Cyber Forensics Flashcards

Cyber Forensics & Incident Response

  • Mobile Device Forensics & IoT Forensics

Overview

  • Operation of cellular network
  • Service provider meta-data
  • Explain the basic concepts of mobile device forensics
  • Describe procedures for acquiring data from mobile devices
  • Summarize the challenges of forensic acquisitions of data stored on Internet of Anything devices
  • iOS Forensics
  • Android Forensics
  • IoT forensic existing issues and processes

Mobile Phone Basics

  • Mobile phone technology has advanced rapidly
  • By the end of 2008, mobile phones had gone through three generations:
  • Analog
  • Digital personal communications service (PCS)
  • Third-generation (3G)
  • Fourth-generation (4G) was introduced in 2009
  • Several digital networks are used in the mobile phone industry
  • Fifth-generation (5G) cellular networks
  • Expected to be finalized in 2020, will incorporate emerging technologies

Mobile Phone Basics (cont’d)

  • The 3G standard was developed by the International Telecommunication Union (ITU) under the United Nations
  • It is compatible with Code Division Multiple Access (CDMA), Global System for Mobile (GSM), and Time Division Multiple Access (TDMA)
  • The Enhanced Data GSM Environment (EDGE) standard was developed specifically for 3G
  • 4G networks can use the following technologies:
  • Orthogonal Frequency Division Multiplexing (OFDM)
  • Mobile WiMAX
  • Ultra Mobile Broadband (UMB)
  • Multiple Input Multiple Output (MIMO)
  • Long Term Evolution (LTE)

Mobile Phone Basics (cont’d)

  • Most Code Division Multiple Access (CDMA) networks conform to IS-95
  • These systems are referred to as CDMAOne
  • When they went to 3G services, they became CDMA2000
  • Global System for Mobile Communications (GSM) uses the Time Division Multiple Access (TDMA) technique
  • Multiple phones take turns sharing a channel

Overview of GSM

  • Main components used for communication:
    • Base transceiver station (BTS)
    • Base station controller (BSC)
    • Mobile switching center (MSC)
  • Home Location Register (HLR)
  • Interworking Functions (IWF)
  • Visitor Location Register (VLR)
  • Mobile Switching Center (MSC)
  • Equipment Identity Register (EIR)
  • Operation and Maintenance Center (OMC)
  • Short Message Service Center (SMSC)

Cellular Network

  • user equipment (UE)
  • base station (BS)

Cellular Network (cont’d)

  • Cell sizes range from 1 to 20 km
  • As the user moves around, the call is transferred between cells
  • Cell network needs to keep detailed information to enable this cell handoff and for billing and usage purposes

Triangulation in a Cell Network

Data Set Content

  • Who he called and texted (in our dataset, exact phone numbers have been hidden and replaced by unique identifying codes).
  • How long each phone call lasted.
  • The time of the communication.
  • The location of the cell tower contacted when outgoing calls were initiated.
  • The location of the cell tower contacted for SMS and internet connections.
  • (Details of incoming calls, internet use etc would all be stored too but were not in the data set provided)

Data Set Content (cont'd)

  • Will's top 10 contacts
    • Phone
    • SMS

Metadata Retention in Australia

  • As you know, metadata retention laws in Australia result in a lot of information being stored.
  • This includes storing information “such as the origin, destination and time of phone calls, text messages and emails – for at least two years.” Such data can be accessed from telco firms without a warrant by any of the several thousand authorized officers.

Understanding Mobile Device Forensics

  • Items stored on cell phones:
    • Incoming, outgoing, and missed calls
    • Multimedia Message Service (MMS) and Short Message Service (SMS; text) messages
    • E-mail accounts
    • Instant-messaging (IM) logs
    • Web pages
    • Pictures, video, and music files
  • People store a wealth of information on cell phones
  • A search warrant is needed to examine mobile devices because they can contain so much information

Understanding Mobile Device Forensics (cont’d)

  • Investigating cell phones and mobile devices is one of the more challenging tasks in digital forensics
  • No single standard exists for how and where phones store messages
  • New phones come out about every six months and they are rarely compatible with previous models

Inside Mobile Devices

  • Mobile devices can range from simple phones to small computers AKA smart phones
    • Hardware components:
      • Microprocessor, ROM, RAM, a digital signal processor, a radio module, a microphone and speaker, hardware interfaces, and an LCD display
  • Most basic phones have a proprietary OS
  • Smartphones, however, use the same OSs as PCs

Inside Mobile Devices (cont’d)

  • Phones store system data in electrically erasable programmable read-only memory (EEPROM) or EPROM
  • Enables service providers to reprogram phones without having to physically access memory chips
  • OS is stored in ROM
    • Nonvolatile memory
    • Available even if the phone loses power

Inside Mobile Devices (cont’d)

  • Personal digital assistants (PDAs) have been mostly replaced by iPods, iPads, and other mobile devices
  • Their use has shifted to more specific markets such as medical or industrial
  • Peripheral memory cards used with PDAs:
    • Compact Flash (CF)
    • MultiMediaCard (MMC)
    • Secure Digital (SD)

SIM Cards

  • Subscriber identity module (SIM) cards
  • Found most commonly in GSM devices
  • Consist of a microprocessor and internal memory
  • GSM refers to mobile phones as “mobile stations” and divides a station into two parts: the SIM card and the mobile equipment (ME)
  • SIM cards come in three sizes: standard, micro, and nano.
  • Portability of information makes SIM cards versatile

Understanding Acquisition Procedures for Cell Phones and Mobile Devices

  • The main concerns with mobile devices are loss of power, synchronization with cloud services, and remote wiping
  • All mobile devices have volatile memory
    • Making sure they don’t lose power before you can retrieve RAM data is critical
  • Mobile device attached to a PC via a USB cable should be disconnected from the PC immediately
    • Helps prevent synchronization that might occur automatically and overwrite data

Understanding Acquisition Procedures for Cell Phones and Mobile Devices (cont’d)

  • Depending on the warrant, the time of seizure might be relevant
  • Isolate the device from incoming signals with one of the following options:
    • Place the device in airplane mode
    • Place the device in a paint can
    • Use a Faraday cage/bag e.g. the Paraben Wireless StrongHold Bag
    • Turn the device off
  • Read more on SANS DFIR (Digital Forensics and Incident Response)

Understanding Acquisition Procedures for Cell Phones and Mobile Devices (cont’d)

  • There are thousands of variants of operating system and phone making it impossible to have a standard approach.
  • Imaging older phones like iPhone 3 or 4 is trivial now, but gets increasingly more difficult with newer models.
  • Similarly, although Android is the dominant platform, each phone manufacturer has its own customized version, which may do things a bit differently.
  • Mobile phone states (SANS DFIR)
    • On and unlocked
    • On and locked
    • Off

Understanding Acquisition Procedures for Cell Phones and Mobile Devices (cont’d)

  • Check these areas in the forensics lab:
    • Internal memory
    • SIM card
    • Removable or external memory cards
    • Network provider
  • Checking network provider usually requires a search warrant.
  • A new complication has surfaced because backups might be stored in a cloud provided by the carrier or third party

Data Acquisition from Mobile: SIM Contents

  • Network info for different frequencies
  • Service info for the specific user
  • Location information and routing information to make calls
  • User data including phonebook, stored SMS messages and call history
  • International Mobile Subscriber Identity (IMSI)
  • Integrated Circuit Card Identifier (ICC-ID)

Data Acquisition from Mobile: SIM Cards (cont’d)

  • The file system for a SIM card is a hierarchical structure
    • Master File (MF), Dedicated File (DF), Elementary File (EF)
  • SIM Security:
    • Always Access
    • Card Holder Verification 1 (CHV1) – PIN1
    • Card Holder Verification 2 (CHV2) – PIN2
    • Administrative
    • Never Access

Mobile Forensics Equipment

  • Mobile forensics is an evolving science
  • Biggest challenge is dealing with constantly changing phone models
  • Procedures for working with mobile forensics software:
    • Identify the mobile device
    • Make sure you have installed the mobile device forensics software
    • Attach the phone to power and connect cables
    • Start the forensics software and download information

Mobile Forensics Equipment (cont’d)

  • SIM card readers
    • A combination hardware/software device used to access the SIM card
    • You need to be in a forensics lab equipped with appropriate antistatic devices
    • General procedure is as follows:
      • Remove the device’s back panel
      • Remove the battery
      • Remove the SIM card from holder
      • Insert the SIM card into the card reader
    • Tool: AccessData FTK Imager
    • Other tools: Cellebrite UFED, MOBILedit Forensic, Sim Card Data Recovery Software, Dekart SIM Explorer, SIM Card Seizure device
    • MacLockPick 3.0

Mobile Forensics Equipment (cont’d)

  • Dealing with an SD Card is easy.
    • Remove it from the device, and treat it the same as we treated the USB drive.

Mobile Forensic Tool Classification

  • Less technical
  • Shorter analysis times
  • Less training required
  • Less invasive
  • More technical
  • Longer analysis times
  • More training required
  • More invasive

Mobile Forensic Tool Classification (cont’d)

  • Some examples of available tools
    • Manual extraction
      • Eclipse, Project-A-Phone
    • Logical extraction
      • Paraben’s Device Seizure, Susteen’s Data Pilot
    • Physical extraction (hex dumping)
      • Cellebrite’s UFED Touch Ultimate, RIFF Box
    • Physical extraction (chip-off)
      • SD Flash Doctor, UP-828
    • Physical extraction (Micro Read)
      • High-power microscope

Mobile Forensic Data Acquisition

  • Common methods
    • Logical acquisition
    • Physical acquisition
    • Manual acquisition
  • Where can the stored evidence be found?
    • Call history, SMS, address book, documents, calendar, videos, photos, web browser history, email, deleted data, maps, social networking data, etc.

The Practical Approach? Logical vs Physical

  • Typically logical acquisition is the most practical and gives an acceptable compromise of completeness vs convenience.
  • But this might not work in some circumstances
  • A forensics tool from Cellebrite can crack a phone's password and retrieve all of its data.
  • Cellebrite Universal Memory Exchanger for mobile phones

Using Mobile Forensics Tools

  • Paraben Software offers several tools:
    • E3:DS – for mobile device investigations
    • DataPilot – has a collection of cables that can interface with phones from different manufacturers
    • BitPim - used to view data on many CDMA phones
  • Cellebrite UFED Forensic System - works with smartphones, PDAs, tablets, and GPS devices
  • MOBILedit Forensic - contains a built-in write-blocker

Using Mobile Forensics Tools (cont’d)

  • Cellebrite is often used by law enforcement
  • You can determine the device’s make and model, learn what has to be done before connecting a mobile device to the UFED device, and then retrieve the data
  • Three options for data extraction:
    • Logical
    • File system
    • Physical
  • You can also simply connect a mobile device to a computer to browse the file system and examine and retrieve files
    • Needs a USB write-blocker

Using Mobile Forensics Tools (cont’d)

  • Many mobile forensics tools are available
    • Most aren’t free
  • Methods and techniques for acquiring evidence will change as the market continues to expand and mature
  • Subscribe to user groups and professional organizations to know what’s happening in the industry
  • Mobile phones use SQLite databases to store information, e.g. emails, address books, etc., which can be extracted and analyzed using SQLite browsing tools, e.g.
    • sqlite3 Images.sqlitedb
    • sqlite> .output Images.txt
    • sqlite> .dump FullSizeImage

iOS Forensics

  • The main iOS operating modes are
    • Normal mode (secure boot chain)
    • Recovery mode
    • DFU mode (Boot ROM)
  • Passcode protection can raise some issues
    • New iOS devices are all passcode protected
    • Hardware-based solutions might break the device
    • Solution?
      • Check lockdown files under C:\ProgramData\Apple\Lockdown
      • Or /var/db/lockdown on macOS
      • Example tool: jailbreaking software

iOS Forensics (cont’d)

  • Backup files in iTunes contain a copy of
    • SMS, photos, calendar, music, call logs, configuration files, documents, keychains, network settings, cookies, etc.
  • Info.plist
    • Apps, phone number, product number, serial number, last backup date, etc.
  • Manifest.plist
    • Lockdown, apps, IsEncrypted, date, WasPasscodeSet, etc.
  • Status.plist
    • BackupState, IsFullBackup, Date, UUID, SnapshotState
  • Manifest.db
    • Flags, LastModified and Birth, Domain, etc.
  • Encrypted using the AES-256 algorithm in CBC mode

iOS Forensics (cont’d)

  • Database files for forensic investigations
    • Call history: /private/var/mobile/Library/CallHistoryDB/CallHistory.storedata
    • SMS messages: /private/var/mobile/Library/SMS/sms.db
    • Address Book contacts: /private/var/mobile/Library/AddressBook/AddressBook.sqlitedb
    • Consolidated GPS cache: /private/var/root/Caches/locationd/consolidated.db
    • Photo metadata: /private/var/mobile/Media/PhotoData/Photos.sqlite
    • Notes: /private/var/mobile/Library/Notes/notes.sqlite
    • Voicemail: /private/var/mobile/Library/Voicemail/voicemail.db and /private/var/mobile/Library/Voicemail

iOS Forensics (cont’d)

  • Browse and extract data files from iOS backups with iBackupViewer
  • Elcomsoft Phone Breaker can be used for logical data acquisition
  • Tenorshare is useful for data recovery
  • Training materials are uploaded to the “Suggested Readings”

iOS Forensics (cont’d)

  • In order to perform physical acquisition on an iOS device, follow these steps
    • Jailbreak the device to gain root access to the device
    • Create a wireless network with a static IP. Ensure the suspected iOS device and the workstation are connected on the same network for integrity validation
    • Connect the iOS device to the network via SSH. You can install OpenSSH on the jailbroken iOS device, via Cydia
    • Use netcat utility to initiate a socket to establish a connection between the mobile device and the forensic workstation
    • Use dd command to acquire the image of the device
    • Verify the image to ensure the integrity

Android Forensics

  • Platform architecture
    • Linux kernel
    • Native C/C++ libraries
    • Android Runtime
    • Java API Framework
    • System apps

Android Forensics (cont’d)

  • Android Security features
    • Secure Kernel
    • Application Sandbox
    • The permission model
    • Application signing
    • Security Enhanced Linux
    • Full Disk Encryption
    • Trusted Execution Environment

Android Forensics (cont’d)

  • Android has the same system structure as Linux
  • Main partitions on Android are
    • /boot
    • /system
    • /data
    • /cache
    • /recovery
    • /misc
    • /sdcard

Android Forensics (cont’d)

  • Android file systems for forensic investigations
    • Root file system (Rootfs)
    • Sysfs
    • Devpts
    • Cgroup
    • Proc
    • Tmpfs
  • Which files are important for forensic investigations?

Android Forensics (cont’d)

  • A few important app locations for investigations
    • Google Chrome
      • /data/data/com.android.chrome/app_chrome/Default/Bookmarks
      • /data/data/com.android.chrome/app_chrome/Default/History
      • /data/data/com.android.chrome/app_chrome/Default/Login Data
    • Gmail
      • /data/data/com.google.android.gm/cache/@gmail.com
      • /data/data/com.google.android.gm/databases/suggestions.db
    • WhatsApp
      • /data/data/com.whatsapp/me
    • Skype
      • /data/data/com.whatsapp/me

Android Forensics (cont’d)

  • Logical acquisition using Santoku Linux
  • Android Debug Bridge (adb)
    • Communicate with a device and run a Unix shell
  • Android SDK
    • Includes comprehensive tools for writing Android apps
  • adb -d shell
  • ls /data
  • Check Suggested Readings

Android Forensics (cont’d)

  • Investigators need to bypass the security lock of the suspected Android device found at the crime scene to analyse the evidence
  • Some of the tools that can be used are: DroidKit and Dr.Fone

Android Forensics (cont’d)

  • Oxygen Forensics Extractor can be used to extract, decode and analyze data from various sources, including mobile devices
  • It also allows cloud data extraction, such as Telegram and WhatsApp
  • It also provides comprehensive analysis through log files, messages, etc

Introduction to Internet of Things (IoT) Forensics

  • Internet of Things (IoT)
    • The number of devices that connect to the Internet is higher than the amount of people
  • Evolution from Internet of Thing (IoT) to Internet of Everything (IoE) to Internet of Anything (IoA)
  • IoA includes cars, homes, pets, livestock, and applications for making all these things work together
  • Eventually will include 5G smart devices
  • 5G devices categories: (by 3GPP)
    • enhanced Mobile Broadband (eMBB)
    • Ultra-reliable and Low-latency Communications (uRLLC)
    • massive Machine Type Communications (mMTC)

IoT Architecture & IoT Security Issues

  • IoT Architecture includes various layers:
    • Application Layer
    • Middleware Layer
    • Internet Layer
    • Access Gateway Layer
    • Edge Technology Layer
  • Potential IoT vulnerabilities include
    • No automatic security updates
    • Improper communications and encryption
    • Lack of secure storage and authentication
    • No encryption of storage
    • Insecure web interface, insufficient privacy protection, etc.
  • IoT Security Issues
    • Validation of the input
    • Network and update issues
    • Insecure API & channels
    • Insecure storage

IoT Architecture & IoT Security Issues (cont’d)

  • The IoT critical areas that the attackers could breach may include
    • Device firmware & mobile application
      • Encryption keys, information disclosure, weak passwords
    • Device memory
      • Clear-text credentials
    • Device physical interface & network services
      • Removal of storage media, injection and DoS attack
    • Local data storage & Cloud web interface
      • Lack of data integrity and encryption, SQL injection
    • Device web interface & network traffic
      • Cross-site scripting, request forgery and short range
    • Ecosystem access control & communication
      • Weak access control and pushing updates
    • Vendor & TTP backend APIs
      • Weak authentication and location leakage

IoT Architecture & IoT Security Issues (cont’d)

  • IoT devices have limited security protection mechanisms against existing threats
  • Attackers can then exploit these devices to steal data, cause physical damage to the network or launch other disruptive attacks
    • such as DoS, jamming, ransomware, Sybil, man-in-the-middle, replay, side-channel, rolling-code and remote-access attacks

IoT Forensics Process & Challenges

  • IoT sensors for heating, ventilation and air-conditioning (HVAC) systems can get compromised for stealing login credentials (source: https://www.bleepingcomputer.com/news/security/attackers-can-use-hvac-systems-to-control-malware-on-air-gapped-networks/)

IoT Forensics Process & Challenges (cont’d)

  • A jamming attack is a type of attack on IoT sensors where the communication between wireless IoT devices is jammed to compromise the sensors
  • Random radio signals are sent on the same frequency as the sensor nodes
  • The network then gets jammed, making endpoints unable to send or receive data
  • BlueBorne attack is performed on Bluetooth connections to gain full control of the target device
  • Then the attacker can penetrate any corporate network and steal data
  • Attackers can gather basic information using backdoors, such as phishing emails
  • Then gain access to the critical data or internal network

IoT Forensics Process & Challenges (cont’d)

  • Introduction to IoT Forensics
  • In IoT forensics, an investigator needs to gain knowledge of various fields, e.g. cloud, network, and IoT forensics
  • Hence, various devices need to be examined, such as smartphones, smart watches, cloud storage
  • Acquired data needs to be examined to create a timeline of the incidents
  • Standard forensic examination process can include
    • Evidence identification and collection
    • Preservation
    • Analysis
    • Presentation and reporting

IoT Forensics Process & Challenges (cont’d)

  • Smartwatch data acquisition
    • Wearable IoT devices can connect to smartphones or network through Bluetooth, Wi-Fi, GPS and NFC
    • Attackers can access wearable devices to gain sensitive information, e.g. location, PINs, etc
    • This is possible even though the data is stored on the phone or in the online cloud
  • To acquire data from the smartwatch, check
    • Data API; Message API; and Node API
  • Take the image of the data through Image generation & Data analysis
  • Perform Chip-off forensics to extract the physical image and examine the image using forensics tools, e.g. Autopsy
  • Perform logical/physical acquisition using ‘dd’ if you have root access
  • Otherwise use ‘adb pull’ and analyse the image using forensics tools, e.g. Autopsy, SQLite DB Browser, etc.

IoT Forensics Process & Challenges (cont’d)

  • Logical Acquisition of Android Wearable
    • Enable developer options
    • Connect to Wi-Fi and enable Wi-Fi debugging in Settings
    • Check the IP address and use adb connect to establish a connection between the smartwatch and the workstation
    • Perform logical acquisition using adb pull

IoT Forensics Process & Challenges (cont’d)

  • Physical Acquisition of Android Wearable
    • Use Android SDK platform tools to establish connection between forensic workstation and device
    • Use ‘adb devices’ command to select the device
    • Run ‘adb shell’ command to get root shell
    • Acquire image through ‘dd’ command

IoT Forensics Process & Challenges (cont’d)

  • Forensic Examination of Android Wearable Image
    • Any tools can be used to forensically analyse the extracted artifacts, such as Autopsy, Magnet Axiom, IoT Inspector, NetOdin3, MD-NEXT
    • Important files to be checked include
      • Log files, database logs, media files, cache files, application files, etc
      • e.g. downloads.db, contacts2.db, profile.db, calendar.db, config.db, bt_did.conf, etc

IoT Forensics Process & Challenges (cont’d)

  • Hardware Level Analysis
    • When access cannot be gained through software-level methods
    • Then, the investigator can acquire and examine data at the hardware level
    • The investigator can perform data acquisition of the memory chip in JTAG forensics
    • The investigator can read the chip through memory chip extraction in chip-off forensics
      • Needs special equipment to extract data and acquire an image from the memory chip
      • Can be used on damaged or working devices

Summary

  • People store a wealth of information on smartphones, including calls, text messages, picture and music files, address books, and more
  • Mobile devices have gone through four generations: analog, digital personal communications service (PCS), third-generation (3G), and fourth-generation (4G)
  • 5G standards are being negotiated and developed by the IMT 2020 working group of the International Telecommunication Union

Summary (cont’d)

  • Mobile devices range from basic, inexpensive phones used primarily for phone calls to smartphones
  • Data can be retrieved from several different places in phones
  • Use of personal digital assistants (PDAs) has declined due to the popularity of smartphones
  • As with computers, proper search and seizure procedures must be followed for mobile devices
  • To isolate a mobile device from incoming messages, you can put it in airplane mode, turn the device off, or place it in a specially treated paint can or evidence bag

Summary (cont’d)

  • SIM cards store data in a hierarchical file structure
  • Mobile device forensics is becoming more important as these devices grow in popularity
  • Many software tools are available for reading data stored in mobile devices
  • The Internet of Things (IoT) has resulted in yet another challenge for digital forensics investigators
  • Collecting information from wearable computers will pose many new challenges for investigators

Summary (cont’d)

  • IoT devices are easy targets for attackers due to various vulnerabilities
  • Attackers can use IoT devices as access points to access the internal network of any organisation
  • IoT threats could include DDoS attack, Jamming attack, BlueBorne attack, Ransomware attack, etc
  • To perform IoT forensic investigations, the investigator might need to perform logical or physical data acquisition
  • The IoT data examination can be done through available forensic tools, e.g. Autopsy, Magnet Axiom, etc