4. OBJECTIVES
Determine what data to analyze in a computer forensics investigation
Explain tools used to validate data
Explain common data-hiding techniques
Describe methods of performing a remote acquisition
Prepared by R. Arthy, AP/IT, KCET
6. INTRODUCTION
Examining and analyzing digital evidence depends on:
Nature of the case
Amount of data to process
Search warrants and court orders
Company policies
Scope creep
Investigation expands beyond the original description
Right of full discovery of digital evidence
7. APPROACHING COMPUTER FORENSICS CASES
Some basic principles apply to almost all computer forensics cases
The approach you take depends largely on the specific type of case you’re investigating
Basic steps for all computer forensics investigations
For target drives, use only recently wiped media that have been reformatted and inspected for computer viruses
Inventory the hardware on the suspect’s computer and note the condition of the computer when seized
Remove the original drive from the computer
Check date and time values in the system’s CMOS
Record how you acquired data from the suspect drive
Process the data methodically and logically
8. [CONTD…]
List all folders and files on the image or drive
If possible, examine the contents of all data files in all folders, starting at the root directory of the volume partition
For all password-protected files that might be related to the investigation, make your best effort to recover file contents
Identify the function of every executable (binary or .exe) file that doesn’t match known hash values
Maintain control of all evidence and findings, and document everything as you progress through your examination
9. REFINING AND MODIFYING THE INVESTIGATION PLAN
Considerations
Determine the scope of the investigation
Determine what the case requires
Whether you should collect all information
What to do in case of scope creep
The key is to start with a plan but remain flexible in the face of new evidence
10. USING ACCESSDATA FORENSIC TOOLKIT TO ANALYZE DATA
Supported file systems: FAT12/16/32, NTFS, Ext2fs, and Ext3fs
FTK can analyze data from several sources, including image files from other vendors
FTK produces a case log file
Searching for keywords
Indexed search
Live search
Supports options and advanced searching techniques, such as stemming
15. INTRODUCTION
Ensuring the integrity of the data you collect is one of the most critical aspects of computer forensics and is essential for presenting evidence in court
Most computer forensic tools provide automated hashing of image files
Computer forensics tools have some limitations in performing hashing
Learning how to use advanced hexadecimal editors is necessary to ensure data integrity
16. VALIDATING WITH HEXADECIMAL EDITORS
Advanced hexadecimal editors offer many features not available in computer forensics tools, such as hashing specific files or sectors
Hex Workshop provides several hashing algorithms, such as MD5 and SHA-1
See Figures 9-4 through 9-6
Hex Workshop also generates the hash value of selected data sets in a file or sector
20. [CONTD…]
Using hash values to discriminate data
AccessData has a separate database, the Known File Filter (KFF)
Filters known program files from view, such as MSWord.exe, and identifies known illegal files, such as child pornography
KFF compares known file hash values to files on your evidence drive or image files
Periodically, AccessData updates these known file hash values and posts an updated KFF
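The KFF comparison on this slide is a hash-set lookup keyed on file content, not on file name. The Python below is an added example, not AccessData's code: it builds two constructed hash sets (files to ignore and files to flag), hashes every file in a constructed evidence set and classifies each one. All paths, file contents and descriptions here are made up; a real KFF ships hash values, not files.

```python
import hashlib

def md5_hex(data: bytes) -> str:
    """The lookup key; MD5 is used here because hash libraries of this kind have been keyed on it."""
    return hashlib.md5(data).hexdigest()

def build_hash_set(samples: dict) -> dict:
    """Turn description -> bytes into hash -> description (a constructed stand-in for a KFF update)."""
    return {md5_hex(data): desc for desc, data in samples.items()}

# Constructed "known" sets.
IGNORABLE = build_hash_set({
    "MSWord.exe (known application binary)": b"\x4d\x5a" + b"known-office-binary" * 8,
    "notepad.exe (known OS binary)": b"\x4d\x5a" + b"known-os-binary" * 8,
})
ALERT = build_hash_set({
    "flagged-sample-0001": b"\xff\xd8\xff\xe0" + b"flagged-sample-content" * 8,
})

def classify(files: dict, ignorable: dict = IGNORABLE, alert: dict = ALERT) -> dict:
    """Classify every file on the evidence set by content hash: alert, ignorable, or unknown."""
    results = {}
    for path, data in files.items():
        h = md5_hex(data)
        if h in alert:
            results[path] = ("alert", alert[h])
        elif h in ignorable:
            results[path] = ("ignorable", ignorable[h])
        else:
            results[path] = ("unknown", None)
    return results

def review_queue(files: dict) -> list:
    """What the examiner still has to look at: everything not filtered out as ignorable."""
    return sorted(p for p, (cat, _) in classify(files).items() if cat != "ignorable")

# Constructed evidence set. Two files have been renamed: a known OS binary now called
# readme.txt, and a flagged file now called track07.mp3. Hash matching ignores the names.
EVIDENCE = {
    "C:/Program Files/Office/MSWord.exe": b"\x4d\x5a" + b"known-office-binary" * 8,
    "C:/Users/js/Documents/report.doc": b"quarterly numbers, draft",
    "C:/Users/js/Music/track07.mp3": b"\xff\xd8\xff\xe0" + b"flagged-sample-content" * 8,
    "C:/Windows/Temp/readme.txt": b"\x4d\x5a" + b"known-os-binary" * 8,
}

if __name__ == "__main__":
    for path, (cat, desc) in classify(EVIDENCE).items():
        print(f"{cat:9} {path}  {desc or ''}")
    print("to review:", review_queue(EVIDENCE))
```

The renamed files in the evidence set are the point: the filename and extension manipulation listed later in this chapter does not change the content hash, so the filter still catches both.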
21. VALIDATING WITH COMPUTER FORENSICS PROGRAMS
Commercial computer forensics programs have built-in validation features
ProDiscover’s .eve files contain metadata that includes the hash value
Validation is done automatically
Raw format image files (.dd extension) don’t contain metadata
So you must validate raw format image files manually to ensure the integrity of data
In AccessData FTK Imager
When you select the Expert Witness (.e01) or the SMART (.s01) format
Additional options for validating the acquisition are displayed
Validation report lists MD5 and SHA-1 hash values
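Manual validation of a raw image, and the sector-level hashing a hex editor offers (slide 16), come down to the same operation. The Python below is an added example, not code from any of the tools named on these slides: it records MD5 and SHA-1 for a constructed 8-sector image, re-validates a copy, and when validation fails uses per-sector hashes to locate the sector that changed. The 512-byte sector size and the image contents are assumptions made for the example.

```python
import hashlib

SECTOR = 512  # sector size assumed for this example

def hash_bytes(data: bytes) -> dict:
    """MD5 and SHA-1 digests, the two values the FTK Imager validation report lists."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha1": hashlib.sha1(data).hexdigest()}

def hash_sector_range(image: bytes, first: int, count: int) -> dict:
    """Hash a selected run of sectors, as a hex editor does for a selected data set."""
    start, end = first * SECTOR, (first + count) * SECTOR
    if end > len(image):
        raise ValueError("sector range runs past the end of the image")
    return hash_bytes(image[start:end])

def validate_image(image: bytes, recorded: dict) -> bool:
    """Manual validation of a raw image: recompute and require both recorded digests to match."""
    actual = hash_bytes(image)
    return all(actual[algo] == recorded[algo] for algo in ("md5", "sha1"))

def changed_sectors(original: bytes, copy: bytes) -> list:
    """When validation fails, per-sector hashing narrows the difference down to specific sectors."""
    n = (max(len(original), len(copy)) + SECTOR - 1) // SECTOR
    diffs = []
    for i in range(n):
        a = original[i * SECTOR:(i + 1) * SECTOR]
        b = copy[i * SECTOR:(i + 1) * SECTOR]
        if hashlib.sha1(a).digest() != hashlib.sha1(b).digest():
            diffs.append(i)
    return diffs

# Constructed 8-sector "image": each sector is filled with its own sector number.
IMAGE = b"".join(bytes([i]) * SECTOR for i in range(8))
# Constructed copy with a single byte altered inside sector 3.
TAMPERED = IMAGE[:3 * SECTOR + 10] + b"\xff" + IMAGE[3 * SECTOR + 11:]

if __name__ == "__main__":
    recorded = hash_bytes(IMAGE)  # the values written into the acquisition record
    print("original validates:", validate_image(IMAGE, recorded))
    print("copy validates:", validate_image(TAMPERED, recorded))
    print("sectors that differ:", changed_sectors(IMAGE, TAMPERED))
```

Both digests are checked rather than one because the report records both; a single-algorithm match with a second-algorithm mismatch is itself a finding worth documenting.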
23. ADDRESSING DATA-HIDING TECHNIQUES
File manipulation
Filenames and extensions
Hidden property
Disk manipulation
Hidden partitions
Bad clusters
Encryption
Bit shifting
Steganography
24. HIDING PARTITIONS
Delete references to a partition using a disk editor
Re-create links for accessing it
Use disk-partitioning utilities
GDisk
PartitionMagic
System Commander
LILO
Account for all disk space when analyzing a disk
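"Account for all disk space" is the check that catches a partition whose table entry has been deleted. The Python below is an added example, not code from GDisk or any other utility named above: it parses the four MBR partition entries and reports every sector range no entry covers. The MBR bytes and the 61440-sector disk size are constructed for the example, with the middle partition's entry removed so that its space shows up as unaccounted.

```python
import struct

MBR_SIG = b"\x55\xaa"
PT_OFFSET, ENTRY_SIZE = 446, 16   # partition table position and entry size in a classic MBR

def parse_partition_table(mbr: bytes) -> list:
    """Read the four MBR partition entries and return the ones that are in use."""
    if len(mbr) != 512 or mbr[510:512] != MBR_SIG:
        raise ValueError("not a 512-byte MBR with a valid signature")
    parts = []
    for i in range(4):
        off = PT_OFFSET + i * ENTRY_SIZE
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype != 0 and count:
            parts.append({"index": i, "type": ptype, "start": lba, "end": lba + count - 1,
                          "bootable": status == 0x80})
    return parts

def unaccounted_ranges(parts: list, total_sectors: int) -> list:
    """Sector ranges covered by no partition entry, as (first, last) pairs; sector 0 is the MBR."""
    used = sorted((p["start"], p["end"]) for p in parts)
    gaps, cursor = [], 1
    for start, end in used:
        if start > cursor:
            gaps.append((cursor, start - 1))
        cursor = max(cursor, end + 1)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - 1))
    return gaps

def make_entry(ptype: int, lba: int, count: int, bootable: bool = False) -> bytes:
    """Build one 16-byte entry; CHS fields are zeroed because this example works in LBA only."""
    return struct.pack("<B3sB3sII", 0x80 if bootable else 0, b"\0\0\0", ptype, b"\0\0\0", lba, count)

# Constructed MBR: two NTFS-type (0x07) entries on a 61440-sector disk. The space between
# them once held a third partition whose entry is gone, so only a gap remains.
SAMPLE_MBR = (bytes(PT_OFFSET)
              + make_entry(0x07, 2048, 20480, bootable=True)
              + make_entry(0x07, 40960, 10240)
              + bytes(2 * ENTRY_SIZE)
              + MBR_SIG)
TOTAL_SECTORS = 61440

if __name__ == "__main__":
    parts = parse_partition_table(SAMPLE_MBR)
    for p in parts:
        print(f"entry {p['index']}: type 0x{p['type']:02x} sectors {p['start']}-{p['end']}")
    for first, last in unaccounted_ranges(parts, TOTAL_SECTORS):
        print(f"unaccounted: sectors {first}-{last} ({last - first + 1} sectors)")
```

The small gap after the MBR is normal alignment space; a gap of tens of thousands of sectors between two partitions is the one to carve, and a disk whose partition table was rebuilt by hand would show it.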
26. MARKING BAD CLUSTERS
Common with FAT systems
Place sensitive information on free space
Use a disk editor to mark space as a bad cluster
To mark a good cluster as bad using Norton Disk Edit
Type B in the FAT entry corresponding to that cluster
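The marker typed into the FAT entry makes the cluster invisible to the file system but not to an examiner reading the table directly. The Python below is an added example, not Norton Disk Edit or any tool on the slide: it decodes a constructed FAT16 table, lists the clusters marked bad, follows a normal cluster chain for comparison, and flags bad-marked clusters that still contain readable data, since a genuinely bad cluster should not hold anything. The one-sector cluster size and all table and data contents are assumptions made for the example.

```python
import struct

FAT16_BAD = 0xFFF7        # FAT16 bad-cluster marker (FAT12 uses 0xFF7, FAT32 0x0FFFFFF7)
FAT16_EOC_MIN = 0xFFF8    # entries 0xFFF8..0xFFFF mark the end of a cluster chain
CLUSTER_SIZE = 512        # assumed: one sector per cluster

def fat16_entries(fat: bytes) -> list:
    """Decode a FAT16 table into a list of 16-bit little-endian entries."""
    return list(struct.unpack("<%dH" % (len(fat) // 2), fat))

def bad_clusters(fat: bytes) -> list:
    """Cluster numbers whose entry carries the bad marker (entries 0 and 1 are reserved)."""
    return [n for n, e in enumerate(fat16_entries(fat)) if n >= 2 and e == FAT16_BAD]

def cluster_chain(fat: bytes, first: int) -> list:
    """Follow a file's chain from its first cluster until an end-of-chain or bad entry."""
    entries, chain, n = fat16_entries(fat), [], first
    while 2 <= n < len(entries) and n not in chain:
        chain.append(n)
        n = entries[n]
        if n >= FAT16_EOC_MIN or n == FAT16_BAD:
            break
    return chain

def cluster_data(data_region: bytes, n: int) -> bytes:
    """Cluster n lives at (n - 2) * CLUSTER_SIZE within the data region."""
    off = (n - 2) * CLUSTER_SIZE
    return data_region[off:off + CLUSTER_SIZE]

def suspicious_bad_clusters(fat: bytes, data_region: bytes) -> list:
    """Bad-marked clusters that still hold non-zero, readable content."""
    return [n for n in bad_clusters(fat) if any(cluster_data(data_region, n))]

# Constructed FAT16 table for 16 clusters: clusters 2-3 form a normal file chain,
# clusters 5 and 6 are marked bad, everything else is free.
SAMPLE_FAT = struct.pack("<16H", 0xFFF8, 0xFFFF, 3, 0xFFFF, 0, FAT16_BAD, FAT16_BAD, *([0] * 9))

def _cluster(content: bytes) -> bytes:
    return content.ljust(CLUSTER_SIZE, b"\0")

# Constructed data region for clusters 2..15; only cluster 5 has content behind a bad marker.
SAMPLE_DATA = b"".join(
    _cluster(b"meeting notes, normal file part 1") if n == 2 else
    _cluster(b"normal file part 2") if n == 3 else
    _cluster(b"account numbers stashed here") if n == 5 else
    _cluster(b"")
    for n in range(2, 16)
)

if __name__ == "__main__":
    print("normal chain from cluster 2:", cluster_chain(SAMPLE_FAT, 2))
    print("marked bad:", bad_clusters(SAMPLE_FAT))
    print("bad but readable:", suspicious_bad_clusters(SAMPLE_FAT, SAMPLE_DATA))
```

Cluster 6 is also marked bad but is all zeros, so it drops out of the suspicious list; on a real drive that distinction is what keeps the review focused on clusters that actually hold data.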
27. BIT-SHIFTING
Old technique
Shift bit patterns to alter byte values of data
Make files look like binary executable code
Tool
Hex Workshop
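Bit-shifted data looks like binary rather than text, which is why it is easy to overlook. The Python below is an added example, not a Hex Workshop feature: it rotates each byte of a constructed message by a fixed number of bits (rotation is used rather than a plain shift so no bits are lost and the operation is reversible, an assumption made for the example), then recovers the original by trying all eight rotations and keeping the one that yields the most printable text.

```python
def rotate_left(byte: int, n: int) -> int:
    n %= 8
    return ((byte << n) | (byte >> (8 - n))) & 0xFF

def shift_bytes(data: bytes, n: int) -> bytes:
    """Rotate every byte left by n bits; unlike a plain shift this drops no bits, so it reverses."""
    return bytes(rotate_left(b, n) for b in data)

def unshift_bytes(data: bytes, n: int) -> bytes:
    """Rotate right by n bits, i.e. left by 8 - n."""
    return shift_bytes(data, 8 - (n % 8))

def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII or ordinary whitespace."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D))
    return ok / len(data)

def recover_shift(data: bytes) -> tuple:
    """Try all 8 rotations and return (bits, candidate) for the most text-like result."""
    best = max(range(8), key=lambda k: printable_ratio(unshift_bytes(data, k)))
    return best, unshift_bytes(data, best)

# Constructed plaintext; the "hidden" version is the same bytes rotated by 3 bits.
PLAINTEXT = b"Meeting at the warehouse, Friday 9pm."
HIDDEN = shift_bytes(PLAINTEXT, 3)

if __name__ == "__main__":
    print("hidden bytes:", HIDDEN.hex())
    print("printable share as stored:", round(printable_ratio(HIDDEN), 2))
    bits, recovered = recover_shift(HIDDEN)
    print(f"best rotation: {bits} bits -> {recovered!r}")
```

The printable-ratio test is a crude text detector; for a keyword search the same eight candidate decodings could be fed to the search instead of only the best-scoring one.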
31. USING STEGANOGRAPHY TO HIDE DATA
Greek for “hidden writing”
Steganography tools were created to protect copyrighted material by inserting digital watermarks into a file
Suspect can hide information on image or text document files
Most steganography programs can insert only small amounts of data into a file
Very hard to spot without prior knowledge
Tools: S-Tools, DPEnvelope, jpgx, and tte
32. EXAMINING ENCRYPTED FILES
Prevent unauthorized access
Employ a password or passphrase
Recovering data is difficult without the password
Key escrow
Designed to recover encrypted data if users forget their passphrases or if the user key is corrupted after a system failure
Cracking passwords
Experts and powerful computers
Persuade suspect to reveal password
33. RECOVERING PASSWORDS
Techniques
Dictionary attack
Brute-force attack
Password guessing based on suspect’s profile
Tools
AccessData PRTK
Advanced Password Recovery Software Toolkit
John the Ripper
Using AccessData tools with passworded and encrypted files
AccessData offers a tool called Password Recovery Toolkit (PRTK)
Can create possible password lists from many sources
Can create your own custom dictionary based on facts in the case
Can create a suspect profile and use biographical information to generate likely passwords
34. WORD LIST
FTK finds all strings in the data and makes a Word List from them
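The word list FTK builds is a strings extraction over the evidence, turned into a dictionary for PRTK. The Python below is an added example and not FTK's implementation: it pulls printable ASCII runs and UTF-16LE runs (the encoding Windows uses for much of its stored text) out of a constructed byte blob, splits them into tokens and returns a deduplicated, sorted list. The minimum lengths and the sample bytes are assumptions made for the example.

```python
import re

def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Printable ASCII runs and UTF-16LE runs of at least min_len characters, in file order."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_run.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in utf16_run.finditer(data)]
    return found

def build_word_list(data: bytes, min_len: int = 3) -> list:
    """Split every recovered string into alphanumeric tokens; return them deduplicated and sorted,
    the form a password-recovery tool can take as a case-specific dictionary."""
    words = set()
    for s in extract_strings(data):
        for tok in re.findall(r"[A-Za-z0-9]+", s):
            if len(tok) >= min_len:
                words.add(tok)
    return sorted(words)

# Constructed blob: a fake binary header, an ASCII configuration fragment, a UTF-16LE document
# title, and some trailing noise that is too short to count as a string.
SAMPLE_DATA = (
    b"\x7fELF\x02\x01\x01\x00" * 2
    + b"user=jsmith;dog=Fluffy2009\x00\x00\x83\x00"
    + "Project Alpha budget".encode("utf-16-le")
    + b"\x00\x00\x10\x20\x7e\x7e"
)

if __name__ == "__main__":
    for s in extract_strings(SAMPLE_DATA):
        print("string:", repr(s))
    print("word list:", build_word_list(SAMPLE_DATA))
```

Tokens such as a pet's name and a project code name are exactly the biographical material the profile-based guessing on the previous slide relies on, which is why the list is built from the evidence itself rather than from a generic dictionary.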
37. [CONTD…]
Using AccessData tools with passworded and encrypted files (continued)
FTK can identify known encrypted files and those that seem to be encrypted, and export them
You can then import these files into PRTK and attempt to crack them
41. INTRODUCTION
Remote acquisitions are handy when you need to image the drive of a computer far away from your location
Or when you don’t want a suspect to be aware of an ongoing investigation
42. REMOTE ACQUISITIONS WITH RUNTIME SOFTWARE
Runtime Software offers the following shareware programs for remote acquisitions:
DiskExplorer for FAT
DiskExplorer for NTFS
HDHOST
Preparing DiskExplorer and HDHOST for remote acquisitions
Requires the Runtime Software, a portable media device (USB thumb drive or floppy disk), and two networked computers
43. [CONTD…]
Making a remote connection with DiskExplorer
Requires running HDHOST on a suspect’s computer
To establish a connection with HDHOST, the suspect’s computer must be:
Connected to the network
Powered on
Logged on to any user account with permission to run noninstalled applications
HDHOST can’t be run surreptitiously
See Figures 9-18 through 9-24
51. [CONTD…]
Making a remote acquisition with DiskExplorer
After you have established a connection with DiskExplorer from the acquisition workstation, you can navigate through the suspect computer’s files and folders or copy data
The Runtime tools don’t generate a hash for acquisitions
54. OBJECTIVES
Describe primary concerns in conducting forensic examinations of virtual machines
Describe the importance of network forensics
Explain standard procedures for performing a live acquisition
Explain standard procedures for network forensics
Describe the use of network tools
55. VIRTUAL MACHINES OVERVIEW
Virtual machines are important in today’s networks.
Investigators must know how to detect a virtual machine installed on a host, acquire an image of a virtual machine, and use virtual machines to examine malware.
Check whether virtual machines are loaded on a host computer.
Clues that virtual machines have been installed or uninstalled:
Folders named "Virtual Machines" or "My Virtual Machines"
Registry HKEY_CLASSES_ROOT shows file extensions .VMX or .VMC registered
VMware network adapter
56. VMWARE LICENSE REGISTRY KEY
Retained even if VMware is uninstalled
57. IMAGING A VIRTUAL HARD DISK
We have already covered that in the projects, including using a virtual write-blocker
59. INTRODUCTION
Network forensics
Systematic tracking of incoming and outgoing traffic to ascertain how an attack was carried out or how an event occurred on a network
Intruders leave a trail behind
Determine the cause of the abnormal traffic
Internal bug
Attackers
60. SECURING A NETWORK
Layered network defense strategy
Sets up layers of protection to hide the most valuable data at the innermost part of the network
Defense in depth (DiD)
Similar approach developed by the NSA
Modes of protection
People (hiring and treatment)
Technology (firewalls, IDSs, etc.)
Operations (patches, updates)
Testing networks is as important as testing servers
You need to be up to date on the latest methods intruders use to infiltrate networks, as well as methods internal employees use to sabotage networks
62. INTRODUCTION
Live acquisitions are especially useful when you’re dealing with active network intrusions or attacks
Live acquisitions done before taking a system offline are also becoming a necessity, because attacks might leave footprints only in running processes or RAM
Live acquisitions don’t follow typical forensics procedures
Order of volatility (OOV)
How long a piece of information lasts on a system
63. [CONTD…]
Steps
Create or download a live-acquisition forensic CD
Make sure you keep a log of all your actions
A network drive is ideal as a place to send the information you collect; an alternative is a USB disk
Copy the physical memory (RAM)
The next step varies: search for rootkits, check firmware, image the drive over the network, or shut down for later static acquisition
Be sure to get a forensic hash value of all files you recover during the live acquisition
64. PERFORMING A LIVE ACQUISITION IN WINDOWS
Several tools are available to capture the RAM.
Mantech Memory DD
Win32dd
winen.exe from Guidance Software
BackTrack
67. INTRODUCTION
Long, tedious process
Standard procedure
Always use a standard installation image for systems on a network
Close any way in after an attack
Attempt to retrieve all volatile data
Acquire all compromised drives
Compare files on the forensic image to the original installation image
68. [CONTD…]
Computer forensics
Work from the image to find what has changed
Network forensics
Restore drives to understand attack
Work on an isolated system
Prevents malware from affecting other systems
69. REVIEWING NETWORK LOGS
Record incoming and outgoing traffic
Network servers
Routers
Firewalls
Tcpdump tool for examining network traffic
Can generate top 10 lists
Can identify patterns
Attacks might include other companies
Do not reveal information discovered about other companies
71. USING NETWORK TOOLS
Sysinternals
A collection of free tools for examining Windows products
Examples of the Sysinternals tools:
RegMon shows Registry data in real time
Process Explorer shows what is loaded
Handle shows open files and processes using them
Filemon shows file system activity
73. [CONTD…]
Tools from the PsTools suite created by Sysinternals
PsExec runs processes remotely
PsGetSid displays the security identifier (SID)
PsKill kills a process by name or ID
PsList lists details about a process
PsLoggedOn shows who’s logged on locally
PsPasswd changes account passwords
PsService controls and views services
PsShutdown shuts down and restarts PCs
PsSuspend suspends processes
74. USING UNIX/LINUX TOOLS
Knoppix Security Tools Distribution (STD)
Bootable Linux CD intended for computer and network forensics
Knoppix-STD tools
Dcfldd, the U.S. DoD dd version
memfetch forces a memory dump
photorec grabs files from a digital camera
snort, an intrusion detection system
oinkmaster helps manage your snort rules
75. [CONTD…]
Knoppix-STD tools (continued)
john
chntpw resets passwords on a Windows PC
tcpdump and ethereal are packet sniffers
With the Knoppix STD tools on a portable CD, you can examine almost any network system
BackTrack
Contains more than 300 tools for network scanning, brute-force attacks, Bluetooth and wireless networks, and more
Includes forensics tools, such as Autopsy and Sleuth Kit
Easy to use and frequently updated
76. USING PACKET SNIFFERS
Packet sniffers
Devices or software that monitor network traffic
Most work at layer 2 or 3 of the OSI model
Most tools follow the PCAP format
Some packets can be identified by examining the flags in their TCP headers
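The PCAP format and the TCP flags mentioned on this slide, and the top-10 lists and pattern spotting from the "Reviewing network logs" slide, can all be shown on one small capture. The Python below is an added example and not tcpdump or Wireshark code: it builds a constructed classic-pcap file in memory (zeroed MACs and checksums, since nothing here transmits), walks its records, decodes the TCP flags, counts packets per source address and flags any source whose SYN-only packets hit several distinct ports. The addresses, ports and the scan threshold are assumptions made for the example.

```python
import socket
import struct
from collections import Counter, defaultdict

TCP_FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]

def flag_names(flags: int) -> str:
    names = [name for bit, name in TCP_FLAG_BITS if flags & bit]
    return "+".join(names) if names else "none"

def build_tcp_packet(src_ip: str, dst_ip: str, sport: int, dport: int, flags: int) -> bytes:
    """Ethernet + IPv4 + TCP frame for the constructed capture (MACs and checksums zeroed)."""
    eth = bytes(12) + b"\x08\x00"                     # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp

def build_pcap(packets) -> bytes:
    """Classic pcap: 24-byte global header, then a 16-byte record header before each frame."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]   # link type 1 = Ethernet
    for i, pkt in enumerate(packets):
        out.append(struct.pack("<IIII", 1709644498 + i, 0, len(pkt), len(pkt)) + pkt)
    return b"".join(out)

def iter_pcap(data: bytes):
    """Yield (timestamp, frame) for each record of a little-endian classic pcap."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian classic pcap is handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len

def parse_tcp(frame: bytes):
    """Return src/dst/ports/flags for an IPv4 TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    t = 14 + (frame[14] & 0x0F) * 4            # start of the TCP header
    if len(frame) < t + 14:
        return None
    sport, dport = struct.unpack_from("!HH", frame, t)
    return {"src": socket.inet_ntoa(frame[26:30]), "dst": socket.inet_ntoa(frame[30:34]),
            "sport": sport, "dport": dport, "flags": frame[t + 13]}

def summarize(pcap: bytes, scan_threshold: int = 5):
    """Top-10 sources by packet count, plus sources whose SYN-only packets (SYN set, ACK clear)
    reached at least scan_threshold distinct destination ports: a simple port-scan pattern."""
    talkers, syn_ports = Counter(), defaultdict(set)
    for _ts, frame in iter_pcap(pcap):
        t = parse_tcp(frame)
        if t is None:
            continue
        talkers[t["src"]] += 1
        if t["flags"] & 0x02 and not t["flags"] & 0x10:
            syn_ports[t["src"]].add(t["dport"])
    scanners = sorted(src for src, ports in syn_ports.items() if len(ports) >= scan_threshold)
    return talkers.most_common(10), scanners

# Constructed capture: 10.0.0.5 sends lone SYNs to six ports on 10.0.0.9;
# 10.0.0.7 completes a normal exchange with port 80 (SYN, ACK, PSH+ACK).
SAMPLE_PCAP = build_pcap(
    [build_tcp_packet("10.0.0.5", "10.0.0.9", 40000 + i, p, 0x02)
     for i, p in enumerate((21, 22, 23, 25, 80, 443))]
    + [build_tcp_packet("10.0.0.7", "10.0.0.9", 50000, 80, f) for f in (0x02, 0x10, 0x18)]
)

if __name__ == "__main__":
    for ts, frame in iter_pcap(SAMPLE_PCAP):
        t = parse_tcp(frame)
        print(f"{ts:.0f} {t['src']}:{t['sport']} -> {t['dst']}:{t['dport']} {flag_names(t['flags'])}")
    top, scanners = summarize(SAMPLE_PCAP)
    print("top talkers:", top)
    print("possible scanners:", scanners)
```

The capture here is deliberately the same direction as the log review slide describes: the per-source counts are the "top 10 list", and the SYN-without-ACK rule is the kind of pattern an analyst looks for before pulling the matching firewall and router entries.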
78. TOOLS
Tcpdump (command-line packet capture)
Tethereal (command-line version of Ethereal)
Wireshark (formerly Ethereal)
Graphical packet capture analysis
Snort (intrusion detection)
Tcpslice
Extracts information from one or more tcpdump files by time frame
Tcpreplay (replays packets)
Tcpdstat (near-realtime traffic statistics)
Ngrep (pattern-matching for pcap captures)
Etherape (views network traffic graphically)
Netdude (GUI tool to analyze pcap files)
Argus (analyzes packet flows)
79. EXAMINING THE HONEYNET PROJECT
Attempt to thwart Internet and network hackers
Provides information about attack methods
Objectives are awareness, information, and tools
Distributed denial-of-service (DDoS) attacks
A recent major threat
Hundreds or even thousands of machines (zombies) can be used
81. [CONTD…]
Zero day attacks
Another major threat
Attackers look for holes in networks and OSs and exploit these weaknesses before patches are available
Honeypot
Normal-looking computer that lures attackers to it
Honeywalls
Monitor what’s happening to honeypots on your network and record what attackers are doing
82. [CONTD…]
Its legality has been questioned
Cannot be used in court
Can be used to learn about attacks
Manuka Project
Used the Honeynet Project’s principles to create a usable database for students to examine compromised honeypots
Honeynet Challenges
You can try to ascertain what an attacker did and then post your results online
84. OBJECTIVES
Explain the role of e-mail in investigations
Describe client and server roles in e-mail
Describe tasks in investigating e-mail crimes and violations
Explain the use of e-mail server logs
Describe some available e-mail computer forensics tools
85. EXPLORING THE ROLE OF E-MAIL IN INVESTIGATIONS
86. INTRODUCTION
With the increase in e-mail scams and fraud attempts with phishing or spoofing, investigators need to know how to examine and interpret the unique content of e-mail messages
Phishing e-mails are in HTML format, which allows creating links to text on a Web page
One of the most noteworthy e-mail scams was 419, or the Nigerian Scam
Spoofing e-mail can be used to commit fraud
87. MUNSHANI V. SIGNAL LAKE VENTURE FUND
Munshani received an email and altered it
But he failed to alter the ESMTP numbers, which uniquely identify each message an SMTP server transmits
Comparing ESMTP numbers from the server and the spoofed email revealed the fraud
88. EXPLORING THE ROLES OF THE CLIENT AND SERVER IN E-MAIL
89. INTRODUCTION
Send and receive e-mail in two environments
Internet
Controlled LAN, MAN, or WAN
Client/server architecture
Server OS and e-mail software differ from those on the client side
Protected accounts
Require usernames and passwords
91. [CONTD…]
Naming conventions
Corporate: john.smith@somecompany.com
Public: whatever@hotmail.com
Everything after @ belongs to the domain name
Tracing corporate e-mails is easier because accounts use standard names the administrator establishes
93. INTRODUCTION
Similar to other types of investigations
Goals
Find who is behind the crime
Collect the evidence
Present your findings
Build a case
Depends on the city, state, or country
Example: spam
Always consult with an attorney
Becoming commonplace
Examples of crimes involving e-mails
Narcotics trafficking
Extortion
Sexual harassment
Child abductions and pornography
94. EXAMINING E-MAIL MESSAGES
Access victim’s computer to recover the evidence
Using the victim’s e-mail client
Find and copy evidence in the e-mail
Access protected or encrypted material
Print e-mails
Guide victim on the phone
Open and copy e-mail including headers
Sometimes you will deal with deleted e-mails
95. [CONTD…]
Copying an e-mail message
Before you start an e-mail investigation, you need to copy and print the e-mail involved in the crime or policy violation
You might also want to forward the message as an attachment to another e-mail address
With many GUI e-mail programs, you can copy an e-mail by dragging it to a storage medium, or by saving it in a different location
97. VIEWING E-MAIL HEADERS
Learn how to find e-mail headers
GUI clients
Command-line clients
Web-based clients
After you open e-mail headers, copy and paste them into a text document so that you can read them with a text editor
Headers contain useful information
Unique identifying numbers, IP address of sending server, and sending time
98. [CONTD…]
Outlook
Open the Message Options dialog box
Copy headers
Paste them to any text editor
Outlook Express
Open the message Properties dialog box
Select Message Source
Copy and paste the headers to any text editor
101. EXAMINING E-MAIL HEADERS
Gather supporting evidence and track suspect
Return path
Recipient’s e-mail address
Type of sending e-mail service
IP address of sending server
Name of the e-mail server
Unique message number
Date and time e-mail was sent
Attachment files information
See link Ch 12b for an example: tracing the source of spam
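The items on this slide live mostly in the Received headers, which each relay prepends, so the bottom-most one is the first hop. The Python below is an added example, not a tool from the chapter: it parses a constructed header block with the standard library's email module, reads the from/by hosts, relay IP, ESMTP queue id and timestamp out of each Received line, and returns the hops in chronological order together with the Return-Path, Message-ID and Date. The queue ids it collects are the ESMTP numbers the Munshani slide describes comparing against the server's own records; every host, address, id and time here is made up.

```python
import email
import re

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def parse_received(value: str) -> dict:
    """Pull the from/by hosts, relay IP, ESMTP queue id and timestamp out of one Received header."""
    v = re.sub(r"\s+", " ", value).strip()          # unfold continuation lines

    def grab(pattern):
        m = re.search(pattern, v)
        return m.group(1) if m else None

    ips = IP_RE.findall(v)
    return {
        "from": grab(r"\bfrom\s+(\S+)"),
        "by": grab(r"\bby\s+(\S+)"),
        "id": grab(r"\bid\s+([A-Za-z0-9]+)"),
        "ip": ips[0] if ips else None,
        "date": v.rsplit(";", 1)[1].strip() if ";" in v else None,
    }

def trace_path(raw: str) -> list:
    """Received headers are prepended by each relay; reversing them gives the delivery order."""
    msg = email.message_from_string(raw)
    return [parse_received(r) for r in reversed(msg.get_all("Received") or [])]

def header_summary(raw: str) -> dict:
    """The fields the slide lists, gathered in one place."""
    msg = email.message_from_string(raw)
    hops = trace_path(raw)
    return {
        "return_path": msg.get("Return-Path"),
        "recipient": msg.get("To"),
        "message_id": msg.get("Message-ID"),
        "date": msg.get("Date"),
        "origin_ip": hops[0]["ip"] if hops else None,
        "origin_server": hops[0]["by"] if hops else None,
        "esmtp_ids": [h["id"] for h in hops],
    }

# Constructed message headers (two hops: submitting host -> mx.example.com -> victim's server).
SAMPLE_HEADERS = (
    "Return-Path: <billing@example.net>\n"
    "Received: from mx.example.com (mx.example.com [192.0.2.10])\n"
    "\tby mail.victim.example (Postfix) with ESMTP id 7C3A2B41F9\n"
    "\tfor <jdoe@victim.example>; Tue, 5 Mar 2024 09:15:02 -0500\n"
    "Received: from [203.0.113.7] (unknown [203.0.113.7])\n"
    "\tby mx.example.com (Postfix) with ESMTPA id 5F1D0A7E2C;\n"
    "\tTue, 5 Mar 2024 09:14:58 -0500\n"
    "From: \"Billing\" <billing@example.net>\n"
    "To: jdoe@victim.example\n"
    "Subject: Overdue invoice\n"
    "Message-ID: <20240305141458.5F1D0A7E2C@mx.example.com>\n"
    "Date: Tue, 5 Mar 2024 09:14:50 -0500\n"
    "\n"
    "Body omitted.\n"
)

if __name__ == "__main__":
    for n, hop in enumerate(trace_path(SAMPLE_HEADERS), 1):
        print(f"hop {n}: {hop['from']} -> {hop['by']} id={hop['id']} ip={hop['ip']} at {hop['date']}")
    for k, v in header_summary(SAMPLE_HEADERS).items():
        print(f"{k}: {v}")
```

Only the Received lines added by servers you control or can verify with their administrator are trustworthy; anything below the first hop your own server added could have been written by the sender, which is why the slide's next step is to check the findings against server logs.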
102. EXAMINING ADDITIONAL E-MAIL FILES
E-mail messages are saved on the client side or left at the server
Microsoft Outlook uses .pst and .ost files
Most e-mail programs also include an electronic address book
In Web-based e-mail
Messages are displayed and saved as Web pages in the browser’s cache folders
Many Web-based e-mail providers also offer instant messaging (IM) services
103. TRACING AN E-MAIL MESSAGE
Contact the administrator responsible for the sending server
Finding domain name’s point of contact
www.arin.net
www.internic.com
www.freeality.com
www.google.com
Find suspect’s contact information
Verify your findings by checking network e-mail logs against e-mail addresses
104. USING NETWORK E-MAIL LOGS
Router logs
Record all incoming and outgoing traffic
Have rules to allow or disallow traffic
You can resolve the path a transmitted e-mail has taken
Firewall logs
Filter e-mail traffic
Verify whether the e-mail passed through
You can use any text editor or specialized tools
107. INTRODUCTION
Computer loaded with software that uses e-mail protocols for its services and maintains logs you can examine and use in your investigation
E-mail storage
Database
Flat file
Logs
Default or manual
Continuous and circular
108. [CONTD…]
Log information
E-mail content
Sending IP address
Receiving and reading date and time
System-specific information
Contact suspect’s network e-mail administrator as soon as possible
Servers can recover deleted e-mails
Similar to deletion of files on a hard drive
110. EXAMINING UNIX E-MAIL SERVER LOGS
/etc/sendmail.cf
Configuration information for Sendmail
/etc/syslog.conf
Specifies how and which events Sendmail logs
/var/log/maillog
SMTP and POP3 communications
IP address and time stamp
Check UNIX man pages for more information
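Sendmail writes the sender and recipient halves of one message as separate maillog lines joined only by the queue id, so reading the log means correlating on that id. The Python below is an added example, not part of Sendmail or any forensic tool: it parses a few constructed maillog lines, groups them by queue id, records the sending relay's IP address and timestamp, and looks a message up by its Message-ID so a header found on the client can be matched to the server's record. The hostnames, queue ids, addresses and times are all made up.

```python
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+"
    r"sendmail\[\d+\]:\s+(?P<qid>[A-Za-z0-9]+):\s+(?P<rest>.*)$"
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def parse_fields(rest: str) -> dict:
    """Split the 'key=value, key=value' tail of a maillog line."""
    fields = {}
    for part in rest.split(", "):
        if "=" in part:
            k, v = part.split("=", 1)
            fields[k] = v
    return fields

def correlate(lines) -> dict:
    """Group maillog entries by queue id so the from= and to= halves of one message meet."""
    msgs = defaultdict(lambda: {"to": [], "events": []})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = msgs[m.group("qid")]
        f = parse_fields(m.group("rest"))
        rec["events"].append(m.group("ts"))
        if "from" in f:
            rec["from"] = f["from"].strip("<>")
            rec["msgid"] = f.get("msgid")
            ip = IP_RE.search(f.get("relay", ""))
            rec["relay_ip"] = ip.group(1) if ip else None
            rec["received_at"] = m.group("ts")
        if "to" in f:
            rec["to"] += [a.strip("<>") for a in f["to"].split(",")]
            rec["stat"] = f.get("stat")
    return dict(msgs)

def find_by_msgid(msgs: dict, msgid: str) -> list:
    """Queue ids whose from= line carried the given Message-ID."""
    return [qid for qid, r in msgs.items() if r.get("msgid") == msgid]

# Constructed /var/log/maillog excerpt: one delivered message and one bounced recipient.
SAMPLE_MAILLOG = [
    "Mar  5 09:14:58 mx sendmail[2145]: 425EEwAb002145: from=<billing@example.net>, size=1840, "
    "class=0, nrcpts=1, msgid=<20240305141458.5F1D0A7E2C@mx.example.com>, proto=ESMTP, relay=[203.0.113.7]",
    "Mar  5 09:14:59 mx sendmail[2146]: 425EEwAb002145: to=<jdoe@victim.example>, delay=00:00:01, "
    "xdelay=00:00:01, mailer=esmtp, pri=31840, relay=mail.victim.example. [192.0.2.20], dsn=2.0.0, "
    "stat=Sent (Ok: queued as 7C3A2B41F9)",
    "Mar  5 09:20:11 mx sendmail[2201]: 425EKBxy002201: from=<other@example.org>, size=512, class=0, "
    "nrcpts=1, msgid=<abc123@example.org>, proto=ESMTP, relay=host.example.org [198.51.100.4]",
    "Mar  5 09:20:12 mx sendmail[2202]: 425EKBxy002201: to=<bob@victim.example>, delay=00:00:01, "
    "mailer=esmtp, relay=mail.victim.example. [192.0.2.20], dsn=5.1.1, stat=User unknown",
    "Mar  5 09:21:00 mx sshd[2300]: unrelated line that the parser must skip",
]

if __name__ == "__main__":
    msgs = correlate(SAMPLE_MAILLOG)
    for qid, r in msgs.items():
        print(f"{qid}: {r.get('from')} [{r.get('relay_ip')}] -> {r['to']} at {r.get('received_at')} stat={r.get('stat')}")
    print("match for header Message-ID:", find_by_msgid(msgs, "<20240305141458.5F1D0A7E2C@mx.example.com>"))
```

A Message-ID present in a client-side header but absent from the server's log for that queue id is the kind of discrepancy the Munshani case turned on; the log, not the client copy, is the record to trust.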
113. EXAMINING MICROSOFT E-MAIL SERVER LOGS
Microsoft Exchange Server (Exchange)
Uses a database
Based on Microsoft Extensible Storage Engine
Messaging Application Programming Interface (MAPI)
A Microsoft system that enables different e-mail applications to work together
The “Information Store” is made of two files
Database files *.edb
Responsible for MAPI information
Database files *.stm
Responsible for non-MAPI information
114. [CONTD…]
Administrators can recover lost or deleted emails from these files:
Transaction log
Keeps track of e-mail databases
Checkpoints
Mark the place in the transaction log where the last backup was made
Other useful files
Temporary files
E-mail communication logs
res#.log
Tracking.log
Tracks messages
116. [CONTD…]
Troubleshooting or diagnostic log
Logs events
Use Windows Event Viewer
Open the Event Properties dialog box for more details about an event
119. EXAMINING NOVELL GROUPWISE E-MAIL LOGS
Up to 25 databases for e-mail users
Stored on the Ofuser directory object
Referenced by a username, a unique identifier, and .db extension
Shares resources with e-mail server databases
Mailbox organization
Permanent index files
QuickFinder
120. [CONTD…]
Folder and file structure can be complex
It uses Novell directory structure
Guardian
Directory of every database
Tracks changes in the GroupWise environment
Considered a single point of failure
Log files
GroupWise generates log files (.log extension) maintained in a standard log format in GroupWise folders
123. [CONTD…]
Tools allow you to find:
E-mail database files
Personal e-mail files
Offline storage files
Log files
Advantage
Do not need to know how e-mail servers and clients work
FINALeMAIL
Scans e-mail database files
Recovers deleted e-mails
Searches computer for other files associated with e-mail
126. USING ACCESSDATA FTK TO RECOVER E-MAIL
FTK
Can index data on a disk image or an entire drive for faster data retrieval
Filters and finds files specific to e-mail clients and servers
To recover e-mail from Outlook and Outlook Express, AccessData integrated dtSearch
dtSearch builds a b-tree index of all text data in a drive, an image file, or a group of files
130. USING A HEXADECIMAL EDITOR TO CARVE E-MAIL MESSAGES
Very few vendors have products for analyzing e-mail in systems other than Microsoft
mbox format
Stores e-mails in flat plaintext files
Multipurpose Internet Mail Extensions (MIME) format
Used by vendor-unique e-mail file systems, such as Microsoft .pst or .ost
Example: carve e-mail messages from Evolution
135. RECOVERING DELETED OUTLOOK FILES
Microsoft's Inbox Repair Tool (scanpst)
Link Ch 12d
EnCase
Advanced Outlook Repair from DataNumen, Inc.
Link Ch 12e
137. OBJECTIVES
Explain the basic concepts of mobile device forensics
Describe procedures for acquiring data from cell phones and mobile devices
139. DATA ON IPHONES
Screenshots of every map viewed
iPhone photos have GPS location data embedded
Apps store browsing history
iPhone stores everything you type, like a keylogger
Link Ch 13a
iPhone also stores screenshots after each action, in order to create an aesthetically pleasing shrinking effect (link Ch 13b)
141. UNDERSTANDING MOBILE DEVICE FORENSICS
People store a wealth of information on cell phones
People don’t think about securing their cell phones
Items stored on cell phones:
Incoming, outgoing, and missed calls
Text and Short Message Service (SMS) messages
E-mail
Instant-messaging (IM) logs
Web pages
Pictures
142. [CONTD…]
Items stored on cell phones (continued):
Personal calendars
Address books
Music files
Voice recordings
Investigating cell phones and mobile devices is one of the most challenging tasks in digital forensics
143. MOBILE PHONE BASICS
Mobile phone technology has advanced rapidly
Three generations of mobile phones:
Analog
Digital personal communications service (PCS)
Third-generation (3G)
3G offers increased bandwidth
Several digital networks are used in the mobile phone industry
145. 4G NETWORKS
Orthogonal Frequency Division Multiplexing (OFDM)
Uses power more efficiently, and is more immune to interference
Mobile WiMAX
Used by Sprint, will support speeds up to 12 Mbps
Ultra Mobile Broadband (UMB)
Also known as CDMA2000 EV-DO
Will support speeds up to 100 Mbps
Multiple Input Multiple Output (MIMO)
Will support speeds up to 312 Mbps
Long Term Evolution (LTE)
Will support up to 144 Mbps
146. [CONTD…]
Main components used for communication:
Base transceiver station (BTS)
Cell phone tower and associated equipment
Base station controller (BSC)
Hardware and software that controls the BTS
Mobile switching center (MSC)
Routes calls
Has a database of subscribers with account and location data
147. INSIDE MOBILE DEVICES
Mobile devices can range from simple phones to small computers, also called smart phones
Hardware components
Microprocessor, ROM, RAM, a digital signal processor, a radio module, a microphone and speaker, hardware interfaces, and an LCD display
Most basic phones have a proprietary OS, although smart phones use stripped-down versions of PC operating systems
148. [CONTD…]
Phones store system data in electronically erasable programmable read-only memory (EEPROM)
Enables service providers to reprogram phones without having to physically access memory chips
OS is stored in ROM
Nonvolatile memory
150. [CONTD…]
Subscriber identity module (SIM) cards
Found most commonly in GSM devices
Microprocessor and from 16 KB to 4 MB EEPROM
Sometimes even more, up to 1 GB EEPROM
GSM refers to mobile phones as “mobile stations” and divides a station into two parts:
The SIM card and the mobile equipment (ME)
SIM cards come in two sizes
Portability of information makes SIM cards versatile
151. [CONTD…]
Subscriber identity module (SIM) cards (continued)
Additional SIM card purposes:
Identifies the subscriber to the network
Stores personal information
Stores address books and messages
Stores service-related information
152. INSIDE PDAS
Personal digital assistants (PDAs)
Can be separate devices from mobile phones
Most users carry them instead of a laptop
PDAs house a microprocessor, flash ROM, RAM, and various hardware components
The amount of information on a PDA varies depending on the model
Usually, you can retrieve a user’s calendar, address book, Web access, and other items
153. [CONTD…]
Peripheral memory cards are used with PDAs
Compact Flash (CF)
MultiMedia Card (MMC)
Secure Digital (SD)
Most PDAs synchronize with a computer
Built-in slots for that purpose
155. UNDERSTANDING ACQUISITION PROCEDURES FOR CELL PHONES AND MOBILE DEVICES
The main concerns with mobile devices are loss of power and synchronization with PCs
All mobile devices have volatile memory
Making sure they don’t lose power before you can retrieve RAM data is critical
Mobile device attached to a PC via a cable or cradle/docking station should be disconnected from the PC immediately
Depending on the warrant or subpoena, the time of seizure might be relevant
156. [CONTD…]
Messages might be received on the mobile device after seizure
Isolate the device from incoming signals with one of the following options:
Place the device in a paint can
Use the Paraben Wireless StrongHold Bag
Use eight layers of antistatic bags to block the signal
The drawback to using these isolating options is that the mobile device is put into roaming mode, which accelerates battery drainage
157. [CONTD…]
Check these areas in the forensics lab:
Internal memory
SIM card
Removable or external memory cards
System server
Checking system servers requires a search warrant or subpoena
SIM card file system is a hierarchical structure
158. [CONTD…]
MF: root of the system
DF: directory files
EF: elementary data
159. [CONTD…]
Information that can be retrieved:
Service-related data, such as identifiers for the SIM card and the subscriber
Call data, such as numbers dialed
Message information
Location information
If power has been lost, PINs or other access codes might be required to view files
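The identifiers for the card and the subscriber are elementary files under the MF/DF/EF hierarchy of the previous slides, and a SIM reader returns them as raw bytes that need decoding. The Python below is an added example, not code from any SIM reader product: it decodes constructed copies of EF_ICCID (the card serial) and EF_IMSI (the subscriber identity) using the swapped-nibble BCD coding those files use. The file identifiers and the encoding rules come from GSM 11.11 / 3GPP TS 31.102, not from the slides; the sample values are from the test PLMN range and the two-digit MNC split is an assumption for this example.

```python
# File identifiers from GSM 11.11 / 3GPP TS 31.102 (not from the slides): MF 3F00 is the root,
# DF_GSM 7F20 holds the GSM elementary files, EF_ICCID 2FE2 sits directly under the MF.
EF_PATHS = {"EF_ICCID": "3F00/2FE2", "EF_IMSI": "3F00/7F20/6F07"}

def swapped_bcd_decode(data: bytes) -> str:
    """Telecom BCD stores two digits per byte, low nibble first; 0xF nibbles are padding."""
    digits = []
    for b in data:
        for nib in (b & 0x0F, b >> 4):
            if nib == 0x0F:
                continue
            if nib > 9:
                raise ValueError("non-BCD nibble 0x%x" % nib)
            digits.append(str(nib))
    return "".join(digits)

def swapped_bcd_encode(digits: str, length: int) -> bytes:
    """Inverse of the decoder; used here only to build the constructed sample file."""
    if len(digits) % 2:
        digits += "F"
    out = bytes(int(digits[i + 1], 16) << 4 | int(digits[i], 16) for i in range(0, len(digits), 2))
    return out.ljust(length, b"\xff")

def decode_iccid(ef_iccid: bytes) -> str:
    """EF_ICCID: 10 bytes of swapped BCD, F-padded when the ICCID has 19 digits."""
    return swapped_bcd_decode(ef_iccid)

def decode_imsi(ef_imsi: bytes, mnc_len: int = 2) -> dict:
    """EF_IMSI: byte 0 is the length; then the IMSI in mobile-identity coding, where the first
    byte's low nibble holds the identity type (001 = IMSI) and the odd/even bit, and its high
    nibble is digit 1. Remaining bytes are swapped BCD."""
    length = ef_imsi[0]
    body = ef_imsi[1:1 + length]
    if len(body) != length or (body[0] & 0x07) != 0x01:
        raise ValueError("not an IMSI-coded identity")
    odd = bool(body[0] & 0x08)
    imsi = str(body[0] >> 4) + swapped_bcd_decode(body[1:])
    if odd != (len(imsi) % 2 == 1):
        raise ValueError("odd/even bit disagrees with the digit count")
    return {"imsi": imsi, "mcc": imsi[:3], "mnc": imsi[3:3 + mnc_len], "msin": imsi[3 + mnc_len:]}

# Constructed sample files (test-range values, not a real subscriber).
SAMPLE_EF_ICCID = swapped_bcd_encode("8901260123456789012", 10)
SAMPLE_EF_IMSI = bytes.fromhex("08 09 10 10 10 32 54 76 98")   # IMSI 001010123456789

if __name__ == "__main__":
    print("EF_ICCID at", EF_PATHS["EF_ICCID"], "->", decode_iccid(SAMPLE_EF_ICCID))
    print("EF_IMSI  at", EF_PATHS["EF_IMSI"], "->", decode_imsi(SAMPLE_EF_IMSI))
```

The odd/even check matters in practice: a reader that returns a truncated or mis-aligned file produces a digit count that contradicts the flag, and it is better to stop there than to report a plausible-looking but wrong subscriber identity.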
160. MOBILE FORENSICS EQUIPMENT
Mobile forensics is a new science
Biggest challenge is dealing with constantly changing models of cell phones
When you’re acquiring evidence, generally you’re performing two tasks:
Acting as though you’re a PC synchronizing with the device (to download data)
Reading the SIM card
First step is to identify the mobile device
161. [CONTD…]
Make sure you have installed the mobile device software on your forensic workstation
Attach the phone to its power supply and connect the correct cables
After you’ve connected the device, start the forensics program and begin downloading the available information
162. [CONTD…]
SIM card readers
A combination hardware/software device used to access the SIM card
You need to be in a forensics lab equipped with appropriate antistatic devices
General procedure is as follows:
Remove the back panel of the device
Remove the battery
Under the battery, remove the SIM card from its holder
Insert the SIM card into the card reader
163. [CONTD…]
SIM card readers (continued)
A variety of SIM card readers are on the market
Some are forensically sound and some are not
Documenting messages that haven’t been read yet is critical
Use a tool that takes pictures of each screen
Blackberries may require special hardware
164. IPHONE FORENSICS
MacLockPick II
Uses backup files
It can’t recover deleted files
MDBackUp Extract
Analyzes the iTunes mobile sync backup directory
166. MOBILE FORENSICS TOOLS
Paraben Software Device Seizure Toolbox
Contains cables, SIM card readers, and more
Data Pilot
Similar to Paraben
BitPim
Can view data on many phones, but it's not intended for forensics
MOBILedit!
Has a write-blocker
SIMCon
Reads files on SIM cards
Recovers deleted text messages
Archives files with MD5 and SHA-1 hashes
Software tools differ in the items they display and the level of detail