
radicaldevelopment.net

http://radicaldevelopment.net/mobile-digital-forensics-challenges/

Mobile Digital Forensics Challenges


The world of digital forensics has experienced a transformation in recent years. With the mobile landscape changing with each passing day, it is critical that the forensics field adapt promptly to all the challenges. This post takes a closer look at mobile devices and the makeup of these devices, which includes hardware, memory, hard drives, and finally the data, particularly in the way that data is volatile and accessible. Mobile devices present challenges in the area of network intrusion, malware, and data retention. The reality is that modern mobile devices are just as powerful as computers of years past and provide a high level of functionality: audio, video, rich files, and voice communications are all easily shared, deleted, and modified across the mobile spectrum. Only when a comprehensive understanding of the mobile platform is taken into consideration can a digital forensic analyst successfully and properly conduct a conclusive investigation.

Mobile Digital Forensic Challenges


The modern-day challenge of forensics on the mobile platform is that data can be accessed, stored, and synchronized across countless devices, including cloud computing platforms such as Google Docs. This can often be a moving target for forensics and requires much more effort, since the data is volatile and can quickly be transformed or even deleted remotely, and since there is a sheer assortment of mobile devices (see figure 1). Mobile devices are easily accessible by the public and for the most part provide the same level of productivity as a personal computer. Case in point, the use of a camera for images or video may be manipulated and used for illegitimate purposes (Wilson, Craggs, Robinson, Jones, & Brimble, 2012). Mobile devices are also often lost or stolen, and while we would like to think privacy is acknowledged, the fact is 50% of devices were accessed by unauthorized parties (Fox News, 2012). As the mobile technology stack continues to grow, the idea is that one day, sooner rather than later, the forensics world will be able to reduce the risks that are present today.

Figure 1: Types of Mobile Devices

| Issue | Personal Computers | Smartphones |
|---|---|---|
| Power On/Off | Low Risk | High Risk |
| Volatility | Low Risk | High Risk |
| Imaging | Low Risk | High Risk |
| Evidence Size | Large | Small |
| Forensic Tools | Open Source and Proprietary | Open Source |

Table 1: Personal Computers versus Smartphones

Because mobile devices present unique challenges and risks as outlined in table 1 (Nena, & Anne, 2009), it is imperative to have a solid practice in place that allows for proper forensic analysis. This includes understanding the challenges and how not to fall victim to them; otherwise the credibility of the investigation itself is at risk. In terms of the priority of threats when it comes to network intrusion, malware, and insider file deletions, we can prioritize the following aspects of the mobile technology stack.

1. Hardware
2. Memory
3. Disk Drives
4. Data

Digital forensics, when all is said and done, comes down to the preservation, recovery, and reporting of data that is stored on a device.

Hardware
To understand the challenges associated with mobile devices it is imperative to understand the architecture. This can be difficult, to say the least, because while the GSM architecture is a published standard, the reality is that GSM and the associated protocols are understood by a small set of engineers (Welte, 2010). The modern smartphone essentially utilizes a modem that encompasses three core features: handling of the GSM frequencies, analog data translation, and finally digital data translation. When it comes to the area of security, there are widely accepted standard features that each smartphone has, but the reality is these same features are not consistent (Welte, 2010). The lack of consistency does not present a significant hurdle for a forensic analyst because features such as the International Mobile Equipment Identifier (IMEI), Subscriber Identity Module (SIM) card, and firmware signatures can be of assistance during the investigation and any legal actions that may arise.

Internal and Flash Memory


Memory, whether internal or a removable flash memory card, is an important component of the smartphone's operation. The protection of these components is extremely challenging because of storage options and loss or theft risks (Daesung, Byungkwan, Yongwha, & Jin-Won, 2010). To complicate matters, flash memory is difficult to manage, has a short lifetime, and is portable. It does not take a great deal of effort and time to access flash memory by either a USB connection or a simple copy of the memory's contents.

Disk Drives
A typical smartphone does not have, per se, a typical hard drive, but the device acts essentially like a portable hard drive because of its memory capacity and hardware, which when connected to a personal computer behaves like any other type of drive. I would like to say that hardening of the device is easily accomplished, but the reality is the software that drives smartphones differs strongly across the mobile spectrum. In addition, manufacturers and end users are facing major security problems that have never been seen previously.

Data
Face it, the entire idea of a smartphone is to be able to access and share data quickly and easily. However, with this freedom come inherent risks of modification, interception, and deletion of that same data. The fact is these same smartphones often access critical data and they have no firewall or antivirus software in place, thus enhancing the security risks. Intrusion may be as simple as a lost device or as complex as a black hat capturing the data exchange while the smartphone is connected to public or protected Wi-Fi networks. There are options available that assist in protecting data, and these options include the use of a Virtual Private Network (VPN) and encryption (Munro, 2007).

Network Intrusion
The facts about network intrusion are painfully obvious, and an argument may be presented that while prevention is a team effort, the fact is most people are complacent when it comes to security. I have to rank network intrusion as the highest priority because of the mobile device being both easily hidden and powerful. In addition, the reality is many Network Intrusion Detection Systems (NIDS) simply monitor and alert on well-known attacks and often overlook mobile devices. Once a mobile device is connected to a given network, the fact remains that if the device is compromised, it can easily affect the network in a number of ways that are often detrimental to the company. Chung, Jacoby, and Davis (2010) present a compelling concept of intrusion detection with mobile devices that comes down to something as simple as power consumption. Because a mobile device's power level increases when the wireless mode is enabled or when it sends and receives data packets, an IDS could potentially monitor this and alert the Information Technology (IT) staff to any suspicious behavior; figure 2 demonstrates a power comparison by technology, which clearly shows how power consumption may be monitored. Chung et al. (2010) propose the use of what is called a battery-based intrusion detection (B-bid) system on the mobile devices themselves.

Figure 2: Energy Use Comparison
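The power-consumption idea above can be sketched as a small detector. This is an added example, not code from Chung et al. or from the original post; the sample values, state names, threshold factor and run length are all constructed assumptions.

```python
from statistics import mean, pstdev

# Constructed samples (second, reported radio state, milliwatts); not data from the paper.
BASELINE = [(i, "idle", mw) for i, mw in enumerate([20, 22, 24, 21, 23])] + \
           [(i, "wifi_tx", mw) for i, mw in enumerate([700, 720, 710, 730, 740])]
OBSERVED = [(0, "idle", 21), (1, "idle", 23), (2, "idle", 310), (3, "idle", 22),
            (4, "wifi_tx", 725), (5, "idle", 24), (6, "idle", 690), (7, "idle", 705),
            (8, "idle", 698), (9, "idle", 22)]

def build_baseline(samples):
    """Mean and standard deviation of power draw per reported radio state."""
    by_state = {}
    for _, state, mw in samples:
        by_state.setdefault(state, []).append(mw)
    return {s: (mean(v), pstdev(v)) for s, v in by_state.items()}

def detect(samples, baseline, k=3.0, min_run=3):
    """Return (start, end, state) for runs of at least min_run samples whose
    draw exceeds mean + k*std for the state the device reports being in."""
    alerts, run = [], []

    def flush():
        if len(run) >= min_run:
            alerts.append((run[0][0], run[-1][0], run[0][1]))
        run.clear()

    for t, state, mw in samples:
        if state not in baseline:      # no baseline for this state: cannot judge
            flush()
            continue
        mu, sigma = baseline[state]
        high = mw > mu + k * max(sigma, 1.0)   # floor sigma so tiny variance is not brittle
        if high and (not run or run[-1][1] == state):
            run.append((t, state))
        else:
            flush()                    # run ended, or the reported state changed
            if high:
                run.append((t, state))
    flush()
    return alerts

if __name__ == "__main__":
    # The device claims to be idle while drawing Wi-Fi-transmit levels of power.
    print(detect(OBSERVED, build_baseline(BASELINE)))
```

The single spike at second 2 is ignored because it does not persist; the sustained draw at seconds 6 to 8 while the device reports idle is what gets flagged.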

Malware
The second greatest threat is malware. Malware by definition is malicious software that is installed without your knowledge or permission. Depending upon the point of view, many arguments were made against Carrier IQ and the fact that the software met the definition of malware because many consumers were not aware of it. In any case, Carrier IQ serves as a great example of what malware can accomplish. Carrier IQ was designed to allow providers to measure performance and use with no visible impact to the device owner (Tsukayama, 2011), but the problem was unsuspecting users were not informed of the software, much less what data was or was not being collected and transmitted to the provider. Protection from malware can be an uphill battle because as more and more mobile devices flood into the market, the growth of malware explodes. While there are mechanisms that protect from malware, the fact is mobile device owners often are not compelled to install antivirus software (Ortega, Fuentes, Álvarez, Gonzalez-Abril, & Velasco, 2011). For a forensic analyst malware presents a substantial problem because malware exploits vulnerabilities in code, which in turn affects hardware, data, file integrity, and network protocols. While malware presents challenges, Ortega et al. (2011) present the idea of a monitoring module, which analyzes data transmissions. This module as outlined provides the necessary monitoring and inspection of the data transfer to both allow and store decisions based upon the transmission. The fact that the decision history is maintained provides great value to the area of digital forensics as an audit trail. Keep in mind that because mobile operating systems and the hardware that they run on differ greatly, any type of monitoring system would have to adapt to the differences across devices.

File Integrity
At this point one thing that should be painfully obvious is the fact that mobile devices pose a very large threat. These devices are data centric and this same data could be harmful in the hands of the wrong individual. Consider for a moment the ease of capturing pictures or videos. Furthermore, assume you turned on the evening news only to hear a report of a well-known politician in an unflattering picture; it can happen. While images and video only represent one aspect of file integrity, I do believe it is extremely important because of ease of access. In fact, from a forensic standpoint it is imperative to distinguish between any alterations to the media (Rocha, Scheirer, Boult, & Goldenstein, 2011). Protection and acquisition of data from mobile devices is often very simple. For example, most smartphones when connected to a PC simply show up as a disk drive. With Android devices, a forensic analyst may utilize the Android Debug Bridge (adb) to acquire data.

Conclusion
Mobile devices have quickly become the norm and everyone from all walks of life has one, which includes administrators, developers, secretaries, and yes even grandma and grandpa. Because of the wide range in the user base, complicated by the verbose usage of mobile devices and a false sense of security, the threats are just as verbose as the devices themselves. Stop for a moment and consider the challenges with malware, network intrusion, and file integrity when it comes to user behavior, see figure 6. While each of these areas addresses a specific concern, together they can immensely assist any digital forensic investigation.

References

Chung, J., Jacoby, G., & Davis, N. (2010). Detecting network intrusion on mobile device by monitoring power consumption. Retrieved from http://www.ece.vt.edu

Daesung, M., Byungkwan, P., Yongwha, C., & Jin-Won, P. (2010). Recovery of flash memories for reliable mobile storages. Mobile Information Systems, 6(2), 177-191. doi:10.3233/MIS-2010-0098

Fox News. (2012). Symantec's lost cell phone study confirms the worst in people. Retrieved from http://www.foxnews.com

Munro, K. (2007). Kill deleted data for good. SC Magazine: For IT Security Professionals. p. 19. Retrieved from http://www.haymarket.com

Nena, L., & Anne, K. (2009). Forensics of computers and handheld devices: identical or fraternal twins? Communications of the ACM, 52(6), 132-135. Retrieved from http://www.acm.org

Ortega, J. A., Fuentes, D., Álvarez, J. A., Gonzalez-Abril, L., & Velasco, F. (2011). A novel approach to trojan horse detection in mobile phones messaging and bluetooth services. KSII Transactions on Internet & Information Systems, 5(8), 1457-1471. doi:10.3837/tiis.2011.08.006

Rocha, A., Scheirer, W., Boult, T., & Goldenstein, S. (2011). Vision of the unseen: Current trends and challenges in digital image and video forensics. ACM Computing Surveys, 43(4), 26.1-26.42. doi:10.1145/1978802.1978805

Tsukayama, H. (2011). What is Carrier IQ? Washington Post. Retrieved from http://www.washingtonpost.com

Welte, H. (2010). Anatomy of contemporary GSM cellphone hardware. Retrieved from http://laforge.gnumonks.org

Wilson, M., Craggs, D., Robinson, S., Jones, M., & Brimble, K. (2012). Pico-ing into the future of mobile projection and contexts. Personal & Ubiquitous Computing, 16(1), 39-52. doi:10.1007/s00779011-0376-2

Author: Steven Swafford


Highly motivated information technology professional with 16+ years of experience. Working as a software engineer, Steven develops and maintains web based software solutions. As a skilled professional he is focused on the design and creation of software. Because communication skills are extremely important, Steven continues to expand his knowledge in order to communicate clearly with all facets of business. Recently Steven has been leading efforts to standardize software development tools and technology, plans and coordinates web accessibility as applied to IT Solutions, and he is tackling application security in terms of best practices and implementation of the Security Development Life-cycle.
