Introduction to Mobile Forensics
csis.pace.edu/~lchen/pcap13/mobile_forensics_pcap.pdf
TRANSCRIPT
Definition
• Computer Forensics is the scientific practice of using
digital data in an investigation
• Mobile Forensics is the scientific practice of using digital
data, created by a mobile device, in an investigation
Popular Myths
• Computer Forensics is a Part of Security
• Computer Forensics is the Examination of Computers
• Computer Forensics is used to Solve Computer Crimes
• Computer Forensics is about Recovering Deleted Files
What’s Different?
• Communication through Embedded Chip
• Different File System
• Different Information
• Call Logs
• Text Messages
• Active Memory Storage
• Smaller Onboard Capacity
• Locational Data
History
• 1875 – Alexander Graham Bell Transmits Sounds
• 1876 – “Mr. Watson, come here! I want to see you!”
• 1885 – AT&T Founded
• 1919 – First Rotary Telephone
• 1946 – Area Codes Established
• 1961 – Touch Tone Released to the Public
• 1963 – Push-button Telephone
History
• 1973 – First Handheld Cellphone Call
• 1982 – Caller ID
• 1984 – New AT&T Formed
• 1991 – GSM Created
History
• Radio Common Carrier
• 1960s – 1980s
• Dr. Martin Cooper, Motorola, 1973
• 2.2 lbs Phone – First Handheld Mobile
• Wall Street (1987)
History
• 1983 – DynaTAC Cellphone Released by Motorola
• 1 lb
• 9.5 Inches Tall
• 10 Hours to Charge
• 60 Mins. Talk Time
• $3,995
History
• Push-to-talk (1993)
• Motorola StarTAC (1996)
• RIM BlackBerry (1999)
• Two-way Pager
• Motorola RAZR (2003)
History – Mobile Forensics
• Hardware: Cellebrite Universal Memory Exchanger (UME)
• Used by Wireless Retailers for Phone-to-Phone Transfers
• Software: Personal Investigations
• Cheating Spouses
Statistics (Source: CTIA)
1995
• Subscribers: 28.1 million
• Call Minutes: 31.5 billion
2011
• Subscribers: 327.6 million
• Call Minutes: 2.2 trillion (6 billion Call Mins. per Day)
• Text Msgs: 5.7 billion per Day
• Cell Towers: 250,000
• 29.7% of Households are Wireless Only
iPhone
• Higinio O. Ochoa
• Aged 30
• Linux Administrator
• Accused of Being a Part of CabinCr3w
• Arrested by FBI
• GPS Coordinates in the EXIF Data of a Photo Taken with an iPhone
• Melbourne, Australia
• Led Investigators to Ochoa’s Facebook Page
Conrad Murray Trial
• Conrad Murray Recorded Jackson’s Last Words on
iPhone
• Judge Ruled that 4-Minute Audio File Was Admissible
Stolen iPhone
• April 2012 – iPhone Stolen on Disney Wonder Cruise
• Victim – Katy McCaffrey
• Photos Automatically Uploaded to iCloud Photo Stream
Account
• Photos of “Nelson” & Co-workers Uploaded to
McCaffrey’s Facebook & Sent to Disney
Times Square Shooting
• August 18, 2012 – Knife-wielding Man Runs through
Times Square
• NYPD Runs after Suspect: Darrius Kennedy, 51
• Bystanders Run Alongside Police with Cellphone
Cameras Recording Action
• Suspect Shot Dead by Police
• Videos Uploaded to YouTube, Facebook, News Networks
• Smartphones Seized by Police
Smartphone Intelligence
• Precrime creeps closer to reality, with predictive smartphone location tracking
• http://www.extremetech.com/computing/134422-precrime-creeps-closer-to-reality-with-predictive-smartphone-location-tracking
• Localscope App
• http://www.cynapse.com/localscope
Law Enforcement Assistance
• Brooklyn Quality of Life App
• http://www.cbsnews.com/8301-504083_162-57492217-504083/new-smartphone-application-allows-people-to-report-crimes-to-authorities/
• FBI Child ID App
• http://www.fbi.gov/news/news_blog/the-child-id-app-on-android
Forensics on Your Smartphone
• Forensic Computer Examiner Quick Reference Guide App
• International Association of Computer Investigative
Specialists (IACIS)
Cellular Network
• Cellular Network – Group of Cells
• Cell – Geographic Area
• Cell Site – Tower or Antenna
Cell Sites
• Cell Tower
• Radio Mast
• Often has 3 Sectors
• 200 Feet High
• Often Used by Multiple
Carriers
• Transmits/Receives Radio
Signals
• Encrypts/Decrypts Air-Interface Traffic (Between Handset and Cell Site)
Mobile Station
• Mobile Equipment (Handset)
• Subscriber Identity Module (SIM)
• GSM Networks
• IMEI Identifies Mobile Equipment on GSM Cellular
Network
Practical
• Open Browser
• URL: www.antennasearch.com
• Type: 1600 Pennsylvania Ave NW
• Type: Washington, DC
• Type: 20006
Cell Site Analysis (CSA)
• Call & Mapping Analysis
• http://www.cellanalyst.com/
• Using Cell Site Analysis Evidence in Criminal Trials
• http://www.justice.gov/usao/eousa/foia_reading_room/usab5906.pdf
• Request Data in Parsed Excel Format
• Request Keys to Tower Codes
• Free Mapping
• http://batchgeo.com/
Carrier Evidence
• Subscriber Records
• Call Detail Records (CDR)
• Phone Numbers Called/Received
• Duration
• Dates
• Times
• Cell Sites
• Quadrant
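The Cell Site Analysis workflow on the slides above (request the CDRs in parsed spreadsheet form, request the key to the carrier's tower codes, then plot the calls) as an added worked example. This code is not from the presentation; every record, column name and coordinate below is constructed, because each carrier exports a different layout and you will rename the columns to match the export you actually receive. Calls whose site/sector code is missing from the tower key are reported rather than silently dropped, which is the usual reason a plotted timeline has gaps.

```python
"""Join carrier call detail records (CDR) with the tower key so each call can be
plotted. Added example; all rows and column names are constructed."""
import csv
import io
from datetime import datetime

# Constructed CDR export, saved from the carrier's "parsed" spreadsheet as CSV.
CDR_CSV = """\
date,time,direction,other_number,duration_s,cell_site,sector
2012-08-18,14:02:11,outgoing,2125550142,95,NY1234,2
2012-08-18,14:30:47,incoming,2125550199,12,NY1234,3
2012-08-18,15:12:03,outgoing,7185550177,230,NY5678,1
2012-08-18,15:45:20,incoming,2125550142,40,NY9999,1
"""

# Constructed tower key: the carrier's mapping from site/sector code to location
# and sector azimuth (the direction the antenna faces, so the call came from that side).
TOWER_KEY_CSV = """\
cell_site,sector,latitude,longitude,azimuth_deg
NY1234,1,40.7580,-73.9855,0
NY1234,2,40.7580,-73.9855,120
NY1234,3,40.7580,-73.9855,240
NY5678,1,40.7527,-73.9772,90
"""


def load_tower_key(text: str) -> dict:
    """(site, sector) -> (lat, lon, azimuth). Keys stay strings: codes are not numbers."""
    key = {}
    for row in csv.DictReader(io.StringIO(text)):
        key[(row["cell_site"], row["sector"])] = (
            float(row["latitude"]), float(row["longitude"]), int(row["azimuth_deg"]))
    return key


def map_cdr(cdr_text: str, tower_key: dict) -> list:
    """One dict per call, in time order, with the tower location attached when known."""
    records = []
    for row in csv.DictReader(io.StringIO(cdr_text)):
        when = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
        loc = tower_key.get((row["cell_site"], row["sector"]))
        records.append({
            "timestamp": when,
            "direction": row["direction"],
            "other_number": row["other_number"],
            "duration_s": int(row["duration_s"]),
            "cell_site": row["cell_site"],
            "sector": row["sector"],
            "latitude": loc[0] if loc else None,
            "longitude": loc[1] if loc else None,
            "azimuth_deg": loc[2] if loc else None,
        })
    records.sort(key=lambda r: r["timestamp"])
    return records


def unmapped_sites(records: list) -> list:
    """Site/sector codes the carrier's key did not cover; go back and ask for these."""
    return sorted({(r["cell_site"], r["sector"]) for r in records if r["latitude"] is None})


def to_batchgeo_csv(records: list) -> str:
    """Latitude/Longitude/Name/Description columns, which the free mapping site accepts."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["Latitude", "Longitude", "Name", "Description"])
    for r in records:
        if r["latitude"] is None:
            continue  # listed by unmapped_sites(), not plotted at a guessed location
        name = f"{r['timestamp']:%Y-%m-%d %H:%M:%S} {r['direction']} {r['other_number']}"
        desc = (f"site {r['cell_site']} sector {r['sector']} "
                f"azimuth {r['azimuth_deg']} duration {r['duration_s']}s")
        writer.writerow([r["latitude"], r["longitude"], name, desc])
    return out.getvalue()


if __name__ == "__main__":
    calls = map_cdr(CDR_CSV, load_tower_key(TOWER_KEY_CSV))
    print(to_batchgeo_csv(calls))
    print("unmapped:", unmapped_sites(calls))
```

Keep the carrier's original export untouched (hash it on receipt) and work from a copy; the mapped CSV is a derived exhibit, and the tower key's date matters because sites are re-sectored and renumbered over time.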
Mobile Station (GSM)
• Mobile Equipment (Handset)
• Subscriber Identity Module (SIM)
• International Mobile Equipment Identity (IMEI) – 15 Digits: 8-Digit TAC + 6-Digit Serial + Luhn Check Digit
• Analysis of IMEI: www.numberingplans.com &
trackimei.com
• Dial *#06# on Cellphone
• Type Allocation Code (TAC) – Initial 8 Digits of IMEI (Older Handsets: 6-Digit TAC + 2-Digit Final Assembly Code)
• http://www.nobbi.com/tacquery.php
Mobile Station (CDMA)
• Mobile Equipment (Handset)
• Electronic Serial Number (ESN)
• 2005: Mobile Equipment Identifier (MEID)
• www.meidconverter.com
• Subsidy Lock – Confines Handset to One Carrier; on CDMA Handsets the Service Programming Code (SPC, also Called MSL) Gates Reprogramming
Mobile Station
• Mobile Equipment (ME)
• FCC-ID
• Federal Communications Commission (FCC)
• http://transition.fcc.gov/oet/ea/fccid/
• www.phonescoop.com
• www.gsmarena.com
SIM
• GSM & iDEN (Motorola)
• Swapped Out with Unlocked Phones
• International Mobile Subscriber Identity (IMSI)
• Mobile Country Code (MCC)
• First 3 Digits of IMSI
• Mobile Network Code (MNC)
• Next 2 to 3 Digits
• Mobile Subscriber Identification Number (MSIN)
• Remaining Digits, up to 10 (IMSI Is at Most 15 Digits)
SIM
• Integrated Circuit Card ID (ICCID)
• 19 to 20 Digits
• Printed on SIM
• Major Industry Identifier (MII)
• First 2 Digits (89 = Telecommunications)
• Last Digit Is a Luhn Check Digit
• www.numberingplans.com
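The identifier layouts from the Mobile Station and SIM slides (IMEI with its TAC and check digit, IMSI split into MCC/MNC/MSIN, ICCID with its MII and check digit) as an added worked example in code; this is not from the presentation. The IMEI used is the widely published test value 490154203237518; the IMSI and ICCID values are constructed. The MNC-length rule is a simplification (North American MCCs use three digits, most others two); the authoritative split comes from the numbering-plan lookups the slides point to, so the parser also accepts an explicit length.

```python
"""Parse and validate IMEI, IMSI and ICCID strings. Added example; sample numbers
are a published test IMEI or constructed values, not real subscribers."""
from dataclasses import dataclass
from typing import Optional


def luhn_check_digit(payload: str) -> int:
    """Luhn check digit (ISO/IEC 7812) for a digit string; IMEI and ICCID both use it."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:            # double every second digit, starting with the rightmost
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def luhn_valid(number: str) -> bool:
    return number.isdigit() and len(number) >= 2 and \
        luhn_check_digit(number[:-1]) == int(number[-1])


@dataclass
class IMEI:
    tac: str          # Type Allocation Code, digits 1-8
    serial: str       # digits 9-14
    check_digit: str  # digit 15 (Luhn)
    luhn_ok: bool

    @property
    def legacy_tac(self) -> str:   # pre-2003 split: 6-digit TAC ...
        return self.tac[:6]

    @property
    def fac(self) -> str:          # ... followed by the 2-digit Final Assembly Code
        return self.tac[6:8]


def parse_imei(raw: str) -> IMEI:
    digits = "".join(ch for ch in raw if ch.isdigit())
    if len(digits) == 14:          # some exports drop the check digit: recompute it
        digits += str(luhn_check_digit(digits))
    if len(digits) != 15:
        raise ValueError(f"IMEI must have 14 or 15 digits, got {len(digits)}")
    return IMEI(tac=digits[:8], serial=digits[8:14],
                check_digit=digits[14], luhn_ok=luhn_valid(digits))


# MCCs whose networks use 3-digit MNCs (US 310-316, Canada 302, Mexico 334).
# Simplification: the numbering-plan lookup is authoritative for a given MCC.
THREE_DIGIT_MNC_MCCS = set(range(310, 317)) | {302, 334}


def parse_imsi(imsi: str, mnc_len: Optional[int] = None) -> dict:
    if not imsi.isdigit() or not 6 <= len(imsi) <= 15:
        raise ValueError("IMSI is 6 to 15 digits")
    mcc = imsi[:3]
    if mnc_len is None:
        mnc_len = 3 if int(mcc) in THREE_DIGIT_MNC_MCCS else 2
    return {"mcc": mcc, "mnc": imsi[3:3 + mnc_len], "msin": imsi[3 + mnc_len:]}


def parse_iccid(iccid: str) -> dict:
    digits = "".join(ch for ch in iccid if ch.isdigit())
    if not 19 <= len(digits) <= 20:
        raise ValueError("ICCID is 19 or 20 digits")
    return {
        "mii": digits[:2],                   # Major Industry Identifier; 89 = telecom
        "issuer_and_account": digits[2:-1],  # country code + issuer + account; lengths vary
        "check_digit": digits[-1],
        "luhn_ok": luhn_valid(digits),
    }


if __name__ == "__main__":
    print(parse_imei("49-015420-323751-8"))
    print(parse_imsi("310150123456789"))        # constructed: MCC 310, MNC 150
    print(parse_iccid("89010000000000000011"))  # constructed, check digit computed
```

A failed Luhn check on an IMEI pulled from a handset or a carrier record is worth noting in the report: it usually means a transcription error or a reprogrammed (cloned) device rather than a manufacturer mistake.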
CDMA
• Code Division Multiple Access (CDMA)
• Developed during WWII
• Patented by Qualcomm
• Users Share a Band of Frequencies
• Verizon & Sprint
• No SIM
• Same Phone Model: GSM or CDMA
• Motorola RAZR
CDMA
• Code Division Multiple Access (CDMA)
• Spread-Spectrum Communications Protocol
• Wide Bandwidth
• Multiplexing Techniques
• Fiber Optic
• Verizon
• Sprint
• CDMA2000 – 3G
Mobile Phone Network
Operators
• Mobile Network Operator (MNO)
• Owns an RF Spectrum License
• 4 Carriers
• AT&T/Cingular (GSM)
• T-Mobile (GSM)
• Verizon (CDMA)
• Sprint/Nextel (CDMA)
Mobile Phone Network
Operators
• Mobile Virtual Network Operator (MVNO)
• Provides Mobile Phone Service
• No Licensed Frequency of Radio Spectrum
• Purchase Minutes of Use (MOU)
• Do Not Own SIM Cards
• Example: Virgin Mobile USA (Sprint Nextel)
• 100+ Carriers
Operating Systems
• Apple
• iOS
• Android
• Nokia
• Symbian
• Samsung
• Bada
• Research In Motion
• RIM OS
• Microsoft
• Windows Phone 7
Statistics (Gartner)
• 2011: Tablet Sales – 60 Million Units Worldwide
• 2012: Tablet Sales – 119 Million Units Worldwide
Tablet Sales Projections [chart: units in thousands for 2011, 2012, 2013 and 2016, series iOS, Android, Microsoft]
Statistics (Gartner) [chart: 1Q 2011 vs 1Q 2012, units in thousands]
Google Nexus
• January 2010 – Nexus One (N1) Released
• Developed by HTC
• Unlocked
• Sold Directly by Google
• Nexus S
• Developed by Samsung
• WiFi Hotspot Capability
• Internet Calling
• Near Field Communication (NFC)
• Galaxy Nexus Coming Soon with Jelly Bean 4.1
Near Field
Communication (NFC)
• Close Proximity Radio Communication
• Based on RFID Standards
• NFC Forum Founded by Sony, Nokia, Philips
• Google Wallet
• Credit Cards
• Loyalty Cards
• MasterCard PayPass
• Public Transportation Ticketing
Q1 – 2012 OS Market Share (pie chart)
• Android 56.6%
• iOS 23.1%
• Symbian 8.7%
• Research In Motion 7.0%
• Bada 2.7%
• Microsoft 1.9%
Android
• Networks:
• GSM
• iDEN
• CDMA
• Devices:
• Smartphones
• Tablets
• eReaders
• App Market
• 700,000+
Evidence
• cache.wifi
• Path: /data/data/com.google.android.location/files/cache.wifi
• Google Location Cache of WiFi Access Points (BSSIDs) Seen by the Device
• Device Does Not Need to Connect for an Access Point to Be Recorded
• Can Be Mapped
• fb.db (Facebook App Database)
• Contacts
• Chat Logs
• Messages
• Photos
• Searches
Evidence
• EmailProvider.db
• Path:
/data/data/com.android.email/databases/EmailProvider.db
• HostAuth Table: Exchange Server Address, Login & Password in Plaintext
• Gmail Login & Password in Plaintext
Evidence
• SMS & MMS
• Path: /data/data/com.android.providers.telephony/databases/mmssms.db
• Contains:
• Sender & Recipient
• Read Status
• Pictures
• Audio/Video
• MMS
• Path: /data/data/com.android.mms
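The two Evidence slides above (EmailProvider.db with its HostAuth table, and the telephony provider's SMS store) as an added worked example of pulling the artifacts out of SQLite; this is not code from the presentation. It builds throwaway in-memory copies of the two databases with the table and column names Android 2.x–4.x used, then queries them the way an examiner would query a copy pulled from the device. The rows are constructed, and the schemas are trimmed to the columns used here (the real tables carry many more).

```python
"""Extract clear-text mail credentials and SMS records from Android SQLite stores.
Added example; the databases are rebuilt in memory with constructed rows."""
from __future__ import annotations

import sqlite3
from datetime import datetime, timezone

# Android's sms.type values (Telephony.TextBasedSmsColumns)
SMS_TYPES = {1: "received", 2: "sent", 3: "draft", 4: "outbox", 5: "failed", 6: "queued"}


def build_sample_email_db() -> sqlite3.Connection:
    """Stand-in for /data/data/com.android.email/databases/EmailProvider.db."""
    con = sqlite3.connect(":memory:")
    con.execute("""CREATE TABLE HostAuth (
        _id INTEGER PRIMARY KEY, protocol TEXT, address TEXT, port INTEGER,
        flags INTEGER, login TEXT, password TEXT)""")
    con.executemany(
        "INSERT INTO HostAuth (protocol, address, port, flags, login, password) "
        "VALUES (?, ?, ?, ?, ?, ?)",
        [("eas", "mail.example.com", 443, 5, "corp\\jdoe", "Winter2012!"),   # constructed
         ("imap", "imap.example.net", 993, 1, "jdoe@example.net", "hunter2")])
    con.commit()
    return con


def extract_host_auth(con: sqlite3.Connection) -> list:
    """The credentials the slide warns about: one clear-text row per mail host."""
    rows = con.execute(
        "SELECT protocol, address, port, login, password FROM HostAuth ORDER BY _id")
    return [dict(zip(("protocol", "address", "port", "login", "password"), r)) for r in rows]


def build_sample_sms_db() -> sqlite3.Connection:
    """Stand-in for /data/data/com.android.providers.telephony/databases/mmssms.db."""
    con = sqlite3.connect(":memory:")
    con.execute("""CREATE TABLE sms (
        _id INTEGER PRIMARY KEY, thread_id INTEGER, address TEXT, date INTEGER,
        read INTEGER, type INTEGER, body TEXT)""")
    con.executemany(
        "INSERT INTO sms (thread_id, address, date, read, type, body) VALUES (?, ?, ?, ?, ?, ?)",
        [(1, "+12125550142", 1345305731000, 1, 1, "meet at 7th and 44th"),  # constructed
         (1, "+12125550142", 1345305790000, 1, 2, "on my way"),
         (2, "+17185550177", 1345309331000, 0, 1, "call me")])
    con.commit()
    return con


def extract_sms(con: sqlite3.Connection) -> list:
    """sms.date is epoch milliseconds, type encodes direction, read is 0/1."""
    out = []
    for _id, address, date_ms, read, typ, body in con.execute(
            "SELECT _id, address, date, read, type, body FROM sms ORDER BY date"):
        out.append({
            "id": _id,
            "direction": SMS_TYPES.get(typ, f"unknown({typ})"),
            "address": address,
            "timestamp_utc": datetime.fromtimestamp(date_ms // 1000, tz=timezone.utc).isoformat(),
            "read": bool(read),
            "body": body,
        })
    return out


if __name__ == "__main__":
    for row in extract_host_auth(build_sample_email_db()):
        print(row)
    for msg in extract_sms(build_sample_sms_db()):
        print(msg)
```

On a real pull, open the copied database read-only (`sqlite3.connect("file:mmssms.db?mode=ro", uri=True)`) and copy any `-journal` or `-wal` file alongside it; deleted messages often survive only in those files and in unallocated pages, which a plain `SELECT` will not show.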
Device Security
• PIN-Protect
• Numeric
• Password
• Alpha/Numeric/Character
• Pattern Lock
• Gesture
Security
• gesture.key
• Pattern-Lock Protection
• Finger Swipe
• Path: /data/system/gesture.key
• Unsalted SHA-1 Hash of the Pattern (One Byte per Grid Point, in Swipe Order), Not Encryption
• Recover with Online Tools or a Precomputed Table of Every Valid Pattern (Rainbow Table)
Security
• password.key (Shown as pc.key on the Original Slide)
• Password / PIN Protection
• Path: /data/system/password.key
• Salted SHA-1 + MD5 Hash of the Password; Salt Stored Separately in settings.db (lockscreen.password_salt)
• Recover with Brute Force or Dictionary Attack
• Most Difficult to Break
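The two Security slides above, as an added worked example that is not part of the presentation: recovering a pattern from gesture.key and a password from password.key. gesture.key is the raw 20-byte SHA-1 of the pattern's grid points (0–8, row-major, one byte each, no salt), so instead of a rainbow table the whole space of valid patterns (389,112 of them) can be enumerated on the spot. password.key is understood here as the Android 2.x–4.x LockPatternUtils format: uppercase hex of SHA-1(password+salt) followed by MD5(password+salt), where the salt is the lockscreen.password_salt long from settings.db rendered as lowercase hex. The keys and the salt below are constructed from known secrets.

```python
"""Recover Android lock-screen secrets from gesture.key and password.key.
Added example; sample keys are built from known secrets and a constructed salt."""
import hashlib
from typing import Iterator, Optional, Sequence, Tuple

Pattern = Tuple[int, ...]


def _midpoint(a: int, b: int) -> Optional[int]:
    """Grid point lying exactly between a and b on the 3x3 grid, or None."""
    ra, ca = divmod(a, 3)
    rb, cb = divmod(b, 3)
    if (ra + rb) % 2 or (ca + cb) % 2:
        return None
    return ((ra + rb) // 2) * 3 + (ca + cb) // 2


def valid_patterns(min_len: int = 4, max_len: int = 9) -> Iterator[Pattern]:
    """Every pattern Android accepts: 4-9 distinct points, and a stroke may only
    pass over an intermediate point that is already part of the pattern."""
    def extend(path: list, visited: set) -> Iterator[Pattern]:
        if len(path) >= min_len:
            yield tuple(path)
        if len(path) == max_len:
            return
        for nxt in range(9):
            if nxt in visited:
                continue
            mid = _midpoint(path[-1], nxt)
            if mid is not None and mid not in visited:
                continue
            path.append(nxt)
            visited.add(nxt)
            yield from extend(path, visited)
            path.pop()
            visited.discard(nxt)

    for start in range(9):
        yield from extend([start], {start})


def gesture_key(pattern: Sequence[int]) -> bytes:
    """Contents of /data/system/gesture.key for a pattern."""
    return hashlib.sha1(bytes(pattern)).digest()


def crack_gesture_key(key: bytes) -> Optional[Pattern]:
    """Exhaustive search; the space is small enough that no table is needed."""
    return next((p for p in valid_patterns() if gesture_key(p) == key), None)


def password_key(password: str, salt: int) -> str:
    """Contents of /data/system/password.key for a password and its settings.db salt.
    The salt is a signed 64-bit value; format(salt & mask, 'x') matches Java's
    Long.toHexString, including the two's-complement form for negative salts."""
    salted = (password + format(salt & 0xFFFFFFFFFFFFFFFF, "x")).encode()
    return (hashlib.sha1(salted).hexdigest() + hashlib.md5(salted).hexdigest()).upper()


def crack_password_key(key: str, salt: int, wordlist: Sequence[str]) -> Optional[str]:
    """Dictionary attack; the salt only stops precomputation, not guessing."""
    target = key.strip().upper()
    return next((w for w in wordlist if password_key(w, salt) == target), None)


if __name__ == "__main__":
    # Constructed gesture.key for the pattern 0-1-2-5-8 (top row, then down the right)
    print(crack_gesture_key(gesture_key((0, 1, 2, 5, 8))))
    salt = -4563719598302147395                      # constructed settings.db value
    key = password_key("1234", salt)                 # constructed password.key
    print(crack_password_key(key, salt, ["password", "0000", "1234"]))
```

Both files live under /data/system, so reading them needs root, a custom recovery, or a physical image; on a handset that also runs full-disk encryption the files are only reachable after the user's boot-time passphrase has been entered.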