Advanced Techniques in Forensic Examination of Smartphones
2010
Smartphone market growth
Data provided by FutureSource Consulting
The smartphone market is growing even while the general mobile phone market is falling
Smartphone is a small PC
Smartphone as: Cell phone
* - Usually these features are not utilized by smartphones
Smartphone as: Address book
Smartphone as: Planner
Smartphone as: Messenger
Smartphone as: GPS navigator
* - Available in EXIF header for many new models
** - Available in smartphones with Nokia LifeBlog application installed
Smartphone as: Web client
* - Available for some IM clients
Smartphone as: PC
There are 2 standard ways to get forensic information from smartphones: logical and physical analysis
Standard extraction methods
Logical analysis for smartphones
1) The information extracted by all logical protocols is only the tip of the iceberg
2) All logical protocols were developed for data synchronization
General phone information
Contacts*
Calendar
Notes
Calls history
Messages*
Files*
Settings*
Bookmarks
* - Available data set is restricted and depends highly on manufacturer implementation
Caller groups
Custom field labels
Speed dials
Messages from custom folders
Event log
Deleted messages information
Service center timestamps
GPS information
Location tagged data
Web browser data
IM client data
3rd party apps
Physical analysis for smartphones
How to deal with gigabytes of that?
Standard extraction methods: Summary
In 2002 Oxygen Software invented the 3rd way - analysis using a special agent application working inside smartphone OS
How to extract data without a headache?
Agent application usage
General phone information & SIM card data
Contacts with all fields and custom field labels
Caller groups & Speed dials
Event Log
Calendar events
Tasks & Notes
Messages from standard and custom folders
Deleted messages information
Service center timestamp
Camera snapshots, video clips and voice records
File system
GPS & Location tagged information
Web browser cache & bookmarks
IM clients data
3rd party applications with their information
- Protected operating system files
- Memory dump
Afraid of writing to device?
Comparison of phone content changes when performing analysis using different approaches
* - Extra sync add-ons installation may be needed to extract some additional information (e.g. MMS)
** - Agent does not generate any log files
Unlike the Agent, the SyncML server is not a forensically designed app and is not fully under the examiner's control. In addition, it makes more data modifications than the Agent.
Smartphones are a considerable part of the mobile device market
FutureSource Consulting forecasts that, between 2008 and 2013, annual sales of smartphones will rise by 95% to over 300 million. This will be around 37% of all new mobile phones, up from 13% in 2008.
Smartphones store much more important forensic information than plain cell phones
Being multiple-in-one devices with an OS that exposes an open API, smartphones are turning into small PCs with large memory, a wide set of preinstalled applications and a huge number of available 3rd party applications.
Standard extraction methods are less effective for smartphones
All logical protocols were developed for sync purposes, so they can extract only the tip of the iceberg. Physical analysis of gigabyte hex dumps takes a lot of time.
Agent application usage is the golden mean
The Agent application approach, introduced by Oxygen Software in 2002, almost achieves the completeness of data extracted by physical methods. At the same time it works via standard cables and adaptors and allows the extracted data to be presented in a readable, user-friendly format that is more typical of logical analysis.
Oxygen Forensic Suite 2010
www.oxygen-forensic.com
Oxygen Forensics for iPhone
www.iphone-forensics.com
+44 (0) 20 8133 8450 (UK) +1 877 9-OXYGEN (USA)
Oxygen Forensic Suite and Oxygen Forensic Suite 2010 are the trademarks of Oxygen Software.
Oxygen Software LLC was founded in 2000, and since then our business has been PC-to-mobile communication.
Interested in more details?
£899