Advanced Techniques in
Forensic Examination of Smartphones
2012
(C) Oxygen Software, 2000-2012 http://www.oxygen-forensic.com
Worldwide smartphone sales

Source: Gartner (February 2012)

101M devices sold in 4Q 2010; 149M devices sold in 4Q 2011
Smartphone market increased by 48.5% during just 1 year!

OS          4Q 2010   4Q 2011
Symbian     32.3%     11.7%
RIM         14.6%      8.8%
iOS         15.8%     23.8%
Android     30.5%     50.9%
Microsoft    3.4%      1.9%
Bada         2.0%      2.1%
Other        1.5%      0.8%
Top smartphone vendors - 2011

Source: Gartner (February 2012)

471.7M devices sold in 2011

Vendor     Share
Apple      18.9%
Samsung    18.5%
Nokia      17.9%
RIM        10.9%
HTC         9.1%
Others     24.6%
Smartphones

What information is stored on a modern smartphone?
• Cell phone
• Address book
• Planner & Organizer
• Messenger
• Photo & Video camera
• GPS navigator
• Web & IM client
• Platform for 3rd party apps
Smartphone is a small PC
Smartphone as: Cell phone

Basic Information
• IMEI/MEID/Serial number
• Hardware & Software revision
• Network information

Event log
• Incoming, outgoing, missed calls history
• Sent & received messages history
• GPRS & Wi-Fi sessions log

SIM card
• IMSI
• Phone numbers*
• SMS messages*

* - Usually these features are not utilized by smartphones
Smartphone as: Address book

Contacts information
• First, middle, last name, nickname, joint name, company, department, job title
• Photo and personal ringing tone
• Phone numbers: general, mobile, fax, video, pager, VoIP, push-to-talk
• Postal addresses, Web pages and e-mails
• Different contact sources (Android)
• Number of calls (Android)
• Text notes
• Private info: birthday, spouse, children
• Custom field labels (Symbian, iPhone OS)
• Multiple fields of the same type
• Creation and last modification times (Symbian, iPhone OS)

Caller groups
• List of caller groups & belonging contacts

Speed dials
• List of assigned speed dials
Smartphone as: Planner

Calendar events
• Meetings, reminders and anniversaries
• Start date & time
• Finish date & time
• Alarm date & time
• Recurrence
• Last modification date & time

Tasks
• Task description
• Deadline
• Priority
• Alarm date & time
• Completion date & time

Notes
• Note text & date
Smartphone as: Messenger

Messaging system
• Text messages (SMS)
• Multimedia messages (MMS)
• E-mail messages with attached files
• BIO messages: vCard, vCal, configuration and others
• Beamed messages: files sent via Bluetooth, IR or USB
• Standard message folders
• Custom message folders
• Date & time
• Service center timestamp for incoming messages
• Information about deleted SMS messages (Symbian, iPhone OS)
Smartphone as: GPS navigator

GPS Navigator
• Last fixed GPS coordinates
• Search history
• Routes history
• Last displayed map
• Saved maps
• List of favorite places

Location tagger
• GPS coordinates in camera snapshots*
• Cell coordinates in camera snapshots*
• Cell coordinates for camera snapshots**
• Cell coordinates for video records**
• Cell coordinates for SMS messages**

* - Available in EXIF header for almost all models having GPS receiver
** - Available in several Nokia smartphones and Sony Ericsson devices
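The EXIF location tag mentioned above is stored as a GPS IFD inside the TIFF structure that a JPEG carries in its APP1 "Exif" segment. The Python below is an added example, not Oxygen Software code: it constructs such a block, embeds it in a stub JPEG, and parses the signed decimal coordinates back out, including the hemisphere reference letters and the degrees/minutes/seconds rationals. The coordinates, the byte layout of the sample and the function names are constructed for the illustration and are not taken from the presentation.

```python
import struct

# Added example (not Oxygen Software code). Builds a minimal Exif/TIFF block with
# a GPS IFD, wraps it in a stub JPEG APP1 segment, and parses the coordinates back.
# All sample data below is constructed; no real photo is read.

GPS_INFO_TAG = 0x8825                       # IFD0 entry pointing at the GPS IFD
TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON = 0x0001, 0x0002, 0x0003, 0x0004
TYPE_ASCII, TYPE_LONG, TYPE_RATIONAL = 2, 4, 5

def _to_dms(value):
    """Decimal degrees -> [(deg,1), (min,1), (sec*100,100)] Exif rationals."""
    value = abs(value)
    deg = int(value)
    minutes = int((value - deg) * 60)
    seconds = round(((value - deg) * 60 - minutes) * 60 * 100)
    return [(deg, 1), (minutes, 1), (seconds, 100)]

def build_exif_gps(lat, lon):
    """Constructed little-endian TIFF: IFD0 -> GPS IFD with lat/lon and hemisphere refs."""
    e = "<"
    gps_ifd_off = 8 + 2 + 12 + 4                # header + IFD0 with one entry
    data_off = gps_ifd_off + 2 + 4 * 12 + 4     # GPS IFD has four entries
    out = bytearray(b"II" + struct.pack(e + "HI", 42, 8))
    out += struct.pack(e + "H", 1)
    out += struct.pack(e + "HHII", GPS_INFO_TAG, TYPE_LONG, 1, gps_ifd_off)
    out += struct.pack(e + "I", 0)              # no IFD1
    lat_ref = b"N" if lat >= 0 else b"S"
    lon_ref = b"E" if lon >= 0 else b"W"
    out += struct.pack(e + "H", 4)
    # 2-byte ASCII values fit inside the 4-byte value field; rationals live at data_off
    out += struct.pack(e + "HHI", TAG_LAT_REF, TYPE_ASCII, 2) + lat_ref + b"\x00\x00\x00"
    out += struct.pack(e + "HHII", TAG_LAT, TYPE_RATIONAL, 3, data_off)
    out += struct.pack(e + "HHI", TAG_LON_REF, TYPE_ASCII, 2) + lon_ref + b"\x00\x00\x00"
    out += struct.pack(e + "HHII", TAG_LON, TYPE_RATIONAL, 3, data_off + 24)
    out += struct.pack(e + "I", 0)
    for num, den in _to_dms(lat) + _to_dms(lon):
        out += struct.pack(e + "II", num, den)
    return bytes(out)

def wrap_in_jpeg(tiff):
    """Stub JPEG: SOI, APP1 'Exif' segment carrying the TIFF block, EOI (no image data)."""
    payload = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload + b"\xff\xd9"

def find_exif_in_jpeg(jpeg):
    """Walk JPEG marker segments; return the TIFF block of the APP1 Exif segment or None."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):              # EOI / SOS: metadata segments are over
            break
        seg_len, = struct.unpack_from(">H", jpeg, pos + 2)
        body = jpeg[pos + 4:pos + 2 + seg_len]
        if marker == 0xE1 and body[:6] == b"Exif\x00\x00":
            return body[6:]
        pos += 2 + seg_len
    return None

def _read_ifd(buf, off, e):
    """Return {tag: (type, count, 4-byte value/offset field)} for the IFD at off."""
    count, = struct.unpack_from(e + "H", buf, off)
    entries = {}
    for i in range(count):
        base = off + 2 + 12 * i
        tag, typ, n = struct.unpack_from(e + "HHI", buf, base)
        entries[tag] = (typ, n, buf[base + 8:base + 12])
    return entries

def extract_gps(tiff):
    """Return (lat, lon) in signed decimal degrees, or None if no GPS IFD is present."""
    order = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if order is None:
        raise ValueError("not a TIFF/Exif block")
    magic, ifd0_off = struct.unpack_from(order + "HI", tiff, 2)
    if magic != 42:
        raise ValueError("bad TIFF magic")
    ifd0 = _read_ifd(tiff, ifd0_off, order)
    if GPS_INFO_TAG not in ifd0:
        return None
    gps_off, = struct.unpack_from(order + "I", ifd0[GPS_INFO_TAG][2])
    gps = _read_ifd(tiff, gps_off, order)
    if not all(t in gps for t in (TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON)):
        return None

    def dms_to_decimal(tag):
        off, = struct.unpack_from(order + "I", gps[tag][2])
        parts = [n / d if d else 0.0
                 for n, d in struct.iter_unpack(order + "II", tiff[off:off + 24])]
        return parts[0] + parts[1] / 60 + parts[2] / 3600

    lat, lon = dms_to_decimal(TAG_LAT), dms_to_decimal(TAG_LON)
    if gps[TAG_LAT_REF][2][:1] == b"S":
        lat = -lat
    if gps[TAG_LON_REF][2][:1] == b"W":
        lon = -lon
    return round(lat, 6), round(lon, 6)

NO_GPS_TIFF = b"II*\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00"  # empty IFD0, no GPS

if __name__ == "__main__":
    photo = wrap_in_jpeg(build_exif_gps(48.8584, 2.2945))   # constructed coordinates
    print(extract_gps(find_exif_in_jpeg(photo)))
```

The parser deliberately stops at the start-of-scan marker and tolerates both byte orders, because real handset firmware emits both; a missing GPS IFD is reported as None rather than an error, since most snapshots from phones without a fix have none.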
Smartphone as: Web client

Web browser
• Web cache files
• Bookmarks
• Pages view history
• Last opened URLs
• Search history
• Cookies

IM client
• IP, Login (UID, e-mail) and password*
• Contacts list
• Chat history
• Calls history

* - Available for some IM clients
Smartphone as: PC

Operating System apps
• Camera snapshots
• Video clips
• Voice records
• Sounds and Podcasts
• Wi-Fi networks list
• Paired Bluetooth devices list
• Activated SIM cards list
• VPN profiles

3rd party apps
• List of installed applications
• Office documents
• Application logs & data files
Extraction
What data extraction methods are available for mobile devices?
There are two standard ways to get forensic information from smartphones: logical and physical analysis.
Standard extraction methods
Logical analysis
• Data extracted using common PC-to-mobile communication protocols: AT, OBEX, SyncML
• Smartphone connected to PC with a standard cable (or Bluetooth/IR adapter)
Physical analysis
• Data extracted using direct memory reading (hex dump)
• Smartphone (or its memory chip only) connected to special hardware
Logical analysis for smartphones

AT+
• General phone information
• Contacts (simple), calls*, SMS, settings*

Nokia FBUS
• General phone information

OBEX
• General phone information
• Files*

SyncML
• General phone information
• Contacts, calendar, notes, settings*, bookmarks, messages*

1) The information extracted by all logical protocols is only the top of the iceberg
2) All logical protocols were developed for data synchronization
The top of the iceberg (what logical protocols can extract):
• General phone information
• Contacts*
• Calendar
• Notes
• Calls history
• Messages*
• Files*
• Settings*
• Bookmarks

* - Available data set is restricted and depends highly on manufacturer implementation

Below the water line (what logical protocols do not extract):
• Caller groups
• Custom field labels
• Speed dials
• Messages from custom folders
• Event log
• Deleted messages information
• Service center timestamps
• GPS information
• Location tagged data
• Web browser data
• IM client data
• 3rd party apps
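As an added illustration of what a logical AT+ extraction actually yields (example code, not Oxygen Software's), the Python below parses a constructed modem dialogue: the IMEI from AT+CGSN, phonebook entries from AT+CPBR, and text-mode SMS from AT+CMGL, converting the service-centre timestamp's quarter-hour zone field into a timezone-aware ISO 8601 value. The session text, the test IMEI and the 555 numbers are constructed; the response formats follow 3GPP TS 27.007 and 27.005, and the result structure is this example's own.

```python
import re
from datetime import datetime, timedelta, timezone

# Added example (not Oxygen Software code): parses a captured AT command session of
# the kind a logical extraction over a serial/USB link produces. The session text is
# constructed (test IMEI, reserved 555 numbers); nothing talks to a real handset.
SAMPLE_SESSION = """AT+CGSN
490154203237518
OK
AT+CPBR=1,3
+CPBR: 1,"+15550100",145,"Alice Example"
+CPBR: 3,"5550123",129,"Office"
OK
AT+CMGF=1
OK
AT+CMGL="ALL"
+CMGL: 1,"REC READ","+15550100",,"12/02/15,09:30:00+04"
Meet at 10?
+CMGL: 2,"REC UNREAD","+15550199",,"12/02/16,18:05:12-20"
Call me back
OK
"""

# +CPBR: <index>,<number>,<type>,<text>          (3GPP TS 27.007 phonebook read)
CPBR_RE = re.compile(r'^\+CPBR: (\d+),"([^"]*)",(\d+),"([^"]*)"$')
# +CMGL: <index>,<stat>,<oa/da>,[<alpha>],[<scts>] (text mode list; body on next line)
CMGL_RE = re.compile(r'^\+CMGL: (\d+),"([^"]*)","([^"]*)",(?:"([^"]*)")?,"([^"]*)"$')

def parse_scts(scts):
    """Service-centre timestamp 'yy/MM/dd,hh:mm:ss+zz' -> aware datetime.
    The zone field counts quarter hours, so +04 means UTC+01:00."""
    date_part, time_part = scts.split(",")
    sign = -1 if time_part[-3] == "-" else 1
    quarters = int(time_part[-2:])
    tz = timezone(sign * timedelta(minutes=15 * quarters))
    naive = datetime.strptime(f"{date_part} {time_part[:-3]}", "%y/%m/%d %H:%M:%S")
    return naive.replace(tzinfo=tz)

def parse_session(text):
    """Turn the raw modem dialogue into a structured extraction record."""
    record = {"imei": None, "contacts": [], "messages": []}
    lines = text.splitlines()
    current_cmd = None
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        if line.upper().startswith("AT"):
            current_cmd = line.upper()
        elif current_cmd == "AT+CGSN" and line.isdigit():
            record["imei"] = line
        elif (m := CPBR_RE.match(line)):
            idx, number, ntype, name = m.groups()
            record["contacts"].append({
                "index": int(idx), "name": name, "number": number,
                "international": int(ntype) == 145,   # type 145 = international '+' format
            })
        elif (m := CMGL_RE.match(line)):
            idx, stat, address, _alpha, scts = m.groups()
            body = lines[i + 1] if i + 1 < len(lines) else ""
            i += 1                                     # body line consumed
            record["messages"].append({
                "index": int(idx), "status": stat, "address": address,
                "received": parse_scts(scts).isoformat(), "body": body,
            })
        i += 1
    return record

if __name__ == "__main__":
    import json
    print(json.dumps(parse_session(SAMPLE_SESSION), indent=2))
```

Note how little the protocol exposes: a name and a number per contact, and for SMS only the sender, status, service-centre time and body; the caller groups, custom labels, deleted-message remnants and folder structure listed below the water line never appear in this dialogue at all.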
Physical analysis for smartphones

What to do with gigabytes of that?
Standard extraction methods: Summary

Physical analysis
• All information can be extracted
• Hard to perform
• Very hard to analyze
• Expensive software, special hardware needed

In 2002 Oxygen Software invented the 3rd way - analysis using a special agent application working inside smartphone OS
How to extract data without a headache?

Physical analysis
• All information can be extracted
• Hard to perform
• Very hard to analyze
• Expensive software, special hardware needed

* - Agent can extract all the information available for native OS applications
Agent application usage
• General phone information & SIM card data
• Contacts with all fields and custom field labels
• Caller groups & Speed dials
• Event Log
• Calendar events
• Tasks & Notes
• Messages from standard and custom folders
• Deleted messages information
• Service center timestamp
• Camera snapshots, video clips and voice records
• File system
• GPS & Location tagged information
• Web browser cache & bookmarks
• IM clients data
• 3rd party applications with their information
- Protected operating system files
- Memory dump
Afraid of writing to device?
Comparison of phone content changes when performing analysis using different approaches

SyncML protocol usage
• Setting up sync parameters
• Installing extra sync add-ons*
• Running SyncML server
• SyncML server generates synchronization log files

Agent application usage
• Loading Agent to device
• Installing Agent
• Running Agent
• Uninstalling Agent**

* - Extra sync add-ons installation may be needed to extract some additional information (e.g. MMS)
** - Agent does not generate any log files

Unlike Agent, the SyncML server is not a forensically designed application and is not under the examiner's full control. In addition, it makes more data modifications than Agent.
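To document the content changes a given approach makes, an examiner can hash a file listing before the procedure, while the tool is present, and after its removal, and diff the three. The Python below is an added example (not Oxygen Software code) that does this over three constructed snapshots; the paths and file contents are invented for the illustration and do not describe any real device layout or the Agent's behaviour.

```python
import hashlib

# Added example (not Oxygen Software code). Compares hashed file listings taken
# before an extraction, while the extraction tool is present, and after it has been
# removed, to quantify what the procedure changed. Snapshots are constructed.

def manifest(snapshot):
    """{path: bytes} -> {path: sha256 hex digest}."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in snapshot.items()}

def diff_manifests(before, after):
    """Classify every path as added, removed, modified or unchanged."""
    b, a = set(before), set(after)
    return {
        "added": sorted(a - b),
        "removed": sorted(b - a),
        "modified": sorted(p for p in a & b if before[p] != after[p]),
        "unchanged": sorted(p for p in a & b if before[p] == after[p]),
    }

def residue_report(pre, during, post):
    """What the tool changed while installed, and what still differs after removal."""
    m_pre, m_during, m_post = manifest(pre), manifest(during), manifest(post)
    after_removal = diff_manifests(m_pre, m_post)
    return {
        "while_installed": diff_manifests(m_pre, m_during),
        "after_removal": after_removal,
        # True only if the device looks byte-identical to the pre-extraction state
        "no_residue": not (after_removal["added"] or after_removal["removed"]
                           or after_removal["modified"]),
    }

# Constructed snapshots; paths are illustrative, not a real device layout.
PRE = {
    "/data/contacts.db": b"contact-db-v1",
    "/data/sms.db": b"sms-store-v1",
    "/system/event.log": b"event-log:boot",
}
DURING = dict(PRE)
DURING["/apps/extract-agent.bin"] = b"agent-binary"          # tool loaded onto handset
DURING["/system/event.log"] = b"event-log:boot;app-install"  # OS logged the install
POST = {p: d for p, d in DURING.items() if p != "/apps/extract-agent.bin"}

if __name__ == "__main__":
    import json
    print(json.dumps(residue_report(PRE, DURING, POST), indent=2))
```

Recording the "after_removal" set alongside the extraction is what lets an examiner state precisely which files the procedure touched, rather than asserting in general terms that the tool was removed.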
Summary

Smartphones are a considerable part of the mobile device market
FutureSource Consulting forecasts that, between 2008 and 2013, annual sales of smartphones will rise by 95% to over 300 million. That will be around 37% of all new mobile phones, up from 13% in 2008.

Smartphones store much more important forensic information than plain cell phones
Being multiple-in-one devices with an OS that has an open API, smartphones are turning into small PCs with large memory sizes, a wide set of preinstalled applications and a huge number of available 3rd party applications.

Standard extraction methods are less effective for smartphones
All logical protocols were developed for sync purposes, so they can only extract the top of the iceberg. Physical analysis of gigabyte hex dumps takes a lot of time.

Agent application usage is the golden mean
The Agent application approach, introduced by Oxygen Software in 2002, almost achieves the completeness of data extracted by physical methods. At the same time it works via standard cables and adaptors and presents the extracted data in a readable and user-friendly format, much like a logical analysis.