Forensics Magazine 16/2013
Transcription
Computer MOBILE TOUCH STONE (Vol. 2 No. 16): iOS, Android, Windows Mobile. Issue 16/2013 (20), October. ISSN 2300-6986.

On the cover: DOES MOBILE PHONE FORENSICS PLAY A ROLE IN SOLVING TRADITIONAL CRIME? | iPhone FORENSICS – WHAT YOU NEED TO KNOW | WINDOWS PHONE 7/8 (WP7) – DIGITAL FORENSIC INVESTIGATION PROCEDURE AND EVIDENCE RECOVERY TECHNIQUES | BEST PRACTICES FOR A COLLECTION OF AN IOS MOBILE DEVICE | NFC SECURITY AND DATA LEAK

TEAM
Editors: Sebastian Słomiński, sebastian.slominski@software.com.pl
Betatesters/Proofreaders: James Fleit, Kishore P.V, m1ndl3ss.2012, Owain Williams, Martin Baader, Luca Losio, Dr DB Karron, A. Rosen, Alex Rams, Masa Danilo
Senior Consultant/Publisher: Paweł Marciniak
CEO: Ewa Dudzic, ewa.dudzic@software.com.pl
Production Director: Andrzej Kuca, andrzej.kuca@software.com.pl
Marketing Director: Joanna Kretowicz, jaonna.kretowicz@eforensicsmag.com
Art Director and DTP: Ireneusz Pogroszewski, ireneusz.pogroszewski@software.com.pl
Publisher: Hakin9 Media Sp. z o.o. SK, 02-676 Warszawa, ul. Postępu 17D. Phone: 1 917 338 3631. www.eforensicsmag.com

DISCLAIMER! The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.

Dear Readers!
Since the theme of mobile forensics seems to be inexhaustible, we are pleased to present this new edition, which is called "TOUCH (iOS/Android/Windows Mobile 7/8) STONE".
We were able to collect very interesting and varied articles, which will be beneficial for all of you. We decided to go further into the iPhone forensics topic and add some information about iOS mobile forensics. You will also find a few things about Windows Mobile. Moreover, you will notice the importance of mobile forensics in cybercrime investigation processes. All in this single issue. We would like to thank you for the trust you have bestowed on our Magazine; we are doing our best to keep you pleased with our work. You are invited to visit our website and to comment and share your opinion with us. Just a reminder: you can follow us on Facebook, LinkedIn and Twitter (@eForensics_Mag). Join eForensics friends and fans; we would be more than happy to have you there! Check thoroughly what you will find inside!

08 iOS MOBILE DEVICE FORENSICS – FOR BEGINNERS by NCIS Solutions Team
What we are hoping to do is give an overview to any new mobile device forensicator of how we would run an iOS forensics task when delivering a service to a client on a particular handset. Similar techniques would also be used when exploiting media devices, for instance if our 'Red Team' is tasked by a client to run a full security assessment at their residence or business address. The techniques shown in this article can also be run for Android devices in the same way, as long as you have the native cable of the mobile device you want to extract data from.

18 BEST PRACTICES FOR A COLLECTION OF AN IOS MOBILE DEVICE by Richard A. Rodney
As the use of iOS devices continues to proliferate in the business space, they present some unique challenges when data must be collected from them. Bring Your Own Device (or BYOD) policies in many organizations have further altered the landscape that computer forensic professionals must navigate.

24 UNDERSTAND RISKS OF ANDROID APPS (secroid.com) by NetAgent Inc and NetAgent Co. Ltd.
When compared to paid apps, free Android apps are said to be about a hundred times more likely to be downloaded, so developers often employ advertisements or in-app billing models in order to generate profits. Ads in free apps are a growing risk for smartphone users, with many able to amass various types of user information. What the user sees as simple advertisements on a smartphone can in fact read the user's age, gender, location, phone model and other downloaded apps. The ads then collect as much information as they possibly can before sending it anywhere from America to Japan, China or Korea.

30 NFC SECURITY AND DATA LEAK by Eric Laurent-Ricard
Before trying to do forensics on NFC devices, it is important to understand the mechanism that makes the whole thing work, and the different kinds of services offered by NFC phones compared to contactless cards. Is contactless payment secure enough, and what will the next enhancements be?

36 WINDOWS PHONE 7/8 (WP7) – DIGITAL FORENSIC INVESTIGATION PROCEDURE AND EVIDENCE RECOVERY TECHNIQUES by Dr. Roffeh Ehud
One of the central problems involving technology and legal proceedings is the reliability of evidence presented to the court. This question is made more relevant by the fact that rapid technological changes make previous legal precedents irrelevant. In other words, the forensic tool that was evaluated in the past and found to be reliable with regard to the digital evidence it presents is not the tool used to extract digital evidence from the new device, and it must undergo far-reaching change in order to cope with new technologies. This leads to the question of whether the evidence presented to the court represents the actual events and whether it is possible to rely absolutely on that evidence.
42 APPLE GOES BIOMETRICS by Cordny Nederkoorn
With the launch of the iPhone 5S last September, Apple entered the area of mobile fingerprint authentication, a bold way of using biometrics in authentication. This article covers the fingerprinting technology behind Apple Touch ID and its relation to iOS 7 regarding saving the data, security and usability. Next to this, the risks of using Touch ID are discussed.

48 IPHONE FORENSICS – WHAT YOU NEED TO KNOW by David Shelton

60 HOW TO PERFORM SEARCHES, SEIZURES AND INCIDENT RESPONSES ON iPHONES by Deivison Pinheiro Franco and Nágila Magalhães Cardoso
iPhones collect and store a tremendous amount of evidence about a user's activities; in many cases one could argue more evidence is collected than the user may want. Locations, messages, contacts, web surfing habits, notes, pictures and more are available on iPhone storage media, many with time-stamped data. With this forensic evidence available, and more business being conducted on iPhones, forensic examiners need to be able to acquire this evidence successfully and accurately when requested by an authorized authority. By utilizing proven, existing forensic techniques along with the specialty tools mentioned in this paper, examiners can collect and present evidence from an iPhone. This evidence can then produce a clear report of the activities performed on the device.

70 STEP BY STEP GUIDE FOR MOBILE FORENSICS, ESPECIALLY MESSENGERS LIKE WHATSAPP!! – TO TACKLE CYBER-CRIMES COMMITTED BY COMMUNICATION MEDIA LIKE MOBILE by Omkar Prakash Joshi
Nowadays mobile forensics has grown worldwide because cyber-crimes and other crimes committed using electronic media such as mobiles have been increasing. In this article I introduce forensic investigation of mobile devices, mostly Android-based and iOS-based devices, since most users today are using Android and iOS mobile devices. So if a person has committed a crime using such a mobile device, how can we investigate it? What is mobile forensics actually, and how are data acquired from and analysed on such devices? I demonstrate forensic techniques on mobile devices such as Android and iOS.

84 DOES MOBILE PHONE FORENSICS PLAY A ROLE IN SOLVING TRADITIONAL CRIME? by Dr. Mukesh Sharma & Dr. Shailendra Jha
Solving a crime using mobile phone and SIM records may depend on proper call data records (CDR) and mobile phone forensic (MPF) investigation. Important data may be retrieved depending on the mobile phone model and whether the electronic evidence within the mobile phone is retained and able to be retrieved. A thorough examination of the data found on the mobile phone's SIM/USIM, integrated memory and any optional memory cards requires in-depth knowledge, kept current with the latest upgrades and advancements in technology. Available tools used in forensic examinations of mobile phone devices and SIM cards are compared. Two case studies are presented of crimes which have been solved on the basis of the forensics of call data records from mobile phones.
92 MOBILE PHONES IN INVESTIGATION by Satendra Kumar Yadav
Mobiles have become a fundamental need nowadays for communication as well as other cyber and network related activities, including banking and shopping. This has increased the vulnerability of the information and attracted hackers to commit cyber-frauds, resulting in an increase in forensic cases related to mobiles. In most crimes where a mobile is involved it can be used as evidence for the identification and isolation of clues to get investigative leads. Along with digital data, mobile phone devices can also be used for the collection of other evidence, such as ear prints, sweat, saliva and fingerprints, that can be used in an investigation to find any association between the crime and the criminal. The present article presents a systematic process for the collection of mobiles from a crime scene and their investigation, including the retrieval or mining of data from memory cards or flash drives attached to computers for synchronization.

98 AT THE CRIME SCENE WITH DIGITAL EVIDENCE by Jim Bolt
Today most individuals own some type of digital device that they carry everywhere with them, whether it is a cell phone, camera, tablet, laptop or gaming console, and all of them matter when it comes to valuable digital evidence. The future is here, and with this new age of technology the detective or investigator must pay very close attention to what is at the scene of the crime. One piece of digital evidence can make or break the case, and it is so important just to know what to look for.

IOS MOBILE DEVICE FORENSICS FOR BEGINNERS
by NCIS Solutions Team

We were approached by eForensics Magazine and given the opportunity of writing a piece about our experiences in iOS forensics. What we are hoping to do is give an overview to any new mobile device forensicator of how we would run an iOS forensics task when delivering a service to a client on a particular handset. Similar techniques would also be used when exploiting media devices, for instance if our 'Red Team' is tasked by a client to run a full security assessment at their residence or business address. The techniques shown in this article can also be run for Android devices in the same way, as long as you have the native cable of the mobile device you want to extract data from.

What you will learn:
• Considerations to take when developing a mobile device forensics team
• An overview of how to extract data from an iOS device
• What is achievable by using multiple mobile device forensics tools
• How to deliver a basic mobile device forensics product to clients

What you should know:
• An understanding of how basic mobile device forensics works

eForensics Magazine asked us here at NCIS Solutions to aim this article at the beginner. So what you are about to read will probably not get the embers burning if you are an intermediate or advanced law enforcement forensics analyst.
However, if you are new to mobile device forensics, or you and your business are looking to trial mobile device forensics as a service to your clients, we hope that this article is interesting or at least a little useful to you. At the end of the article we will also touch on NCIS's 'zero app 30 project', which is soon to be released as a beta Android handset. This project may appeal to the more advanced mobile device forensics analyst.

INTRODUCTION
So what is the hardest decision when looking at starting out solo in mobile device forensics? For us, it was which company do we go to, along with: is the annual license cost worth the amount of mobile device forensic work we will receive over the same period? In the military, budgets and workloads never entered our minds or our remit; we were simply one of many operators. Running our own business was a whole different ball game. Firstly, how much interest is out there for mobile device forensic work, and are you going to pay for annual software license(s), especially when your first six months is spent demonstrating to clients what is possible by employing your company as their mobile device forensic specialists? This article will hopefully get you thinking about your approach to starting mobile device forensics, if nothing else.

Relationships and communication are the key to getting help. We have been rather fortunate, in that two large mobile device forensic companies (Oxygen and UFED Cellebrite) were willing to help us out for a minimum of 30 days. For the example in this article, we are using an iPhone 4 running iOS 5.1. We are running Oxygen Forensic Suite 2013 (www.oxygen-forensic.com) and UFED Cellebrite Physical Analyzer. However, this is not an Oxygen Forensic Suite or UFED Cellebrite Physical Analyzer user guide for iOS forensics.
If this were a tasking from a proposed client we would be looking at using multiple software tools, such as Oxygen and UFED Cellebrite and/or XRY. This is to make sure that no information is missed and so that we can corroborate our results, giving the client the best possible visual findings. We have found over time, working with some obscenely talented 'mobile device forensicators', that the piece of kit used is normally operator driven. We have been fortunate enough during our time to have used XRY, UFED Cellebrite, Athena, Oxygen and Tarantula. The chosen equipment for a particular task usually came down to which equipment the operator was most comfortable with, or which software gave the operator the best displayed final visual results to pass on to their client.

Throughout this article there are certain procedures we have not mentioned, such as being physically forensically sound. By that we mean we are not going to be employing a clean room, lab coat, facemask or dust mask and latex gloves so as not to contaminate the device and other items, such as the SIM card. Who you are performing the tasking for, the environment you are working in and the time constraints that have been placed on you will determine how physically forensically sound you are.

We are also not going to show you SIM card extraction. There are a plethora of open source SIM card extraction tools, though make sure you have a USB SIM card holder/reader to house the SIM card. If you are using one of the big names' equipment, such as XRY (www.msab.com) or UFED Cellebrite (www.cellebrite.com), you will be in possession of a USB SIM card reader. As this article is aimed at the beginner, though, we would advise using Todd Whiteman's PySIM software. This is a great piece of software; it is open source and is available to download from www.twhiteman.netfirms.com/pySIM.html.

Figure 1.
PySIM download

As well as deciding on what equipment and technique we are going to use, we have to ask ourselves a few more questions. What information are we looking for? What does our client want to see and achieve? This should all be gained from meetings and briefings with your client, the person to whom you are going to deliver the final findings, presentation and executive summary. For our example we want to find out what Internet access points the handset has been attached to, what SMS messages have been sent from the device and what social media accounts, if any, are active on the handset. We also want to see the activity log of the device, i.e. phone calls in and out, WhatsApp and Viber usage etc. We shall also see if the software has extracted any geolocation data from the mobile device.

Figure 2. Oxygen Forensics Extractor connection options
• How are we going to connect to the device being investigated? In this case, it is our own iPhone 4. We have the iPhone cable available to us as well, so there is no need to use the Bluetooth option.
• If you have purchased a full product from one of the big companies you will find that there is an option to have an array of mobile phone cables with your purchase. You may find, though, that you keep seeing the same mobile device connectors, so purchase just the specific ones you require, i.e. an iPhone 3G – 4S cable, an iPhone 5 cable and a micro USB cable.

Figure 3. Oxygen Forensics Extractor device identifier
• Once the device is connected, you will see this page informing you of the device's IMEI (International Mobile Equipment Identity). You may want to note this number down and use it as a client reference number, or, if you are working on multiple devices for the same client, use the IMEI to distinguish between devices later on in the investigation.

Figure 4. Oxygen Forensics Extractor forensicator information
• Just before we start the software running, we have to fill out details about the case: the case number, who the inspector/investigator/forensicator is, who owns the device (the client), and any notes we may have about the device, such as big dents or scratches, stickers on the back of the device etc. In the screenshot above you can see how we at NCIS Solutions fill out this information when using Oxygen Forensic Suite 2013. Every information security and forensic investigation company will have its own working practices for how to fill this information out.

Figure 5. Oxygen Forensics Extractor, extraction completion options
• As you are probably aware, the time taken to finish the extraction will depend on the size of the device you are extracting from. In this example our iPhone 4 is 8 GB and took 18 minutes to extract. It will also depend on the computer you are running the software on. Again, in this example we are running Microsoft Windows 7 Home Edition in a VM on an Apple MacBook Pro.

Figure 6. Oxygen Forensic Suite 2013 front page
• Now we have extracted all the data from the device, we can start to analyze it and build up our findings and executive summary based on our client's initial brief.
• As you can see from the front page above, the Oxygen software is very easy on the eye and very intuitive when navigating around our extracted device data. It can safely be said that both UFED Cellebrite and XRY software are as easy to navigate around, though it may take you some time to become comfortable with the different use of icons, the naming of different tools that perform the same task etc. So if we take our client's initial brief, we are looking to pull out text messages, social media, phone (GSM) events and any geolocation data. The next few slides will demonstrate what is available to the mobile forensic investigator through using Oxygen Forensic Suite 2013.

Figure 7.
Phone call data
• We can see that there was a particular rise in messaging (other) activity in 2013 compared with 2012 to this particular number. As well as individuals, we could look at the overall activity of the handset.

Figure 8. WiFi data
• This is our WiFi data for July 2012. If you were at Black Hat or DEF CON in 2012 then you will understand the pattern of our SSID names, as they are names of hotel hotspots along the Las Vegas strip. If the device has recorded the lat/long, we can also export this data to Google Earth. Producing a pictorial representation of where the device has been is a definite must for clients, if the data is available to you.

Figure 9. Social media
• We could see from the front page that our iPhone had Twitter and LinkedIn installed. Here we can see all attachments posted on Twitter. We can also take the Twitter and LinkedIn details to find the account front pages online.

Figure 10. Device timeline
• This data shows us what significant events happened on the device in March/April 2012. We can see that two pictures were taken with geotags and a note was created regarding spear phishing when we attended a social engineering course in London (www.socialengineering.com).

Figure 11. Geotagged data
• From this slide you can see a snapshot of the geotagged data extracted from the mobile device. For those reading who are unaware, this is a shot of London and the numerous tourist-type trips one of the NCIS Solutions forensicators has taken over the past couple of years. So what we have here is a timeline of activity of the device (our iPhone 4) over the past 24 months. We began the article by stating that this isn't an in-depth look at iOS forensics, nor is it an Oxygen Forensic Suite 2013 how-to piece.
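The export to Google Earth mentioned above does not have to go through the tool's own exporter once the located records are out of the extraction. The following is an added example, not code from the article or from Oxygen or Cellebrite; the record layout and the sample WiFi and photo records are constructed for illustration (a real run would read the tool's CSV or XML report). It keeps only records that actually carry a lat/long, which is the caveat the text raises, orders them by time, and writes one KML placemark per record plus a path line, so the client sees both where the device was and in what order:

```python
"""Export geotagged extraction records to KML for Google Earth.

Added example, not code from the article or from any forensic tool vendor.
The record layout is an assumption; the sample records are constructed.
"""
from datetime import datetime
from xml.sax.saxutils import escape

# Constructed sample: three records with coordinates (two WiFi joins and a
# photo with an EXIF fix) and one WiFi record stored without a location.
SAMPLE_RECORDS = [
    {"time": "2012-07-25T21:14:00Z", "kind": "wifi", "label": "hotel-lobby",
     "lat": 36.1215, "lon": -115.1696},
    {"time": "2012-07-26T09:02:00Z", "kind": "wifi", "label": "conference-wlan",
     "lat": None, "lon": None},
    {"time": "2012-07-26T12:40:00Z", "kind": "photo", "label": "IMG_0042.JPG",
     "lat": 36.1170, "lon": -115.1760},
    {"time": "2012-07-24T18:30:00Z", "kind": "wifi", "label": "airport-free",
     "lat": 36.0840, "lon": -115.1537},
]


def _when(record):
    """Parse the record's UTC timestamp ("Z" suffix) into a datetime."""
    return datetime.fromisoformat(record["time"].replace("Z", "+00:00"))


def records_with_fix(records):
    """Keep only records that carry a usable lat/long, oldest first."""
    fixed = [r for r in records
             if r.get("lat") is not None and r.get("lon") is not None]
    return sorted(fixed, key=_when)


def build_kml(records, document_name="Device locations"):
    """Return a KML document: one Placemark per located record plus a path.

    KML coordinate order is longitude,latitude,altitude; the TimeStamp lets
    Google Earth's time slider replay the sequence.
    """
    located = records_with_fix(records)
    parts = [
        '<?xml version="1.0" encoding="UTF-8"?>',
        '<kml xmlns="http://www.opengis.net/kml/2.2">',
        "<Document><name>%s</name>" % escape(document_name),
    ]
    for r in located:
        parts.append(
            "<Placemark><name>%s</name>"
            "<TimeStamp><when>%s</when></TimeStamp>"
            "<description>%s</description>"
            "<Point><coordinates>%.6f,%.6f,0</coordinates></Point></Placemark>"
            % (escape(r["label"]), escape(r["time"]), escape(r["kind"]),
               r["lon"], r["lat"]))
    if len(located) > 1:
        # A LineString through the points in time order shows the movement.
        coords = " ".join("%.6f,%.6f,0" % (r["lon"], r["lat"]) for r in located)
        parts.append("<Placemark><name>Movement</name><LineString>"
                     "<coordinates>%s</coordinates></LineString></Placemark>"
                     % coords)
    parts.append("</Document></kml>")
    return "\n".join(parts)


if __name__ == "__main__":
    print(build_kml(SAMPLE_RECORDS))
```

Write the returned string to a `.kml` file and open it in Google Earth; the record without a fix is dropped rather than plotted at 0,0, which is the usual mistake when a tool's export is fed in unfiltered.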
Below you will see a similar front page to the one we have from Oxygen, but this time the software is UFED Cellebrite's, as well as the geotagged results returned from a UFED Cellebrite Physical Analyzer extraction.

Figure 12. UFED Cellebrite Physical Analyzer summary
Figure 13. UFED Cellebrite Physical Analyzer summary and front page
• As you can clearly see, the layout and methodology of how the results are presented to the forensicator after extraction are very alike. You will notice this no matter what mobile device software you decide to use for your extractions. This is a positive as you move through your mobile device forensics career, for example when moving to an employer who uses UFED Cellebrite instead of Oxygen or XRY: you as the operator will be able to extract data and start analyzing results with minimum training on the software. The slide below is just another example of how similar the different types of software are, helping you, the forensicator, quickly adapt to small visual changes if required.

Figure 14. UFED Cellebrite Physical Analyzer geotagged data
• Instead of exporting to Google Earth, this time we have simply opened up the mapping tool within UFED Physical Analyzer for a global perspective of the phone's geographical use. From here you can either zoom further in for more detail or export the data to Google Earth as we did when using Oxygen Forensic Suite 2013.

As you develop your knowledge and experience you will become quicker and more comfortable with a particular piece of software and find yourself turning to that software first. One lesson NCIS forensicators have learnt over their time in mobile device forensics is: do not become over-dependent on just one piece of software.
Have your favorite by all means, but always try to use a minimum of two pieces of mobile device extraction software to maximize your results and give yourself the best possible executive summary of your findings for your client. That is all on mobile device forensics for beginners. Thank you for reading, and we hope that it has been an insight for beginners and for the more advanced who maybe haven't seen Oxygen Forensic Suite 2013 or UFED Cellebrite Physical Analyzer before now.

IN SUMMARY
As we wrote earlier, here is a little piece on what we at NCIS Solutions are looking to do over the coming months in regard to mobile device forensics, with an added twist. Within NCIS we have a very fun, outside-of-the-box Research & Development team. Our knowledge and experience of media device forensics, information and personal security gives us a great platform to work from. The team's aim is to take current working practices or systems and evolve them, make them better and simplify them. Our aim is NOT to re-invent the wheel!

In recent weeks we have been researching the use of FTK (Forensic Toolkit) on a .dd image of an Android and/or iOS handset. This technique gives the forensicator, possibly by remote means if we are working from multiple locations, the ability to have a quick and dirty look at the folder structure of the handset before deciding which, if any, specialist mobile forensic equipment should be used.

We are also experimenting at present with our zero app 30 project. We wanted to be able to protect our clients' data on their Android handsets remotely if the handset is lost or, more importantly, stolen. The 'thinking' man's thief, in our experience, would first turn off location services and then delete any handset location apps such as 'Find My iPhone'. We believe that we have developed an Android phone that circumvents all of these issues if a client's smartphone is lost or stolen.
The first of these handsets is hopefully going to be rolled out in late November in beta form, with the first full version going live in the New Year.

We would like to thank the Oxygen Forensic Suite 2013 team for letting us use their educational license when writing this article. We would also like to thank Ron Serber and the UFED Cellebrite team, who also gave us access to their Physical Analyzer suite and their support recently. It is very much appreciated. Finally, a big thank you to the operators from NCIS Solutions involved in helping put this article together.

ABOUT THE AUTHOR
In our time working in the British Army, we have been fortunate enough to work all over the world with some incredible specialists, including EOD ECM (Explosive Ordnance Disposal Electronic Counter Measures) operators, intelligence analysts, computer network exploitation operators and TME (Tactical Media Exploitation) forensics operators. Since leaving, we have been working as a small group of ex UK and US military operators from similar backgrounds, running NCIS (Network, Computer and Information Security) Solutions. With over 20 years combined military intelligence, government agency and special forces experience, our aim is to deliver products and technology that are simple to use but unique in their delivery. We also support vulnerable businesses and personal users in defending against persons and/or groups wishing to cause harm and disruption to their equipment and infrastructure. For any more information please visit us at www.ncis-solutions.com

BEST PRACTICES FOR A COLLECTION OF AN IOS MOBILE DEVICE
by Richard A. Rodney

As the use of iOS devices continues to proliferate in the business space, they present some unique challenges when data must be collected from them. Bring Your Own Device (or BYOD) policies in many organizations have further altered the landscape that computer forensic professionals must navigate.

What you will learn:
• The procedure to follow for performing a forensic collection of an Apple iOS device such as an iPod, iPhone or iPad.
• What you should know prior to performing a collection of an iOS device.
• Some important items you can collect from an iOS device.
• Methods of blocking mobile wireless signals.

What you should know:
• Familiarity with mobile operating systems.
• Familiarity with Apple devices and iOS versions.
• Familiarity with the concept of encryption.

Of the many new challenges facing computer forensic and ediscovery professionals, the proliferation of mobile devices, specifically Apple iOS devices, presents professionals with new questions as to how they should manage collections for these devices. The explosion of permissive Bring-Your-Own-Device ("BYOD") policies in businesses, coupled with the rapid acceptance of non-Windows based (i.e. Apple) products in the business space, has in short order changed the landscape for digital evidence detection, collection and use forever. Businesses must adapt to new technologies while mastering (and regulating) their own use of them. Lawyers, computer/mobile forensic technicians and ediscovery practitioners must also adapt to new technologies, particularly to the increasingly accepted mobile/cloud/BYOD based business environment, and develop new strategies and methods for ensuring that digital evidence is thoroughly, efficiently and defensibly collected and preserved. Apple/iOS devices are now present in the network architecture (at least through BYOD) of almost every major business in the country, and this article focuses on considerations and best practices for collecting data from these devices once they have been identified and access to them has been secured.

APPLE/iOS
Apple iOS devices in the form of the iPod, iPhone and iPad present some unique challenges for the early stages of managing, preserving and collecting electronic files. There are two primary questions to answer when collecting data from any of these devices: one, what is the precise model version of the device? Two, what is the precise operating system ("OS") running on the device, including the update history of the OS running on the device? There are sometimes subtle and often not so subtle differences between generations of iOS devices and the year they are released. Apple has released new generations of many of its devices roughly every year for some years now. This means, for example, that the iPhone 3G and 3GS, consecutive models only a year apart, are different devices and may require different processes and software to reliably collect from them. Just as with the different model versions, different OS versions present their own challenges and solutions.
Each version of iOS was designed to update and improve the user experience, but not all users perform all updates. There are various reasons for this, but regardless, you have to be aware of the current version of iOS on the device you are about to collect from. Apple/iOS devices feature passcode/passlock and encryption elements that must be disabled to ensure an uninterrupted and successful collection. If devices are encrypted and users have not provided security access, there are a variety of processes that can be used to gain root user access (also known as jailbreaking) to achieve and maintain access to data on the device.

Figure 1. iPhone 5
Figure 2. iPad 3

As mobile forensics and ediscovery are becoming more commonplace, it is a good idea to recognize the roots of the discipline. As with most computer forensics tactics, mobile forensics was born of the law enforcement and intelligence communities' varied needs to access content on mobile devices. From there these disciplines have been adopted in the corporate and legal worlds for a variety of needs, from human resources matters to theft of intellectual property. One of the tried and true methods is screen capture: plug the mobile device into a projector and print the contents of each screen. This is an effective if somewhat painstaking and methodical process. This method was more useful for early semi-smartphones and other cellular phones that had no access to the cloud and could store very little active data. With most smartphones such as the iPhone and tablets such as the iPad being as powerful as or more powerful than computers from 5 to 10 years ago, it is not an exaggeration to refer to most mobile devices as mobile desktops. The project-a-phone method is not practical for most smartphones and absolutely not for any tablets. To that end, several tools have come onto the market to address collecting and analyzing mobile devices.
Without any implied preference, examples are: Cellebrite’s UFED device, AccessData’s Mobile Phone Examiner Plus (MPE+), BlackBag Technologies’ BlackLight and Paraben’s Device Seizure. There are many other tools, but these are the ones I know through my own vetting process. They all can be utilized effectively for collection and analysis of iOS devices.

Before we get into a step-by-step of what to do: as any mobile forensic professional will acknowledge, seizure of a device is only as good as your ability to keep its contents unchanged. Mobile devices can be updated wirelessly via mobile data service or WiFi, so turn the antenna off. In fact, disable all wireless services as soon as reasonable before collecting. Airplane mode is a good choice to stop all communications to the mobile device. Another method I have learned is wrapping the mobile device in aluminum foil, which I like to refer to as a poor man’s Faraday box. A Faraday box, bag or room utilizes material that effectively blocks all incoming and outgoing wireless signals for a device. Why would you want to do so? Simply put, if the mobile carrier sends out an update to the operating system, or an IT technician pushes a firmware or software update to the device mid-collection, this can change the files on the mobile device, up to and including wiping existing files. This would render your collection fruitless.

COLLECTING FROM AN iOS DEVICE
Now that we have wrapped our brains around a few procedures and tools, let’s discuss a standard workflow for collecting from an iOS device.
• First step, put the device in airplane mode or find other means to block mobile data and WiFi signals from reaching the device. I also recommend disabling the passcode device-locking feature as soon as you can.
• Second step, ensure the mobile device is charged.
Collect the power cables if you can, or have one handy, then charge it up!
• Third step, while the device is being acquired, perform some social engineering. Find out the passwords for the device, the version of iOS, the model of device (iPhone 4 or 4S, iPad 2 or 3, etc.), the year it was released for sale, and whether the user created an encrypted iTunes backup.
• Fourth step, choose the appropriate tool for the collection. Consider what will be done with the files after they are collected. Will analysis be performed for the purposes of establishing when and where the phone was used? Will eDiscovery and data normalization be performed in order to add specific user-created content to a legal review alongside documents from other sources? The reality is that all the tools mentioned will work well. There may arise a scenario where more post-collection work is required to fit one scenario versus another. Always go into the process with as much information as can be known or acquired.

While there are a few different approaches and variations to the process of collecting, what has been presented is basic, repeatable and adaptable. With any computer forensic collection, remain agile. Since we are focusing on iOS here, let’s hone in on some core concepts mentioned earlier to make an effective collection. The simplest question that can hamper a collection by going unanswered is: “What is the passcode to unlock the device?” Few devices can confound access more than a locked iOS device. Even to jailbreak an iOS device, it must be unlocked first. One of the many techniques for collecting from an iOS device is to jailbreak it; if the device cannot be accessed, jailbreaking will not be impossible, but it will certainly be difficult. Next, consider the device itself and remember that different versions of iOS devices in specific generations and within years of production have different make-ups.
Each can use different processors and have different iOS versions, and the user may or may not have upgraded. Another thing to consider: is physical or logical access to the device needed? Physical access covers everything that has ever been stored or deleted on the device. Logical access reaches only those items currently considered “live” on the device. For example, the iPad 3 can currently only be acquired via logical access by the leading tools (including BlackBag’s BlackLight, which is an Apple-centric collection and analysis tool). But all developers are working to solve this problem, after which they will get to start all over again for the iPad 4. Regardless, consider what is needed and what may need to be considered acceptable for access.

Figure 3. Encryption

KEY COLLECTION CONSIDERATIONS
Another consideration mentioned earlier is whether or not the device is encrypted or has an encrypted iTunes backup. I can tell you from personal experience that this situation can drive you mad. I once performed a forensic collection of several mobile devices, of which one subject had an iPhone and another device. The person from whom I needed to collect the ESI on their iPhone was cooperative but had forgotten that they had set an encrypted iTunes backup for their iPhone, a fact that they did not inform me of because they did not recall they had done it. After several failed attempts to collect the device, it occurred to me to ask if they had an encrypted iTunes backup. The user recalled that they did but could not remember their password, and was reasonably certain they had set it up on their home computer, which was a Mac. The user agreed to try to access their device and unlock the encryption on their office computer, which they had synced to. After several attempts he recalled the password and we were able to access the iPhone.
The tool I used was able to collect the ESI from his phone, where previously it had sat in a state of collection for roughly 8 to 10 hours over four different attempts to collect. I can only imagine what these situations must be like for law enforcement or collections from less cooperative subjects; thankfully, so far I only have to imagine!

Something else to consider is the amount of storage the particular iOS device is capable of. Remember earlier, I referred to some mobile devices as mobile desktops? Well, most people, given the chance, will save everything they can locally. So a 64GB iOS device is great for the end user, not so much for the collector. Apple iOS devices are considered dense storage devices; another way to view them is as a portable hard disk drive with a user interface. At their core, they are storage devices, and as such many things can be saved to them, like thousands of pictures, music files, movie files and documents. The storage capacity of the device will determine how long the collection will take. Under the best of circumstances the time to collect or harvest is nebulous, but having some idea up front whether you are dealing with a large-storage device or not is extremely useful in planning the collection.

So, you have collected: what’s next? This goes back to the question: what is your end-game? Basic and standard information will be available depending on the mobile carrier, such as:
• where the phone or tablet was last used.
• numbers called.
• WiFi networks connected to.

With this information known, you can get granular and look at important electronic evidence artifacts. Many are standard, but some are Apple/iOS-only items like SQLite tables.
• Do you need to know what emails / text messages were sent and when?
• Do you need to know the location and time stamp of a stored picture or a picture taken with the camera?
• Is it important to know what applications were downloaded and used?
All that you need to know is there and available to varying degrees. If the user only set their email to store the last 100 emails, then that is all that is available. The point is, once you have harvested the files from the phone, you can lay out a very accurate map of the travels and activities of the phone user, or disprove actions that they are assumed to have taken. Choose the right tool for your analysis and subsequent ediscovery processing and review. Keep in mind that while iOS is very organized, there are a lot of files that may be considered responsive to your analysis via standard keyword or live search. As most ediscovery and review platforms are Microsoft based, you want to consider this as well for your overall strategy. One thing I would advise, when practical, is to analyze and export your responsive ESI using a Mac computer. This is not always necessary and, in fact, it is a good idea to have multiple analysis tools, but there are some files that are just better viewed and more accessible in a Mac environment.

IN SUMMARY
Collecting from an iOS device is difficult but not impossible. There are specific facts you need to know about the device and its manufacture, and variations in the methods that must be used depending on those facts. The keys to successful collection of data from Apple/iOS devices are the same as for any collection: know the device, know the user, know the purpose of the collection, know the data that is being targeted, and know how to use (and have access to) the right tools to defensibly collect it.

ABOUT THE AUTHOR
Richard Rodney serves as the Chief Technology Officer for SiteLogic Technologies, headquartered in New York City. Richard has over 20 years in Litigation Support, ESI technologies and Computer Forensics.
Richard manages the Electronic Services and Project Management group for SiteLogic and serves as the chief architect of technology-related services, with a concentration on consulting, forensic collections and analysis, and processing. Richard is a certified forensic and mobile forensic examiner, having achieved both the ACE and AME certifications from AccessData’s training group. Richard received his initial computer forensics training from instructors with the International Society of Forensic Computer Examiners CCE bootcamp program. Richard has also been trained by instructors at BlackBag Technologies to perform collections and analysis of Apple devices using their tools. Richard is a devoted father of a daughter, and also enjoys reading, fitness activities, and movies. Richard also enjoys learning about and using new technology. Richard is a long-time supporter of the New York “Football” Giants in the NFL, the New York Yankees in MLB and the New York Knicks in the NBA. Richard is a graduate of Lincoln University and Brooklyn Technical High School.
UNDERSTAND RISKS OF ANDROID APPS
secroid.com by NetAgent Inc and NetAgent Co., Ltd.

When compared to paid apps, free Android apps are said to be about a hundred times more likely to be downloaded, and so developers will oftentimes employ advertisements, or in-app billing models, in order to generate profits. Ads in free apps are a growing risk among smartphone users, with many able to amass various types of user information. What the user sees as simple advertisements on a smartphone actually have the ability to see a user’s age, gender, location, phone model, and other downloaded apps.
The ads then proceed to collect as much information as they possibly can before sending it anywhere ranging from America to Japan, China, or Korea.

What you will learn:
• Which factors determine risky behavior in smartphone apps.
• What software analyzes apps for vulnerabilities in the code.

What you should know:
• Malicious software affects Android users every day.
• Most malicious software is hidden in free apps.
• Users need a way to determine the risks of apps.

Forensic investigations of malicious Android apps have two main goals: finding an app’s users and finding an app’s developer. The Global ID used by advertising modules is an effective means of tracking down users of an app. For most apps advertising to Android users, individual users are distinguished by their Global IDs. The Global ID ties each installed client OS to a SIM whenever a contract with the phone carrier is made, and thus it is not frequently changed by the user.

Figure 1. A Global ID’s MD5 hash value

There are multiple methods of finding an app’s developer:
• Distributor’s Information Page
• Code sign
• Ad-ID
• Access URL

DISTRIBUTOR’S INFORMATION PAGE
The most basic method is to simply look at when an app is released on Google Play. Information on the distributor, such as a link to the developer’s website, email address, or privacy policy, will be published under “Additional Information”. A developer can be trusted if this information is clearly stated, and other apps by the developer can also be viewed at a glance.

Figure 2. A Distributor’s Additional Information

CODE SIGN
Each Android app has a self-signed certificate, which requires a code sign. The signature itself may not be reliable, but since it was created by a user, there may be information related to the creator. Some criminals may even use their real names.

Figure 3.
Code Sign Example

AD-ID
Before sending to the advertiser, an app with an advertising module records either an advertisement ID coming from the app, or an ID made from the app’s package name. If an advertisement ID is used, it can be embedded in any of four places: the Manifest file, the resource library, XML file contents, and the program code. This can be quite complex, but because it is a source of income, it is likely to include bank account information as well as other details.

Figure 4. Ad-ID Example
Figure 5. Captured Parameters of an Ad-ID

ACCESS URL
Ad modules are likely to send information outside via a URL created by the app’s author. These URLs often link to separate pages dedicated either to smartphones or to PCs. If the app is running high-ticket affiliate ads, it will link to the affiliate’s site before jumping to the target site. The affiliate ID attached to the URL can then be used to determine the ID of the ad publisher. If it isn’t being used to deliver money outright, the ID may be used to track users through Google Analytics.

Figure 6. In-app URL found in secroid
Figure 7. s72700, an affiliate ID

DYNAMIC ANALYSIS
Apps can be analyzed either dynamically or statically. Dynamic analysis refers to the analysis of an app as it is running. There are multiple ways to do this; the most reliable method involves capturing the packet traffic going through the device. Since it is difficult to manually test each and every function, some relevant information is used to test the overall operation. A client’s identifiers can only be recognized if the hashes match those obtained from the client beforehand.

STATIC ANALYSIS
Compared to dynamic analysis, static analysis of an Android app is relatively easy. Most Android apps are installed not in their native environment, but in a process virtual machine known as “Dalvik”.
Applications are commonly written in Java and are compiled into Java bytecode when running on a Java VM; however, when Dalvik is used, Java bytecode becomes “Dalvik-compatible code”. Due to Dalvik being based on Java, decompiling is simple. One characteristic of static analysis is that everything about the entire app is uncovered. On the other hand, parts of the code which do not run may also be included, and there is no way of knowing for sure whether they actually run or not. Android developers may also be using an obfuscating tool named ProGuard, but the obfuscation does not affect accesses to the API, which can still be analyzed without problems.

ANDROID APP PERMISSIONS
Android runs on a Linux kernel, and so the files, devices, and user access controls are all based on UNIX systems. For each app executed within the Dalvik VM, the executing user has already been predetermined, and only the rights of that user can be granted. In order for the Dalvik VM to access the API of the app in question, it requires the permissions written in the app’s Manifest.xml file. Without the right permissions, an error will be returned. Permissions given to an app are granted at the time of installation, by clicking [OK] for each permission. Up until now, this is how Google has provided Android with app security. As the App Market has picked up since then, numerous problems have arisen with this system. The official market was only capable of determining whether credit card payments were settled. Inspecting the apps themselves was left to “Bouncer”, an automated system which debuted in February 2012. While it may have had some results, Bouncer did not meet user expectations, and it was inevitably powerless to stop a great deal of information collected by malware from being made public.

HOW SECROID ANALYZES
In March 2012, Japan faced an outbreak of malicious apps.
A total of about 50 million items of personal contact information were stolen, collected by 6 major criminal organizations. Three of these groups were arrested, thanks to information provided to news organizations and the police relating to the apps. As a result of this incident, software has been developed to prevent further cases of information theft due to apps on Android. This software, which checks apps for risks before they are installed, is known as secroid.

Figure 8. secroid.com Home Page

Secroid.com is a free website which evaluates the potential risks of Android apps. Apps published on Google Play can be searched, and their levels of risk will be shown. When evaluating risk levels, secroid analyzes not just permissions, but the actual code, along with what information gets sent, and where and to whom it is sent. As of 2013/08/05, secroid.com has gathered information on 770,000 apps, covering about 90-95% of all free apps published online. The risks of apps can be displayed directly on Google Play, instead of having to search on the web, by installing the optional SecroidSearch app beforehand.

Figure 9. SecroidSearch app https://play.google.com/store/apps/details?id=com.github.ymstmsys.secroidsearch

WHAT INFORMATION IS EVALUATED
Apps developed in a particular region tend to share individual traits. In general, featured ads in a smartphone app will send a client’s information to be distributed among ad servers in order to send ads specifically targeted to that user. To this end, advertisers will evaluate how often an app is run on a smartphone, along with the duration it is run, or when it was last run. In addition, the client’s info is encrypted into a hash table, with a different key sent for each advertiser.
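The identifier matching described under DYNAMIC ANALYSIS (hashes seen in captured traffic compared against the client’s identifiers recorded beforehand), together with the per-advertiser hashing noted above, as an added example that is not secroid’s or NetAgent’s code: the device identifiers, hostnames and captured requests are all constructed for the demo.

```python
"""Match device identifiers (plain or hashed) in captured ad-network traffic.

Added example, not secroid's code. Before running the app under test, the
analyst records the test device's own identifiers; every parameter in the
captured HTTP requests is then compared with those identifiers and with the
common digests of them. All identifiers, hostnames and requests below are
constructed for the demo.
"""
import hashlib
from urllib.parse import parse_qsl, urlsplit

# Constructed identifiers of the test handset (Table 1 "ID Info" items).
DEVICE_IDS = {
    "imei": "490154203237518",
    "android_id": "9774d56d682e549c",
    "wifi_mac": "02:00:5e:10:00:01",
    "iccid": "8901410321111851072",
    "line_number": "+15555550123",
}

# Unkeyed digests ad SDKs commonly apply before sending an identifier.
DIGESTS = ("md5", "sha1", "sha256")


def candidate_forms(value):
    """Spellings of one identifier an SDK might hash or send: as recorded,
    upper/lower case, MAC without colons, phone number without '+'."""
    forms = {value, value.lower(), value.upper()}
    forms.add(value.replace(":", ""))
    forms.add(value.replace(":", "").upper())
    forms.add(value.lstrip("+"))
    return forms


def build_lookup(device_ids):
    """Map every form we expect on the wire (lower-cased, plain or hex
    digest) back to (identifier name, encoding)."""
    lookup = {}
    for name, value in device_ids.items():
        for form in candidate_forms(value):
            lookup[form.lower()] = (name, "plain")
            for algo in DIGESTS:
                digest = hashlib.new(algo, form.encode("ascii")).hexdigest()
                lookup[digest] = (name, algo)
    return lookup


def extract_params(request_line, body=""):
    """Split 'METHOD URL' plus an optional form body into the request host
    and its (key, value) parameters (query string first, then body)."""
    _method, url = request_line.split(" ", 1)
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    if body:
        params += parse_qsl(body, keep_blank_values=True)
    return parts.netloc, params


def find_leaks(requests, device_ids):
    """Return [(host, parameter, identifier, encoding)] for every captured
    parameter whose value is a known identifier or an unkeyed digest of one.
    A salted or keyed hash (the per-advertiser key the article mentions)
    will not match here; the key must first be recovered by static analysis
    of the ad module."""
    lookup = build_lookup(device_ids)
    hits = []
    for request_line, body in requests:
        host, params = extract_params(request_line, body)
        for key, value in params:
            match = lookup.get(value.lower())
            if match is not None:
                hits.append((host, key, match[0], match[1]))
    return hits


def _digest(algo, text):
    return hashlib.new(algo, text.encode("ascii")).hexdigest()


# Constructed capture: two ad/tracking requests and one harmless image fetch.
CAPTURE = [
    ("GET http://ads.example.invalid/v1/imp?aid="
     + _digest("md5", DEVICE_IDS["android_id"]) + "&os=android", ""),
    ("POST http://track.example.invalid/collect",
     "u=" + _digest("sha1", DEVICE_IDS["imei"]).upper()
     + "&mac=02005E100001&app=com.example.app"),
    ("GET http://cdn.example.invalid/banner.png?w=320&h=50", ""),
]

if __name__ == "__main__":
    for host, key, ident, enc in find_leaks(CAPTURE, DEVICE_IDS):
        print(f"{host}: parameter {key!r} carries {ident} ({enc})")
```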
Risks are determined either by matching code with that of previously recognized viruses, or by finding any bytecode which allows permission to access contact information, location, or client identification. The main structure of the Android app, as well as code written by the developer, code added by the Android SDK, any third-party modules, resource files, signatures, and Manifest files, are also identified. Code written by the developer and third-party modules are especially taken into account, allowing secroid to investigate where, and to whom, information is sent. Thus users are able to establish a privacy policy for determining which apps are allowed to collect information.

Figure 10. An app’s library list

For advertising modules, the portions of code which access, hash, or encrypt any identifiers, or link to any URLs, are automatically extracted and inspected on a per-module basis. When URLs are included, a web crawler automatically archives the web page.

Table 1. Key features of malicious apps identified by secroid
Important Functions: Viruses; Executable commands; Commands executed as root
Location Info: GPS; Base Station
ID Info: Line number*; Android_ID*; IMEI (device id)*; ICCID (SIM serial number)*; Wi-fi MAC address*; UUID
Module Types: Advertisement; User Tracking; Crash Report; Framework; Image Library; Billing; SNS; Messaging
Contact Info: Read contact data; Telephone numbers; Display names; Email addresses
Account Info: Google ID (Gmail address); Amazon ID; Other accounts
Other Info: Installed Application Lists; Use Notification Area
* Found in Global ID

SUMMARY
By evaluating the risks of Android apps with secroid, it is possible to produce a viable strategy for managing mobile devices. Secroid can determine whether an app has access to a smartphone’s personal contact list, location info, and more.
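An added example, not secroid’s code, of the static check described under STATIC ANALYSIS and ANDROID APP PERMISSIONS: it cross-references the permissions declared in the manifest with the framework API calls that return the Table 1 location, identifier, contact and account data. The permission and API names are real Android ones; the manifest, package name and decompiled snippets are constructed for an invented app.

```python
"""Static cross-check: manifest permissions vs. identifier-reading API calls.

Added example, not secroid's code. Parses a constructed AndroidManifest.xml
and scans constructed decompiled Java for the framework calls that return the
Table 1 location, identifier, contact and account data, then reports each
category as 'declared and used', 'declared only' or 'used without permission'.
The permission and API names are real Android ones; the app is invented.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Table 1 category -> manifest permissions that gate that data.
CATEGORY_PERMISSIONS = {
    "Location Info": {"android.permission.ACCESS_FINE_LOCATION",
                      "android.permission.ACCESS_COARSE_LOCATION"},
    "ID Info": {"android.permission.READ_PHONE_STATE",
                "android.permission.ACCESS_WIFI_STATE"},
    "Contact Info": {"android.permission.READ_CONTACTS"},
    "Account Info": {"android.permission.GET_ACCOUNTS"},
}

# Framework calls that return that data. ProGuard renames the app's own
# classes but not these framework names, so they survive obfuscation.
CATEGORY_APIS = {
    "Location Info": [r"getLastKnownLocation\(", r"requestLocationUpdates\(",
                      r"getCellLocation\("],
    "ID Info": [r"getDeviceId\(", r"getSimSerialNumber\(", r"getLine1Number\(",
                r"getSubscriberId\(", r"getMacAddress\(",
                r"Settings\.Secure\.ANDROID_ID"],
    "Contact Info": [r"ContactsContract\.", r"content://contacts"],
    "Account Info": [r"AccountManager\.get\(", r"getAccounts(?:ByType)?\("],
}


def declared_permissions(manifest_xml):
    """Names of all <uses-permission> entries in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def api_uses(sources):
    """sources: {path: decompiled text}. Returns {category: {api, ...}}."""
    uses = {}
    for text in sources.values():
        for category, patterns in CATEGORY_APIS.items():
            for pattern in patterns:
                for match in re.finditer(pattern, text):
                    uses.setdefault(category, set()).add(match.group(0))
    return uses


def classify(manifest_xml, sources):
    """{category: (status, sorted APIs found)}. A 'used without permission'
    hit is either dead code or a path that fails with a permission error at
    run time (the error the article mentions); a static hit never proves the
    code actually runs, as the article also notes."""
    perms = declared_permissions(manifest_xml)
    uses = api_uses(sources)
    report = {}
    for category, gating in CATEGORY_PERMISSIONS.items():
        declared = bool(perms & gating)
        used = category in uses
        if declared and used:
            status = "declared and used"
        elif declared:
            status = "declared only"
        elif used:
            status = "used without permission"
        else:
            continue
        report[category] = (status, sorted(uses.get(category, set())))
    return report


# Constructed manifest and decompiled snippets for an invented app.
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""

SOURCES = {
    "com/example/flashlight/a.java": (
        "String id = tm.getDeviceId();\n"
        "String aid = Settings.Secure.getString(cr, Settings.Secure.ANDROID_ID);\n"
    ),
    "com/adsdk/b.java": (  # constructed third-party ad module
        "Location l = lm.getLastKnownLocation(LocationManager.NETWORK_PROVIDER);\n"
        "Account[] acc = AccountManager.get(ctx).getAccounts();\n"
    ),
}

if __name__ == "__main__":
    for category, (status, apis) in classify(MANIFEST, SOURCES).items():
        print(f"{category}: {status} {apis}")
```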
For companies looking to implement BYOD, secroid is essential for determining the criteria of which apps may, or may not, be installed on Android phones.

ABOUT THE AUTHOR
NetAgent Co., Ltd. is a Tokyo-based Japanese company which, since its founding in 2000, has increasingly gained a reputation in computer and network security. Through developing various useful security products and providing unique investigative services, NetAgent has focused on both preventive and post-incident measures against data breaches. Today they enjoy a highly loyal customer base, including government agencies, financial sectors, telecom and other media companies, and large-scale manufacturers. Among their many products and services is secroid, software which analyzes Android apps for potential security risks and reports them in order to provide clear guidelines for mobile device management. NetAgent Inc. has been a New York-based subsidiary of NetAgent Co., Ltd. since 2012. They are currently introducing the product line to the North American market.

NFC SECURITY AND DATA LEAK
by Eric Laurent-Ricard

Before trying to do some forensics on NFC devices, it is important to understand the mechanisms that make the whole thing work. The different kinds of services offered by NFC phones compared to contactless cards are important as well. Is contactless payment secure enough, and what will the next enhancements be?

What you will learn:
• NFC is different from EMV Contactless because of the incompatibility of the underlying protocols.
• What can you do with an NFC phone?
• EMV Contactless payments do have weaknesses, and personal information can be stolen!
• Will it be important to do forensic analysis of NFC devices?

What you should know:
• What protocols and layers are

When someone hears about NFC (Near Field Communication), he often thinks that it is a technology with specific hardware.
In fact NFC is a set of multiple standardized communication protocols between an RFID target and a smart device like a smartphone or tablet, following the ISO 18092 protocol. When it comes to payment smartcards, it is not the NFC protocol which is used but a specific protocol related to the EMV (Europay, Mastercard and Visa) mechanism. The exchange between the card and the target is very close to the one defined by EMV for CHIP&PIN smartcards working with contact. This protocol is named EMV Contactless and is used by Visa in payWave and by Mastercard in PayPass, among others. NFC and EMV Contactless are different implementations of the underlying protocols, making them incompatible, but both protocols use the same base layer, named ISO 14443.

Figure 1. NFC FORUM ARCHITECTURE [7]

Nevertheless, both bodies that write the standards for these two systems (EMVCo and NFC Forum) are now working together towards a point where both systems will be compatible. Contactless systems and cards are not always based on NFC: for instance, the French transport system in Paris, called NAVIGO, is based on a different standard named CALYPSO, which is quite secure and prevents data leakage.

Figure 2. NAVIGO Card

DIFFERENT NFC MODES
NFC devices can work in various ways, as shown in Figure 1.

Passive mode
This is the card emulation mode for a smartphone, working like EMV Contactless with smartcards but not yet in a compatible way.

Figure 3. PayPass payment
Figure 4. NFC payment

Active mode
Reader/Writer mode makes the system work like a POS, with a device that can actively exchange with a contactless card and ask it for information, or act as an NFC tag reader.

Figure 5. Writing an NFC tag

Peer to Peer mode
This is the way to operate a direct exchange of data between two NFC phones, for instance to exchange business cards.

Figure 6.
Exchanging data in P2P mode

NFC communicates over a very small distance (< 10 cm) compared to other communication modes (Bluetooth, Wi-Fi, Zigbee, Beacon…), but with specific hardware you can access devices up to 1.5 m away in reader/writer mode.

APPLICATIONS AND SERVICES
Depending on each mode, NFC devices can be used for various services. Marketing and loyalty are more dedicated to smartphone devices, along with specific applications on the phone. Transportation and ticketing are used either with EMV Contactless cards, Calypso cards (Navigo) or with smartphones. Payment and money transfer are used both by EMV Contactless and by NFC smartphones. This last service is the one with the most buzz around it, because of the amount of transactions it can generate and because of today’s weaknesses as well.

CURRENT WEAKNESSES
The main weakness everyone is talking about can be found in the EMV Contactless implementation of the protocol, because they wanted to keep simple compatibility with the EMV contact process. Thus the data exchanged between the card and the target is not encrypted, and when the contactless reader accesses the card it can ask for a lot of information, sent back in clear text. These data include the following:
• PAN number of the card
• Expiry date
• Magnetic stripe information
• Full name of the customer
• History of the last operations done
But, at least, the CVV cannot be read! So, someone with an NFC device in “active mode” (USB token, smartphone…) can gain access to these data contained in the EMV Contactless card. This was demonstrated by Renaud Lifchitz, Security engineer at BT [1], at “Hackito Ergo Sum” in April 2012, showing the ability to read from these cards. Personal information data leakage is real with today’s implementation of the contactless protocol on payment cards.
Nevertheless, a transaction could not be made in place of the card, because the payment process IS secured and needs access to crypto data secured in the chip itself. But there are anyway multiple risks due to this weakness:
• Copying the PAN, expiry date and name from the card and using this information for online payment where the CVV is not required can lead to great loss for the customer and/or merchant, depending on bank contracts and applicable laws in different countries.
• Cloning the magstripe onto a new card so that it can be used where Chip&PIN POS are not common.
• Privacy: one can get personal information from the card and the way its holder is spending money, so profiling is an option.
• The card can be blocked by a thief’s attempts.
• PCI DSS compliance (EMV security requirements at merchant and bank facilities) would not be achieved by the merchant because of the clear-text personal information issue.

People will then prefer to protect their EMV Contactless card with specific wallets which could protect access to their card information, but current protections are not fully effective, and probably only a “mu-metal” case could offer real protection against all electromagnetic waves. We don’t have to panic either, because the distance limitation for using the card protects against misuse of EMV Contactless cards. Besides, new versions of EMV Contactless cards have been modified since November 2012 and no longer show either the name or the history of payments. With the example of Calypso systems and the work ongoing between EMVCo and the NFC Forum, the future version of contactless cards should include more security, exchange only encrypted data and include a specific PAN for contactless payment. Another real risk, whether or not card security is implemented, is the loss of the card itself; in this case, the thief can use it without a PIN code for small payments (less than 20€)!
A LEGAL QUESTION THEN ARISES
Let’s consider that security issues are solved in the near future (1 year, 2 years?), and that no data leakage is possible. As we use neither a PIN code nor a signature to validate the transaction, will these payments be considered online payments (card not present)? If you read most bank contracts, you can deny a payment if you did not sign or PIN it, and then be reimbursed, arguing that someone else did it. So will local contactless payment be analyzed by lawyers as remote payment or not? I think they will have some work to do there…

FORENSIC ISSUES
After spending some time on security and data leak problems arising from contactless payment, let’s talk a little about forensics (it was about time!). We have to consider two options:

EMV CONTACTLESS CARDS
First, in criminal cases, we have to know whether or not the suspect had a contactless card, and then ask the law enforcement forces to give it to us along with other hardware to analyze it. Then we have to buy and mount a specific platform with NFC and contactless readers to be able to access data in the card. We can use the program Renaud Lifchitz told us about as a basis and modify it into a “forensic” tool, proving that it will not alter the card itself. From there we can have access to the history of payments done with the contactless card, which could be useful for authorities to cross-check this activity with others or with specific locations where the suspect could have been.

NFC SMARTPHONES
Smartphone analysis is often part of our work, with well-known tools eForensics Magazine has already written about, and in more articles in the current issue. We then have to verify the presence of the NFC functionality, either by checking the applications installed on the phone, or by testing its capabilities with the same kind of hardware we described earlier for contactless cards.
Normally, access to the payment function, even in NFC mode, should be protected by a specific code to prevent thieves from using this option. So, if possible, it would be helpful to have the police ask the suspect for this code for the analysis. Most information will then be available directly from the application, mainly the history of payments, which, once again, could be useful. If we do not have the access code, we can try to read the NFC chip directly and check whether the protocol implementation is as weak as today's EMV contactless protocol, in which case it gives us the expected data. Other NFC applications present in the smartphone can also be useful, especially loyalty programs or tag reads, if they are logged somewhere, so do not forget to check every function you can find on this kind of smartphone…

A FINAL WORD ON NFC
Following the NFC Forum specification for smartphones, a Secure Element (SE) should be embedded in the mobile phone, either on the SIM card or in another secure chip. The problem arises when the MNO wants to be the Trusted Service Manager (TSM) and hosts the SE in the SIM: banks do not want the MNO in the chain of custody, nor to share their revenue from the transactions! On the other hand, handset manufacturers are not willing to install another secure chip in their phones to support the TSM operations. This will lead to hard negotiations between the various players in the process: issuers, acquirers, MNOs and TSMs, and will probably increase the cost of NFC transactions! In the case of an NFC smartphone, the usability of contactless payment is not so obvious either: how will software priorities be managed when another application is taking most of the phone's memory, or when the user receives a call or is online? Will the payment process be interrupted or suspended?
If I want to protect access to my payment application, I will probably add a code to access it, besides the code I need to unlock my phone, and this will take as long as paying at a standard Chip&PIN POS! Is security not worth a 15-second wait to use Chip&PIN instead of a tap?

REFERENCES AND BIBLIOGRAPHY
[1] Renaud Lifchitz, BT engineer, paper: https://code.google.com/p/readnfccc/downloads/detail?name=hes2012bt-contactless-payments-insecurity.pdf
[2] EMV and NFC: Complementary Technologies that Deliver Secure Payments and Value-Added Functionality: http://www.smartcardalliance.org/resources/pdf/EMV_and_NFC_WP_102212.pdf
[3] EMVCo: EMV Contactless specifications: http://www.emvco.com/specifications.aspx?id=21
[4] PCI Security Standards guidelines: https://www.pcisecuritystandards.org/documents/pci_dss_saq_instr_guide_v2.0.pdf
[5] Swiss study on EMV-compatible mobile payment: http://www.abrantix.com/de-downloads.html?file=tl_files/abrantix/download/whitepaper/Feasibility%20Study%20for%20a%20Smartphone%20App%20to%20Make%20EMV-Compatible%20Payments%20via%20NFC%20Maeder%20Vogler.pdf
[6] GlobalPlatform specifications for NFC: http://www.globalplatform.org/specificationssystems.asp
[7] NFC Forum specifications: http://www.nfc-forum.org/resources/presentations/IET_presentation_NFC_Forum_John_Hillan_final.pdf

ABOUT THE AUTHOR
Forensic expert, PhD in computer science, member of the National Trusted Third Parties federation (FNTC), Vice-Chairman of EESTEL (Secured European Electronic Transactions Experts) and member of various expert-witness associations (CNEJITA, CEESD, CIECAP). In 1993 he created the first French commercial Internet service provider, sold to Qwest in 1997. Along with his business expertise in helping new start-ups (business models), he has been active in non-profit professional organisations, mainly in the fields of security, electronic signature, trusted third parties and standardisation.
Besides, he lectures at Paris II University on Internet protocols, identity and security, forensics and cryptographic technologies. Often working with law enforcement agencies on computer forensics, he also works on payment and secure cards along with contactless technologies.

WINDOWS PHONE 7/8 (WP7) DIGITAL FORENSIC INVESTIGATION PROCEDURE AND EVIDENCE RECOVERY TECHNIQUES
by Dr. Roffeh Ehud, International Law Expert in Electronic Evidence

One of the central problems involving technology and legal proceedings is the reliability of the evidence presented to the court. This question is made more relevant by the fact that rapid technological change makes previous legal precedents irrelevant. In other words, the same technology is no longer used to reinforce evidence, since the forensic tool used to extract digital evidence from the new device is not the equivalent of the one evaluated before.

What you will learn:
• Overview of the changes in WP8 with regard to WP7
• Evidence recovery techniques
• Procedure of a digital forensics investigation
• Legal preservation requirements for mobile devices

What you should know:
• Basic information about Windows Phone
• General idea of mobile forensics

Furthermore, the same forensic tool that was evaluated in the past and found to be reliable with regard to the digital evidence it presents must now undergo far-reaching change in order to cope with new technologies. This leads us to the question of whether the evidence presented to the court represents the actual events, and whether it is possible to rely absolutely on it. It is imperative to realize that, even for a forensic tool that has successfully passed all tests regarding the credibility of digital evidence collected from other devices, this does not constitute a guarantee of the credibility of findings collected from modern devices.
Additionally, it must be understood that the differences between devices will often result in variations in the manner in which digital evidence must be handled. It is recommended that the deeper device levels be investigated rather than just the operating system level. It is also essential that the technological tools used to extract electronic evidence from the mobile device be examined. Furthermore, it should be determined whether the device has been tested in the past, under what circumstances, and whether the data collected was proven beyond all doubt to be credible and reliable. For these and other reasons, it is always advisable to obtain and examine additional hardware with which the mobile device was synchronized, such as a laptop or workstation. In the eyes of the court, it is a given that, when no other equivalent data is presented that attests to the origin of the evidence, the weight given to evidence collected from a modern device should be reduced.

INTRODUCTION
On the 27th of December 2012, the WP8 operating system was launched globally. This is the most recent operating system marketed by Microsoft (MS) and replaces previous Microsoft mobile operating systems such as WP7, Windows Mobile 6 and earlier versions. The WP8 system is a new program that is visually different and includes a number of additions that do not, substantially, differ from WP7. Therefore I will focus on WP7 technology, which introduced a different technological model and resulted in a change in the management of digital evidence and its extraction from a mobile device. As stated, we can view the WP7/8 operating systems as totally different from their predecessors. MS completely redesigned the operating system so that it is no longer based on the older Windows Mobile (WM) model or earlier versions.
WP7/8 will not run on outdated hardware, including some existing mobile phones and older-generation devices, and will not allow the use of previous-generation programs. The system's new design introduced many visual changes, with the result that techniques for managing digital evidence which worked on older systems will no longer work on the new one. The operating system includes a new user interface that uses a touch screen and an on-screen virtual keyboard. Instead of icons, the system uses "Tiles", a dynamic design that allows users to lay out the interface as they wish. The operating system's standard applications include an Internet browser (Internet Explorer Mobile), email (an Outlook client which can use Hotmail, Yahoo Mail or Gmail), multimedia and music players, video and pictures, Office and more. As with competitors' smartphone platforms, the MS operating system enables the installation of third-party applications such as music players, video clips, applications and more.

During an investigation involving digital evidence on a WM operating system, forensic tools and techniques are used with the aim of extracting data from the device in a legally safe and secure manner. During the first stage an image is made of the device being investigated, which constitutes a legally sound, authentic copy of the entire mobile device. Following this, the data collected is analyzed in order to identify the data relevant to the legal investigation. One of the accepted data extraction methods is to connect the device to a personal computer (PC) over USB. An alternative method involves physical access to the mobile device's memory. The WP7 system does connect to a PC over USB. However, the mechanism that communicates between the telephone and the PC has changed.
Essentially, the change in the manner in which the mobile phone communicates with the PC could result in recognized forensic tools for the management and collection of digital evidence being unable to work with the WP7 operating system. With regard to direct access to the device's memory, existing WM forensic tools and techniques allow the extraction of data from the memory of a mobile device running WP7. The significance of this change lies in the manner in which data is stored in the device's memory: it is possible that the extracted data cannot be analysed using existing tools and techniques.

Tools that collect WM digital evidence by installing a program on the mobile device via a USB connection to a PC do exist. After installation, the program transfers the contents of the mobile telephone's memory to the PC. I wish to stress that installing such a program on the telephone, rather than making an authentic copy of the device, raises serious questions regarding the overall evidential reliability of the digital data. I would also point out that it may be impossible to install a program on the mobile device, for two reasons. First, communication between the WP7 system and the PC differs from previous systems, and existing tools may be unable to install the program on the mobile telephone. Secondly, I would remind the reader that the WP7 system cannot run all older programs. Thus, even if the program is successfully installed on the mobile phone, it may not operate as expected and required. Additionally, I would point out that, as of the writing of this article, I have not come across any information that proves, beyond any reasonable doubt, that such programs, when installed on a mobile telephone, do not adversely affect the reliability of the digital evidence that may be stored on the device.
In my opinion, there is still a gap between tools for the identification and extraction of digital evidence from mobile devices in general and forensic tools for the WP7 system.

LEGAL PRESERVATION FOR MOBILE DEVICES
A forensic investigation involving digital evidence obtained from mobile devices in general, and from WP7-based devices specifically, is made possible through the use of technologies (forensic tools) designed to examine and analyze mobile telephones. The same legal principles that apply to all computerized devices also apply to mobile devices, so that others can verify the electronic evidence. We should remember that the purpose of the process, from a legal point of view, is to document and verify that the evidence is indeed what it is claimed to be and has not been altered or exchanged since the original data extraction. This is the central problem with regard to new devices, where accumulated experience is limited. Those involved in the process must record their activities and procedures in order to provide transparency and support for learned abilities, while also allowing third parties to evaluate and repeat the working procedures. Additionally, the data collected must be evaluated and documented (for instance by recording cryptographic hashes of every acquired image at the time of acquisition) in order that others can verify that nothing has been altered since the original data was obtained. Any issues and failures encountered during the investigation and data collection process must also be documented, for example failures resulting from the installation of an older program version on a new device. From experience, the new operating system displays error messages and, to date, it has not been legally proven beyond any reasonable doubt that the device's content has indeed been preserved in its entirety. In general, advanced techniques allow for the physical collection of data from a mobile phone.
Whilst it is true that physical access to the device will yield a larger amount of information, the danger of damage to the device and its digital evidence is higher. Furthermore, the physical method requires special, professional equipment alongside extensive knowledge and a deep understanding of the device's built-in characteristics, but it does create a mirror image of all the data stored on the mobile device, including erased data and data not allocated to a specific, defined area. Given the pace of technological development, and until it can be proven beyond any doubt that forensic investigation programs work in a logical and accepted manner and that evidence discovered on a mobile telephone is preserved intact and in its original state, the physical method is, in most cases, the preferred one. The digital forensic investigation process changes significantly according to the importance of the investigation, policy guidelines and the individual situation and circumstances surrounding the investigation.

The investigation process is usually divided into four main stages: collection, examination, analysis and presentation of the data. Together, these constitute the digital evidence to be presented to the court and act as the factual foundation for legal argument. The correct execution of the process, including documentation, allows the information to be presented as admissible evidence in the legal procedure.

IN SUMMARY
Guidelines regarding the investigation of mobile telephones and WM systems do exist. Their implementation varies with the organization, the investigation's purpose and special circumstances. Over time, legal models for dealing with Microsoft's operating systems have been developed.
However, as with other technologies, the brief history of WM telephones and the conceptual changes between the older operating systems and WP7 and WP8 have resulted in logical analysis systems lacking the ability to prove their reliability. WP7's major changes, and the fact that WP7 is incompatible with all previous Windows mobile operating systems, have made present forensic investigation tools and techniques unsuitable for use on a WP7 mobile phone. One of the major changes that could influence digital investigations is the way in which the WP7 system interfaces with the PC. WM digital forensic tools allow access to data in a logical and physical manner using ActiveSync/WMDC connections between the mobile device and the PC. Unlike older systems, WP7 uses Zune and not ActiveSync/WMDC. Therefore, existing tools may not be capable of communicating with a WP7 device, and/or the extraction of information in its entirety may not be possible. In the old model, WM tools install an 'agent' program on the mobile telephone. The 'agent' collects the data from the device's memory and transmits it to the home base, the external examining device. I would point out that the WP7 system is incapable of running older WM applications. Furthermore, even if the 'agent' is successfully installed, it may not operate and/or may be unable to transmit data to an external device. With regard to legal issues, it has not been proven that the data is reliable and that it can be accepted as original and reliable evidence. Additionally, WP7 merges the mobile telephone's internal memory and its SD card into a single storage space. I would also point out that a number of methods for the physical extraction of data exist, one of which is the removal of the memory chip. Since WP7-type systems use memory components in parallel, there is a fear that physical removal could erase and/or corrupt important data.
Furthermore, we cannot predict which files are stored on the device's internal memory and which on its SD card. What is more, the WP7 SD card is locked to the device and cannot be read by the user using the standard methods that applied to previous generations of WM operating systems. The file system and compression used by WP7 also differ from previous WM systems: WP7 uses the TexFAT file system and XPH compression, whilst WM uses TFAT and XPR compression. The new WP7 file system and compression method are not sufficiently known to the digital investigation community. It is still too early to decide clearly whether the evidence presented is sufficiently reliable for the legal process. Even if we use the physical process and obtain a complete copy of the WP7 device, existing tools and techniques could fail to identify files and/or be unable to open them.

Conclusion
In this article I have reviewed only the preliminary and basic points regarding the lack of credibility and the fear of unreliability of evidence retrieved from WP7 mobile telephones. There are many issues which exhibit significant differences that harm the reliability of digital evidence obtained from WP7 mobile telephones. Furthermore, even when a technological solution capable of coping with the above-mentioned issues is found, developers of technology in general, and of mobile technology specifically, will continue the 'circle of uncertainty' due to the inability of forensic technologies to fully and decisively keep pace with progress.

ABOUT THE AUTHOR
Over the past 15 years I have been working as an expert in the field of digital forensics. My fields of expertise include a wide variety of hi-tech fields and issues such as: CCTV forensics, email forensics, Internet investigation, websites, CRM systems, ERP systems, database investigation, mobile phone forensics, PDAs and much more. Additionally, I am a lecturer for B.A.
students at the Criminology Faculty of Bet Beryl College in Israel, where I teach electronic evidence, computer law and computer & Internet crime. These courses are all based on my book "Digital evidence into practice – The combination between technology and law", which I am completing at this time. The book addresses the areas of technology and the law whilst comparing the legal systems of the United States, the United Kingdom and Israel. I have also written dozens of expert opinions which have been offered to courts at all levels, in both criminal and civil law. These opinions dealt with issues such as the Internet, social networks such as Facebook, Twitter and YouTube videos and more, sexual harassment, rape, murder cases, money laundering and Internet gambling, code theft and many issues of intellectual property rights. In addition, I have been appointed by Israeli courts on many occasions to act as a mediator and arbitrator in cases in the field of law and technology. I have been involved in research into electronic signatures, and my expert opinions in this matter were crucial in the acceptance of electronic signatures by the largest insurance companies in Israel. I hold four academic degrees in the fields of technology and technology & the law. I have also participated in numerous professional courses and am, at this moment, preparing for the winter 2014 New York Bar Exam.

Apple goes biometrics
by Cordny Nederkoorn

With the launch of the iPhone 5S last September, Apple has entered the area of mobile fingerprint authentication, a bold way of using biometrics for authentication. This article will cover the fingerprint technology behind Apple Touch ID and its relation to iOS 7 regarding the saving of the data, security and usability.
Next to this, the risks of using Touch ID will be discussed.

What you will learn:
• Basic information about how the Apple iPhone 5S Touch ID technology works
• Basic information on fingerprint technology
• Risks of using Apple iPhone 5S Touch ID
• Possible methods for attacking hashed passwords

What you will not learn:
• How to hack the Apple iPhone 5S digitally
• Detailed functionality of Apple iPhone 5S Touch ID
• Countermeasures against password attacks

When Apple bought Authentec, a developer of fingerprint sensors, in 2012, everybody was anxious to see what Apple was going to do with Authentec's fingerprint sensor technology. Was it going to be used for the iMacs, or was it going to be a new feature of the new Apple iPhone 5? Well, on 10 September 2013, at the Apple iPhone media event, it was announced that the new Apple iPhone 5S would be delivered with Touch ID. Touch ID enables the iPhone 5S user to unlock the phone, but also to make purchases in iTunes, the App Store or iBooks. So Touch ID gives a user access to four important Apple products. Still, Apple does not replace the user's passcode. If the iPhone 5S has been rebooted or has not been unlocked for 48 hours, the user still has to use the passcode, not a fingerprint, to unlock the iPhone 5S. For forensics this is important, because when an examiner tries to unlock an iPhone 5S for investigation he or she can see whether the iPhone 5S has been used in the last 48 hours: when it has, the iPhone 5S will ask for a fingerprint; when it has not, a passcode will be asked for (assuming the iPhone 5S user uses a fingerprint for unlocking). OK, now back to Touch ID, beginning with the hardware.

Hardware
The Touch ID sensor is built into the home button (made of sapphire crystal to resist scratching), which is surrounded by a steel detection ring. This ring detects the user's finger before the button is pressed and wakes the sensor.
For usability, the sensor can read the user's finger in any orientation (360 degrees). It uses capacitive sensing to detect the fingerprint by 'reading' the sub-epidermal skin layer. This is important because this way only live tissue should be detected by Touch ID, which is meant to eliminate the risk of accessing the iPhone 5S with a severed finger or a fingerprint image (although the latter has already been spoofed, see further below).

Software
The fingerprint data is stored in the Secure Enclave of the Apple A7 processor in the iPhone 5S and is not stored on Apple servers or in iCloud. But how is it possible to convert the fingerprint on your finger to data on the iPhone 5S? Fingerprint matching is done by comparing various features of the fingerprint pattern. These features can be divided into two kinds: patterns and minutia points, formed by the ridges and valleys. The next pictures show the visual characteristics of the two kinds [1].

Figure 1. From left to right the different patterns: arch, loop and whorl
Figure 2. From left to right the different minutiae: ridge ending, bifurcation and short ridge (dot) [2]

As already said, Touch ID uses capacitance to detect the user's fingerprint. An image of the fingerprint is created through two methods:

1. Capacitive: The human skin has different layers. Two of these are the epidermal and the dermal layer. Capacitance utilizes the difference in electrical conductivity between these layers: the epidermal layer, in contrast to the dermal layer, is not electrically conductive. This way the sensor array pixels (each carrying a small electrical charge) and the sub-epidermal skin layer act as the plates of a parallel-plate capacitor, with the epidermal (dead, non-conductive) skin layer as the dielectric.
The sensor array measures the capacitance per pixel and, because the fingerprint has ridges and valleys, the capacitance differs from spot to spot (due to air gaps), giving a distinct capacitance pattern per fingerprint.

2. Radio frequency (RF) [3]: another difference between the epidermal and sub-epidermal skin layers is that the dead epidermal layer cannot be read by the RF waves sent by the Touch ID sensor. The sub-epidermal layer can be read, which gives an RF map that differs per person's fingerprint.

In fingerprint technology (this could be different at Apple), the sensor array data is reduced to a string of numbers, which the cited source describes as one-way hashing [4].

Figure 3. Simple representation of one-way hashing with MD5 [5]

Figure 3 shows how one-way hashing works. Bluntly said, through one-way hashing it is possible to reduce the sensor array data to a string of numbers, but you cannot reverse the string back to the array data. This data is then stored in the Secure Enclave of the Apple A7 processor as a data file containing the string of numbers. The next time the user uses a fingerprint to unlock the iPhone 5S, the data gathered by the sensor and processed by the iOS software is compared to the saved fingerprint data of the user, and if these match the iPhone 5S is unlocked. If the data does not match, the iPhone 5S stays locked.

Note that a one-way hash is not encryption, and it cannot be applied directly to raw sensor data: two presentations of the same finger never yield bit-identical readings, so their hashes would always differ. In practice a matcher extracts a minutiae template and compares it with the enrolled template under a tolerance. Apple states that the Secure Enclave stores an encrypted mathematical representation of the fingerprint, not an image, and that the comparison is performed inside the enclave.

Risks
From the previous information, the iPhone 5S seems to be quite secure when (un)locking using Touch ID technology. Is it possible to hack the iPhone 5S Touch ID technology? As already said, don't be afraid of getting your fingers chopped off because criminals want access to your iPhone 5S. Touch ID works with two methods, capacitance and RF (possibly), and both need the living sub-epidermal skin layer of the user to activate the sensor and unlock the iPhone 5S.
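The following added example (written for this edition, not Apple's algorithm or data format, and not code from the article) makes the point concrete. Two constructed minutiae templates of the "same" finger differ by a pixel or two of jitter and one missed minutia: an exact comparison of their hashes fails, while a tolerance-based minutiae matcher accepts the genuine presentation and rejects a different finger. The templates, tolerances and threshold are assumptions chosen for illustration.

```python
"""
Exact hash comparison versus tolerance-based minutiae matching.

Added example with CONSTRUCTED templates: (x, y, angle_deg, kind), kind being
"end" (ridge ending) or "bif" (bifurcation). Not Apple's representation.
"""
import hashlib
import math

ENROLLED = [(12, 40, 30, "end"), (55, 22, 120, "bif"), (80, 75, 200, "end"),
            (33, 90, 45, "bif"), (70, 48, 300, "end")]

# Same finger, second presentation: slight jitter, one minutia not captured.
PRESENTED_GENUINE = [(13, 41, 32, "end"), (54, 23, 118, "bif"),
                     (81, 74, 203, "end"), (69, 49, 297, "end")]

# A different finger.
PRESENTED_IMPOSTOR = [(20, 20, 10, "end"), (60, 60, 90, "bif"),
                      (90, 30, 180, "end"), (40, 70, 270, "bif")]


def template_hash(template) -> str:
    """One-way hash of the raw template bytes: the scheme the article assumes."""
    raw = ",".join(f"{x}:{y}:{a}:{k}" for x, y, a, k in template).encode()
    return hashlib.sha256(raw).hexdigest()


def match_score(enrolled, presented, dist_tol=4.0, angle_tol=10) -> float:
    """Fraction of enrolled minutiae that have a same-kind partner in
    `presented` within dist_tol pixels and angle_tol degrees.  Each presented
    minutia may be paired at most once."""
    used = set()
    hits = 0
    for ex, ey, ea, ek in enrolled:
        for j, (px, py, pa, pk) in enumerate(presented):
            if j in used or pk != ek:
                continue
            angle_diff = abs((ea - pa + 180) % 360 - 180)   # wrap-around safe
            if math.hypot(ex - px, ey - py) <= dist_tol and angle_diff <= angle_tol:
                used.add(j)
                hits += 1
                break
    return hits / len(enrolled)


def verify(enrolled, presented, threshold=0.6) -> bool:
    """Accept when enough enrolled minutiae were re-found (threshold is an assumption)."""
    return match_score(enrolled, presented) >= threshold


if __name__ == "__main__":
    print("hashes equal for the same finger? ",
          template_hash(ENROLLED) == template_hash(PRESENTED_GENUINE))
    print("genuine  score/verdict:", match_score(ENROLLED, PRESENTED_GENUINE),
          verify(ENROLLED, PRESENTED_GENUINE))
    print("impostor score/verdict:", match_score(ENROLLED, PRESENTED_IMPOSTOR),
          verify(ENROLLED, PRESENTED_IMPOSTOR))
```

The threshold is where the false-accept and false-reject rates discussed later are traded off: lowering it lets jittery genuine readings through but also raises the chance that a partial impostor match passes.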
At the time of writing this article, claims have been made that Touch ID can be bypassed with a high-resolution fingerprint picture, a laser printer and some glue [6]. But this is a physical attack and not an attack on the data stored in the Secure Enclave. It is more a matter of fooling Touch ID than really hacking it. Is it then possible through digital attacks? To attack the iPhone 5S digitally it would be necessary to gain access to the Secure Enclave of the Apple A7 processor. Mind you, Apple does not give third-party developers access to the Touch ID software, eliminating possible tampering. Well, if the attacker could get hold of the hashed fingerprint data (method not known to me yet), he has three possible attack mechanisms if he also knows the cryptographic hash function used (MD5 etc.):
• Brute force attack – systematic check of all possible fingerprint data as input to the hash function
• Dictionary attack – systematic check of a list of likely inputs (a dictionary) to the hash function
• Rainbow table attack – a precomputed table of known inputs and their hashes; the attacker looks up the captured hash and reads off an input that produces it
The effectiveness of these attacks is very dependent on the cryptographic hash function used and would only result (if successful) in gaining access to the iPhone; it would not give you the user's fingerprint, which would remain unknown to you. Besides the prerequisite that you have to know the cryptographic hash used, you also have to have access to the Secure Enclave. Are there no better alternatives? Yes indeed! As already said, a password/passcode can still be used to unlock the iPhone 5S (after 48 hours of non-use or a reboot), and the attacks described above apply to it too. The attacker only has to wait 48 hours (after 48 hours the iPhone 5S goes from fingerprint to passcode authentication) and the attacks described above can begin. (Note that iOS entangles the passcode with a key fused into the device hardware, so the derived key cannot be extracted and attacked offline; guesses have to be made on the device itself, which enforces escalating delays between attempts.)
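To show what the three attacks above amount to, and why "the hash function used" decides their cost, the following added example (written for this edition, not from the article, and not how iOS stores the passcode) runs them against a hashed 4-digit PIN. An unsalted fast hash (MD5, as the text mentions) falls to a precomputed lookup table or to a brute-force loop in a fraction of a second; a salted, iterated key derivation (PBKDF2-HMAC-SHA256) makes each guess cost thousands of HMAC computations and makes a table built for one salt useless for every other. The PIN, salt and iteration counts are assumptions for the demonstration.

```python
"""
Lookup-table, brute-force and salted-KDF cost comparison for a 4-digit PIN.
Added example; the PIN and salt are constructed for the demonstration.
"""
import hashlib
import itertools
import os
import time


def all_pins(length=4):
    """Every numeric PIN of the given length, as strings (the "dictionary")."""
    return ("".join(d) for d in itertools.product("0123456789", repeat=length))


def md5_pin(pin: str) -> str:
    """Unsalted fast hash, the weak scheme the text mentions."""
    return hashlib.md5(pin.encode()).hexdigest()


def build_lookup_table(length=4) -> dict:
    """Precomputed hash -> PIN table.  A rainbow table proper also uses
    reduction chains to save space; the lookup direction is the same."""
    return {md5_pin(p): p for p in all_pins(length)}


def brute_force_md5(target: str, length=4):
    """Brute force: hash every candidate until one matches the target."""
    for pin in all_pins(length):
        if md5_pin(pin) == target:
            return pin
    return None


def pbkdf2_pin(pin: str, salt: bytes, iterations: int = 10000) -> bytes:
    """Salted, iterated derivation: per-guess cost scales with `iterations`."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations)


def brute_force_pbkdf2(target: bytes, salt: bytes, iterations: int = 10000, length=4):
    """Same loop as brute_force_md5, but every guess now costs `iterations`
    HMAC computations, and no table can be built ahead of time without the salt."""
    for pin in all_pins(length):
        if pbkdf2_pin(pin, salt, iterations) == target:
            return pin
    return None


def timed(label, fn):
    t0 = time.perf_counter()
    result = fn()
    print(f"{label:<22} {result}  ({time.perf_counter() - t0:.3f}s)")
    return result


if __name__ == "__main__":
    secret = "0413"                      # assumed PIN
    table = timed("build lookup table", lambda: len(build_lookup_table()))
    timed("table lookup", lambda: build_lookup_table()[md5_pin(secret)])
    timed("md5 brute force", lambda: brute_force_md5(md5_pin(secret)))
    salt = os.urandom(16)
    stored = pbkdf2_pin(secret, salt)
    timed("pbkdf2 brute force", lambda: brute_force_pbkdf2(stored, salt))
```

Even the slow variant is only as strong as the PIN space (10,000 candidates) allows; that is why a device-bound key and attempt throttling, rather than the hash function alone, are what make an extracted passcode hash useless to an attacker.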
Another risk could be that the hashing software used by Apple contains a bug that maps different fingerprint data to the same hash value (a collision), resulting in false positives. But is there a high chance of this happening, given that it would have to hold for every number in the string? False negatives could also play a role, when the Touch ID process incorrectly rejects a registered print. Apple has a workaround for this by requiring a passcode at the time of fingerprint registration. But wait a minute, this passcode can also be gathered by hacking if it is known where it is stored. Therefore you cannot say the Apple iPhone 5S uses 2-factor authentication: it only uses one authentication factor at a time.

Conclusion
Through the use of Touch ID technology in its iPhone 5S, Apple has entered the mobile biometrics area. With fingerprint technology (capacitive, RF) and a one-way transformation of the data, next to the passcode, it has given the user a more secure way of using the iPhone. By keeping the data on the iPhone itself (the Secure Enclave of the A7 processor), and not on servers or in iCloud, it narrows the area where an attack on the iPhone 5S can take place. Still, the iPhone 5S can be spoofed, as seen with the high-resolution picture attempt. But adding Touch ID has made it more difficult to break into the iPhone 5S, as long as you use Touch ID together with the passcode, although it is still one-factor authentication. Better would be to make the iPhone 5S suitable for 2-factor authentication, where both your fingerprint and a passcode are necessary to unlock the iPhone 5S. But at least no image of your fingerprint is stored on the iPhone 5S, only the protected representation in the Secure Enclave.
References
[1] http://en.wikipedia.org/wiki/Fingerprint_recognition
[2] http://en.wikipedia.org/wiki/Fingerprint_recognition
[3] Only patented by Authentec, see http://www.daqs.org/patents/assignee/authentec-inc/; not documented for Apple Touch ID
[4] http://www.aspencrypt.com/crypto101_hash.html
[5] http://www.gohacking.com/what-is-md5-hash/
[6] http://www.ccc.de/en/updates/2013/ccc-breaks-apple-touchid

ABOUT THE AUTHOR
Cordny Nederkoorn is a Dutch software test engineer, employed by Eyefreight, a leading provider of Transport Management System (TMS) technology. On a personal level, Cordny helps the Kantara Initiative improve the quality of the specification and implementation of UMA (User-Managed Access), a web authorization protocol building on OAuth 2.0. He discusses his work on various social media.
Blog: http://testingsaas.blogspot.com
Twitter: http://www.twitter.com/testingsaas
Facebook: http://www.facebook.com/TestingSaaS
IPHONE FORENSICS – WHAT YOU NEED TO KNOW
by David Shelton, Advanced Technology Investigations, LLC

Clients of Advanced Technology Investigations, LLC throughout North Carolina turn to us when there may be evidence in the form of electronic data on cell phones, computers and other digital devices that hold communication and media. We bring specialist technical skills to our clients to ensure they have all the evidence possible, from a team of experienced experts with proven results, giving our clients the truth they deserve.

What you will learn:
• What you should know about digital forensics on cell phones
• What to expect from a forensic examination of an Apple iPhone
• Step by step, conducting the examination
• Plug-in tools to assist in interpreting the data

What you should know:
• Digital forensics on cell phones is challenging in that no one tool fits all.
• The examiner has to have multiple tools and a good understanding of the data that can be on a cell phone.
• The examiner must learn a multitude of techniques to make different models of cell phone communicate with the workstation.
• Continuing training and experience give the examiner the best chance of success in this ever-changing field.

One of the more popular cell phones on which to attempt a forensic examination is the Apple iPhone. The iPhone is a smartphone made by Apple and can hold tremendous amounts of data. A successful acquisition makes the tedious, hard work quite satisfying to the forensic examiner: each iPhone model and iOS version brings its own challenges, and the examiner has most likely used multiple tools to acquire all the data the iPhone can produce.
WHAT YOU CAN EXPECT FROM AN iPHONE FORENSIC EXAMINATION

Before we begin the step-by-step process we must identify the types of acquisition available for the iPhone model and the iOS version running on it. The experienced examiner will know, or will research, whether the phone can be examined logically (data the user can see) or physically (data the user cannot see, such as deleted data). There are different tools for each method. The chosen tool will depend on the tools available to the examiner, the circumstances of the case, and the data the examiner is looking for. Several forensic tools can acquire a physical image of the iPhone 4 and earlier models (the original iPhone, 3G, 3GS and 4). At the time of this paper, there are no forensic tools that will perform a physical acquisition of the iPhone 4S or the iPhone 5. The examiner will, however, still be able to recover a limited number of deleted text messages from the logical database file, as well as data that can be carved from application files. Knowing as much as possible about the case will help the examiner pick the most appropriate available tools.

THE CHALLENGES

There are quite a few challenges in acquiring data from an iPhone. Several tools are needed to examine the different types of file the examiner acquires. Some forensic packages have several tools built in and automated for the examiner; with others, you must carry out separate tasks on the phone in order to reach all the data the iPhone holds. The Apple iPhone was introduced to the market in 2007. Its proprietary operating system is iOS. One of the best-known challenges of the iPhone is the constant stream of upgrades and patches that comes with each release of the iOS firmware.
As cell phones evolve, the forensic software tools must do the same to keep up with the newest technology. Teams of developers and hackers constantly work to defeat the protections and encryption of iOS so that the device can be forensically examined. If you start researching iPhone forensics you will find a multitude of books written specifically on how iOS works and how to develop apps for it.

PRESERVING THE DATA

The first and most important step in any digital forensic examination is to protect the source data from changing. There are arguable points about how to accomplish this. Do you simply turn the phone off, or do you place the device in a Faraday enclosure to keep it from communicating with the wireless network? A cell phone is a mobile device, so there are many ways in which it may suddenly have become an item of interest. The first responder at the scene may not be trained in cell phone forensics and may not have the tools to perform a triage on the spot. Even so, most first responders know that documentation is very important at any incident they encounter, so the words document, document, document must be burned into the first responder's brain. Taking a picture of the cell phone, its screen, and any visible ports before deciding to power the phone off or to shield it is a reasonable and smart decision. If the first responder does have access to a Faraday enclosure, note that some iPhone models have a metal band around the edge of the phone, and the author's experience is that placing Faraday material directly against that metal can, instead of blocking the cellular signal, couple to the phone's antenna and boost the signal to the iPhone.
It is always good to have some way of isolating the phone from the Faraday material itself, just in case this situation arises. If Faraday protection is not an option, placing the iPhone in airplane mode will disconnect the phone from the network as well. The first responder must document the state in which the iPhone will arrive and tell the examiner, so the examiner can reduce the chance of the data being wiped from the user's account by the user at a later time. Done properly, these steps allow the examiner to report that the data was properly preserved. The first responder and the examiner are responsible for establishing a chain of custody that follows the cell phone from the moment it is taken into possession until the conclusion of the case.

Once in the lab the iPhone can be examined with a multitude of tools. The examiner needs to understand how a physical acquisition is obtained, because the iPhone iOS firmware tools are what allow a bit-by-bit image of the target iPhone's memory to be taken. Some tools automatically send commands to the phone while it is in DFU mode, obtain temporary root access to allow a bit-by-bit copy of the phone's memory, and then return the iPhone to its normal state without altering any data on it; this is how products like Cellebrite UFED and AccessData MPE+ work. Depending on the tools available, the examiner may have no choice but to use multiple tools to acquire a physical image, then other tools to analyze it. When Apple releases a new iOS and the forensic software vendors have not yet released an update to support it, the examiner may have no option other than to jailbreak the target iPhone in order to obtain a physical acquisition. Because a persistent jailbreak writes to the device, that step and the changes it makes must be documented in the examination notes.
An experienced examiner who has been trained on the iOS developer tools and clearly understands how different tools work with different iOS versions will be well prepared for the challenges a forensic examination of the iPhone can bring.

TOOLS AVAILABLE TO THE EXAMINER
• UFED – Cellebrite
• CellDek – Logicube
• Device Seizure – Paraben
• EnCase Neutrino – Guidance Software
• iPhone Analyzer
• IEF – Magnet Forensics
• iXAM – FTS
• Lantern – Katana Forensics
• MacLockPick – SubRosaSoft
• Mobilyze – BlackBag Technologies
• MOBILedit – Compelson
• MobileSyncBrowser – Vaughn S. Cordero
• MPE+ – AccessData
• Oxygen Forensics
• SecureView – Susteen
• XRY – Micro Systemation

To learn how each tool performs with different iPhone models, visit the website of the National Institute of Standards and Technology (NIST) and read the in-depth test results. Reference: (http://www.nist.gov/index.html).

TYPES OF DATA THAT CAN BE ON AN IPHONE

The type of data on a target phone is determined by how the user has set the iPhone up. Each phone will differ according to the apps the user has added to the default apps that come pre-installed. Most forensic packages have file viewers built in to interpret the database files acquired, for example viewers for SQLite, property list (plist) and XML files. Other tools, such as hex viewers, time/date converters, and image and video viewers, allow an extensive analysis of the data. Below are the types of data typically recovered from an iPhone with the forensic tools available today.
• Contacts
• Phonebook
• Call history
• Favorites list
• SMS
• MMS
• Calendar/Notes
• Images
• Videos
• Thumbnail data
• Music
• Ringtones
• Application data
• Passwords
• Location data
• IP addresses
• Wi-Fi data
• Cell tower data
• Device identifiers
• Browser history
• Cookie data
• Cache data
• Internet favorites
• Browser bookmarks
• Voicemail
• GPS
• Documents
• Email
• Skype
• YouTube
• Games
• User names

IPHONE BACKUPS

Another source of iPhone data is easily overlooked by investigators and examiners once they are caught up in the examination of the phone itself. iTunes and iCloud can both be used to back up an iPhone. An iPhone can be connected to a computer and a backup of the phone's memory made with iTunes. The iTunes backup may contain valuable data that no longer resides on the seized iPhone because it has since been overwritten. The user may set a password on the backup, in which case the backup cannot be decrypted without that password. The examiner can then use a password cracking tool such as Passware, which works with Oxygen Forensics as a third-party tool, to attempt to crack the iPhone backup.

IPHONE BACKUPS ON THE WEB

Below is a useful extract from an Apple support page on this topic: "iTunes installed on the user's computer can back up the iPhone settings, Messages, Camera Roll, documents, saved games, and other data. Backups do not contain content synced to the device, such as movies, music, podcasts, and apps." Data that has been deleted and overwritten on the phone is often still available in the backup found on the user's computer. Reference: (http://support.apple.com/kb/HT4946).

THE EXAMINATION PROCESS

The forensic process used in the examination below was carried out with multiple tools, to show an examiner how to combine different tools even under budget constraints, using whatever tools are available.
The two tools chosen for this examination are Katana Forensics' Lantern Lite and the Analyst edition of Oxygen Forensics.

STEP ONE – PREPARATION

The target cell phone has been isolated from the wireless and cellular networks, a chain of custody has been established, and photos and/or video of the phone and any identifiers have been documented. The examiner must make sure all workstations are properly write-protected, especially when multiple tools are used and images are transferred from one workstation to another. The cell phone cables that come with forensic software kits have write-blocking built into the USB side of the cable; be aware that a factory cable is not write-protected. When copying an image to a second workstation, make sure the secondary workstation is write-protected as well. Below is a simple free utility from NirSoft (www.nirsoft.net) that can be placed on the desktop to apply write protection to the forensic workstation. It is a good idea to take a screenshot showing that the workstation is write-protected whenever multiple tools and workstations are used.

Figure 1. Write protection on the workstation

Figure 2. Cell phone forensic cable kit

STEP TWO – CHOOSE THE FORENSIC TOOL

The first tool chosen for this article is Katana's Lantern Lite. Lantern Lite uses a combination of IPSW firmware files and the jailbreaking tool redsn0w. An Apple IPSW file is simply the iOS firmware for a specific iOS device; an IPSW file can also be used with iTunes to update iOS. Lantern Lite uses the IPSW file together with redsn0w to obtain temporary root access and acquire a bit-by-bit image of the iPhone. redsn0w performs a temporary jailbreak after the phone has been placed in DFU mode, as shown below.
Once Lantern Lite has acquired the physical image of the iPhone, it outputs a folder with the encrypted image, or the examiner may have Lantern decrypt the image so that the acquired data can be cross-validated with both forensic tools used in the examination. The file Lantern outputs is a DMG image. Several forensic packages now support importing a DMG image so that data acquired with Lantern Lite can be analyzed there.

Figure 3. Katana's Lantern Lite

STEP THREE – OXYGEN FORENSICS ANALYST SUITE

Once the examiner has confirmed that the second workstation, to which the acquired image is to be copied, is write-protected, the copy of the image is imported into the second forensic package. The package chosen for this examination is the Analyst edition of Oxygen Forensics. As the screenshot of the Oxygen backup extractor shows, Oxygen supports images acquired with several other forensic tools. The advantage of this option is that the examiner may be able to parse out data that other forensic tools cannot yet handle. Oxygen Forensics is known for its ability to decode many types of database file and produce a report that is easy to navigate.

Figure 4. Oxygen Forensics

STEP FOUR – PLUG-IN TOOLS

Once Oxygen Forensics has analyzed the iPhone image, the examiner can navigate to areas such as application data and use Oxygen's built-in plug-in tools to analyze databases of interest further. With these plug-ins the examiner can parse out data to look for evidence the user may have tried to hide. Location, Wi-Fi, cell tower, password, social network, chat, email account and spyware data, and games in which the user can communicate, such as "Words with Friends", can all be parsed with the plug-ins.
Users often think of this kind of data as non-existent, since they cannot see items such as the location data the phone collects. Tools such as Oxygen Forensics uncover data that would otherwise be unknown to the forensic examiner.

PLIST VIEWER

The iPhone file shown below was parsed with a plist viewer. The blue arrow shows the password for the Restrictions settings, found in the application section of the iPhone file system. The SpringBoard file of the iPhone can hold hidden or unknown passwords from apps and screen lock codes. The Oxygen plist viewer includes a time/date converter that translates UTC (Coordinated Universal Time) into the local date and time of the region in which the phone was used. Having this built in saves the examiner many long hours.

Figure 5. Oxygen Forensics plist viewer

HEX VIEWERS

Hex viewers show the raw bytes of a file in hexadecimal. They are a good plug-in for cross-validating discovered data to ensure its accuracy. The examiner can also use the hex viewer to locate data such as passwords and to interpret hard-to-read data that may have been deleted or partially overwritten. The hex viewer shows the file path of the discovered data and records a hash value in the software report, which is very useful when the examiner cross-validates the discovered data.

Figure 6. Oxygen Forensics hex viewer

SQLITE VIEWERS

The picture below is an example of the data that can be carved from the application "Words with Friends", which can be downloaded to the iPhone from the Apple App Store. The SQLite database viewer in this package recovered both live (logical) and deleted (physical) data from the app. Many applications use SQLite databases because of the engine's versatility. SQLite is a public-domain embedded database engine, and a developer can adapt it freely.
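As an added example of what the plist viewer and the SQLite viewer sections above describe, the following Python script walks a property list for passcode-like keys, converts Apple absolute time (seconds since 2001-01-01 00:00:00 UTC, the format used for dates in iOS plists and in sms.db of that era) to a readable date, then builds a small sms.db-style SQLite file, deletes a message, and carves the deleted text back out of the unallocated space of the table's page. This is not code from the article or from Oxygen Forensics; the plist key names, phone numbers and message texts are constructed for the demo, and the real SpringBoard and restrictions key names are not taken from the article.

```python
"""Plist secret-key walk, Apple time conversion, and SQLite deleted-row carving.

Added example; all sample data below is constructed. Key names such as
'LastUnlockAppleTime' and 'Restrictions/Passcode' are hypothetical.
"""
import datetime as dt
import os
import plistlib
import re
import sqlite3
import tempfile

APPLE_EPOCH = dt.datetime(2001, 1, 1, tzinfo=dt.timezone.utc)
UNIX_TO_APPLE_OFFSET = 978307200  # seconds from 1970-01-01 to 2001-01-01


def apple_time_to_utc(seconds: float) -> dt.datetime:
    """Apple absolute time (seconds since 2001-01-01 UTC) -> aware UTC datetime."""
    return APPLE_EPOCH + dt.timedelta(seconds=seconds)


def apple_time_to_unix(seconds: float) -> float:
    """Same instant as a Unix timestamp, for tools that expect epoch-1970 values."""
    return seconds + UNIX_TO_APPLE_OFFSET


# Constructed plist in the shape of a SpringBoard-style preferences file.
SAMPLE_PLIST = plistlib.dumps({
    "DeviceName": "sample-iphone-3gs",
    "LastUnlockAppleTime": 400000000.0,   # hypothetical key, Apple absolute time
    "Restrictions": {                     # hypothetical nesting
        "Enabled": True,
        "Passcode": "1234",               # hypothetical key holding the Restrictions PIN
    },
})


def load_sample_plist() -> dict:
    """Parse the constructed plist (plistlib handles XML and binary plists alike)."""
    return plistlib.loads(SAMPLE_PLIST)


def find_secret_keys(node, path="", words=("pass", "pin", "code")) -> dict:
    """Recursively collect {'path/to/key': value} for keys that look like secrets."""
    hits = {}
    if isinstance(node, dict):
        for key, value in node.items():
            sub = f"{path}/{key}" if path else str(key)
            if isinstance(value, (dict, list)):
                hits.update(find_secret_keys(value, sub, words))
            elif any(w in str(key).lower() for w in words):
                hits[sub] = value
    elif isinstance(node, list):
        for i, value in enumerate(node):
            hits.update(find_secret_keys(value, f"{path}[{i}]", words))
    return hits


def build_sample_sms_db(path: str) -> None:
    """Create a tiny 'message' table in the layout of an iOS sms.db and delete one row.

    secure_delete is turned OFF so the freed cell keeps its bytes, as on the
    databases the article examines; with it ON, SQLite zeroes the cell and
    carving finds nothing. Only the first 4 bytes of a freed cell are overwritten
    (the freeblock header), so the text body survives in the page.
    """
    con = sqlite3.connect(path)
    con.execute("PRAGMA secure_delete = OFF")
    con.execute("CREATE TABLE message (ROWID INTEGER PRIMARY KEY, address TEXT, "
                "text TEXT, date INTEGER)")
    rows = [  # constructed sample data; date is Apple absolute time in seconds
        ("+15555550101", "meeting moved to the cafe on main street", 400000000),
        ("+15555550102", "bring the warehouse keys tonight", 400000300),
        ("+15555550103", "thanks for lunch, see you tomorrow", 400000600),
    ]
    con.executemany("INSERT INTO message (address, text, date) VALUES (?, ?, ?)", rows)
    con.commit()
    con.execute("DELETE FROM message WHERE ROWID = 2")  # the 'deleted text message'
    con.commit()
    con.close()


def live_messages(path: str) -> list:
    """What a logical extraction sees: the rows still reachable through SQL."""
    con = sqlite3.connect(path)
    try:
        return [r[0] for r in con.execute("SELECT text FROM message ORDER BY ROWID")]
    finally:
        con.close()


def table_root_page(path: str, table: str) -> bytes:
    """Raw bytes of the table's root b-tree page (the only page of a small table).
    A larger table spans more leaf pages; walk the tree and carve each leaf the same way."""
    con = sqlite3.connect(path)
    try:
        page_size = con.execute("PRAGMA page_size").fetchone()[0]
        rootpage = con.execute(
            "SELECT rootpage FROM sqlite_master WHERE type='table' AND name=?", (table,)
        ).fetchone()[0]
    finally:
        con.close()
    with open(path, "rb") as fh:
        fh.seek((rootpage - 1) * page_size)
        return fh.read(page_size)


def carve_deleted_messages(path: str, min_len: int = 12) -> list:
    """Printable runs on the table page that match no live row: remnants of deleted cells.
    Note that a run may start with the adjacent 'address' column, since SQLite stores
    record columns back to back without separators."""
    live = live_messages(path)
    page = table_root_page(path, "message")
    runs = [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, page)]
    return [run for run in runs if not any(text in run for text in live)]


def run_demo() -> dict:
    """Build the sample database in a temp dir, carve it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        db = os.path.join(tmp, "sms.db")
        build_sample_sms_db(db)
        return {"live": live_messages(db), "carved": carve_deleted_messages(db)}


if __name__ == "__main__":
    prefs = load_sample_plist()
    print("secret-looking keys:", find_secret_keys(prefs))
    print("last unlock (UTC):", apple_time_to_utc(prefs["LastUnlockAppleTime"]).isoformat())
    result = run_demo()
    print("live messages:", result["live"])
    print("carved from unallocated space:", result["carved"])
```

Run it as a script to see the live rows next to the carved remnant. The same carve over a real sms.db is only a first pass: a viewer such as Oxygen's also parses the freeblock list and record headers to recover the rowid and date of a deleted row, and a database that was vacuumed or written with secure_delete enabled yields nothing, which is why the article's cross-validation against a backup matters.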
SQLite is very widely used: it ships in products from Adobe, Dropbox, Mozilla (Firefox), Google (Chrome), Intuit (QuickBooks), Apple and Skype, in Python's standard library, and in many other popular packages. SQLite viewers can also parse deleted data, as the Oxygen SQLite viewer shown below does.

Figure 7. Oxygen Forensics SQLite viewer

STEP FIVE – THE FORENSIC REPORT

The report generator of the chosen forensic package needs to be considered when deciding which tools the examiner uses for each case. Most forensic packages have a report function, but a report generator with customizable settings, used for a secondary report on the case, reduces unrelated material and saves many hours both for the examiner and for the end user who receives the report. The forensic examiner should always export a full report with all the data, to accompany the customized secondary report on the case. The report should record a hash value (a cryptographic digest such as MD5 or SHA-1) of the acquired data; the opposing party in a legal case can recompute that hash to verify that the data has not been altered. The examiner should always uphold a professional standard and provide all the data available from the cell phone acquisition, so that a court can make an informed decision from the cell phone forensic evidence.

REPORT EXAMPLES

Below is a screenshot of the Analyst edition of Oxygen Forensics showing the types of data acquired from an iPhone 3GS. The examiner can navigate to any area of the report by clicking on the categories listed. Each category page has a box that can be checked to compile a Key Evidence report, and a timeline function shows the events on the phone in chronological order.

Figure 8. Oxygen Forensics dashboard

AGGREGATED CONTACTS

Aggregated contacts show every area of the phone in which the user stores a person's contact information, not just the phonebook. This section shows the contact wherever it is used: Facebook, email, text messages, MMS, call history and other applications on the iPhone.

Figure 9. Aggregated contacts

TEXT MESSAGES

Text messages are shown in the categories Inbox, Sent, Outbox and Deleted. Deleted data is marked with a trash can beside the message. In some instances part of a deleted text message will have been overwritten and the examiner will only see a partial message.

Figure 10. Text (SMS) messages

LOCATION DATA

Location data is an area the user cannot access on the iPhone; the user can only turn the service on and off in the iPhone settings. Location data is recorded only for the services the user has enabled. When location services are on, the iPhone stores Wi-Fi connections, IP connections and cell tower data. This data is very useful, especially in criminal cases.

Figure 11. Cell tower data

APPLICATION DATA

The Analyst edition of Oxygen Forensics does a good job of carving data out of the many applications that may be on the iPhone. Many applications today can be used to communicate by text message, chat, photo and video. Communication sent through these applications does not show up on the user's phone bill, and will remain unknown in a legal case unless a forensic cell phone examination is conducted.

Figure 12. Applications

WEB BROWSER HISTORY

Internet activity is stored in the web browser section with the time and date of each visit. Web browser data can show that the user has other accounts that may hold evidence, such as multiple email accounts, social networks and dating sites, as well as addresses looked up and search terms.

Figure 13. Web browser history

CALL HISTORY

Call history shows the time and date and duration of each call, and whether the other party is in the phone's contacts. Voicemail files can be listed within the software, then exported to an external device to be listened to. Deleted voicemail files can also be recovered from the iPhone with Oxygen Forensics.

Figure 14. Call history

THE EXAMINER'S RESPONSIBILITY

The forensic examiner must be able to explain the forensic report in such a way that the average person can understand the evidence that has been discovered. Knowing where the data came from, how it was acquired, and how its authenticity was verified, and being able to answer questions about the phone examined and the forensic process followed, all the way through to the report produced, is what makes the examiner a reliable, experienced professional whose work gives a complete picture of the evidence, so that an informed decision can be made in the case.

IN SUMMARY

The iPhone can hold large amounts of useful data for many types of criminal and civil case. iPhone forensics is a very specialized area, mostly because of the different tools needed to acquire and process the different types of data available from each model and each iOS version Apple produces. The iPhone produces only the data the user has set it up to record. Knowing what to expect, and being familiar with the challenges and the available tools, will determine the final result of the iPhone forensic examination. The iPhone can be examined with a single tool that has various file viewers built in, but the examiner needs to have other third-party tools ready to assist in some circumstances.
The line examiners are fond of in cell phone forensics, "no one tool fits all", is borne out by the example examination in this article. As cell phones change and update, the forensic examiner will always have to keep learning and training to keep up with the ever-changing technology.

ABOUT THE AUTHOR
David Shelton is a licensed Private Investigator and the Owner of Advanced Technology Investigations, LLC in Greensboro, North Carolina. David has been conducting investigations for the past 12 years and opened Advanced Technology Investigations, LLC in 2009 to specialize in the use of technology in investigations to discover evidence in civil and criminal cases. Before entering the private investigation field, David worked in the electrical and electronics field for 23 years designing, installing and maintaining different types of electrical, low-voltage and security systems. David is certified in Digital Forensics and specializes in cell phone forensics, in which he has been accepted by courts as an expert witness many times. David is a certified continuing-education instructor in North Carolina and teaches classes on cell phone forensics. David has spoken at private investigation conferences throughout the USA on the topic of cell phone forensics. To learn more about the services that Advanced Technology Investigations, LLC provides, visit our website for a full list of services and information. (www.detectiveati.com).

HOW TO PERFORM SEARCHES, SEIZURES AND INCIDENT RESPONSES ON IPHONES
by Deivison Pinheiro Franco and Nágila Magalhães Cardoso

iPhones collect and store a tremendous amount of evidence about a user's activities; in many cases one could argue more evidence is collected than the user would want. Locations, messages, contacts, web surfing habits, notes, pictures and more are available on the iPhone's storage, much of it time-stamped. With this forensic evidence available, and more business being conducted on iPhones, forensic examiners need to be able to acquire it successfully and accurately when requested by an authorized authority. By using proven, existing forensic techniques along with the specialty tools mentioned in this paper, examiners can collect and present evidence from an iPhone and produce a clear report of the activities performed on the device.

What you will learn:
• Responding to the Apple iPhone;
• iPhone isolation;
• Identifying jailbroken iPhones;
• iPhone information collection;
• Responding to a Mac/Windows computer in connection with an iPhone.
What you should know:
• A basic understanding of the iPhone and the Apple operating system (iOS);
• A basic understanding of iOS usage;
• A basic understanding of the security procedures on an iPhone.

Imagine for a moment that an officer has stopped your vehicle and detained you for speeding. The officer approaches your car, walks around your vehicle, and, after speaking with you, requests to search your iPhone. What do you do? Do you have the right to say no? The law offers protection from unreasonable search and seizure. Does it protect you from unlawful search and seizure of your iPhone? This question may seem easy to answer, but it actually depends on the circumstances and events that are occurring. In principle, the law protects an individual from unreasonable searches and seizures, with certain exceptions, such as searches incident to a lawful arrest. However, technology is advancing faster than case law can interpret it and protect an individual from unreasonable search and seizure of electronic devices. Wireless devices sold today are capable of storing large amounts of data, including not only call information but also contact lists, emails and even Internet browser history.

The idea of a cell phone originated in 1947, when Douglas H. Ring of Bell Labs proposed clustering geographic areas into cells (Farley, 2007). Each cell would have an antenna and transceiver unit, reducing power consumption and making it easier to expand into widespread areas. By 2000 there were more than 109 million cell phone subscribers in the United States, and cell phones had become smaller and more practical to use. The technology built into cell phones is constantly changing, so users are able to use many more features than just making a phone call.
As technology advances, cell phone features include the ability to use multimedia applications and store personal information, including addresses, phone numbers, call lists and text messages. Today, cell phones are more like handheld computers, allowing the user not only to make phone calls but to communicate via the Internet and e-mail, store data and perform functions as if at a normal computer. Currently, an officer may search an individual's cell phone for easily accessible information (Stillwagon, 2008). However, the standard bright-line rule that officers apply after making an arrest may not be sufficient to guarantee an individual's rights under the law. For instance, should officers have the option to search the entire contents of a phone, even if it is not an ordinary cell phone but a smartphone such as an Apple iPhone holding 16 GB of data? After all, with proper information management a handheld device can store data equivalent to several thousand printed pages. Lawmakers could not have envisioned the advances in technology available today and are constantly struggling to keep up. Imagine being arrested for a crime and having your cell phone seized and searched, and while searching it officers find information that is personal and has nothing to do with the crime for which you were arrested. In this scenario officers have open access to your personal information, with no recourse available to you if they misuse or misappropriate it. Courts currently allow police officers to seize cell phones and search them after placing an individual under arrest (Stillwagon, 2008). However, an individual's rights over the private information stored on a cell phone are not settled, because courts have been struggling to interpret and apply the correct law to the technologically advanced cell phone.
Tracking an Individual by Cell Phone

For law enforcement officers, an inherent advantage of cell phones is the ability to track the location of a particular phone at any given time (Henderson, 2006), and if police can track a cell phone, they can track an individual. Police officers have linked individuals to crimes using tracking information from cell phone records (Walsh, D., & Finz, S., 2004). In 2001 a proceeding was initiated that forced carriers to roll out technology using multiple overlapping cell sites to "triangulate" the location of cell phone calls (Fletcher, F., & Mow, L., 2002). Cell phone tracking technology was pushed by emergency personnel to speed the response to emergency locations. Police and government officials later discovered another inherent use for it: tracking suspects, conducting investigations, and solving and prosecuting crimes (Henderson, 2006). Thus, if you do not consent to being tracked, your only choice is not to carry a cell phone.

Changing Technology and the Apple iPhone

Cell phones continue to embrace technology and become more advanced each year; a cell phone of 2002 is nothing like a cell phone of 2010. In 2007 Apple released the first-generation iPhone, a wireless smartphone that combines the functions of a cell phone, camera, personal digital assistant (PDA), iPod and Internet access via a mobile browser (Hafner, 2007). In the first three days after its release, more than a quarter of a million first-generation iPhones were sold. Since then Apple has released updated versions of the iPhone and continues to lead the smartphone market. Customer satisfaction has been extraordinary, which will continue to fuel sales of iPhones as new versions reach the market (Roberts, 2007). The storage capacity of the iPhone is currently between 8 GB and 64 GB.
Thus, with this high storage capacity, law enforcement officers have the ability to access information ranging from text messages, e-mail, contacts, and call history to photos, music, and video. Further, the iPhone accesses the Internet using a web browser similar to that of an ordinary computer. Officers are able to retrace steps a suspect may have taken on web sites by reviewing Internet bookmarks and browser history and through forensic examination of deleted data.

Currently, the search-incident-to-arrest rule makes no distinction between the data found on an ordinary cell phone and on an iPhone, and it would be very difficult to alter the bright-line test to distinguish between the types of cell phones on the market. Even if courts were to make changes to keep up with different types of wireless technology, scholars argue it would not be efficient to have multiple rules for different cell phones because judges cannot predict how technology will evolve (Kerr, 2004). Given the advanced technology and mass storage capabilities of the iPhone, technology has reached a point where the bright-line test may no longer be a “one-size-fits-all” test to apply to searching wireless devices. For instance, officers are not constrained by limited resources when investigating the iPhone, because it is the individual who carries the technology, not the officer. Another way to counteract the technology of the iPhone while protecting an individual’s rights is to adopt a new test that allows an officer to limit the search content, such as searching only applications that are open. The temptation to use a treasure trove of evidence against a suspect, however, would easily overcome a “new” bright-line test such as this. The iPhone or a BlackBerry device offers law enforcement a window into their suspect, not only via hard evidence but also in the sense that they can tell what kind of applications the suspect is interested in and what types of web sites they tend to visit.
This could be very valuable character and habit information not directly related to the crime, which may unduly prejudice a jury or judge against the suspect. As is evident with the iPhone, technology is constantly changing with wireless devices. Both the courts and police officers are unable to keep up with the changes in technology. The bright-line test should be examined to guarantee that officers are not afforded too much freedom in conducting searches of cell phones such as iPhones. To date, there have not been any major iPhone challenges in court. Even after case law has been written that addresses advanced technological devices such as the iPhone, technological advancement will open new avenues in which to question the standard bright-line rule for conducting searches incident to a lawful arrest. The only clear-cut way to avoid being tracked or subjected to having your cell phone searched is to not carry a cell phone, iPhone, or the “next” phone of tomorrow.

Responding to the Apple Device

Now that we have the legal authority to search and seize an iPhone, there are some things that we have to consider and document while in the process of seizing. When an investigator, examiner, or other incident response personnel encounters an iPhone, iPod touch, or iPad, the following procedures should be used to mitigate loss of data and loss of access to the device. The iPhone and iPad are just like a BlackBerry, which has the ability to be remotely wiped, allowing the owner to remove all data from the device and restore the settings to factory defaults even when they are not physically in possession of the phone. This can be accomplished by the owner or a compatriot of the owner who has access to the MobileMe account associated with that device (Apple controls these accounts, and a court will allow an investigator to gather MobileMe data). The Find My iPhone service within a MobileMe account needs to have contact from the Web or the 3G network to the MobileMe account.
First let’s look at what a user has to do to wipe an iDevice. From the MobileMe account, the Find My iPhone service needs to be activated. Second, from the device, a MobileMe account has to be added. The Find My iPhone service needs to be turned on, as shown in Figure 1.

Figure 1. Turning on the Find My iPhone feature

Once these steps have been completed, anyone who has access to the web-based MobileMe account can remotely wipe or lock the device. Figure 2 illustrates this.

Figure 2. Lock or Wipe the device

The remote user can do two things:
• Place a passcode on the device (Figure 3);
• Remote wipe the device.

Figure 3. Entering a Remote Lock passcode

The process to place a passcode remotely is as follows:
• Enter MobileMe;
• Go to Find My iPhone;
• Click the device;
• Select Lock;
• Insert a new passcode twice, and select Lock.

To remote wipe the device, the following steps have to be completed by the individual or co-conspirator:
• As with locking, the user has to go to a MobileMe account;
• Select Find My iPhone;
• Select the appropriate device;
• Select Wipe;
• A warning is presented, and if accepted, the device will then be wiped.

Device Isolation

To mitigate the possible data loss, when an iPhone is encountered and there is no passcode active, use the following steps to isolate the phone from cellular and wireless networks:
• Tap the Settings icon;
• Tap the top setting, Airplane Mode;
• Switch from Off to On;
• Sometimes Airplane Mode can be activated and Wi-Fi will still be on. You can turn this off by tapping the Wi-Fi settings and turning Wi-Fi off;
• On the iPod touch and Wi-Fi iPad, it is only necessary to turn off the Wi-Fi.

If an Apple device has a passcode set and is locked upon response, isolate the device with a Faraday bag or, in the case of the iPad, a large paint can can be of some assistance.
These steps are demonstrated in Figures 4 and 5.

Figure 4. Enabling Airplane Mode

Figure 5. Disabling Wi-Fi

An additional step is removing the SIM card or mini-SIM card from the iPhone. Using a paper clip or the SIM card removal tool that comes with the device, you can eject the SIM card from the top or side of the Apple device, as demonstrated in Figure 6 (the SIM is on the right side of the iPhone). Note that this isolates the phone only from the cellular network, not from any wireless access points.

Figure 6. Removing the SIM from iPhone

Passcode Lock

Next you need to ascertain whether a passcode lock has been activated. To determine this, follow these steps:
• If the Enter Passcode screen (Figure 7) is displayed upon responding to the device, then a passcode has been enabled. It then requires the person on the scene to locate and recover lockdown certificates. This is explained later in this article;
• You might also encounter a phone that has a passcode and on which Auto-Lock has not been disabled;
• Tap the Settings icon;
• Tap General;
• If you encounter the screen in Figure 8, the phone has a passcode;
• From this screen, there is one additional setting that has to be changed to allow a logical acquisition to be accomplished. It is important for the responder to have an iPhone charger as part of the tool kit;
• Tap the Auto-Lock setting;
• Change the 3 Minutes setting to Never, as shown in Figure 9;
• Attach the device to a forensic workstation, and retrieve a logical extraction using a manual method from iTunes;
• If the device is encountered with a passcode, the responder should remove the SIM card or mini-SIM card from the phone as described previously and place the phone into a Faraday bag.
Bag and tag the SIM card and the device as required by your organization;
• If the Passcode Lock screen says that it is Off, then a passcode is not enabled on the device. Bag and tag the device.

Figure 7. Enter Passcode screen on iPhone

Figure 8. Passcode lock on iPhone

Figure 9. Setting Auto-Lock to Never

Identifying Jailbroken iPhones

The actual number of users who jailbreak their phones is minimal compared to the total sales of Apple devices. The reason most people jailbreak iPhones is to use the phone on other carriers, to customize the home screen, or to run applications that are not found in the App Store. Most users who have jailbroken their phones have reported reduced performance, and news reports state that hackers have attacked devices that have been jailbroken. That is because jailbreaking circumvents the security features of the device, which may allow rogue hackers to gather personal information from it. Users jailbreak their phones using blackra1n, Qwkpwn, Pwnage, or some other process. There are visual ways of recognizing a jailbroken phone, although since the release of iOS 4 this has become harder. The home screen could have more icons that are not normally seen on any non-jailbroken phone. Figure 10 shows some of the suspect icons and the customization of the home screen, which can indicate that the device has been jailbroken. Responding to these devices is no different from responding to non-jailbroken phones; follow the previous procedures to collect the evidence on the iPhone.

Figure 10. Indications of a jailbroken iPhone

iPhone Information Collection

Use the following steps to effectively gather system information from the iPhone upon the response:
• From the home screen or lock screen, annotate the system date and time;
• From the Mail, Contacts, and Calendars menu, record the e-mail accounts;
• From the Phone menu, annotate the telephone number;
• From the General > About menu, record the following information (Figure 11):
  • Size of the iPhone;
  • OS Version;
  • The Cellular Carrier;
  • iPhone Serial Number;
  • Model;
  • Wi-Fi and Bluetooth MAC Addresses;
  • IMEI;
  • ICCID;
  • Modem Firmware.

The previous items should be written down in the responder’s notes and/or photographed, as demonstrated in Figures 12, 13, 14 and 15.

Figure 11. General information about a particular iPhone
Figure 12. Photo evidence of date and time
Figure 13. Photo evidence of e-mail associated with the phone
Figure 14. Photo evidence of system information
Figure 15. Photo evidence of general information

Responding to Mac/Windows in Connection to iPhones

It is important to know that there are items of evidentiary value on Mac and Windows computers. Therefore, your search warrant or consent search should allow the responder to grab the lockdown certificates from a Mac/Windows computer the phone may have been synced with. This will facilitate the process if a seized phone has a screen lock and requires the input of a four-digit passcode or strong password. The new iOS 4 adds the ability to set strong passwords. If the connecting Mac/Windows machine is also seized, you can retrieve the lockdown certificates later.
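The lockdown-record collection this section describes (copy the Lockdown folder from the synced computer and keep it for the acquisition) is something a responder usually scripts so that the copy is verified and logged. The example below is added here and is not code from the article or from Apple; it keeps the per-OS Lockdown paths this section gives, substitutes the account name into the Windows XP/Vista paths, copies the folder tree, and writes a SHA-256 manifest so the copy can later be shown to match what was on the source machine. The "username" placeholder, the manifest file name and the sample plist used in the test are assumptions of this example.

```python
import hashlib
import json
import shutil
from pathlib import Path

# Per-OS locations of the Lockdown folder as given in this article.
# "username" is a placeholder that lockdown_path() substitutes (assumption of this example).
LOCKDOWN_PATHS = {
    "osx": r"/Private/var/db/Lockdown",
    "xp": r"C:\Documents and Settings\username\Local Settings\Application Data\Apple Computer\Lockdown",
    "vista": r"C:\Users\username\AppData\Roaming\Apple Computer\Lockdown",
    "windows7": r"C:\ProgramData\Apple\Lockdown",
}


def lockdown_path(os_name, username=None):
    """Return the Lockdown folder path for a named OS, filling in the account name where needed."""
    template = LOCKDOWN_PATHS[os_name.lower()]
    if "username" in template:
        if username is None:
            raise ValueError(f"{os_name} path needs the account's user name")
        template = template.replace("username", username)
    return template


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large files do not sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_lockdown(src_dir, dest_dir):
    """Copy the Lockdown folder tree to dest_dir; return a {relative_path: sha256} manifest.

    Each file is hashed on the source, copied with timestamps preserved, and
    re-hashed on the copy, so the manifest doubles as the integrity record
    for the evidence log (manifest.json is this example's own file name).
    """
    src, dest = Path(src_dir), Path(dest_dir)
    if not src.is_dir():
        raise FileNotFoundError(f"Lockdown folder not found: {src}")
    dest.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for item in sorted(src.rglob("*")):
        if not item.is_file():
            continue
        rel = item.relative_to(src).as_posix()
        expected = sha256_file(item)
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(item, target)  # copy2 keeps modification times
        if sha256_file(target) != expected:
            raise IOError(f"copy verification failed for {rel}")
        manifest[rel] = expected
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


if __name__ == "__main__":
    # On the seized machine: collect_lockdown(lockdown_path("windows7"), "E:/case/Lockdown")
    print(lockdown_path("vista", "username-from-the-profile"))
```

Run it against the real folder only after the warrant or consent covers the computer, as the article notes, and record the manifest alongside the responder's notes so the hashes travel with the evidence.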
If the circumstances warrant that the certificates be acquired from the Mac/Windows computer, the following are the paths for the various operating systems:
• OS X: /Private/var/db/Lockdown
• XP: C:\Documents and Settings\username\Local Settings\Application Data\Apple Computer\Lockdown
• Vista: C:\Users\username\AppData\Roaming\Apple Computer\Lockdown
• Windows 7: C:\ProgramData\Apple\Lockdown

In all the operating systems, copy the Lockdown folder. Save this to an external device for further use in acquisition. The property lists (plists) contain the authentication keys, so if the seized device has a passcode, these plists can assist the examiner in gaining access to the phone without invasive procedures. It is important to know the locations of these files so they are not forgotten during a response to any crime scene. It is also wise to incorporate language in search warrants that will allow you to locate these files not just on a Mac or Windows computer but on external devices as well, as depicted in Figure 16.

Figure 16. Copying a lockdown certificate from a Mac

Conclusions

As you have learned in this article, responding to an iDevice means isolating the device from the network and then acquiring information from that device while on scene, from getting device and account information to making sure that all artifacts are gathered at the time of seizure. By the time the search warrant is completed and you leave, all measures should have been taken to get data and isolate the device so that an analysis of the iDevice can be accomplished. You also must not forget to write search warrants that allow not only the seizure of the device but also artifacts from other types of media.

References
• Elmer-Dewitt, P. (2008, May 16). iPhone Rollout: 42 Countries, 575 million potential customers. Fortune. Retrieved March 30, 2009, from http://apple20.blogs.fortune.cnn.com/2008/05/16/iphone-rollout-42-countries-575-million-potential-customers/
• Farley, T. (2007). The Cell-Phone Revolution. American Heritage of Invention and Technology. Retrieved March 24, 2009, from www.americanheritage.com/events/articles/web/20070110-cell-phone-att-mobilephone-motorola-federal-communications-commission-cdma-tdmagsm.shtml
• Fletcher, F. E., & Mow, L. C. (2002). What’s happening with E-911? The Voice of Technology. Retrieved April 2, 2009, from www.drinkerbiddle.com/files/Publication/d6e48706-e421-411c-ab6f-b4fa132be026/Presentation/PublicationAttachment/fdb0980a-7abf-40bf-a9cd-1b7f9c64f3c7/WhatHappeningWithE911.pdf
• Hafner, K. (2007, July 6). iPhone futures turn out to be a risky investment. The New York Times, p. C3.
• Henderson, S. (2006). Learning from all fifty states: how to apply the fourth amendment and its state analogs to protect third party information from unreasonable search. The Catholic University Law Review, 55, 373.
• Kerr, O. (2004). The fourth amendment and new technologies: constitutional myths and the case for caution. Michigan Law Review, 102, 801.
• Krazit, T. (2009). Apple ready for third generation iPhone. Retrieved March 30, 2009, from http://news.cent.com/apple-ready-for-third-generation-of-iphone/
• Morrissey, S. (2010). iOS Forensic Analysis: for iPhone, iPad and iPod Touch. New York, NY: Apress.
• Roberts, M. (2007, July 25). AT&T profit soars: iPhone gives cell provider a boost. Augusta Chronicle, p. B11.
• Stillwagon, B. (2008). Bringing an end to warrantless cell phone searches. Georgia Law Review, 42, 1165.
• Walsh, D., & Finz, S. (2004, August 26). The Peterson trial: defendant lied often, recorded calls show, supporters mislead about whereabouts. San Francisco Chronicle, p. B1.

ABOUT THE AUTHOR
Deivison Pinheiro Franco graduated in Data Processing. Specialist in Computer Networks, in Computer Networks Support and in Forensic Sciences (Emphasis in Forensic Computing). Security Analyst at Bank of Amazônia. Professor at various colleges and universities of disciplines such as Computer Forensics, Information Security, Systems Audit, Computer Networks, Computer Architecture and Operating Systems. Computer Forensic Expert, IT Auditor and Pentester with the following certifications: CEH – Certified Ethical Hacker, CHFI – Certified Hacking Forensic Investigator, DSEH – Data Security Ethical Hacker, DSFE – Data Security Forensics Examiner, DSO – Data Security Officer and ISO/IEC 27002 Foundation.

ABOUT THE AUTHOR
Nágila Magalhães Cardoso graduated in Computer Networks Technology and is a Specialist in Computer Security. Certified in network administration and as a technician in computer installation, maintenance and installation of computer networks. Panelist and professor of free computer courses in the areas of information technology and computer networks, with special knowledge in computer security and forensics.

STEP BY STEP GUIDE FOR MOBILE FORENSICS, ESPECIALLY MESSENGERS LIKE WHATSAPP, TO TACKLE CYBER-CRIMES COMMITTED THROUGH COMMUNICATION MEDIA LIKE MOBILE
by Omkar Prakash Joshi, CEH, CHFI, ECSA/LPT, ISO27001, Cyber Forensics Investigator

Nowadays, mobile forensics has risen in importance because cybercrimes and other crimes committed using electronic media such as mobile phones have been increasing. To tackle such crimes, mobile forensics came into the IT world. By doing forensic investigation of mobile devices we analyse data such as SMS, call logs, memory etc. Mobile forensics and investigation have increasingly gained a lot of importance.

What you will learn:
• How to acquire data or evidence from mobile devices.
• How to analyse all data
• How to do forensic analysis on acquired data
• How to bypass passcodes such as pattern locks
• Useful tools in detail

What you should know:
• Familiarity with the concept of forensics
• Familiarity with file systems

Nowadays, mobile forensics has risen in importance because cybercrimes and other crimes committed using electronic media such as mobile phones have been increasing. So in this article I am going to introduce the forensic investigation of mobile devices, mostly Android-based and iOS-based devices. Today most users in the world are using Android- and iOS-based mobile devices. So, if a person has committed a crime using such a mobile device, how can we investigate? What actually is mobile forensics? It is the acquisition and analysis of data from devices. Here I am going to demonstrate forensic techniques on mobile devices such as Android and iOS.

INTRODUCTION

Mobile forensics is defined as “the science of recovering digital evidence from a mobile phone under forensically sound conditions using accepted methods.” (NIST)

WHAT IS MOBILE FORENSICS & WHY SHOULD I CARE?

The acquisition and analysis of data from devices. It is used in internal corporate investigations, civil litigation, criminal investigations, intelligence gathering, and matters involving national security. Arguably the fastest growing and evolving digital forensic discipline, it offers significant opportunities as well as many challenges.

INTERESTING FILES
• cache.img: disk image of /cache partition
• sdcard.img: disk image of SD card
• userdata-qemu.img: disk image of /data partition

Android Debug Bridge (ADB)

One of the most important pieces of Android forensics. The best time to pay attention is now. Developers use this, and forensic analysts and security analysts rely on it. What actually is ADB? It is an interface that provides the user access to a shell prompt on the device as well as other advanced features.
For this you first need to enable USB debugging. So how do you do that?

ENABLE USB DEBUGGING ON DEVICE
• Applications > Development > USB Debugging
• This will run the adb daemon (adbd) on the device.
• adbd runs as a user account, not an admin account, so there is no root access, unless your device is rooted, in which case adbd will run as root.
• If the device is locked with a passcode, enabling USB debugging is difficult.

ADB Components

Three components:
• adbd on device
• adbd on workstation
• adb on workstation

adb is free, open-source, and our primary tool for Android forensics.

Figure 1. OSAF VMware Workstation

All the forensic analysis here I am doing on my forensic workstation, i.e. the OSAF (Open Source Android Forensics) VMware workstation. This workstation is very good from a forensic perspective. It is open source, and most investigators use it because all the forensic tools are already installed. To identify whether a device is connected or not, use the command:

adb devices

Figure 2. Identify device command a)

Sometimes ADB doesn’t respond properly; in that case use the command:

adb kill-server

Figure 3. Identify device command b)

ADB Shell

To open an adb shell on an Android device, use the command:

adb shell

Figure 4. Opening an adb shell on Android device

It gives full shell access directly on the device. Once we learn more about the file system and directories, adb shell will get you much of the data needed for forensic analysis. If you have root access to the Android device then you are the superuser, who has all permissions and rights. The commands for rooted devices are shown in Figures 5 and 6.

Figure 5. Rooted device command a)
Figure 6. Rooted device command b)

FORENSICS DATA GATHERED AND ANALYZED

From a forensic perspective, the following data should be analyzed, because most crimes committed through mobile devices leave evidence such as:
• SMS History
• Deleted SMS
• Contacts (stored in phone memory and on SIM card)
• Call History
  • Received Calls
  • Dialed Numbers
  • Missed Calls
  • Call Dates & Durations
• Datebook
• Scheduler
• Calendar
• File System (physical memory)
• System Files
• Multimedia Files
• Java Files / Executables
• Deleted Data
• Notepad
• More...
• GPS Waypoints, Tracks, Routes, etc.
• RAM/ROM
• Databases
• E-mail

WHAT DATA ARE STORED?
• Apps that ship with Android
• Apps installed by the manufacturer
• Apps installed by the wireless carrier
• Additional Google/Android apps
• Apps installed by the user, typically from the Android Market

Basically the file systems used on Android devices are:
• EXT (Extended File System)
• YAFFS2 (Yet Another Flash File System)
• FAT32 (File Allocation Table)

IMPORTANT DIRECTORIES & DATA STORAGE METHODS

/data/data – app data is generally installed in a subdirectory per app.

COMMON SUBDIRECTORIES

Figure 7. Common subdirectories

DATA STORAGE METHODS
• Shared preferences
• Internal storage
• External storage
• SQLite
• Network

Internal & external storage

The SD card is the external storage device, and internal storage will be /data/data and others, as in Figure 8.

Figure 8. Internal storage

And external storage such as the SD card, as in Figure 9.

Figure 9. External storage

All SMS, call log and WhatsApp messages are stored in databases, i.e. files with the “.db” extension. We can analyse these using the SQLite utility.

SQLite
• Lightweight open-source relational database
• Entire database contained in a single file
• Generally stored on internal storage at /data/data/<packageName>/databases
• Browser subdirectories contain valuable data

First, if an Android device has a passcode like a pattern lock, how do we get past it? By bypassing the passcode using some attacks like the smudge attack, the pattern lock vulnerability, adb etc.
So, the passcode types are shown in Figure 10.

Figure 10. Passcode types

So, how do we bypass these passcodes? One attack type is the smudge attack. We know screens are reflective; a smudge (aka pattern lock residue) is diffuse. Directional lighting and a camera capturing photos overexposed by two to three f-stops (4 to 8 times “correct” exposure) create an image displaying the pattern lock. It is not 100% accurate, since other swipes of the screen may have damaged the pattern lock smudge.

SMUDGE ATTACK

Figure 11. Smudge attack
Figure 12. The pattern contrasts greatly with the background noise: a grid of dots. The contrast on this image has been adjusted

PATTERN LOCK CRACK

Pattern Lock creates a file gesture.key in internal storage with only read permission. A hash of the pattern is stored in storage. If a custom recovery ROM is installed (i.e. ClockWork Recovery), remove and recreate the key to bypass the pattern.

Figure 13. Removing and recreating the key

Another way to crack this pattern lock is to retrieve gesture.key from the system and use Android Pattern Lock Master to crack the pattern, or match the hash value against a predefined dictionary. Now I am going to demonstrate both ways. To retrieve the file from the Android device:

Figure 14. Retrieving file from android devices

The next step is to crack it using Android Pattern Lock Master:

Figure 15. Cracking with android pattern lock master
Figure 16. Cracking with android pattern lock master

Finally, my mobile pattern is cracked and it shows the actual pattern. Another way to crack the pattern is by matching hash values: open gesture.key in a hex editor and copy the hash from the file.

Figure 17. Matching hash values a)

Now copy this hash and compare it with a predefined hash rainbow table:

Figure 18. Matching hash values b)
Figure 19. Matching hash values c)

In this way we can get the pattern, and we can easily access the Android device after entering it. Now we are ready to do forensics on our Android phone. From a forensic perspective the important files are SMS, call logs, chat history, messenger history etc. Now I am going to demonstrate forensic techniques, in what way forensics is carried out on Android devices, and much more.

ANDROID FORENSIC TECHNIQUES
• Forensic data acquisition using adb pull.
• Acquiring SD card data, i.e. external storage
• Open-source and commercial forensic tools:
  • qtADB
  • viaExtract
  • CelleBrite
  • Paraben

LOGICAL SD CARD ACQUISITION

User app data lives in /data/data directories, in which each sub-directory is RW protected to the app user. SD cards are used for large storage (audio, video, maps). The SD card uses the cross-platform FAT file system. .apk files residing on SD cards are increasingly encrypted. Unencrypted .apk’s are mounted in /mnt/asec. This is an important directory to pull and analyze if 3rd party apps are part of the investigation. We can pull data from locked and rooted devices as well, using adb pull:

Figure 20. Pulling the data with adb pull

It will pull data from the sdcard and store it in the adbpull directory.

Figure 21. Adb directory

Another tool is AFLogical, used for forensic logical extraction. AFLogical is an Android forensics logical extraction tool, and it is free for law enforcement and government agencies. First I am going to show the actual location of all SMS, call log and messenger databases.

TRACING LOCATION OF IMPORTANT DATABASES

From a forensic perspective we need to analyse all contacts, SMS history, call logs and messenger (e.g. WhatsApp) chat history. So where are they stored? I am going to demonstrate the actual locations of such databases now. All are stored in database format, i.e. with the “.db” extension. For the contacts database:

Figure 22. db extension

Generally all files in /data/data are RW protected, so we need to change the permissions so that we can pull them out from the system.

Figure 23. Pulling out from the system a)
Figure 24. Pulling out from the system b)

For call logs, the call logs are stored in the same database file, but the table name is different, i.e. calls.

Figure 25. Table name

All this is about the contacts and call logs databases. In this way we can analyse call logs and contacts on Android devices manually. Now what about SMS history? The location is different, but these are also stored in a database file.

Figure 26. Database file

This is the location of the SMS database, stored in the MMSSMS.db file.

Figure 27. Location of SMS databases & stored in MMSSMS.db file
Figure 28. Location of SMS databases & stored in MMSSMS.db file

This is the actual message database, which shows all information regarding the SMS: sent from (address), date, actual message (body) and so on.

MESSENGER FORENSIC (WhatsApp)

Nowadays, chatting using messengers is on the rise in this world. WhatsApp is one of the most famous messengers; it allows you to chat with friends from anywhere, share photos, share videos etc. So suppose a crime is committed through WhatsApp. How do we investigate that? By analysing the chat history. Basically the WhatsApp chat history is also stored in database format, again in the same /data/data location, which is RW protected. But it also creates a backup in the /sdcard/whatsapp directory, in encrypted format. So, how do we proceed with the analysis of such messages? Don’t worry, we can analyse all the databases. Nothing is impossible! Here I am going to demonstrate the analysis of WhatsApp chat history, or you can say WhatsApp forensics, and how it is carried out. We can do it both ways, i.e. we can analyse the backup, which is encrypted, and also the main database, which is present in the /data/data directory.
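Before moving on to the WhatsApp walkthrough, here is a worked example for the contacts/call-log and SMS databases covered above. The figures show the tables being browsed by hand; an examiner usually wants the sms table from mmssms.db and the calls table merged into one timeline with the millisecond timestamps converted to a stated time zone. The code below is an added example, not the article's or the OSAF workstation's code. It builds an in-memory SQLite stand-in with constructed rows (no real device data) using a reduced version of the Android sms and calls columns (address/number, date, type, body/duration), and the type-code meanings are the Android provider constants; open_db() shows how a pulled .db file would be opened read-only instead.

```python
import sqlite3
from datetime import datetime, timezone

# Android keeps SMS in mmssms.db (table "sms") and the call log alongside the
# contacts (table "calls"). Both record times as milliseconds since the epoch.
# The type codes are the Android provider constants for those tables.
SMS_TYPE = {1: "inbox", 2: "sent", 3: "draft"}
CALL_TYPE = {1: "incoming", 2: "outgoing", 3: "missed"}

# Constructed sample rows (not from any real device). The schemas below are
# reduced to the columns an examiner normally reports.
SAMPLE_SMS = [
    ("+15550100", 1380000000000, 1, "meet at 6"),
    ("+15550100", 1380003600000, 2, "ok, on my way"),
]
SAMPLE_CALLS = [
    ("+15550100", 1379996400000, 45, 2),   # 45-second outgoing call
    ("+15550199", 1380007200000, 0, 3),    # missed call
]


def open_db(path):
    """Open a pulled .db file read-only so analysis cannot alter the evidence copy."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def build_sample_db():
    """In-memory stand-in for the pulled mmssms.db / contacts databases."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE sms(_id INTEGER PRIMARY KEY, address TEXT, date INTEGER,
                         type INTEGER, body TEXT);
        CREATE TABLE calls(_id INTEGER PRIMARY KEY, number TEXT, date INTEGER,
                           duration INTEGER, type INTEGER);
    """)
    con.executemany("INSERT INTO sms(address, date, type, body) VALUES (?,?,?,?)", SAMPLE_SMS)
    con.executemany("INSERT INTO calls(number, date, duration, type) VALUES (?,?,?,?)", SAMPLE_CALLS)
    con.commit()
    return con


def ms_to_utc(ms):
    """Android millisecond timestamp -> 'YYYY-MM-DD HH:MM:SS' in UTC (state the zone in the report)."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def sms_records(con):
    rows = con.execute("SELECT address, date, type, body FROM sms ORDER BY date")
    return [{"kind": "sms", "party": addr, "ts": d, "when": ms_to_utc(d),
             "detail": f"{SMS_TYPE.get(t, t)}: {body}"} for addr, d, t, body in rows]


def call_records(con):
    rows = con.execute("SELECT number, date, duration, type FROM calls ORDER BY date")
    return [{"kind": "call", "party": num, "ts": d, "when": ms_to_utc(d),
             "detail": f"{CALL_TYPE.get(t, t)}, {dur} s"} for num, d, dur, t in rows]


def timeline(sms_con, calls_con=None):
    """Merge SMS and call rows into one chronological list. On a real pull the two
    tables live in different .db files, so a second connection may be passed."""
    calls_con = calls_con or sms_con
    events = sms_records(sms_con) + call_records(calls_con)
    events.sort(key=lambda e: e["ts"])
    return events


if __name__ == "__main__":
    for e in timeline(build_sample_db()):
        print(e["when"], e["kind"], e["party"], e["detail"])
```

With pulled files you would call timeline(open_db("mmssms.db"), open_db("contacts2.db")) after copying both out of /data/data as the figures show; the read-only URI keeps SQLite from writing a journal next to the evidence copy, and working from a hash-verified copy rather than the device keeps the original untouched.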
First I will show you how to do the forensic analysis of the main database.

Figure 29. Forensics analysis of main database

This is the location where the WhatsApp database is stored.

Figure 30. Whatsapp database storage location
Figure 31. Whatsapp chat history

In this way we can retrieve the WhatsApp chat history manually. WhatsApp also stores a backup in the /sdcard/whatsapp directory, but that is encrypted. How do we analyse such files?

Figure 32. Analysing backup

In the figure above the database is stored with the extension “.crypt”, i.e. it is encrypted. So, how do we decrypt and analyse them? We need the Python package “pycrypto” to be installed to decrypt such encrypted files, and the “whatsapp_xtract” Python tool. This will extract messages from the database file and generate a report in HTML format.

Figure 33. Command to extract messages from encrypted database file

This is the command to extract messages from the encrypted database file.

Figure 34. Encrypted database file

After completion it will generate an HTML report:

Figure 35. Html report

In this way we can analyze encrypted backups of WhatsApp databases. All these SMS, call logs, contacts, chat history etc. are very useful and important from a forensic investigation perspective.

ANDROID FORENSIC TOOL – AFLogical

As I mentioned above, AFLogical is an Android forensics logical extraction tool. It is used to extract SMS, call logs, contacts etc., which is very useful from a forensic perspective. For this you need to download AFLogical.apk onto the Android device. After installation, when you open it, it shows you the available providers, like SMS, call logs, contacts etc., to extract data from. After extraction it saves the data into a forensics folder on the device itself, with the “.csv” extension.

Figure 36. Saving into forensic folder

Now I am going to pull out these files to analyze their contents.

Figure 37. Analysing content

You can use a CSV viewer to view or read the CSV file contents, or you can open it with Microsoft Excel.
www.eForensicsMag.com 81 Figure 38. Viewing the csv files So, in this way all forensic of android devices especially Messenger like whatsapp forensic, contacts, call logs, SMS history I have demonstrated. And as forensic prospective important directory paths, • • • • • • • /cache/ Previewed Gmail attachments Downloads (Market and messages) /data/ dalvik-cache: applications (.dex) that have been run app: .apk files data: subdirectories per app with SQLite databases and XML shared preferences • misc: protocol info • system: • installed applications (or packages.xml) • accounts database • device and app login details, .key files • /proc & /sys – list of device filesystems, web history, device info • /mnt/sdcard/DCIM/Camera – images • /sdcard/android or sdcard/data/data – FAT32, limited permission In this way we have done with, • • • • Extract and analyze data from an Android device Manipulate Android file systems and directory structures Understand techniques to bypass passcodes Utilize logical and physical data extraction techniques SUMMARY Technology is destructive only in the hands of people who do not realize that they are one and the same process as the universe. REFERENCES • Android Forensics – Andrew Hoog (Syngress, 2011) ISBN- 978-1-59749-651-3 • Android Forensics & Security Testing – http://www.opensecuritytraining.info • OSAF – Open Source Android Forensic Workstation About The Author I have been working with IT field since last 1 year. I am independent security researcher. I acquired knowledge & experience in Computer & Mobile Forensics as well as Information Security & Ethical Hacking Training. I have acquired several certifications like CEH, CHFI, ECSA/LPT, ISO27001 Lead Auditor, and Cyber Crime Investigator. I give training to corporate as well as students in Mobile & Computer Forensics. I am currently working as Freelancer in Information Security Field. 
For more, see my profile on Facebook – https://www.facebook.com/omkar.joshi.10690 and on LinkedIn – http://in.linkedin.com/pub/omkar-joshi/25/4a6/357, or my email ID – omkarjoshi07@gmail.com

DOES MOBILE PHONE FORENSICS PLAY A ROLE IN SOLVING TRADITIONAL CRIME?
by Dr. Mukesh Sharma & Dr. Shailendra Jha

Solving a crime using mobile phone and SIM records may depend on proper call data record (CDR) and mobile phone forensic (MPF) investigation. Important data may be retrieved depending on the mobile phone model and whether the electronic evidence within the mobile phone is retained and able to be retrieved.

What you will learn:
• How evidence collection at a traditional crime scene can be patterned on the basis of the occurrence.
• Which evidence an investigator may use to direct the investigation.
• Basic information provided by the SIM/USIM.
• Mobile phone properties.
• The various tools and techniques available for mobile phone/SIM forensic examinations.

What you should know:
• Familiarity with the fundamentals of crime scene investigation.
• Knowledge of the basic functioning of a mobile phone.
• Familiarity with the new IT Act.

A thorough examination of the data found on a mobile phone’s SIM/USIM, integrated memory and any optional memory cards requires in-depth knowledge, kept current with the latest upgrades and advancements in technology. Available tools used in forensic examinations of mobile phone devices and SIM cards have been compared. Two examples are given in two case studies of crimes which have been solved on the basis of forensics of call data records from mobile phones.

Introduction

Mobile web users are those who surf the web on their phones using either WAP or GPRS. A new survey by UK-based Bango Plc, which tracks users from over 190 countries, gives the following percentages for different countries: UK 27%, US 21%, South Africa 11% and India 9%.
India lacks the infrastructure for a good fixed-line phone network, so mobile usage and subscriber numbers will continue to grow, allowing India to exceed European mobile internet usage levels in the next couple of years, as reported. With the increasing popularity and technological advances of mobile devices, new challenges arise for forensic examiners and toolmakers (Willassen 2003; Ayers 2004). Data recovered from mobile devices has proven useful in solving incidents and investigating criminal activity (Barrie Mellars, 2004). As shown in Fig. 1, the world’s largest individual mobile operator is Chinese, with over 500 million mobile phone subscribers. The world’s largest mobile operator group by subscribers is the UK-based service provider Vodafone. There are over 600 mobile operators and carriers in commercial production worldwide. Over 50 mobile operators have over 10 million subscribers each, and over 150 mobile operators had at least one million subscribers by the end of 2009 (Kim et al. 2007; Willassen 2003; Ayers 2007).

Figure 1. Market share of mobile manufacturers since the first quarter of 2010 (references [3] & [4] from the web)

Forensics of Mobile Phone and SIM

Mobile devices specifically refers to cellular (or mobile) phones and smartphones. Bear in mind that some of the older model PDAs, such as the initial Palm and BlackBerry-series devices, do not have radio (cellular) capability and are simply used to store personal information (contacts, calendars, memos, to-do lists, etc.).

Mobile phone properties:
• Cellular phones:
  • Code Division Multiple Access (CDMA) – typically handset only
  • Global System for Mobile Communications (GSM) – handset and SIM
  • Integrated Digital Enhanced Network (iDEN) – handset and SIM
• Smartphones:
  • Cell phone as well as multimedia properties.

The distinction between cell phones and data storage organizers is becoming blurred with the emergence of smartphone devices.
These devices encompass the features of cell phones (radio capability) and the ability to store personal data, surf the web, send text messages (SMS) and/or multimedia messages (MMS), check email, instant message (IM), make audio or video calls, download/upload content to and from the Internet, and take pictures as well as video. To catch a user, to nail a prank caller, to stop telemarketers, to research a missed call, to trace old friends and relatives: these are some of the reasons why anyone would want to know how to trace a cell phone owner’s location by phone number. However, tracing a cell phone owner’s location by phone number is not always as easy as it sounds (Ayers 2007).

Every SIM is assigned to a subscriber through 4-8 digit Personal Identification Number (PIN) codes. The PIN protects core SIM subscriber-related data and certain optional data. The subscriber can modify these codes, and their function can be disabled or enabled. Only by providing the correct PIN Unblocking Key (PUK) can the value of a PIN and its attempt counter be reset on the SIM. If the number of attempts to enter the correct PUK value exceeds a set limit, normally ten attempts, the card becomes permanently blocked. The PUK for a PIN can be obtained from the service provider or network operator by providing the identifier of the SIM (i.e., its Integrated Circuit Card Identifier, or ICCID). The ICCID is normally imprinted on the SIM, but can also be read from an element of the file system (Idc.com 2009-07-21). Sometimes the service provider can help us: besides call detail records (CDRs), subscriber records maintained by a service provider can provide data useful in an investigation.
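Both identifiers this article leans on, the ICCID imprinted on the SIM (quoted to the operator when requesting the PUK) and the handset IMEI (used later in Case I to trace a handset), end in a Luhn mod-10 check digit, so a misread or mistyped digit can be caught before a request goes out. The script below is an added example, not from the article; the ICCID is constructed and the IMEI is a widely used test value, and the length bounds are ITU-T E.118 (up to 22 digits, 19 or 20 in practice).

```python
# Luhn mod-10 validation for SIM (ICCID) and handset (IMEI) identifiers.
# Both formats place a Luhn check digit last, so one misread digit almost
# always fails the check. Added example, not code from the article.


def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    if not number.isdigit():
        return False
    total = 0
    # Walk from the rightmost digit (the check digit) and double every
    # second digit, folding two-digit results back into one digit.
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize(value: str) -> str:
    """Keep digits only; imprinted and OCR'd numbers often carry spaces or dashes."""
    return "".join(c for c in value if c.isdigit())


def check_iccid(value: str) -> dict:
    """Validate an ICCID: digits only, plausible length, '89' telecom prefix, Luhn."""
    iccid = normalize(value)
    problems = []
    # E.118 allows up to 22 digits; real SIMs are usually 19 or 20.
    if not (18 <= len(iccid) <= 22):
        problems.append("length %d is outside 18-22" % len(iccid))
    if not iccid.startswith("89"):
        problems.append("does not start with the telecom industry identifier 89")
    if not luhn_valid(iccid):
        problems.append("Luhn check digit mismatch")
    return {"iccid": iccid, "valid": not problems, "problems": problems}


def check_imei(value: str) -> dict:
    """Validate a 15-digit IMEI and split it into TAC, serial and check digit."""
    imei = normalize(value)
    problems = []
    if len(imei) != 15:
        problems.append("length %d, expected 15" % len(imei))
    if not luhn_valid(imei):
        problems.append("Luhn check digit mismatch")
    result = {"imei": imei, "valid": not problems, "problems": problems}
    if len(imei) == 15:
        # TAC (type allocation code) identifies the model; the serial the unit.
        result.update(tac=imei[:8], serial=imei[8:14], check=imei[14])
    return result


if __name__ == "__main__":
    # Constructed ICCID and a commonly used IMEI test value.
    for label, res in (("ICCID", check_iccid("8991 0000 0000 0000 002")),
                       ("ICCID", check_iccid("8991 0000 0000 0000 003")),
                       ("IMEI", check_imei("49-015420-323751-8"))):
        print(label, res)
```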
For example, for GSM systems, the database usually contains the following information about each customer:

• Customer name and address
• Billing name and address (if other than customer)
• User name and address (if other than customer)
• Billing account details
• Telephone number (MSISDN)
• IMSI
• (U)SIM serial number (ICCID)
• PIN/PUK for the (U)SIM
• Services allowed

Planning the Analysis

HOW TO COLLECT THE DEVICE?

This may sound trivial, but this decision can have a significant impact on the type of data one is able to obtain. Because mobile devices can communicate constantly, a real concern exists that the data you are interested in (especially email, texts and Internet history) could be crowded out by newly arriving data and disappear if the device is not rendered incommunicative.

WHAT ANALYSIS WILL BE DONE?

There are many different ways to forensically analyze a mobile device. One technique developed early on is decidedly low-tech: simply manipulating the phone (by navigating through the email, photographs or contacts list, for example) while videotaping and/or photographing the results.

WHAT EVIDENCE CAN ONE GET?

While mobile device forensics can present many challenges, the potential payoff can be significant. We are fairly well assured of getting the basics, including call logs, texts, contacts, calendar items, multimedia (photos, music, et cetera), memos, notes and potentially email. We may also be able to retrieve Internet browsing history, screenshots, voicemails, information regarding mobile “apps” (including when they were purchased), videos, map histories, geo-location information (including coordinates stored in photographs taken by the device), and records of access to wireless networks.

AVAILABLE TOOLS FOR FORENSIC EXAMINATION OF MOBILE PHONES AND SIM CARDS

Table 1 and Table 2 list a broad range of tools for forensic examination of mobile phones and SIMs.
These tools are easily available in the market and are used in forensic laboratories as well.

Table 1. Mobile & SIM examination tools available for forensics, with specifications

• Cell Seizure
  Process: Acquisition, Reporting, Examination
  Specifications: Targets certain models of GSM, TDMA and CDMA phones; internal and external SIM support; only the cable interface is supported
• GSM .XRY
  Process: Acquisition, Reporting, Examination
  Specifications: Targets certain models of GSM phones; internal and external SIM support; cable, Bluetooth and IR interfaces are supported
• MOBILedit! Forensic
  Process: Acquisition, Reporting, Examination
  Specifications: Targets certain models of GSM phones; internal and external SIM support; cable and IR interfaces are supported
• BitPIM
  Process: Acquisition, Examination
  Specifications: Targets certain models of CDMA phones; recovery of SIM information is not supported
• CellDEK
  Process: Acquisition, Examination, Reporting
  Specifications: GSM and CDMA phones; SIMs and USIMs
• PhoneBase
  Process: Acquisition, Examination, Reporting
  Specifications: GSM phones; SIMs and USIMs
• Secure View
  Process: Acquisition, Examination, Reporting
  Specifications: TDMA, CDMA and GSM phones; SIMs
• TULP 2G
  Process: Acquisition, Reporting
  Specifications: GSM phones; SIMs
• BKForensics
  Process: Acquisition
  Specifications: A data interpreter for cell phone flash files
• UFED Touch (Cellebrite)
  Process: Acquisition, Reporting
  Specifications: Extracts data such as phonebook, pictures, videos, text messages, call logs, ESN and IMEI information from 8000+ models of handsets
• Forensic Card Reader (FCR)
  Process: Acquisition, Reporting
  Specifications: The FCR software indicates the ICC-ID and the IMSI to identify the mobile phone card with the network operator, and more
• FTK Mobile Phone Examiner
  Process: Acquisition, Reporting
  Specifications: GSM and CDMA phones; SIMs and USIMs

Table 2. SIM examination tools available for forensic laboratories

• SIMIS
  Process: Acquisition, Reporting, Examination
  Specifications: Only external SIM cards are supported
• ForensicSIM
  Process: Acquisition, Reporting, Examination
  Specifications: Only external SIM cards are supported; produces physical facsimiles of the SIM for defence and prosecutor, used as a storage record
• Forensic Card Reader
  Process: Acquisition, Reporting
  Specifications: Only external SIM cards are supported
• SIMCon
  Process: Acquisition, Reporting, Examination
  Specifications: Only external SIM cards are supported

WHAT TO DO WHEN A MOBILE IS FOUND AT THE SPOT

A forensic person/team member must ensure that the proper search warrant is in place before beginning an investigation. When searching a site, one should proceed cautiously. Whether because of the mobile phone and its owner or user, or for other reasons, if the device is not handled properly, physical evidence can easily be contaminated and rendered useless. For cell phones, sources of evidence include the device, the SIM and media (memory cards). Associated peripherals, cables, cradles, power adapters and other accessories are also of interest and might hold information related to the happenings.

At an indoor crime spot, the surrounding areas and rooms, other than where a device is found, should be searched to ensure related evidence is not overlooked. When mobile/cell phone devices are found on the scene, consideration should be given to turning off wireless interfaces, such as Bluetooth and WiFi radios, as soon as the equipment is brought into the search area, so that any interaction may be avoided. Equipment associated with the cell phone, such as removable media, SIMs, or even personal computers that may be connected with it, can sometimes provide more valuable information than the phone itself. Most often, removable memory cards are identifiable by their distinctive shape and the presence of pins, pin receptacles or contacts located on their body, used to establish an electrical interface with the device.
Phones found in a compromised state, such as immersed in a liquid, can complicate seizure (Faraday bags). In the case of liquids, the battery should be removed to prevent electrical shorting. It must be ensured that no moisture is introduced during transportation to the lab. Mobile phones and associated media may be found in a damaged state, caused by accident or by deliberate action of the criminal. Visible external damage to a cell phone or media does not necessarily prevent the extraction of data. Damaged phones should be sent back to the lab for closer inspection, where damaged components can be repaired or the device restored so that examination and analysis may be performed on it. Undamaged memory components may also be removed from a damaged device and their contents recovered independently. In general, the two basic methods for isolating the phone from radio communication and preventing these problems are:

• Turn the device off at the point of seizure
• Place the device in a shielded container/bag

PROCEDURE TO ANALYSE A MOBILE PHONE FORENSICALLY USING TOOLS

The general requirements for testing a mobile phone/SIM/memory card with a tool must follow the flowchart shown in Fig. 2. For the sake of example, we have incorporated an illustrative example of the examination process using the LogiCube CellDEK (check the equipment manual).

Figure 2. Flowchart to execute the process of examination, as illustrated in the CellDEK User’s Manual, Version 1.24, Date: 03/11/13 (Courtesy: LogiCube)

Case Studies

Two very interesting cases have been reported for the forensic community to exemplify the advancement in technology; this also presents easier ways to catch criminals as well as the path and direction of investigations.

CASE I: MURDER

Per the investigating officer’s (IO) request, our team was called to the scene.
From these photos, it is clearly observed that the door was closed from the outside and a dead body was lying in the house. At the scene we observed that the dead body of the lady was on the floor. The body had a head injury, and a blood-smeared heavy stone was found near the body. It appeared that she was murdered using the stone, but the question remained as to who may have done this. Per the questioning of the victim’s neighbours, she usually carried a mobile phone, which was missing from the scene of the incident.

Because of the missing mobile phone, the IO was advised to trace the mobile and its details. Some of the procedures are defined below for locating the suspect who may have kept the phone:

• One mistake the suspect had made is that he kept the victim’s mobile phone with him, although he had broken the SIM.
• CDRs of the victim’s mobile number were provided by the service provider.
• It was estimated that the person whose mobile number appeared in the last three days before her death might have been involved in the case.
• The suspect had changed the SIM card but not the handset. After two months, the location of that person was established using Cell Site Analysis, as provided by the service provider and our Cyber Cell of the District Police, and he was caught in Madhya Pradesh (India).

On the basis of her mobile CDRs and the last location details of her SIM, it was observed that the mobile was used after her death and the culprit switched off the mobile later. The handset was kept under observation; after two months, through the IMEI number of the lady’s cell phone, a new SIM was registered for the same IMEI. The location was then analysed by Cell Site Analysis.

CASE II: IDENTIFICATION OF UNKNOWN DEAD BODIES

In this case two dead bodies were found in an open place. To hide their identity, the dead bodies’ faces had been burnt with petrol so that they could not be recognized at any cost. At the spot, struggle marks were observed at the place of occurrence.
The lower parts of both dead bodies were semi- or partially burnt. During the search we were not able to identify the persons, and as per our observations the spot was a secondary scene of crime. Our team checked all the pockets and clothes. By luck, we found a wallet in the back pocket of the second dead body’s pants. From these numbers, we were able to link the persons, where they belonged to, and what might have happened. The list of mobile numbers was the only evidence for identification purposes. They belonged to Madhya Pradesh, which is about 430 km away from the spot.

This article reveals that mobile forensics is an important task, and with technology advancing rapidly this practice becomes more and more difficult for the forensic practitioner. The future of mobile phones seems to be heading towards convergence with other digital devices such as MP3 players, GPS navigation devices, laptop computers, camcorders, Personal Digital Assistants (PDAs) and digital cameras (Terrence P. O’Connor 2009).

IN SUMMARY

Although mobile phone forensics is a novel field, it can be used in solving crimes. When analysing a mobile phone for forensic evidence, the process is different from the traditional computer forensics model. As forensic scientists, we should always be aware of the laws that deal with the admissibility of evidence, mainly the guidelines outlined in (Burentte 2002; Cohen 2007). As the use of these devices grows, more evidence and information important to investigations will be found on them. To ignore examining these devices would be negligent and result in incomplete investigations.
Crime scene investigators commonly require the call history, contacts and text messages from these mobile devices, but can also benefit from other sources of evidence such as photos, videos and ringtones. Usually these personal pieces of information take investigations to the next step or lead to more questions.

ON THE WEB

• AccessData’s FTK, http://www.accessdata.com/
• EnCase Forensic, http://www.guidancesoftware.com
• Paraben (Network) E-mail Examiner, http://www.paraben.com
• Mobile Marketing Tools – http://mobithinking.com/mobile-marketing-tools/latest-mobile-stats/a

BIBLIOGRAPHY

• Ayers, R. J. (2004). Cell Phone Forensic Tools: An Overview and Analysis. NIST Interagency Report.
• Mellars, B. (2004). Forensic examination of mobile phones. Digital Investigation 1, 266-272.
• Burentte, M. W. (2002). Forensic Examination of a RIM (BlackBerry) Wireless Device. June 2002.
• Cohen, T., Schroader, A. (2007). Alternate Data Storage Forensics. Syngress Publishing.
• Kim, K., Hong, D., Chung, K., Ryou, J. (2007). Data Acquisition from Cell Phone using Logical Approach. Proceedings of World Academy of Science, Engineering and Technology, Vol. 26, December 2007.
• O’Connor, T. P. (2009). Provider Side Cell Phone Forensics. Small Scale Digital Device Forensics Journal, Vol. 3, No. 1, June 2009. ISSN 1941-6164.
• Willassen, S. (2003). Forensics and the GSM mobile telephone system. International Journal of Digital Evidence, Vol. 2, No. 1.

ABOUT THE AUTHOR

Dr. Mukesh Sharma (M.Sc., Ph.D.), Senior Scientific Officer, Physics Division. He completed his Ph.D. in the field of Material Science and is now working as SSO in Forensic Science. He has been involved in the field of forensic science for 5 years. He has published more than 90 research articles in international/national journals, conferences and magazines. His fields of research are trace evidence analysis, Forensic Physics, Cyber Forensics/Digital Forensics and Crime Scene Management. He has visited approx. 120 crime scenes in the last four years. He has been nominated as Leading Scientist of the World 2010 by IBC, England, and by Asian Academics Achievers, New Delhi. He is a member of the reviewer team at internationally recognized journals such as JDFSL, IJFE and IJFMT. Dr. Sharma is a well-known cyber forensic author and expert at the international level. His expertise is in instrumental measurements on XRD, XRF, SEM and GRIM used in forensic trace evidence analysis. Dr. Sharma is a fellow member and life member of nationally/internationally renowned societies such as IANCAS (India), ISRP (India), ISOI (India), IXAS (Italy), IACSIT (Singapore: Fellow Member 80341901), ISCMNS (England), SASCV (India), UACEE (Thailand) and SDIWC (Taiwan).

ABOUT THE AUTHOR

Dr. Shailendra Jha (M.Sc., Ph.D.), Deputy Director (Physics Division), State Forensic Science Laboratory (Raj.), India. He has been serving the forensic community for 30 years. He is an expert in the fields of trace evidence analysis, Forensic Physics, Cyber Crime/Digital Forensics, Voice Analysis, Video Authentication and Mobile Forensics in Rajasthan, India. He has reported about 500 cases in the Physics Division (cases related to Forensic Physics, Cyber Crime/Digital Forensics, Voice Analysis, Video Authentication and Mobile Forensics) in the last 17 years. He has twice received best paper awards, at the All India Forensic Science Conference in 2008 and 2009. He has co-authored about 20 articles on Forensic Sciences at international and national level with Dr. Sharma.

MOBILE PHONES IN INVESTIGATION
by Satendra Kumar Yadav

Mobiles have become a fundamental need nowadays for communication as well as for other cyber- and network-related work, including banking and shopping. This has increased the vulnerability of information and attracted hackers to commit cyber-frauds, resulting in an increase in forensic cases related to mobiles.
In most crimes where a mobile is involved, it can be used as evidence for the identification and isolation of clues to get investigative leads. Along with digital data, mobile phone devices can also be used for the collection of other evidence such as ear prints, sweat, saliva and fingerprints, which can be used in an investigation to find any association between the crime and the criminal. The present article presents a systematic process for the collection of a mobile from a crime scene and its investigation, including data retrieval or mining from memory cards or flash drives attached to computers for synchronization.

What you will learn:
• This article provides a brief account of mobile phone forensics, its need in the field of investigation, and the proper collection of the mobile device from the crime scene.
• The article provides the proper seizure procedure for mobile devices, documentation of the evidence, and the further stepwise investigation process.
• The article presents the process of identifying the mobile device, its last synchronization when the device or its memory was connected to a computer, and what data was last transferred to the device.

What you should know:
• When starting mobile phone seizure or collecting a mobile phone as evidence from the victim/suspect, we must be informed about the legal formalities and process for it.
• We must know about the packing material and the proper packing of the mobile device, so that there is no connection between the network and the device, using electromagnetic-radiation-proof bags, and other information related to transfer.
• Before starting examination of the mobile device for evidence/data mining, the investigator must have good information and working knowledge of the tools and techniques to be used during the investigation.
He must have knowledge of mobile operating systems, including their programming and execution, along with the examination required and its reporting.

Mobile devices are rapidly becoming a universal requirement worldwide. The 2012 IBM Tech Trends Report (based on a survey of more than 1,200 people involved in making technology decisions for their organizations in 16 different industries and 13 countries, as well as more than 250 academics and 450 students across those same countries) predicted that by the end of 2012 mobile devices would outnumber people. The number of mobile devices is increasing continuously across the world, generating more than 15 petabytes of new data every day; that is roughly eight times the information housed in all the academic libraries and other databases. The Australian Communications and Media Authority has also published figures on the growth and ubiquity of mobile devices in Australia, showing a 3% increase in the number of mobile devices, reaching more than 30.2 million, approximately four mobile services for every three people in Australia.

With the increasing prevalence of mobile devices, and because they are the easiest mode of communication, the involvement of mobile phones in crimes has risen and their recovery from crime scenes is also reported with rapid growth, which has demanded more mobile forensics to identify clues and evidence from the mobile devices. Not only in cases where the mobile was used as a means, whether in sexual assault, blackmailing, adulteration and other pornography-related crimes, or crimes related to burglary, mental torture and harassment, but mobile devices have also provided vital information in cases of suicide and other location-related cases. Forensic evidence extracted from mobile (as well as other electronic) devices can be an invaluable source of evidence for investigators in both civil and criminal prosecution.
Mobile device data can be extracted and then used to generate reports on a range of data, including an individual’s communication and travel habits. For example, in a criminal investigation, data including transaction information such as call history, message data (SMS/MMS/emails), calendar events, photos and emails can often be supplied to the investigating officer in report format. For the evidence to be admissible in a court of law, appropriate forensic procedures must be followed.

MOBILE FORENSICS

Mobile forensics is the part of digital forensics used to collect and retrieve data from mobile phones; it also covers other digital gadgets which have internal memory and a communication process, such as PDAs (personal digital assistants), GPS (global positioning system) devices and tablet computers.

HISTORY OF MOBILE FORENSICS

Just as the historical evolution of humans and other objects/machines has stages or milestones, mobile forensics has gone through several stages:

Stage 1
The development of mobile forensics started in the late 1990s, when it was recognized that mobile phones could help ensure obedience to the law in crime. Earlier, mobile forensics was carried out with the help of computers to collect and retrieve data from the phone directly, by taking screenshots and photographs of the evidence. This process was very time-consuming and comparatively slow.

Stage 2
As days passed, the use of mobile phones increased and investigators started using more efficient ways to investigate, with the help of software called PDA or phone synchronization software, which took a backup of the data from the mobile to a computer. However, this process failed because it did not allow the investigator to perform read/write operations on the phone’s data, and it also could not retrieve deleted data.
Stage 3
As the second stage failed, some investigators introduced software called “flasher” and “twister” boxes, developed by OEMs (original equipment manufacturers). These two kinds of software were used to flash the memory of the phone and update it; however, they were invasive and could change the data. They were very complicated and were not developed as forensic tools, so this method also failed.

Stage 4
All the initial stages failed for security and transaction reasons, while the use of mobile phones, and with it crime, was increasing rapidly. To overcome the shortcomings of those stages and meet the demand of the generation, investigators bought commercial tools made only for forensic purposes, which were also used to recover the phone memory with less interference. So the arrival of commercial tools was a great achievement in meeting the challenges.

Stage 5
After the invention of commercial tools, investigators added some more advanced features and implemented the tools with new techniques through which they could recover deleted data from the mobile phone.

Stage 6
As technology in the field of forensics advanced, the development of the tools likewise became modern and automated. This process was used to trace the suspect with the mobile device and other necessary details recovered from the mobile phone’s data, and helped to make the investigating work easier.

INVESTIGATION PROCESS

In today’s world there are billions of mobile phone users across the globe, which indicates that almost every person carries a mobile phone. These mobile phones are used not only to communicate through calls and messages but also to store information. When a mobile phone is recovered at the crime spot, the investigator can get to know about the owner of the phone in many ways.
The information found inside the phone is more important than the fingerprints traced on the mobile phone. Using forensic software, investigators are able to see the contents of the mobile phone, such as call lists, text messages, pictures, videos, music and much more, to collect evidence and help trace the suspect. As mobile phone technology has developed, a huge amount of data can be found in the mobile phone; evidence can be retrieved from different sources such as phone memory, SIM memory and the SD (secure digital) card. Earlier in mobile forensics, investigators used to recover SMS and MMS messages, call logs, contact lists and the phone’s IMEI/ESN number. With the generation of smartphones, investigation in mobile forensics came to include a variety of information such as web browsing, wireless network settings, GPS location information, emails, social networking sites and other rich internet media.

Types of evidence: there are three main types of evidence which can be collected during the investigation process. They are classified as follows.

1) Internal Memory: this is also called the phone’s main memory or primary memory, which the processor in the mobile phone accesses directly. The internal memory of the mobile phone is the RAM inside the mobile phone. Earlier, the internal memory came as built-in memory from 80MB to 256MB, up to 512MB, and smartphones have built-in memory from 512MB up to 32GB. It is used to store data, and the applications installed on the mobile phone occupy this space along with the call logs, messages and other media.

2) External Memory: this is also called secondary memory. It is not directly accessed by the processor of the mobile phone; instead the processor uses the input/output channels to access the secondary memory.
The secondary memory does not lose its data even if the phone is damaged. The space of the secondary memory is effectively unlimited, for example 32GB. Generally, external memory is used to store large amounts of data such as applications, games, videos, music, movies and other personal data.

3) Service Provider: this is the service provided by telecommunication companies through cellular or mobile networks, which gives mobile phones the network over which they communicate with each other; it plays a very important role in tracing the suspect. The service provider stores details such as call records, text messages and other data sent or received by the user. The service provider always stores this data at its base location through the mobile towers placed in every location for better communication. The service provider plays a very important role in the investigation process: it can also retrieve data that has been deleted on the mobile phone, and another important aspect is that it shows the exact location of the mobile phone, even while the phone is moving with the suspect.

STEP BY STEP INVESTIGATION PROCESS
Finding evidence on a mobile phone is a challenging task; the investigator always examines the mobile phone and retrieves data. Forensic investigators will even retrieve deleted data, including:
1) Call logs, with incoming and outgoing details along with the time and duration of calls.
2) Text messages and MMS.
3) Contact names and phone numbers.
4) Address book entries and email addresses.
5) Photos and videos.

The investigation process can be classified into three parts:
1) Seizure: in this component the investigators seize the mobile phone at the crime scene as evidence and examine the device thoroughly.
2) Isolation: this is a very important component because the data seized at the crime scene can be changed, altered or deleted over the air; this can also be done by the service provider (carrier), and some applications can delete the data remotely.
3) Documentation: in this component the evidence seized at the crime scene is photographed along with the time setting, for better evidence.

The investigation process can be followed through the steps below:
• Maintain network isolation.
• Always document thoroughly by collecting all the information available and photographing it as evidence to support the documentation process.
• If a SIM card is found, remove it and take an image of the SIM card.
• Clone the SIM card.
• Insert the cloned SIM card and do a logical extraction of the mobile phone with the help of tools; if the device is indicated as a non-SIM device, start here.
• Match the data extracted from the logical extraction.
• If the data matches between the mobile phone and the tools, do a physical extraction of the mobile phone.
• Split the data from the physical extraction; this will vary with the manufacturer of the phone and the tools used.
• Carve the image into different file types.
• Report the entire investigation process.

Thus if mobile phones recovered from crime scenes are processed in a precise and proper way, they can provide leads in many cases, from domestic violence to issues of national security or confidential information. USB devices, flash drives and memory cards are also commonly used with mobile devices to increase their storage capacity, so in order to get this information it became necessary to examine them for data. The flexibility of carrying large amounts of data on USB/memory drives makes them all the more important for forensic investigators to extract potential evidence from.
These drives can store from 1 GB to 64 GB of data and more, which is very important in cyber investigations. But before starting with memory forensics, we first need to know a few more things about these drives. These drives support the following file systems:
• Most are preformatted with FAT or FAT32
• NTFS
• TrueFFS
• ExtremeFFS
• JFFS
• YAFFS
• Various UNIX/Linux file systems

Whenever a drive is connected to a Windows PC, its serial number, the company (make) name and the device class ID are written into the Registry, along with the last write date and time, i.e. when the USB drive was last connected. This information can be found at:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR

Figure 1. Screenshot of the registry editor showing the information on the drive or mobile phone attached to the computer for synchronization, along with its details and the last data transferred.

For forensic investigators, write-protecting the evidence exhibit is very important. To manually WRITE-PROTECT memory cards, go to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies\WriteProtect
and set the value to "1".
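As an added example (not the article's own code), the following Python parses a constructed setupapi.log excerpt, the file the checklist below names as the source of a device's first connection time, and splits the USBSTOR device-instance path, the same string that names the subkeys under the Enum\USBSTOR key above, into vendor, product, revision and serial. The log layout and all sample values are constructed; instance IDs whose second character is '&' are flagged, because Windows generates those when the device reports no unique serial.

```python
import re
from datetime import datetime

# Constructed excerpt in the Windows XP setupapi.log layout: a bracketed
# timestamp header opens each install section and "#I124" lines carry the
# USBSTOR device-instance path (real logs hold many more lines per section).
SAMPLE_LOG = r"""[2013/10/02 09:15:41 1172.26 Driver Install]
#-019 Searching for hardware ID(s): usbstor\disksandisk_cruzer_blade___1.00
#I124 Doing copy-only install of "USBSTOR\DISK&VEN_SANDISK&PROD_CRUZER_BLADE&REV_1.00\4C530001230927104531&0".
[2013/10/05 18:02:03 1172.30 Driver Install]
#I124 Doing copy-only install of "USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\7&2f3a1b0c&0&_&0".
[2013/10/07 11:47:12 1172.35 Driver Install]
#I124 Doing copy-only install of "USBSTOR\DISK&VEN_SANDISK&PROD_CRUZER_BLADE&REV_1.00\4C530001230927104531&0".
"""

HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})")
INSTALL_RE = re.compile(r'^#I124 Doing copy-only install of "(USBSTOR\\[^"]+)"')
PATH_RE = re.compile(
    r"^USBSTOR\\DISK&VEN_(?P<vendor>[^&]*)&PROD_(?P<product>[^&]*)"
    r"&REV_(?P<revision>[^\\]*)\\(?P<instance>.+)$",
    re.IGNORECASE,
)


def parse_instance_path(path):
    """Split a USBSTOR device-instance path (also the subkey name under
    Enum\\USBSTOR) into vendor, product, revision and serial. If the second
    character of the instance ID is '&', Windows generated the ID because the
    device reported no unique serial, so it cannot identify one physical stick."""
    m = PATH_RE.match(path)
    if not m:
        raise ValueError("not a USBSTOR disk instance path: %r" % path)
    instance = m.group("instance")
    generated = len(instance) > 1 and instance[1] == "&"
    return {
        "vendor": m.group("vendor"),
        "product": m.group("product"),
        "revision": m.group("revision"),
        # A real serial precedes the first '&'; the trailing "&0" is the port.
        "serial": None if generated else instance.split("&", 1)[0],
        "serial_is_generated": generated,
    }


def first_connections(log_text):
    """Map each device-instance path to the timestamp of the earliest install
    section mentioning it, i.e. the first time that device was connected."""
    current_ts, first = None, {}
    for line in log_text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            current_ts = datetime.strptime(header.group(1), "%Y/%m/%d %H:%M:%S")
            continue
        install = INSTALL_RE.match(line)
        if install and current_ts is not None:
            path = install.group(1)
            if path not in first or current_ts < first[path]:
                first[path] = current_ts
    return first


def find_by_serial(log_text, serial):
    """The checklist's 'search for Serial': returns (identity, first_seen)
    for the device with that serial, or None when it never appears."""
    for path, ts in first_connections(log_text).items():
        info = parse_instance_path(path)
        if info["serial"] and info["serial"].upper() == serial.upper():
            return info, ts
    return None
```

Run against a real setupapi.log, the earliest section for a serial gives the first-connection time; devices with generated IDs should be reported as unidentifiable rather than matched to a specific exhibit.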
USB Device Forensic Details
• Write down vendor, product, version: SYSTEM\CurrentControlSet\Enum\USBSTOR
• Write down serial numbers: SYSTEM\CurrentControlSet\Enum\USBSTOR
• Determine the drive letter the device was mapped to: SOFTWARE\Microsoft\Windows Portable Devices\Devices -> search for the serial number
• Write down volume GUIDs: SYSTEM\MountedDevices -> search for the serial number
• Find the user that used the specific USB device: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 -> search for the device GUID
• Determine the last time the device was connected: SYSTEM\CurrentControlSet\Control\DeviceClasses\{53f56307-b6bf-11d0-94f2-00a0c91efb8b} -> search for the S/N
• Discover the first time the device was connected: C:\Windows\setupapi.log -> search for the serial

SUMMARY
Mobile phone examination and investigation can provide vital information about the crime and the criminal. Mobile devices can serve as physical as well as circumstantial evidence in various types of crime where the mobile device was used as a medium or was left by mistake at the crime scene, as in cases of mental harassment and suicide where an outside person is involved. A mobile phone can be used to collect information about its last synchronization and date of use, and can also be used to trace information about locations, texts and account/banking transactions. This article provides the proper procedure from mobile seizure to step-by-step investigation and analysis that can be used by investigators as well as developers in the cyber forensics community.

ABOUT THE AUTHOR
S K Yadav is currently working as Assistant Professor Sr. at the Department of Forensic Science, Jain University, Bangalore, India and is associated as Forensic Expert for SPIPA, Police Academy, Government of Gujarat State, India under the RAMANA Group. Before his current position Mr.
Yadav worked as Assistant Professor at Kurukshetra University, Kurukshetra, Gujarat Forensic Science University, Gandhinagar, and the Central University of Chhattisgarh. Mr. Yadav has done his MSc., PGDFSc and CCSR in Forensic Science and completed his PhD work in Forensic Biotechnology. He is the proud recipient of various scholarships and awards, among them UGC-JRF, DST-JRF, IASc and the Best Scientific Approach Award, in the field of Forensic Sciences. Mr. Yadav has 4 accepted patents, one copyright and more than 15 research papers in international journals of repute with impact factors.

AT THE CRIME SCENE WITH DIGITAL EVIDENCE
ALWAYS REMEMBER: AT THE CRIME SCENE, DIGITAL EVIDENCE CAN BE VERY IMPORTANT AND SHOULD BE COLLECTED, ACCESSED AND HANDLED PROPERLY
by Jim Bolt

Today most individuals own some type of digital device that they carry everywhere with them, whether it is a cell phone, camera, tablet, laptop or a gaming console, and they are all so important when it comes to valuable digital evidence. The future is here, and with this new age of technology the Detective or Investigator must pay very close attention to what is at the scene of the crime. One piece of digital evidence can make or break the case, and it can be so important just to know what to look for.

What you will learn:
• What can be important at most crime scenes that could be missed?
• When should I look through the data on digital equipment?
• Who should really handle digital evidence?
• What other types of evidence can be found on digital equipment?

What you should know:
• Reports show that 90% of Americans own some type of computerized equipment.
• Most crime scenes have one or more pieces of digital evidence.

Crime scenes are so complex with the amount of regular evidence that can be collected at the scene alone. This does not even include the digital evidence that is just lying around waiting for the trained eye to see it.
Consider this: you are called to a crime scene and when you arrive you are told that a robbery has been committed. The first thing you would be looking for would be the evidence pointing toward the method in which the crime was committed. That would be very important, but how about the camera, tablet or cell phone sitting on a table or floor? Are these pieces of evidence important? Would you just pick up this digital evidence and start thumbing through the enclosed information or data? What would it hurt to see what is there right then? These questions, among others, have been asked so many times and so many answers have been given, but which answers are right and which are wrong?

I asked several trained detectives what they would do if they were at the scene and they admittedly stated "they would pick up the devices and thumb through them to see if anything jumped out at them". In an emergency situation that can sometimes be the right thing to do if you have the training in the proper way to do just that. If not, it is better to contact your Digital forensics examiner/investigator and leave the data collection to him or her, because they are trained in the proper way to obtain or view the evidence with limited changes to the actual evidence that is there. If you just start going through the data and you touch the wrong key, you can lose the valuable evidence you are trying to obtain. Going through the data this way can also alter metadata stored in this digital equipment. Some would ask the question: what is metadata? Metadata describes how the data in the digital equipment was formatted, when it was created and who created it, to name just a few. So this type of information can be very valuable; however, it can be altered very quickly if you start going through the data without the proper training or knowledge to do so.
The Digital forensics examiner/investigator usually has a trained eye for what he or she can use to possibly obtain digital evidence for the case. This Investigator understands the process of collecting, securing and transporting digital evidence and how it should be treated so that the evidence included has not been changed or altered in any way. For this reason only those Investigators specifically trained in digital evidence collection should be permitted to examine any digital evidence and enclosed data present at the crime scene. Each Detective or Investigator needs to have the training or knowledge to know what to inventory and collect at the scene, even if they are not a Digital forensics examiner/investigator, and also know how to package the digital evidence properly.

If you are collecting evidence related to a search warrant for the evidence in a crime, the task can be so vast now because a MicroSD card is so small it can be placed anywhere. These little memory cards can hold so much data that it is amazing what you can find stored on them. I remember when a computer hard drive was less than 20 megabytes and we used to think we could never fill that up. Now a MicroSD can hold so much data it is astounding. The crime scene investigation used to be so fast and to the point, but now it is complex, with items everywhere at the scene and near the scene to obtain. Near the scene, you ask? Well, now there are digital cameras on poles and in every person's hands in the form of cell phones or tablets. Detectives or Investigators must keep in mind that people are curious and also love to take pictures and video with their phones and tablets in this technology age. There have been countless crimes solved just by the evidence collected from another party's cell phone, camera or tablet located near the scene of the crime.
With the way crime scenes are changing through the collection of digital evidence, each department needs to have training in place for the collection of this type of evidence and what they should and should not do with it. I am amazed that even today there are Detectives or Investigators who will pick up a piece of digital evidence and just start looking through the information or data without the proper authority or training to do so. The Detective or Investigator can collect the cell phone, tablet, camera and other types of digital evidence; however, the included data needs to be collected properly. When we discuss authority, all Investigators must remember that the data inside the digital evidence most of the time cannot be included in your crime scene collection or with a standard search warrant for the property itself. This type of evidence most of the time requires a search warrant or some other form of authority for just the included data. This can also be governed by the law itself.

As we step through the crime scene we see countless pieces of evidence, but one of the important things to remember is that just because you know that piece of digital evidence and how it works, there are still other forms of evidence that can be obtained from it. A Digital forensics examiner/investigator, Detective or Investigator must remember there could be fingerprint or touch DNA evidence located on the piece of equipment you are looking at. Therefore it is better to point out the piece of evidence to be collected and then let the crime scene investigator collect the evidence for processing in their lab and then in the digital forensics lab. Once the evidence has been collected from the crime scene and all of the possible outside evidence has been collected from the digital equipment, then it is feasible to obtain the evidence from the Evidence custodian and obtain the evidence located in the data on the item.
I suggest that the Digital forensics examiner/investigator make a list that explains what you are looking for at the scene. This plan can be based on the search warrant or reason for access to the scene and the crime that has been committed. As you are preparing to go to the crime scene you can give everyone collecting evidence this list to show what you are looking for and what to do when they see this type of evidence. Once you and your fellow Investigators arrive at the scene they can fan out and help not only you but also the Crime scene investigator with collection. The list that you provided gives them some insight into what types of evidence could be there that would otherwise be overlooked. You still need to always advise that if there is a questionable item, they should ask whether it needs to be collected. Do not let a valuable piece of evidence get left at the scene to be destroyed.

I was looking back at crime scene photos of a possible identity theft ring and noticed in one of the photos a metal box. A Digital forensics examiner/investigator was not called to this scene for some reason. As I discussed the scene with the Crime scene investigator he explained that they had gone through the scene collecting all the digital evidence that they could see. So I asked "Why didn't you collect the metal box in this photo?" and the Investigator advised "He did not know it was important". This box that was in the photo was very important because it was an external hard drive that could have stored valuable evidence. This evidence was possibly destroyed or transferred to someone else so that they could continue to use the stolen information. Later, after completing the forensic examination of the digital evidence, I was able to find lists of driver license numbers, dates of birth, addresses and much more. This really concerned me because of the one piece of evidence that was left behind.
The Digital forensics examiner/investigator is not the most important person when you are at the scene, but he or she can be a very important part of the crime scene, as can the Crime scene investigator. This is just something to always keep in mind as we move more and more into a digital age. This also lets you know what is important with digital evidence from the crime scene to the lab.

SUMMARY
There are so many pieces of evidence that can be overlooked, such as digital evidence, and not just at the crime scene but near the crime scene. Always remember what is important and what not to do when you see digital evidence. It is better to contact a Digital forensics examiner/investigator to collect the digital evidence and to search through the data properly. You can alter important information when you thumb through the data on digital evidence if it is done improperly. Remember there is more evidence on digital equipment than just the internal data, so let the Crime scene investigator look at the equipment first. When at the crime scene, asking whether a strange object is important to collect can matter, because it could be digital evidence that should not be left behind.

ABOUT THE AUTHOR
Jim Bolt served with the Army National Guard, where his job included being a Network Engineer, Information Systems Team Chief, Tactical Operator Maintainer for Tactical Systems, COMSEC Custodian, and working in software development, network and information security and web development. He has been in Law Enforcement since 1990 and still works in the field today. He started in law enforcement as a SC State Trooper, where he was involved with the start and implementation of their Information Technologies Unit.
Once implemented, he remained a member of the unit as a Network Engineer and Software developer. In 2008 he began the computer forensics lab at the APD, where he currently handles cases from 39 agencies, including federal, state and local law enforcement, with their computer and mobile forensic needs. He was asked in 2010 to oversee the IT Unit at the APD. In 1995 he started his technology-based business with the concept of helping those companies that cannot afford the high costs of having on-board staff to handle IT matters. His business has since grown to incorporate many other aspects of technology-based systems as well as another computer forensics lab.