Flashcards on Cyber Forensics, Incident Response, Mobile Device Forensics, and IoT Forensics
Mobile Device Forensics & IoT Forensics Overview
Operation of cellular network; Service provider meta-data
Mobile Phone Generations
Analog, Digital personal communications service (PCS), Third-generation (3G), Fourth-generation (4G), Fifth-generation (5G)
Fifth-generation (5G) cellular networks
Expected to be finalized in 2020, will incorporate emerging technologies
3G standard
Developed by the International Telecommunications Union (ITU) under the United Nations
3G standard Compatibility
Compatible with Code Division Multiple Access (CDMA), Global System for Mobile (GSM), and Time Division Multiple Access (TDMA)
4G network technologies
Orthogonal Frequency Division Multiplexing (OFDM), Mobile WiMAX, Ultra Mobile Broadband (UMB), Multiple Input Multiple Output (MIMO), Long Term Evolution (LTE)
Code Division Multiple Access (CDMA) networks
Follows IS-95 and is referred to as CDMAOne
Global System for Mobile Communications (GSM)
Uses the Time Division Multiple Access (TDMA) technique
Main components used for communication
Base transceiver station (BTS), Base station controller (BSC), Mobile switching center (MSC)
Mobile Phone Basics components
Home Location Register (HLR), Interworking Functions (IWF), Visitor Location Register (VLR), Mobile Switching Center (MSC), Equipment Identity Register (EIR), Operation and Maintenance Center (OMC), Short Message Service Center (SMSC)
Cell Network Information
Detailed information to enable cell handoff and for billing and usage purposes
Metadata Retention in Australia
Origin, destination and time of phone calls, text messages, and emails for at least two years
Items stored on cell phones
Incoming, outgoing, and missed calls; Multimedia Message Service (MMS) and Short Message Service (SMS) text messages; E-mail accounts; Instant-messaging (IM) logs; Web pages; Pictures, video, and music files
Hardware components of Mobile Devices
Microprocessor, ROM, RAM, a digital signal processor, a radio module, a microphone and speaker, hardware interfaces, and an LCD display
Where phones store system data
Electronically erasable programmable read-only memory (EEPROM)
Peripheral memory cards used with PDAs
Compact Flash (CF), MultiMediaCard (MMC), Secure Digital (SD)
Subscriber identity module (SIM) cards
Consists of a microprocessor and internal memory
Main concerns with mobile devices
Loss of power, synchronization with cloud services, and remote wiping
Areas to Check in Forensics Lab
Internal memory, SIM card, Removable or external memory cards
Data Acquisition from Mobile: SIM contents
International Mobile Subscriber Identity (IMSI), Integrated Circuit Card Identifier (ICC-ID)
File system structure for a SIM card
Master File (MF), Dedicated File (DF), Elementary File (EF)
SIM Security
Always Access; Card Holder Verification 1 (CHV1), PIN1; Card Holder Verification 2 (CHV2), PIN2; Administrative; Never Access
General procedure for using SIM card readers
Remove the device’s back panel; Remove the battery; Remove the SIM card from holder; Insert the SIM card into the card reader
Mobile Forensic Tool classification
Manual extraction: Eclipse, Project-A-Phone; Logical extraction: Paraben's Device Seizure, Susteen's Data Pilot; Physical extraction (hex dumping): Cellebrite's UFED Touch Ultimate, RIFFBox
Where can the stored evidence be found in Mobile Forensic Data Acquisition
Call history, SMS, Address book, Documents, Calendar, Videos, Photos, Web browser history, Email, Deleted data, Maps, Social networking data
Using Mobile Forensics Tools: Paraben Software
Paraben’s Device Seizure, Cellebrite UFED Forensic System, MOBILedit Forensic
Three options for data extraction in Cellebrite UFED Forensic System
Logical; File system; Physical
The main iOS operating modes
Normal mode (secure boot chain), Recovery mode, DFU mode (Boot ROM)
Backup files in iTunes contain copy of
SMS, photos, calendar, music, call logs, configuration files, documents, keychains, network settings, cookies
Database file systems for forensic investigations
Call history, SMS Messages, Address Book Contacts, Consolidated GPS cache, Photo metadata, Notes, Voicemail
Android Platform Architecture
Linux Kernel, Native C/C++ Libraries, Android Runtime, Java API Framework, System Apps
Android Security features
Secure Kernel, Application Sandbox, The permission model, Application signing, Security Enhanced Linux, Full Disk Encryption, Trusted Execution Environment
Main partitions on Android
/boot, /system, /data, /cache, /recovery, /misc, /sdcard
Android file systems for forensic investigations
Root file system (Rootfs), Sysfs, Devpts, Cgroup, Proc, Tmpfs
A few important app locations for investigations
Google Chrome, Gmail, WhatsApp, Skype
Logical acquisition using Santoku Linux
Android Debug Bridge (adb), Android SDK
Internet of Things (IoT)
Evolution from the Internet of Things (IoT) to the Internet of Everything (IoE) to the Internet of Anything (IoA)
5G device categories
enhanced Mobile Broadband (eMBB), Ultra-reliable and Low-latency Communications (uRLLC), massive Machine Type Communications (mMTC)
IoT Architecture layers
Application Layer, Middleware Layer, Internet Layer, Access Gateway Layer, Edge Technology Layer
Potential IoT vulnerabilities
No automatic security updates, Improper communications and encryption, Lack of secure storage and authentication
IoT critical areas that attackers could breach
Device firmware & mobile application, Device memory, Device physical interface & network services, Local data storage & Cloud web interface, Device web interface & network traffic
Other disruptive attacks in IoT
DoS, Jamming, Ransomware, Sybil, Man-in-the-Middle, Replay, Side channel, Rolling code, Remote access attacks
Standard forensic examination process can include
Evidence identification and collection; Preservation; Analysis; Presentation and reporting
Wearable IoT devices
Wearable IoT devices can connect to smartphones or networks through Bluetooth, Wi-Fi, GPS and NFC
Important files to be checked in Forensic Examination of Android Wearable Image
Log files, database logs, media files, cache files, application files
What is Mobile Device Forensics & IoT Forensics?
The process of identifying, preserving, analyzing, and presenting digital evidence from mobile devices and IoT devices.
What is a cellular network?
A network that provides high-speed wireless communication services for mobile devices.
What is service provider metadata?
Metadata that includes information about the origin, destination, and timing of communications, used for billing and network management.
What are mobile phone generations?
The evolution of mobile phone technology from analog to digital and beyond, with each generation offering increased speed and capabilities.
What are the benefits of fifth-generation (5G) cellular networks?
Emerging technologies that will provide even faster and more reliable wireless communication, supporting new applications and services.
What is the 3G standard?
A standard developed to ensure compatibility and global roaming for mobile devices.
What are 4G network technologies?
The various technologies used in 4G networks to achieve higher data rates and improved network performance.
What are the main components used for communication?
The main components that facilitate communication in a cellular network.
What is cell network information?
The detailed information collected by cellular networks for cell handoff, billing, and usage tracking.
What is metadata retention in Australia?
A law in Australia that requires telecommunications companies to retain metadata for a specified period.
What items are stored on cell phones?
The various types of data stored on cell phones, including communications, media, and personal information.
What are the hardware components of mobile devices?
The physical components that make up a mobile device.
Where do phones store system data?
The type of memory where phones store system data.
What are the peripheral memory cards used with PDAs?
The different types of peripheral memory cards used with PDAs for data storage.
What are subscriber identity module (SIM) cards?
A card that contains a microprocessor and internal memory, used to identify and authenticate a mobile device on a network.
What are the main concerns with mobile devices?
The main issues encountered when dealing with mobile devices in a forensic context.
What areas should you check in a Forensics Lab?
The areas that need to be checked in a forensics lab to gather evidence from mobile devices.
What data is acquired from Mobile SIM contents?
Data extracted from a SIM card, including identifiers such as IMSI and ICC-ID.
What is the file system structure for a SIM card?
The structure of a SIM card's file system.
What are the SIM Security measures?
The mechanisms used to secure a SIM card and protect the data stored on it.
What is the general procedure for using SIM card readers?
The general steps to follow when using SIM card readers for data extraction.
What are mobile forensic tool classifications?
The different types of tools used in mobile forensics for data extraction.
Where can you find stored evidence in Mobile Forensic Data Acquisition?
The locations where evidence can be found in mobile forensic data acquisition.
What are some Mobile Forensics Tools Paraben Software offers?
Software tools used for mobile forensics, such as Paraben’s Device Seizure and Cellebrite UFED Forensic System.
What are the three options for data extraction in Cellebrite UFED Forensic System?
The three main methods for extracting data using Cellebrite UFED Forensic System.
What are the main iOS operating modes?
The different operating modes of iOS devices.
What do the backup files in iTunes contain a copy of?
The types of data included in iTunes backup files.
What are the database file systems for forensic investigations?
The types of database file systems used for forensic investigations on mobile devices.
What is the Android Platform Architecture?
The architecture of the Android platform, including the Linux Kernel and Java API Framework.
What are Android Security features?
The security features implemented in Android to protect the operating system and user data.
What are the main partitions on Android?
The main partitions on an Android device, including /boot, /system, and /data.
What are the Android file systems for forensic investigations?
The file systems used in Android for forensic investigations.
What are a few important app locations for investigations?
The locations of important apps on Android devices for forensic investigations.
How do you perform logical acquisition using Santoku Linux?
The use of Android Debug Bridge (adb) and Android SDK for logical acquisition using Santoku Linux.
What is the Internet of Things (IoT)?
The evolution of the Internet of Things (IoT) to the Internet of Everything (IoE) and the Internet of Anything (IoA).
What are the 5G device categories?
The categories of 5G devices, including enhanced Mobile Broadband (eMBB) and Ultra-reliable and Low-latency Communications (uRLLC).
What are IoT Architecture layers?
The layers of the IoT architecture, including the Application Layer and Middleware Layer.
What are potential IoT vulnerabilities?
The potential vulnerabilities in IoT devices, such as lack of security updates and improper encryption.
What are the IoT critical areas that attackers could breach?
The critical areas in IoT that attackers could breach, including device firmware and mobile applications.
What are other disruptive attacks in IoT?
Disruptive attacks in IoT, such as DoS, ransomware, and man-in-the-middle attacks.