Mfa smartphones 2012


Published in: Technology

  1. Advanced Techniques in Forensic Examination of Smartphones 2012. (C) Oxygen Software, 2000-2012
  2. Worldwide smartphone sales
     • 101M devices sold in 4Q 2010
     • 149M devices sold in 4Q 2011
     • [Pie charts: share by platform (Symbian, RIM, iOS, Android, Microsoft, Bada, Other)]
     • Source: Gartner (February 2012)
     • Smartphone market increased by 48,5% during just 1 year!
  3. Top smartphone vendors - 2011
     • 471.7M devices sold in 2011
     • [Pie chart: share by vendor (Apple, Samsung, Nokia, RIM, HTC, Others)]
     • Source: Gartner (February 2012)
  4. Smartphones: What information is stored on a modern smartphone?
  5. Smartphone is a small PC
     • Cell phone
     • Address book
     • Planner & Organizer
     • Messenger
     • Photo & Video camera
     • GPS navigator
     • Web & IM client
     • Platform for 3rd party apps
  6. Smartphone as: Cell phone
     Basic Information
     • IMEI/MEID/Serial number
     • Hardware & Software revision
     • Network information
     Event log
     • Incoming, outgoing, missed calls history
     • Sent & received messages history
     • GPRS & Wi-Fi sessions log
     SIM card
     • IMSI
     • Phone numbers*
     • SMS messages*
     * - Usually these features are not utilized by smartphones
  7. Smartphone as: Address book
     Contacts information
     • First, middle, last name, nickname, joint name, company, department, job title
     • Photo and personal ringing tone
     • Phone numbers: general, mobile, fax, video, pager, VoIP, push-to-talk
     • Postal addresses, Web pages and e-mails
     • Different contact sources (Android)
     • Number of calls (Android)
     • Text notes
     • Private info: birthday, spouse, children
     • Custom field labels (Symbian, iPhone OS)
     • Multiple fields of the same type
     • Creation and last modification times (Symbian, iPhone OS)
     Caller groups
     • List of caller groups & belonging contacts
     Speed dials
     • List of assigned speed dials
  8. Smartphone as: Planner
     Calendar events
     • Meetings, reminders and anniversaries
     • Start date & time
     • Finish date & time
     • Alarm date & time
     • Recurrence
     • Last modification date & time
     Tasks
     • Task description
     • Deadline
     • Priority
     • Alarm date & time
     • Completion date & time
     Notes
     • Note text & date
  9. Smartphone as: Messenger
     Messaging system
     • Text messages (SMS)
     • Multimedia messages (MMS)
     • E-mail messages with attached files
     • BIO messages: vCard, vCal, configuration and others
     • Beamed messages: files sent via Bluetooth, IR or USB
     • Standard message folders
     • Custom message folders
     • Date & time
     • Service center timestamp for incoming messages
     • Information about deleted SMS messages (Symbian, iPhone OS)
  10. Smartphone as: GPS navigator
     GPS Navigator
     • Last fixed GPS coordinates
     • Search history
     • Routes history
     • Last displayed map
     • Saved maps
     • List of favorite places
     Location tagger
     • GPS coordinates in camera snapshots*
     • Cell coordinates in camera snapshots*
     • Cell coordinates for camera snapshots**
     • Cell coordinates for video records**
     • Cell coordinates for SMS messages**
     * - Available in EXIF header for almost all models having GPS receiver
     ** - Available in several Nokia smartphones and Sony Ericsson devices
  11. Smartphone as: Web client
     Web browser
     • Web cache files
     • Bookmarks
     • Pages view history
     • Last opened URLs
     • Search history
     • Cookies
     IM client
     • IP, Login (UID, e-mail) and password*
     • Contacts list
     • Chat history
     • Calls history
     * - Available for some IM clients
  12. Smartphone as: PC
     Operating System apps
     • Camera snapshots
     • Video clips
     • Voice records
     • Sounds and Podcasts
     • Wi-Fi networks list
     • Paired Bluetooth devices list
     • Activated SIM cards list
     • VPN profiles
     3rd party apps
     • List of installed applications
     • Office documents
     • Application logs & data files
  13. Extraction: What data extraction methods are available for mobile devices?
  14. Standard extraction methods
     There are 2 standard ways to get forensic information from smartphones: logical and physical analysis.
     Logical analysis
     • Data extracted using common PC-to-mobile communication protocols: AT, OBEX, SyncML
     • Smartphone connected to PC with a standard cable (or Bluetooth/IR adapter)
     Physical analysis
     • Data extracted using direct memory reading (hex dump)
     • Smartphone (or its memory chip only) connected to special hardware
  15. Logical analysis for smartphones
     AT+
     • General phone information
     • Contacts (simple), calls*, SMS, settings*
     Nokia FBUS
     • General phone information
     OBEX
     • General phone information
     • Files*
     SyncML
     • General phone information
     • Contacts, calendar, notes, settings*, bookmarks, messages*
     [Iceberg graphic labels: General phone information, Contacts*, Calendar, Notes, Calls history, Messages*, Files*, Settings*, Bookmarks, Caller groups, Custom field labels, Speed dials, Messages from custom folders, Event log, Deleted messages information, Service center timestamps, GPS information, Location tagged data, Web browser data, IM client data, 3rd party apps]
     * - Available data set is restricted and depends highly on manufacturer implementation
     1) The information extracted by all logical protocols is only the tip of the iceberg
     2) All logical protocols were developed for data synchronization
  16. Physical analysis for smartphones: What to do with gigabytes of that?
  17. Standard extraction methods: Summary
     Logical analysis
     • Little information can be extracted
     • Easy to perform
     • Easy to analyze
     • Affordable software, no special hardware needed
     Physical analysis
     • All information can be extracted
     • Hard to perform
     • Very hard to analyze
     • Expensive software, special hardware needed
  18. How to extract data without a headache?
     In 2002 Oxygen Software invented the 3rd way: analysis using a special agent application working inside the smartphone OS.
     Logical analysis
     • Little information can be extracted
     • Easy to perform
     • Easy to analyze
     • Affordable software, no special hardware needed
     Physical analysis
     • All information can be extracted
     • Hard to perform
     • Very hard to analyze
     • Expensive software, special hardware needed
     Analysis using Agent application
     • Most of the information can be extracted*
     • Easy to perform
     • Easy to analyze
     • Affordable software, no special hardware needed
     * - Agent can extract all the information available for native OS applications
  19. Agent application usage
     • General phone information & SIM card data
     • Contacts with all fields and custom field labels
     • Caller groups & Speed dials
     • Event Log
     • Calendar events
     • Tasks & Notes
     • Messages from standard and custom folders
     • Deleted messages information
     • Service center timestamp
     • Camera snapshots, video clips and voice records
     • File system
     • GPS & Location tagged information
     • Web browser cache & bookmarks
     • IM clients data
     • 3rd party applications with their information
     Marked with a minus sign on the slide:
     • Protected operating system files
     • Memory dump
  20. Afraid of writing to device?
     Comparison of phone content changes when performing analysis using different approaches.
     SyncML protocol usage
     • Setting up sync parameters
     • Installing extra sync add-ons*
     • Running SyncML server
     • SyncML server generates synchronization log files
     Agent application usage
     • Loading Agent to device
     • Installing Agent
     • Running Agent
     • Uninstalling Agent**
     * - Extra sync add-ons installation may be needed to extract some additional information (e.g. MMS)
     ** - Agent does not generate any log files
     Unlike the Agent, the SyncML server is not a forensically designed app and is outside the examiner's full control. In addition, it makes more data modifications than the Agent.
  21. Summary
     Smartphones are a considerable part of mobile device market
     FutureSource Consulting forecasts that, between 2008 and 2013, annual sales of smartphones will rise by 95% to over 300 million. It will be around 37% of all new mobile phones, up from 13% in 2008.
     Smartphones store much more important forensic information than plain cell phones
     Being multiple-in-one devices with an OS that has an open API, smartphones are turning into small PCs with big memory sizes, a wide set of preinstalled applications and a huge number of available 3rd party applications.
     Standard extraction methods are less effective for smartphones
     All logical protocols were developed for sync purposes, thus they can only extract the tip of the iceberg. Physical analysis of gigabyte hex dumps takes a lot of time.
     Agent application usage is the golden mean
     The Agent application approach, introduced by Oxygen Software in 2002, almost achieves the completeness of data extracted by physical methods. At the same time it works via standard cables and adaptors and presents the extracted data in a readable and user-friendly format that is more like a logical analysis.
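
Slide 15 lists the AT protocol as returning only "simple" contacts. The following added example (not part of the presentation and not Oxygen Software code) parses constructed responses to the standard `AT+CPBR` phonebook read to show the four fields such an extraction yields per entry, including the hex-encoded names seen when the handset character set is UCS2. The transcripts, the `parse_cpbr` function and its output field names are assumptions made for illustration.

```python
import re

# Constructed transcripts of an AT+CPBR phonebook read (3GPP TS 27.007).
SAMPLE_GSM = (
    'AT+CPBR=1,2\r\n'
    '+CPBR: 1,"+15550100",145,"Alice Example"\r\n'
    '+CPBR: 2,"5550101",129,"Bob, Work"\r\n'
    '\r\nOK\r\n'
)
# Constructed read after AT+CSCS="UCS2": the name arrives as UTF-16BE hex
# digits, and this read ends in an error instead of OK.
SAMPLE_UCS2 = (
    '+CPBR: 1,"+15550102",145,"0410043D043D0430"\r\n'
    '\r\n+CME ERROR: 21\r\n'
)

# index, "number", type-of-number, "text"; later vendor fields are ignored.
CPBR_LINE = re.compile(r'^\+CPBR:\s*(\d+),"([^"]*)",(\d+),"([^"]*)"')
NUMBER_TYPES = {145: "international", 129: "national/unknown"}


def parse_cpbr(transcript, charset="GSM"):
    """Return (entries, status). status is the final result line
    ('OK', 'ERROR', '+CME ERROR: n') or 'INCOMPLETE' if none was seen,
    so a truncated extraction is not mistaken for a complete one."""
    entries, status = [], "INCOMPLETE"
    for line in transcript.splitlines():
        line = line.strip()
        match = CPBR_LINE.match(line)
        if match:
            index, number, ntype, text = match.groups()
            if charset == "UCS2":
                try:
                    text = bytes.fromhex(text).decode("utf-16-be")
                except ValueError:
                    pass  # keep the raw field rather than drop evidence
            entries.append({
                "index": int(index),
                "number": number,
                "type": NUMBER_TYPES.get(int(ntype), f"other({ntype})"),
                "name": text,
            })
        elif line in ("OK", "ERROR") or line.startswith("+CME ERROR"):
            status = line
    return entries, status
```

Each parsed entry carries only an index, a number, a number type and one text label, with none of the extra contact fields, caller groups or timestamps listed on slide 7.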