Mobile Device Forensics - Infosec · PDF fileRunning head: MOBILE DEVICE FORENSICS 1 Mobile...

Running head: MOBILE DEVICE FORENSICS

1

Mobile Device Forensics

By: Vicki Holzknecht

East Carolina University

Contact: [email protected]


2

Abstract

In 2015, Gartner expects personal computer shipments to be estimated at 268 million, on the other hand

mobile device shipments is roughly around 2 billion shipments (Rivera, van der M., 2014). Businesses

when adopting the Bring Your Own Device (BYOD) platform, face head on securing private information

from prying eyes. However, disgruntled employees can erase videos, pictures, text messages, or corporate

data that could be used as evidence to implicate the user for any wrongdoings. Retrieving any type of

data, forensics experts use mobile forensic tools that are designed to penetrate and analyze deep into the

heart of the mobile devices hardware and software, recovering data that was thought to be lost.

Keywords: Mobile Forensics, Extractions, Software Recovery Tools


3

Mobile Device Forensics

Introduction

Mobile technology has come a long way since World War II, soldiers were shouldering a twenty-

five pound phone that had spotty reception and was limited to a range of five miles (Meyers, 2011). Fast-

forwarding to present day, mobile phones are so compact, they can now fit into shirt pockets, purses, and

coverage is nationwide and even international depending on the carrier. The advancement of mobile

technology has allowed employees to perform what was once considered office environment task, can

now be completed while on the go such as making calls, e-mailing, instant messaging / text messaging,

setting up calendar events, storing contacts, and working on presentations, etc. Mobile devices are

interwoven into the consumer’s daily life whether it is personal or work usage. What consumers do not

realize is the mobile devices are really just a treasure trove of data; law enforcement can use in a court of

law. Digital evidence is found in eighty percent of today’s civil, criminal, and domestic prosecutions,

(Daniel, n.d.), this should not be a surprise when there is approximately 6.8 million mobile devices

around the globe (Moshe, 2014). During a NIST Mobile Forensics Webcast Richard Ayers noted that 2.5

trillion text messages are sent per year (Ayers, 2014). Many users are under the assumption that once a

text message is deleted or removed from a device it is non-retrievable. Paul Luehr part of a cybercrime

expert team recently retrieved a years worth of text messages, even after the device had been erased

(Kaneshige, 2014).

Mobile Device Forensics Defined

The recovery of digital evidence using forensically sound and proven methods of acceptance is

known as mobile device forensics (Barmpatsalou, Damopoulos, Kambourakis, Katos, 2013). Mobile

forensics falls underneath the umbrella of the digital forensic sciences. Digital forensic science is defined

as:


4

“The use of scientifically derived and proven methods toward the preservation, collection,

validation, identification, analysis, interpretation, documentation and presentation of digital evidence

derived from digital sources… (Palmer, 2001).”

The National Institute of Standards and Technology published a revised document 800-101:

“Guidelines on Mobile Device Forensics” updating any information that is no longer prevalent to the

field, because of continual changes in mobile technology (Ayers, Brothers, Jansen, 2014). The Guide on

Mobile Device Forensics is drafted to be a reference tool that forensic analysts could use to become

acquainted with common mobile technologies, and common industry procedures. For evidence to not be

dismissed in a court of law sound methods much be exercised (Tassone, Martini, Choo, Slay, 2013).

NIST clearly states, that the 800-101 guide is to be used explicitly as a reference manual, NOT to be

misconstrued as a step-by-step model for lawful advice (Ayers, Brothers, Jansen, 2014).

Types of Data

According to a survey observing statistics from January to March in 2014 by a mobile

measurement platform Flurry; American’s spend 162 minutes per day on their device (Soper, 2014);

hence the amount of evidence that can be discovered and recovered. Table 1 below lists various sources

that can be used as evidence for investigations:

Contacts Call log (Time Stamps, Incoming,

Outgoing, and Missed Electronic Email Text Messages (MMS,

SMS) Photos Internet Browsing Cache

GPS Coordinates Social Network Data (Facebook, Twitter, etc)

Calendar Documents

Video/Audio Removable Media Cards

Instant Messengers (Skype, Facebook

Chat)

Subscriber Identifiers


5

Equipment Identifiers

Gaming Data (Applications)

Table 1 Types of Evidence (Ayers, 2014)

Hardware

Two of the most ubiquitous mobile operating systems used today are Android and iOS, both

having conventional hardware architectural frameworks. Each device holds a microprocessor, memory

(ROM, RAM), liquid crystal display, keyboard, touchscreen capabilities and a digital signal processor

(Al-Zarouni, 2006) just to mention a few. Read Only Memory (ROM) and Random Access Memory

(RAM) is a key factor when collecting digital evidence off of a mobile device. Random Access Memory

is temporary memory that stores information when performing a certain task; Read Only Memory, is the

mobile devices internal memory (Gonzalez, Hung, Friedberg, 2011). RAM is volatile memory, meaning

if the device battery depletes all the way, or the investigator inadvertently shutdowns the device, potential

evidence (data) that was stashed in RAM is non-recoverable; it is the most difficult to accurately capture

(Ayers, Brothers, Jansen, 2014). The device being powered off does not affect non-volatile memory

ROM.

Subscriber Identity Modules, known as SIM cards is used to authenticate the mobile device to the

carriers cellular network, and storing data about the users identity (Gonzalez, Hung, Friedburg, 2011).

There are several cellular networks, two that are used more so than others Code Division Multiple Access

(CDMA) and Global System for Mobile Communications (GSM) (Murray, n.d.). CDMA devices are

assigned a 32 bit electronic serial number (ESN) or Mobile Equipment Identifier (MEID), embedded on a

protected chip, identifying the manufacturer and the serial number (Ayers, Brothers, Jansen, 2014). A

GSM device uses the International Mobile Equipment Identity (IMEI), which is a 15-digit number that

identifies the manufacturer, model and the country allowing the devices (Ayers, Brothers, Jansen, 2014).

If the device is turned on an examiner documenting every step made, can go onto an iOS device select

Settings, General, and then About to discover more device information that can be researched. Figures 2

and Figures 3 shows a screenshot of an iPhone 4 and an iPhone 6-device label:


6

Figure 2 iPhone 4 Device Label (Holzknecht, 2015)

Figure 3 iPhone 6 Device Label (Holzknecht, 2015)

Forensic experts can use online databases such as International Numbering Plans1 to look up

IMEI’s if they are uncertain of manufacturer and or model of the device. Under a free account, a forensic

expert can analyze up to twenty devices for approximately eight months. Figure 4 is an example of

returned information from the International Numbering Plans analysis tool:

1 https://www.numberingplans.com


7

Phone Scoop2 a collective database on mobile phones where specifications and device features

can be found (Ayers, Brothers, Jansen, 2014). It is advisable to obtain current documentation or a user

manual on the device before it is to be analyzed (SWGDE, 2013).

Extraction Levels

Research has shown, that using more than one tool to acquisition evidence can balance out each

of the tools strengths and weaknesses (Barmpatsalou, Damopoulos, Kambourakis, Katos, 2013). What

one tool may not discover, the other tool may penetrate deeper into the system retrieving valuable

information. Tools available in general are third party. Sam Brothers originated the Mobile Device Tool

Classification pyramid back in 2007 (Ayers, 2014). The pyramid shows the different levels of

acquisitions that can be accomplished using mobile forensic tools; going up the classification structure

2 http://www.phonescoop.com/phones

Figure 4 iPhone 6 IMEI Lookup (Holzknecht, 2015)


8

requires more training, analyses periods are longer, invasive, and it gets technical, sometimes involving

the removal of a chip (Brothers, 2014). Going down the classification structure the procedure is less

invasive, analysis times are quicker, not a lot of technical training involved (Brothers, 2014). Table 2 is a

visual representation of the different classification levels for tools (bottom to top approach):

Micro Read Physical Extraction

Chip-Off Physical Extraction

Hex Dumping Physical Extraction

Logical Extraction

Manual Extraction

Table 2 Extraction Classification (Brothers, 2014)

Manual Extraction also known, as hand jamming is the process of physically looking at the

device, this is considered one of the easiest extraction levels when there is small amount of data involved

(Brothers 2014). During the manual extraction level document steps taken using a camera, or a video

recorder when sorting through the devices using the screen and keyboard to unearth evidence (Ayers,

2014). This method is popular with the police departments. In some cases, mobile users will voluntarily

hand over their device to the police for a quick glance at text messages, e-mails, calendars, social

applications (Facebook, Twitter), call logs (Brothers, 2014); to see if there is any probable cause to seize

the device for an in-depth investigation.

There are a couple of tools that can be used for manual extraction, ZRT 2 and Project-A-Phone

(Brothers, 2014). Project a Phone3 is a cataloging system that takes 8 Mega Pixel photos and 720p video;

with software that generates reports, cost is around $400. ZRT 2 is another camera that is good for

Optical Character Recognition within pictures, also has the capability to take videos, generates reports

works with almost every phone; the price is around $3,800 (Brothers, 2014), ZRT 3 is now available.

3 http://www.project-a-phone.com/icd-8000.html


9

Logical Extraction involves connecting the device through a data cable to a computer; the

computer software then sends a command to the mobile device, and the mobile device responds

accordingly, (Ayers, 2014), using AT commands (Casey, Turnbull, 2011). Some possible AT commands

are at+xlog=0 gives the firmware version and at+cpbr which is SIM phonebook read (Rivers, 2012). AT

Commands are considered a weak approach because investigators cannot extract deleted information

(Willassen, 2005). A couple of tool extractions that can be used at level two are Oxygen Forensics

Extractor, and ACESO Kiosk. Oxygen Forensics Extractor4 analyzes, geological coordinates from

photos, collecting user data from over 550 applications, device logs, and passwords to accounts that the

device user owns, and Wi-Fi hotspots, et cetera, price requires a quote request. The ACESO Kiosk5 can

be used with any technical skill levels, the forensic analyst inserts the device extracting metadata,

providing timestamps, geo-tagging the model and make of device, retrieving data off of SIM and memory

cards, storing all the data gathered in an AES encrypted format and a comprehensive report.

The next three tier levels are through procedures of physical extractions. The third level is

through methods of Hex Dumping (Barmpatsalou, Damopoulos, Kambourakis, Katos, 2013), requiring

connectivity (Wi-Fi, wired, et cetera) between mobile device and digital forensic workstation (Ayers,

Brothers, Jansen, 2014). Hex Dumping forces a boot loader onto the device dumping the information that

is harvested on the protected parts of the memory (RAM) (Brothers, 2014). Forensic analyst use a flasher

box connecting the device data port to the digital forensic workstation, then the device is placed in a

diagnostic mode, where the analyst can send commands and the flasher box “captures’ section(s) of the

memory transporting the data back to the workstation (Ayers, Brothers, Jansen, 2014). Cellebrite’s UFED

Touch Ultimate is the most popular tool used in the United States (Brothers, 2014). The Touch Ultimate6

performs both logical and physical extraction and decoding; also for Android devices the Touch Ultimate

4 http://www.oxygen-forensic.com/en/products/oxygen-forensic-extractor/for-mobile-devices 5 http://www.radio-tactics.com/products/law/aceso-kiosk 6http://www.cellebrite.com/Media/Default/Files/UFED%20Touch%20data%20sheet.pdf


10

can bypass security features such as pattern lock, and pin (Cellebrite, 2015), price range is around $4500

(Brothers, 2014). XRY Office7 is an all-in-one packaged tool that performs logical and physical

extractions of data; it can read and clone SIM cards, produce a combined live and delete report, and

provides a hex viewer to examine the data. XRY is widely used in the United Kingdom, and price tag is

around $4000 (Brothers, 2014).

The fourth classification tier level is chip-off. Chip-Off is the removal of the chip from the

device, so the analyst can create a binary image of the chip (Ayers, Brothers, Jansen, 2014). The copy of

the chip can then be read in another device or through an EEPROM reader (Brothers, 2014). UP-828

Programmer8 by TEELtechnologies supports different Android and Blackberry flash chip technologies,

the beginning price is $2012, if further adapters are required for newer phone support it is a $670

investment. The Netherlands Forensic Institute developed NFI Memory Toolkit9; it is a universal kit that

examines the memory retrieving phone numbers, text messages, browser history even when the device is

damaged and / or protected.

The last level in the tool classification module is Micro Read. Micro Read is using an electron

microscope to examine NAND and NOR chips; at this level it should only be performed during a high

profile case, there are no Micro Read tools available (Ayers, Brothers, Jansen, 2014). “NOR chips store

operating system code, drivers for the device, system libraries; NAND memory comprises of graphics,

audio, video and other useful files” (Ayers, Brothers, Jansen, 2014).

The table below defines some of the pros and cons of each level in the classification tier.

7 https://www.msab.com/products/office/ 8 http://www.teeltech.com/mobile-device-forensic-tools/up-828-programmer/ 9https://www.forensicinstitute.nl/products_and_services/forensic_products/memory_toolkit/


11

Pros Cons

Manual Fast, work on almost all devices, no cables needed

Not all data is retrieved, error prone, broken buttons, time consuming

Logical Fast, easy, gather lots of valuable information, report printout

Possible data change, cables, minimal access to log files

Hex Dumping Extract data that was hidden in menus of the device, retrieve deleted data, bypass passwords (methods vary for bypassing passwords since

there are different security mechanisms available)

Data needs to be converted, some tools from hacker community, customized

cables, manufacturer support is limited, lacking source code

Chip Off Extract ALL data from device memory, more of a holistic approach, training is available

Reporting is lacking, hard to use, possible chip damage, customized cable harnesses needed, lacking source code

Micro Read Extract and verify all data from memory, best picture of what is going on in the device

More time consuming than other levels, expensive, requires high level of

technical experience, hard to understand extracted data

Table 3 Classification Levels Pros and Cons (Brothers, 2014)

The main difference between physical and logical extractions, physical is a bit-by-bit copy of all of the

flash memory including the unallocated space; logical extraction is viewing the file structure and

directories through flash memory (Mooij, 2010).

Documentation

Documenting evidence should begin upon arrival of the scene. Preserving the data in its original

condition is key (Casey, Turnbull, 2011); the integrity of the evidence is only beneficial in court using

standard method(s) to acquire the evidence (Bennett, 2011). Documenting evidence is not only of how

the data was extracted through software tools, but also a timestamp of when the device was seized, battery

level, applications showing on the display, physical state of device, any original cables (Dixon, n.d.).

When involved in digital evidence case, a couple of defensible practices need to occur, chain of custody

and verifying evidence (Daniel, n.d.). Proper documentation of the chain of custody allows the court to

see who has handled the evidence. Verifying the evidence allows others to validate data has not been

altered, and steps that were originally taken, could be repeated, returning equivalent results. (Casey,


12

Turnbull, 2011). Any blunders made during the process, i.e. the battery drained shutting off the device;

this needs to be noted somewhere because potential evidence that was stored in RAM while the device

was on it now completely gone.

Forensic Mishaps

Turning off the device can be a regrettable action; a security lock feature could be activated such

as a pin code, drawing a pattern, and a biometric feature (finger print, facial scan). Integrity of the device

is important, Faraday isolator bags / cages block out radio waves (Admin, 2012); preventing network

access to the device. Also, placing the device in airplane mode limits access to the cell towers (SWGDE,

2013). Network access to the device can cause an alteration of current data (incoming calls, messages);

also remote wipe features could be initiated inhibiting evidence that may be crucial to the investigation

(Casey, Turnbull, 2011). Any mishandlings or loss of data could threaten the investigation (Ayers,

Brothers, Jansen, 2014). There are times when data is retrieved from the device while it is sitting in a

cradle connected to a machine, this too can alter potential evidence (Casey, Turnbull, 2011), if something

happens during synchronization processing. Neglecting evidence is possible during examination; an

application for Android and iOS that is known for peer-to-peer messaging using elliptic curve encryption

is Wickr10. An investigator could assume that the Wickr is an application for designing wicker baskets,

thus overlooking text-messaging evidence that could have been the smoking gun in the case.

Education and Training

Reading reference guides, and HOWTOs can only go so far; proper hands-on training should be a

pre-requisite before entering into a live forensics acquisition environment solo. Training would also

benefit situations where personnel (crime scene technicians, patrol officers, agents) who have been

delegated the responsibility of analyzing the devices having pessimistic attitudes:

10 https://wickr.com/how-wickr-works/


13

• Afraid of destroying digital evidence

• Afraid of misreading the digital evidence

• Digital evidence does not that big of a sway in court verdicts

• No technical background

(Miller, 2015).

Nationally recognized, Champlain College offers a Baccalaureate program in Computer and

Mobile Forensics encoding a skill set that students need to be successful in this growing area allowing

them to work alongside of law enforcement in live digital investigation cases (Champlain College, 2015).

There is hands-on and online training available through the SANS Internet Storm Center for

Advanced Smartphone Forensics covering topics on how to bypass locks, detecting malicious software,

and performing forensics on two of the top mobile platforms that users are on today Android and iOS

(SANS, 2015). InfoSec Institute offers a boot camp training course where 60% of the training is hands-

on; learning how to read sqlite data stores, recovering keyboard caches, breaking the devices encryption

keys, and other useful skills to carryout investigations on devices (InfoSec, n.d.).

Conclusion

Mobile Forensics is a relatively new, and a difficult field to tackle. The changes in mobile

technology are a major headache for digital evidence analyst who has to constantly keep up with current

mobile developments. So much data is accumulated on a mobile device, that it becomes a gold mind for

evidence. Software tools have been developed for manually, logically, and physically acquisition data

from the devices memory chips, call logs, text messages, SIM cards, file system, et cetera. Documentation

can go along way in a court of law; the analyst will need to justify the method(s) used for collecting

evidence (Gonzalez, Hung, Friedberg, 2011). Becoming a successful mobile forensic analyst requires

extensive training in the diverse field, an open mind, and who can think on their toes when necessary..


14

References

Admin. (2012). How a faraday bag works. Retrieved from http://forensicstore.com/how-a-faraday-bag-works/

Ayers, R. (2014). Mobile forensics tool testing at NIST. Retrieved from http://www.nist.gov/forensics/nist-

mobile-forensics-webcast.cfm

Ayers, R., Brothers, S. & Jansen, W. (2014). Guidelines on mobile forensic devices. Retrieved from

http://dx.doi.org.jproxy.lib.ecu.edu/10.6028/NIST.SP.800-101r1

Barmpatsalou, K., Damopoulos, D., Kambourakis, G., & Katos, V. (2013). A critical review of 7 years of mobile

device forensics. Digital Investigation, 10(4), 323-349. doi:http://dx.doi.org/10.1016/j.diin.2013.10.003

Bennett, W. D. (2011). The challeneges facing computer forensic investigators in obtaining information from

mobile devices for use in criminal investigation . Retrieved from

http://articles.forensicfocus.com/2011/08/22/the-challenges-facing-computer-forensics-investigators-in-

obtaining-information-from-mobile-devices-for-use-in-criminal-investigations/

Brome, R., & Zeman, E. (2015). Phone scoop. Retrieved from http://www.phonescoop.com/phones/

Brothers, S. (2014). Acquisition techniques: Mobile foresnics A to Z. Retrieved from

http://www.nist.gov/forensics/nist-mobile-forensics-webcast.cfm

Casey, E., & Turnbull, B. (2011). Digital evidence on mobile device. Digital evidence and computer crime (3rd

ed., pp. 1) Elsevier Inc.

Cellebrite. (2015). UFED touch. Retrieved from

http://www.cellebrite.com/Media/Default/Files/UFED%20Touch%20data%20sheet.pdf

Champlain College. (2015). Computer and digital forensics. Retrieved from http://www.champlain.edu/computer-

forensics/computer-and-digital-forensics-major

Daniel, L.Digital forensics for attorneys: An overview of digital forensics. Retrieved from

https://sog.adobeconnect.com/p69493734/


15

Dixon, E.Best practices in mobile forensic investigations. Retrieved from

http://www.evidencemagazine.com/index.php?option=com_content&task=view&id=659

Friedberg, S., Gonzalez, J. & Hung, J. (2011). Mobile device forensics: A brave new world? Retrieved from

http://www.strozfriedberg.com/files/Publication/224ca0f8-5101-4e1b-938a-

4d4b128ad5ed/Presentation/PublicationAttachment/ef4a28ad-ff7d-4014-aea8-

80505789b86c/Mobile%20Device%20Forensics_%20A%20Brave%20New%20World.pdf

Infosec Institute.Mobile computer forensics. Retrieved from http://www.infosecinstitute.com/courses/mobile-

computer-forensics.html#pricing

International Numbering Plans. (2015). Retrieved from https://www.numberingplans.com.

Kaneshige, T. (2014). Think deleted text messages are gone forever? think again. Retrieved from

http://www.cio.com/article/2378005/byod/byod-think-deleted-text-messages-are-gone-forever-think-

again.html?page=2

Meyers, J. (2011). Watch the incredible 70-year evolution of the cell phone . Retrieved from

http://www.businessinsider.com/complete-visual-history-of-cell-phones-2011-5

Miller, C. M. (2015). Fear of mobile device evidence collection? Law Enforcement Technology, 42(2), 8-10.

Retrieved from http://search.ebscohost.com/login.aspx?direct=true&db=i3h&AN=101065797&site=ehost-

live

Mooij, B. (2010). Data extraction from a physical dump. Retrieved from

http://www.forensicmag.com/articles/2010/09/data-extraction-physical-dump

Moshe-Ben, Y. (2014). Digital detection. Retrieved from

http://www.cellebrite.com/collateral/AR_Digital%20Detection_Forensic%20Investigator_NOV2014.pdf

MSAB. (2015). XRY office. Retrieved from https://www.msab.com/products/office/

Murray, D. J.Guide to computer forensics and investigations. Retrieved from

http://mgt.buffalo.edu/departments/mss/djmurray/mgs410/ch13.ppt


16

Netherlands Forensic Institute.NFI memory tool kit. Retrieved from

https://www.forensicinstitute.nl/products_and_services/forensic_products/memory_toolkit/

Oxygen Forensics.Oxygen forensic extractor. Retrieved from http://www.oxygen-

forensic.com/en/products/oxygen-forensic-extractor/for-mobile-devices

Palmer, G. (2001). A roadmap to digital forensics research. Retrieved from http://www.dfrws.org/2001/dfrws-rm-

final.pdf

paraben corporation. (2015). Project-A-phone ICD-8000 . Retrieved from http://www.project-a-phone.com/icd-

8000.html

Radio Tactics. (2015). Phone and device forensics. Retrieved from http://www.radio-

tactics.com/products/law/aceso-kiosk

Rivera, J., & van der, M. R. (2014). Gartner says worldwide traditional PC, tablet, ultramobile and mobile phone

shipments on pace to grow 7.6% in 2014 . Retrieved from ttp://www.gartner.com/newsroom/id/2645115

Rivers, A. (2012). Find any AT command for iPhone baseband using my list . Retrieved from

http://letsunlockiphone.guru/iphone-at-baseband-command-list/

SANS. (2015). FOR585: Advanced smartphone forensics. Retrieved from http://www.sans.org/course/advanced-

smartphone-mobile-device-forensics#results

Soper, T. (2014). Study: Americans spend 162 minutes on their mobile device per day, mostly with apps .

Retrieved from http://www.geekwire.com/2014/flurry-report-mobile-phones-162-minutes/

SWGDE. (2013). Best practices for mobile phone forensics. Retrieved from

https://www.swgde.org/documents/Current%20Documents/2013-02-

11%20SWGDE%20Best%20Practices%20for%20Mobile%20Phone%20Forensics%20V2-0

Tassone, C., Martini, B., Kim-Kwang, R. C., & Slay, J. (2013). Mobile device forensics: A snapshot. Trends &

Issues in Crime & Criminal Justice, (460), 1-7. Retrieved from

http://search.ebscohost.com/login.aspx?direct=true&db=i3h&AN=90116161&site=ehost-live


17

Teel, B. (2014). UP-828 programmer. Retrieved from http://www.teeltech.com/mobile-device-forensic-tools/up-

828-programmer/

Wickr. (2015). How wickr works. Retrieved from https://wickr.com/how-wickr-works/

Willassen, S. (2005). Forensic analysis of mobile phone internal memory. In M. Pollitt, & S. Shenoi (Eds.), (pp.

191-204) Springer US. doi:10.1007/0-387-31163-7_16

Zarouni-Al, M. (2006). Mobile handset forensic evidence: A challenge for law enforcement. Edith Cowan

University. (4th)

Mobile Device Forensics - Infosec · PDF fileRunning head: MOBILE DEVICE FORENSICS 1 Mobile...

Documents

Transcript of Mobile Device Forensics - Infosec · PDF fileRunning head: MOBILE DEVICE FORENSICS 1 Mobile...