digital Forensic Small Devices Report

    Submitted to: Dr Brian Cusack

    Submitted By: Mithilesh Patel

    Student ID: 0641800

    Paper Name: Cyber Crime & IT Governance

    Paper Number: 409313

    Due Date: 08 April 2010


Table of Contents

1. Introduction (page 3)
2. Digital Forensics and its core elements (page 4)
4. Small Scale Digital Devices Forensics (SSDDF) (page 7)
5. Digital Forensic Procedure for Mobile Phones (page 14)
6. Case Studies (page 17)
7. Conclusion (page 18)
8. References (page 19)


    1. Introduction

Small-device digital forensics is a new and rapidly changing field of study. Both the scope of the field and the steps involved in a small-device examination are still loosely defined and keep changing.

This report first explains the term digital forensics and then describes each phase of the digital forensic process: collection of data/acquisition, examination/extraction, analysis and reporting.

The second section briefly describes the framework for small-scale digital device forensics and the different types of small devices available on the market. Covering every device is out of scope, so the report focuses on GSM cell phones: the background of GSM, the architecture of a cell phone, the two acquisition methods (physical and logical) and the different software used for the forensic examination of cell phones and SIM cards.

The third section covers the best-practice steps a forensic investigator should follow, presented as a flow diagram. The steps in the cell-phone examination procedure are based on the ACPO principles.

Finally, the report concludes by summarising the information accumulated while writing it and gives my personal opinion on digital forensics of small-scale devices.


2. Digital Forensics and its core elements

Digital forensics means "the application of computer science and investigative procedures for a legal purpose involving the analysis of digital evidence after proper search authority, chain of custody, validation with mathematics, use of validated tools, repeatability, reporting, and possible expert presentation" (Zatyko, K., 2007).

The main aim of carrying out forensic activities is to gain a better understanding of an incident by searching and investigating the data related to it. Such procedures are usually carried out for legal purposes, for internal disciplinary action against an employee, and for handling malware incidents and unusual operational problems (Kent, K., Chevalier, S., Grance, T., & Dang, H., 2006).

This section briefly covers the core phases of digital forensics, following the phases of the diagram below (refer to Figure 1). According to the NIST guide, the basic steps of a digital forensic investigation, whatever the case, are as follows:

Figure 1 (Forensic Processes) (Kent, K., Chevalier, S., Grance, T., & Dang, H., 2006)


1. Collection of Data / Acquisition:

"Digital evidence, by its very nature, is fragile and can be altered, damaged, or destroyed by improper handling or examination." (Hart, S., n.d.)

In this phase all evidence related to the case must first be recognised, then labelled for identification and recorded, so that its integrity can be demonstrated later. Devices such as mobile phones and PDAs, together with their batteries, must be collected in a way that does not compromise the integrity of the live data, e.g. network information and the data held inside the device. Depending on the case, this phase also includes the general seizure steps: obtaining a warrant, planning the seizure, securing the crime scene and transporting the evidence to the forensic lab for extraction. People involved in the acquisition phase must therefore make sure they abide by the rules.

2. Examination / Extraction:

"The purpose of the examination process is to extract and analyze digital evidence. Extraction refers to the recovery of data from its media." (Hart, S., n.d.)

In this phase all evidence gathered at the crime scene is examined using a combination of manual processes and specialised tools or software, so that its integrity is maintained while the information is extracted from the devices.

3. Analysis:

"Analysis refers to the interpretation of the recovered data and putting it in a logical and useful format." (Hart, S., n.d.)

Analysing the examination results is one of the most important phases. Proper documentation methods and techniques must be followed to ensure that the data obtained actually addresses the questions that drove the collection and examination.


4. Reporting:

"Actions and observations should be documented throughout the forensic processing of evidence." (Hart, S., n.d.)

The final phase reports the results of the analysis. This may include describing the actions performed, determining what other actions need to be performed, and recommending improvements to policies, guidelines, procedures, tools and other aspects of the forensic process. The report may therefore include:

• an explanation of the actions taken
• the reasoning for selecting the tools and procedures
• what other actions still need to be performed
• suggested improvements to the forensic processes, and to procedures, policies, guidelines and tools

As shown at the bottom of Figure 1, media is turned into evidence step by step: collection takes the data off the media, examination turns that data into information, and analysis turns the information into evidence. This evidence can then be used for legal matters or for issues within a company.


4. Small Scale Digital Devices Forensics (SSDDF)

Digital device forensics has two major categories: large-scale digital devices and small-scale digital devices. SSDDF is a newly introduced area of the forensic world. It covers newly emerging technologies that are smaller in size and multi-purpose, which makes such devices enormously harder to recognise and investigate.

People working in this area have different views on which devices belong in this category. To resolve this, a Small Scale Digital Device framework was formed that classifies each device by how it stores information (magnetically, optically or in flash memory) and by whether it connects to a PC.

Figure 2 (Small Scale Digital Device Framework) (Christopher, D., & Mislan, R., 2007)

We are at times unaware of how small-scale digital devices such as USB drives, memory cards, mobile phones and PDAs can pose a threat to the actions we perform from day to day. It is critical that forensic investigators examine these small devices, as crimes and criminal activities are very often carried out through them.

The following table shows the different types of small-scale digital devices that are normally found at a crime scene.


Figure 3 (Small Scale Digital Devices) (Christopher, D., & Mislan, R., 2007)

All the devices listed above pose a threat, but it is not possible to cover every device in Figure 3 here. The devices used most often in crimes are USB thumb drives, memory cards of all kinds, cell phones, PDAs, smart phones and GPS devices and receivers. Small-scale devices are not limited to those listed; there are many more on the market, e.g. pen cameras and button cameras, and their number grows day by day. Flash devices (EEPROM) have more forensic potential than any other kind of device because they retain their information even when they are powered off.


Figure 4 (Mobile Device Classification) (Ayers, R., n.d.)

Figure 4 shows how a GSM device is further divided into the handset and the SIM. This section focuses on GSM cell phones and briefly discusses the related small devices: the SIM, the memory card and the internal memory. It also explains the two acquisition methods, the forensic tools used for cell phones and SIMs, and where to look for evidence.

Ronald van der Knijff of the Netherlands Forensic Institute has defined the mobile phone as: Mobile = Portable PC = PDA + Phone + Internet + Navigation + Camera. This generation of cell phones can store more data, play music, take photos with a built-in camera, act as a computer and also carry a GPS receiver, e.g. the BlackBerry Curve 8900, the iPhone and the Nokia N96.

The graph below (Figure 5) shows that GSM networks have far more subscribers than CDMA. GSM handsets are also favoured in crime because a criminal can steal a handset and then buy a SIM card, or keep several SIM cards bought with cash, which makes them untraceable by handset, SIM card or phone number. Drug dealers use this practice and in fact carry many handsets and SIM cards.


Figure 5 (Number of CDMA and GSM subscribers) (Ayers, R., n.d.)

Cell Phone:

It is necessary to understand the basic architecture of a mobile phone before looking at mobile phone forensics:

Figure 6 (Mobile Phone Architecture) (Willassen, S. Y., 2005)

The CPU manages the communication circuits and handles interaction with the user. It uses RAM for temporary information, which is erased once the phone is turned off; the RAM may be integrated with the CPU or be a separate circuit. New-generation phones have secondary non-volatile storage for contacts, messages, photos, songs, videos, etc., which is preserved even if the battery dies. Secondary storage is implemented in different ways, but most commonly as a flash memory circuit on the system board.


There is no standard for file system structures, so an examiner might acquire both a Nokia 1100 and a Nokia 3100 and find the data in different locations and in a different order on each. There are not many tools that can look at the raw data and carve out text messages and the like. Most of the time data is extracted logically (complete messages, texts and phone lists), but this has the drawback of not recovering any deleted data.

There are two acquisition methods, physical acquisition and logical acquisition. Which one can be used depends on the phone.

Figure 7 (Difference between Physical and Logical Acquisition)

Mobile devices differ from computers in that the phone generally has to be powered up to extract data. This creates the possibility of writes to the device, but it is unavoidable. In a perfect world the extraction would take place in an RF-free room; however, from a law-enforcement perspective there is sometimes a benefit in letting new messages be delivered. Leaving the phone on the network also exposes it to a remote wipe and lets incoming traffic overwrite data that could otherwise be recovered, so that choice should be made deliberately and documented.

Software such as UFED (Cellebrite) with Physical Analyzer, XRY, BitPim and a variety of other software and hardware tools can dump the file systems and produce hex dumps of mobile devices. This increases the chance of recovering trace evidence.

Valuable evidence is recovered from the handset, the SIM card (in the case of GSM phones) and the memory card. With mobile devices becoming much more multi-purpose, people tend to save more information to the memory card. The card is analysed using conventional computer forensic methodology, which ensures no changes are made to it, and programs such as EnCase and FTK are used to analyse the data on it. Deleted SMS messages can sometimes be recovered from the SIM card, which is analysed separately from the phone. JTAG-based acquisition, which reads the internal flash through the processor's test/debug port, can retrieve deleted information such as photos and messages from the internal memory.
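The difference between the two acquisition methods described above, and the recovery of deleted SMS from a SIM just mentioned, can be seen on a single file. The following Python is an added example, not code from this report or from any of the tools it names: it parses a dump of the SIM file EF_SMS (record layout per 3GPP TS 51.011/31.102, SMS-DELIVER TPDU per TS 23.040) once the way a logical read does, honouring the status byte the SIM keeps for each record, and once as a physical carve over the same bytes, which also returns a record the handset marked as free but never overwrote. The three 176-byte records, the service-centre and sender numbers and the message texts are constructed for the example; the 7-bit text decoder covers only the part of the GSM default alphabet that coincides with ASCII.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

RECORD_LEN = 176          # EF_SMS: 1 status byte + 175 bytes of remainder


@dataclass
class Sms:
    index: int        # 1-based record number within EF_SMS
    status: int       # raw status byte (0x00 free, 0x01 read, 0x03 unread, 0x05 sent, 0x07 to send)
    deleted: bool     # True when the status says "free" but content was still carved
    sender: str
    timestamp: str
    text: str


def gsm7_unpack(data: bytes, septets: int) -> List[int]:
    """Unpack GSM 03.38 7-bit septets that were packed LSB-first into octets."""
    acc, nbits, out = 0, 0, []
    for b in data:
        acc |= b << nbits
        nbits += 8
        while nbits >= 7 and len(out) < septets:
            out.append(acc & 0x7F)
            acc >>= 7
            nbits -= 7
    return out


def gsm7_to_text(septets: List[int]) -> str:
    """Map the ASCII-coincident part of the default alphabet; anything else -> '?'."""
    def ascii_like(c: int) -> bool:
        return (0x20 <= c <= 0x23 or 0x25 <= c <= 0x3F
                or 0x41 <= c <= 0x5A or 0x61 <= c <= 0x7A)
    return "".join(chr(c) if ascii_like(c) else "?" for c in septets)


def bcd_digits(raw: bytes) -> str:
    """Nibble-swapped BCD (addresses, timestamps); a 0xF nibble is padding."""
    return "".join(str(n) for b in raw for n in (b & 0x0F, b >> 4) if n != 0x0F)


def parse_deliver(rem: bytes) -> Optional[Tuple[str, str, str]]:
    """Parse 'SCA + SMS-DELIVER TPDU' from a record remainder; None if undecodable."""
    if len(rem) < 2 or rem[0] == 0xFF:               # unused SIM bytes read 0xFF
        return None
    p = 1 + rem[0]                                   # skip the service-centre address
    if p + 2 >= len(rem) or rem[p] & 0x03 != 0x00:   # TP-MTI 00 = SMS-DELIVER
        return None
    oa_digits, oa_toa = rem[p + 1], rem[p + 2]
    oa_len = (oa_digits + 1) // 2
    p += 3
    sender = ("+" if oa_toa & 0x70 == 0x10 else "") + bcd_digits(rem[p:p + oa_len])
    p += oa_len
    dcs = rem[p + 1]                                 # rem[p] is TP-PID
    p += 2
    if dcs & 0x0C != 0x00:                           # only the 7-bit default alphabet
        return None
    ts = bcd_digits(rem[p:p + 6])                    # yy mm dd hh mm ss; tz octet skipped
    p += 7
    timestamp = f"20{ts[0:2]}-{ts[2:4]}-{ts[4:6]} {ts[6:8]}:{ts[8:10]}:{ts[10:12]}"
    udl = rem[p]                                     # septet count for 7-bit text
    p += 1
    text = gsm7_to_text(gsm7_unpack(rem[p:p + (udl * 7 + 7) // 8], udl))
    return sender, timestamp, text


def records(ef_sms: bytes) -> List[bytes]:
    return [ef_sms[i:i + RECORD_LEN] for i in range(0, len(ef_sms), RECORD_LEN)]


def logical_read(ef_sms: bytes) -> List[Sms]:
    """What a logical read returns: only records whose status bit 1 says 'used'."""
    out = []
    for i, rec in enumerate(records(ef_sms), 1):
        if rec[0] & 0x01 and (m := parse_deliver(rec[1:])):
            out.append(Sms(i, rec[0], False, *m))
    return out


def physical_carve(ef_sms: bytes) -> List[Sms]:
    """Carve every record of the raw file, including 'free' ones not yet wiped."""
    out = []
    for i, rec in enumerate(records(ef_sms), 1):
        if m := parse_deliver(rec[1:]):
            out.append(Sms(i, rec[0], not rec[0] & 0x01, *m))
    return out


def _record(status: int, body_hex: str) -> bytes:
    body = bytes.fromhex(body_hex)
    return bytes([status]) + body + b"\xff" * (RECORD_LEN - 1 - len(body))


# Constructed EF_SMS image (all numbers fictional, from the UK 07700 900xxx drama range).
_SCA = "0791447700090000"                                             # SC +447700900000
SAMPLE_EF_SMS = (
    _record(0x01, _SCA + "040C91447700091032" "0000" "01405041030000"  # status: read
            + "0A" "E8329BFD4697D9EC37")                               # "hellohello"
    + _record(0x00, _SCA + "040C91447700094065" "0000" "01405051200000"  # marked free, but
              + "05" "E8329BFD06")                                     # "hello" still there
    + _record(0x00, "")                                                # never used: all 0xFF
)
```

Running `logical_read(SAMPLE_EF_SMS)` returns only record 1; `physical_carve(SAMPLE_EF_SMS)` returns records 1 and 2, the second flagged as deleted, and skips record 3 because its bytes are all 0xFF. The same contrast is what the extraction tools above trade on: a logical pull asks the phone or SIM for what it still considers present, a physical dump gives the examiner every byte to carve.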

The data extraction process for CDMA and GSM phones is similar, but the extraction tools normally do not extract as complete a data set from CDMA phones as from GSM phones, so the investigator needs to go through the phone manually to ensure the relevant data has been extracted.

The best evidence is always the mobile device itself; data extraction is just a means of getting the data into a friendlier format, and evidence recovered with these tools is confirmed by viewing it on the mobile device. The places where evidence can be found are shown in Figure 8.

Figure 8 (Types of Evidence) (Ayers, R., n.d.) and (Willassen, S. Y., 2003)


Different software and connection methods are used to extract data from phones; no single tool does it all. Examples of tools used for cell phone and SIM card forensics are shown in Figure 9.

Figure 9 (Tools for Cell phone & SIM card forensics) (Ayers, R., Jansen, W., Cilleros, N., & Daniellou, R., 2005)


5. Digital Forensic Procedure for Mobile Phones

As far as procedures for cell phones are concerned, it can be a nightmare: no single procedure works with all phones. With this in mind, best practice still has to be applied: use write-blocking software or hardware where possible and, of course, keep excellent documentation of every step of the examination.

ACPO (the Association of Chief Police Officers) has formulated four principles for the safe handling of digital evidence. They are designed mainly for law enforcement agencies and the investigators working with them, and they cover all the core elements of digital forensics: acquisition, examination/extraction, analysis and reporting. This section therefore follows the ACPO principles as the best-practice guide for mobile phone seizure and examination.

Figure 10 (Four ACPO Principles) (ACPO Guidelines, n.d.)


Following the ACPO principles, the diagram below shows in detail the procedure for the preservation and forensic examination of a cell phone (Digitale Technologie & Biometrie | Vacaturesite, 2006).
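ACPO's third principle asks for an audit trail that lets an independent third party examine the process and reach the same result, which is what the "excellent documentation" demanded above has to deliver. The following Python is an added example, not code from this report, from ACPO or from the NFI flow chart: a hash-chained, append-only log of examination steps in which each entry carries the SHA-256 of any artefact produced (a physical dump, an extracted file) and the hash of the previous entry, so that later alteration of an artefact, or of the log itself, can be detected by re-hashing. The case identifier, examiner label, tool names and dump bytes are constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional

GENESIS = "0" * 64        # prev_hash of the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _entry_hash(entry: Dict[str, Any]) -> str:
    # Hash the canonical JSON of everything except the entry's own hash field.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())


class AuditTrail:
    def __init__(self, case_id: str, examiner: str):
        self.case_id, self.examiner = case_id, examiner
        self.entries: List[Dict[str, Any]] = []

    def record(self, action: str, artefact: Optional[bytes] = None,
               **details: Any) -> Dict[str, Any]:
        """Append one step; 'details' is free-form (tool, version, handset, connection...)."""
        entry = {
            "seq": len(self.entries) + 1,
            "case": self.case_id,
            "examiner": self.examiner,
            "time_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "action": action,
            "details": details,
            "artefact_sha256": sha256_hex(artefact) if artefact is not None else None,
            "prev_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        entry["entry_hash"] = _entry_hash(entry)
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """True iff no entry was altered, removed or reordered since it was written."""
        prev = GENESIS
        for n, e in enumerate(self.entries, 1):
            if e["seq"] != n or e["prev_hash"] != prev or _entry_hash(e) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

    def verify_artefact(self, seq: int, artefact: bytes) -> bool:
        """Re-hash an artefact handed over later and compare with what was logged."""
        return self.entries[seq - 1]["artefact_sha256"] == sha256_hex(artefact)

    def to_json(self) -> str:
        return json.dumps(self.entries, indent=2)


# Constructed seizure-to-extraction sequence; the dump bytes stand in for a real image.
DEMO_DUMP = b"\x00" * 64 + b"constructed physical dump of handset flash" + b"\xff" * 64


def demo_trail() -> AuditTrail:
    trail = AuditTrail(case_id="CASE-0001", examiner="examiner-01")
    trail.record("seizure", location="scene", state="powered on, placed in shielded bag")
    trail.record("physical dump", DEMO_DUMP, tool="hypothetical-dumper", version="1.0",
                 connection="USB", handset="Nokia 3100")
    trail.record("sim read", DEMO_DUMP[:32], tool="hypothetical-sim-reader", files=["EF_SMS"])
    return trail
```

The trail is only as good as its custody: the examiner keeps the signed JSON from `to_json()` with the case file, and a reviewer who receives the dump and the log can run `verify_chain()` and `verify_artefact()` without trusting anything else the examiner says.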


6. Case Studies

The following case studies are taken from the website of CCL Forensics, a UK-based forensic company, and are examples of cases involving mobile phones in different kinds of crime (Case Studies - CCL Forensics, n.d.).

• Drugs importation: A man was arrested by police on suspicion of importing Class A drugs worth over 100K. During the investigation police found the suspect's cell phone, which was given to CCL to recover deleted text messages and call logs. The man was later sentenced to 10 years' imprisonment.

• Video retrieval: A young boy was suspected of a serious assault on another child while his friend took pictures on his cell phone. By following the ACPO guide for cell phone seizure and examination, the analyst was able to retrieve the pictures and a multimedia message, sent to another child, with a picture of the assault attached.

• Deception: A large group of people was suspected of importing stolen goods. Some of the suspects were arrested in a police sting operation, during which police seized a large number of cell phones and handed them in for examination. Evidence such as call logs relating to a specific number was discovered.

• Harassment: An accusation of harassment was made by a victim who was receiving phone calls and text messages from an ex-partner. The suspect was arrested and his cell phone was seized and submitted for examination, with a request to establish whether the accused had actually been calling and texting during a particular time frame. Text messages and dialled numbers on the accused's phone provided that evidence.


7. Conclusion

This report has shown the four core processes of digital forensics, which any forensic investigator must carry out to retrieve evidence from small devices.

Comparing the different types of small-scale devices, I found cell phones to be the best example of small hand-held devices. Today's cell phones are equivalent to a portable PC, with features such as GPS, a music player, high-capacity non-volatile storage, a camera and internet access, and because of these features the amount of crime committed using cell phones is high. No single tool does all the work. Figure 8 shows the many places where evidence can be found in a cell phone and SIM, which makes anti-forensic activity harder on such devices than in other fields of digital forensics.

Crime involving cell phones is very common. Europe (Germany, Sweden and France in particular) and the USA lead in cell phone crime, and the activity is likely to double before long.

The ACPO procedures were highlighted in this report because I would say they are the best forensic practice to follow for the acquisition of cell phones and PDAs. The ACPO principles are actively used by Interpol in the UK for mobile forensics; they were designed specifically with law enforcement and private investigators in mind, and they also follow the core principles of digital forensics described above.

The case studies covered some criminal activities performed with the help of cell phones. In my opinion small-scale devices pose a huge threat, as new devices with advanced applications evolve day by day. Their small size, huge storage capacity and advanced application functionality allow users to carry out criminal activities, especially on hand-held devices.

In my view the focus should move to small-scale digital devices, because in the long term storage devices are going to get smaller still, and the rate at which devices shrink is higher than the rate at which forensic tools are being developed.


8. References

• Ayers, R. (n.d.). Mobile Device Forensics. Retrieved March 26, 2010, from www.cftt.nist.gov/AAFS-MobileDeviceForensics.pdf

• Ayers, R., Jansen, W., Cilleros, N., & Daniellou, R. (2005). Cell Phone Forensic Tools: An Overview and Analysis. National Institute of Standards and Technology, NISTIR 7250. Retrieved April 6, 2010, from http://csrc.nist.gov/publications/nistir/nistir-7250.pdf

• ACPO Guidelines. (n.d.). Forensic Computing Limited. Retrieved April 5, 2010, from www.forensic-computing.ltd.uk/acpo.htm

• Britz, M. T. (2008). Computer Forensics and Cyber Crime: An Introduction (2nd ed.). Alexandria, VA: Prentice Hall.

• Case Studies - CCL Forensics. (n.d.). Computer Forensics, Digital Forensics, Computer Analysis - CCL Forensics. Retrieved April 6, 2010, from http://www.ccl-forensics.com/235/Case_Studies.html#16

• Christopher, D., & Mislan, R. (2007). A Small Scale Digital Device Forensics Ontology. Small Scale Digital Device Forensics Journal, 1(1). Retrieved March 27, 2010, from http://www.ssddfj.org/papers/SSDDFJ_V1_1_Harrill_Mislan.pdf

• Digitale Technologie & Biometrie | Vacaturesite (NFI). (2006, May 4). FlowChartForensicMobilePhoneExamination. Retrieved April 7, 2010, from http://www.holmes.nl/MPF/FlowChartForensicMobilePhoneExamination.htm

• Hart, S. (n.d.). Forensic Examination of Digital Evidence: A Guide for Law Enforcement. National Institute of Justice (NIJ). Retrieved March 16, 2010, from www.ncjrs.gov/pdffiles1/nij/199408.pdf

• Jansen, W., & Ayers, R. (2007). Guidelines on Cell Phone Forensics: Recommendations of the National Institute of Standards and Technology. Special Publication 800-101. Retrieved March 24, 2010, from http://csrc.nist.gov/publications/nistpubs/800-101/SP800-101.pdf

• Kent, K., Chevalier, S., Grance, T., & Dang, H. (2006). Guide to Integrating Forensic Techniques into Incident Response: Recommendations of the National Institute of Standards and Technology. Special Publication 800-86. Retrieved March 26, 2010, from http://csrc.nist.gov/publications/nistpubs/800-86/SP800-86.pdf

• van der Knijff, R. (2007). 10 Good Reasons Why You Should Shift Focus to Small Scale Digital Device Forensics. Netherlands Forensic Institute, presentation at DFRWS 2007. Retrieved March 22, 2010, from http://dfrws.org/2007/proceedings/vanderknijff_pres.pdf

• Westman, M. (2009). Complete Mobile Phone Forensic Examination: Why We Need Both Logical & Physical Extractions. Mobile Forensics World 2009, Chicago, IL. Retrieved March 27, 2010, from http://mobileforensicsworld.org/2009/presentations/MFW2009_Westman_LogicalandPhysicalExtractions.pdf

• Willassen, S. Y. (2005). In Advances in Digital Forensics: IFIP International Conference on Digital Forensics, National Center for Forensic Science, Orlando, Florida, February 13-16, 2005 ... (International Federation for Information Processing) (1st ed.). New York: Springer.

• Willassen, S. Y. (2003). Forensics and the GSM mobile telephone system. International Journal of Digital Evidence, 2(1), 11-12.

• Zatyko, K. (n.d.). Computer Forensics. IT/Law Sherlock Holmes: Computer Forensics. Retrieved March 24, 2010, from http://floridalawfirm.com/forensics.html

• Zatyko, K. (2007). Commentary: Defining Digital Forensics. Forensic Magazine. Retrieved April 7, 2010, from http://www.forensicmag.com/articles.asp?pid=130