digital forensics lecture 8
TRANSCRIPT
0011 0010 1010 1101 0001 0100 1011
Digital Forensics Lecture 8
Cell Phone/PDA Analysis
This Week’s Presentations
• Maggie Castillo: Cell Phones
• Jim Curry: PDAs
• Ryan Ware: Investigation of Non-traditional Equipment: Autos, Washers, …
• Nicholas Gallegos: MP3 Players
• Barry Gavrich: Flash Media (EC)
• Ron Prine: Digital Cameras
Next Week Presentations
• Joshua Prusak: Tools for Binary Analysis
• Sage LaTorra: Detection of Malicious Code
• Rodrigo Lopes: Reverse Engineering
• Chad Cravens: Encrypted Binaries (EC)
News Item
• US District Judge William Wilson has dismissed a class action lawsuit against data aggregator Acxiom, citing "lack of standing"; there is no evidence that data stolen from Acxiom's databases had been used to send spam or junk mail. Scott Levine was sentenced to eight years in prison for unauthorized access to Acxiom computers. Levine ran a company that had been identified as a spammer, but there is no evidence the company used the information taken from the Acxiom databases. An attorney for the plaintiffs says no decision has been made yet on whether they plan to appeal the judge's ruling.
Lecture Overview
• Cell Phones
• PDAs
• General Tools and Methods
Process (within Legal/Policy constraints): Preparation → Collection → Analysis → Findings/Evidence → Reporting/Action
Module 1
Cell Phones
External Communications
• Cell Phone Network
  – Command channel: used for registration, call processing, and some data
  – GSM/CDMA/AMPS data channel
• GPS
  – Used to establish the geo-location of the unit
• Bluetooth
  – Used for local dialing and audio extension
• IR
  – Used for PDA-like inter-unit communication
Internal Structure
• Processor
• Core applications
• User-configured applications
• SIM card (GSM; can be exchanged between units)
• Application-specific hardware (encryption, codecs, etc.)
• Integrated memory
• Expandable memory
• Audio transducers
• Camera lens
• Keypad entry
• Display
• Data port
• External communication interfaces
• Battery
Functions and Features
• Multi-network cell phone
• E911
• Web browsing
• Text messenger
• PDA (contacts, calendar, notes, etc.)
• Camera/video
• Voice recorder
• GPS navigator
• Personal audio/video player
• Personalized location-based services (e.g., dating)
• Other personalized services (e.g., sports scores)
Characteristics
• Radio communications
  – RF
  – CDMA (US), GSM (international)
• Data storage
  – Possibly removable
• Runs programs
  – Web browser, email, timer
Type of Data to Collect
• User Data
  – Phone directory, images, movies, email, documents, bookmarks, Short Message Service (SMS), call logs
• Operator Data
  – Geographic data, SMS parameters, network priority, network restrictions
• Handset Data
  – Active internal parameters
Location of Data
• Handset
  – Phone numbers, stored audio/video/images/text messages, documents, call logs, programs, calendar, alarms, various settings
• Network
  – Customer name/address, billing info, services, Call Data Record (stations, type of service, endpoints of calls)
• SIM (Subscriber Identity Module) (GSM only)
  – Card serial number, various control parameters
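An added example, not part of the lecture: the SMS messages listed above under handset and SIM data are stored as GSM 03.40 PDUs (on the SIM, in EF_SMS records prefixed by a status byte), and the analysis step has to recover sender, service-centre timestamp and text from that encoding. The sample record below is constructed (a textbook-style "hellohello" message), and the decoder assumes a plain SMS-DELIVER in the GSM 7-bit default alphabet with no user data header.

```python
# Added example, not from the lecture: decode a GSM 03.40 SMS-DELIVER PDU
# as found in a handset dump or a SIM EF_SMS record. Sample data is constructed.
GSM7 = ("@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ !\"#¤%&'()*+,-./0123456789:;<=>?"
        "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà")
SIM_STATUS = {0x00: "free", 0x01: "received, read", 0x03: "received, unread",
              0x05: "sent", 0x07: "to be sent"}   # EF_SMS record status byte

def swap_nibbles(hexstr):
    """Semi-octet fields store the low digit first: '7238' -> '2783'."""
    return "".join(hexstr[i + 1] + hexstr[i] for i in range(0, len(hexstr), 2))

def unpack_7bit(data, septets):
    """Unpack GSM 7-bit packed user data (LSB first) into text."""
    bits = int.from_bytes(data, "little")
    return "".join(GSM7[(bits >> (7 * i)) & 0x7F] for i in range(septets))

def decode_sms_deliver(pdu_hex):
    """Return SMSC, sender, service-centre timestamp and text of a PDU."""
    b = bytes.fromhex(pdu_hex)
    smsc_len = b[0]
    smsc = swap_nibbles(b[2:1 + smsc_len].hex()).rstrip("f")
    if b[1] & 0x70 == 0x10:                 # type-of-address: international
        smsc = "+" + smsc
    pos = 1 + smsc_len
    if b[pos] & 0x43:                       # only plain SMS-DELIVER, no UDH
        raise ValueError("unsupported PDU type")
    digits, toa, pos = b[pos + 1], b[pos + 2], pos + 3
    sender = swap_nibbles(b[pos:pos + (digits + 1) // 2].hex())[:digits]
    if toa & 0x70 == 0x10:
        sender = "+" + sender
    pos += (digits + 1) // 2                # now at PID; DCS follows it
    if b[pos + 1] != 0x00:
        raise ValueError("only the GSM 7-bit default alphabet is handled")
    scts = b[pos + 2:pos + 9]
    yy, mo, dd, hh, mi, ss = (int(swap_nibbles(f"{x:02x}")) for x in scts[:6])
    tz = scts[6]                            # quarter hours; sign = bit 3 of tens digit
    quarters = (tz & 0x07) * 10 + (tz >> 4)
    # Year stays two digits as stored; the examiner establishes the century.
    stamp = (f"{yy:02d}-{mo:02d}-{dd:02d} {hh:02d}:{mi:02d}:{ss:02d} "
             f"GMT{'-' if tz & 0x08 else '+'}{quarters // 4}:{quarters % 4 * 15:02d}")
    text = unpack_7bit(b[pos + 10:], b[pos + 9])  # UDL counts septets; FF padding is harmless
    return {"smsc": smsc, "sender": sender, "timestamp": stamp, "text": text}

def decode_sim_record(record_hex):
    """EF_SMS record = status byte + PDU, padded with FF to the record length."""
    msg = decode_sms_deliver(record_hex[2:])
    msg["status"] = SIM_STATUS.get(int(record_hex[:2], 16), "unknown")
    return msg

# Constructed sample: a received, read message as it might sit in EF_SMS.
SAMPLE_RECORD = ("01" "07917238010010F5040BC87238880900F10000993092516195800A"
                 "E8329BFD4697D9EC37" + "FF" * 8)
```

Calling `decode_sim_record(SAMPLE_RECORD)` yields the SMSC +27831000015, sender 27838890001, timestamp 99-03-29 15:16:59 GMT+2:00, the text "hellohello" and the status "received, read".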
Gotchas
• Don’t power it off
• Don’t allow it to connect to the network
  – Store in a Faraday cage
• Don’t try to unlock
• Cover IR port, if present
• If off, remove the battery but keep it with the phone
Tools
• Data acquisition, decoding, and translation
  – Vary greatly depending on phone
• Data analysis
  – Lots of partially working tools
• SIM analysis
  – Tools don’t work for Cingular, Axalto
• Technology is changing daily!
Module 2
PDAs
Characteristics
• Communications
  – Wired: USB, serial
  – Wireless: IR, WiFi, Bluetooth
• Data storage
  – Removable media
  – Internal
• Runs programs
  – Calendar, email, web browser
Type of Data to Collect
• User Data
  – Directory, images, movies, email, documents, bookmarks
• System Data
  – Internal settings
Location of Data
• PDA memory
• Removable media cards
• Synchronizing PC
• PC backups
• Network owners
Gotchas
• Might have to reset auto-shutoff mode
• Cover IR port, if present
• Store in a Faraday cage until the acquisition step
Tools
• Data acquisition, decoding, and translation
  – EnCase
  – PDA Seizure
  – Palm Debugger
• Data analysis
  – EnCase
  – PDA Seizure
  – Palm Emulator (http://www.palmos.com/dev/tools/emulator/)
Module 3
General Tools and Methods
Errata
• PDAs and cell phones are converging
• Forensic tools are NOT keeping up
Tools
• Some common tools
  – Radio frequency limiters (Faraday bags/cages)
  – Radio frequency disrupters
  – Memory card readers
• Multi-purpose tools absent
• Specialized, sometimes to single models
• Most tools not court tested
Methods
• Data acquisition
  – Depends on role
  – Ask for PIN/PW, exploit known weaknesses
  – Access through backdoor
• Analysis
  – Similar to computer forensics
  – Use to find other pointers
  – Don’t forget the cell phone network
Gaps
• What are the difficult problems?
  – Cell phone technology is not mature
  – Cell phone interfaces are not standard
  – PDA and cell phone capabilities are merging
  – Few products are court tested
• Balancing privacy with security
• Analysis techniques
References
• http://csrc.nist.gov/publications/nistir/nistir-7100-PDAForensics.pdf
• http://csrc.nist.gov/publications/nistir/nistir-7250.pdf
• http://csrc.nist.gov/publications/nistpubs/800-72/sp800-72.pdf
• WayneJansen_MobileForensics.pdf
• MobileForensics-NIST.pdf
Questions?
After all, you are an investigator