Flashcards on Cyber Forensics, Incident Response, Mobile Device Forensics, and IoT Forensics
Overview of Mobile Device Forensics
The operation of cellular networks and the metadata that service providers retain about their subscribers.
Mobile Phone Technology Evolution
Mobile phone technology has advanced rapidly from analog (1G) through digital PCS (2G) to 3G, 4G, and 5G cellular networks.
3G Standard
Developed by the ITU (the IMT-2000 family); compatible with CDMA, GSM, and TDMA. EDGE (Enhanced Data rates for GSM Evolution) was developed specifically as the GSM migration path toward 3G data rates.
4G Network Technologies
Orthogonal Frequency Division Multiplexing (OFDM), Mobile WiMAX, Ultra Mobile Broadband (UMB), Multiple Input Multiple Output (MIMO), and Long Term Evolution (LTE); of these, LTE became the dominant 4G technology.
CDMA Networks
Networks conforming to the IS-95 standard (marketed as cdmaOne); they evolved into CDMA2000 when upgraded to 3G services.
Global System for Mobile Communications (GSM)
Uses the Time Division Multiple Access (TDMA) technique, splitting each frequency channel into time slots so that multiple phones can share it.
Main Components for Cellular Communication
Base Transceiver Station (BTS, the cell-site radio), Base Station Controller (BSC, which manages a group of BTSs and the handoffs between them), and Mobile Switching Center (MSC).
MSC
Mobile Switching Center: the switch that connects calls to other networks, coordinates handoffs between BSCs, and generates the call records later used for billing (and, in investigations, for subscriber activity).
Cellular Network Characteristics
Cells range from roughly 1 to 20 km in radius; a call is handed off from cell to cell as the phone moves. The network tracks detailed information for cell handoff, billing, and usage.
Data Set Contents from Cell Networks
Subscriber phone numbers (stored as unique identifiers rather than in the clear), call duration, time of communication, and the location of the cell towers contacted for calls, SMS, and internet connections.
Metadata Retention in Australia
Australia's metadata retention law (the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015) requires carriers to store metadata such as the origin, destination, and time of calls, texts, and emails for at least two years; the content of the communications is not covered.
Items Stored on Cell Phones
Incoming/outgoing/missed calls, SMS/MMS messages, email accounts, IM logs, web pages, pictures, video, and music files.
Understanding Mobile Device Forensics
Investigating cell phones and mobile devices is challenging because no single standard exists for data storage, and new phones (and OS versions) are released frequently, so tools lag behind the devices they must support.
Hardware Components of Mobile Devices
Microprocessor, ROM, RAM, digital signal processor, radio module, microphone, speaker, hardware interfaces, and LCD display.
EEPROM
Electrically Erasable Programmable Read-Only Memory (EEPROM): non-volatile memory that can be rewritten in place, used in phones to hold settings that must survive a power loss.
Peripheral Memory Cards for PDAs
Compact Flash (CF), MultiMediaCard (MMC), and Secure Digital (SD).
SIM Cards
Subscriber Identity Module (SIM) cards consist of a microprocessor and internal memory; they hold the IMSI and ICCID that identify the subscriber and the card to the network, plus the authentication key Ki, which never leaves the card.
Main Concerns in Mobile Device Acquisition
Loss of power, synchronization with cloud services, and remote wiping. The practical countermeasures are to keep the device charged and to isolate it from all networks (airplane mode or a Faraday bag) before it can sync or receive a wipe command.
Areas to Check in Forensics Lab
Internal memory, SIM card, and removable or external memory cards.
File System for SIM Cards
Hierarchical structure: the Master File (MF, the root), Dedicated Files (DF, directories such as DF_GSM and DF_TELECOM), and Elementary Files (EF, the leaf files that hold the data, e.g. EF_IMSI, EF_ICCID, EF_SMS).
SIM Security
Each EF carries an access condition per operation (read, update): Always Access (ALW), Card Holder Verification 1 (CHV1, the user PIN), Card Holder Verification 2 (CHV2, PIN2), Administrative Access (ADM, operator only), and Never Access (NEV). EF_IMSI is readable only after CHV1, so a PIN-locked SIM must be unlocked with the PIN or the PUK before the IMSI can be read; EF_ICCID is always readable.
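The two cards above describe the SIM file hierarchy and the access conditions on its files. The following Python is an added example written for this flashcard set, not code from any SIM reader or tool named on the page; it decodes the raw bytes a reader returns for EF_ICCID and EF_IMSI and models the CHV1 check that blocks the IMSI read on a PIN-locked card. The file IDs and encodings follow 3GPP TS 51.011 / TS 31.102; the byte strings are constructed test vectors, not data from a real card.

```python
"""Decode EF_ICCID and EF_IMSI as returned by a SIM reader, honouring access conditions.

Added example for this flashcard set (not code from any tool on the page).
The sample byte strings are constructed vectors, not real card data.
"""

# Identifiers in the SIM file hierarchy: MF (root) -> DF -> EF.
MF = 0x3F00
DF_TELECOM = 0x7F10
DF_GSM = 0x7F20
EF_ICCID = 0x2FE2   # directly under the MF
EF_IMSI = 0x6F07    # under DF_GSM

# READ access condition of each EF: the ICCID needs no PIN, the IMSI does.
READ_ACCESS = {EF_ICCID: "ALW", EF_IMSI: "CHV1"}


def swapped_bcd(data: bytes) -> str:
    """Decode swapped-nibble BCD: two digits per byte, low nibble first,
    0xF used as padding when the digit count is odd."""
    digits = []
    for b in data:
        for nibble in (b & 0x0F, b >> 4):
            if nibble == 0xF:
                continue
            if nibble > 9:
                raise ValueError(f"invalid BCD nibble {nibble:#x}")
            digits.append(str(nibble))
    return "".join(digits)


def decode_iccid(raw: bytes) -> str:
    """EF_ICCID: 10 bytes of swapped-nibble BCD (19 or 20 digits)."""
    if len(raw) != 10:
        raise ValueError("EF_ICCID must be exactly 10 bytes")
    return swapped_bcd(raw)


def decode_imsi(raw: bytes) -> str:
    """EF_IMSI: byte 0 = length of the encoded IMSI in bytes. Byte 1 carries a
    parity/type nibble in its low half (b1-b3 = 001, b4 = 1 for an odd digit
    count) and the first digit in its high half; the remainder is swapped BCD."""
    length = raw[0]
    body = raw[1:1 + length]
    if length < 1 or len(body) != length:
        raise ValueError("bad EF_IMSI length byte")
    odd = bool(body[0] & 0x08)
    digits = str(body[0] >> 4) + swapped_bcd(body[1:])
    if (len(digits) % 2 == 1) != odd:
        raise ValueError("IMSI parity bit disagrees with digit count")
    return digits


def can_read(file_id: int, pin_verified: bool) -> bool:
    """The card's access check: CHV1-protected files need PIN1 verified first."""
    return READ_ACCESS[file_id] == "ALW" or pin_verified


def read_ef(file_id: int, raw: bytes, pin_verified: bool) -> str:
    """Read and decode an EF, refusing when its access condition is not met."""
    if not can_read(file_id, pin_verified):
        raise PermissionError(f"EF {file_id:04X} requires CHV1 (PIN1) for READ")
    return decode_iccid(raw) if file_id == EF_ICCID else decode_imsi(raw)


# Constructed vectors (not from a real card):
SAMPLE_ICCID = bytes.fromhex("981062103254769810F2")   # ICCID 8901260123456789012
SAMPLE_IMSI = bytes.fromhex("083901511032547698")      # IMSI 310150123456789

if __name__ == "__main__":
    print("ICCID:", read_ef(EF_ICCID, SAMPLE_ICCID, pin_verified=False))
    try:
        read_ef(EF_IMSI, SAMPLE_IMSI, pin_verified=False)
    except PermissionError as e:
        print("locked card:", e)
    print("IMSI:", read_ef(EF_IMSI, SAMPLE_IMSI, pin_verified=True))
```

The ICCID (printed on the card and readable without a PIN) is what lets the examiner request the PUK from the carrier; once CHV1 is satisfied the same decoder yields the IMSI that ties the card to the subscriber records.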
Procedures for Mobile Forensics Software
Identify the mobile device, make sure the mobile forensics software is installed, attach the phone to power and connect the cables, start the forensics software, and download (acquire) the information.
SIM Card Readers
A combination hardware/software device used to access the SIM card.
Mobile Forensic Tools
Eclipse, Project-A-Phone (manual extraction), Paraben's Device Seizure, Susteen's DataPilot (logical extraction), Cellebrite's UFED Touch Ultimate, RIFF Box (physical extraction), SD Flash Doctor, UP-828 (chip-off programmer).
Common Methods for Mobile Forensic Data Acquisition
Logical acquisition, physical acquisition, and manual acquisition.
Logical Acquisition
The most practical method, offering an acceptable compromise between completeness and convenience; it copies what the device's OS exposes (file system objects, databases, backups) and therefore misses deleted data and unallocated space, which only a physical acquisition can recover.
Mobile Forensics Tools
Paraben E3:DS, Susteen DataPilot, BitPim (open source), Cellebrite UFED Forensic System, and MOBILedit Forensic.
Main iOS Operating Modes
Normal mode, Recovery mode, and DFU (Device Firmware Update) mode.
Backup Files in iTunes
An iTunes (or Finder) backup contains a copy of SMS, photos, calendar, music, call logs, configuration files, documents, keychains, network settings, cookies, etc. Keychain items and saved passwords are only fully included when the backup is encrypted with a backup password.
iOS Forensic Investigations: Database Files
SQLite databases examined in iOS investigations: SMS messages (sms.db), Address Book/Contacts (AddressBook.sqlitedb), and photo metadata (Photos.sqlite).
iOS Forensics Tools
Elcomsoft Phone Breaker for logical (backup and cloud) data acquisition and Tenorshare for data recovery.
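The iTunes backup and database cards above are the basis for the following added example, written for this flashcard set and not taken from Elcomsoft, Tenorshare or Apple. It shows how a database such as sms.db is located inside a backup (files are stored under the SHA-1 of "Domain-relative/path", and from iOS 10 on inside a subdirectory named by the hash's first two hex characters) and how its message timestamps are converted (the `date` column counts seconds on older iOS, nanoseconds from iOS 11, both since 2001-01-01 UTC). The sms.db it parses is a constructed miniature with only the columns used here.

```python
"""Locate sms.db inside an iTunes/Finder backup and normalise its timestamps.

Added example for this flashcard set (not tool or Apple code). The in-memory
database built below is constructed sample data, not a real device backup.
"""
import hashlib
import sqlite3
from datetime import datetime, timedelta, timezone

COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

# Well-known databases inside a backup, as (domain, path relative to the domain).
BACKUP_FILES = {
    "sms": ("HomeDomain", "Library/SMS/sms.db"),
    "contacts": ("HomeDomain", "Library/AddressBook/AddressBook.sqlitedb"),
    "photos": ("CameraRollDomain", "Media/PhotoData/Photos.sqlite"),
}


def backup_filename(domain: str, relative_path: str) -> str:
    """iTunes names each stored file after SHA-1("<Domain>-<relative path>")."""
    return hashlib.sha1(f"{domain}-{relative_path}".encode()).hexdigest()


def backup_relpath(domain: str, relative_path: str) -> str:
    """Path under the backup folder; iOS 10+ adds a two-character subdirectory,
    older backups keep the files flat."""
    h = backup_filename(domain, relative_path)
    return f"{h[:2]}/{h}"


def ios_date_to_utc(value: int) -> datetime:
    """Convert a Cocoa timestamp. iOS 11+ stores nanoseconds; anything larger
    than 10**12 cannot be a seconds value for a real date, so treat it as ns."""
    seconds = value / 1e9 if value > 10**12 else value
    return COCOA_EPOCH + timedelta(seconds=seconds)


def build_sample_sms_db() -> sqlite3.Connection:
    """Constructed stand-in for sms.db: the handle/message tables, minimal columns."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE handle (ROWID INTEGER PRIMARY KEY, id TEXT);
        CREATE TABLE message (ROWID INTEGER PRIMARY KEY, handle_id INTEGER,
                              text TEXT, date INTEGER, is_from_me INTEGER);
        INSERT INTO handle VALUES (1, '+15550100');
        -- seconds (older iOS) and nanoseconds (iOS 11+) for the same instant
        INSERT INTO message VALUES (1, 1, 'meet at 11', 600000000, 0);
        INSERT INTO message VALUES (2, 1, 'ok', 600000000000000000, 1);
    """)
    return conn


def extract_messages(conn: sqlite3.Connection) -> list:
    """Join messages to their handles and emit UTC timestamps for the report."""
    rows = conn.execute("""
        SELECT m.ROWID, h.id, m.is_from_me, m.date, m.text
        FROM message m LEFT JOIN handle h ON h.ROWID = m.handle_id
        ORDER BY m.date
    """).fetchall()
    return [
        {
            "rowid": rowid,
            "handle": handle,
            "direction": "sent" if is_from_me else "received",
            "timestamp_utc": ios_date_to_utc(date).strftime("%Y-%m-%d %H:%M:%S"),
            "text": text,
        }
        for rowid, handle, is_from_me, date, text in rows
    ]


if __name__ == "__main__":
    for name, (domain, path) in BACKUP_FILES.items():
        print(f"{name:9s} -> {backup_relpath(domain, path)}")
    for m in extract_messages(build_sample_sms_db()):
        print(m)
```

On a real backup, open the file at `backup_relpath(*BACKUP_FILES["sms"])` with `sqlite3.connect` in read-only mode (`file:...?mode=ro`, `uri=True`) after hashing it; an encrypted backup must first be decrypted with the backup password, which is what the acquisition tools on the page automate.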
Android Platform Architecture
Linux Kernel, Hardware Abstraction Layer (HAL), Native C/C++ Libraries, Android Runtime (ART), Java API Framework, and System Apps.
Android Security Features
Kernel-level isolation (each app runs under its own Linux UID), the application sandbox, the permission model, application signing, Security Enhanced Linux (SELinux), full-disk encryption (superseded by file-based encryption from Android 7.0), a Trusted Execution Environment, etc.
Main Partitions on Android
/boot, /system, /data, /cache, /recovery, /misc and /sdcard (the last is emulated user storage rather than a true partition on modern devices). User and application data live under /data, which is what most examinations target.
Apps Locations for Android Forensic Investigations
Google Chrome (com.android.chrome), Gmail (com.google.android.gm), WhatsApp (com.whatsapp) and Skype (com.skype.raider); each app's private data sits under /data/data/<package>/ and is readable only with root.
Android Forensic Tools
Santoku Linux, Android Debug Bridge (adb) and the Android SDK.
Android Forensic Tool
Oxygen Forensics Extractor
Evolution of IoT
From the Internet of Things (IoT) to the Internet of Everything (IoE) to the Internet of Anything (IoA).
IoT Architecture Layers
From the bottom up: Edge Technology Layer (sensors and devices), Access Gateway Layer, Internet Layer, Middleware Layer, and Application Layer.
Potential IoT Vulnerabilities
No automatic security updates, improper communications and encryption, lack of secure storage and authentication, and an insecure web interface.
IoT Attack Surface Areas
Device firmware and mobile application, device memory, device physical interfaces and network services, local data storage and cloud web interface, and device web interface and network traffic.
IoT Attacks
DoS, jamming, ransomware, Sybil, man-in-the-middle, replay, side-channel, rolling-code, and remote access attacks.
IoT Sensor Attacks
Jamming attacks (flooding the radio band so that sensors cannot report) and BlueBorne (a set of Bluetooth-stack vulnerabilities that allow a device to be taken over over the air without pairing).
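Two of the attacks listed above, replay and rolling-code, are easiest to understand side by side. The following Python is an added example written for this flashcard set, not code from any product on the page: it models a fixed-code RF receiver, which a replayed capture opens, next to a rolling-code receiver (incrementing counter plus a MAC, accepted only within a window ahead of the last seen counter), which rejects the replay but still falls to the jam-and-capture sequence the card calls a rolling-code attack. The key, counter values and window size are constructed; the radio link is modelled as function calls.

```python
"""Replay attack on a fixed-code receiver versus a rolling-code receiver.

Added example for this flashcard set (not product code). Key, counters and
window are constructed values; the air interface is simulated by direct calls.
"""
import hashlib
import hmac

KEY = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed shared key


class FixedCodeReceiver:
    """Legacy opener: the same bytes open it every time."""
    def __init__(self, code: bytes):
        self.code = code

    def receive(self, frame: bytes) -> bool:
        return hmac.compare_digest(frame, self.code)


class RollingTransmitter:
    """Fob: each press sends a 4-byte counter and an 8-byte MAC over it."""
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def press(self) -> bytes:
        self.counter += 1
        ctr = self.counter.to_bytes(4, "big")
        tag = hmac.new(self.key, ctr, hashlib.sha256).digest()[:8]
        return ctr + tag


class RollingReceiver:
    """Accepts a frame only if the MAC verifies and the counter is ahead of the
    last accepted one by at most `window` (tolerates presses out of range)."""
    def __init__(self, key: bytes, window: int = 16):
        self.key, self.window, self.last = key, window, 0

    def receive(self, frame: bytes) -> bool:
        ctr, tag = frame[:4], frame[4:]
        expected = hmac.new(self.key, ctr, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return False                      # forged or corrupted frame
        counter = int.from_bytes(ctr, "big")
        if not (self.last < counter <= self.last + self.window):
            return False                      # replayed (<= last) or too far ahead
        self.last = counter
        return True


def replay_against_fixed_code() -> bool:
    receiver = FixedCodeReceiver(bytes.fromhex("5a3c9f01"))
    captured = bytes.fromhex("5a3c9f01")       # sniffed from one legitimate press
    return receiver.receive(captured)          # True: the replay opens it


def replay_against_rolling_code() -> bool:
    tx, rx = RollingTransmitter(KEY), RollingReceiver(KEY)
    legit = tx.press()
    rx.receive(legit)                          # owner's press is accepted
    return rx.receive(legit)                   # False: that counter is consumed


def rolljam_against_rolling_code() -> bool:
    """Rolling-code attack: jam so the receiver misses two presses, record both,
    replay the first so the owner gets in, keep the second for later use."""
    tx, rx = RollingTransmitter(KEY), RollingReceiver(KEY)
    first = tx.press()                         # jammed at the receiver, recorded
    second = tx.press()                        # jammed again, recorded
    rx.receive(first)                          # attacker forwards press 1: door opens
    return rx.receive(second)                  # True: press 2 is unused and in-window


if __name__ == "__main__":
    print("fixed code, replay accepted:", replay_against_fixed_code())
    print("rolling code, replay accepted:", replay_against_rolling_code())
    print("rolling code, jam-and-capture accepted:", rolljam_against_rolling_code())
```

The acceptance window is what makes the second captured press usable later; receivers that also bind a timestamp or a challenge from the receiver close that gap, at the cost of a two-way radio exchange.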
Standard Forensic Examination
Evidence identification and collection, preservation, analysis, and presentation and reporting.
Data Acquisition from a Smartwatch
The Wearable Data Layer APIs that a watch and its paired phone use to exchange data: the Data API (synchronised data items), the Message API (one-way messages) and the Node API (discovery of connected nodes). Because the watch syncs through these APIs, the paired phone frequently holds a copy of the same data and is often the easier source.
Logical Acquisition of Android Wearable
Enable developer options on the watch, connect it to Wi-Fi, enable ADB debugging and Debug over Wi-Fi in Settings, note the watch's IP address, and run adb connect <ip>:5555 from the workstation (5555 is adb's default TCP port).
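The adb steps in the wearable card above, and the Android tool and app-location cards earlier, are the basis for the following added example, written for this flashcard set and not shipped with the Android SDK, Santoku Linux or Oxygen Forensics. It drives the real `adb` binary through subprocess to connect over Wi-Fi, check the device state, pull each listed app's private directory and hash everything pulled into a manifest; the `run` parameter lets the steps be exercised without a device, and `build_sample_evidence_dir()` creates constructed files so the hashing can be shown offline. The package names are the real ones for the apps the page lists.

```python
"""Logical acquisition of an Android phone or Wear OS watch over adb, with hashing.

Added example for this flashcard set (not SDK or vendor code). Pulling
/data/data/<package> needs a root adb shell; `adb backup -f <file> <package>`
is the unprivileged fallback, which apps can refuse with android:allowBackup="false".
"""
import hashlib
import json
import subprocess
import tempfile
from pathlib import Path

APP_PACKAGES = {
    "chrome": "com.android.chrome",
    "gmail": "com.google.android.gm",
    "whatsapp": "com.whatsapp",
    "skype": "com.skype.raider",
}


def adb(args, serial=None, run=subprocess.run):
    """Run one adb command and return its stdout (raises on a non-zero exit)."""
    cmd = ["adb"] + (["-s", serial] if serial else []) + list(args)
    return run(cmd, capture_output=True, text=True, check=True).stdout


def connect_over_wifi(ip, port=5555, run=subprocess.run):
    """Attach to the watch by IP once Debug over Wi-Fi is enabled."""
    target = f"{ip}:{port}"
    out = adb(["connect", target], run=run)
    # adb answers "connected to ..." or "already connected to ..."; anything
    # else ("failed to connect", "cannot connect") means the watch is unreachable.
    if "connected to" not in out:
        raise RuntimeError(f"adb connect failed: {out.strip()}")
    return target


def parse_devices(output):
    """Parse `adb devices -l` output into {serial: state}. Only 'device' is usable;
    'unauthorized' means the RSA key prompt on the screen was not accepted."""
    devices = {}
    for line in output.splitlines()[1:]:
        parts = line.split()
        if len(parts) >= 2:
            devices[parts[0]] = parts[1]
    return devices


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(directory):
    """Hash every acquired file so later analysis can prove nothing changed."""
    directory = Path(directory)
    manifest = {p.relative_to(directory).as_posix(): sha256_file(p)
                for p in sorted(directory.rglob("*")) if p.is_file()}
    (directory / "MANIFEST.sha256.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def pull_app_data(serial, package, out_dir, run=subprocess.run):
    """Copy /data/data/<package> (root required) and hash the result."""
    dest = Path(out_dir) / package
    dest.mkdir(parents=True, exist_ok=True)
    adb(["pull", f"/data/data/{package}", str(dest)], serial=serial, run=run)
    return write_manifest(dest)


def build_sample_evidence_dir():
    """Constructed stand-in for a pulled app directory (no device needed)."""
    root = Path(tempfile.mkdtemp(prefix="acq_"))
    (root / "databases").mkdir()
    (root / "databases" / "msgstore.db").write_bytes(b"abc")
    (root / "shared_prefs").mkdir()
    (root / "shared_prefs" / "settings.xml").write_bytes(b"")
    return root


if __name__ == "__main__":
    serial = connect_over_wifi("192.168.1.20")          # watch IP from Settings
    print(parse_devices(adb(["devices", "-l"])))
    for pkg in APP_PACKAGES.values():
        print(pkg, pull_app_data(serial, pkg, "evidence"))
```

Record the manifest alongside the workstation's own hash of the pulled tree; on a non-rooted device substitute `adb backup` for the pull and hash the resulting .ab file instead.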
Files to be checked in Android Wearable Image Forensic Examination
Log files, database logs, media files, cache files, application files, etc.
Investigator Examination at the Hardware Level
Through JTAG forensics (reading the flash via the board's test access port) and through physical removal and direct reading of the memory chip in chip-off forensics; both bypass the OS and recover unallocated space, at the cost of risk to the device.