5/5/18
1
Digital forensics, Andrej Brodnik
Andrej Brodnik: Digital forensics
Cell (mobile) phones
Chapter 20
• various technologies of data transfer
• formerly mostly phones, today mostly computers
• rich source of personal data
• call history (incoming, outgoing and missed)
• SMS and MMS history (received and sent)
• history of location data
• images, journals, calendars, ...
• access to web networks
– in short, all the data that is also found on ordinary computers
Data on the cell phone
• Example (POCKET-DIAL M FOR MURDER): the perpetrator had a phone in his pocket during the crime, which pocket-dialed the cell phone of his wife, who was the victim of the crime. On the wife's phone the call went to voicemail and was recorded.
• Computational power of mobile devices is increasing because they contain many more I/O devices
• thermometers
• accelerometers
• credit card scanners
• ...
• use of these units went beyond the manufacturers' intentions; e.g. at a certain temperature some action is triggered
• phones became one type of embedded system
Mobile device forensics
• devices have more capable operating systems
• Android
• iPhone
• Blackberry
• Windows Mobile
• and older operating systems (Symbian, ...)
Mobile device forensics
• devices are by definition network devices
• GPRS, CDMA, UMTS, ...
• IEEE 802.11
• IEEE 802.15 (Bluetooth)
• infrared communication
• ...
• access to the device may destroy or modify the evidence material
Mobile device forensics
• data is usually saved in flash storage media
• it cannot be deleted (overwritten in place), but it can be copied
• due to the limited number of writes, the writing algorithms spread data across the storage media (wear leveling)
• that is why we can recover a lot of data that seems to be deleted
Mobile device forensics
• acquiring data from the device
• usually using a cable connected to the data port
• protocol knowledge is needed
• sometimes a direct capture from the storage media is required
• direct reading from the chip
Mobile device forensics
• devices are made of two parts
• the device itself
• SIM card
• the device has a unique identification number, the IMEI (International Mobile Equipment Identity)
Mobile device forensics
• SIM cards are computers
• CPU, ROM, RAM
• they contain the ICC-ID (Integrated Circuit Card Identifier):
• MCC (mobile country code),
• MNC (mobile network code),
• serial number of the card
SIM cards
• Challenge: Which other data does a SIM card contain?
• Challenge: What is LAI and what is IMSI?
• Challenge: What does your SIM card hold? What are the values of this data? What is the identification of your mobile device?
Data about and on the device
• on the device – depends on the type of the device:
• basic phone
• smartphone
• where the data is also stored:
• user's computer
• operator
• SIM card
• on the device at least the following are stored:
• addresses (contacts)
• incoming, outgoing and missed calls
• received and sent SMS
SMS as digital evidence
• full information: when sent/received, from whom, and content
• no record of when messages were first read
Example of data acquired using BitPim (http://www.bitpim.org/)
Image data
• smartphones have cameras
• image metadata is (usually) in the EXIF record
Example of data acquired from a Windows Mobile device using XRY (http://www.msab.com/)
Access to Internet services
• mobile devices enable access to the web
• often the user saves passwords there
• there is a history of entries
• logs of the last entries
• ...
• mobile devices enable e-mail reading
• passwords to access mailboxes
• last received/sent mails
• ...
• other applications and their data
Access to Internet services
• example of data on an iPhone

F:\tools>sqlite3.exe "iPhone2\Keychains\keychain-2.db"
SQLite version 3.6.16
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite> select labl,acct,svce from genp;
|[email protected]|Yahoo-token
|[email protected]|
|[email protected]|
|[email protected]|
|[email protected]|com.apple.itunesstored.keychain
erooster|MMODBracketsAccount|LumosityBrainTrainer
erooster|LumosityBrainTrainer
Location information
• the history of moving between cellular towers can be saved
• GPS devices can save exact coordinates
Location information
• images can save information such as when and where they were taken
• e.g. EXIF format
• Challenge: search for location information in your phone.
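The slides only name the EXIF format; the following is an added example (not code from the lecture or from any of the tools it lists) showing what an examiner actually has to parse to get the "when and where" out of a photo: a minimal reader for the APP1 "Exif" payload that walks the TIFF IFD structure, follows the Exif and GPS sub-IFD pointers, honours both byte orders ("II" little-endian and "MM" big-endian, as used by different processors), and converts the degrees/minutes/seconds rationals into signed decimal degrees. The tag numbers (0x8769, 0x8825, 0x9003, GPS tags 1 to 4) are the standard ones; the payload itself is constructed by `build_exif()` with made-up coordinates and timestamp, so the whole thing runs offline.

```python
# Added example, not part of the lecture slides: a minimal EXIF/TIFF reader that pulls
# DateTimeOriginal and the GPS position out of an APP1 "Exif" payload, handling both
# byte orders ("II" little-endian, "MM" big-endian). The sample payload is constructed
# here by build_exif(); tag numbers and the IFD layout follow the EXIF 2.x / TIFF 6.0 specs.
import struct

TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8}   # BYTE, ASCII, SHORT, LONG, RATIONAL
TAG_EXIF_IFD, TAG_GPS_IFD, TAG_DATETIME_ORIGINAL = 0x8769, 0x8825, 0x9003
TAG_GPS_LAT_REF, TAG_GPS_LAT, TAG_GPS_LON_REF, TAG_GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004


def write_ifd(e, entries, ifd_offset):
    """Serialise one IFD placed at ifd_offset. entries: (tag, type, count, payload bytes).
    Values of at most 4 bytes are stored inline; longer ones go right after the IFD."""
    data_start = ifd_offset + 2 + 12 * len(entries) + 4
    body, data = struct.pack(e + "H", len(entries)), b""
    for tag, typ, count, payload in entries:
        if len(payload) <= 4:
            field = payload.ljust(4, b"\0")
        else:
            field = struct.pack(e + "I", data_start + len(data))
            data += payload
        body += struct.pack(e + "HHI", tag, typ, count) + field
    return body + struct.pack(e + "I", 0) + data   # 0 = no next IFD


def rationals(e, triples):
    return b"".join(struct.pack(e + "II", n, d) for n, d in triples)


def build_exif(order, datetime_original, lat_dms, lat_ref, lon_dms, lon_ref):
    """Construct a test APP1 Exif payload with one Exif IFD and one GPS IFD."""
    e = "<" if order == "II" else ">"
    exif_off = 8 + 2 + 12 * 2 + 4                  # IFD0 holds exactly two pointer entries
    exif_ifd = write_ifd(e, [(TAG_DATETIME_ORIGINAL, 2, 20,
                              datetime_original.encode("ascii") + b"\0")], exif_off)
    gps_off = exif_off + len(exif_ifd)
    gps_ifd = write_ifd(e, [
        (TAG_GPS_LAT_REF, 2, 2, lat_ref.encode("ascii") + b"\0"),
        (TAG_GPS_LAT, 5, 3, rationals(e, lat_dms)),
        (TAG_GPS_LON_REF, 2, 2, lon_ref.encode("ascii") + b"\0"),
        (TAG_GPS_LON, 5, 3, rationals(e, lon_dms)),
    ], gps_off)
    ifd0 = write_ifd(e, [(TAG_EXIF_IFD, 4, 1, struct.pack(e + "I", exif_off)),
                         (TAG_GPS_IFD, 4, 1, struct.pack(e + "I", gps_off))], 8)
    header = order.encode("ascii") + struct.pack(e + "HI", 42, 8)
    return b"Exif\0\0" + header + ifd0 + exif_ifd + gps_ifd


def read_ifd(e, tiff, off):
    """Parse the IFD at off into {tag: value}; sub-IFD pointers come back as plain ints."""
    n, = struct.unpack_from(e + "H", tiff, off)
    out = {}
    for i in range(n):
        entry = off + 2 + 12 * i
        tag, typ, count = struct.unpack_from(e + "HHI", tiff, entry)
        size = TYPE_SIZES[typ] * count
        voff = entry + 8 if size <= 4 else struct.unpack_from(e + "I", tiff, entry + 8)[0]
        raw = tiff[voff:voff + size]
        if typ == 2:
            out[tag] = raw.rstrip(b"\0").decode("ascii")
        elif typ in (3, 4):
            vals = struct.unpack(e + ("H" if typ == 3 else "I") * count, raw)
            out[tag] = vals[0] if count == 1 else list(vals)
        elif typ == 5:
            nums = struct.unpack(e + "I" * (2 * count), raw)
            out[tag] = [nums[j] / nums[j + 1] for j in range(0, len(nums), 2)]
        else:
            out[tag] = raw
    return out


def to_decimal(dms, ref, negative_ref):
    """Degrees/minutes/seconds rationals -> signed decimal degrees (None if absent)."""
    if not dms:
        return None
    deg = dms[0] + dms[1] / 60 + dms[2] / 3600
    return -deg if ref == negative_ref else deg


def parse_exif(blob):
    """Return byte order, DateTimeOriginal and decimal GPS position of an Exif payload."""
    if blob[:6] != b"Exif\0\0":
        raise ValueError("not an Exif APP1 payload")
    tiff = blob[6:]
    e = {b"II": "<", b"MM": ">"}[tiff[:2]]       # byte-order mark decides endianness
    magic, ifd0_off = struct.unpack_from(e + "HI", tiff, 2)
    if magic != 42:
        raise ValueError("bad TIFF magic")
    ifd0 = read_ifd(e, tiff, ifd0_off)
    exif = read_ifd(e, tiff, ifd0[TAG_EXIF_IFD]) if TAG_EXIF_IFD in ifd0 else {}
    gps = read_ifd(e, tiff, ifd0[TAG_GPS_IFD]) if TAG_GPS_IFD in ifd0 else {}
    return {
        "byte_order": tiff[:2].decode("ascii"),
        "datetime_original": exif.get(TAG_DATETIME_ORIGINAL),
        "latitude": to_decimal(gps.get(TAG_GPS_LAT), gps.get(TAG_GPS_LAT_REF), "S"),
        "longitude": to_decimal(gps.get(TAG_GPS_LON), gps.get(TAG_GPS_LON_REF), "W"),
    }


# Constructed sample: a photo "taken" 2018-05-05 at 46°03'24.84"N 14°30'20.88"E,
# once in each byte order.
DMS_LAT, DMS_LON = [(46, 1), (3, 1), (2484, 100)], [(14, 1), (30, 1), (2088, 100)]
SAMPLE_LE = build_exif("II", "2018:05:05 10:30:00", DMS_LAT, "N", DMS_LON, "E")
SAMPLE_BE = build_exif("MM", "2018:05:05 10:30:00", DMS_LAT, "N", DMS_LON, "E")
```

Real camera files carry many more tags (the rationals are usually the only place the coordinates live, so a stripped GPS IFD means the position is simply absent, not zero), and `DateTimeOriginal` is local time with no zone unless `OffsetTimeOriginal` is present; both are worth checking before a timestamp goes into a report.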
Other data
• calendar, notes, ...
• Challenge: search for calendar data in your phone.
Attacks on mobile devices
• the attacker loads his code on the device
• through the network
• the user installs an application that seems useful and friendly (http://www.theregister.co.uk/2010/01/11/android_phishing_app/)
• the application reads passwords, ...
• allows the attacker to access bank accounts ...
• see MobileSpy (http://www.mobile-spy.com/)
Attacks on mobile devices
• Challenge: How does MobileSpy work?
• Challenge: Find software that can harm your Android system.
• Challenge: Make your own program that reads data on an Android (iPhone) system. Can this also be useful software?
Thinking outside of the device
• additional data:
• user's computer
• operator: call center and base stations
• devices the user knows something about (transitivity)
Handling mobile devices
• the device can connect wirelessly with the world
• disable
• remove power
• other ways
Handling mobile devices
• remove the storage module
• storage modules are always smaller
• usually FAT file system
• iPhone: APFS, Android: Linux design
• otherwise the usual procedures (signature, journals, ...)
Accessing the data
• different methods of access for different types
• not every device has a USB bus
• examples:
• via user interface
• via communication port
• proprietary interface (Nokia F-BUS, FlashBUS)
• via JTAG (Joint Test Action Group) interface
• via direct memory chip access
Accessing the data
• some devices provide agent access
• when the device is on, it runs the agent which takes over control of the device (iPhone)
• sometimes we can interrupt the software launch and load our own code instead
• manufacturers offer data archiving (backup) software which also provides access to deleted and other data
Examples...
• example of stored data with an archive using XACT (Motorola device)
Examples...
• a device which is partly broken may still work well enough
Mobile device forensics tools
• any tool needs access to the device memory (for example a disk)
• in the case of a disk, access is relatively safe because the disk cannot change its content by itself
• in the case of a mobile device that is not necessarily true
Mobile device forensics tools
XRY (http://www.msab.com/)
Cellebrite UFED (Universal Forensic Extraction Device) - http://www.cellebrite.com/
Mobile device forensics tools
Logicube CellDEK (http://www.logicube.com/)
• MOBILedit! Forensic (http://mobiledit.com/)
• programming equipment for analysis
Mobile device forensics tools
• iXAM (http://www.ixam-forensics.com/)
Mobile device forensics tools
Twister Flasher
File system examination
• depends on the device
• unique
• built-in systems, Qualcomm (BREW, Binary Runtime Environment for Wireless)
• FAT, ext2, ext3, HFSX, APFS, ...
• various tools are available:
Some basic tools...
BitPim (http://www.bitpim.org/) – Motorola CDMA
Some basic tools...
Forensic Toolkit, FTK (http://accessdata.com/products/computer-forensics/ftk) – iPhone
Data recovery
• even if we do not have all the data, we can recover partly deleted data from the logical data
Data recovery
• if it is a usual file system (FAT, ext2, ext3, APFS, ...), already known tools apply
• EnCase and deleted images
Data recovery
• in this example of composite files (MMS, docx, ...) we can find parts of the data
Data recovery
• example of data captured using DFF (Digital Forensic Framework, http://www.digital-forensic.org/)
• Challenge: study the environment and how it is distributed
Data format SMIL
• Synchronized Multimedia Integration Language
• part of the W3C standard - http://www.w3.org/AudioVideo/
• versions 1, 2 and 3 (http://www.w3.org/TR/SMIL3/)
• includes SVG items (Scalable Vector Graphics)
• allows:
• animation, integration of other images, modularization, ...
• Challenge: Find a SMIL file and study it.
• Challenge: Make your own SMIL file and send it to the forum.
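As an added illustration (constructed here, not a file from the lecture), this is the shape of the SMIL "presentation part" that an MMS carries: it references the other parts of the message (an image, a text file) by name and tells the receiving handset where and for how long to show them. When an MMS is carved from unstructured storage as a composite file, the SMIL part is the index of which attachments to look for; the file names `photo.jpg` and `caption.txt` are placeholders.

```xml
<!-- constructed example of an MMS presentation part (SMIL), not a recovered file -->
<smil>
  <head>
    <layout>
      <root-layout width="240" height="320"/>
      <region id="Image" top="0" left="0" width="240" height="240" fit="meet"/>
      <region id="Text" top="240" left="0" width="240" height="80" fit="scroll"/>
    </layout>
  </head>
  <body>
    <!-- one "slide": image and caption shown in parallel for 8 seconds -->
    <par dur="8000ms">
      <img src="photo.jpg" region="Image"/>
      <text src="caption.txt" region="Text"/>
    </par>
  </body>
</smil>
```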
Data recovery
• SSD is used as storage
• data which is in storage but not structured
• partly deleted data
• data in deleted blocks which are scattered across the unit
• Challenge: look up the forensic challenge and solution of DFRWS 2010 (Digital Forensic Research Conference) – http://www.dfrws.org/2010/challenge/
• example files from the unit are available
• Challenge: look up the forensic challenge and solution of DFRWS 2011 – http://www.dfrws.org/2011/challenge/
• Challenge: look up the forensic challenge of DFRWS 2012 – http://www.dfrws.org/2012/challenge/
Examination – other data
• a lot of smartphones save their data in a database
• SQLite – Android, iPhone, Palm, ...
• cemail.vol – Windows Mobile
Examination – data formats
• mostly standard formats:
• 7-bit standard; GSM 03.38: 160 characters
• 16-bit UCS-2 (Universal Character Set, UTF-16): 70 characters
Examination – data formats
• big and little endian – depending on the processor
• Motorola – big-endian format
• high and low half-byte (nibble)
• the number 12036452774 is saved as 2130462577F4 (F is a filler)
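The two "data formats" slides above (the 160/70-character limits of GSM 03.38 7-bit versus UCS-2, and the nibble-swapped storage of 12036452774 as 2130462577F4) are both pieces of the same thing an examiner meets when an SMS is pulled raw from a phone or SIM: the PDU. The following added example (not code from the lecture) decodes a constructed SMS-DELIVER PDU laid out as in 3GPP TS 23.040: the SMSC and sender numbers and the service-centre timestamp are nibble-swapped BCD with F filler, and the user data is either 7-bit packed (8 characters in 7 bytes, hence 160 in 140) or UCS-2 (70 in 140). The SMSC number, timestamp and message texts are made up; the sender number is the one from the slide.

```python
# Added example, not from the lecture slides: decoding a constructed SMS-DELIVER PDU
# (3GPP TS 23.040 layout). It exercises both encodings the slides mention: nibble-swapped
# BCD "semi-octets" for phone numbers and the service-centre timestamp, and the GSM 03.38
# 7-bit packing that fits 160 characters into 140 bytes (UCS-2 fits 70).

# GSM 03.38 default alphabet, index = 7-bit code (the escape/extension table is not handled)
GSM7_ALPHABET = (
    "@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ"
    " !\"#¤%&'()*+,-./0123456789:;<=>?"
    "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§"
    "¿abcdefghijklmnopqrstuvwxyzäöñüà"
)


def encode_semi_octets(digits):
    """'12036452774' -> '2130462577F4': digit pairs are swapped, odd length padded with F."""
    if len(digits) % 2:
        digits += "F"
    return "".join(digits[i + 1] + digits[i] for i in range(0, len(digits), 2))


def decode_semi_octets(raw):
    """Reverse of encode_semi_octets on raw bytes: low nibble is the first digit, F dropped."""
    return "".join("%X" % n for b in raw for n in (b & 0x0F, b >> 4) if n != 0x0F)


def gsm7_pack(text):
    """Pack 7-bit codes LSB-first into octets: 8 characters occupy 7 bytes."""
    acc, nbits, out = 0, 0, bytearray()
    for ch in text:
        acc |= GSM7_ALPHABET.index(ch) << nbits
        nbits += 7
        while nbits >= 8:
            out.append(acc & 0xFF)
            acc >>= 8
            nbits -= 8
    if nbits:
        out.append(acc & 0xFF)
    return bytes(out)


def gsm7_unpack(data, septets):
    """Unpack `septets` 7-bit codes from LSB-first packed octets."""
    bits = int.from_bytes(data, "little")
    return "".join(GSM7_ALPHABET[(bits >> (7 * i)) & 0x7F] for i in range(septets))


def decode_scts(raw):
    """7-byte timestamp YY MM DD hh mm ss tz, each byte nibble-swapped; tz in quarter hours."""
    swap = lambda b: (b & 0x0F) * 10 + (b >> 4)
    yy, mm, dd, hh, mi, ss = (swap(b) for b in raw[:6])
    tz = raw[6]
    sign = "-" if tz & 0x08 else "+"            # bit 3 of the first tz digit is the sign
    quarters = (tz & 0x07) * 10 + (tz >> 4)
    return "20%02d-%02d-%02d %02d:%02d:%02d UTC%s%02d:%02d" % (
        yy, mm, dd, hh, mi, ss, sign, quarters // 4, quarters % 4 * 15)


def single_sms_capacity(alphabet):
    """Characters in one 140-byte user-data field: 160 for 7-bit, 70 for UCS-2."""
    return {"gsm7": 140 * 8 // 7, "ucs2": 140 // 2}[alphabet]


def parse_sms_deliver(pdu_hex):
    """Split a received-message PDU (as dumped from a phone or SIM) into its fields."""
    data = bytes.fromhex(pdu_hex)
    smsc_len = data[0]                                     # bytes of SMSC info that follow
    smsc = decode_semi_octets(data[2:1 + smsc_len])        # data[1] is the type-of-address
    pos = 1 + smsc_len
    if data[pos] & 0x03 != 0x00:                           # TP-MTI 00 = SMS-DELIVER
        raise ValueError("not an SMS-DELIVER PDU")
    oa_digits = data[pos + 1]                              # sender length counts digits
    oa_len = (oa_digits + 1) // 2
    pos += 3                                               # first octet, length, type-of-address
    sender = decode_semi_octets(data[pos:pos + oa_len])
    pos += oa_len
    pid, dcs = data[pos], data[pos + 1]
    scts = decode_scts(data[pos + 2:pos + 9])
    udl = data[pos + 9]
    ud = data[pos + 10:]
    # DCS general group (bits 7-6 = 00): bits 3-2 select 7-bit (0), 8-bit (1) or UCS-2 (2);
    # the other coding groups only distinguish 7-bit from 8-bit via bit 2
    alphabet = (dcs >> 2) & 0x03 if dcs & 0xC0 == 0 else (dcs >> 2) & 0x01
    if alphabet == 0:
        text = gsm7_unpack(ud, udl)                        # UDL counts septets
    elif alphabet == 2:
        text = ud[:udl].decode("utf-16-be")                # UDL counts bytes
    else:
        text = ud[:udl].hex()                              # opaque 8-bit data
    return {"smsc": smsc, "sender": sender, "pid": pid, "dcs": dcs,
            "timestamp": scts, "text": text}


# Constructed PDUs (not captured from a real phone): SMSC 15551234567, sender 12036452774
# (the slides' number), timestamp 2018-05-05 10:30:00 UTC+01:00.
PDU_7BIT = ("07915155214365F7" "04" "0B912130462577F4" "00" "00"
            "81505001030040" "0A" "E8329BFD4697D9EC37")   # 10 septets: "hellohello"
PDU_UCS2 = ("07915155214365F7" "04" "0B912130462577F4" "00" "08"
            "81505001030040" "04" "00480069")             # 4 bytes: "Hi"
```

`parse_sms_deliver(PDU_7BIT)` yields sender `12036452774` and text `hellohello`; swapping the DCS byte to `08` (`PDU_UCS2`) makes the same parser read the user data as UTF-16BE. Note that the timestamp is the service centre's, not the handset's, which is exactly why the slides say there is no record of when a message was first read.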
Examination – SIM card
• SIM (Subscriber Identity Module)
• the device is the property of the user, the SIM card is owned by the operator
• which allows the user to store certain data on it
• detailed definition in:
• ETSI (European Telecommunications Standards Institute): GSM, Global Mobile Communications, GSM 11.11, 1995.
• www.ttfn.net/techno/smartcards/gsm11-11.pdf
SIM card
• very simple interior structure
• it consists of files and each file has its own 2-byte identification code
• the first byte represents the type of the file:
• 3F – Master File, MF
• 7F – Dedicated File, DF
• 2F – elementary file under the MF
• 6F – elementary file under a DF
SIM card
• some files are defined in the standard
• 3F00:7F10 (DF TELECOM, dedicated file): records on the use of services (i.e. sent SMS, dialed numbers, ...)
• 3F00:2FE2 (EF ICCID, elementary file): saves the ICC-ID (Integrated Circuit Card ID)
• 3F00:7F20:6F07 (EF IMSI): saves the IMSI (International Mobile Subscriber Identity)
• 7F20:6F7E (EF LOCI): how the card was moving between operators (location information)
• 7F20:6F53 (EF LOCIGPRS): GPRS routing area
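To make the file-type rule and the two elementary files above concrete, here is an added example (not code from the lecture or from TULP2G): it classifies a colon-separated file path by the first byte of each identifier and rejects paths that violate the hierarchy (a 2Fxx file must sit directly under the MF, a 6Fxx file under a DF), then decodes the raw contents of EF_ICCID and EF_IMSI as GSM 11.11 lays them out. Both use the same swapped-BCD convention as SMS phone numbers. The byte strings are constructed for the example; the 2-digit MNC split in `decode_ef_imsi` is an assumption (some countries use 3-digit MNCs), and the Luhn check on the ICC-ID is a sanity test that a misread card will usually fail.

```python
# Added example, not from the lecture slides: interpreting GSM 11.11 file identifiers and
# decoding two elementary files named on the slides, EF_ICCID (3F00:2FE2) and EF_IMSI
# (3F00:7F20:6F07). The raw file contents below are constructed for this example.

FILE_TYPES = {0x3F: "MF", 0x7F: "DF", 0x2F: "EF under MF", 0x6F: "EF under DF"}


def parse_sim_path(path):
    """'3F00:7F20:6F07' -> [('MF','3F00'), ('DF','7F20'), ('EF under DF','6F07')].
    Checks that each level is a legal child of the previous one; a path may also
    start at a DF, as the slides write 7F20:6F7E."""
    out, parent = [], None
    for fid in path.upper().split(":"):
        kind = FILE_TYPES.get(int(fid[:2], 16))
        if kind is None:
            raise ValueError("unknown file type in %s" % fid)
        if kind == "MF" and parent is not None:
            raise ValueError("MF must be the root")
        if kind == "EF under MF" and parent != "MF":
            raise ValueError("%s must sit directly under the MF" % fid)
        if kind == "EF under DF" and parent != "DF":
            raise ValueError("%s must sit under a DF" % fid)
        out.append((kind, fid))
        parent = kind
    return out


def path_is_valid(path):
    try:
        parse_sim_path(path)
        return True
    except ValueError:
        return False


def bcd_nibbles(raw):
    """Swapped BCD as in SMS numbers: low nibble is the first digit, F filler is dropped."""
    return "".join("%X" % n for b in raw for n in (b & 0x0F, b >> 4) if n != 0x0F)


def luhn_ok(digits):
    """ICC-IDs end in a Luhn check digit; a failing check hints at a misread card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def decode_ef_iccid(raw):
    """EF_ICCID: 10 bytes of swapped BCD holding the up-to-20-digit ICC-ID."""
    return bcd_nibbles(raw[:10])


def decode_ef_imsi(raw):
    """EF_IMSI: byte 0 = length, then swapped BCD whose very first nibble is a
    parity/identity nibble (bit 3 set = odd digit count) that is not part of the IMSI.
    The MCC/MNC split assumes a 2-digit MNC (assumption; it is 3 digits in some countries)."""
    length = raw[0]
    nibbles = bcd_nibbles(raw[1:1 + length])
    imsi = nibbles[1:]
    return {"imsi": imsi, "mcc": imsi[:3], "mnc": imsi[3:5], "msin": imsi[5:],
            "odd_digit_count": bool(raw[1] & 0x08)}


# Constructed card contents (not read from a real SIM)
EF_ICCID_RAW = bytes.fromhex("98440000000000001072")   # ICC-ID 89440000000000000127
EF_IMSI_RAW = bytes.fromhex("082943519099999999")      # IMSI 234150999999999
```

Reading these files from a card goes through SELECT on each identifier in the path and then READ BINARY; the decoding above is what turns the returned bytes into the ICC-ID and IMSI that a report quotes.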
SIM card
• tools for examining the SIM card:
• TULP2G: Netherlands Forensic Institute
• http://tulp2g.sourceforge.net/
• the tool is not updated but it is fine for reading the SIM card
SIM card
• example of information from a SIM card (Paraben Device Seizure)
SIM card
• Challenge: How can I access the data on your SIM card?
• Challenge: Is the entire GPRS history saved?
• Challenge: List the EFs in which the user can write.
SIM card and security
• the card is protected with a PIN (Personal Identification Number) code
• if you make too many mistakes (it cannot be checked), the card locks itself
• for unlocking we need the PUK (PIN Unlock Key) code
• often the operator has it