Toriality's Blog

COMPUTER FORENSICS - 15

created_at:

June 4, 2024 at 5:35 PM

last_updated:

July 15, 2024 at 8:11 PM

COMPUTER FORENSICS STUDY - 15 SOURCES: INFOSECINSTITUTE.COM

MOBILE FORENSICS TOOLS & TECHNIQUES

INTRODUCTION

Data acquisition is the process of gathering information from mobile devices and their associated media. Acquiring the data early reduces the chance of losing it to damage or battery depletion during storage and transport. Identifying the device is the first step of the forensic examination: the examiner determines the type of phone, its operating system and other essential characteristics in order to choose an acquisition method that produces a legally defensible copy of the device's content.

HOW DO YOU GATHER DATA FROM MOBILE DEVICES?

The data can be gathered from mobile devices in two ways, namely, physical acquisition and logical acquisition.
PHYSICAL ACQUISITION:

    Also known as a physical memory dump, this technique captures all the data held on the flash memory chips of the mobile device, including unallocated space, so the forensic tool can collect remnants of deleted data. The acquired data is initially a raw binary image that cannot be read directly; it is then decoded (file system parsed, records carved) into a human-readable form.

LOGICAL ACQUISITION:

    Also called logical extraction, this technique extracts the files and folders that the device's operating system exposes, without any of the deleted data. Some vendors describe logical extraction more narrowly as the ability to gather a particular data type, such as pictures, call history, text messages, calendar entries, videos or ringtones. A software tool is used to copy the files; for example, an iTunes backup is a logical image of an iPhone or iPad.
    

WHAT DATA TYPES CAN YOU COLLECT FROM A MOBILE DEVICE?

CALL DETAIL RECORDS (CDRS):

    
    Service providers primarily use CDRs for billing and to monitor network performance, but they also provide useful information to investigators. A CDR can show:

        - Call start and end date/time

        - The originating and terminating cell towers

        - Whether the call was outgoing or incoming

        - Call duration

        - Who was called and who made the call

    Almost all service providers retain these records for a certain period. The forensic specialist can request them when required; however, obtaining them depends on the laws of the jurisdiction concerned, and these differ from state to state.
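The fields listed above are all an examiner needs to reconstruct a subscriber's activity. The following is an added example, not from the original notes or from any carrier's tooling: it parses a constructed CDR export (the CSV layout, numbers and tower IDs are invented for illustration; real carrier exports use their own field names) into a per-subscriber timeline and the sequence of towers the handset was seen on.

```python
"""Added example (not from the original notes): turning a raw call detail record
(CDR) export into a per-subscriber timeline and tower path. The CSV layout and
every value below are constructed for illustration; real carrier exports use
their own field names and formats."""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed sample export. One row per call, with the fields listed above.
SAMPLE_CDR = """\
start,end,caller,callee,orig_tower,term_tower
2024-06-04 21:02:10,2024-06-04 21:05:40,+15550001111,+15550002222,TWR-017,TWR-017
2024-06-04 21:31:05,2024-06-04 21:31:50,+15550003333,+15550001111,TWR-042,TWR-042
2024-06-04 22:10:00,2024-06-04 22:18:30,+15550001111,+15550004444,TWR-088,TWR-091
"""

FMT = "%Y-%m-%d %H:%M:%S"


@dataclass
class CallRecord:
    start: datetime
    end: datetime
    caller: str
    callee: str
    orig_tower: str  # tower serving the originating (calling) party
    term_tower: str  # tower serving the terminating (called) party

    @property
    def duration(self) -> timedelta:
        return self.end - self.start


def parse_cdrs(text: str) -> List[CallRecord]:
    """Parse the CSV export into records, rejecting rows that end before they start."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        rec = CallRecord(
            start=datetime.strptime(row["start"], FMT),
            end=datetime.strptime(row["end"], FMT),
            caller=row["caller"],
            callee=row["callee"],
            orig_tower=row["orig_tower"],
            term_tower=row["term_tower"],
        )
        if rec.end < rec.start:
            raise ValueError(f"malformed record, ends before it starts: {row}")
        records.append(rec)
    return records


def direction(rec: CallRecord, subscriber: str) -> str:
    """'outgoing' if the subscriber placed the call, 'incoming' if they received it."""
    if rec.caller == subscriber:
        return "outgoing"
    if rec.callee == subscriber:
        return "incoming"
    raise ValueError("subscriber is not a party to this call")


def serving_tower(rec: CallRecord, subscriber: str) -> str:
    """The tower that served the subscriber's handset during the call."""
    return rec.orig_tower if rec.caller == subscriber else rec.term_tower


def timeline(records: List[CallRecord], subscriber: str) -> List[Tuple[datetime, str, str, str, int]]:
    """Chronological (start, direction, other party, tower, seconds) rows for one subscriber."""
    rows = []
    for rec in sorted(records, key=lambda r: r.start):
        if subscriber not in (rec.caller, rec.callee):
            continue
        other = rec.callee if rec.caller == subscriber else rec.caller
        rows.append((rec.start, direction(rec, subscriber), other,
                     serving_tower(rec, subscriber), int(rec.duration.total_seconds())))
    return rows


def tower_path(records: List[CallRecord], subscriber: str) -> List[str]:
    """Sequence of distinct towers the subscriber was seen on, in time order."""
    path: List[str] = []
    for _, _, _, tower, _ in timeline(records, subscriber):
        if not path or path[-1] != tower:
            path.append(tower)
    return path


if __name__ == "__main__":
    recs = parse_cdrs(SAMPLE_CDR)
    for row in timeline(recs, "+15550001111"):
        print(*row)
    print("tower path:", " -> ".join(tower_path(recs, "+15550001111")))
```

Note that the tower recorded for the subscriber depends on which side of the call they were on: the originating tower for calls they placed, the terminating tower for calls they received. Mixing the two columns up is a common error when building movement timelines by hand.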
    
GLOBAL POSITIONING SYSTEM (GPS):

    
GPS data is an excellent source of empirical evidence. If the suspect carried an active mobile device at the crime scene, its location history can place the device there at the relevant time and can trace its movements from the crime scene to a hideout. Location data is also embedded in other artifacts, such as geotagged photos (EXIF) and location records kept by some apps, which helps correlate them with call logs and SMS messages. The GPS constellation is designed around 24 operational satellites, with additional spares in orbit.
    
APP DATA:

    
Many apps store and access data the user is not aware of. Apps request permissions, at install time or at runtime, to access device data: a photo or video editing app requests access to media files and the camera, while a navigation app requests access to GPS location. The data such apps store locally can be a primary source of evidence in court.
    
SMS:

    
Text messaging is a widely used way of communicating. Text messages leave electronic records of a dialogue that can be presented in court as evidence. They include relevant information such as:
    
        - Date and time of each message
        
        - Phone number of sender and receiver
    
PHOTO AND VIDEOS AS EVIDENCE:
    
    They can be a tremendous source of evidence, but establishing their relevance to the crime and authenticating them (for example through metadata such as EXIF timestamps and location, and cryptographic hashes of the files) is crucial.
    

WHAT TOOLS & TECHNIQUES ARE COMMONLY USED?

The two most common techniques are physical and logical extraction. Physical extraction is done through JTAG or a cable connection, whereas logical extraction occurs via Bluetooth, infrared or a cable connection.
There are various types of tools available for mobile forensic purposes. They can be categorized as open source, commercial and non-forensic tools. Both non-forensic and forensic tools frequently use the same techniques and protocols to interact with a mobile device.
TOOLS CLASSIFICATION SYSTEM:

    
    Forensic analysts must understand the several types of forensic tools. The tools classification system offers a framework for comparing the acquisition techniques that different forensic tools use to capture data. It is usually drawn as a pyramid of five levels, from least to most technical and invasive: manual extraction, logical extraction, hex dump (physical extraction), chip-off and micro read. Each higher level yields more data but demands more expertise, more time and a greater risk of damaging the device.
    
    [Figure: tools classification pyramid] https://mk0resourcesinfm536w.kinstacdn.com/wp-content/uploads/1-90.png
    
MANUAL EXTRACTION:

    
    The manual extraction technique allows investigators to extract and view data through the device's touchscreen or keypad. The data is then documented photographically. Manual extraction is time-consuming and carries a high probability of human error: for example, data may be accidentally deleted or modified during the examination.

    Popular tools for manual extraction include:
    
        - Project A-Phone
        
        - Fernico ZRT 
        
        - EDEC Eclipse
        
LOGICAL EXTRACTION:

    
In this technique, the investigators connect the cellular device to a forensic workstation or hardware via Bluetooth, infrared, an RJ-45 cable or a USB cable. The workstation, using a logical extraction tool, sends a series of commands to the mobile device. As a result, the requested data is read from the phone's memory and sent back to the forensic workstation for analysis. Tools used for logical extraction include:
    
        - XRY Logical
        
        - Oxygen Forensic Suite
        
        - Lantern
        
HEX DUMP:

    
Hex dump, also called physical extraction, extracts a raw image of the device's memory in binary format. The forensic specialist connects the device to a forensic workstation and pushes a boot loader onto the device, which instructs the device to dump its memory to the computer. This process is cost-effective and supplies more information to the investigators, including deleted files and unallocated space that can be recovered from the image. Common tools used for hex dump include:
    
        - XACT
        
        - Cellebrite UFED Physical Analyzer
        
        - Pandora's Box
        
CHIP OFF:

    
The chip-off technique allows examiners to extract data directly from the flash memory of the cellular device. They physically remove (desolder) the phone's memory chip and read it in a chip reader to create its binary image. This process is costly and requires ample knowledge of hardware. Improper handling may physically damage the chip and render the data impossible to retrieve. Popular tools and equipment used for chip-off include:
    
        - iSeassamo Phone Opening Tool
        
        - Xytronic 988D Solder Rework Station
        
        - FEITA Digital Inspection Station
        
        - Chip Epoxy Glue Remover
        
        - Circuit Board Holder
        
MICRO READ:

    
This process involves reading data from the physical structure of the memory chip itself. The investigators use a high-powered electron microscope to observe the physical gates on the chip, convert the observed gate states into 1s and 0s, and then reassemble those bits into bytes and data. This process is expensive and time-consuming, and it requires ample knowledge of hardware and file systems. At the time the source was written (2014), no tool was available for micro read.
    

EVIDENCE ACQUISITION IN MOBILE FORENSICS

TYPES OF EVIDENCE ACQUISITION

There are several methods that forensic specialists can employ when trying to acquire evidence from a device, but the most prominently used methods of data acquisition are:

    
  • Manual

  • Logical

  • File System

  • Physical

  • Brute force

    MANUAL DATA ACQUISITION:

    Manual data acquisition is used when a mobile device is functional and is neither encrypted nor physically damaged. Since the device can be navigated via its graphical user interface (GUI), no special software or hardware tools are required. Content such as pictures, documents, call records or any other data and features can be viewed by the investigator. In many cases, screenshots will be captured from the device, either with a digital camera or through a video adapter onto an external screen with image-capturing software.

    This is not necessarily a comprehensive method of acquisition, as data that the device's operating system does not display will not be accessible to the investigator. Deleted items are also unrecoverable at this level, meaning that other, more technical methods need to be employed if that becomes a requirement. Whenever an investigator operates the mobile device in this manner, there is a risk of compromising data by inadvertently deleting files or modifying time stamps (opening an unread message, for instance, changes its read status).

    Another critical factor is the time-consuming nature of manual data acquisition: the investigator has to sift through potentially large stores of data and capture a screenshot of each item entered into evidence. In cases where there are several hundred pictures, emails or messages, it quickly becomes clear that a great deal of time is required to complete any meaningful investigation. For those reasons, a forensic investigator may use this method only as a last resort, when all other avenues have been exhausted.

    LOGICAL DATA ACQUISITION:

    This method involves connecting the mobile device to the forensic investigator's workstation via a wired USB or RS-232 connection. Wireless connections such as Wi-Fi, IrDA (infrared) or Bluetooth can also be used, depending on the requirements of the investigator and the capabilities or limitations of the device being examined. Each connection type uses its own communications protocol and may package the data differently when transferring it from the device.

    Each mobile operating system has an associated SDK that forensic investigators keep loaded on their workstations. The SDK provides manufacturer-level access to the mobile device's hardware and software, because it interacts natively with the device's API (application programming interface); this means the device will respond to commands issued remotely from the forensic workstation (for Android, through the adb tool that ships with the SDK).

    This method is especially useful if SMS, MMS and call histories need to be examined. The investigator can install OS-specific forensic agents on the device and run queries that do not alter the device's file structure, producing forensic reports in many formats, such as CSV or XLS documents. These are human-readable and an excellent source of information. Where SMS or text messaging data needs to be examined, the report fields can include time sent, time received, status (read or unread), message size, message content, protocol and much more. The forensic application can then be removed without affecting the integrity of the mobile device once the assessment has been completed. One big disadvantage of this method is that deleted files are usually not recoverable.

    FILE SYSTEM DATA ACQUISITION:

    This is a good method for recovering deleted files from a mobile device. On many digital systems, a file that has been deleted usually hasn't been erased at all; instead, its storage has been flagged as free so the system can safely overwrite it. When that overwrite happens depends on many factors, the main ones being how much data has been written to the device since the file's deletion and whether the flagged space lies in an area of storage where writing activity is more likely to occur.

    Both Android and iOS store much of their application data (messages, call logs, browser history, contacts) in SQLite databases, and a file system acquisition copies those database files in full rather than only the records the app exposes. When a record is deleted, SQLite normally only marks its space as free (unless the secure_delete option is enabled), so the record's bytes remain in the file's free space and freelist pages until that space is reused. If forensic investigators can obtain the database file, they can potentially carve these deleted records, such as browser history, pictures, messages and other items of interest, for further investigation.
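The recovery of a deleted SQLite record from the raw database file, as an added example that is not part of the original notes and not any forensic vendor's code. The message table, numbers and texts are constructed here (real Android and iOS message stores use different schemas); the example builds the database once with SQLite's default behaviour and once with secure_delete turned on, deletes one row, and then scans the file bytes rather than querying the live table.

```python
"""Added example (not from the original notes): recovering a deleted SMS row
from free space inside an SQLite database file. The schema, numbers and message
bodies are constructed; real message stores differ."""
import os
import re
import sqlite3
import tempfile
from typing import List

LIVE_BODY = "see you at the usual place tonight"
DELETED_BODY = "bring the second bag to the warehouse"


def build_sample_db(secure_delete: bool) -> str:
    """Create a small message store, then delete one row; return the file path.

    secure_delete=False mimics the common default: SQLite only marks the freed
    cell as a free block and leaves its bytes in place.
    secure_delete=True makes SQLite zero the freed bytes on deletion.
    """
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA journal_mode = DELETE")  # keep all pages in the main file (no WAL)
    conn.execute(f"PRAGMA secure_delete = {'ON' if secure_delete else 'OFF'}")
    conn.execute(
        "CREATE TABLE sms (id INTEGER PRIMARY KEY, address TEXT, date INTEGER, body TEXT)"
    )
    conn.executemany(
        "INSERT INTO sms (address, date, body) VALUES (?, ?, ?)",
        [
            ("+15550001111", 1717520000000, LIVE_BODY),
            ("+15550002222", 1717523600000, DELETED_BODY),
            ("+15550003333", 1717527200000, "ok, on my way"),
        ],
    )
    conn.commit()
    conn.execute("DELETE FROM sms WHERE body = ?", (DELETED_BODY,))
    conn.commit()
    conn.close()
    return path


def live_bodies(path: str) -> List[str]:
    """What a logical extraction sees: only rows the database still reports."""
    conn = sqlite3.connect(path)
    try:
        return [row[0] for row in conn.execute("SELECT body FROM sms")]
    finally:
        conn.close()


def carve_text(path: str, min_len: int = 8) -> List[str]:
    """What a file system / physical extraction allows: scan the raw file bytes,
    free blocks included, for runs of printable ASCII."""
    with open(path, "rb") as fh:
        data = fh.read()
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def classify(path: str, needle: str) -> str:
    """Report where (if anywhere) a message text can still be found."""
    if needle in live_bodies(path):
        return "live"
    if any(needle in chunk for chunk in carve_text(path)):
        return "deleted-but-recoverable"
    return "not-found"


if __name__ == "__main__":
    for secure in (False, True):
        db = build_sample_db(secure_delete=secure)
        print(f"secure_delete={secure}: live={classify(db, LIVE_BODY)}, "
              f"deleted={classify(db, DELETED_BODY)}")
```

Run it and the deleted message is reported as recoverable from the first database but absent from the second, which is the practical reason the source stresses that a logical extraction misses deleted data while a file system or physical one may not. Real tools parse the SQLite page structure (free blocks, freelist pages, unallocated space) rather than carving printable strings, but the property they rely on is the one shown here.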

    PHYSICAL DATA ACQUISITION:

    This is a bit-by-bit copy, or clone, of the mobile device's storage, including the file system, directory structure and unallocated space. It can be thought of as the equivalent of imaging a normal computer's hard drive. Once the data has been copied, it can be indexed by specialized tools. For instance, if instant messages are of interest to an investigator, such tools can compile the messages from different instant messenger applications into one ordered list for the investigator to search.

    This method is advantageous because the risk of compromising data integrity can be avoided by using a write blocker on the interface used for the copy. Some finer details still need attention. Where the state of a message (read or unread) needs to be established, the investigator must ensure that the copy method will not alter that flag, and that the forensic tool used to compile and display the message also preserves it.

    Another critical factor is the time stamps of the files in question. They should all match the time stamps on the mobile device and not be altered by the copy process or the forensic tool being used. Problems arise when the date and time of the copy process replace the original time stamps of the device under examination, which can seriously impede a forensic investigation.
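Two checks an examiner applies to a physical copy, as an added example that is not part of the original notes and not any imaging product's code: the copy hashes identical to the source, and the file time stamps survived the copy. The "device image" is a constructed byte pattern written to a temporary file, and Python's shutil functions stand in for an imager (shutil.copyfile copies only data; shutil.copy2 also copies metadata), so the second run shows exactly the time stamp clobbering the paragraph above warns about.

```python
"""Added example (not from the original notes): verifying a copied image by
hash and checking that the original modification time survived the copy.
The source image is constructed; shutil stands in for a forensic imager."""
import hashlib
import os
import shutil
import tempfile
import time

CHUNK = 1 << 20  # hash in 1 MiB pieces so large images need not fit in memory


def sha256_of(path: str) -> str:
    """Stream the file through SHA-256 and return the hex digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def make_source_image() -> str:
    """Write a constructed 'acquired image' whose mtime is set 90 days in the past."""
    directory = tempfile.mkdtemp(prefix="acq-")
    src = os.path.join(directory, "device.img")
    with open(src, "wb") as fh:
        fh.write(b"\x00" * 4096)                        # unallocated space
        fh.write(b"deleted note: meet at pier 4\n")     # a remnant an examiner would want
        fh.write(bytes(range(256)) * 8)                 # arbitrary allocated data
    ninety_days_ago = time.time() - 90 * 86400
    os.utime(src, (ninety_days_ago, ninety_days_ago))
    return src


def copy_image(src: str, preserve_metadata: bool) -> str:
    """Copy the image; preserve_metadata selects copy2 (keeps time stamps) over copyfile."""
    dst = src + (".copy2" if preserve_metadata else ".copy")
    if preserve_metadata:
        shutil.copy2(src, dst)
    else:
        shutil.copyfile(src, dst)
    return dst


def verify_copy(src: str, dst: str) -> dict:
    """Report whether the copy is bit-identical and whether mtime was carried over."""
    return {
        "sha256": sha256_of(dst),
        "hash_match": sha256_of(src) == sha256_of(dst),
        "mtime_preserved": int(os.stat(src).st_mtime) == int(os.stat(dst).st_mtime),
    }


if __name__ == "__main__":
    source = make_source_image()
    for keep in (True, False):
        print("preserve_metadata =", keep, verify_copy(source, copy_image(source, keep)))
```

Both copies hash identically, so a hash check alone would pass the metadata-losing copy; the time stamp comparison is the check that catches it. In practice the hash of the source is recorded in the chain-of-custody notes before any copy is made, and every later copy is verified against that value.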

    BRUTE FORCE DATA ACQUISITION:

    This method refers to "brute forcing" a passcode or password and is usually quite successful where the passcode is drawn from a small keyspace. Many phones use a four-digit PIN ranging from 0000 to 9999, which gives only 10,000 possible combinations for the forensic investigator to try. Most mobile devices, however, have a safety feature that locks (or wipes) the phone after a threshold of failed attempts has been exceeded, so guessing at the device's own prompt is not viable. Brute forcing a phone's passcode can succeed in some instances, but an investigator should only use tools that are identified as legal and whose results are admissible in court.

    The device is connected to the investigator's workstation and booted into its boot loader or an equivalent mode. An application on the workstation will then either mount the mobile device's file system, locate the file holding the passcode verifier and attack it offline, or temporarily load a custom boot ROM onto the mobile device and use the device's own CPU to perform the attack. In either case this does not take very long, as the CPU can handle many attempts per second; depending on a few factors it could be as quick as a few minutes, or take up to a few hours.

    Once the correct combination has been found, the four-digit PIN is displayed in the brute force application's prompt, and the investigator can attempt to unlock the phone with it, provided that doing so has been deemed safe.
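The difference between guessing at the lock screen and attacking an extracted verifier, as an added example that is not part of the original notes and not any unlocking product's code. The handset's passcode check is modelled as a salted PBKDF2-HMAC-SHA256 verifier (an assumption; real devices derive keys inside hardware with a far higher cost per guess), the iteration count is deliberately low so the whole four-digit keyspace runs in seconds, and the lockout counter is modelled so the two approaches can be compared on the same verifier.

```python
"""Added example (not from the original notes): why a 4-digit PIN falls to an
offline attack while on-device guessing does not. The verifier (salted
PBKDF2-HMAC-SHA256) and the lockout counter are assumptions made for the demo."""
import hashlib
import itertools
import os
import time
from typing import Iterator, Optional

ITERATIONS = 500  # assumption for the demo; production verifiers use far more


def derive(pin: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch the PIN into the verifier the device compares against."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode("ascii"), salt, iterations)


def enroll(pin: str, salt: Optional[bytes] = None) -> dict:
    """What would be stored on the device: a random salt and the derived verifier."""
    salt = salt if salt is not None else os.urandom(16)
    return {"salt": salt, "verifier": derive(pin, salt)}


def candidates(digits: int) -> Iterator[str]:
    """Every numeric PIN of the given length, 0000... first."""
    for combo in itertools.product("0123456789", repeat=digits):
        yield "".join(combo)


def brute_force_on_device(record: dict, max_attempts: int = 10, digits: int = 4) -> dict:
    """Guess at the device's own prompt: the lockout counter stops the attack early."""
    attempts = 0
    for pin in candidates(digits):
        attempts += 1
        if derive(pin, record["salt"]) == record["verifier"]:
            return {"pin": pin, "attempts": attempts, "locked": False}
        if attempts >= max_attempts:
            return {"pin": None, "attempts": attempts, "locked": True}
    return {"pin": None, "attempts": attempts, "locked": False}


def brute_force_offline(record: dict, digits: int = 4) -> dict:
    """Attack an extracted verifier: no lockout, so the whole keyspace is available."""
    salt, verifier = record["salt"], record["verifier"]
    attempts = 0
    for pin in candidates(digits):
        attempts += 1
        if derive(pin, salt) == verifier:
            return {"pin": pin, "attempts": attempts}
    return {"pin": None, "attempts": attempts}


def measured_rate(salt: bytes, samples: int = 200) -> float:
    """Guesses per second on this machine for the chosen iteration count."""
    started = time.perf_counter()
    for i in range(samples):
        derive(f"{i:04d}", salt)
    return samples / (time.perf_counter() - started)


def worst_case_seconds(rate: float, digits: int = 4) -> float:
    """Time to exhaust a numeric keyspace of the given length at the measured rate."""
    return 10 ** digits / rate


if __name__ == "__main__":
    record = enroll("4821")
    print("on-device:", brute_force_on_device(record))
    print("offline:  ", brute_force_offline(record))
    rate = measured_rate(record["salt"])
    print(f"{rate:.0f} guesses/s: 4 digits in at most {worst_case_seconds(rate):.1f} s, "
          f"6 digits in at most {worst_case_seconds(rate, 6) / 60:.1f} min")
```

The on-device run stops after the configured number of failures with the PIN still unknown, while the offline run walks the keyspace until it hits the right PIN. The final line shows why the source's "minutes to hours" estimate is driven by the cost of one guess: the keyspace is fixed at 10^digits, so the only lever the defender has is making each derivation slow or binding it to hardware that enforces the attempt counter.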

DEVICE HARDWARE AND OPERATING SYSTEMS

SIM CARDS

When carrying out a forensic examination of a GSM mobile device, it is important to investigate the contents of its associated Subscriber Identity Module (SIM) card. A SIM card consists of a microprocessor and an Electrically Erasable Programmable Read-Only Memory (EEPROM), historically 16 KB to 4 MB in size, with high-capacity cards reaching 1 GB. Some mobile devices feature dual SIM slots, which doubles the amount of SIM data to examine. SIM cards may contain important pieces of information for forensic analysis, such as the subscriber identity (IMSI), the card serial number (ICCID), stored contacts and stored SMS. Additionally, many mobile devices leave useful remnants of files when users delete data from SIM cards.
    
SIM cards feature a relatively straightforward, hierarchical data storage structure. There is one Master File (MF) on the card, the root, which includes references to all other files on the same card. Dedicated Files (DFs) act as directories and Elementary Files (EFs) hold the actual data. Each file is addressed by a unique 2-byte hexadecimal identifier, and the first byte indicates the file's type and position in the hierarchy: 3F for the Master File (3F00), 7F for a Dedicated File (for example 7F20, DF_GSM) and 2F or 6F for an Elementary File (2FE2, EF_ICCID, sits directly under the MF; 6F07, EF_IMSI, sits under DF_GSM).
    
[Figure: SIM card file hierarchy] https://mk0resourcesinfm536w.kinstacdn.com/wp-content/uploads/1-89.png
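The SIM addressing scheme in code, as an added example that is not part of the original notes and not taken from any SIM reader tool: it classifies 2-byte file identifiers by their first byte, renders a selection path, and decodes two elementary files from raw bytes using the swapped-nibble BCD layout that GSM 11.11 / 3GPP TS 51.011 specify for EF_ICCID and EF_IMSI. The file identifiers and layouts are the standard ones; the EF contents below are constructed sample values, not read from a real card.

```python
"""Added example (not from the original notes): interpreting SIM file
identifiers and decoding EF_ICCID and EF_IMSI. Identifiers and layouts follow
GSM 11.11 / TS 51.011; the sample EF contents are constructed."""
from typing import List, Optional, Tuple

# The first byte of a file ID encodes the file type and its depth in the tree.
FILE_TYPE_BY_FIRST_BYTE = {
    0x3F: "MF",
    0x7F: "DF (first level)",
    0x5F: "DF (second level)",
    0x2F: "EF under the MF",
    0x6F: "EF under a first-level DF",
    0x4F: "EF under a second-level DF",
}

# A few identifiers every GSM examiner meets.
KNOWN_FILES = {
    0x3F00: "MF",
    0x7F10: "DF_TELECOM",
    0x7F20: "DF_GSM",
    0x2FE2: "EF_ICCID",
    0x6F07: "EF_IMSI",
    0x6F3A: "EF_ADN (abbreviated dialling numbers)",
    0x6F3C: "EF_SMS",
}

# Constructed sample contents (not from a real card).
SAMPLE_ICCID = bytes.fromhex("981062103254769810F2")  # ICCID 8901260123456789012
SAMPLE_IMSI = bytes.fromhex("083901511032547698")     # IMSI 310150123456789


def describe_file_id(fid: int) -> Tuple[str, Optional[str]]:
    """Return (file type derived from the first byte, well-known name if any)."""
    return FILE_TYPE_BY_FIRST_BYTE.get(fid >> 8, "unknown"), KNOWN_FILES.get(fid)


def describe_path(path: List[int]) -> str:
    """Render a selection path such as MF -> DF_GSM -> EF_IMSI."""
    parts = []
    for fid in path:
        ftype, name = describe_file_id(fid)
        parts.append(f"{fid:04X} ({name or ftype})")
    return " -> ".join(parts)


def decode_swapped_bcd(data: bytes) -> str:
    """One digit per nibble, low nibble first within each byte; 0xF is padding."""
    digits = []
    for byte in data:
        for nibble in (byte & 0x0F, byte >> 4):
            if nibble != 0x0F:
                digits.append(str(nibble))
    return "".join(digits)


def decode_iccid(raw: bytes) -> str:
    """EF_ICCID (2FE2): 10 bytes of swapped BCD, F-padded at the end."""
    return decode_swapped_bcd(raw[:10])


def decode_imsi(raw: bytes) -> str:
    """EF_IMSI (6F07): a length byte, then up to 8 data bytes. In the first data
    byte the high nibble is digit 1 and the low nibble holds flags (bit 4 set
    means an odd number of digits); the remaining digits follow in swapped BCD."""
    length = raw[0]
    body = raw[1:1 + length]
    if len(body) != length:
        raise ValueError("EF_IMSI shorter than its length byte claims")
    odd = bool(body[0] & 0x08)
    imsi = str(body[0] >> 4) + decode_swapped_bcd(body[1:])
    expected = 2 * length - 1 if odd else 2 * length - 2
    if len(imsi) != expected:
        raise ValueError(f"IMSI has {len(imsi)} digits, parity/length fields imply {expected}")
    return imsi


if __name__ == "__main__":
    print(describe_path([0x3F00, 0x7F20, 0x6F07]))
    print("ICCID:", decode_iccid(SAMPLE_ICCID))
    print("IMSI: ", decode_imsi(SAMPLE_IMSI))
```

The parity check in decode_imsi is the kind of consistency test an examiner wants when an EF has been read from a card with a damaged or partially wiped file system: a digit count that disagrees with the length and parity fields means the bytes are not a clean IMSI record.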
    

WHAT ARE THE TYPES OF MOBILE NETWORKS?

The most popular network types include GSM, EDGE, UMTS, LTE and iDEN.
GSM:

    Global System for Mobile Communications was developed in Europe, with Nokia and Ericsson among its main contributors. T-Mobile and AT&T use GSM networks in the US, and it is the standard in Asia and Europe.

EDGE:

    Enhanced Data rates for GSM Evolution is a faster data extension of GSM, developed to transmit data more quickly; AT&T first launched EDGE in the US in 2003.

UMTS:

    Universal Mobile Telecommunications System is a 3rd-generation mobile network based on GSM standards. UMTS offers excellent bandwidth and efficiency to mobile users by using Wideband Code Division Multiple Access (W-CDMA) technology. Unlike EDGE, UMTS needs new frequency allocations and new base stations.

4G LTE:

    4G Long Term Evolution is the successor to UMTS and GSM. LTE shares several architectural and administrative elements with its predecessors, and operators can run multi-RAT (radio access technology) services, such as 4G, 3G and 2G, in parallel. LTE has become the world's dominant 4G technology.

iDEN:

    Integrated Digital Enhanced Network is Motorola's proprietary protocol that combines various services, including voice, push-to-talk and data transmission, into one network.
    

WHAT ARE THE TYPES OF MOBILE OPERATING SYSTEMS?

ANDROID:

    
    Android is Google's open-source platform for mobile devices, announced in 2007, and is the most widely used mobile operating system in the handset industry. Android runs on a Linux-based kernel which supports core functions such as power management, the network stack and device drivers. The Android SDK contains tools (notably adb, the Android Debug Bridge) that are useful for generic forensic purposes.

APPLE IOS:

    Apple's Unix-based mobile OS, first released in 2007 with the original iPhone. It is used across Apple's mobile devices.

WINDOWS PHONE:

    Developed by Microsoft, Windows Phone is a proprietary mobile OS for smartphones, introduced in 2010 as the successor to Windows Mobile (which ran on Pocket PCs).