eForensics Magazine (Computer / Mobile)
Vol. 2 No. 16, Issue 16/2013 (20), October, ISSN 2300-6986
TOUCH (iOS / Android / Windows Mobile) STONE
On the cover:
Does mobile phone forensics play a role in solving traditional crime?
iPhone Forensics – what you need to know
Windows Phone 7/8 (WP7) – digital forensic investigation procedure and evidence recovery techniques
Best practices for a collection of an iOS mobile device
NFC security and data leak
TEAM
Editors: Sebastian Słomiński (sebastian.slominski@software.com.pl)
Betatesters/Proofreaders: James Fleit, Kishore P.V, m1ndl3ss.2012, Owain Williams, Martin Baader, Luca Losio, Dr DB Karron, A. Rosen, Alex Rams, Masa Danilo
Senior Consultant/Publisher: Paweł Marciniak
CEO: Ewa Dudzic (ewa.dudzic@software.com.pl)
Production Director: Andrzej Kuca (andrzej.kuca@software.com.pl)
Marketing Director: Joanna Kretowicz (jaonna.kretowicz@eforensicsmag.com)
Art Director: Ireneusz Pogroszewski (ireneusz.pogroszewski@software.com.pl)
DTP: Ireneusz Pogroszewski
Publisher: Hakin9 Media Sp. z o.o. SK, 02-676 Warszawa, ul. Postępu 17D
Phone: 1 917 338 3631
www.eforensicsmag.com
DISCLAIMER!
The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.
Dear Readers!
Since the theme of Mobile Forensics seems to be inexhaustible, we are pleased to present you this new edition, which is called “TOUCH (iOS/Android/Windows Mobile 7/8) STONE”. We were able to collect very interesting and varied articles, which will be beneficial for all of you. We decided to go further into the iPhone forensics topic and add some information about iOS mobile forensics. You will also find a few things about Windows Mobile. Moreover, you will notice the importance of mobile forensics in cyber-crime investigation processes. All in this single issue.
We would like to thank you for the trust you have bestowed on our Magazine – we are doing our best to keep you pleased with our work. You are invited to visit our website, comment and share your opinion with us.
Just to remind you – you can follow us on Facebook, LinkedIn and Twitter (@eForensics_Mag). Join eForensics friends and fans – we would be more than happy to have you there!
Check thoroughly what you will find inside!
CONTENTS

Page 08 – iOS MOBILE DEVICE FORENSICS – FOR BEGINNERS
by NCIS Solutions Team
What we are hoping to do is give an overview to any new mobile device forensicators on how we would run an iOS forensics task when delivering a service to a client on a particular handset. Similar techniques would also be used when exploiting media devices, for instance when our ‘Red Team’ is tasked by a client to run a full security assessment at their residence or business address. The techniques shown in this article can also be added and run for Android devices in the same way, as long as you have the native cable of the mobile device you want to extract data from.

Page 18 – BEST PRACTICES FOR A COLLECTION OF AN IOS MOBILE DEVICE
by Richard A. Rodney
As the use of iOS devices continues to proliferate in the business space, they present some unique challenges when data must be collected from them. Bring Your Own Device (or BYOD) policies in many organizations have further altered the landscape that computer forensic professionals must navigate.

Page 24 – UNDERSTAND RISKS OF ANDROID APPS (secroid.com)
by NetAgent Inc and NetAgent Co. Ltd.
When compared to paid apps, free Android apps are said to be about a hundred times more likely to be downloaded, and so developers will oftentimes employ advertisements, or in-app billing models, in order to generate profits. Ads in free apps are a growing risk among smartphone users, with many able to amass various types of user information. What the user sees as simple advertisements on a smartphone actually have the ability to see a user’s age, gender, location, phone model, and other downloaded apps. The ads then proceed to collect as much information as they possibly can before sending it anywhere ranging from America to Japan, China, or Korea.

Page 30 – NFC SECURITY AND DATA LEAK
by Eric Laurent-Ricard
Before trying to do some forensics on NFC devices, it is important to understand the mechanisms that make the whole thing work. The different kinds of services offered by NFC phones compared to contactless cards are important as well. Is contactless payment secure enough, and what will the next enhancements be?

Page 36 – WINDOWS PHONE 7/8 (WP7) – DIGITAL FORENSIC INVESTIGATION PROCEDURE AND EVIDENCE RECOVERY TECHNIQUES
by Dr. Roffeh Ehud
One of the central problems involving technology and legal proceedings is the reliability of evidence presented to the court. This question is made more relevant by the fact that rapid technological changes make previous legal precedents irrelevant. In other words, the same technology is no longer used to reinforce evidence, as it is not the equivalent forensic tool used to extract digital evidence from the new device. Furthermore, the same forensic tool that was evaluated in the past and found to be reliable with regard to the digital evidence it presents must now undergo far-reaching change in order to be capable of coping with new technologies. This leads us to the issue of whether the evidence presented to the court represents the actual events and/or whether it is possible to rely absolutely on the evidence.

Page 42 – APPLE GOES BIOMETRICS
by Cordny Nederkoorn
With the launch of the iPhone 5S last September, Apple has entered the area of mobile fingerprint authentication: a bold way of using biometrics in authentication. This article will cover the fingerprinting technology behind Apple Touch ID and its relation with iOS 7 regarding saving the data, security and usability. Next to this, the risks of using Touch ID will be discussed.

Page 48 – IPHONE FORENSICS – WHAT YOU NEED TO KNOW
by David Shelton
Clients of Advanced Technology Investigations, LLC throughout North Carolina turn to us when there is a possibility of evidence in the form of electronic data on cell phones, computers and other digital devices that hold communication and media. We bring special skills in technology to our clients to ensure they have all the evidence possible from a team of experienced experts with proven results, giving our clients the truth they deserve.

Page 60 – HOW TO PERFORM SEARCHES, SEIZURES AND INCIDENT RESPONSES ON iPHONES
by Deivison Pinheiro Franco and Nágila Magalhães Cardoso
iPhones collect and store a tremendous amount of evidence about a user’s activities. In many cases one could argue more evidence is collected than the user may want. Locations, messages, contacts, web surfing habits, notes, pictures and more are available on iPhone storage media, many with time-stamped data. With this forensic evidence available, and more business being conducted on iPhones, forensic examiners need to be able to successfully and accurately acquire this evidence when requested by an authorized authority. By utilizing proven, existing forensic techniques along with the specialty tools mentioned in this paper, examiners can collect and present evidence from an iPhone. This evidence can then produce a clear report of the activities performed on the device.

Page 70 – STEP BY STEP GUIDE FOR MOBILE FORENSICS, ESPECIALLY MESSENGERS LIKE WHATSAPP!! – TO TACKLE CYBER-CRIMES COMMITTED BY COMMUNICATION MEDIA LIKE MOBILE
by Omkar Prakash Joshi
Nowadays, mobile forensics has been on the rise worldwide because cyber-crimes and other crimes using electronic media such as mobile phones have been increasing. So in this article I am going to introduce forensic investigation of mobile devices, mostly Android-based and iOS-based devices. Nowadays most users in the world are using Android and iOS based mobile devices. So, if a person has committed a crime using such mobile devices, how can we investigate? What actually is mobile forensics, and what are the acquisition and analysis of data from devices? In this article I am going to demonstrate forensic techniques on mobile devices such as Android and iOS.

Page 84 – DOES MOBILE PHONE FORENSICS PLAY A ROLE IN SOLVING TRADITIONAL CRIME?
by Dr. Mukesh Sharma & Dr. Shailendra Jha
Solving a crime using mobile phone and SIM records may depend on proper call data records (CDR) and mobile phone forensic (MPF) investigation. Important data may be retrieved depending on the mobile phone mode and whether the electronic evidence within the mobile phone is retained and able to be retrieved. A thorough examination of the data found on the mobile phone’s SIM/USIM, integrated memory and any optional memory cards requires in-depth knowledge, kept current with the latest upgrades and advancements in technology. Available tools used in forensic examinations of mobile phone devices and SIM cards have been compared. Two examples are presented within two case studies of crimes which have been solved on the basis of the forensics of call data records from mobile phones.

Page 92 – MOBILE PHONES IN INVESTIGATION
by Satendra Kumar Yadav
Mobiles have become a fundamental need nowadays for communication as well as for other cyber and network related work including banking and shopping, which has increased the vulnerability of information and attracted hackers to commit cyber-frauds, resulting in an increase in forensic cases related to mobiles. In most crimes where a mobile is involved it can be used as evidence for the identification and isolation of clues to get investigative leads. Along with digital data, mobile phone devices can also be used for the collection of other evidence such as ear prints, sweat, saliva and fingerprints that can be used in an investigation to find any association between the crime and the criminal. The present article presents a systematic process for the collection of mobiles from a crime scene and their investigation, including data retrieval or mining from memory cards or flash drives attached to computers for synchronization.

Page 98 – AT THE CRIME SCENE WITH DIGITAL EVIDENCE
by Jim Bolt
Today most individuals own some type of digital device that they carry everywhere with them, whether it is a cell phone, camera, tablet, laptop or a gaming console, and they are all so important when it comes to valuable digital evidence. The future is here, and with this new age of technology the detective or investigator must pay very close attention to what is at the scene of the crime. One piece of digital evidence can make or break the case, and it can be so important just to know what to look for.
IOS MOBILE DEVICE
FORENSICS
FOR BEGINNERS
by NCIS Solutions Team
We were approached by eForensics Magazine and given the opportunity of writing a piece about our experiences in iOS forensics. What we are hoping to do is give an overview to any new mobile device forensicators on how we would run an iOS forensics task when delivering a service to a client on a particular handset. Similar techniques would also be used when exploiting media devices, for instance when our ‘Red Team’ is tasked by a client to run a full security assessment at their residence or business address. The techniques shown in this article can also be added and run for Android devices in the same way, as long as you have the native cable of the mobile device you want to extract data from.
eForensics Magazine asked us here at NCIS Solutions to aim this article at the beginner. So what you are about to read will probably not get the embers burning if you are an intermediate or advanced law enforcement forensics analyst. However, if you are new to mobile device forensics, or you and your business are looking to trial mobile device forensics as a service to your clients, we hope that this article is interesting or at least a little useful to you.
At the end of the article we will also touch on NCIS’s ‘zero app 30 project’, which is soon to be released as a beta Android handset. This project may appeal to the more advanced mobile device forensics analyst.
What you will learn:
• Considerations to take when developing a mobile device forensics team
• An overview of how to extract data from an iOS device
• What is achievable by using multiple mobile device forensics tools
• How to deliver a basic mobile device forensics product to clients
What you should know:
• An understanding of how basic mobile device forensics works
INTRODUCTION
So what is the hardest decision when looking at starting out solo in mobile device forensics? For me, it was which company do we go to, along with whether the annual license cost is worth the amount of mobile device forensic work we will receive over the same period. In the military, budgets and workloads never entered our minds or our remit; we were simply one of many operators. Running our own business was a whole different ball game. Firstly, how much interest is out there for mobile device forensic work, and are you going to pay for an annual software license (or several)? Especially when your first six months is spent demonstrating what is possible for clients to achieve by employing your company as their mobile device forensic specialists?
This article will hopefully get you thinking about your approach to starting mobile device forensics, if nothing else. Relationships and communication are the key to getting help. We have been rather fortunate, in that two large mobile device forensic companies (Oxygen and UFED Cellebrite) were willing to help me out for a minimum of 30 days.
For the example in this article, we are using an iPhone 4 running iOS 5.1. We are running Oxygen Forensic Suite 2013 (www.oxygen-forensic.com) and UFED Cellebrite Physical Analyzer. However, this is not an Oxygen Forensic Suite or UFED Cellebrite Physical Analyzer user guide for iOS forensics. If this were tasking from a proposed client we would be looking at using multiple software packages and tools, such as Oxygen and UFED Cellebrite and/or XRY. This is to make sure that no information is missed and so that we can corroborate our results, giving the client the best possible visual findings. We have found over time, working with some obscenely talented ‘mobile device forensicators’, that the piece of kit used is normally operator driven. We have been fortunate enough during our time to have used XRY, UFED Cellebrite, Athena, Oxygen & Tarantula. The chosen equipment for a particular task usually came down to which equipment the operator was most comfortable with, or which software gave the operator the best displayed final visual results to pass on to their client.
Throughout this article there are certain procedures we have not mentioned, such as being physically forensically sound. By that we mean we are not going to be employing a clean room, lab coat, facemask or dust mask and latex gloves so as not to contaminate the device and other items, such as the SIM card. Who you are performing the tasking for, the environment you are working in, and the time constraints that have been placed on you will determine how physically forensically sound you are.
We are also not going to show you SIM card extraction. There are a plethora of open source SIM card extraction tools, though make sure you have a USB SIM card holder/reader to house the SIM card. If you are using one of the big-name products, such as XRY (www.msab.com) or UFED Cellebrite (www.cellebrite.com), you will be in possession of a USB SIM card reader. As this article is aimed at the beginner, though, we would advise using Todd Whiteman’s PySIM software. This is a great piece of software; it is open source and is available to download from www.twhiteman.netfirms.com/pySIM.html.
Figure 1. PySIM download
As well as deciding on what equipment and technique we are going to use, we have to ask ourselves a few more questions. What information are we looking for? What does our client want to see and achieve? This should all be gained from meetings and briefings with your client, the person to whom you are going to deliver the final findings, presentation and executive summary.
For my example we want to find out what Internet access points the handset has been attached to, what SMS messages have been sent from the device and what social media accounts, if any, are active on the handset. We also want to see the activity log of the device, i.e. phone calls in and out, WhatsApp & Viber usage etc. We shall also see if the software has extracted any geolocation data from my mobile device.
Figure 2. Oxygen Forensics Extractor connection options
• How are we going to connect to the device being investigated? In this case, it is our own iPhone 4.
We have the iPhone cable available to us as well so there is no need to use the Bluetooth option.
• If you have purchased a full product from one of the big companies you will find that there is an option to have an array of mobile phone cables with your purchase. You may find, though, that you keep seeing the same mobile device connectors, so purchase just the specific ones you require, i.e. an iPhone 3G – 4S cable, an iPhone 5 cable and a micro USB cable.
Figure 3. Oxygen Forensics Extractor device identifier
• Once the device is connected, you will see this page informing you of the device’s IMEI (International Mobile Equipment Identifier). You may want to note this number down and use it as a client reference number. Or, if you are working on multiple devices for the same client, use the IMEI to distinguish between devices later on in the investigation.
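Since the IMEI noted here becomes the client reference number, it is worth checking the transcription before it goes into the case record. As an added example (not the article’s code and not an Oxygen feature), the Python below validates an IMEI’s Luhn check digit and splits it into TAC, serial and check digit; the IMEI it uses is a sample value, not a real handset.

```python
"""IMEI check-digit validation for case records.

Added example (not the article's code, not an Oxygen feature). An IMEI is
15 digits: an 8-digit TAC, a 6-digit serial and a Luhn check digit. The IMEI
used in __main__ is a sample value, not a real handset.
"""


def digits_only(value: str) -> str:
    """Strip the spaces and dashes analysts often copy along with an IMEI."""
    return "".join(ch for ch in value if ch.isdigit())


def imei_check_digit(first14: str) -> int:
    """Luhn check digit over the first 14 IMEI digits."""
    if len(first14) != 14 or not first14.isdigit():
        raise ValueError("expected exactly 14 digits")
    total = 0
    for index, ch in enumerate(first14):
        d = int(ch)
        if index % 2 == 1:          # double every second digit from the left
            d *= 2
            if d > 9:
                d -= 9              # same as summing the two digits of the product
        total += d
    return (10 - total % 10) % 10


def is_valid_imei(value: str) -> bool:
    """True only for a 15-digit IMEI whose last digit is the correct Luhn check digit."""
    digits = digits_only(value)
    if len(digits) != 15:
        return False
    return imei_check_digit(digits[:14]) == int(digits[14])


def imei_parts(value: str) -> dict:
    """Split a validated IMEI into the fields a case record usually lists."""
    digits = digits_only(value)
    if not is_valid_imei(digits):
        raise ValueError(f"not a valid IMEI: {value!r}")
    return {"tac": digits[:8], "serial": digits[8:14], "check": digits[14]}


if __name__ == "__main__":
    # Sample IMEI (not a real device); the dashed form is how it is usually
    # printed on a device label, the second value has a mistyped last digit.
    for candidate in ("49-015420-323751-8", "490154203237519"):
        verdict = "valid" if is_valid_imei(candidate) else "INVALID, re-check transcription"
        print(candidate, verdict)
```

The Luhn digit catches single mistyped digits and most adjacent transpositions, which are the errors that creep in when an IMEI is copied by hand from the screen.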
Figure 4. Oxygen Forensics Extractor Forensicator information
• Just before we start the software running, we have to fill out details about the case: the case number, who is the inspector/investigator/forensicator, who owns the device (client), and any notes we may have about the device, such as big dents or scratches, stickers on the back of the device etc. In the screenshot above, you can see how we at NCIS Solutions fill out this information when using Oxygen Forensic Suite 2013. Every information security and forensic investigation company will have its own working practices for how to fill this information out.
Figure 5. Oxygen Forensics Extractor, extraction completion options
• As you are probably aware, the time taken to finish the extraction will depend on the size of the device you are extracting from. In this example our iPhone 4 is 8 GB and took 18 minutes to extract. It will also depend on the computer you are running the software on. Again, in this example we are running Microsoft Windows 7 Home Edition in a VM on an Apple MacBook Pro.
Figure 6. Oxygen Forensic Suite 2013 front page
• Now we have extracted all the data from the device, we can start to analyze the device and build up our findings and executive summary based on our client’s initial brief.
• As you can see from the front page above, the Oxygen software is very easy on the eye and very intuitive when navigating around our extracted device data. It can safely be said that both the UFED Cellebrite and XRY software are as easy to navigate around, though it may take you some time to become comfortable with the different use of icons, naming of different tools that perform the same task etc.
So if we take our client’s initial brief, we are looking to pull out text messages, social media, phone (GSM) events and any geolocation data. The next few slides will demonstrate what is available to the mobile forensic investigator through using Oxygen Forensic Suite 2013.
Figure 7. Phone call data
• We can see that there was a particular rise in messaging (other) activity to this particular number in 2013 compared with 2012. As well as individuals, we could look at the overall activity of the handset.
Figure 8. WiFi data
• This is our WiFi data for July 2012. If you were at Black Hat or DEF CON in 2012 then you will understand the pattern of our BSSID names, as they are the names of hotel hotspots along the Las Vegas Strip. If the device has recorded the lat/long, we can also export this data to Google Earth. Producing a pictorial representation of where the device has been is a definite must for clients, if the data is available to you.
Figure 9. Social Media
• We could see from the front page that our iPhone had Twitter & LinkedIn installed. Here we can see all attachments posted on Twitter. We can also take my Twitter and LinkedIn details to find my account front page online.
Figure 10. Device Timeline
• This data shows us what significant events happened on the device in March/April 2012. We can see that two pictures were taken with geotags and a note was created regarding spear phishing when we attended a social engineering course in London (www.socialengineering.com).
Figure 11. Geo Tagged data
• From this slide you can see a snapshot of the geotagged data extracted from my mobile device. For those reading who are unaware, this is a shot of London and the numerous tourist-type trips one of the NCIS Solutions forensicators has taken over the past couple of years.
So what we have here is a timeline of activity of the device (my iPhone 4) over the past 24 months. We began the article by stating that this isn’t an in-depth look at iOS forensics, nor is it an Oxygen Forensic Suite 2013 how-to piece.
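The WiFi and geotagged data (Figures 8 and 11) and the device timeline (Figure 10) above are shown through Oxygen’s interface. As an added example that is not part of the original article and not an Oxygen or UFED feature, the Python below takes constructed event records of the same kinds (WiFi associations, geotagged photos, a note), orders them into a timeline and writes the ones with a position to KML, the format Google Earth opens. The event fields, BSSIDs and every coordinate are made up for the example.

```python
"""Device timeline and KML export for geo-tagged events.

Added example (not the article's code and not an Oxygen/UFED feature).
The records in SAMPLE_EVENTS are constructed to resemble the kinds of events
a mobile forensic tool exposes; every coordinate and BSSID is made up.
Timestamps are assumed to already be in UTC.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional
import xml.etree.ElementTree as ET

KML_NS = "http://www.opengis.net/kml/2.2"


@dataclass
class Event:
    when: datetime
    kind: str              # "wifi", "photo", "note", "call", ...
    summary: str
    lat: Optional[float] = None
    lon: Optional[float] = None

    @property
    def has_fix(self) -> bool:
        """True when the tool recorded a position for this event."""
        return self.lat is not None and self.lon is not None


# Constructed sample data: two hotel WiFi associations (one with no position
# recorded), two geotagged photos and a note, deliberately out of order.
SAMPLE_EVENTS: List[Event] = [
    Event(datetime(2012, 7, 25, 21, 40), "wifi", "BSSID 00:11:22:33:44:55 (HotelGuest)", 36.1147, -115.1728),
    Event(datetime(2012, 7, 26, 9, 5), "wifi", "BSSID 66:77:88:99:aa:bb (ConfWiFi)"),
    Event(datetime(2012, 3, 14, 12, 30), "photo", "IMG_0412.JPG", 51.5007, -0.1246),
    Event(datetime(2012, 3, 14, 13, 2), "note", "Spear phishing course notes"),
    Event(datetime(2012, 4, 2, 18, 15), "photo", "IMG_0450.JPG", 51.5014, -0.1419),
]


def build_timeline(events: List[Event]) -> List[Event]:
    """Chronological order; sorted() is stable, so same-minute records keep input order."""
    return sorted(events, key=lambda e: e.when)


def geo_events(events: List[Event]) -> List[Event]:
    """Only the events that can be plotted; the rest stay in the written timeline."""
    return [e for e in build_timeline(events) if e.has_fix]


def _tag(name: str) -> str:
    return f"{{{KML_NS}}}{name}"


def to_kml(events: List[Event], doc_name: str = "Device timeline") -> str:
    """Serialise the geo-tagged events as a KML document string for Google Earth."""
    ET.register_namespace("", KML_NS)
    kml = ET.Element(_tag("kml"))
    doc = ET.SubElement(kml, _tag("Document"))
    ET.SubElement(doc, _tag("name")).text = doc_name
    for e in geo_events(events):
        pm = ET.SubElement(doc, _tag("Placemark"))
        ET.SubElement(pm, _tag("name")).text = f"{e.kind}: {e.summary}"
        stamp = ET.SubElement(pm, _tag("TimeStamp"))
        ET.SubElement(stamp, _tag("when")).text = e.when.strftime("%Y-%m-%dT%H:%M:%SZ")
        point = ET.SubElement(pm, _tag("Point"))
        # KML coordinate order is longitude,latitude,altitude; swapping them
        # plots the device on the wrong side of the planet.
        ET.SubElement(point, _tag("coordinates")).text = f"{e.lon},{e.lat},0"
    return ET.tostring(kml, encoding="unicode")


def placemark_count(kml_text: str) -> int:
    """Parse a KML string back and count its Placemarks (sanity check on an export)."""
    return len(ET.fromstring(kml_text).findall(f".//{_tag('Placemark')}"))


if __name__ == "__main__":
    for e in build_timeline(SAMPLE_EVENTS):
        fix = f"{e.lat},{e.lon}" if e.has_fix else "no position"
        print(e.when.isoformat(), e.kind, e.summary, fix)
    print(to_kml(SAMPLE_EVENTS))
```

Events without a position (the second WiFi record) stay in the printed timeline but are left out of the KML, so the map never shows a guessed location.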
Below you will see a similar front page to the one we have from Oxygen but this time the software is
by UFED Cellebrite, as well as the returned geo tagged results gained from a UFED Cellebrite Physical
Analyzer extraction.
Figure 12. UFED Cellebrite Physical Analyzer summary
Figure 13. UFED Cellebrite Physical Analyzer summary and front page
• As you can clearly see, the layout and methodology of how the results are presented to the forensicator after extraction are very alike. You will notice this no matter what mobile device software you decide to use for your extractions. This is a positive as you move through your mobile device forensics career; for example, when moving to an employer who uses UFED Cellebrite instead of Oxygen or XRY, you as the operator will be able to extract data and start analyzing results with minimum training on the software.
The slide below is just another example of how similar different types of software are, helping you, the forensicator, quickly adapt to small visual changes if required.
Figure 14. UFED Cellebrite Physical Analyzer Geo tagged data
• Instead of exporting to Google Earth, this time we have simply opened up the mapping tool within UFED Physical Analyzer for a global perspective of the phone’s geographical use. From here you can either zoom further in for more detail or export the data to Google Earth as we did when using Oxygen Forensic Suite 2013.
As you develop your knowledge and experience you will become quicker and more comfortable with a particular piece of software and find yourself turning to that software first. One lesson NCIS forensicators have learnt over their time in mobile device forensics is: do not become over-dependent on just one piece of software. Have your favorite by all means, but always try to use a minimum of two pieces of mobile device extraction software to maximize your results and give yourself the best possible executive summary of your findings for your client.
That is all on mobile device forensics for beginners. Thank you for reading, and we hope that it has been an insight for beginners and for the more advanced who maybe haven’t seen Oxygen Forensic Suite 2013 or UFED Cellebrite Physical Analyzer before now.
IN SUMMARY
As I wrote earlier, here is a little piece on what we at NCIS Solutions are looking to do over the coming months in regards to mobile device forensics, with an added twist.
Within NCIS, we have a very fun, outside-of-the-box Research & Development team. Our knowledge and experience of media device forensics, information and personal security gives us a great platform to work from. The team’s aim is to take current working practices or systems and evolve them, make them better & simplify them. Our aim is NOT to re-invent the wheel!
In recent weeks we have been researching the use of FTK (Forensic Toolkit) on a .dd image of an Android and/or iOS handset. This technique gives the forensicator, possibly by remote means if we are working from multiple locations, the ability to have a quick and dirty look at the folder structure of the handset before deciding which, if any, specialist mobile forensic equipment should be used.
We are also experimenting at present with our zero app 30 project. We wanted to be able to protect our client’s data on their Android handset remotely if the handset is lost or, more importantly, stolen. The ‘thinking’ man’s thief, in our experience, would firstly turn off location services and then secondly delete any handset location apps such as ‘Find My iPhone’.
We believe that we have developed an Android phone that circumvents all of these issues if a client’s smart phone is lost or stolen. The first of these handsets is hopefully going to be rolled out in late November in beta form, with the first full version going live in the New Year.
We would like to thank the Oxygen Forensic Suite 2013 team for letting us use their Educational license when writing this article. We would also like to thank Ron Serber and the UFED Cellebrite team, who also gave us access to their Physical Analyzer suite and their support recently. It is very much appreciated. Finally, a big thank you to the operators from NCIS Solutions involved in helping put this article together.
ABOUT THE AUTHOR
In our time working in the British Army, we have been fortunate enough to work all over the world with some incredible specialists, including EOD ECM (Explosive Ordnance Disposal Electronic Counter Measures) Operators, Intelligence Analysts, Computer Network Exploitation Operators and TME (Tactical Media Exploitation) Forensics Operators.
Since leaving, we have been working as a small group of ex UK and US military operators from similar backgrounds, running NCIS (Network, Computer and Information Security) Solutions.
With over 20 years combined military intelligence, government agency and special forces experience, our aim is to deliver products and technology that are simple to use but unique in their delivery. We also support vulnerable businesses and personal users in defending against persons and/or groups wishing to cause harm and disruption to their equipment and infrastructure.
For any more information please visit us at www.ncis-solutions.com
BEST PRACTICES FOR A COLLECTION OF AN IOS MOBILE DEVICE
by Richard A. Rodney
As the use of iOS devices continues to proliferate in the business
space, they present some unique challenges when data must be
collected from them. Bring Your Own Device (or BYOD) policies
in many organizations have further altered the landscape that
computer forensic professionals must navigate.
Of the many new challenges facing computer forensic and ediscovery professionals, the proliferation of mobile devices, specifically Apple iOS devices, presents professionals with new questions as to how they should manage collections for these devices. The explosion of permissive Bring-Your-Own-Device (“BYOD”) policies in businesses, coupled with the rapid acceptance of non-Windows based (i.e. Apple) products in the business space, has in short order changed the landscape for digital evidence detection, collection and use forever.
Businesses must adapt to new technologies while mastering (and regulating) their own use of them. Lawyers, computer/mobile forensic technicians and ediscovery practitioners must also adapt to new technologies, particularly to the increasingly accepted mobile/cloud/BYOD based business environment, and develop new strategies and methods for ensuring that digital evidence is thoroughly, efficiently and defensibly collected and preserved. Apple/iOS devices are now present in the network architecture (at least through BYOD) of most every major business in the country, and this article focuses on considerations and best practices for collecting data from these devices once they’ve been identified and access to them has been secured.
What you will learn:
• The procedure to follow for performing a forensic collection of an Apple iOS device such as an iPod, iPhone or iPad.
• What you should know prior to performing a collection of an iOS device.
• Some important items you can collect from an iOS device.
• Methods of blocking mobile wireless signals.
What you should know:
• Familiarity with mobile operating systems.
• Familiarity with Apple devices and iOS versions.
• Familiarity with the concept of encryption.
APPLE/iOS
Apple iOS devices in the form of the iPod, iPhone and iPad present some unique challenges for the early stages of managing, preserving and collecting electronic files. There are two primary questions to answer when collecting data from any of these devices: One, what is the precise model version of the device? Two, what is the precise operating system (“OS”) running on the device, including the update history of the OS running on the device?
There are sometimes subtle and, often times, not so subtle differences between generations of iOS devices and the year they are released. Apple has had a semi-annual release schedule for many of its devices for a few years now. This means, for example, that iPhone 3 and 3GS devices produced in the same year are different and may require different processes and software to reliably collect from them.
Just as with the different model versions, different OS versions present their own different challenges and solutions. Each version of iOS was designed to update and improve the user experience, but not all users perform all updates. There are various reasons for this, but regardless, you have to be aware of the current version of iOS on the device you are about to collect from.
Apple/iOS devices feature various passcode/pass-lock encryption elements that must be disabled to ensure an uninterrupted and successful collection. If devices are encrypted and users have not provided security access, there are a variety of processes that can be used to gain root user access (also known as jailbreaking) to achieve and maintain access to data on the device.
Figure 1. iPhone 5
Figure 2. iPad3
As mobile forensics and ediscovery are becoming more commonplace, it is a good idea to recognize the roots of the discipline. As with most computer forensics tactics, mobile forensics was born of law enforcement's and the intelligence communities' varied needs to access content on mobile devices. From there these disciplines have been adopted in the corporate and legal worlds for a variety of needs, from human resources matters to theft of intellectual property. One of the tried and true methods is screen capture: plug the mobile device into a projector and print the contents of each screen. This is an effective, if somewhat painstaking and methodical, process. This method was more useful for early semi-smartphones and other cellular phones that had no access to the cloud and could store very little active data. With most smartphones such as the iPhone, and tablets such as the iPad, being as or more powerful than computers from 5 to 10 years ago, it is not an exaggeration to refer to most mobile devices as mobile desktops. The project-a-phone method is not practical for most smartphones and absolutely not for any tablets. To that end, several tools have come on the market to address collecting and analyzing mobile devices. Without any implied preference, examples are: Cellebrite's UFED device, AccessData's Mobile Phone Examiner Plus (MPE+), BlackBag Technologies' BlackLight and Paraben's Device Seizure. There are many other tools, but these are the ones I know through my own vetting process. They all can be utilized effectively for collection and analysis of iOS devices.
Before we get into a step by step of what to do: as any mobile forensic professional will acknowledge, seizure of a device is only as good as your ability to keep its contents unchanged. Mobile devices can be updated wirelessly via mobile data service or WiFi, so turn the antenna off. In fact, disable all wireless services as soon as reasonable before collecting. Airplane mode is a good choice to stop all communications to the mobile device. Another method I have learned is wrapping the mobile device in aluminum foil. This method is one I like to refer to as a poor man's Faraday box. A Faraday box, bag or room utilizes material that effectively blocks all incoming and outgoing wireless signals for a device. Why would you want to do so? Simply put, if the mobile carrier sends out an update to the operating system, or an Information Technology technician pushes a firmware or software update to the device mid-collection, this can effectively change the files on the mobile device, up to and including wiping existing files. This would render the purpose of your collection fruitless.
COLLECTING FROM AN iOS DEVICE
Now that we've wrapped our brains around a few procedures and tools, let's discuss a standard workflow for collecting from an iOS device.
• First step, put the device in airplane mode or find other means to block mobile data and WiFi signals from reaching the device. I also recommend disabling the passcode device locking feature as soon as you can.
• Second step, you will want to ensure the mobile device is charged. Collect the power cables, if you can or have one handy, then charge it up!
• Third step, while the device is being acquired, perform some social engineering. Find out what the passwords are for the device, the version of iOS, the model of device (iPhone 4 or 4s, iPad 2 or 3, etc.), the year it was released for sale, and whether the user created an encrypted iTunes backup.
• Fourth step, choose the appropriate tool for the collection. Consider what will be done with the files after they are collected. Will analysis be performed for the purposes of establishing when and where the phone was used? Will eDiscovery and data normalization be performed in order to add specific user-created content to a legal review alongside documents from other sources?
The reality is that all the tools mentioned will work well. There may arise a scenario where more post-collection work is required to fit one scenario versus another. Always go into the process with as much information as can be known or acquired.
While there are a few different approaches and variations to the process of collecting, what has been presented is basic, repeatable and adaptable. With any computer forensic collection, remain agile. Since we are focusing on iOS here, let's home in on some core concepts mentioned earlier to make an effective collection. The simplest question that can hamper a collection by going unanswered is: “What is the passcode to unlock the device?” There are few devices that can confound access more than a locked iOS device. Even to jailbreak an iOS device, it must be unlocked first. One of the many exploits used to collect from an iOS device is to jailbreak it. If the device cannot be accessed, jailbreaking will not be impossible, but certainly difficult. Next, consider the device itself and remember that different versions of iOS devices in specific generations and within years of production have different make-ups. Each can use different processors and different iOS versions, and the user may or may not have upgraded. Another thing to consider: is physical or logical access to the device needed? Physical access is to everything that has ever been stored or deleted on the device. Logical access is only to those items currently considered “live” on the device. For example, the iPad 3 currently can only be acquired via logical access by the leading tools (including BlackBag's BlackLight, which is an Apple-centric collection and analysis tool). But all developers are working to solve this problem, which will allow them to get ready to start all over for the iPad 4. Regardless, consider what is needed and what may need to be considered acceptable for access.
Figure 3. Encryption
KEY COLLECTION CONSIDERATIONS
Another consideration that was mentioned earlier is whether or not the device is encrypted or has an encrypted iTunes backup. I can tell you from personal experience, this situation can drive you mad. I once performed a forensic collection of several mobile devices, of which one subject had an iPhone and another device. The person from whom I needed to collect the ESI on their iPhone was cooperative but had forgotten they had set an encrypted iTunes backup for their iPhone, a fact that they did not inform me of because they did not recall they had done it. After several failed attempts to collect the device it occurred to me to ask if they had an encrypted iTunes backup. The user recalled that they did but could not remember their password, and was reasonably certain they had set it up on their home computer, which was a Mac. The user agreed to try to access their device and unlock the encryption on their office computer, which they had synched to. After several attempts he recalled the password and we were able to access the iPhone. The tool I used was able to collect the ESI from his phone, where previously it sat in a state of collection for roughly 8 to 10 hours on four different attempts to collect. I can only imagine what these situations must be like for law enforcement or collections from less cooperative subjects; thankfully, so far I only have to imagine!
Something else to consider is the amount of storage the particular iOS device is capable of. Remember earlier, I referred to some mobile devices as mobile desktops? Well, most people, given the chance, will save everything they can locally. So a 64GB iOS device is great for the end user, not so much for the collector.
Apple iOS devices are considered dense storage devices, or, another way to view them, a portable hard disk drive with a user interface. At their core, they are storage devices and as such many things can be saved to them, like thousands of pictures, music files, movie files and documents. The storage capacity of the device will determine how long the collection will take. Under the best of circumstances the time to collect or harvest is nebulous. But having some idea up front whether you are dealing with a large-storage-capable device or not is extremely useful in planning the collection.
So, you have collected: what's next? This goes back to the question: what is your end-game? Basic and standard information will be available, depending on the mobile carrier, such as:
• where the phone or tablet was last used.
• numbers called.
• WiFi networks connected to.
With this information known, you can get granular and look at important electronic evidence artifacts. Many are standard but some are Apple/iOS-only items like SQLite tables.
• Do you need to know what emails / text messages were sent and when?
• Do you need to know the location and time stamp of a stored picture or a picture taken with the camera?
• Is it important to know what applications were downloaded and used?
All that you need to know is there and available to varying degrees. If the user only set their email to store the last 100 emails, then that is all that is available. The point is, once you have harvested the files from the phone, you can lay out a very accurate map of the travels and activities of the phone user, or disprove actions that they are assumed to have taken. Choose the right tool for your analysis and subsequent ediscovery processing and review. Keep in mind that while iOS is very organized, there are a lot of files that may be considered responsive to your analysis via standard keyword or live search. As most ediscovery and review platforms are Microsoft-based, you want to consider this as well for your overall strategy.
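The SQLite tables mentioned above are where the “what was sent and when” question gets answered, and their timestamps are not UNIX time. The following is an added example, not code from the article or from any of the tools it names: it builds a constructed, reduced imitation of the iOS sms.db `message` and `handle` tables in memory, converts the Apple-epoch dates (seconds since 2001-01-01 UTC in the iOS releases current in 2013; nanoseconds in later releases, which the same function handles) and orders the conversation into a UTC timeline. The table and column names follow the real store; the phone numbers and messages are invented.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# iOS stores message dates relative to the Apple epoch, not the UNIX epoch.
APPLE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)
# Values above this are nanoseconds (iOS 11 and later); below, seconds.
NANOSECOND_THRESHOLD = 10 ** 12


def apple_time_to_utc(value):
    """Convert an Apple-epoch timestamp (seconds or nanoseconds) to an aware UTC datetime."""
    if value > NANOSECOND_THRESHOLD:
        value = value / 1_000_000_000
    return APPLE_EPOCH + timedelta(seconds=value)


def build_sample_db():
    """Constructed, reduced imitation of the sms.db schema; every row is invented."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE handle (ROWID INTEGER PRIMARY KEY, id TEXT);
        CREATE TABLE message (ROWID INTEGER PRIMARY KEY, text TEXT, date INTEGER,
                              is_from_me INTEGER, handle_id INTEGER);
    """)
    conn.executemany("INSERT INTO handle VALUES (?, ?)",
                     [(1, "+15555550100"), (2, "+15555550199")])
    conn.executemany("INSERT INTO message VALUES (?, ?, ?, ?, ?)", [
        # ROWID, text, date, is_from_me, handle_id
        (1, "Meeting moved to 3pm", 402775200, 0, 1),          # seconds form
        (2, "On my way", 402775800, 1, 1),                     # seconds form
        (3, "Call me when free", 402775260 * 10 ** 9, 0, 2),   # nanoseconds form
    ])
    return conn


def timeline(conn):
    """Return (utc_iso, direction, counterpart, text) sorted by real time.

    Sorting is done in Python because a store mixing seconds and nanoseconds
    would sort wrongly on the raw integer column.
    """
    rows = conn.execute("""
        SELECT m.date, m.is_from_me, h.id, m.text
        FROM message AS m LEFT JOIN handle AS h ON h.ROWID = m.handle_id
    """).fetchall()
    events = [(apple_time_to_utc(date), "sent" if from_me else "received", who, text)
              for date, from_me, who, text in rows]
    events.sort(key=lambda event: event[0])
    return [(when.isoformat(), direction, who, text)
            for when, direction, who, text in events]


if __name__ == "__main__":
    for event in timeline(build_sample_db()):
        print("%s  %-8s %s  %s" % event)
```

A misread epoch shifts every message by 31 years, so the conversion is worth checking against a message whose time is independently known (a call log or a photo EXIF stamp) before the timeline goes into a report.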
One thing I would advise, when practical, is to analyze and export your responsive ESI using a Mac computer. This is not always necessary and, in fact, it is a good idea to have multiple analysis tools, but there are some files that are just better viewed and more accessible in a Mac environment.
IN SUMMARY
Collecting from an iOS device is difficult but not impossible. There are specific facts you need to know about the device and its manufacture, and variations in the methods that must be used depending on those facts. The keys for successful collection of data from Apple/iOS devices are the same as they are for any collection: know the device, know the user, know the purpose of the collection, know the data that is being targeted and know how to use (and have access to) the right tools to defensibly collect it.
ABOUT THE AUTHOR
Richard Rodney serves as the Chief Technology Officer for SiteLogic Technologies, with its headquarters in New York City. Richard has over 20 years in Litigation Support, ESI technologies and Computer Forensics. Richard manages the Electronic Services and Project Management group for SiteLogic and serves as the chief architect of technology-related services with a concentration on consulting, forensic collections and analysis, and processing. Richard is a certified forensic and mobile forensic examiner, having achieved both the ACE and AME certifications from AccessData's training group. Richard received his initial computer forensics training from instructors with the International Society of Forensic Computer Examiners CCE boot-camp program. Richard has also been trained by instructors at BlackBag Technologies to perform collections and analysis of Apple devices using their tools.
Richard is a devoted father of a daughter, who also enjoys reading, fitness activities, and movies. Richard also enjoys learning about and using new technology. Richard is a long-time supporter of the New York “Football” Giants team in the NFL, the New York Yankees in MLB and the New York Knicks in the NBA. Richard is a graduate of Lincoln University and Brooklyn Technical High School.
Organized By:
BOOK BY THE 31st DECEMBER 2013 AND RECEIVE UP TO 20% OFF REGISTRATION FEE
Cyber Intelligence Asia 2014
11th - 14th March 2014, Singapore
Esteemed Speaker Line-up:
• Major General Bunjerd Tientongdee, Deputy Director of Defense Information and Space
Technology Department (DIST), Ministry of Defence, Thailand
• Yurie Ito, Chair, Asia-Pacific Computer Emergency Response Team (APCERT)
• Phannarith Ou, Head, Cambodia Computer Emergency Response Team (CamCERT) Cambodia
• Budi Rahardjo, President, Indonesia Computer Emergency Response Team (ID-CERT), Indonesia
• Khamla Sounnalat, Deputy Head, Lao Computer Emergency Response Team (LaoCERT), Lao
• Philip Victor, Director, Centre for Policy International Cooperation, IMPACT
• Inspector Allan Cabanlong, Chief, Web Services and Cyber Security Division, Philippine National Police Force
• Serupepeli Neiko, Section Head, Cybercrime Division, Fiji Police Force
• Dr. Mingu Jumaan, Director, Sabah State Computer Services Department, Malaysia
• Jack YS Lin, Senior Security Analyst, Japan Computer Emergency Response Team (JPCERT), Japan
• Dr. Frank Law, President, High Technology Crime Investigation Association (HTCIA)
• Ammar Jafri, President, Pakistan Information Security Association (PISA)
• Andrey Komarov, Chief Technology Officer, CERT-GIB, Russian Law Enforcement Agency
• Senior Representative, Ministry of Internal Affairs, Russia
• Senior Representative, Infocomm Development Agency (IDA), Singapore
• Kiran Karnad, Staff Engineer, MiMOS, Malaysia
Reasons to attend:
• Largest international gathering of cyber security experts in ASEAN
• Opportunity to network with the leading firms who provide defences to cyber attacks
• Analyse the latest cyber security challenges and issues in the region
• Discuss international cooperation to combat cyber-crime
• Network with the leading decision makers in the governments
• Determine the latest cyber-crimes taking place in ASEAN
• Gain a mix of policy, strategies and technical expertise in one place
Associated Workshops:
• Strategic Co-operation amongst CERTs. Led by: Asia-Pacific Computer Emergency Response Team (APCERT)
• OWASP Top 3 - Injection, Session Management and Cross Site Scripting: Hands-on with Kali Linux. Led by: MiMOS Malaysia
For more information visit – www.intelligence-sec.com
Book your place by:
Web: www.intelligence-sec.com I Email: events@intelligence-sec.com I Tel: +44(0)1582 346706
UNDERSTAND RISKS
OF ANDROID APPS
secroid.com
by NetAgent Inc and NetAgent Co., Ltd.
When compared to paid apps, free Android apps are said to be
about a hundred times more likely to be downloaded, and so
developers will oftentimes employ advertisements, or in-app
billing models, in order to generate profits. Ads in free apps are
a growing risk among smartphone users, with many able to
amass various types of user information. What the user sees as
simple advertisements on a smartphone actually have the ability
to see a user’s age, gender, location, phone model, and other
downloaded apps. The ads then proceed to collect as much
information as they possibly can before sending it anywhere
ranging from America to Japan, China, or Korea.
Forensic investigations of malicious Android apps have two main goals:
finding an app’s users and finding an app’s developer.
The Global ID used by advertising modules is an effective means of tracking down users of an app. For most apps advertising to Android users, individual users are distinguished by their Global IDs. The Global ID ties each installed client OS to a SIM whenever a contract with the phone carrier is made, and thus it is not frequently changed by the user.
Figure 1. A Global ID’s MD5 hash value
What you will learn:
• Which factors determine risky behavior in smartphone apps.
• What software analyzes apps for vulnerabilities in the code.
What you should know:
• Malicious software affects Android users every day.
• Most malicious software is hidden in free apps.
• Users need a way to determine the risks of apps.
There are multiple methods of finding an app’s developer:
• Distributor’s Information Page
• Code sign
• Ad-ID
• Access URL
DISTRIBUTOR’S INFORMATION PAGE
The most basic method is to simply look for when an app is released on Google Play. Information on the
distributor, such as a link to the developer’s website, email address, or privacy policy will be published
under “Additional Information”. A developer can be trusted if this information is clearly stated, and other
apps by the developer can also be viewed at a glance.
Figure 2. A Distributor’s Additional Information
CODE SIGN
Each Android app has a self-signed certificate, which requires a code sign. The signature itself may not
be reliable, but since it was created by a user, there may be information related to the creator. Some
criminals may even use their real names.
Figure 3. Code Sign Example
AD-ID
Before sending to the advertiser, an app with an advertising module records either an advertisement ID
coming from the app, or an ID made from the app’s package name. If an advertisement ID is used, it can
be embedded in any of four places: the Manifest file, resource library, XML file contents, and the program
code. This can be quite complex, but because it is a source of income, it is likely to include bank account
information as well as other details.
Figure 4. Ad-ID Example
Figure 5. Captured Parameters of an Ad-ID
ACCESS URL
Ad modules are likely to send information outside via a URL created by the app's author. These URLs often link to separate pages dedicated either to smartphones or to PCs. If the app is running high-ticket affiliate ads, it will link to the affiliate's site before jumping to the target site. The affiliate ID attached to the URL can then be used to determine the ID of the ad publisher. If it isn't being used to deliver money outright, the ID may be used to track users through Google Analytics.
Figure 6. In-app URL found in secroid
Figure 7. s72700, an affiliate ID
DYNAMIC ANALYSIS
Apps can be analyzed either dynamically or statically. Dynamic analysis refers to the analysis of an app as it is running. There are multiple ways to do this; the most reliable method involves the capture of packet traffic going through the device. Since it is difficult to manually test each and every function, some relevant information is used to test the overall operation. A client's identifiers can only be recognized in that traffic if the hashes match those computed from the client's identifiers beforehand.
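As an added example (not secroid's code or anything from the article), the script below performs the matching step this paragraph describes: it takes the test handset's identifiers, which the analyst records before the run, hashes each the ways ad SDKs commonly do (MD5, SHA-1 and SHA-256 over the raw, upper-cased and lower-cased value, and for a MAC address also without the colons, in the spirit of the Global ID hash of Figure 1), and looks for those digests among the query parameters of captured requests. The identifiers, the `.invalid` hostnames and the three captured URLs are all constructed inside the block; the first two requests are built to carry a hashed IMEI and a hashed Android_ID, the third only a session token.

```python
import hashlib
from urllib.parse import parse_qs, urlparse

ALGORITHMS = ("md5", "sha1", "sha256")

# Constructed identifiers for the test handset; none belong to a real device.
TEST_DEVICE = {
    "IMEI": "490154203237518",
    "Android_ID": "9774d56d682e549c",
    "Wi-Fi MAC": "02:00:00:aa:bb:cc",
    "ICCID": "8901260000000000001",
}


def spellings(value):
    """Forms an SDK might hash: as stored, upper/lower case, and a MAC without colons."""
    forms = {"raw": value, "upper": value.upper(), "lower": value.lower()}
    if ":" in value:
        forms["nocolon"] = value.replace(":", "")
        forms["nocolon_upper"] = forms["nocolon"].upper()
    return forms


def digest_table(device):
    """Map each hex digest we could meet in traffic back to (identifier, algorithm, form)."""
    table = {}
    for label, value in device.items():
        for form, text in spellings(value).items():
            for algo in ALGORITHMS:
                digest = hashlib.new(algo, text.encode()).hexdigest()
                table.setdefault(digest, (label, algo, form))  # first (raw) form wins on ties
    return table


def find_leaked_identifiers(requests, device):
    """Return (request index, parameter, identifier, algorithm, form) for every match."""
    table = digest_table(device)
    hits = []
    for index, url in enumerate(requests):
        for name, values in parse_qs(urlparse(url).query).items():
            for value in values:
                match = table.get(value.lower())
                if match:
                    hits.append((index, name) + match)
    return hits


# Constructed capture, built here so the block is self-contained: request 0 carries the
# MD5 of the IMEI, request 1 the SHA-1 of the upper-cased Android_ID, request 2 only a
# session token. The .invalid hostnames are placeholders, not real ad servers.
CAPTURED_REQUESTS = [
    "http://ads.example.invalid/imp?gid=%s&app=com.example.free&v=3"
    % hashlib.md5(TEST_DEVICE["IMEI"].encode()).hexdigest(),
    "http://track.example.invalid/c?u=%s&ev=start"
    % hashlib.sha1(TEST_DEVICE["Android_ID"].upper().encode()).hexdigest(),
    "http://stats.example.invalid/s?sid=a1b2c3d4&ev=stop",
]

if __name__ == "__main__":
    for index, param, label, algo, form in find_leaked_identifiers(CAPTURED_REQUESTS, TEST_DEVICE):
        print("request %d: parameter %r carries %s(%s, %s form)" % (index, param, algo, label, form))
```

Because the table is keyed by digest, adding another hashing convention (a salt, or a concatenation of two identifiers) is a matter of extending `spellings`; the traffic scan itself does not change. A request with no hit is not proof of nothing leaking, only that none of the tried conventions matched.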
STATIC ANALYSIS
Compared to dynamic analysis, static analysis of an Android app is relatively easy. Most Android apps are not installed in their native environment but in a process virtual machine known as “Dalvik”. Applications are commonly written in Java and compiled into Java bytecode, which would run on a Java VM; for Dalvik, that Java bytecode is converted into Dalvik bytecode. Because Dalvik is based on Java, decompiling is simple.
One characteristic of static analysis is that everything about the entire app is uncovered. On the other hand, parts of the code which never run may also be included, and there is no way of knowing for sure whether they actually run or not. Android developers may also be using an obfuscating tool named ProGuard, but the obfuscation does not affect calls to the Android API: the framework class and method names stay visible and can still be analyzed without problems.
ANDROID APP PERMISSIONS
Android runs on a Linux kernel, and so the files, devices, and user access controls are all based on UNIX systems. For each app executed within the Dalvik VM, the executing user has already been predetermined, and only the rights of that user can be granted. In order for the Dalvik VM to access the API on behalf of the app in question, it requires the permissions written in the app's manifest file (AndroidManifest.xml). Without the right permissions, an error will be returned.
Permissions given to an app are granted at the time of installation, by clicking [OK] for each permission. Up until now, this is how Google has provided Android with app security.
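An added example, not secroid's implementation, that ties the static-analysis and permission paragraphs together: it reads the `uses-permission` entries from a constructed AndroidManifest.xml, scans constructed disassembler output for calls to the framework methods that return device identifiers (names ProGuard cannot rename, because they belong to the Android API rather than to the app), and groups both under the categories secroid reports on. The permission names and method references are real Android ones; the package name, class names and manifest contents are made up.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names mapped to the risk categories of Table 1.
PERMISSION_CATEGORY = {
    "android.permission.ACCESS_FINE_LOCATION": "Location Info",
    "android.permission.ACCESS_COARSE_LOCATION": "Location Info",
    "android.permission.READ_PHONE_STATE": "ID Info",
    "android.permission.ACCESS_WIFI_STATE": "ID Info",
    "android.permission.READ_CONTACTS": "Contact Info",
    "android.permission.GET_ACCOUNTS": "Account Info",
}

# Framework method references as a dex disassembler prints them. ProGuard renames
# the developer's own classes but cannot touch these, so they survive obfuscation.
API_CATEGORY = {
    "Landroid/telephony/TelephonyManager;->getDeviceId(": ("ID Info", "IMEI"),
    "Landroid/telephony/TelephonyManager;->getLine1Number(": ("ID Info", "Line number"),
    "Landroid/telephony/TelephonyManager;->getSimSerialNumber(": ("ID Info", "ICCID"),
    "Landroid/net/wifi/WifiInfo;->getMacAddress(": ("ID Info", "Wi-Fi MAC address"),
    "Landroid/location/LocationManager;->getLastKnownLocation(": ("Location Info", "GPS"),
    "Landroid/accounts/AccountManager;->getAccounts(": ("Account Info", "Other accounts"),
    "Landroid/provider/ContactsContract": ("Contact Info", "Read contact data"),
}
# Settings.Secure.ANDROID_ID is fetched by name, so it shows up as a string constant.
ANDROID_ID_CONSTANT = '"android_id"'


def manifest_permissions(manifest_xml):
    """All <uses-permission android:name=...> values declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    return sorted(el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))


def referenced_apis(disassembly):
    """Categories and items reached through identifier-reading framework calls."""
    found = {}
    for reference, (category, item) in API_CATEGORY.items():
        if reference in disassembly:
            found.setdefault(category, set()).add(item)
    if ANDROID_ID_CONSTANT in disassembly:
        found.setdefault("ID Info", set()).add("Android_ID")
    return found


def triage(manifest_xml, disassembly):
    """Per category: permissions declared in the manifest and APIs actually referenced."""
    report = {}

    def entry(category):
        return report.setdefault(category, {"permissions": set(), "apis": set()})

    for permission in manifest_permissions(manifest_xml):
        category = PERMISSION_CATEGORY.get(permission)
        if category:
            entry(category)["permissions"].add(permission)
    for category, items in referenced_apis(disassembly).items():
        entry(category)["apis"].update(items)
    return report


def declared_but_unused(report):
    """Categories the app holds permission for without any matching call in the code:
    the capability is granted at install time even if this build never exercises it."""
    return sorted(c for c, e in report.items() if e["permissions"] and not e["apis"])


# Constructed manifest for a fictitious free app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.freeapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Free App"/>
</manifest>"""

# Constructed disassembly: the developer's class was renamed to 'a' by ProGuard, but
# the framework calls it makes are in the clear.
SAMPLE_DISASSEMBLY = """
.class Lcom/example/freeapp/a;
.method public a(Landroid/telephony/TelephonyManager;)Ljava/lang/String;
    invoke-virtual {p1}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;
    move-result-object v0
    const-string v1, "android_id"
    invoke-static {v2, v1}, Landroid/provider/Settings$Secure;->getString(Landroid/content/ContentResolver;Ljava/lang/String;)Ljava/lang/String;
    return-object v0
.end method
"""

if __name__ == "__main__":
    report = triage(SAMPLE_MANIFEST, SAMPLE_DISASSEMBLY)
    for category, entry in sorted(report.items()):
        print(category, sorted(entry["permissions"]), sorted(entry["apis"]))
    print("declared but unused:", declared_but_unused(report))
```

The two views complement each other: a category that appears only under `apis` would fail at runtime with the permission error the text mentions, while one that appears only under `permissions` is the over-permissioning pattern worth a closer look, since the capability is granted at install time whether or not this build uses it.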
As the App Market has picked up since then, numerous problems have arisen with this system. The official market was only capable of determining whether credit card payments were settled. Inspecting the apps themselves was left to “Bouncer”, an automated system which debuted in February 2012. While it may have had some results, Bouncer did not meet user expectations, and it was inevitably powerless to stop a great deal of information collected by malware from being made public.
HOW SECROID ANALYZES
In March 2012, Japan faced an outbreak of malicious apps. A total of about 50 million items of personal contact information were stolen, collected by 6 major criminal organizations. Three of these groups were arrested, thanks to information relating to the apps provided to news organizations and the police. From the results of this incident, software has been developed in order to prevent further cases of information theft due to apps on Android. This software, which checks apps for risks before they are installed, is known as secroid.
Figure 8. secroid.com Home Page
Secroid.com is a free website which evaluates the potential risks of Android apps. Apps published on
Google Play can be searched, and their levels of risk will be shown. When evaluating risk levels, secroid
analyzes not just permissions, but the actual code, along with what information gets sent, and where and
to whom it is sent.
As of 2013/08/05, secroid.com has gathered information on 770,000 apps, covering about 90-95% of
all free apps published online.
The risks of apps can be displayed directly on Google Play, instead of having to search on the web, by installing the optional SecroidSearch app beforehand.
Figure 9. SecroidSearch app
https://play.google.com/store/apps/details?id=com.github.ymstmsys.secroidsearch
WHAT INFORMATION IS EVALUATED
Apps developed in a particular region tend to share individual traits. In general, featured ads in a smartphone app will send a client's information to be distributed among ad servers in order to send ads specifically targeted to that user. To this end, advertisers will evaluate how often an app is run on a smartphone, along with the duration it is run, or when it was last run. In addition, the client's info is hashed, with a different key for each advertiser.
Risks are determined either by matching code with that of previously recognized viruses, or by finding any bytecode which uses permission to access contact information, location, or client identification. The main structure of the Android app, as well as code written by the developer, code added by the Android SDK, any third-party modules, resource files, signatures, and Manifest files are also identified. Code written by the developer and third-party modules are especially taken into account, allowing secroid to investigate where, and to whom, information is sent. Thus users are able to establish a privacy policy for determining which apps are allowed to collect information.
Figure 10. An app’s library list
For advertising modules, the portions of code which access, hash, or encrypt any identifiers, or link to any URLs, are automatically extracted and inspected on a per-module basis. When URLs are included, a web crawler automatically archives the web page.
Table 1. Key features of malicious apps identified by secroid
Important Functions: Viruses; Executable commands; Commands executed as root
Location Info: GPS; Base Station
ID Info: Line number*; Android_ID*; IMEI (device id)*; ICCID (SIM serial number)*; Wi-fi MAC address*; UUID
Module Types: Advertisement; User Tracking; Crash Report; Framework; Image Library; Billing; SNS Messaging
Contact Info: Read contact data; Telephone numbers; Display names; Email addresses
Account Info: Google ID (Gmail address); Amazon ID; Other accounts
Other Info: Installed Application Lists; Use Notification Area
* Found in Global ID
SUMMARY
By evaluating the risks of Android apps with secroid, it is possible to produce a viable strategy for managing mobile devices. Secroid can determine whether an app has access to a smartphone's personal contact list, location info, and more. For companies looking to implement BYOD, secroid is essential for determining the criteria of which apps may, or may not, be installed on Android phones.
ABOUT THE AUTHOR
NetAgent Co., Ltd. is a Tokyo-based Japanese company which, since its founding in 2000, has increasingly gained a reputation in computer and network security. Through developing various useful security products and providing unique investigative services, NetAgent has focused on both preventive and post-incident measures against data breaches. Today they enjoy a highly loyal customer base, including government agencies, financial sectors, telecom and other media companies, and large-scale manufacturers. Among their many products and services is secroid, a software which analyzes Android apps for potential security risks and reports them in order to provide clear guidelines for mobile device management. NetAgent Inc. has been a New York-based subsidiary of NetAgent Co., Ltd. since 2012. They are currently introducing the product line to the North American market.
NFC SECURITY AND
DATA LEAK
by Eric Laurent-Ricard
Before attempting forensics on NFC devices, it is important to understand the mechanisms that make the whole thing work. The different kinds of services offered by NFC phones compared to contactless cards are important as well. Is contactless payment secure enough, and what will the next enhancements be?
When someone hears about NFC (Near Field Communication), they often think that it is a technology with specific hardware. In fact NFC is a set of multiple standardized communication protocols between an RFID target and a smart device like a smartphone or tablet, with respect to the ISO 18092 protocol.
When it comes to payment smartcards, it is not the NFC protocol which is used but a specific protocol related to the EMV (Europay, Mastercard and Visa) mechanism. The exchange between the card and the target is very close to the one defined by EMV for Chip and PIN smartcards working with contact. This protocol is named EMV Contactless and is used by Visa in payWave and by Mastercard in PayPass, among others.
NFC and EMV Contactless are different implementations of the underlying protocols, making them incompatible, but both protocols are using the same base layer, named ISO 14443.
What you will learn:
• NFC is different from EMV Contactless because of the incompatibility of the underlying protocols.
• What can you do with an NFC phone?
• EMV Contactless payments do have weaknesses and personal information can be stolen!
• Will it be important to do forensic analysis of NFC devices?
What you should know:
• What protocols and layers are
Figure 1. NFC FORUM ARCHITECTURE [7]
Nevertheless, both bodies that are writing the standards for these two systems (EMVCo and the NFC Forum) are now working together to reach a point where both systems will be compatible.
Contactless systems and cards are not always based on NFC: for instance, the French transport system in Paris, called NAVIGO, is based on a different standard named CALYPSO, which is quite secure and prevents data leaking.
Figure 2. NAVIGO Card
DIFFERENT NFC MODES
NFC devices can work in various ways, as shown in Figure 1.
Passive mode
This is the card emulation mode, in which a smartphone works like an EMV contactless smartcard, but not yet in a compatible way.
Figure 3. Paypass payment
Figure 4. NFC payment
Active mode
Reader/Writer mode makes the system work like a POS, with a device that can actively exchange with a contactless card and ask it for information, or as an NFC tag reader.
Figure 5. Writing a NFC tag
Peer to Peer mode
This is the way to operate a direct exchange of data between two NFC phones, for instance to exchange business cards.
Figure 6. Exchanging data in P2P mode
NFC communicates at a very small distance (10 cm) compared to other communication modes (Bluetooth, Wi-Fi, Zigbee, Beacon…), but with specific hardware you can access devices up to 1.5 m away in reader/writer mode.
APPLICATIONS AND SERVICES
Depending on the mode, NFC devices can be used for various services:
Marketing and loyalty are more dedicated to smartphone devices, along with specific applications on the phone.
Transportation and ticketing are used either with EMV contactless cards, Calypso cards (Navigo) or with smartphones.
Payment and money transfer are used both by EMV contactless cards and by NFC smartphones.
This last service is the one with the most buzz around it, because of the amount of transactions it can generate, and for today's weaknesses as well:
CURRENT WEAKNESSES
The main weakness everyone is talking about can be found in the EMV contactless implementation of the protocol, because its designers wanted to keep simple compatibility with the EMV contact process. Thus the data exchange between the card and the target is not encrypted, and when the contactless reader accesses the card it can ask for a lot of information, which is sent back in clear text.
These data include the following:
• PAN number of the card
• Expiry date
• Magnetic stripe information
• Full name of the customer
• History of the last operations done
But, at least, the CVV cannot be read!
So, someone with an NFC device in “active mode” (USB token, smartphone…) can gain access to these data contained in the EMV contactless card.
An exploit was developed by Renaud Lifchitz, security engineer at BT [1], and demonstrated at “Hackito Ergo Sum” in April 2012, which shows the ability to read from these cards. Personal information data leak is real with today's implementation of the contactless protocol on payment cards.
Nevertheless, a transaction could not be made in place of the card, because the payment process IS secured and needs access to cryptographic data secured in the chip itself.
But there are anyway multiple risks due to this weakness:
• Copying the PAN, expiry date and name from the card and using this information for online payment where the CVV is not required can lead to great loss for the customer and/or merchant, depending on bank contracts and applicable laws in different countries.
• Cloning the magstripe onto a new card so that it can be used where Chip and PIN POS terminals are not common.
• Privacy: one can get personal information from the card and the way its holder is spending money, so profiling is an option.
• The card can be blocked by a thief's attempts.
• PCI DSS compliance (EMV security requirements at merchant and bank facilities) would not be achieved by the merchant because of the clear-text personal information issues.
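The PAN, expiry date and magnetic stripe information listed above travel in a fixed layout, the Track 2 equivalent data defined by EMV. The parser below is an added example, not code from the article or from Lifchitz's program: it decodes a constructed record (the well-known 4111 test PAN, not a value read from any card), verifies the check digit, and produces the truncated PAN that a forensic report should store, so that the evidence file itself does not become the PCI DSS problem the last bullet describes.

```python
def luhn_valid(pan):
    """ISO/IEC 7812 check digit; a failing PAN points to a misread, not a valid card."""
    total = 0
    for position, digit in enumerate(reversed(pan)):
        d = int(digit)
        if position % 2 == 1:   # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """PCI DSS truncation: at most the first six and last four digits may be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def parse_track2_equivalent(hex_data):
    """Decode EMV tag 57 (Track 2 Equivalent Data) as the card returns it in clear.

    Layout, in hex nibbles: PAN, 'D' field separator, expiry YYMM, 3-digit
    service code, issuer discretionary data, optional 'F' padding to a whole byte.
    """
    data = hex_data.upper().rstrip("F")
    if "D" not in data:
        raise ValueError("no field separator in Track 2 data")
    pan, rest = data.split("D", 1)
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        raise ValueError("PAN must be 12 to 19 digits")
    if len(rest) < 7 or not rest[:7].isdigit():
        raise ValueError("expiry date and service code missing")
    expiry_yymm, service_code, discretionary = rest[:4], rest[4:7], rest[7:]
    return {
        "pan": pan,
        "masked_pan": mask_pan(pan),
        "luhn_valid": luhn_valid(pan),
        "expiry": expiry_yymm[2:] + "/" + expiry_yymm[:2],   # shown as MM/YY
        "service_code": service_code,
        "discretionary": discretionary,
    }


def evidence_line(record):
    """What goes into the report: the truncated PAN, never the full one."""
    return "PAN %s exp %s service %s luhn %s" % (
        record["masked_pan"], record["expiry"], record["service_code"],
        "ok" if record["luhn_valid"] else "FAIL")


# Constructed record built from the 4111... test PAN; not read from any real card.
SAMPLE_TRACK2 = "4111111111111111D2512201123456789F"

if __name__ == "__main__":
    print(evidence_line(parse_track2_equivalent(SAMPLE_TRACK2)))
```

Keeping the full PAN out of `evidence_line` is deliberate: the report can still be matched to a card through the first six and last four digits, while a leaked report exposes nothing the PCI DSS truncation rule forbids.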
People will then prefer to protect their EMV contactless card with specific wallets which could protect access to their card information, but current protections are not fully effective, and probably only a “mu-metal” case could offer real protection against all electromagnetic waves.
We don't have to panic either, because the limitation in distance for using the card protects from misuse of the EMV contactless cards.
Besides, new versions of EMV contactless cards have been modified since November 2012 and no longer show either the name or the history of the payments.
With the example of Calypso systems and the work ongoing between EMVCo and the NFC Forum, the future version of contactless cards should include more security, exchange only encrypted data and include a specific PAN for contactless payment.
Another real risk, whether or not card security is implemented, is the loss of the card itself; in this case, the thief can use it without a PIN code for small payments (less than 20€)!
A LEGAL QUESTION THEN ARISES
Let's assume that the security issues are solved in the near future (one year, two years?) and that no data leak is possible any more.
As neither a PIN code nor a signature is used to validate the transaction, will these payments be considered online ("card not present") payments?
If you read most bank contracts, you can repudiate a payment that you neither signed nor confirmed with your PIN, and be reimbursed by arguing that someone else made it.
So will lawyers treat a local contactless payment as a remote payment or not? I think they have some work ahead of them...
FORENSIC ISSUES
After spending some time on the security and data leak problems arising from contactless payment, let's talk a little about forensics (it was about time!). We have to consider two cases:
EMV CONTACTLESS CARDS
First, in criminal cases, we need to know whether the suspect had a contactless card, and then ask law enforcement to hand it over to us along with the other hardware to be analysed.
Then we have to buy and set up a dedicated platform with NFC and contactless readers to be able to access the data on the card.
We can start from the program Renaud Lifchitz presented and adapt it into a "forensic" tool, while demonstrating that it does not alter the card itself. That demonstration needs care: on some contactless kernels the GET PROCESSING OPTIONS command already performs the transaction step, generating a cryptogram and advancing the card's Application Transaction Counter, so a tool meant to be read-only should restrict itself to SELECT, READ RECORD and GET DATA, and log every APDU sent and received so that the interaction can be reviewed.
From there we can access the history of payments made with the contactless card, which can help the authorities cross-check this activity against other evidence or against specific locations where the suspect may have been.
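The parsing side of such a tool, as an added example that is not part of the article and not Lifchitz's readnfccc code: it builds the SELECT for the payment environment, strips the status word from a response, decodes the BER-TLV record holding the PAN, expiry, holder name and Track 2 equivalent data, masks the PAN for a report, and slices a transaction-log entry according to the card's Log Format (tag 9F4F). The sample record, log format and log entry are constructed (a test PAN, a fictitious holder, a fictitious 10.50 EUR purchase on 15 September 2013); the reader library that would actually exchange the APDUs is deliberately left out so that the block runs offline.

```python
"""Added example, not from the article and not Renaud Lifchitz's readnfccc: build the
SELECT APDU a reader sends to an EMV contactless card and parse what comes back (BER-TLV
records and the transaction log). Every sample byte string below is constructed."""

PPSE = b"2PAY.SYS.DDF01"   # name of the Proximity Payment System Environment

def select_apdu(name: bytes) -> bytes:
    """SELECT by name: CLA 00, INS A4, P1 04, P2 00, Lc, name, Le 00."""
    return bytes([0x00, 0xA4, 0x04, 0x00, len(name)]) + name + b"\x00"

def split_response(resp: bytes):
    """Separate the response body from the trailing status bytes SW1 SW2."""
    return resp[:-2], resp[-2:].hex().upper()

def _read_tag(data: bytes, i: int):
    """Read one BER tag at offset i; a tag whose low 5 bits are all 1 continues."""
    start = i
    i += 1
    if data[start] & 0x1F == 0x1F:
        while data[i] & 0x80:
            i += 1
        i += 1
    return data[start:i], i

def parse_tlv(data: bytes) -> dict:
    """BER-TLV -> {tag_hex: value}; constructed templates (e.g. 70) are flattened."""
    out, i = {}, 0
    while i < len(data):
        if data[i] in (0x00, 0xFF):        # padding between data objects
            i += 1
            continue
        tag, i = _read_tag(data, i)
        length = data[i]
        i += 1
        if length & 0x80:                   # long form: 0x8N then N length bytes
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        value = data[i:i + length]
        i += length
        if tag[0] & 0x20:                   # bit 6 set: constructed, descend
            out.update(parse_tlv(value))
        else:
            out[tag.hex().upper()] = value
    return out

def card_data(record: bytes) -> dict:
    """Pull the fields a report needs out of one READ RECORD response body."""
    t = parse_tlv(record)
    info = {}
    if "5A" in t:                           # PAN, BCD, odd lengths padded with F
        info["pan"] = t["5A"].hex().upper().rstrip("F")
    if "5F24" in t:                         # expiry date YYMMDD
        h = t["5F24"].hex()
        info["expiry"] = f"20{h[0:2]}-{h[2:4]}-{h[4:6]}"
    if "5F20" in t:                         # cardholder name, ASCII
        info["name"] = t["5F20"].decode("ascii").strip()
    if "57" in t:                           # Track 2 equivalent: PAN 'D' YYMM service code ...
        pan, rest = t["57"].hex().upper().split("D", 1)
        info["track2"] = {"pan": pan, "expiry": rest[:4], "service": rest[4:7]}
    return info

def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, the usual form for a written report."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def parse_dol(dol: bytes) -> list:
    """A Data Object List (the Log Format, tag 9F4F, is one): tag + one length byte each."""
    out, i = [], 0
    while i < len(dol):
        tag, i = _read_tag(dol, i)
        out.append((tag.hex().upper(), dol[i]))
        i += 1
    return out

def parse_log_entry(log_format: bytes, entry: bytes) -> dict:
    """Cut one transaction-log record into fields according to the card's Log Format."""
    fields, i = {}, 0
    for tag, length in parse_dol(log_format):
        fields[tag] = entry[i:i + length]
        i += length
    date = fields["9A"].hex()
    return {"amount": int(fields["9F02"].hex()) / 100,    # numeric BCD, two implied decimals
            "currency": fields["5F2A"].hex(),             # ISO 4217 numeric, 0978 = EUR
            "date": f"20{date[:2]}-{date[2:4]}-{date[4:6]}",
            "atc": int.from_bytes(fields["9F36"], "big")}  # Application Transaction Counter

def tlv(tag_hex: str, value: bytes) -> bytes:
    """Short-form TLV encoder, used only to build the constructed samples below."""
    return bytes.fromhex(tag_hex) + bytes([len(value)]) + value

# Constructed READ RECORD response (template 70 plus SW 9000), Log Format and one log entry.
SAMPLE_RECORD_RESPONSE = tlv("70", tlv("5A", bytes.fromhex("4111111111111111"))
    + tlv("5F24", bytes.fromhex("251231")) + tlv("5F20", b"DOE/JOHN")
    + tlv("57", bytes.fromhex("4111111111111111D251220100000000000F"))) + bytes.fromhex("9000")
SAMPLE_LOG_FORMAT = bytes.fromhex("9F27019F02065F2A029A039F3602")
SAMPLE_LOG_ENTRY = bytes.fromhex("40" "000000001050" "0978" "130915" "0042")
```

With a reader attached, the same functions consume the real responses: send select_apdu(PPSE), SELECT the AID found in the reply, READ RECORD over the SFIs, then GET DATA 9F4F before reading the log records with parse_log_entry. Every value in the resulting report (amount, currency, date, counter) comes straight from the card's own tags, so it can be traced back to the bytes the card returned.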
NFC SMARTPHONES
Smartphone analysis is a routine part of our work, using the well-known tools eForensics magazine has already written about and covers again in other articles of this issue.
We then have to check whether the NFC functionality is present, either by looking at the applications installed on the phone or by testing its capabilities with the same kind of hardware described above for contactless cards.
Normally, access to the payment function, even in NFC mode, should be protected by a specific code to prevent thieves from using it.
So, where possible, it would be helpful for the police to ask the suspect for this code before the analysis.
Most of the information, chiefly the payment history, is then available directly from the application, which once again can be useful.
If we do not have the access code, we can try to read the NFC chip directly and check whether the implementation of the protocol is as weak as today's EMV contactless protocol, in which case it gives us the expected data.
Other NFC applications present on the smartphone can also be useful, especially loyalty programs or the tags that were read, if they are logged somewhere, so do not forget to check every function you can find on this kind of smartphone...
A FINAL WORD ON NFC
Following the NFC Forum specification for smartphones, a Secure Element (SE) should be embedded in the mobile phone, either on the SIM card or in a separate secure chip.
The problem arises when the MNO wants to be the Trusted Service Manager (TSM) and hosts the SE in the SIM: banks do not want the MNO in the chain of custody, nor to share their transaction revenue with it!
On the other hand, handset manufacturers are not willing to fit another component in their phones to run the TSM operations through a separate secure chip.
This will lead to hard negotiations between the various players in the process (issuers, acquirers, MNOs and TSMs) and probably increase the cost of an NFC transaction!
In the case of an NFC smartphone, the usability of contactless payment is not so obvious either:
How will software priorities be managed when another application is taking most of the phone's memory, or when the user receives a call or goes online? Will the payment process be interrupted or suspended?
If I want to protect access to my payment application, I will probably add a code to open it, on top of the code I need to unlock my phone, and this will take as long as paying at a standard POS with Chip and PIN!
Isn't security worth a 15-second wait to use Chip and PIN instead of a tap?
REFERENCES AND BIBLIOGRAPHY
[1] Renaud Lifchitz (BT), Hackito Ergo Sum 2012 paper on contactless payment insecurity: https://code.google.com/p/readnfccc/downloads/detail?name=hes2012-bt-contactless-payments-insecurity.pdf
[2] EMV and NFC: Complementary Technologies that Deliver Secure Payments and Value-Added Functionality: http://www.smartcardalliance.org/resources/pdf/EMV_and_NFC_WP_102212.pdf
[3] EMVCo, EMV Contactless Specifications: http://www.emvco.com/specifications.aspx?id=21
[4] PCI Security Standards Council guidelines: https://www.pcisecuritystandards.org/documents/pci_dss_saq_instr_guide_v2.0.pdf
[5] Swiss feasibility study on an EMV-compatible smartphone payment app via NFC (Maeder, Vogler): http://www.abrantix.com/de-downloads.html?file=tl_files/abrantix/download/whitepaper/Feasibility%20Study%20for%20a%20Smartphone%20App%20to%20Make%20EMV-Compatible%20Payments%20via%20NFC%20Maeder%20Vogler.pdf
[6] GlobalPlatform specifications for NFC: http://www.globalplatform.org/specificationssystems.asp
[7] NFC Forum specifications (John Hillan, IET presentation): http://www.nfc-forum.org/resources/presentations/IET_presentation_NFC_Forum_John_Hillan_final.pdf
ABOUT THE AUTHOR
Forensic expert, PhD in computer science, member of the French National Trusted Third Parties federation (FNTC), Vice-Chairman of EESTEL (Secured European Electronic Transactions Experts).
Member of various expert witness associations (CNEJITA, CEESD, CIECAP), he holds a PhD in computer science and created, in 1993, the first French commercial Internet service provider, sold to Qwest in 1997.
Along with his business expertise in helping new startups (business models), he has been active in non-profit professional organizations, mainly in the fields of security, electronic signature, trusted third parties and standardization.
He is also a lecturer at Paris II University on Internet protocols, identity and security, forensics and cryptographic technologies.
Often working with law enforcement agencies in computer forensics, he also works on payment and secured cards along with contactless technologies.
WINDOWS PHONE 7/8
(WP7)
DIGITAL FORENSIC INVESTIGATION PROCEDURE AND
EVIDENCE RECOVERY TECHNIQUES
by Dr. Roffeh Ehud, International Law Expert in Electronic Evidence
One of the central problems at the meeting point of technology and legal proceedings is the reliability of the evidence presented to the court. The question is made more pressing by the fact that rapid technological change makes previous legal precedents irrelevant: a precedent built on one forensic tool no longer supports evidence extracted from a new device with a tool that is not its equivalent.
Furthermore, a forensic tool that was evaluated in the past and found reliable with regard to the digital evidence it presents must now undergo far-reaching changes in order to cope with new technologies. This leads to the question whether the evidence presented to the court represents the actual events, and whether it is possible to rely on it absolutely.
It is imperative to realize that, even if a forensic tool has passed every test of the credibility of digital evidence collected from other devices, this is no guarantee of the credibility of findings collected from modern devices. Additionally, it must be understood that the differences between devices will often change how digital evidence must be handled. It is recommended that the deeper levels of the device be investigated rather than just the operating system level.
Additionally, the technological tools used to extract electronic evidence from the mobile device must themselves be examined. Furthermore, it should be established whether the device has been tested in the past, under what circumstances, and whether the data collected was proven beyond all doubt to be credible and reliable.
What you will learn:
• Overview of changes in WP8 compared with WP7
• Evidence recovery techniques
• Procedure of a digital forensics investigation
• Legal preservation of mobile devices
What you should know:
• Basic information about Windows Phone
• General idea of mobile forensics
For these reasons and others, it is always advisable to obtain and examine the additional hardware with which the mobile device was synchronized, such as a laptop or workstation.
In the eyes of the court, unless other, equivalent data is presented that attests to the origin of the evidence, it is advisable that the weight given to evidence collected from a modern device be reduced.
INTRODUCTION
On 29 October 2012 the WP8 operating system was launched globally. It is the most recent operating system marketed by Microsoft (MS) and replaces the previous Microsoft mobile operating systems, WP7 and the Windows Mobile 6.x line before it.
WP8 is visually different and includes a number of additions which, from the user's point of view, do not differ substantially from WP7 (under the hood WP8 moved from the Windows CE kernel to the Windows NT kernel, which matters for low-level extraction, but that is beyond this article). I will therefore focus on WP7, which introduced a different technological model and changed how digital evidence is managed and extracted from a mobile device.
As stated, the WP7/8 operating systems are totally different from their predecessors. MS completely redesigned the operating system so that it is no longer based on the older Windows Mobile (WM) model or earlier versions. WP7/8 will not run on outdated hardware, including some existing mobile phones and older-generation devices, and will not run previous-generation programs.
The system's new design introduced many changes, with the result that techniques for managing digital evidence that worked on older systems no longer work on the new one.
The operating system has a new user interface built around a touch screen and an on-screen virtual keyboard. Instead of icons it uses "Tiles", live elements the user can pin and arrange on the start screen as they wish.
The standard applications include an Internet browser (Internet Explorer Mobile), e-mail (an Outlook client that can use Hotmail, Yahoo Mail or Gmail), multimedia and music players, video and pictures, Office and more.
As on competing smartphone platforms, the MS operating system allows the installation of third-party applications such as music players, video clips, applications and more.
During an investigation involving digital evidence on a WM operating system, forensic tools and techniques are used with the aim of extracting data from the device in a legally safe and secure manner.
In the first stage a forensically sound image of the entire mobile device is taken, an authentic copy that can be presented in court. The data collected is then analyzed to identify what is relevant to the legal investigation.
One accepted data extraction method is to connect the device to a personal computer (PC) over USB. An alternative method involves physical access to the mobile device's memory. WP7 does connect to a PC over USB; however, the mechanism by which the telephone and the PC communicate has changed.
Essentially, the way the mobile phone communicates with the PC can leave recognized forensic tools used for the management and collection of digital evidence unable to work with the WP7 operating system.
With regard to direct access to the device's memory, existing WM forensic tools and techniques do allow data to be extracted from the memory of a device running WP7. What has changed is the way the data is stored in that memory: in other words, it may be impossible to analyze the extracted data with existing tools and techniques.
Tools exist that collect WM digital evidence by installing a program on the mobile device through a USB connection to a PC. Once installed, the program transfers the contents of the mobile telephone's memory to the PC.
I wish to stress that installing such a program on the telephone, rather than making an authentic copy of the device, raises serious questions regarding the overall evidential reliability of the digital data.
I would also point out that it may be impossible to install a program on the mobile device, for two reasons. First, communication between the WP7 system and the PC differs from previous systems, and existing tools may be unable to install the program on the mobile telephone. Secondly, I would remind the reader that the WP7 system cannot run all older programs; thus, even if the program is successfully installed, it may not operate as expected and required.
Additionally, I would point out that, as of the writing of this article, I have not come across any information proving beyond reasonable doubt that such programs, when installed on a mobile telephone, do not adversely affect the reliability of the digital evidence that may be stored on the device.
In my opinion, there is still a gap between the tools for identifying and extracting digital evidence from mobile devices in general and the forensic tools available for the WP7 system.
LEGAL CONSERVATION FOR MOBILE DEVICES
A forensic investigation involving digital evidence obtained from mobile devices in general, and from WP7-based devices in particular, is made possible by technologies (forensic tools) designed to examine and analyze mobile telephones.
The same legal principles that apply to all computerized devices also apply to mobile devices, so that others can verify the electronic evidence. We should remember that the purpose of the process, from a legal point of view, is to document and verify that the evidence is indeed what it is claimed to be and has not been altered or exchanged since the original data extraction. This is the central problem with new devices, where accumulated experience is limited.
Those involved in the process must record their activities and procedures in order to provide transparency, to support what was learned, and to allow third parties to evaluate and repeat the working procedures. Additionally, the data collected must be evaluated and documented (typically by recording cryptographic hashes of every acquired image at the time of acquisition) so that others can verify that nothing has been altered since the original data was obtained.
Any issues and failures encountered during the investigation and data collection must also be documented; for example, failures resulting from the installation of an older program version on a new device. From experience, the new operating system displays error messages and, to date, it has not been legally proven beyond reasonable doubt that the device's content has indeed been preserved in its entirety.
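As an added example (not from the article), one way to produce the record the paragraphs above call for: a manifest written at acquisition time that fixes the image's size and SHA-256 digest alongside the tool, the examiner, the time and any anomalies observed, and a verify step that a third party can re-run. The image below is a constructed byte string standing in for a dump file, and the device and tool names are placeholders.

```python
"""Added example (not from the article): record and later verify the integrity of an
acquired image, so that a third party can confirm nothing changed after acquisition.
IMAGE is a constructed byte string standing in for a dump file."""
import hashlib
import json
from datetime import datetime, timezone

def sha256_of(data: bytes, chunk_size: int = 1 << 20) -> str:
    """Hash in chunks, as one would stream a multi-gigabyte image file from disk."""
    h = hashlib.sha256()
    for i in range(0, len(data), chunk_size):
        h.update(data[i:i + chunk_size])
    return h.hexdigest()

def make_manifest(image: bytes, device: str, tool: str, examiner: str, anomalies: list) -> dict:
    """Acquisition record: what was imaged, with what, by whom, its size and digest,
    plus every error or anomaly observed (the text asks for these to be documented)."""
    return {
        "device": device,
        "tool": tool,
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "size": len(image),
        "sha256": sha256_of(image),
        "anomalies": anomalies,
    }

def verify(image: bytes, manifest: dict) -> tuple:
    """Re-hash the image and compare it with the manifest; returns (ok, reason)."""
    if len(image) != manifest["size"]:
        return False, "size mismatch: %d != %d" % (len(image), manifest["size"])
    if sha256_of(image) != manifest["sha256"]:
        return False, "sha256 mismatch: image altered since acquisition"
    return True, "image matches manifest"

# Constructed stand-in for a physical dump (a real one would be a file on disk).
IMAGE = bytes(range(256)) * 4096 + b"PLACEHOLDER-TRAILER"

if __name__ == "__main__":
    manifest = make_manifest(IMAGE, "Windows Phone 7 handset (placeholder)",
                             "chip-off reader (placeholder)", "examiner-1",
                             ["phone displayed an error during agent install; agent not used"])
    print(json.dumps(manifest, indent=2))
    print(verify(IMAGE, manifest))
    tampered = IMAGE[:-1] + bytes([IMAGE[-1] ^ 0x01])   # one bit flipped
    print(verify(tampered, manifest))
```

A one-bit change in the image, as the tampered copy shows, changes the digest entirely, which is what lets a third party detect alteration without seeing the original. In practice the manifest is written to a separate, signed or hand-recorded medium at the time of acquisition, and the digest of the image file is recomputed before every analysis session.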
In general, advanced techniques allow the physical collection of data from a mobile phone. While it is true that physical access to the device yields more information, the risk of damage to the device and its digital evidence is higher.
Furthermore, the physical method requires special, professional equipment, extensive knowledge and a deep understanding of the device's built-in characteristics, but it does create a mirror image of all the data stored on the mobile device, including erased data and data not allocated to a specific, defined area.
Given the pace of technological development, and until it can be proven beyond doubt that the forensic investigation programs work in a logical and accepted manner and that evidence discovered on a mobile telephone is preserved intact and in its original state, the physical method is, in most cases, the preferred one.
The digital forensic investigation process changes significantly according to the importance of the investigation, policy guidelines, and the individual situation and circumstances surrounding it.
The investigation process is usually divided into four main stages: collection, examination, analysis and presentation of the data. Together these produce the digital evidence to be presented to the court, which acts as the factual foundation for the legal argument. Correct execution of the process, including documentation, allows the information to be accepted as evidence in the legal proceedings.
IN SUMMARY
Guidelines for the investigation of mobile telephones and WM systems do exist. Their implementation varies with the organization, the purpose of the investigation and any special circumstances.
Over time, legal models for dealing with Microsoft's operating systems have been developed. However, as with other technologies, the brief history of WM telephones and the conceptual changes between the older operating systems and WP7 and WP8 have left the logical analysis tools unable to prove their reliability.
WP7's major changes, and the fact that WP7 is incompatible with all previous Windows Mobile operating systems, have made present forensic investigation tools and techniques unsuitable for use on a WP7 mobile phone.
One of the major changes that can affect digital investigations is the way WP7 interfaces with the PC. WM forensic tools access data logically and physically through ActiveSync/WMDC connections between the mobile device and the PC.
Unlike the older systems, WP7 uses the Zune software and not ActiveSync/WMDC. Existing tools may therefore be unable to communicate with a WP7 device, and/or it may not be possible to extract the information in its entirety.
In the old model, WM tools install an "agent" program on the mobile telephone. The agent collects the data from the device's memory and transmits it to the home base, the external examining device.
I would point out that WP7 is incapable of running older WM applications. Furthermore, even if the agent is successfully installed, it may not operate and/or may be unable to transmit data to an external device.
With regard to the legal issues, it has not been proven that the data so obtained is reliable and can be accepted as original and reliable evidence.
Additionally, WP7 merges the mobile telephone's internal memory and its SD card into a single storage space. I would also point out that a number of methods for the physical extraction of data exist, one of which is the removal of the memory chip.
Since WP7 systems spread storage across memory components in parallel, there is a fear that physical removal could erase and/or corrupt important data. Furthermore, we cannot predict which files are stored in the device's internal memory and which on its SD card.
What is more, the SD card of a WP7 device is locked to the handset and cannot be read by the user with the standard methods used on previous generations of WM operating systems.
The compression scheme used by WP7 also differs from previous WM systems: WP7 uses the TexFAT file system and XPH compression, whereas WM uses TFAT and XPR compression.
The new WP7 file system and compression method are not yet well enough understood in the world of digital investigation. It is still too early to say clearly whether the evidence presented is reliable enough for the legal process.
Even if we use the physical process and obtain a complete copy of the WP7 device, existing tools and techniques may fail to identify files and/or be unable to open them.
Conclusion
In this article I have reviewed only the preliminary and basic points regarding the lack of credibility, and the fear of unreliability, of evidence retrieved from WP7 mobile telephones.
There are many issues which exhibit significant differences that harm the reliability of digital evidence obtained from WP7 mobile telephones.
Furthermore, even when a technological solution capable of coping with the above issues is found, developers of technology in general, and of mobile technology specifically, will keep the "circle of uncertainty" turning, because forensic technologies cannot fully and decisively keep pace with progress.
ABOUT THE AUTHOR
Over the past 15 years I have been working as an expert in the field of digital forensics. My fields of expertise include a wide variety of hi-tech fields and issues such as: CCTV forensics, e-mail forensics, Internet investigation, websites, CRM systems, ERP systems, database investigation, mobile phone forensics, PDAs and much more.
Additionally, I am a lecturer for B.A. students at the Criminology Faculty of Beit Berl College in Israel, where I teach electronic evidence, computer law and computer and Internet crime.
These courses are all based on my book "Digital Evidence into Practice – The Combination between Technology and Law", which I am completing at this point in time. The book addresses the areas of technology and the law while comparing the legal systems of the United States, the United Kingdom and Israel.
I have also written dozens of expert opinions which have been offered to the courts at all levels, in both criminal and civil law. These opinions dealt with issues such as the Internet, social networks such as Facebook and Twitter, YouTube videos and more, sexual harassment, rape, murder cases, money laundering and Internet gambling, code theft and many issues of intellectual property rights.
In addition, I have been appointed by Israeli courts on many occasions to act as a mediator and arbitrator in cases and issues in the field of law and technology.
I have been involved in research into electronic signatures, and my expert opinions in this matter were crucial in the acceptance of electronic signatures by the largest insurance companies in Israel. I hold four academic degrees in the fields of technology and technology law. I have also participated in numerous professional courses and am, at this moment, preparing for the winter 2014 New York Bar Exam.
Apple goes biometrics
by Cordny Nederkoorn
With the launch of the iPhone 5S last September, Apple entered the field of mobile fingerprint authentication, a bold way of using biometrics in authentication.
This article covers the fingerprint technology behind Apple Touch ID and its relation with iOS 7 as regards storing the data, security and usability. After that, the risks of using Touch ID are discussed.
When Apple bought AuthenTec, a developer of fingerprint sensors, in 2012, everybody was anxious to see what Apple was going to do with AuthenTec's fingerprint sensor technology. Was it going to be used for the iMacs, or was it going to be a new feature of the next iPhone?
Well, on 10 September 2013, at the Apple iPhone media event, it was announced that the new iPhone 5S would ship with Touch ID.
Touch ID lets the iPhone 5S user unlock the phone, but also make purchases in iTunes, the App Store and iBooks. So Touch ID gives a user access to four important Apple products. Still, Apple does not replace the user's passcode: if the iPhone 5S has been rebooted, has not been unlocked for 48 hours, or has rejected five fingerprint attempts in a row, the user must enter the passcode, not a fingerprint, to unlock it.
For forensics this matters: when an investigator goes to unlock an iPhone 5S for examination, the prompt tells whether the phone has been unlocked within the last 48 hours. If so, it asks for a fingerprint; if not, it asks for the passcode, assuming the user has enrolled a fingerprint at all.
OK, now back to Touch ID, beginning with the hardware.
What you will learn:
• Basic information about how the Apple iPhone 5S Touch ID technology works
• Basic information on fingerprint technology
• Risks of using Apple iPhone 5S Touch ID
• Possible methods for hacking passwords
What you will not learn:
• How to hack the Apple iPhone 5S digitally
• Detailed functionality of Apple iPhone 5S Touch ID
• Countermeasures against password hacking
Hardware
The Touch ID sensor is built into the home button (covered with sapphire crystal against scratching), which is surrounded by a steel detection ring. The ring senses that a finger is present without the sensor being touched and wakes the sensor. For usability, the sensor can read the finger in any orientation (360 degrees).
It uses capacitive sensing to detect the fingerprint by "reading" the sub-epidermal skin layer. This matters because, in principle, only live tissue is detected by Touch ID, which should rule out access to the iPhone 5S with a chopped-off finger or a fingerprint image (although the latter has already been spoofed; see below).
Software
The fingerprint data is stored in the Secure Enclave of the Apple A7 processor of the iPhone 5S, not on Apple's servers or in iCloud.
But how is the fingerprint on your finger converted into data on the iPhone 5S?
Fingerprint matching works by comparing various features of the fingerprint pattern. These features come in two kinds: global patterns, and minutia points formed by the ridges and valleys.
The next pictures show the visual characteristics of the two kinds [1].
Figure 1. From left to right, the different patterns: arch, loop and whorl
Figure 2. From left to right, the different minutiae: ridge ending, bifurcation and short ridge (dot) [2]
As already said, Touch ID uses capacitance to detect the user's fingerprint.
An image of the fingerprint is created through two methods:
1. Capacitive: human skin has several layers, two of which are the epidermis and the dermis. The capacitive method exploits the difference in electrical conductivity between them: the epidermis, unlike the dermis, is not electrically conductive. Each pixel of the sensor array (which carries a small electrical charge) and the conductive sub-epidermal layer thus act as the plates of a parallel-plate capacitor, with the dead, non-conductive epidermis as the dielectric. The sensor array measures the capacitance per pixel, and because the fingerprint has ridges and valleys the capacitance differs from spot to spot (air gaps under the valleys), giving a distinct capacitance pattern per fingerprint.
2. Radio frequency (RF) [3]: another difference between the epidermis and the sub-epidermal layer is that the dead epidermis does not respond to the RF signal sent by the sensor, whereas the sub-epidermal layer does, which yields an RF map that differs per fingerprint.
The fingerprint reference [4] describes reducing the sensor data to a string of numbers with a one-way (hashing) function. That cannot literally be how any fingerprint system, Apple's included, stores its template: a cryptographic hash such as MD5 changes completely when a single input bit changes, and no two scans of the same finger are bit-for-bit identical, so an exact hash comparison would never match the legitimate user. What is stored is a mathematical representation of the print (for example the minutiae and their relative positions), from which the image cannot be reconstructed, and matching computes a similarity score against a threshold. Apple's own description is consistent with this: Touch ID stores only such a mathematical representation, encrypted with a key available only to the Secure Enclave, and never an image of the fingerprint.
Figure 3. Simple representation of one-way hashing with the MD5 hash function [5]
Figure 3 shows how one-way hashing works: the hash is easy to compute from the input, but the input cannot be recovered from the hash.
This template is stored in the Secure Enclave of the Apple A7 processor.
The next time the user presents a finger to unlock the iPhone 5S, the features extracted from the sensor data are compared inside the Secure Enclave with the stored template; if they match closely enough, the iPhone 5S is unlocked, otherwise it stays locked.
Risks
Given the above, the iPhone 5S seems quite secure when locking and unlocking with Touch ID.
Is it possible to hack the iPhone 5S Touch ID technology?
As already said, there is no need to fear having your fingers chopped off because criminals want access to your iPhone 5S: Touch ID relies on two methods, capacitance and (possibly) RF, both of which need the living sub-epidermal skin layer of the user to activate the sensor and unlock the iPhone 5S.
At the time of writing, it has been claimed that Touch ID can be fooled using a high-resolution photograph of a fingerprint, a laser printer and some glue [6].
But this is a physical attack, not an attack on the encrypted data stored in the Secure Enclave. It is fooling Touch ID rather than really hacking it.
Is it then possible through digital attacks?
To attack the iPhone 5S digitally, it is necessary to get at the Secure Enclave of the Apple A7 processor.
Mind you, Apple does not give third-party developers access to the Touch ID software, which removes one avenue for tampering.
Suppose the hacker could get hold of the stored fingerprint data (by a method not known to me yet). If that data really were a hash, and the hash function (MD5 etc.) were known, three classic attacks would apply:
• Brute-force attack: systematically trying every possible fingerprint data value as input to the hash function.
• Dictionary attack: systematically trying a list of likely inputs (a dictionary) against the hash function.
• Rainbow-table attack: a precomputed table of inputs and their hashes; the attacker looks up the captured hash and reads off an input that produces it.
The effectiveness of these attacks depends on the hash function and on the size of the input space, and success would at most give the attacker a value that unlocks the iPhone; it would not give the user's actual fingerprint, which remains unknown. Since the stored template is a fuzzy representation matched against a threshold rather than a hash compared for equality, these attacks do not apply to Touch ID in this form anyway.
Besides the prerequisite of knowing the hash function used, you would also need access to the Secure Enclave. Are there no better alternatives?
Yes indeed! As already said, a passcode can still be used to unlock the iPhone 5S (after 48 hours of non-use, after a reboot, or after five rejected fingerprints).
And here the attacks described above can also be used, in principle.
The hacker does not even have to wait 48 hours: five wrong fingers switch the iPhone 5S from fingerprint to passcode authentication. The practical obstacle is different: the passcode is not stored as a hash that can be copied and attacked offline; it is entangled with a key burned into the device's hardware, so every guess must be tried on the phone itself, where iOS imposes escalating delays after repeated failures and can be set to erase the device after ten wrong attempts.
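As an added example, not from the article and not Apple's code, the following block makes two of the points above concrete on constructed data. Sensor noise is simulated by flipping three bits of a 256-bit feature vector: an exact hash comparison then fails for the genuine finger, while a distance-based matcher with a tolerance accepts it and still rejects an unrelated vector. The passcode part enumerates every 4-digit code against a salted hash, first without limit and then with a cap on attempts; the cap is what a real device enforces, and on an iPhone the passcode is additionally entangled with a hardware key so that guesses cannot be tried offline at all. The salt, the passcode 4829 and the feature vectors are all constructed.

```python
"""Added example (not from the article, not Apple's code), on constructed data:
(1) exact hash comparison cannot match a fingerprint template, because two scans of
one finger are never bit-identical, whereas a matcher with a tolerance can;
(2) a 4-digit passc
ode hashed without any rate limit falls to enumeration in at most
10,000 guesses; the number of guesses the attacker is allowed decides the outcome."""
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# --- 1. hash equality versus feature matching ---------------------------------
# Stand-ins for 256-bit feature vectors: deterministic pseudo-random bytes.
ENROLLED = hashlib.sha256(b"constructed finger A, enrolment scan").digest()
IMPOSTOR = hashlib.sha256(b"constructed finger B, someone else").digest()

def noisy_scan(template: bytes, flip_bits: tuple) -> bytes:
    """Simulate sensor noise: the same finger read again with a few bits changed."""
    out = bytearray(template)
    for bit in flip_bits:
        out[bit // 8] ^= 1 << (bit % 8)
    return bytes(out)

def hash_equal(a: bytes, b: bytes) -> bool:
    """What the text describes: store a hash, compare hashes for equality."""
    return sha256_hex(a) == sha256_hex(b)

def hamming(a: bytes, b: bytes) -> int:
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def template_match(stored: bytes, sample: bytes, threshold: int = 24) -> bool:
    """What a biometric matcher does: accept if the sample is close enough."""
    return hamming(stored, sample) <= threshold

# --- 2. enumerating a short passcode ------------------------------------------
SALT = b"constructed-salt"   # a real device entangles the code with a hardware key instead

def passcode_hash(code: str) -> str:
    return sha256_hex(SALT + code.encode())

def crack_passcode(target: str, digits: int = 4, max_attempts: int = None):
    """Try every code in order. max_attempts models a device that stops accepting
    guesses (iOS throttles and can erase after ten failures). Returns (code or None, attempts)."""
    attempts = 0
    for n in range(10 ** digits):
        if max_attempts is not None and attempts >= max_attempts:
            return None, attempts
        attempts += 1
        code = f"{n:0{digits}d}"
        if passcode_hash(code) == target:
            return code, attempts
    return None, attempts

if __name__ == "__main__":
    again = noisy_scan(ENROLLED, (3, 77, 200))
    print("hash equality, same finger:", hash_equal(ENROLLED, again))        # False
    print("template match, same finger:", template_match(ENROLLED, again))   # True
    print("template match, impostor:", template_match(ENROLLED, IMPOSTOR))   # False
    target = passcode_hash("4829")
    print("unlimited guesses:", crack_passcode(target))                       # ('4829', 4830)
    print("ten guesses only:", crack_passcode(target, max_attempts=10))        # (None, 10)
```

The threshold in template_match is the biometric trade-off in one number: raise it and false negatives drop while false positives rise, which is why the matching logic, not only the stored template, has to live inside the Secure Enclave.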
Another risk is a bug in Apple's matching software that accepts sensor data it should reject, producing false positives. But how likely is that, given that the whole of the stored representation has to be matched?
False negatives can also play a role, when Touch ID incorrectly rejects a registered print. Apple's workaround is the passcode that must be set when a fingerprint is enrolled. But wait a minute: this passcode can itself be attacked if it is known where it is stored.
So you cannot say that the Apple iPhone 5S uses two-factor authentication. It uses only one authentication mechanism at a time.
Conclusion
With Touch ID in its iPhone 5S, Apple has entered the mobile biometrics arena.
With fingerprint technology (capacitive, possibly RF) and a protected template in the Secure Enclave, alongside the passcode, it has given the user a more secure way of using the iPhone. By keeping the data on the iPhone itself (the Secure Enclave of the A7 processor) and not on servers or in iCloud, it narrows the area in which an attack on the iPhone 5S can take place.
Still, the iPhone 5S can be spoofed, as the high-resolution photograph attempt showed. But adding Touch ID has made the iPhone 5S harder to attack, as long as you use Touch ID together with a strong passcode, even though it remains one-factor authentication.
Better would be to make the iPhone 5S support true two-factor authentication, where both your fingerprint and a passcode are required to unlock it.
But at least no image of your fingerprint is stored on the iPhone 5S.
References
[1] Wikipedia, Fingerprint recognition: http://en.wikipedia.org/wiki/Fingerprint_recognition
[2] Wikipedia, Fingerprint recognition: http://en.wikipedia.org/wiki/Fingerprint_recognition
[3] RF sensing is only documented in AuthenTec patents, see http://www.daqs.org/patents/assignee/authentec-inc/; it is not documented for Apple Touch ID
[4] http://www.aspencrypt.com/crypto101_hash.html
[5] http://www.gohacking.com/what-is-md5-hash/
[6] Chaos Computer Club, "CCC breaks Apple TouchID": http://www.ccc.de/en/updates/2013/ccc-breaks-apple-touchid
ABOUT THE AUTHOR
Cordny Nederkoorn is a Dutch software test engineer, employed by Eyefreight, a leading provider of Transport Management System (TMS) technology.
On a personal level Cordny helps the Kantara Initiative improve the quality of the specification and implementation of UMA (User-Managed Access), a web authorization protocol built on OAuth 2.0. He discusses his work on various social media.
Blog: http://testingsaas.blogspot.com
Twitter: http://www.twitter.com/testingsaas
Facebook: http://www.facebook.com/TestingSaaS