SlideShare a Scribd company logo

Mobile_Forensics- General Introduction & Software.pptx

G
gouriuplenchwar63

This ppt is related with mobile forensic science where there is general introduction mobile forensics and associated terms. Some information regarding software used in mobile forensics.

Education
1 of 25
Download to read offline
Content • Definition • Principle • Understanding Mobile Forensics • Inside Mobile Devices • Steps in mobile forensics process • Mobile Device Tool Classification System • Mobile Phone Data Preservation
Definition • Mobile forensics is the process of acquisition and analysis of electronically stored information to support or contest a premise in court proceedings and civil or criminal investigations.
Principle: • The purpose of mobile forensics is to extract digital evidence or relevant data from a mobile device while maintaining forensic integrity.
Understanding Mobile Forensics People store a wealth of information on cell phones and mobile devices. • People don’t think about securing their mobile devices.  Items stored on mobile devices: • Incoming, outgoing, and missed calls , contact lists • SMS , application based text, and multimedia messaging content, Instant-messaging (IM) logs, E-mail • Pictures, videos, and audio files and sometimes voice mail messages, Voice recordings • Internet browsing history, Web pages , web content, cookies, search history, analytics information • To-do lists, notes, calendar entries, User dictionary content, ringtones • Documents, spreadsheets, presentation files and other user-created data • Passwords, passcodes, swipe codes, user account credentials • Historical geolocation data, cell phone tower related location data, Wi-Fi connection information • Data from various installed apps • System files, usage logs, error messages • Deleted data from all of the above Investigating cell phones and mobile devices is one of the most challenging tasks in digital forensics
Inside Mobile Devices  IMEI and IMSI • International Mobile Equipment Identifier • International Mobile Subscriber Identifier  Also MEID (Mobile Equipment Identifier) or ESN (electronic serial number)  Phones store system data in electronically erasable programmable read-only memory (EEPROM) • Enables service providers to reprogram phones without having to physically access memory chips  OS is stored in ROM • Nonvolatile memory
Inside Mobile Devices  Subscriber Identity Module (SIM) cards • Found most commonly in GSM (Global System for Mobile Communications) devices • GSM refers to mobile phones as “mobile stations” and divides a station into two parts: • The SIM card and the mobile equipment (ME) • Portability of information makes SIM cards versatile • Integrated Circuit Card Identifier(ICCID) • Identifies the subscriber to the network Stores service-related information • PIN – unlock the device • PUK – reset the PIN • Wipes phone is incorrectly entered > 10 time • Cipher Algorithm
Steps in the Mobile Forensics Process 1. Seizure • Digital forensics operates on the principle that evidence should always be adequately preserved, processed, and admissible in a court of law. Some legal consideration go hand in hand with the confiscation of mobile devices. • There are two major risks concerning this phase of the mobile forensic process: Lock activation (by user/suspect/inadvertent third party) and Network / Cellular connection. • Network isolation is always advisable, and it could be achieved either through: Airplane mode • Mobile devices are often seized switched on and since the purpose of their confiscation is to preserve evidence, the best way to transport them is to attempt to keep them turned on to avoid a shutdown, which would inevitably alter files. Faraday bag • A Faraday box/bag and external power supply are common types of equipment for conducting mobile forensics. While the former is a container specifically designed to isolate mobile devices from network communications and, at the same time, help with the safe transportation of evidence to the laboratory, the latter, is a power source embedded inside the Faraday box/bag. Before putting the phone in the Faraday bag, disconnect it from the network, disable all network connections (Wi-Fi, GPS, Hotspots, etc.), and activate the flight mode to protect the integrity of the evidence. Turn the device off • may activate authentication codes , complicating acquisition and delaying examination.
2. Acquisition Identification + extraction • The goal of this phase is to retrieve data from the mobile device. A locked screen can be unlocked with the right PIN, password, pattern, or biometrics. According to a ruling by the Virginia Circuit Court, passcodes are protected, fingerprints not. Also, similar lock measures may exist on apps, images, SMSs, or messengers. Encryption, on the other hand, provides security on a software and/or hardware level that is often impossible to circumvent. • It is hard to be in control of data on mobile devices because the data is mobile as well. Once communications or files are sent from a smartphone, control is lost. Although there are different devices having the capability to store considerable amounts of data, the data in itself may physically be in another location. To give an example, data synchronization among devices and applications can take place directly but also via the cloud. • Services such as Apple’s iCloud and Microsoft’s One Drive are prevalent among mobile device users, which leave open the possibility for data acquisition from there. For that reason, investigators should be attentive to any indications that data may transcend the mobile device as a physical object, because such an occurrence may affect the collection and even preservation process. • Since data is constantly being synchronized, hardware and software may be able to bridge the data gap. Consider Uber – it has both an app and a fully functional website. All the information that can be accessed through the Uber app on a phone may be pulled off the Uber website instead, or even the Uber software program installed on a computer.
• After one identifies the data sources, the next step is to collect the information properly. There are certain unique challenges concerning gathering information in the context of mobile technology. Many mobile devices cannot be collected by creating an image and instead they may have to undergo a process called acquisition of data. • Thera are various protocols for collecting data from mobile devices as certain design specifications may only allow one type of acquisition. • The forensic examiner should make a use of SIM Card imagining – a procedure that recreates a replica image of the SIM Card content. As with other replicas, the original evidence will remain intact while the replica image is being used for analysis. All image files should be hashed to ensure data remains accurate and unchanged. • Check these areas in the forensics lab : • Internal memory • SIM card • Removable or external memory cards • System server
3. Examination and analysis • As the first step of every digital investigation involving a mobile device(s), the forensic expert needs to identify:  Type of the mobile device(s) – e.g., GPS, smartphone, tablet, etc.  Type of network – GSM, CDMA, and TDMA  Carrier  Service provider (Reverse Lookup) • The examiner may need to use numerous forensic tools to acquire and analyze data residing in the machine. Due to the sheer diversity of mobile devices, there is no one-size-fits-all solution regarding mobile forensic tools. Consequently, it is advisable to use more than one tool for examination. The most appropriate tool(s) is being chosen depending on the type and model of mobile device. • Timeline and link analysis available in many mobile forensic tools could tie each of the most significant events, from a forensic analyst’s point of view.
Manual Extraction • A manual extraction method involves viewing the data content stored on a mobile device. • Browses data using the mobile device’s touchscreen or keypad. • Information of interest discovered on the phone is photographically documented. • This process of manual extraction is simple and applicable to almost every phone. • Furthermore, manual extraction is long and involves an excellent chance of human error. • Popular tools for manual extractions include:  Project-A-Phone  Fernico ZRT  EDEC Eclipse • Disadvantage:  it is impossible to recover deleted information.  very time consuming  data on the device may be modified, deleted or overwritten throughout the examination.
Logical Extraction • A logical extraction of data from a mobile phone collects the files and folders contained on the device without any unallocated space. Typically, data collected via a logical extraction includes messaging, pictures, video, audio, contacts, application data, some location data, internet history, search history, social media, and more. • Connectivity between a mobile device and the forensics workstation a connection using: • Wired (e.g., USB or RS-232). • Wireless (e.g., IrDA, WiFi, or Bluetooth) • Following the connecting part, the computer sends command requests to the device, and the device sends back data from its memory. The majority of forensic tools support logical extraction. • Deleted data is rarely accessible. • The tools used for logical extraction include: • XRY Logical • Oxygen • Lantern • Cellebrite UFED
• File System Extraction • A file system extraction is an extension of a logical extraction. It collects much of the same data as a logical extraction along with additional file system data. During a file system extraction, the forensic tool accesses the internal memory of the mobile phone, which means that the forensic software can collect system files, logs, and database files from the device that a logical acquisition cannot. • Most applications store their data in database files on a mobile phone. Since a file system extraction recovers more of these database files, more deleted data like database files and data related to application usage on the device can be recovered.
JTAG Method • JTAG is a non-invasive form of physical acquisition that could extract data from a mobile device even when data was difficult to access through software avenues because the device is damaged, locked or encrypted. The device, however, must be at least partially functional (minor damages would not hinder this method). • The process involves connecting to the Test Access Ports (TAPs) on a device and instructing the processor to transfer raw data stored on connected memory chips. This is a standard feature that one could come across in many mobile phone models, which provides mobile phone manufactures a low-level interface outside the operating system. • Digital forensic investigators take an interest in JTAG, as it can, in theory, allow direct access to the mobile device’s memory without jeopardizing it. Despite that fact, it is a labor-intensive, time-consuming procedure, and it requires advance knowledge (not only of JTAG for the model of the phone under investigation but also of how to arrange anew the resulting binary composed of the phone’s memory structures).
Hex Dump • Similar to JTAG, Hex dump is another method for physical extraction of raw information in binary format stored in memory. • The forensic professionals connect the device to a digital forensic workstation and pushes the boot-loader into the device, that instructs the device to dump its memory to the computer. • Resulting image is fairly technical in binary format and it requires a person having the technical education to analyze it. • This method is cost-efficient and provides more information to the investigators, including the recovery of phone’s deleted files and unallocated space including location information, email, messages, videos, photos, audio, applications, and almost any other data contained on a mobile phone. • The common tools used for hex dump include: XACT Cellebrite UFED Touch 2 and Physical analyzer Pandora’s Box
Chip-Off • A process that refers to obtaining data straight from the mobile device’s memory chip. • According to the preparations, the chip is detached from the device and a chip reader or a second phone is used to extract data stored on the device and create its binary image under investigation. It should be noted that this method is technically challenging because of the wide variety of chip types existing on the mobile market. • Also, the chip-off process is expensive, training is required, and the examiner should procure specific hardware to conduct de-soldering and heating of the memory chip. Bits and bytes of raw information that is retrieved from the memory are yet to be parsed, decoded, and interpreted. Even the smallest mistake may lead to physical damages to the memory chip, which, in effect, would render the data impossible to retrieve. • This method is costly and needs an ample data of hardware. • The whole process consists of five stages:  Detect the memory chip typology of the device  Physical extraction of the chip (for example, by unwelding it)  Interfacing of the chip using reading/programming software  Reading and transferring data from the chip to a PC  Interpretation of the acquired data (using reverse engineering)
Chip-Off • The popular tools and equipment’s used for chip-off include:  iSeasamo Phone Opening Tool  Xytronic 988D Solder Rework Station  FEITA Digital inspection station  Chip Epoxy Glue Remover  Circuit Board Holder
Micro Read • A Micro Read involves recording the physical observation of the gates on a NAND or NOR chip with the use of an electron microscope. • It is used after all other acquisition techniques have been exhausted. • Successful acquisition requires a team of • experts • proper equipment • time • in-depth knowledge of proprietary information • This method refers to manually taking an all-around view through the lenses of an electron microscope and analyzing data seen on the memory chip, more specifically the physical gates on the chip. In a nutshell, micro read is a method that demands utmost level of expertise, it is costly and time-consuming, and is reserved for serious national security crises.
Mobile Phone Data Preservation The mobile phone's integrity and the data on it need to be established to ensure that evidence is admissible in court. • Chain of Custody Evidence preservation aims to protect digital evidence from modification. This protection begins by ensuring that first responders, investigators, crime scene technicians, digital forensic experts, or anyone else who touches the device handles it properly. A chain of custody must be maintained throughout the entire life cycle of a case.
•Mathematical Hashing Algorithm The forensic data collection process from the mobile device is better called a "forensics extraction," as data is extracted from the device instead of a perfect bit-for-bit copy of the evidence item. With the mobile phone powered on, the forensic software cannot access some areas of data. However, data that is inaccessible because the mobile device is powered on is usually of little to no value evidentiary. Following the forensic copying comes the hashing process. A mathematical algorithm is run against the copied data, producing a unique hash value. This hash value can be thought of as a digital fingerprint, uniquely identifying the copied evidence exactly as it exists at that point in time.
Tools Mobile Forensics tools that examine CDMA, GSM, SIM and GPS. • Cellebrite UFED • Paraben Device Seizure • Paraben Sticks (Data Recovery, Phone Recovery Stick, Porn Stick) • Secure View • FTK • EnCase • Oxygen Forensics
Mobile_Forensics- General Introduction & Software.pptx

Recommended

Phreaks
PhreaksPhreaks
PhreaksFanap
 
Mobile forensics
Mobile forensicsMobile forensics
Mobile forensicsnoorashams
 
CS6004 Cyber Forensics
CS6004 Cyber ForensicsCS6004 Cyber Forensics
CS6004 Cyber ForensicsKathirvel Ayyaswamy
 
Mobile Forensics
Mobile ForensicsMobile Forensics
Mobile Forensicsprimeteacher32
 
Network Forensic
Network ForensicNetwork Forensic
Network ForensicSujeet Kumar
 
Computer forensics
Computer forensicsComputer forensics
Computer forensicsShreya Singireddy
 
Mobile Forensics
Mobile Forensics Mobile Forensics
Mobile Forensics abdullah roomi
 
Mobile Phone Seizure Guide by Raghu Khimani
Mobile Phone Seizure Guide by Raghu KhimaniMobile Phone Seizure Guide by Raghu Khimani
Mobile Phone Seizure Guide by Raghu KhimaniDr Raghu Khimani
 

Recommended

Phreaks
PhreaksPhreaks
PhreaksFanap
 
Mobile forensics
Mobile forensicsMobile forensics
Mobile forensicsnoorashams
 
CS6004 Cyber Forensics
CS6004 Cyber ForensicsCS6004 Cyber Forensics
CS6004 Cyber ForensicsKathirvel Ayyaswamy
 
Mobile Forensics
Mobile ForensicsMobile Forensics
Mobile Forensicsprimeteacher32
 
Network Forensic
Network ForensicNetwork Forensic
Network ForensicSujeet Kumar
 
Computer forensics
Computer forensicsComputer forensics
Computer forensicsShreya Singireddy
 
Mobile Forensics
Mobile Forensics Mobile Forensics
Mobile Forensics abdullah roomi
 
Mobile Phone Seizure Guide by Raghu Khimani
Mobile Phone Seizure Guide by Raghu KhimaniMobile Phone Seizure Guide by Raghu Khimani
Mobile Phone Seizure Guide by Raghu KhimaniDr Raghu Khimani
 
cyber security and forensic tools
cyber security and forensic toolscyber security and forensic tools
cyber security and forensic toolsSonu Sunaliya
 
Lect 5 computer forensics
Lect 5 computer forensicsLect 5 computer forensics
Lect 5 computer forensicsKabul Education University
 
Browser forensics
Browser forensicsBrowser forensics
Browser forensicsPrince Boonlia
 
Mobile and SIM Forensics
Mobile and SIM ForensicsMobile and SIM Forensics
Mobile and SIM ForensicsYugal Pathak
 
Computer forensic ppt
Computer forensic pptComputer forensic ppt
Computer forensic pptPriya Manik
 
10 tk3193-ids
10 tk3193-ids10 tk3193-ids
10 tk3193-idsSetia Juli Irzal Ismail
 
Cloud-forensics
Cloud-forensicsCloud-forensics
Cloud-forensicsanupriti
 
A brief Intro to Digital Forensics
A brief Intro to Digital ForensicsA brief Intro to Digital Forensics
A brief Intro to Digital ForensicsManik Bhola
 
01 Computer Forensics Fundamentals - Notes
01 Computer Forensics Fundamentals - Notes01 Computer Forensics Fundamentals - Notes
01 Computer Forensics Fundamentals - NotesKranthi
 
Autopsy Digital forensics tool
Autopsy Digital forensics toolAutopsy Digital forensics tool
Autopsy Digital forensics toolSreekanth Narendran
 
Digital forensics
Digital forensics Digital forensics
Digital forensics vishnuv43
 
Digital Forensics
Digital ForensicsDigital Forensics
Digital ForensicsMithileysh Sathiyanarayanan
 
Dark Web Forensics
Dark Web Forensics Dark Web Forensics
Dark Web Forensics Deepak Kumar (D3)
 
mobile forensic.pptx
mobile forensic.pptxmobile forensic.pptx
mobile forensic.pptxAmbuj Kumar
 
Current Forensic Tools
Current Forensic Tools Current Forensic Tools
Current Forensic Tools Jyothishmathi Institute of Technology and Science Karimnagar
 
Cyber Forensics Module 1
Cyber Forensics Module 1Cyber Forensics Module 1
Cyber Forensics Module 1Manu Mathew Cherian
 
Digital forensics
Digital forensicsDigital forensics
Digital forensicsyash sawarkar
 
Lect 1 computer forensics
Lect 1 computer forensicsLect 1 computer forensics
Lect 1 computer forensicsKabul Education University
 
Data recovery
Data recoveryData recovery
Data recoveryAbhinav Parihar
 
Computer Forensic
Computer ForensicComputer Forensic
Computer ForensicNovizul Evendi
 
Uncover important digital evidence with digital forensic tools
Uncover important digital evidence with digital forensic toolsUncover important digital evidence with digital forensic tools
Uncover important digital evidence with digital forensic toolsParaben Corporation
 
ContentsMobile Forensic3Introduction3What It Is3How I.docx
ContentsMobile Forensic3Introduction3What It Is3How I.docxContentsMobile Forensic3Introduction3What It Is3How I.docx
ContentsMobile Forensic3Introduction3What It Is3How I.docxrichardnorman90310
 

More Related Content

What's hot

cyber security and forensic tools
cyber security and forensic toolscyber security and forensic tools
cyber security and forensic toolsSonu Sunaliya
 
Mobile and SIM Forensics
Mobile and SIM ForensicsMobile and SIM Forensics
Mobile and SIM ForensicsYugal Pathak
 
Computer forensic ppt
Computer forensic pptComputer forensic ppt
Computer forensic pptPriya Manik
 
Cloud-forensics
Cloud-forensicsCloud-forensics
Cloud-forensicsanupriti
 
A brief Intro to Digital Forensics
A brief Intro to Digital ForensicsA brief Intro to Digital Forensics
A brief Intro to Digital ForensicsManik Bhola
 
01 Computer Forensics Fundamentals - Notes
01 Computer Forensics Fundamentals - Notes01 Computer Forensics Fundamentals - Notes
01 Computer Forensics Fundamentals - NotesKranthi
 
Digital forensics
Digital forensics Digital forensics
Digital forensics vishnuv43
 
mobile forensic.pptx
mobile forensic.pptxmobile forensic.pptx
mobile forensic.pptxAmbuj Kumar
 

What's hot (20)

cyber security and forensic tools
cyber security and forensic toolscyber security and forensic tools
cyber security and forensic tools
 
Lect 5 computer forensics
Lect 5 computer forensicsLect 5 computer forensics
Lect 5 computer forensics
 
Browser forensics
Browser forensicsBrowser forensics
Browser forensics
 
Mobile and SIM Forensics
Mobile and SIM ForensicsMobile and SIM Forensics
Mobile and SIM Forensics
 
Computer forensic ppt
Computer forensic pptComputer forensic ppt
Computer forensic ppt
 
10 tk3193-ids
10 tk3193-ids10 tk3193-ids
10 tk3193-ids
 
Cloud-forensics
Cloud-forensicsCloud-forensics
Cloud-forensics
 
A brief Intro to Digital Forensics
A brief Intro to Digital ForensicsA brief Intro to Digital Forensics
A brief Intro to Digital Forensics
 
01 Computer Forensics Fundamentals - Notes
01 Computer Forensics Fundamentals - Notes01 Computer Forensics Fundamentals - Notes
01 Computer Forensics Fundamentals - Notes
 
Autopsy Digital forensics tool
Autopsy Digital forensics toolAutopsy Digital forensics tool
Autopsy Digital forensics tool
 
Digital forensics
Digital forensics Digital forensics
Digital forensics
 
Digital Forensics
Digital ForensicsDigital Forensics
Digital Forensics
 
Dark Web Forensics
Dark Web Forensics Dark Web Forensics
Dark Web Forensics
 
mobile forensic.pptx
mobile forensic.pptxmobile forensic.pptx
mobile forensic.pptx
 
Current Forensic Tools
Current Forensic Tools Current Forensic Tools
Current Forensic Tools
 
Cyber Forensics Module 1
Cyber Forensics Module 1Cyber Forensics Module 1
Cyber Forensics Module 1
 
Digital forensics
Digital forensicsDigital forensics
Digital forensics
 
Lect 1 computer forensics
Lect 1 computer forensicsLect 1 computer forensics
Lect 1 computer forensics
 
Data recovery
Data recoveryData recovery
Data recovery
 
Computer Forensic
Computer ForensicComputer Forensic
Computer Forensic
 

Similar to Mobile_Forensics- General Introduction & Software.pptx

Uncover important digital evidence with digital forensic tools
Uncover important digital evidence with digital forensic toolsUncover important digital evidence with digital forensic tools
Uncover important digital evidence with digital forensic toolsParaben Corporation
 
ContentsMobile Forensic3Introduction3What It Is3How I.docx
ContentsMobile Forensic3Introduction3What It Is3How I.docxContentsMobile Forensic3Introduction3What It Is3How I.docx
ContentsMobile Forensic3Introduction3What It Is3How I.docxrichardnorman90310
 
Conceptual Study of Mobile Forensics
Conceptual Study of Mobile ForensicsConceptual Study of Mobile Forensics
Conceptual Study of Mobile Forensicsijtsrd
 
Most promising cyber forensic solution providers from india forn sec solut...
Most promising cyber forensic solution providers from india forn sec solut...Most promising cyber forensic solution providers from india forn sec solut...
Most promising cyber forensic solution providers from india forn sec solut...FORnSECSolutions
 
Best Cyber Crime Investigation Service Provider | Fornsec Solutions
Best Cyber Crime Investigation Service Provider | Fornsec SolutionsBest Cyber Crime Investigation Service Provider | Fornsec Solutions
Best Cyber Crime Investigation Service Provider | Fornsec SolutionsFORnSECSolutions
 
Internet of Things-ppt.pptx
Internet of Things-ppt.pptxInternet of Things-ppt.pptx
Internet of Things-ppt.pptxSaonDey3
 
Presentation cyber forensics & ethical hacking
Presentation cyber forensics & ethical hackingPresentation cyber forensics & ethical hacking
Presentation cyber forensics & ethical hackingAmbuj Kumar
 
Why cant all_data_be_the_same
Why cant all_data_be_the_sameWhy cant all_data_be_the_same
Why cant all_data_be_the_sameSkyler Lewis
 
CSF18 - Through a Mirror Darkly- a journey to the dark side of metadata - Sas...
CSF18 - Through a Mirror Darkly- a journey to the dark side of metadata - Sas...CSF18 - Through a Mirror Darkly- a journey to the dark side of metadata - Sas...
CSF18 - Through a Mirror Darkly- a journey to the dark side of metadata - Sas...NCCOMMS
 
Computer Forensics (1).pptx
Computer Forensics (1).pptxComputer Forensics (1).pptx
Computer Forensics (1).pptxGautam708801
 
New research directions in the area of
New research directions in the area ofNew research directions in the area of
New research directions in the area ofIJCNCJournal
 
Computer forensics toolkit
Computer forensics toolkitComputer forensics toolkit
Computer forensics toolkitMilap Oza
 
Ch15 power point
Ch15 power pointCh15 power point
Ch15 power pointbodo-con
 
To get round to the heart of fortress
To get round to the heart of fortressTo get round to the heart of fortress
To get round to the heart of fortressSTO STRATEGY
 

Similar to Mobile_Forensics- General Introduction & Software.pptx (20)

Uncover important digital evidence with digital forensic tools
Uncover important digital evidence with digital forensic toolsUncover important digital evidence with digital forensic tools
Uncover important digital evidence with digital forensic tools
 
ContentsMobile Forensic3Introduction3What It Is3How I.docx
ContentsMobile Forensic3Introduction3What It Is3How I.docxContentsMobile Forensic3Introduction3What It Is3How I.docx
ContentsMobile Forensic3Introduction3What It Is3How I.docx
 
Conceptual Study of Mobile Forensics
Conceptual Study of Mobile ForensicsConceptual Study of Mobile Forensics
Conceptual Study of Mobile Forensics
 
Most promising cyber forensic solution providers from india forn sec solut...
Most promising cyber forensic solution providers from india forn sec solut...Most promising cyber forensic solution providers from india forn sec solut...
Most promising cyber forensic solution providers from india forn sec solut...
 
Best Cyber Crime Investigation Service Provider | Fornsec Solutions
Best Cyber Crime Investigation Service Provider | Fornsec SolutionsBest Cyber Crime Investigation Service Provider | Fornsec Solutions
Best Cyber Crime Investigation Service Provider | Fornsec Solutions
 
Internet of Things-ppt.pptx
Internet of Things-ppt.pptxInternet of Things-ppt.pptx
Internet of Things-ppt.pptx
 
Presentation cyber forensics & ethical hacking
Presentation cyber forensics & ethical hackingPresentation cyber forensics & ethical hacking
Presentation cyber forensics & ethical hacking
 
Why cant all_data_be_the_same
Why cant all_data_be_the_sameWhy cant all_data_be_the_same
Why cant all_data_be_the_same
 
CSF18 - Through a Mirror Darkly- a journey to the dark side of metadata - Sas...
CSF18 - Through a Mirror Darkly- a journey to the dark side of metadata - Sas...CSF18 - Through a Mirror Darkly- a journey to the dark side of metadata - Sas...
CSF18 - Through a Mirror Darkly- a journey to the dark side of metadata - Sas...
 
CYBERFORENSICS
CYBERFORENSICSCYBERFORENSICS
CYBERFORENSICS
 
Smart phone and mobile phone risks
Smart phone and mobile phone risksSmart phone and mobile phone risks
Smart phone and mobile phone risks
 
Computer Forensics (1).pptx
Computer Forensics (1).pptxComputer Forensics (1).pptx
Computer Forensics (1).pptx
 
Lect 6 computer forensics
Lect 6 computer forensicsLect 6 computer forensics
Lect 6 computer forensics
 
Cyber forensics and auditing
Cyber forensics and auditingCyber forensics and auditing
Cyber forensics and auditing
 
New research directions in the area of
New research directions in the area ofNew research directions in the area of
New research directions in the area of
 
Firewalls
FirewallsFirewalls
Firewalls
 
Computer forensics toolkit
Computer forensics toolkitComputer forensics toolkit
Computer forensics toolkit
 
Ch15 power point
Ch15 power pointCh15 power point
Ch15 power point
 
To get round to the heart of fortress
To get round to the heart of fortressTo get round to the heart of fortress
To get round to the heart of fortress
 
Mis
MisMis
Mis
 

Recently uploaded

ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxiammrhaywood
 
Proudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxProudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxthorishapillay1
 
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...Marc Dusseiller Dusjagr
 
Types of Journalistic Writing Grade 8.pptx
Types of Journalistic Writing Grade 8.pptxTypes of Journalistic Writing Grade 8.pptx
Types of Journalistic Writing Grade 8.pptxEyham Joco
 
Solving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxSolving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxOH TEIK BIN
 
Historical philosophical, theoretical, and legal foundations of special and i...
Historical philosophical, theoretical, and legal foundations of special and i...Historical philosophical, theoretical, and legal foundations of special and i...
Historical philosophical, theoretical, and legal foundations of special and i...jaredbarbolino94
 
CELL CYCLE Division Science 8 quarter IV.pptx
CELL CYCLE Division Science 8 quarter IV.pptxCELL CYCLE Division Science 8 quarter IV.pptx
CELL CYCLE Division Science 8 quarter IV.pptxJiesonDelaCerna
 
EPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptxEPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptxRaymartEstabillo3
 
Blooming Together_ Growing a Community Garden Worksheet.docx
Blooming Together_ Growing a Community Garden Worksheet.docxBlooming Together_ Growing a Community Garden Worksheet.docx
Blooming Together_ Growing a Community Garden Worksheet.docxUnboundStockton
 
Hierarchy of management that covers different levels of management
Hierarchy of management that covers different levels of managementHierarchy of management that covers different levels of management
Hierarchy of management that covers different levels of managementmkooblal
 
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdfLike-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdfMr Bounab Samir
 
Presiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsPresiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsanshu789521
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxSayali Powar
 
Capitol Tech U Doctoral Presentation - April 2024.pptx
Capitol Tech U Doctoral Presentation - April 2024.pptxCapitol Tech U Doctoral Presentation - April 2024.pptx
Capitol Tech U Doctoral Presentation - April 2024.pptxCapitolTechU
 
Gas measurement O2,Co2,& ph) 04/2024.pptx
Gas measurement O2,Co2,& ph) 04/2024.pptxGas measurement O2,Co2,& ph) 04/2024.pptx
Gas measurement O2,Co2,& ph) 04/2024.pptxDr.Ibrahim Hassaan
 
MARGINALIZATION (Different learners in Marginalized Group
MARGINALIZATION (Different learners in Marginalized GroupMARGINALIZATION (Different learners in Marginalized Group
MARGINALIZATION (Different learners in Marginalized GroupJonathanParaisoCruz
 
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdfssuser54595a
 
Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Jisc
 

Recently uploaded (20)

ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
 
Proudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxProudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptx
 
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
 
Types of Journalistic Writing Grade 8.pptx
Types of Journalistic Writing Grade 8.pptxTypes of Journalistic Writing Grade 8.pptx
Types of Journalistic Writing Grade 8.pptx
 
Solving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxSolving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptx
 
Historical philosophical, theoretical, and legal foundations of special and i...
Historical philosophical, theoretical, and legal foundations of special and i...Historical philosophical, theoretical, and legal foundations of special and i...
Historical philosophical, theoretical, and legal foundations of special and i...
 
CELL CYCLE Division Science 8 quarter IV.pptx
CELL CYCLE Division Science 8 quarter IV.pptxCELL CYCLE Division Science 8 quarter IV.pptx
CELL CYCLE Division Science 8 quarter IV.pptx
 
EPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptxEPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptx
 
Blooming Together_ Growing a Community Garden Worksheet.docx
Blooming Together_ Growing a Community Garden Worksheet.docxBlooming Together_ Growing a Community Garden Worksheet.docx
Blooming Together_ Growing a Community Garden Worksheet.docx
 
Hierarchy of management that covers different levels of management
Hierarchy of management that covers different levels of managementHierarchy of management that covers different levels of management
Hierarchy of management that covers different levels of management
 
9953330565 Low Rate Call Girls In Rohini Delhi NCR
9953330565 Low Rate Call Girls In Rohini Delhi NCR9953330565 Low Rate Call Girls In Rohini Delhi NCR
9953330565 Low Rate Call Girls In Rohini Delhi NCR
 
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdfLike-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
 
Presiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsPresiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha elections
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
 
Capitol Tech U Doctoral Presentation - April 2024.pptx
Capitol Tech U Doctoral Presentation - April 2024.pptxCapitol Tech U Doctoral Presentation - April 2024.pptx
Capitol Tech U Doctoral Presentation - April 2024.pptx
 
Gas measurement O2,Co2,& ph) 04/2024.pptx
Gas measurement O2,Co2,& ph) 04/2024.pptxGas measurement O2,Co2,& ph) 04/2024.pptx
Gas measurement O2,Co2,& ph) 04/2024.pptx
 
MARGINALIZATION (Different learners in Marginalized Group
MARGINALIZATION (Different learners in Marginalized GroupMARGINALIZATION (Different learners in Marginalized Group
MARGINALIZATION (Different learners in Marginalized Group
 
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
 
Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...
 
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
 

Mobile_Forensics- General Introduction & Software.pptx

  • 1.
  • 2. Content • Definition • Principle • Understanding Mobile Forensics • Inside Mobile Devices • Steps in mobile forensics process • Mobile Device Tool Classification System • Mobile Phone Data Preservation
  • 3. Definition • Mobile forensics is the process of acquisition and analysis of electronically stored information to support or contest a premise in court proceedings and civil or criminal investigations.
  • 4. Principle: • The purpose of mobile forensics is to extract digital evidence or relevant data from a mobile device while maintaining forensic integrity.
  • 5. Understanding Mobile Forensics People store a wealth of information on cell phones and mobile devices. • People don’t think about securing their mobile devices.  Items stored on mobile devices: • Incoming, outgoing, and missed calls , contact lists • SMS , application based text, and multimedia messaging content, Instant-messaging (IM) logs, E-mail • Pictures, videos, and audio files and sometimes voice mail messages, Voice recordings • Internet browsing history, Web pages , web content, cookies, search history, analytics information • To-do lists, notes, calendar entries, User dictionary content, ringtones • Documents, spreadsheets, presentation files and other user-created data • Passwords, passcodes, swipe codes, user account credentials • Historical geolocation data, cell phone tower related location data, Wi-Fi connection information • Data from various installed apps • System files, usage logs, error messages • Deleted data from all of the above Investigating cell phones and mobile devices is one of the most challenging tasks in digital forensics
  • 6. Inside Mobile Devices  IMEI and IMSI • International Mobile Equipment Identifier • International Mobile Subscriber Identifier  Also MEID (Mobile Equipment Identifier) or ESN (electronic serial number)  Phones store system data in electronically erasable programmable read-only memory (EEPROM) • Enables service providers to reprogram phones without having to physically access memory chips  OS is stored in ROM • Nonvolatile memory
  • 7. Inside Mobile Devices  Subscriber Identity Module (SIM) cards • Found most commonly in GSM (Global System for Mobile Communications) devices • GSM refers to mobile phones as “mobile stations” and divides a station into two parts: • The SIM card and the mobile equipment (ME) • Portability of information makes SIM cards versatile • Integrated Circuit Card Identifier(ICCID) • Identifies the subscriber to the network Stores service-related information • PIN – unlock the device • PUK – reset the PIN • Wipes phone is incorrectly entered > 10 time • Cipher Algorithm
  • 8. Steps in the Mobile Forensics Process 1. Seizure • Digital forensics operates on the principle that evidence should always be adequately preserved, processed, and admissible in a court of law. Some legal consideration go hand in hand with the confiscation of mobile devices. • There are two major risks concerning this phase of the mobile forensic process: Lock activation (by user/suspect/inadvertent third party) and Network / Cellular connection. • Network isolation is always advisable, and it could be achieved either through: Airplane mode • Mobile devices are often seized switched on and since the purpose of their confiscation is to preserve evidence, the best way to transport them is to attempt to keep them turned on to avoid a shutdown, which would inevitably alter files. Faraday bag • A Faraday box/bag and external power supply are common types of equipment for conducting mobile forensics. While the former is a container specifically designed to isolate mobile devices from network communications and, at the same time, help with the safe transportation of evidence to the laboratory, the latter, is a power source embedded inside the Faraday box/bag. Before putting the phone in the Faraday bag, disconnect it from the network, disable all network connections (Wi-Fi, GPS, Hotspots, etc.), and activate the flight mode to protect the integrity of the evidence. Turn the device off • may activate authentication codes , complicating acquisition and delaying examination.
  • 9. 2. Acquisition Identification + extraction • The goal of this phase is to retrieve data from the mobile device. A locked screen can be unlocked with the right PIN, password, pattern, or biometrics. According to a ruling by the Virginia Circuit Court, passcodes are protected, fingerprints not. Also, similar lock measures may exist on apps, images, SMSs, or messengers. Encryption, on the other hand, provides security on a software and/or hardware level that is often impossible to circumvent. • It is hard to be in control of data on mobile devices because the data is mobile as well. Once communications or files are sent from a smartphone, control is lost. Although there are different devices having the capability to store considerable amounts of data, the data in itself may physically be in another location. To give an example, data synchronization among devices and applications can take place directly but also via the cloud. • Services such as Apple’s iCloud and Microsoft’s One Drive are prevalent among mobile device users, which leave open the possibility for data acquisition from there. For that reason, investigators should be attentive to any indications that data may transcend the mobile device as a physical object, because such an occurrence may affect the collection and even preservation process. • Since data is constantly being synchronized, hardware and software may be able to bridge the data gap. Consider Uber – it has both an app and a fully functional website. All the information that can be accessed through the Uber app on a phone may be pulled off the Uber website instead, or even the Uber software program installed on a computer.
  • 10. • After one identifies the data sources, the next step is to collect the information properly. There are certain unique challenges concerning gathering information in the context of mobile technology. Many mobile devices cannot be collected by creating an image and instead they may have to undergo a process called acquisition of data. • Thera are various protocols for collecting data from mobile devices as certain design specifications may only allow one type of acquisition. • The forensic examiner should make a use of SIM Card imagining – a procedure that recreates a replica image of the SIM Card content. As with other replicas, the original evidence will remain intact while the replica image is being used for analysis. All image files should be hashed to ensure data remains accurate and unchanged. • Check these areas in the forensics lab : • Internal memory • SIM card • Removable or external memory cards • System server
  • 11. 3. Examination and analysis • As the first step of every digital investigation involving a mobile device(s), the forensic expert needs to identify:  Type of the mobile device(s) – e.g., GPS, smartphone, tablet, etc.  Type of network – GSM, CDMA, and TDMA  Carrier  Service provider (Reverse Lookup) • The examiner may need to use numerous forensic tools to acquire and analyze data residing in the machine. Due to the sheer diversity of mobile devices, there is no one-size-fits-all solution regarding mobile forensic tools. Consequently, it is advisable to use more than one tool for examination. The most appropriate tool(s) is being chosen depending on the type and model of mobile device. • Timeline and link analysis available in many mobile forensic tools could tie each of the most significant events, from a forensic analyst’s point of view.
  • 12.
  • 13. Manual Extraction • A manual extraction method involves viewing the data content stored on a mobile device. • Browses data using the mobile device’s touchscreen or keypad. • Information of interest discovered on the phone is photographically documented. • This process of manual extraction is simple and applicable to almost every phone. • Furthermore, manual extraction is long and involves an excellent chance of human error. • Popular tools for manual extractions include:  Project-A-Phone  Fernico ZRT  EDEC Eclipse • Disadvantage:  it is impossible to recover deleted information.  very time consuming  data on the device may be modified, deleted or overwritten throughout the examination.
  • 14.
  • 15. Logical Extraction • A logical extraction of data from a mobile phone collects the files and folders contained on the device without any unallocated space. Typically, data collected via a logical extraction includes messaging, pictures, video, audio, contacts, application data, some location data, internet history, search history, social media, and more. • Connectivity between a mobile device and the forensics workstation a connection using: • Wired (e.g., USB or RS-232). • Wireless (e.g., IrDA, WiFi, or Bluetooth) • Following the connecting part, the computer sends command requests to the device, and the device sends back data from its memory. The majority of forensic tools support logical extraction. • Deleted data is rarely accessible. • The tools used for logical extraction include: • XRY Logical • Oxygen • Lantern • Cellebrite UFED
  • 16. • File System Extraction • A file system extraction is an extension of a logical extraction. It collects much of the same data as a logical extraction along with additional file system data. During a file system extraction, the forensic tool accesses the internal memory of the mobile phone, which means that the forensic software can collect system files, logs, and database files from the device that a logical acquisition cannot. • Most applications store their data in database files on a mobile phone. Since a file system extraction recovers more of these database files, more deleted data like database files and data related to application usage on the device can be recovered.
  • 17. JTAG Method • JTAG is a non-invasive form of physical acquisition that could extract data from a mobile device even when data was difficult to access through software avenues because the device is damaged, locked or encrypted. The device, however, must be at least partially functional (minor damages would not hinder this method). • The process involves connecting to the Test Access Ports (TAPs) on a device and instructing the processor to transfer raw data stored on connected memory chips. This is a standard feature that one could come across in many mobile phone models, which provides mobile phone manufactures a low-level interface outside the operating system. • Digital forensic investigators take an interest in JTAG, as it can, in theory, allow direct access to the mobile device’s memory without jeopardizing it. Despite that fact, it is a labor-intensive, time-consuming procedure, and it requires advance knowledge (not only of JTAG for the model of the phone under investigation but also of how to arrange anew the resulting binary composed of the phone’s memory structures).
  • 18. Hex Dump • Similar to JTAG, Hex dump is another method for physical extraction of raw information in binary format stored in memory. • The forensic professionals connect the device to a digital forensic workstation and pushes the boot-loader into the device, that instructs the device to dump its memory to the computer. • Resulting image is fairly technical in binary format and it requires a person having the technical education to analyze it. • This method is cost-efficient and provides more information to the investigators, including the recovery of phone’s deleted files and unallocated space including location information, email, messages, videos, photos, audio, applications, and almost any other data contained on a mobile phone. • The common tools used for hex dump include: XACT Cellebrite UFED Touch 2 and Physical analyzer Pandora’s Box
  • 19. Chip-Off • A process that refers to obtaining data straight from the mobile device’s memory chip. • According to the preparations, the chip is detached from the device and a chip reader or a second phone is used to extract data stored on the device and create its binary image under investigation. It should be noted that this method is technically challenging because of the wide variety of chip types existing on the mobile market. • Also, the chip-off process is expensive, training is required, and the examiner should procure specific hardware to conduct de-soldering and heating of the memory chip. Bits and bytes of raw information that is retrieved from the memory are yet to be parsed, decoded, and interpreted. Even the smallest mistake may lead to physical damages to the memory chip, which, in effect, would render the data impossible to retrieve. • This method is costly and needs an ample data of hardware. • The whole process consists of five stages:  Detect the memory chip typology of the device  Physical extraction of the chip (for example, by unwelding it)  Interfacing of the chip using reading/programming software  Reading and transferring data from the chip to a PC  Interpretation of the acquired data (using reverse engineering)
  • 20. Chip-Off • The popular tools and equipment’s used for chip-off include:  iSeasamo Phone Opening Tool  Xytronic 988D Solder Rework Station  FEITA Digital inspection station  Chip Epoxy Glue Remover  Circuit Board Holder
  • 21. Micro Read • A Micro Read involves recording the physical observation of the gates on a NAND or NOR chip with the use of an electron microscope. • It is used after all other acquisition techniques have been exhausted. • Successful acquisition requires a team of • experts • proper equipment • time • in-depth knowledge of proprietary information • This method refers to manually taking an all-around view through the lenses of an electron microscope and analyzing data seen on the memory chip, more specifically the physical gates on the chip. In a nutshell, micro read is a method that demands utmost level of expertise, it is costly and time-consuming, and is reserved for serious national security crises.
  • 22. Mobile Phone Data Preservation The mobile phone's integrity and the data on it need to be established to ensure that evidence is admissible in court. • Chain of Custody Evidence preservation aims to protect digital evidence from modification. This protection begins by ensuring that first responders, investigators, crime scene technicians, digital forensic experts, or anyone else who touches the device handles it properly. A chain of custody must be maintained throughout the entire life cycle of a case.
  • 23. •Mathematical Hashing Algorithm The forensic data collection process from the mobile device is better called a "forensics extraction," as data is extracted from the device instead of a perfect bit-for-bit copy of the evidence item. With the mobile phone powered on, the forensic software cannot access some areas of data. However, data that is inaccessible because the mobile device is powered on is usually of little to no value evidentiary. Following the forensic copying comes the hashing process. A mathematical algorithm is run against the copied data, producing a unique hash value. This hash value can be thought of as a digital fingerprint, uniquely identifying the copied evidence exactly as it exists at that point in time.
  • 24. Tools Mobile Forensics tools that examine CDMA, GSM, SIM and GPS. • Cellebrite UFED • Paraben Device Seizure • Paraben Sticks (Data Recovery, Phone Recovery Stick, Porn Stick) • Secure View • FTK • EnCase • Oxygen Forensics