Mobile Forensics

6431 Unique Visitors
12199 Page-views

Introduction to Mobile Forensics

Smartphones are being utilised for more than just making phone calls; they are also used for socialising.

Smartphones store a lot of personal information about their owners. Contacts are stored on mobile devices via a variety of sources, including the phone, social networks, instant messaging, and email.

information about phone calls, sent and received text, and communication applications

Messages, e-mails, and attachments are all examples. There are also cached geolocation and browser logs.

photos and videos made with the phone’s camera; information passwords for cloud storage

services, forums, social media sites, internet portals, and e-commerce sites; saved payment information

data; and a plethora of additional data that could be crucial to an investigation

Needless to say, this data is critical for both corporate and forensic purposes.

Tablets are no longer only used for entertainment. Even the smallest tablets can run full Windows, complete with the Office suite, thanks to fast CPUs and enough of storage. Tablets are nevertheless commonly used to socialise, communicate, plan events, and book trips, even though they are not as popular as smartphones.

Many tablets have the ability to make voice conversations via cellular networks, and some smartphones have screens as large as 6.4 inches. All of this makes distinguishing between a phone or phablet and a tablet difficult.

Every smartphone on the market has a camera that is always available, unlike a larger and probably superior camera. As a result, the average smartphone contains more shots and videos than a specialised camera, sometimes in the terabytes. Smartphones function as storage devices as well. They can be used to store, transport, and exchange data. Smartphones connected to a corporate network may have access to files and documents that are not intended to be shared publicly. Employees’ smartphones with unrestricted access to company networks can result in the leakage of very sensitive data.

Controlling the data that is exposed to anyone connecting to a corporate network is critical, especially with many organisations permitting or even encouraging bring your own device rules.

Mobile Forensics Is Necessary

It’s difficult to overestimate the value of mobile forensics. In 2012, desktop and laptop computers accounted for more than 70% of all web page requests (the most common operating systems being Windows 7 and Windows XP). In May 2015, desktop operating systems accounted for only 43% of inquiries, while Android, iOS, and Windows phone devices accounted for 54% of traffic. Users’ time spent on desktop computers is decreasing, while their time spent on mobile devices is increasing: Apple revealed in January 2015 that it had sold over one billion iOS devices. The business sold 74.4 million iPhone handsets in the first quarter of 2015. Android had already sold a billion devices by the end of 2014. Smartphones and tablets are successfully competing with personal PCs for user attention. Digital cameras, camcorders, book readers, newspapers, communication and navigation devices, portable game consoles, and even television are being effectively replaced by them.

Consumers spend more time on mobile devices than they do on television:

Mobile forensics deals with many data sources, unlike personal computers, which essentially present a single source of information (the device itself, which consists of hard drive(s) and volatile memory). Investigators may utilize one or the other tool to gather information, depending on the sources available.

Mobile Devices

You can try to accomplish physical or logical acquisition if you have access to the mobile device. This may or may not be possible, depending on the device’s hardware and the operating system it runs. Physical acquisition, on the other hand, remains the most comprehensive and up-to-date source of evidence available.

Most Android smartphones and tablets, as well as older Apple hardware (iPhones up to iPhone 4, the original iPad, iPad mini, and so on) and modern Apple gear with a known passcode, are all capable of physical acquisition. Apple devices are usually only physically obtained after they have been jailbroken. Physical acquisition of iOS devices is risky since a jailbreak acquires superuser rights by exploiting a vulnerability in iOS, and Apple aggressively patches such bugs. Using the Cellebrite Universal Forensic Extraction Device, a physical acquisition technique for several Windows phone handsets was recently created (UFED).

Physical acquisition is also possible for Apple 64-bit hardware (iPhone 5S and newer, iPad mini 2 and so on). Physical acquisition of 64-bit devices is more difficult than physical acquisition of 32-bit devices, as it necessitates not only jailbreaking the device and unlocking it with a passcode, but also removing the passcode from the security settings. Interestingly, Apple claims that even if they are served with a court order, they will be unable to extract information from 64-bit iOS devices running iOS 8 and newer.

Physical acquisition is only accessible on a few BlackBerry smartphones running BlackBerry OS 7 and older. Physical acquisition is available for unlocked BlackBerry 7 and below devices, where supported, using Cellebrite UFED Touch/4PC via the bootloader method for BlackBerry handsets. When device encryption is not activated on BlackBerry 10 devices, a chip-off can successfully acquire the device memory by parsing the physical dump with Cellebrite UFED.

Personal Computers

In particular, the user’s personal computer can aid in the collection of mobile evidence. Offline data backups (such as those created by Apple iTunes) that comprise the majority of the information contained in the phone and are available (or unavailable) during physical acquisition may be kept on the PC.

When an iOS device is physically linked to a computer and authorised through iTunes, lockdown records are created. Without inputting the passcode, lockdown records can be utilised to obtain access to an iOS device. Furthermore, the computer may include binary authentication tokens that can be used to access cloud accounts associated with a user’s mobile devices.

Storage in the Cloud

Many smartphones and tablets, particularly those made by Apple, include the option of backing up data to an internet cloud. When an Apple smartphone is connected to a charger within range of a known Wi-Fi network, it will automatically back up its content to Apple iCloud. Similar behaviour can be seen on Windows Phone devices. While Google does not offer full cloud backups like Apple or Microsoft, it does capture and store much more data through Google Mobile Services (GMS). This data can also be retrieved from the cloud. Many smartphone users leave cloud backups enabled by default since they are transparent, non-intrusive, and require no user involvement, making it possible for an investigator to either get the material of the cloud storage or request it from the corresponding firm with a court order.

To gain access to the phone’s cloud storage, one must first obtain the user’s authentication credentials (login and password). It’s feasible that binary authentication tokens retrieved from the user’s machine could be used to get access to iCloud.

Cloud forensics is gradually gaining prominence and recognition among digital forensic specialists, as manufacturers advance in their security implementations.

The Different Stages of Mobile Forensics

An examiner should start with the least intrusive method and work their way up the continuum, which can be governed by the type of data that needs to be gathered from the mobile device and the sophistication of the mobile device’s hardware/software.

Stage 1: seizure of the device

This stage involves the physical seizure of the device and its transfer to the investigator/control examiner’s and custody. The legal authorization or written consent to seize, extract, and search this data must also be considered. The device’s physical condition at the time of the seizure should be documented, ideally by digital photography and written notes, such as:

Is there a problem with the device? If this is the case, make a note of the sort of damage.

Is the gadget turned on or off?

If the gadget is turned on, what is the date and time?

What apps are running or visible on the device desktop if the device is turned on?

Is the device desktop available if the device is turned on to check for passcode and security settings?

Radio isolation, shutting the device off if it is on, remote wipe, and anti-forensics are some of the other components of device seizure that will affect post-seizure analysis.

When it comes to purchasing a mobile device, it’s important to understand the many differences between computers and mobile devices. In comparison to desktop and even laptop computers, seizing, handling, storing, and extracting mobile devices must take a distinct path.

Smartphones and tablets operate in a different, always-connected mode than PCs, which can be online or offline (including energy-saving states like sleep and hibernation). Even when the gadget appears to be asleep, a large number of actions are carried out in the background. A wide range of events, including push events from online services and events initiated remotely by the user, can be used to schedule or trigger activities.

Another factor to think about when purchasing a mobile device is security. Mobile devices are frequently carried, and therefore are built to be more secure than desktop PCs.

Non-removable storage and soldered RAM chips, optional or enforced data encryption, remote kill switches, secure lock screens, and protected bootloaders are a few examples of security features.

When dealing with a seized device, it’s critical to keep it from shutting down.

It’s one thing to never turn off a working device; it’s another to keep it from shutting down. Since mobile devices consume power even while the display is off, the standard practice is to connect the device to a charger and place it into a wireless-blocking Faraday bag. This will keep the phone from shutting down when it reaches the low-power state.

What is the purpose of this procedure? The thing is, compared to a device that boots up in one’s lab and for which one does not know the password, a device that has been used (at least once) after the last boot cycle may be able to extract more information.

Let’s imagine someone seized an iPhone with an unknown passcode to demonstrate the likely outcome. Because the iPhone is jailbroken, Elcomsoft iOS Forensic Toolkit can be used to extract information.

If the device is locked and the user does not know the passcode, he will only have access to the following information:

Recent geolocation data: Due to the encryption of the core location database, only limited geolocation data may be extracted. This limited location data is only available if the device has been unlocked at least once after the boot process has finished. As a result, if one keeps the gadget powered on, he can see the device’s recent geolocation history. The geolocation data will be inaccessible until the device is unlocked if the gadget goes down and is only powered on in the lab.

Incoming calls and SMS messages (just numbers): Before the initial unlock following a cold boot, incoming text messages are briefly stored unencrypted. The messages will be transferred into the main encrypted database after the device is unlocked for the first time following a cold boot.This means that getting a device that was never unlocked after a cold start will only provide you access to text messages received while the device was locked after the boot.

If the iPhone was unlocked at least once after it was booted (for example, if the device was seized in a turned-on condition), much more information might be accessed. When the smartphone is first unlocked, the SMS database is encrypted, allowing you to retrieve all text messages, not only those received while the device was locked.

Logs from the app and the system (installs and updates, net access logs, and so on).

Write-ahead logs (WAL) and SQLite temp files: Messages received using apps like Skype, Viber, Facebook Messenger, and others may be included in this WAL. The data is integrated with the primary databases of the appropriate apps after the device is unlocked. When removing a device after a cold boot (one that has never been unlocked), you will only be able to see notifications that have been received after the boot. If, on the other hand, one extracts a device that has been unlocked at least once after booting up, he may be able to extract the entire database, including all messages (depending on the data protection class specified by the application’s developer).

Apple iOS, latest versions of Google Android, all versions of BlackBerry OS, and Microsoft Windows phone 8/8.1 (Windows 10 mobile) all offer a security mechanism that prevents unauthorised individuals from accessing information saved on the device. If the gadget is reported lost or stolen, the so-called kill switch allows the owner to lock or wipe the device. While this feature is utilised by genuine consumers to protect their data, it is also employed by suspects who may try to erase evidence remotely if their mobile device is seized.

To prevent suspects from gaining access to the kill switch, the Faraday bag must be used. Even if the device in question has already been remotely erased, this does not necessarily imply that all data has been deleted.

Cloud backups are supported by Apple iOS, Windows Phone 8/8.1, Windows 10 mobile, and the newest version of Android (Android 6.0 Marshmallow) (however Android cloud backups are limited in size). The decryption key is related to the user’s BlackBerry ID and saved on BlackBerry servers, however the backups are purely offline with BlackBerry 10.

The capacity to upload backup copies of data to the cloud automatically is a double-edged sword. Cloud backups allow for distant acquisition approaches while also providing more convenience to the user. Depending on the platform, all or part of the device’s data can be obtained from the cloud using a forensic application (such as Elcomsoft Phone Breaker or Oxygen Forensic Detective) or by submitting a government request to the relevant business (Apple, Google, Microsoft, or BlackBerry).

There are a variety of anti-forensic techniques aimed towards law enforcement agencies’ evidence collection procedures. The police frequently grab devices, connect them to a charger, and place them in a Faraday bag. On Android phones, some technologically advanced suspects utilise an anti-forensic strategy that entails rooting the device and installing a tool that monitors the device’s wireless connectivity. The tool executes a factory reset if it detects that the device has been idle, connected to a charger, and without wireless connectivity for a predetermined amount of time. Because there is no realistic means of knowing whether such protection is operational on the device prior to acquisition, just following standard procedures risks destroying evidence. If there are reasonable grounds to believe that such a system is in use, the device can be turned off (while being aware of the potential of full-disk encryption prohibiting later acquisition).

While rooting or jailbreaking a device puts it vulnerable to sophisticated acquisition methods, we’ve observed users who unlocked their bootloader to install a custom recovery, password-protected access to the custom recovery, and then relocked the bootloader. The combination of a password-protected bootloader and password-protected access to custom recovery is exceedingly difficult to crack.

We’ve learned about the following anti-forensic approach used by a group of cyber thieves from multiple reports. If certain specified circumstances were satisfied, the devices were set to automatically erase user data. The wipe was triggered in this case because the predefined parameters matched the normal acquisition scenario of placing the device inside a Faraday bag and attaching it to a charger. A unique tool performs a full factory reset of the device when it reports being charged without wireless connectivity (but not in aeroplane mode) for a particular amount of time. This is only available on smartphones that have been rooted or jailbroken. This anti-forensic method has yet to gain widespread acceptance. Only a small percentage of smartphone users, mostly those involved in cybercrime, use it. The likelihood of a smartphone being configured in this manner is insignificant enough to justify making adjustments to published rules.

Stage 2: data collection

Various techniques of getting data from the device are discussed at this stage. The following factors determine the data extraction strategies that can be used:

Mobile device type: The configuration of the make, model, hardware, software, and vendor. The examiner has access to a broad variety of hardware and software extraction/analysis tools: There is no one-size-fits-all tool; an examiner will require access to a variety of tools to help with data extraction.

Device’s physical state: Has the equipment been damaged by physical forces, water, or biological fluids like blood? The data extraction procedures used on the device are frequently dictated by the sort of damage.

The amount of data extracted from the device is determined by numerous distinct forms of data extraction:

Physical: The binary image of the device has the best chance of recovering erased data and extracting the most data from it. This form of extraction can be the most difficult to obtain.

Organize your files: This is a representation of the files and folders in the device’s user area, and it may contain deleted database data. When compared to a physical data extraction, this method will produce less data.

Logical: This method obtains the least amount of information from the gadget. Call history, messages, contacts, images, movies, and audio files are all examples of this. This is known as “low-hanging fruit.” There is no way to recover destroyed data or source files.

Typically, the output will be a series of reports generated by the extraction programme.

This is frequently the simplest and fastest method of extraction.

Documentation using photography: When all other options for data extraction have been exhausted, this procedure is often used. The examiner utilises a digital camera to photographically document the content shown by the gadget in this technique.

When there is a large amount of data to photograph, this is a time-consuming process.

Bootloader, jailbreak, rooting, adb, debug, and sim cloning are just a few of the data-extraction concepts covered here.

Mobile devices that have been rooted or jailbroken are vulnerable to a variety of exploits. Rooted devices are simple to acquire in the context of mobile forensics, as many forensic acquisition technologies rely on root/jailbreak to complete physical acquisition. Unlocked bootloaders allow unsigned code to be booted, thereby granting complete access to the device, even if it is password-protected. Bypassing passcode protection may not automatically enable access to encrypted data if the device is encrypted and the passcode is part of the encryption key.

Rooting or jailbreaking gives the acquisition tool unlimited access to the filesystem, bypassing the operating system’s security protections and allowing the acquisition tool to read data from protected locations. This is one of the reasons why rooted devices (as well as devices with unlocked bootloaders) are prohibited in the workplace.

Installing a jailbreak on an iOS device makes it less secure by allowing third-party code to be inserted and run at the system level. Forensic professionals that utilise tools like Cellebrite UFED or Elcomsoft iOS Forensic Toolkit to physically acquire jailbroken Apple handsets are well aware of this reality.

Some Android smartphones allow you to unlock the bootloader, allowing you to root the device quickly and easily. While not all Android smartphones with unlocked bootloaders are rooted, rooting a device with an unlocked bootloader has a far better success rate than rooting a device with a locked bootloader.

The root status of the phone can be used by tools like Cellebrite UFED, Forensic Toolkit (FTK), Oxygen Forensic Suite, and many others to inject acquisition applets and image the device. If you use UFED, you can also exploit unlocked bootloaders. Even if the bootloader is locked, a bootloader-level attack exists and is utilised in UFED to accomplish acquisition of various Android and Windows phone devices based on the Qualcomm reference platform.

A Developer Options menu is buried in Android. To get to this menu, you’ll have to make a conscious effort to tap on the OS build number many times. Developer Options are enabled by some users out of curiosity. It may or may not be possible to hide the Developer Options menu once it has been enabled.

The Developer Options menu has a USB debugging or ADB debugging option, among other things. If this option is selected, you can control the device via the ADB command line, which allows Android debugging tools (adb.exe) to connect to the device from a PC even if it’s locked with a passcode. Activating USB debugging opens up a world of options, including the ability to acquire data even if the device is password-protected.

Cloning SIM cards

Establishing a connection between the phone and the extraction tool may not be possible in some situations unless the phone is equipped with a SIM card. Furthermore, some gadgets can be set up to safeguard you if you use a different SIM card. Devices can even be set to delete its content if a non-original SIM card is inserted or if a SIM card is withdrawn in exceptional cases. Some BlackBerry smartphones, in particular, may reject extraction efforts with the message SIM Not Provisioned or SIM Not Allowed. In such circumstances, a cloned SIM card may be used to allow communication and extraction.

Memory on SIM cards

The SIM card contains information about the network provider and can be used to identify the mobile phone number provided to the user by the mobile device. Call history and messages may be stored on the SIM card. Most, if not all, mobile forensic tools can access the information saved on SIM cards.

Memory stick

A microSD card can be used to expand the storage capacity of most smartphone and tablet devices (with the exception of iOS devices). An examiner would remove the memory card from the mobile device/tablet and create a bit stream forensic image of the memory card using either hardware or software write-protection methods, which could then be analysed using forensic software tools like X-Ways, Autopsy Sleuth Kit, Forensic Explorer (GetData), EnCase, or FTK (AccessData).

Stage 3 – data analysis

Data analysis is the third stage.

The obtained data from the device and its components are analysed in this stage of mobile device forensics (SIM card and memory card if present). Most mobile forensic acquisition solutions that extract data from device memory can also parse the data and enable examiner capabilities to perform analysis within the tool. This requires going over all of your data, both non-deleted and destroyed.

When analysing non-deleted data, it’s a good idea to do a manual check of the device to make sure the extracted and processed data matches what the device displays. Given the increased storage capacity of mobile devices, it is recommended that only a subset of data records from the relevant areas be evaluated.

For example, if a mobile device has more than 200 call records, various call records from missed calls, incoming calls, and departing calls can be compared to similar records in the extracted data on the device. It is then feasible to find any differences in the extracted data by performing this manual examination.

Only when the device is still in the examiner’s possession may a manual device review be done. In some cases, the device is returned to the investigator or owner after the data extraction has been finished. In scenarios like this, the examiner should document that manual verification is limited or impossible due to the circumstances.

The acquired data can be analysed using multiple analysis tools. Multiple analytic tools should be explored, especially when one tool can’t parse a certain sort of data but another can.