Police Technology Forum: Mobile devices and their implications for forensic investigations in Australia
Dr Kim-Kwang Raymond Choo, Information Assurance Research Group, University of South Australia

Uploaded by informa-australia on 19 June 2015

DESCRIPTION

Dr Raymond Choo, Research Director, Cloud Security Alliance, and Senior Lecturer, School of Information Technology and Mathematical Sciences, University of South Australia, delivered this presentation at the 2014 Police Technology Forum. The Police Technology Forum 2014 seeks to address technology innovation, evolution and development within Australia's law enforcement industry. Over two days, a panel of experts gathers to examine opportunities, initiatives and issues facing organisations both in front-line policing and in the wider law enforcement industry, including transport, border protection and surveillance. For more information about the event, please visit: http://www.informa.com.au/policetechforum

TRANSCRIPT

Page 1: Dr Raymond Choo, Cloud Security Alliance - Mobile devices and their implications for forensic investigations in Australia

Police Technology Forum

Mobile devices and their implications for

forensic investigations in Australia

Dr Kim-Kwang Raymond Choo

Information Assurance Research Group

University of South Australia

Page 2: Poll

How many of us do NOT have at least one smart mobile device (e.g. Android, iOS (iPhone or iPad), Windows or BlackBerry)?

Differences between a smart mobile device and a PC/"traditional" laptop?

• Apps (other than on a Windows 8 PC or laptop)? What types of apps have you installed on your devices? Email, cloud storage (e.g. Dropbox), social networking, VoIP, etc.?

Page 3: (no text extracted from this slide)

Page 4

How many of us READ / RESEARCH the type of permissions apps are asking for at the time of installation?

Do you know what your apps have just requested?

Page 5: Mobile apps and forensic investigations

What do mobile apps have to do with forensic investigations?

1. What is the best method of identifying app usage on a smart mobile device?

2. Do you know what data/remnants remain on a smart mobile device after the user has used one or more apps?

Page 6

Part I: Cloud Forensics

Part II: Mobile Device and App Forensics

Part III: Data Reduction Framework

Page 7: Challenges of cloud forensics

• It is potentially more difficult to acquire and analyse digital evidence to the same standards as those currently expected for traditional server-based systems, for example:
  – an exact and verifiable digital copy of the user's data must be made;
  – the contents of the RAM of the virtualised environment must be identified and copied;
  – there must be provenance;
  – evidence of intent must be proved;
  – data must be analysed and processed in accordance with the prevailing rules of evidence; and
  – evidence must be preserved and made available for examination by the defendant's legal team.

• Examination and analysis using digital forensics tools such as EnCase®, FTK™ and XRY™ will need to be augmented by "translators" which convert popular cloud computing file formats into data files for processing.
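Two of the requirements on this slide, an exact and verifiable copy and provenance, translate directly into how an acquisition from a cloud service is recorded. The following is an added example, not code from the presentation or from the authors' framework: it hashes the downloaded bytes once while copying them, writes a provenance record that a defence examiner can later re-check, and shows the check failing once a single byte of the copy changes. The case identifier, examiner name, source URI, tool name and sample object are constructed.

```python
"""Verifiable copy and provenance record for data acquired from a cloud service.

Added example, not from the presentation or the authors' framework. The
case number, examiner, source URI, tool name and sample object are constructed.
"""
import hashlib
import json
from datetime import datetime, timezone


def hash_chunks(chunks):
    """Hash an iterable of byte chunks in one pass; return digests and size.

    A multi-gigabyte download can be hashed as it is written, so no second
    read of the data is needed to produce the verification values.
    """
    sha256, md5, size = hashlib.sha256(), hashlib.md5(), 0
    for chunk in chunks:
        sha256.update(chunk)
        md5.update(chunk)
        size += len(chunk)
    return {"sha256": sha256.hexdigest(), "md5": md5.hexdigest(), "size": size}


def acquire(chunks, source, examiner, case_id, tool="example-acquirer/0.1"):
    """Copy the data and build its provenance record in the same pass.

    Returns (copied_bytes, record). The record states what was taken, from
    where, by whom, when and with which tool, plus the digests that show
    the copy is exact. It is the artefact the defence team would re-verify.
    """
    copied = bytearray()

    def tee():
        for chunk in chunks:
            copied.extend(chunk)
            yield chunk

    record = {
        "source": source,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "case_id": case_id,
        "tool": tool,
    }
    record.update(hash_chunks(tee()))
    return bytes(copied), record


def verify(copied, record):
    """Re-hash the preserved copy; True only if size and both digests match."""
    current = hash_chunks([copied])
    return all(current[k] == record[k] for k in ("sha256", "md5", "size"))


# Constructed sample: a small object as a storage service might stream it.
SAMPLE_CHUNKS = [b"account export: user@example.invalid\n",
                 b"file: notes.txt  modified: 2014-03-11T09:12:00Z\n"]

if __name__ == "__main__":
    data, rec = acquire(SAMPLE_CHUNKS, source="staas://example-provider/bucket/notes.txt",
                        examiner="Examiner A", case_id="CASE-0001")
    print(json.dumps(rec, indent=2))
    print("copy verifies:", verify(data, rec))
    print("copy verifies after one-byte change:", verify(data[:-1] + b"?", rec))
```

Recording both SHA-256 and MD5 matches what common imaging tools emit. The record itself should be stored and signed or hashed separately from the copy: a record that travels only alongside the evidence it describes proves nothing if both can be altered together.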

Page 8: Challenges of cloud forensics

"little guidance exists on how to acquire and conduct forensics in a cloud environment" (National Institute of Standards and Technology 2011, p.64)

"[c]urrently, guidelines and best practice guides on gathering digital evidence are rare and often outdated. There are no guidelines specific to evidence gathered in the cloud…" (Birk and Wegener 2011, p.9)

"[m]ore research is required in the cyber domain, especially in cloud computing, to identify and categorize the unique aspects of where and how digital evidence can be found. End points such as mobile devices add complexity to this domain. Trace evidence can be found on servers, switches, routers, cell phones, etc" (Zatyko & Bay 2012, p.15; the authors are the former Director of the US Department of Defense Computer Forensics Laboratory and the former Chief Scientist of the US Air Force Research Laboratory Information Directorate)

Need for an evidence-based digital forensic framework to guide investigations, which is
• flexible/generic enough to work with future providers offering new services, yet
• able to step an investigation through a formalised process to ensure information sources are identified and preserved.

Page 9: Our published cloud forensics framework

(The process is iterative.)

1. Commence (Scope): Determine the scope of the investigation, the requirements and limitations, and prepare equipment and expertise.

2. Identification and Preservation: It is critical that preservation commences as soon as cloud computing use is discovered in a case; it is therefore combined with identification in this model.

3. Collection: The potential difficulties in collecting cloud computing data dictate that collection be represented as a separate step.

4. Examination and Analysis: Examination of the collected data allows the investigator to locate the evidence in the data; analysis transforms this data into evidence.

5. Reporting and Presentation: This step relates to reporting and presenting evidence to court, and so remains mostly unchanged.

6. Feedback and Complete: A review of the findings and a decision to finalise the case or expand the analysis.

Adapted from Martini and Choo (2012) and Quick and Choo (2013); appeared in Quick, Martini and Choo (2014).

Page 10: Cloud forensics

• The initial focus of our research has been in the area of Storage as a Service (StaaS).

• Client analysis: Three popular public storage clients have been analysed across both PC and mobile devices.

• Client and server analysis: One of the preeminent open source cloud storage products (ownCloud) has also been analysed.
  – Australia's Academic and Research Network (with over one million end users from 38 Australian universities, CSIRO and other academic, research and education institutions) is deploying ownCloud as the basis for its CloudStor+ service.

Page 11: Cloud forensics: A snapshot of our findings from the client analysis

PC client analysis

Client             | System tray link                        | Password in RAM (cleartext) | Remnants after DBAN
-------------------|-----------------------------------------|-----------------------------|--------------------
Dropbox            | Yes                                     | Yes                         | No
Microsoft SkyDrive | Yes (but not full access to an account) | Yes                         | No
Google Drive       | Yes                                     | Yes (and also on HDD)       | No

Client             | After Eraser/CCleaner | Configuration files         | Mobile
-------------------|-----------------------|-----------------------------|--------
Dropbox            | Remnants              | Yes (old) / Encrypted (new) | Browser
Microsoft SkyDrive | Remnants              | Yes                         | Browser
Google Drive       | Remnants              | Yes                         | Browser

Page 12: Cloud forensics: Our recent book

For our new book "Cloud Storage Forensics, 1st Edition", please visit http://store.elsevier.com/product.jsp?isbn=9780124199705. The book's forewords are written by Australia's Chief Defence Scientist and by the Chair of the Electronic Evidence Specialist Advisory Group of the Senior Managers of Australian and New Zealand Forensic Laboratories.

Page 13: Cloud forensics: Ongoing work

• Examine other cloud services to determine the best practices for forensic extraction and analysis on these platforms, as there will most certainly be variation in the collection methods for each type of cloud platform and deployment model.

Page 14

Part I: Cloud Forensics

Part II: Mobile Device and App Forensics

Part III: Data Reduction Framework

Page 15: iOS forensics

• iOS Forensics
  – Develop a practitioner-based iOS forensic technique to identify and acquire deleted data from an HFS Plus volume in an iOS device.
  – The technique also allows forensic practitioners to verify the timestamps of the recovered image files.
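Recovering deleted pictures and then checking their timestamps combines two operations a practitioner can reproduce with a few dozen lines. The block below is an added example, not the technique from the ARES 2013 paper cited on the next slide: it carves JPEG files out of a raw image by their start and end signatures (the way unallocated HFS Plus space would be scanned) and parses the EXIF DateTimeOriginal tag of each recovered file, so the camera's own capture time can be compared with whatever file-system timestamps survive. The raw "volume", including a header whose remainder has been overwritten, is constructed inside the block.

```python
"""Carve JPEG files from a raw volume image and read each file's EXIF capture time.

Added example; it is not the technique from the ARES 2013 paper cited on
the next slide. Signature carving plus EXIF parsing, applied to a
constructed raw "volume" built by make_sample_jpeg().
"""
import struct

SOI = b"\xff\xd8\xff"      # start of image followed by the first marker byte
EOI = b"\xff\xd9"          # end of image
APP1, SOS = 0xFFE1, 0xFFDA
TAG_EXIF_IFD, TAG_DATETIME_ORIGINAL = 0x8769, 0x9003


def carve_jpegs(image, max_size=20 * 1024 * 1024):
    """Yield (offset, bytes) for every SOI..EOI run found in the image."""
    pos = 0
    while True:
        start = image.find(SOI, pos)
        if start < 0:
            return
        end = image.find(EOI, start + 3, start + max_size)
        if end < 0:                  # header with no trailer: truncated/overwritten
            pos = start + 3
            continue
        yield start, image[start:end + 2]
        pos = end + 2


def _read_ifd(tiff, offset, unpack):
    """Return {tag: (type, count, raw 4-byte value field)} for one IFD."""
    (n,) = unpack("H", tiff[offset:offset + 2])
    entries = {}
    for i in range(n):
        entry = tiff[offset + 2 + 12 * i: offset + 14 + 12 * i]
        tag, typ, count = unpack("HHI", entry[:8])
        entries[tag] = (typ, count, entry[8:12])
    return entries


def exif_datetime_original(jpeg):
    """Return DateTimeOriginal ('YYYY:MM:DD HH:MM:SS') or None if absent."""
    pos = 2                                         # skip SOI
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker, length = struct.unpack(">HH", jpeg[pos:pos + 4])
        if marker == SOS:                           # scan data follows; EXIF precedes it
            break
        segment = jpeg[pos + 4: pos + 2 + length]
        if marker == APP1 and segment.startswith(b"Exif\x00\x00"):
            tiff = segment[6:]
            endian = "<" if tiff[:2] == b"II" else ">"   # TIFF byte order flag

            def unpack(fmt, raw):
                return struct.unpack(endian + fmt, raw)

            (ifd0,) = unpack("I", tiff[4:8])
            pointer = _read_ifd(tiff, ifd0, unpack).get(TAG_EXIF_IFD)
            if pointer is None:
                return None
            (exif_ifd,) = unpack("I", pointer[2])
            dto = _read_ifd(tiff, exif_ifd, unpack).get(TAG_DATETIME_ORIGINAL)
            if dto is None:
                return None
            _typ, count, value = dto
            if count <= 4:                          # short values are stored inline
                raw = value[:count]
            else:
                (off,) = unpack("I", value)
                raw = tiff[off:off + count]
            return raw.rstrip(b"\x00").decode("ascii", "replace")
        pos += 2 + length
    return None


def recover(image):
    """Carve every JPEG and pair it with its EXIF capture time."""
    return [(offset, len(data), exif_datetime_original(data))
            for offset, data in carve_jpegs(image)]


def make_sample_jpeg(timestamp):
    """Build a minimal JPEG (APP0 JFIF + APP1 Exif + EOI); constructed test data."""
    ts = timestamp.encode("ascii") + b"\x00"                     # 20 bytes with NUL
    ifd0_off = 8                                                # right after TIFF header
    exif_off = ifd0_off + 2 + 12 + 4                            # count + one entry + next-IFD link
    str_off = exif_off + 2 + 12 + 4
    ifd0 = (struct.pack("<H", 1)
            + struct.pack("<HHII", TAG_EXIF_IFD, 4, 1, exif_off) + b"\x00" * 4)
    exif = (struct.pack("<H", 1)
            + struct.pack("<HHII", TAG_DATETIME_ORIGINAL, 2, len(ts), str_off) + b"\x00" * 4)
    tiff = b"II*\x00" + struct.pack("<I", ifd0_off) + ifd0 + exif + ts
    jfif = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app1 = b"Exif\x00\x00" + tiff
    return (SOI + b"\xe0" + struct.pack(">H", len(jfif) + 2) + jfif
            + b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + EOI)


# Constructed raw volume: two deleted pictures in unallocated space plus one
# JPEG header whose remainder has been overwritten (no trailer follows it).
VOLUME = (b"\x00" * 512 + b"constructed unallocated HFS+ blocks\n"
          + make_sample_jpeg("2013:09:02 10:15:30") + b"\x00" * 300
          + make_sample_jpeg("2014:01:06 08:45:01") + b"\x00" * 64
          + b"\xff\xd8\xff\xe0" + b"\x00" * 40)

if __name__ == "__main__":
    for offset, size, when in recover(VOLUME):
        print(f"offset {offset:8d}  size {size:5d}  DateTimeOriginal {when}")
```

Signature carving over-collects when a header without a trailer precedes an intact file (the run then spans both), and an EXIF timestamp is only as trustworthy as the camera clock and the absence of later editing, which is why the recovered value is compared against file-system metadata rather than taken on its own.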

Page 16: Cloud and Mobile Forensics: Ongoing work

Page 17: iOS anti-forensics

• iOS Anti-Forensics
  – "Concealment" technique to enhance the security of non-protected (Class D) data that is at rest on iOS devices,
  – "Deletion" technique to reinforce data deletion from iOS devices, and
  – "Insertion" technique to insert data into iOS devices surreptitiously that would be hard to pick up in a forensic investigation.

Ariffin A, D'Orazio C, Choo K-K R and Slay J 2013. iOS Forensics: How can we recover deleted image files with timestamp in a forensically sound manner? In International Conference on Availability, Reliability and Security (ARES 2013), pp. 375–382, University of Regensburg, Germany, 2–6 September 2013.

D'Orazio C, Ariffin A and Choo K-K R 2014. iOS anti-forensics: How can we securely conceal, delete and insert data? In 47th Annual Hawaii International Conference on System Sciences (HICSS 2014), pp. 4838–4847, 6–9 January 2014, IEEE Computer Society Press.

Page 18: VoIP apps

Aim: To examine ten popular freely available Android VoIP apps to determine whether voice and text communications using these applications are encrypted.

Motivations: VoIP and video chat from smart mobile devices are an increasingly popular choice for consumers. It is important to understand the limitations of these technologies.

• App-to-app communication channel:
  – Wi-Fi network to Wi-Fi network
  – Mobile data network to mobile data network
  – Mobile data network to Wi-Fi network
  – Wi-Fi network to mobile data network

What this study is not about …

Page 19: Android VoIP apps

App         | Text communication encrypted? | Cluster in histogram analysis (Sample 1 / Sample 2) | Entropy analysis (Sample 1 / Sample 2)                | Voice communication encrypted?
------------|-------------------------------|-----------------------------------------------------|-------------------------------------------------------|-------------------------------
Skype       | Yes                           | No / No                                             | Steady / Steady with sudden changes                   | Yes
Google Talk | Yes                           | No / No                                             | Gradual change / Gradual change                       | Yes
ICQ         | Yes                           | Yes / Yes                                           | Uneven / Steady changes                               | No
Viber       | Yes                           | Yes / Yes                                           | High fluctuation / High fluctuation                   | No
Nimbuzz     | Yes                           | Yes / Yes                                           | Steady changes / Steady changes                       | Yes
Yahoo       | No (messages sent by user); Yes (messages received by user) | No / No               | High fluctuations in the beginning / High fluctuation | No
Fring       | Yes                           | Yes / Yes                                           | High fluctuation / High fluctuation                   | No
Vonage      | Yes                           | Yes / Yes                                           | Steady with few spikes / Steady with few spikes       | No
WeChat      | Yes                           | Yes / Yes                                           | Even and uneven / Even and uneven                     | No
Tango       | Yes                           | No / No                                             | High fluctuation / Steady changes                     | Yes
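The two measures behind this table, entropy of the captured payload and whether its byte histogram clusters on a few values, are quick to compute over the packets of a call or chat. The block below is an added example, not the study's own tooling: it implements both measures, labels a stream from them, and runs them over two constructed captures, forty packets of a chat sent in the clear and forty packets of pseudo-random bytes standing in for the same chat after encryption. The thresholds and the packet sizes are assumptions for the example.

```python
"""Entropy and byte-histogram tests for captured VoIP/chat payloads.

Added example, not the tooling behind the study's table. A real run
would feed classify_stream() the UDP/TCP payloads from a pcap of one
call or chat; the two captures below are constructed.
"""
import math
from collections import Counter


def shannon_entropy(data):
    """Bits per byte, from 0.0 (one repeated value) to 8.0 (uniform over 256 values)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def histogram_cluster_ratio(data, top=16):
    """Share of all bytes that fall in the `top` most common byte values.

    Plaintext and structured codec frames concentrate on a few values (a
    visible cluster in the histogram); ciphertext spreads almost evenly,
    so the top-16 share approaches 16/256 = 0.0625.
    """
    if not data:
        return 0.0
    return sum(c for _, c in Counter(data).most_common(top)) / len(data)


def classify_stream(packets, entropy_floor=7.5, cluster_ceiling=0.15):
    """Label a captured stream; returns (label, entropy, cluster_ratio).

    'looks encrypted' needs high entropy AND no histogram cluster; anything
    else is 'likely unencrypted'. Thresholds are assumptions for this example.
    """
    payload = b"".join(packets)
    ent = shannon_entropy(payload)
    cluster = histogram_cluster_ratio(payload)
    label = ("looks encrypted" if ent >= entropy_floor and cluster <= cluster_ceiling
             else "likely unencrypted")
    return label, ent, cluster


def _prng_stream(n, seed=0x9E3779B9):
    """Deterministic xorshift32 byte stream standing in for ciphertext (constructed)."""
    x = seed
    out = bytearray()
    for _ in range(16):                          # warm-up rounds
        x ^= (x << 13) & 0xFFFFFFFF
        x ^= x >> 17
        x ^= (x << 5) & 0xFFFFFFFF
    while len(out) < n:
        x ^= (x << 13) & 0xFFFFFFFF
        x ^= x >> 17
        x ^= (x << 5) & 0xFFFFFFFF
        out += x.to_bytes(4, "little")
    return bytes(out[:n])


# Constructed captures: 40 packets of a chat in the clear, and 40 packets of
# 160 bytes (a typical RTP payload size) modelling the encrypted stream.
CLEAR_PACKETS = [b'{"from":"alice","msg":"meet at 7, bring the files"}'] * 40
_CIPHER = _prng_stream(40 * 160)
ENCRYPTED_PACKETS = [_CIPHER[i:i + 160] for i in range(0, len(_CIPHER), 160)]

if __name__ == "__main__":
    for name, pkts in (("clear", CLEAR_PACKETS), ("encrypted", ENCRYPTED_PACKETS)):
        label, ent, cluster = classify_stream(pkts)
        print(f"{name:10s} entropy={ent:.2f} bits/byte  top16 share={cluster:.2f}  -> {label}")
```

High entropy alone does not prove encryption: compressed audio frames and already-compressed media also score near 8 bits per byte, which is why the study pairs entropy with histogram clustering, and why both still indicate rather than prove that a channel is protected. Sending a recognisable message and searching the capture for it, as the Yahoo row's sent/received split suggests the study did, is the confirming step.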

Page 20: Android VoIP apps

Encryption of text/voice communication by channel (w2w = Wi-Fi to Wi-Fi, m2m = mobile data to mobile data, m2w = mobile data to Wi-Fi, w2m = Wi-Fi to mobile data; Y = encrypted, N = not encrypted, - = no result recorded)

App            | Channel | w2w | m2m | m2w | w2m
---------------|---------|-----|-----|-----|----
Skype          | Text    | Y   | Y   | Y   | Y
               | Voice   | Y   | Y   | Y   | Y
Google Hangout | Text    | -   | Y   | Y   | Y
               | Voice   | -   | Y   | Y   | Y
ICQ            | Text    | Y   | Y   | Y   | Y
               | Voice   | N   | N   | N   | N
Viber          | Text    | Y   | Y   | Y   | Y
               | Voice   | N   | N   | N   | N
Nimbuzz        | Text    | Y   | Y   | Y   | Y
               | Voice   | Y   | Y   | Y   | Y
Yahoo          | Text    | N   | N   | N   | N
               | Voice   | N   | N   | N   | N
Fring          | Text    | Y   | N   | N   | N
               | Voice   | N   | N   | N   | N
Vonage         | Text    | Y   | N   | N   | N
               | Voice   | N   | N   | N   | N
WeChat         | Text    | Y   | Y   | Y   | Y
               | Voice   | N   | N   | N   | N
Tango          | Text    | Y   | Y   | Y   | Y
               | Voice   | Y   | N   | N   | N

Note on the slide (against the rows reading Y N N N, i.e. Fring text, Vonage text and Tango voice): these three VoIP apps might be silently turning off encryption whenever a mobile network is involved.

Azfar A, Choo K-K R and Liu L 2014. A study of ten popular Android mobile VoIP applications: Are the communications encrypted? In 47th Annual Hawaii International Conference on System Sciences (HICSS 2014), pp. 4858–4867, 6–9 January 2014, IEEE Computer Society Press.

Page 21: Windows event forensic process (WinEFP)

Do Q, Martini B, Looi J M J, Wang Y and Choo K-K R 2014. Windows Event Forensic Process (WinEFP). In IFIP WG 11.9 International Conference on Digital Forensics, Vienna University of Technology, Vienna, Austria, 8–10 January, IFIP Advances in Information and Communication Technology, Springer-Verlag [In press].

Page 22: Mobile forensics: A rat race

Mobile forensics is a race not only to keep up with device (i.e. hardware) and software (e.g. app and operating system) releases by providers, but also with software and hardware modifications made by end users, particularly serious and organised criminals, to complicate or prevent the collection and analysis of digital evidence.

• 'Thousands of encrypted phones are believed to be in Australia and the officials say some of the phones are suspected of being used to send the most dangerous messages imaginable - those that lead to murder … [and] Police believe one of Australia's most violent outlaw bikers used uncrackable encrypted phones to order some of the shootings that have rocked Sydney' (Australian Broadcasting Corporation 2014).

• The NSW Crime Commission's 2012-2013 annual report stated that '[a]s in the last reporting period, criminal groups continue to exploit mobile-phone encryption methods. Some companies, which appear to be almost exclusive set-up to supply criminal networks, provide mobile-phones for around $2,200 … The Commission believes the phones are almost exclusively used by criminals and there are limited legitimate users for such heavily encrypted phones in the wider community'.

Page 23

Part I: Cloud Forensics

Part II: Mobile Device and App Forensics

Part III: Data Reduction Framework

Page 24: Digitalisation of data

1. Increasing data volume and cost implications.

2. Digital forensic practitioners, especially those in government and law enforcement agencies, will continue to be under pressure to deliver more with less, especially in today's economic landscape. This gives rise to a variety of needs, including
• a more efficient method of collecting and preserving evidence,
• a capacity to triage evidence prior to conducting full analysis,
• reduced data storage requirements,
• an ability to conduct a review of information in a timely manner for intelligence, research and evidential purposes,
• an ability to archive important data,
• an ability to quickly retrieve and review archived data, and
• a source of data to enable a review of current and historical cases (intelligence, research, and knowledge management).

Page 25: Data reduction framework for digital forensic evidence storage, intelligence, review and archive

Initial research with sample data from the South Australia Police Electronic Crime Section and Digital Corpora forensic images using our proposed framework resulted in a significant reduction in storage requirements: the reduced subset is only 0.196% and 0.75% respectively of the original data volume.

Quick D and Choo K-K R. Data reduction framework for digital forensic evidence storage, review and archive. Trends & Issues in Crime and Criminal Justice [In press, accepted 11 March 2014].
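The percentages above come from keeping a small subset of each image. The following is an added example of one way such a reduction pass can be built, not the published framework's own code or selection rules: it keeps only file types likely to hold user-generated evidence, drops files whose hash appears in a known-good reference set (the way NSRL-style hash sets are used to exclude stock operating-system and application files), and reports the reduced subset as a percentage of the original volume. The in-memory "volume", the type list and the known-hash set are constructed.

```python
"""Selective collection with known-file exclusion: a data reduction pass.

Added example, not the published framework's code. The type list, the
known-good hash set and the in-memory "volume" are constructed; a real
pass would walk a mounted image or use a library that understands the
file system.
"""
import hashlib
from pathlib import PurePosixPath

# Assumed selection list for this example: documents, pictures, e-mail,
# browser and mobile-backup stores. System binaries are deliberately absent.
INCLUDE_SUFFIXES = {".doc", ".docx", ".pdf", ".txt", ".jpg", ".png",
                    ".pst", ".eml", ".sqlite", ".plist", ".db"}
INCLUDE_NAMES = {"places.sqlite", "History", "Cookies"}   # browser stores without a suffix


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def select(files, known_hashes, include_suffixes=INCLUDE_SUFFIXES,
           include_names=INCLUDE_NAMES):
    """Return (kept, report) for a mapping of path -> bytes.

    kept:   {path: sha256} for files that pass both the type filter and the
            known-file exclusion (the hash doubles as the verification value).
    report: counts and byte totals before/after, with the reduced subset
            expressed as a percentage of the original, as the slide does.
    """
    total = sum(len(d) for d in files.values())
    kept, skipped_type, skipped_known = {}, 0, 0
    for path, data in files.items():
        p = PurePosixPath(path)
        if p.suffix.lower() not in include_suffixes and p.name not in include_names:
            skipped_type += 1
            continue
        digest = sha256_hex(data)
        if digest in known_hashes:          # stock OS/application file, no evidential value
            skipped_known += 1
            continue
        kept[path] = digest
    subset = sum(len(files[p]) for p in kept)
    report = {
        "files_in": len(files), "files_out": len(kept),
        "bytes_in": total, "bytes_out": subset,
        "skipped_by_type": skipped_type, "skipped_known": skipped_known,
        "ratio_percent": (100.0 * subset / total) if total else 0.0,
    }
    return kept, report


# Constructed sample volume.
SYSTEM_DLL = b"MZ" + b"\x90" * 4000            # stands in for a stock OS binary
SAMPLE_FILES = {
    "Windows/System32/kernel32.dll": SYSTEM_DLL,
    "Windows/System32/user32.dll": b"MZ" + b"\xcc" * 4000,
    "Program Files/App/app.exe": b"MZ" + b"\x00" * 8000,
    "Users/jo/Documents/plan.docx": b"PK\x03\x04" + b"project plan" * 30,
    "Users/jo/Pictures/IMG_0012.jpg": b"\xff\xd8\xff\xe1" + b"\x00" * 900,
    "Users/jo/AppData/Firefox/places.sqlite": b"SQLite format 3\x00" + b"\x00" * 500,
    "Users/jo/AppData/Chrome/History": b"SQLite format 3\x00" + b"\x01" * 300,
    "Users/jo/Documents/readme.txt": b"stock template text\n" * 10,
    "pagefile.sys": b"\x00" * 20000,
}
# Known-good set (constructed): the stock DLL and a vendor-shipped readme.
KNOWN_HASHES = {sha256_hex(SYSTEM_DLL), sha256_hex(b"stock template text\n" * 10)}

if __name__ == "__main__":
    kept, report = select(SAMPLE_FILES, KNOWN_HASHES)
    for path in sorted(kept):
        print(f"keep  {path}")
    print(report)
```

The type filter does the bulk of the reduction; the hash exclusion catches the user-directory files that look interesting by name but are vendor-shipped. Both filters discard data irreversibly, so the original image (or a full hash manifest of it) is still what the defence must be able to examine; the subset serves triage, review and archive.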

Page 26

Dr Kim-Kwang Raymond Choo
2009 Fulbright Scholar
Research Director, Cloud Security Alliance, Australia Chapter
Senior Lecturer, School of Information Technology & Mathematical Sciences, University of South Australia
URL: https://sites.google.com/site/raymondchooau/
Google Scholar: http://scholar.google.de/citations?user=rRBNI6AAAAAJ&hl=de