Flashcards on Cyber Forensics, Incident Response, Mobile Device Forensics, and IoT Forensics.
Mobile Device Forensics & IoT Forensics
Examines mobile devices and IoT devices.
Mobile phone technology generations by 2008
Analog, Digital personal communications service (PCS), Third-generation (3G).
Fourth-generation (4G)
Was introduced in 2009.
Fifth-generation (5G) cellular networks
Expected to be finalized in 2020, will incorporate emerging technologies
The 3G standard
Developed by the International Telecommunications Union (ITU) under the United Nations
The 3G standard
Compatible with Code Division Multiple Access (CDMA), Global System for Mobile (GSM), and Time Division Multiple Access (TDMA)
The Enhanced Data GSM Environment (EDGE) standard
Developed specifically for 3G
4G network technologies
Orthogonal Frequency Division Multiplexing (OFDM), Mobile WiMAX, Ultra Mobile Broadband (UMB), Multiple Input Multiple Output (MIMO), Long Term Evolution (LTE)
Most Code Division Multiple Access (CDMA) networks conform to IS-95
These systems are referred to as CDMAOne; When they went to 3G services, they became CDMA2000
Global System for Mobile Communications (GSM)
Uses the Time Division Multiple Access (TDMA) technique; Multiple phones take turns sharing a channel
Main components used for communication
Base transceiver station (BTS), Base station controller (BSC), Mobile switching center (MSC)
Metadata Retention in Australia
Stores info such as the origin, destination and time of phone calls, text messages and emails – for at least two years. Such data can be accessed from telco firms without a warrant
Items stored on cell phones
Incoming, outgoing, and missed calls, Multimedia Message Service (MMS; text messages) and Short Message Service (SMS) messages, E-mail accounts, Instant-messaging (IM) logs, Web pages, Pictures, video, and music files
Hardware components of mobile devices
Microprocessor, ROM, RAM, a digital signal processor, a radio module, a microphone and speaker, hardware interfaces, and an LCD display
Subscriber identity module (SIM) cards
Found most commonly in GSM devices; Consist of a microprocessor and internal memory
The main concerns with mobile devices
Loss of power, synchronization with cloud services, and remote wiping
Isolate the device from incoming signals with one of the following options
Place the device in airplane mode, Place the device in a paint can, Use a Faraday cage/bag, Turn the device off
Check these areas in the forensics lab
Internal memory, SIM card, Removable or external memory cards, Network provider
Data Acquisition from Mobile: SIM contents
International Mobile Subscriber Identity (IMSI), Integrated Circuit Card Identifier (ICC-ID)
The file system for a SIM card
Hierarchical structure; Master File (MF), Dedicated File (DF), Elementary File (EF)
SIM Security
Always Access, Card Holder Verification 1 (CHV1) - PIN1, Card Holder Verification 2 (CHV2) - PIN2, Administrative, Never Access
General procedure is as follows for SIM card readers
Remove the device’s back panel, Remove the battery, Remove the SIM card from holder, Insert the SIM card into the card reader
Manual extraction Mobile Forensic Tool
Eclipse, Project-A-Phone
Logical extraction Mobile Forensic Tool
Paraben’s Device Seizure, Susteen’s Data Pilot
Physical extraction (Hex Dumping) Mobile Forensic Tool
Cellebrite's UFED Touch Ultimate, RIFF Box
Physical extraction (Chip-off) Mobile Forensic Tool
SD Flash Doctor, UP-828
Physical extraction (Micro Read) Mobile Forensic Tool
High-power microscope
Common methods of Mobile Forensic Data Acquisition
Logical acquisition, Physical acquisition, Manual acquisition
Logical extraction
Paraben’s Device Seizure, Susteen’s Data Pilot
The main iOS operating modes
Normal mode (secure boot chain), Recovery mode, DFU mode (Boot ROM)
iOS Forensics Solutions
Check lockdown files under C:\ProgramData\Apple\Lockdown or /var/db/lockdown on macOS
Few important apps locations for investigations for Android Forensics
Google Chrome, Gmail, WhatsApp, Skype
Tools that can be used to bypass the security lock of the suspected Android device
DroidKit and Dr.Fone
5G devices categories: (by 3GPP)
enhanced Mobile Broadband (eMBB), Ultra-reliable and Low-latency Communications (uRLLC), massive Machine Type Communications (mMTC)
IoT Architecture includes various layers:
Application Layer, Middleware Layer, Internet Layer, Access Gateway Layer, Edge Technology Layer
The IoT critical areas that the attackers could breach may include
Device firmware & mobile application, Device memory, Device physical interface & network services, Local data storage & Cloud web interface, Device web interface & network traffic, Ecosystem access control & communication, Vendor & TTP backend APIs
Attackers can exploit these devices to steal data, cause physical damage to the network or launch other disruptive attacks such as
DoS, Jamming, Ransomware, Sybil, Man-in-the-Middle, Replay, Side channel, Rolling code, Remote access attacks, etc
Standard forensic examination process can include
Evidence identification and collection, Preservation, Analysis, Presentation and reporting
To acquire data from a smartwatch, you need to check
Data API; Message API; and Node API