Mobile/Smart Phone Forensics

Watcharaphon Wongaphai
Senior Information Security Instructor
GIAC GCFA, SSCP, E|CSA, C|EH, CNE6, Security+, Network+, CCNA

Prathan Phongthiproek
Section Manager, Senior Information Security Consultant
GIAC GPEN, eCPPT, E|CSA, C|EH, CIW Security Analyst, CPTS, CWNP, CWSP, Security+, ITIL-F

ACIS Professional Center
Outline
1) Introduction to Mobile Forensics
2) Forensic Analysis of iPhone
   - Jailbroken
   - iTunes backup files
Forensic Soundness
• What did it mean for disk forensics?
• Does it mean the same thing for mobile devices?
• Mobile devices are volatile by nature
  – The real-time clock value in memory changes all the time
  – Acquiring SMS messages may change their status to "Read"
  – Some tools run code on the device itself!
• Our goal is to change as little as possible
  – For example, disable automatic sync when using BlackBerry Desktop Manager, and disable conversion to local time in ABC Amber Converter
Evidence Take-In and Chain of Custody
• Document the scene
  – Handle with care, and with gloves!
  – For the Chain of Custody form, find the serial number
  – Don't forget MicroSD cards!
  – Photograph the device where it is found
  – Document what is showing on the screen, if anything
  – Power concerns
  – Take cables and documentation
Blocking Network Connectivity
• Disable the radio
  – How can you be sure it's disabled?
• Faraday isolation
  – Not all products are created equal!
  – Usually causes the battery to be depleted more quickly
• Use a "safe" SIM card
• Remember, you want to turn off the phone's connectivity to the service provider, as well as its WiFi and Bluetooth connectivity
• Exercise: Disable network connectivity on your own phone.
• What
  – Phone call database
  – E-mail and memos
  – SMS/MMS
  – Internet and LAN access
  – Visited URLs and saved pages
• Where
  – Location information
• Who
  – Owner details and user accounts
  – Contacts and cohorts
  – Personalizations (wallpaper, ringtones)
• When
  – Calendar items
  – File system metadata
  – Timestamps may not be immediately visible
Messaging
• Short message service (SMS)
• Multimedia message service (MMS)
• Instant messaging
• BlackBerry
  – PIN messages
  – BlackBerry IM
Internet Activities
• Downloaded images and web pages
• Email
• Visited URLs
• History log
• Browser cache
Location Tracking
• Location-based applications
  – Loopt
  – Google Latitude
  – Yahoo! Fire Eagle
  – Citysense
  – LifeBlog
  – Facebook (Friends on Fire)
  – Foursquare
  – Twitter
GPS Embedded in Photos
• GPS coordinates embedded in Exif
• The same Exif we talked about for disk forensics
• This is often added automatically if the phone is GPS aware.
Think Outside the Device
• Past usage information
  – Network service provider records
  – Look for paper bills
• Detailed history of usage
  – Date and duration of calls
  – Numbers called
  – SMS messages sent (no content retained)
• The NSP maintains detailed records
  – Calling IMSI and IMEI
  – Called IMSI and IMEI
  – Location: first and last cell
  – Charging details
iPhone Forensics with a Jailbroken Device
Zdziarski Technique
• Step by step:
  – Jailbreak
  – Forensic acquisition
  – SSH
  – Create an image using the dd command
  – Transfer the image using netcat
  – Use scalpel to carve data
(Screenshots: SSH connection; dd image via netcat)
iPhone Explorer
(Screenshot caption: delete this file to bypass the passcode)
iPhone System path
What can be recovered?
iPhone Forensics with iTunes Backup Files
SYNC and Backup
• After activation, a sync is conducted whenever the iPhone is connected to the computer
• The user can define what is to be synced, including:
  – Music
  – Photos
  – Ringtones
  – Contacts & Calendars
  – Podcasts
  – Video
  – Third-party applications
• Third-party applications can initiate the use of the iPhone as a file storage device
SYNC and Backup
• Backup data location
  – Windows XP
    C:\Documents and Settings\(username)\Application Data\Apple Computer\MobileSync\Backup\
  – Windows 7
    C:\Users\(username)\AppData\Roaming\Apple Computer\MobileSync\Backup\
  – Mac OS X
    /Users/(username)/Library/Application Support/MobileSync/Backup/
SYNC and Backup
• Backup folder files
  – Many .mdbackup files
    The file name is a SHA1 hash, assigned when the data is serialized off the iPhone and stored as the backup file
  – Status.plist
    Status of the last sync
  – Manifest.plist
    List of all files backed up, with modification time and hash signature
  – Info.plist
    Information about the iPhone (Name, ICCID, IMEI, Number, Firmware version)
.mdbackup files
• Safari History & Bookmarks
• Photos (phone & synced iPhoto)
• Sent & Received SMS
• Calendar Events
• Notes
• Address Book Entries
• Call History
• Cookies
• Google Maps History
• Email Account Settings
• YouTube Last Search, Last Viewed & Bookmarks data
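The two backup slides above describe the folder layout (hash-named .mdbackup files plus Info.plist) and the artifacts inside it. The following Python script is an added example, not from the slides or from Apple; it builds a constructed backup folder, then inventories it: reads the device details from Info.plist, unpacks each .mdbackup record, classifies the payload (SQLite database vs. plist), and checks that each file name still matches its expected hash. It assumes an .mdbackup is a binary plist with "Domain", "Path" and "Data" keys named SHA1("Domain-Path"), and the Info.plist keys shown are sample values.

```python
import hashlib
import os
import plistlib
import tempfile

# Assumption (not stated on the slides): each .mdbackup is a binary plist carrying
# "Domain", "Path" and "Data", and the file is named SHA1("Domain-Path").
SQLITE_MAGIC = b"SQLite format 3\x00"

def backup_name(domain, path):
    """Backup file name for one device file, assumed to be SHA1 of 'Domain-Path'."""
    return hashlib.sha1(f"{domain}-{path}".encode()).hexdigest()

def write_plist(fname, obj, fmt=plistlib.FMT_XML):
    with open(fname, "wb") as f:
        f.write(plistlib.dumps(obj, fmt=fmt))

def make_sample_backup(root):
    """Write a constructed backup folder: Info.plist plus two .mdbackup files."""
    sample = {  # (domain, on-device path) -> constructed file content
        ("HomeDomain", "Library/SMS/sms.db"): SQLITE_MAGIC + b"\x00" * 16,
        ("HomeDomain", "Library/Safari/History.plist"): plistlib.dumps({"WebHistoryDates": []}, fmt=plistlib.FMT_BINARY),
    }
    for (domain, path), data in sample.items():
        record = {"Domain": domain, "Path": path, "Data": data}
        write_plist(os.path.join(root, backup_name(domain, path) + ".mdbackup"), record, plistlib.FMT_BINARY)
    # Constructed device details (name, IMEI, firmware), as the slides list for Info.plist
    write_plist(os.path.join(root, "Info.plist"),
                {"Device Name": "sample iPhone", "IMEI": "000000000000000", "Product Version": "3.1.3"})

def inventory(root):
    """Return device info and (domain, path, kind, name_ok) for every .mdbackup file."""
    with open(os.path.join(root, "Info.plist"), "rb") as f:
        info = plistlib.load(f)
    items = []
    for fname in sorted(os.listdir(root)):
        if not fname.endswith(".mdbackup"):
            continue
        with open(os.path.join(root, fname), "rb") as f:
            rec = plistlib.load(f)
        data = rec["Data"]
        kind = "sqlite" if data.startswith(SQLITE_MAGIC) else "plist" if data.startswith((b"bplist00", b"<?xml")) else "other"
        # A renamed or tampered record no longer matches SHA1(Domain-Path)
        name_ok = fname[: -len(".mdbackup")] == backup_name(rec["Domain"], rec["Path"])
        items.append((rec["Domain"], rec["Path"], kind, name_ok))
    return info, items

def demo():
    root = tempfile.mkdtemp()  # build the constructed backup in a scratch folder
    make_sample_backup(root)
    return inventory(root)
```

Pointing `inventory()` at a real backup folder lists which hash-named file holds which on-device path, which is what you need before opening the SQLite databases (SMS, call history) the slide above enumerates.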