8/7/2019 Final Digital Forensic Small Devices Report
Name: Mithilesh Patel Digital Forensics Small Devices Student ID: 0641800
Digital Forensic Small Devices Report
Submitted to: Dr Brian Cusack
Submitted By: Mithilesh Patel
Student ID: 0641800
Paper Name: Cyber Crime & IT Governance
Paper Number: 409313
Due Date: 08 April 2010
Table of Contents
1. Introduction
2. Digital Forensics and its core elements
4. Small Scale Digital Devices Forensics (SSDDF)
5. Digital Forensic Procedure in Mobile Phone
6. Case Studies
7. Conclusion
8. References
1. Introduction
Digital forensics of small devices is a relatively new and rapidly changing field of study. Both the scope of small-device forensics and the steps involved in performing it are still loosely defined, and the definitions keep shifting as the devices themselves change.
This report first explains the term digital forensics. It then describes each phase of the digital forensic process: Collection of Data/Acquisition, Examination/Extraction, Analysis and Reporting.
The second section briefly introduces the Small Scale Digital Device framework and the different types of small devices available on the market. Covering every device is out of scope, so this report focuses on GSM cell phones: the background of GSM, the architecture of a cell phone, the two types of acquisition process, and the different types of software used for digital forensics of cell phones and SIM cards.
The third section covers the best-practice steps for a forensic investigator to follow, shown as a flow diagram. The steps in the cell phone forensic procedure are based on the ACPO principles.
Finally, the report concludes by summarising the information accumulated during its preparation and gives my personal opinion about digital forensics of small scale devices.
2. Digital Forensics and its core elements
Digital forensics means "the application of computer science and investigative procedures for a legal purpose involving the analysis of digital evidence after proper search authority, chain of custody, validation with mathematics, use of validated tools, repeatability, reporting, and possible expert presentation" (Zatyko, K., 2007).
The main aim of carrying out forensic activities is to gain a better understanding of an incident by searching for and investigating the data related to it. Such procedures are usually carried out for legal purposes, for internal disciplinary action against an employee, and for handling malware incidents and unusual operational problems (Kent, K., Chevalier, S., Grance, T., & Dang, H., 2006).
This section briefly covers the core phases of digital forensics by walking through each phase of the diagram below (refer to Figure 1).
According to the NIST report, the basic steps of a digital forensic investigation in any case are as follows:
Figure 1 (Forensic Processes) (Kent, K., Chevalier, S., Grance, T., & Dang, H., 2006)
1. Collection of Data/Acquisition:
"Digital evidence, by its very nature, is fragile and can be altered, damaged, or destroyed by improper handling or examination." (Hart, S., n.d.)
In this phase all evidence related to the case must first be recognised, then labelled for identification and recorded so that its integrity can be demonstrated later. Devices such as mobile phones and PDAs, and their batteries, must be collected in a way that does not lose active (volatile) data, e.g. network information and the data held inside the device.
Depending on the case, this phase also includes the general steps of a seizure: obtaining a warrant, planning the seizure, securing the crime scene and transporting the evidence to the forensic lab for extraction. The people involved in the acquisition phase must therefore make sure they abide by the rules.
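As an added example (not part of the original report), the following Python script shows how the "label and record" step can be carried out in practice: the hashes of an acquired image are recorded at seizure together with a custody trail, and the same hashes are recomputed before examination so that any change to the exhibit is detected. The exhibit ID, the examiner names and the image bytes are constructed for the example.

```python
"""Evidence intake record with integrity hashes (added example, not from the report).

Every seized item gets an exhibit ID, its hashes are computed at acquisition
time, every hand-over is appended to a custody trail, and the hashes are
recomputed before examination to prove the item was not altered in between.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample standing in for a dumped handset image. Not real data.
SAMPLE_IMAGE = b"\x00" * 64 + b"CONTACT:Alice;+6421000000\x00" + b"\xff" * 32


def hash_item(data: bytes) -> dict:
    """Return MD5 and SHA-256 hex digests for an evidence item (two algorithms,
    so a collision in one would still be caught by the other)."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def record_exhibit(exhibit_id: str, description: str, data: bytes, examiner: str) -> dict:
    """Create the chain-of-custody entry for one exhibit at the moment of acquisition."""
    return {
        "exhibit_id": exhibit_id,
        "description": description,
        "size_bytes": len(data),
        "hashes": hash_item(data),
        "acquired_by": examiner,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "custody": [],  # one entry per hand-over, appended by transfer()
    }


def transfer(entry: dict, from_person: str, to_person: str) -> dict:
    """Append a hand-over event to the custody trail and return the entry."""
    entry["custody"].append({
        "from": from_person,
        "to": to_person,
        "at": datetime.now(timezone.utc).isoformat(),
    })
    return entry


def verify_exhibit(entry: dict, data: bytes) -> bool:
    """Recompute both digests on the data presented for examination and compare
    them with the values recorded at seizure. Both must match."""
    return hash_item(data) == entry["hashes"]


def custody_report(entry: dict) -> str:
    """Serialise the record for inclusion in the examiner's report."""
    return json.dumps(entry, indent=2, sort_keys=True)


if __name__ == "__main__":
    rec = record_exhibit("EXH-001", "Handset flash dump (constructed sample)",
                         SAMPLE_IMAGE, "examiner A")
    transfer(rec, "examiner A", "lab intake")
    print(custody_report(rec))
    print("intact   :", verify_exhibit(rec, SAMPLE_IMAGE))
    tampered = bytearray(SAMPLE_IMAGE)
    tampered[70] ^= 0x01          # a single flipped bit breaks the match
    print("tampered :", verify_exhibit(rec, bytes(tampered)))
```

The record is deliberately plain JSON so that it can be printed and signed as part of the paper exhibit log; the examiner re-runs verify_exhibit on the working copy before any tool touches it.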
2. Examination/Extraction:
"The purpose of the examination process is to extract and analyze digital evidence. Extraction refers to the recovery of data from its media." (Hart, S., n.d.)
In this phase all evidence gathered at the crime scene is examined using a combination of manual processes and specialised tools or software, so that its integrity is maintained while information is extracted from the devices.
3. Analysis:
"Analysis refers to the interpretation of the recovered data and putting it in a logical and useful format." (Hart, S., n.d.)
Analysing the examination results is one of the most important phases. Proper procedures and documentation methods must be followed to ensure that the data obtained actually answers the questions that motivated the collection and examination.
4. Reporting:
"Actions and observations should be documented throughout the forensic processing of evidence." (Hart, S., n.d.)
The final phase involves reporting the results of the analysis, which may include describing the actions performed, determining what other actions need to be performed, and recommending improvements to policies, guidelines, procedures, tools and other aspects of the forensic process.
The report produced in this phase covers all of the gathered data and may include:
- an explanation of the actions taken
- the reasoning for selecting particular tools and procedures
- what other actions still need to be performed
- suggested improvements to the forensic processes, procedures, policies, guidelines and tools
As shown at the bottom of Figure 1, media is turned into evidence. In the first phase data is extracted from the media so that it can be examined; the examination turns that data into information, and analysis turns the information into evidence. This evidence can then be used in legal proceedings or for internal matters within a company.
4. Small Scale Digital Devices Forensics (SSDDF)
Digital device forensics has two major categories: Large Scale Digital Devices and Small Scale Digital Devices. SSDDF is a newly introduced area of the forensic world. It covers newly emerging technologies that are smaller in size and multi-purpose, which makes such devices considerably harder to recognise and investigate.
People working in this area have different views of which devices belong to it. To resolve this, a Small Scale Digital Device framework was formed which classifies each device by how it stores information (magnetically, optically or in flash memory) and by how it connects to a PC.
Figure 2 (Small Scale Digital Device Framework) (Christopher, D., & Mislan, R., 2007)
We are at times unaware of how small scale digital devices like USB drives, memory cards, mobile phones and PDAs can pose a threat to the actions we perform from day to day. It is critical that these small devices are examined by forensic investigators, as crimes or criminal activities are very often carried out using them.
The following table shows the different types of Small Scale Digital Devices that are normally found at a crime scene.
Figure 3 (Small Scale Digital Devices) (Christopher, D., & Mislan, R., 2007)
All of the devices listed above can be used in a crime; it is not possible to cover every device listed in Figure 3 here.
The devices used most often in crimes are USB thumb drives, all sorts of memory cards, cell phones, PDAs, smart phones, and GPS devices and receivers. Small scale devices are not limited to this list: there are many more on the market, e.g. pen cameras and button cameras, and their number increases day by day. Flash devices (EEPROM) have more forensic potential than any other sort of device because they retain their information even when powered off.
Figure 4 (Mobile Device Classification) (Ayers, R., n.d.)
Figure 4 shows how a GSM device is further divided into the handset and the SIM. This section focuses on GSM cell phones and briefly discusses the related storage components: the SIM, the memory card and the internal memory. It also explains the two types of acquisition method, the different forensic tools used for cell phones and SIMs, and where to look for evidence.
Ronald van der Knijff of the Netherlands Forensic Institute has defined a mobile phone as: Mobile = Portable PC = PDA + Phone + Internet + Navigation + Camera. This generation of cell phones can store more data, play music, take photos with a built-in camera, act as a computer and also include GPS, e.g. the BlackBerry Curve 8900, the iPhone and the Nokia N96.
The graph below (Figure 5) shows that the number of GSM subscribers is far greater than the number of CDMA subscribers. GSM handsets are attractive for crime because a criminal can steal a handset and then buy a SIM card, or carry several SIM cards bought with cash. This makes them effectively untraceable by handset, SIM card or phone number. Drug dealers use this practice and in fact carry many handsets and SIM cards.
Figure 5 (Number of CDMA and GSM subscribers) (Ayers, R., n.d.)
Cell Phone:
It is necessary to understand the basic architecture of a mobile phone in order to understand mobile phone forensics:
Figure 6 (Mobile Phone Architecture) (Willassen, S. Y., 2005)
The CPU manages the communication circuits and handles interaction with the user. It uses RAM to store temporary information, which is erased once the phone is turned off; the RAM may be integrated with the CPU or be a separate circuit. New-generation mobiles also have secondary non-volatile storage for information such as contacts, messages, photos, songs and videos, which is preserved even if the battery dies. Secondary storage is implemented in different ways, but the most common implementation is a flash memory circuit on the system board.
There is no standard for the file system structure. A tool could acquire both a Nokia 1100 and a Nokia 3100, but the data would be in different locations and stored in a different order. There are not many tools that can look at raw data and carve out text messages and the like. Most of the time data is logically extracted (complete messages, texts and phone lists), but this has the drawback of not recovering any deleted data.
There are two types of acquisition method: physical acquisition and logical acquisition. Different phones support different acquisition methods.
Figure 7 (Difference between Physical and Logical Acquisition)
Mobile devices differ from computers in that the phone generally has to be powered up to extract data. This creates the possibility of writes to the device, but it is unavoidable. In a perfect world the extraction would be done in an RF-shielded room; however, from a law enforcement perspective there is some benefit in having new messages delivered.
Software such as UFED (Cellebrite) with Physical Analyzer, XRY, BitPim and a variety of other software and hardware devices can dump the file systems and produce hex dumps of mobile devices. Working from such dumps increases the possibility of recovering trace evidence.
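To make the difference between the two acquisition methods concrete, the following Python script is an added example (not from the report and not the storage format of any real handset). It builds a constructed flash image with an invented message record layout, then extracts it twice: logically, by following the live index as the phone's own software would, and physically, by carving the whole dump for the record signature. Only the second pass finds the record that was dropped from the index but never erased.

```python
"""Logical vs physical extraction on a constructed flash image (added example).

The record layout is invented for this illustration. A logical extraction
walks the live index like the firmware does and therefore cannot see a
deleted message; carving a physical dump for the record signature can.
"""
import struct

MAGIC = b"SMS!"                   # constructed record signature
HDR = struct.Struct("<4sB10sH")   # magic, flags, sender (10 bytes), text length


def build_record(sender: str, text: str, flags: int = 0x01) -> bytes:
    body = text.encode("utf-8")
    return HDR.pack(MAGIC, flags, sender.encode().ljust(10), len(body)) + body


def build_image() -> bytes:
    """Constructed dump: an index of live records followed by a data area in
    which one record has been 'deleted' (dropped from the index) but not wiped."""
    live = [build_record("+64210001", "see you at 9"),
            build_record("+64210002", "bring the bag")]
    deleted = build_record("+64210003", "delete this after reading", flags=0x00)
    data_start = 4 + 2 * 3                 # room for a 3-entry index
    data, offsets = b"", []
    for rec in (live[0], deleted, live[1]):
        offsets.append(data_start + len(data))
        data += rec
    # Only the two live records are referenced by the index.
    index = struct.pack("<I", 2) + struct.pack("<HH", offsets[0], offsets[2])
    return index.ljust(data_start, b"\x00") + data + b"\xff" * 16   # erased flash reads 0xFF


def parse_record(img: bytes, off: int) -> dict:
    magic, flags, sender, length = HDR.unpack_from(img, off)
    if magic != MAGIC:
        raise ValueError(f"no record at {off:#x}")
    text = img[off + HDR.size: off + HDR.size + length]
    return {"offset": off, "deleted": flags == 0x00, "length": length,
            "sender": sender.decode().strip(), "text": text.decode("utf-8", "replace")}


def logical_extract(img: bytes) -> list:
    """What a logical tool gets: follow the index exactly as the firmware would."""
    (count,) = struct.unpack_from("<I", img, 0)
    offsets = struct.unpack_from(f"<{count}H", img, 4)
    return [parse_record(img, off) for off in offsets]


def carve(img: bytes) -> list:
    """What a physical dump allows: scan every byte for the signature regardless
    of the index, so unreferenced (deleted) records surface as well."""
    found, pos = [], 0
    while (pos := img.find(MAGIC, pos)) != -1:
        try:
            rec = parse_record(img, pos)
            found.append(rec)
            pos += HDR.size + rec["length"]
        except (ValueError, struct.error):
            pos += 1
    return found


if __name__ == "__main__":
    image = build_image()
    print("logical :", [r["text"] for r in logical_extract(image)])
    print("physical:", [(r["text"], "deleted" if r["deleted"] else "live")
                        for r in carve(image)])
```

The carve pass is only as good as its signature: a record whose header has been overwritten by a later write is not found, which is why carved results are always confirmed against the handset where possible.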
Valuable evidence is recovered from the handset, SIM cards (in case of GSM phones) and
memory cards. With mobile devices becoming much more multi-purpose, people tend to save
more information to the memory card. The card is analysed using conventional computer forensic methodology (imaging it through a write blocker) so that no changes are made to it. Programs such as EnCase and FTK are used to analyse the data on the cards. Deleted SMS messages can sometimes be recovered from the SIM card, and the SIM is analysed separately from the phone. Techniques such as JTAG access to the phone's internal memory can retrieve deleted information such as photos and messages.
The data extraction process for CDMA and GSM phones is similar; however, the extraction tools normally do not extract as complete a data set from CDMA phones as from GSM phones. The investigator needs to go through the phone manually to ensure that all relevant data has been extracted.
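Why deleted SMS messages can be recovered from a SIM at all follows from how the SIM stores them, and the following Python script is an added example (not from the report) that shows it. EF_SMS on a GSM SIM (3GPP TS 51.011) holds fixed 176-byte records, each beginning with a status byte; deleting a message on the handset normally just resets that byte to "free", leaving the message body in place. The script decodes constructed EF_SMS records (the numbers, timestamp and texts are made up) and contrasts the handset's view with the examiner's view. Only the SMS-DELIVER TPDU type and the GSM 7-bit alphabet are handled.

```python
"""Recovering 'deleted' SMS from SIM EF_SMS records (added example, not from the report).

EF_SMS record byte 1 is a status: 0x00 free, 0x01 received/read, 0x03 received/
unread, 0x05 sent, 0x07 to be sent. The SMS TPDU follows it. Handsets usually
delete by resetting the status only, so the body is often still there.
"""
from typing import Optional

RECORD_LEN = 176
STATUS_FREE, STATUS_READ = 0x00, 0x01

# GSM 7-bit default alphabet: the subset coinciding with ASCII, plus the three
# common codes that differ. Other codes decode as '?' in this example.
_GSM7 = {0x00: "@", 0x02: "$", 0x11: "_"}
for _lo, _hi in ((0x20, 0x23), (0x25, 0x3F), (0x41, 0x5A), (0x61, 0x7A)):
    _GSM7.update({c: chr(c) for c in range(_lo, _hi + 1)})
_GSM7_REV = {v: k for k, v in _GSM7.items()}


def _bcd_digits(raw: bytes, ndigits: int) -> str:
    """Swapped-nibble BCD used for addresses and timestamps (b'\\x46' -> '64')."""
    nibbles = []
    for b in raw:
        nibbles += [b & 0x0F, b >> 4]
    return "".join(str(n) for n in nibbles[:ndigits])   # slice drops the 0xF pad


def _bcd(digits: str) -> bytes:
    if len(digits) % 2:
        digits += "F"
    return bytes(int(digits[i + 1] + digits[i], 16) for i in range(0, len(digits), 2))


def gsm7_unpack(ud: bytes, septets: int) -> str:
    """Septets are packed LSB-first, so the field is one little-endian integer."""
    value = int.from_bytes(ud, "little")
    return "".join(_GSM7.get((value >> (7 * i)) & 0x7F, "?") for i in range(septets))


def gsm7_pack(text: str) -> bytes:
    value = 0
    for i, ch in enumerate(text):
        value |= _GSM7_REV[ch] << (7 * i)
    return value.to_bytes((len(text) * 7 + 7) // 8, "little")


def parse_record(rec: bytes) -> Optional[dict]:
    """Decode one EF_SMS record holding an SMS-DELIVER TPDU; None if never written."""
    status, body = rec[0], rec[1:]
    if body[:3] == b"\xff\xff\xff":
        return None
    pos = 1 + body[0]                        # skip service-centre address (len, TOA, digits)
    if body[pos] & 0x03 != 0x00:             # TP-MTI: only SMS-DELIVER handled here
        return None
    pos += 1
    oa_digits, oa_toa = body[pos], body[pos + 1]
    pos += 2
    oa_len = (oa_digits + 1) // 2
    sender = _bcd_digits(body[pos:pos + oa_len], oa_digits)
    if oa_toa & 0x70 == 0x10:                # type-of-number: international
        sender = "+" + sender
    pos += oa_len + 2                        # skip TP-PID, TP-DCS (7-bit default assumed)
    ts = _bcd_digits(body[pos:pos + 7], 14)  # TP-SCTS: YY MM DD hh mm ss tz
    pos += 7
    udl = body[pos]
    text = gsm7_unpack(body[pos + 1:pos + 1 + (udl * 7 + 7) // 8], udl)
    return {"status": status, "deleted": status == STATUS_FREE, "sender": sender,
            "timestamp": f"20{ts[0:2]}-{ts[2:4]}-{ts[4:6]} {ts[6:8]}:{ts[8:10]}:{ts[10:12]}",
            "text": text}


def build_deliver(status: int, sender_digits: str, text: str) -> bytes:
    """Constructed record: SCA +6421000000, timestamp 2010-04-08 14:35:21 (+12:00)."""
    sca = _bcd("6421000000")
    tpdu = bytes([len(sca) + 1, 0x91]) + sca                          # SCA
    tpdu += bytes([0x04])                                             # SMS-DELIVER
    tpdu += bytes([len(sender_digits), 0x91]) + _bcd(sender_digits)   # TP-OA
    tpdu += bytes([0x00, 0x00])                                       # TP-PID, TP-DCS
    tpdu += _bcd("10040814352148")                                    # TP-SCTS
    tpdu += bytes([len(text)]) + gsm7_pack(text)                      # TP-UDL, TP-UD
    return (bytes([status]) + tpdu).ljust(RECORD_LEN, b"\xff")


def build_ef_sms() -> bytes:
    """Three records: live, 'deleted' (status reset, body intact), never used."""
    return (build_deliver(STATUS_READ, "6421000001", "Meet at the usual place 9pm")
            + build_deliver(STATUS_FREE, "6421000002", "Cash only, bring 2k")
            + b"\xff" * RECORD_LEN)


def read_records(ef: bytes, include_deleted: bool) -> list:
    """include_deleted=False is what the handset shows; True is the examiner's view."""
    out = []
    for n, off in enumerate(range(0, len(ef), RECORD_LEN), start=1):
        rec = ef[off:off + RECORD_LEN]
        if rec[0] == STATUS_FREE and not include_deleted:
            continue
        parsed = parse_record(rec)
        if parsed:
            parsed["record"] = n
            out.append(parsed)
    return out


if __name__ == "__main__":
    ef = build_ef_sms()
    for view, flag in (("handset view", False), ("examiner view", True)):
        print(view)
        for m in read_records(ef, include_deleted=flag):
            tag = "DELETED" if m["deleted"] else "live"
            print(f"  rec {m['record']} [{tag}] {m['sender']} {m['timestamp']}: {m['text']}")
```

Whether a freed record still carries its body is implementation dependent: some SIMs overwrite the record with 0xFF on delete, which is exactly the never-written case the parser reports as empty.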
The best evidence is always the mobile device itself; data extraction is just a means of getting the data into a friendlier format. Evidence recovered using these tools is confirmed by viewing it on the mobile device itself. Places where evidence can be found:
Figure 8 (Types of Evidence) (Ayers, R., n.d.) and (Willassen, S. Y., 2003)
In terms of forensic procedure, different software and connection methods are used to extract data from phones; no one tool does it all.
Examples of tools used for cell phone and SIM card forensics are as follows:
Figure 9 (Tools for Cell phone & SIM card forensics) (Ayers, R., Jansen, W., Cilleros, N., & Daniellou, R., 2005)
5. Digital Forensic Procedure in Mobile Phone
As far as procedures for cell phones are concerned, they can be a nightmare: there is no one procedure that works with all phones. With this in mind we still need to apply best practice, use write-blocking software or hardware where possible, and of course document every step of the work when examining cell phones.
ACPO (Association of Chief Police Officers) has formed four principles for the safe handling of digital evidence. These principles are designed mainly for law enforcement agencies and for investigators working in conjunction with them. They cover all the core elements of digital forensics: Acquisition, Examination/Extraction, Analysis and Reporting. This section therefore follows the ACPO principles as the best-practice guide for mobile phone seizure and examination.
Figure 10 (Four ACPO Principles) (ACPO Guidelines, n.d.)
With reference to the ACPO principles, the following diagram shows in detail the procedure followed for the preservation and forensic examination of a cell phone. (Digitale Technologie & Biometrie|Vacaturesite, 2006)
6. Case Studies
All of the following case studies are taken from the website of a UK-based forensic company, CCL Forensics. They are examples of cases involving mobile phones in different crimes. (Case Studies - CCL Forensics, n.d.)
- Drugs importation: A person was arrested by police on suspicion of bringing in Class A drugs worth over 100K. During the investigation police found the suspect's cell phone, which was given to CCL to recover deleted text messages and call logs. The man was later sentenced to 10 years' imprisonment.
- Video retrieval: A young boy was suspected of carrying out a serious assault on another child while his friend took pictures on his cell phone. By following the ACPO guide for cell phone seizure and examination, the analyst was able to retrieve the pictures and a multimedia message, with a picture of the assault attached, that had been sent to another child.
- Deception: A large group of people was suspected of bringing in stolen goods. Several suspects were arrested in a police sting operation, during which a large number of cell phones were seized and handed in for examination. Evidence such as call logs relating to a specific number was discovered.
- Harassment: An accusation of harassment was made by a victim who was receiving phone calls and text messages from an ex-partner. The suspect was arrested and his cell phone was seized and submitted for examination, with a request to establish whether the accused had actually been calling and texting in a particular time frame. Text messages and dialled numbers found on the accused's phone provided that evidence.
7. Conclusion
This report has shown the four core processes of digital forensics, which must be carried out by any forensic investigator to retrieve evidence from small devices.
By comparing the different types of small scale device, I found that cell phones are the best example of small hand-held devices. As we all know, cell phones these days are equivalent to a portable PC, with features like GPS, a music player, high-capacity non-volatile storage, a camera and internet access. Because of these features, the number of crimes committed using cell phones is high. We all know that no one device does all the work. Figure 8 shows the many different places where evidence can be found in a cell phone and SIM, which makes anti-forensic activity harder on such devices than in other digital forensic fields.
Cell phone related crime is very high. European countries such as Germany, Sweden and France, and the USA, are leading in cell phone crime, and soon enough the activity, and the crime, will double.
The ACPO procedures were highlighted in this report because I would say they are the best forensic practice to follow for the acquisition of cell phones and PDAs. ACPO principles have been actively used by UK Interpol for mobile forensics. They were specifically designed with law enforcement and private investigators in mind. The ACPO principles also follow the core principles of digital forensics mentioned above.
The case studies covered some criminal activities performed with the help of cell phones. In my opinion small scale devices pose a huge threat, as new devices with advanced applications evolve day by day. Because of their small size and large storage capacity, the advanced application functionality lets users perform criminal activities, especially with small hand-held devices.
In my view the focus should move to small scale digital devices, as in the long term storage devices are going to get smaller. The rate at which devices are shrinking is higher than the rate at which forensic tools are being developed.
8. References
- Ayers, R. (n.d.). Mobile Device Forensics. Retrieved March 26, 2010, from www.cftt.nist.gov/AAFS-MobileDeviceForensics.pdf
- Ayers, R., Jansen, W., Cilleros, N., & Daniellou, R. (2005). Cell Phone Forensic Tools: An Overview and Analysis. National Institute of Standards and Technology, NISTIR 7250, pp. 8-9. Retrieved April 6, 2010, from http://csrc.nist.gov/publications/nistir/nistir-7250.pdf
- ACPO Guidelines. (n.d.). Forensic Computing Limited. Retrieved April 5, 2010, from www.forensic-computing.ltd.uk/acpo.htm
- Britz, M. T. (2008). Computer Forensics and Cyber Crime: An Introduction (2nd ed.). Alexandria, VA: Prentice Hall.
- Case Studies - CCL Forensics. (n.d.). Computer Forensics, Digital Forensics, Computer Analysis - CCL Forensics. Retrieved April 6, 2010, from http://www.ccl-forensics.com/235/Case_Studies.html#16
- Christopher, D., & Mislan, R. (2007). A Small Scale Digital Device Forensics Ontology. Retrieved March 27, 2010, from http://www.ssddfj.org/papers/SSDDFJ_V1_1_Harrill_Mislan.pdf
- Device Forensics, Netherlands Forensic Institute. Retrieved March 14, 2009, from http://www.dfrws.org/2007/proceedings/vanderknijff_pres.pdf
- FlowChartForensicMobilePhoneExamination. (2006, May 4). NFI | Digitale Technologie & Biometrie | Vacaturesite. Retrieved April 7, 2010, from http://www.holmes.nl/MPF/FlowChartForensicMobilePhoneExamination.htm
- Jansen, W., & Ayers, R. (2007). Guidelines on Cell Phone Forensics: Recommendations of the National Institute of Standards and Technology. Special Publication 800-101. Retrieved March 24, 2010, from http://csrc.nist.gov/publications/nistpubs/800-101/SP800-101.pdf
- Kent, K., Chevalier, S., Grance, T., & Dang, H. (2006). Guide to Integrating Forensic Techniques into Incident Response: Recommendations of the National Institute of Standards and Technology. Special Publication 800-86. Retrieved March 26, 2010, from http://csrc.nist.gov/publications/nistpubs/800-86/SP800-86.pdf
- Hart, S. (n.d.). Forensic Examination of Digital Evidence: A Guide for Law Enforcement. NIJ. Retrieved March 16, 2010, from www.ncjrs.gov/pdffiles1/nij/199408.pdf
- van der Knijff, R. (n.d.). 10 Good Reasons Why You Should Shift Focus to Small Scale Digital Device Forensics. Purdue University Cyber Forensics Lab. Retrieved March 22, 2010, from http://dfrws.org/2007/proceedings/vanderknijff_pres.pdf
- Westman, M. (n.d.). Complete Mobile Phones Forensic Examination: Why We Need Both Logical & Physical Extractions. Mobile Forensics World 2009, Chicago, IL. Retrieved March 27, 2010, from http://mobileforensicsworld.org/2009/presentations/MFW2009_Westman_LogicalandPhysicalExtractions.pdf
- Willassen, S. Y. (2005). Advances in Digital Forensics: IFIP International Conference on Digital Forensics, National Center for Forensic Science, Orlando, Florida, February 13-16, ... Federation for Information Processing) (1st ed.). New York: Springer.
- Willassen, S. Y. (2003). Forensics and the GSM mobile telephone system, 2(1), 11-12. Print.
- Zatyko, K. (n.d.). Computer Forensics. IT/Law Sherlock Holmes: Computer Forensics. Retrieved March 24, 2010, from http://floridalawfirm.com/forensics.html
- Zatyko, K. (n.d.). Commentary: Defining Digital Forensics. Forensic Magazine. Retrieved April 7, 2010, from http://www.forensicmag.com/articles.asp?pid=130