Toriality's Blog

COMPUTER FORENSICS - 14

created_at:

June 4, 2024 at 5:35 PM

last_updated:

July 15, 2024 at 8:11 PM

COMPUTER FORENSICS STUDY - 14 SOURCES: INFOSECINSTITUTE.COM

THE MOBILE FORENSICS PROCESS

IMPORTANCE OF MOBILE FORENSICS

The term "mobile devices" encompasses a wide array of gadgets ranging from mobile phones, smartphones, tablets and GPS units to wearables and PDAs. What they all have in common is the fact that they contain a lot of user information.
Mobile devices sit right in the middle of three booming technological trends: the Internet of Things, cloud computing and big data. The proliferation of mobile technology is perhaps the main reason, or at least one of the main reasons, for these trends to occur in the first place. In 2015, there were 377.9 million wireless subscriber connections of smartphones, tablets and feature phones in the United States.
Nowadays, mobile device use is as pervasive as it is helpful, especially in the context of digital forensics, because these small-sized machines amass huge quantities of data on a daily basis, which can be extracted to facilitate an investigation. Being something like a digital extension of ourselves, these machines allow digital forensic investigators to glean a lot of information.

INFORMATION THAT RESIDES ON MOBILE DEVICES (A NON-EXHAUSTIVE LIST):

- Incoming, outgoing and missed call history

- Phonebook or contact list

- SMS text, application-based and multimedia messaging content

- Pictures, videos and audio files, and sometimes voicemail messages

- Internet browsing history, content, cookies, search history, analytics information

- To-do lists, notes, calendar entries, ringtones

- Documents, spreadsheets, presentation files and other user-created data

- Passwords, passcodes, swipe codes, user account credentials

- Historical geolocation data, cell tower related location data, Wi-Fi connection information

- User dictionary content

- Data from various installed apps

- System files, usage logs, error messages

- Deleted data from all of the above

    WHAT IS THE MOBILE FORENSICS PROCESS?

    Crimes do not happen in isolation from technological tendencies; therefore, mobile device forensics has become a significant part of digital forensics.

    Most people do not realize how complicated the mobile forensics process can be in reality. As mobile devices increasingly straddle professional and personal use, the stream of data pouring into them will continue to grow exponentially as well. Did you know that 33,500 reams of paper are the equivalent of 64 gigabytes if printed? A storage capacity of 64 GB is common for today's smartphones.

    Usually, the mobile forensics process is similar to those in other branches of digital forensics. Nevertheless, one should know that the mobile forensics process has its own particularities that need to be considered. Following the correct methodology and guidelines is a vital precondition for the examination of mobile devices to yield good results.

    STEPS IN THE MOBILE FORENSICS PROCESS

    SEIZURE

    Digital forensics operates on the principle that evidence should always be adequately preserved, processed and admissible in court of law. Some legal considerations go hand in hand with the confiscation of mobile devices.

    There are two major risks concerning this phase of the mobile forensics process: 1) lock activation (by the user, the suspect or an inadvertent third party) and 2) the network/cellular connection, over which the device can still receive commands, such as a remote wipe, that destroy or alter evidence.

    Network isolation is always advisable, and it can be achieved either through 1) airplane mode together with disabling Wi-Fi and hotspots, or 2) cloning the device's SIM card.

    Mobile devices are often seized switched on; and since the purpose of their confiscation is to preserve evidence, the best way to transport them is to attempt to keep them turned on to avoid a shutdown, which would inevitably alter files.

    A Faraday box/bag and an external power supply are common types of equipment for conducting mobile forensics. The former is a container specifically designed to isolate mobile devices from network communications and, at the same time, help with the safe transportation of evidence to the laboratory; the latter is a power source embedded inside the Faraday box/bag, needed because a shielded phone that keeps searching for a signal drains its battery quickly. Before putting the phone in the Faraday bag, disconnect it from the network, disable all network connections (Wi-Fi, GPS, hotspots, etc.) and activate flight mode to protect the integrity of the evidence.

    Last but not least, investigators should beware of mobile devices being connected to unknown incendiary devices, as well as any other booby trap set up to cause bodily harm or death to anyone at the crime scene.

    [Figures in the source article: airplane mode, phone jammer, Faraday bag]
      

    ACQUISITION

    IDENTIFICATION + EXTRACTION:

      The goal of this phase is to retrieve data from the mobile device. A locked screen can be unlocked with the right PIN, password, pattern or biometrics. (Note that biometric approaches, while convenient, are not always protected by the Fifth Amendment of the US Constitution: according to a ruling by the Virginia Circuit Court, passcodes are protected, fingerprints are not.) Similar lock measures may also exist on apps, images, SMSs or messengers. Encryption, on the other hand, provides security on a software and/or hardware level that is often impossible to circumvent.
      
      It is hard to be in control of data on mobile devices because the data is mobile as well. Once communications or files are sent from a smartphone, control is lost. Although there are different devices with the capability to store considerable amounts of data, the data itself may physically be in another location. To give an example, data synchronization among devices and applications can take place directly but also via the cloud. Services such as Apple's iCloud and Microsoft OneDrive are prevalent among mobile device users, which leaves open the possibility of acquiring data from there. For that reason, investigators should be attentive to any indications that data may transcend the mobile device as a physical object, because such an occurrence may affect the collection and even the preservation process.
      
      Since data is constantly being synchronized, hardware and software may be able to bridge the data gap. Consider Uber - it has both an app and a fully functional website. All the information that can be accessed through the Uber app on a phone may be pulled off the Uber website instead, or even the Uber software program installed on a computer.
      
      Regardless of the type of a device, identifying the location of the data can be further impeded due to the fragmentation of operating systems and item specifications. The open-source Android operating system alone comes in several different versions, and even Apple's iOS may vary from version to version.
      
      Another challenge that forensic experts need to overcome is the abundant and ever-changing landscape of mobile apps. Create a full list of all installed apps: some apps archive and back up data elsewhere.
      
      After one identifies the data source, the next step is to collect the information properly. There are certain unique challenges concerning gathering information in the context of mobile technology. Many mobile devices cannot be collected by creating an image and instead have to undergo a process called acquisition of data. There are various protocols for collecting data from mobile devices, as certain design specifications may only allow one type of acquisition.
      
      The examiner should make use of SIM card imaging, a procedure that recreates a replica image of the SIM card's content. As with other replicas, the original evidence remains intact while the replica image is used for analysis. All image files should be hashed to ensure the data remains accurate and unchanged, and the hash should be recorded at acquisition time and checked again before and after analysis.
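As an added example (not code from the source article), the hashing step above in Python: the image is streamed through MD5 and SHA-256, the digests are recorded in a JSON manifest beside the image, and the image is re-verified later. The SIM image it hashes is a few constructed bytes, the file and manifest names are placeholders, and the known-answer check uses the published digests of the string "abc" to validate the hashing code itself before it is trusted on evidence.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Stream size for hashing: mobile images run to tens of gigabytes, so never
# read them into memory in one go.
CHUNK = 1 << 20


def hash_file(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for a file, all digests in one streaming pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def write_manifest(image_path, manifest_path, note=""):
    """Record size and acquisition-time digests beside the image (the reference values)."""
    record = {
        "image": os.path.basename(image_path),
        "size": os.path.getsize(image_path),
        "hashes": hash_file(image_path),
        "note": note,
    }
    with open(manifest_path, "w") as fh:
        json.dump(record, fh, indent=2)
    return record


def verify_image(image_path, manifest_path):
    """Re-hash the image and compare with the manifest. Returns (ok, list_of_mismatches)."""
    with open(manifest_path) as fh:
        record = json.load(fh)
    mismatches = []
    if os.path.getsize(image_path) != record["size"]:
        mismatches.append("size")
    current = hash_file(image_path, tuple(record["hashes"]))
    mismatches += [a for a, d in record["hashes"].items() if current[a] != d]
    return (not mismatches, mismatches)


def known_answer_check():
    """Validate the hashing code against a published test vector (the bytes b'abc')."""
    with tempfile.TemporaryDirectory() as tmp:
        p = Path(tmp) / "abc.bin"
        p.write_bytes(b"abc")
        return hash_file(p)


def demo():
    """Constructed walk-through: hash a fake SIM image, verify it, tamper, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        image = Path(tmp) / "sim_card.bin"                # placeholder file name
        manifest = Path(tmp) / "sim_card.bin.manifest.json"
        # Constructed content for the example, not a real SIM dump.
        image.write_bytes(b"\x3f\x00" * 64 + b"ICCID:8900000000000000000" + b"\xff" * 1024)
        write_manifest(image, manifest, note="constructed SIM image for the example")
        clean_ok, _ = verify_image(image, manifest)
        # Flip one byte, as a write-enabled mount or a failing drive might.
        data = bytearray(image.read_bytes())
        data[200] ^= 0x01
        image.write_bytes(data)
        tampered_ok, bad = verify_image(image, manifest)
        return clean_ok, tampered_ok, bad


if __name__ == "__main__":
    print(known_answer_check())
    print(demo())
```

Record at least two digests: MD5 is still what many older reports and tools expect, but the SHA-2 digest is the one that actually resists a crafted collision. Keep the manifest with the chain-of-custody paperwork, and treat any mismatch, including a size mismatch, as a reason to stop and document before continuing.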
      

    EXAMINATION AND ANALYSIS

    As the first step of every digital investigation involving a mobile device (or devices), the forensic expert needs to identify:

      - Type of mobile device(s)
      
      - Type of network
      
      - Carrier
      
      - Service Provider (Reverse lookup)
      
      
    The examiner may need to use numerous forensic tools to acquire and analyze data residing in the device. Due to the sheer diversity of mobile devices, there is no one-size-fits-all forensic tool. Consequently, it is advisable to use more than one tool for examination and to cross-check their results against each other, since every tool's parsers have gaps. AccessData (FTK), The Sleuth Kit and EnCase are examples of such tools.

    NON-INVASIVE VS INVASIVE FORENSICS

    Whatever the actual mobile forensic method is, it is imperative to create a policy or plan for its execution and to follow all its steps meticulously and in the proper sequence. Not following the protocol may entail grave consequences. One should start with non-invasive forensic techniques first, as they endanger a device's integrity to a lesser degree. Be careful with built-in security features.


    NON-INVASIVE METHODS:

    The same non-invasive tooling can also deal with other tasks, such as unlocking the SIM lock and the operator lock, updating the operating system, modifying the IMEI number, etc. These techniques are virtually inapplicable in cases where the device has sustained severe physical damage. The types of non-invasive methods are:

    MANUAL EXTRACTION:

      The forensic examiner merely browses through the data using the mobile device's touchscreen or keypad. Information of interest discovered on the phone is documented photographically. This process of manual extraction is simple and applicable to almost every phone. While there are some tools designed to make this process easier, it is not possible to recover deleted data this way, and every tap risks changing the device's state, so each action should be logged.
      
      
    LOGICAL EXTRACTION:
      This approach involves establishing a connection between the mobile device and the forensic workstation using a USB cable, Bluetooth, infrared or an RJ-45 cable. After connecting, the computer sends command requests to the device, and the device sends back data from its memory. The majority of forensic tools support logical extraction, and the process itself requires only short-term training. On the downside, however, this technique may add data to the mobile device and may alter the integrity of the evidence. Also, because the device's operating system decides what to return, deleted data is rarely accessible.
      
      
    JTAG METHOD:
      JTAG is a non-invasive form of physical acquisition that can extract data from a mobile device even when the data is difficult to access through software avenues because the device is damaged, locked or encrypted. The device, however, must be at least partially functional (minor damage would not hinder this method).
      
      The process involves connecting to the Test Access Ports (TAPs) on a device and instructing the processor to transfer the raw data stored on the connected memory chips. This is a standard feature found in many mobile phone models, which provides mobile phone manufacturers a low-level interface outside the operating system. Digital forensic investigators take an interest in JTAG because it can, in theory, allow direct access to the mobile device's memory without jeopardizing it. Nevertheless, it is a labor-intensive, time-consuming procedure, and it requires advanced knowledge (not only of the JTAG pinout for the model of phone under investigation, but also of how to reassemble the resulting binary of the phone's memory structures).
      
      
    HEX DUMP:
      Similar to JTAG, hex dump is another method for the physical extraction of raw information stored in flash memory. It is performed by connecting the forensic workstation to the device and then loading unsigned code or a bootloader onto the device, which carries instructions to dump memory from the phone to the computer. The resulting image is fairly technical, in binary format, and requires a person with the technical education to analyze it. On the other hand, the examiner comes into possession of an abundant amount of data, since deleted data can be recovered, and the entire process is inexpensive.
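Both JTAG and hex dump deliver a raw image of the flash memory, and the reason deleted data comes back is that the raw image still contains bytes that no directory entry points to. The following added example (my own illustration, not code from the article or from any forensic tool) carves JPEG files out of a constructed raw dump by signature alone: one picture is still listed in a toy directory table, while the other's entry has been removed. The directory format, the offsets and the "pixel" contents are made up for the demo; a real file system would of course look different, but the carving logic is the same.

```python
import struct

JPEG_SOI = b"\xff\xd8\xff"        # start-of-image marker plus the first segment byte
JPEG_EOI = b"\xff\xd9"            # end-of-image marker

DIR_SIZE = 256                    # the toy directory table occupies the first 256 bytes
ENTRY = struct.Struct("<16sII")   # name, offset, length (made-up on-disk format)


def carve_jpegs(dump, max_size=8 * 1024 * 1024):
    """Recover JPEGs from a raw dump by signature alone, ignoring any file system.

    Returns [(offset, bytes)]. Because it scans every byte, it also finds files
    whose directory entries are gone, which a logical extraction cannot see.
    """
    found, pos = [], 0
    while True:
        start = dump.find(JPEG_SOI, pos)
        if start < 0:
            break
        end = dump.find(JPEG_EOI, start + len(JPEG_SOI), start + max_size)
        if end < 0:                   # header without a trailer in range: skip it
            pos = start + 1
            continue
        found.append((start, dump[start:end + len(JPEG_EOI)]))
        pos = end + len(JPEG_EOI)
    return found


def logical_listing(dump):
    """What a file-system (logical) view reports: only entries still in the table."""
    files = []
    for off in range(0, DIR_SIZE - ENTRY.size + 1, ENTRY.size):
        name, offset, length = ENTRY.unpack_from(dump, off)
        if offset == 0:               # an empty slot ends the table
            break
        files.append((name.rstrip(b"\x00").decode(), dump[offset:offset + length]))
    return files


def build_toy_dump():
    """Constructed raw flash image (not from any real device).

    photo1.jpg and notes.txt are listed in the directory; photo2.jpg's entry has
    been removed ("deleted"), but its bytes still sit in the data area.
    """
    photo1 = JPEG_SOI + b"\xe0" + b"P1 PIXELS" * 4 + JPEG_EOI
    photo2 = JPEG_SOI + b"\xe1" + b"P2 PIXELS" * 4 + JPEG_EOI
    notes = b"grocery list: milk, eggs"
    data_area = b"\x00" * 32 + photo1 + b"\xff" * 16 + photo2 + b"\xff" * 8 + notes
    entries = [
        (b"photo1.jpg", DIR_SIZE + 32, len(photo1)),
        (b"notes.txt", DIR_SIZE + len(data_area) - len(notes), len(notes)),
    ]
    table = b"".join(ENTRY.pack(*e) for e in entries).ljust(DIR_SIZE, b"\x00")
    return table + data_area


def demo():
    """(JPEGs visible through the directory, JPEGs carved from the raw image)."""
    dump = build_toy_dump()
    logical = sum(1 for name, _ in logical_listing(dump) if name.endswith(".jpg"))
    return logical, len(carve_jpegs(dump))


if __name__ == "__main__":
    print(demo())
```

The logical view reports one picture and the carver returns two. Signature carving is deliberately dumb: it does not know file sizes, so fragmented or partially overwritten files come back truncated or merged, which is why carved output needs validation (here, a decode attempt) before it is reported.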
      

    INVASIVE METHODS:

    Typically, they take longer and are more complex. In cases where the device is entirely non-functional due to severe damage, it is very likely that the only way to retrieve data from the device is to manually remove and image its flash memory chips. Even if the device is in good condition, circumstances may require the forensic expert to acquire the chip's contents physically.

    CHIP OFF:

      A process that refers to obtaining data straight from the mobile device's memory chip. At this level, the chip is detached from the device and a chip reader or a second phone is used to extract the data stored on the device under investigation. It should be noted that this method is technically challenging because of the wide variety of chip types on the mobile market. Also, the chip-off process is expensive, training is required, and the examiner must procure specific hardware to de-solder and heat the memory chip. The bits and bytes of raw information retrieved from the memory are still to be parsed, decoded and interpreted. Even the smallest mistake may damage the memory chip, which, in effect, would render the data irrevocably lost. Consequently, experts advise resorting to chip-off only when a) other methods of extraction have already been attempted, b) it is important to preserve the current state of the device's memory, or c) the memory chip is the only element in the mobile device that is not broken.
      
      The whole process consists of five stages:
      
          - Detect the memory chip typology of the device.
          
          - Physical extraction of the chip (i.e. by de-soldering it).
          
          - Interfacing of the chip using reading/programming software.
          
          - Reading and transferring data from the chip to a PC.
          
          - Interpretation of the acquired data (using reverse engineering).
          
      The last two phases coincide with those of the non-invasive methods. However, the phases of physical extraction and interfacing are critical to the outcome of the invasive analysis.
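A chip reader hands back the NAND pages exactly as they sit in silicon, with each page's spare (out-of-band) area attached, so the interpretation stage starts by stripping those spare bytes so that file system structures become contiguous again, and by noting which blocks the factory marked as bad. The added example below (mine, not from the article) does both for a constructed two-block dump. The 2048 + 64 byte page geometry, the 4 pages per block and the "OOB byte 0 of the first page is 0xFF when the block is good" convention are assumptions for the demo and must be checked against the datasheet of the actual chip.

```python
# Assumed geometry for the demo (typical large-page SLC NAND; check the datasheet).
PAGE_DATA = 2048        # user-data bytes per page
PAGE_OOB = 64           # spare bytes per page: ECC, bad-block marker, vendor metadata
PAGES_PER_BLOCK = 4     # kept tiny for the demo; real parts use 64 or 128


def strip_oob(raw, page_data=PAGE_DATA, page_oob=PAGE_OOB):
    """Split a raw chip-off dump into (data_only, oob_only) byte strings.

    Raises if the length is not a whole number of pages, which is the first sign
    that the geometry guess is wrong.
    """
    stride = page_data + page_oob
    if len(raw) % stride:
        raise ValueError("dump is not a whole number of %d-byte pages" % stride)
    offsets = range(0, len(raw), stride)
    data = b"".join(raw[o:o + page_data] for o in offsets)
    oob = b"".join(raw[o + page_data:o + stride] for o in offsets)
    return data, oob


def bad_blocks(oob, page_oob=PAGE_OOB, pages_per_block=PAGES_PER_BLOCK):
    """Indexes of blocks whose first page carries a factory bad-block mark.

    Assumed convention: OOB byte 0 of a block's first page is 0xFF for a good
    block and anything else for a bad one. Data in such blocks is untrustworthy.
    """
    block_oob = page_oob * pages_per_block
    return [i for i, o in enumerate(range(0, len(oob), block_oob)) if oob[o] != 0xFF]


def build_toy_dump():
    """Constructed raw dump, 2 blocks x 4 pages, laid out as a chip reader emits it."""
    # Constructed record, not real call-log data.
    marker = b"CALL LOG: 2024-06-04 17:35 +1-555-0100 missed"
    half = len(marker) // 2
    # The record straddles the boundary between page 0 and page 1, so in the raw
    # dump it is interrupted by page 0's 64 spare bytes.
    pages = [
        b"\x00" * (PAGE_DATA - half) + marker[:half],
        marker[half:] + b"\xff" * (PAGE_DATA - len(marker) + half),
    ]
    pages += [b"\xff" * PAGE_DATA] * (2 * PAGES_PER_BLOCK - 2)
    raw = b""
    for i, page in enumerate(pages):
        oob = bytearray(b"\xff" * PAGE_OOB)
        if i == PAGES_PER_BLOCK:        # first page of block 1: mark block 1 bad
            oob[0] = 0x00
        raw += page + bytes(oob)
    return raw, marker


def demo():
    """(record contiguous in raw dump?, contiguous after stripping?, bad blocks)."""
    raw, marker = build_toy_dump()
    data, oob = strip_oob(raw)
    return marker in raw, marker in data, bad_blocks(oob)


if __name__ == "__main__":
    print(demo())
```

Searching the raw dump for the record fails, searching the stripped data succeeds, and block 1 is reported bad. On a real chip the next steps are ECC verification using the spare bytes and, for eMMC or controller-managed parts, undoing the wear-levelling mapping before any file system parser will make sense of the image.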
      
      
    MICRO READ:
      This method refers to manually taking an all-around view through the lenses of an electron microscope and analyzing the data seen on the memory chip, more specifically the physical gates on the chip. In a nutshell, micro read is a method that demands the utmost level of expertise, is costly and time-consuming, and is reserved for serious national security cases.