Dr Raymond Choo, Cloud Security Alliance - Mobile devices and their implications for forensic investigations in Australia

Dr Raymond Choo, Research Director, Cloud Security Alliance and Senior Lecturer, School of Information Technology and Mathematical Sciences, University of South Australia delivered the presentation at the 2014 Police Technology Forum.

The Police Technology Forum 2014 seeks to address technology innovation, evolution and development within Australia’s law enforcement industry.

Over two days, a panel of experts gathers to examine opportunities, initiatives and issues facing organisations both in front-line policing and in the wider law enforcement industry, including transport, border protection and surveillance.

For more information about the event, please visit: http://www.informa.com.au/policetechforum


  1. Police Technology Forum. Mobile devices and their implications for forensic investigations in Australia. Dr Kim-Kwang Raymond Choo, Information Assurance Research Group, University of South Australia.
  2. Poll: How many of us do NOT have at least one smart mobile device (e.g. Android, iOS – iPhone or iPad, Windows and Blackberry)? Differences between a smart mobile device and a PC/“traditional” laptop?
     • Apps (other than a Windows 8 PC or laptop)?
       – What are the types of apps you have installed on your devices? Email, cloud storage (e.g. Dropbox), social networking, VoIP, etc.?
  4. How many of us READ / RESEARCH the type of permissions apps are asking for at the time of installation? Do you know what your apps have just requested?
  5. Mobile apps and forensic investigations. What do mobile apps have to do with forensic investigations?
     1. What is the best method of identifying app usage on a smart mobile device?
     2. Do you know what data / remnants remain on a smart mobile device after the user has used one or more apps?
  6. Part I: Cloud Forensics. Part II: Mobile Device and App Forensics. Part III: Data Reduction Framework.
  7. Challenges of cloud forensics
     • Potentially more difficult to acquire and analyse digital evidence to the same standards as that currently expected for traditional server-based systems, such as:
       • An exact and verifiable digital copy of the users’ data must be made;
       • Identifying and copying the contents of the RAM of the virtualised environment;
       • There must be provenance;
       • Evidence of intent must be proved;
       • Data must be analysed and processed in accordance with the prevailing rules of evidence; and
       • Evidence must be preserved and made available for examination by the defendant’s legal team.
     • Examination and analysis using digital forensics tools such as Encase®, FTK™ and XRY™ will need to be augmented by “translators” which convert popular cloud computing file formats into data files for processing.
  8. Challenges of cloud forensics
     “little guidance exists on how to acquire and conduct forensics in a cloud environment” (National Institute of Standards and Technology 2011, p.64)
     “[c]urrently, guidelines and best practice guides on gathering digital evidence are rare and often outdated. There are no guidelines specific to evidence gathered in the cloud…” (Birk and Wegener 2011, p.9)
     “[m]ore research is required in the cyber domain, especially in cloud computing, to identify and categorize the unique aspects of where and how digital evidence can be found. End points such as mobile devices add complexity to this domain. Trace evidence can be found on servers, switches, routers, cell phones, etc” by the previous Director of the US Department of Defence Computer Forensics Laboratory and the previous Chief Scientist at the US Air Force Research Laboratory Information Directorate (Zatyko & Bay 2012, p.15)
     There is a need for an evidence-based digital forensic framework to guide investigations, which is
     • flexible/generic enough to be able to work with future providers offering new services, yet
     • able to step an investigation through a formalized process to ensure information sources are identified and preserved.
  9. Our published cloud forensics framework (iterative)
     1. Commence (Scope): Determine the scope of the investigation, the requirements and limitations, and prepare equipment and expertise.
     2. Identification and Preservation: It is critical that preservation commences as soon as cloud computing use is discovered in a case; as such, it is combined with identification in this model.
     3. Collection: The potential difficulties in collection of cloud computing data dictate the requirement for collection to be represented as a separate step.
     4. Examination and Analysis: Examination of the collected data allows the investigator to locate the evidence in the data; analysis transforms this data into evidence.
     5. Reporting and Presentation: This step relates to reporting and presenting evidence to court. As such, this step will remain mostly unchanged.
     6. Feedback and Complete: This step relates to a review of the findings and a decision to finalise the case or expand the analysis.
     Adapted from Martini and Choo (2012) and Quick and Choo (2013); appeared in Quick, Martini and Choo (2014).
  10. Cloud forensics
     • The initial focus of our research has been in the area of Storage as a Service (StaaS).
     • Client analysis: Three popular public storage clients have been analysed across both PC and mobile devices.
     • Client and server analysis: One of the preeminent open source cloud storage products (ownCloud) has also been analysed.
       – Australia’s Academic and Research Network (with over one million end users from 38 Australian universities, CSIRO and other academic, research and education institutions) is deploying ownCloud as the basis for its CloudStor+ service.
  11. Cloud forensics: a snapshot of our findings from the client analysis

     Client             | System tray link                             | RAM password cleartext | DBAN
     Dropbox            | Yes                                          | Yes                    | No
     Microsoft Skydrive | Yes (but not full access to an account)      | Yes                    | No
     Google Drive       | Yes                                          | Yes (and also on HDD)  | No

     Client             | Eraser/CCleaner | Configuration files          | Mobile
     Dropbox            | Remnants        | Yes (Old) / Encrypted (New)  | Browser
     Microsoft Skydrive | Remnants        | Yes                          | Browser
     Google Drive       | Remnants        | Yes                          | Browser

  12. Cloud forensics: our recent book. For our new book entitled “Cloud Storage Forensics, 1st Edition”, please visit http://store.elsevier.com/product.jsp?isbn=9780124199705. The book’s forewords are written by Australia’s Chief Defence Scientist and the Chair of the Electronic Evidence Specialist Advisory Group, Senior Managers of Australian and New Zealand Forensic Laboratories.
  13. Cloud forensics: ongoing work
     • Examine other cloud services to determine the best practices for forensic extraction and analysis on these platforms, as there will most certainly be variation in the collection methods in each type of cloud platform and deployment model.
  14. Part I: Cloud Forensics. Part II: Mobile Device and App Forensics. Part III: Data Reduction Framework.
  15. iOS Forensics
     – Develop a practitioner-based iOS forensic technique to identify and acquire deleted data from an HFS Plus volume in an iOS device.
     – The technique also allows forensic practitioners to verify the timestamps of the recovered image file.
  16. Cloud and Mobile Forensics: Ongoing Work
  17. iOS anti-forensics
     – “Concealment” technique to enhance the security of non-protected (Class D) data that is at rest on iOS devices,
     – “Deletion” technique to reinforce data deletion from iOS devices, and
     – “Insertion” technique to insert data into iOS devices surreptitiously that would be hard to pick up in a forensic investigation.
     Ariffin A, D'Orazio C, Choo K-K R and Slay J 2013. iOS Forensics: How can we recover deleted image files with timestamp in a forensically sound manner? In International Conference on Availability, Reliability and Security (ARES 2013), pp. 375–382, University of Regensburg, Germany, 2–6 September 2013.
     D’Orazio C, Ariffin A and Choo K-K R 2014. iOS anti-forensics: How can we securely conceal, delete and insert data? In 47th Annual Hawaii International Conference on System Sciences (HICSS 2014), pp. 4838–4847, 6–9 January 2014, IEEE Computer Society Press.
  18. VoIP apps
     Aim: To examine ten popular freely available Android VoIP apps to determine whether voice and text communications using these applications are encrypted.
     What this study is not about …
     • Motivations:
       – VoIP and video chat from smart mobile devices are an increasingly popular choice for consumers. It is important to understand the limitations of these technologies.
     • App-to-app communication channel:
       • Wi-Fi network to Wi-Fi network
       • Mobile data network to mobile data network
       • Mobile data network to Wi-Fi network
       • Wi-Fi network to mobile data network
  19. Android VoIP apps

     App         | Text communication encrypted?                               | Cluster in histogram analysis (Sample 1 / Sample 2) | Entropy analysis (Sample 1 / Sample 2)                   | Voice communication encrypted?
     Skype       | Yes                                                         | No / No                                             | Steady / Steady with sudden changes                      | Yes
     Google Talk | Yes                                                         | No / No                                             | Gradual change / Gradual change                          | Yes
     ICQ         | Yes                                                         | Yes / Yes                                           | Uneven / Steady changes                                  | No
     Viber       | Yes                                                         | Yes / Yes                                           | High fluctuation / High fluctuation                      | No
     Nimbuzz     | Yes                                                         | Yes / Yes                                           | Steady changes / Steady changes                          | Yes
     Yahoo       | No (messages sent by user), Yes (messages received by user) | No / No                                             | High fluctuations in the beginning / High fluctuation    | No
     Fring       | Yes                                                         | Yes / Yes                                           | High fluctuation / High fluctuation                      | No
     Vonage      | Yes                                                         | Yes / Yes                                           | Steady with few spikes / Steady with few spikes          | No
     WeChat      | Yes                                                         | Yes / Yes                                           | Even and uneven / Even and uneven                        | No
     Tango       | Yes                                                         | No / No                                             | High fluctuation / Steady changes                        | Yes

  20. Android VoIP apps: encryption of text/voice communication channel
     (w2w = Wi-Fi to Wi-Fi, m2m = mobile data to mobile data, m2w = mobile data to Wi-Fi, w2m = Wi-Fi to mobile data)

     App            | Channel | w2w | m2m | m2w | w2m
     Skype          | Text    | Y   | Y   | Y   | Y
                    | Voice   | Y   | Y   | Y   | Y
     Google Hangout | Text    | -   | Y   | Y   | Y
                    | Voice   | -   | Y   | Y   | Y
     ICQ            | Text    | Y   | Y   | Y   | Y
                    | Voice   | N   | N   | N   | N
     Viber          | Text    | Y   | Y   | Y   | Y
                    | Voice   | N   | N   | N   | N
     Nimbuzz        | Text    | Y   | Y   | Y   | Y
                    | Voice   | Y   | Y   | Y   | Y
     Yahoo          | Text    | N   | N   | N   | N
                    | Voice   | N   | N   | N   | N
     Fring          | Text    | Y   | N   | N   | N
                    | Voice   | N   | N   | N   | N
     Vonage         | Text    | Y   | N   | N   | N
                    | Voice   | N   | N   | N   | N
     Wechat         | Text    | Y   | Y   | Y   | Y
                    | Voice   | N   | N   | N   | N
     Tango          | Text    | Y   | Y   | Y   | Y
                    | Voice   | Y   | N   | N   | N

     The three apps whose channel is encrypted only in the Wi-Fi-to-Wi-Fi case (Fring and Vonage for text, Tango for voice) might be silently turning off encryption whenever a mobile network is involved.
     Azfar A, Choo K-K R and Liu L 2014. A study of ten popular Android mobile VoIP applications: Are the communications encrypted? In 47th Annual Hawaii International Conference on System Sciences (HICSS 2014), pp. 4858–4867, 6–9 January 2014, IEEE Computer Society Press.
  21. Windows event forensic process (WinEFP)
     Do Q, Martini B, Looi J M J, Wang Y and Choo K-K R 2014. Windows Event Forensic Process (WinEFP). In IFIP WG 11.9 International Conference on Digital Forensics, Vienna University of Technology, Vienna, Austria, IFIP Advances in Information and Communication Technology, Springer-Verlag, 8–10 January [In press].
  22. Mobile forensics: a rat race
     Mobile forensics is a race not only to keep up with device (i.e. hardware) and software (e.g. app and operating system) releases by providers, but also with software and hardware modifications made by end users, particularly serious and organised criminals, to complicate or prevent the collection and analysis of digital evidence.
     • ‘Thousands of encrypted phones are believed to be in Australia and the officials say some of the phones are suspected of being used to send the most dangerous messages imaginable - those that lead to murder … [and] Police believe one of Australia's most violent outlaw bikers used uncrackable encrypted phones to order some of the shootings that have rocked Sydney’ (Australian Broadcasting Corporation 2014).
     • NSW Crime Commission’s 2012-2013 annual report stated that ‘[a]s in the last reporting period, criminal groups continue to exploit mobile-phone encryption methods. Some companies, which appear to be almost exclusive set-up to supply criminal networks, provide mobile-phones for around $2,200 … The Commission believes the phones are almost exclusively used by criminals and there are limited legitimate users for such heavily encrypted phones in the wider community’.
  23. Part I: Cloud Forensics. Part II: Mobile Device and App Forensics. Part III: Data Reduction Framework.
  24. Digitalisation of data
     1. Increasing data volume and cost implications.
     2. Digital forensic practitioners, especially those in government and law enforcement agencies, will continue to be under pressure to deliver more with less, especially in today’s economic landscape. This gives rise to a variety of needs, including
        • a more efficient method of collecting and preserving evidence,
        • a capacity to triage evidence prior to conducting full analysis,
        • reduced data storage requirements,
        • an ability to conduct a review of information in a timely manner for intelligence, research and evidential purposes,
        • an ability to archive important data,
        • an ability to quickly retrieve and review archived data, and
        • a source of data to enable a review of current and historical cases (intelligence, research, and knowledge management).
  25. Data reduction framework for digital forensic evidence storage, intelligence, review and archive
     Initial research with sample data from the South Australia Police Electronic Crime Section and Digital Corpora forensic images using our proposed framework resulted in a significant reduction in the storage requirements – the reduced subset is only 0.196% and 0.75% respectively of the original data volume.
     Quick D and Choo K-K R. Data reduction framework for digital forensic evidence storage, review and archive. Trends & Issues in Crime and Criminal Justice [In press, accepted 11 March 2014].
  26. Dr. Kim-Kwang Raymond Choo. 2009 Fulbright Scholar. Research Director, Cloud Security Alliance, Australia Chapter. Senior Lecturer, School of Information Technology & Mathematical Sciences, University of South Australia. URL: https://sites.google.com/site/raymondchooau/ Email: raymond.choo@unisa.edu.au Google Scholar: http://scholar.google.de/citations?user=rRBNI6AAAAAJ&hl=de
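Slides 19 and 20 rest on two indicators computed over captured traffic samples: the Shannon entropy of the payload bytes and whether the byte histogram clusters on a few values. The following is an added example, not code from the presentation or from the study's authors, showing how such a check is computed on a defender's own captures. The two payloads are constructed stand-ins (a repeated chat transcript for an unencrypted text channel, and a SHA-256 counter stream standing in for ciphertext), and the thresholds, window size and function names are assumptions chosen for the illustration rather than values from the study.

```python
"""Entropy and byte-histogram indicators for captured app traffic.

Added example, not code from the presentation or its authors: a simplified
version of the two indicators reported per app (Shannon entropy and clustering
in the byte histogram), run over two constructed payload samples. Thresholds
and sample data are assumptions chosen for this illustration.
"""
import hashlib
import math
from collections import Counter

# Assumed thresholds (constructed for this example, not from the study).
ENTROPY_THRESHOLD = 7.0   # bits/byte; well-mixed ciphertext approaches 8.0
TOP_K = 32                # most frequent byte values examined for clustering
CLUSTER_THRESHOLD = 0.5   # share of bytes in the TOP_K values that signals clustering
WINDOW = 512              # bytes per window for the per-sample entropy profile


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def window_entropies(data: bytes, window: int = WINDOW) -> list[float]:
    """Entropy of each consecutive window: the time-ordered view behind
    'steady' versus 'fluctuating' descriptions of a traffic sample."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


def top_k_share(data: bytes, k: int = TOP_K) -> float:
    """Fraction of all bytes carried by the k most frequent byte values.

    Plaintext clusters on a few dozen values (letters, digits, punctuation),
    so the share is high; ciphertext spreads almost evenly over all 256
    values, so the share stays near k/256."""
    if not data:
        return 0.0
    return sum(c for _, c in Counter(data).most_common(k)) / len(data)


def classify(data: bytes) -> str:
    """Label a payload 'encrypted-like' only if both indicators agree."""
    if shannon_entropy(data) >= ENTROPY_THRESHOLD and top_k_share(data) < CLUSTER_THRESHOLD:
        return "encrypted-like"
    return "plaintext-like"


def entropy_profile(data: bytes) -> tuple[float, float]:
    """Mean and spread (max - min) of the per-window entropies."""
    ws = window_entropies(data)
    if not ws:
        return 0.0, 0.0
    return sum(ws) / len(ws), max(ws) - min(ws)


# --- constructed sample payloads -------------------------------------------
_CHAT_LINES = (
    b"alice: hey, are we still meeting at the cafe at 4?\n"
    b"bob: yes, see you there. bring the documents please.\n"
    b"alice: ok, will do. also the wifi here is terrible today.\n"
)
# Constructed: what an unencrypted text channel looks like on the wire.
PLAINTEXT_SAMPLE = (_CHAT_LINES * 40)[:4096]


def _pseudo_ciphertext(seed: bytes, length: int) -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext.
    Constructed stand-in (a SHA-256 counter stream), not a real cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


# Constructed: what the same channel looks like when the app encrypts it.
ENCRYPTED_LIKE_SAMPLE = _pseudo_ciphertext(b"constructed-seed", 4096)


def report(label: str, data: bytes) -> dict:
    """Summarise both indicators and the verdict for one captured sample."""
    mean_h, spread = entropy_profile(data)
    return {
        "sample": label,
        "entropy_bits_per_byte": round(shannon_entropy(data), 3),
        "window_entropy_mean": round(mean_h, 3),
        "window_entropy_spread": round(spread, 3),
        "top_k_share": round(top_k_share(data), 3),
        "verdict": classify(data),
    }


if __name__ == "__main__":
    for label, sample in (("plaintext channel", PLAINTEXT_SAMPLE),
                          ("encrypted channel", ENCRYPTED_LIKE_SAMPLE)):
        print(report(label, sample))
```

The two indicators are deliberately combined: high entropy alone also describes compressed audio, and a flat histogram alone can be produced by binary framing, so a sample is labelled ciphertext-like only when both agree. To reproduce the per-channel matrix of slide 20, the same functions would be run on one capture per network pairing (w2w, m2m, m2w, w2m) rather than on a single sample.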