Unit8Ch11.pdf

© 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

System Forensics, Investigation, and Response

Lesson 11 Mobile Forensics

Learning Objective

§ Summarize various types of digital forensics.

Key Concepts

§ Mobile device concepts
§ Evidence that can be obtained from a mobile device
§ How to seize evidence from a mobile device

Cellular Device Concepts

• Mobile switching center (MSC): The switching system for the cellular network
• Base transceiver station (BTS): The part of the cellular network responsible for communications between the mobile phone and the network switching system
• Home location register (HLR): A database used by the MSC that contains subscriber data and service information

Cellular Device Concepts (Cont.)

• Subscriber identity module (SIM): A memory chip that stores the International Mobile Subscriber Identity (IMSI)
• Electronic serial number (ESN): A unique identification number developed by the U.S. Federal Communications Commission (FCC) to identify cell phones
• Personal unlocking code (PUK): A code used to reset a forgotten PIN

Network: Cellular

• GSM (2G)
• EDGE (2G+)
• UMTS (3G)
• LTE (4G)

Wi-Fi

§ Most cellular phones and other mobile devices can connect to Wi-Fi networks
§ Free Wi-Fi hotspots in restaurants, coffee shops, hotels, homes, and many other locations

Operating Systems

iOS
• iPhone
• iPad
• iPod

Android
• Samsung Galaxy
• Many more

Windows 8
• Microsoft Mobile/Nokia

Blackberry 10
• Blackberry

iOS

§ Derived from OS X
§ Interface based on touch and gestures
§ In normal operations, iOS uses HFS+ file system
§ Can use FAT32 when communicating with a PC

iOS (Cont.)

§ Four layers:
• Core OS layer: The heart of the operating system
• Core Services layer: Where applications interact with the iOS
• Media layer: Responsible for music, video, and so on
• Cocoa Touch layer: Responds to gestures

iOS (Cont.)

§ Contains several elements in data partition:
• Calendar entries
• Contacts entries
• Note entries
• iPod_control directory (hidden)
• iTunes configuration
• iTunes music
§ iPod_control\device\sysinfo folder contains model number and serial number

Android

§ Linux-based operating system, completely open source
§ First released in 2003
§ Versions of Android named after sweets, such as Version 4.1–4.2 Jelly Bean and Version 7.0 Nougat
§ Similarity across versions
• Can perform similar forensic examinations on different versions

Windows

• 1996: Windows CE
• 2008: Windows Phone
• 2010: Windows Phone 7
• 2015: Windows 10 Mobile

Blackberry 10

§ Based on QNX operating system
§ Supports major features similar to other mobile phones
• Drag and drop
• Gestures

Evidence You Can Get from a Cell Phone

• Call history
• Emails, texts, and/or other messages
• Photos and video
• Phone information
• GPS information
• Network information

Mobile Device States

• Nascent
• Active
• Semi-active
• Quiescent

Rules for Seizing Evidence from a Mobile Device

§ If you plug device into a computer, make sure device does not synchronize with the computer
§ Touch evidence as little as possible
§ Document what you do to the device
§ Don't accidentally write data to the mobile device
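As an added example (not from the textbook), the Python script below shows how an examiner can act on two of these rules, "document what you do" and "don't accidentally write data", once an image of the device has been acquired: hash the image at acquisition, append a timestamped log entry for every action taken, and re-hash afterwards to prove the working copy was never modified. The image contents, the examiner identifier and the log layout are constructed placeholders for illustration.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so a multi-gigabyte device image never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:  # read-only: the evidence copy is never opened for writing
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def record_action(log, action, path, examiner="EXAMINER-ID-PLACEHOLDER"):
    """Append one contemporaneous note: who did what, when, and the image hash at that moment."""
    entry = {
        "time_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,  # placeholder; a real log carries the examiner's actual identity
        "action": action,
        "image": os.path.basename(path),
        "sha256": sha256_file(path),
    }
    log.append(entry)
    return entry


def verify_unchanged(log, path):
    """True if the image still hashes to the value recorded at acquisition (first log entry)."""
    return log[0]["sha256"] == sha256_file(path)


def demo():
    """Run the workflow on a constructed image and return (ok_after_exam, ok_after_write, log)."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "device-image.bin")
        with open(image, "wb") as f:
            f.write(b"constructed sample image contents\x00" * 1024)  # constructed, not real data

        log = []
        record_action(log, "acquired image from device", image)
        record_action(log, "opened image read-only for examination", image)
        ok_after_exam = verify_unchanged(log, image)  # expected True: nothing wrote to it

        # Simulate the mistake the slide warns about: something appended a byte to the copy.
        with open(image, "ab") as f:
            f.write(b"\x01")
        ok_after_write = verify_unchanged(log, image)  # expected False: hash no longer matches

        return ok_after_exam, ok_after_write, log


if __name__ == "__main__":
    before, after, actions = demo()
    print(json.dumps(actions, indent=2))
    print("unchanged after examination:", before, "| unchanged after stray write:", after)
```

The log is kept as plain JSON so it can be attached to the case file; the value of the approach is that any later question about whether the examiner altered the image is answered by comparing the recorded hash against a fresh one.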

Mobile Device Forensic Products

• Oxygen Forensics
• Cellebrite
• MOBILedit
• Data Doctor
• Device Seizure
• Forensic SIM Cloner

The iPhone: Seizing Evidence

§ iPhone has four-digit PIN
• 10,000 possible combinations of the digits 0–9
§ Can use automated process to break iPhone passcode, such as XRY
§ Tools specifically for iOS devices:
• Pwnage
• Recover My iPod

The iPhone: Seizing Evidence (Cont.)

§ If forensic workstation has iTunes:
• Plug iPhone (or iPad/iPod) into the workstation
• Use iTunes to extract information about the device

Apple iPhone iTunes Display (screenshot reprinted with permission from Apple Inc.)

Seizing Evidence from an iPhone

§ Information from a device image:
• Library_CallHistory_call_history.db
  - Contains entire call history
• Library_Cookies_Cookies.plist
  - Contains cookies
  - Gives you a history of the phone user's Internet activities

Seizing Evidence from an iPhone

§ Information from a device image:
• Library_Preferences_com.apple.mobileipod.plist
• Library_Preferences_com.apple.mobileemail.plist
  - Gives you information about email sent and received from the phone
• Library_Preferences_com.apple.mobilevpn.plist
  - Indicates if user used device to communicate over a VPN
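The two slides above name artifacts of two kinds: an SQLite database (call_history.db) and property lists (Cookies.plist and the com.apple.* preference files). As an added example that is not part of the textbook, the Python script below builds small constructed copies of a call-history database and a cookies plist, then parses them the way an examiner would from an image: the database is opened read-only, each call is turned into a timestamped record, and the cookies are grouped by domain to give the Internet-activity history the slide describes. The table schema, the flag values meaning incoming/outgoing, the Unix-epoch timestamps and the cookie dictionary keys are all assumptions made for this example, not a copy of Apple's real layout; the Preferences plists are read with the same plistlib call.

```python
import os
import plistlib
import sqlite3
import tempfile
from datetime import datetime, timezone

# Constructed stand-in for the call table (assumption): column names, the epoch-seconds
# "date" column and these two flag values are illustrative, not Apple's actual schema.
FLAG_INCOMING = 4
FLAG_OUTGOING = 5


def build_sample_call_history(path):
    """Create a small constructed call_history.db so the example runs offline."""
    con = sqlite3.connect(path)
    con.execute(
        "CREATE TABLE call (id INTEGER PRIMARY KEY, address TEXT, "
        "date INTEGER, duration INTEGER, flags INTEGER)"
    )
    rows = [  # constructed sample calls
        ("+15550100", 1546300800, 120, FLAG_OUTGOING),  # 2019-01-01 00:00:00 UTC
        ("+15550111", 1546304400, 0, FLAG_INCOMING),    # missed call: zero duration
        ("+15550100", 1546308000, 45, FLAG_INCOMING),
    ]
    con.executemany("INSERT INTO call (address, date, duration, flags) VALUES (?, ?, ?, ?)", rows)
    con.commit()
    con.close()


def read_call_history(path):
    """Read every call from the database without writing to it (read-only URI open)."""
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        cur = con.execute("SELECT id, address, date, duration, flags FROM call ORDER BY date")
        calls = []
        for row_id, address, date, duration, flags in cur:
            calls.append({
                "id": row_id,
                "number": address,
                "time_utc": datetime.fromtimestamp(date, tz=timezone.utc).isoformat(),
                "duration_s": duration,
                "direction": "outgoing" if flags == FLAG_OUTGOING else "incoming",
                "answered": duration > 0,
            })
        return calls
    finally:
        con.close()


def build_sample_cookies_plist():
    """Constructed Cookies.plist: an array of cookie dictionaries serialised as a binary plist."""
    cookies = [  # keys are an assumption for this example
        {"Domain": ".example.com", "Name": "session", "Value": "abc123", "Path": "/", "Created": 1546300800},
        {"Domain": ".example.com", "Name": "prefs", "Value": "lang=en", "Path": "/", "Created": 1546300900},
        {"Domain": ".news.example.org", "Name": "uid", "Value": "42", "Path": "/", "Created": 1546301000},
    ]
    return plistlib.dumps(cookies, fmt=plistlib.FMT_BINARY)


def read_cookie_history(plist_bytes):
    """Group cookie names by domain: which sites the user's browser interacted with."""
    cookies = plistlib.loads(plist_bytes)  # handles both binary and XML plists
    by_domain = {}
    for cookie in cookies:
        by_domain.setdefault(cookie["Domain"], []).append(cookie["Name"])
    return by_domain


def demo():
    """Build the constructed artifacts in a temp dir, parse them, and return (calls, cookies)."""
    with tempfile.TemporaryDirectory() as tmp:
        db_path = os.path.join(tmp, "call_history.db")
        build_sample_call_history(db_path)
        calls = read_call_history(db_path)
    cookies = read_cookie_history(build_sample_cookies_plist())
    return calls, cookies


if __name__ == "__main__":
    calls, cookies = demo()
    for c in calls:
        print(f"{c['time_utc']}  {c['direction']:8s} {c['number']}  {c['duration_s']}s  answered={c['answered']}")
    for domain, names in cookies.items():
        print(domain, names)
```

Opening the database with `mode=ro` matters even when working from an image copy: SQLite will otherwise create journal files beside the database on first write, which changes the directory listing of the evidence copy.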

Seizing Evidence from an iPhone

§ Deleted files
• When a file is deleted on iPhone/iPad/iPod, it is moved to the .Trashes\501 folder
• Data exists until overwritten

Seizing Evidence from a Blackberry

§ Download and install BlackBerry Desktop Manager
§ Steps to create complete backup image:
1. Open BlackBerry's Desktop Manager. Click Options, then Connection Settings.
2. If the Desktop Manager hasn't already done so, select USB-PIN: Device # for connection type. Click OK.

Seizing Evidence from a Blackberry (Cont.)

3. Select Backup and Restore.
4. Click the Back Up button for a full backup of the device or use the Advanced section for specific data.
5. Select your destination (such as workstation) and save the .ipd file.
6. Examine data and perform a forensic analysis.

JTAG

§ Joint Test Action Group (JTAG)
§ An Institute of Electrical and Electronics Engineers (IEEE) standard for testing chips
§ Test access points (TAPs) used to directly access the chip and extract data
§ Forensic examiner takes back off of phone, and then connects wires by soldering or by using some other means to the TAPs of the phone's memory chip
§ Wires also connected to a JTAG device that uses software to extract the data directly from the memory chip

Summary

§ Mobile device concepts
§ Evidence that can be obtained from a mobile device
§ How to seize evidence from a mobile device