Mobile Forensics Lecture Notes

Mobile Forensics

  • Mobile forensics deals with the acquisition and recovery of evidence from mobile devices.
  • Not following proper procedure during the examination can result in loss or damage of evidence or render it inadmissible in court.
  • When seizing a cell phone, it's advisable to disconnect it from the network to prevent data alterations.
  • The fact that data on a mobile platform can be accessed, stored, and synchronized across multiple devices is a challenge for a qualified digital forensic examiner.
  • Modern mobile platforms contain built-in security features to protect user data and privacy.
  • Mobile platform security features can pose hurdles to forensic acquisition and examination.
  • One of the fundamental rules in forensics is to ensure that data on the device is not modified.
  • It is particularly challenging to prevent data modification during a mobile device forensic examination.
  • Even if the mobile device is password protected, the forensic examiner may not always be able to gain access to the device contents.
  • There isn't a universally well-established standard process for mobile forensics.
  • According to NIST (National Institute of Standards and Technology), chain of custody refers to a process that tracks the movement of evidence through its collection, safeguarding, and analysis life cycle by documenting each person who handled the evidence, date and time it was collected or transferred, and purpose of the transfer.
  • Removable storage media (SD cards) should be removed and processed using traditional forensic technology, and also acquired while in the mobile device, to ensure all data is acquired.
  • During the verification phase of the mobile phone evidence extraction process, all image files should be hashed after acquisition to ensure that data remains unchanged.
  • Archiving the data extracted from a mobile phone is an important part of the overall process.
  • Google Android is a Linux based operating system that is open source.
  • Apple iOS is not a Linux like operating system and it is proprietary.
  • The Microsoft Windows Phone operating system is neither Linux based nor non-proprietary.
  • A manual extraction of a cellular device needs to be documented by photographing the process.
  • Most digital forensic tools provide a logical analysis of a mobile device.
  • A physical extraction provides deleted files from unallocated space.
  • Three main types of forensic acquisition methods for mobile phones are physical acquisition, logical acquisition, and cognitive acquisition.
  • Securing the evidence by isolating the phone from the network is always a good idea.
  • Preserving the evidence by working on copies not the original is always a good policy.
  • A forensic hash is used to ensure the integrity of an acquisition by calculating a cryptographically strong and non-reversible value of an image/data.
  • Reporting is the process of preparing a detailed summary of all the steps taken and conclusions reached as part of an examination.
  • In your forensic report always list the tools you used to acquire the data and include the software version of the tool you used.
  • Forensically sound is a term used extensively in the digital forensics community to qualify and justify the use of a particular forensic technology or methodology.
  • Documentation of the process of acquisition is an important element of a forensically sound process.
  • Mobile phones are dynamic systems that present a lot of challenges for us in extracting and analyzing digital evidence.
  • All methods used when extracting data from mobile devices should be tested, validated, and documented.
  • The 4th Amendment prevents any search or seizure by a government agent without a proper search warrant.
  • The Legal authority needs to be verified before any examination can be conducted.
  • During the processing phase of the mobile phone evidence extraction process, the device should be acquired using a tested method that is repeatable and is forensically sound.
  • A physical acquisition is the preferred method of data acquisition.
  • The forensic examiner is required to document, throughout the examination process, everything related to what was done during acquisition and examination.
  • The Android operating system is the world’s most widely used operating system for cellular devices.
  • A physical extraction also referred to as a hex dump is achieved by connecting a device to a forensic workstation and pushing unsigned code or a boot loader onto the device.
  • A physical acquisition of a mobile device is a bit by bit copy of the physical storage and the entire filesystem.
  • A logical acquisition of a mobile device is about extracting logical storage objects such as files and directories that reside on a filesystem.
  • Authentic evidence is evidence that is tied to the incident in a relevant way to prove something.
  • Reliable evidence is evidence collected from a device that can be reproduced.
  • The 4 main categories of the mobile forensics process are Seizure, Acquisition, Examination, and Reporting.
  • Various mobile device operating systems include iOS, Android, Blackberry, and Windows.
  • The 9 steps of the mobile phone evidence extraction process are Intake, Identification, Preparation, Isolation, Processing, Verification, Documentation, Reporting, and Archiving.
  • The 2 types of legal authority are Search Warrant and Consent.
  • The 3 main operating systems that dominate the cellular device market are Android, iOS and Windows.
  • Data on a mobile phone can be found in the SIM Card, External storage card and Phone Memory.
  • 5 common areas of potential evidence that apply to digital forensics are Address Book, SMS, MMS, Photos and Videos.
  • 5 general rules of evidence that apply to digital forensics are Admissible, Authentic, Complete, Reliable and Believable.
  • If you have obtained a search warrant for a mobile device but forgot to include the digital media element to be searched for in the search warrant, you cannot search for digital media like photos and videos because the elements need to be listed on the search warrant or they can be ruled inadmissible in court.
  • The introduction of the iPhone has redefined the entire world of mobile computing.
  • Before examining an iPhone, it is necessary to identify the correct hardware model and the firmware version installed on the device.
  • The current file system used in an iPhone is APFS.
  • Four of the seven main features of the Apple APFS file system are Clones, Snapshots, Space Sharing and Encryption.
  • In the default iOS disk layout, the filesystem is configured as two logical disk partitions: the system (root or firmware) partition and the user data partition.
  • The System Partition contains the OS and all of the preloaded applications used with the iPhone.
  • The user data partition contains all the user-created data, ranging from music and contacts to third-party application data.
  • 5 types of security Apple iOS has implemented on iOS devices are Passcodes, Closed-Source, Proprietary, End-to-end encryption and Passcode security.
  • Jailbreaking is the process of removing limitations imposed by Apple’s mobile OS through the use of software and hardware exploits. Jailbreaking permits unsigned code to run and gain root access on the OS.
  • The three operating modes of iOS device are Normal Mode, Recovery Mode and Device Firmware Update Mode.
  • Most regular activities (calling, texting, etc.) that are performed on an iPhone will be run in Normal mode.
  • In a criminal investigation, a search warrant can be obtained to seize a computer that belongs to a suspect in order to access the Apple backup and lockdown certificates.
  • iTunes uses Apple’s proprietary synchronization protocol to copy data from the iOS device to a computer.
  • iTunes is configured to automatically initiate the synchronization process once the iOS device is connected to the computer.
  • iTunes backup only copies music, pictures and video files.
  • The Manifest.plist contains details on applications, build version, device and display name, GUID, ICCID, IMEI, MEID, last backup date, phone number.
  • The IMEI stands for International Mobile Equipment Identity.
  • The manifest.db is an SQLite database that contains a list of all the files and folders extracted from the iPhone via the backup mechanism.
  • iCloud allows all users to wirelessly and automatically back up their iOS device to iCloud.
  • iCloud can automatically back up your data when your phone is plugged in, locked, and connected to WiFi. That is to say, iCloud backups represent a fresh and near-real-time copy of information stored on the device, as long as space is available to create a current backup.
  • To extract a backup from iCloud, you need to know the user’s Apple ID and password.
  • The two types of timestamps found on an iOS device are Unix Timestamp and Mac absolute time format.
  • SQLite is an open source, in-process library that implements a self-contained, zero-configuration, and transactional SQL database engine.
  • Key artifacts that are important iOS database files are Address book contacts, Address book images, and Call history.
  • Five of the key artifacts - important iOS database files that can be extremely useful in an investigation are Messages, Calendar, Contacts, Safari and Call history.
  • A Property list, commonly referred to as a plist, is a structured data format used to store, organize, and access various types of data on an iOS device as well as a macOS device.
  • Most commercial forensic tools include great support for parsing plist files.
  • Four of the five other important files or valuable sources of information in an examination are Deleted files, Cloud storage, Settings and Hidden files.
  • Every photo stored in the DCIM folder contains Exchangeable Image File Format data.
  • EXIF stands for Exchangeable Image File Format.
  • Third-party applications that are downloaded and installed from the App Store may contain information that is useful for an investigation.
  • An examiner must not only know how to use forensic tools but must also understand the methods and acquisition techniques that are deployed by the tools used in their investigations.
  • Cellebrite Universal Forensic Extraction Device (UFED) empowers law enforcement, anti-terrorism, and security organizations to capture critical forensic evidence from mobile phones, smart phones, PDAs, and portable handset varieties, including updates for newly released models.
  • Cellebrite enables forensically sound data extraction, decoding, and analysis techniques to obtain existing and deleted data from different mobile devices.
  • Forensically sound means Tested and Validated.
  • One key feature of Cellebrite is that it dumps the raw filesystem partition so that it can be imported and examined in another forensic tool.
  • Magnet Axiom can be used for mobile forensics; the recent version of the suite introduced its newest feature, cloud forensics.
  • Magnet Axiom can be used for both logical and filesystem acquisitions and supports all iOS versions - from the oldest to the latest.
  • One of the favorite features of Magnet Axiom is its ability to start processing extraction data on the fly so that you don’t have to wait for the acquisition process to be finished to start your forensic analysis.
  • Grayshift’s GrayKey software provides comprehensive access, incredible speed, retrieves critical data, provides chain of custody reporting, and offers reliable brute force passcode cracking, for iOS devices only.
  • Belkasoft supports damaged iTunes backups.
  • You should always take further steps to validate and understand each tool that might be used as part of an investigation.
  • An understanding of the underlying components of a mobile device will help you understand what data can be acquired, where the data is stored, and what methods can be used to access the data from that device.
  • Since the iPhone 5, there is no method or tool available to physically recover data from an iPhone, unless it is jailbroken. A logical acquisition can be obtained if the iPhone is unlocked.
  • APFS file system uses Journaling by default.
  • APFS is a new filesystem for iOS, macOS, watchOS, it is a 64-bit filesystem and supports over 9 quintillion files on a single volume.
  • Jailbreaking an iOS device allows the user root access to the device, but voids the manufacturer warranty.
  • The most common reason for jailbreaking is to expand the limited feature set imposed by Apple’s App Store and to install unapproved apps.
  • Android is a Linux-based mobile operating system developed for touchscreen mobile devices.
  • All versions of Android have had a Full Disk Encryption (FDE) mechanism to store data in an encrypted format within the device. FDE makes data extraction difficult for a forensic examiner.
  • With each Android version update, more and more security features, such as app permissions, trusted execution environment (TEE), and secure kernel, have been added to improve the security of the platform overall but at the same time complicate the process of data extraction.
  • Android is currently the most popular mobile operating system designed to power mobile devices.
  • The Unix kernel is responsible for managing the core functionality of Android, such as process management, memory management, security, and networking.
  • All the applications that you install on the Android device are written in the Java programming language.
  • The Java API Framework (application framework) is the layer responsible for handling the basic functioning of a phone.
  • Android was designed with a specific focus on security. Android as a platform offers and enforces certain features that safeguard the user data present on the mobile device through multilayered security.
  • The Linux kernel automatically brings some of its inherent security features, such as a user-based permissions model, isolation of running processes (application sandbox), and secure inter-process communication (IPC).
  • The permission model allows the user to provide Android applications permission to access sensitive functionality - such as the internet, dialer, and so on.
  • Flash memory is a type of constantly powered non-volatile memory (NVM) that retains data in the absence of a power supply.
  • To obtain access to the device, you must be able to enable settings or bypass them in order to allow the data to be extracted from the Android device.
  • Forensic acquisition of any device should be conducted on a forensically sterile workstation. This means that the workstation is strictly used for forensics and not for personal use.
  • Chip-off technique involves using advanced data acquisition techniques, which involve connecting to specific ports on the device and instructing the processor to transfer the data stored on the device. By using this method, a full physical image can be acquired.
  • Joint Test Action Group (JTAG) is a technique where the NAND flash chips are removed from the device and examined to extract information.
  • The chip-off technique usually results in the destruction of the device.
  • Data recovery is one of the most significant and powerful aspects of forensic analysis.
  • Data recovery is the process of retrieving deleted data from a device when it cannot be accessed normally.
  • Deleted data will always be recovered from an Android device.
  • Place the device in airplane mode or disable all connectivity options on the device. This prevents the delivery of any new SMS messages.
  • When text messages or any other files are deleted from the device, they are just made invisible to the user, but the files are still present on the device. The files are simply marked for deletion, but they reside on the filesystem until being overwritten.
  • SD cards can be mounted as an external mass storage device and forensically acquired using standard digital forensic techniques.
  • Recovering files that are deleted from an Android device’s internal memory (SMS, contacts, app data, etc.) is not supported by all analytical tools and may require manual carving.
  • Data related to text messages, emails, and certain app data is stored in SQLite files.
  • Commercial tools that recover deleted data scan the unallocated blocks and free blocks of SQLite pages.
  • The header-footer carving method relies on recovering files based on their header and footer information.
  • Apps such as Facebook, WhatsApp, Skype, and so on are widely used these days, and they are often the source of valuable data that aids in cracking a case.
  • On Android, everything the user interacts with is an application.
  • Analyzing the app may provide information about the location details of the user, their communications with others, and more.
  • The Google Play Store is more likely to provide apps that are infected with malware than Apple’s App Store.
  • Android, as an open-source operating system, releases its code under Apache License, one of the many open-source licenses. This means anyone (especially device manufacturers) can access it, freely modify it, and use the software according to the requirements of any device. This is one of the primary reasons for its wide acceptance.
  • Three of the notable players that use Android are Samsung, HTC, and Sony.
  • The two types of applications in an Android OS are Pre-Installed Applications and User-Installed Applications.
  • Data extraction techniques on an Android device can be classified into three types: Manual, Logical, and Physical.
  • SD cards are capable of storing valuable information for an investigation. Four types of items that can be found on an SD card are Photos, Videos, Application Data, and Documents.
  • The Android Linux Kernel layer contains drivers for Audio, Binder, Display, Keypad, Bluetooth, USB, WiFi, Camera, and Shared Memory.
  • Security-Enhanced Linux (SELinux) on Android uses Mandatory Access Control (MAC), which ensures that applications work in isolated environments.
  • Rooting is the process of gaining privileged access on an Android device.
  • The Filesystem refers to the way data is stored, organized, and retrieved from a volume.
  • exFAT is a Microsoft proprietary file system that was created to be used on flash drives such as USB memory sticks and SD cards.
  • The Android debug bridge (ADB) is a command-line tool that allows you to communicate with the Android device and control it.
  • Logical data extraction techniques extract the data present on the device by interacting with the operating system and accessing the filesystem.
  • During the course of an investigation, you may be asked to retrieve the text messages that were sent and delivered to a particular mobile device. The data can be found in the mmssms.db file.
  • The device should be rooted to obtain an image of an Android device.
  • SD cards typically use the exFAT file system to overcome size limitations.
  • When the SD card uses MTP/PTP and is not mounted as a drive, the recovery can be done by certain Android-specific data recovery tools that need the USB debugging option to be turned on.
  • File Carving is the process of reassembling computer files from fragments in the absence of filesystem metadata.
  • For JPEG files, the file header starts with 0xFFD8 and the file ends with 0xFFD9.
  • All applications store their data in the /data/data folder by default.
  • The history.db file contains the user’s web history, stored in various tables.
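The header-footer carving rule above (JPEG data between 0xFFD8 and 0xFFD9) and the rule that acquired data is hashed for verification, worked through as an added Python example that is not part of the original notes. It goes one step beyond the notes by handling a JPEG that embeds an EXIF thumbnail (a nested 0xFFD8..0xFFD9 pair), and it runs over a constructed byte buffer standing in for unallocated space, not a real image.

```python
import hashlib

# JPEG markers from the notes: header 0xFFD8 (start of image), footer 0xFFD9 (end of image).
JPEG_HEADER = b"\xff\xd8"
JPEG_FOOTER = b"\xff\xd9"


def carve_jpegs(data: bytes, max_size: int = 10 * 1024 * 1024) -> list:
    """Return (offset, bytes) for every complete JPEG found in raw data.

    A JPEG carrying an EXIF thumbnail contains a second 0xFFD8..0xFFD9 pair
    inside it, so cutting at the first footer would truncate the picture.
    Markers are tracked with a depth counter so nested images stay intact.
    """
    carved = []
    i, n = 0, len(data)
    while i < n - 1:
        start = data.find(JPEG_HEADER, i)
        if start == -1:
            break
        depth, j, end = 0, start, -1
        while j < n - 1 and j - start <= max_size:
            marker = data[j:j + 2]
            if marker == JPEG_HEADER:
                depth += 1
                j += 2
            elif marker == JPEG_FOOTER:
                depth -= 1
                j += 2
                if depth == 0:
                    end = j
                    break
            else:
                j += 1
        if end == -1:
            i = start + 2  # header without a footer: skip it and keep scanning
            continue
        carved.append((start, data[start:end]))
        i = end
    return carved


def carve_and_hash(data: bytes) -> list:
    """Carve JPEGs and record a SHA-256 per file, as the verification step requires."""
    return [
        {"offset": off, "size": len(blob), "sha256": hashlib.sha256(blob).hexdigest()}
        for off, blob in carve_jpegs(data)
    ]


# Constructed sample "unallocated space" (not a real image): one JPEG with an
# embedded thumbnail, filler bytes, a second JPEG, then an orphan header.
SAMPLE = (
    b"\x00" * 16
    + JPEG_HEADER + b"\xff\xe1" + JPEG_HEADER + b"thumb" + JPEG_FOOTER + b"main" + JPEG_FOOTER
    + b"\x00" * 8
    + JPEG_HEADER + b"second" + JPEG_FOOTER
    + b"\xff\xff" + JPEG_HEADER + b"tail"
)

if __name__ == "__main__":
    for rec in carve_and_hash(SAMPLE):
        print(rec)
```

On the sample this yields two carved files (offsets 16 and 43) and ignores the trailing header that has no footer; the hashes are what the verification phase would record alongside each carved file.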