Chapter 13 - Mobile Forensics
What should the investigative report contain?
- Description of how the incident occurred - Technically sound and clear-to-understand content - Proper formatting page, and paragraph numbering for easy reference - Unambiguous conclusions, opinions and recommendations supported by figures and facts - Adherence to local laws and be admissible in courts.
What should one do before the investigation?
1. Build a Forensics Workstation 2. Build the Investigation Team 3. Review Policies and Laws 4. Notify Decision Makers and Acquire Authorization 5. Risk Assessment 6. Build a Mobile Forensics Toolkit
What are the steps in the Mobile Forensics Process? This is an important methodology.
1. Collect and Preserve the Evience 2. Document the Scene 3. Imaging and Profiling 4. Acquire and analyze information - use tools such as Forensic Explorer and Autopsy to examine the image. 5. Generate a report
What hardware should be in a mobile forensics toolkit?
Cellebrite UFED System Secure ViewKit for Forensics DS-Device Seizure & Toolbox USB reader for SIM cards iGo DC Lab Power Supply 0-15V/3A Digital Display with Backlight Paraben's Phone Recovery Stick p.1006
What are the architectural layers of a Mobile Device Environment?
Client Appication - any android app. Communication, GUI and Phone APIs. Middleware - simplifies the process of interacting with web services, email, text and internet. OS - schedules tasks, manages memory, allocates priority Hardware - keypad, RAM, flash, processors Radio, gateway and network interface Network - allows a device to communicate with the network p.994
What are the 4 abstraction layers in the design of iOS?
Core Operating systems layer - low-level features using "C"-based libSystem libraries. Core Services layer - manages basic services Media Services layer - audio and video Cocoa Touch layer - for application development The OS takes up 500mb and uses Objective C for coding.
What is the Dalvik Virtual Machine?
Dalvik Virtual Machine (DVM) is a type of the Java virtual machine responsible for power management and memory management. The Dalvik virtual machine runs only .dex files built from .class files during compilation to achieve better efficiency using few resources. It creates partitions in the virtual machine to provide security, isolation, memory management, and threading support simultaneously.
What is the biggest threat to mobile devices?
Data loss is the biggest threat to mobile devices.
What is the main objective of a cybercrime investigation?
Identify the evidence and facts.
What is the ICCID Number?
Integrated Circuit Card Identification. It's the identifier of the SIM card itself.
Where can evidence be found on any mobile phone?
Internal Phone Memory - RAM, ROM or flash. Investigators use AT commands to get memory and need either a USB cable, infared or Bluetooth. SIM Card Memory - has personal info External Memory (think SD card you can plug in on android) - has audio, video and images. p.1002
What is the IMEI Number?
International Mobile Equipment Identity. Its found in the battery compartment but can also be displayed on the phone. To get it, issue the code *#06#
What is the IMSI number?
International Mobile Subscriber Identity. It uniquely identifies every user of a cellular network. It's presented as a 15 digit number. The first 3 digits represent the country code, then the network code (2-3 digits) and the rest are the mobile subscription identification number.
What can the Oxygen Forensics Detective tool do on iPhones?
Investigators can extract data and complete an investigation process. Features include: SQLite viewer, Plist (property list xml files) viewer, device info, passwords, key evidence, backups import, data viewers, links and stats, global search, call data records (CDR) files
How can investigators image an iPhone?
Investigators can use SSH to create the disk image and transfer data over the iPhone. Their workstation needs to be running Linux. ssh -l <username> <your Linux box host address> dd if=/dev/disk0 | dd of=~/myiphoneback.img iPhone should be jailbroken SSH should be installed on both iPhone and workstation p.1014
What is physical acquisition?
It is extracting data from internal flash memories and it gets the raw data. Tools for this include: Via Extract XRY Physical UFED Physical Analyzer It is the preferred method to obtain data because investigators can obtain more info by this method than any other. For Oxygen Forensic Detective 1. Launch it 2. Connect the device through USB 3. Perform physical acquisition
What does the SIM filesystem look like?
It is hierarchical in nature, consisting of 3 parts: Master File (MF), Dedicated File (DF), and Elementary File (EF) The DF contain headers and point to the EFs. 4 types of EFs exist: Transparent, Linear-fixed, Linear-variable, and Cyclic. To access the SIM, a PIN code is required. If it fails 3 times then it locks and an 8 digit Personal Unlock Number (PUK) needs to be entered. The provider owns the SIM. Failure to get correct PUK in 10 attempts disables the SIM permanently.
What is the ESN?
It is the Electronic Serial Number. An ESN is a unique 32-bit identifier. Its like a MAC address, the first 6 digits are the manufacturer and the last are the id.
What is Zygote?
Its where Android shares code across the Dalvik VM, lowering memory and starting up faster. (this seems like a hypervisor to me) init initializes the Zygote which initializes the Dalvik VM
What tools are used for logical acquisition of data on the device?
MOBILedit - lets you browse the data Cellebrite UFED Logical Analyzer - has a built-in SIM reader XRY LOGICAL - Paraben Device Seizure - Oxygen Forensic Extractor - can use USB or bluetooth DataPilot - can break passcodes, has a GUI Mobile Phone Examiner Plus - has smart acquisition capabilities
What are some SIM data acquisition tools?
MOBILedit - thumb drive, software and blank SIMs. SIM Explorer - can scan for unknown files. Cellebrite UFED Logical Analyzer - supports cloning. AccessData Mobile Phone Examiner (MPE) Plus - gathers info off SIM MOBILedit! Forensic EnCase Forensic Paraben's SIM-Card Seizure - recover deleted texts Data Pilot Secure View Kit - recovers deleted data SIMiFOR - recovers deleted data USIM Detective - fast imaging SIM Explorer - helps mobile operators SIM Card Data Recovery - recovers lost texts and contacts p.1038
What are some of the Android Rooting Tools?
OneClickRoot - simple for beginners. Allows installing custom firmware. Kingo Android ROOT - for novice users Towelroot - it's a rooting apk RescuRoot - roots Samsung and others (hint: sounds like rescue rooter) (hint: these all have the word root in them)
What iOS jailbreaking tools exist?
PANGU JAIL BREAK - run the click-to-jailbreak app. Rebooting restores the device Redsn0w - created by the Dev-Team Sn0wbreeze - developed by iH8sn0w GeekSn0w - works with Windows OS (hint: think of breaking out of the Sn0w)
What file carving tools exist?
Phone Image Carver - analyzes sector-by-sector for select file types. Blade Professional v1 - retrieves MPEG-4 video files.
What are the 3 ways to begin extracting data from an iPhone?
Physical memory image - a bit stream or DMG image. Use Cellebrite, XRY, Lantern, Elcomsoft or MPE. File system dump Make a partial physical memory image of the iPhone. Use the following tools: celebrite, Blacklight, Oxygen or XRY iPhone backup Investigators can use the iPhone backup feature using iTunes or iCloud to perform a backup of the data stored on the phone. p.1052
What Software tools should be in a mobile forensics toolkit?
SEARCH Investigative Toolbar BitPim Oxygen Forensics Analyst Paraben's Sim Card Seizure MOBILedit! Forensic TULP2G iDEN Phonebook Manager SUMURI's PALADIN floAt's Mobile Agent XRY Logical & XRY Physical
What SIM Forensics analysis tools exist?
SIMIS 2.0 - creates an HTML report of the data for 2G devices. SIMIS 3G SIMulate - 2G or 3G SIMXtractor - analyzes data Last SIM Details - finds details of previously inserted SIM cards SIM Brush - open-source tool to recover text and call lists USIM Detective - view acquired info SIM Query - retrieves the ICCID and IMSI from a GSM SIM (hint: they all have the word SIM in their names) p.1039
What is the iOS Boot Process?
The BootRom is the first stage and it has the certificates that ensure the lower level boot loader and iBoot (stage-2 boot loader) are secure. iBoot also checks the kernel and device tree signatures. The kernel checks the signatures of all user applications.
After the boot ROM code loads the Boot Loader, what does the Boot Loader do?
The boot Loader sets up the network and memory required to start the kernel. It's located in <AndroidSource>\bootable\bootloader\legacy\usbloader The kernel launches the init process as the initial user space process. It's found under <AndroidSource>/system/core/init. It mounts /sys, /dev and /proc. It also runs init.rc p.997
What is DFU Mode Booting in iOS?
The iPhone operates in two modes, normal and DFU. DFU is Device Firmware Upgrade mode. All of the signature checks occur, but iBoot is not booted during the DFU mode boot sequence. Hackers found that the Boot ROM signature check and all subsequent checks can be bypassed. They also found that encryption keys can be found using some jailbreaking tools.
What is the first Java-based component to launch on Android devices?
The system server.
What tools help with the analysis of SQLite Databases?
These tools can extract data from non-rooted devices by using a set of decoders. Andriller - knows which dbs to go extract Oxygen Forensics SQLite Viewer - it allows investigators to access actual and deleted data from the databases created by the system and applications. (hint: like out of thin air) Built-in SQLite tools include: DB Browser for SQLite X-plore - gives a dual-pane tree view SQLitePlus Explorer - gives programatic access to SQLite databases SQLite Viewer
Where do phone API's such as the Communication API, GUI API and Phone API live?
They appear at the application level. (hint: A in API is for application)
What can investigators find with the Cellebrite UFED Touch Sample Mobile Forensics Report Snapshot?
This tool helps investigators with the physical, file system and logical extractions of data, passwords, etc from devices. It can get the IMEI Number ICCID Number IMSI number
What iPhone Data Acquisition tools exist?
UFED Touch2 - can do any of the extractions on data Mobilyze - provides immediate data to investigators SecureView - a forensic recovery tool NowSecure Forensics - extracts and analyzes data MOBILedit - can even get app data from Skype, Dropbox and Evernote. Lantern - can triage a Mac running OSX or an OSX image. Aceso - works with GPS, phones and SIM cards Athena - works with GPS, satellite handsets, phones, and other portable devices Elcomsoft iOS Forensic Toolkit - works on iPhone, iPad, iPod iXAM - text, photo, or map location
What does data acquisition and forensics analysis require on a mobile device?
Unlocking the device Rooting/Jailbreaking the device Enabling USB debugging on it
How can one bypass the iPhone Passcode lock?
Use a tool called IExplorer and navigate to /var/mobile/Library/Preferences and delete com.apple.springboard.plist Navigate to /var/Keychains and delete keychain-2.db reboot the iPhone Note: This technique works for jailbroken devices only.
How can one bypass the Android phone lock password?
Use a tool called ViaExtract and lauch an adb shell. Remove password.key from the android directory (/data/system)
What Android Forensics Analysis tools are there?
ViaExtract - works on many types of devices and can do logical and physical data extraction. p.1051
What sqlite command extracts the image data on a device?
sqlite> .output AddressBookImages.txtx sqlite> .dump ABFullSizeImage
What is the Android Runtime (ART)?
Android Runtime is an application runtime setting used by the Android OS that transforms machine bytecode into normal instructions. It is the successor of Dalvik. p.996
What mobile device imaging tools exist?
FTK Imager, EnCase, Smart p.1012
What signal containment supplies exist?
Faraday Bag - blocks signals Signal Disruption Bag / Wireless StrongHold Bag - prevents signals from getting to the device Arson Cans - protect device from email bombs Aluminum Foil - wrap in 3 layers to protect RF-shielded box - Protects the device from RF noise Cell Phone Signal Disruption Device - Passively blocks signals
