forensic3e_ppt_ch11.pptx

System Forensics, Investigation, and Response

Lesson 11

Mobile Forensics

© 2019 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.


Learning Objective

Summarize various types of digital forensics.


Key Concepts

Mobile device concepts

Evidence that can be obtained from a mobile device

How to seize evidence from a mobile device


Cellular Device Concepts


A mobile switching center (MSC) is the switching system for the cellular network. MSCs are used in 1G, 2G, 3G, and Global System for Mobile (GSM) communications networks. You will learn about 3G and GSM networks later in this section. The MSC processes all the connections between mobile devices and between mobile devices and landline phones. The MSC is also responsible for routing calls between base stations and the public switched telephone network (PSTN).

The base transceiver station (BTS) is the part of the cellular network responsible for communications between the mobile phone and the network switching system. The base station system (BSS) is a set of radio transceiver equipment that communicates with cellular devices. It consists of a BTS and a base station controller (BSC). The BSC is a central controller coordinating the other pieces of the BSS.

The home location register (HLR) is a database used by the MSC that contains subscriber data and service information. It is related to the visitor location register (VLR), which is used for roaming phones.

7/3/2017


Mobile switching center (MSC)

The switching system for the cellular network

Base transceiver station (BTS)

The part of the cellular network responsible for communications between the mobile phone and the network switching system

Home location register (HLR)

A database used by the MSC that contains subscriber data and service information

Cellular Device Concepts (Cont.)


The subscriber identity module (SIM) is a memory chip that stores the International Mobile Subscriber Identity (IMSI). It is intended to be unique for each phone and is what you use to identify the phone. Many modern phones have removable SIMs, which means you could change out the SIM and essentially have a different phone with a different number.

A SIM card contains its unique serial number—the ICCID—the IMSI, security authentication, and ciphering information. The SIM will also usually have network information, services the user has access to, and two passwords. Those passwords are the personal identification number (PIN) and the personal unlocking code (PUK).

Electronic serial numbers (ESNs) are unique identification numbers developed by the United States Federal Communications Commission (FCC) to identify cell phones. They are now used only in code division multiple access (CDMA) phones, whereas GSM and later phones use the International Mobile Equipment Identity (IMEI) number. The first 8 bits of the ESN identify the manufacturer, and the subsequent 24 bits uniquely identify the phone. The IMEI is used with GSM and Long Term Evolution (LTE) as well as other types of phones.

The personal unlocking code (PUK) is a code used to reset a forgotten PIN. Using the code returns the phone to its original state, causing loss of most forensic data. If the code is entered incorrectly 10 times in a row, the device becomes permanently blocked and unrecoverable.

Each SIM is identified by its integrated circuit card identifier (ICCID). These numbers are engraved on the SIM during manufacturing. This number has subsections that are very important for forensics. This number starts with the issuer identification number (IIN), which is a seven-digit number that identifies the country code and issuer, followed by a variable-length individual account identification number to identify the specific phone, and a check digit.
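An added example, not code from the lesson, that parses the identifiers described above: it splits an ICCID into the seven-digit IIN, the variable-length account number and the check digit, verifies the check digit with the Luhn algorithm that ICCIDs use, and splits a 32-bit ESN into its 8-bit manufacturer code and 24-bit serial. The sample ICCID and ESN are constructed values, and the leading "89" test is the ISO 7812 telecom industry identifier, which the lesson does not mention.

```python
"""Parse SIM (ICCID) and CDMA handset (ESN) identifiers; added example, not from the book."""
from dataclasses import dataclass


def luhn_valid(digits: str) -> bool:
    """Luhn check (ISO/IEC 7812) as used by ICCIDs: the last digit is the check digit."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit counting from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Iccid:
    iin: str      # issuer identification number (7 digits, as the lesson states)
    account: str  # variable-length individual account identification number
    check: str    # Luhn check digit


def parse_iccid(raw: str) -> Iccid:
    """Split an ICCID into IIN / account / check digit and validate it.

    Raises ValueError on malformed input so a mistyped number is caught
    before it is written into an evidence log.
    """
    digits = raw.replace(" ", "")
    if not (19 <= len(digits) <= 20) or not digits.isdigit():
        raise ValueError(f"ICCID must be 19-20 digits, got {raw!r}")
    if not digits.startswith("89"):  # 89 = telecom major industry identifier
        raise ValueError("ICCID does not start with the telecom identifier 89")
    if not luhn_valid(digits):
        raise ValueError("ICCID check digit mismatch (transcription error?)")
    return Iccid(iin=digits[:7], account=digits[7:-1], check=digits[-1])


def decode_esn(esn: int) -> tuple:
    """32-bit CDMA ESN: top 8 bits = manufacturer code, low 24 bits = serial."""
    if not 0 <= esn <= 0xFFFFFFFF:
        raise ValueError("ESN must fit in 32 bits")
    return esn >> 24, esn & 0xFFFFFF


if __name__ == "__main__":
    # Constructed sample values, not real subscriber identifiers.
    card = parse_iccid("8901 4103 2111 1185 109")
    print(card)                    # Iccid(iin='8901410', account='32111118510', check='9')
    print(decode_esn(0x2A0001F4))  # (42, 500)
```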


Subscriber identity module (SIM)

A memory chip that stores the International Mobile Subscriber Identity (IMSI)

Electronic serial number (ESN)

A unique identification number developed by the U.S. Federal Communications Commission (FCC) to identify cell phones

Personal unlocking code (PUK)

A code used to reset a forgotten PIN

Network: Cellular


Global System for Mobile (GSM) communications is a standard developed by the European Telecommunications Standards Institute (ETSI). Basically, GSM is the 2G network.

Enhanced Data Rates for GSM Evolution (EDGE) does not fit neatly into the 2G-3G-4G continuum. It is technically considered 2G, but was an improvement on GSM (2G), so it can be considered a bridge between 2G and 3G technologies.

Universal Mobile Telecommunications System (UMTS) is a 3G standard based on GSM. It is essentially an improvement of GSM.

Long Term Evolution (LTE) is a standard for wireless communication of high-speed data for mobile devices. This is what is commonly called 4G.


Figure: 2G (GSM), 2G+ (EDGE), 3G (UMTS), 4G (LTE)

Wi-Fi

Most cellular phones and other mobile devices can connect to Wi-Fi networks

Free Wi-Fi hotspots in restaurants, coffee shops, hotels, homes, and many other locations


Operating Systems


Figure: iOS (iPhone, iPad, iPod); Android (Samsung Galaxy); Windows 8 (Microsoft Mobile/Nokia); Blackberry 10 (Blackberry); many more

iOS

Derived from OS X

Interface based on touch and gestures

In normal operations, iOS uses HFS+ file system

Can use FAT32 when communicating with a PC


iOS

Originally released in 2007 for the iPod Touch and the iPhone. The user interface is based entirely on touching the icons directly. It supports what Apple calls gestures: swipe, drag, pinch, tap, and so on. The iOS operating system is derived from OS X.

In normal operations, iOS uses the HFS+ file system, but it can use FAT32 when communicating with a PC.


iOS (Cont.)

Four layers:

Core OS layer: The heart of the operating system

Core Services layer: Where applications interact with the iOS

Media layer: Is responsible for music, video, and so on

Cocoa Touch layer: Responds to gestures


iOS (Cont.)

Contains several elements in data partition:

Calendar entries

Contacts entries

Note entries

iPod_control directory (hidden)

iTunes configuration

iTunes music

iPod_control\device\sysinfo folder contains model number and serial number


Android

Linux-based operating system, completely open source

First released in 2003

Versions of Android named after sweets, such as Version 4.1–4.2 Jelly Bean and Version 7.0 Nougat

Similarity across versions

Can perform similar forensic examinations on different versions


A Linux-based operating system that is completely open source.

Android source code: http://source.android.com/

First released in 2003

Versions of Android named after sweets, such as Version 4.1–4.2 Jelly Bean and Version 7.0 Nougat

Differences from version to version usually involved adding new features. If you are comfortable with version 1.6 (Donut), you will be able to do forensic examination on version 4.2 (Jelly Bean).

Samsung Galaxy and many other mobile devices run Android


Windows


Windows mobile operating systems

1996: Windows CE

2008: Windows Phone; not compatible with many of the previous Windows Mobile apps

2010: Windows Phone 7

2012: Windows 8

2015: Windows 10 Mobile

Windows 10 (Windows 10 Mobile) is shipped on PCs, laptops, phones, and tablets. This means that once you are comfortable with the operating system on one device, you are going to be able to conduct forensic examinations on other devices running Windows 8 or Windows 10.


Blackberry 10

Based on the QNX operating system

Supports major features similar to other mobile phones

Drag and drop

Gestures


Evidence You Can Get from a Cell Phone


Call history

Emails, texts, and/or other messages

Photos and video

Phone information

GPS information

Network information

Mobile Device States


The National Institute of Standards and Technology (NIST) guidelines list four different states a mobile device can be in when you extract data:

Nascent State—Devices are in the nascent state when received from the manufacturer—the device contains no user data and has its original factory configuration settings.

Active State—Devices that are in the active state are powered on, performing tasks, and able to be customized by the user and have their filesystems populated with data.

Semi-Active State—The semi-active state is a state partway between active and quiescent. The state is reached by a timer, which is triggered after a period of inactivity, allowing battery life to be preserved by dimming the display and taking other appropriate actions.

Quiescent State—The quiescent state is a dormant mode that conserves battery life while maintaining user data and performing other background functions. Context information for the device is preserved in memory to allow a quick resumption of processing when returning to the active state.


Rules for Seizing Evidence from a Mobile Device

If you plug device into a computer, make sure device does not synchronize with the computer

Touch evidence as little as possible

Document what you do to the device

Don’t accidentally write data to the mobile device


If the forensic workstation is a Windows machine, you can use the Windows Registry to prevent the workstation from writing to the mobile device. Before connecting to a Windows machine, find the Registry key HKEY_LOCAL_MACHINE\System\CurrentControlset\StorageDevicePolicies, set the value to 0x00000001, and restart the computer. This prevents that computer from writing to mobile devices that are connected to it.


Mobile Device Forensic Products


Although Forensic Toolkit and EnCase can both image a phone for you, there are other products made specifically for phone forensics:

Oxygen Forensics—A full forensic tool capable of imaging and examining iPhones and Android phones. It provides a number of user-friendly tools for extracting specific data such as contacts, social media data, and the like.

Cellebrite—The most widely known phone forensics tool. Used heavily by federal law enforcement. It is a very robust and effective tool. Downside: the high cost. It is the most expensive phone forensics tool on the market.

MobileEdit—There are several variations of this product. MobileEdit Lite is the most forensically advanced version of MobileEdit. This is a very easy-to-use tool that can aid a forensic examiner in extracting data from cell phones.

Data Doctor—Recovers all Inbox and Outbox (sent message) data and all contact data, and has an easy-to-use interface. It has a free trial version, but there is a cost for the full version.

Device Seizure—Available from Paraben Software. There is a license fee associated with this product. Paraben makes a number of forensic products.

Forensic SIM Cloner—This tool is used to clone SIM cards, allowing you to perform forensic analysis of the SIM card.


The iPhone: Seizing Evidence

iPhone has four-digit pin

10,000 possible combinations of the digits 0–9

Can use automated process to break iPhone passcode, such as XRY

Tools specifically for iOS devices:

Pwnage

Recover My iPod


The iPhone: Seizing Evidence (Cont.)

If forensic workstation has iTunes:

Plug iPhone (or iPad/iPod) into the workstation

Use iTunes to extract information about the device


Apple iPhone iTunes Display

Screenshot reprinted with permission from Apple Inc.


Three important items to document:

1. The iOS version number

2. The phone number (redacted in this figure)

3. The serial number (redacted in this figure)

Notice you can also see where the phone is backed up. That can indicate yet another place you should search during your forensic investigation.


Seizing Evidence from an iPhone

Information from a device image:

Library_CallHistory_call_history.db

Contains entire call history

Library_Cookies_Cookies.plist

Contains cookies

Gives you a history of the phone user’s Internet activities


If you have imaged the phone and you then search for information, you may have to look more closely to find some data:

Library_CallHistory_call_history.db has the entire call history. If you cannot view that directly on the phone itself, the database file has all call information.

Cookies are in the file Library_Cookies_Cookies.plist. This can give you a history of the phone user’s Internet activities.

These, and other files, are actually copied to a PC during synchronization. Here are a few of those files:

Library_Preferences_com.apple.mobileipod.plist

Library_Preferences_com.apple.mobileemail.plist

Library_Preferences_com.apple.mobilevpn.plist

The mobileemail.plist file gives you information about email sent and received from the phone.

The mobilevpn.plist file can indicate if the user has used the phone to communicate over a VPN.
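An added example, not the book's own code, showing how an examiner would pull the call log out of a copy of Library_CallHistory_call_history.db with Python's sqlite3 module, converting the stored timestamps to UTC and summarising which numbers appear most often. The table name, column names and flag meanings are assumptions for this example and must be checked against the actual image; the rows are constructed sample data.

```python
"""Read a copied call_history.db and normalise it; added example, not from the book."""
import sqlite3
from collections import Counter
from datetime import datetime, timezone

# Assumed layout of the older iOS call_history.db 'call' table. Column names
# and flag meanings are assumptions for this example; verify against the image.
SCHEMA = """
CREATE TABLE call (
    ROWID    INTEGER PRIMARY KEY,
    address  TEXT,     -- remote phone number
    date     INTEGER,  -- Unix epoch seconds (assumed)
    duration INTEGER,  -- seconds
    flags    INTEGER   -- assumed: 4 = incoming, 5 = outgoing
);
"""

# Constructed sample rows, not data from any real device.
SAMPLE_ROWS = [
    (1, "+15555550101", 1499040000, 120, 5),
    (2, "+15555550102", 1499043600, 0, 4),
    (3, "+15555550101", 1499047200, 45, 4),
]


def build_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for the copied database so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO call VALUES (?,?,?,?,?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def open_readonly(path: str) -> sqlite3.Connection:
    """Open the evidence copy read-only so the examination itself writes nothing."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def extract_calls(conn: sqlite3.Connection) -> list:
    """Return the call history, oldest first, with ISO-8601 UTC timestamps."""
    direction = {4: "incoming", 5: "outgoing"}
    cur = conn.execute("SELECT ROWID, address, date, duration, flags FROM call ORDER BY date")
    return [
        {
            "rowid": rowid,
            "address": address,
            "time_utc": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
            "duration_s": duration,
            "direction": direction.get(flags, f"flags={flags}"),
        }
        for rowid, address, ts, duration, flags in cur
    ]


def contacts_by_frequency(calls: list) -> list:
    """Most-contacted numbers first: (address, count) pairs."""
    return Counter(c["address"] for c in calls).most_common()


if __name__ == "__main__":
    conn = build_sample_db()  # on a real case: open_readonly("/path/to/copied/call_history.db")
    calls = extract_calls(conn)
    for c in calls:
        print(c)
    print(contacts_by_frequency(calls))
```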


Seizing Evidence from an iPhone

Information from a device image:

Library_Preferences_com.apple.mobileipod.plist

Library_Preferences_com.apple.mobileemail.plist

Gives you information about email sent and received from the phone

Library_Preferences_com.apple.mobilevpn.plist

Indicates if user used device to communicate over a VPN


Seizing Evidence from an iPhone

Deleted files

When a file is deleted on an iPhone/iPad/iPod, it is moved to the .Trashes\501 folder

Data exists until overwritten


Seizing Evidence from a Blackberry

Download and install BlackBerry Desktop Manager

Steps to create complete backup image:

Open BlackBerry’s Desktop Manager. Click Options then Connection Settings.

If the Desktop Manager hasn’t already done so, select USB-PIN: Device # for connection type. Click OK.


Seizing Evidence from a Blackberry (Cont.)

Select Backup and Restore.

Click the Back Up button for a full backup of the device or use the Advanced section for specific data.

Select your destination (such as workstation) and save the .ipd file.

Examine data and perform a forensic analysis.


JTAG

Joint Test Action Group (JTAG)

An Institute of Electrical and Electronics Engineers (IEEE) standard for testing chips

Test access points (TAPs) used to directly access the chip and extract data

Forensic examiner takes back off of phone, and then connects wires by soldering or by using some other means to the TAPs of the phone’s memory chip

Wires also connected to a JTAG device that uses software to extract the data directly from the memory chip


Summary

Mobile device concepts

Evidence that can be obtained from a mobile device

How to seize evidence from a mobile device
