Mobile Device Forensics at a glance
This article lays out the anatomy of mobile forensics as a cyclic process: the practice of applying sound methodologies for the preservation, acquisition, examination and analysis, and reporting of digital evidence on mobile devices.
The digital forensic community constantly faces the challenge of staying abreast of the latest technologies that may be used to expose relevant clues in an investigation. Corporations are extremely keen on mobile security to shield themselves from corporate espionage, monetary theft, and intellectual property theft.
7 key questions: who, what, why, when, where, how and how much?
Digital forensics (also known as digital forensic science) is a branch of forensic science covering the recovery and investigation of material found in digital devices, often in connection with computer crime. The term digital forensics was originally used as a synonym for computer forensics.
Mobile device forensics is the science of recovering digital evidence from a mobile device under forensically sound conditions using accepted methods. Mobile device forensics is an evolving specialty in the field of digital forensics. This guide attempts to bridge the gap by providing an in-depth look into mobile devices and explaining the technologies involved and their relationship to forensic procedures.
Need for Mobile Forensics
Mobile device forensics has expanded significantly over the past few years. The use of mobile phones in online transactions such as mobile banking, stock trading and flight/hotel reservations, together with their use by criminals for communications about illegal activities, has created a need for mobile device forensics.
Now that smartphones are becoming ubiquitous and their use is prevalent in almost every walk of life, information is becoming the crucial part. Furthermore, as the capabilities of smartphones keep developing, the amount and sensitivity of information these devices store also increases. With basic features like GPS, cellular, Wi-Fi, Bluetooth, camera, video recording, email, NFC, and more, it is critical for law enforcement and the private sector to have the capacity to perform forensics, because such information can be significant in an investigation.
Older model mobile phones used to store a limited amount of data that could be easily obtained by the forensics investigator. With the development of the smartphone, a significant amount of information can still be retrieved from the device by a forensics expert; however, the techniques to gather this information have become increasingly complicated. It is important for forensics investigators to develop an understanding of the working components of a mobile device and the appropriate tasks to perform when they deal with them on a forensic basis.
Smartphone and Smartphone vendor market share
After 20 years of evolution, there are a number of electronic personal devices labelled mobile devices on the market today. Mobile devices include cell phones; smartphones like the Apple iPhone and BlackBerry; personal digital assistants (PDAs); and digital audio players such as iPods and other MP3-type devices.
The worldwide smartphone market grew 28.2% year over year in the fourth quarter of 2014 (2014Q4), with shipments of 377.5 million units, according to data from the International Data Corporation. At the moment the mobile OS market share shows the following split: Android OS – 76.6%, Apple iOS – 19.7%, BlackBerry OS – 0.4% and Microsoft – 2.8%.
The exponential growth in smartphones comes with additional entry points for cybercrime.
Overall, the leading vendors are Samsung 19.9%, Apple 19.7%, Lenovo 6.5%, Huawei 6.3%, Xiaomi 4.4% and others 45.7%, so the majority of smartphones come from other vendors, and each device depends on what its manufacturer has designed. This is a challenge in the forensics world.
The biggest challenge that law enforcement, corporates and forensics investigators face today is effectively managing digital evidence obtained from mobile devices.
Some of the issues include:
- Complexity of the interface, storage media and hardware in mobile devices.
- File systems in mobile devices operate from volatile memory (computer memory that requires power to maintain stored information), as opposed to non-volatile memory devices like a standalone hard disk drive that do not require a maintained power supply.
- The wide variety of operating systems embedded in mobile devices.
- New mobile devices with their respective operating systems.
7 key Questions
| Question | Objective |
|---|---|
| Who | Gather information about the individual(s) involved |
| What | Determine the exact nature of the events that occurred |
| Where | Did the incident happen at offshore or onshore facilities? |
| When | Construct a timeline of events |
| Why | Uncover information that explains the motivation for the offense |
| How | Discover what tools or exploits were used |
| How much | Every single byte of information |
Mobile devices need to be identified by the make, model, and service provider. If the mobile device is not identifiable, photographing the front, back and sides of the device may be useful in identifying the make, model and current state (e.g., screen lock) at a later time. Most mobile devices keep user data in non-volatile memory (i.e. NAND). If the mobile device is powered on, battery removal will power it off, possibly causing an authentication mechanism to trigger when powered back on.
The main means of identification include:
- The make and manufacturer of a mobile device may be identified by its observable characteristics.
- The power connector can be specific to a manufacturer and may provide clues for device identification.
- For all mobile devices that use a UICC, the identity module is typically located under the battery and imprinted with a unique identifier called the Integrated Circuit Card Identification (ICCID). For powered-on GSM and UMTS phones, the International Mobile Equipment Identifier (IMEI) may be obtained by keying in *#06#. Similar codes exist for obtaining the Electronic Serial Number (ESN) or Mobile Equipment Identifier (MEID) from powered-on CDMA phones.
- The carrier for a mobile device may have its logo printed on the exterior. This is traditionally displayed prominently to allow for advertising and branding. This may provide the examiner with insight into which carrier the mobile device operates on.
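A check an examiner can run on the identifiers noted above, as an added example that is not part of the original article: it validates the Luhn check digit that a 15-digit IMEI ends in (and, as assumed here, a 19- or 20-digit ICCID, which most carry) and splits the IMEI into its TAC, serial and check digit. The numbers in the `__main__` section are sample values, not taken from any real handset or SIM.

```python
# Added example (not from the article): check the identifiers recorded during
# device identification. A 15-digit IMEI and a 19/20-digit ICCID both end in a
# Luhn check digit, so a transcription slip in the examiner's notes is caught
# before the number reaches the report.
import re


def luhn_valid(digits):
    """True if the digit string passes the Luhn check (ISO/IEC 7812)."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            n = n * 2 if n < 5 else n * 2 - 9
        total += n
    return total % 10 == 0


def parse_imei(imei):
    """Split an IMEI into TAC (8 digits, identifies make/model via the GSMA
    allocation), serial (6 digits) and check digit; separators written on the
    label are ignored. Raises ValueError on a wrong length or check digit."""
    digits = re.sub(r"\D", "", imei)
    if len(digits) != 15:
        raise ValueError(f"IMEI must be 15 digits, got {len(digits)}")
    if not luhn_valid(digits):
        raise ValueError("IMEI check digit does not match")
    return {"tac": digits[:8], "serial": digits[8:14], "check": digits[14]}


def iccid_valid(iccid):
    """True for a 19- or 20-digit ICCID with the telecom prefix 89 and a
    correct Luhn check digit (assumed present, as on most SIMs)."""
    digits = re.sub(r"\D", "", iccid)
    return 19 <= len(digits) <= 20 and digits.startswith("89") and luhn_valid(digits)


if __name__ == "__main__":
    # Sample values, not from any real handset or SIM.
    print(parse_imei("49-015420-323751-8"))
    print("ICCID ok:", iccid_valid("8901 2601 2345 6789 0121"))
```

A TAC lookup against the GSMA allocation database is a separate, external step; this block only confirms the number was recorded correctly.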
Preservation involves the search, recognition, documentation, and collection of electronic based evidence. In order to use evidence successfully, whether in a court of law or a less formal proceeding, it must be preserved. Failure to preserve evidence in its original state could jeopardize an entire investigation, potentially losing valuable case-related information.
Mobile device examiners typically assemble a collection of both forensic and non-forensic tools for their toolkit.
Logical extraction tools provide additional capabilities to hard-code keywords and specific known hashes, alerting the on-scene examiner immediately to potential issues that need to be addressed. Where possible, devices supporting encryption, such as Android and iOS devices, should be triage-processed at the scene if they are found in an unlocked state, as the data may no longer be available to an investigator once the device's screen is locked or the battery is exhausted.
Examination is the technical process that is the province of a forensic specialist. However, analysis may be done by roles other than the forensic analyst, such as the investigator or the forensic examiner.
This step provides the examiner with the ability to perform examination or analysis of acquired data. The understanding gained by studying the case should provide ideas about the type of data to target and specific keywords or phrases to use when searching the acquired data. Depending on the type of case, the strategy varies. For example, a case about child pornography may begin with browsing all of the graphic images on the system, while a case about an Internet related offense might begin with browsing all Internet history files.
Presentation of Evidence
This is the final step: the process of preparing a detailed summary of all the steps taken and conclusions reached in the investigation of a case. Digital evidence, as well as the tools, techniques and methodologies used in an examination, is subject to challenge in a court of law or other formal proceedings.
Chain of Custody and Preservation of Evidence
The goal of a forensic investigator is to obtain evidence utilizing the most acceptable methods, so the evidence will be admitted according to law in the trial. Obtaining a judge’s acceptance of evidence is commonly called admission of evidence. Evidence admissibility will require a lawful search and the strict adherence to chain of custody rules including evidence collection, evidence preservation, analysis, and reporting.
What should I consider for different platforms?
The capabilities of the tool and the richness of its features, set against the operating system and type of device under examination, determine what information can be recovered, identified and reported, and the amount of effort needed. The analysis typically covers:
- Application and file analysis
- Timeframe analysis
- Data hiding analysis
For all mobile devices and operating systems, the following is a list of potential evidence that can be uncovered:
- Subscriber and equipment identifiers
- Date/time, language, and other settings
- Phonebook/Contact information
- Calendar information
- Text messages
- Outgoing, incoming, and missed call logs
- Electronic mail
- Audio and video recordings
- Multi-media messages
- Instant messaging
- Web browsing activities
- Electronic documents
- Social media related data
- Application related data
- Location information
- Geo-location data
A quick walk through on Android forensics
As Android is the market leader among mobile operating systems, the probability of cyber attackers involving it is high, either by:
- using an Android device as a means to carry out an attack, or
- targeting the users of Android devices.
A rule of thumb in forensic investigation is that you cannot work on the primary evidence if you want it to be accepted in a court of law.
If we copy and paste the contents of a disk, this will only copy visible, hidden and system files. Whatever is deleted or not accessible by the OS would not be copied by the copy command. So, for a thorough analysis, it is required to create a 1:1 image of the disk.
There are two locations to image on an Android device: the device's internal storage and the external (SD) card.
The authenticity of the image we have created must then be established, typically by computing and recording its hash. This can be done with multiple tools; one can use WinHex, etc.
On most Android devices, do the following: go to “Menu” -> “Settings” -> “Applications” -> “Development” and then click “USB debugging” to enable ADB (Android Debug Bridge).
USB debugging must be turned on before it’s possible to attempt an extraction, and this cannot be done when the device is locked. However, in some cases the user could have turned on USB debugging before locking the device. In this case you will be able to “bypass” the screen lock.
In Android terminology, we need to ROOT the device to get the super-user permission. There are various techniques available in the market that can help you in rooting your Android phone. Among them, Odin3 software is one such popular tool. All you need to do is to check the build number of your phone. You can check it by visiting the following location in any Android phone: Settings-> About Phone-> Build number.
Once the Android device is rooted and one can connect to it through ADB, insert a fresh SD card into the device and copy the target data there. The typical syntax of the dd command is shown below (with a generic input device; on the handset, if= would point at the block device of the partition being imaged):
dd if=/dev/fd0 of=tmp.image
The output of the dd image can be understood by most open-source and commercial forensic tools, including Helix, EnCase, Forensic Toolkit, etc.
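The 1:1 imaging and authenticity steps described above, as an added example in Python rather than the article's dd command (not code from the article or from any tool it names): the copy is made block by block, hashed during acquisition, re-hashed from disk, and the digest recorded beside the image so the image can be re-verified later. The sample "device" file is constructed, and the function names are this example's own.

```python
# Added example (not from the article): a dd-style 1:1 copy whose SHA-256 is
# computed during acquisition, recorded beside the image and re-checked later.
import hashlib
import os
import tempfile

BLOCK_SIZE = 4096  # copy in fixed blocks, like dd bs=4096


def sha256_of_file(path):
    """SHA-256 hex digest of a file, read in BLOCK_SIZE chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(BLOCK_SIZE), b""):
            h.update(block)
    return h.hexdigest()

def acquire_image(src_path, img_path):
    """Stream src_path into img_path block by block, hashing the stream.
    The written image must re-hash to the same digest (catches a truncated or
    corrupted write); the digest is then stored in a .sha256 sidecar file."""
    acq = hashlib.sha256()
    with open(src_path, "rb") as src, open(img_path, "wb") as img:
        for block in iter(lambda: src.read(BLOCK_SIZE), b""):
            acq.update(block)
            img.write(block)
    digest = acq.hexdigest()
    if sha256_of_file(img_path) != digest:
        raise IOError("image on disk does not match the acquisition stream")
    with open(img_path + ".sha256", "w") as sidecar:
        sidecar.write(f"{digest}  {os.path.basename(img_path)}\n")
    return digest

def verify_image(img_path):
    """True if img_path still hashes to the digest recorded at acquisition."""
    with open(img_path + ".sha256") as sidecar:
        recorded = sidecar.read().split()[0]
    return sha256_of_file(img_path) == recorded

def demo():
    """Run the procedure on a constructed sample 'device' file; returns
    (digest, verified before tampering, verified after appending a byte)."""
    with tempfile.TemporaryDirectory() as d:
        src, img = os.path.join(d, "device.bin"), os.path.join(d, "device.dd")
        with open(src, "wb") as f:  # in a case: the partition's block device
            f.write(b"constructed sample partition contents\n" * 500)
        digest = acquire_image(src, img)
        intact = verify_image(img)
        with open(img, "ab") as f:  # simulate post-acquisition modification
            f.write(b"\x00")
        return digest, intact, verify_image(img)
```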
Most of the application-specific data can be found at
SQLite database files are the most interesting files for forensic investigators: one will find the most critical information here, even usernames and passwords in some cases. All SQLite files are stored in the .db format.
Typical capabilities at this stage are dumping and decoding of contacts, call logs, SMS, emails and user files, and extracting deleted items such as databases, images, video, audio and documents, across all Android OS versions and the EXT3, EXT4 and RFS file systems.
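An added example (not from the article or any of the tools it names) of the SQLite triage described above: it walks a pulled data directory, picks out databases by their file header rather than by the .db extension (so a database stored under another name is not missed), and dumps each table through a read-only connection. The com.example.chat application and its databases are constructed for the demo.

```python
# Added example (not from the article): triage SQLite databases pulled from an
# Android /data/data tree; databases are recognised by their 16-byte header.
import contextlib
import os
import sqlite3
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"


def is_sqlite(path):
    """True if the file begins with the SQLite 3 header, whatever its name."""
    with open(path, "rb") as f:
        return f.read(16) == SQLITE_MAGIC

def dump_database(path):
    """Return {table: [rows]} for every user table, via a read-only connection
    so the evidence copy is never modified."""
    with contextlib.closing(sqlite3.connect(f"file:{path}?mode=ro", uri=True)) as con:
        tables = [r[0] for r in con.execute("SELECT name FROM sqlite_master "
                                            "WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
        quoted = lambda t: '"' + t.replace('"', '""') + '"'
        return {t: con.execute(f"SELECT * FROM {quoted(t)}").fetchall() for t in tables}

def triage(root):
    """Map each database below root (relative path) to its dumped tables; journal,
    WAL and XML files lack the header and are skipped."""
    found = {}
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            if is_sqlite(path):
                found[os.path.relpath(path, root)] = dump_database(path)
    return found

def demo():
    """Constructed stand-in for a pulled app directory: one .db file, one
    database stored without an extension and one XML file. Returns triage()."""
    with tempfile.TemporaryDirectory() as root:
        app = os.path.join(root, "com.example.chat", "databases")
        os.makedirs(app)
        for name, ddl, insert in (
            ("messages.db", "CREATE TABLE sms(address TEXT, date INTEGER, body TEXT)",
             "INSERT INTO sms VALUES ('+15551234', 1420070400, 'meet at 9')"),
            ("accounts", "CREATE TABLE account(user TEXT, token TEXT)",
             "INSERT INTO account VALUES ('alice', 'constructed-token')")):
            with contextlib.closing(sqlite3.connect(os.path.join(app, name))) as con:
                con.execute(ddl)
                con.execute(insert)
                con.commit()
        with open(os.path.join(app, "settings.xml"), "w") as f:
            f.write("<map/>")
        return triage(root)
```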
Major Players in the mobile forensics market
The wide variety of smartphones makes mobile forensics a real challenge, one that requires heavy manual intelligence and intervention.
Although forensics toolkits do exist for the investigator, the majority of the tools are either not fully developed or do not yet provide full functionality for multiple devices. The digital forensics examiner must be able to recognize a phone's make/model and know what connections to make and what data acquisition methods can be applied to the device. It is important to be fully aware of what an acquisition tool does and what can and cannot be extracted from the phone.
About the Author
Vijay Kumar Velu is a passionate information security practitioner currently working as Technical Manager at KPMG Global Services, based in India. He has 8+ years of IT industry experience, is a Licensed Penetration Tester and specializes in providing technical solutions to a variety of cyber problems.
Vijay holds multiple Security qualifications including Certified Ethical Hacker, EC-council Certified Security Analyst and Computer Hacking Forensics Investigator.