CHFI module 13: Mobile forensics

DOCUMENT INFORMATION

Basic information

Title: Mobile Forensics Module 13
Author: Cyber Crime Investigators
Institution: EC-Council
Subject: Mobile Forensics
Type: module
Pages: 112
Size: 8.13 MB

Contents

Knowledge and experience gained after achieving the CHFI certification:
– Define the crime investigation process, including search and seizure protocols, obtaining search warrants, and other laws
– Classify crimes, types of digital evidence, rules of evidence, and best practices in computer evidence examination
– Conduct and document preliminary interviews, and secure and evaluate computer crime scenes
– Use the relevant investigation tools to collect and transport electronic evidence in cybercrime cases
– Recover deleted files and partitions in common computing environments, including Windows, Linux, and Mac OS
– Use the Forensic Toolkit (FTK) data access tool, steganography, steganalysis, and forensic image files
– Crack passwords, understand the types of password attacks, and use the latest password recovery tools and technologies
– Identify, track, analyze, and defend against the latest network, email, mobile phone, wireless, and web attacks
– Find and provide effective expert evidence in cybercrime and legal proceedings

Mobile Forensics

Module 13

Copyright © by EC-Council All Rights Reserved Reproduction is Strictly Prohibited.

Designed by Cyber Crime Investigators. Presented by Professionals.

Computer Hacking Forensic Investigator v9

Module 13: Mobile Forensics

Exam 312-49

After successfully completing this module, you will be able to:

Discuss mobile device forensics and understand why it is needed

Understand the role of mobile hardware and OS while conducting forensics on mobiles

Illustrate the architectural layers of the mobile device environment

Illustrate the Android architecture stack and demonstrate the Android boot process

Illustrate the iOS architecture stack and demonstrate the iOS boot process

Determine the mobile storage and evidence locations

Understand what you should do before performing an investigation

Perform mobile forensics

Mobile forensics is the science of recovering digital evidence from mobile devices under forensically sound conditions. With the increase in the usage of mobile devices every day, mobile forensics is of growing importance. This module highlights the precautions that a forensic analyst must take when collecting, preserving, and acquiring mobile devices such as smartphones, PDAs, digital cameras, Internet of Things devices, etc. This module will familiarize you with the topics listed above.

Mobile phone forensics is the science of recovering digital evidence from a mobile phone under forensically sound conditions

It includes recovery and analysis of data from mobile devices' internal memory, SD cards and SIM cards

Mobile forensics aims to trace the perpetrators of crimes that involve the use of mobile phones

Mobile phone forensics is the science of recovering digital evidence from a mobile phone under forensically sound conditions. It involves the examination and reporting of all possible sources of digital evidence in a forensically sound manner. The investigator reports and presents the evidence in a court of law to prove the incident.

Mobile phone forensics includes extraction, recovery, and analysis of data from the internal memory, SD cards, and SIM cards of mobile devices. Forensics experts analyze the phone by examining the incoming and outgoing text messages, pictures stored in the memory of the phone, call logs, email messages, SIM data, deleted data, etc., in an attempt to trace the perpetrators of crimes that involve the use of mobile phones.

The Projected Growth of Mobile Use

[Slide figures: Internet connections made via mobile devices; Using Mobiles for Money Transactions; mobile payment users 384 Million and 425 Million; transactions $450 Billion and $620 Billion; 50% of transactions will be made via mobile by 2020. Sources: http://www.kaspersky.com, http://www.three.co.uk, http://www.statista.com]

Approximately 94,344 unique users were attacked by mobile ransomware in 2015, in comparison with 18,478 users in 2014

Among all the malwares, ransomware (malware capable of obtaining unlimited rights on an infected device) and data stealers proved to be the most dangerous threat in 2015

With the increase in smartphone usage and mobile payments in recent years, the number of malware and ransomware has also increased, resulting in the growing importance of mobile forensics.

 According to Statista, the number of users making payments through mobile devices increased from 385 million in 2015 to 425 million in 2016, and transactions worth $620 billion have occurred in contrast to $450 billion in 2015

 According to three.co.uk, 50% of transactions will be made through mobiles by the year 2020

 With the increase in mobile device usage, the share of internet connections made via mobiles increased from 52.7% in 2015 to 56.1% in 2016. It is estimated to increase

 Among all the malwares, ransomwares (malwares capable of obtaining unlimited rights on an infected device) and data stealers proved to be the most dangerous threats in

modifications, with more geographies being targeted

Sources: http://www.statista.com, http://www.three.co.uk, http://www.kaspersky.com

Top Threats Targeting Mobile Devices

Web- & Network-based Attacks: Launched by malicious websites or compromised legitimate sites. The attacking site exploits the device's browser and attempts to install malware or steal confidential data that flows through the browser.

Malware: Includes traditional computer viruses, computer worms and Trojan horse programs. Example: the IKee worm targeted iOS-based devices. Example: Pjapps enrolled infected Android devices in a botnet.

Social Engineering Attacks: Leverage social engineering to trick users; attempts to get users to disclose sensitive information or install malware. Examples include phishing and targeted attacks.

Data Integrity Threats: Attempts to corrupt or modify data. The purpose is to disrupt the operations of an enterprise or is geared toward financial gain. Can also occur unintentionally.

Data Loss: An employee or hacker exfiltrates sensitive information from the device or network. Can be unintentional or malicious. Remains the biggest threat to mobile devices.

Resource Abuse: Attempts to misuse network, device or identity resources. Example: sending spam from compromised devices. Example: Denial of Service attacks using the computing resources of compromised devices.

http://www.symantec.com

The following list describes the different types of threats targeting mobile devices:

Web-based and network-based attacks: These attacks are commonly executed through malicious websites or compromised legitimate websites, which execute malicious code on the device's browser and exploit it. Web-based and network-based attacks attempt to install malware or steal confidential data flowing through the browser.

Malware is of the following types:

 Traditional computer virus: Comes into force after attaching to a legitimate host program

 Computer worms: Spread from one device to another and try to propagate across the entire mobile network

 Trojan horse programs: Perform malicious actions upon satisfying certain conditions

Social Engineering Attacks: The attacker entices the victim to share his/her sensitive information, such as personal details, professional details, and credit card and banking details. Some of the social engineering attacks are as follows:

 Phishing

 Baiting

 Tailgating

Resource Abuse: Attackers aim at misusing mobile device resources (such as network, computing, or identity-related information stored on the mobile) for malicious purposes. The two most common abuses include sending phishing mails and executing denial of service attacks from a set of compromised machines/botnets, using a command and control center.

Data Loss: Data loss occurs when an unauthorized transfer of data occurs on a mobile device. Such a transfer may be induced unintentionally by a legitimate mobile user or illegally by an attacker who has remote access to the device. Data loss is the biggest threat to mobile devices.

Data Integrity Threats: These threats attempt to modify or corrupt the data stored in mobile devices. These attacks are aimed at disturbing normal enterprise functionality or at financial gain. Data integrity threats may also occur unintentionally through natural causes such as random data corruption.

Source: http://www.symantec.com

damaged device when it is not possible to access device using data ports

Investigators need to take different approaches for mobile forensics depending upon the mobile hardware architecture

The common mobile hardware components include various elements such as the application processor, baseband processor, digital signal processor, ADC, DAC, RAM, ROM, and RF. The architecture and configuration of these hardware components may differ from device to device. For example, an iPhone may have a different hardware architecture than an Android mobile phone. In such cases, the challenges for mobile forensics investigators increase, as there is no standard hardware architecture for mobile phones. Investigators need to apply different tools and techniques to conduct forensics investigation of such a variety of mobile phones. Thus, a mobile forensics investigator should have sound knowledge of the mobile hardware architectures of different mobile phones. The investigator must identify and know the location of specific components of mobile phone hardware. For example, he/she should know where the memory chip resides inside mobile phones if he/she wants to conduct chip-off forensics.

A mobile operating system determines the functions and features available on mobile devices, and manages the communication between the mobile device and other compatible devices

This diversity in the mobile OS architecture may impact the forensic analysis process

Investigators require knowledge of the underlying OS, architecture, and file systems of the mobile device under investigation

Knowledge of the mobile OS booting process helps the investigator to gain lower level access

A mobile operating system (OS) is software that enables mobile phones, tablet PCs, and other mobile devices to run applications and programs. A mobile OS determines the functions and features available on mobile devices and manages the communication between the mobile device and other compatible devices.

There are several mobile OSs available in the market, such as Google's Android, RIM's BlackBerry OS, Microsoft's Windows Mobile, etc. This proliferation of mobile OSs and models creates various challenges for mobile forensic experts. Investigators require knowledge of the underlying OS, architecture, and file systems of the mobiles under investigation. Knowledge of the mobile OS booting process helps investigators gain lower level access.

Architectural Layers of Mobile Device Environment

[Slide diagram, top to bottom: Client Application; Communication APIs (E-mail, internet, SMS, etc.), GUI API, Phone API; Middleware Components (Service-discovery, network database components, etc.); Operating System; Device hardware consisting of display device, keypad, RAM, flash, embedded processor, and media processor; Network: Radio interface, gateway, and network interface]

The Mobile Architectural Layer is a platform that enables mobile operating systems, apps, and mobile device hardware to work in coordination for successful operations on devices such as PDAs, cellular phones, and smartphones.

Client application: The client application represents any Android application that runs on the Android platform. The client application needs resources to function effectively. These include communication APIs, the GUI API, the phone API, and middleware components.

Communication APIs, GUI API, phone API, and middleware components:

The Communication API simplifies the process of interacting with web services and other applications such as email, internet, and SMS.

The GUI API is responsible for creating menus and sub-menus when designing applications. It acts as an interface where the developer has a chance of building other plugins.

The Phone API provides telephony services related to the mobile carrier operator, such as making calls, receiving calls, and SMS. All phone APIs appear at the application layer.

In general, the OS provides middleware components used to link application components with network-distributed components.

Operating system: The mobile OS offers utilities for scheduling multiple tasks, memory management tasks, synchronization, and priority allocation. It also provides interfaces for

embedded processor, and media processor, which are responsible for mobile operation.

Radio interface, gateway, and network interface: A mobile device communicates with the network operator through interfaces such as the radio interface, gateway, and network interface to establish safe and secure communication.

Network: To communicate with the network, the data must pass through various layers to reach the destination. The data travels over the network layers to reach its destination.

[Slide diagram of the Android software stack, top to bottom: Applications (Home, Contacts, Phone, Browser, …); Application Framework (Resource Manager, Location Manager, Notification Manager, Package Manager), which supports the application API interfaces; Libraries (Surface Manager, Media Framework, SQLite, OpenGL | ES, FreeType, WebKit), native libraries written in C/C++ responsible for handling different types of data; Android Runtime, a custom-built virtual machine; Linux Kernel, built on top of the Linux 2.6 kernel and responsible for interacting with the hardware]

The Android architecture consists of various software components arranged in stacks.

Linux Kernel:

The Android OS was specially built on the Linux kernel layer with some additional modifications to its architecture. However, it is not possible for a user to run any of the Linux packages on the Android OS, since it differs from the original Linux. Simply put, Android uses Linux as its core; therefore, Android and Linux packages do not run on each other's platform. Android is simply a Linux kernel that communicates with the hardware and comprises all the necessary hardware drivers. The Linux kernel operates as an intelligence layer between the hardware and software layers.

Libraries:

The next layer in the Android architecture is the Android native library layer, which permits the device to manage various types of data. The application developer generally writes libraries for all the available hardware separately in the C or C++ language. Some of the important native libraries include the following:

 Surface Manager: It takes care of displaying windows owned by different applications running in different processes

 Media framework: The media framework offers various media codecs that allow the recording and playback of all the media formats

content to the screen

 FreeType: It renders the bitmap and vector fonts

 WebKit: It is the browser engine used to display web pages

 Libc: It is a C system library tuned for embedded Linux-based devices

Android Runtime:

Android Runtime is the application runtime environment used by the Android OS; it transforms bytecode into native machine instructions. It is the successor of Dalvik.

Dalvik Virtual Machine:

The Dalvik Virtual Machine (DVM) is a type of Java virtual machine responsible for power management and memory management. The Dalvik virtual machine runs only dex files, built from class files during compilation, to achieve better efficiency using few resources. It creates partitions in the virtual machine to provide security, isolation, memory management, and threading support simultaneously.

Core Java Libraries:

The core Java libraries differ from the Java Standard Edition and Java Micro Edition libraries, but provide almost all the functionality stated in the Java Standard Edition libraries.

Application Framework:

Android applications, in general, interact directly with these application framework blocks to manage basic mobile functions such as resource management and voice call management. Android developers use these tools as the base while developing applications.

Important blocks of the application framework are as follows:

 Package Manager: It tracks the APKs installed on the mobile device

 Activity Manager: It controls the life cycle of applications running on the device

 Content Providers: Content providers allow applications to share data with each other

 Telephony Manager: This block of the Application Framework controls/manages all the calls made from the device

 Location Manager: It manages the location of an Android device using GPS or cell towers

 Resource Manager: It manages the various types of resources used in applications, such as strings, color settings, and user interface layouts

 Notifications Manager: This block allows mobile device applications to display alerts and notifications on the screen

Applications

The Applications portion is the last stage of the Android architecture, which displays applications on the user screen. All the applications designed and developed fit into this portion. By default, this portion loads with some basic applications such as:

1 The Android Linux kernel component first calls the init process

2 The init process accesses the various processes and daemons, including init.rc; the one mostly known as zygote is started

3 The zygote process loads the core Java classes and performs the initial processing steps

4 After the initial load process, zygote idles on a socket and waits for

[Slide diagram labels: Applications, Servers, Services; Exec(), Fork(), Dalvik Specialization]

The init process is responsible for:

1 Mounting directories like /sys, /dev or /proc

2 Running the init.rc script located at <android source>/system/core/rootdir/init.rc

The init.rc script describes the system services, file system, and other parameters that need to be set up.

Step 5:

In Java, whenever a new app launches, a separate VM instance is created in memory. Therefore, if multiple applications launch at the same time, multiple Dalvik VM instances are created, resulting in extensive memory and time consumption.

To avoid this, Android implements a system termed "Zygote," which enables code sharing across the Dalvik virtual machine, resulting in low memory consumption and quick startup time. Zygote is a VM process that launches at system boot. It preloads and initializes the core library classes. Whenever a new app launches, Zygote forks a new virtual machine and runs the app in its sandboxed environment. It provides a pre-warmed virtual machine instance for each APK to run, thereby reducing the startup time.

In simple terms, the init process initializes the Zygote, which in turn initializes the Dalvik virtual machine.

Step 6:

On completion of step 5, the runtime requests Zygote to launch the system server, which initializes services such as the Power Manager, Battery Service, and Bluetooth Service. The system server is the first Java-based component to launch on the device during the bootup sequence.

The Android boot process completes only after all the services are up and running in the device memory; then, the system triggers an "ACTION_BOOT_COMPLETED" standard broadcast.

[Slide: the iPhone OS stack consists of four abstraction layers. Cocoa Touch: Map Kit, iAd, Game Kit, Events (Touch), View Controllers, and UIKit. Media (provides audio, video, animation, and graphics capabilities to the iPhone): Core Audio, Core Animation, AirPlay, Quartz (2D), Video Playback, Audio Recording, Audio Mixing, OpenAL, JPEG, PNG, TIFF, and PDF. Core Services (provides the foundation to the upper layers): Threading, File Access, Preferences, Collections (NSArray, NSDictionary, NSSet), Networking, Address Book, and High Level Features (iCloud, In-App Purchase, and SQLite). Core OS (provides low-level services): Security Framework, Accelerate FW, External Accessory FW, System (Threading, Networking, Filesystem Access, Standard I/O, Bonjour & DNS Services, Locale Information, and Memory Allocation)]

One of the salient features of the iOS architecture is that the OS never allows app developers direct access to any of the iPhone hardware. Apps interact with the device hardware only through intermediate software layers that sit between the applications and the hardware and provide a framework for application development. The iPhone operating system has four abstraction layers in its design, namely, the Core OS layer, Core Services layer, Media Services layer, and Cocoa Touch layer. The OS occupies 500 MB of iPhone storage and uses the Objective C language for coding.

Cocoa Touch Layer:

The Cocoa Touch layer is the first and topmost layer in the iOS architecture and contains some of the important frameworks related to applications. The most important framework among the available frameworks is UIKit. It defines simple application basics and offers advanced technologies such as multitasking and touch-based input.

Media Services Layer:

The Media Services layer mainly takes care of media files such as audio and video. It also handles important technologies such as OpenGL ES and OpenAL, Core Graphics, Core Media, and AV Foundation. It also contains the following frameworks:

 Assets Library Framework – to access photos and videos

 Core Image Framework – image manipulation

 Core Graphics Framework – 2D drawing

Core Services Layer:

The Core Services Layer is mainly responsible for managing the basic system services that an iOS application uses. The Cocoa Touch Layer mainly depends on this layer to offer better services while using applications. It offers services such as iCloud Storage, Grand Central Dispatch, Block Objects, and In-App Purchase. The Automatic Reference Counting feature is the latest in the Core Services Layer, and its main purpose is to simplify memory management in Objective C.

Core OS Layer:

The Core OS layer is the most important of all the layers since it provides the maximum features for the applications. It provides most of the frameworks needed by the applications for their accurate functionality. Applications access most of the low-level features using the "C"-based libSystem libraries, such as BSD sockets, POSIX threads, and DNS services.

The iPhone boot process consists of multiple boot stages. Each stage verifies the integrity and authenticity of the next stage

The normal booting process uses a built-in chain-of-trust mechanism that prevents lower level access to the iOS implementation layers

Device Firmware Upgrade (DFU) mode is used during a forensics investigation to gain lower level access to the device

Using this mode, the investigator can alter the boot sequence

The iPhone's normal boot process involves a series of RSA (RSA stands for Ron Rivest, Adi Shamir, and Leonard Adleman) signature checks across the stages BootROM, LLB, iBoot, and Kernel/NAND Flash root device.

In the normal boot process, the BootROM is the first stage in the iPhone; it holds all the root certificates that are used to check the next stage. The BootROM initializes some of the components and then checks the signature of the Low Level Bootloader (LLB). Upon successful verification, the BootROM loads the LLB. In the same way, the LLB checks the signature of iBoot (the stage-2 boot loader) and loads it upon successful verification. The same procedure applies to the next stages in the sequence, where iBoot checks the kernel and device tree signatures, while the kernel checks the signatures of all the user applications.

Unlike the normal booting process, forensic investigators use Device Firmware Upgrade (DFU) mode to gain a lower level of access to the device. Using this mode, the investigator can alter the boot sequence and perform a forensic examination on the device.

Normal Boot Process:

The BootROM starts the booting process. The LLB, the first level boot loader, is loaded after verification of its integrity and authenticity. The stage 2 bootloader iBoot starts after verification of its integrity and authenticity. The kernel and NAND flash are also loaded after verification of integrity and authenticity.

DFU Mode:

iBoot is not booted during the DFU mode boot sequence

[Slide diagram labels: Kernel + NAND Flash]

The iPhone operates in two modes, namely normal mode and DFU mode.

During normal booting, the device loads the Ramdisk into RAM along with the other required OS components. The complete process follows a chain of trust: if the first signature check allows loading the disk, then the remaining stages also allow loading, since each stage checks only the previous stage's signature instead of checking the Ramdisk signature.

In DFU (Device Firmware Upgrade) mode, the iPhone goes through the boot sequence with signature checks. Initially, the BootROM signature-checks iBSS/iBEC and the kernel. In turn, the kernel checks the Ramdisk. While the iOS update runs, the Ramdisk is loaded into RAM along with the other OS components. Blackhat experts discovered vulnerabilities in the BootROM. Using some of the tools, the BootROM signature check, and therefore all subsequent stages of signature verification, can be bypassed. The second hurdle in iOS booting is encryption. Encryption keys can be obtained using some of the jailbreaking tools.
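The chain-of-trust logic described above, as an added toy model that is not part of the EC-Council module: each stage embeds the public key used to verify the next stage, a failed check halts the boot, and the whole chain is only as trustworthy as the BootROM root key. It assumes textbook RSA over SHA-256 with fixed Mersenne primes (a constructed simplification, not Apple's actual scheme), and the stage names, payloads and keys are constructed for the demonstration.

```python
import hashlib
from dataclasses import dataclass

# Constructed demo keys: pairs of distinct Mersenne primes 2**a - 1.
# 65537 divides 2**k - 1 only when 32 | k, so e is coprime to every phi here.
E = 65537
MERSENNE_PAIRS = [(89, 107), (31, 61), (127, 19)]


def make_key(a, b):
    """Return (public modulus n, private exponent d) for textbook RSA."""
    p, q = 2 ** a - 1, 2 ** b - 1
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return n, d


KEYS = [make_key(a, b) for a, b in MERSENNE_PAIRS]  # KEYS[0] plays the BootROM root key
ROOT_N = KEYS[0][0]


def digest(data: bytes, n: int) -> int:
    """SHA-256 of the image, reduced into the modulus (toy simplification)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data: bytes, n: int, d: int) -> int:
    return pow(digest(data, n), d, n)


def verify(data: bytes, sig: int, n: int) -> bool:
    return pow(sig, E, n) == digest(data, n)


@dataclass
class Stage:
    name: str
    payload: bytes
    next_key: int      # modulus used to verify the following stage (0 if last)
    signature: int = 0

    def image(self) -> bytes:
        """Bytes covered by the signature: code plus the embedded next-stage key."""
        return b"|".join([self.name.encode(), self.payload,
                          self.next_key.to_bytes(32, "big")])


def build_chain(names, keys):
    """Stage i is signed with keys[i]; it embeds the public key for stage i+1."""
    stages = []
    for i, name in enumerate(names):
        next_n = keys[i + 1][0] if i + 1 < len(names) else 0
        st = Stage(name, f"{name} code".encode(), next_n)   # constructed payload
        st.signature = sign(st.image(), *keys[i])
        stages.append(st)
    return stages


def boot(root_n, stages):
    """Load stages in order; each is verified with the key the previous stage embedded.
    Returns (names loaded, status). A failed check halts the boot right there."""
    loaded, key = [], root_n          # BootROM's burned-in key anchors the chain
    for st in stages:
        if not verify(st.image(), st.signature, key):
            return loaded, f"{st.name}: signature check failed, boot halted"
        loaded.append(st.name)
        key = st.next_key
    return loaded, "boot complete"


NORMAL = ["LLB", "iBoot", "Kernel"]        # BootROM -> LLB -> iBoot -> Kernel
DFU = ["iBSS/iBEC", "Kernel", "Ramdisk"]   # BootROM -> iBSS/iBEC -> Kernel -> Ramdisk


def normal_boot():
    return boot(ROOT_N, build_chain(NORMAL, KEYS))


def dfu_boot():
    return boot(ROOT_N, build_chain(DFU, KEYS))


def tampered_iboot_boot():
    """A modified iBoot image fails LLB's check, so the kernel is never loaded."""
    stages = build_chain(NORMAL, KEYS)
    stages[1].payload = b"iBoot code (modified)"
    return boot(ROOT_N, stages)


def root_key_decides():
    """The same re-signed chain is rejected under the genuine root key but accepted
    if the anchor itself is replaced: every later check only trusts its predecessor."""
    foreign = build_chain(NORMAL, KEYS[::-1])
    return boot(ROOT_N, foreign), boot(KEYS[-1][0], foreign)


if __name__ == "__main__":
    for label, fn in [("normal", normal_boot), ("DFU", dfu_boot),
                      ("tampered iBoot", tampered_iboot_boot)]:
        print(label, fn())
    print("root key decides:", root_key_decides())
```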

Booting iPhone in DFU Mode

Turn the iPhone off

Connect the iPhone to a computer and launch iTunes

Hold down the sleep/power button and home button together for exactly 10 seconds, then release the power button

Continue to hold down the Home button until a message appears in iTunes saying that "iTunes has detected an iPhone in recovery mode"

The main reason for connecting the device in DFU mode is to change the firmware of the mobile phone. Using DFU mode, the user can downgrade the OS and firmware or use custom firmware. Generally, jailbreaking or SIM unlocking of devices uses this procedure.

The display turns completely OFF while running in DFU mode; this confirms that the mobile is connected in DFU mode. If any logo is displayed on the screen, the mobile is connected in the standard recovery mode instead; the user must then repeat the steps to connect the device in DFU mode. To exit DFU mode, the user must press and hold the Home and sleep/power buttons together while the device is connected.

Locations

[Slide: Internal Memory, where RAM, ROM or flash memory (NAND / NOR) is used to store the mobile phone's OS, applications and data; SIM Card, which stores personal information, address books, messages, and service-related information; External Memory, which stores personal information such as audio, video, images, etc.]

The possible locations in the mobile phone where investigators can find evidence are classified into three types of memory storage. In the early days of mobile forensics, evidence was associated only with SMS, MMS, contact lists, call logs, and IMEI/ESN information, but currently it is also associated with data stored in the following mobile storages. The investigator finds the mobile storage of a mobile phone in three locations:

Internal Phone Memory: It includes data stored in RAM, ROM, or flash memory. It stores the mobile phone's OS, applications, and data. The investigator can extract information from internal phone memory using AT commands with the help of a USB cable, infrared, or Bluetooth.

SIM Card Memory: It includes data stored in the SIM card memory. The SIM stores personal information, address books, messages, and service-related information.

External Memory: It includes data stored on SD cards, MiniSD cards, MicroSD cards, etc. It stores personal information such as audio, video, and images.

What Should You Do Before the Investigation?

[Slide: Build a Forensics Workstation; Build the Investigation Team; Review Policies and Laws; Risk Assessment; Notify Decision Makers and Acquire Authorization; Build a Mobile Forensics Toolkit]

Preparation takes many steps before starting an actual forensics investigation. The investigator needs to prepare and check several prerequisites, such as the availability of tools, reporting requirements, and legal clearances, in order to conduct a successful investigation. It is necessary to plan and consult with the concerned persons, which is required before, during, and after the investigation.

The investigator must follow these steps before performing a forensic investigation:

1 Build a Forensics Workstation

Investigators build forensic workstations to perform forensic investigation on mobile devices. The workstation includes hardware and software tools in the lab such as a laptop or desktop computer, USB connector, FireWire, mobile forensics toolkit, cables (including Bluetooth and IR), SIM card reader, and micro-SD memory card reader.

2 Build the Investigation Team

The investigation team consists of persons who have expertise in responding, seizing, collecting, and reporting evidence from mobile devices.

3 Review Policies and Laws

Before starting the investigation process, investigators need to understand the laws pertaining to the investigation. They must also be aware of the potential concerns associated with Federal laws, State statutes, and local policies and laws before beginning the investigation.

4 Notify Decision Makers and Acquire Authorization

Decision makers are the authorities who implement the policies and procedures for handling an incident. The decision maker must be notified for authorization when written incident response policies and procedures do not exist.

5 Risk Assessment

Risk assessment measures the risk associated with the mobile data, estimating the likelihood and impact of the risk. Risk assessment is an iterative process, and it assigns priorities for risk mitigation and implementation plans.

6 Build a Mobile Forensics Toolkit

Investigators require a collection of hardware and software tools to acquire data during the investigation. The investigator needs to use different tools to extract and analyze the data, depending on the make and model of the phone seized.

Build a Forensics Workstation

A laptop or a

desktop

computer

A USB (universal serial bus) connector

Mobile forensics toolkit

Cables (including FireWire, Bluetooth and IR)

Micro SD Memory card Reader

SIM card Reader

Build a mobile forensic workstation with the following equipment:

Mobile hardware toolkit (Eg: Pro Tech Toolkit)

Investigators should clearly define a forensic approach before building the forensic workstation. The workstation includes the hardware and software tools used in the lab.

A mobile forensic workstation is built with the following equipment:

- A laptop or a desktop computer: The forensic examiner requires a computer to retrieve, store, and process the information from the mobile phone.

- Mobile forensics toolkit: Forensic suites such as EnCase and FTK, together with the mobile-specific tools listed later in this module, facilitate forensic investigation and data recovery from mobile devices.

- Cables and wireless interfaces (including Bluetooth and IR): The investigator requires the supporting cables and, where the phone and tool support them, wireless links (Bluetooth, IR) that provide communication between the workstation and the device. Bluetooth and IR are wireless interfaces rather than cables; a direct cable connection is generally preferred where available, since it does not require pairing with the evidence device.

- Micro SD memory card reader: The forensic investigator requires an SD memory card reader (with a micro-SD option) to access the data from a memory card.

- SIM card reader: The SIM card reader is a small device used to access the information on a SIM card. The investigator carefully secures any SIM card found at the crime scene and uses a SIM card reader to access the information on it.

Build the Investigation Team

The investigation team plays a major role in solving a case. It should consist of persons who have expertise in responding to incidents and in seizing, collecting, and reporting the evidence from mobile devices. The investigation team includes the expert witness, evidence manager, evidence documenter, evidence examiner/investigator, attorney, photographer, incident responder, decision maker, and incident analyzer. This team is responsible for evaluating the crime, the evidence, and the suspects. Each team member is assigned a few specific tasks (roles and responsibilities), enabling the team to analyze the incident effectively.

The following are the key factors to consider when building an effective investigation team:

1. There is a wide range of mobile devices in use. Each team member should therefore have in-depth knowledge of the mobile devices under examination, their hardware architecture, OS, and mobile apps, in order to perform a forensic investigation on the device.

2. The investigation team should be aware of local laws and legal issues associated with mobile-related crime.

3. A forensic investigator should have the necessary clearance and authorization to conduct assigned tasks.

   a. The investigation team should be as small as possible to ensure confidentiality.

4. The team members should be identified, and each team member should be assigned a responsibility.

   a. One team member should be designated as the technical lead for the investigation.

Review Policies and Laws

- Review local laws that may influence the forensics investigation; investigators must follow a legally accepted forensics investigation process and create documentation accordingly.

- Review the organization's internal Bring Your Own Device (BYOD) and information security policies carefully when the investigation involves phones used for the organization's work, whether issued by the organization or personally owned under a BYOD arrangement; these policies determine what the organization is entitled to examine on the device.

Before beginning the investigation process, it is essential to understand the laws that pertain to the investigation, together with the internal policies of the organization. The investigators must also understand the potential concerns associated with Federal laws, State statutes, and local policies and laws.

The best practices in reviewing policies and laws include the following:

- Determine the extent of the authority to search: Since the incident can relate to confidential information, it is necessary to determine the limits of the investigation team's authority to search for evidence.

- Determine the legal authorities that perform an investigation: It is necessary to establish policies and procedures that address the privacy rights of employees, contractors, or any other personnel when determining the legal authorities.

- Consult a legal advisor on issues arising from any improper handling of the investigation: Not all actions performed during an investigation may be appropriate. If someone handles the evidence improperly, it is essential to consult a legal advisor.

- Ensure the customer's privacy and confidentiality: Organizations need to check or develop policies that ensure the customer's privacy and confidentiality.

Notify Decision Makers and Acquire Authorization

- Notify the decision makers of the need to obtain authorization.

- After obtaining the authorization, assess the situation and define the course of action.

Decision makers are the people who implement policies and procedures for handling an incident. The decision maker should be notified for authorization when written incident response policies and procedures are absent. Authorization is important for investigators to avoid legal issues arising during the investigation. After the authorization, the situation should be assessed and the course of action determined.

The best practices to obtain authorization and define the course of action are as follows:

- An authorized decision maker should be chosen to grant authorization for conducting the investigation.

- All events occurring and decisions taken at the time of the incident and during the incident response should be documented. Investigators can use these records in court proceedings and to determine the course of action.

- Unless national security or life-safety issues are involved, the first priority, within the scope of the incident, is to protect the organization from further harm.

- After securing the organization, services are reinstated and the investigation of the incident is carried out, taking care that evidence is preserved before any affected device or service is returned to use.

Risk Assessment

- Place the device in an isolation container properly; use the recommended isolation containers.

- Consider the power state of the mobile device seized. Expiration of the battery would be disastrous as important data may

- Handle and transport mobile devices carefully, as they are fragile and can be easily damaged.

Risk assessment measures the risk associated with the mobile data, estimating the likelihood and impact of each risk. It is an iterative process that assigns priorities for risk mitigation and implementation plans, and it helps determine the quantitative and qualitative value of the risk associated with the mobile device and its data. Risk assessment determines the kinds of risk present, their likelihood and severity, the priorities, and the plans for risk control. Security professionals conduct a risk assessment upon identifying the hazards and, if a control fails, in order to bring the risk under control immediately. Risk assessment helps senior management and decision makers in the organization devise appropriate risk mitigation strategies, and a proper risk assessment also helps minimize the impact of an incident.

Build a Mobile Forensics Toolkit

Investigators need a range of hardware and software tools to acquire data during the investigation. Depending upon the make and model of the phone seized, various tools are required to extract and analyze the data, so the mobile forensics toolkit varies with the make and model of the phone. The toolkit includes tools supporting the different types of mobile phones. If the investigators are familiar with the tools in the toolkit, they can respond quickly while investigating the incident. A well-assembled investigation toolkit not only reduces the risk of data being lost or damaged but also increases the chances of success.

The following are some of the tools a forensic investigator requires as part of the forensic toolkit:

Hardware Tools:

- Cellebrite UFED System
- Secure ViewKit for Forensics
- DS-Device Seizure & Toolbox
- USB reader for SIM cards
- iGo
- DC Lab Power Supply 0-15V/3A
- Digital Display with Backlight
- Paraben's Phone Recovery Stick

Software Tools:

- SEARCH Investigative Toolbar
- BitPim
- Oxygen Forensics Analyst
- Paraben's Sim Card Seizure
- MOBILedit! Forensic
- TULP2G
- iDEN Phonebook Manager
- SUMURI's PALADIN
- floAt's Mobile Agent
- XRY Logical & XRY Physical

[Figure: sources for a mobile phone acquisition. SIM data, service provider data, and phone memory data feed the forensics workstation, which produces the reports.]

A complete mobile phone acquisition and analysis should include extracting and analyzing data from various locations, such as the mobile phone memory and file system, the SIM card, and service provider data. Each of these locations may contain valuable information that the investigator can retrieve, and analyzing the data collected from all of them is useful in many ways.

For example, if a user deletes data such as SMS or call records from a mobile device to wipe out the evidence and the evidence is not recoverable from the device, the investigator can still retrieve the same information from the service provider data, typically the call detail records and message logs the carrier retains, which are subject to the carrier's retention period and are obtained through a legal request.

A forensic investigator needs to follow a proper forensic investigation process in order to successfully examine the evidence and retrieve deleted data. The process includes the following steps:

1. Collect and Preserve the Evidence
2. Document the Scene
3. Imaging and Profiling
4. Acquire and Analyze Information
5. Generate Report

Collect and Preserve the Evidence:

When a forensic investigator finds evidence at the crime scene, his/her primary task is to collect and preserve it so that the investigation can proceed.

The mobile device and any other evidence items in or around the crime scene should be collected. The make and model of the phone should be identified; this helps determine the tools and techniques used in the forensic analysis of that device. Once the device is seized, the investigator must preserve it to maintain the integrity of the evidence. One of the mobile preservation steps is to isolate the seized device from the cellular network (for example, in a Faraday bag), so that incoming traffic or a remote wipe command cannot alter its contents.

Document the Scene:

Documenting a scene plays a crucial role in the forensic investigation, since it creates a record of the crime scene. Documenting the scene refers to recording the following details:

1. Crime location

2. Power status of the evidence (ON/OFF)

Imaging and Profiling:

A forensic investigator should never perform the examination on the device itself. He/she has to create a forensic image of the device and then analyze the image as part of the investigation. Imaging is the process of creating a bit-by-bit copy of the device storage (a physical image) where the device and the tool support it; otherwise a file-system or logical extraction is taken. After creating the image, the forensic investigator examines the image and recovers the data stored in it.

Acquire and Analyze Information:

Once a forensic image is created, the next task of the investigator is to analyze the image using tools such as Forensic Explorer and Autopsy. The image contains all the data stored on the mobile device. Where the accused has deleted files on the device, the forensic tools examine the image file and may recover the deleted files (file carving), allowing the investigation to proceed.

Generate a Report:

This is the final phase in the mobile forensic process. The investigator must document all the evidence and findings obtained during the investigation and produce these reports in the court of law.
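The imaging and reporting steps above rely on being able to show later that the image that was analyzed is the image that was acquired. The following Python script is an added example, not part of the original module or of any vendor tool: it hashes an image file with SHA-256, records the hash together with the case details in a JSON manifest, and re-verifies the image against that manifest, so that a one-byte change to the image makes verification fail. The file names, case identifier and device details are made up for the demonstration, and `demo()` writes a 4 KiB constructed placeholder file in place of a real device image.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read images in 1 MiB chunks so multi-gigabyte files do not sit in memory


def sha256_file(path: str) -> str:
    """Return the hex SHA-256 digest of a file, streamed chunk by chunk."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(image_path: str, manifest_path: str, case_id: str, examiner: str, device: dict) -> dict:
    """Record the acquisition hash and context; this record travels with the chain-of-custody paperwork."""
    record = {
        "case_id": case_id,
        "examiner": examiner,
        "device": device,
        "image": os.path.basename(image_path),
        "size_bytes": os.path.getsize(image_path),
        "sha256": sha256_file(image_path),
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
    }
    with open(manifest_path, "w") as f:
        json.dump(record, f, indent=2)
    return record


def verify_image(image_path: str, manifest_path: str) -> bool:
    """True only if both the size and the SHA-256 of the image still match the manifest."""
    with open(manifest_path) as f:
        record = json.load(f)
    size_ok = os.path.getsize(image_path) == record["size_bytes"]
    hash_ok = sha256_file(image_path) == record["sha256"]
    return size_ok and hash_ok


def demo():
    """Constructed walk-through: acquire, verify, tamper with one byte, verify again.

    Returns (verified_before_tamper, verified_after_tamper, recorded_sha256).
    """
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "device.bin")
        manifest = os.path.join(workdir, "device.bin.manifest.json")
        # Placeholder content standing in for a device image (constructed, 4096 bytes)
        with open(image, "wb") as f:
            f.write(bytes(range(256)) * 16)
        # Hypothetical case details for the manifest
        record = write_manifest(image, manifest, "CASE-0001", "examiner",
                                {"make": "ExampleCo", "model": "X1", "imei": "490154203237518"})
        intact = verify_image(image, manifest)
        # Simulate an altered image: overwrite a single byte (offset 100 holds 0x64 in the sample)
        with open(image, "r+b") as f:
            f.seek(100)
            f.write(b"\x00")
        tampered = verify_image(image, manifest)
    return intact, tampered, record["sha256"]


if __name__ == "__main__":
    before, after, digest = demo()
    print(f"sha256={digest}\nverified before tamper: {before}\nverified after tamper: {after}")
```

In practice the acquisition tool's own hash and the verification hash computed on the workstation are both written into the report; a mismatch between them means the copy, not the analysis, has to be redone.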

Collect the Evidence

Evidence plays a significant role in the mobile forensics investigation process. It has to be collected carefully so that no evidence is lost or damaged. Digital evidence on mobile devices can be easily altered, deleted, or destroyed, so the investigator should collect the data without losing or tampering with it.

The following are the guidelines for collecting the evidence at a crime scene:

- Protect the integrity of traditional and electronic evidence
- Prevent unauthorized persons from entering the scene and touching the evidence
- Collect all the electronic devices found at the crime scene
- Check whether the mobile device is connected to a computer
- Confirm the power status of the device(s) by checking for flashing lights or an active display
- Collect non-electronic evidence such as written passwords, handwritten notes, and computer printouts

Document the Scene and Preserve the Evidence

The investigator should document the scene while examining it, for analysis and future reference, and preserve the evidence in order to protect its integrity. The following guidelines help the investigator document the scene and preserve the evidence appropriately:

1. Document all the electronic devices found at the crime scene
2. Take photographs of all evidence at the scene and write notes on what is seen on the screen
3. Document the state of the device during seizure
4. Document every activity performed on the electronic devices found at the crime scene

Acquisition

- Phone identification: Identify the brand, model, operating system, and the network service provider. This helps to choose an appropriate forensics tool for the data acquisition.

- Connection identification: Identify the type of connection used to connect to the forensics workstation. It may be a cable, Infrared, or Bluetooth; this depends upon the phone, the forensics tool, and the acquisition conditions.

- Tool selection: The tool should be usable, comprehensive, accurate, deterministic, and verifiable.

Acquisition consists of the following steps:

1. Phone Identification: Identify the phone by brand, model, and service provider. This helps the investigator choose the appropriate tool for the acquisition process. The investigator can obtain this information from the battery cavity, the SIM card, or the mobile phone board under the battery. The label under the battery contains the mobile phone model, type, code, IMEI, and FCC ID. On devices with a non-removable battery, the same identifiers are often printed on the SIM tray or the back of the device and on the retail box; they can also be displayed on the device (for example, dialing *#06# shows the IMEI), but doing so interacts with the evidence and must be documented.

2. Connection Identification: Connect the mobile phone to the forensic station through a cable, Infrared, or Bluetooth. Selection of the connection type depends on the phone, the tool used, and the acquisition conditions.

3. Tool Selection: Tool selection is a crucial part of the acquisition stage, since selecting the wrong tool can have serious consequences. The tool should be selected with the following considerations in mind:

- Usability: Presents useful data to the investigator
- Comprehensive: Presents all data on the device without missing any part
- Accuracy: Presents the highest quality output to the investigator
- Deterministic: Provides the same output for a given input and instructions
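Phone identification (step 1 above) usually means transcribing an IMEI from a label or an ICCID from a SIM card, and a single mis-read digit sends the examiner to the wrong make and model. The following Python code is an added example, not part of the original module or of any forensic tool: it validates a transcribed IMEI against its Luhn check digit, splits it into the 8-digit Type Allocation Code (TAC, which identifies the make and model) and the 6-digit serial number, and applies the same Luhn check to a SIM's ICCID. The sample IMEI 490154203237518 is the commonly published example value; the ICCID is a constructed number whose only property is a correct check digit. A passing check rules out transcription errors and nothing more: it does not prove the IMEI is genuine, since an IMEI can be reprogrammed, and a 16-digit IMEISV carries no check digit at all.

```python
import re
from typing import Tuple, Union


def luhn_check_digit(payload: str) -> str:
    """Return the Luhn check digit for a string of decimal digits (the number without its last digit)."""
    total = 0
    # Walk from the rightmost payload digit; every digit at an even offset from the right is doubled
    for offset, ch in enumerate(reversed(payload)):
        d = int(ch)
        if offset % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9  # equivalent to adding the two digits of the product
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True if the last digit of `number` is the Luhn check digit of the digits before it."""
    if not number.isdigit() or len(number) < 2:
        return False
    return luhn_check_digit(number[:-1]) == number[-1]


def _digits(value: str) -> str:
    # Labels and notes often carry spaces or hyphens (AA-BBBBBB-CCCCCC-D); strip them before checking
    return re.sub(r"[\s-]", "", value)


def validate_imei(imei: str) -> Tuple[bool, Union[str, dict]]:
    """Check a transcribed IMEI. Returns (True, fields) or (False, reason)."""
    digits = _digits(imei)
    if not re.fullmatch(r"\d{15}", digits):
        return False, "IMEI must be exactly 15 decimal digits (an IMEISV has 16 and no check digit)"
    if not luhn_valid(digits):
        return False, "Luhn check digit mismatch: re-read the label before looking up the TAC"
    return True, {
        "tac": digits[:8],       # Type Allocation Code: identifies make and model
        "serial": digits[8:14],  # per-unit serial number within that TAC
        "check": digits[14],
    }


def validate_iccid(iccid: str) -> Tuple[bool, Union[str, dict]]:
    """Check a transcribed SIM ICCID: starts with 89, 19 or 20 digits, Luhn check digit last."""
    digits = _digits(iccid)
    if not re.fullmatch(r"89\d{17,18}", digits):
        return False, "ICCID must start with 89 and be 19 or 20 digits long"
    if not luhn_valid(digits):
        return False, "Luhn check digit mismatch"
    return True, {"mii": digits[:2], "check": digits[-1]}


if __name__ == "__main__":
    print(validate_imei("49-015420-323751-8"))    # published example IMEI, as written on a label
    print(validate_imei("490154203237519"))       # last digit mis-read
    print(validate_iccid("8912345678901234562"))  # constructed ICCID with a correct check digit
```

The TAC returned for a valid IMEI is the value to look up in the GSMA device database when choosing the acquisition tool; the serial portion should be recorded in the notes but is not needed for tool selection.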

Preserve the Evidence

- The aim of the preservation step is to seize the suspect mobile phone and its associated peripherals without altering the data in it.

- It is the first step carried out prior to the actual investigation.

- It involves discovering, recognizing, documenting, and collecting the digital evidence obtained at the crime scene.

A forensic investigator should preserve the device properly in order to maintain the integrity of the evidence. The following are the guidelines to preserve the evidence:

- Preserve all the evidence and documents in a secure location
- Focus on hidden or trace evidence and take the necessary actions to preserve it
- Pack the electronic devices in antistatic packaging
- Make sure that all the containers that hold the evidence are labeled properly
- Keep electronic evidence away from magnetic sources while transporting it
- Store the evidence in a secure, climate-controlled area away from extreme temperature and humidity
- Maintain the chain of custody documents

Posted on: 14/09/2022, 16:02