MOBILE DEVICE FORENSICS
Understanding Mobile Device Forensics
- People store a wealth of information on cell phones and mobile devices
- People don't think about securing their mobile devices
- Items stored on mobile devices: incoming, outgoing, and missed calls; text and Short Message Service (SMS) messages; e-mail; instant-messaging (IM) logs; web pages; pictures; personal calendars; address books; music files; voice recordings; GPS data
- Investigating cell phones and mobile devices is one of the most challenging tasks in digital forensics
Understanding Cellular Connected Mobile Devices
- A Mobile Switching Center (MSC) is the switching system for the cellular network. The MSC is also responsible for communications between mobile and landline phones.
- The Base Transceiver Station (BTS) is the part of the cellular network responsible for communications between the mobile phone and the network switching systems.
- The Home Location Register (HLR) is a database used by the MSC that contains subscriber and service information. It works with the Visitor Location Register (VLR) to track roaming status.
Inside Mobile Devices
- IMEI and IMSI: International Mobile Equipment Identifier and International Mobile Subscriber Identifier. Also MEID (Mobile Equipment Identifier) or ESN (electronic serial number).
- Phones store system data in electrically erasable programmable read-only memory (EEPROM), which enables service providers to reprogram phones without having to physically access memory chips.
- The OS is stored in ROM (nonvolatile memory).
Inside Mobile Devices (continued)
- Subscriber identity module (SIM) cards are found most commonly in GSM (Global System for Mobile Communications) devices. GSM refers to mobile phones as "mobile stations" and divides a station into two parts: the SIM card and the mobile equipment (ME).
- Portability of information makes SIM cards versatile.
- Integrated Circuit Card Identifier (ICCID): identifies the subscriber to the network
- Stores service-related information
- PIN: unlocks the device
- PUK: resets the PIN; entering it incorrectly more than 10 times wipes the phone
- Cipher algorithm
Mobile Device Forensic Analysis Process
- The biggest challenge is dealing with constantly changing models of cell phones.
- When you're acquiring evidence, you're generally performing two tasks: acting as though you're a PC synchronizing with the device (to download data), and reading the SIM card.
- The first step is to identify the mobile device. Question: Why is this important?
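The identification step leans on the identifiers from the earlier slides: the IMEI of the handset and the ICCID printed on the SIM. Both carry a Luhn check digit, so an examiner can catch a mistyped or damaged identifier before searching a database with it, and the first eight IMEI digits (the Type Allocation Code, TAC) point at the make and model. The following Python is an added example, not part of the lecture; the sample IMEI and ICCID are constructed values, not real devices or cards, and the ICCID parser only checks the "89" telecom industry prefix and the check digit because the country and issuer field lengths vary.

```python
"""Luhn check-digit validation and field splitting for IMEI and ICCID.

Added example for the identification step; not from the lecture.
All sample identifiers are constructed for illustration.
"""
from typing import Dict


def luhn_valid(digits: str) -> bool:
    """True if the decimal string passes the Luhn checksum (ISO/IEC 7812)."""
    if not digits.isdigit():
        return False
    total = 0
    # Walk from the rightmost digit; every second digit is doubled.
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_check_digit(payload: str) -> str:
    """Compute the digit that makes payload + digit Luhn-valid."""
    if not payload.isdigit():
        raise ValueError("payload must be decimal digits")
    for c in "0123456789":
        if luhn_valid(payload + c):
            return c
    raise AssertionError("unreachable: one of ten digits always matches")


def parse_imei(imei: str) -> Dict[str, object]:
    """Split a 15-digit IMEI into TAC (8), serial (6) and check digit (1).

    The TAC identifies the model/manufacturer, which is what the
    identification step needs before choosing an acquisition method.
    """
    if len(imei) != 15 or not imei.isdigit():
        raise ValueError("IMEI must be 15 decimal digits")
    return {
        "tac": imei[:8],
        "serial": imei[8:14],
        "check": imei[14],
        "luhn_ok": luhn_valid(imei),
    }


def parse_iccid(iccid: str) -> Dict[str, object]:
    """Check an ICCID: '89' telecom prefix, 19-20 digits, Luhn check digit.

    Country and issuer field lengths vary by issuer (assumption: we do not
    try to split them here).
    """
    if not (19 <= len(iccid) <= 20) or not iccid.isdigit():
        raise ValueError("ICCID must be 19 or 20 decimal digits")
    return {
        "industry_id": iccid[:2],
        "telecom": iccid[:2] == "89",
        "luhn_ok": luhn_valid(iccid),
    }


if __name__ == "__main__":
    # Constructed sample identifiers (not real devices or SIM cards).
    sample_imei = "351234567890124"
    sample_iccid = "8901260123456789011"
    print(parse_imei(sample_imei))
    print(parse_iccid(sample_iccid))
```

A check-digit failure does not prove tampering; a single misread digit on a worn label produces the same result, so record the identifier as observed and note the mismatch rather than "correcting" it.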
Understanding Acquisition Procedures for Cell Phones and Mobile Devices
- The main concerns with mobile devices are loss of power and synchronization with PCs.
- All mobile devices have volatile memory; making sure they don't lose power before you can retrieve RAM data is critical.
- A mobile device attached to a PC via a cable or cradle/docking station should be disconnected from the PC immediately.
- Communication or system messages might be received on the mobile device after seizure, so isolate the device from incoming (RF) signals. The drawback to using these isolating options is that the mobile device is put into roaming mode, which accelerates battery drainage.
Data Acquisition Procedures for Cell Phones and Mobile Devices
Check these areas in the forensics lab:
- Internal memory
- SIM card (its file system is a hierarchical structure)
- Removable or external memory cards
Information that can be retrieved:
- Service-related data, such as identifiers for the SIM card and the subscriber
- Call data, such as numbers dialed
- Message information
- Location information
Obstacles:
- If power has been lost, PINs or other access codes might be required to view files.
- Encryption
Access Methods (6 types according to NIST)
- Manual extraction: looking at pages of info directly on the device
- Logical extraction
- Filesystem dump
- Hex dumping and JTAG: can work on damaged devices and bypass lock screens; reads directly from RAM/ROM
- Chip-off: unsolder or cut flash memory from the circuit board
- Micro read: use a SEM (scanning electron microscope) to view data
Don’t ignore useful properties
When was the last time this phone was at 2SP?
Poke around and you will find…
Encoded Secrets
This has been truncated; the app stores your password Base64 encoded.
Application Data
- Found in plists or SQLite files
- Apps continue to change formats
- Looking primarily for location and message data
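The two slides above describe the same pair of artifacts an examiner keeps running into: message rows in an app's SQLite store, and configuration values in a plist that are merely Base64-encoded rather than protected. The following Python is an added example, not code from the lecture. Its messaging table, plist keys and every row are constructed for illustration; real apps use their own names and, as the slide says, change them between versions, so the queries here are the pattern rather than a recipe for any particular app.

```python
"""Timeline messages from a SQLite store and flag Base64 strings in a plist.

Added example, not from the lecture. Schema, keys and rows are constructed.
"""
import base64
import binascii
import plistlib
import re
import sqlite3
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed rows: (rowid, remote party, Unix timestamp, text).
_SAMPLE_ROWS = [
    (1, "+15550100", 1700000000, "running late, be there at 6"),
    (2, "+15550100", 1700000300, "ok, parked outside now"),
    (3, "+15550177", 1700003600, "send the photos"),
]


def build_sample_db() -> sqlite3.Connection:
    """In-memory SQLite database with a constructed messaging table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE message (ROWID INTEGER PRIMARY KEY, handle TEXT,"
        " date INTEGER, text TEXT)"
    )
    conn.executemany("INSERT INTO message VALUES (?, ?, ?, ?)", _SAMPLE_ROWS)
    conn.commit()
    return conn


def extract_messages(conn: sqlite3.Connection) -> List[Dict[str, object]]:
    """Messages in timeline order, Unix timestamps rendered as UTC ISO-8601."""
    cur = conn.execute("SELECT ROWID, handle, date, text FROM message ORDER BY date")
    return [
        {
            "id": rowid,
            "handle": handle,
            "utc": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
            "text": text,
        }
        for rowid, handle, ts, text in cur
    ]


# Base64 alphabet, at least 8 characters, optional '=' padding.
_B64 = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")


def looks_base64(value: str) -> Optional[bytes]:
    """Decoded bytes if value is well-formed Base64 of printable ASCII, else None."""
    if not _B64.match(value) or len(value) % 4:
        return None
    try:
        raw = base64.b64decode(value, validate=True)
    except binascii.Error:
        return None
    if raw and all(32 <= b < 127 for b in raw):
        return raw
    return None


def build_sample_plist() -> bytes:
    """Constructed app preferences; 'password' holds Base64 of 'hunter2'."""
    prefs = {
        "username": "alice",
        "password": "aHVudGVyMg==",
        "lastLat": 40.7128,
        "lastLon": -74.0060,
    }
    return plistlib.dumps(prefs, fmt=plistlib.FMT_BINARY)


def find_encoded_secrets(plist_bytes: bytes) -> Dict[str, str]:
    """Walk a plist and report string values that decode as Base64 text."""
    found: Dict[str, str] = {}

    def walk(node, path):
        if isinstance(node, dict):
            for k, v in node.items():
                walk(v, f"{path}/{k}")
        elif isinstance(node, list):
            for i, v in enumerate(node):
                walk(v, f"{path}[{i}]")
        elif isinstance(node, str):
            decoded = looks_base64(node)
            if decoded is not None:
                found[path] = decoded.decode("ascii")

    walk(plistlib.loads(plist_bytes), "")
    return found


if __name__ == "__main__":
    for row in extract_messages(build_sample_db()):
        print(row)
    print(find_encoded_secrets(build_sample_plist()))
```

Work on a copy of the store, never the seized file: opening a SQLite database read-write can rewrite its journal and change hashes. The Base64 heuristic is deliberately loose (any printable decode is reported), so its output is a list of candidates for the examiner to review, not a finding by itself.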
Rooting
- Usually an alternate OS (may be command injection)
- Removes built-in restrictions on access to data
- Removes or makes it possible to add third-party applications
- Consumers do it for functionality; investigators do it for access to data
- Manufacturers are making this more challenging
Summary
- People store a wealth of information on their cell phones
- Various generations of mobile phones
- Data can be retrieved from several different places in phones
- As with computers, proper search and seizure procedures must be followed for mobile devices
- To isolate a mobile device from incoming messages, you can place it in a specially treated paint can, a wave-blocking wireless evidence bag, or eight layers of antistatic bags
- SIM cards store data in a hierarchical file structure