[Slide 1]
cmdLabs>
Mobile Device Forensics Essentials
Everything you need to know but were afraid to ask!
Eoghan Casey, cmdLabs
[Slide 2]
Pervasive Computing
• Billions of devices worldwide
  – China (540+ million)
  – Europe (400+ million)
  – India (360 million)
  – United States (270 million)
• People carrying multiple devices
[Slide 3]
Mobile Misuse and Malware
• Unauthorized access
  – Bluetooth hacking
  – Spyware
  – IPv6
• Eavesdropping on communications
• Tracking device location
• Server reconfiguration
• Access to desktop sync/backups
[Slide 4]
Categories of Evidence
• Who
  – Owner details and user accounts
  – Contacts and cohorts
  – Personalization (wallpaper, ringtones)
• When
  – Calendar items
  – File system metadata
  – Timestamps may not be immediately visible
• What
  – Phone call database
  – E-mail and memos
  – SMS / MMS
  – Internet and LAN access
  – Visited URLs and saved pages
• Where
  – Location information
[Slide 5]
Case: Murder
• John Gaumer
  – Met Josie Brown on Myspace
  – Arranged a date and killed her
• Victim's phone provided clues
  – Last location contradicted Gaumer
  – Accidental voicemail from Gaumer's phone
  – "thumping noises, shouting and brief bursts of a woman's muffled screams"
[Slide 6]
GPS Remnants
• Cached map queries
  – Traffic or social networking applications
• GPS coordinates embedded in Exif
  N35 deg 36', E139 deg 41'
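The coordinate on the slide is what the GPS IFD of a JPEG's Exif block decodes to. The following is an added example (my code, not the deck's or cmdLabs') that walks the JPEG marker segments to the APP1 Exif segment, follows the GPSInfo pointer (tag 0x8825) into the GPS IFD and converts the degree/minute/second rationals into signed decimal degrees. No handset image ships with the page, so `build_sample_jpeg()` constructs a minimal Exif block that holds only N35 deg 36' / E139 deg 41', in either byte order; everything else (function names, the sample layout) is assumed for the example.

```python
"""Extract the GPS position from a JPEG's Exif APP1 segment.
Added example with the standard library only; the sample image is constructed."""
import struct

GPS_INFO_IFD = 0x8825
# Byte size of each TIFF field type (BYTE, ASCII, SHORT, LONG, RATIONAL, UNDEFINED, SLONG, SRATIONAL, IFD)
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8, 13: 4}


def find_exif_tiff(jpeg):
    """Walk marker segments from SOI; return the TIFF block inside the APP1 Exif segment."""
    if jpeg[:2] != b"\xff\xd8":
        return None
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker == 0xFF:                                   # fill byte
            pos += 1
            continue
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:  # standalone markers, no length
            pos += 2
            continue
        if marker in (0xD9, 0xDA):                           # EOI / SOS: no more APPn segments
            return None
        seglen = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        if marker == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00":
            return jpeg[pos + 10:pos + 2 + seglen]
        pos += 2 + seglen
    return None


def read_ifd(tiff, offset, endian):
    """{tag: (type, count, 4 raw value/offset bytes)} for the IFD at offset."""
    n = struct.unpack(endian + "H", tiff[offset:offset + 2])[0]
    entries = {}
    for i in range(n):
        e = offset + 2 + 12 * i
        tag, typ, count = struct.unpack(endian + "HHI", tiff[e:e + 8])
        entries[tag] = (typ, count, tiff[e + 8:e + 12])
    return entries


def entry_bytes(tiff, entry, endian):
    """Value is stored inline when it fits in 4 bytes, otherwise at the given offset."""
    typ, count, raw = entry
    size = TYPE_SIZE.get(typ, 1) * count
    if size <= 4:
        return raw[:size]
    off = struct.unpack(endian + "I", raw)[0]
    return tiff[off:off + size]


def exif_gps(jpeg):
    """Return {'lat', 'lon', 'lat_dms', 'lon_dms'} or None when no GPS IFD is present."""
    tiff = find_exif_tiff(jpeg)
    if tiff is None:
        return None
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])   # phones write either byte order
    if endian is None:
        return None
    ifd0 = read_ifd(tiff, struct.unpack(endian + "I", tiff[4:8])[0], endian)
    if GPS_INFO_IFD not in ifd0:
        return None
    gps_off = struct.unpack(endian + "I", entry_bytes(tiff, ifd0[GPS_INFO_IFD], endian))[0]
    gps = read_ifd(tiff, gps_off, endian)
    result = {}
    for axis, ref_tag, val_tag in (("lat", 0x0001, 0x0002), ("lon", 0x0003, 0x0004)):
        if ref_tag not in gps or val_tag not in gps:
            return None
        ref = entry_bytes(tiff, gps[ref_tag], endian).rstrip(b"\x00").decode("ascii", "replace")
        parts = [num / den if den else 0.0
                 for num, den in struct.iter_unpack(endian + "II", entry_bytes(tiff, gps[val_tag], endian))]
        if len(parts) != 3:
            return None
        d, m, s = parts
        sign = -1.0 if ref in ("S", "W") else 1.0
        result[axis] = sign * (d + m / 60 + s / 3600)
        result[axis + "_dms"] = f"{ref}{d:g} deg {m:g}' {s:g}\""
    return result


def build_sample_jpeg(endian="<"):
    """Constructed input: SOI, APP1 Exif whose IFD0 only points at a GPS IFD, EOI."""
    e = endian
    hdr = b"II*\x00" if e == "<" else b"MM\x00*"
    ifd0 = (struct.pack(e + "H", 1)
            + struct.pack(e + "HHII", GPS_INFO_IFD, 4, 1, 26)    # GPS IFD at TIFF offset 26
            + struct.pack(e + "I", 0))
    gps = (struct.pack(e + "H", 4)
           + struct.pack(e + "HHI4s", 0x0001, 2, 2, b"N\x00\x00\x00")  # GPSLatitudeRef, inline
           + struct.pack(e + "HHII", 0x0002, 5, 3, 80)                 # GPSLatitude: 3 RATIONALs at 80
           + struct.pack(e + "HHI4s", 0x0003, 2, 2, b"E\x00\x00\x00")  # GPSLongitudeRef
           + struct.pack(e + "HHII", 0x0004, 5, 3, 104)                # GPSLongitude at 104
           + struct.pack(e + "I", 0))
    lat = struct.pack(e + "6I", 35, 1, 36, 1, 0, 1)     # 35 deg 36' 0"
    lon = struct.pack(e + "6I", 139, 1, 41, 1, 0, 1)    # 139 deg 41' 0"
    tiff = hdr + struct.pack(e + "I", 8) + ifd0 + gps + lat + lon
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


if __name__ == "__main__":
    print(exif_gps(build_sample_jpeg()))
```

The same GPS IFD usually also carries GPSTimeStamp (0x0007) and GPSDateStamp (0x001D), which the Exif specification defines as UTC from the receiver; treat them as a clock independent of the handset's own file-system timestamps when building a timeline.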
[Slide 7]
Investigation Dictates Goals
• Logical acquisition may be sufficient
  – Items from AT or proprietary commands
  – User backup utilities
• Software agent using device API
• Physical acquisition
  – Need to recover lock code
  – Need to recover deleted data
• Whatever can be acquired…
  – Should be complete and accurate
[Slide 8]
In-Field Challenges
• No data cable
  – Try Bluetooth
• Lock codes
• Unsupported device
  – Select a similar model
  – Manual examination
• Forensic tool glitch
[Slide 9]
Logical Acquisition
• Extraction of data seen by the user on the device
• Does not acquire deleted data
• Even forensic tools may not capture all logical data
[Slide 10]
Example: Failed Acquisition (iDEN)
• You can't spell evidence without "iDEN"
  – Videos/photos visible on device
• Cellebrite
  – Phonebook only
• Paraben acquisition errors
  – Flex: "Unknown packet"
  – User space: "Unknown Crap Signature"
[Slide 11]
Motorola iDEN Backup
[Slide 12]
Example of Tool Limitations
• Cellebrite
• .XRY
[Slide 13]
Example of Tool Limitations
• BitPim
• ForensicMobile
[Slide 14]
Lessons Learned
• Forensic practitioners
  – Non-forensic tool may recover more data…
  – Or not!
• Forensic tool developers
  – State what level of support up front
  – Get the basics right first
  – Try to be consistent
[Slide 15]
Where do we draw the line?
• Microsoft ActiveSync
  – Interacts with device and alters system
• Flash & Backup
  – Reset home screen photo on test device
• Jailbreak
  – Modifies the device
• Remote access
  – Sync to BES server
[Slide 16]
Recovering Unlock Codes
• User manual
  – Default lock code
  – Security bypass code
• Motorola SEEM
  – P2K Commander
  – BitPim
• Some CDMA forensic tools
  – ForensicMobile
1234
[Slide 17]
Forensic Acquisition of Windows Mobile 6
How complete is your analysis if…
• Your software agent can't execute
  – Won't run unsigned applications
• Important files are empty
  – Files locked by the operating system
• Some tools only acquire limited items
• Your tools don't understand the data
  – Proprietary database format
[Slide 18]
WM6: Failed Acquisition
• Software agent advantages
  – Access to more data
  – Control changes
  – Known impact
• Software agent won't run
  – Can change Registry value (this alters the device: record the original value and the change in the examination notes)
[Slide 19]
WM6: Locked Files are Empty
[Slide 20]
WM6: Varying Results with Different Tools
• Cellebrite
  – Contacts, images, videos, ringtones
• Paraben
  – Some files, deleted filenames
• .XRY
  – SMS, call logs, images, videos…
• XACT
  – Entire FAT volume
  – Using Flash Abstraction Layer
[Slide 21]
Lesson Learned
• Forensic practitioners
  – Non-forensic tools are less effective
  – Forensic tools provide widely varying results
• Forensic tool developers
  – Be clear about what is acquired
  – Don't delete the agent afterwards
[Slide 22]
Flasher Boxes
• Designed to update flash memory
  – Twister
  – HWK
  – UFS3
  – SHU box
  – JAF box
• Cables!
[Slide 23]
Twister & SaraSoft
[Slide 24]
Beware of Overwriting Evidence
• Sarasoft
  – Designed for flashing
[Slide 25]
Limited Models and Firmware
• Nokia 6230
  – Some firmware does not support direct memory access
• Twister box
  – Rd MEM error
  – Rd PM success
[Slide 26]
Example: Deleted Photos (Samsung)
[Slide 27]
Example: Deleted Text Messages (Motorola)
[Slide 28]
Bomb Investigation (Alphabet Soup)
• IKEA
• IED (improvised explosive device)
• No SIM
• IMSI in memory (International Mobile Subscriber Identity, normally read from the SIM)
• NSPs have CDRs (network service providers keep call detail records)
[Slide 29]
WM6: Interpreting Data (FAT & EDB)
[Slide 30]
WM6: Interpreting Data using Emulator
• Mount acquired file
• Examine details
• Call history example
  – Log of recent calls
  – Drill down for details
[Slide 31]
Keyword Searching
• ASCII and Unicode
• Regular expressions
• Nibble reversed format
• 7-bit encoded
BKForensics CPA extracting e-mail addresses & URLs from Samsung memory dump
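The searches the slide lists, and the 7-bit packing the next slide is titled after, as an added example (my code, not the deck's and not BKForensics' CPA). A phone number or IMSI lives in a dump as nibble-reversed BCD, SMS text as GSM 7-bit septets packed LSB-first into octets, so a plain ASCII or Unicode search misses both. Packed text is the awkward one: the same word produces different bytes depending on its septet position in the message, so the search below tries all eight bit alignments with a bit mask instead of an exact byte match. The dump is constructed; `gsm7_pack("hellohello")` is checked against the usual E8329BFD4697D9EC37 test vector.

```python
"""Keyword search over a raw handset dump in ASCII, UTF-16LE, nibble-reversed
BCD and GSM 7-bit packed form.  Added example; the dump is constructed."""
import re

# GSM 03.38 default alphabet, indexed by septet value 0x00..0x7F.
GSM7 = ("@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ !\"#¤%&'()*+,-./0123456789"
        ":;<=>?¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà")


def gsm7_pack(text):
    """Pack septets LSB-first into octets (SMS TP-UD layout, no UDH)."""
    value = 0
    for i, ch in enumerate(text):
        value |= GSM7.index(ch) << (7 * i)
    return value.to_bytes((7 * len(text) + 7) // 8, "little")


def gsm7_unpack(data, nseptets):
    """Inverse of gsm7_pack; nseptets is the TP-UDL (septet count)."""
    value = int.from_bytes(data, "little")
    return "".join(GSM7[(value >> (7 * i)) & 0x7F] for i in range(nseptets))


def semi_octets(digits):
    """Nibble-reversed BCD as in TP-OA/TP-DA, IMSI, ICCID: '1234' -> 21 43 (odd length: F filler)."""
    if len(digits) % 2:
        digits += "F"
    return bytes(int(digits[i + 1] + digits[i], 16) for i in range(0, len(digits), 2))


def gsm7_patterns(text):
    """(pattern, mask) for each of the 8 septet alignments the text can sit at."""
    septets = [GSM7.index(ch) for ch in text]
    n = len(septets)
    out = []
    for k in range(8):
        start = 7 * k                        # bit offset of the first text septet
        value = 0
        for i, s in enumerate(septets):
            value |= s << (start + 7 * i)
        mask = ((1 << (7 * n)) - 1) << start  # bits that belong to the text, not the neighbours
        first, last = start // 8, (start + 7 * n - 1) // 8
        width = last - first + 1
        out.append(((value >> (8 * first)).to_bytes(width, "little"),
                    (mask >> (8 * first)).to_bytes(width, "little")))
    return out


def masked_find(buf, pattern, mask):
    """Offsets where buf equals pattern on the bits selected by mask."""
    return [o for o in range(len(buf) - len(pattern) + 1)
            if all((buf[o + i] & mask[i]) == pattern[i] for i in range(len(pattern)))]


def search_all(dump, keyword):
    """Offsets of keyword per encoding; BCD is only meaningful for digit strings."""
    def find(needle):
        return [m.start() for m in re.finditer(re.escape(needle), dump)]
    hits = {"ascii": find(keyword.encode("ascii")),
            "utf16le": find(keyword.encode("utf-16-le")),
            "gsm7": sorted({o for p, m in gsm7_patterns(keyword) for o in masked_find(dump, p, m)})}
    if keyword.isdigit():
        hits["bcd"] = find(semi_octets(keyword))
    return hits


# Constructed dump: filler, a PDU-style TP-DA for 15551234567, the classic
# "hellohello" TP-UD, a UTF-16LE "hello", and "hello" packed two septets into
# a message so it sits at a different bit alignment.
DUMP = (b"\xff" * 8
        + b"\x0b\x91" + semi_octets("15551234567")
        + b"\x00\x00\x0a" + gsm7_pack("hellohello")
        + b"\xff" * 4 + "hello".encode("utf-16-le")
        + b"\xff" * 4 + gsm7_pack("abhello")
        + b"\xff" * 4)

if __name__ == "__main__":
    print(search_all(DUMP, "hello"), search_all(DUMP, "15551234567"))
```

Once a packed hit is located, `gsm7_unpack` with the TP-UDL read from the PDU header recovers the whole message; for an IMSI the same `semi_octets` form applies, with the SIM's EF_IMSI adding a length byte and a parity nibble in front of the digits.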
[Slide 32]
SMS 7-bit Encoding
Tool log (transcribed from the slide):
MAIN Success Connected to Motorola USB Modem [COM11]
MAIN Success Starting process of FLASHDUMP (4.10)
FLASHDUMP Success Connecting…
FLASHDUMP Success Firmware R452F1_G_08.05.04R
FLASHDUMP Success Flex GSTCPRIRTMB01NA097
FLASHDUMP Success Boot Loader 0x0ac3
FLASHDUMP Success Installing Flash Loader
FLASHDUMP Success Flash Loader Connected
FLASHDUMP Success Reading 64MB FLASH
FLASHDUMP Success Reading 10000000-1000FFFF,Boot
FLASHDUMP Success Reading 10010000-1001FFFF,PDS
FLASHDUMP Success Reading 10020000-1003FFFF
FLASHDUMP Success Reading 10040000-10091FFF,DSP
FLASHDUMP Success Reading 10092000-115DFFFF,Firmware
FLASHDUMP Success Reading 115E0000-1185FFFF,DRM
FLASHDUMP Success Reading 11860000-11ABFFFF,LangPack
FLASHDUMP Success Reading 11AC0000-13F5FFFF,Flex
FLASHDUMP Success Reading 13F60000-13F7FFFF
FLASHDUMP Success Reading 13F80000-13F9FFFF,DigSig
FLASHDUMP Success Reading 13FA0000-13FDFFFF
FLASHDUMP Success Reading 13FE0000-13FE07FF,DigSig
FLASHDUMP Success Reading 13FE0800-13FFFFFF
FLASHDUMP Success Saved 67108864 Bytes from 10000000-13FFFFFF
FLASHDUMP Success Totally Saved 67108864 Bytes from FLASH
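A physical dump is only as complete as the region list the tool prints, so the first check on a log like the one above is that the regions are contiguous and that their sizes add up to the byte count the tool claims. The following added script (mine, not the flashing tool's or the deck's) parses the Reading/Saved lines from that log and reports gaps, overlaps and a size mismatch; the region names after the comma are taken as-is from the log and nothing is assumed about what they contain.

```python
"""Consistency check for a flasher-tool dump log: contiguous regions, sizes
that add up to the declared total.  Added example; LOG is the slide's log."""
import re

LOG = """\
FLASHDUMP Success Reading 64MB FLASH
FLASHDUMP Success Reading 10000000-1000FFFF,Boot
FLASHDUMP Success Reading 10010000-1001FFFF,PDS
FLASHDUMP Success Reading 10020000-1003FFFF
FLASHDUMP Success Reading 10040000-10091FFF,DSP
FLASHDUMP Success Reading 10092000-115DFFFF,Firmware
FLASHDUMP Success Reading 115E0000-1185FFFF,DRM
FLASHDUMP Success Reading 11860000-11ABFFFF,LangPack
FLASHDUMP Success Reading 11AC0000-13F5FFFF,Flex
FLASHDUMP Success Reading 13F60000-13F7FFFF
FLASHDUMP Success Reading 13F80000-13F9FFFF,DigSig
FLASHDUMP Success Reading 13FA0000-13FDFFFF
FLASHDUMP Success Reading 13FE0000-13FE07FF,DigSig
FLASHDUMP Success Reading 13FE0800-13FFFFFF
FLASHDUMP Success Saved 67108864 Bytes from 10000000-13FFFFFF
"""

REGION = re.compile(r"Reading ([0-9A-F]{8})-([0-9A-F]{8})(?:,(\S+))?\s*$")
SAVED = re.compile(r"Saved (\d+) Bytes from ([0-9A-F]{8})-([0-9A-F]{8})")


def parse_log(log):
    """Return ([(lo, hi, name)], (nbytes, lo, hi)) from the tool's Reading/Saved lines."""
    regions, saved = [], None
    for line in log.splitlines():
        m = REGION.search(line)
        if m:
            regions.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3) or "(unnamed)"))
            continue
        m = SAVED.search(line)
        if m:
            saved = (int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16))
    return regions, saved


def check_dump(regions, saved):
    """Gaps and overlaps between the reported regions, plus whether the sizes agree."""
    nbytes, lo_all, hi_all = saved
    report = {"gaps": [], "overlaps": []}
    expected = lo_all
    for lo, hi, name in sorted(regions):
        if lo > expected:
            report["gaps"].append((expected, lo - 1))
        elif lo < expected:
            report["overlaps"].append((lo, expected - 1, name))
        expected = max(expected, hi + 1)
    if expected <= hi_all:
        report["gaps"].append((expected, hi_all))
    total = sum(hi - lo + 1 for lo, hi, _ in regions)
    report["size_ok"] = total == nbytes == hi_all - lo_all + 1
    return report


if __name__ == "__main__":
    regs, sv = parse_log(LOG)
    rep = check_dump(regs, sv)
    print(rep["size_ok"], [(hex(a), hex(b)) for a, b in rep["gaps"]], rep["overlaps"])
```

The check says nothing about whether the bytes read are correct; hash the dump file, repeat the acquisition when the device allows it, and compare, since a flasher box that reads successfully one time and errors the next (the Twister "Rd MEM error" slide) is exactly the case this cannot catch.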
[Slide 33]
File Carving
• Foremost
  – JFIF = 0xFFD8FFE0
  – Exif = 0xFFD8FFE1
• Beware of Samsung JPG header
  – 0xFFD8FFE3
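A header/footer carver that includes the Samsung 0xFFD8FFE3 signature, as an added example (my code, not Foremost's and not the deck's). It also handles a trap the slide does not mention but that bites any first-FFD9-after-header carver: an Exif JPEG usually carries a thumbnail, a complete second JPEG with its own SOI/EOI, inside APP1, so the first FFD9 after the header ends the thumbnail, not the file. The carver therefore walks the marker segments up to SOS, where entropy-coded data byte-stuffs every FF and the next FFD9 really is the end. The dump, the `fake_jpeg()` layout and the names are constructed for the example.

```python
"""JPEG carving from a raw dump with the Samsung header and a segment walk
that survives embedded thumbnails.  Added example; the dump is constructed."""
import re

HEADERS = {
    b"\xff\xd8\xff\xe0": "JFIF",          # Foremost's JFIF signature, as on the slide
    b"\xff\xd8\xff\xe1": "Exif",          # Foremost's Exif signature, as on the slide
    b"\xff\xd8\xff\xe3": "Samsung APP3",  # the header the slide warns about
}
DEFAULT_HEADERS = {h: k for h, k in HEADERS.items() if h[3] != 0xE3}
EOI = b"\xff\xd9"


def jpeg_end(dump, start, limit):
    """End offset (exclusive) of the JPEG at start, or None when it is cut off."""
    pos = start + 2
    while pos + 4 <= limit and dump[pos] == 0xFF:
        marker = dump[pos + 1]
        if marker == 0xFF:                                # fill byte
            pos += 1
            continue
        if marker == 0xD9:                                # EOI before any scan
            return pos + 2
        if marker == 0xDA:                                # SOS: FF is byte-stuffed from here on
            end = dump.find(EOI, pos, limit)
            return end + 2 if end != -1 else None
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:      # standalone markers
            pos += 2
            continue
        pos += 2 + int.from_bytes(dump[pos + 2:pos + 4], "big")
    return None


def carve_jpegs(dump, headers=HEADERS, max_size=20_000_000, walk=True):
    """[(offset, length or None, kind)] for every header hit; walk=False mimics
    a naive first-footer carver so the thumbnail truncation can be seen."""
    pattern = re.compile(b"|".join(re.escape(h) for h in headers))
    found = []
    for m in pattern.finditer(dump):
        start = m.start()
        limit = min(len(dump), start + max_size)
        if walk:
            end = jpeg_end(dump, start, limit)
        else:
            hit = dump.find(EOI, start + 4, limit)
            end = hit + 2 if hit != -1 else None
        found.append((start, None if end is None else end - start, headers[m.group()]))
    return found


def fake_jpeg(app_marker, payload, body=b"\x12\x34\x56"):
    """Constructed: SOI, one APPn segment, a minimal SOS header, a few data bytes, EOI."""
    return (b"\xff\xd8" + bytes([0xFF, app_marker]) + (len(payload) + 2).to_bytes(2, "big") + payload
            + b"\xff\xda\x00\x04\x00\x01" + body + EOI)


THUMB = fake_jpeg(0xE0, b"JFIF\x00")
DUMP = (b"\x00" * 7
        + fake_jpeg(0xE3, b"SAMSUNG")                  # Samsung-style header
        + b"\xff" * 5
        + fake_jpeg(0xE1, b"Exif\x00\x00" + THUMB)     # Exif JPEG with an embedded thumbnail
        + b"\x00" * 3
        + fake_jpeg(0xE0, b"JFIF\x00")
        + b"\xaa" * 4
        + b"\xff\xd8\xff\xe1\x00\x10" + b"\x00" * 6)   # header whose body was overwritten

if __name__ == "__main__":
    for off, length, kind in carve_jpegs(DUMP):
        print(f"{off:#06x} {kind:<13} {length}")
```

The thumbnail inside the Exif file is reported as a hit of its own, which is desirable: a thumbnail is often all that survives of a deleted or overwritten full-size image. To get the same Samsung coverage from Foremost itself, add a rule for `\xff\xd8\xff\xe3` with footer `\xff\xd9` to foremost.conf in the same extension/case/size/header/footer layout as its existing jpg rule (check the comments in your installed copy for the exact column format).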
[Slide 34]
Future of Physical Acquisition
• JTAG interface
  – Test circuit
  – Read flash memory
  – Disabled by some manufacturers
• Direct chip access
[Slide 35]
What to Do?
• Validate results with multiple tools
• Publish tool evaluation and comparison
• Teach forensic examiners
  – How the underlying technology works
  – How to work around barriers and failures
• Improve physical acquisition and analysis
  – Transition from Flasher boxes
  – Facilitate access to JTAG
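"Validate results with multiple tools" is only useful if the two result sets can actually be compared, and tool exports rarely line up: column names differ, one tool prints numbers with spaces and dashes while the other gives bare digits, and one reports local time with an offset while the other reports UTC. The following added example (my code, not any vendor's) normalises two constructed SMS exports onto a common key and lists what each tool missed; the column names, time formats and direction labels are assumptions standing in for whatever your tools actually write.

```python
"""Cross-tool validation of SMS records: normalise two exports and diff them.
Added example; both exports are constructed."""
import csv
import io
from datetime import datetime, timezone

# Constructed export from "tool A": local time with UTC offset, formatted numbers.
TOOL_A = """number,time,dir,text
+1 555-123-4567,2009-05-12 14:03:00 -0400,in,hello
+1 555-123-4567,2009-05-12 14:05:10 -0400,out,hi there
+1 555-987-6543,2009-05-12 15:00:00 -0400,in,call me
"""

# Constructed export from "tool B": UTC timestamps, bare digits, different labels.
TOOL_B = """address,timestamp,type,body
15551234567,2009-05-12T18:03:00Z,incoming,hello
15559876543,2009-05-12T19:00:00Z,incoming,call me
15550001111,2009-05-13T01:15:00Z,outgoing,late msg
"""


def load(text):
    return list(csv.DictReader(io.StringIO(text)))


def normalize(rows, number, time, direction, text, time_fmt, dir_map):
    """Map one tool's rows onto a common key: (digits only, UTC ISO time, in/out, text)."""
    keys = set()
    for r in rows:
        digits = "".join(ch for ch in r[number] if ch.isdigit())
        when = datetime.strptime(r[time], time_fmt).astimezone(timezone.utc)
        keys.add((digits, when.isoformat(), dir_map[r[direction]], r[text].strip()))
    return keys


def compare(a_text, b_text):
    """Records both tools agree on, and the ones only one of them reported."""
    a = normalize(load(a_text), "number", "time", "dir", "text",
                  "%Y-%m-%d %H:%M:%S %z", {"in": "in", "out": "out"})
    b = normalize(load(b_text), "address", "timestamp", "type", "body",
                  "%Y-%m-%dT%H:%M:%S%z", {"incoming": "in", "outgoing": "out"})
    return {"both": sorted(a & b), "only_a": sorted(a - b), "only_b": sorted(b - a)}


if __name__ == "__main__":
    for bucket, records in compare(TOOL_A, TOOL_B).items():
        print(bucket, records)
```

A record that shows up in only one tool is a lead, not a verdict: go back to the acquisition (or the raw dump, with the keyword search shown earlier) to establish which tool is right before it goes into the report.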
[Slide 36]
Upcoming Training
SANS Mobile Device Forensics
• July 27-31: Baltimore
  – Debut discount: $1,750 (50%)
• Sept 16-20: San Diego
See www.cmdLabs.com for details