Page 1: Digital forensics - uni-lj.si

5/5/18

Digital forensics
Andrej Brodnik

Andrej Brodnik: Digital forensics

Cell (mobile) phones

chapter 20
• various technologies of data transfer
• formerly mostly phones, today mostly computers
• rich source of personal data
  • call history (incoming, outgoing and missed)
  • SMS and MMS history (received and sent)
  • history of location data
  • images, journals, calendars, ...
  • access to web networks
– in short, all the data which is also found on usual computers

Data on the cell phone

• Example (POCKET-DIAL M FOR MURDER): The perpetrator had a phone in his pocket during the crime, which pocket-dialed the cell phone of his wife, who was the victim of the crime. On the wife's phone, the call went to voicemail and it was recorded.

• The computational power of mobile devices is increasing, and they contain many more I/O devices
  • thermometers
  • accelerometers
  • credit card scanners
  • ...
• use of these units went beyond the manufacturer's intentions; e.g. at a certain temperature some action is triggered
• phones became one type of embedded system


Mobile device forensics

• devices have more capable operating systems
  • Android
  • iPhone
  • Blackberry
  • Windows Mobile
• and older operating systems (Symbian, ...)

Mobile device forensics

• devices are by definition network devices
  • GPRS, CDMA, UMTS, ...
  • IEEE 802.11
  • IEEE 802.15 (Bluetooth)
  • infrared communication
  • ...
• access to the device may destroy or modify the evidence material

Mobile device forensics

• data is usually saved in storage media
  • it cannot be deleted, but it can be copied
  • due to the limited number of writes, writing algorithms spread data across the storage media
  • that is why we can get a lot of data that seems to be deleted


Mobile device forensics

• data acquisition from the device
  • usually using a cable connected to the data port
  • protocol knowledge needed
• sometimes a direct capture from the storage media is required
  • direct reading from the chip

Mobile device forensics

• devices are made of two parts
  • the device itself
  • SIM card(s)
• the device has a unique identification number, the IMEI (International Mobile Equipment Identity)

Mobile device forensics

• SIM cards are computers
  • CPU, ROM, RAM
• contain the ICC-ID (Integrated Circuit Card Identifier):
  • MCC (mobile country code),
  • MNC (mobile network code),
  • serial number of the card
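Added example (not part of the lecture): both identifiers named on these slides, the IMEI of the device and the ICC-ID of the SIM, end in a Luhn check digit, which lets an examiner flag a mistyped or only partly recovered identifier before it goes into a report or an operator request. The IMEI split into an 8-digit TAC, a 6-digit serial and the check digit, and the "89" telecom prefix of the ICC-ID, are the standard layouts; the sample identifiers in the code are constructed, not real devices.

```python
# Added example: Luhn validation and field split for IMEI and ICC-ID.
# Sample identifiers are constructed (check digits computed with luhn_check_digit).

def luhn_check_digit(payload: str) -> int:
    """Luhn check digit for a digit string that does not yet carry one."""
    total = 0
    # Walk from the right; the rightmost payload digit is the first one doubled.
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def luhn_valid(number: str) -> bool:
    """True if the last digit is the correct Luhn check digit for the digits before it."""
    if not number.isdigit() or len(number) < 2:
        return False
    return luhn_check_digit(number[:-1]) == int(number[-1])


def parse_imei(imei: str) -> dict:
    """Split a 15-digit IMEI into TAC (8), serial (6) and check digit, and validate it."""
    if len(imei) != 15 or not imei.isdigit():
        raise ValueError("IMEI must be 15 digits")
    return {
        "tac": imei[:8],        # Type Allocation Code: identifies manufacturer and model
        "serial": imei[8:14],   # per-unit serial assigned by the manufacturer
        "check": imei[14],
        "luhn_ok": luhn_valid(imei),
    }


def check_iccid(iccid: str) -> dict:
    """Sanity checks on an ICC-ID: 19 or 20 digits, '89' telecom prefix, valid Luhn digit."""
    return {
        "length_ok": len(iccid) in (19, 20) and iccid.isdigit(),
        "telecom_prefix": iccid.startswith("89"),
        "luhn_ok": luhn_valid(iccid),
    }


if __name__ == "__main__":
    # Constructed sample values, not taken from any real device or SIM.
    print(parse_imei("352099001761481"))
    print(check_iccid("8938601234567890125"))
```

A failed Luhn check does not prove tampering; it usually means a transcription error or a partially overwritten record, which is exactly why the check belongs in the acquisition notes rather than in the conclusions.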


SIM cards

• Challenge: Which other data does the SIM card contain?
• Challenge: What is the LAI and what is the IMSI?
• Challenge: What does your SIM card hold? What are the values of this data? What is the identification of your mobile device?

Data about and on the device

• on the device – depends on the type of the device:
  • baseline phone
  • smartphone
• where the data is also stored:
  • user's computer
  • operator
  • SIM card
• on the device at least the following are stored:
  • titles
  • incoming, outgoing and missed calls
  • received and sent SMS

SMS as digital evidence

• full information: when it was sent/received, from whom, and the content
• no record of when messages were first read

example of data acquired using BitPim (http://www.bitpim.org/)


Image data

• smartphones have cameras
• image metadata is (usually) in an EXIF record

Example of data acquired from a Windows Mobile device using XRY (http://www.msab.com/)

Access to the Internet services

• mobile devices enable access to the web
  • often users save passwords there
  • there is a history of entries
  • logs of the last entries
  • ...
• mobile devices enable e-mail reading
  • passwords to access mailboxes
  • last received/sent mails
  • ...
• other applications and their data

Access to the Internet services

• example of data on an iPhone

  F:\tools>sqlite3.exe "iPhone2\Keychains\keychain-2.db"
  SQLite version 3.6.16
  Enter ".help" for instructions
  Enter SQL statements terminated with a ";"
  sqlite> select labl,acct,svce from genp;
  |[email protected]|Yahoo-token
  |[email protected]|
  |[email protected]|
  |[email protected]|
  |[email protected]|com.apple.itunesstored.keychain
  erooster|MMODBracketsAccount|LumosityBrainTrainer
  |erooster|LumosityBrainTrainer


Location Information

• the history of moving between cellular towers can be saved
• GPS devices can save exact coordinates

Location Information

• images can save information such as when and where they were taken
  • e.g. EXIF format
• Challenge: search for location information in your phone.

Other data

• calendar, notes, ...
• Challenge: search for calendar data in your phone.


Attacks on mobile devices

• the attacker loads his code on the device
  • through the network
  • the user installs an application that seems useful and friendly (http://www.theregister.co.uk/2010/01/11/android_phishing_app/)
• the application reads passwords, ...
  • allows the attacker to access bank accounts ...
  • see MobileSpy (http://www.mobile-spy.com/)

Attacks on mobile devices

• Challenge: How does MobileSpy work?
• Challenge: Find software that can harm your Android system.
• Challenge: Make your own program that reads data on an Android (iPhone) system. Can this also be useful software?

Thinking Outside of the Device

• additional data:
  • user's computer
  • operator: call center and base stations
• devices the user knows something about (transitivity)


Handling Mobile Devices

• the device can wirelessly connect with the world
  • disable
  • remove power
  • other ways

Handling Mobile Devices

• remove the storage module
  • storage modules are always smaller
• usually FAT file system
  • iPhone: APFS, Android: Linux design
• otherwise the usual procedures (signature, journals, ...)

Accessing the data

• different methods of access for different types of device
  • not every device has a USB interface
• examples:
  • via the user interface
  • via the communication port
  • proprietary interface (Nokia F-BUS, FlashBUS)
  • via the JTAG (Joint Test Action Group) interface
  • via direct memory chip access


Accessing the data

• some devices provide agent access
  • when the device is on, it runs the agent, which takes over control of the device (iPhone)
• sometimes we can stop the software from launching and have our own code loaded next
• manufacturers offer data archiving software which also provides access to deleted and other data

Examples...

• example of stored data with an archive using XACT (Motorola device)

Examples...

• a device which is partly broken may still work well enough


Mobile Device Forensics Tools

• any tool allows access to the device memory (for example a disk)
  • in the case of a disk, access is relatively safe because it cannot change its content by itself
  • in the case of a mobile device that is not necessarily true

Mobile Device Forensics Tools

• XRY (http://www.msab.com/)
• Cellebrite UFED (Universal Forensic Extraction Device) – http://www.cellebrite.com/
• Logicube CellDEK (http://www.logicube.com/)
• MOBILedit! Forensic (http://mobiledit.com/)
• programming equipment for analysis


Mobile Device Forensics Tools

• iXAM (http://www.ixam-forensics.com/)
• Twister Flasher

File System Examination

• depends on the device
  • unique
  • built-in systems: Qualcomm (BREW, Binary Runtime Environment for Wireless)
  • FAT, ext2, ext3, HSFX, APFS, …
• various tools are available:


Some basic tools...

• BitPim (http://www.bitpim.org/) – Motorola CDMA
• Forensic Toolkit, FTK (http://accessdata.com/products/computer-forensics/ftk) – iPhone

Data recovery

• even if we don't have all the data, we can recover partly deleted data from logical data


Data recovery

• if it is a usual file system (FAT, ext2, ext3, APFS, ...), already known tools apply
  • EnCase and deleted images

Data recovery

• in this example of composite files (MMS, docx, ...) we can find parts of the data
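Added example (not from the lecture): the simplest form of the recovery the two slides above describe is signature-based carving, which ignores file system metadata and looks for known headers and footers in the raw bytes. The code below scans a buffer for JPEG (FF D8 FF ... FF D9) and ZIP (PK\x03\x04 ... end-of-central-directory) signatures, the latter covering docx and other composite containers, and then opens each carved ZIP to list its members. The dump it scans is constructed in build_sample_dump(), not taken from any device; a header with no footer is reported as a truncated hit rather than dropped.

```python
# Added example: header/footer carving over a constructed raw buffer.
import io
import struct
import zipfile

# (header, footer) signatures; docx/xlsx/apk are ZIP containers, so "zip" covers them.
SIGNATURES = {
    "jpeg": (b"\xFF\xD8\xFF", b"\xFF\xD9"),
    "zip": (b"PK\x03\x04", b"PK\x05\x06"),  # local file header ... end-of-central-directory
}


def carve(buf: bytes, max_size: int = 10 * 1024 * 1024) -> list:
    """Return (kind, start, end, data) per hit, sorted by offset; end/data are None if truncated."""
    found = []
    for kind, (head, foot) in SIGNATURES.items():
        pos = 0
        while True:
            start = buf.find(head, pos)
            if start < 0:
                break
            foot_at = buf.find(foot, start + len(head), start + max_size)
            if foot_at < 0:
                # header without footer: truncated or partially overwritten file
                found.append((kind, start, None, None))
                pos = start + 1
                continue
            if kind == "zip" and foot_at + 22 <= len(buf):
                # EOCD record is 22 bytes plus an optional comment (length at offset 20)
                comment_len = struct.unpack_from("<H", buf, foot_at + 20)[0]
                end = foot_at + 22 + comment_len
            else:
                end = foot_at + len(foot)
            found.append((kind, start, end, buf[start:end]))
            pos = end  # skip past the carved file, including any signatures inside it
    return sorted(found, key=lambda hit: hit[1])


def build_sample_dump() -> bytes:
    """Constructed stand-in for a raw dump: slack, a JPEG-like blob, a docx-like ZIP, a truncated JPEG."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document>partly deleted report</w:document>")
    fake_jpeg = b"\xFF\xD8\xFF\xE0" + b"\x00\x10JFIF\x00" + b"\x00" * 40 + b"\xFF\xD9"
    truncated = b"\xFF\xD8\xFF\xE1" + b"\x11" * 30  # header, no end-of-image marker
    filler = b"\x00" * 64
    return filler + fake_jpeg + filler + zbuf.getvalue() + filler + truncated + filler


def carved_docx_members(dump: bytes) -> list:
    """Open every intact carved ZIP and list its member names, proving the container survived."""
    names = []
    for kind, _start, _end, data in carve(dump):
        if kind == "zip" and data is not None:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names.append(z.namelist())
    return names


if __name__ == "__main__":
    dump = build_sample_dump()
    for kind, start, end, _ in carve(dump):
        print(kind, start, end if end is not None else "truncated")
    print(carved_docx_members(dump))
```

Real tools add validation of the carved body (parsing the JPEG segment structure, checking ZIP CRCs) because a footer search alone also stops at a footer byte sequence that belongs to a different file.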

Data recovery

• Example of data captured using DFF (Digital Forensic Framework, http://www.digital-forensic.org/)
• Challenge: Study the environment and how it is spread


Data Format SMIL

• Synchronized Multimedia Integration Language
• part of a W3C standard - http://www.w3.org/AudioVideo/
• versions 1, 2 and 3 (http://www.w3.org/TR/SMIL3/)
• includes SVG items (enhanced vector graphics, Scalable Vector Graphics)
• allows:
  • animation, integration of other images, modularization, ...
• Challenge: Find a SMIL file and study it.
• Challenge: Make your own SMIL file and send it to the forum.
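Added example (not from the lecture): in an MMS the SMIL part is the "presentation" that ties the other parts (images, text, audio) into timed slides, so when an MMS is only partly recovered the SMIL tells the examiner which parts existed and which are missing. The code below parses a constructed MMS SMIL document with the standard library, lists the slides with their durations and referenced media, and reports referenced files that are not among the recovered parts. The SMIL document and file names are constructed for the example; it handles both namespaced and un-namespaced SMIL, which is how phones actually emit it.

```python
# Added example: reading an MMS SMIL presentation to inventory its parts.
import xml.etree.ElementTree as ET

# Constructed sample: the SMIL part of a two-slide MMS (not a real capture).
SAMPLE_SMIL = """<smil xmlns="http://www.w3.org/2001/SMIL20/Language">
  <head>
    <layout>
      <root-layout width="240" height="320"/>
      <region id="Image" top="0" left="0" width="240" height="240"/>
      <region id="Text" top="240" left="0" width="240" height="80"/>
    </layout>
  </head>
  <body>
    <par dur="5000ms">
      <img src="photo.jpg" region="Image"/>
      <text src="text_0.txt" region="Text"/>
    </par>
    <par dur="8000ms">
      <audio src="voice.amr"/>
      <text src="text_1.txt" region="Text"/>
    </par>
  </body>
</smil>"""

MEDIA_TAGS = {"img", "text", "audio", "video", "ref"}


def local(tag: str) -> str:
    """Strip an XML namespace: '{http://...}par' -> 'par'."""
    return tag.rsplit("}", 1)[-1]


def parse_dur(value):
    """SMIL clock value to seconds: '5000ms' -> 5.0, '8s' -> 8.0, None -> None."""
    if value is None:
        return None
    v = value.strip()
    if v.endswith("ms"):
        return int(v[:-2]) / 1000
    if v.endswith("s"):
        return float(v[:-1])
    return float(v)


def slides_from_smil(smil_text: str) -> list:
    """One dict per <par> slide: duration in seconds and (tag, src, region) for each media child."""
    root = ET.fromstring(smil_text)
    slides = []
    for par in root.iter():
        if local(par.tag) != "par":
            continue
        parts = [(local(m.tag), m.get("src"), m.get("region"))
                 for m in par if local(m.tag) in MEDIA_TAGS]
        slides.append({"dur_s": parse_dur(par.get("dur")), "parts": parts})
    return slides


def referenced_files(smil_text: str) -> list:
    """Sorted, de-duplicated list of every part the presentation refers to."""
    return sorted({src for s in slides_from_smil(smil_text) for _, src, _ in s["parts"] if src})


def missing_parts(smil_text: str, recovered: list) -> list:
    """Parts the SMIL references that were not recovered alongside it."""
    have = set(recovered)
    return [f for f in referenced_files(smil_text) if f not in have]


if __name__ == "__main__":
    for i, slide in enumerate(slides_from_smil(SAMPLE_SMIL), 1):
        print(f"slide {i}: {slide['dur_s']} s, parts {slide['parts']}")
    print("missing:", missing_parts(SAMPLE_SMIL, ["photo.jpg", "text_0.txt"]))
```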

Data recovery

• SSD is used as storage
  • data which is in storage but not structured
  • partly deleted data
  • data in deleted blocks which are scattered across the unit
• Challenge: look up the forensic challenge and solution DFRWS 2010 (Digital Forensic Research Conference) – http://www.dfrws.org/2010/challenge/
  • example files of the unit are available
• Challenge: look up the forensic challenge and solution DFRWS 2011 – http://www.dfrws.org/2011/challenge/
• Challenge: look up the forensic challenge DFRWS 2012 – http://www.dfrws.org/2012/challenge/

Examination – other data

• a lot of smartphones save their data in a database
  • SQLite – Android, iPhone, Palm, ...
  • cemail.vol – Windows Mobile


Examination – data formats

• mostly standard formats:
  • 7-bit standard; GSM 03.38: 160 characters
  • 16-bit UCS-2 (Universal Character Set, UTF-16): 70 characters
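Added example (not from the lecture): the two limits above both follow from the 140-octet user data field of an SMS: 160 seven-bit characters is 1120 bits, exactly 140 octets, and 70 UCS-2 characters at 16 bits each is again 140 octets. The code below packs and unpacks GSM 03.38 septets the way the SMS PDU format does (least significant bit first, so a message recovered from a raw PDU can be read back), chooses the alphabet for a text and sizes it, including the 153/67-character segments of concatenated SMS, whose user data header costs 6 octets. Simplification, labelled in the code: only characters whose GSM 03.38 code equals their ASCII code are treated as 7-bit; a real encoder maps the full GSM table and its escape sequences.

```python
# Added example: GSM 7-bit packing and SMS sizing in both alphabets.

MAX_UD_OCTETS = 140  # user data field of one SMS

# GSM 03.38 default-alphabet positions that coincide with ASCII (space, most punctuation,
# digits, letters, CR and LF). '@', '$', '[', '{' and accented letters differ in GSM 03.38
# and are deliberately left out of this simplified mapping.
GSM_SAME_AS_ASCII = (
    {0x0A, 0x0D}
    | set(range(0x20, 0x24)) | set(range(0x25, 0x40))
    | set(range(0x41, 0x5B)) | set(range(0x61, 0x7B))
)


def pack_septets(septets: list) -> bytes:
    """Pack 7-bit values into octets, LSB first, as in an SMS PDU user data field."""
    bits = 0
    nbits = 0
    out = bytearray()
    for s in septets:
        bits |= (s & 0x7F) << nbits
        nbits += 7
        while nbits >= 8:
            out.append(bits & 0xFF)
            bits >>= 8
            nbits -= 8
    if nbits:
        out.append(bits & 0xFF)  # trailing partial octet, zero padded
    return bytes(out)


def unpack_septets(data: bytes, count: int) -> list:
    """Reverse of pack_septets; `count` is the septet count from the PDU's UDL field."""
    bits = 0
    nbits = 0
    septets = []
    for b in data:
        bits |= b << nbits
        nbits += 8
        while nbits >= 7 and len(septets) < count:
            septets.append(bits & 0x7F)
            bits >>= 7
            nbits -= 7
    return septets


def encode_sms(text: str):
    """Return (alphabet, user_data_bytes, char_count); falls back to UCS-2 when needed."""
    if all(ord(c) in GSM_SAME_AS_ASCII for c in text):
        return "gsm7", pack_septets([ord(c) for c in text]), len(text)
    return "ucs2", text.encode("utf-16-be"), len(text)


def fits_in_one_sms(text: str) -> bool:
    alphabet, ud, n = encode_sms(text)
    limit = 160 if alphabet == "gsm7" else 70
    return n <= limit and len(ud) <= MAX_UD_OCTETS


def segments_needed(text: str) -> int:
    """Concatenated parts lose 6 octets to the user data header: 153 / 67 characters each."""
    alphabet, _, n = encode_sms(text)
    single, multi = (160, 153) if alphabet == "gsm7" else (70, 67)
    if n <= single:
        return 1
    return -(-n // multi)  # ceiling division


if __name__ == "__main__":
    print(pack_septets([ord(c) for c in "hello"]).hex())  # e8329bfd06
    print(segments_needed("a" * 161), segments_needed("é" * 71))
```

The practical consequence for examination: one accented character or emoji flips a whole message to UCS-2 and halves its capacity, so a "short" message found split across several PDUs is not itself suspicious.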

Examination – data formats

• big and little endian – depending on the processor
  • Motorola – big-endian format
• high and low nibble (half-byte)
  • the number 12036452774 is saved as 2130462577F4 (F is the filler)
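Added example (not from the lecture): the nibble-swapped BCD ("semi-octet") encoding shown above is how phone numbers are stored in SMS PDUs and in SIM files: each byte carries two digits with the first digit in the low nibble, and an odd-length number is padded with an F nibble. The encoder and decoder below reproduce the slide's value, and the decoder rejects nibbles that are not digits, which is what distinguishes a genuine number field from arbitrary bytes when reading a raw dump.

```python
# Added example: nibble-swapped BCD as used for phone numbers in PDUs and on the SIM.

def encode_swapped_bcd(digits: str) -> bytes:
    """'12036452774' -> bytes 21 30 46 25 77 F4 (first digit in the low nibble)."""
    if not digits.isdigit():
        raise ValueError("digits only")
    if len(digits) % 2:
        digits += "F"  # filler nibble for an odd number of digits
    out = bytearray()
    for i in range(0, len(digits), 2):
        lo, hi = digits[i], digits[i + 1]
        out.append((int(hi, 16) << 4) | int(lo, 16))
    return bytes(out)


def decode_swapped_bcd(data: bytes) -> str:
    """Reverse of encode_swapped_bcd; skips the F filler and rejects non-digit nibbles."""
    digits = []
    for b in data:
        for nib in (b & 0x0F, b >> 4):  # low nibble first, then high nibble
            if nib == 0x0F:
                continue
            if nib > 9:
                raise ValueError(f"unexpected nibble {nib:X}: not a BCD number field")
            digits.append(str(nib))
    return "".join(digits)


def swapped_bcd_hex(digits: str) -> str:
    """Hex string as it would appear in a dump viewer, e.g. '2130462577F4'."""
    return encode_swapped_bcd(digits).hex().upper()


if __name__ == "__main__":
    print(swapped_bcd_hex("12036452774"))                      # 2130462577F4
    print(decode_swapped_bcd(bytes.fromhex("2130462577F4")))   # 12036452774
```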

Examination – SIM card

• SIM (Subscriber Identity Module)
  • the device is the property of the user, the SIM card is owned by the operator
  • which allows the user to store certain data on it
• detailed definition in:
  • ETSI (European Telecommunications Standards Institute): GSM, Global Mobile Communications, GSM 11.11, 1995.
  • www.ttfn.net/techno/smartcards/gsm11-11.pdf


SIM card

• very simple interior structure
• it consists of files and each file has its own 2-byte identification code
  • the first byte represents the type of file:
    • 3F – Master File, MF
    • 7F – Dedicated File, DF
    • 2F – elementary file under the MF
    • 6F – elementary file under a DF

SIM card

• Some files are defined in the standard
  • 3F00:7F10 (DF TELECOM, dedicated file): records on the use of services (i.e. sent SMS, dialed numbers, ...)
  • 3F00:2FE2 (EF ICCID, elementary file): stores the ICC-ID (Integrated Circuit Card ID)
  • 3F00:7F20:6F07 (EF IMSI): stores the IMSI (International Mobile Subscriber Identity)
  • 7F20:6F7E (EF LOCI): how the card was moving between operators
  • 7F20:6F53 (EF LOCIGPRS): GPRS routing area
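Added example (not from the lecture): the first-byte rule above is enough to classify any GSM 11.11 file identifier and to check that a path such as 3F00:7F20:6F07 is structurally possible (MF only at the root, 2Fxx directly under the MF, 6Fxx under a DF, an EF always last). The code below does that and annotates the identifiers the slide names; the one name not on the slide, DF GSM for 7F20, is taken from GSM 11.11 and marked as such in the code.

```python
# Added example: classify GSM 11.11 file identifiers and validate a file path.

FILE_TYPES = {
    0x3F: "MF",           # Master File (root)
    0x7F: "DF",           # Dedicated File (directory)
    0x2F: "EF under MF",  # elementary file directly under the master file
    0x6F: "EF under DF",  # elementary file under a dedicated file
}

KNOWN_FILES = {
    "3F00": "MF",
    "7F10": "DF TELECOM",
    "7F20": "DF GSM",       # from GSM 11.11; not named on the slide
    "2FE2": "EF ICCID",
    "6F07": "EF IMSI",
    "6F7E": "EF LOCI",
    "6F53": "EF LOCIGPRS",
}


def file_type(fid: str) -> str:
    """Type of a 2-byte file identifier ('6F07' -> 'EF under DF') from its first byte."""
    if len(fid) != 4 or any(c not in "0123456789ABCDEFabcdef" for c in fid):
        raise ValueError(f"file id must be 2 bytes in hex: {fid!r}")
    return FILE_TYPES.get(int(fid[:2], 16), "unknown")


def describe_path(path: str) -> list:
    """[(fid, type, name)] for each element of 'XXXX:YYYY:...'; raises on an impossible path."""
    fids = path.upper().split(":")
    out = []
    for i, fid in enumerate(fids):
        ftype = file_type(fid)
        last = i == len(fids) - 1
        parent = out[-1][1] if out else None  # None: relative path, parent unknown
        if ftype == "unknown":
            raise ValueError(f"{fid}: first byte is not 3F/7F/2F/6F")
        if ftype == "MF" and i != 0:
            raise ValueError(f"{fid}: the MF may only appear at the start of a path")
        if ftype.startswith("EF") and not last:
            raise ValueError(f"{fid}: an elementary file cannot contain other files")
        if ftype == "EF under MF" and parent not in (None, "MF"):
            raise ValueError(f"{fid}: 2Fxx files live directly under the MF")
        if ftype == "EF under DF" and parent not in (None, "DF"):
            raise ValueError(f"{fid}: 6Fxx files live under a DF")
        out.append((fid, ftype, KNOWN_FILES.get(fid, "?")))
    return out


if __name__ == "__main__":
    for p in ("3F00:7F10", "3F00:2FE2", "3F00:7F20:6F07", "7F20:6F7E", "7F20:6F53"):
        print(p, "->", describe_path(p))
```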

SIM card

• tools for examining a SIM card:
  • TULP2G: Netherlands Forensic Institute
  • http://tulp2g.sourceforge.net/
  • the tool is not updated but it is fine for reading the SIM card


SIM card

• example of information from a SIM card (Paraben Device Seizure)

SIM card

• Challenge: How can I access the data on your SIM card?
• Challenge: Is the entire GPRS history saved?
• Challenge: List the EFs to which the user can write.

SIM card and security

• the card is protected with a PIN (Personal Identification Number) code
• if you make too many mistakes (this cannot be checked), the card locks itself
• for unlocking we need the PUK (PIN Unlock Key) code
  • often the operator has it

Andrej Brodnik: Digital forensics

