CS6004 – CYBER FORENSICS
UNIT V
ANALYSIS AND VALIDATION
OUTLINE
 Validating Forensics Data
 Data Hiding Techniques
 Performing Remote Acquisition
 Network Forensics
 Email Investigations
 Cell Phone and Mobile Devices Forensics
Prepared by R. Arthy, AP/IT, KCET
VALIDATING FORENSICS
DATA
OBJECTIVES
 Determine what data to analyze in a computer forensics
investigation
 Explain tools used to validate data
 Explain common data-hiding techniques
 Describe methods of performing a remote acquisition
DETERMINING WHAT DATA TO COLLECT AND
ANALYZE
INTRODUCTION
 Examining and analyzing digital evidence depends on:
 Nature of the case
 Amount of data to process
 Search warrants and court orders
 Company policies
 Scope creep
 Investigation expands beyond the original description
 Right of full discovery of digital evidence
APPROACHING COMPUTER FORENSICS
CASES
 Some basic principles apply to almost all computer
forensics cases
 The approach you take depends largely on the specific type of
case you’re investigating
 Basic steps for all computer forensics investigations
 For target drives, use only recently wiped media that have
been reformatted
 And inspected for computer viruses
 Inventory the hardware on the suspect’s computer and note
the condition of the computer when seized
 Remove the original drive from the computer
 Check date and time values in the system’s CMOS
 Record how you acquired data from the suspect drive
 Process the data methodically and logically
[CONTD…]
 List all folders and files on the image or drive
 If possible, examine the contents of all data files in all folders
 Starting at the root directory of the volume partition
 For all password-protected files that might be related to the
investigation
 Make your best effort to recover file contents
 Identify the function of every executable (binary or .exe) file
that doesn’t match known hash values
 Maintain control of all evidence and findings, and document
everything as you progress through your examination
REFINING AND MODIFYING THE
INVESTIGATION PLAN
 Considerations
 Determine the scope of the investigation
 Determine what the case requires
 Whether you should collect all information
 What to do in case of scope creep
 The key is to start with a plan but remain flexible in the
face of new evidence
USING ACCESSDATA FORENSIC TOOLKIT TO
ANALYZE DATA
 Supported file systems: FAT12/16/32, NTFS, Ext2fs, and
Ext3fs
 FTK can analyze data from several sources, including image
files from other vendors
 FTK produces a case log file
 Searching for keywords
 Indexed search
 Live search
 Supports options and advanced searching techniques, such as
stemming
[CONTD…]
 Analyzes compressed
files
 You can generate
reports
 Using bookmarks
VALIDATING FORENSIC DATA
INTRODUCTION
 One of the most critical aspects of computer forensics
 Ensuring the integrity of data you collect is essential for
presenting evidence in court
 Most computer forensic tools provide automated hashing of
image files
 Computer forensics tools have some limitations in performing
hashing
 Learning how to use advanced hexadecimal editors is necessary to
ensure data integrity
VALIDATING WITH HEXADECIMAL EDITORS
 Advanced hexadecimal editors offer many features not
available in computer forensics tools
 Such as hashing specific files or sectors
 Hex Workshop provides several hashing algorithms
 Such as MD5 and SHA-1
 See Figures 9-4 through 9-6
 Hex Workshop also generates the hash value of selected
data sets in a file or sector
[CONTD…]
 Using hash values to discriminate data
 AccessData has a separate database, the Known File Filter
(KFF)
 Filters known program files from view, such as MSWord.exe, and
identifies known illegal files, such as child pornography
 KFF compares known file hash values to files on your
evidence drive or image files
 Periodically, AccessData updates these known file hash
values and posts an updated KFF
VALIDATING WITH COMPUTER FORENSICS
PROGRAMS
 Commercial computer forensics programs have built-in
validation features
 ProDiscover’s .eve files contain metadata that includes the
hash value
 Validation is done automatically
 Raw format image files (.dd extension) don’t contain metadata
 So you must validate raw format image files manually to ensure the
integrity of data
 In AccessData FTK Imager
 When you select the Expert Witness (.e01) or the SMART (.s01)
format
 Additional options for validating the acquisition are displayed
 Validation report lists MD5 and SHA-1 hash values
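The validation step described above, hashing a raw image as a whole and hashing a selected run of sectors the way a hex editor does, then comparing against the values recorded at acquisition, as an added Python example. This is not code from the slides or from any of the vendor tools named; the 512-byte sector size, the sample image contents and the helper names (`build_sample_image`, `flip_byte`) are assumptions made for the example, and the `recorded` dictionary stands in for the hash values written in the acquisition log, since a raw .dd file carries no metadata of its own.

```python
import hashlib
import os
import tempfile

SECTOR_SIZE = 512  # assumption: 512-byte sectors


def hash_stream(fh, algorithms=("md5", "sha1"), length=None, chunk=1 << 20):
    """Hash `length` bytes from the current position (the whole file when None)."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    remaining = length
    while remaining is None or remaining > 0:
        size = chunk if remaining is None else min(chunk, remaining)
        block = fh.read(size)
        if not block:
            if remaining is not None:
                raise ValueError("sector range runs past the end of the image")
            break
        for h in hashers.values():
            h.update(block)
        if remaining is not None:
            remaining -= len(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_image(path, algorithms=("md5", "sha1")):
    """Digest of a whole raw (.dd) image: the value the acquisition log must record."""
    with open(path, "rb") as fh:
        return hash_stream(fh, algorithms)


def hash_sectors(path, first, count, algorithms=("md5", "sha1")):
    """Digest of a contiguous run of sectors, like hashing a selection in a hex editor."""
    with open(path, "rb") as fh:
        fh.seek(first * SECTOR_SIZE)
        return hash_stream(fh, algorithms, length=count * SECTOR_SIZE)


def validate_image(path, recorded):
    """Recompute each recorded digest and report True/False per algorithm."""
    computed = hash_image(path, tuple(recorded))
    return {name: computed[name] == recorded[name].lower() for name in recorded}


def build_sample_image(sectors):
    """Write constructed sample sectors to a temporary .dd file; returns its path."""
    fd, path = tempfile.mkstemp(suffix=".dd")
    with os.fdopen(fd, "wb") as fh:
        for content in sectors:
            fh.write(content.ljust(SECTOR_SIZE, b"\x00"))
    return path


def flip_byte(path, offset):
    """Copy the image with one bit changed, simulating silent corruption or tampering."""
    with open(path, "rb") as fh:
        data = bytearray(fh.read())
    data[offset] ^= 0x01
    fd, out = tempfile.mkstemp(suffix=".dd")
    with os.fdopen(fd, "wb") as fh:
        fh.write(bytes(data))
    return out


# Constructed sample image: four sectors, sector 2 deliberately left blank.
SAMPLE_SECTORS = [b"boot sector placeholder", b"evidence file A", b"", b"evidence file B"]

if __name__ == "__main__":
    image = build_sample_image(SAMPLE_SECTORS)
    recorded = hash_image(image)  # what the acquisition log would record
    print("whole image :", recorded)
    print("sector 1    :", hash_sectors(image, 1, 1)["sha1"])
    print("valid copy  :", validate_image(image, recorded))
    print("altered copy:", validate_image(flip_byte(image, 3 * SECTOR_SIZE + 7), recorded))
```

Hashing whole sector runs rather than individual files is what lets you pin down which part of an image changed when a validation fails: hash the image once, then bisect by sector range until the mismatching region is found.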
DATA-HIDING TECHNIQUES
ADDRESSING DATA-HIDING TECHNIQUES
 File manipulation
 Filenames and extensions
 Hidden property
 Disk manipulation
 Hidden partitions
 Bad clusters
 Encryption
 Bit shifting
 Steganography
HIDING PARTITIONS
 Delete references to a partition using a disk editor
 Re-create links for accessing it
 Use disk-partitioning utilities
 GDisk
 PartitionMagic
 System Commander
 LILO
 Account for all disk space when analyzing a disk
MARKING BAD CLUSTERS
 Common with FAT systems
 Place sensitive information on free space
 Use a disk editor to mark space as a bad cluster
 To mark a good cluster as bad using Norton Disk Edit
 Type B in the FAT entry corresponding to that cluster
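The bad-cluster trick above, and the check an examiner runs against it, as an added Python example (not code from the slides or from Norton Disk Edit). A FAT12 entry of 0xFF7 is the "bad cluster" mark that Disk Edit's B command writes; the example builds a constructed 16-cluster FAT12 volume with 512-byte clusters, parks data in a cluster, marks it bad, and then lists every bad-marked cluster that still holds readable content. The volume layout and the sample contents are assumptions made for the example.

```python
FAT12_FREE = 0x000
FAT12_BAD = 0xFF7   # what "marking a cluster bad" writes into the FAT
FAT12_EOC = 0xFFF   # end of a cluster chain
CLUSTER_SIZE = 512  # assumption: one 512-byte sector per cluster
TOTAL_CLUSTERS = 16  # entries 0 and 1 are reserved; 2..15 hold data


def fat12_get(fat, n):
    """Read the 12-bit FAT entry for cluster n (entries are packed 1.5 bytes each)."""
    off = n + n // 2
    if n & 1:
        return ((fat[off + 1] << 4) | (fat[off] >> 4)) & 0xFFF
    return (((fat[off + 1] & 0x0F) << 8) | fat[off]) & 0xFFF


def fat12_set(fat, n, value):
    """Write the 12-bit FAT entry for cluster n without disturbing its neighbour."""
    off = n + n // 2
    value &= 0xFFF
    if n & 1:
        fat[off] = (fat[off] & 0x0F) | ((value & 0x0F) << 4)
        fat[off + 1] = value >> 4
    else:
        fat[off] = value & 0xFF
        fat[off + 1] = (fat[off + 1] & 0xF0) | (value >> 8)


def cluster_bytes(data, n):
    start = (n - 2) * CLUSTER_SIZE
    return data[start:start + CLUSTER_SIZE]


def classify(entry):
    if entry == FAT12_FREE:
        return "free"
    if entry == FAT12_BAD:
        return "bad"
    if entry >= 0xFF8:
        return "eoc"
    return "used"


def account_space(fat):
    """Account for every data cluster: the 'account for all disk space' check."""
    counts = {"free": 0, "used": 0, "bad": 0, "eoc": 0}
    for n in range(2, TOTAL_CLUSTERS):
        counts[classify(fat12_get(fat, n))] += 1
    return counts


def suspicious_bad_clusters(fat, data):
    """Clusters marked bad whose content is not blank: candidates for hidden data."""
    return [n for n in range(2, TOTAL_CLUSTERS)
            if fat12_get(fat, n) == FAT12_BAD and any(cluster_bytes(data, n))]


def build_sample_volume():
    """Constructed FAT12 volume: one real file, one hidden cluster, one real bad cluster."""
    fat = bytearray(TOTAL_CLUSTERS * 3 // 2)
    data = bytearray((TOTAL_CLUSTERS - 2) * CLUSTER_SIZE)
    fat12_set(fat, 0, 0xFF0)
    fat12_set(fat, 1, 0xFFF)
    # a legitimate two-cluster file: 2 -> 3 -> EOC
    fat12_set(fat, 2, 3)
    fat12_set(fat, 3, FAT12_EOC)
    data[0:10] = b"README.TXT"
    # the suspect's trick: write data into cluster 5, then mark 5 as bad
    hidden = b"hidden ledger: 40000 USD moved offshore"
    start = (5 - 2) * CLUSTER_SIZE
    data[start:start + len(hidden)] = hidden
    fat12_set(fat, 5, FAT12_BAD)
    # a genuinely failed cluster: marked bad and blank
    fat12_set(fat, 7, FAT12_BAD)
    return fat, data


if __name__ == "__main__":
    fat, data = build_sample_volume()
    print("space accounting:", account_space(fat))
    for n in suspicious_bad_clusters(fat, data):
        print(f"cluster {n} marked bad but holds:", cluster_bytes(data, n).rstrip(b"\x00"))
```

The same idea carries to FAT16 (0xFFF7) and FAT32 (0x0FFFFFF7): a bad-cluster mark is a claim about the media, so any marked cluster that reads cleanly and contains non-zero data deserves a look.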
BIT-SHIFTING
 Old technique
 Shift bit patterns to alter byte values of data
 Make files look like binary executable code
 Tool
 Hex Workshop
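Bit shifting and its reversal as an added Python example (not code from the slides or from Hex Workshop). Rotating every byte by a few bits turns readable text into something that looks like binary; because rotation loses nothing, the examiner can undo it by trying all eight rotations and keeping the one that yields the highest proportion of printable bytes. The sample message and the printable-byte heuristic are assumptions made for the example.

```python
# Printable ASCII plus tab, LF and CR: a deliberately strict definition so that a
# correctly recovered text file scores 1.0 and a shifted one scores well below it.
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def rotate_left(data, bits):
    """Rotate each byte left by `bits` (0..7); information is preserved."""
    bits %= 8
    return bytes(((b << bits) | (b >> (8 - bits))) & 0xFF for b in data)


def rotate_right(data, bits):
    return rotate_left(data, (8 - bits % 8) % 8)


def printable_ratio(data):
    if not data:
        return 0.0
    return sum(b in PRINTABLE for b in data) / len(data)


def guess_shift(data):
    """Try every rotation and return (bits, recovered) for the most text-like result."""
    best = max(range(8), key=lambda k: printable_ratio(rotate_right(data, k)))
    return best, rotate_right(data, best)


SAMPLE_MESSAGE = b"Meet at the dock at 0300, bring the ledger.\n"  # constructed sample

if __name__ == "__main__":
    shifted = rotate_left(SAMPLE_MESSAGE, 3)
    print("shifted bytes    :", shifted[:16].hex())
    print("printable ratio  :", round(printable_ratio(shifted), 2))
    bits, recovered = guess_shift(shifted)
    print(f"recovered (shift {bits}):", recovered.decode())
```

A file whose printable ratio jumps to 1.0 under exactly one rotation was almost certainly bit-shifted rather than compressed or encrypted, which would score uniformly badly under every rotation.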
USING STEGANOGRAPHY TO HIDE DATA
 Greek for “hidden writing”
 Steganography tools were created to protect copyrighted
material
 By inserting digital watermarks into a file
 Suspect can hide information on image or text document files
 Most steganography programs can insert only small amounts of
data into a file
 Very hard to spot without prior knowledge
 Tools: S-Tools, DPEnvelope, jpgx, and tte
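Least-significant-bit (LSB) embedding, the technique most of the steganography programs named above use for images, as an added Python example (not code from the slides or from any of those tools). The cover is a constructed 4096-byte 8-bit "pixel" buffer rather than a real image file; the 4-byte length header and the capacity rule are assumptions made for the example. It shows both points in the text: the payload fits only if it is small (one bit per cover byte), and the altered cover differs from the original by at most one unit per byte, which is why it is so hard to spot by eye.

```python
HEADER_BYTES = 4  # assumption: payload length stored in the first 32 LSBs


def lsb_capacity(cover):
    """Maximum payload in bytes: one bit per cover byte, minus the length header."""
    return len(cover) // 8 - HEADER_BYTES


def lsb_embed(cover, payload):
    """Replace the LSB of successive cover bytes with the bits of header + payload."""
    if len(payload) > lsb_capacity(cover):
        raise ValueError("payload exceeds cover capacity")
    stego = bytearray(cover)
    stream = len(payload).to_bytes(HEADER_BYTES, "big") + payload
    i = 0
    for byte in stream:
        for bit in range(7, -1, -1):
            stego[i] = (stego[i] & 0xFE) | ((byte >> bit) & 1)
            i += 1
    return bytes(stego)


def lsb_extract(stego):
    """Read the header, then the payload; None if the header is not plausible."""
    def read(n_bytes, start):
        out, i = bytearray(), start
        for _ in range(n_bytes):
            value = 0
            for _ in range(8):
                value = (value << 1) | (stego[i] & 1)
                i += 1
            out.append(value)
        return bytes(out), i

    header, pos = read(HEADER_BYTES, 0)
    length = int.from_bytes(header, "big")
    if length > lsb_capacity(stego):
        return None
    body, _ = read(length, pos)
    return body


def max_byte_delta(cover, stego):
    """Largest per-byte change the embedding caused (1 for LSB embedding)."""
    return max(abs(a - b) for a, b in zip(cover, stego))


# Constructed cover: a repeating 8-bit gradient, 4096 "pixels".
SAMPLE_COVER = bytes(range(256)) * 16

if __name__ == "__main__":
    stego = lsb_embed(SAMPLE_COVER, b"meet at 0300")
    print("capacity (bytes):", lsb_capacity(SAMPLE_COVER))
    print("max per-byte change:", max_byte_delta(SAMPLE_COVER, stego))
    print("extracted:", lsb_extract(stego))
    print("untouched cover yields:", lsb_extract(SAMPLE_COVER))
```

The `lsb_extract` call on the untouched cover returns None because the gradient's LSBs decode to an impossible length; a real detection pass would instead look at the statistics of the LSB plane, since a clean image's LSBs are rarely as uniformly random as an embedded payload's.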
EXAMINING ENCRYPTED FILES
 Prevent unauthorized access
 Employ a password or passphrase
 Recovering data is difficult without password
 Key escrow
 Designed to recover encrypted data if users forget their passphrases or if the
user key is corrupted after a system failure
 Cracking password
 Expert and powerful computers
 Persuade suspect to reveal password
RECOVERING PASSWORDS
 Techniques
 Dictionary attack
 Brute-force attack
 Password guessing based on suspect’s profile
 Tools
 AccessData PRTK
 Advanced Password Recovery Software Toolkit
 John the Ripper
 Using AccessData tools with passworded and encrypted files
 AccessData offers a tool called Password Recovery Toolkit (PRTK)
 Can create possible password lists from many sources
 Can create your own custom dictionary based on facts in the case
 Can create a suspect profile and use biographical information to
generate likely passwords
WORD LIST
 FTK finds all strings in the data and makes a Word List from them
[CONTD…]
 Using AccessData tools with passworded and encrypted
files (continued)
 FTK can identify known encrypted files and those that seem
to be encrypted
 And export them
 You can then import these files into PRTK and attempt to
crack them
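The profile-based attack described above (build a custom dictionary from facts about the suspect, then test each candidate against the protected file) as an added Python example. This is not PRTK's own algorithm or code from the slides: the suspect profile, the mutation rules (capitalisation, leet substitutions, year and punctuation suffixes, name pairs) and the salted SHA-256 hash standing in for the file's password check are all assumptions made for the example.

```python
import hashlib
import itertools

LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})


def profile_candidates(profile):
    """Likely passwords from biographical facts: names, pets, teams, years."""
    words = set()
    for value in profile.values():
        for token in str(value).replace("-", " ").split():
            words.add(token.lower())
    years = [str(v) for v in profile.values() if isinstance(v, int)]
    suffixes = ["", "!", "1", "123"] + years
    candidates = set()
    for w in words:
        for form in {w, w.capitalize(), w.upper(), w.translate(LEET)}:
            for suffix in suffixes:
                candidates.add(form + suffix)
    for a, b in itertools.permutations(sorted(words), 2):
        candidates.add(a + b)
        candidates.add(a.capitalize() + b.capitalize())
    # shortest first: cheap guesses before expensive ones
    return sorted(candidates, key=lambda c: (len(c), c))


def sha256_salted(password, salt):
    """Stand-in for the password check of the protected file (assumption)."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def dictionary_attack(target_hash, salt, candidates):
    """Return the first candidate whose hash matches, or None."""
    for candidate in candidates:
        if sha256_salted(candidate, salt) == target_hash:
            return candidate
    return None


# Constructed suspect profile for the example.
SUSPECT = {"first": "Robert", "dog": "Rex", "born": 1978, "team": "Red Sox"}

if __name__ == "__main__":
    salt = b"NaCl"
    target = sha256_salted("Rex1978", salt)  # the "unknown" password
    wordlist = profile_candidates(SUSPECT)
    print(f"{len(wordlist)} candidates, e.g. {wordlist[:8]}")
    print("recovered:", dictionary_attack(target, salt, wordlist))
```

A wordlist like this is tiny compared with a brute-force key space, which is the whole point: a password chosen from the suspect's own life falls in seconds, whereas a random 12-character passphrase is out of reach for either method.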
PERFORMING REMOTE
ACQUISITIONS
INTRODUCTION
 Remote acquisitions are handy when you need to image
the drive of a computer far away from your location
 Or when you don’t want a suspect to be aware of an ongoing
investigation
REMOTE ACQUISITIONS WITH RUNTIME
SOFTWARE
 Runtime Software offers the following shareware
programs for remote acquisitions:
 DiskExplorer for FAT
 DiskExplorer for NTFS
 HDHOST
 Preparing DiskExplorer and HDHOST for remote
acquisitions
 Requires the Runtime Software, a portable media device
(USB thumb drive or floppy disk), and two networked
computers
[CONTD…]
 Making a remote connection with DiskExplorer
 Requires running HDHOST on a suspect’s computer
 To establish a connection with HDHOST, the suspect’s
computer must be:
 Connected to the network
 Powered on
 Logged on to any user account with permission to run noninstalled
applications
 HDHOST can’t be run surreptitiously
 See Figures 9-18 through 9-24
[CONTD…]
 Making a remote acquisition with DiskExplorer
 After you have established a connection with DiskExplorer
from the acquisition workstation
 You can navigate through the suspect computer’s files and folders or
copy data
 The Runtime tools don’t generate a hash for acquisitions
NETWORK FORENSICS
OBJECTIVES
 Describe primary concerns in conducting forensic
examinations of virtual machines
 Describe the importance of network forensics
 Explain standard procedures for performing a live
acquisition
 Explain standard procedures for network forensics
 Describe the use of network tools
VIRTUAL MACHINES OVERVIEW
 Virtual machines are important in today’s networks.
 Investigators must know how to detect a virtual machine
installed on a host, acquire an image of a virtual
machine, and use virtual machines to examine malware.
 Check whether virtual machines are loaded on a host
computer.
 Clues that virtual machines have been installed or
uninstalled:
 Folders named "Virtual Machines" or "My Virtual Machines"
 Registry HKEY_CLASSES_ROOT shows file extensions
.VMX or .VMC registered
 VMware network adapter
VMWARE LICENSE REGISTRY KEY
 Retained even if VMware is uninstalled
IMAGING A VIRTUAL HARD DISK
 We have already covered that in the projects, including
using a virtual write-blocker
NETWORK FORENSICS OVERVIEW
INTRODUCTION
 Network forensics
 Systematic tracking of incoming and outgoing traffic
 To ascertain how an attack was carried out or how an event occurred
on a network
 Intruders leave trail behind
 Determine the cause of the abnormal traffic
 Internal bug
 Attackers
SECURING A NETWORK
 Layered network defense strategy
 Sets up layers of protection to hide the most valuable data at
the innermost part of the network
 Defense in depth (DiD)
 Similar approach developed by the NSA
 Modes of protection
 People (hiring and treatment)
 Technology (firewalls, IDSs, etc.)
 Operations (patches, updates)
 Testing networks is as important as testing servers
 You need to be up to date on the latest methods intruders
use to infiltrate networks
 As well as methods internal employees use to sabotage
networks
PERFORMING LIVE ACQUISITIONS
INTRODUCTION
 Live acquisitions are especially useful when you’re dealing
with active network intrusions or attacks
 Live acquisitions done before taking a system offline are also
becoming a necessity
 Because attacks might leave footprints only in running processes or
RAM
 Live acquisitions don’t follow typical forensics procedures
 Order of volatility (OOV)
 How long a piece of information lasts on a system
[CONTD…]
 Steps
 Create or download a live-acquisition forensic CD
 Make sure you keep a log of all your actions
 A network drive is ideal as a place to send the information you
collect; an alternative is a USB disk
 Copy the physical memory (RAM)
 The next step varies: search for rootkits, check firmware, image the
drive over the network, or shut down for later static acquisition
 Be sure to get a forensic hash value of all files you recover during
the live acquisition
PERFORMING A LIVE ACQUISITION IN
WINDOWS
 Several tools are available to capture the RAM.
 Mantech Memory DD
 Win32dd
 winen.exe from Guidance Software
 BackTrack
DEVELOPING STANDARD PROCEDURES
FOR NETWORK FORENSICS
INTRODUCTION
 Long, tedious process
 Standard procedure
 Always use a standard installation image for systems on a
network
 Close any way in after an attack
 Attempt to retrieve all volatile data
 Acquire all compromised drives
 Compare files on the forensic image to the original
installation image
[CONTD…]
 Computer forensics
 Work from the image to find what has changed
 Network forensics
 Restore drives to understand attack
 Work on an isolated system
 Prevents malware from affecting other systems
REVIEWING NETWORK LOGS
 Record ingoing and outgoing traffic
 Network servers
 Routers
 Firewalls
 Tcpdump tool for examining network traffic
 Can generate top 10 lists
 Can identify patterns
 Attacks might include other companies
 Do not reveal information discovered about other companies
USING NETWORK TOOLS
USING NETWORK TOOLS
 Sysinternals
 A collection of free tools for examining Windows products
 Examples of the Sysinternals tools:
 RegMon shows Registry data in real time
 Process Explorer shows what is loaded
 Handle shows open files and processes using them
 Filemon shows file system activity
SYSINTERNALS
 Link Ch 11b
[CONTD…]
 Tools from PsTools suite created by Sysinternals
 PsExec runs processes remotely
 PsGetSid displays security identifier (SID)
 PsKill kills process by name or ID
 PsList lists details about a process
 PsLoggedOn shows who’s logged locally
 PsPasswd changes account passwords
 PsService controls and views services
 PsShutdown shuts down and restarts PCs
 PsSuspend suspends processes
USING UNIX/LINUX TOOLS
 Knoppix Security Tools Distribution (STD)
 Bootable Linux CD intended for computer and network
forensics
 Knoppix-STD tools
 Dcfldd, the U.S. DoD dd version
 memfetch forces a memory dump
 photorec carves files (originally photos from digital camera media) out of raw storage
 snort, an intrusion detection system
 oinkmaster helps manage your snort rules
[CONTD…]
 Knoppix-STD tools (continued)
 john
 chntpw resets passwords on a Windows PC
 tcpdump and ethereal are packet sniffers
 With the Knoppix STD tools on a portable CD
 You can examine almost any network system
 BackTrack
 Contains more than 300 tools for network scanning, brute-
force attacks, Bluetooth and wireless networks, and more
 Includes forensics tools, such as Autopsy and Sleuth Kit
 Easy to use and frequently updated
USING PACKET SNIFFERS
 Packet sniffers
 Devices or software that monitor network traffic
 Most work at layer 2 or 3 of the OSI model
 Most tools follow the PCAP format
 Some packets can be identified by examining the flags in
their TCP headers
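Identifying packets from their TCP flags, as an added Python example (not code from the slides or from any of the sniffers listed). It parses the fixed 20-byte TCP header with `struct`, decodes the flag bits, labels the common scan signatures (bare SYN, SYN/ACK, NULL, XMAS) and then runs a small SYN-scan check over a constructed capture. The capture, the source addresses and the five-port threshold are assumptions made for the example; a real pcap would be read with a library such as dpkt or scapy and the headers fed to the same functions.

```python
import struct

# Flag bits in the 16-bit data-offset/flags word of the TCP header.
FLAG_BITS = [("CWR", 0x80), ("ECE", 0x40), ("URG", 0x20), ("ACK", 0x10),
             ("PSH", 0x08), ("RST", 0x04), ("SYN", 0x02), ("FIN", 0x01)]


def parse_tcp_header(raw):
    """Decode the fixed part of a TCP header (RFC 793 layout, network byte order)."""
    if len(raw) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack("!HHIIHHHH", raw[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "data_offset": (off_flags >> 12) * 4,
            "flags": [name for name, bit in FLAG_BITS if off_flags & bit],
            "window": window}


def build_tcp_header(sport, dport, flags, seq=0, ack=0, window=8192):
    """Construct a 20-byte header (no options) for the sample capture below."""
    bits = sum(bit for name, bit in FLAG_BITS if name in flags)
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | bits, window, 0, 0)


def classify_flags(flags):
    """Name the packet type that a flag combination usually indicates."""
    f = set(flags)
    if not f:
        return "null-scan"
    if f == {"FIN", "PSH", "URG"}:
        return "xmas-scan"
    if f == {"SYN"}:
        return "syn"
    if f == {"SYN", "ACK"}:
        return "syn-ack"
    if "RST" in f:
        return "rst"
    if "FIN" in f:
        return "fin"
    return "established"


def syn_scan_sources(packets, min_ports=5):
    """Sources that sent bare SYNs to many distinct ports: a SYN-scan indicator."""
    ports_by_src = {}
    for src, raw in packets:
        header = parse_tcp_header(raw)
        if classify_flags(header["flags"]) == "syn":
            ports_by_src.setdefault(src, set()).add(header["dport"])
    return sorted(src for src, ports in ports_by_src.items() if len(ports) >= min_ports)


# Constructed capture: one host probing six ports, one normal handshake, two odd probes.
SAMPLE_CAPTURE = [
    ("10.0.0.7", build_tcp_header(51000 + i, port, ["SYN"], seq=1000 + i))
    for i, port in enumerate([21, 22, 23, 25, 80, 443])
] + [
    ("10.0.0.9", build_tcp_header(49152, 443, ["SYN"], seq=7)),
    ("192.168.1.5", build_tcp_header(443, 49152, ["SYN", "ACK"], seq=9, ack=8)),
    ("10.0.0.7", build_tcp_header(51010, 139, ["FIN", "PSH", "URG"])),
    ("10.0.0.7", build_tcp_header(51011, 139, [])),
]

if __name__ == "__main__":
    for src, raw in SAMPLE_CAPTURE:
        h = parse_tcp_header(raw)
        print(f"{src:>12} -> port {h['dport']:<5} {h['flags']!s:<16} {classify_flags(h['flags'])}")
    print("SYN-scan sources:", syn_scan_sources(SAMPLE_CAPTURE))
```

NULL and XMAS probes never occur in legitimate traffic, so a single one is worth an alert; bare SYNs are normal, which is why the SYN-scan check counts distinct destination ports per source rather than flagging individual packets.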
TCP HEADER
 From Wikipedia
TOOLS
 Tcpdump (command-line packet capture)
 Tethereal (command-line version of Ethereal)
 Wireshark (formerly Ethereal)
 Graphical packet capture analysis
 Snort (intrusion detection)
 Tcpslice
 Extracts information from one or more tcpdump files by time frame
 Tcpreplay (replays packets)
 Tcpdstat (near-realtime traffic statistics)
 Ngrep (pattern-matching for pcap captures)
 Etherape (views network traffic graphically)
 Netdude (GUI tool to analyze pcap files)
 Argus (analyzes packet flows)
EXAMINING THE HONEYNET PROJECT
 Attempt to thwart Internet and network hackers
 Provides information about attacks methods
 Objectives are awareness, information, and tools
 Distributed denial-of-service (DDoS) attacks
 A recent major threat
 Hundreds or even thousands of machines (zombies) can be
used
[CONTD…]
 Zero day attacks
 Another major threat
 Attackers look for holes in networks and OSs and exploit
these weaknesses before patches are available
 Honeypot
 Normal looking computer that lures attackers to it
 Honeywalls
 Monitor what’s happening to honeypots on your network and
record what attackers are doing
[CONTD…]
 Its legality has been questioned
 Cannot be used in court
 Can be used to learn about attacks
 Manuka Project
 Used the Honeynet Project’s principles
 To create a usable database for students to examine compromised
honeypots
 Honeynet Challenges
 You can try to ascertain what an attacker did and then post
your results online
E-MAIL FORENSICS
OBJECTIVES
 Explain the role of e-mail in investigations
 Describe client and server roles in e-mail
 Describe tasks in investigating e-mail crimes and violations
 Explain the use of e-mail server logs
 Describe some available e-mail computer forensics tools
EXPLORING THE ROLE OF E-MAIL IN
INVESTIGATIONS
INTRODUCTION
 With the increase in e-mail scams and fraud attempts
with phishing or spoofing
 Investigators need to know how to examine and interpret the
unique content of e-mail messages
 Phishing e-mails are in HTML format
 Which allows creating links to text on a Web page
 One of the most noteworthy e-mail scams was 419, or
the Nigerian Scam
 Spoofing e-mail can be used to commit fraud
MUNSHANI V. SIGNAL LAKE VENTURE FUND
 Munshani received an email and altered it
 But he failed to alter the ESMTP numbers which
uniquely identify each message an SMTP server
transmits
 Comparing ESMTP numbers from the server and the
spoofed email revealed the fraud
EXPLORING THE ROLES OF THE
CLIENT AND SERVER IN E-MAIL
INTRODUCTION
 Send and receive e-mail in two environments
 Internet
 Controlled LAN, MAN, or WAN
 Client/server architecture
 Server OS and e-mail software differs from those on the
client side
 Protected accounts
 Require usernames and passwords
[CONTD…]
 Name conventions
 Corporate: john.smith@somecompany.com
 Public: whatever@hotmail.com
 Everything after @ belongs to the domain name
 Tracing corporate e-mails is easier
 Because accounts use standard names the administrator
establishes
INVESTIGATING E-MAIL CRIMES AND
VIOLATIONS
INTRODUCTION
 Similar to other types of investigations
 Goals
 Find who is behind the crime
 Collect the evidence
 Present your findings
 Build a case
 Depend on the city, state, or country
 Example: spam
 Always consult with an attorney
 Becoming commonplace
 Examples of crimes involving e-mails
 Narcotics trafficking
 Extortion
 Sexual harassment
 Child abductions and pornography
EXAMINING E-MAIL MESSAGES
 Access victim’s computer to recover the evidence
 Using the victim’s e-mail client
 Find and copy evidence in the e-mail
 Access protected or encrypted material
 Print e-mails
 Guide victim on the phone
 Open and copy e-mail including headers
 Sometimes you will deal with deleted e-mails
[CONTD…]
 Copying an e-mail message
 Before you start an e-mail investigation
 You need to copy and print the e-mail involved in the crime or policy
violation
 You might also want to forward the message as an attachment
to another e-mail address
 With many GUI e-mail programs, you can copy an e-
mail by dragging it to a storage medium
 Or by saving it in a different location
VIEWING E-MAIL HEADERS
 Learn how to find e-mail headers
 GUI clients
 Command-line clients
 Web-based clients
 After you open e-mail headers, copy and paste them into a
text document
 So that you can read them with a text editor
 Headers contain useful information
 Unique identifying numbers, IP address of sending server, and
sending time
[CONTD…]
 Outlook
 Open the Message Options dialog box
 Copy headers
 Paste them to any text editor
 Outlook Express
 Open the message Properties dialog box
 Select Message Source
 Copy and paste the headers to any text editor
EMAIL HEADERS IN GMAIL
 Click “Reply” drop-down arrow, “Show
original”
EXAMINING E-MAIL HEADERS
 Gather supporting evidence and track suspect
 Return path
 Recipient’s e-mail address
 Type of sending e-mail service
 IP address of sending server
 Name of the e-mail server
 Unique message number
 Date and time e-mail was sent
 Attachment files information
 See link Ch 12b for an example—tracing the source of spam
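Working through the header items listed above on a constructed message, as an added Python example (not code from the slides). It walks the Received chain from the oldest hop to the newest to find the originating IP address and the per-hop ESMTP ids, then checks the simple spoofing tells: a Return-Path or Message-ID domain that does not match the From domain, and a first hop handled by a server outside that domain. The sample message uses reserved documentation addresses (192.0.2.x, 198.51.100.x, 203.0.113.x) and the example.* domains, and the indicator rules are heuristics chosen for the example, not a standard.

```python
import email
import re
from email.utils import parseaddr

RECEIVED_FROM = re.compile(r"from\s+(\S+)")
RECEIVED_BY = re.compile(r"\bby\s+(\S+)")
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
RECEIVED_ID = re.compile(r"\bid\s+([A-Za-z0-9]+)")


def _first(pattern, line):
    m = pattern.search(line)
    return m.group(1) if m else None


def load(raw):
    return email.message_from_string(raw)


def received_chain(msg):
    """Received headers, oldest hop first: entry 0 is where the mail entered the system."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        line = " ".join(value.split())  # unfold continuation lines
        hops.append({"from": _first(RECEIVED_FROM, line), "ip": _first(RECEIVED_IP, line),
                     "by": _first(RECEIVED_BY, line), "id": _first(RECEIVED_ID, line)})
    return hops


def originating_ip(msg):
    chain = received_chain(msg)
    return chain[0]["ip"] if chain else None


def spoof_indicators(msg):
    """Mismatches between the visible From address and what the servers recorded."""
    findings = []
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    rp_domain = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    if rp_domain and rp_domain != from_domain:
        findings.append(f"Return-Path domain {rp_domain} differs from From domain {from_domain}")
    mid_domain = msg.get("Message-ID", "").strip("<> ").rpartition("@")[2].lower()
    if mid_domain and not mid_domain.endswith(from_domain):
        findings.append(f"Message-ID domain {mid_domain} differs from From domain {from_domain}")
    chain = received_chain(msg)
    if chain and chain[0]["by"] and not chain[0]["by"].lower().endswith(from_domain):
        findings.append(f"first hop handled by {chain[0]['by']}, outside {from_domain}")
    return findings


# Constructed spoofed message (documentation addresses and domains only).
SAMPLE_MESSAGE = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from mx.victimcorp.example (mx.victimcorp.example [203.0.113.10])
    by inbox.victimcorp.example with ESMTP id s5A7x2Kq012345
    for <ceo@victimcorp.example>; Tue, 12 Mar 2013 09:41:17 -0500
Received: from mail-relay.example.net (mail-relay.example.net [198.51.100.25])
    by mx.victimcorp.example with ESMTP id r3BQ1p0J004411;
    Tue, 12 Mar 2013 09:41:15 -0500
Received: from [192.0.2.77] (unknown [192.0.2.77])
    by mail-relay.example.net with SMTP id 7Hq2zL;
    Tue, 12 Mar 2013 09:41:12 -0500
Message-ID: <20130312144112.7Hq2zL@mail-relay.example.net>
From: "CFO" <cfo@victimcorp.example>
To: ceo@victimcorp.example
Subject: Urgent wire transfer

Please process the attached wire today.
"""

if __name__ == "__main__":
    msg = load(SAMPLE_MESSAGE)
    for n, hop in enumerate(received_chain(msg)):
        print(f"hop {n}: from {hop['from']} ({hop['ip']}) by {hop['by']} id {hop['id']}")
    print("originating IP:", originating_ip(msg))
    for finding in spoof_indicators(msg):
        print("indicator:", finding)
```

Only the hops added by servers you trust are reliable; a sender can forge Received lines below the point where the message entered your infrastructure, so the ids and timestamps on those hops are what you later check against the relay's own logs.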
EXAMINING ADDITIONAL E-MAIL FILES
 E-mail messages are saved on the client side or left at the
server
 Microsoft Outlook uses .pst and .ost files
 Most e-mail programs also include an electronic address book
 In Web-based e-mail
 Messages are displayed and saved as Web pages in the browser’s
cache folders
 Many Web-based e-mail providers also offer instant messaging
(IM) services
TRACING AN E-MAIL MESSAGE
 Contact the administrator responsible for the sending server
 Finding domain name’s point of contact
 www.arin.net
 www.internic.com
 www.freeality.com
 www.google.com
 Find suspect’s contact information
 Verify your findings by checking network e-mail logs against
e-mail addresses
USING NETWORK E-MAIL LOGS
 Router logs
 Record all incoming and outgoing traffic
 Have rules to allow or disallow traffic
 You can resolve the path a transmitted e-mail has taken
 Firewall logs
 Filter e-mail traffic
 Verify whether the e-mail passed through
 You can use any text editor or specialized tools
UNDERSTANDING E-MAIL SERVERS
INTRODUCTION
 Computer loaded with software that uses e-mail protocols for
its services
 And maintains logs you can examine and use in your investigation
 E-mail storage
 Database
 Flat file
 Logs
 Default or manual
 Continuous and circular
[CONTD…]
 Log information
 E-mail content
 Sending IP address
 Receiving and reading date and time
 System-specific information
 Contact suspect’s network e-mail administrator as soon
as possible
 Servers can recover deleted e-mails
 Similar to deletion of files on a hard drive
EXAMINING UNIX E-MAIL SERVER LOGS
 /etc/sendmail.cf
 Configuration information for Sendmail
 /etc/syslog.conf
 Specifies how and which events Sendmail logs
 /var/log/maillog
 SMTP and POP3 communications
 IP address and time stamp
 Check UNIX man pages for more information
EXAMINING MICROSOFT E-MAIL SERVER
LOGS
 Microsoft Exchange Server (Exchange)
 Uses a database
 Based on Microsoft Extensible Storage Engine
 Messaging Application Programming Interface (MAPI)
 A Microsoft system that enables different e-mail applications
to work together
 The “Information Store” is made of two files
 Database files *.edb
 Responsible for MAPI information
 Database files *.stm
 Responsible for non-MAPI information
[CONTD…]
 Administrators can recover lost or deleted emails from
these files:
 Transaction log
 Keep track of e-mail databases
 Checkpoints
 Marks the place in the transaction log where the last backup was
made
 Other useful files
 Temporary files
 E-mail communication logs
 res#.log
 Tracking.log
 Tracks messages
[CONTD…]
 Troubleshooting or diagnostic log
 Logs events
 Use Windows Event Viewer
 Open the Event Properties dialog box for more details about
an event
EXAMINING NOVELL GROUPWISE E-MAIL
LOGS
 Up to 25 databases for e-mail users
 Stored on the Ofuser directory object
 Referenced by a username, a unique identifier, and the .db
extension
 Shares resources with e-mail server databases
 Mailbox organization
 Permanent index files
 QuickFinder
[CONTD…]
 Folder and file structure can be complex
 It uses Novell directory structure
 Guardian
 Directory of every database
 Tracks changes in the GroupWise environment
 Considered a single point of failure
 Log files
 GroupWise generates log files (.log extension) maintained in
a standard log format in GroupWise folders
USING SPECIALIZED E-MAIL
FORENSICS TOOLS
USING SPECIALIZED E-MAIL FORENSICS
TOOLS
 Tools include:
 AccessData’s Forensic Toolkit (FTK)
 ProDiscover Basic
 FINALeMAIL
 Sawmill-GroupWise
 DBXtract
 Fookes Aid4Mail and MailBag Assistant
 Paraben E-Mail Examiner
 Ontrack Easy Recovery EmailRepair
 R-Tools R-Mail
[CONTD…]
 Tools allow you to find:
 E-mail database files
 Personal e-mail files
 Offline storage files
 Log files
 Advantage
 Do not need to know how e-mail servers and clients work
 FINALeMAIL
 Scans e-mail database files
 Recovers deleted e-mails
 Searches computer for other files associated with e-mail
USING ACCESSDATA FTK TO RECOVER
E-MAIL
 FTK
 Can index data on a disk image or an entire drive for faster data
retrieval
 Filters and finds files specific to e-mail clients and servers
 To recover e-mail from Outlook and Outlook Express
 AccessData integrated dtSearch
 dtSearch builds a b-tree index of all text data in a drive, an image file, or a
group of files
USING A HEXADECIMAL EDITOR TO CARVE
E-MAIL MESSAGES
 Very few vendors have products for analyzing e-mail in
systems other than Microsoft
 mbox format
 Stores e-mails in flat plaintext files
 Multipurpose Internet Mail Extensions (MIME)
format
 Used by vendor-unique e-mail file systems, such as Microsoft
.pst or .ost
 Example: carve e-mail messages from Evolution
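Carving mbox messages out of a raw byte dump, the task a hex editor is used for above, as an added Python example (not code from the slides). It scans for mbox "From " separator lines (envelope sender followed by an asctime date, the format Evolution and other Unix clients write), takes everything up to the next separator as one message, and splits each into its header fields and body. The dump is constructed for the example, with filler bytes around and between two messages to stand in for slack and unallocated space; the separator pattern assumes that classic mbox format.

```python
import re

# An mbox "From_" line: "From <sender> <weekday> <month> <day> <hh:mm:ss> <year>".
# The lookbehind rejects ">From " (an escaped body line) and text glued to a word.
FROM_LINE = re.compile(
    rb"(?<![>\w])(From \S+ +[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4})\r?\n"
)


def carve_mbox(raw):
    """Return one dict per carved message: offset, separator line, headers, body."""
    hits = list(FROM_LINE.finditer(raw))
    messages = []
    for i, hit in enumerate(hits):
        start = hit.start(1)
        end = hits[i + 1].start(1) if i + 1 < len(hits) else len(raw)
        chunk = raw[start:end]
        header_block, _, body = chunk.partition(b"\n\n")
        headers = {}
        for line in header_block.split(b"\n")[1:]:  # skip the From_ line itself
            key, sep, value = line.partition(b":")
            if sep and not line[:1].isspace():
                headers[key.decode("ascii", "replace").lower()] = value.strip().decode("latin-1")
        messages.append({
            "offset": start,
            "from_line": hit.group(1).decode("latin-1"),
            "headers": headers,
            "subject": headers.get("subject"),
            "message_id": headers.get("message-id"),
            "body": body.strip(b"\x00\r\n\t ").decode("latin-1"),
        })
    return messages


# Constructed dump: zero fill, message A, junk, message B, zero fill.
MSG_A = (b"From alice@example.net Tue Mar 12 09:41:12 2013\n"
         b"Message-ID: <1@example.net>\n"
         b"From: alice@example.net\n"
         b"To: bob@example.org\n"
         b"Subject: lunch\n"
         b"\n"
         b"noon?\n\n")
MSG_B = (b"From mallory@example.com Tue Mar 12 10:02:44 2013\n"
         b"Message-ID: <2@example.com>\n"
         b"From: mallory@example.com\n"
         b"To: bob@example.org\n"
         b"Subject: payment details\n"
         b"\n"
         b"wire the deposit to the new account\n\n")
SAMPLE_DUMP = b"\x00" * 64 + MSG_A + b"\xde\xad\xbe\xef" * 8 + MSG_B + b"\x00" * 32

if __name__ == "__main__":
    for m in carve_mbox(SAMPLE_DUMP):
        print(f"@{m['offset']:#06x} {m['from_line']}")
        print(f"   id={m['message_id']} subject={m['subject']!r}")
        print(f"   body={m['body'][:40]!r}")
```

Because a message runs until the next separator, the body of a carved message can end in whatever happened to follow it on disk, as message A does here; the header block, which ends at the first blank line, is the reliable part, and the Message-ID in it is what you take to the server logs.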
RECOVERING DELETED OUTLOOK FILES
 Microsoft's Inbox Repair Tool (scanpst)
 Link Ch 12d
 EnCase
 Advanced Outlook Repair from DataNumen, Inc.
 Link Ch 12e
CELL PHONE AND MOBILE
DEVICE FORENSICS
OBJECTIVES
 Explain the basic concepts of mobile device forensics
 Describe procedures for acquiring data from cell phones
and mobile devices
UNDERSTANDING MOBILE DEVICE
FORENSICS
DATA ON IPHONES
 Screenshots of every map viewed
 iPhone photos have GPS location data embedded
 Apps store browsing history
 iPhone stores everything you type, like a keylogger
 Link Ch 13a
 iPhone also stores screenshots after each action, in order
to create an aesthetically pleasing shrinking effect (link
Ch 13b)
BANKING ON IPHONES
 Link Ch 13c
UNDERSTANDING MOBILE DEVICE
FORENSICS
 People store a wealth of information on cell phones
 People don’t think about securing their cell phones
 Items stored on cell phones:
 Incoming, outgoing, and missed calls
 Text and Short Message Service (SMS) messages
 E-mail
 Instant-messaging (IM) logs
 Web pages
 Pictures
[CONTD…]
 Items stored on cell phones: (continued)
 Personal calendars
 Address books
 Music files
 Voice recordings
 Investigating cell phones and mobile devices is one of
the most challenging tasks in digital forensics
MOBILE PHONE BASICS
 Mobile phone technology has advanced rapidly
 Three generations of mobile phones:
 Analog
 Digital personal communications service (PCS)
 Third-generation (3G)
 3G offers increased bandwidth
 Several digital networks are used in the mobile phone
industry
4G NETWORKS
 Orthogonal Frequency Division Multiplexing (OFDM)
 Uses power more efficiently, and is more immune to
interference
 Mobile WiMAX
 Used by Sprint, will support speeds up to 12 Mbps
 Ultra Mobile Broadband (UMB)
 Also known as CDMA2000 EV-DO
 Will support speeds up to 100 Mbps
 Multiple Input Multiple Output (MIMO)
 Will support speeds up to 312 Mbps
 Long Term Evolution (LTE)
 Will support up to 144 Mbps
[CONTD…]
 Main components used for communication:
 Base transceiver station (BTS)
 Cell phone tower and associated equipment
 Base station controller (BSC)
 Hardware & software that controls the BTS
 Mobile switching center (MSC)
 Routes calls
 Has a database of subscribers with account and location data
INSIDE MOBILE DEVICES
 Mobile devices can range from simple phones to small
computers
 Also called smart phones
 Hardware components
 Microprocessor, ROM, RAM, a digital signal processor, a
radio module, a microphone and speaker, hardware interfaces,
and an LCD display
 Most basic phones have a proprietary OS
 Although smart phones use stripped-down versions of PC
operating systems
[CONTD…]
 Phones store system data in electronically erasable
programmable read-only memory (EEPROM)
 Enables service providers to reprogram phones without
having to physically access memory chips
 OS is stored in ROM
 Nonvolatile memory
SIM CARD
(Figure from Wikipedia; the image is not reproduced in this text)
[CONTD…]
 Subscriber identity module (SIM) cards
 Found most commonly in GSM devices (and, as a USIM, in every LTE device)
 Contain a microprocessor and from 16 KB to 4 MB of EEPROM
 High-capacity SIMs with up to 1 GB of storage (flash rather than EEPROM) have been marketed
 GSM refers to mobile phones as "mobile stations" and divides a station into two parts:
 The SIM card and the mobile equipment (ME)
 SIM cards come in several sizes (full-size, mini, micro and nano); embedded SIMs (eSIM) are soldered in and cannot be removed for separate reading
 Portability of information makes SIM cards versatile: the subscriber identity and stored contacts move with the card between handsets
[CONTD…]
 Subscriber identity module (SIM) cards (continued)
 Additional SIM card purposes:
 Identifies the subscriber to the network (IMSI) and the card itself (ICCID, also printed on the card); the authentication key Ki never leaves the card and cannot be read out
 Stores personal information
 Stores address books (EF_ADN) and SMS messages (EF_SMS)
 Stores service-related information, including the last location area the phone registered in (EF_LOCI)
INSIDE PDAS
 Personal digital assistants (PDAs)
 Can be separate devices from mobile phones
 Most users carry them instead of a laptop
 PDAs house a microprocessor, flash ROM, RAM, and various
hardware components
 The amount of information on a PDA varies depending on the
model
 Usually, you can retrieve a user’s calendar, address book, Web
access, and other items
[CONTD…]
 Peripheral memory cards are used with PDAs
 Compact Flash (CF)
 MultiMedia Card (MMC)
 Secure Digital (SD)
 Most PDAs synchronize with a computer
 Built-in slots for that purpose
UNDERSTANDING ACQUISITION
PROCEDURES FOR CELL PHONES AND
MOBILE DEVICES
 The main concerns with mobile devices are loss of power and
synchronization with PCs
 All mobile devices have volatile memory
 Making sure they don’t lose power before you can retrieve RAM
data is critical
 Mobile device attached to a PC via a cable or cradle/docking
station should be disconnected from the PC immediately
 Depending on the warrant or subpoena, the time of seizure
might be relevant
[CONTD…]
 Messages might be received on the mobile device after seizure; a remote wipe or lock command could also reach it
 Isolate the device from incoming signals with one of the following options:
 Place the device in a paint can
 Use the Paraben Wireless StrongHold Bag (a Faraday bag)
 Use eight layers of antistatic bags to block the signal
 The drawback to using these isolating options is that the device cannot reach a network and keeps searching for one at full transmit power
 Which accelerates battery drainage, so connect a charger inside the enclosure when the bag allows it
[CONTD…]
 Check these areas in the forensics lab:
 Internal memory
 SIM card
 Removable or external memory cards
 System server (the service provider's records, such as call detail records and stored voicemail)
 Checking system servers requires a search warrant or subpoena
 The SIM card file system is a hierarchical structure:
 MF: master file, the root of the file system (identifier 3F00)
 DF: dedicated files, which act as directories (for example DF_GSM, 7F20, and DF_TELECOM, 7F10)
 EF: elementary files, which hold the actual data records (for example EF_IMSI, 6F07, under DF_GSM)
[CONTD…]
 Information that can be retrieved:
 Service-related data, such as identifiers for the SIM card (ICCID, in EF_ICCID) and the subscriber (IMSI, in EF_IMSI)
 Call data, such as the last numbers dialed (EF_LND)
 Message information (EF_SMS); a "deleted" SMS usually only has its status byte cleared, so the text often remains in the record until it is overwritten
 Location information, such as the last location area identity and TMSI (EF_LOCI)
 If power has been lost, PINs or other access codes might be required to view files
 Three wrong PIN entries lock the SIM; unlocking then needs the PUK from the service provider, and ten wrong PUK entries block the card permanently
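The decoder below is an added example; it is not part of the slides and not code from any of the tools they name. It takes the raw bytes a SIM card reader returns for three elementary files (EF_ICCID, EF_IMSI and one EF_ADN phonebook record) and applies the nibble-swapped BCD layout those files use, which is what a SIM tool does before it can show an ICCID, an IMSI or a contact. The sample byte strings are constructed for the example (the IMSI is the standard test value 001010123456789); the 10-byte alpha-tag length for the ADN record is an assumption, since a real card declares it through the file's record size.

```python
"""Decode raw SIM elementary files (EFs) as returned by a SIM card reader.
Sample byte strings below are constructed for this example."""

BCD_DIGITS = "0123456789*#abc"   # nibble values 0x0-0xE; 0xF is filler


def decode_swapped_bcd(data: bytes) -> str:
    """Nibble-swapped BCD: the low nibble of each byte is the earlier digit,
    and the first 0xF nibble marks the end of the number."""
    digits = []
    for byte in data:
        for nibble in (byte & 0x0F, byte >> 4):
            if nibble == 0x0F:
                return "".join(digits)
            digits.append(BCD_DIGITS[nibble])
    return "".join(digits)


def decode_iccid(ef_iccid: bytes) -> str:
    """EF_ICCID (file 2FE2 under the MF): 10 bytes of swapped BCD, 'F' padded."""
    if len(ef_iccid) != 10:
        raise ValueError("EF_ICCID is always 10 bytes")
    return decode_swapped_bcd(ef_iccid)


def decode_imsi(ef_imsi: bytes) -> str:
    """EF_IMSI (6F07 under DF_GSM). Byte 0 is the length of the identity;
    in the next byte the low nibble carries the identity type (001 = IMSI)
    and a parity bit, the high nibble the first digit; the rest is swapped BCD."""
    length = ef_imsi[0]
    body = ef_imsi[1:1 + length]
    if len(body) != length:
        raise ValueError("EF_IMSI shorter than its length byte claims")
    if body[0] & 0x07 != 0x01:
        raise ValueError("identity type is not IMSI")
    odd_digit_count = bool(body[0] & 0x08)
    imsi = str(body[0] >> 4) + decode_swapped_bcd(body[1:])
    if (len(imsi) % 2 == 1) != odd_digit_count:
        raise ValueError("parity bit disagrees with the number of digits")
    return imsi


def decode_adn_record(record: bytes, alpha_len: int) -> dict:
    """One EF_ADN (6F3A under DF_TELECOM) phonebook record: alpha tag of
    alpha_len bytes, then BCD length, TON/NPI, 10-byte number, CCP id, EXT1 id.
    alpha_len normally comes from the file's record size; 10 is assumed here."""
    name = record[:alpha_len].rstrip(b"\xff").decode("ascii", errors="replace")
    bcd_len = record[alpha_len]
    if bcd_len == 0xFF:                       # unused (or wiped) record
        return {"name": name, "number": None}
    ton_npi = record[alpha_len + 1]
    # bcd_len counts the TON/NPI byte as well as the number bytes
    number_bytes = record[alpha_len + 2:alpha_len + 1 + bcd_len]
    number = decode_swapped_bcd(number_bytes)
    if (ton_npi >> 4) & 0x07 == 0x01:         # type of number 001 = international
        number = "+" + number
    return {"name": name, "number": number}


# Constructed samples (not read from a real card)
SAMPLE_ICCID = bytes.fromhex("98440000214365870921")        # ICCID 89440000123456789012
SAMPLE_IMSI = bytes.fromhex("080910101032547698")            # standard test IMSI 001010123456789
SAMPLE_ADN = (b"Alice" + b"\xff" * 5                         # 10-byte alpha tag
              + bytes([0x07, 0x91])                          # 7 BCD bytes follow; 0x91 = international
              + bytes.fromhex("5155214365f7") + b"\xff" * 4  # +15551234567, padded to 10 bytes
              + b"\xff\xff")                                 # CCP and EXT1 identifiers unused


def decode_samples() -> dict:
    """Decode all three constructed samples; returns the values a SIM tool would display."""
    return {
        "iccid": decode_iccid(SAMPLE_ICCID),
        "imsi": decode_imsi(SAMPLE_IMSI),
        "adn": decode_adn_record(SAMPLE_ADN, alpha_len=10),
    }


if __name__ == "__main__":
    for key, value in decode_samples().items():
        print(f"{key}: {value}")
```

Feed it the bytes from a reader library or an AT+CRSM response instead of the constants to decode a real card. EF_SMS records use the same swapped-BCD layout for the sender address, preceded by the status byte whose value of 0x00 is all that marks a record as "deleted"; comparing the decoded ICCID with the number printed on the card is a quick check that the reader returned the right file.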
MOBILE FORENSICS EQUIPMENT
 Mobile forensics is still a young discipline
 Biggest challenge is dealing with constantly changing models of cell phones
 When you're acquiring evidence, generally you're performing two tasks:
 Acting as though you're a PC synchronizing with the device (to download data); this is a logical acquisition, and a bit-level physical copy of the flash needs device-specific methods
 Reading the SIM card
 First step is to identify the mobile device (make, model, IMEI, OS version), because the cable, driver and supported extraction method all depend on it
[CONTD…]
 Make sure you have installed the mobile device software
on your forensic workstation
 Attach the phone to its power supply and connect the
correct cables
 After you’ve connected the device
 Start the forensics program and begin downloading the
available information
[CONTD…]
 SIM card readers
 A combination hardware/software device used to access the SIM card
 You need to be in a forensics lab equipped with appropriate antistatic devices
 General procedure is as follows:
 Remove the back panel of the device
 Remove the battery (this powers the phone down, so a SIM PIN may be requested on the next start)
 Under the battery, remove the SIM card from its holder
 Photograph the card and record the ICCID printed on it
 Insert the SIM card into the card reader
 Devices with a sealed battery and a tray-loaded SIM need the ejector tool instead; an eSIM cannot be removed at all
[CONTD…]
 SIM card readers (continued)
 A variety of SIM card readers are on the market
 Some are forensically sound and some are not: verify that the tool only reads, and hash the acquired data
 Documenting messages that haven't been read yet is critical, because opening one changes its status
 Use a tool that takes pictures of each screen
 BlackBerry devices may require special hardware
IPHONE FORENSICS
 MacLockPick II
 Works from the iTunes backup files rather than from the device itself
 It can't recover deleted files
 MDBackUp Extract
 Analyzes the iTunes mobile sync backup directory
 A user can protect backups with a password; an encrypted backup cannot be parsed without it
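The script below is an added example and is not code from MacLockPick II, MDBackUp Extract or Apple. It shows the one thing a backup-based tool has to know before it can find the SMS database or the address book: an iTunes (or Finder) backup stores each file under the SHA-1 of the domain name, a hyphen and the path relative to that domain, flat in older backups and in two-character subfolders from iOS 10 on. The demo backup folder is constructed in a temporary directory and holds a placeholder, not a real database; the artefact paths are the HomeDomain locations iOS uses, and the hashing routine is there so located files can be logged with MD5, SHA-1 and SHA-256, as SIMCon does for SIM files.

```python
"""Locate well-known artefacts in an iPhone backup folder and hash them for the
evidence log.  Standard library only; the demo backup is constructed, not real."""
import hashlib
import os
import plistlib
import tempfile

# (domain, relative path) of artefacts every backup-based tool looks for.
KNOWN_ARTEFACTS = {
    "sms": ("HomeDomain", "Library/SMS/sms.db"),
    "address_book": ("HomeDomain", "Library/AddressBook/AddressBook.sqlitedb"),
    "notes": ("HomeDomain", "Library/Notes/notes.sqlite"),
}


def backup_file_id(domain: str, relative_path: str) -> str:
    """A backup names each file SHA-1(domain + '-' + relativePath), hex encoded."""
    return hashlib.sha1(f"{domain}-{relative_path}".encode()).hexdigest()


def candidate_paths(backup_dir: str, file_id: str) -> list:
    """Flat layout (older backups) or a two-character subfolder (iOS 10 and later)."""
    return [os.path.join(backup_dir, file_id),
            os.path.join(backup_dir, file_id[:2], file_id)]


def hash_file(path: str) -> dict:
    """Stream the file once and return MD5, SHA-1 and SHA-256 for the evidence log."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in (md5, sha1, sha256):
                h.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "sha256": sha256.hexdigest()}


def backup_is_encrypted(backup_dir: str) -> bool:
    """Manifest.plist carries an IsEncrypted flag; an encrypted backup needs its password."""
    with open(os.path.join(backup_dir, "Manifest.plist"), "rb") as fh:
        return bool(plistlib.load(fh).get("IsEncrypted", False))


def locate_artefacts(backup_dir: str) -> dict:
    """Map each known artefact to its expected file id, the path found (or None) and hashes."""
    found = {}
    for name, (domain, rel) in KNOWN_ARTEFACTS.items():
        file_id = backup_file_id(domain, rel)
        entry = {"id": file_id, "path": None}
        for candidate in candidate_paths(backup_dir, file_id):
            if os.path.isfile(candidate):
                entry["path"] = candidate
                entry.update(hash_file(candidate))
                break
        found[name] = entry
    return found


def build_demo_backup() -> str:
    """Construct a fake, unencrypted backup holding only a placeholder sms.db."""
    backup_dir = tempfile.mkdtemp(prefix="demo_backup_")
    with open(os.path.join(backup_dir, "Manifest.plist"), "wb") as fh:
        plistlib.dump({"IsEncrypted": False, "Version": "10.0"}, fh)
    file_id = backup_file_id(*KNOWN_ARTEFACTS["sms"])
    os.makedirs(os.path.join(backup_dir, file_id[:2]))
    with open(os.path.join(backup_dir, file_id[:2], file_id), "wb") as fh:
        fh.write(b"SQLite format 3\x00")   # constructed placeholder, not a real database
    return backup_dir


if __name__ == "__main__":
    demo = build_demo_backup()
    print("encrypted:", backup_is_encrypted(demo))
    for name, info in locate_artefacts(demo).items():
        print(name, info["id"], info["path"], info.get("sha1"))
```

On a real backup, point `locate_artefacts` at the folder named after the device UDID. From iOS 10 on, `Manifest.db` (an SQLite index of file id, domain and relative path) lists every file the backup holds, so unknown artefacts can be enumerated from it rather than guessed; when `backup_is_encrypted` returns true, that index and the file contents are protected by the backup password and no hash lookup will help.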
IPHONE SPY
 Link Ch 13d
MOBILE FORENSICS TOOLS
 Paraben Software Device Seizure Toolbox
 Contains cables, SIM card readers, and more
 Data Pilot
 Similar to Paraben
 BitPim
 Can view data on many phones, but it's not intended for forensics: it is a phone-management tool that can also write to the handset
 MOBILedit!
 Has a write-blocker
 SIMCon
 Reads files on SIM cards
 Recovers deleted text messages
 Archives files with MD5 and SHA-1 hashes
 Software tools differ in the items they display and the level of detail, so validate findings from one tool against another where possible

More Related Content

What's hot

Collecting and preserving digital evidence
Collecting and preserving digital evidenceCollecting and preserving digital evidence
Collecting and preserving digital evidenceOnline
 
04 Evidence Collection and Data Seizure - Notes
04 Evidence Collection and Data Seizure - Notes04 Evidence Collection and Data Seizure - Notes
04 Evidence Collection and Data Seizure - NotesKranthi
 
Lecture 4,5, 6 comp forensics 19 9-2018 basic security
Lecture 4,5, 6 comp forensics 19 9-2018 basic securityLecture 4,5, 6 comp forensics 19 9-2018 basic security
Lecture 4,5, 6 comp forensics 19 9-2018 basic securityAlchemist095
 
Cyber forensic standard operating procedures
Cyber forensic standard operating proceduresCyber forensic standard operating procedures
Cyber forensic standard operating proceduresSoumen Debgupta
 
Processing Crimes and Incident Scenes
Processing Crimes and Incident ScenesProcessing Crimes and Incident Scenes
Processing Crimes and Incident Scenesprimeteacher32
 
Computer forensics and its role
Computer forensics and its roleComputer forensics and its role
Computer forensics and its roleSudeshna Basak
 
Case study on Physical devices used in Computer forensics.
Case study on Physical devices used in Computer forensics.Case study on Physical devices used in Computer forensics.
Case study on Physical devices used in Computer forensics.Vishal Tandel
 
Cyber Forensics Overview
Cyber Forensics OverviewCyber Forensics Overview
Cyber Forensics OverviewYansi Keim
 
Role of a Forensic Investigator
Role of a Forensic InvestigatorRole of a Forensic Investigator
Role of a Forensic InvestigatorAgape Inc
 
06 Computer Image Verification and Authentication - Notes
06 Computer Image Verification and Authentication - Notes06 Computer Image Verification and Authentication - Notes
06 Computer Image Verification and Authentication - NotesKranthi
 
An introduction to cyber forensics and open source tools in cyber forensics
An introduction to cyber forensics and open source tools in cyber forensicsAn introduction to cyber forensics and open source tools in cyber forensics
An introduction to cyber forensics and open source tools in cyber forensicsZyxware Technologies
 
Chfi V3 Module 01 Computer Forensics In Todays World
Chfi V3 Module 01 Computer Forensics In Todays WorldChfi V3 Module 01 Computer Forensics In Todays World
Chfi V3 Module 01 Computer Forensics In Todays Worldgueste0d962
 
Lecture 9 and 10 comp forensics 09 10-18 file system
Lecture 9 and 10 comp forensics 09 10-18 file systemLecture 9 and 10 comp forensics 09 10-18 file system
Lecture 9 and 10 comp forensics 09 10-18 file systemAlchemist095
 
05 Duplication and Preservation of Digital evidence - Notes
05 Duplication and Preservation of Digital evidence - Notes05 Duplication and Preservation of Digital evidence - Notes
05 Duplication and Preservation of Digital evidence - NotesKranthi
 

What's hot (20)

Collecting and preserving digital evidence
Collecting and preserving digital evidenceCollecting and preserving digital evidence
Collecting and preserving digital evidence
 
04 Evidence Collection and Data Seizure - Notes
04 Evidence Collection and Data Seizure - Notes04 Evidence Collection and Data Seizure - Notes
04 Evidence Collection and Data Seizure - Notes
 
Computer Forensic
Computer ForensicComputer Forensic
Computer Forensic
 
cyber forensics
cyber forensicscyber forensics
cyber forensics
 
Lecture 4,5, 6 comp forensics 19 9-2018 basic security
Lecture 4,5, 6 comp forensics 19 9-2018 basic securityLecture 4,5, 6 comp forensics 19 9-2018 basic security
Lecture 4,5, 6 comp forensics 19 9-2018 basic security
 
Digital forensic tools
Digital forensic toolsDigital forensic tools
Digital forensic tools
 
File000117
File000117File000117
File000117
 
Cyber forensic standard operating procedures
Cyber forensic standard operating proceduresCyber forensic standard operating procedures
Cyber forensic standard operating procedures
 
Processing Crimes and Incident Scenes
Processing Crimes and Incident ScenesProcessing Crimes and Incident Scenes
Processing Crimes and Incident Scenes
 
Computer forensics and its role
Computer forensics and its roleComputer forensics and its role
Computer forensics and its role
 
Digital Forensics
Digital ForensicsDigital Forensics
Digital Forensics
 
Case study on Physical devices used in Computer forensics.
Case study on Physical devices used in Computer forensics.Case study on Physical devices used in Computer forensics.
Case study on Physical devices used in Computer forensics.
 
Cyber Forensics Overview
Cyber Forensics OverviewCyber Forensics Overview
Cyber Forensics Overview
 
Role of a Forensic Investigator
Role of a Forensic InvestigatorRole of a Forensic Investigator
Role of a Forensic Investigator
 
06 Computer Image Verification and Authentication - Notes
06 Computer Image Verification and Authentication - Notes06 Computer Image Verification and Authentication - Notes
06 Computer Image Verification and Authentication - Notes
 
An introduction to cyber forensics and open source tools in cyber forensics
An introduction to cyber forensics and open source tools in cyber forensicsAn introduction to cyber forensics and open source tools in cyber forensics
An introduction to cyber forensics and open source tools in cyber forensics
 
Chfi V3 Module 01 Computer Forensics In Todays World
Chfi V3 Module 01 Computer Forensics In Todays WorldChfi V3 Module 01 Computer Forensics In Todays World
Chfi V3 Module 01 Computer Forensics In Todays World
 
Lecture 9 and 10 comp forensics 09 10-18 file system
Lecture 9 and 10 comp forensics 09 10-18 file systemLecture 9 and 10 comp forensics 09 10-18 file system
Lecture 9 and 10 comp forensics 09 10-18 file system
 
05 Duplication and Preservation of Digital evidence - Notes
05 Duplication and Preservation of Digital evidence - Notes05 Duplication and Preservation of Digital evidence - Notes
05 Duplication and Preservation of Digital evidence - Notes
 
File000116
File000116File000116
File000116
 

Similar to CS6004 Cyber Forensics - UNIT V

Digital Forensics in the Archive
Digital Forensics in the ArchiveDigital Forensics in the Archive
Digital Forensics in the ArchiveGarethKnight
 
02 Types of Computer Forensics Technology - Notes
02 Types of Computer Forensics Technology - Notes02 Types of Computer Forensics Technology - Notes
02 Types of Computer Forensics Technology - NotesKranthi
 
Computer Forensics chap 3+4.DS_Store__MACOSXComputer Foren.docx
Computer Forensics chap 3+4.DS_Store__MACOSXComputer Foren.docxComputer Forensics chap 3+4.DS_Store__MACOSXComputer Foren.docx
Computer Forensics chap 3+4.DS_Store__MACOSXComputer Foren.docxmaxinesmith73660
 
Cloudslam09:Building a Cloud Computing Analysis System for Intrusion Detection
Cloudslam09:Building a Cloud Computing Analysis System for  Intrusion DetectionCloudslam09:Building a Cloud Computing Analysis System for  Intrusion Detection
Cloudslam09:Building a Cloud Computing Analysis System for Intrusion DetectionWei-Yu Chen
 
Introduction to Forensics and Steganography by Pardhasaradhi C
Introduction to Forensics and Steganography by Pardhasaradhi CIntroduction to Forensics and Steganography by Pardhasaradhi C
Introduction to Forensics and Steganography by Pardhasaradhi Cn|u - The Open Security Community
 
Digital Forensic Tools - Application Specific.
Digital Forensic Tools - Application Specific.Digital Forensic Tools - Application Specific.
Digital Forensic Tools - Application Specific.guestcf6f5b
 
Digital Forensic tools - Application Specific
Digital Forensic tools - Application SpecificDigital Forensic tools - Application Specific
Digital Forensic tools - Application Specificideaflashed
 
Analysis of digital evidence
Analysis of digital evidenceAnalysis of digital evidence
Analysis of digital evidencerakesh mishra
 
Debian Linux as a Forensic Workstation
Debian Linux as a Forensic Workstation Debian Linux as a Forensic Workstation
Debian Linux as a Forensic Workstation Vipin George
 
Computer forensics toolkit
Computer forensics toolkitComputer forensics toolkit
Computer forensics toolkitMilap Oza
 
Computer forensics
Computer forensicsComputer forensics
Computer forensicsSCREAM138
 
Choosing the right software for your research study : an overview of leading ...
Choosing the right software for your research study : an overview of leading ...Choosing the right software for your research study : an overview of leading ...
Choosing the right software for your research study : an overview of leading ...Merlien Institute
 
Introduction To Forensic Methodologies
Introduction To Forensic MethodologiesIntroduction To Forensic Methodologies
Introduction To Forensic MethodologiesLedjit
 
Green Station Overview Final
Green Station Overview   FinalGreen Station Overview   Final
Green Station Overview Finalbeckeys
 
Digital Forensic ppt
Digital Forensic pptDigital Forensic ppt
Digital Forensic pptSuchita Rawat
 

Similar to CS6004 Cyber Forensics - UNIT V (20)

Digital Forensics in the Archive
Digital Forensics in the ArchiveDigital Forensics in the Archive
Digital Forensics in the Archive
 
02 Types of Computer Forensics Technology - Notes
02 Types of Computer Forensics Technology - Notes02 Types of Computer Forensics Technology - Notes
02 Types of Computer Forensics Technology - Notes
 
Computer Forensics chap 3+4.DS_Store__MACOSXComputer Foren.docx
Computer Forensics chap 3+4.DS_Store__MACOSXComputer Foren.docxComputer Forensics chap 3+4.DS_Store__MACOSXComputer Foren.docx
Computer Forensics chap 3+4.DS_Store__MACOSXComputer Foren.docx
 
Cloudslam09:Building a Cloud Computing Analysis System for Intrusion Detection
Cloudslam09:Building a Cloud Computing Analysis System for  Intrusion DetectionCloudslam09:Building a Cloud Computing Analysis System for  Intrusion Detection
Cloudslam09:Building a Cloud Computing Analysis System for Intrusion Detection
 
Latest presentation
Latest presentationLatest presentation
Latest presentation
 
Introduction to Forensics and Steganography by Pardhasaradhi C
Introduction to Forensics and Steganography by Pardhasaradhi CIntroduction to Forensics and Steganography by Pardhasaradhi C
Introduction to Forensics and Steganography by Pardhasaradhi C
 
intro to forensics
intro to forensicsintro to forensics
intro to forensics
 
Digital Forensic Tools - Application Specific.
Digital Forensic Tools - Application Specific.Digital Forensic Tools - Application Specific.
Digital Forensic Tools - Application Specific.
 
Digital Forensic tools - Application Specific
Digital Forensic tools - Application SpecificDigital Forensic tools - Application Specific
Digital Forensic tools - Application Specific
 
Analysis of digital evidence
Analysis of digital evidenceAnalysis of digital evidence
Analysis of digital evidence
 
Computer Forensic
Computer ForensicComputer Forensic
Computer Forensic
 
DR FAT
DR FATDR FAT
DR FAT
 
Debian Linux as a Forensic Workstation
Debian Linux as a Forensic Workstation Debian Linux as a Forensic Workstation
Debian Linux as a Forensic Workstation
 
Computer forensics toolkit
Computer forensics toolkitComputer forensics toolkit
Computer forensics toolkit
 
Fs Ch 18
Fs Ch 18Fs Ch 18
Fs Ch 18
 
Computer forensics
Computer forensicsComputer forensics
Computer forensics
 
Choosing the right software for your research study : an overview of leading ...
Choosing the right software for your research study : an overview of leading ...Choosing the right software for your research study : an overview of leading ...
Choosing the right software for your research study : an overview of leading ...
 
Introduction To Forensic Methodologies
Introduction To Forensic MethodologiesIntroduction To Forensic Methodologies
Introduction To Forensic Methodologies
 
Green Station Overview Final
Green Station Overview   FinalGreen Station Overview   Final
Green Station Overview Final
 
Digital Forensic ppt
Digital Forensic pptDigital Forensic ppt
Digital Forensic ppt
 

More from ArthyR3

Unit IV Knowledge and Hybrid Recommendation System.pdf
Unit IV Knowledge and Hybrid Recommendation System.pdfUnit IV Knowledge and Hybrid Recommendation System.pdf
Unit IV Knowledge and Hybrid Recommendation System.pdfArthyR3
 
VIT336 – Recommender System - Unit 3.pdf
VIT336 – Recommender System - Unit 3.pdfVIT336 – Recommender System - Unit 3.pdf
VIT336 – Recommender System - Unit 3.pdfArthyR3
 
OOPs - JAVA Quick Reference.pdf
OOPs - JAVA Quick Reference.pdfOOPs - JAVA Quick Reference.pdf
OOPs - JAVA Quick Reference.pdfArthyR3
 
NodeJS and ExpressJS.pdf
NodeJS and ExpressJS.pdfNodeJS and ExpressJS.pdf
NodeJS and ExpressJS.pdfArthyR3
 
MongoDB.pdf
MongoDB.pdfMongoDB.pdf
MongoDB.pdfArthyR3
 
REACTJS.pdf
REACTJS.pdfREACTJS.pdf
REACTJS.pdfArthyR3
 
ANGULARJS.pdf
ANGULARJS.pdfANGULARJS.pdf
ANGULARJS.pdfArthyR3
 
JQUERY.pdf
JQUERY.pdfJQUERY.pdf
JQUERY.pdfArthyR3
 
Qb it1301
Qb   it1301Qb   it1301
Qb it1301ArthyR3
 
CNS - Unit v
CNS - Unit vCNS - Unit v
CNS - Unit vArthyR3
 
Cs8792 cns - unit v
Cs8792   cns - unit vCs8792   cns - unit v
Cs8792 cns - unit vArthyR3
 
Cs8792 cns - unit iv
Cs8792   cns - unit ivCs8792   cns - unit iv
Cs8792 cns - unit ivArthyR3
 
Cs8792 cns - unit iv
Cs8792   cns - unit ivCs8792   cns - unit iv
Cs8792 cns - unit ivArthyR3
 
Cs8792 cns - unit i
Cs8792   cns - unit iCs8792   cns - unit i
Cs8792 cns - unit iArthyR3
 
Java quick reference
Java quick referenceJava quick reference
Java quick referenceArthyR3
 
Cs8792 cns - Public key cryptosystem (Unit III)
Cs8792   cns - Public key cryptosystem (Unit III)Cs8792   cns - Public key cryptosystem (Unit III)
Cs8792 cns - Public key cryptosystem (Unit III)ArthyR3
 
Cryptography Workbook
Cryptography WorkbookCryptography Workbook
Cryptography WorkbookArthyR3
 
Cs6701 cryptography and network security
Cs6701 cryptography and network securityCs6701 cryptography and network security
Cs6701 cryptography and network securityArthyR3
 
Compiler question bank
Compiler question bankCompiler question bank
Compiler question bankArthyR3
 

More from ArthyR3 (20)

Unit IV Knowledge and Hybrid Recommendation System.pdf
Unit IV Knowledge and Hybrid Recommendation System.pdfUnit IV Knowledge and Hybrid Recommendation System.pdf
Unit IV Knowledge and Hybrid Recommendation System.pdf
 
VIT336 – Recommender System - Unit 3.pdf
VIT336 – Recommender System - Unit 3.pdfVIT336 – Recommender System - Unit 3.pdf
VIT336 – Recommender System - Unit 3.pdf
 
OOPs - JAVA Quick Reference.pdf
OOPs - JAVA Quick Reference.pdfOOPs - JAVA Quick Reference.pdf
OOPs - JAVA Quick Reference.pdf
 
NodeJS and ExpressJS.pdf
NodeJS and ExpressJS.pdfNodeJS and ExpressJS.pdf
NodeJS and ExpressJS.pdf
 
MongoDB.pdf
MongoDB.pdfMongoDB.pdf
MongoDB.pdf
 
REACTJS.pdf
REACTJS.pdfREACTJS.pdf
REACTJS.pdf
 
ANGULARJS.pdf
ANGULARJS.pdfANGULARJS.pdf
ANGULARJS.pdf
 
JQUERY.pdf
JQUERY.pdfJQUERY.pdf
JQUERY.pdf
 
Qb it1301
Qb   it1301Qb   it1301
Qb it1301
 
CNS - Unit v
CNS - Unit vCNS - Unit v
CNS - Unit v
 
Cs8792 cns - unit v
Cs8792   cns - unit vCs8792   cns - unit v
Cs8792 cns - unit v
 
Cs8792 cns - unit iv
Cs8792   cns - unit ivCs8792   cns - unit iv
Cs8792 cns - unit iv
 
Cs8792 cns - unit iv
Cs8792   cns - unit ivCs8792   cns - unit iv
Cs8792 cns - unit iv
 
Cs8792 cns - unit i
Cs8792   cns - unit iCs8792   cns - unit i
Cs8792 cns - unit i
 
Java quick reference
Java quick referenceJava quick reference
Java quick reference
 
Cs8792 cns - Public key cryptosystem (Unit III)
Cs8792   cns - Public key cryptosystem (Unit III)Cs8792   cns - Public key cryptosystem (Unit III)
Cs8792 cns - Public key cryptosystem (Unit III)
 
Cryptography Workbook
Cryptography WorkbookCryptography Workbook
Cryptography Workbook
 
Cns
CnsCns
Cns
 
Cs6701 cryptography and network security
Cs6701 cryptography and network securityCs6701 cryptography and network security
Cs6701 cryptography and network security
 
Compiler question bank
Compiler question bankCompiler question bank
Compiler question bank
 

Recently uploaded

Computer Networks Basics of Network Devices
Computer Networks  Basics of Network DevicesComputer Networks  Basics of Network Devices
Computer Networks Basics of Network DevicesChandrakantDivate1
 
COST-EFFETIVE and Energy Efficient BUILDINGS ptx
COST-EFFETIVE  and Energy Efficient BUILDINGS ptxCOST-EFFETIVE  and Energy Efficient BUILDINGS ptx
COST-EFFETIVE and Energy Efficient BUILDINGS ptxJIT KUMAR GUPTA
 
Max. shear stress theory-Maximum Shear Stress Theory ​ Maximum Distortional ...
Max. shear stress theory-Maximum Shear Stress Theory ​  Maximum Distortional ...Max. shear stress theory-Maximum Shear Stress Theory ​  Maximum Distortional ...
Max. shear stress theory-Maximum Shear Stress Theory ​ Maximum Distortional ...ronahami
 
Hospital management system project report.pdf
Hospital management system project report.pdfHospital management system project report.pdf
Hospital management system project report.pdfKamal Acharya
 
Hostel management system project report..pdf
Hostel management system project report..pdfHostel management system project report..pdf
Hostel management system project report..pdfKamal Acharya
 
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXssuser89054b
 
Online food ordering system project report.pdf
Online food ordering system project report.pdfOnline food ordering system project report.pdf
Online food ordering system project report.pdfKamal Acharya
 
Bhubaneswar🌹Call Girls Bhubaneswar ❤Komal 9777949614 💟 Full Trusted CALL GIRL...
Bhubaneswar🌹Call Girls Bhubaneswar ❤Komal 9777949614 💟 Full Trusted CALL GIRL...Bhubaneswar🌹Call Girls Bhubaneswar ❤Komal 9777949614 💟 Full Trusted CALL GIRL...
Bhubaneswar🌹Call Girls Bhubaneswar ❤Komal 9777949614 💟 Full Trusted CALL GIRL...Call Girls Mumbai
 
Unit 4_Part 1 CSE2001 Exception Handling and Function Template and Class Temp...
Unit 4_Part 1 CSE2001 Exception Handling and Function Template and Class Temp...Unit 4_Part 1 CSE2001 Exception Handling and Function Template and Class Temp...
Unit 4_Part 1 CSE2001 Exception Handling and Function Template and Class Temp...drmkjayanthikannan
 
Digital Communication Essentials: DPCM, DM, and ADM .pptx
Digital Communication Essentials: DPCM, DM, and ADM .pptxDigital Communication Essentials: DPCM, DM, and ADM .pptx
Digital Communication Essentials: DPCM, DM, and ADM .pptxpritamlangde
 
Introduction to Serverless with AWS Lambda
Introduction to Serverless with AWS LambdaIntroduction to Serverless with AWS Lambda
Introduction to Serverless with AWS LambdaOmar Fathy
 
Tamil Call Girls Bhayandar WhatsApp +91-9930687706, Best Service
Tamil Call Girls Bhayandar WhatsApp +91-9930687706, Best ServiceTamil Call Girls Bhayandar WhatsApp +91-9930687706, Best Service
Tamil Call Girls Bhayandar WhatsApp +91-9930687706, Best Servicemeghakumariji156
 
Linux Systems Programming: Inter Process Communication (IPC) using Pipes
Linux Systems Programming: Inter Process Communication (IPC) using PipesLinux Systems Programming: Inter Process Communication (IPC) using Pipes
Linux Systems Programming: Inter Process Communication (IPC) using PipesRashidFaridChishti
 
💚Trustworthy Call Girls Pune Call Girls Service Just Call 🍑👄6378878445 🍑👄 Top...
💚Trustworthy Call Girls Pune Call Girls Service Just Call 🍑👄6378878445 🍑👄 Top...💚Trustworthy Call Girls Pune Call Girls Service Just Call 🍑👄6378878445 🍑👄 Top...
💚Trustworthy Call Girls Pune Call Girls Service Just Call 🍑👄6378878445 🍑👄 Top...vershagrag
 
Electromagnetic relays used for power system .pptx
Electromagnetic relays used for power system .pptxElectromagnetic relays used for power system .pptx
Electromagnetic relays used for power system .pptxNANDHAKUMARA10
 
1_Introduction + EAM Vocabulary + how to navigate in EAM.pdf
1_Introduction + EAM Vocabulary + how to navigate in EAM.pdf1_Introduction + EAM Vocabulary + how to navigate in EAM.pdf
1_Introduction + EAM Vocabulary + how to navigate in EAM.pdfAldoGarca30
 
Ghuma $ Russian Call Girls Ahmedabad ₹7.5k Pick Up & Drop With Cash Payment 8...
Ghuma $ Russian Call Girls Ahmedabad ₹7.5k Pick Up & Drop With Cash Payment 8...Ghuma $ Russian Call Girls Ahmedabad ₹7.5k Pick Up & Drop With Cash Payment 8...
Ghuma $ Russian Call Girls Ahmedabad ₹7.5k Pick Up & Drop With Cash Payment 8...gragchanchal546
 
School management system project Report.pdf
School management system project Report.pdfSchool management system project Report.pdf
School management system project Report.pdfKamal Acharya
 
DeepFakes presentation : brief idea of DeepFakes
DeepFakes presentation : brief idea of DeepFakesDeepFakes presentation : brief idea of DeepFakes
DeepFakes presentation : brief idea of DeepFakesMayuraD1
 

Recently uploaded (20)

Computer Networks Basics of Network Devices
Computer Networks  Basics of Network DevicesComputer Networks  Basics of Network Devices
Computer Networks Basics of Network Devices
 
COST-EFFETIVE and Energy Efficient BUILDINGS ptx
COST-EFFETIVE  and Energy Efficient BUILDINGS ptxCOST-EFFETIVE  and Energy Efficient BUILDINGS ptx
COST-EFFETIVE and Energy Efficient BUILDINGS ptx
 
Max. shear stress theory-Maximum Shear Stress Theory ​ Maximum Distortional ...
Max. shear stress theory-Maximum Shear Stress Theory ​  Maximum Distortional ...Max. shear stress theory-Maximum Shear Stress Theory ​  Maximum Distortional ...
Max. shear stress theory-Maximum Shear Stress Theory ​ Maximum Distortional ...
 
Hospital management system project report.pdf
Hospital management system project report.pdfHospital management system project report.pdf
Hospital management system project report.pdf
 
Hostel management system project report..pdf
Hostel management system project report..pdfHostel management system project report..pdf
Hostel management system project report..pdf
 
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 
Online food ordering system project report.pdf
Online food ordering system project report.pdfOnline food ordering system project report.pdf
Online food ordering system project report.pdf
 
Bhubaneswar🌹Call Girls Bhubaneswar ❤Komal 9777949614 💟 Full Trusted CALL GIRL...
Bhubaneswar🌹Call Girls Bhubaneswar ❤Komal 9777949614 💟 Full Trusted CALL GIRL...Bhubaneswar🌹Call Girls Bhubaneswar ❤Komal 9777949614 💟 Full Trusted CALL GIRL...
Bhubaneswar🌹Call Girls Bhubaneswar ❤Komal 9777949614 💟 Full Trusted CALL GIRL...
 
Unit 4_Part 1 CSE2001 Exception Handling and Function Template and Class Temp...
Unit 4_Part 1 CSE2001 Exception Handling and Function Template and Class Temp...Unit 4_Part 1 CSE2001 Exception Handling and Function Template and Class Temp...
Unit 4_Part 1 CSE2001 Exception Handling and Function Template and Class Temp...
 
Digital Communication Essentials: DPCM, DM, and ADM .pptx
Digital Communication Essentials: DPCM, DM, and ADM .pptxDigital Communication Essentials: DPCM, DM, and ADM .pptx
Digital Communication Essentials: DPCM, DM, and ADM .pptx
 
Introduction to Serverless with AWS Lambda
Introduction to Serverless with AWS LambdaIntroduction to Serverless with AWS Lambda
Introduction to Serverless with AWS Lambda
 
Tamil Call Girls Bhayandar WhatsApp +91-9930687706, Best Service
Tamil Call Girls Bhayandar WhatsApp +91-9930687706, Best ServiceTamil Call Girls Bhayandar WhatsApp +91-9930687706, Best Service
Tamil Call Girls Bhayandar WhatsApp +91-9930687706, Best Service
 
Call Girls in South Ex (delhi) call me [🔝9953056974🔝] escort service 24X7
Call Girls in South Ex (delhi) call me [🔝9953056974🔝] escort service 24X7Call Girls in South Ex (delhi) call me [🔝9953056974🔝] escort service 24X7
Call Girls in South Ex (delhi) call me [🔝9953056974🔝] escort service 24X7
 
Linux Systems Programming: Inter Process Communication (IPC) using Pipes
Linux Systems Programming: Inter Process Communication (IPC) using PipesLinux Systems Programming: Inter Process Communication (IPC) using Pipes
Linux Systems Programming: Inter Process Communication (IPC) using Pipes
 
💚Trustworthy Call Girls Pune Call Girls Service Just Call 🍑👄6378878445 🍑👄 Top...
💚Trustworthy Call Girls Pune Call Girls Service Just Call 🍑👄6378878445 🍑👄 Top...💚Trustworthy Call Girls Pune Call Girls Service Just Call 🍑👄6378878445 🍑👄 Top...
💚Trustworthy Call Girls Pune Call Girls Service Just Call 🍑👄6378878445 🍑👄 Top...
 
Electromagnetic relays used for power system .pptx
Electromagnetic relays used for power system .pptxElectromagnetic relays used for power system .pptx
Electromagnetic relays used for power system .pptx
 
1_Introduction + EAM Vocabulary + how to navigate in EAM.pdf
1_Introduction + EAM Vocabulary + how to navigate in EAM.pdf1_Introduction + EAM Vocabulary + how to navigate in EAM.pdf
1_Introduction + EAM Vocabulary + how to navigate in EAM.pdf
 
Ghuma $ Russian Call Girls Ahmedabad ₹7.5k Pick Up & Drop With Cash Payment 8...
Ghuma $ Russian Call Girls Ahmedabad ₹7.5k Pick Up & Drop With Cash Payment 8...Ghuma $ Russian Call Girls Ahmedabad ₹7.5k Pick Up & Drop With Cash Payment 8...
Ghuma $ Russian Call Girls Ahmedabad ₹7.5k Pick Up & Drop With Cash Payment 8...
 
School management system project Report.pdf
School management system project Report.pdfSchool management system project Report.pdf
School management system project Report.pdf
 
DeepFakes presentation : brief idea of DeepFakes
DeepFakes presentation : brief idea of DeepFakesDeepFakes presentation : brief idea of DeepFakes
DeepFakes presentation : brief idea of DeepFakes
 

CS6004 Cyber Forensics - UNIT V

• 1. CS6004 – CYBER FORENSICS
  UNIT V: ANALYSIS AND VALIDATION
• 2. OUTLINE
  - Validating Forensics Data
  - Data Hiding Techniques
  - Performing Remote Acquisition
  - Network Forensics
  - Email Investigations
  - Cell Phone and Mobile Devices Forensics
• 4. OBJECTIVES
  - Determine what data to analyze in a computer forensics investigation
  - Explain tools used to validate data
  - Explain common data-hiding techniques
  - Describe methods of performing a remote acquisition
• 5. DETERMINING WHAT DATA TO COLLECT AND ANALYZE
• 6. INTRODUCTION
  - Examining and analyzing digital evidence depends on:
    - Nature of the case
    - Amount of data to process
    - Search warrants and court orders
    - Company policies
  - Scope creep
    - Investigation expands beyond the original description
  - Right of full discovery of digital evidence
• 7. APPROACHING COMPUTER FORENSICS CASES
  - Some basic principles apply to almost all computer forensics cases
    - The approach you take depends largely on the specific type of case you’re investigating
  - Basic steps for all computer forensics investigations
    - For target drives, use only recently wiped media that have been reformatted and inspected for computer viruses
    - Inventory the hardware on the suspect’s computer and note the condition of the computer when seized
    - Remove the original drive from the computer
    - Check date and time values in the system’s CMOS
    - Record how you acquired data from the suspect drive
    - Process the data methodically and logically
• 8. [CONTD…]
    - List all folders and files on the image or drive
    - If possible, examine the contents of all data files in all folders, starting at the root directory of the volume partition
    - For all password-protected files that might be related to the investigation, make your best effort to recover file contents
    - Identify the function of every executable (binary or .exe) file that doesn’t match known hash values
    - Maintain control of all evidence and findings, and document everything as you progress through your examination
• 9. REFINING AND MODIFYING THE INVESTIGATION PLAN
  - Considerations
    - Determine the scope of the investigation
    - Determine what the case requires
    - Whether you should collect all information
    - What to do in case of scope creep
  - The key is to start with a plan but remain flexible in the face of new evidence
• 10. USING ACCESSDATA FORENSIC TOOLKIT TO ANALYZE DATA
  - Supported file systems: FAT12/16/32, NTFS, Ext2fs, and Ext3fs
  - FTK can analyze data from several sources, including image files from other vendors
  - FTK produces a case log file
  - Searching for keywords
    - Indexed search
    - Live search
    - Supports options and advanced searching techniques, such as stemming
• 13. [CONTD…]
  - Analyzes compressed files
  - You can generate reports
    - Using bookmarks
• 15. INTRODUCTION
  - One of the most critical aspects of computer forensics
  - Ensuring the integrity of data you collect is essential for presenting evidence in court
  - Most computer forensic tools provide automated hashing of image files
  - Computer forensics tools have some limitations in performing hashing
    - Learning how to use advanced hexadecimal editors is necessary to ensure data integrity
• 16. VALIDATING WITH HEXADECIMAL EDITORS
  - Advanced hexadecimal editors offer many features not available in computer forensics tools
    - Such as hashing specific files or sectors
  - Hex Workshop provides several hashing algorithms
    - Such as MD5 and SHA-1
    - See Figures 9-4 through 9-6
  - Hex Workshop also generates the hash value of selected data sets in a file or sector
• 20. [CONTD…]
  - Using hash values to discriminate data
    - AccessData has a separate database, the Known File Filter (KFF)
    - Filters known program files from view, such as MSWord.exe, and identifies known illegal files, such as child pornography
    - KFF compares known file hash values to files on your evidence drive or image files
    - Periodically, AccessData updates these known file hash values and posts an updated KFF
• 21. VALIDATING WITH COMPUTER FORENSICS PROGRAMS
  - Commercial computer forensics programs have built-in validation features
  - ProDiscover’s .eve files contain metadata that includes the hash value
    - Validation is done automatically
  - Raw format image files (.dd extension) don’t contain metadata
    - So you must validate raw format image files manually to ensure the integrity of data
  - In AccessData FTK Imager
    - When you select the Expert Witness (.e01) or the SMART (.s01) format, additional options for validating the acquisition are displayed
    - Validation report lists MD5 and SHA-1 hash values
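Slides 16, 20 and 21 describe three uses of hashing: validating a raw image whose format carries no hash, hashing a selected sector range in a hex editor, and filtering files against a known-hash set (KFF). The script below is an added example, not from the slides or from AccessData; the image, the "recorded" hash values and the known-hash set are constructed in memory.

```python
"""Added example (not part of the slides): validating a raw (.dd) image
manually. A raw image carries no embedded hash, so the examiner records
MD5 and SHA-1 at acquisition and recomputes them later; the same routine
hashes a chosen sector range, as a hex editor would, and screens files
against a set of known hashes the way the KFF does. The image, the
'recorded' values and the known-hash set are all constructed in memory."""
import hashlib
import io

SECTOR_SIZE = 512


def md5_hex(data):
    """MD5 hex digest of an in-memory blob (used for the known-file set)."""
    return hashlib.md5(data).hexdigest()


def hash_stream(stream, algorithms=("md5", "sha1"), chunk_size=1 << 20):
    """Hash a whole file-like object in chunks; returns {algorithm: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    stream.seek(0)
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_sectors(stream, first_sector, count, algorithm="md5"):
    """Hash `count` sectors starting at `first_sector`, like selecting a
    sector range in a hex editor."""
    stream.seek(first_sector * SECTOR_SIZE)
    return hashlib.new(algorithm, stream.read(count * SECTOR_SIZE)).hexdigest()


def validate_image(stream, recorded):
    """Recompute the recorded algorithms and compare.

    Returns (ok, mismatched_algorithms)."""
    current = hash_stream(stream, tuple(recorded))
    mismatches = [alg for alg in recorded if current[alg] != recorded[alg]]
    return (not mismatches, mismatches)


def filter_known_files(files, known_hashes):
    """Split {name: content} into (unknown, known) by MD5, a KFF-style lookup.
    The unknown executables are the ones whose function must be identified."""
    unknown, known = {}, {}
    for name, data in files.items():
        digest = md5_hex(data)
        (known if digest in known_hashes else unknown)[name] = digest
    return unknown, known


def demo():
    """Constructed 4-sector image: sector n is filled with the byte 'A' + n."""
    original = b"".join(bytes([c]) * SECTOR_SIZE for c in b"ABCD")
    image = io.BytesIO(original)
    recorded = hash_stream(image)              # values noted at acquisition
    ok_before, _ = validate_image(image, recorded)

    # One byte changed in sector 2 after acquisition (constructed tampering).
    pos = 2 * SECTOR_SIZE + 7
    tampered = io.BytesIO(original[:pos] + b"X" + original[pos + 1:])
    ok_after, mismatched = validate_image(tampered, recorded)

    # Sector-level hashing localises the change to sector 2 only.
    changed_sectors = [n for n in range(4)
                       if hash_sectors(image, n, 1) != hash_sectors(tampered, n, 1)]
    return ok_before, ok_after, mismatched, changed_sectors


if __name__ == "__main__":
    print(demo())   # (True, False, ['md5', 'sha1'], [2])
```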
• 23. ADDRESSING DATA-HIDING TECHNIQUES
  - File manipulation
    - Filenames and extensions
    - Hidden property
  - Disk manipulation
    - Hidden partitions
    - Bad clusters
  - Encryption
  - Bit shifting
  - Steganography
• 24. HIDING PARTITIONS
  - Delete references to a partition using a disk editor
    - Re-create links for accessing it
  - Use disk-partitioning utilities
    - GDisk
    - PartitionMagic
    - System Commander
    - LILO
  - Account for all disk space when analyzing a disk
• 26. MARKING BAD CLUSTERS
  - Common with FAT systems
  - Place sensitive information on free space
  - Use a disk editor to mark space as a bad cluster
  - To mark a good cluster as bad using Norton Disk Edit
    - Type B in the FAT entry corresponding to that cluster
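Slide 26 explains the technique; the examiner's counterpart is to account for every cluster the FAT marks as bad and check whether it really is empty. The script below is an added example, not from the slides; the FAT16 layout and the tiny volume image are constructed, not a real disk.

```python
"""Added example (not part of the slides): accounting for FAT16 clusters
marked bad. The OS never reads a cluster whose FAT entry is the bad-cluster
marker (0xFFF7), so data parked there stays out of view; the examiner lists
those clusters and checks whether they actually hold data. The volume
layout and contents below are constructed, not a real disk."""
import struct

FAT16_BAD = 0xFFF7        # FAT16 entry meaning "bad cluster"
FIRST_DATA_CLUSTER = 2    # clusters 0 and 1 are reserved in FAT


def parse_fat16(fat_bytes):
    """Return FAT16 entries as a list indexed by cluster number."""
    count = len(fat_bytes) // 2
    return list(struct.unpack("<%dH" % count, fat_bytes[:count * 2]))


def bad_clusters(entries):
    """Cluster numbers carrying the bad-cluster marker."""
    return [n for n, e in enumerate(entries)
            if n >= FIRST_DATA_CLUSTER and e == FAT16_BAD]


def cluster_offset(cluster, data_start, cluster_size):
    """Byte offset of a cluster: the data region starts with cluster 2."""
    return data_start + (cluster - FIRST_DATA_CLUSTER) * cluster_size


def suspicious_bad_clusters(image, fat_start, fat_size, data_start, cluster_size):
    """Marked-bad clusters that contain non-zero bytes.

    Returns [(cluster, offset, first_bytes)] for the examiner to inspect."""
    entries = parse_fat16(image[fat_start:fat_start + fat_size])
    hits = []
    for n in bad_clusters(entries):
        off = cluster_offset(n, data_start, cluster_size)
        blob = image[off:off + cluster_size]
        if any(blob):
            hits.append((n, off, bytes(blob).rstrip(b"\x00")[:16]))
    return hits


def build_sample_image():
    """Constructed tiny volume: a 16-entry FAT followed by 64-byte clusters.

    Cluster 2 is a normal one-cluster file, cluster 5 is marked bad but holds
    text, cluster 9 is marked bad and is genuinely empty."""
    cluster_size, n_clusters = 64, 16
    entries = [0xFFF8, 0xFFFF] + [0] * (n_clusters - 2)
    entries[2] = 0xFFFF            # end-of-chain: single-cluster file
    entries[5] = FAT16_BAD
    entries[9] = FAT16_BAD
    fat = struct.pack("<%dH" % n_clusters, *entries)
    data = bytearray((n_clusters - FIRST_DATA_CLUSTER) * cluster_size)

    def put(cluster, payload):
        off = cluster_offset(cluster, 0, cluster_size)
        data[off:off + len(payload)] = payload

    put(2, b"ordinary file")
    put(5, b"hidden notes")
    image = fat + bytes(data)
    # (image, fat_start, fat_size, data_start, cluster_size)
    return image, 0, len(fat), len(fat), cluster_size


if __name__ == "__main__":
    layout = build_sample_image()
    for cluster, off, head in suspicious_bad_clusters(*layout):
        print("cluster %d at offset %d: %r" % (cluster, off, head))
```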
• 27. BIT-SHIFTING
  - Old technique
  - Shift bit patterns to alter byte values of data
  - Make files look like binary executable code
  - Tool
    - Hex Workshop
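The slide names the technique; the script below is an added example, not from the slides or from Hex Workshop, showing what a fixed bit rotation does to text and how an examiner reverses it, including when the shift amount is unknown. The sample text is constructed.

```python
"""Added example (not part of the slides): bit shifting as the slide describes
it, and how an examiner reverses it. Rotating every byte by a fixed number of
bits turns readable text into bytes that look like binary executable data;
rotating back by the same amount recovers it, and when the amount is unknown
all eight rotations can be tried. The sample text is constructed."""


def rotate_byte(value, shift):
    """Rotate an 8-bit value left by `shift` bits (negative rotates right)."""
    shift %= 8
    return ((value << shift) | (value >> (8 - shift))) & 0xFF


def bit_shift(data, shift):
    """Apply the same rotation to every byte, as a hex editor's shift does."""
    return bytes(rotate_byte(b, shift) for b in data)


def unshift(data, shift):
    """Undo bit_shift by rotating right by the same amount."""
    return bit_shift(data, -shift)


def printable_ratio(data):
    """Fraction of bytes that are printable ASCII: a quick 'is this text?' score."""
    if not data:
        return 0.0
    return sum(32 <= b < 127 or b in (9, 10, 13) for b in data) / len(data)


def guess_shift(data):
    """Try all eight rotations and return (shift, recovered) for the most
    text-like result. Relies on ordinary text containing letters and spaces,
    which no non-zero rotation keeps fully printable."""
    best = max(range(8), key=lambda s: printable_ratio(unshift(data, s)))
    return best, unshift(data, best)


def demo():
    """Hide a constructed line of text with a 3-bit rotation, then recover it."""
    secret = b"Quarterly figures attached, see page 4"
    hidden = bit_shift(secret, 3)       # no longer reads as text
    return printable_ratio(hidden), guess_shift(hidden)


if __name__ == "__main__":
    ratio, (shift, recovered) = demo()
    print("printable after shift: %.2f" % ratio)
    print("recovered with shift %d: %r" % (shift, recovered))
```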
• 31. USING STEGANOGRAPHY TO HIDE DATA
  - Greek for “hidden writing”
  - Steganography tools were created to protect copyrighted material
    - By inserting digital watermarks into a file
  - Suspect can hide information on image or text document files
  - Most steganography programs can insert only small amounts of data into a file
  - Very hard to spot without prior knowledge
  - Tools: S-Tools, DPEnvelope, jpgx, and tte
• 32. EXAMINING ENCRYPTED FILES
  - Prevent unauthorized access
    - Employ a password or passphrase
  - Recovering data is difficult without the password
  - Key escrow
    - Designed to recover encrypted data if users forget their passphrases or if the user key is corrupted after a system failure
  - Cracking passwords
    - Requires experts and powerful computers
    - Persuade suspect to reveal password
• 33. RECOVERING PASSWORDS
  - Techniques
    - Dictionary attack
    - Brute-force attack
    - Password guessing based on suspect’s profile
  - Tools
    - AccessData PRTK
    - Advanced Password Recovery Software Toolkit
    - John the Ripper
  - Using AccessData tools with passworded and encrypted files
    - AccessData offers a tool called Password Recovery Toolkit (PRTK)
    - Can create possible password lists from many sources
    - Can create your own custom dictionary based on facts in the case
    - Can create a suspect profile and use biographical information to generate likely passwords
• 34. WORD LIST
  - FTK finds all strings in the data and makes a Word List from them
• 37. [CONTD…]
  - Using AccessData tools with passworded and encrypted files (continued)
    - FTK can identify known encrypted files and those that seem to be encrypted, and export them
    - You can then import these files into PRTK and attempt to crack them
• 41. INTRODUCTION
  - Remote acquisitions are handy when you need to image the drive of a computer far away from your location
    - Or when you don’t want a suspect to be aware of an ongoing investigation
• 42. REMOTE ACQUISITIONS WITH RUNTIME SOFTWARE
  - Runtime Software offers the following shareware programs for remote acquisitions:
    - DiskExplorer for FAT
    - DiskExplorer for NTFS
    - HDHOST
  - Preparing DiskExplorer and HDHOST for remote acquisitions
    - Requires the Runtime Software, a portable media device (USB thumb drive or floppy disk), and two networked computers
• 43. [CONTD…]
  - Making a remote connection with DiskExplorer
    - Requires running HDHOST on a suspect’s computer
  - To establish a connection with HDHOST, the suspect’s computer must be:
    - Connected to the network
    - Powered on
    - Logged on to any user account with permission to run noninstalled applications
  - HDHOST can’t be run surreptitiously
  - See Figures 9-18 through 9-24
• 51. [CONTD…]
  - Making a remote acquisition with DiskExplorer
    - After you have established a connection with DiskExplorer from the acquisition workstation, you can navigate through the suspect computer’s files and folders or copy data
  - The Runtime tools don’t generate a hash for acquisitions
• 54. OBJECTIVES
  - Describe primary concerns in conducting forensic examinations of virtual machines
  - Describe the importance of network forensics
  - Explain standard procedures for performing a live acquisition
  - Explain standard procedures for network forensics
  - Describe the use of network tools
• 55. VIRTUAL MACHINES OVERVIEW
  - Virtual machines are important in today’s networks
  - Investigators must know how to detect a virtual machine installed on a host, acquire an image of a virtual machine, and use virtual machines to examine malware
  - Check whether virtual machines are loaded on a host computer
  - Clues that virtual machines have been installed or uninstalled:
    - Folders named "Virtual Machines" or "My Virtual Machines"
    - Registry HKEY_CLASSES_ROOT shows file extensions .VMX or .VMC registered
    - VMware network adapter
• 56. VMWARE LICENSE REGISTRY KEY
  - Retained even if VMware is uninstalled
• 57. IMAGING A VIRTUAL HARD DISK
  - We have already covered that in the projects, including using a virtual write-blocker
• 59. INTRODUCTION
  - Network forensics
    - Systematic tracking of incoming and outgoing traffic to ascertain how an attack was carried out or how an event occurred on a network
  - Intruders leave a trail behind
  - Determine the cause of the abnormal traffic
    - Internal bug
    - Attackers
• 60. SECURING A NETWORK
  - Layered network defense strategy
    - Sets up layers of protection to hide the most valuable data at the innermost part of the network
  - Defense in depth (DiD)
    - Similar approach developed by the NSA
    - Modes of protection
      - People (hiring and treatment)
      - Technology (firewalls, IDSs, etc.)
      - Operations (patches, updates)
  - Testing networks is as important as testing servers
  - You need to be up to date on the latest methods intruders use to infiltrate networks
    - As well as methods internal employees use to sabotage networks
• 62. INTRODUCTION
  - Live acquisitions are especially useful when you’re dealing with active network intrusions or attacks
  - Live acquisitions done before taking a system offline are also becoming a necessity
    - Because attacks might leave footprints only in running processes or RAM
  - Live acquisitions don’t follow typical forensics procedures
  - Order of volatility (OOV)
    - How long a piece of information lasts on a system
• 63. [CONTD…]
  - Steps
    - Create or download a live-acquisition forensic CD
    - Make sure you keep a log of all your actions
    - A network drive is ideal as a place to send the information you collect; an alternative is a USB disk
    - Copy the physical memory (RAM)
    - The next step varies: search for rootkits, check firmware, image the drive over the network, or shut down for later static acquisition
    - Be sure to get a forensic hash value of all files you recover during the live acquisition
• 64. PERFORMING A LIVE ACQUISITION IN WINDOWS
  - Several tools are available to capture the RAM:
    - Mantech Memory DD
    - Win32dd
    - winen.exe from Guidance Software
    - BackTrack
• 66. DEVELOPING STANDARD PROCEDURES FOR NETWORK FORENSICS
• 67. INTRODUCTION
  - Long, tedious process
  - Standard procedure
    - Always use a standard installation image for systems on a network
    - Close any way in after an attack
    - Attempt to retrieve all volatile data
    - Acquire all compromised drives
    - Compare files on the forensic image to the original installation image
• 68. [CONTD…]
  - Computer forensics
    - Work from the image to find what has changed
  - Network forensics
    - Restore drives to understand the attack
    - Work on an isolated system
      - Prevents malware from affecting other systems
• 69. REVIEWING NETWORK LOGS
  - Record incoming and outgoing traffic
    - Network servers
    - Routers
    - Firewalls
  - Tcpdump tool for examining network traffic
    - Can generate top 10 lists
    - Can identify patterns
  - Attacks might include other companies
    - Do not reveal information discovered about other companies
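Slide 69 says tcpdump output can yield top-10 lists and reveal patterns. The script below is an added example, not from the slides or from the tcpdump project; it parses the default `tcpdump -n` TCP line format, builds the top-10 lists and flags one pattern (bare SYNs to many ports on a host that never answers). The capture lines are constructed.

```python
"""Added example (not part of the slides): reviewing tcpdump output the way
the slide describes, with top-10 lists and a pattern check. The parser reads
the default `tcpdump -n` line format for TCP; the capture is constructed."""
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed sample: one normal web session, one host probing many ports.
SAMPLE_LOG = """\
12:01:03.512345 IP 10.0.0.7.51234 > 192.168.1.10.80: Flags [S], seq 1, win 64240, length 0
12:01:03.512900 IP 192.168.1.10.80 > 10.0.0.7.51234: Flags [S.], seq 100, ack 2, win 65160, length 0
12:01:03.513100 IP 10.0.0.7.51234 > 192.168.1.10.80: Flags [.], ack 101, win 502, length 0
12:01:03.520000 IP 10.0.0.7.51234 > 192.168.1.10.80: Flags [P.], seq 2:80, ack 101, win 502, length 78
12:01:04.000001 IP 10.0.0.99.40001 > 192.168.1.20.21: Flags [S], seq 1, win 1024, length 0
12:01:04.000002 IP 10.0.0.99.40001 > 192.168.1.20.22: Flags [S], seq 1, win 1024, length 0
12:01:04.000003 IP 10.0.0.99.40001 > 192.168.1.20.23: Flags [S], seq 1, win 1024, length 0
12:01:04.000004 IP 10.0.0.99.40001 > 192.168.1.20.25: Flags [S], seq 1, win 1024, length 0
12:01:04.000005 IP 10.0.0.99.40001 > 192.168.1.20.80: Flags [S], seq 1, win 1024, length 0
12:01:04.000006 IP 10.0.0.99.40001 > 192.168.1.20.443: Flags [S], seq 1, win 1024, length 0
12:01:04.000100 IP 192.168.1.20.21 > 10.0.0.99.40001: Flags [R.], seq 0, ack 2, win 0, length 0
12:01:05.100000 IP 10.0.0.8.55000 > 192.168.1.10.80: Flags [S], seq 7, win 64240, length 0
12:01:05.100500 IP 192.168.1.10.80 > 10.0.0.8.55000: Flags [S.], seq 9, ack 8, win 65160, length 0
"""


def parse_tcpdump(text):
    """Parse TCP lines into dicts; lines in another format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
            records.append(rec)
    return records


def top_talkers(records, key="src", n=10):
    """Top-n addresses by packet count (key may be 'src' or 'dst')."""
    return Counter(r[key] for r in records).most_common(n)


def top_ports(records, n=10):
    """Top-n destination ports requested with a bare SYN."""
    return Counter(r["dport"] for r in records if r["flags"] == "S").most_common(n)


def syn_probe_suspects(records, min_ports=5):
    """Sources that sent bare SYNs to many ports on one host and never got a SYN/ACK.

    Returns [(src, dst, distinct_ports)] sorted by port count, highest first."""
    ports = defaultdict(set)
    answered = set()
    for r in records:
        if r["flags"] == "S":
            ports[(r["src"], r["dst"])].add(r["dport"])
        elif r["flags"] == "S.":
            answered.add((r["dst"], r["src"]))   # reply flows back to the initiator
    suspects = [(src, dst, len(p)) for (src, dst), p in ports.items()
                if len(p) >= min_ports and (src, dst) not in answered]
    return sorted(suspects, key=lambda s: -s[2])


if __name__ == "__main__":
    recs = parse_tcpdump(SAMPLE_LOG)
    print("top talkers:", top_talkers(recs))
    print("top ports:", top_ports(recs))
    print("unanswered multi-port SYN sources:", syn_probe_suspects(recs))
```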
• 71. USING NETWORK TOOLS
  - Sysinternals
    - A collection of free tools for examining Windows products
  - Examples of the Sysinternals tools:
    - RegMon shows Registry data in real time
    - Process Explorer shows what is loaded
    - Handle shows open files and the processes using them
    - Filemon shows file system activity
• 72. SYSINTERNALS
  - Link Ch 11b
• 73. [CONTD…]
  - Tools from the PsTools suite created by Sysinternals
    - PsExec runs processes remotely
    - PsGetSid displays security identifier (SID)
    - PsKill kills process by name or ID
    - PsList lists details about a process
    - PsLoggedOn shows who’s logged on locally
    - PsPasswd changes account passwords
    - PsService controls and views services
    - PsShutdown shuts down and restarts PCs
    - PsSuspend suspends processes
• 74. USING UNIX/LINUX TOOLS
  - Knoppix Security Tools Distribution (STD)
    - Bootable Linux CD intended for computer and network forensics
  - Knoppix-STD tools
    - Dcfldd, the U.S. DoD dd version
    - memfetch forces a memory dump
    - photorec grabs files from a digital camera
    - snort, an intrusion detection system
    - oinkmaster helps manage your snort rules
• 75. [CONTD…]
  - Knoppix-STD tools (continued)
    - john
    - chntpw resets passwords on a Windows PC
    - tcpdump and ethereal are packet sniffers
  - With the Knoppix STD tools on a portable CD, you can examine almost any network system
  - BackTrack
    - Contains more than 300 tools for network scanning, brute-force attacks, Bluetooth and wireless networks, and more
    - Includes forensics tools, such as Autopsy and Sleuth Kit
    - Easy to use and frequently updated
• 76. USING PACKET SNIFFERS
  - Packet sniffers
    - Devices or software that monitor network traffic
  - Most work at layer 2 or 3 of the OSI model
  - Most tools follow the PCAP format
  - Some packets can be identified by examining the flags in their TCP headers
• 77. TCP HEADER
  - (Figure: TCP header layout, from Wikipedia)
• 78. TOOLS
  - Tcpdump (command-line packet capture)
  - Tethereal (command-line version of Ethereal)
  - Wireshark (formerly Ethereal)
    - Graphical packet capture analysis
  - Snort (intrusion detection)
  - Tcpslice
    - Extracts information from one or more tcpdump files by time frame
  - Tcpreplay (replays packets)
  - Tcpdstat (near-realtime traffic statistics)
  - Ngrep (pattern-matching for pcap captures)
  - Etherape (views network traffic graphically)
  - Netdude (GUI tool to analyze pcap files)
  - Argus (analyzes packet flows)
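Slides 76 and 77 note that packets can be identified from the flags in the TCP header. The script below is an added example, not from the slides; it decodes the fixed 20-byte header the slide's figure lays out and labels common flag combinations the way an examiner reading a capture would. The headers are built in the script, not captured.

```python
"""Added example (not part of the slides): decoding the flag bits of the TCP
header shown on the slide and labelling what a packet with that flag
combination usually is in a capture. The headers are built here, not captured."""
import struct

# Flag bits in the low byte of the 16-bit offset/reserved/flags field.
FLAG_BITS = {"CWR": 0x80, "ECE": 0x40, "URG": 0x20, "ACK": 0x10,
             "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}
HEADER_FMT = "!HHIIHHHH"            # fixed 20-byte part, network byte order


def parse_tcp_header(raw):
    """Parse the fixed 20-byte TCP header into a dict (options not decoded)."""
    if len(raw) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    sport, dport, seq, ack, off_flags, window, checksum, urgent = \
        struct.unpack(HEADER_FMT, raw[:20])
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "data_offset": (off_flags >> 12) * 4,   # header length in bytes
        "ns": bool(off_flags & 0x100),           # RFC 3540 nonce-sum bit
        "flags": [name for name, bit in FLAG_BITS.items() if off_flags & bit],
        "window": window, "checksum": checksum, "urgent": urgent,
    }


def classify(flags):
    """Plain-language meaning of a flag combination seen while reviewing a capture."""
    s = set(flags)
    if not s:
        return "no flags set: malformed or crafted packet"
    if s == {"SYN"}:
        return "connection request (handshake step 1, or a probe)"
    if s == {"SYN", "ACK"}:
        return "connection accepted (handshake step 2)"
    if {"FIN", "PSH", "URG"} <= s:
        return "FIN+PSH+URG together: not produced by a normal stack, crafted"
    if "RST" in s:
        return "reset: closed port or aborted connection"
    if "FIN" in s:
        return "graceful close"
    if "PSH" in s:
        return "data segment"
    if s == {"ACK"}:
        return "acknowledgement only"
    return "other"


def build_tcp_header(sport, dport, seq, ack, flags, window=65535):
    """Build a 20-byte header with the named flags (checksum left zero)."""
    off_flags = (5 << 12) | sum(FLAG_BITS[f] for f in flags)
    return struct.pack(HEADER_FMT, sport, dport, seq, ack, off_flags, window, 0, 0)


if __name__ == "__main__":
    for flags in (["SYN"], ["SYN", "ACK"], ["PSH", "ACK"], ["RST", "ACK"], []):
        hdr = parse_tcp_header(build_tcp_header(51234, 80, 1, 0, flags))
        print(hdr["flags"], "->", classify(hdr["flags"]))
```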
• 79. EXAMINING THE HONEYNET PROJECT
  - Attempt to thwart Internet and network hackers
  - Provides information about attack methods
  - Objectives are awareness, information, and tools
  - Distributed denial-of-service (DDoS) attacks
    - A recent major threat
    - Hundreds or even thousands of machines (zombies) can be used
• 81. [CONTD…]
  - Zero day attacks
    - Another major threat
    - Attackers look for holes in networks and OSs and exploit these weaknesses before patches are available
  - Honeypot
    - Normal-looking computer that lures attackers to it
  - Honeywalls
    - Monitor what’s happening to honeypots on your network and record what attackers are doing
• 82. [CONTD…]
  - Its legality has been questioned
    - Cannot be used in court
    - Can be used to learn about attacks
  - Manuka Project
    - Used the Honeynet Project’s principles to create a usable database for students to examine compromised honeypots
  - Honeynet Challenges
    - You can try to ascertain what an attacker did and then post your results online
• 84. OBJECTIVES
  - Explain the role of e-mail in investigations
  - Describe client and server roles in e-mail
  - Describe tasks in investigating e-mail crimes and violations
  - Explain the use of e-mail server logs
  - Describe some available e-mail computer forensics tools
• 85. EXPLORING THE ROLE OF E-MAIL IN INVESTIGATIONS
• 86. INTRODUCTION
  - With the increase in e-mail scams and fraud attempts with phishing or spoofing, investigators need to know how to examine and interpret the unique content of e-mail messages
  - Phishing e-mails are in HTML format
    - Which allows creating links to text on a Web page
  - One of the most noteworthy e-mail scams was 419, or the Nigerian Scam
  - Spoofing e-mail can be used to commit fraud
• 87. MUNSHANI V. SIGNAL LAKE VENTURE FUND
  - Munshani received an e-mail and altered it
  - But he failed to alter the ESMTP numbers, which uniquely identify each message an SMTP server transmits
  - Comparing ESMTP numbers from the server and the spoofed e-mail revealed the fraud
• 88. EXPLORING THE ROLES OF THE CLIENT AND SERVER IN E-MAIL
• 89. INTRODUCTION
  - Send and receive e-mail in two environments
    - Internet
    - Controlled LAN, MAN, or WAN
  - Client/server architecture
    - Server OS and e-mail software differ from those on the client side
  - Protected accounts
    - Require usernames and passwords
• 91. [CONTD…]
  - Name conventions
    - Corporate: john.smith@somecompany.com
    - Public: whatever@hotmail.com
    - Everything after @ belongs to the domain name
  - Tracing corporate e-mails is easier
    - Because accounts use standard names the administrator establishes
• 92. INVESTIGATING E-MAIL CRIMES AND VIOLATIONS
• 93. INTRODUCTION
  - Similar to other types of investigations
  - Goals
    - Find who is behind the crime
    - Collect the evidence
    - Present your findings
    - Build a case
  - Depend on the city, state, or country
    - Example: spam
    - Always consult with an attorney
  - Becoming commonplace
  - Examples of crimes involving e-mails
    - Narcotics trafficking
    - Extortion
    - Sexual harassment
    - Child abductions and pornography
• 94. EXAMINING E-MAIL MESSAGES
  - Access victim’s computer to recover the evidence
  - Using the victim’s e-mail client
    - Find and copy evidence in the e-mail
    - Access protected or encrypted material
    - Print e-mails
  - Guide victim on the phone
    - Open and copy e-mail including headers
  - Sometimes you will deal with deleted e-mails
• 95. [CONTD…]
  - Copying an e-mail message
    - Before you start an e-mail investigation, you need to copy and print the e-mail involved in the crime or policy violation
    - You might also want to forward the message as an attachment to another e-mail address
  - With many GUI e-mail programs, you can copy an e-mail by dragging it to a storage medium
    - Or by saving it in a different location
• 97. VIEWING E-MAIL HEADERS
  - Learn how to find e-mail headers
    - GUI clients
    - Command-line clients
    - Web-based clients
  - After you open e-mail headers, copy and paste them into a text document
    - So that you can read them with a text editor
  - Headers contain useful information
    - Unique identifying numbers, IP address of sending server, and sending time
• 98. [CONTD…]
  - Outlook
    - Open the Message Options dialog box
    - Copy headers
    - Paste them to any text editor
  - Outlook Express
    - Open the message Properties dialog box
    - Select Message Source
    - Copy and paste the headers to any text editor
• 99. EMAIL HEADERS IN GMAIL
  - Click the “Reply” drop-down arrow, then “Show original”
• 101. EXAMINING E-MAIL HEADERS
  - Gather supporting evidence and track suspect
    - Return path
    - Recipient’s e-mail address
    - Type of sending e-mail service
    - IP address of sending server
    - Name of the e-mail server
    - Unique message number
    - Date and time e-mail was sent
    - Attachment files information
  - See link Ch 12b for an example: tracing the source of spam
• 102. EXAMINING ADDITIONAL E-MAIL FILES
  - E-mail messages are saved on the client side or left at the server
  - Microsoft Outlook uses .pst and .ost files
  - Most e-mail programs also include an electronic address book
  - In Web-based e-mail
    - Messages are displayed and saved as Web pages in the browser’s cache folders
  - Many Web-based e-mail providers also offer instant messaging (IM) services
• 103. TRACING AN E-MAIL MESSAGE
  - Contact the administrator responsible for the sending server
  - Finding domain name’s point of contact
    - www.arin.net
    - www.internic.com
    - www.freeality.com
    - www.google.com
  - Find suspect’s contact information
  - Verify your findings by checking network e-mail logs against e-mail addresses
• 104. USING NETWORK E-MAIL LOGS
  - Router logs
    - Record all incoming and outgoing traffic
    - Have rules to allow or disallow traffic
    - You can resolve the path a transmitted e-mail has taken
  - Firewall logs
    - Filter e-mail traffic
    - Verify whether the e-mail passed through
  - You can use any text editor or specialized tools
• 107. INTRODUCTION
  - Computer loaded with software that uses e-mail protocols for its services
    - And maintains logs you can examine and use in your investigation
  - E-mail storage
    - Database
    - Flat file
  - Logs
    - Default or manual
    - Continuous and circular
• 108. [CONTD…]
  - Log information
    - E-mail content
    - Sending IP address
    - Receiving and reading date and time
    - System-specific information
  - Contact suspect’s network e-mail administrator as soon as possible
  - Servers can recover deleted e-mails
    - Similar to deletion of files on a hard drive
• 110. EXAMINING UNIX E-MAIL SERVER LOGS
  - /etc/sendmail.cf
    - Configuration information for Sendmail
  - /etc/syslog.conf
    - Specifies how and which events Sendmail logs
  - /var/log/maillog
    - SMTP and POP3 communications
    - IP address and time stamp
  - Check UNIX man pages for more information
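Slides 87, 101 and 110 together describe the core of an e-mail trace: pull the return path, message id, sending IP and ESMTP ids out of the header block, then check them against the server's /var/log/maillog, the comparison that exposed the altered message in Munshani v. Signal Lake. The script below is an added example, not from the slides; the message, the sendmail-style log lines and every address in them are constructed.

```python
"""Added example (not part of the slides): pulling the tracing fields out of
an e-mail header block and checking the message against the mail server's
log, the comparison that exposed the altered message in Munshani v. Signal
Lake. The message, the sendmail-style /var/log/maillog lines and all
addresses are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

RAW_MESSAGE = """\
Return-Path: <alice@example.com>
Received: from mail.example.com (mail.example.com [203.0.113.25])
\tby mx.example.net (Postfix) with ESMTP id 7F3A2C0012
\tfor <bob@example.net>; Tue, 14 Mar 2006 09:15:02 -0500
Received: from [192.0.2.17] (helo=alice-pc)
\tby mail.example.com with ESMTP id k2EEF0Xc004512
\tfor <bob@example.net>; Tue, 14 Mar 2006 09:14:58 -0500
Message-ID: <20060314141458.GA4512@mail.example.com>
Date: Tue, 14 Mar 2006 09:14:55 -0500
From: Alice <alice@example.com>
To: bob@example.net
Subject: Term sheet

Please see the attached term sheet.
"""

# Same message with the sender rewritten; the Received chain is unchanged.
TAMPERED_MESSAGE = RAW_MESSAGE.replace("alice@example.com", "ceo@example.com")

MAILLOG = """\
Mar 14 09:14:58 mail sendmail[4512]: k2EEF0Xc004512: from=<alice@example.com>, size=1842, class=0, nrcpts=1, msgid=<20060314141458.GA4512@mail.example.com>, proto=ESMTP, relay=alice-pc [192.0.2.17]
Mar 14 09:14:59 mail sendmail[4513]: k2EEF0Xc004512: to=<bob@example.net>, delay=00:00:01, mailer=esmtp, relay=mx.example.net. [198.51.100.9], dsn=2.0.0, stat=Sent (Ok: queued as 7F3A2C0012)
"""

RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
RECEIVED_ID = re.compile(r"\bid\s+([A-Za-z0-9]+)")
LOG_LINE = re.compile(r"sendmail\[\d+\]: (?P<qid>[A-Za-z0-9]+): (?P<rest>.*)")


def extract_tracing_fields(raw):
    """Return-Path, Message-ID, Date and the Received chain (top = last hop)."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())          # unfold the header
        ip, qid = RECEIVED_IP.search(flat), RECEIVED_ID.search(flat)
        hops.append({"ip": ip.group(1) if ip else None,
                     "esmtp_id": qid.group(1) if qid else None})
    return {
        "return_path": parseaddr(msg.get("Return-Path", ""))[1],
        "message_id": (msg.get("Message-ID") or "").strip("<> "),
        "date": parsedate_to_datetime(msg["Date"]) if msg["Date"] else None,
        "hops": hops,
        "origin_ip": hops[-1]["ip"] if hops else None,   # earliest hop
    }


def parse_maillog(text):
    """Map sendmail queue id -> merged key=value fields from all its log lines."""
    entries = {}
    for line in text.splitlines():
        m = LOG_LINE.search(line)
        if not m:
            continue
        fields = entries.setdefault(m.group("qid"), {})
        for part in m.group("rest").split(", "):
            if "=" in part:
                key, val = part.split("=", 1)
                fields[key] = val.strip("<>")
    return entries


def cross_check(raw_message, maillog):
    """Compare the message's claims with what the server logged under the
    same ESMTP ids. Any finding means the copy does not match the server."""
    fields = extract_tracing_fields(raw_message)
    log = parse_maillog(maillog)
    findings, matched = [], 0
    for hop in fields["hops"]:
        entry = log.get(hop["esmtp_id"])
        if entry is None:
            continue            # id belongs to a server whose log we lack
        matched += 1
        if "msgid" in entry and entry["msgid"] != fields["message_id"]:
            findings.append("%s: server logged msgid %s, message carries %s"
                            % (hop["esmtp_id"], entry["msgid"], fields["message_id"]))
        if "from" in entry and entry["from"] != fields["return_path"]:
            findings.append("%s: server logged from=%s, message claims %s"
                            % (hop["esmtp_id"], entry["from"], fields["return_path"]))
    if not matched:
        findings.append("no ESMTP id from the Received chain appears in the log")
    return {"matched_ids": matched, "origin_ip": fields["origin_ip"],
            "findings": findings}


if __name__ == "__main__":
    print(cross_check(RAW_MESSAGE, MAILLOG))
    print(cross_check(TAMPERED_MESSAGE, MAILLOG))
```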
  • 113. EXAMINING MICROSOFT E-MAIL SERVER LOGS  Microsoft Exchange Server (Exchange)  Uses a database  Based on Microsoft Extensible Storage Engine  Messaging Application Programming Interface (MAPI)  A Microsoft system that enables different e- mail applications to work together  The “Information Store” is made of tw0 files  Database files *.edb  Responsible for MAPI information  Database files *.stm  Responsible for non-MAPI information 113 PreparedbyR.Arthy,AP/IT,KCET
  • 114. [CONTD…]  Administrators can recover lost or deleted emails from these files:  Transaction log  Keep track of e-mail databases  Checkpoints  Marks the place in the transaction log where the last backup was made  Other useful files  Temporary files  E-mail communication logs  res#.log  Tracking.log  Tracks messages 114 PreparedbyR.Arthy,AP/IT,KCET
  • 116. [CONTD…]  Troubleshooting or diagnostic log  Logs events  Use Windows Event Viewer  Open the Event Properties dialog box for more details about an event 116 PreparedbyR.Arthy,AP/IT,KCET
  • 119. EXAMINING NOVELL GROUPWISE E-MAIL LOGS  Up to 25 databases for e-mail users  Stored on the Ofuser directory object  Referenced by a username, an unique identifier, and .db extension  Shares resources with e-mail server databases  Mailboxes organizations  Permanent index files  QuickFinder 119 PreparedbyR.Arthy,AP/IT,KCET
  • 120. [CONTD…]  Folder and file structure can be complex  It uses Novell directory structure  Guardian  Directory of every database  Tracks changes in the GroupWise environment  Considered a single point of failure  Log files  GroupWise generates log files (.log extension) maintained in a standard log format in GroupWise folders 120 PreparedbyR.Arthy,AP/IT,KCET
  • 121. USING SPECIALIZED E-MAIL FORENSICS TOOLS 121 PreparedbyR.Arthy,AP/IT,KCET
  • 122. USING SPECIALIZED E-MAIL FORENSICS TOOLS  Tools include:  AccessData’s Forensic Toolkit (FTK)  ProDiscover Basic  FINALeMAIL  Sawmill-GroupWise  DBXtract  Fookes Aid4Mail and MailBag Assistant  Paraben E-Mail Examiner  Ontrack Easy Recovery EmailRepair  R-Tools R-Mail 122 PreparedbyR.Arthy,AP/IT,KCET
  • 123. [CONTD…]  Tools allow you to find:  E-mail database files  Personal e-mail files  Offline storage files  Log files  Advantage  Do not need to know how e-mail servers and clients work  FINALeMAIL  Scans e-mail database files  Recovers deleted e-mails  Searches computer for other files associated with e-mail 123 PreparedbyR.Arthy,AP/IT,KCET
  • 126. USING ACCESSDATA FTK TO RECOVER E-MAIL  FTK  Can index data on a disk image or an entire drive for faster data retrieval  Filters and finds files specific to e-mail clients and servers  To recover e-mail from Outlook and Outlook Express  AccessData integrated dtSearch  dtSearch builds a b-tree index of all text data in a drive, an image file, or a group of files 126 PreparedbyR.Arthy,AP/IT,KCET
  • 130. USING A HEXADECIMAL EDITOR TO CARVE E-MAIL MESSAGES  Very few vendors have products for analyzing e-mail in systems other than Microsoft  mbox format  Stores e-mails in flat plaintext files  Multipurpose Internet Mail Extensions (MIME) format  Used by vendor-unique e-mail file systems, such as Microsoft .pst or .ost  Example: carve e-mail messages from Evolution 130 PreparedbyR.Arthy,AP/IT,KCET
  • 133. USING A HEXADECIMAL EDITOR TO CARVE E- MAIL MESSAGES (CONTINUED) 133 PreparedbyR.Arthy,AP/IT,KCET
  • 135. RECOVERING DELETED OUTLOOK FILES  Microsoft's Inbox Repair Tool (scanpst)  Link Ch 12d  EnCase  Advanced Outlook Repair from DataNumen, Inc.  Link Ch 12e 135 PreparedbyR.Arthy,AP/IT,KCET
  • 136. CELL PHONE AND MOBILE DEVICE FORENSICS
  • 137. OBJECTIVES  Explain the basic concepts of mobile device forensics  Describe procedures for acquiring data from cell phones and mobile devices 137 PreparedbyR.Arthy,AP/IT,KCET
  • 139. DATA ON IPHONES  Screenshots of every map viewed  iPhone photos have GPS location data embedded  Apps store browsing history  iPhone stores everything you type, like a keylogger  Link Ch 13a  iPhone also stores screenshots after each action, in order to create an aesthetically pleasing shrinking effect (link Ch 13b) 139 PreparedbyR.Arthy,AP/IT,KCET
  • 140. BANKING ON IPHONES  Link Ch 13c 140 PreparedbyR.Arthy,AP/IT,KCET
  • 141. UNDERSTANDING MOBILE DEVICE FORENSICS  People store a wealth of information on cell phones  People don’t think about securing their cell phones  Items stored on cell phones:  Incoming, outgoing, and missed calls  Text and Short Message Service (SMS) messages  E-mail  Instant-messaging (IM) logs  Web pages  Pictures 141 PreparedbyR.Arthy,AP/IT,KCET
  • 142. [CONTD…]  Items stored on cell phones: (continued)  Personal calendars  Address books  Music files  Voice recordings  Investigating cell phones and mobile devices is one of the most challenging tasks in digital forensics 142 PreparedbyR.Arthy,AP/IT,KCET
  • 143. MOBILE PHONE BASICS  Mobile phone technology has advanced rapidly  Three generations of mobile phones:  Analog  Digital personal communications service (PCS)  Third-generation (3G)  3G offers increased bandwidth  Several digital networks are used in the mobile phone industry 143 PreparedbyR.Arthy,AP/IT,KCET
  • 145. 4G NETWORKS  Orthogonal Frequency Division Multiplexing ( OFDM)  Uses power more efficiently, and is more immune to interference  Mobile WiMAX  Used by Sprint, will support speeds up to 12 Mbps  Ultra Mobile Broadband ( UTMS)  Also known as CDMA2000 EV- DO  Will support speeds up to 100 Mbps  Multiple Input Multiple Output (MIMO)  Will support speeds up to 312 Mbps  Long Term Evolution (LTE)  Will support up to 144 Mbps 145 PreparedbyR.Arthy,AP/IT,KCET
  • 146.  Main components used for communication:  Base transceiver station (BTS)  Cell phone tower and associated equipment  Base station controller (BSC)  Hardware & software that controls the BTS  Mobile switching center (MSC)  Routes calls  Has a database of subscribers with account and location data [CONTD…] 146 PreparedbyR.Arthy,AP/IT,KCET
  • 147. INSIDE MOBILE DEVICES  Mobile devices can range from simple phones to small computers  Also called smart phones  Hardware components  Microprocessor, ROM, RAM, a digital signal processor, a radio module, a microphone and speaker, hardware interfaces, and an LCD display  Most basic phones have a proprietary OS  Although smart phones use stripped-down versions of PC operating systems 147 PreparedbyR.Arthy,AP/IT,KCET
  • 148. [CONTD…]  Phones store system data in electronically erasable programmable read-only memory (EEPROM)  Enables service providers to reprogram phones without having to physically access memory chips  OS is stored in ROM  Nonvolatile memory 148 PreparedbyR.Arthy,AP/IT,KCET
  • 150. [CONTD…]  Subscriber identity module (SIM) cards  Found most commonly in GSM devices  Microprocessor and from 16 KB to 4 MB EEPROM  Sometimes even more, up go 1 GB EEPROM  GSM refers to mobile phones as “mobile stations” and divides a station into two parts:  The SIM card and the mobile equipment (ME)  SIM cards come in two sizes  Portability of information makes SIM cards versatile 150 PreparedbyR.Arthy,AP/IT,KCET
  • 151. [CONTD…]  Subscriber identity module (SIM) cards (continued)  Additional SIM card purposes:  Identifies the subscriber to the network  Stores personal information  Stores address books and messages  Stores service-related information 151 PreparedbyR.Arthy,AP/IT,KCET
  • 152. INSIDE PDAS  Personal digital assistants (PDAs)  Can be separate devices from mobile phones  Most users carry them instead of a laptop  PDAs house a microprocessor, flash ROM, RAM, and various hardware components  The amount of information on a PDA varies depending on the model  Usually, you can retrieve a user’s calendar, address book, Web access, and other items 152 PreparedbyR.Arthy,AP/IT,KCET
  • 153. [CONTD…]  Peripheral memory cards are used with PDAs  Compact Flash (CF)  MultiMedia Card (MMC)  Secure Digital (SD)  Most PDAs synchronize with a computer  Built-in slots for that purpose 153 PreparedbyR.Arthy,AP/IT,KCET
  • 154. UNDERSTANDING ACQUISITION PROCEDURES FOR CELL PHONES AND MOBILE DEVICES 154 PreparedbyR.Arthy,AP/IT,KCET
  • 155. UNDERSTANDING ACQUISITION PROCEDURES FOR CELL PHONES AND MOBILE DEVICES  The main concerns with mobile devices are loss of power and synchronization with PCs  All mobile devices have volatile memory  Making sure they don’t lose power before you can retrieve RAM data is critical  Mobile device attached to a PC via a cable or cradle/docking station should be disconnected from the PC immediately  Depending on the warrant or subpoena, the time of seizure might be relevant 155 PreparedbyR.Arthy,AP/IT,KCET
  • 156. [CONTD…]  Messages might be received on the mobile device after seizure  Isolate the device from incoming signals with one of the following options:  Place the device in a paint can  Use the Paraben Wireless StrongHold Bag  Use eight layers of antistatic bags to block the signal  The drawback to using these isolating options is that the mobile device is put into roaming mode  Which accelerates battery drainage 156 PreparedbyR.Arthy,AP/IT,KCET
• 157. [CONTD…]
- Check these areas in the forensics lab:
  - Internal memory
  - SIM card
  - Removable or external memory cards
  - System server
- Checking system servers requires a search warrant or subpoena
- The SIM card file system is a hierarchical structure
• 158. [CONTD…]
- MF (master file): root of the file system
- DF (dedicated file): directory files
- EF (elementary file): elementary data
• 159. [CONTD…]
- Information that can be retrieved:
  - Service-related data, such as identifiers for the SIM card and the subscriber
  - Call data, such as numbers dialed
  - Message information
  - Location information
- If power has been lost, PINs or other access codes might be required to view files
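The MF/DF/EF hierarchy on slides 157-159 and the "service-related" and "location" data read from it can be made concrete with a small model. The example below is added here and is not code from the lecture or from any forensic product: the file identifiers are the standard ones defined in GSM 11.11 / 3GPP TS 51.011 (MF 3F00, DF_GSM 7F20, DF_TELECOM 7F10, EF_IMSI 6F07, EF_ICCID 2FE2, EF_LOCI 6F7E), while the byte contents of the sample dump are constructed for illustration. It walks a path through the hierarchy the way a reader's SELECT sequence does, then decodes the swapped-nibble BCD encoding used for the IMSI and ICCID and the location-area fields in EF_LOCI.

```python
"""Added example: a model of the SIM card file hierarchy (MF -> DF -> EF) and
decoders for the service-related and location data an examiner reads from it.
File IDs follow GSM 11.11 / 3GPP TS 51.011; the sample bytes are constructed."""

MF = "3F00"  # master file: root of the hierarchy

# Directories (DF) map to nested dicts; elementary files (EF) map to a name.
SIM_TREE = {
    MF: {
        "2FE2": "EF_ICCID",        # card identifier, sits directly under the MF
        "7F10": {                  # DF_TELECOM
            "6F3A": "EF_ADN",      # abbreviated dialling numbers (address book)
            "6F3C": "EF_SMS",      # stored short messages
        },
        "7F20": {                  # DF_GSM
            "6F07": "EF_IMSI",     # subscriber identity
            "6F7E": "EF_LOCI",     # last known location information
        },
    }
}

LOCI_STATUS = {0: "updated", 1: "not updated",
               2: "PLMN not allowed", 3: "location area not allowed"}


def select_path(path):
    """Walk a tuple of file IDs from the MF, mirroring the SELECT commands a
    reader issues. Returns the EF name or raises if the path is invalid."""
    node = SIM_TREE
    for fid in path:
        if not isinstance(node, dict) or fid not in node:
            raise KeyError(f"{fid} is not a file in the current directory")
        node = node[fid]
    if isinstance(node, dict):
        raise ValueError("path ends on a directory (DF), not an elementary file")
    return node


def bcd_swapped(data):
    """Decode swapped-nibble BCD (low nibble first); a 0xF nibble is padding."""
    digits = []
    for b in data:
        for nib in (b & 0x0F, b >> 4):
            if nib == 0x0F:
                return "".join(digits)
            digits.append(str(nib))
    return "".join(digits)


def decode_imsi(ef_imsi):
    """EF_IMSI: byte 0 = length of the IMSI field; in byte 1 the low nibble is
    the parity/type marker and the high nibble the first digit; the remaining
    bytes are swapped-nibble BCD."""
    length = ef_imsi[0]
    body = ef_imsi[1:1 + length]
    return str(body[0] >> 4) + bcd_swapped(body[1:])


def decode_iccid(ef_iccid):
    """EF_ICCID: 10 bytes of swapped-nibble BCD, padded with 0xF."""
    return bcd_swapped(ef_iccid)


def decode_loci(ef_loci):
    """EF_LOCI: TMSI (4 bytes) | LAI (MCC/MNC in 3 bytes + LAC in 2 bytes) |
    TMSI TIME (1 byte) | location update status (1 byte)."""
    tmsi = ef_loci[0:4].hex().upper()
    lai = ef_loci[4:9]
    mcc = f"{lai[0] & 0x0F}{lai[0] >> 4}{lai[1] & 0x0F}"
    mnc = f"{lai[2] & 0x0F}{lai[2] >> 4}"
    if (lai[1] >> 4) != 0x0F:        # third MNC digit present
        mnc += str(lai[1] >> 4)
    lac = int.from_bytes(lai[3:5], "big")
    status = LOCI_STATUS.get(ef_loci[10] & 0x07, "reserved")
    return {"tmsi": tmsi, "mcc": mcc, "mnc": mnc, "lac": lac, "status": status}


DECODERS = {"EF_IMSI": decode_imsi, "EF_ICCID": decode_iccid, "EF_LOCI": decode_loci}


def read_sim(dump):
    """dump: {path tuple: raw bytes} as produced by a reader. Returns decoded
    values keyed by EF name; EFs without a decoder are reported as hex."""
    report = {}
    for path, raw in dump.items():
        name = select_path(path)
        report[name] = DECODERS.get(name, bytes.hex)(raw)
    return report


# Constructed sample dump (not from a real card): IMSI 234101943787140,
# ICCID 8901234567890123456, LAI MCC 234 / MNC 10 / LAC 0x1234, "updated".
SAMPLE_DUMP = {
    (MF, "7F20", "6F07"): bytes.fromhex("08 29 43 01 91 34 87 17 04"),
    (MF, "2FE2"):         bytes.fromhex("98 10 32 54 76 98 10 32 54 F6"),
    (MF, "7F20", "6F7E"): bytes.fromhex("DE AD BE EF 32 F4 01 12 34 FF 00"),
}

if __name__ == "__main__":
    for name, value in read_sim(SAMPLE_DUMP).items():
        print(f"{name}: {value}")
```

The path check matters in practice: a reader that silently returns data for a wrong path gives the examiner a file that looks valid but belongs to another directory, so the model refuses a path that stops at a DF or names an EF that is not under the selected DF.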
• 160. MOBILE FORENSICS EQUIPMENT
- Mobile forensics is a new science
- The biggest challenge is dealing with constantly changing models of cell phones
- When you're acquiring evidence, generally you're performing two tasks:
  - Acting as though you're a PC synchronizing with the device (to download data)
  - Reading the SIM card
- The first step is to identify the mobile device
• 161. [CONTD…]
- Make sure you have installed the mobile device software on your forensic workstation
- Attach the phone to its power supply and connect the correct cables
- After you've connected the device
  - Start the forensics program and begin downloading the available information
• 162. [CONTD…]
- SIM card readers
  - A combination hardware/software device used to access the SIM card
  - You need to be in a forensics lab equipped with appropriate antistatic devices
- The general procedure is as follows:
  - Remove the back panel of the device
  - Remove the battery
  - Under the battery, remove the SIM card from its holder
  - Insert the SIM card into the card reader
• 163. [CONTD…]
- SIM card readers (continued)
  - A variety of SIM card readers are on the market
  - Some are forensically sound and some are not
- Documenting messages that haven't been read yet is critical
  - Use a tool that takes pictures of each screen
- BlackBerry devices may require special hardware
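Slide 163's point about unread messages has a concrete basis on the SIM: each EF_SMS record starts with a status byte whose bits record whether a received message has been read, so an examiner can list the unread ones before anything touches them. The example below is added here and is not code from the lecture or from any SIM reader product; the record layout follows 3GPP TS 51.011 and the SMS-DELIVER TPDU follows 3GPP TS 23.040, and the records are constructed samples (the same message body under two status bytes plus an empty slot). It assumes the text uses the GSM 7-bit default alphabet and only characters where that alphabet coincides with ASCII, and it assumes a two-digit year in the timestamp means 20xx.

```python
"""Added example: decode raw EF_SMS records from a SIM and separate unread
messages from read and empty slots. Layouts per 3GPP TS 51.011 / TS 23.040;
the sample records are constructed, not read from a real card."""

RECORD_LEN = 176  # fixed EF_SMS record size

# Status byte: bit 1 = slot in use; bits 2-3 = message state
SMS_STATUS = {0x01: "received, read", 0x03: "received, unread",
              0x05: "originated, sent", 0x07: "originated, to be sent"}


def bcd_swapped(data):
    """Swapped-nibble BCD digits, low nibble first; 0xF ends the string."""
    digits = []
    for b in data:
        for nib in (b & 0x0F, b >> 4):
            if nib == 0x0F:
                return "".join(digits)
            digits.append(str(nib))
    return "".join(digits)


def unpack_7bit(data, septets):
    """Unpack GSM 7-bit default alphabet text (septets packed LSB-first).
    Assumption: only characters where GSM 7-bit equals ASCII are used."""
    acc, bits, out = 0, 0, []
    for b in data:
        acc |= b << bits
        bits += 8
        while bits >= 7 and len(out) < septets:
            out.append(acc & 0x7F)
            acc >>= 7
            bits -= 7
        if len(out) >= septets:
            break
    return "".join(chr(c) for c in out)


def decode_scts(scts):
    """TP-SCTS: YY MM DD hh mm ss TZ as swapped BCD; TZ in quarter hours with
    bit 3 of the first semi-octet as the sign. Year 20YY is an assumption."""
    f = [(b & 0x0F) * 10 + (b >> 4) for b in scts[:6]]
    tz = scts[6]
    quarters = (tz & 0x07) * 10 + (tz >> 4)
    sign = "-" if tz & 0x08 else "+"
    return (f"20{f[0]:02d}-{f[1]:02d}-{f[2]:02d} {f[3]:02d}:{f[4]:02d}:{f[5]:02d} "
            f"{sign}{quarters // 4:02d}:{(quarters % 4) * 15:02d}")


def decode_sms_record(record):
    """Parse one EF_SMS record holding an SMS-DELIVER. None for an unused slot."""
    status = record[0]
    if not status & 0x01:
        return None
    pos = 1
    smsc_len = record[pos]; pos += 1
    smsc = ""
    if smsc_len:  # SMSC address: type-of-address byte then swapped BCD digits
        smsc = ("+" if record[pos] == 0x91 else "") + bcd_swapped(record[pos + 1:pos + smsc_len])
        pos += smsc_len
    first_octet = record[pos]; pos += 1
    if first_octet & 0x03 != 0x00:
        raise ValueError("only SMS-DELIVER (incoming) TPDUs are handled here")
    oa_digits, oa_type = record[pos], record[pos + 1]
    oa_len = (oa_digits + 1) // 2  # TP-OA length is in digits, not bytes
    sender = ("+" if oa_type == 0x91 else "") + bcd_swapped(record[pos + 2:pos + 2 + oa_len])
    pos += 2 + oa_len
    _pid, dcs = record[pos], record[pos + 1]; pos += 2
    if dcs & 0x0C:  # bits 2-3 select the alphabet; 00 = GSM 7-bit default
        raise ValueError("only the GSM 7-bit default alphabet is handled here")
    timestamp = decode_scts(record[pos:pos + 7]); pos += 7
    udl = record[pos]; pos += 1  # user data length in septets
    return {"state": SMS_STATUS.get(status & 0x07, "reserved"), "smsc": smsc,
            "sender": sender, "timestamp": timestamp,
            "text": unpack_7bit(record[pos:], udl)}


def triage(records):
    """Decode all records; return (unread, others) so unread ones are documented first."""
    unread, others = [], []
    for idx, rec in enumerate(records, start=1):
        msg = decode_sms_record(rec)
        if msg is None:
            continue
        msg["record"] = idx
        (unread if msg["state"] == "received, unread" else others).append(msg)
    return unread, others


# Constructed message body (not real traffic), reused under two status bytes.
_BODY = bytes.fromhex(
    "07 91 44 77 58 10 06 50"   # SMSC: +447785016005
    "04"                         # SMS-DELIVER, no more messages waiting
    "0B 91 44 77 00 09 10 F2"   # sender: +44770090012 (11 digits)
    "00 00"                      # TP-PID, TP-DCS = GSM 7-bit default
    "21 90 51 41 23 40 40"      # 2012-09-15 14:32:04 +01:00
    "05 E8 32 9B FD 06"         # 5 septets: "hello"
)


def _record(status, body=_BODY):
    return bytes([status]) + body + b"\xff" * (RECORD_LEN - 1 - len(body))


SAMPLE_RECORDS = [_record(0x03), _record(0x01), _record(0x00, b"")]

if __name__ == "__main__":
    unread, others = triage(SAMPLE_RECORDS)
    print("unread:", unread)
    print("other:", others)
```

Reading the status byte off the raw record is the part that matters for the slide's concern: a handset, or a non-forensic reader that opens messages to display them, may flip the "to be read" state, while a dump of the EF preserves it.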
• 164. IPHONE FORENSICS
- MacLockPick II
  - Uses backup files
  - It can't recover deleted files
- MDBackUp Extract
  - Analyzes the iTunes mobile sync backup directory
• 165. IPHONE SPY
- Link Ch 13d
• 166. MOBILE FORENSICS TOOLS
- Paraben Software Device Seizure Toolbox
  - Contains cables, SIM card readers, and more
- Data Pilot
  - Similar to Paraben
- BitPim
  - Can view data on many phones, but it's not intended for forensics
- MOBILedit!
  - Has a write-blocker
- SIMCon
  - Reads files on SIM cards
  - Recovers deleted text messages
  - Archives files with MD5 and SHA-1 hashes
- Software tools differ in the items they display and the level of detail
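The last item for SIMCon, archiving extracted files with MD5 and SHA-1 hashes, is the same validation step the unit opened with: hash everything at acquisition, then re-hash before analysis or presentation. The example below is added here and is illustrative code of that practice, not SIMCon's implementation or any product's file format; it uses only the standard library, and the archive it builds (two constructed files) is created in a temporary directory. Recording both digests means a file cannot be swapped for a colliding one without at least one hash disagreeing, and the verifier also reports files that are missing from, or added to, the archive.

```python
"""Added example: build and verify an MD5 + SHA-1 manifest for an archive of
acquired files. Illustrative code, not a forensic product's own format."""

import hashlib
import json
import os
import tempfile


def hash_bytes(data):
    """MD5 and SHA-1 of an in-memory byte string."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}


def hash_file(path, chunk=1 << 20):
    """Stream a file through both hashes so large images are not read whole."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha1.update(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def build_manifest(root):
    """Hash every file under root; keys are paths relative to root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = hash_file(full)
    return manifest


def verify_manifest(root, manifest):
    """Return (relative path, problem) pairs; an empty list means intact."""
    problems = []
    for rel, expected in manifest.items():
        full = os.path.join(root, rel)
        if not os.path.exists(full):
            problems.append((rel, "missing"))
            continue
        actual = hash_file(full)
        for alg in ("md5", "sha1"):
            if actual[alg] != expected[alg]:
                problems.append((rel, f"{alg} mismatch"))
    extra = set(build_manifest(root)) - set(manifest)
    problems.extend((rel, "unexpected file") for rel in sorted(extra))
    return problems


def demo():
    """Constructed archive: two extracted files are hashed, the manifest is
    written beside the archive, one file is then altered.
    Returns (problems before tampering, problems after tampering)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "archive")
        os.makedirs(os.path.join(root, "sim"))
        with open(os.path.join(root, "sim", "EF_SMS.bin"), "wb") as fh:
            fh.write(b"\x03\x07\x91" + b"\xff" * 173)      # constructed record
        with open(os.path.join(root, "phonebook.csv"), "wb") as fh:
            fh.write(b"name,number\nAlice,+44770090012\n")  # constructed export
        manifest = build_manifest(root)
        manifest_path = os.path.join(tmp, "manifest.json")
        with open(manifest_path, "w") as fh:
            json.dump(manifest, fh, indent=2)
        before = verify_manifest(root, manifest)
        with open(os.path.join(root, "phonebook.csv"), "ab") as fh:
            fh.write(b"Bob,+44770090013\n")                # simulated tampering
        with open(manifest_path) as fh:
            stored = json.load(fh)
        after = verify_manifest(root, stored)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after:", after)
```

The manifest is written outside the archive directory so it is not itself hashed; keeping it with the case notes rather than with the data is also what lets a second examiner re-run the check independently.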