MFW2009_BROTHERS_CellPhoneandGPSForensicToolClassificationSystem

8/7/2019 MFW2009_BROTHERS_CellPhoneandGPSForensicToolClassificationSystem

1/36

Cell Phone and GPS ForensicTool Classification System

State of the Market Place as of:May 2009

Author: Sam BrothersDirector of Digital Forensics


2/36

5- Levels of Analysis:

1. Manual Analysis

2. Logical Analysis

3. Hex Dump (Physical Analysis)

4. p- ys ca na ys s5. Micro Read (Physical Analysis)

Copyright 2009 by Sam Brothers All rights reserved


3/36

Tool Analysis PyramidMicroRead

Chip-Off

e

x ump

Logical Analysis

Manual Extraction



4/36

Tool Analysis Pyramid Going Up More forensically

sound More technical

Longer analysis

MicroRead

Chip-Off

Hex Dum

times More Training

Required

*Products may exist at more than one level

Logical Analysis

Manual Extraction



5/36

Less forensically

sound Less technical

Less Training

Tool Analysis Pyramid Going Down

MicroRead

Chip-Off

Hex Dum

Required

*Cost is not proportional

Logical Analysis

Manual Extraction



6/36

Level 1: Manual Extraction Manual Extraction:

Process:

Review phone documentation, and

browse the using handset buttons toview and record data by hand.

Tools available:

Project-A-Phone

Pros:

Fast

Will work on almost everyphone

No cables required

Easy to use

ZRT

Notes:

Popular with local PD

Hand Jamming

NOT fun!

Cons:

Will not get to ALL data

Prone to errors

Foreign language barrier Booby traps

Broken buttons

No Deleted Files

Time consumingCopyright 2009 by Sam Brothers All rights reserved


7/36

Level 2: Logical Analysis Logical Analysis:

Process:

Connect data cable to the handset.

Extract data using AT, BREW, etc.commands in client/serverarchitecture.

Tools available:

Pros:

Fast

Easy to use Lots of research

Lots of info available

Forei n Lan ua e su ort Too many to list

Notes:

Many cell phone tools fit in thiscategory.

Currently ALL GPS tools exist atthis level!

Standard report format Repeatable

Cons:

Writes data to handset Log file access (minimal)

End user understanding

Lots-o- Cables

Deleted filesCopyright 2009 by Sam Brothers All rights reserved


8/36

Pros:

Inexpensive

Deleted Data Extract data hidden from

handset menus

Level 3: Physical Analysis Hex Dump

Process:

Push Boot Loader into phone and

dump memory.

Tools available:

CelleBrites UFED (Beta)

Parabens DS

Cons: Requires data conversion

Inconsistent report format

Came out of the hackercommunity

Difficult to use

Custom Cables

Source code not available

Limited to specific

manufacturers

SmartClip iPhone (Coming Soon!)

Notes:

Currently, this is the fastest growing

segment in the Cell Phone ForensicTool Marketplace.



9/36

Pros:

Expensive

Able to extract ALL datafrom handset memory

Better picture of what isgoing on holistically in the

Level 4: Physical Analysis Chip-Off Process:

Remove memory from thephone/device and read in eithersecond phone or EEprom reader.

Tools available:

Rework Station

p one

Cons:

Data is not contiguous!

Hard to interpret/convert

No report format

Difficult to use

Source code not available

Custom cable harnesses

needed

Z-Poly Film

EEProm Reader

Notes:

This includes desoldering

This is where we will all be in 3years.



10/36

Pros:

Expensive

Able to extract and verify alldata from handset memory

Best picture of what is goingon holistically in the phone

Level 5: Physical Analysis Micro Read Process:

Use an electron microscope to viewstate of memory.

Tools available:

Electron Microscope

Most Forensically Sound

Cons:

Most time consuming

Hard to interpret/convert

No report format

VERY Expensive

Highly technical

Notes: This method would be reserved for

high value devices or damagedmemory chips.



11/36

Fernicos ZRT Level 1

BitPIM Level 2

CelleBrites UFED Level 3

Summit 1100 BGA Level 4

Leveling System in Practice:

Hitachi S-450 SEM Level 5

Level 1 Level 2 Level 3 Level 4 Level 5


12/36

Level 1 Tools:


13/36

ICD-505(Project-A-Phone)

Low Cost Works for almost EVERY

phone! Works for other small

pieces of evidence as well. Includes microphone! Shoots video

solution. Easiest for Jury to

understand.

Cost: $400 USD


14/36

ZRT(Fernico)

Rugged for large volume Works for almost EVERY

phone! Works for other small

pieces of evidence as well. Includes microphone Shoots video

Sometimes the ONLYsolution.

Easiest for Jury tounderstand.

Cost: $900 USD


15/36

Level 2 Tools:(Basic)


16/36

BitPim(Freeware)

Excellent CDMA FileSystem Browsing

User Community Support Almost ANY CDMA phone

is supported! Saves the entire File

System as a .ZIP file.

Lead Developer is LEFriendly!

Cost: Free


17/36

CellDEK

(Logicube) Cable Management Portable

Includes Laptop Intuitive Interface HTML Report Creation SIM Card Processing iPhone Support

Technical Support Data Deletion 644 Phones Supported

Cost: $20,000 USD


18/36

SecureView

(Susteen) Cable Management Simple User Interface

HTML Report Creation SIM Card Processing Technical Support 2 Year Subscription iPhone Support (Logical)

1400 Phones Supported

Cost: $1,600 USD


19/36

MOBILedit! Forensic

(Compelson Labs) Supports Windows Mobile

6.1 iPhone Support 550 Phones Supported

Cost: $600 USD


20/36

Oxygen Forensic Suite

(Oxygen Software) Popular with European

Market Symbian Based Phones! Windows Mobile Support BlackBerry Support LifeBlog Data (Nokia)

Geographic Data!!!

Cost: $1,000 USD


21/36

Wolf

(Digital Forensic Solutions) Pros:

iPhone Support

Training Available 1 Phone Supported

Cost: Unknown


22/36

Level 2/3 Tools:(Basic)


23/36

UFED - Ruggedized(CelleBrite)

Intuitive Interface Compact/Complete

Fast Development Cable Management HTML Report Creation Simple Update Process SIM Card Processing

iPhone Support Technical Support Goof Proof Subscription Includes Chargers No Windows! Product Certification 1600 Phones Supported

Cost: $7,000 USD


24/36

.XRY

(MicroSystemation) Pros:

Documentation (Best inthe Business!)

Simple User Interface Cable Management HTML Report Creation SIM Card Processing

Technical Support CDMA File System

Support with XACT($5,000)

Product Certification iPhone Support

BlackBerry Support 639 Phones Supported

Cost: $7,300 USD


25/36

Device Seizure- Command Kit(Paraben)

BlackBerry Support

Physical Extractions

Technical Support Claims 1,900 Phones

Cost: $1,900 USD


26/36

Level 3 Tools:(Advanced)

FOUO - LEO


27/36

CDMA Workshop

(CDMA Software)

Frequently Updated

Excellent Memory Dumptool! Uses Boot Loaders User Community is so-so Password recovery for

Cost: $350 USD


28/36

Cell Phone Analyzer

(BK Forensics) Pros:

Data Dump translation

Training available BlackBerry Support Technical Support Phones Supported

Cost: $1,000 USD


29/36

Pandoras Box

(Digital Forensic Solutions) Nokia S30/S40 Support

(Fantastic!) Data Dump translation Training available Technical Support 200 Phones Supported

Cost: $550 USD


30/36

Level 4 Tools:(Chip Off)


31/36

Pieces and Parts1. Remove the Chip

A. Summit 1100 BGARework System

$50,000 USD

2. Mount the ChipA. Fuji Poly W-Series

ElastometricConnectors

$500 USD

B. Re-Balling(Good Luck!)

3. Reading the ChipA. BP Microsystems 1710

$10,000 USD

B. BGA Socket Module $500 USD

Cost: $70,000 USD


32/36

Pieces and Parts4. Translate the data

Cost: Unknown


33/36

Level 5 Tools:

(Micro Read)


34/36

Electron Microscope1. Use chemical

process to removetop layer of chip

2. Use microscope to

manually.3. Translate binary to

hex

4. Translate hex todata

Cost: $60,000 USD


35/36

Level 5 Tools:

(Micro Read)

Design Principles for Tamper-Resistant

Smartcard Processors http://www.cl.cam.ac.uk/~mgk25/sc99-tamper.pdf


36/36

Questions?

Sam Brothers

Director of Digital Forensics

QinetiQ North America

. . .

Phone: (703) 921-7149

Date post:	08-Apr-2018
Category:	Documents
Upload:	paulmazziotta
View:	225 times
Download:	0 times

MFW2009_BROTHERS_CellPhoneandGPSForensicToolClassificationSystem

Documents