mobile forensics -...
TRANSCRIPT
– http://en.wikipedia.org/wiki/Forensic
“Mobile device forensics is a branch of digital forensics relating to recovery of digital evidence or data from a mobile device under forensically sound conditions. The phrase mobile device usually refers to mobile phones; however, it can also relate to any
digital device that has both internal memory and communication ability, including PDA devices, GPS
devices and tablet computers.”
Variables
Smart Phone firmware and software varies by carrier (Verizon, AT&T, Sprint, etc.)
Android phone firmware and software varies by manufacturer (LG, HTC, Samsung, etc.)
Android software versions are Alpha, Beta, Cupcake, Donut, Eclair, Froyo, Gingerbread, Honeycomb, Ice Cream Sandwich, Jelly Bean, KitKat, Lollipop
iPhone versions 1x thru 8x
Some Android phones have internal memory as well as external memory
iPhones, iPads and iPods have internal memory only (16 GB to 128 GB)
There are millions of Apps available from Google Play, the App Store, and third-party websites (including jailbreaking).
Other Variables
“Jail Breaking”
Decoy Apps
Pre-paid phones
Spyware
Malware
User Apps created via open source SDK
Wifi only users (no carrier)
Users
Encryption
Screen locks / Passwords
Our Mobile Lab
XRY
Cellebrite
Lantern
Mobiledit
EnCase
MPE+
dSolo
IEF
Data Pilot
Hex-editor
Wireless sandbox
Faraday bags/cages
Packet capturing software
Open source tools
No one program does the job!
Before you choose a mobile forensics lab?
In theory, a mobile forensics lab can process the subject device with one tool and truthfully state that they conducted a forensic examination
Some tools are better at uncovering deleted texts, other tools are better at recovering photos. Those tools may not uncover third-party apps
A reputable lab will process the subject device with multiple tools to validate their findings
Alternative Data Collection
Android data can be extracted from an SD card using an APK
F-Response provides forensic extraction over the Internet
iTunes backup from a computer and/or iCloud backup
Wireless sandboxing
A controlled environment that allows the examiner to monitor communications from the subject device
Allows the examiner to see which websites/IP addresses the phone is communicating with
Provides insight into hidden apps and spyware
FAQs
Q: Can we bypass the screen lock code?
A: Depends on the phone and its software version
Q: How far back can we go to collect deleted text messages?
A: Text messages are stored in a SQLite database; how far back the history goes depends on how often the user deletes and receives texts, as well as the memory size
Q: Can an iDevice that was remotely wiped be recovered?
A: No. As such, it’s imperative to keep devices in a Faraday cage or in airplane mode
Q: Can spyware be installed without physical access to the phone?
A: Yes and no. Android phones are vulnerable to remote spyware deployment. iDevices are not; however, new spyware tools can collect data via iCloud
Q: Can the fingerprint reader be bypassed?
A: Yes, particularly if you are a heavy sleeper. Also, a judge can compel you to place your finger on the phone
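The FAQ above notes that text history lives in a SQLite database and depends on how often the user deletes messages. As an added example that is not part of the original presentation, this Python script builds a constructed message table (a stand-in, not the real Android or iOS schema), deletes one row, and shows that the deleted text still sits in the file's freed space until the database is rebuilt with VACUUM, which is why carving the raw file can recover more than a plain query.

```python
# Added example (not from the original presentation): deleted message rows often
# survive in a SQLite file's freed space until VACUUM rebuilds it. The table is a
# constructed stand-in, not the real Android or iOS message schema.
import os
import sqlite3
import tempfile

DELETED_BODY = "meet at the usual place at 9"  # constructed sample message

def build_db(path):
    """Create a small constructed message store, then delete one row."""
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA secure_delete = OFF")  # common stock default, set explicitly
    conn.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, peer TEXT, body TEXT)")
    rows = [(1, "+15550100", "running late"),
            (2, "+15550199", DELETED_BODY),
            (3, "+15550100", "ok see you there")]
    conn.executemany("INSERT INTO messages VALUES (?, ?, ?)", rows)
    conn.commit()
    conn.execute("DELETE FROM messages WHERE id = 2")  # the user 'deletes' a text
    conn.commit()
    conn.close()

def live_bodies(path):
    """What a plain query (or a tool that only runs SQL) can see."""
    conn = sqlite3.connect(path)
    out = [r[0] for r in conn.execute("SELECT body FROM messages ORDER BY id")]
    conn.close()
    return out

def carve_string(path, needle):
    """Scan the raw file bytes: freed cell space keeps old content until reused."""
    with open(path, "rb") as fh:
        return needle.encode("utf-8") in fh.read()

def vacuum(path):
    """Rebuild the file; only live rows are copied, so freed content is dropped."""
    conn = sqlite3.connect(path)
    conn.execute("VACUUM")
    conn.close()

def demo():
    """Return (live rows, deleted text still in file) before and after VACUUM."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "messages.db")
        build_db(path)
        before = (live_bodies(path), carve_string(path, DELETED_BODY))
        vacuum(path)
        after = (live_bodies(path), carve_string(path, DELETED_BODY))
        return before, after
```

The same reasoning applies to a device that keeps receiving and deleting messages: each new write can reuse freed space, so the sooner the device is isolated and imaged, the more of the deleted history is still carvable.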
Cyber Bullying and Stalking
We offer free mobile forensics to parents who believe that their children are victims of these offenses.
What should you do if you suspect evidence is on a mobile device?
Immediately place the phone in airplane mode
The battery should only be removed if you can’t figure out how to place the phone in airplane mode
Never attempt to conduct your own investigation by looking through the device
Read our guide for first responders