digital forensics - uni-lj.si

5/5/18

DigitalforensicsAndrejBrodnik

AndrejBrodnik:Digitalforensics

Cell (mobile)phones

chapter 20• various technologies ofdatatransfer• sometimesmostlyphones,todaymostlycomputers• richsourceofpersonaldata• callhistory (incoming,outgoing and missed)• SMSand MMS history (receivedandsent)• historyoflocationdata• images,journals,calendars,...• accesstothewebnetworks– shortly,allthedatawhichisalsofoundonusualcomputers

Dataonthecellphone

• Example (POCKET-DIALMFORMURDER):Theperpetrator hadaphoneinhispocketduringthecrime,whichhaspocket-dialedcellphoneofhiswife,whowasthevictim ofthecrime. Onthewife’sphone,thecallwenttovoicemailanditwasrecorded.

• Computationalpowerofmobiledevicesisincreasing becausetheycontainmuchmoreI/Odevices• thermometers• accelerometers• creditcardscanners• ...• useoftheseunitswentbeyondthemanufacturer’sintentions;e.g.atcertaintemperaturesomeactionistriggered

• phonesbecameonetypeofembeddedsystems

5/5/18

Mobiledeviceforensics

• deviceshavemorecapableoperationsystems• Android• iPhone• Blackberry• WindowsMobile

• andolderoperationsystems (SYMBIAN,...)

• devicesarebythedefinitionnetworkdevices• GPRS,CDMA,UMTS,...• IEEE802.11• IEEE802.15(Bluetooth)• Infraredcommunication• ...

• accesstothedevicemaydestroyormodifytheevidencematerial

• dataisusuallysavedinstoragemedia• itcannotbedeleted,butitcanbecopied• duetothelimitednumberofwrites,writingalgorithmsspreaddataacrossstoragemedia• thatiswhywecangetalotofdatathatseemstobedeleted

5/5/18

• dataacquiringfromdevice• usuallyusingcableconnectedtothedataport

• protocolknowledgeneeded• sometimesadirectcapturefromthestoragemediaisrequired

• directreadingfromchip

• devicesaremadefromtwoparts• deviceitself• SIMcards

• devicehasuniqueidentificationnumberIMEI (InternationalMobileEquipmentIdentity)

• SIMcardsarecomputers• CPU,ROM,RAM

• contain ICC-ID(IntegratedCircuitCardIdentifier):• MCC(mobilecountrycode),• MNC(mobilenetworkcode),• serialnumberofcard

5/5/18

SIMcards

• Challenge: WhichdataSIMcardalsocontains?• Challenge:WhatisLAIandwhatis IMSI?• Challenge:WhatyourSIMcardhas?Whatarethevaluesofthisdata?Whatistheidentificationofyourmobiledevice?

Dataaboutandonthedevice

• ondevice – dependsonthetypeofthedevice:• baselinephone• smartphone

• wherethedataisalsostored:• user’scomputer• operator• SIMcard

• ondeviceareatleaststored:• titles• incoming,outgoingandmissedcalls• receivedandsent SMS

SMSasdigitalevidence

• fullinformation:whenissent/received,fromwho andcontent• norecordofwhenmessageswerefirstread

exampleofdataacquiredusingBitPim (http://www.bitpim.org/)

5/5/18

Imagedata

• smartphoneshavecameras• Imagedataisin EXIFrecord (usually)

Exampleofdataacquiredfrom WindowsMobiledeviceusing XRY(http://www.msab.com/)

AccesstotheInternetservices

• mobiledevicesenableaccesstotheweb• oftenusersavespasswordsthere• thereishistoryofentries• logsofthelastentries• ...

• mobiledevicesenablee-mailreading• passwordstoaccessmailboxes• lastreceived/sentmails• ...

• otherapplicationsandtheirdata

AccesstotheInternetservices

• exampleofdataonaniPhone

5/5/18

LocationInformation

• historyofmovingbetweencellulartowerscanbesaved• GPSdevicescansaveexactcoordinates

LocationInformation

• imagescansaveinformationsuchaswhenandwheretheyweretaken• e.g. EXIFformat

• Challenge:searchforlocationinformationinyourphone.

Otherdata

• calendar,notes,...

• Challenge:searchforcalendardatainyourphone.

5/5/18

Attacksonmobiledevices

• theattackerloadshiscodeonthedevice• throughthenetwork• theuseruploadsanapplicationthatseemsusefulandfriendly(http://www.theregister .co.uk/2010/01/11/android_phishing_app/)

• theapplicationreadspasswords,...• allowstheattackertoaccesstobankaccounts ...• see MobileSpy(http://www.mobile-spy.com/)

Attacksonmobiledevices

• Challenge:HowdoestheMobileSpy work?• Challenge:FindthesoftwarethatcanharmyourAndroidsystem?• Challenge:MakeyourownprogramthatreadsdataonAndroid(iPhone)system.Canthisalsobeusefulsoftware?

ThinkingOutsideoftheDevice

• additionaldata:• user’scomputer• operator:callcenterandbasestations

• devices,userknowssomethingabout(transitivity)

5/5/18

HandlingMobileDevices

• thedevicecanwirelesslyconnectwithworld• disable• removepower• otherways

HandlingMobileDevices

• removestoragemodule• storagemodulesarealwayssmaller

• usually FATfilesystem• iPhone:APFS,Android:Linux design

• otherwiseusualprocedures (signature,journals,...)

Accessingthedata

• differentmethodsofaccessingwithdifferenttypes• noteverydevicehasUSBguide

• examples:• viauserinterface• viacommunicationport• propertyinterface(NokiaF-BUS,FlashBUS)• via JTAG(JointTestActionGroup)interface• viadirectmemorychipaccess

5/5/18

Accessingthedata

• somedevicesprovideagentaccess• whendeviceison, itrunstheagentwhichtakesover controlofthedevice(iPhone)

• sometimeswecanstopsoftwarelaunchingandputourcodeasfurtherupload• manufacturersofferdataarchivingsoftwarewhichalsoprovidesaccesstodeletedandotherdata

Examples...

• exampleofstoreddatawithanarchiveusingXACT(Motoroladevice)

Examples...

• device,whichispartlybroken,itmaystillworkwellenough

5/5/18

MobileDeviceForensicsTools

• anytoolallowsaccesstothedevicememory(forexampledisk)• inthecaseofadisk,accessisrelativelysafebecauseitcannotchangecontentbyitself• incaseofmobiledevicethatisnotnecessarilytrue

XRY(http://www.msab.com/)

Cellebrite UFED(UniversalForensicExtractionDevice)-http://www.cellebrite.com/

Logicube CellDEK(http://www.logicube.com/)

• MOBILedit!Forensic(http://mobiledit.com/)

• progamming equipmentforanalysis

5/5/18

• iXAM(http://www.ixam-forensics.com/)

TwisterFlasher

FileSystemExamination

• dependsondevice• unique• builtinsystemsQualcomm(BREW,BinaryRuntimeEnvironmentforWireless)• FAT,ext2,ext3,HSFX,APFS,…

• varioustoolsareavailable:

5/5/18

Somebasictools...

BitPim(http://www.bitpim.org/)–MotorolaCDMA

Somebasictools...

ForensicToolkit,FTK(http://accessdata.com/products/computer-forensics/ftk)– iPhone

Datarecovery

• evenifwedon’thaveallthedatawecanrecoverpartlydeleteddatafromlogicaldata

5/5/18

Datarecovery

• ifitisusualfilesystem (FAT,ext2,ext3,APFS,...)alreadyknowntools• EnCaseanddeletedimages

Datarecovery

• Inthisexampleofcompositefiles(MMS,docx,...)wecanfindpartsofdata

Datarecovery

• ExampleofdatacapturedusingDFF(DigitalForensicFramework,http://www.digital-forensic.org/)• Challenge:Studytheenironment andhowitisspread

5/5/18

DataFormatSMIL

• SynchronizedMultimediaIntegrationLanguage• partof W3Cstandard- http://www.w3.org/AudioVideo/• versions 1,2in3(http://www.w3.org/TR/SMIL3/)

• includes SVGitems (enhancedvectorgraphics,ScalableVectorGraphics)• allows:• animation,integrationofotherimages,modularization,...

• Challenge:FindSMILfileandstudyit.• Challenge:MakeyourSMILfileandsendittotheforum.

Datarecovery

• SSDisusedasstorage• Data,whichareinstorage,butnotstructured• Partlydeleteddata• Dataindeletedblockswhicharescatteredperunit

• Challenge:lookupforensicchallengeandsolution DRFWS2010(DigitalForensicResearchConference)–http://www.dfrws.org/2010/challenge/• Examplesoffileswiththeunitareavailable

• Challenge:lookupforensicchallengeandsolutionDRFWS2011–http://www.dfrws.org/2011/challenge/• Challenge:lookupforensicchallengeDRFWS2012–http://www.dfrws.org/2012/challenge/

Examination – other data

• Alotofsmartphonessavestheirdataindatabase• SQlite– Android,iPhone,Palm,...• cemail.vol– WindowsMobile

5/5/18

Examination – dataformats

• mostlystandardformats:• 7-bitstandard;GSM03.38:160characters• 16-bit UCS-2(UniversalCharacterSet,UTF-16):70 characters

Examination – dataformats

• bigandlittleendian – dependingontheprocessor• Motorola– big-endianformat

• debeliintankikošček(nibble)• number 12036452774issavedas2130462577F4(Fisfiller)

Examination– SIMcard

• SIM(SubscriberIndentyModule)• deviceispropertyofuser,SIMcardisownedbytheoperator• whichallowstheusertostorecertaindataonit

• detaileddefinitionin:• ETSI(EuropeanTelecommunicationsStandardsInstitute):GSM,GlobalMobileCommunications,GSM11.11,1995.• www.ttfn.net/techno/smartcards/gsm11-11.pdf

5/5/18

SIMcard

• verysimpleinteriorstructure• itconsistsoffilesandeachfilehasitsownidentification2-bytecode

� firstbyterepresentstypeoffile:� 3F–MasterFile MF� 7F–DedicatedFile,DF� 2F– partialfileMF� 6F– partialfileDF

SIMcard

• Somefilesaredefinedinthestandard• 3F00:7F10(DFTELECOM,dedicatedfile):recordsontheuseofservices (i.e.sent SMS,dialednumbers,...)• 3F00:2FE2(EFICCID,elementaryfile):savesICC-ID(IntegratedCircuitCardID)• 3F00:7F20:6F07EFIMSI:saves IMSI(InternationalMobileSubscriberIdentity)• 7F20:6F7E(EFLOCI):howthecardwasmovingbetweenoperators• 7F20:6F53(EFLOCIGPRS):GPRS routingarea

SIMcard

• toolsforexaminingSIMcard:• TULP2G:NetherlandsForensicInstitute• http://tulp2g.sourceforge.net/• toolisnotupdatedbutitisfineforreadingoftheSIMcard

5/5/18

SIMcard

• exampleofinformationfromSIMcard (ParabenDeviceSeizure)

SIMcard

• Challenge:HowcanIaccessthedataonyourSIMcard?• Challenge:IstheentireGPRShistorysaved?• Challenge:naštejtejteEF,vkaterelahkopišeuporabnik. ListtheEFinwhichusercanwrite.

SIMcardandsecurity

• cardisprotectedwithPIN(PersonalIdentificationNumber)code• ifyoumaketoomanymistakes(cannotbechecked),thecardlockeditself• forunlockingweneedPUK(PINUnlockKey)code• oftenoperatorhasit

digital forensics - uni-lj.si

Documents

course catalogue - uni-lj.si

nicolas froeliger - uni-lj.si

magistrska naloga - uni-lj.si

clotho - uni-lj.si

dr. nina zidar - uni-lj.si

dn travnik tilen - uni-lj.si

viri in literatura - uni-lj.si

paul onanuga - uni-lj.si

2 care - uni-lj.si

digital photogrammetry - uni-lj.si

applied soft computing - uni-lj.si

getting started simprocess - uni-lj.si

an - uni-lj.si

university of sarajevo - uni-lj.si

režimi odmerjanja zdravil - uni-lj.si

deconstructing voice - uni-lj.si

theological quarterly - uni-lj.si

research - uni-lj.si

university of ljubljana - uni-lj.si

cypro manual v201 - uni-lj.si