Network for Real Life Superheroes, Warriors, Protectors,
Saviors, to have a place to socialize, network, and also teach and learn from each other.
 
HomePortalRegisterLog in
Twitter
Facebook
Latest topics
» The Book of Five Rings
Thu Oct 05, 2017 1:41 pm by Tothian

» Greetings All
Wed Oct 04, 2017 5:43 am by Tothian

» Golden Aerie
Wed Oct 04, 2017 5:40 am by Tothian

» The Superhero Costume: Identity and Disguise in Fact and Fiction by Barbara Brownie and Danny Graydon
Mon Jun 12, 2017 9:49 pm by GoldenAerie

» Words Of Encouragement
Sun Feb 19, 2017 6:59 pm by Tothian

» Revolutionary Introduction
Sun Feb 19, 2017 6:21 pm by Tothian

» Do you support President Donald Trump's immigration ban?
Sat Feb 18, 2017 4:36 am by Anti-Hero

» Welcome to Society-X
Thu Feb 09, 2017 6:53 pm by Tin-Man

» New Orleans hit by a Tornado
Tue Feb 07, 2017 8:31 pm by Tothian

Keywords
Society videos

Share | 
 

 Mobile device forensics

View previous topic View next topic Go down 
AuthorMessage
Guest
Guest



PostSubject: Mobile device forensics   Tue Feb 28, 2012 1:55 am

Mobile device forensics is a branch of digital forensics relating to recovery of digital evidence or data from a mobile device under forensically sound conditions. The phrase mobile device usually refers to mobile phones; however, it can also relate to any digital device that has both internal memory and communication ability.
The use of phones in crime was widely recognized for some years, but the forensic study of mobile devices is a relatively new field, dating from the early 2000s. A proliferation of phones (particularly smartphones) on the consumer market caused a demand for forensic examination of the devices, which could not be met by existing computer forensics techniques.
The memory type, custom interface and proprietary nature of mobile devices requires a different forensic process compared to computer forensics. Each device often has to have custom extraction techniques used on it. Mobile devices can be used to save several types of personal information such as contacts, photos, calendars and notes.
Back to top Go down
Guest
Guest



PostSubject: Re: Mobile device forensics   Tue Feb 28, 2012 1:56 am

History

As a field of study forensic examination of mobile devices dates from the late 1990s and early 2000s. The role of mobile phones in crime had long been recognized by law enforcement. With the increased availability of such devices on the consumer market and the wider array of communication platforms they support (e.g. email, web browsing) demand for forensic examination grew.
In comparison to computer forensics, law enforcement are much more likely to encounter a suspect with a mobile device in his possession and so the growth of demand for analysis of mobiles has increased exponentially in the last decade.
Early efforts to examine mobile devices used similar techniques to the first computer forensics investigations; analyzing phone contents directly via the screen and photographing important content. Over time commercial tools appeared which allowed examiners to recover phone memory with minimal disruption and analyze it separately.
In more recent years these commercial techniques have developed further and the recovery of deleted data from proprietary mobile devices has become possible with some specialist tools.
Back to top Go down
Guest
Guest



PostSubject: Re: Mobile device forensics   Tue Feb 28, 2012 1:57 am

Types of evidence

As mobile device technology advances, the amount and types of data that can be found on a mobile device is constantly increasing. Evidence that can be potentially recovered by law enforcement agents from a mobile phone may come from several different sources, including SIM card, Handset and attached memory cards.
Traditionally mobile phone forensics has been associated with recovering SMS and MMS messaging, as well as call logs, contact lists and phone IMEI/ESN information. Newer generations of smart phones also include wider varieties of information; from web browsing, Wireless network settings, e-mail and other forms of rich internet media, including important data now retained on smartphone 'apps'.
Service provider logs

The European Union requires its members countries to retain certain telecommunications data for use in investigations. This includes data on calls made and retrieved. The location of a mobile phone can be determined and this geographical data must also be retained. Although this is a different science than forensic analysis which is undertaken once the mobile phone has been seized.
Back to top Go down
Guest
Guest



PostSubject: Re: Mobile device forensics   Tue Feb 28, 2012 1:57 am

Forensic process


Main article: digital forensic process The forensics process for mobile devices broadly matches other branches of digital forensics; however, some particular concerns apply. One of the main ongoing considerations for analysts is preventing the device from making a network/cellular connection; which may bring in new data, overwriting evidence. To prevent a connection mobile devices will often be transported and examined from within an Faraday cage (or bag).
Seizure

Seizing mobile devices is covered by the same legal considerations as other digital media. Mobiles will often be recovered switched on; as the aim of seizure is to preserve evidence the device will often be transported in the same state to avoid a shutdown changing files.
Back to top Go down
Guest
Guest



PostSubject: Re: Mobile device forensics   Tue Feb 28, 2012 1:58 am

Acquisition






iPhone in an RF shield bag





RTL Aceso, a mobile device acquisition unit
The second step in the forensic process is acquisition, in this case usually referring to retrieval of material from a device (as compared to the bit-copy imaging used in computer forensics).
Because of the proprietary nature of mobiles it is often not possible to acquire data with it powered down, most mobile device acquisition is performed live. With more advanced smartphones using advanced memory management, connecting it to a recharger and putting it into a faraday cage may not be good practice. The mobile device would recognize the network disconnection and therefore it would change its status information that can trigger the memory manager to write data.
Most acquisition tools for mobile devices are commercial in nature and consist of a hardware and software component, often automated.
Back to top Go down
Guest
Guest



PostSubject: Re: Mobile device forensics   Tue Feb 28, 2012 1:58 am

Examination and analysis

As an increasing number of mobile devices use high-level file systems, similar to the file systems of computers, methods and tools can be taken over from hard disk forensics or only need slight changes.
The FAT file system is generally used on NAND memory. A difference is the block size used, which is larger than 512 bytes for hard disks and depends on the used memory type, e.g., NOR type 64, 128, 256 and NAND memory 16, 128, 256, or 512 kilobyte.
Different software tools can extract the data from the memory image. One could use specialized and automated forensic software products or generic file viewers such as any hex editor to search for characteristics of file headers. The advantage of the hex editor is the deeper insight into the memory management, but working with a hex editor means a lot of handwork and file system as well as file header knowledge. In contrast, specialized forensic software simplifies the search and extracts the data but may not find everything. AccessData, Sleuthkit, and EnCase, to mention only some, are forensic software products to analyze memory images. Since there is no tool that extracts all possible information, it is advisable to use two or more tools for examination. There is currently (February 2010) no software solution to get all evidences from flash memories.
Back to top Go down
Guest
Guest



PostSubject: Re: Mobile device forensics   Tue Feb 28, 2012 1:59 am

Data acquisition types

Physical acquisition

Physical acquisition implies a bit-by-bit copy of an entire physical store (e.g., a memory chip). A physical acquisition has the advantage of allowing deleted files and data remnants to be examined. Physical extraction acquires information from the device by direct access to the flash memories. Generally this is harder to achieve because the device vendors needs to secure against arbitrary reading of memory so that a device may be locked to a certain operator. A physical extraction is the method most similar to the examination of a personal computer. It produces a bit-by-bit copy of the device's flash memory. Generally the physical extraction is then split into two steps, the dumping phase and the decoding phase.
Back to top Go down
Guest
Guest



PostSubject: Re: Mobile device forensics   Tue Feb 28, 2012 2:00 am

Logical acquisition

Logical acquisition implies a bit-by-bit copy of logical storage objects (e.g., directories and files) that reside on a logical store (e.g., a file system partition). Logical acquisition has the advantage that system data structures are easier for a tool to extract and organize. Logical extraction acquires information from the device using the vendor interface for synchronizing the contents of the phone with a personal computer. This usually does not produce any deleted information, due to it normally being removed from the file system of the phone. However, in some cases the phone may keep a database file of information which does not overwrite the information but simply marks it as deleted and available for later overwriting. In this case, if the device allows file system access through their synchronization interface, it is possible to recover deleted information. A logical extraction is generally easier to work with as it does not produce a large binary blob. However a skilled forensic examiner will be able to extract far more information from a physical extraction.
Back to top Go down
Guest
Guest



PostSubject: Re: Mobile device forensics   Tue Feb 28, 2012 2:01 am

Manual acquisition

The user interface can be utilized to investigate the content of the memory. Therefore the device is used as normal and pictures are taken from the screen. This method has the advantage that the operating system makes the transformation of raw data into human interpretable information. In practice this method is applied to cell phones, e.g., Project-a-Phone, PDAs and navigation systems. The disadvantage is that only data visible to the operating system can be recovered and that all data are only available in form of pictures.
External memory

External memory devices are SIM cards, SD cards, MMC cards, CF cards, and the Memory Stick. For external memory and the USB flash drive, appropriate software, e.g., the Unix command dd, is needed to make the bit-level copy. Furthermore USB flash drives with memory protection do not need special hardware and can be connected to any computer. Many USB drives and memory cards have a write-lock switch that can be used to prevent data changes, while making a copy. If the USB drive has no protection switch a write blocker can be used to mount the drive in a read-only mode or, in an exceptional case, the memory chip can be desoldered. The SIM and memory cards need a card reader to make the copy. The SIM card is soundly analyzed, such that it is possible to recover (deleted) data like contacts or text messages.
Back to top Go down
Guest
Guest



PostSubject: Re: Mobile device forensics   Tue Feb 28, 2012 2:02 am

Internal memory

This section describes various possibilities to save the internal storage, nowadays mostly flash memory.
System commands

Mobile devices do not provide the possibility to run or boot from a CD, connecting to a network share or another device with clean tools. Therefore system commands could be the only way to save the volatile memory of a mobile device. With the risk of modified system commands it must be estimated if the volatile memory is really important. A similar problem arises when no network connection is available and no secondary memory can be connected to a mobile device because the volatile memory image must be saved on the internal non-volatile memory, where the user data is stored and most likely deleted important data will be lost. System commands are the cheapest method, but imply some risks of data loss. Every command usage with options and output must be documented.
AT commands

AT commands are old modem commands, e.g., Hayes command set and Motorola phone AT commands, and can therefore only be used on a device that has modem support. Using these commands one can only obtain information through the operating system, such that no deleted data can be extracted.
Back to top Go down
Guest
Guest



PostSubject: Re: Mobile device forensics   Tue Feb 28, 2012 2:03 am

Flasher tools

A flasher tool is a programming hardware and/or software that can be used to program (flash) the device memory, e.g., EEPROM or flash memory. These tools mainly originate from the manufacturer or service centers for debugging, repair, or upgrade services. They can overwrite the non-volatile memory and some, depending on the manufacturer or device, can also read the memory to make a copy, originally intended as a backup. The memory can be protected from reading, e.g., by software command or destruction of fuses in the read circuit. Note, this would not prevent writing or using the memory internally by the CPU. The flasher tools are easy to connect and use, but some can change the data and have other dangerous options or do not make a complete copy.
JTAG

Existing standardized interfaces for reading data are built into several mobile devices, e.g., to get position data from GPS equipment (NMEA) or to get deceleration information from airbag units.
Not all mobile devices provide such a standardized interface nor does there exist a standard interface for all mobile devices, but all manufacturers have one problem in common. The miniaturizing of device parts opens the question how to test automatically the functionality and quality of the soldered integrated components. For this problem an industry group, the Joint Test Action Group (JTAG), developed a test technology called boundary scan.
Despite the standardization there are four tasks before the JTAG device interface can be used to recover the memory. To find the correct bits in the boundary scan register one must know which processor and memory circuits are used and how they are connected to the system bus. When not accessible from outside one must find the test points for the JTAG interface on the printed circuit board and determine which test point is used for which signal. The JTAG port is not always soldered with connectors, such that it is sometimes necessary to open the device and re-solder the access port. The protocol for reading the memory must be known and finally the correct voltage must be determined to prevent damage to the circuit.
The boundary scan produces a complete forensic image of the volatile and non-volatile memory. The risk of data change is minimized and the memory chip must not be desoldered. Generating the image can be slow and not all mobile devices are JTAG enabled. Also, it can be difficult to find the test access port.
Back to top Go down
Guest
Guest



PostSubject: Re: Mobile device forensics   Tue Feb 28, 2012 2:05 am

Forensic desoldering

Commonly referred to as a "Chip-Off" technique within the industry - this is the last and most intrusive method to get a memory image is to desolder the non-volatile memory chip and connect it to a memory chip reader. This method contains the potential danger of total data destruction: it is possible to destroy the chip and its content because of the heat required during desoldering. Before the invention of the BGA technology it was possible to attach probes to the pins of the memory chip and to recover the memory through these probes. The BGA technique bonds the chips directly onto thePCB through molten solder balls, such that it is no longer possible to attach probes.





Here you can see that moisture in the circuit board turned to steam when it was subjected to intense heat. This produces the so-called "popcorn effect."
Desoldering the chips is done carefully and slowly, so that the heat does not destroy the chip or data. Before the chip is desoldered the PCB is baked in an oven to eliminate remaining water. This prevents the so-called popcorn effect, at which the remaining water would blow the chip package at desoldering.
There are mainly three methods to melt the solder: hot air, infrared light, and steam-phasing. The infrared light technology works with a focused infrared light beam onto a specific integrated circuit and is used for small chips. The hot air and steam methods cannot focus as much as the infrared technique.
Back to top Go down
Guest
Guest



PostSubject: Re: Mobile device forensics   Tue Feb 28, 2012 2:05 am

Chip re-balling

After desoldering the chip a re-balling process cleans the chip and adds new tin balls to the chip. Re-balling can be done in two different ways.


  • The first is to use a stencil. The stencil is chip-dependent and must fit exactly. Then the tin-solder is put on the stencil. After cooling the tin the stencil is removed and if necessary a second cleaning step is done.
  • The second method is laser re-balling; see. Here the stencil is programmed into the re-balling unit. A bondhead (looks like a tube/needle) is automatically loaded with one tin ball from a solder ball singulation tank. The ball is then heated by a laser, such that the tin-solder ball becomes fluid and flows onto the cleaned chip. Instantly after melting the ball the laser turns off and a new ball falls into the bondhead. While reloading the bondhead of the re-balling unit changes the position to the next pin.
A third method makes the entire re-balling process unnecessary. The chip is connected to an adapter with Y-shaped springs or spring-loaded pogo pins. The Y-shaped springs need to have a ball onto the pin to establish an electric connection, but the pogo pins can be used directly on the pads on the chip without the balls.
The advantage of forensic desoldering is that the device does not need to be functional and that a copy without any changes to the original data can be made. The disadvantage is that the re-balling devices are expensive, so this process is very costly and there are some risks of total data loss. Hence, forensic desoldering should only be done by experienced laboratories.
Back to top Go down
Guest
Guest



PostSubject: Re: Mobile device forensics   Tue Feb 28, 2012 2:09 am

Tools

Early investigations consisted of live analysis of mobile devices; with examiners photographing or writing down useful material for use as evidence. This had the disadvantage of risking the modification of the device content, as well as leaving many parts of the proprietary operating system inaccessible.
In recent years a number of hardware/software tools have emerged to recover evidence from mobile devices. Most tools consist of a hardware portion, with a number of cables to connect the phone to the acquisition machine, and some software, to extract the evidence and, occasionally, to analyse it.
Some current tools include those by Accessdata MPE, Radio Tactics, eDEC Digital Forensics, Cellebrite UFED, Micro Systemation XRY, Oxygen Forensic Suite 2, Paraben Device Seizure and MOBILedit! Forensic.
Back to top Go down
Guest
Guest



PostSubject: Re: Mobile device forensics   Tue Feb 28, 2012 2:09 am

Controversies

In general there exists no standard for what constitutes a supported device in a specific product. This has led to the situation where different vendors define a supported device differently. A situation such as this makes it much harder to compare products based on vendor provided lists of supported devices. For instance a device where logical extraction using one product only produces a list of calls made by the device may be listed as supported by that vendor while another vendor can produce much more information. Furthermore different products extract different amounts of information from different devices. This leads to a very complex landscape when trying to overview the products. In general this leads to a situation where testing a product extensively before purchase is strongly recommended. It is quite common to use at least two products which complement each other.
For a detailed discussion see Gubian and Savoldi, 2007. For a wide overview on nand flash forensic see Salvatore Fiorillo, 2009.
Back to top Go down
Guest
Guest



PostSubject: Re: Mobile device forensics   Tue Feb 28, 2012 2:10 am

Anti-forensics

Anti-computer forensics is more difficult because of the small size of the devices and the user's restricted data accessibility. Nevertheless there are developments to secure the memory in hardware with security circuits in the CPU and memory chip, such that the memory chip cannot be read even after desoldering.
Back to top Go down
Sponsored content




PostSubject: Re: Mobile device forensics   

Back to top Go down
 
Mobile device forensics
View previous topic View next topic Back to top 
Page 1 of 1
 Similar topics
-
» Problem uploading photos to Servimg on mobile device
» Updating Post E-Mails & View by Mobile Devices
» How justice and forensics are changing today
» China gives £50 million in aid so mobile phones work on underground by the Olympics
» AV-98 Ingram - Patlabor Mobile Police Làm liên tưởng đến headman

Permissions in this forum:You cannot reply to topics in this forum
Heroes Network :: ACADEMICS CATEGORY :: Forensics-
Jump to: