Trends in Mobile Device Data and Artifacts


Data and artifacts from mobile devices reside in so many places that no single approach can yield everything. This session will review some of the latest observations on where artifacts and critical pieces of data can reside on the device, as well as the available tools and methodologies to extract and decode them.

Published in: Mobile, Technology
  • This is an example of a location database

    1. Trends in Mobile Devices Data and Artifacts
       Inbar Ries, Senior Director, Forensics Products, June 2014
    2. Trends
       ■ Much More Data: Variety, Amount, Initiator (user and device)
       ■ New Data Management: Multiple locations, Multiple types
    3. Mobile Apps Dominate
       ■ Contacts: friends, favorites, groups
       ■ Call logs
       ■ Chats: messages, attachments
       ■ Emails
       ■ Location
       ■ Images
       ■ Malware
       Over 2 Million Apps in App Store & Google Play
       102 Billion downloads in 2013
    4. Device Internal Data
       ■ Locations
       ■ Media files metadata
       ■ User ID (e.g. Apple ID)
       ■ Tethering information
       ■ Cloud backup indication
       ■ Device power log (off/on)
       ■ Installed applications & usage
       ■ Application permissions
    5. Locations
       ■ Cell towers
       ■ WiFi networks
       ■ Applications location
       ■ Media files
       ■ Journeys taken from GPS applications/devices
    6. The Device Knows Where Its Owner Has Been
       ■ The location data is derived from the cell towers and Wi-Fi hotspots the device encountered
       ■ The location service is enabled by default
       ■ The data is stored in a SQLite database for future use
          ■ Deleted data can be recovered
    7. Locations in Android Devices
       Location reporting is available on devices running Android 2.3 or higher
    8. Locations in iOS Devices
       ■ iOS 4 and above
       ■ Location accuracy: Location service uses a combination of cellular, Wi-Fi, Bluetooth, and GPS to determine your location.
       ■ System location service
          ■ iPhone will periodically send locations of where you have purchased or used Apps in an anonymous and encrypted form to Apple
          ■ iPhone will keep track of places you have recently been, as well as how often and when you visited them. This data is kept solely on your device
    9. Location in Applications
       ■ User location per activity
       ■ Friends' locations
       ■ Other people nearby
    10. Locations from TomTom devices
       ■ The potential: detailed location info including Lat/Lon and timestamps
       ■ Data stored on the device
       ■ Encrypted triplog files
    11. Image carving
       ■ File carving is a powerful tool for recovering files and fragments of files
       ■ Recovery of images that have a full, partial or corrupted header
          ■ Quick scan
          ■ Fewer false positives
       ■ Recovery of blocks of JPEG data without header information
          ■ Longer duration
          ■ Many more results
          ■ More false positives
    12. Media files
       ■ Video and image files
       ■ Where: latitude and longitude
       ■ When: capture time
       ■ Which camera: device make and model
       ■ Device owner
       ■ Other camera
       ■ What the area looks like
    13. Malware
       ■ Mobile malware increasing by 1000% in the last year
       ■ Mainly on Android and BlackBerry platforms
       ■ 2013: 143K malicious programs targeting mobile devices were detected
       ■ Devices are affected by:
          ■ A fake version of a real site
          ■ Infected legit app
          ■ Unofficial websites where users can freely download apps
    14. The Real Danger of Malware
       ■ Theft of
          ■ Private information
          ■ Bank account information and password
          ■ Credit card numbers
          ■ Company intellectual property
       ■ Deleting data
       ■ Forcing the use of premium content
       ■ Bricking the device
    15. Trends
       ■ Much More Data: Variety, Amount, Initiator (user and device)
       ■ New Data Management: Multiple locations, Multiple types
    16. SQLite Databases: Standard
       ■ SQLite is already installed on many devices, including Android, Apple and BlackBerry
       ■ Multiple data types
          ■ Text, date and time, numbers
          ■ Files (image, audio, documents)
       ■ Deleted data can be recovered
    17. SQLite Databases: Content
       ■ Applications data
          ■ The data is per application and cannot be accessed by other applications
          ■ Data: user profile, messages, locations, contacts, images and more
       ■ Device native applications including SMS, MMS, contacts
       ■ Device internal usage
          ■ The amount of data that is saved but not exposed to the user is massive
       ■ Data: configuration, cached information, locations and more
    18. Logs
       ■ Logs can include errors but also valuable system information
       ■ Transactions status
       ■ Device information
    19. Configuration files
       ■ What can be found:
          ■ Date, time and time zone configuration
          ■ Applications permissions
          ■ Tethering data: hotspot name, password and last activation time
          ■ Location service status: on/off
       ■ Configuration files:
          ■ Apple: Plist, bplist
          ■ Android: XML preference files
    20. Thank You
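
The header-based "quick scan" from the image carving slide can be sketched as follows. This is an added example, not code from the presentation or from any product it describes: the function names are hypothetical and the sample bytes are constructed. It shows why walking the JPEG marker structure after a signature hit gives fewer false positives than matching the signature alone.

```python
# Added example: header-based JPEG carving that validates marker structure.
SOI = b"\xff\xd8\xff"  # start-of-image plus the 0xFF of the next marker

def _skip_scan(buf, i, limit):
    """Advance through entropy-coded scan data to the next real marker."""
    while True:
        i = buf.find(b"\xff", i, limit)
        if i == -1 or i + 1 >= limit:
            return None
        nxt = buf[i + 1]
        if nxt == 0x00 or 0xD0 <= nxt <= 0xD7:  # stuffed 0xFF or restart marker
            i += 2
        elif nxt == 0xFF:                        # fill byte
            i += 1
        else:
            return i

def _walk(buf, start, limit):
    """Follow segments from SOI; return the offset just past EOI, or None."""
    i, scanned = start + 2, False
    while i is not None and i + 1 < limit:
        marker = buf[i + 1]
        if buf[i] != 0xFF or marker in (0x00, 0x01, 0xFF) or 0xD0 <= marker <= 0xD8:
            return None                          # not a segment-bearing marker
        if marker == 0xD9:                       # EOI only counts after a scan
            return i + 2 if scanned else None
        length = int.from_bytes(buf[i + 2:i + 4], "big")
        if length < 2 or i + 4 > limit:
            return None
        i += 2 + length
        if marker == 0xDA:                       # SOS: compressed data follows
            i, scanned = _skip_scan(buf, i, limit), True
    return None

def carve_jpegs(buf, max_size=16 * 1024 * 1024):
    """Return (start, end) offsets of structurally valid JPEG streams."""
    found, pos = [], 0
    while (start := buf.find(SOI, pos)) != -1:
        end = _walk(buf, start, min(len(buf), start + max_size))
        if end is not None:
            found.append((start, end))
        pos = end if end is not None else start + 1
    return found

# Constructed sample "image": 7 slack bytes, a minimal JPEG-shaped stream,
# then a decoy that has the SOI signature and an EOI but no valid segments.
JPEG = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(9) + b"\xff\xda\x00\x08"
        + bytes(6) + b"\x12\x34\xff\x00\x56\xff\xd0\x78\xff\xd9")
DECOY = b"\xff\xd8\xff" + b"A" * 20 + b"\xff\xd9"
DISK = bytes(7) + JPEG + b"junk" + DECOY + bytes(5)
```

`carve_jpegs(DISK)` reports only the real stream; a signature-only search from SOI to the next EOI would also report the decoy. Headerless fragment recovery, the slower mode on the same slide, is not covered here.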