Using network traffic to verify mobile device forensic artifacts
1. Using network traffic to verify
mobile device forensic artifacts
Songchai Duangpan 6136896
EGCO656 : MOBILE DEVICE FORENSICS
2. Using network traffic to verify mobile device
forensic artifacts
This research presents a method for checking device types through their network behavior. Using data transmitted over the network, both actively generated and passively observed, our approach, based on repeated experiments, shows that the three major mobile operating system vendors (Android, iOS, and Microsoft) throttle their network response to certain traffic sent to them (such as ICMP pings) and to streams they receive (such as TCP/IP streaming) in different ways in order to save battery power. This affects the network behavior of the devices and the way they handle certain events.
3. Proceeding with the following steps to prove the
concept:
(1) ICMP packets (such as pings) are actively sent to Android, iOS, and Microsoft mobile devices.
(2) Traffic from the same devices (such as video streaming) is received passively.
(3) The captured network traffic is analyzed.
(4) Machine learning methods are trained to distinguish the three operating systems.
We demonstrate that this method works well using network traffic alone, and that it is more flexible than methods that rely only on MAC addresses or other historical analysis methods.
4. Introduction
Knowledge of the devices attached to networks is of ever increasing importance. In the event of an
incident, it is necessary to identify the devices involved and the role they may have played in the
incident. It has now become common for an attacker to target and make use of multiple networked
systems. Thus, mobile devices can either become the target, the originator, or the pivot point for a
network-based attack.
5. Introduction
Digital forensics techniques involving networks often depend upon the extraction of data from one
or more target devices. Evidence of communications traffic can be gathered in the form of host
names and IP addresses stored in various log files, as well as DNS and ARP cache records. If memory
forensics are employed using analysis tools such as Volatility [10], then structures that may not be
available on disk can be gathered to reveal information such as the set of processes currently
listening to or writing to network sockets. This extraction normally requires access to the device in
question.
6. Introduction
We propose a method of device-type identification that does not require physical access to the mobile device.
Our detection technique does not rely on the data supplied by the device. Device behavior when subjected to
remote stimulation (i.e., ICMP pings) is examined. This approach allows us to differentiate among Android,
Windows, and iOS devices for verification purposes.
Our contributions are twofold:
(1) identification of unique network response behavior from iOS, Android, and Windows devices and
(2) demonstration that these unique responses can be captured actively or passively.
7. Motivation
Prior work used ICMP replies from Android mobile devices to detect the type of application being executed,
because the operating system throttles the CPU to save power. The authors conducted 200 experiments,
each consisting of pinging an Android device 100 times, and
calculated the average inter-packet spacing (IPS) for:
(1) an unloaded (i.e., idle CPU) device.
(2) a loaded device.
They then plotted the results and showed that a threshold could be used to separate the
experiments containing loaded devices from those containing unloaded devices.
8. RELATED WORK
Device identification is an important issue to network security and digital forensics. As
such, several different methods for fingerprinting devices have been proposed that take advantage
of different layers in the 802.11 protocol stack. In this section, we present an overview of several of
these techniques.
One line of work investigates the identification problem by examining the physical-layer properties of
the 802.11 card: the signal transmitted by the wireless card is profiled, which makes it possible to
differentiate network interface cards, even ones from the same vendor.
9. Experimental Apparatus
The experiments in this section were designed to demonstrate the capability of our approach in
actively and passively discerning among three different types of mobile devices, iOS, Windows, and
Android.
10. 1. Experimental Setup
The experimental setup is a wireless network connected to three mobile devices and a laptop with
two network cards. Specifically, the experimental setup consists of:
• A laptop running Ubuntu 14.04.3 LTS (Trusty Tahr) with two network interface cards (NICs)
• NIC1 (internal LAN adapter) connects to Wi-Fi router through Ethernet interface
• NIC2 (internal Wi-Fi adapter) is placed into monitor mode
• iPhone 6S running iOS 9.1
• Samsung S6 Edge running Android 5.1
• Nokia Lumia 521 running Windows Phone 8.10
12. Experimental Procedure
Active Experiments
The active experiment is performed by connecting each mobile device and the laptop to the Wi-Fi network.
The laptop then pings each mobile device ten thousand times at an interval of 10 ms (ping -c 10000 -i
0.01 <IP Address>) and captures the ICMP replies using Wireshark.
ping -c 10000 -i 0.01 192.138.1.102
13. PDF of ICMP replies for IPS
(Figure: three panels, one each for iOS, Android, and Windows Phone)
14. Experimental Procedure (Cont.)
Passive Experiments
In the passive experiment, each mobile device is connected to the wireless network, 10 YouTube videos
of 10 - 15 minutes each are played, and the resulting TCP/IP traffic is captured using Wireshark in
promiscuous mode.
15. PDF of TCP/IP passive packet capture
(Figure: three panels, one each for iOS, Android, and Windows Phone)
16. Assumptions and Limitations
In all of our experiments, we assume the following:
(1) the mobile device signal strength was excellent.
(2) the mobile devices were stationary.
(3) neither wireless network was congested.
(4) recent Android devices will perform similarly to the Samsung S6 Edge mobile device.
(5) recent iOS devices will perform similarly to the iPhone 6s device.
Our method has one main limitation:
currently, it only discerns between iOS, Windows, and Android devices, but this is mitigated by the
fact that in 2016, these mobile OSes make up the overwhelming majority of the total global
smartphone market.
17. Results and Analysis
1. Probability Distribution Characterization
In the active experiments, the probability distribution function (PDF) was calculated using
the inter-packet spacing (IPS) of the ICMP replies captured from pinging the mobile devices. The
PDFs in Active Experiments illustrate that the ICMP replies captured from the three different devices
all have different distributions. This implies that the devices exhibit different behavior; therefore, it
is likely that this data may be a good candidate for use with machine learning.
Similarly, in the passive experiments, the PDF was calculated using the IPS of TCP/IP
packets captured from streaming youtube.com videos. Since TCP/IP network traffic carries timing
features of its own, independent of the device, a method was used to remove these contributions, as described in Section V.B.2 of the original paper.
In the Passive Experiments, it is evident that the same three devices continue to exhibit different
behaviors when passive network traffic is captured. This strengthens the earlier assessment that
this data may be a good candidate for use with machine learning.
18. Results and Analysis
2. Machine Learning Application
In the confusion matrix in Table 1, there was significant packet loss, resulting in missing ICMP
replies for each device. It was observed that, for devices with an idle CPU and a 10 ms ping
interval, the iOS device experienced the heaviest packet loss (>20%), followed by the Windows
Phone device (15-20%) and the Android device (0-5%). This property has been demonstrated for
older Android and iOS devices. It is believed that this behavior is repeatable across iOS devices.
Table 1 : Confusion Matrix for active ICMP experiments
19. Table 1 : Confusion Matrix for active ICMP experiments
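As an added example (not code from the slides or from the underlying paper), the following Python script carries the active-experiment pipeline through on constructed data: it derives the IPS distribution and the packet-loss ratio from ICMP echo-reply records and then classifies an unknown capture, using a nearest-centroid rule as an assumed stand-in for the unnamed machine-learning method. The `synth_replies` generator, the 2 ms histogram bins and all loss and jitter values are assumptions of this example.

```python
"""Added example (not code from the presentation or the underlying paper): build
the inter-packet-spacing (IPS) PDF and packet-loss ratio of ICMP echo replies and
classify a capture with a nearest-centroid rule, an assumed stand-in since the
slides do not name the machine-learning method that was used."""
from collections import Counter

def synth_replies(sent, loss_every, jitter_s):
    """Constructed (icmp_seq, capture_time_s) records for `ping -c sent -i 0.01`:
    every loss_every-th reply is lost, odd sequence numbers are delayed by
    jitter_s.  Illustrative only, not measurements from any real device."""
    return [(i, i * 0.010 + (jitter_s if i % 2 else 0.0))
            for i in range(1, sent + 1) if i % loss_every]

def inter_packet_spacing(replies):
    """IPS (seconds) between consecutive captured replies; a lost reply shows up
    as a doubled gap, exactly as it would in a Wireshark capture (icmp.type == 0)."""
    times = [t for _, t in sorted(replies)]
    return [b - a for a, b in zip(times, times[1:])]

def packet_loss(replies, sent):
    """Fraction of echo requests that never produced a captured reply."""
    return 1.0 - len({seq for seq, _ in replies}) / sent

def ips_pdf(ips, bin_ms=2, max_ms=40):
    """Empirical PDF of IPS as a fixed-length histogram of per-bin probabilities;
    spacings are rounded to whole ms so float noise cannot shift a bin."""
    n_bins = max_ms // bin_ms
    counts = Counter(min(round(x * 1000) // bin_ms, n_bins - 1) for x in ips)
    total = len(ips) or 1
    return [counts[b] / total for b in range(n_bins)]

def features(replies, sent):
    """Feature vector = IPS PDF bins followed by the packet-loss ratio."""
    return ips_pdf(inter_packet_spacing(replies)) + [packet_loss(replies, sent)]

def nearest_centroid(train, sample):
    """Label of the training vector closest to sample (squared L2 distance)."""
    return min(train, key=lambda l: sum((a - b) ** 2 for a, b in zip(train[l], sample)))

# Constructed training captures; loss rates follow the ranges reported on the
# slides (Android 0-5 %, Windows Phone 15-20 %, iOS >20 %), spacing is made up.
TRAIN = {
    "android": features(synth_replies(100, 25, 0.000), 100),
    "windows": features(synth_replies(100, 6, 0.002), 100),
    "ios": features(synth_replies(100, 4, 0.004), 100),
}

if __name__ == "__main__":
    unknown = synth_replies(60, 4, 0.004)  # shorter capture of the same kind
    print(packet_loss(unknown, 60), nearest_centroid(TRAIN, features(unknown, 60)))
```

On a real capture, `synth_replies` would be replaced by the (icmp_seq, time) columns exported from Wireshark, and the loss ratio then gives the same per-OS comparison the slides draw from Table 1.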
Table 2 represents the confusion matrix for passive packet capture experiments. The total number of
instances is higher in these experiments because packets were passively captured and there was no
packet loss.
Table 2 : Confusion Matrix for passive packet capture experiments
21. Summary and future work
This research gives detailed explanations of how to remotely fingerprint and classify
mobile devices as Android, Windows or iOS, using a technique that takes advantage of TCP/IP network
traffic or ICMP packets and can be applied across large networks without physical access to the device. The technique
has been established for Android, and additional validation is required for iOS and Windows. We also
show how the collected data can be used to train the classifier. In the future, we want to investigate the
packet loss behavior of mobile devices further and to remove some assumptions so that our algorithm can
be used with mobile devices that are in other