CSCE 517 Final
Facts about various wireless telecommunication technologies
4G is a wireless telecommunications standard and supports high-speed large data transmission rates. 4G Long Term Evolution (LTE) Advanced is a high-mobility broadband communication protocol that is suitable for use on trains and in other vehicles. Motorola Mobility holds the patent for this technology. 5G is a transmission protocol developed by the 3rd Generation Partnership Project (3GPP). 5G protocol will allow telecom carriers to transmit data, via radio signals, at an extremely high frequency (EHF) or "millimeter wave", which will support the transmission of more data at much faster speeds than 4G. Time Division Multiple Access (TDMA) is a radio communication methodology that enables devices to communicate on the same frequency by splitting digital signals into time slots or "bursts", which are data packets transmitted on the same frequency. Global System for Mobile communications (GSM) is an international standard for signal communications, which uses TDMA and FDD (Frequency Division Duplex) communication methods. GSM is a standard created by the European Telecommunications Standards Institute (ETSI) and primarily designed by Nokia and Ericsson. The most pervasive GSM standard is 4G LTE Advanced. 3G GSM networks use UMTS (Universal Mobile Telecommunications System) and WCDMA (Wide Band CDMA) for communication. T-Mobile and AT&T use GSM in the United States. GSM handsets, when unlocked, can be used on international networks by simply purchasing a SIM card locally and activating it with a local carrier. This is important to know because a suspect could have used a GSM cellphone internationally and removed evidence by switching the SIM card. 3GP is an audio/video file format found on mobile phones operating on 3G GSM cellular networks. It was developed by the 3rd Generation Partnership Project (3GPP), which is a collaboration of six standards bodies and many corporations worldwide that provide telecommunication standards. 
More information about 3GPP can be found at www.3gpp.org. The scope of their work includes GSM, General Packet Radio Service (GPRS) and Enhanced Data rates for GSM Evolution (EDGE). GPRS is packet-switching wireless communication found on 2G and 3G GSM networks. EDGE is a high data transfer technology, which is found on GSM networks. EDGE provides up to three times the data capacity of GPRS. Universal Mobile Telecommunications System (UMTS) is a 3G cellular network standard, which was developed by 3GPP and based on GSM. UMTS cellphones utilize a USIM smart card to identify the subscriber on a network. From a forensics perspective, a USIM can store more files than a SIM card. Code Division Multiple Access (CDMA) is a spread-spectrum communication methodology that uses a wide bandwidth for transmitting data. CDMA does not share channels; it uses multiplexing techniques in which multiple signals are transmitted simultaneously across a shared medium. A fiber-optic cable is an example of a shared medium that can support multiplexing. CDMA2000 is a 3G technology that uses the CDMA communications protocol. CDMA technology is used by Verizon and Sprint on their US nationwide cellular networks. 3GP2 is an audio/video file format found on mobile phones operating on 3G CDMA cellular networks. This standard was developed by the 3rd Generation Partnership Project 2 (3GPP2), a partnership of North American and Asian 3G telecommunications companies that develop standards for third generation mobile networks, including CDMA. More information about the work of 3GPP2 can be found at www.3gpp2.org.
5G related technologies and their importance to investigators.
5G is an important enabler of smart cities applications, which depend heavily on IoT. Speed has increased exponentially with the introduction of 5G. With 5G, latency has been dramatically reduced. While 5G-ready mobile devices are still expensive for many, 5G will certainly grow in popularity once the carriers make 5G more pervasive. People are excited about the impact of 5G on so many technologies, from virtual reality to self-driving cars to remote-controlled factories as well as an impact on emergency responders. 5G will be important for industrial robotics, where robots will communicate with one another and drones will have the ability to coordinate their activities in groups. The technology still has obstacles that need to be overcome, like walls and bad weather. 5G uses millimeter waves and therefore a new infrastructure—with new transmitters in closer proximity—needs to be built. The costs of implementing 5G are huge, and therefore it is possible that there will be changes to the structure of the mobile network operators (MNOs). Minimization of Drive Testing (MDT) is not a 5G concept yet it is being discussed as an important way to measure consumer satisfaction on a cellular network, including new 5G networks. With MDT, the cellular providers have sought to gather performance metrics directly from consumer cellular devices, thereby minimizing the need to drive and test signal strength. Thus, MDT may create a new, rich source of evidence for law enforcement. The path that traffic takes in a network will change with 5G, which means that the sources of digital evidence and the nature of evidence will change. Two key concepts associated with 5G are Multi-access Edge Computing (MEC) and CUPS (Control and User Plane Separation). 
Multi-access Edge Computing (MEC) is a networking protocol, whereby mobile users can establish direct connections, using available network infrastructure, at the edge of the network, rather than being routed through the mobile network operator's core network. CUPS (Control and User Plane Separation) is a 3GPP specification that facilitates MEC, whereby control functions, like establishing a connection with another device, take a different route through a network. The goal of MEC and CUPS is to create more bandwidth for users and significantly reduce latency by facilitating connections at the network edge, while moving away from a centralized network. MEC will also benefit virtual reality gaming and self-driving cars. Another element of 5G is D2D. Device-to-device (D2D) communication is technology that enables user equipment (UE) to communicate with one another, with or without a network infrastructure. The UE can be a mobile device, or the communication can be vehicle-to-vehicle. One benefit of D2D communication is ultra-low latency. Another benefit of D2D is the reduction of network capacity issues, since devices can communicate with each other without the need to connect to a network. IEEE 802.11p is part of the dedicated short-range communications (DSRC) system and is a standard for adding wireless access in vehicular environments (WAVE). With the proliferation of 5G, we shall see more vehicles communicate with one another, especially in corporate fleets and potentially in fleets of police squad cars. We have already seen vehicle-to-vehicle communications with Tesla cars, for example. With the development of 5G, there have been many discussions about security and privacy. The CTIA, which represents America's wireless communications industry, has stated that enhanced privacy protections have been integrated into 5G, and this includes encrypting the device's IMSI (international mobile subscriber identity).
Since an IMSI uniquely identifies a subscriber on a GSM cellular network, numerous law enforcement agencies have used "IMSI-catchers" to catch wanted criminals and suspects. The Harris Corporation produces StingRays, which are IMSI-catchers, for law enforcement only. If law enforcement knows the cellphone number, or the number of a MiFi device, of a criminal but is unsure of the exact location of a suspect, then law enforcement can use the device to locate the suspect. A carrier can provide the IMSI number associated with a telephone number to law enforcement. There have also been reports of ICE (Immigration and Customs Enforcement) using IMSI-catchers to locate undocumented residents in the United States. These devices have been effective in catching criminals. Some privacy advocates have raised concerns about StingRays capturing location information. According to the CTIA, on a 5G network the IMSI will be encrypted to protect the privacy of a mobile subscriber. This will potentially create an issue for law enforcement agencies using StingRay devices. Furthermore, virtualization will increase in importance with 5G while replacing legacy hardware—sometimes on the fly in a cellular network. This is also likely to impact the retention of data related to the subscriber and the availability of evidence to law enforcement. The GSMA represents the telecommunications industry, and it has developed a digital authentication standard called Mobile Connect, which allows a subscriber to create a universal digital identity with a single sign-on (SSO). Mobile Connect is a 5G technology that matches a user's mobile number to an account, thereby allowing the user to log in to websites and applications without remembering the login and password. Huawei, a Chinese telecommunications company that has invested heavily in 5G, published a white paper about Vo5G.
Vo5G (Voice over 5G) is a standard for voice/video on the fifth generation of mobile technologies and approved by 3GPP. Vo5G will use Voice over New Radio (VoNR) for calls on a 5G network. VoNR will use a 5G network and replace VoLTE (Voice over LTE).
hub and switch
A hub is a hardware networking device that broadcasts data packets to all devices on a network regardless of the MAC address. A hub is a Layer 1 (OSI Model) device. A network switch is an intelligent hardware device that connects devices on a network. It is also referred to as a switching hub, bridging hub, or MAC bridge. The difference between a hub and a switch is that the latter only forwards packets to the required destination device on a network. A switch operates at the data link layer (Layer 2 of OSI Model), although some switches can also operate at the network layer (Layer 3 of OSI Model). Content Addressable Memory (CAM) is a type of memory used by Cisco switches, and a CAM address table may be available for an investigator to analyze.
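The hub/switch distinction above is easiest to see in code. The following is an added example (not from the course notes) that simulates a hub and a learning switch side by side: the switch fills its CAM table from the source MAC of every frame it sees, and that table (MAC address to port) is exactly the artifact an investigator can pull from a switch to place a device on a physical port. Port numbers and MAC strings below are constructed sample values.

```python
# Added example (not from the course notes): a Layer 1 hub next to a Layer 2 learning
# switch, to show why a switch's CAM (MAC address) table is evidence worth collecting.
from collections import OrderedDict


class Hub:
    """Layer 1 repeater: every frame goes out every port except the one it came in on."""

    def __init__(self, ports):
        self.ports = list(ports)

    def forward(self, in_port, src_mac, dst_mac):
        # A hub never looks at MAC addresses; it repeats the signal everywhere.
        return [p for p in self.ports if p != in_port]


class Switch:
    """Layer 2 learning switch: learns source MAC -> port, forwards on destination MAC."""

    BROADCAST = "ff:ff:ff:ff:ff:ff"

    def __init__(self, ports):
        self.ports = list(ports)
        self.cam = OrderedDict()  # the CAM / MAC address table: MAC -> ingress port

    def forward(self, in_port, src_mac, dst_mac):
        # Learning step: remember which port this source MAC was last seen on.
        self.cam[src_mac] = in_port
        if dst_mac == self.BROADCAST or dst_mac not in self.cam:
            # Broadcast or unknown unicast: flood out every other port, like a hub.
            return [p for p in self.ports if p != in_port]
        out = self.cam[dst_mac]
        # Known destination: forward only to the port where that MAC was learned.
        return [] if out == in_port else [out]

    def cam_table(self):
        """Snapshot of the MAC table as (mac, port) pairs, as an examiner would record it."""
        return list(self.cam.items())


def replay(device, frames):
    """Run (in_port, src_mac, dst_mac) frames through a device; return egress ports per frame."""
    return [device.forward(*frame) for frame in frames]
```

Running the same three constructed frames through both devices shows the hub flooding every time, while the switch floods only until it has learned the destination and then delivers to a single port.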
Mobile station and related terminology
A mobile station consists of mobile equipment (handset) and, in the case of a GSM network, a Subscriber Identity Module (SIM). An International Mobile Equipment Identity (IMEI) number uniquely identifies the mobile equipment or handset. The initial six or eight digits of the IMEI are the Type Allocation Code. The Type Allocation Code (TAC) identifies the type of wireless device. The website www.nobbi.com/tacquery.php allows an investigator to enter a TAC or IMEI to discover details about a specific device. The IMEI is generally found by removing the back of the cell phone and then looking under the battery. A Universal Integrated Circuit Card (UICC) is a smart card used to uniquely identify a subscriber on a GSM or UMTS network. With a GSM network, the smart card is a SIM, whereas with a UMTS the smart card is a USIM (Universal Subscriber Identity Module). A Mobile Equipment Identifier (MEID) is an internationally unique number that identifies a CDMA handset (mobile equipment). The MEID was previously referred to as an Electronic Serial Number (ESN) before being replaced by a global MEID standard around 2005. An Electronic Serial Number (ESN) is an 11-digit number used to identify a subscriber on a CDMA cellular network. The ESN contains a manufacturer code and a serial number that identifies a specific handset. Both the ESN and the MEID are noted on the handset in a decimal format as well as a hex format. The website www.meidconverter.com allows users to convert between ESN and MEID and also view both decimal and hex values of an ESN or MEID. Some providers provide a lookup feature for subscriber details using the MEID. Many CDMA cellphones have a subsidy lock. A subsidy lock confines a subscriber to a certain cellular network so that a cellphone can be sold for free or at a subsidized price. From a forensics perspective, this means that the phone's file system often cannot be acquired with an active subsidy. 
For example, an iPhone may be available for as little as $99 but you are locked into a particular carrier and a specific contract. The unlocked iPhone may actually cost over $1,000 (depending on the model) but the user can easily switch carriers and is not locked into a two-year agreement. Prepaid cellphone plans, offered by AT&T and others, where the subscriber paid full price for the phone, can be unlocked. An investigator should understand this because the (unlocked) handset may have been used internationally with a SIM card purchased abroad. All cellphones sold in the United States have an FCC-ID. An FCC-ID is a number issued by the Federal Communication Commission (FCC) that indicates that the handset is authorized to operate on radio frequencies within the FCC's control. The FCC-ID can be entered on the FCC website (https://www.fcc.gov/oet/ea/fccid/). Once you enter the FCC-ID, you can download a manual for the cellphone. This is important for an investigator who may need to know about the features of the cellphone and, more importantly, how to remove the cellphone from all networks and external communications for proper containment.
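The identifiers described above have checkable structure. The block below is an added example (not from the course notes) that validates an IMEI with its Luhn check digit, splits out the TAC, and converts a CDMA MEID between its 14-digit hexadecimal and 18-digit decimal forms. It assumes the modern 8-digit TAC layout (older IMEIs used a 6-digit TAC plus a 2-digit FAC, which is why the notes say "six or eight"); the IMEI and MEID values used in the test are constructed, not real devices.

```python
# Added example (not from the course notes): IMEI validation/TAC extraction and MEID
# hex <-> decimal conversion. Assumes the 8-digit TAC layout used since 2003.
import re


def luhn_check_digit(digits):
    """Return the Luhn check digit that completes a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 0:        # every second digit from the right of the payload is doubled
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return (10 - total % 10) % 10


def parse_imei(imei):
    """Validate a 15-digit IMEI (spaces/dashes allowed) and return its TAC, serial and check digit."""
    s = re.sub(r"[\s-]", "", imei)
    if not re.fullmatch(r"\d{15}", s):
        raise ValueError("IMEI must be 15 decimal digits")
    body, check = s[:14], int(s[14])
    if luhn_check_digit(body) != check:
        raise ValueError("IMEI check digit does not match")
    # Assumption: 8-digit TAC (type allocation code) followed by a 6-digit serial.
    return {"tac": s[:8], "serial": s[8:14], "check": check}


def is_valid_imei(imei):
    try:
        parse_imei(imei)
        return True
    except ValueError:
        return False


def meid_hex_to_dec(meid_hex):
    """14 hex digits -> 18 decimal digits: first 8 hex -> 10 decimal, last 6 hex -> 8 decimal."""
    h = meid_hex.upper()
    if not re.fullmatch(r"[0-9A-F]{14}", h):
        raise ValueError("MEID must be 14 hexadecimal digits")
    return f"{int(h[:8], 16):010d}{int(h[8:], 16):08d}"


def meid_dec_to_hex(meid_dec):
    """Inverse of meid_hex_to_dec: 10 decimal -> 8 hex, 8 decimal -> 6 hex."""
    if not re.fullmatch(r"\d{18}", meid_dec):
        raise ValueError("decimal MEID must be 18 digits")
    return f"{int(meid_dec[:10]):08X}{int(meid_dec[10:]):06X}"
```

A handset label or a carrier record may show either form of the MEID; converting both to the same form before comparing avoids a false mismatch when matching a seized device to subscriber records.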
Base station controller (BSC) and two types of handoff.
A Base Station Controller (BSC) manages the radio signals for base transceiver stations, in terms of assigning frequencies and handoffs between cell sites. When moving through an area, your cellphone call may be handled by several base transceiver stations, which requires a handoff from one BTS to another. Two types of handoff: A soft handoff is when a cellular communication is conditionally handed off from one base station to another and the mobile equipment is simultaneously communicating with multiple base transceiver stations. The handoff is conditional because the signal strength on a new BTS will be adjudicated. A hard handoff means that the communication is only handled by one base transceiver station at a time with no simultaneous communication.
static analysis
A SQLite database is a relational database that is the preferred storage for data associated with mobile apps. SQLite is a C-language library that is responsible for the SQL database. SQLite source code resides in the public domain. Forensic tools, like BlackLight and SQLite Database Browser, enable the user to easily browse through application SQLite databases. There are many folders and files associated with a mobile app SQLite database, which may contain many tables. Within each SQLite database (.sqlite) you will find databases, which will contain the file extension .db; for example, google_analytics.db. It also contains recognizable files, like .jpg (picture images), .vcf (or vCard for your contacts), or .mp3 (sound file). A bundle ID is a uniform type identifier, which is comprised of alphanumeric characters, that uniquely identifies a specific app. The format for the bundle ID is generally com.<YourCompany>.<AppName>, which is referred to as a reverse-domain name style string. An iOS app also has a unique identifier known as an App ID, which is a two-part string that identifies a development team (Team ID) and an application (bundle ID). The Team ID is created and assigned by Apple, while the bundle ID is generated by the app developer.
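What a forensic SQLite browser does under the hood is read the schema from sqlite_master and then query each table. The block below is an added example (not from the course notes) that builds a small constructed messaging-style database in memory, enumerates its tables and columns, counts rows, and pulls one contact's chat in chronological order; the table names, handles and timestamps are sample data, not any real app's schema.

```python
# Added example (not from the course notes): enumerating and querying an app's SQLite store.
# The database is constructed in memory so the example runs offline.
import sqlite3


def build_sample_db():
    """Construct a small database shaped like a messaging app's store (sample data only)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE contacts (id INTEGER PRIMARY KEY, handle TEXT, display_name TEXT);
        CREATE TABLE messages (id INTEGER PRIMARY KEY, contact_id INTEGER,
                               sent_at INTEGER, body TEXT);
        INSERT INTO contacts VALUES (1, 'user_a', 'Alice Example');
        INSERT INTO contacts VALUES (2, 'user_b', 'Bob Example');
        INSERT INTO messages VALUES (1, 1, 1700000000, 'meet at 5?');
        INSERT INTO messages VALUES (2, 2, 1700000060, 'sent the photo');
        INSERT INTO messages VALUES (3, 1, 1700000120, 'ok');
    """)
    return conn


def open_readonly(path):
    """Open an evidence copy read-only so the examination cannot alter it."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def describe_schema(conn):
    """Return {table: [column names]} from sqlite_master plus PRAGMA table_info."""
    schema = {}
    names = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name").fetchall()
    for (name,) in names:
        cols = conn.execute(f'PRAGMA table_info("{name}")').fetchall()
        schema[name] = [col[1] for col in cols]   # column 1 of table_info is the column name
    return schema


def row_counts(conn):
    """How much data each table holds; a quick triage of where the evidence is."""
    return {t: conn.execute(f'SELECT COUNT(*) FROM "{t}"').fetchone()[0]
            for t in describe_schema(conn)}


def messages_by_contact(conn, handle):
    """Join messages to contacts and return (epoch_seconds, body) in chronological order."""
    return conn.execute("""
        SELECT m.sent_at, m.body
        FROM messages m JOIN contacts c ON c.id = m.contact_id
        WHERE c.handle = ?
        ORDER BY m.sent_at""", (handle,)).fetchall()
```

On a real acquisition, open the copied .db with open_readonly and run describe_schema first; the column names usually reveal which table holds chats, contacts or location data before any rows are read.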
smtp servers
A Simple Mail Transport Protocol (SMTP) server is used to send email for a client. The email is subsequently routed to another SMTP server or other email server. When sending an email to another domain (for instance, an email from Hotmail to Yahoo!), the SMTP server communicates with a DNS server and requests the IP address of the SMTP server. The DNS then responds with the IP address(es) for the destination SMTP servers. SMTP servers communicate with one another using simple commands, like HELO (introduction), MAIL FROM: (specify the sender), RCPT TO: (specify the recipient), QUIT (quit the session), HELP (get help), VRFY (verify the address), and DATA (To, From, Subject, Body of message). Internet Message Access Protocol (IMAP) allows the user to access email from just about any type of Internet-enabled device. With IMAP, the user's email is stored on an email server, and when an email message is requested, it is only temporarily downloaded to the user's device. Post Office Protocol (POP) is a different electronic mail standard in which the email is stored on the user's device, not on the server.
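The SMTP commands listed above form a fixed dialogue with numeric replies. The following is an added example (not from the course notes): a minimal in-memory SMTP command handler that answers HELO, MAIL FROM, RCPT TO, DATA, VRFY, HELP and QUIT with their standard reply codes and enforces the command order, plus a driver that replays a client session. Nothing touches the network; the hostname and addresses are placeholders.

```python
# Added example (not from the course notes): both sides of a simulated SMTP exchange.
# The server state machine answers with standard reply codes; no mail is actually sent.


class SmtpSession:
    """Tracks the state an SMTP server keeps: greeting, envelope, and the message body."""

    def __init__(self, hostname="mail.example.test"):   # placeholder hostname
        self.hostname = hostname
        self.helo = None
        self.mail_from = None
        self.rcpt_to = []
        self.in_data = False
        self.data_lines = []
        self.messages = []       # accepted (sender, recipients, body) tuples

    def handle(self, line):
        """Process one client line; return the server reply, or None while receiving DATA."""
        if self.in_data:
            if line == ".":      # a lone dot terminates the message body
                self.in_data = False
                self.messages.append((self.mail_from, list(self.rcpt_to),
                                      "\n".join(self.data_lines)))
                self.mail_from, self.rcpt_to, self.data_lines = None, [], []
                return "250 OK: message accepted"
            # Undo dot-stuffing: a body line starting with ".." had a dot prepended.
            self.data_lines.append(line[1:] if line.startswith("..") else line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.helo = arg.strip()
            return f"250 {self.hostname} Hello {self.helo}"
        if verb == "MAIL":
            if self.helo is None:
                return "503 Bad sequence of commands: send HELO first"
            self.mail_from = arg.partition(":")[2].strip()
            return "250 OK"
        if verb == "RCPT":
            if self.mail_from is None:
                return "503 Bad sequence of commands: need MAIL FROM"
            self.rcpt_to.append(arg.partition(":")[2].strip())
            return "250 OK"
        if verb == "DATA":
            if not self.rcpt_to:
                return "503 Bad sequence of commands: need RCPT TO"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "VRFY":
            # Many servers refuse to confirm addresses to limit account enumeration.
            return "252 Cannot VRFY user, but will accept message"
        if verb == "HELP":
            return "214 Commands: HELO MAIL RCPT DATA VRFY HELP QUIT"
        if verb == "QUIT":
            return f"221 {self.hostname} closing connection"
        return "500 Command not recognized"


def replay(client_lines):
    """Feed a list of client lines to a fresh session; return (session, server replies)."""
    session = SmtpSession()
    replies = [session.handle(line) for line in client_lines]
    return session, [r for r in replies if r is not None]
```

The envelope (MAIL FROM / RCPT TO) is what the relaying server acts on; the To and From headers inside DATA are just text the sender typed, which is why the two can disagree in a spoofed message.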
Structure and operation of cellular network: base transceiver station (BTS), mobile switching center (MSC), public switched telephone network (PSTN), call path in cellular networks.
A base transceiver station (BTS) is the equipment found at a cell site that facilitates the communication of cell phone users across a cellular network. The Mobile Switching Center (MSC) is responsible for switching data packets from one network path to another on a cellular network. If the user is calling a user on a cellular network managed by another carrier, the call is routed from the MSC to the Public Switched Telephone Network. The Public Switched Telephone Network (PSTN) is an aggregate of all circuit-switched telephone networks. The purpose of the PSTN is to connect all telephone networks worldwide. [Figure: call path in cellular networks, not reproduced in these notes.]
Cell tower and antenna
A cell site, also known as a cell tower, can be a stand-alone tower or be attached to a building or other structure. The cell tower generally has an antenna with three panels on each side. Typically, there are three sides on each antenna. Usually, the middle panel is a transmitter and the two outer panels are receivers. The cell tower is generally over 200 feet high. A tower can contain multiple antennae, which are owned by different carriers. An antenna can either be located on a cell tower or be placed on the side or top of a building.
Dynamic analysis
A dynamic analysis of the app is an analysis of the behavior of the application once it has been executed (or run). An Android emulator is an application that simulates, or runs, the Android operating system in a virtual machine. App developers use an emulator to analyze how their apps will run before making them available to the public. However, an emulator can also benefit investigators who are interested in viewing the behavior of an app—especially if an app potentially contains malware. An investigator may also be interested in monitoring the permissions and DNS connections associated with an executed mobile app. For monitoring DNS connections (connections to servers), there are Wireshark (Windows) and Debookee (macOS). A pcap file is a wireless packet capture that contains user data and network data related to the sender and receiver. To remain safe and compliant, a personal hotspot device, like a Verizon Jetpack, can be used in a secure lab. Some tools like Debookee also have the ability to decrypt some wireless traffic.
routers
Routers are special-purpose devices that are designed to read the source and destination address fields in IP packet headers to decide where to send (route) the packet next.
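The routing step described above amounts to two operations: read the addresses from the IPv4 header, then pick the most specific matching route. The block below is an added example (not from the course notes) that unpacks the 20-byte IPv4 header with the standard library and performs a longest-prefix-match lookup against a constructed static routing table; the packets, prefixes and next-hop addresses are sample values from documentation ranges.

```python
# Added example (not from the course notes): parse an IPv4 header and route the packet by
# longest-prefix match. Packet bytes and the routing table are constructed samples.
import ipaddress
import struct

IPV4_HEADER = "!BBHHHBBH4s4s"   # fixed 20-byte IPv4 header, network byte order


def parse_ipv4_header(packet):
    """Return (src, dst, protocol) from the fixed part of an IPv4 header."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, _total_len, _ident, _flags_frag, _ttl, proto,
     _checksum, src, dst) = struct.unpack(IPV4_HEADER, packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst), proto


def build_ipv4_packet(src, dst, proto=6, payload=b""):
    """Construct a minimal IPv4 packet for the example (header checksum left as zero)."""
    header = struct.pack(IPV4_HEADER, 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + payload


class RoutingTable:
    """Static table of (network, next_hop, interface); the longest matching prefix wins."""

    def __init__(self):
        self.routes = []

    def add(self, cidr, next_hop, iface):
        self.routes.append((ipaddress.ip_network(cidr), next_hop, iface))
        # Most specific prefixes first, so the first match is the longest match.
        self.routes.sort(key=lambda r: r[0].prefixlen, reverse=True)

    def lookup(self, dst):
        for net, next_hop, iface in self.routes:
            if dst in net:
                return next_hop, iface
        return None   # no route, not even a default: the packet would be dropped


def route_packet(table, packet):
    """Return (src, dst, decision) for a raw packet, as a router's forwarding step would."""
    src, dst, _proto = parse_ipv4_header(packet)
    return str(src), str(dst), table.lookup(dst)
```

Only the destination address decides the egress here; the source is parsed because routers and firewalls also consult it for filtering and logging, which is where an investigator's router logs come from.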
proxy server
A proxy server is a computer that relays a request for a client to a server computer. This is important to know because a suspect might use another user's computer as an intermediary to request information from a server. Squid is a caching proxy service that can be used to increase performance of a web server by caching popular requests. Most proxies are web proxies and Web cache is of interest to forensics investigators because it can provide valuable information about Internet activity through requests to a web server.
Different types of digital photograph files; which of the formats belong to raster graphic and which belong to vector graphic.
A raster graphic is a pixelated image associated with pictures found on a computer or retrieved from a digital camera. A raster graphic consists of a grid of pixels. A pixel is the smallest element of a raster image, which may be either a dot or a square. A megapixel is a million pixels. Compression algorithms are used to reduce the size of large digital images. JPEG and GIF are image formats that use compression. The following files are examples of raster graphics:
Joint Photographic Experts Group (.jpg or .jpeg)
RAW file
Bitmap Image File (.bmp)
Portable Network Graphics (.png)
Graphics Interchange Format (.gif)
Tagged Image File Format (.tif)
Joint Photographic Experts Group (JPEG) is both a committee and an image file format. JPEG format is popular because of its compression and support for so many different colors. JPEG is a lossy format, which means compression causes some loss of quality to the image. When creating a JPEG, the camera discards a certain amount of data. A JPEG file often has one or more thumbnails embedded in it. A thumbnail is a small image representation of a larger image. File carving carves out these embedded files. Many smartphones, tablets, and digital cameras store photos as JPEGs. When taking a photograph with a high-end digital camera, the camera can either process the image as a JPEG file or save the data to a RAW file. A RAW file takes data from a digital camera's image sensor to create an unprocessed or minimally processed image. The user needs to spend time processing these images later but may choose this format to create a higher-quality photograph and have more control over how the image is processed. The manufacturers of these high-end digital cameras all have their own proprietary RAW file formats, and these formats can also vary between devices manufactured by the same company. The Digital Negative (DNG) is an open standard RAW image format developed by Adobe for digital photographs.
Bitmap Image File (BMP) is a raster image file format generally associated with a Windows PC. Portable Network Graphics (PNG) is a raster image file format that supports lossless compression. PNG images are often used on the Internet. Graphics Interchange Format (GIF) is a raster image file format that was developed by CompuServe, Inc., in 1987. GIF images can be compressed using the Lempel-Ziv-Welch (LZW) lossless data compression algorithm. Tagged Image File Format (TIFF) is a raster image file format that also uses the Lempel-Ziv-Welch (LZW) lossless data compression algorithm. It was developed by Aldus but is now controlled by Adobe Systems. TIFF was originally an ideal format for scanners. A vector graphic is composed of curves, lines, or shapes based on mathematical formulae rather than pixels. An investigator is more likely to encounter raster graphics than vector graphics. The following files are examples of vector graphics:
Adobe Illustrator File (.ai)
Encapsulated PostScript File (.eps)
Scalable Vector Graphics File (.svg)
Drawing File (.drw)
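Two things the raster-format notes above rely on are recognizing a format from its leading bytes and carving an embedded thumbnail out of a JPEG. The block below is an added example (not from the course notes) that does both over a constructed byte blob: it identifies JPEG, PNG, GIF, BMP and TIFF by their magic bytes, and carves every JPEG by tracking SOI/EOI marker nesting so that a thumbnail inside a photo is recovered both on its own and as part of its parent. The blob is built inline; a real carve would run over a disk or memory image.

```python
# Added example (not from the course notes): magic-byte identification of raster formats and
# a nesting-aware JPEG carver. The input blob is constructed here so the example runs offline.

SIGNATURES = [
    (b"\xff\xd8\xff", "jpeg"),           # JPEG: SOI marker followed by another marker
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"BM", "bmp"),
    (b"II*\x00", "tiff"),                # little-endian TIFF
    (b"MM\x00*", "tiff"),                # big-endian TIFF
]


def identify(data):
    """Return the format name whose magic bytes open `data`, or None if no signature matches."""
    for magic, name in SIGNATURES:
        if data.startswith(magic):
            return name
    return None


def carve_jpegs(blob):
    """Return (offset, bytes) for every JPEG in blob, sorted by offset.
    FF D8 FF opens an image; FF D9 (EOI) closes the innermost open one, so an EXIF
    thumbnail nested inside a photo is returned separately and also inside its parent."""
    found = []
    open_starts = []          # offsets of SOI markers not yet closed by an EOI
    i = 0
    while i < len(blob) - 1:
        if blob[i:i + 3] == b"\xff\xd8\xff":
            open_starts.append(i)
            i += 3
            continue
        if blob[i:i + 2] == b"\xff\xd9" and open_starts:
            start = open_starts.pop()
            found.append((start, blob[start:i + 2]))
            i += 2
            continue
        i += 1
    return sorted(found)


def sample_blob():
    """Constructed: 4 bytes of slack, a JPEG carrying an embedded thumbnail, more slack,
    then the start of a PNG. Returns (blob, photo_bytes, thumbnail_bytes)."""
    thumb = b"\xff\xd8\xff\xdb" + b"THUMB" + b"\xff\xd9"
    photo = (b"\xff\xd8\xff\xe1" + b"Exif\x00\x00" + thumb   # APP1 segment with thumbnail
             + b"\xff\xda" + b"SCAN" + b"\xff\xd9")         # scan data, then EOI
    blob = b"SLCK" + photo + b"PAD!" + b"\x89PNG\r\n\x1a\n" + b"\x00" * 4
    return blob, photo, thumb
```

The nesting rule is safe because inside JPEG entropy-coded data an FF byte is always followed by 00 or a restart marker, so a bare FF D8 FF or FF D9 only appears where a real image starts or ends.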
skype encryption
All Skype-to-Skype voice, video, file transfers and instant messages are encrypted to protect users from potential eavesdropping by malicious users. Instant messages (IM) between a Skype client and the chat service in the Cloud are encrypted using TLS (transport-level security). IM between two Skype clients are encrypted using AES (Advanced Encryption Standard). Voice messages are encrypted when sent to the recipient. However, when the voice message is downloaded and listened to, it is stored on the client's computer in an unencrypted way. Skype calls are also encrypted. When the user logs in, Skype will verify the user's public key using 1536 or 2048-bit RSA certificates. If a user makes a call from Skype to mobile and landline phones, the part of the call that takes place over the PSTN (the ordinary phone network) is not encrypted.
web server
A web server stores and serves up HTML documents and related media resources in response to client requests. Log files on a web server have the following information:
Date and time
Source IP address
HTTP status code
Resource requested
A Uniform Resource Identifier (URI) is used to locate a resource on the Internet. The most common type of URI is a uniform resource locator (URL), which consists of the following:
Transmission protocol (generally HTTP)
Colon (:)
Two slashes (//)
Domain name, translated to an IP address
Resource: HTML document or file, e.g., a .jpg file
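The log fields and URL parts listed above can be extracted mechanically. The block below is an added example (not from the course notes) that parses Apache common-log-format lines into date/time, source IP, status code and resource, tallies requests per source address (optionally only those with a given status, e.g. repeated 404s from one host), and splits a URL into the components the notes name. The log lines and URL are constructed samples using documentation addresses.

```python
# Added example (not from the course notes): parsing web server access logs and URLs.
# The log lines are constructed samples in Apache common log format.
import re
from datetime import datetime
from urllib.parse import urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<resource>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)$')

SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326',
    '192.0.2.10 - - [10/Oct/2023:13:55:37 +0000] "GET /admin HTTP/1.1" 404 213',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /images/logo.jpg HTTP/1.1" 200 8812',
]


def parse_log_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "time": datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z"),
        "ip": m["ip"],
        "method": m["method"],
        "resource": m["resource"],
        "status": int(m["status"]),
        "size": 0 if m["size"] == "-" else int(m["size"]),
    }


def requests_by_ip(lines, status=None):
    """Count requests per source IP, optionally restricted to one HTTP status code."""
    counts = {}
    for line in lines:
        rec = parse_log_line(line)
        if rec is None or (status is not None and rec["status"] != status):
            continue
        counts[rec["ip"]] = counts.get(rec["ip"], 0) + 1
    return counts


def url_components(url):
    """Split a URL into the parts named above: protocol, '://', domain, resource."""
    parts = urlsplit(url)
    return {"protocol": parts.scheme, "separator": "://",
            "domain": parts.hostname, "resource": parts.path or "/"}
```

Filtering by status code is a quick triage: a single source address producing many 404s in a short window is a common first sign of directory guessing against a web server.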
Understand various indicators of compromise (IOCs).
APTs are so advanced that many traditional security mechanisms are ineffective. However, certain hallmarks of an APT attack, or indicators of compromise (IOCs), are known and can include the following:
Registry keys: Windows configuration files.
DLL files: Dynamic Link Library (DLL) files are Windows system files that contain procedures and drivers that are executed by a program. If changes occur, they can be identified by matching version numbers of the DLL files with the version of Windows.
ServiceDLL: If the service.dll file is found on a personal computer, the machine could be infected with the Trojan infostealer.msnbancos.
svchost.exe: If this file is located outside the System32 directory, there has been a compromise.
Email: The email SMTP IP address does not match the domain name.
Ports: Regularly unused computer ports that are now used.
$USN_Journal: This is the Update Sequence Number Journal, which is a feature of NTFS and keeps track of changes on a volume. This file should be examined by an incident responder.
Prefetch files: New prefetch files might refer to new drivers or newly downloaded files. Prefetch is a folder in the Windows system folder that contains files used in the boot process and regularly opened by other programs. The purpose of prefetch is to boot up a machine or start a program faster by keeping track of commonly used files.
System32: Contains Windows system files and other program files, which are critical to the Windows operating system. The System32 folder may also contain malicious files installed by a hacker and be an indicator of compromise. DNS and DHCP logs can also be found in the System32 directory.
Master File Table (MFT): The MFT is a critical resource for incident responders as well as for traditional forensic examiners. This is because if anti-forensics techniques were attempted on a system, such as timestomping, or an attempt was made to delete files, then the MFT can be used to identify whether a hacker or a suspect did manipulate files. Most dates can be manipulated by an attacker except for the "FN Info Creation Date". The MFT can be parsed with most licensed forensics tools, and there are free tools, such as Eric Zimmerman's MFTECmd parser tool. The MFT is located here in Windows: %systemroot%\$MFT.
Event Logs: One example of the importance of Event IDs in IR is related to successful login attempts. Event ID 4624 indicates that a successful login occurred and also provides a Logon Type. If the Event ID 4624 Logon Type is 2 (Interactive: logon at keyboard and screen of system), then we might not be concerned. However, a Logon Type of 10 (Terminal Services, Remote Desktop or Remote Assistance) could be an indicator of compromise, as sophisticated hackers will often use Remote Desktop to remotely connect to other hosts on a network as they move laterally. Important Event IDs associated with Remote Desktop (RDP) are Event ID 21/22 (RDP/Citrix authentications), Event ID 23/24 (RDP/Citrix logoffs), Event ID 1158 (RDP from an IP address), and Event ID 1149 (successful RDP authentication). Other important Event IDs are 7045, 7036 and 4697, which identify installed services on an infected host machine. ultimatewindowssecurity.com provides a comprehensive list of Event IDs.
MRU (most recently used) lists: These are also a potential artifact of interest for an incident responder. They are a listing of applications and files recently used by a user. This list can be found in the Windows Registry here: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU.
PsExec: PsExec is a Windows command-line tool that allows a user to remotely execute processes on a computer without having to install client software. It could be a tool of choice for an attacker. Ironically, PsExec is also used by Windows administrators and incident responders. Event ID 540 will show a PsExec login.
UserAssist: Contains a list of programs that have been executed on a Windows computer, including the run count and last execution date and time. Didier Stevens has produced a tool to parse these entries. These entries are located in the Registry here: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist.
An IR team will typically circulate a list of IOCs for team members to search for. IOCs on that list may also include IP address(es) of interest, malware name(s) and MD5 hash(es) of known malware, and a list of keywords that can be used to search through an imaged drive. A keyword list may include names of malware, IP addresses, and other search terms of interest.
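Several of the IOCs above can be checked automatically once host data has been collected. The block below is an added example (not from the course notes) that runs four of those checks over a constructed host record: svchost.exe running outside System32, Event ID 4624 logons with Logon Type 10, files whose MD5 appears on the circulated IOC list, and listening ports not on an expected baseline, plus a match of event source addresses against IOC IPs. The hash on the IOC list is the MD5 of empty input used as a placeholder; the IPs, paths and usernames are sample values, and the expected-port baseline is an assumption for the example.

```python
# Added example (not from the course notes): applying an IOC list to collected host data.
# All hashes, addresses, paths and ports below are constructed placeholders.
import hashlib

IOC_HASHES = {"d41d8cd98f00b204e9800998ecf8427e"}   # placeholder: MD5 of empty input
IOC_IPS = {"203.0.113.66"}                            # placeholder address of interest
EXPECTED_PORTS = {135, 139, 445, 3389}                # assumed baseline for this host role

SAMPLE_HOST = {
    "processes": [{"path": r"C:\Windows\System32\svchost.exe"},
                  {"path": r"C:\Users\Public\svchost.exe"}],
    "logons": [  # fields as an examiner might export them from the Security log
        {"event_id": 4624, "logon_type": 2, "user": "alice", "source_ip": "-"},
        {"event_id": 4624, "logon_type": 10, "user": "svc_backup", "source_ip": "203.0.113.66"},
        {"event_id": 4625, "logon_type": 10, "user": "admin", "source_ip": "198.51.100.9"},
    ],
    "files": {r"C:\Users\Public\svchost.exe": b"",          # content hashes to the IOC value
              r"C:\Windows\notepad.exe": b"MZ\x90\x00"},
    "ports": {135, 445, 3389, 4444},
}


def check_processes(processes):
    """Flag svchost.exe running from anywhere but \\Windows\\System32\\."""
    hits = []
    for proc in processes:
        path = proc["path"].lower()
        if path.endswith("\\svchost.exe") and "\\windows\\system32\\" not in path:
            hits.append(("svchost outside System32", proc["path"]))
    return hits


def check_logons(events):
    """Flag successful (4624) logons whose Logon Type is 10 (RemoteInteractive / RDP)."""
    return [("RDP logon", e["user"], e["source_ip"]) for e in events
            if e["event_id"] == 4624 and e["logon_type"] == 10]


def check_hashes(files):
    """files: {path: bytes}; flag content whose MD5 is on the IOC list."""
    return [("known malware hash", path) for path, content in files.items()
            if hashlib.md5(content).hexdigest() in IOC_HASHES]


def check_ports(listening):
    """Flag listening ports outside the expected baseline."""
    return [("unexpected listening port", port) for port in sorted(listening)
            if port not in EXPECTED_PORTS]


def check_ips(events):
    """Flag any event whose source address is on the IOC list, whatever the outcome."""
    return [("IOC IP", e["source_ip"]) for e in events if e["source_ip"] in IOC_IPS]


def scan(host):
    """Run every check and return the combined list of findings."""
    return (check_processes(host["processes"]) + check_logons(host["logons"])
            + check_hashes(host["files"]) + check_ports(host["ports"])
            + check_ips(host["logons"]))
```

Each finding carries the evidence that produced it (path, user, address or port) so it can be written straight into the incident timeline rather than re-derived later.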
Dating apps
According to Pew Research Center's report on mobile dating, 15% of adults (ages 18 and older) in the United States reported that they have used online dating sites or mobile dating apps. Dating site usage has nearly tripled for young adults (18 through 24) in just two years, from 10% to 27%. Therefore, it is important for investigators to understand the evidence available from mobile dating apps. Moreover, the prevalence of social engineering—using data derived from social media accounts—means that dating apps are a cause for concern in terms of organizational risk. Another concern is whether dating applications are utilizing personal data ethically. In March 2018, a security flaw in the Grindr app disclosed user location data, which could have exposed app users to harassment. Understanding the available evidence from a dating app is extremely important because of the nature of the crimes being committed, the links to social media, the personal information available, and the location and communication capabilities of these apps. Tinder is used in 190 countries and supports 40 languages. As of 2018, Tinder had 57 million users worldwide. Owned by Match Group, Inc., Tinder is a location-based social media application for dating. The app connects singles and allows them to "Swipe Right", if they wish to connect with another individual, or "Swipe Left", if they are not interested. The user can also "Swipe Up" (called a "super like"), which notifies the other user that they have been "Super Liked". The ability to passively block communication with someone whom a user is not interested in is what makes Tinder appealing for so many people. Tinder gives the user the ability to chat pseudo-anonymously with individuals where both have swiped right. A user is not required to divulge his cellphone number, and a user can make his own judgment about how much personal information he wishes to share with another user when matched.
Chats within the application are stored chronologically and can be deleted. Using Robtex (robtex.com), we can quickly map out the domains associated with Tinder. Utilizing tools like Robtex, traceroute, and whatismyipaddress.com, an investigator can determine where app user data is being stored and determine jurisdiction. An analysis of Tinder's DNS connections shows that the Tinder app connects a user's profile with servers managed by Facebook, Leanplum, Appsflyer, DoubleClick, and many other companies. Grindr was launched in 2009 and is the world's leading social networking application for gay, bisexual, trans and queer people. Grindr has reached more than 196 countries with more than 3.6 million daily active users (2018). On average these users send 228 million messages and 20 million photos each day. While there are many mobile apps that provide corroborating evidence in an investigation, Grindr has been used to perpetrate some of the most heinous crimes. Therefore, it is an app that warrants special attention from investigators. There are literally hundreds of cases where Grindr has been used by criminals to lure victims and subsequently commit crimes, which include murder, assault, and robbery. The good news is that the Grindr app stores a wealth of information in plaintext, which may help investigators and prosecutors. Grindr is designed to find individuals in close proximity to the user. The smallest value for distance that Tinder/Bumble incorporate into their platforms is one mile, but Grindr will literally go to "zero feet away". If a user wants to engage with another user, they simply "Tap" that individual's profile and the other user will be notified. At this point, both users can send an unlimited number of messages, which can be texts, images, or "GayMoji" stickers. Unlike Tinder and Bumble, Grindr does not require mutual consent to begin a chat session.
There is a safeguard to protect from harassment, where the user can simply delete the "Tap" from a user they do not like, ending the message session. There are different types of "Taps" that give a visual representation of what the individual is looking for, such as a "Hi" icon tap, a "flame" icon tap, a "smiling devil Emoji" icon tap. If the message is a text, it will be previewed next to the user's profile. If it is a photo or video, it will have a small "Camera Icon" instead. A "Read" receipt will indicate whether the person a user messages has actually opened the message.
Characteristics of Internet of Things (IoT); how IoT can be used for malicious purposes, such as cryptojacking and IoT botnet.
An Internet of Things (IoT) device is an Internet-enabled electronic device, such as a smart television, thermostat, refrigerator, or a speaker with built-in artificial intelligence (AI). These IoT devices are different from traditional devices or appliances because their ability to connect to the Internet means that they can be controlled remotely using a smartphone app. For example, a Nest thermostat can be remotely controlled from your smartphone so that you can turn on the heat in your house on the way home from work. Some estimate that by the end of 2020 there will be more than 30 billion IoT devices globally. The revenue from selling IoT devices is well above $1 billion annually. While the local storage capacity of most IoT devices is very small, they are hugely important to investigators because the producers of these devices collect vast amounts of user data, and we are seeing more and more IoT developers being subpoenaed for IoT user data during criminal investigations. This new field of forensics has tremendous potential for investigators, but there are many challenges that need to be overcome first. As a new field of study, existing forensic solutions (tools) are very limited. There are thousands of different IoT devices, each with different proprietary firmware and often with non-standard file formats. While many IoT devices cannot be directly forensically imaged, much of the data derived from these devices resides in the Cloud, and therefore considering the use of a subpoena for cloud storage can be critical. Cryptojacking is the unauthorized use of a computing device to mine a cryptocurrency. Cryptojacking generally works when a user clicks on a link (sent in an email, for example) or visits a website with embedded malware scripts. An IoT botnet is a network of devices connected to the Internet of Things (IoT), typically routers, that have been infected by botnet malware and have fallen under the control of malicious actors.
IoT botnets are mostly used in launching DDoS attacks on target entities to disrupt their operations and services, and the involvement of routers also opens other opportunities for malicious actors to conduct more damaging attacks.
Advanced persistent threat (APT) and its six stages.
An advanced persistent threat (APT) is a sophisticated, relentless, coordinated attack on a computer network, with the goal of stealing intellectual property. Its six stages are:
Reconnaissance: the start, studying the person or organization being attacked.
Weaponization: placing malicious code into a payload.
Delivery: performing the attack.
Exploitation: successful execution of the attack.
C2 (command and control): may not always happen.
Exfiltration: theft of data.
Intrusion detection systems (IDS)
An intrusion detection system (IDS) is hardware or software used to monitor network traffic for malicious activity. An IDS can provide alerts when suspicious or anomalous activity occurs and provide detailed logging information with professional reporting capabilities. An IDS monitors both inbound and outbound network traffic, and can work either heuristically or with predetermined signatures. The IDS, with its logs and reports, is one of the first items a network forensics examiner analyzes, but the efficacy of an IDS or an intrusion prevention system (IPS) may be diminished by encryption. Many different types of IDS exist, and they work in very different ways:
Network intrusion detection system (NIDS)
Network node intrusion detection system (NNIDS)
Host-based intrusion detection system (HIDS)
Intrusion prevention system (IPS)
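The two detection styles named above (predetermined signatures versus heuristics) are easiest to see side by side on a handful of log lines. The following is an added example written for these notes, not code from any IDS product: it runs a signature rule set and a simple request-rate heuristic over a constructed web access log. The log format, the source addresses (documentation ranges) and the thresholds are all assumptions chosen for the example; note that signature matching of this kind only works on plaintext, which is the encryption caveat in the paragraph above.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample access log (not from any real system):
# "<ISO-8601 time> <source IP> <method> <path> <status>"
SAMPLE_LOG = """\
2021-05-04T17:53:01Z 198.51.100.7 GET /index.html 200
2021-05-04T17:53:02Z 198.51.100.7 GET /about.html 200
2021-05-04T17:53:03Z 203.0.113.9 GET /login.php?user=admin'%20OR%20'1'='1 200
2021-05-04T17:53:04Z 203.0.113.9 GET /../../etc/passwd 404
2021-05-04T17:53:05Z 192.0.2.55 GET /a 404
2021-05-04T17:53:05Z 192.0.2.55 GET /b 404
2021-05-04T17:53:05Z 192.0.2.55 GET /c 404
2021-05-04T17:53:05Z 192.0.2.55 GET /d 404
2021-05-04T17:53:06Z 192.0.2.55 GET /e 404
"""

# Signature detection: fixed patterns that are known-bad when seen in a request path.
SIGNATURES = {
    "sqli_tautology": re.compile(r"'(%20|\s)*or(%20|\s)+'1'(%20|\s)*=(%20|\s)*'1", re.I),
    "path_traversal": re.compile(r"\.\./"),
}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line):
    """Turn one log line into a dict; return None for lines that do not fit the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, method, path, status = m.groups()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"time": when, "src": src, "method": method, "path": path, "status": int(status)}


def signature_alerts(events):
    """Signature mode: every event whose path matches a rule yields (rule, source, path)."""
    alerts = []
    for ev in events:
        for name, pattern in SIGNATURES.items():
            if pattern.search(ev["path"]):
                alerts.append((name, ev["src"], ev["path"]))
    return alerts


def rate_alerts(events, max_requests=4, window_seconds=2):
    """Heuristic mode: flag a source that exceeds max_requests inside any sliding window.
    Thresholds are assumptions for the example, not tuned values."""
    alerts = []
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        by_src[ev["src"]].append(ev["time"])
    for src, times in by_src.items():
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 > max_requests:
                alerts.append(("burst", src, end - start + 1))
                break  # one alert per source is enough
    return alerts


def analyze(log_text):
    """Run both detection styles over a log and return the combined alert list."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    return signature_alerts(events) + rate_alerts(events)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

On the sample log the signature rules fire on the two requests from 203.0.113.9, the rate heuristic fires on 192.0.2.55 (five requests inside two seconds), and the ordinary browsing from 198.51.100.7 produces nothing, which is the behaviour an examiner would want to confirm before trusting an IDS's alert stream.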
Various image enhancement and restoration techniques
An investigator can use certain techniques to improve the clarity of an image. Brightness adjustment makes an image lighter or darker, to make the image easier to view. Color balancing describes the process of adjusting colors in an image so that they more accurately reflect the original scene when the photograph was taken. Contrast adjustment refers to improving the contrast of objects and backgrounds to make them more visible. Cropping is the process of removing unwanted portions of an image. Cropping is not always advisable unless the investigator can show a jury the original and demonstrate the need to crop a photograph. Linear filtering techniques can enhance edges and sharpen objects in an image, to make them less blurred. In some cases, an image may not need an enhancement, but it might need to be restored. As digital photographs increase in resolution (and file size), the picture files are more likely to be fragmented across a volume rather than be stored in contiguous sectors. Restoration of an image may also include the reversal of edited or manipulated photographs. For example, a warping technique may have been used on an image, and that enhancement needs to be reversed. More information about digital image evidence and manipulation can be found in the published work of the Scientific Working Group on Imaging Technologies (SWGIT), an organization founded by the FBI that publishes standards on the use of digital and multimedia evidence in the justice system.
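Brightness, contrast and linear filtering are all simple arithmetic on pixel values, and seeing the arithmetic makes it clear why an enhanced copy must be kept separate from the original exhibit. The following is an added example written for these notes, not code from any forensic tool: it applies a brightness/contrast point operation and a 3x3 linear filter (sharpen or box blur) to a small constructed grayscale image represented as nested lists, with no external libraries. The sample image and kernels are assumptions chosen to make the effect visible.

```python
def clamp(value):
    """Keep a computed intensity inside the 8-bit range 0..255."""
    return max(0, min(255, int(round(value))))


def adjust_brightness_contrast(image, contrast=1.0, brightness=0):
    """Point operation applied to every pixel: out = contrast * in + brightness.
    contrast > 1 stretches the range, brightness > 0 lightens; both clamp at 255.
    Returns a new image; the input is never modified."""
    return [[clamp(contrast * px + brightness) for px in row] for row in image]


def convolve(image, kernel):
    """Linear filter: each output pixel is the weighted sum of its neighbourhood.
    Edge pixels are replicated so the output keeps the input dimensions."""
    height, width = len(image), len(image[0])
    radius = len(kernel) // 2
    out = []
    for y in range(height):
        row = []
        for x in range(width):
            acc = 0.0
            for ky in range(-radius, radius + 1):
                for kx in range(-radius, radius + 1):
                    yy = min(max(y + ky, 0), height - 1)
                    xx = min(max(x + kx, 0), width - 1)
                    acc += image[yy][xx] * kernel[ky + radius][kx + radius]
            row.append(clamp(acc))
        out.append(row)
    return out


# Kernels: the sharpen kernel sums to 1, so flat regions are unchanged and only
# edges are amplified; the box blur averages the neighbourhood.
SHARPEN = [[0, -1, 0], [-1, 5, -1], [0, -1, 0]]
BOX_BLUR = [[1 / 9] * 3 for _ in range(3)]

# Constructed 5x5 grayscale sample with a vertical edge between columns 1 and 2.
SAMPLE = [[50, 50, 200, 200, 200] for _ in range(5)]


if __name__ == "__main__":
    print("brighter:", adjust_brightness_contrast(SAMPLE, brightness=100)[0])
    print("sharpened:", convolve(SAMPLE, SHARPEN)[2])
```

Sharpening the sample drives the dark side of the edge to 0 and the bright side to 255, which is exactly the "edges enhanced, objects less blurred" effect described above; it also shows why an investigator must be able to explain that the enhanced image contains no information that was not in the original.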
Android
Android is an open source operating system based on the Linux 2.6 kernel. In 2005, Google acquired Android. The Android OS is found on smartphones, tablets, and many other consumer electronics. An Android device has two types of memory: RAM and NAND. As on a regular computer, RAM is volatile memory and may contain evidence that includes the user's passwords. NAND is nonvolatile flash memory. The most valuable evidence on an Android device is in the libraries, especially the SQLite databases. SQLite is an open source relational database standard which is frequently found on mobile devices. Investigators can extract evidence from an Android smartphone in four ways:
Logical (hardware/software)
Physical (hardware/software)
Joint Test Action Group (JTAG)
Chip-off
Some mobile forensic software supports logical acquisition of a smartphone, which means that only user data can be recovered, not system files. Optimally, the investigator should acquire a physical image when possible. JTAG is the IEEE 1149.1 standard for testing, maintenance, and support of assembled circuit boards. It provides a way to bypass security and encryption to obtain a physical dump of the device's data. Chip-off removes the chip from the board by applying hot air or infrared to the soldered pins. Very few forensics labs conduct chip-off due to the high cost and skills required. Emergency Download (EDL) mode is a technical recovery feature found on Android devices with Qualcomm chipsets. During the boot process, if any errors or faults are detected, then the device will boot into EDL. Most importantly, EDL mode can be used to access and forensically image an Android device, if it supports this mode. If the device is unencrypted, you can typically read directly from the eMMC chip.
If the device is encrypted, then EDL mode can be used to modify the bootloader to bypass the integrity check on a boot image, which maintains a rooted Android Debug Bridge (ADB) shell. ADB is a command-line utility that, if enabled, allows the device to receive instructions from a computer via a USB cable. There are several ways to access EDL mode, and no single method works on all devices:
Use of a specialized cable (an EDL cable).
Shorting pins on the printed circuit board (PCB).
Device button combinations.
There are several ways that a user can secure his or her Android smartphone:
PIN protection: using a numeric PIN.
Password: using an alphanumeric password.
Pattern lock: a finger is used to secure the device with gestures (a swiping motion).
Biometrics: this could be an iris or retina scan, or perhaps facial recognition.
There are many different Android forensics tools. NowSecure is one organization that produces several free tools. Santoku is one of these tools and enables the examiner to image an Android device. The company also produces AFLogical, which performs a logical acquisition of Android 1.5 or later; the data acquired is stored on a blank SD card. Andriller is a forensic suite of tools that can crack PIN codes, passwords, and pattern locks, as well as extract mobile app data. It is available for both Windows PC and Ubuntu Linux. As with other Android forensic tools, USB debugging must first be enabled on the device to extract files from it. The location may vary, but it can usually be accessed via Settings > Developer Options > USB Debugging.
Android Debug Bridge (ADB) is a command-line utility that enables the user to send requests from a computer to an Android device. ADB is part of the Android Platform-Tools package, which is available for free from developer.android.com. Utilities, including BusyBox and nanddump, can then be used with ADB to pull an image of memory.
Whatever tool you decide to use, you will need to have root access to the device to access, or image, the user files. To gain root privileges we need to use an exploit, which is what tools, like Cellebrite UFED, use.
What is Best Evidence Rule and how does it impact the admissibility of digital evidence?
Answer: The best evidence rule states that secondary evidence, or a copy, is inadmissible in court when the original exists. This affects the admissibility of digital evidence because if, for whatever reason, you aren't legally able to get the original copy but it exists, then all your evidence is useless in the eyes of the court. Also, if you have the original, then all other copies are not needed.
Police safety enhancement with Apple Watch, drone, and body worn camera (BWC)
A police department can use Apple Watch to monitor the health of its officers, primarily by monitoring ECG levels, which could alert the department about the stress levels of its officers. Furthermore, a police department could check to see if its officers are getting enough sleep at night. Stress, and even suicide, is a major problem for police officers around the world. Drones are being used more and more by law enforcement. For example, drones are currently being used by SWAT (Special Weapons And Tactics) teams to gather aerial reconnaissance prior to, and during, an operation. The benefit of using drones is that they can be stealthier, less costly, and safer than using a police helicopter. Drones have also been used in hostage situations, for manhunts, for missing persons, and post-incident. A smart holster sensor, which is built into a gun holster, detects when a firearm has been removed from its holster, which in turn activates a body camera. This eliminates the need for an officer to manually activate her body camera. The sensor will also send real-time alerts to dispatch and to officers in the vicinity. A connected firearm has a small device attached to the gun, with a built-in accelerometer and magnetometer, which can detect the location of the firearm, whether it is holstered, when it is loaded, and capture video when it is discharged. A body worn camera (BWC) is a digital video camera that can be clipped onto clothing or built into a vest and worn on the torso. Many police agencies, across the United States and in other countries, use body cameras. Some BWCs collect video, audio, date and timestamps, and GPS coordinates, and the video can later be used for facial recognition. Some BWCs can be automatically activated when a police officer removes his gun from its holster. Manufacturers of BWCs include Axon, Coban, Data911, FlyWIRE, and many more producers.
Companies, such as Yardarm, have developed gun sensors that use three-axis telemetry to monitor the position of a police officer's gun. Thus, the direction in which the gun is held, and the direction of fire, can be recorded. Each gunfire event is captured via a Bluetooth device, and the event information is sent to the officer's smartphone. An alert can also be automatically sent to dispatch, in addition to other officers in close proximity. Police in China have been using smart glasses with facial recognition capabilities. These spectacles are connected to a handheld device, and facial images are captured in crowded public spaces. Subsequently, these facial images are scanned against a database of suspected criminals. As smart glasses evolve, they may be used by law enforcement to improve situational awareness, e.g. using augmented reality to navigate certain terrain, understand potential hazards, and perhaps locate a criminal suspect. Amazon has partnered with more than 400 law enforcement agencies to share data from the Ring doorbell, using Ring video footage to help investigators solve burglaries. Doorbell cameras and home cameras can be effective in the successful capture of criminal suspects, including in crimes like kidnapping.
Heart rate monitoring with Apple Watch and how the Health app data can be correlated with other databases.
Apple Watch monitors a user's heart rate, and the user can view his resting, walking, and workout heart rate throughout the day. The user can also enable notifications if his heart rate drops too low or is too high when at rest. A user's heart rate is monitored continuously during a workout and for three minutes after the conclusion of a workout to monitor the user's workout recovery. Apple Watch uses an optical heart sensor technology called photoplethysmography (PPG) to monitor heart rate. PPG uses light to determine blood flow based on rates of light absorption, based on the premise that blood is red because it reflects red light but absorbs green light. The optical heart sensor flashes its LED lights hundreds of times a second. With each heartbeat, there is more blood flow in the wrist, and therefore a higher absorption of green light, which is recorded by the Watch. The optical heart sensor uses infrared light to measure heart rate in the background and to provide heart rate notifications. Apple Watch Series 4 has built-in electrodes that monitor electrical signals from your heart while using the ECG or Heart Rate functions. When the user touches the Digital Crown, it creates a circuit between the arms and the heart and measures electrical impulses across the chest. While there is some digital evidence stored locally on the Watch, the investigator must largely rely on extracting Apple Watch data from the Health app on the iPhone that it is synchronized with, as there is no real backup for the device. An investigator can find Apple Health data at the following file path:
/private/var/mobile/Library/Health/
There may also be relevant data located in iTunes backups:
/HealthDomain/Health/
The folder contains two SQLite databases: healthdb.sqlite and healthdb_secure.sqlite. With the necessary court approvals, law enforcement can also request that Apple provide Health app data synced to iCloud.
The user may also use another app that complements the Health app, like Strava, and this data may also be accessible to law enforcement. ElcomSoft Phone Breaker can extract Health app data, as can the Apple Pattern of Life Lazy Output'er (APOLLO) tool. APOLLO is an iOS forensics tool that pulls data from numerous SQLite databases on an iPhone and correlates that information for the investigator. Data from the Health app, like steps and heart rate, can be correlated with location information, weather, and other user activity to provide a more holistic view of what a user was doing during a particular timeframe; for example, showing that a person was running in Central Park, New York City, while listening to music, on a sunny day, at 17:53 on May 4, 2021.
Apple mobile devices and iOS features.
Apple mobile devices, particularly the iPhone, are potentially more important than a MacBook or an iMac because they are more personalized and capture a greater variety of evidence than a traditional computer. The benefit for the investigator is that these devices are often interconnected in an Apple environment, so that the same evidence can be retrieved from multiple devices. Another benefit for the investigator is that the operating system on mobile devices (iOS) is very similar to macOS, and therefore there is more predictability about what to expect. iOS, introduced in 2007, is the proprietary mobile operating system for Apple devices, including iPhone, iPad, and iPod. iOS uses APFS, which is a case-sensitive file system. The root partition (system partition) is the first partition found on an iOS device and contains the operating system. The remainder of the volume is the media partition, which is the data partition on an iOS device and contains both user files and some system files. Typical user data found in the media partition can include videos, contacts, and SMS. Users of iOS devices are strongly encouraged by Apple to upgrade to the latest version of iOS, when available and when compatible, so as to enable the latest security fixes. System Software Personalization is a process that prevents a user from downgrading an iOS device to an earlier version of iOS firmware. iOS 13 provides some important security enhancements over earlier versions of iOS, which investigators should be aware of. The user has more options in terms of allowing a mobile app to access the user's location; for example, a user can grant an app "Allow Once" permission to access the user's location information. iOS 13 comes with a feature called Control Center, which allows the user to swipe upward to display controls that include a flashlight, camera, stopwatch, and calculator.
The Control Center may also be a fast way for an investigator to activate Airplane Mode so that the cellular and Wi-Fi connections are disabled. AirDrop is a feature of iOS 13 that allows the user to share photos, videos, contacts, and other data, via Bluetooth, to another user in close proximity. This may be important to consider as defense counsel may question whether an investigator checked to see if this type of data transfer may have occurred.
Admissibility of photographs in the courtroom.
Article X of the Federal Rules of Evidence (FRE) relates to the "Contents of Writings, Recordings and Photographs." The definition of "Photographs" includes still photographs, X-ray films, video tapes, and motion pictures. An "original" can include a negative or a print from the negative. A "duplicate" is "a counterpart produced by the same impression as the original, or from the same matrix, or by means of photography, including enlargements and miniatures, or by mechanical or electronic re-recording". Using digital photographs as evidence offers many benefits compared to traditional photographs. With older photograph technology, detecting whether a photograph had been manipulated was often difficult. Although numerous applications are available to edit digital photographs, detecting those changes is possible. An investigator can review a photograph's metadata and see whether changes were made and when. With digital images, the investigator can perform improved enhancements to make background images or far-away objects clearer because of higher-resolution photographs.
Communication apps
Communication apps, such as WhatsApp, Signal, Viber, and Skype, are arguably more important to investigators than traditional cellphone or landline calls for several reasons:
It is a lot easier to obtain content from these apps than to obtain a Title III wiretap.
The content is much richer than a traditional call or a text message. For example, consumers often share rich content while reacting to the comments of others.
Investigators can find group chats that can link individuals in certain relationships.
Investigators can see emoticons and other reactions to messages that demonstrate personalization and behavior. However, the investigator needs to understand that these reactions are easy to fake and impersonate.
Law enforcement today understands that criminal gangs will often prefer using mobile communication apps over traditional cellular calls. Therefore, it is essential to have a good understanding of mobile communication apps.
IPv4
Currently, most traffic on the Internet uses Internet Protocol version 4 (IPv4), the fourth version of the protocol for connectionless data transmission on packet-switched internetworks. A packet is a block of data transmitted across a network. On the Internet, these packets are transmitted in sequence, and each packet is uniform in size and structure. An IP packet (a block of data sent across the Internet) contains a header section and a data section. An IPv4 header is 20 bytes long (without the options field) and has 14 fields.
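The 20-byte, 14-field layout is easiest to remember by decoding one. The following is an added example written for these notes, not code from any packet-capture tool: it builds a constructed option-less IPv4 header with a valid RFC 791 header checksum, then parses it back field by field and verifies the checksum, which is the first sanity check an examiner applies to a captured header before trusting the addresses in it. The addresses used are documentation ranges and the payload length is an assumption.

```python
import struct
import ipaddress

# Network byte order layout of the fixed 20-byte IPv4 header:
# version/IHL, DSCP/ECN, total length, identification, flags/fragment offset,
# TTL, protocol, header checksum, source address, destination address.
IPV4_FMT = "!BBHHHBBH4s4s"


def ipv4_checksum(header):
    """RFC 791 header checksum: one's-complement sum of 16-bit words, complemented."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, payload_len, protocol=6, ttl=64, ident=0x1234):
    """Build a constructed 20-byte IPv4 header with a correct checksum."""
    version_ihl = (4 << 4) | 5               # version 4, IHL = 5 words = 20 bytes
    total_length = 20 + payload_len
    flags_frag = 0x4000                      # DF flag set, fragment offset 0
    hdr = struct.pack(IPV4_FMT, version_ihl, 0, total_length, ident, flags_frag,
                      ttl, protocol, 0,      # checksum field zero while computing
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4_header(data):
    """Decode the 14 header fields from raw bytes and report whether the checksum verifies.
    Raises ValueError on truncated input, a non-IPv4 version, or an impossible IHL."""
    if len(data) < 20:
        raise ValueError("truncated: an IPv4 header needs at least 20 bytes")
    (version_ihl, tos, total_length, ident, flags_frag, ttl, protocol,
     checksum, src, dst) = struct.unpack(IPV4_FMT, data[:20])
    version = version_ihl >> 4
    ihl = (version_ihl & 0x0F) * 4           # header length in bytes, options included
    if version != 4:
        raise ValueError("not IPv4 (version %d)" % version)
    if ihl < 20 or ihl > len(data):
        raise ValueError("bad IHL: %d bytes" % ihl)
    return {
        "version": version, "header_length": ihl,
        "dscp": tos >> 2, "ecn": tos & 0x03,
        "total_length": total_length, "identification": ident,
        "flags": flags_frag >> 13, "fragment_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "protocol": protocol, "checksum": checksum,
        "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
        "options": data[20:ihl],
        # A valid header sums to 0xFFFF, so re-running the checksum over it yields 0.
        "checksum_ok": ipv4_checksum(data[:ihl]) == 0,
    }


if __name__ == "__main__":
    header = build_ipv4_header("192.0.2.1", "198.51.100.7", payload_len=40)
    for name, value in parse_ipv4_header(header).items():
        print("%-16s %r" % (name, value))
```

Flipping a single byte (the TTL, say) makes `checksum_ok` false, so the check catches accidental corruption in a capture; it is not a security control, since anyone who alters a header can simply recompute the checksum.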
Various forms of cyberbullying
Cyberbullying is not simply sending harassing emails or nasty text messages. Many forms of intimidating communications fall under this category:
Images and video: Cyberbullies commonly use social media sites to post images and videos in attempts to embarrass other children.
Sexting: An individual illegally shares a sexually explicit image, usually via MMS from a cellphone.
Outing: An individual publishes confidential personal information online or shares it in an email to embarrass another individual.
Flaming: Flaming is online arguing, often including vulgar and offensive language to denigrate another person.
Bash boards: Online bulletin boards used to post hateful comments about peers or teachers that people dislike.
Tricking: The process of duping an individual into divulging personal comments, with the intent to publicly publish those secrets to humiliate another individual.
Happy slapping: People organize to physically harm another person and also video the abuse and later post the content online or send it to others.
Online polls: Online polls are used to get classmates to vote on certain topics, such as the ugliest student in class.
Impersonation: A person either illegally breaks into another person's account or sets up a fake page purporting to be someone else.
Features of Debookee tool.
Debookee is a comprehensive wireless packet sniffer for macOS. The tool is not passive as it intercepts data from mobile and IoT devices by performing a man-in-the-middle (MITM) attack, which is an attempt to intercept electronic communications between two computing devices, with the intent to decipher encrypted messages. Debookee has the ability to perform SSL/TLS decryption. Debookee supports numerous protocols, including HTTP, HTTPS, DNS, TCP, DHCP, SIP, and RTP (VoIP). Debookee can be used to identify what data is being collected and shared by mobile apps. In other words, you can identify DNS connections to servers around the world and other companies that could be potentially subpoenaed for information. The data generated from one mobile app can be shared with multiple third-party companies, which are mostly analytics companies like Crashlytics, UXCam, Fabric, etc.
Explain the processes of disk clone and disk image, and compare their difference.
Disk clone is an exact copy of a hard drive and can be used as a backup hard drive because it is bootable like the original. Disk image is a file or group of files that contain bit-by-bit copies of a hard drive. The biggest difference is that a disk image is not bootable like the original, since it is not an exact copy, so only a disk clone is bootable.
How to perform static and dynamic analysis on mobile apps.
During app installation, typically an SQLite database will be installed on the user device. This is a relational database that is comprised of tables. The data stored in these tables may or may not be encrypted. These tables may contain information which is valuable to the investigation. For example, one table may contain a user's contacts, while a related table may store communications with contacts. It is important to understand that these databases contain an extraordinary amount of personal information and, when unencrypted, can put an individual at risk for social engineering. It is also possible to subpoena a third-party service provider for evidence. When analyzing mobile apps, there are several approaches that an investigator can take, in order to examine the user data. A static analysis includes an examination of the SQLite database associated with that app. A dynamic analysis of the app is an analysis of the behavior of the application once it has been executed (or run).
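Static analysis of an app's SQLite store, as described above and in the Android section (where the SQLite databases are called the most valuable evidence), comes down to three steps: enumerate the schema, join the tables that reference each other, and note what personal data sits there unencrypted. The following is an added example written for these notes, not code from any app or forensic product: it builds a constructed in-memory database shaped like a messaging app's store and runs those three steps over it. The table and column names, the contact details and the millisecond timestamps are assumptions for the example, not any real app's schema.

```python
import re
import sqlite3
from datetime import datetime, timezone


def build_sample_db():
    """Create a constructed in-memory database resembling a messaging app's store.
    Schema and rows are invented for this example."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE contacts (id INTEGER PRIMARY KEY, display_name TEXT, phone TEXT);
        CREATE TABLE messages (id INTEGER PRIMARY KEY, contact_id INTEGER,
                               sent_ms INTEGER, direction TEXT, body TEXT,
                               FOREIGN KEY(contact_id) REFERENCES contacts(id));
        INSERT INTO contacts VALUES (1, 'Alice Example', '+15555550100');
        INSERT INTO contacts VALUES (2, 'Bob Example', '+15555550101');
        -- sent_ms: milliseconds since the UNIX epoch, a common Android convention
        INSERT INTO messages VALUES (10, 1, 1620150780000, 'in',  'meet at the park?');
        INSERT INTO messages VALUES (11, 1, 1620150840000, 'out', 'yes, 6pm');
        INSERT INTO messages VALUES (12, 2, 1620151200000, 'in',  'call me');
    """)
    return conn


def list_tables(conn):
    """Step 1: recover the schema from sqlite_master, table name -> CREATE statement."""
    rows = conn.execute("SELECT name, sql FROM sqlite_master WHERE type='table' ORDER BY name")
    return {name: sql for name, sql in rows}


def ms_to_iso(ms):
    """Convert a millisecond UNIX timestamp to an ISO-8601 UTC string."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def conversation_timeline(conn):
    """Step 2: join messages to the contacts they reference, ordered chronologically."""
    rows = conn.execute("""
        SELECT m.sent_ms, c.display_name, c.phone, m.direction, m.body
        FROM messages m JOIN contacts c ON c.id = m.contact_id
        ORDER BY m.sent_ms""")
    return [(ms_to_iso(ms), name, phone, direction, body)
            for ms, name, phone, direction, body in rows]


PHONE_RE = re.compile(r"\+?\d{10,15}")


def scan_plaintext(conn, pattern=PHONE_RE):
    """Step 3: walk every text cell in every table and flag values matching a pattern,
    here phone numbers, to show what an attacker could harvest from the unencrypted file."""
    hits = []
    for table in list_tables(conn):
        # table names come from the database's own schema, not from user input
        columns = [row[1] for row in conn.execute('PRAGMA table_info("%s")' % table)]
        for row in conn.execute('SELECT * FROM "%s"' % table):
            for column, value in zip(columns, row):
                if isinstance(value, str) and pattern.search(value):
                    hits.append((table, column, value))
    return hits


if __name__ == "__main__":
    db = build_sample_db()
    print(list(list_tables(db)))
    for entry in conversation_timeline(db):
        print(entry)
    print(scan_plaintext(db))
```

Against a real acquisition the same three functions would be pointed at a copy of the app's database file (never the original exhibit) with `sqlite3.connect(path)`; the join and the timestamp conversion are where most of the examiner's interpretation happens, so both are worth verifying by hand on a few rows.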
DHCP server
Dynamic Host Configuration Protocol (DHCP) is a standard for allowing a server to dynamically assign IP addresses and configuration to hosts on a network. This dynamic addressing means that a new client can join a network without having to possess a preassigned IP address. The DHCP server assigns a unique IP address, and then after a client leaves the network, that IP address is released and can be used for a new host that enters the network. An Internet service provider (ISP) can use DHCP to allow customers to join its networks. Similarly, on a home network, a broadband router uses DHCP to add clients to its network—these can include a PC, a smart TV, a tablet, or a smartphone. At a minimum, a DHCP server provides an IP address, subnet mask, and default gateway. The default gateway is the node on a network that serves as the forwarding host (router) to other networks.
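The assign, release and reuse cycle described above is what makes an IP address a poor long-term identifier for a host: the same address can belong to different devices at different times, so a DHCP lease record (who held which address, from when to when) is what ties a logged IP back to a MAC address. The following is an added example written for these notes, not code from any DHCP server: a small lease pool that hands out addresses with the minimum subnet mask and gateway, releases and expires them, and keeps the lease history so that the question "who had this address at time T?" can be answered. The address range, MAC addresses and lease length are assumptions for the example; times are plain integer seconds.

```python
import ipaddress


class DhcpLeasePool:
    """Minimal DHCP-style lease pool with a lease history for investigative lookups.
    Illustrative only: DISCOVER/OFFER/REQUEST/ACK are collapsed into one request() call."""

    def __init__(self, first, last, subnet_mask, gateway, lease_seconds=3600):
        start, end = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
        self.free = [str(ipaddress.IPv4Address(i)) for i in range(start, end + 1)]
        self.subnet_mask = subnet_mask
        self.gateway = gateway
        self.lease_seconds = lease_seconds
        self.active = {}       # ip -> (mac, expires_at)
        self.history = []      # [ip, mac, start, end_or_None] in assignment order

    def request(self, mac, now):
        """Renew the caller's existing lease or allocate a free address.
        Returns the offer (address plus the minimum configuration) or None when exhausted."""
        self.expire(now)
        for ip, (holder, _) in self.active.items():
            if holder == mac:
                self.active[ip] = (mac, now + self.lease_seconds)
                return self._offer(ip)
        if not self.free:
            return None        # pool exhausted: no offer can be made
        ip = self.free.pop(0)
        self.active[ip] = (mac, now + self.lease_seconds)
        self.history.append([ip, mac, now, None])
        return self._offer(ip)

    def _offer(self, ip):
        return {"ip": ip, "subnet_mask": self.subnet_mask,
                "gateway": self.gateway, "lease_seconds": self.lease_seconds}

    def release(self, ip, now):
        """Client leaves the network: the address goes back to the free list."""
        self._end_lease(ip, now)

    def expire(self, now):
        """Reclaim every lease whose expiry time has passed."""
        for ip, (_, expires_at) in list(self.active.items()):
            if expires_at <= now:
                self._end_lease(ip, now)

    def _end_lease(self, ip, now):
        if ip not in self.active:
            return
        del self.active[ip]
        self.free.append(ip)
        for record in reversed(self.history):      # close the open history entry
            if record[0] == ip and record[3] is None:
                record[3] = now
                break

    def who_had(self, ip, at):
        """Investigative lookup: which MAC held this address at the given time, or None."""
        for held_ip, mac, start, end in self.history:
            if held_ip == ip and start <= at and (end is None or at < end):
                return mac
        return None


if __name__ == "__main__":
    pool = DhcpLeasePool("192.0.2.10", "192.0.2.11", "255.255.255.0", "192.0.2.1", 600)
    print(pool.request("aa:bb:cc:dd:ee:01", now=1000))
    pool.release("192.0.2.10", now=1100)
    print(pool.request("aa:bb:cc:dd:ee:03", now=1200))
    print(pool.who_had("192.0.2.10", at=1050), pool.who_had("192.0.2.10", at=1250))
```

The lookup at the end is the forensic point: without the lease history, the address 192.0.2.10 in a log line would be attributed to whichever device happens to hold it today, which is why DHCP server logs (and their retention period) matter when an investigator asks an ISP or an organization who was behind an address.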
Tools for investigating a network attack.
Endpoint Detection and Response (EDR): a tool for monitoring threats on network hosts and then automatically responding to certain types of attacks. The power of EDR lies in its tremendous logging capabilities, but the cost is very high.
Kibana: a free, open source data visualization tool which can be used for log analysis and application monitoring. The tool integrates with Elasticsearch, which is a powerful analytical search engine. Kibana uses a variety of histograms, heat maps, line graphs, and other visualization tools to visually identify what occurred during a specific timeframe. This is easier than scanning through thousands of logs.
Log2Timeline: takes log files and parses different types of logs, from a variety of Registry files, and creates a timeline of system logs. The tool is typically used on an infected computer.
SANS SIFT: a free suite of forensics tools, which are available from SANS Institute (www.sans.org). The tool integrates with VMWare Player. The SIFT can be used to mount images and then perform different types of analysis in a virtual box.
Epoch time and conversion between different systems.
Epoch time differs between web browsers and other systems, so converting timestamps can be challenging when working with a Mac or an iOS device. UNIX time (or UNIX epoch time) is the number of seconds that have elapsed since January 1, 1970, 00:00:00 UTC. Date and time values are stored as a 32-bit integer. Epoch (zero) time for macOS is January 1, 1904, 00:00:00 UTC. The maximum date supported by HFS+ is February 6, 2040, at 06:28:15 GMT. Unlike on a UNIX system, when a file on HFS+ is moved from one location to another, the creation date does not change. Timestamps from macOS must be translated into a human-readable format. Epoch Converter (www.epochconverter.com) can assist the examiner with this error-prone conversion. Epoch Converter is a tool from Cellebrite which converts epoch times on macOS 10.5.8 or higher to both local and UTC times.
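The two epochs above differ by a fixed number of seconds, so converting between them is a subtraction, and the 32-bit limit is why HFS+ stops at the date quoted. The following is an added example written for these notes, not code from Epoch Converter or any other tool: it derives the 1904-to-1970 offset from the two epoch dates, converts HFS+ timestamps to UNIX time and to `datetime` values, rejects values outside the unsigned 32-bit range, reproduces the HFS+ maximum date from that limit, and renders a value in both local and UTC form. The local time zone used in the demo is a fixed offset chosen as an assumption.

```python
from datetime import datetime, timedelta, timezone

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
HFS_EPOCH = datetime(1904, 1, 1, tzinfo=timezone.utc)

# 66 years including 17 leap days = 24107 days = 2082844800 seconds.
HFS_TO_UNIX_OFFSET = int((UNIX_EPOCH - HFS_EPOCH).total_seconds())
UINT32_MAX = 0xFFFFFFFF


def hfs_to_unix(hfs_seconds):
    """HFS+ timestamp (seconds since 1904-01-01 UTC, unsigned 32-bit) -> UNIX seconds."""
    if not 0 <= hfs_seconds <= UINT32_MAX:
        raise ValueError("HFS+ timestamps are unsigned 32-bit values")
    return hfs_seconds - HFS_TO_UNIX_OFFSET


def unix_to_hfs(unix_seconds):
    """UNIX seconds -> HFS+ timestamp, refusing dates HFS+ cannot represent."""
    value = unix_seconds + HFS_TO_UNIX_OFFSET
    if not 0 <= value <= UINT32_MAX:
        raise ValueError("date is outside the HFS+ representable range")
    return value


def hfs_to_datetime(hfs_seconds):
    """Build the datetime by offsetting the epoch, which avoids platform limits
    on fromtimestamp() for far-future values."""
    return HFS_EPOCH + timedelta(seconds=hfs_seconds)


def unix_to_datetime(unix_seconds):
    return UNIX_EPOCH + timedelta(seconds=unix_seconds)


def hfs_max_datetime():
    """The last instant a 32-bit HFS+ timestamp can express."""
    return hfs_to_datetime(UINT32_MAX)


def local_and_utc(dt, local_tz):
    """Render a timezone-aware datetime both ways, as an examiner's report would."""
    return dt.astimezone(local_tz).isoformat(), dt.astimezone(timezone.utc).isoformat()


if __name__ == "__main__":
    print("offset:", HFS_TO_UNIX_OFFSET)
    print("HFS+ maximum:", hfs_max_datetime())
    ts = unix_to_hfs(1620150780)               # 2021-05-04 17:53:00 UTC
    eastern = timezone(timedelta(hours=-4))    # assumed local zone (UTC-4)
    print(local_and_utc(hfs_to_datetime(ts), eastern))
```

Running the block prints the offset 2082844800 and the HFS+ maximum 2040-02-06 06:28:15 UTC, which matches the date quoted in the notes; the same subtraction in the other direction is what a converter tool performs when it labels a macOS timestamp.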
Metadata found in photograph images
Exchangeable Image File Format (EXIF) is the metadata associated with digital pictures. Most smart devices today use the EXIF data format in the photographs they produce. EXIF data can include the following:
Date and time
Make and model of camera
Thumbnail
Aperture, shutter speed, and other camera settings
Optionally, longitude and latitude
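EXIF lives inside a JPEG's APP1 segment as a small TIFF structure, so reading the date, make and model listed above (or the software tag that the photographs section says can reveal that an image was edited, and when) means walking marker segments and then a tag directory. The following is an added example written for these notes, not code from any forensic tool or library: it constructs a minimal JPEG carrying an Exif segment with a few ASCII tags, then parses it back while bounds-checking every offset, because a malformed file must not be able to steer the parser outside its buffer. The tag numbers are the real TIFF/EXIF values; the camera name, software string and date in the sample are constructed.

```python
import struct

# TIFF/EXIF tag numbers (real values from the TIFF 6.0 and EXIF specifications).
TAG_NAMES = {0x010F: "Make", 0x0110: "Model", 0x0131: "Software", 0x0132: "DateTime"}
ASCII = 2   # TIFF field type for NUL-terminated ASCII strings


def build_sample_jpeg(fields):
    """Construct a minimal JPEG (SOI + APP1/Exif + EOI, no image data) whose IFD0 holds
    the given {tag: ascii_value} pairs. Constructed sample, not a real camera file."""
    n = len(fields)
    ifd_offset = 8                               # IFD0 follows the 8-byte TIFF header
    data_offset = ifd_offset + 2 + 12 * n + 4    # count + entries + next-IFD pointer
    entries, blob = b"", b""
    for tag, text in fields.items():
        raw = text.encode("ascii") + b"\x00"
        if len(raw) <= 4:                        # short values are stored in the entry itself
            entries += struct.pack("<HHI4s", tag, ASCII, len(raw), raw.ljust(4, b"\x00"))
        else:                                    # long values are stored after the IFD
            entries += struct.pack("<HHII", tag, ASCII, len(raw), data_offset + len(blob))
            blob += raw
    tiff = (b"II*\x00" + struct.pack("<I", ifd_offset) + struct.pack("<H", n)
            + entries + b"\x00\x00\x00\x00" + blob)
    payload = b"Exif\x00\x00" + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    return b"\xff\xd8" + app1 + b"\xff\xd9"


def parse_exif(jpeg):
    """Walk the JPEG marker segments, find APP1/Exif, and return IFD0's ASCII tags."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(jpeg):
        marker, seg_len = struct.unpack(">HH", jpeg[pos:pos + 4])
        if marker == 0xFFD9 or seg_len < 2:
            break                                # end of image, or a corrupt length
        payload = jpeg[pos + 4:pos + 2 + seg_len]
        if marker == 0xFFE1 and payload.startswith(b"Exif\x00\x00"):
            return parse_tiff_ifd0(payload[6:])
        pos += 2 + seg_len
    return {}                                    # no Exif segment present


def parse_tiff_ifd0(tiff):
    """Decode IFD0 of a TIFF structure, honouring its declared byte order and
    bounds-checking every offset so a hostile file cannot read past the buffer."""
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None or len(tiff) < 8:
        raise ValueError("bad TIFF header")
    magic, ifd_offset = struct.unpack(endian + "HI", tiff[2:8])
    if magic != 42 or ifd_offset + 2 > len(tiff):
        raise ValueError("bad TIFF magic or IFD offset")
    count = struct.unpack(endian + "H", tiff[ifd_offset:ifd_offset + 2])[0]
    tags = {}
    for i in range(count):
        off = ifd_offset + 2 + 12 * i
        if off + 12 > len(tiff):
            break                                # truncated directory: stop cleanly
        tag, ftype, n, value = struct.unpack(endian + "HHI4s", tiff[off:off + 12])
        if ftype != ASCII:
            continue                             # this example decodes ASCII tags only
        if n <= 4:
            raw = value[:n]
        else:
            ptr = struct.unpack(endian + "I", value)[0]
            if ptr + n > len(tiff):
                continue                         # offset points outside the segment
            raw = tiff[ptr:ptr + n]
        tags[TAG_NAMES.get(tag, "0x%04X" % tag)] = raw.rstrip(b"\x00").decode("ascii", "replace")
    return tags


if __name__ == "__main__":
    sample = build_sample_jpeg({0x010F: "ExampleCam", 0x0110: "M1",
                                0x0131: "SamplePhotoEditor 2.0",
                                0x0132: "2021:05:04 17:53:00"})
    print(parse_exif(sample))
```

A `Software` value naming an editing application, or a `DateTime` that disagrees with the file system timestamps, is the kind of metadata inconsistency the photographs section refers to; absence of EXIF proves nothing, since many apps strip it on upload.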
Techniques for detecting and discerning fake or altered images.
Fake or altered images have become a central problem in the last few years, especially after the advent of the so-called Deepfakes, i.e., images and videos manipulated using advanced deep learning tools, like autoencoders (AE) or generative adversarial networks (GAN). Such technology opens the door to a series of exciting applications such as creative arts, advertising, film production, and video games. On the other hand, it can also be abused to manipulate public opinion during elections, commit fraud, or discredit or blackmail people. Therefore, there is an urgent need for automated tools capable of detecting false multimedia content and curbing the spread of dangerous false information. A rather general approach is to look for high-level visual artifacts in the face. Methods following this approach try to highlight specific failures in the generation process, which does not reproduce all the details of a real face perfectly. Many other detection methods are based on deep learning, often with very deep networks.
Touch ID and Face ID.
For investigators, a critical difference between older iPhone models and newer models is the biometric authentication sensor. Touch ID is the fingerprint sensor used to unlock the iPhone. Touch ID can also be used to make purchases from the App Store. The problem for an investigator is that if a user uses this biometric sensor, the hash value associated with it is stored on the device, and Apple cannot access the iPhone if the user has used Touch ID, because a fingerprint map is stored in an encrypted format in the "Secure Enclave" section of the device's A7 processor and cannot be extracted by an examiner. Nevertheless, if the reader cannot authenticate the user with her fingerprint, then the user is asked to enter her passcode. Face ID is a facial recognition technology which replaced the fingerprint recognition technology associated with Touch ID. Face ID is used to unlock recent models of the iPhone and iPad. Face ID can also be used to install apps, make payments with Apple Pay, and access sensitive data, including app and online passwords. The iPhone collects a series of infrared dots and creates a pattern based on the user's face. This pattern is stored in the iPhone's Secure Enclave. According to Apple, the Secure Enclave is a coprocessor fabricated within the system on chip (SoC). It uses encrypted memory and includes a hardware random number generator. The Secure Enclave provides all cryptographic operations for Data Protection key management and maintains the integrity of Data Protection even if the kernel has been compromised. Basically, the Secure Enclave is a hardware-based key manager on the iPhone, where biometrics and encryption keys are securely stored, and it is separate from the iPhone's main processor.
Type of evidence available from cell phone carriers and subscribers.
From a computer forensics perspective, it is important to understand how a cellular network is structured so that the investigator can determine the type of evidence that can be retrieved from the carrier's network, even without access to the suspect's handset. Law enforcement can request cell site records from a carrier for a particular cell phone user that indicate where the user was, based on data retrieved from the Base Transceiver Station. It is important for the investigator to specify the wanted format for the evidence; getting the information in a spreadsheet is generally more helpful because the data can be easily sorted and analyzed. To obtain evidence, law enforcement can contact the network carrier and explain that the user information is needed as part of an ongoing investigation and that the customer in question should not be notified about the investigation. Under U.S.C. 2703(f), "Requirements for Court Order", law enforcement can request that the suspect's records be preserved for 90 days, pending their acquisition of a search warrant, and this can be extended for an additional 90 days.
Subscriber: In addition to BTS evidence, law enforcement can obtain subscriber records, call detail records (CDR), and PUK codes. Subscriber records are personal details maintained by the carrier about their customers and can include their name, address, alternative phone numbers, social security number, and credit card information. Call detail records (CDR) are details used for billing purposes and can include phone numbers called, duration, dates and times of calls, and cell sites used. It is important to verify the data that you receive from the carrier against the evidence found on the device, i.e., corroborating evidence. PIN Unblocking Key (PUK) is an unlock reset code used to bypass the SIM PIN protection; some carriers use the word "unlock" or "unlocking" as an alternative to "unblocking" with PUK.
Access to SIM and types of available evidence.
Gaining access to the data on a SIM is challenging if the SIM card has been PIN-protected. A SIM PIN is usually four digits long but can be up to eight. The investigator has three attempts to enter the PIN correctly before the SIM locks; after that, the SIM prompts for the PUK (PIN Unblocking Key), also called the PUC (Personal Unblocking Code), an eight-digit code held by the carrier that resets the PIN. Ten incorrect PUK entries permanently block the SIM, so the PUK should be obtained from the carrier rather than guessed. Similar to hard disk drive cloning, an investigator will often examine a clone of the SIM rather than the original; a forensic SIM clone copies the ICCID and IMSI but not the secret key Ki, so the handset boots with the clone inserted but cannot register on the network, which keeps the evidence isolated. As a best practice, the clone should be used in the investigation rather than the original SIM.
Evidence: The range of evidence available from a cellphone is quite different from what can be acquired from a laptop or desktop. One of the primary differences is the existence of SMS, MMS, and RCS messages. Short Message Service (SMS) is a text message communication service found on mobile devices. SMS messages are primarily saved in handset memory, but those stored on the SIM card are held in the EF_SMS elementary file under the DF_TELECOM directory, one fixed-size record per message, each starting with a status octet that marks the message as read, unread, sent or free (deleted). Multimedia Messaging Service (MMS) is a messaging service which allows the user to send multimedia content, including audio, video, and images. Using a cellphone forensics tool, the investigator can carve the multimedia content out of the user's messages. Rich Communication Services (RCS) is an advanced messaging standard that aims to be a cross-platform mobile device solution for SMS, MMS, and other consumer communications. This standard is supported by smartphone manufacturers, telecommunications companies, and other companies (e.g. Google).
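How an SMS stored on the SIM is laid out, as an added example rather than code from the notes: the parser below decodes one EF_SMS record (status octet plus raw SMS-DELIVER TPDU), including the nibble-swapped addresses, the service-centre timestamp and the packed 7-bit text, and it parses a slot marked free if a TPDU is still present, since deleting on most handsets only clears the status octet. The record is constructed (the widely circulated "hellohello" PDU with an international originating address), not data read from a real SIM.

```python
"""Decode one record of the SIM's EF_SMS elementary file (GSM 11.11 / 3GPP
TS 51.011): a status octet followed by the raw SMS TPDU. The sample record
is constructed (the classic "hellohello" SMS-DELIVER PDU with an
international originating address), not data from a real SIM."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# GSM 03.38 default 7-bit alphabet, code points 0x00-0x7F (basic table only;
# escape-table characters such as '{' and the euro sign are not handled).
GSM7 = ("@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ !\"#¤%&'()*+,-./0123456789"
        ":;<=>?¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà")

# Meaning of the record's first octet (bit 0 set = slot in use).
STATUS = {0x01: "received, read", 0x03: "received, unread",
          0x05: "originated, sent", 0x07: "originated, not yet sent"}


def semi_octets(data: bytes) -> str:
    """Decode nibble-swapped BCD digits; a trailing 0xF pads an odd count."""
    return "".join(f"{b & 0x0F:x}{b >> 4:x}" for b in data).rstrip("f")


def unpack_gsm7(data: bytes, septets: int) -> str:
    """Unpack septets packed LSB-first across octets (3GPP TS 23.038)."""
    bits = int.from_bytes(data, "little")
    return "".join(GSM7[(bits >> (7 * i)) & 0x7F] for i in range(septets))


def decode_scts(raw: bytes) -> datetime:
    """TP-SCTS: YY MM DD hh mm ss TZ, each nibble-swapped; TZ is in quarter
    hours with the sign in bit 3 of the octet. Two-digit years are pivoted
    at 1990 (an assumption of this example)."""
    yy, mo, dd, hh, mi, ss = (int(semi_octets(bytes([b]))) for b in raw[:6])
    tz = raw[6]
    quarters = (tz & 0x07) * 10 + (tz >> 4)
    if tz & 0x08:
        quarters = -quarters
    year = 1900 + yy if yy >= 90 else 2000 + yy
    return datetime(year, mo, dd, hh, mi, ss,
                    tzinfo=timezone(timedelta(minutes=15 * quarters)))


@dataclass
class SimSms:
    status: str
    smsc: str
    sender: str
    timestamp: datetime
    text: str


def parse_ef_sms_record(record: bytes):
    """Parse a 176-octet EF_SMS record holding an SMS-DELIVER TPDU. A slot
    marked free but still containing a TPDU is parsed and flagged, because
    the text stays recoverable until the slot is reused."""
    if record[0] == 0x00 and set(record[1:]) <= {0xFF}:
        return None                                     # genuinely empty slot
    status = ("free (deleted, content still present)" if record[0] == 0x00
              else STATUS.get(record[0], f"unknown (0x{record[0]:02x})"))
    pos = 1
    smsc_len = record[pos]                              # octets incl. type-of-address
    smsc = semi_octets(record[pos + 2:pos + 1 + smsc_len])
    if record[pos + 1] & 0x70 == 0x10:                  # TON = international
        smsc = "+" + smsc
    pos += 1 + smsc_len
    if record[pos] & 0x03 != 0x00:
        raise ValueError("only SMS-DELIVER (MTI 00) records are handled here")
    pos += 1
    oa_digits, oa_toa = record[pos], record[pos + 1]
    oa_len = (oa_digits + 1) // 2
    sender = semi_octets(record[pos + 2:pos + 2 + oa_len])[:oa_digits]
    if oa_toa & 0x70 == 0x10:
        sender = "+" + sender
    pos += 2 + oa_len
    dcs = record[pos + 1]                               # record[pos] is TP-PID
    if dcs & 0x0C != 0x00:
        raise ValueError("only the GSM 7-bit default alphabet is decoded here")
    pos += 2
    timestamp = decode_scts(record[pos:pos + 7])
    pos += 7
    udl = record[pos]                                   # user data length in septets
    pos += 1
    text = unpack_gsm7(record[pos:pos + (udl * 7 + 7) // 8], udl)
    return SimSms(status, smsc, sender, timestamp, text)


# Constructed record: status "received, read", padded with 0xFF to 176 octets.
SAMPLE_RECORD = bytes.fromhex(
    "01"                    # status octet
    "07917283010010F5"      # SMSC address: +27381000015
    "04"                    # TP-MTI = SMS-DELIVER
    "0B917238880900F1"      # originating address: +27838890001
    "0000"                  # TP-PID, TP-DCS (7-bit default alphabet)
    "99309251619580"        # TP-SCTS: 1999-03-29 15:16:59 +02:00
    "0A"                    # TP-UDL: 10 septets
    "E8329BFD4697D9EC37"    # TP-UD: "hellohello"
).ljust(176, b"\xff")
```

Running parse_ef_sms_record over every record of a dumped EF_SMS (and over the same record with its status octet zeroed) shows why the "free" slots must not be skipped: the sender, timestamp and text are all still there.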
The idea is that RCS broadens the capabilities of traditional SMS to match the functionality of messaging apps such as WhatsApp and iMessage. On Android, RCS is delivered through the Google Messages app. Forensics investigators should understand that Chat (RCS) (1) is becoming more popular, (2) is a protocol and not an app, (3) does not itself provide end-to-end encryption in the way Signal or iMessage do (any end-to-end encryption is layered on top by the client, as Google's Messages app does for one-to-one chats), so message content may still be available from the carrier or the RCS provider, and (4) is subject to the same lawful intercept requirements as SMS.
APFS encryption and features
HFS+ has no native support for encryption and relies on CoreStorage (the layer underneath FileVault 2) for encryption. Conversely, APFS has encryption built into the file system. APFS-formatted volumes use randomly generated encryption keys, while CoreStorage uses the volume UUID as the secondary key, which is not random and can be guessed. Therefore, APFS may be viewed as having the superior encryption design. APFS offers three options:
- no encryption
- single-key encryption
- multi-key encryption, with per-file keys for file data and a separate key for sensitive metadata
Depending on the hardware, APFS uses AES-XTS or AES-CBC. Keybags store the encryption information for a Macintosh or iOS device, including the encryption keys. On a MacBook, keybags contain the keys to unlock a container and the keys to unlock a volume. The Container Keybag holds the Volume Keybags and the wrapped Volume Encryption Key (VEK). While the Container Keybag is encrypted, the plaintext data needed to decrypt it is present on the drive. The Volume Keybag contains a series of Key Encryption Keys (KEK): one derived from each user's password and one from the Recovery Key, each wrapping a copy of the VEK. The KEK is therefore critical to decrypting a volume: an investigator needs only one user's password or the Recovery Key to open the Volume Keybag, obtain the Volume Encryption Key (VEK), and decrypt the volume. The VEK is the file system key used to encrypt the data blocks on a volume (disk). Some tools, such as BlackLight, can perform this decryption for you, but not for recent Macs with an Apple T2 chip: there the VEK is additionally wrapped by a key that never leaves the T2's Secure Enclave, so the volume can only be decrypted on the original hardware. iOS uses the following keybags: backup, device, escrow, iCloud Backup, and user. When the user enters her passcode, the class key for NSFileProtectionComplete is loaded from the user keybag and unwrapped.
The backup keybag is generated when iTunes (or Finder on recent macOS) creates an encrypted backup and is stored with the backup on the computer associated with the iOS device. The escrow keybag is used for mobile device management and for USB syncing, so that a paired host can access data without the passcode being entered each time.
ipv6
IPv6 is the latest version of the Internet Protocol and, like IPv4, was developed by the Internet Engineering Task Force (IETF). It was developed in response to the limited number of IPv4 addresses (2^32 = 4,294,967,296). The Internet Assigned Numbers Authority (IANA) is responsible for the allocation of IP addresses globally. All devices operating on the Internet need an IP address. An IPv6 address is 128 bits long and therefore provides 2^128 addresses. An IPv6 address is written as eight groups of four hexadecimal digits separated by colons, and one run of all-zero groups may be collapsed to "::". IPv4 addresses are not converted to IPv6 addresses in general, but some transition mechanisms embed one: the 6to4 address 2002:C669:2C1B:: (the 2002::/16 prefix followed by the 32-bit IPv4 address) embeds 198.105.44.27, whose hexadecimal form is C6 69 2C 1B, and IPv4-mapped addresses take the form ::ffff:198.105.44.27. An investigator who recognises these prefixes can recover the IPv4 address behind them. Cisco's NetFlow is a helpful tool for network forensics investigators because it records the transactions (flows) of IP network traffic. The data stored includes the source and destination IP addresses and ports, the IP protocol, type of service, byte and packet counts, and start and end times, but not packet contents. NetFlow is beneficial when full packet capture is not feasible. NetFlow version 9 became the basis for the IETF standard Internet Protocol Flow Information eXport (IPFIX).
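What an analyst actually does with flow records when no packet capture exists, as an added example (not code from the notes or from Cisco): a decoder for the fixed-layout NetFlow v5 export datagram (v9 and IPFIX are template-based and need a template decoder), a summary of outbound volume per internal host that adds up records the exporter split, and a helper that recovers the IPv4 address embedded in a 6to4 or IPv4-mapped IPv6 address. The datagram, the 10.0.0.0/8 internal prefix and the 10 MB threshold are constructed assumptions.

```python
"""Decode NetFlow v5 export datagrams (the fixed-layout version; v9 and
IPFIX are template-based and need a template decoder), summarise outbound
volume per internal host, and recover the IPv4 address carried inside a
6to4 or IPv4-mapped IPv6 address. The datagram is constructed here; the
internal prefix 10.0.0.0/8 and the volume threshold are assumptions."""
import ipaddress
import struct
from collections import defaultdict

V5_HEADER = struct.Struct("!HHIIIIBBH")                   # 24 octets
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")     # 48 octets
INTERNAL = ipaddress.ip_network("10.0.0.0/8")


def parse_v5(datagram: bytes) -> list:
    """Return one dict per flow record; rejects other versions and truncation."""
    (version, count, _uptime, unix_secs, _nsecs, seq,
     _etype, _eid, sampling) = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("datagram shorter than the record count claims")
    flows = []
    for i in range(count):
        r = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({"src": str(ipaddress.IPv4Address(r[0])),
                      "dst": str(ipaddress.IPv4Address(r[1])),
                      "packets": r[5], "bytes": r[6],
                      "sport": r[9], "dport": r[10],
                      "tcp_flags": r[12], "proto": r[13],
                      "export_time": unix_secs, "sequence": seq,
                      "sampling": sampling & 0x3FFF})   # low 14 bits = interval
    return flows


def outbound_volume(flows: list) -> dict:
    """Bytes sent from internal hosts to external destinations, keyed by
    (src, dst, dst port); records of one long transfer are summed."""
    totals = defaultdict(int)
    for f in flows:
        src, dst = ipaddress.ip_address(f["src"]), ipaddress.ip_address(f["dst"])
        if src in INTERNAL and dst not in INTERNAL:
            totals[(f["src"], f["dst"], f["dport"])] += f["bytes"]
    return dict(totals)


def exfil_candidates(flows: list, threshold: int = 10_000_000) -> dict:
    return {k: v for k, v in outbound_volume(flows).items() if v >= threshold}


def embedded_ipv4(addr: str):
    """IPv4 address carried inside a 6to4 (2002::/16) or IPv4-mapped
    (::ffff:0:0/96) IPv6 address, or None for an ordinary IPv6 address."""
    a = ipaddress.IPv6Address(addr)
    inner = a.sixtofour or a.ipv4_mapped
    return str(inner) if inner else None


def _record(src, dst, sport, dport, proto, flags, packets, octets) -> bytes:
    """Build one v5 record for the constructed datagram (fields not under
    test, such as AS numbers and uptimes, are zero)."""
    return V5_RECORD.pack(ipaddress.IPv4Address(src).packed,
                          ipaddress.IPv4Address(dst).packed, b"\0\0\0\0",
                          1, 2, packets, octets, 0, 0, sport, dport,
                          0, flags, proto, 0, 0, 0, 24, 24, 0)


# Constructed export: flows from a hypothetical 10.0.0.5, including a large
# SSH transfer to an outside host that the exporter split over two records.
SAMPLE_FLOWS = [
    _record("10.0.0.5", "198.51.100.20", 51000, 443, 6, 0x1B, 12, 3_200),
    _record("10.0.0.5", "203.0.113.9", 52111, 22, 6, 0x18, 21_000, 30_000_000),
    _record("10.0.0.5", "203.0.113.9", 52111, 22, 6, 0x18, 22_000, 31_000_000),
    _record("10.0.0.7", "10.0.0.1", 40000, 53, 17, 0x00, 2, 180),
]
SAMPLE_DATAGRAM = (V5_HEADER.pack(5, len(SAMPLE_FLOWS), 0, 1633252462, 0, 0, 0, 0, 0)
                   + b"".join(SAMPLE_FLOWS))

if __name__ == "__main__":
    for key, volume in exfil_candidates(parse_v5(SAMPLE_DATAGRAM)).items():
        print(f"{key[0]} -> {key[1]}:{key[2]} {volume:,} bytes")
    print(embedded_ipv4("2002:c669:2c1b::"))
```

The byte counts are what make the SSH session stand out; the web session to port 443 is below threshold and the internal DNS query is ignored because both ends are inside the prefix.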
New technologies installed on police vehicles.
IoT has made it possible for law enforcement to have smart connected vehicles. Cellular Vehicle-to-Everything (C-V2X) is a 3GPP standard for use with smart vehicles on 4G and 5G networks and is an alternative to the IEEE 802.11p standard for V2V (vehicle-to-vehicle) communications. Police vehicles are now fitted with dash cameras and GPS so that dispatch always knows where officers are. The vehicle may also have a Cradlepoint router, which connects first responders, such as firefighters, over a 4G LTE network so that they can remotely access building blueprints and maps, view aerial footage of a fire from on-scene drones, and coordinate fire trucks and personnel. Cradlepoint can also assist law enforcement with situational awareness and the coordination of resources. Pepwave is a 5G-ready technology that provides law enforcement, firefighters, and emergency medical services (EMS) with public safety network capabilities. Today's police cruiser may also incorporate automatic number plate recognition. Automatic number plate recognition (ANPR), or license plate recognition (LPR) in the U.S., uses optical character recognition to read vehicle registration plates and records the location, date and time of each read. Geotab GO is a device used for vehicle telematics. Telematics is a technology in which a telecommunications device, such as a mobile phone or a Geotab unit, sends real-time data to a centralized computer system. Geotab GO can collect location data, engine idling times, engine data that can reveal potential faults, acceleration, braking, cornering, and other information that could be used in an accident investigation or to improve officer safety. Uber is one company that uses telematics to keep track of its drivers and determine whether they are driving safely.
Standard operating procedures and tools for handling handset evidence.
Laboratories and their investigators must use best practices for cell phone examinations. Luckily, guidelines are available to use as the basis for the laboratory's standard operating procedures (SOP). An organization's SOP varies from place to place primarily as a result of differences in budget, which determines the resources (equipment, personnel, training, and so on) the lab has available. When documenting the examination of a cell phone, it is important to record every person who came into contact with the device. For example, some onsite police are instructed to place a handset into Airplane Mode when it is seized, and that needs to be documented. If the device was dusted for fingerprints before its arrival at the computer forensics lab, that also should be part of the investigative report. The National Institute of Standards and Technology (NIST) provides guidance for a variety of scientific practices, including cell phone forensics. NIST Special Publication 800-101 Revision 1, Guidelines on Mobile Device Forensics, published in May 2014, describes four steps in a forensic examination:
- Preservation
- Acquisition
- Examination and analysis
- Reporting
The Association of Chief Police Officers (ACPO) has noted the importance of evidence not changing as a result of examination: "No action performed by investigators should change data contained on digital devices or storage media that may subsequently be relied upon in court."
ridesharing apps
Location information is always important in an investigation because an investigator needs to identify where a suspect was. Uber is a service that enables drivers to provide flexible transportation services that compete with traditional taxi services. Consumers use the Uber mobile app to search for a car service in their area; they are shown the mapped location of Uber cars in their vicinity and given an upfront quote for a specific ride. Uber operates in approximately 600 cities worldwide. In the past, Uber has received negative press about its geolocation tracking of users, which raised concerns regarding its privacy policies and potentially invasive data collection practices. The reported practices included fingerprinting iPhones so that they could still be identified after the Uber app had been uninstalled or the device wiped, and buying anonymized email receipt data from Unroll.me, a service that purported to purge a user's inbox of advertising messages, in order to track a competitor's business. According to Uber's user privacy statement, two categories of information are collected about users: (a) Information You Provide to Us, which can include name, email, phone number, postal address, profile picture, payment method, and (b) Information We Collect Through Your Use of Our Services, which can include location information, contacts, transactions, usage and preference, device information, call and SMS data, and log information. Of particular interest is the device information (hardware model, operating system and version, software and file names and versions, preferred language, unique device identifier, advertising identifiers, serial number, device motion information, and mobile network information). In terms of location information, Uber is not specific about the extent to which the user's location is tracked but states that it "may also collect the precise location of your device when the app is running in the foreground or background."
Uber states in its FAQ that the reason for this data collection is to "improve pickups, drop-offs, customer service, and to enhance safety." However, users reported seeing the Uber app using Location Services weeks after the app was last used, well beyond the five minutes after a trip for which Uber said it collected location. Uber responded by blaming the iOS Maps extension it uses to serve regional maps to customers. Uber has invested heavily in data science to retain its competitive advantage. It also runs a telematics pilot program, called Autohawk, to identify the location of its drivers and perform diagnostic testing on the vehicle to ensure passenger safety. Uber publishes geolocation visualizations produced by its data visualization team at eng.uber.com/data-viz-intel. Uber integrates both Fabric and Localytics in its mobile app. Fabric provides companies like Uber with real-time information about the health of their app, including crash analytics. Localytics provides location-based analytics. Allegations about Uber's competitor spy programs have been abundant.
How to use Target Disk Mode to clone a Mac device
Mac devices can be problematic when it comes to removing the hard drive, since on many models it is soldered or otherwise not user-removable. Target Disk Mode (TDM), entered by holding the T key while booting, makes the Mac present its internal drive to another computer as an external disk, so an investigator can acquire an image over FireWire (IEEE 1394) on older Macs, or over Thunderbolt (or USB-C on newer models) on more recent ones. Thunderbolt 3 has transfer speeds of up to 40 Gbps and carries data, video output and power. If the suspect's computer has a firmware password, the Mac will not enter Target Disk Mode and you will likely see a black screen or a lock prompt. Therefore, an investigator should first check for a firmware password by holding down the Option key when booting: if one has been set, a password dialog is displayed instead of the boot picker. A write-blocker should be used with TDM, because the host otherwise mounts the exposed disk read-write and will touch it (Spotlight indexing, .DS_Store files, journal replay) the moment it appears. Note that Macs with Apple silicon do not offer Target Disk Mode; the equivalent is the Share Disk option in macOS Recovery. On T2 and Apple silicon Macs the internal SSD is encrypted by the security chip, so a FileVault-protected volume must be unlocked on that Mac before anything readable is exposed.
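The acquisition itself, once the disk is visible through the write-blocker, as an added example (not the notes' own procedure): stream the device to an image file while hashing in the same pass, then re-hash the written image and compare, which gives the two digests the acquisition log needs. The demo images a constructed temporary file; the device node it stands in for (for example /dev/rdisk2 on the examination Mac) is an assumption.

```python
"""Acquire a raw image of a block device exposed over Target Disk Mode (or
any readable device) while hashing it in the same pass, then re-hash the
written image and compare. The demo images a constructed temporary file;
substitute the device node (for example /dev/rdisk2 on the examination Mac,
an assumption) for a real acquisition. Added example, not the page's own."""
import hashlib
import os
import tempfile

CHUNK = 4 * 1024 * 1024   # a multiple of the sector size, as raw devices require


def sha256_file(path: str, chunk: int = CHUNK) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def image_device(source: str, image: str, chunk: int = CHUNK) -> dict:
    """Copy source to image, hashing the bytes as they are read; then hash
    the image file independently. A read error on a failing disk raises
    here rather than padding the bad range the way a ddrescue-style imager
    would, so an exception means an incomplete acquisition."""
    h = hashlib.sha256()
    total = 0
    with open(source, "rb", buffering=0) as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(chunk), b""):
            h.update(block)
            dst.write(block)
            total += len(block)
        dst.flush()
        os.fsync(dst.fileno())          # the image must be on disk before re-hashing
    return {"bytes": total,
            "source_sha256": h.hexdigest(),
            "image_sha256": sha256_file(image, chunk)}


def verified(result: dict) -> bool:
    return result["source_sha256"] == result["image_sha256"]


def demo() -> tuple:
    """Image a 3 MiB + 17 byte stand-in for the TDM device and verify it."""
    with tempfile.TemporaryDirectory() as tmp:
        device = os.path.join(tmp, "rdisk_stand_in")
        image = os.path.join(tmp, "evidence.dd")
        with open(device, "wb") as f:
            f.write(os.urandom(3 * 1024 * 1024 + 17))   # constructed contents
        result = image_device(device, image)
        return verified(result), result["bytes"], os.path.getsize(image)


if __name__ == "__main__":
    print(demo())
```

Record the source digest, the image digest and the byte count in the acquisition log; the odd 17-byte tail in the demo is there to show that a final partial chunk is copied and hashed like any other.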
Facts about Macintosh file systems: MFS, HFS, HFS+, APFS.
Macintosh File System (MFS) is a flat file system that was introduced with Apple's Macintosh computer in 1984. The file system was developed to store files on floppy disks. As volumes grew in size, a new file system, the Hierarchical File System (HFS), was introduced in 1985 to support Apple's hard disk drive. Hierarchical File System Extended (HFS+) was introduced in 1998 to support larger files and uses Unicode file names. Apple's operating system is based on UNIX, and HFS+ was updated over the years to function with macOS (previously called "Mac OS X"). Nevertheless, an Intel-based Macintosh could contain file systems such as NTFS, FAT32, EXT3 or EXT4, because it can run multiple operating systems with their different file systems. Boot Camp is the Apple tool that allows an Intel-based Macintosh to run Windows. HFS: Under classic Mac operating systems files had two parts, a data fork and a resource fork (storing structured resources such as icons, menus and code, and the association with the owning application; the rough equivalent of an Alternate Data Stream in NTFS). Apple has deprecated use of the resource fork, but it can still be found in use. Files containing a resource fork often lose it when copied to a volume of a different file system such as NTFS. HFS uses 16-bit allocation block numbers and therefore allows a maximum of 65,536 allocation blocks per volume, on 512-byte logical blocks (one sector), so large volumes were forced into very large allocation blocks and wasted space. HFS+: Also referred to as Mac OS Extended, HFS+ was introduced with Mac OS 8.1 in 1998 and improved the allocation of disk space: with 32-bit allocation block numbers, the maximum number of blocks is 2^32 (4,294,967,296), which means less wasted space on a volume. File names can contain up to 255 Unicode characters. The maximum file size in HFS+ is 2^63 bytes. HFS+ is case-preserving but case-insensitive by default; the case-sensitive variant, HFSX, is what Disk Utility offers as "Case-sensitive" (APFS offers the same choice, and iOS volumes are case-sensitive). NTFS is likewise case-insensitive in normal use, so a case-sensitive Mac volume can hold Report.doc and report.doc side by side while a Windows examination machine cannot, which is one argument for using a Mac to examine a Mac or iOS device. An allocation block is the unit of storage space handed out to files; its size is chosen when the volume is formatted and is typically 4 KiB on a modern hard drive, made up of 512-byte sectors.
An allocation block number is a 32-bit number that identifies an allocation block. A volume header contains information about the volume, including the time and date of its creation and the number of files stored on that volume. The volume header is located 1024 bytes from the start of the volume. An alternate volume header is a copy of the volume header located 1024 bytes before the end of the volume. The catalog file contains detailed information about every file and folder, including its name, and is structured as a B-tree. Each record carries a Catalog Node ID (CNID, often just "Catalog ID"), a unique number allocated sequentially when a file or folder is created. This is extremely important from a forensics perspective because an investigator can determine the order in which files were created, and the CNID cannot be manipulated by the user, whereas there are ways in which a user can manipulate the date and time metadata of files. The CNID is released when the file is deleted but the number is not reused (the counter only wraps after 2^32 allocations). In contrast, with NTFS the MFT record number can be reused when a file is deleted. Immediately after a file is created on HFS+, its date and time metadata look like this:
- Created Date: time of creation
- Last Accessed Date: time of creation
- Modified Date: time of creation
- Date Added: not populated
HFS+ does not use UNIX (Epoch) time: its timestamps are unsigned 32-bit counts of seconds since midnight, January 1, 1904 GMT (classic HFS used the same count in local time), so a converter or tool must apply the 1904 epoch or every date will be off by 66 years. If a file is duplicated, the copy's date and time metadata are:
- Created: inherited from the original
- Modified: inherited from the original
- Accessed: time of duplication
- Record Changed: time of duplication
- Date Added: time of duplication
APFS: APFS (Apple File System) is Apple's file system for its Macintosh computers as well as its mobile devices, such as the iPhone. It shipped for Macs with macOS High Sierra (10.13) in September 2017, after iOS 10.3 had already converted iOS devices in March 2017.
If you upgraded your iPhone or iPad to iOS 10.3 (or later), APFS was installed automatically and replaced HFS+. The macOS High Sierra installer offers a non-destructive, in-place upgrade from HFS+ to APFS. APFS can be found on devices running macOS, iOS, tvOS, and watchOS. APFS has been optimized for flash / solid state storage. APFS is a 64-bit file system with a theoretical 2^64 addressable objects, so there are roughly 9 quintillion addressable files, compared with 4 billion in HFS+. Timestamps are stored as 64-bit counts of nanoseconds since the UNIX epoch (January 1, 1970 UTC), giving a precision of 1 nanosecond compared to 1 second in HFS+. APFS replaces the HFS+ journal with copy-on-write metadata: a changed block is written to a new location and the pointers to it are updated atomically, so the on-disk structures are never left half-updated, and the previous versions of blocks may survive until they are overwritten. Checksums (Fletcher's) protect the integrity of metadata, but not of file contents. APFS, like HFS+, keeps its records in B-trees, but it adds an object map that translates object identifiers to physical locations, which is what makes snapshots possible. Cloning is an APFS feature whereby a duplicated file or directory within a volume shares the original's data blocks and only the metadata is duplicated; the two files therefore have content physically stored in the same blocks until one of them is modified, which matters when counting copies or carving.
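The three epochs an examiner meets on Apple systems, as an added example (not code from the notes): HFS+ seconds since 1904, APFS nanoseconds since 1970, and the Core Foundation float seconds since 2001 that Safari and Core Data use (the Safari History.plist dates later in these notes are this third kind). The sample values are constructed, all representing 2021-10-03 09:14:22 UTC.

```python
"""Convert the timestamp encodings an examiner meets on Apple systems to
UTC datetimes: HFS+ (32-bit seconds since 1904-01-01, TN1150), APFS (64-bit
nanoseconds since 1970-01-01) and Core Foundation absolute time used by
Safari and Core Data (float seconds since 2001-01-01). Added example; the
sample values are constructed."""
from datetime import datetime, timedelta, timezone

HFS_EPOCH = datetime(1904, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)
HFS_TO_UNIX = int((UNIX_EPOCH - HFS_EPOCH).total_seconds())     # 2082844800
COCOA_TO_UNIX = int((COCOA_EPOCH - UNIX_EPOCH).total_seconds())  # 978307200


def hfs_plus_time(raw: int) -> datetime:
    """HFS/HFS+ catalog dates are unsigned 32-bit seconds since 1904 GMT.
    HFS+ stores them in UTC; classic HFS stored local time."""
    if not 0 <= raw < 2**32:
        raise ValueError("HFS+ dates are 32-bit unsigned")
    return HFS_EPOCH + timedelta(seconds=raw)


def apfs_time(raw: int) -> tuple:
    """APFS stores 64-bit unsigned nanoseconds since the Unix epoch. Python's
    datetime only reaches microseconds, so the sub-microsecond nanoseconds
    are returned separately rather than silently dropped."""
    if not 0 <= raw < 2**64:
        raise ValueError("APFS timestamps are 64-bit unsigned")
    return UNIX_EPOCH + timedelta(microseconds=raw // 1000), raw % 1000


def cocoa_time(raw: float) -> datetime:
    """Core Foundation absolute time: float seconds since 2001-01-01 UTC."""
    return COCOA_EPOCH + timedelta(seconds=raw)


def candidate_readings(raw: int) -> dict:
    """A bare integer from a hex dump carries no epoch; list every plausible
    reading so the examiner can pick the one consistent with other artefacts.
    Misreading an HFS+ value as Unix time places events 66 years later."""
    readings = {}
    if raw < 2**32:
        readings["hfs_plus"] = hfs_plus_time(raw)
        readings["unix_seconds"] = UNIX_EPOCH + timedelta(seconds=raw)
        readings["cocoa_seconds"] = cocoa_time(raw)
    if raw >= 10**15:                         # too large for any seconds count
        readings["apfs_nanoseconds"] = apfs_time(raw)[0]
    return readings


if __name__ == "__main__":
    for name, value in candidate_readings(3716097262).items():
        print(f"{name:>16}: {value.isoformat()}")
```

The 0.5 s and sub-microsecond cases are worth keeping in mind: Cocoa dates are floats, so the fraction is meaningful, and an APFS nanosecond value loses its last three digits if it is pushed through a datetime without the separate remainder.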
Incident response team and intelligence sharing.
Many larger organizations maintain a security operations center (SOC) and an incident response (IR) team. The SOC focuses on information security and threat detection, which may include monitoring for unusual login attempts, malware, data exfiltration, and connection attempts to or from unusual external IP addresses. The IR team may handle incidents ranging from a lost or stolen smartphone to a more serious incident involving stolen credentials or a large network breach. Triage is the initial step of incident response; it usually involves mitigating the risk (preventing the loss of data or money and containing any threat to the organization) and capturing perishable data (data that quickly expires). An example of triage for a stolen iPhone would be to capture the device's latest state (last login, last location, and so on), send a remote wipe, inform the cellular carrier, file a police report, and have the user change her passwords for every network service the device was used for.
intelligence sharing: Threat intelligence has become extremely important because many organizations and industries encounter similar threats from hacktivists, individual hackers and nation states. While the W32.Stuxnet worm targeted the centrifuges at the Iranian nuclear facility at Natanz, it also infected machines in Indonesia, India, and many other countries. APT10 targeted the managed service provider (MSP) industry in the campaign known as Operation Cloud Hopper, using the same families of malware against many victims. Sharing intelligence within industries, even among competitors, has become a more robust and effective strategy. There are sector-based Information Sharing and Analysis Centers (ISACs), e.g., the Financial Services Information Sharing and Analysis Center (FS-ISAC), which provide actionable intelligence for security professionals.
The Cybersecurity and Infrastructure Security Agency (CISA), within the Department of Homeland Security (DHS), provides important security alerts for both organizational and personal security. InfraGard, a public-private organization of the FBI, provides organizations with security alerts.
How to authenticate a subscriber on a network.
The Mobile Switching Center (MSC) is the switch that serves a group of base stations; it consults the Home Location Register, the Visitor Location Register and the Authentication Center to authenticate a subscriber and route calls. The Home Location Register (HLR) is the database of a carrier's own subscribers and includes their home address, IMSI, telephone number (MSISDN), SIM card ICCID, and the services used by the subscriber, plus a pointer to the VLR currently serving the handset. The Visitor Location Register (VLR) is the database of subscribers currently served by an MSC, including roamers from other carriers. A subscriber appears in only one HLR and, stale entries aside, in only one VLR at a time, the one belonging to the MSC currently serving the handset; the current location of a mobile station (handset) is therefore found in the VLR. The VLR also assigns the Temporary Mobile Subscriber Identity (TMSI), a randomly generated number issued to the mobile station when it registers in a location area and used on the air interface in place of the IMSI, so that the permanent identity is transmitted as rarely as possible. The Equipment Identity Register (EIR) tracks IMEI numbers and decides whether an IMEI is valid (white list), suspect (grey list) or stolen (black list). The Authentication Center (AuC) is the database that holds each subscriber's IMSI together with the secret subscriber key Ki and the operator's authentication (A3) and key generation (A8) algorithms. Authentication is a challenge-response: the AuC generates a random challenge RAND, computes the expected response SRES and the ciphering key Kc from Ki, and hands this triplet to the MSC/VLR, which sends only RAND to the handset; the SIM computes SRES from its own copy of Ki, and the VLR compares the two. Ki never leaves the AuC or the SIM.
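The exchange between these elements, as an added example that is not code from the notes or from any operator: the AuC issues triplets, the MSC/VLR spends one per authentication and sends only RAND over the air, and the SIM answers from its own Ki. HMAC-SHA256 stands in for the operator's A3/A8 (COMP128 and successors), and the IMSI and keys are made up; the model also shows the weakness a practitioner should remember, that the SIM answers any challenge because GSM never authenticates the network to the phone.

```python
"""Model of GSM subscriber authentication across the network elements
named above. The AuC holds IMSI -> Ki and issues triplets (RAND, SRES, Kc)
via the HLR; the serving MSC/VLR sends only RAND over the air and compares
the SIM's SRES; Ki never leaves the AuC or the SIM. HMAC-SHA256 stands in
for the operator's A3/A8 (COMP128 etc.); the IMSIs and keys are made up.
Added example, not code from the page or from any operator."""
import hashlib
import hmac
import os


def a3_a8(ki: bytes, rand: bytes) -> tuple:
    """Stand-in for A3 (32-bit SRES) and A8 (64-bit Kc) run on RAND under Ki."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


class AuC:
    def __init__(self, subscribers: dict):
        self._ki = dict(subscribers)            # IMSI -> Ki, never exported

    def triplets(self, imsi: str, n: int = 3) -> list:
        """Authentication vectors for the HLR to pass to a serving VLR."""
        ki = self._ki[imsi]                     # KeyError: unknown subscriber
        vectors = []
        for _ in range(n):
            rand = os.urandom(16)
            sres, kc = a3_a8(ki, rand)
            vectors.append((rand, sres, kc))
        return vectors


class SIM:
    def __init__(self, imsi: str, ki: bytes):
        self.imsi, self._ki = imsi, ki

    def run_gsm_algorithm(self, rand: bytes) -> tuple:
        """RUN GSM ALGORITHM command: the SIM answers any RAND it is given.
        GSM never authenticates the network to the phone, which is what a
        fake base station (IMSI catcher) exploits."""
        return a3_a8(self._ki, rand)


class MSC_VLR:
    def __init__(self, auc: AuC):
        self._auc, self._vectors = auc, {}

    def authenticate(self, sim: SIM):
        """Return Kc on success (both sides now share it for A5 ciphering),
        None on failure. Triplets are fetched in batches and used once."""
        if not self._vectors.get(sim.imsi):
            self._vectors[sim.imsi] = self._auc.triplets(sim.imsi)
        rand, expected_sres, kc = self._vectors[sim.imsi].pop(0)
        sres, _kc_on_sim = sim.run_gsm_algorithm(rand)   # challenge over the air
        if not hmac.compare_digest(sres, expected_sres):
            return None
        return kc


if __name__ == "__main__":
    auc = AuC({"310260123456789": b"\x2b" * 16})
    vlr = MSC_VLR(auc)
    print(vlr.authenticate(SIM("310260123456789", b"\x2b" * 16)) is not None)
    print(vlr.authenticate(SIM("310260123456789", b"\x00" * 16)) is None)
```

A SIM clone made without Ki (the forensic kind described earlier in these notes) fails this exchange exactly as the second line shows, which is why such a clone cannot register on the network.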
How to document a cellphone investigation.
Most forensic tools, such as Paraben's Device Seizure and AccessData's MPE+, have a built-in report feature. The investigator's report should ultimately include the following details:
- Device specifications, including details about the SIM card
- Where the device was seized
- How the device was seized (copies of the consent form or warrant)
- Preparation techniques, including removing the device from the network
- Forensic tools used to acquire the evidence
- Evidence acquired (SMS, MMS, images, video, contacts, call history, and so on)
- Carrier evidence (subscriber details and call detail records)
- Application service evidence (for example, Gmail from Google's e-mail servers)
Property lists (PLists) and their importance.
Property list (plist) files are the configuration files found on computers running the Mac operating system and on iOS devices. They can be thought of as the equivalent of Registry files on a Windows computer. Plists contain user and application preferences and provide a wealth of information for investigators. They are an efficient way for a developer to store small blocks of structured data: numbers, strings, dates, booleans and binary blobs in nested arrays and dictionaries. Plist files exist in XML and binary formats (a binary plist begins with the bytes "bplist00"); the XML form is readable in any text editor, while the binary form requires a viewer such as Xcode, the plutil command (plutil -convert xml1 file.plist rewrites a binary plist as XML) or Python's plistlib module.
other useful info on apple phones
Photos on the iPhone can provide a treasure trove of information about events and about the user. The iPhone records the longitude and latitude of where a photo was taken as EXIF metadata (the GPS tags in the Exif segment of the JPEG or HEIC file) if Location Services (under Settings > Privacy) is enabled by the user and the Camera app has been granted access to location. Location Services is a user preference that allows an iOS device, and the apps running on it, to determine the user's location from cell sites, GPS, Wi-Fi hotspots, and iBeacons. An iBeacon uses Bluetooth Low Energy (BLE) to signal proximity to a fixed point. An iPhone, like other Bluetooth devices, can act as an iBeacon, which in turn can give Location Services a precise indoor position and reduce the reliance on GPS or a cell site. SSIDs (network names) of access points are captured on an iPhone, but a recorded SSID does not necessarily mean that the user actually connected to that network. In fact, most SSIDs recorded on smartphones are access points that a user passed by without connecting. Once you view the SSIDs logged by an iPhone, you can look up those access points on wigle.net to place the phone geographically.
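Reading that position back out of a photo, as an added example rather than code from the notes: the parser walks the JPEG marker segments to the Exif APP1 segment, parses the TIFF header and IFD0, follows the GPSInfo pointer and converts the degree/minute/second rationals to signed decimal degrees. build_sample_jpeg() constructs a minimal JPEG (Exif segment only, no image data) so the parser can be exercised offline; the coordinates in it are made up.

```python
"""Pull the GPS position out of a JPEG's Exif APP1 segment with the standard
library only: find the APP1 marker, parse the TIFF header and IFD0, follow
the GPSInfo pointer (tag 0x8825) and convert the degree/minute/second
rationals to signed decimal degrees. build_sample_jpeg() constructs a
minimal JPEG (no image data) for testing; the coordinates are made up."""
import struct

GPS_INFO, LAT_REF, LAT, LON_REF, LON = 0x8825, 0x0001, 0x0002, 0x0003, 0x0004


def _entries(tiff: bytes, offset: int, e: str):
    """Yield (tag, type, count, raw 4-byte value-or-offset) for one IFD."""
    (n,) = struct.unpack_from(e + "H", tiff, offset)
    for i in range(n):
        base = offset + 2 + 12 * i
        tag, typ, count = struct.unpack_from(e + "HHI", tiff, base)
        yield tag, typ, count, tiff[base + 8:base + 12]


def _gps_from_tiff(tiff: bytes):
    e = {b"II": "<", b"MM": ">"}[tiff[:2]]              # byte order mark
    if struct.unpack_from(e + "H", tiff, 2)[0] != 42:
        raise ValueError("bad TIFF magic")
    (ifd0,) = struct.unpack_from(e + "I", tiff, 4)
    gps_ifd = next((struct.unpack(e + "I", raw)[0]
                    for tag, _, _, raw in _entries(tiff, ifd0, e)
                    if tag == GPS_INFO), None)
    if gps_ifd is None:
        return None                                      # Exif present, no GPS IFD
    tags = {tag: (typ, count, raw) for tag, typ, count, raw in _entries(tiff, gps_ifd, e)}
    if not {LAT_REF, LAT, LON_REF, LON} <= tags.keys():
        return None

    def dms(tag):                                        # three RATIONALs at an offset
        _, count, raw = tags[tag]
        (off,) = struct.unpack(e + "I", raw)
        vals = struct.unpack_from(e + "II" * count, tiff, off)
        d, m, s = (vals[i] / vals[i + 1] for i in range(0, 6, 2))
        return d + m / 60 + s / 3600

    lat = dms(LAT) * (-1 if tags[LAT_REF][2][:1] == b"S" else 1)
    lon = dms(LON) * (-1 if tags[LON_REF][2][:1] == b"W" else 1)
    return lat, lon


def exif_gps(jpeg: bytes):
    """Walk the JPEG marker segments up to the first scan; None if no GPS."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        (seglen,) = struct.unpack_from(">H", jpeg, pos + 2)
        segment = jpeg[pos + 4:pos + 2 + seglen]
        if marker == 0xE1 and segment.startswith(b"Exif\0\0"):
            return _gps_from_tiff(segment[6:])
        if marker == 0xDA:                               # SOS: headers are over
            break
        pos += 2 + seglen
    return None


def build_sample_jpeg(lat: float, lat_ref: str, lon: float, lon_ref: str) -> bytes:
    """Constructed little-endian Exif block: IFD0 with one GPSInfo entry,
    then a GPS IFD with the four position tags and their rational data."""
    def to_dms(deg):
        d = int(deg)
        m = int((deg - d) * 60)
        s = round(((deg - d) * 60 - m) * 60 * 100)       # seconds to 1/100
        return [(d, 1), (m, 1), (s, 100)]
    e = "<"
    gps_off = 8 + 2 + 12 + 4                             # right after IFD0
    data_off = gps_off + 2 + 4 * 12 + 4                  # right after GPS IFD
    tiff = b"II" + struct.pack(e + "HI", 42, 8)
    ifd0 = struct.pack(e + "HHHIII", 1, GPS_INFO, 4, 1, gps_off, 0)
    gps = struct.pack(e + "H", 4)
    gps += struct.pack(e + "HHI4s", LAT_REF, 2, 2, lat_ref.encode() + b"\0\0\0")
    gps += struct.pack(e + "HHII", LAT, 5, 3, data_off)
    gps += struct.pack(e + "HHI4s", LON_REF, 2, 2, lon_ref.encode() + b"\0\0\0")
    gps += struct.pack(e + "HHII", LON, 5, 3, data_off + 24)
    gps += struct.pack(e + "I", 0)
    rationals = b"".join(struct.pack(e + "II", n, d)
                         for n, d in to_dms(lat) + to_dms(lon))
    app1 = b"Exif\0\0" + tiff + ifd0 + gps + rationals
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


if __name__ == "__main__":
    print(exif_gps(build_sample_jpeg(40.748817, "N", 73.985428, "W")))
```

A None result distinguishes "no GPS recorded" (Location Services off, or the photo passed through a service that strips Exif) from a file that is not a JPEG at all, which raises; real iPhone files also carry a big-endian ("MM") TIFF header, which the same code handles.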
Pretty Good Privacy (PGP) and its use in forensics investigation.
Pretty Good Privacy (PGP) is an encryption program used for the secure transmission of email and for the encryption of files, directories, and volumes (disks). PGP is the most widely used email encryption program in the world. In 1991, Phil Zimmermann created PGP and made it freely available to the public; the OpenPGP standard (RFC 4880) now describes the format, and GnuPG is the most common free implementation. PGP combines symmetric key encryption and public key encryption. The message is first encrypted with a one-time symmetric session key; that session key, not the message, is then encrypted with the receiver's public key and sent along with the ciphertext. Only the receiver can recover the session key, using her private key, and then decrypt the message. PGP also uses a digital signature, with either the RSA or the DSA algorithm, to provide message authentication. PGP also supports integrity checking to ensure that the message was not altered in transit: a modified message fails signature verification (or the modification detection check inside the encrypted data), so the receiver is warned rather than silently handed altered text.
its use: PGP is of particular interest to investigators because it is widely used for secure email communication between Dark Web marketplace vendors and their customers. These vendors have made their PGP public keys available on Dark Web marketplaces, such as Hansa, Honest Cocaine, and AlphaBay. A public key block carries its User ID packet in the clear, that is, the name and email address entered when the key was generated, so any OpenPGP tool that imports the key, such as Kleopatra (the certificate manager bundled with Gpg4win, the GnuPG distribution for Windows), displays the email address associated with the vendor's key, and the key's fingerprint can be used to link the same vendor across markets. PGP is used by these vendors to prevent eavesdropping by law enforcement.
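What Kleopatra is doing when it shows the address behind a vendor's key, as an added example in standard-library Python (not code from the notes, Kleopatra or GnuPG): dearmour the public key block and verify its CRC-24, walk the OpenPGP packets, collect the User ID strings and compute the v4 fingerprint and key ID. The key block is constructed with a 16-bit toy modulus and cannot encrypt anything; the name and address in it are placeholders.

```python
"""Read an ASCII-armoured OpenPGP public key block (RFC 4880) with the
standard library: check the armour's CRC-24, walk the packet sequence, pull
every User ID (the "Name <email>" string the key was generated with) and
compute the v4 fingerprint and key ID, which is what an examiner uses to tie
a market listing to a key seen elsewhere. The sample key is built here with
a 16-bit toy modulus and is not usable; Kleopatra would show the same User
ID for a real key."""
import base64
import hashlib
import re
import struct

PUBLIC_KEY, USER_ID = 6, 13                     # RFC 4880 packet tags


def crc24(data: bytes) -> int:
    """CRC-24 from RFC 4880 section 6.1 (init 0xB704CE, poly 0x1864CFB)."""
    crc = 0xB704CE
    for b in data:
        crc ^= b << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def dearmor(text: str) -> bytes:
    """Strip the armour, decode the base64 body and verify the CRC-24 line."""
    lines = text.strip().splitlines()
    if not (lines[0].startswith("-----BEGIN PGP") and lines[-1].startswith("-----END PGP")):
        raise ValueError("not an armoured OpenPGP block")
    try:
        blank = lines.index("")                 # separates armour headers from body
    except ValueError:
        raise ValueError("missing blank line after armour headers")
    body = lines[blank + 1:-1]
    crc_line = body.pop() if body and body[-1].startswith("=") else None
    data = base64.b64decode("".join(body), validate=True)
    if crc_line is not None:
        expected = int.from_bytes(base64.b64decode(crc_line[1:]), "big")
        if crc24(data) != expected:
            raise ValueError("armour CRC-24 mismatch: block altered or truncated")
    return data


def packets(data: bytes):
    """Yield (tag, body) for old- and new-format packet headers (no partial
    body lengths, which occur in large data packets but not in key blocks)."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        pos += 1
        if not ctb & 0x80:
            raise ValueError(f"bad packet tag byte 0x{ctb:02x} at offset {pos - 1}")
        if ctb & 0x40:                          # new format
            tag, first = ctb & 0x3F, data[pos]
            pos += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[pos] + 192
                pos += 1
            elif first == 255:
                length = int.from_bytes(data[pos:pos + 4], "big")
                pos += 4
            else:
                raise ValueError("partial body lengths not supported")
        else:                                   # old format
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate packet length not supported")
            length = int.from_bytes(data[pos:pos + (1 << ltype)], "big")
            pos += 1 << ltype
        yield tag, data[pos:pos + length]
        pos += length


def inspect_public_key(armored: str) -> dict:
    info = {"fingerprint": None, "key_id": None, "user_ids": [], "emails": []}
    for tag, body in packets(dearmor(armored)):
        if tag == PUBLIC_KEY and body[0] == 4:
            # v4 fingerprint: SHA-1 over 0x99, two-octet length, packet body
            fp = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()
            info["fingerprint"], info["key_id"] = fp, fp[-16:]
        elif tag == USER_ID:
            uid = body.decode("utf-8", "replace")
            info["user_ids"].append(uid)
            m = re.search(r"<([^<>]+)>", uid)
            if m:
                info["emails"].append(m.group(1))
    return info


def build_sample_key() -> str:
    """Constructed key block: one v4 RSA public-key packet with a toy modulus
    and one User ID packet, wrapped in standard armour."""
    n, e = 0xC0DE, 65537
    body = bytes([4]) + struct.pack(">I", 1633252462) + bytes([1])      # v4, time, RSA
    body += struct.pack(">H", n.bit_length()) + n.to_bytes(2, "big")    # MPI n
    body += struct.pack(">H", e.bit_length()) + e.to_bytes(3, "big")    # MPI e
    uid = b"Market Vendor <vendor@example.com>"
    data = (bytes([0x80 | (PUBLIC_KEY << 2)]) + bytes([len(body)]) + body
            + bytes([0x80 | (USER_ID << 2)]) + bytes([len(uid)]) + uid)
    b64 = base64.b64encode(data).decode()
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n"
            f"{b64}\n={crc}\n-----END PGP PUBLIC KEY BLOCK-----\n")


if __name__ == "__main__":
    print(inspect_public_key(build_sample_key()))
```

Two caveats for the report: the User ID is whatever the key's owner typed, so the address proves nothing by itself, and the fingerprint is what actually identifies the key, so it is the value to record and compare across listings.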
RIM OS
RIM OS (BlackBerry OS) is the operating system developed by Research in Motion (RIM), later renamed BlackBerry Limited, for BlackBerry smartphones. Although limited, BlackBerry APIs were available for third-party development. BlackBerry OS was proprietary throughout its life and was never open-sourced; the legacy BlackBerry OS and BlackBerry 10 services were shut down in January 2022. Because many organizations issued their employees BlackBerry devices, these smartphones can provide a wealth of evidence. The BlackBerry was developed with corporate productivity in mind, so the device can reach the Internet through a carrier's data plan but can also use Wi-Fi hotspots. In fact, with BlackBerry 7.1 OS, the device can connect to a hotspot and then itself become a mobile hotspot for up to five devices. BlackBerry Tablet OS is the QNX-based operating system developed for the BlackBerry PlayBook tablet. Unlike Google's Android OS, which runs on handsets from a wide variety of manufacturers, RIM OS runs only on BlackBerry devices.
macOS features and associated files.
Safari is the browser bundled with the Mac operating system. If a user has activated private browsing, there will be a limited amount of browser history available. From a forensics perspective, the most valuable files are found in the user directory here: ~/Library/Safari/ Recent versions of Safari come with a sidebar that contains Shared Links posted by people the user follows on LinkedIn and Twitter; this sidebar may help the investigator to build up a picture of the user's network of friends and interests. In older versions of Safari (before Safari 8), browser history is stored in History.plist in the user's Safari directory; every URL is recorded along with the date and time of the last visit and the number of times the website was visited, which can be extremely helpful for an investigator. The date and time values are floating point numbers of seconds since January 1, 2001 00:00:00 UTC (Core Foundation absolute time). DCode is a tool that can convert this value to a readable date and time. Safari 8 and later keep history in History.db, a SQLite database in the same directory, using the same 2001-based timestamps. Safari creates a thumbnail of each site visited. The JPEG and PNG files for these thumbnails can be retrieved at: ~/Library/Caches/com.apple.Safari/Webpage Previews Downloads from the Internet are recorded in the plist file Downloads.plist. The Safari cache can be retrieved from the SQLite database Cache.db, which contains a history of websites visited, cached images, dates, and access times; it is located at: ~/Library/Caches/com.apple.Safari Cookies are another source of information about websites visited; older versions kept Cookies.plist and newer versions keep Cookies.binarycookies (a binary format that needs its own parser) under ~/Library/Cookies/ The websites most frequently visited by a user are stored in TopSites.plist. A user may "pin" a website to this list or manually remove a website from it. There was a version of Safari for Windows, discontinued in 2012; on a Windows 7 or Windows 10 PC its browser history is generally found here: \AppData\Roaming\Apple Computer\Safari\
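Reading these plist artefacts without a dedicated viewer, as an added example serving both the property list notes above and this Safari section (not code from the notes or from Apple): the standard library's plistlib parses either on-disk encoding, and the walk below flattens a History.plist-style structure and converts its 2001-based dates. The layout is modelled on the pre-Safari 8 History.plist (a WebHistoryDates array whose entries keep the URL under the empty-string key and lastVisitedDate as a string of seconds); the URLs and counts are constructed.

```python
"""Read a property list in either on-disk encoding (binary "bplist00" or
XML) with the standard library, then walk a Safari History.plist-style
structure and convert its Core Foundation dates. The layout modelled here
is the pre-Safari 8 History.plist (a WebHistoryDates array whose entries
keep the URL under the empty-string key and lastVisitedDate as a string of
seconds since 2001-01-01); current Safari stores history in History.db, a
SQLite database, instead. Added example with constructed data, not the
page's own code; the sample URLs are placeholders."""
import plistlib
from datetime import datetime, timedelta, timezone

COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def cocoa_seconds_to_utc(value) -> datetime:
    """Core Foundation absolute time (float seconds since 2001) to UTC."""
    return COCOA_EPOCH + timedelta(seconds=float(value))


def load_plist(blob: bytes) -> tuple:
    """Return (encoding, parsed object). plistlib autodetects, but naming the
    encoding matters for the report and for spotting a file that is neither
    (legacy OpenStep-style ASCII plists are not parsed by plistlib)."""
    if blob.startswith(b"bplist00"):
        encoding = "binary"
    elif blob.lstrip().startswith((b"<?xml", b"<plist")):
        encoding = "xml"
    else:
        raise ValueError("not an XML or binary property list")
    return encoding, plistlib.loads(blob)


def safari_history(plist_obj: dict) -> list:
    """Flatten WebHistoryDates entries, most recent visit first."""
    rows = []
    for entry in plist_obj.get("WebHistoryDates", []):
        rows.append({"url": entry.get(""),
                     "title": entry.get("title", ""),
                     "visits": int(entry.get("visitCount", 0)),
                     "last_visit": cocoa_seconds_to_utc(entry["lastVisitedDate"])})
    rows.sort(key=lambda r: r["last_visit"], reverse=True)
    return rows


# Constructed history, as the in-memory object Safari would have serialised.
SAMPLE_HISTORY = {
    "WebHistoryFileVersion": 1,
    "WebHistoryDates": [
        {"": "https://wigle.net/", "title": "WiGLE",
         "lastVisitedDate": "654900000", "visitCount": 1},
        {"": "https://example.com/", "title": "Example Domain",
         "lastVisitedDate": "654945262.5", "visitCount": 3},
    ],
}


def demo() -> dict:
    """Serialise the sample both ways, parse each back, and return the rows
    keyed by the encoding that was detected."""
    results = {}
    for fmt in (plistlib.FMT_BINARY, plistlib.FMT_XML):
        encoding, parsed = load_plist(plistlib.dumps(SAMPLE_HISTORY, fmt=fmt))
        results[encoding] = safari_history(parsed)
    return results


if __name__ == "__main__":
    for encoding, rows in demo().items():
        print(encoding)
        for r in rows:
            print(f"  {r['last_visit'].isoformat()}  {r['visits']:>3}  {r['url']}")
```

On the Mac itself, plutil -convert xml1 on a copy of the file gives the same readable form; the point of parsing in code is that the dates come out converted and the rows can be joined against cache, cookie and Spotlight artefacts.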
Forensics examinations on a Mac machine.
Some important points to keep in mind: Using a Macintosh to examine a Macintosh is critical at some point in an investigation, given that HFS+ and APFS volumes may be case-sensitive. File metadata on HFS+, and especially APFS, is very different from FAT and NTFS metadata, and therefore using a Mac for a Mac investigation is vital. Many extended attributes could be lost when using a PC to examine a Mac computer; one example is the origin of a file (how it arrived on the Mac), e.g., via AirDrop, which is kept in an extended attribute. Quick Look is a feature of macOS that lets the user preview the contents of a file without opening it in its associated application. Spotlight is a feature of macOS that quickly finds files, folders, and applications as soon as the user starts typing a name in the Spotlight search field. Spotlight can also be used by an investigator to search through an indexed .DMG image. A DMG is an Apple disk image, a file holding an exact copy of a file, a collection of files or a whole volume, and has been the default format for distributing macOS applications. Indexing is the process of searching through an image and creating references to words in file names and within files. An investigator may choose to index an image so that keyword searches can be performed later, or skip indexing since it is a long process. Spotlight's own index is a treasure trove of evidence for the investigator and includes file and app metadata; for example, an investigator can determine where an application came from and how many times it has been used (kMDItemUseCount holds the number of times an application was launched). Many third-party applications, such as Firefox.app, appear in Spotlight.
This metadata can be found here: /Users/.../Library/Metadata/CoreSpotlight/index.spotlightV3/.store.db What is particularly interesting about Spotlight is that you can find a specific website that a user visited, searches performed in Safari, how many times the website was visited, the search results displayed to the user, and so on. This information is filed under: com.apple.safari.history Spotlight also stores cached data at /.Spotlight-V100/Store-V2/... where an investigator will find metadata on when a file was placed in a folder, how many times it was accessed, and so on. Importantly, you may also find text here from files that were previously deleted by the user. In the Spotlight search history you can find the text the user typed when performing a search and view the search results originally displayed. Initialization is the term used for formatting a drive in macOS. Initializing a drive is performed with the Disk Utility tool (Applications / Utilities); for Mac OS Extended volumes there are six options:
- macOS Extended (Journaled)
- macOS Extended (Journaled, Encrypted)
- macOS Extended (Case-sensitive, Journaled)
- macOS Extended (Case-sensitive, Journaled, Encrypted)
- ExFAT
- MS-DOS (FAT)
On macOS 10.13 and later the same dialog also offers the APFS variants (APFS, APFS (Encrypted), APFS (Case-sensitive), APFS (Case-sensitive, Encrypted)). IOReg Info is a tool that provides an investigator with information about devices connected to a Mac, such as SATA drives, FireWire devices and USB devices. PMAP Info displays a map of a device's partitions; the partition map could be of the Mac's hard drive or of an attached USB device. Both tools were published by BlackBag Technologies (www.blackbagtech.com), which is now part of Cellebrite.
Facts about various Apple devices.
The Apple I was introduced in 1976, but it wasn't until 1984 that the first Macintosh computer was introduced. Apple released its PowerBook laptop in 1991. Between 1999 and 2006, Apple sold a range of laptops known as the iBook. The MacBook was then introduced in 2006. In 1998, the iMac was introduced in a variety of cool-looking colors, which was a major departure from the choice of white or black desktop computers. In 2005, the Mac mini, which is a smaller desktop version of the Macintosh computer, was released. A server version of the Mac mini was then released in 2009. The iPod was first released in October 2001, and it was available in either a 5 GB or 10 GB model. The first-generation iPod was only compatible with Macintosh computers. The second generation of the iPod Classic, released in July 2002, was compatible with Windows 2000. In 2004 the iPod Mini was released in a 4 GB model, and the Nano made its first appearance the following year. In 2005 the iPod Shuffle was released. The iPod Touch was released in September 2007; it was basically an iPod with Wi-Fi capability that enabled users to surf the Internet with Safari, watch videos on YouTube or download content from iTunes. The only iPod device being sold today is the iPod Touch, which now has a storage capacity of up to 256 GB. The first iPhone was released in 2007. This first-generation iPhone ran on iOS 1.0 and was available in a 4 GB model for $499 and an 8 GB model for $599. The first-generation iPhone casing was made of plastic and aluminum. The iPhone 3G and 3GS had an all-plastic backing to improve the cellular signal. The iPhone has changed dramatically since those early days. In September 2021, Apple announced its new iPhone 13, iPhone 13 Pro and iPhone 13 Pro Max. What is notable for investigators is how the storage capacity for iPhones has increased, up to 1 TB. Apple also announced iOS 14.8.1, the latest version, in October 2021.
Recently, consumers have been provided more choices with Apple's iOS devices, from higher-end to lower-end. The iPad Air was released in November 2013; it features an A7 chip, up to 128 GB of onboard memory and of course uses the Lightning connector. The first-generation iPad was released in 2010 and, like the iPhone and iPod, it ran on iOS. A year later, the iPad 2 was released, and consumers had a choice of a traditional iPad with Wi-Fi or a data plan operating on either CDMA or GSM. Today, there are basically four different iPad models available: iPad, iPad Pro, iPad Air, and iPad Mini. The first iPad Pro was released in November 2015; it was 12.9 inches and featured LPDDR4 RAM. The third generation of iPad Pro, which was announced in October 2018, integrated Apple's Face ID technology and could be used while holding the tablet in either a portrait or a landscape position. This third iteration also saw the home button removed. In terms of memory, this version included storage options that reach 1 TB. As with other iPad models, there are Wi-Fi or Wi-Fi and cellular versions of the tablet. Apple Watch was first introduced in 2015. Subsequent versions have been introduced: Series 1 and Series 2 in 2016, Series 3 in 2017, Series 4 in 2018, and Series 5 in 2019. Apple Watch is a smart watch that syncs with several apps from the user's iPhone, in addition to other Apple devices. Most importantly, the watch pairs with Apple's Health app, which tracks user activity, including calories burned, number of steps, and walking or running distance (kilometers or miles). The watch also monitors the user's vitals, such as heart rate. The Apple Watch can also be used to answer incoming calls and reply to text messages (SMS). The device can also pair with a Mac computer to unlock the Mac when it is in sleep mode. The Series 4 featured a larger display and contained a much faster 64-bit dual-core processor.
The device also contained an electrical heart sensor, and its ECG (electrocardiogram) feature was approved by the U.S. Food and Drug Administration and supported by the American Heart Association (AHA). The device automatically calls emergency services if it detects a fall. The Series 4 Watch contains a GPS module, and there is an LTE chip on the cellular models. The cellular version contains an eSIM, which means that the user can make and receive calls without having their iPhone in close proximity. This version supports Apple Pay. The Series 5 Watch introduced a new "Always-On Retina display", which means that the watch face is now displayed continually. The watch can also monitor the user's heart rhythm, which is an important development for investigators, who may use Apple Watch data as corroborating evidence to show that a suspect or a victim was sleeping or running, for example. There is also a built-in alert system to warn the user about noise levels that may negatively impact hearing. A new Cycle Tracking app can be used to track the menstrual cycle, which could perhaps be relevant to an investigation. The Series 5 also supports cellular service with the use of an eSIM and Apple Pay. Contactless payments can be made with the Watch, which links to the Wallet app, at point of service (payment) terminals at retail stores. Transit cards can also be added to the Wallet app. The Apple Health app stores health-related data derived from the sensors of Apple Watch and iPhone. Apple Health app data is often backed up to the user's iCloud account, which is certainly of interest to investigators. Tools such as ElcomSoft's Phone Breaker (elcomsoft.com) and Belkasoft Acquisition (belkasoft.com) can pull this data from a user's iCloud account.
The Health app data can include the following data points:
▪Heart rate
▪Sleeping habits
▪Location points
▪Workouts
▪Steps
▪Walking routines
Apple has a number of wireless devices that enable consumers to create an integrated wireless "Apple Environment", meaning that a user's Apple devices are connected and allow media and communications to be shared. For example, a website open in Safari on an iPhone can be opened on a synced MacBook. Another example is that an Apple consumer can answer a phone call on her iPhone, her iPad, her Apple Watch or her MacBook. Understanding this Apple Environment is important because it means that evidence can be retrieved from multiple devices in the home or office. Apple TV was introduced in 2007 as a device for streaming Internet content to a television. The first generation had a 40 GB hard drive, which later increased to 160 GB. The second-generation device was announced in September 2010, and this version allowed the user to download content from iTunes, through AirPlay, via a computer or an iOS device. AirPlay is a proprietary protocol, developed by Apple, to wirelessly stream content from the Internet and between compatible devices. In March 2012, a third-generation Apple TV was released, and this device provided the user with 1080p high-definition video. From an investigator's perspective, only the second-generation Apple TV was of little forensic value, because it had much smaller flash memory, which was inaccessible. Released in September 2017, Apple TV 4K allows users to experience movies in 4K HDR (High Dynamic Range). This version of Apple TV comes in either a 32 GB or 64 GB version and contains an A10X Fusion chip with a 64-bit processor. The operating system for the device is tvOS, which is based on iOS. The model number for Apple TV 4K is A1842. The good news for an investigator is that files stored on Apple TV can now be accessed using an exploit called checkm8.
In September 2019, the company announced its new streaming service called Apple TV+, which would compete with other streaming services, like Netflix, Hulu, and Disney's new service (Disney+). AirPort Express is a Wi-Fi base station that allows a user to connect other Apple devices and wirelessly stream content on a simultaneous dual-band 802.11n Wi-Fi protocol. AirPort Express can also function as a wireless access point and connect up to 50 users. AirPort Express can also extend the range of a Wi-Fi connection. AirPort Extreme is a Wi-Fi base station similar to AirPort Express but is designed for a larger home, small business, or a classroom. This device uses the 802.11ac Wi-Fi protocol. AirPort Extreme can facilitate sharing an external hard drive. AirPort Time Capsule is an automatic wireless backup drive for Mac users. AirPort Time Capsule has many of the same features as the AirPort Extreme Wi-Fi base station but includes a 2 TB or 3 TB hard drive. It also operates on the 802.11ac Wi-Fi standard. AirPort Time Capsule has tremendous potential for evidence in an investigation. These three devices have been discontinued by Apple,
DNS servers
The Domain Name System (DNS) is a naming system for computers and other devices connected to the Internet. The main function of DNS is to convert domain names to IP addresses. For example, the IP address for the domain name www.pace.edu is actually 198.105.44.27 (IPv4), but we use letter names because it is easier to remember. DNS servers are also referred to as nameservers. A DNS server will point a client to either the company that a domain was registered to or to the company that hosts their Website. Zone files contain the domain's DNS settings. DNS is sometimes referred to as a query-response protocol. Generally, a client sends a request with a single UDP packet, and then the server responds with a single UDP packet. With larger systems, the server may respond via TCP.
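The query-response exchange described above, shown in wire format as an added example (this is not part of the course notes): a Python script that builds the single UDP query for www.pace.edu, parses a constructed response carrying the 198.105.44.27 answer, and shows what a client has to do when the server sets the truncation (TC) flag and the exchange must move to TCP. The transaction id 0x1234, the TTL of 300 and all response bytes are constructed for the example; the message layout is the RFC 1035 one.

```python
"""Build a DNS query and parse a DNS response (RFC 1035 wire format).

Added example; the response bytes below are constructed by hand to look like an
answer for www.pace.edu. They were not captured from a real server.
"""
import struct

A_RECORD, CLASS_IN = 1, 1
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0200, 0x0100, 0x0080


def encode_name(name: str) -> bytes:
    """Each label is length-prefixed; the name ends with a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, txid: int = 0x1234, qtype: int = A_RECORD) -> bytes:
    """One UDP datagram: 12-byte header (RD set, one question) + question section."""
    header = struct.pack(">HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", qtype, CLASS_IN)


def tcp_frame(message: bytes) -> bytes:
    """Over TCP the same message is prefixed with a 2-byte big-endian length."""
    return struct.pack(">H", len(message)) + message


def read_name(msg: bytes, off: int):
    """Decode a (possibly compressed) name; returns (name, offset after it)."""
    labels = []
    while True:
        length = msg[off]
        if length == 0:
            return ".".join(labels), off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, jumps elsewhere
            ptr = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = read_name(msg, ptr)
            labels.append(tail)
            return ".".join(labels), off + 2
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length


def parse_response(msg: bytes, expected_id: int) -> dict:
    txid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if txid != expected_id:
        raise ValueError("transaction id mismatch: reply does not belong to our query")
    if not flags & FLAG_QR:
        raise ValueError("not a response")
    off = 12
    for _ in range(qdcount):  # skip the echoed question(s)
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(ancount):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == A_RECORD and rclass == CLASS_IN and rdlen == 4:
            answers.append((name, ".".join(map(str, rdata)), ttl))
    return {"id": txid, "rcode": flags & 0x000F,
            "truncated": bool(flags & FLAG_TC), "answers": answers}


# Constructed sample response: same id as the query, QR|RD|RA, one A answer.
SAMPLE_RESPONSE = (
    struct.pack(">HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA, 1, 1, 0, 0)
    + encode_name("www.pace.edu") + struct.pack(">HH", A_RECORD, CLASS_IN)
    + b"\xc0\x0c"  # pointer to the question name at offset 12
    + struct.pack(">HHIH", A_RECORD, CLASS_IN, 300, 4)
    + bytes([198, 105, 44, 27])
)

# Constructed truncated response (TC set, no answers): the client must retry over TCP.
TRUNCATED_RESPONSE = (
    struct.pack(">HHHHHH", 0x1234, FLAG_QR | FLAG_TC | FLAG_RD | FLAG_RA, 1, 0, 0, 0)
    + encode_name("www.pace.edu") + struct.pack(">HH", A_RECORD, CLASS_IN)
)


def resolve_from_bytes(query: bytes, response: bytes) -> dict:
    """Client-side handling: accept the UDP reply, or prepare the TCP retry when TC is set."""
    txid = struct.unpack(">H", query[:2])[0]
    result = parse_response(response, txid)
    if result["truncated"]:
        result["retry_over_tcp"] = tcp_frame(query)
    return result


if __name__ == "__main__":
    q = build_query("www.pace.edu")
    print(resolve_from_bytes(q, SAMPLE_RESPONSE)["answers"])
    print(resolve_from_bytes(q, TRUNCATED_RESPONSE)["retry_over_tcp"][:2])
```

The transaction id check in parse_response is the minimal defence a resolver has against a reply that does not belong to its own query; a real resolver also randomizes the id and the source port for the same reason.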
SIM card and related terminology
The SIM card identifies a user on a cellular network and contains an IMSI. SIM cards are found in cell phones that operate on GSM cellular networks and usually in iDEN network cell phones. A user can simply add a SIM card to an unlocked cell phone. Not all U.S. cell phone carriers allow a user to purchase a SIM card and use the handset on another network. In the European Union (E.U.), generally all GSM-compatible cell phones can be unlocked. The International Mobile Subscriber Identity (IMSI) is an internationally unique number that identifies a user on a network. The mobile country code (MCC) is the first three digits of the IMSI. The following two to three digits are the mobile network code (MNC). For example, MNC 260 for MCC 310 represents the carrier T-Mobile USA. The final part of the IMSI is the mobile subscriber identity number (MSIN), which is created by a cellular telephone carrier to identify the subscriber and comprises up to 10 digits. The mobile subscriber ISDN (MSISDN) is essentially the phone number for the subscriber. The MSISDN is a maximum of 15 digits and is made up of the country code (CC), the numbering plan area (NPA) and the subscriber number (SN). For example, in the Americas the CC is "1" because it is in Zone 1. For Trinidad and Tobago all telephone numbers begin with "1-868". European countries are in Zone 3 and Zone 4. Ireland, in Zone 3, is "353", while the United Kingdom, in Zone 4, is "44". The SIM card also includes an ICCID. The Integrated Circuit Card ID (ICCID) is a 19- to 20-digit serial number physically located on the SIM card. The first two digits of the ICCID are referred to as the major industry identifier (MII). The first digit indicates the industry: "8" indicates "Healthcare, telecommunications and other future industry assignments". The first two digits together, "89", indicate "Telecommunications administrations and private operating agencies", so the ICCID on a SIM card will begin with "89".
The next two digits indicate the country code (CC). The next two digits are the issuer identifier (II), which indicates the telecommunications company. Understanding the ICCID will help you to identify the origin of a SIM card. The ICCID can be read from the SIM card in the EF_ICCID file.
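An added example, not taken from the course notes: a small Python parser that splits an IMSI, an ICCID and an MSISDN into the fields described above, verifies the ICCID's trailing Luhn check digit, and resolves MCC 310 / MNC 260 to T-Mobile USA. The sample numbers are constructed; the only carrier and country codes in its lookup tables are the ones the notes mention, and the two-digit CC / two-digit II split of the ICCID follows the notes' description (real ICCID country codes are one to three digits, so treat that split as a simplification).

```python
"""Split IMSI, ICCID and MSISDN values into the fields described in the notes.

Added example; the sample numbers are constructed, not read from a real SIM.
"""

# Known (MCC, MNC) pairs. Only the pair given in the notes is listed; extend as needed.
KNOWN_PLMNS = {("310", "260"): "T-Mobile USA"}

# Country calling codes mentioned in the notes. Longest matching prefix wins.
COUNTRY_CODES = {"1": "Zone 1 (North American Numbering Plan)",
                 "353": "Ireland", "44": "United Kingdom"}


def parse_imsi(imsi: str) -> dict:
    """MCC is always 3 digits; MNC is 2 or 3. Try the known 3-digit pairs first and
    fall back to a 2-digit split (an assumption) when the MCC/MNC pair is unknown."""
    if not (imsi.isdigit() and 6 <= len(imsi) <= 15):
        raise ValueError("IMSI must be 6-15 digits")
    mcc = imsi[:3]
    for mnc_len in (3, 2):
        mnc = imsi[3:3 + mnc_len]
        if (mcc, mnc) in KNOWN_PLMNS:
            break
    else:
        mnc_len, mnc = 2, imsi[3:5]
    return {"mcc": mcc, "mnc": mnc, "msin": imsi[3 + mnc_len:],
            "carrier": KNOWN_PLMNS.get((mcc, mnc), "unknown")}


def luhn_valid(digits: str) -> bool:
    """Luhn check (ISO/IEC 7812) over the whole number, check digit included."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def parse_iccid(iccid: str) -> dict:
    """Layout as in the notes: MII "89", two-digit country code, two-digit issuer id,
    then the account identifier and a final Luhn check digit."""
    if not (iccid.isdigit() and len(iccid) in (19, 20)):
        raise ValueError("ICCID must be 19 or 20 digits")
    if not iccid.startswith("89"):
        raise ValueError("ICCID must start with MII 89 (telecommunications)")
    return {"mii": iccid[:2], "cc": iccid[2:4], "ii": iccid[4:6],
            "account": iccid[6:-1], "check_digit": iccid[-1],
            "luhn_ok": luhn_valid(iccid)}


def split_msisdn(msisdn: str) -> dict:
    """Peel the country code off an international-format MSISDN by longest prefix.
    Only the Zone 1 split (3-digit NPA + 7-digit SN) is applied; other plans vary."""
    if not (msisdn.isdigit() and len(msisdn) <= 15):
        raise ValueError("MSISDN must be at most 15 digits")
    cc = max((c for c in COUNTRY_CODES if msisdn.startswith(c)), key=len, default=None)
    if cc is None:
        return {"cc": None, "rest": msisdn, "region": "unknown"}
    rest = msisdn[len(cc):]
    out = {"cc": cc, "rest": rest, "region": COUNTRY_CODES[cc]}
    if cc == "1" and len(rest) == 10:
        out.update(npa=rest[:3], sn=rest[3:])
    return out


if __name__ == "__main__":
    # Constructed sample values (the MSISDN uses the 1-868 Trinidad and Tobago prefix).
    print(parse_imsi("310260123456789"))
    print(parse_iccid("8901260000123456788"))
    print(split_msisdn("18685551234"))
```

A failed Luhn check on an ICCID read from a SIM, or a transcribed one that does not begin with 89, is a quick way to spot a mistyped or tampered identifier before it goes into a warrant request.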
iPhone backup options and iCloud.
The investigator can access a wealth of iPhone evidence from a synced computer. Originally, Apple required all iOS devices to be synced to a Windows personal computer or to a Mac computer. Today a user may never sync their iPhone or iPod to a computer. The user has the option to back up files from their iPhone to either the computer or to iCloud. Encrypted backups are only permitted to the user's computer (if that option is enabled by the user), but not to iCloud. An iTunes backup may be password-protected. If the user has synced their iPhone to a MacBook, then the backup location may be as follows:
~/Library/Application Support/MobileSync/Backup/
When an iPhone has been synced to a Windows Vista machine, or a later version of Windows, then the backup folder may be located here:
\Users\<username>\AppData\Roaming\Apple Computer\MobileSync\Backup
iCloud is Apple's cloud service that is available to Apple device owners. To use the service with an iPhone, the user needs to have at least iOS 5. Consumers get 5 GB for free but must pay for any additional iCloud storage. All devices belonging to the user, including a MacBook, can be backed up to iCloud and are associated through the user's Apple ID. Up to 10 devices can be registered to one iCloud account. The benefit for the investigator is that Apple can be subpoenaed for iCloud evidence. User data from apps installed on the user's iOS devices is frequently backed up to iCloud. However, the investigator should understand that 5 GB of free iCloud space is not a lot. Thus, the iCloud backup, available through Apple, will be quite limited, unless the consumer has chosen to pay for additional space.
SIM file system
The two primary functions of a SIM card are to identify the subscriber to a cellular network and to store data. More important to the investigator is the SIM card's storage of important evidence. A SIM is essentially a smart card composed of a processor and memory. The Electrically Erasable Programmable Read-Only Memory (EEPROM) is where the hierarchical file system exists. The operating system, user authentication, and encryption algorithms are found in the SIM card's read-only memory (ROM). There are three primary components of the file system:
▪Master File (MF), which is the root of the file system
▪Dedicated Files (DFs), which are basically directories
▪Elementary Files (EFs), where the data is held
The Elementary Files (EFs) are where the subscriber information is stored. Abbreviated Dialing Numbers (ADN) contain the contact names and numbers entered by the subscriber, which are located in the file EF_ADN. Forbidden Public Land Mobile Network (FPLMN) refers to cellular networks that a subscriber attempted to connect to but was not authorized to connect; this data can be found in EF_FPLMN. This data can assist investigators who want to know where a suspect was located, even if the suspect was unsuccessful in connecting to a network. Last Numbers Dialed (LND) refers to a list of all outgoing calls made by the subscriber; the file EF_LND holds this information. EF_LOCI contains the Temporary Mobile Subscriber Identity (TMSI), which is assigned by the Visitor Location Register (VLR). The TMSI represents the location where the mobile equipment was last shut down. The TMSI is four octets long and will make no sense to the investigator on its own. However, the investigator could contact the carrier for assistance with determining the location represented by the TMSI.
iPhone modes of operation and unlocking SIM card.
There are several modes of operation an investigator should be aware of when examining an iPhone. The most important mode is DFU Mode, which is required when jailbreaking the device to get root access and obtain a full file system. Device Firmware Upgrade (DFU) Mode enables the user to select the firmware version that they wish to install on the device. Entering DFU Mode on an iPhone will vary depending on the model that you are investigating. On an iPhone X, for example, you would follow these instructions:
1. Ensure that iTunes is running on your Mac (or PC), and then connect your iPhone to your computer;
2. Press and release the volume up button;
3. Press and release the volume down button;
4. Press and hold the side button until a black screen appears;
5. Once the black screen appears, continue pressing the side button and then press and hold the volume down button for about five seconds.
Recovery Mode enables the user to restore iPhone settings to the original factory settings. When an iPhone is powered on, boot code is executed from the device's read-only memory (ROM). An Apple Root CA public key is located in this boot code to ensure that the Low-Level Bootloader (LLB) is signed by Apple, and then the bootloader runs. After the LLB finishes, iBoot, the second stage of the bootloader, verifies and mounts the iOS kernel. If an iOS device fails to load or verify during the boot process, then a message displays stating that the user must connect to iTunes; this signifies that the device is now in Recovery Mode. If the initial boot fails or the LLB is not loaded, then the device goes into DFU Mode and the user must connect the device to a computer via USB.
Unlock SIM: Some iPhones are sold with the SIM card locked, thereby limiting the user to one cellular telephone carrier. AT&T used to be the exclusive carrier for iPhones in the U.S., but other companies, like Verizon, became resellers. For AT&T and Sprint users, this device operates on the GSM network.
If the iPhone SIM is locked, then many companies will generally not divulge the code to unlock the device. Apple maintains information about this code when the iPhone is activated. There are, however, a number of hackers who have made tools available to unlock the iPhone and enable iPhone users to swap out the SIM card for another SIM card, thereby allowing users to avail themselves of lower calling rates when traveling internationally.
Two types of cellular service carriers.
There are two types of cellular service carriers. A mobile network operator (MNO) owns and operates a cellular network. The following companies are MNOs:
▪Verizon
▪T-Mobile/Sprint/Nextel
▪AT&T/Cingular
A mobile virtual network operator (MVNO) does not own its own cellular network but operates on the network of a mobile network operator. For example, Altice Mobile has its own cellular service but operates on the AT&T network. This means that two warrants may be needed for an investigation - one for AT&T (the MNO) and one for Altice Mobile (the MVNO) to obtain a suspect's records. The following companies are Mobile Virtual Network Operators:
▪Altice Mobile
▪Net10 Wireless
▪Consumer Cellular
▪H2O Wireless
Vehicle forensics; vehicle identification number (VIN) and its value for investigators.
Vehicle forensics has grown in importance because of advancements in vehicle technology, including applications like Apple CarPlay, which links and synchronizes with an Apple iPhone, vehicle-to-vehicle (V2V) communications, and vehicle-to-everything (V2X) communications. These connections, coupled with other telematics, can provide important digital evidence for an investigator. Berla is arguably the leading provider of vehicle forensics solutions with its iVe forensic tool. Online tools available to investigators searching for information on a vehicle, when in possession of a VIN:
▪National Insurance Crime Bureau: https://www.nicb.org/vincheck
▪Reverse Genie: http://www.reversegenie.com/plate.php
▪VINDECODERZ: https://www.vindecoderz.com/
A vehicle identification number (VIN) is a unique code, used by the automotive industry, to identify a specific vehicle and is defined by ISO 3779 and ISO 4030. A VIN includes a manufacturer identifier, a vehicle descriptor (vehicle attributes), and a vehicle identifier (model year, plant code, manufacturer number and sequential number). Consider an example VIN:
1GKKVRED3CJ315078
The first character shows the world manufacturer region, and "1" means that the vehicle was manufactured in the USA. The first three characters of the VIN are the world manufacturer identifier (WMI). In our example, "1G" is assigned to General Motors. The fourth to ninth characters of the VIN are the vehicle descriptor section (VDS), which often references the model type, body style or sometimes the engine type. The last five characters of a VIN in North America must be numeric. The 10th character of a VIN is always consistent and represents the year that the vehicle was produced. In our example VIN, the "C" shows that the vehicle is a 2012 vehicle; "D" is 2013, "E" is 2014, and so on. A search on VINDECODERZ (https://www.vindecoderz.com/) shows that the vehicle is a 2012 GMC Acadia SLT 1 (AWD).
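An added example, not from the course notes or from any of the tools listed above: a Python decoder for the example VIN 1GKKVRED3CJ315078 that splits the WMI, VDS and VIS, reads the model year from position 10, and verifies the North American check digit in position 9 (the weighted-sum-mod-11 scheme). The region and manufacturer lookups contain only the values the notes give; the position-7 rule used to pick the 30-year cycle (a letter in position 7 means 2010-2039, a digit means 1980-2009) is the North American convention and is an assumption for VINs from elsewhere.

```python
"""Decode the structural fields of a 17-character VIN (ISO 3779) and verify the
North American check digit. Added example; the only VIN used is the one from the notes."""

# Letters I, O and Q are never used in a VIN (they look like 1 and 0).
TRANSLITERATION = {c: v for c, v in zip("ABCDEFGH", range(1, 9))}
TRANSLITERATION.update({c: v for c, v in zip("JKLMN", range(1, 6))})
TRANSLITERATION.update({"P": 7, "R": 9})
TRANSLITERATION.update({c: v for c, v in zip("STUVWXYZ", range(2, 10))})
TRANSLITERATION.update({str(d): d for d in range(10)})

# Weight of each position for the check-digit sum; position 9 (the check digit) weighs 0.
CHECK_WEIGHTS = [8, 7, 6, 5, 4, 3, 2, 10, 0, 9, 8, 7, 6, 5, 4, 3, 2]

# Model-year codes for position 10; the sequence repeats every 30 years.
YEAR_CODES = "ABCDEFGHJKLMNPRSTVWXY123456789"

# Lookups limited to the values given in the notes.
REGION_BY_FIRST_CHAR = {"1": "USA"}
MANUFACTURER_BY_PREFIX = {"1G": "General Motors"}


def check_digit(vin: str) -> str:
    """Weighted sum of the transliterated characters, mod 11; remainder 10 is written X."""
    total = sum(TRANSLITERATION[ch] * w for ch, w in zip(vin, CHECK_WEIGHTS))
    remainder = total % 11
    return "X" if remainder == 10 else str(remainder)


def model_year(vin: str) -> int:
    """Position 10 gives the year within a 30-year cycle; position 7 selects the cycle
    (letter = 2010-2039, digit = 1980-2009), the North American convention assumed here."""
    idx = YEAR_CODES.index(vin[9])
    base = 2010 if vin[6].isalpha() else 1980
    return base + idx


def decode_vin(vin: str, north_american: bool = True) -> dict:
    vin = vin.strip().upper()
    if len(vin) != 17 or any(c not in TRANSLITERATION for c in vin):
        raise ValueError("VIN must be 17 characters and must not contain I, O or Q")
    if north_american and not vin[12:].isdigit():
        raise ValueError("last five characters must be numeric in North America")
    return {
        "wmi": vin[:3],
        "region": REGION_BY_FIRST_CHAR.get(vin[0], "unknown"),
        "manufacturer": MANUFACTURER_BY_PREFIX.get(vin[:2], "unknown"),
        "vds": vin[3:9],
        "vis": vin[9:],
        "model_year": model_year(vin),
        "plant_code": vin[10],
        "sequential_number": vin[11:],
        # Only North American VINs carry a check digit in position 9.
        "check_digit_ok": (not north_american) or check_digit(vin) == vin[8],
    }


if __name__ == "__main__":
    print(decode_vin("1GKKVRED3CJ315078"))
```

A VIN whose check digit does not verify is either mistranscribed (the usual case when it was read off a dash plate or a photo) or altered, so running this before querying the online services above saves a wasted lookup.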
Windows
Windows Phone is a Microsoft operating system that can be found on personal computers, mobile phones, and tablets. Examining Windows smartphones can be problematic and often requires JTAG to download data from the handset. The good news is that the files downloaded using JTAG are NTFS and do not need to be converted. Internet Explorer Mobile is the web browser, based on Internet Explorer 9, found on Windows Phone devices. People Hub is an address book tool found on Windows Phone devices that can synchronize contacts from social networking sites such as Facebook, Twitter, and LinkedIn. Windows Phone supports POP and IMAP email protocols, including Hotmail, Gmail, and Yahoo! Mail, and can sync contacts and calendars from these services.
Tools for packet sniffing and protocol analysis; features of Wireshark.
Packet sniffers have the capability of capturing the data packets on a wired or wireless network. Wireshark and tcpdump are good examples of packet sniffers. Protocol analyzers can analyze and interpret traffic over a network. Wireshark has a rich feature set which includes the following:
▪Deep inspection of hundreds of protocols, with more being added all the time
▪Live capture and offline analysis
▪Standard three-pane packet browser
▪Multi-platform: runs on Windows, Linux, OS X, FreeBSD, NetBSD, and many others
▪Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility
▪The most powerful display filters in the industry
▪Rich VoIP analysis
Hardware devices that contain valuable network logs
proxy servers, web servers, DHCP servers, SMTP servers, DNS servers, routers, switches, hubs, IDS, firewalls.
Importance of Thumbcache.
thumbcache.db is a database of thumbnails, associated with digital photographs, which are found on Windows 10 computers. Each time an image is saved to a folder, a thumbnail of that photo is added to thumbcache.db. What is important for investigators is the fact that when a digital photo is deleted, the thumbnail will still exist in thumbcache.db. Additionally, if the user has a PowerPoint file (.ppt or .pptx) or a video file (MPG or AVI), then a thumbnail from the first slide will also be saved in thumbcache.db. In earlier versions of Windows, an investigator used to analyze the thumbs.db file. thumbcache.db can be found in the following folder: C:\Users\<user>\AppData\Local\Microsoft\Windows\Explorer. Forensics tools, like AccessData's FTK, can sort and display the thumbnails from thumbcache.db. There is also a free tool, called Thumbcache Viewer, available from Sourceforge.
firewall
▪A firewall is a software or hardware mechanism used to inspect data packets on a network and determine, based on its set of rules, whether each packet should be allowed through.
▪The network administrator should add known malware sites to the firewall as blocked websites. These malware sites are published on websites, like www.malwaredomainlist.com, and are also available from federal law enforcement.
▪Some firewalls can perform detailed inspection at Layer 4 (TCP and ICMP), while other firewalls can inspect Layer 7 data, including FTP and DNS requests.
▪A hacker may try to change the firewall settings so that they can send and receive data without interruption. A network forensics examiner will check to see if the firewall rules have been changed.
▪Different types of firewalls:
  Proxy firewalls
  Stateful inspection firewalls
  Unified threat management (UTM)
  Next-generation firewalls (NGFW)
▪An investigator can retrieve the following evidence from a firewall:
  Access Control Lists: determine which traffic is allowed and which is blocked
  Packet logs, including the origin/destination address, timestamps, packet size, and protocols
  Data content, if it is a Layer 7 firewall
OSI model
▪The Open Systems Interconnection (OSI) standard is a model used to define how data is transmitted across the Internet. This standard was introduced in 1984 by the International Organization for Standardization (ISO).
▪The ISO introduced the notion that we communicate across the Internet using seven layers. (Other groups have a different model with fewer layers.)
▪It is important to understand the different layers of communication because a forensics examiner might need to explain to a jury how we can be sure that an email received by the victim did, in fact, come from the criminal suspect.
▪To do that, you would need to explain the header information in an email and tell how that message is routed through different hardware.
▪A helpful way to remember the layers is APSTNDP—All People Seem To Need Data Processing.