Cyber Forensics Lab, Indian Computer Emergency Response Team (CERT-In), Department of Information Technology, Ministry of Communications & Information Technology, Government of India, New Delhi
23/03/2012 CERT-India 1
Agenda
Mobile Phone Basics
Seizure of Mobile Phone
Mobile Phone Data Acquisition
Mobile Forensic Toolkits / Equipment
Forensic Analysis of Digital Evidence from Mobile Phones
References
User's name & address
Deleted messages
Affairs
Deleted call records
Contacts
Employee dishonesty
Frauds
Theft
Locked phones
Data storage
Bluetooth / Infrared
USB
Short Messaging Service (SMS)
Multimedia Messaging Service (MMS)
Phone settings
IMEI (GSM) / ESN (CDMA)
Calendar information
SMS / MMS
Phonebook contacts
Call logs
Date & time
Ring tones
Applications
It provides the user's network / mobile service provider information
Language settings
Currency information (from call charge counters)
Most recent location of the mobile phone
Phonebook contacts
SMS: sent and received
Call logs: dialled / received / missed
SIM Card
Used most commonly in GSM devices / phones; now in CDMA too (called an R-UIM card)
Smart card; sizes: Standard (credit card), Mini (mostly used now), Micro (smartphones such as the iPhone)
Flash memory: 16 KB to 4 MB
Contains subscriber information, as stored by the service provider
Can be transferred from one phone to another (if not locked)
May contain address book, call history and text messages (SMS)
Memory Cards
Increasingly common in new handsets and digital cameras
PC-compatible FAT file system widely adopted
May contain pictures, movies, .mp3, .mp4, etc.
Deleted data is retrievable with established computer forensic techniques and tools such as Foremost, Scalpel, PhotoRec, XACT, EnCase or FTK
Suspected mobile phones, if connected to a PC (via cable, Bluetooth or infrared), should be disconnected from the PC immediately
Depending on the warrant, the time & date of seizure must be relevant
If the mobile is switched off because its battery has drained, PINs or other access codes may be required to retrieve data
Mobile Phones
Basic Mobile Phones
Nokia, Samsung, LG, Sony Ericsson
Smart Phones
Blackberry, iPhone (Apple), Galaxy (Samsung)
USB SIM card reader (for GSM)
Digital video camera with desktop tripod
Faraday bag
Jammer (10 m radius)
MOBILedit! Forensic (mobile forensic software, GSM and CDMA)
BitPim (mobile forensic software, CDMA)
2. Isolation
3. Acquisition
4. Examination / Analysis
5. Documentation
What to Seize?
Communication equipment (mobile phone)
Power adapter
Accessories
Communication cable
Hands-free audio set (if necessary)
Desktop / laptop PC to which the mobile phone is usually connected, if any
Isolation of the mobile phone from remote access & network: why?
The user can alter, change and delete / wipe the phone's data remotely using Bluetooth or infrared connectivity, or by calling it from another phone
If it remains connected to the network, new calls & SMS will replace the oldest ones (new in, oldest out)
Basic Evidence
Phone Data Call Registers and SMS
MSISDN, make, model, IMEI, SIM No., IMSI
Numbers dialled (handset)
Calls received
Missed calls
Phone book
Text messages stored on handset
Wireless connection
Infrared, Bluetooth
Physical Extraction
Bit-by-bit copy of the entire physical flash memory
Phone's file system, firmware, unallocated data
Costly & time consuming
If the mobile forensic tool supports the make & model of the mobile phone and it can be interfaced / connected with the mobile forensic workstation, then carry out the physical extraction of the phone's data
Examine / analyse the parsed data from the physical extraction
Carve out files (images, media, text) from the raw data
Examining a system requires the user's written consent / a search warrant?
SIM cards have a hierarchical file system
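To make the hierarchical SIM file system concrete, the added example below (written for this page; it is not code from CERT-In or from SIMCon or any other tool named here) models the master file (MF), the dedicated files (DF) beneath it and the elementary files (EF) that hold the subscriber data the earlier slides list (IMSI, ICCID, phonebook, SMS, last numbers dialled, language, charge counters, location). The file identifiers are the standard values from GSM 11.11 / 3GPP TS 51.011; the selection of files shown, the `path_to` helper and the sample EF contents are assumptions made for the example, and the IMSI and ICCID values are constructed, not taken from any real card.

```python
# Selected file identifiers from GSM 11.11 / 3GPP TS 51.011: the tree is
# MF -> DF -> EF, and a reader must select down the path to reach an EF.
SIM_TREE = {
    "3F00": ("MF", {
        "2FE2": ("EF_ICCID", {}),          # card serial number
        "7F10": ("DF_TELECOM", {
            "6F3A": ("EF_ADN", {}),        # abbreviated dialling numbers (phonebook)
            "6F3C": ("EF_SMS", {}),        # short messages
            "6F44": ("EF_LND", {}),        # last numbers dialled
        }),
        "7F20": ("DF_GSM", {
            "6F05": ("EF_LP", {}),         # language preference
            "6F07": ("EF_IMSI", {}),       # subscriber identity
            "6F37": ("EF_ACM", {}),        # accumulated call meter (charge counter)
            "6F41": ("EF_PUCT", {}),       # price per unit and currency table
            "6F46": ("EF_SPN", {}),        # service provider name
            "6F7E": ("EF_LOCI", {}),       # location information (last known LAI)
        }),
    }),
}


def path_to(file_id: str, tree=SIM_TREE, trail=()) -> list:
    """Return the select sequence from the MF down to file_id, or [] if unknown."""
    for fid, (_name, children) in tree.items():
        here = trail + (fid,)
        if fid == file_id:
            return list(here)
        found = path_to(file_id, children, here)
        if found:
            return found
    return []


def swapped_bcd(raw: bytes) -> str:
    """Decode swapped-nibble BCD as used in SIM files; a 0xF nibble is padding."""
    digits = []
    for b in raw:
        for nibble in (b & 0x0F, b >> 4):   # low nibble is the earlier digit
            if nibble != 0xF:
                digits.append(str(nibble))
    return "".join(digits)


def decode_imsi(ef_imsi: bytes) -> str:
    """EF_IMSI: byte 0 = length; byte 1 = first digit (high nibble) and the
    parity / odd-even indicator (low nibble); remaining bytes = swapped BCD."""
    length = ef_imsi[0]
    body = ef_imsi[1:1 + length]
    return str(body[0] >> 4) + swapped_bcd(body[1:])


def decode_iccid(ef_iccid: bytes) -> str:
    """EF_ICCID: 10 bytes of swapped-nibble BCD, F-padded."""
    return swapped_bcd(ef_iccid)


# Constructed sample contents (hypothetical values, not read from a real card).
SAMPLE_EF_IMSI = bytes.fromhex("08 49 40 54 10 32 54 76 98")
SAMPLE_EF_ICCID = bytes.fromhex("98 19 00 00 00 00 00 00 00 F1")

if __name__ == "__main__":
    print("select path to EF_SMS:", " -> ".join(path_to("6F3C")))
    print("IMSI :", decode_imsi(SAMPLE_EF_IMSI))
    print("ICCID:", decode_iccid(SAMPLE_EF_ICCID))
```

The point for an examiner is that a SIM reader never "lists" the card: it walks this tree file by file, and whether an EF can be read at all depends on its access conditions, which is why a PIN or PUK may be needed on a seized card.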
Investigating cell phones and mobile devices is one of the most challenging tasks in digital forensics
Mobile phone forensics is more complex than computer forensics
Difficulties with data preservation for mobile phones
Wide variety of cables and connectors
Battery-based mobile digital device; power adapters for charging
Unique file system
Make sure you have installed the mobile phone forensic tool on your forensic workstation
Attach the phone to its power supply and connect it through the correct cable
After you've connected the phone, start the mobile phone forensic tool and begin downloading the available information
Mobile forensics tools
Device Seizure Toolbox (Paraben)
BitPim (CDMA, freeware)
Mobile forensics tools (continued)
MOBILedit!
SIMCon
Software tools differ in the items they display and the level of detail they capture or recover
Tools available
Project-a-Phone ZRT (http://www.fernico.com/zrt.html)
Pros
Can work on every phone
No cable needed and easy to use
Cons
Can't get deleted information
No report generation; time consuming
Can't be used for keypad-damaged, broken or non-working handsets
Tools available
Many tools are available; refer to http://www.e-evidence.info
Pros
Fast, easy to use, lots of information available
Consistent report format, actions are repeatable
Cons
Writing data to the handset
Many cables required for connecting handsets to the mobile forensic workstation
Cannot recover deleted files
Tools available
UFS-3 (http://www.ufsexplorer.com/products.php#mobile)
SmartClip (http://www.smart-clip.com/)
COM Port Unibox; 187 pcs GSM+CDMA cables (http://www.ipmart.com/main/product/COM,Port,Unibox,With,187,pcs,GSM,CDMA,Cable,in,Package,23718.php?prod=23718)
Pros
Can recover deleted data
Extracts data hidden from handset menus; inexpensive
Cons
Inconsistent report format and required data conversion
Difficult to use; limited to specific manufacturers
JTAG Interface
Goal: to test the assembled PCB
Standardization of chip testing: IEEE Standard 1149.1
The test uses a TAP (Test Access Port) with the Boundary-Scan Architecture
For CDMA
QPST
Qualcomm Product Support Tool
QPST is a set of Windows tools designed to interface with, control, and test CDMA phones
Documentation
Log all activities in a log book chronologically, with date & time
Any time difference between the workstation and the standard time must be recorded
Have a digicam handy and photograph the equipment, connectivity, handset and any relevant specific information identified
When connected to a mobile forensic workstation for analysis, take screenshots of your relevant findings
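The documentation points above (chronological entries, a recorded clock offset, and, from the Conclusion, acquiring binary data "without changing the contents") can be enforced rather than just remembered. The added example below is written for this page and is not a CERT-In procedure or the output of any tool named in the slides: it keeps a hash-chained examination log so that an entry altered after the fact is detectable, converts workstation time to standard time with the recorded offset, and records the SHA-256 of the acquired image so the image can be shown unchanged before analysis. The case identifier, examiner name, two-minute clock offset and the bytes standing in for an acquired image are all constructed placeholders.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def image_unchanged(reference_hash: str, data: bytes) -> bool:
    """True if the data still hashes to the value recorded at acquisition."""
    return sha256_hex(data) == reference_hash


class ExamLog:
    """Chronological, hash-chained log of examination activities (illustrative design)."""

    def __init__(self, case_id: str, examiner: str, clock_offset: timedelta = timedelta(0)):
        # clock_offset = standard time minus workstation time, measured at the start
        self.case_id = case_id
        self.examiner = examiner
        self.clock_offset = clock_offset
        self.entries = []

    def record(self, activity: str, workstation_time: datetime, **details) -> dict:
        # Each entry carries the digest of the previous one, so removing or
        # editing an earlier entry breaks every digest after it.
        prev_digest = self.entries[-1]["digest"] if self.entries else "0" * 64
        entry = {
            "seq": len(self.entries) + 1,
            "case_id": self.case_id,
            "examiner": self.examiner,
            "workstation_time": workstation_time.isoformat(),
            "standard_time": (workstation_time + self.clock_offset).isoformat(),
            "activity": activity,
            "details": details,
            "prev": prev_digest,
        }
        entry["digest"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """Recompute every digest and link; False if any entry was tampered with."""
        prev = "0" * 64
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "digest"}
            if entry["prev"] != prev:
                return False
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["digest"]:
                return False
            prev = entry["digest"]
        return True


def demo():
    """Walk through acquisition, photography and pre-analysis verification."""
    image = bytes(range(256)) * 64          # constructed stand-in for an acquired memory image
    t0 = datetime(2012, 3, 23, 10, 0, tzinfo=timezone.utc)
    # Placeholder case and examiner; the workstation clock was found 2 minutes fast.
    log = ExamLog("CASE-PLACEHOLDER", "examiner-placeholder", clock_offset=timedelta(minutes=-2))
    acquisition_hash = sha256_hex(image)
    log.record("Acquired physical image of handset memory", t0,
               sha256=acquisition_hash, tool="MOBILedit! Forensic")
    log.record("Photographed handset, cable and workstation", t0 + timedelta(minutes=5))
    unchanged = image_unchanged(acquisition_hash, image)
    log.record("Verified image hash before analysis", t0 + timedelta(hours=1), match=unchanged)
    return log, unchanged


if __name__ == "__main__":
    log, ok = demo()
    print("image unchanged:", ok, "| chain valid:", log.verify_chain())
    for entry in log.entries:
        print(entry["seq"], entry["standard_time"], entry["activity"])
```

In practice the entries would be written to append-only storage and the final digest noted in the paper log book, so the electronic record and the handwritten one corroborate each other.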
Conclusion
It's very important to acquire data as soon as possible after seizing the mobile phone
All binary information in the memory, including external memory cards, must be acquired without changing the contents
To analyze the binary information, we must know the file systems of the mobile phones
Summary
People store a wealth of information on their cell phones
Data can be retrieved from several different places in phones
As with computers, proper search and seizure procedures must be followed for mobile devices
References
Mobile Forensics: An Overview, Tools, Future Trends and Challenges from Law Enforcement Perspective, by Ahmed and Dharaskar
Mobile Forensics: Guidelines and Challenges in Data Preservation and Acquisition, by Shivankar Raghav and Ashish Kumar Saxena
References (contd.)
http://www.mobileforensicsworld.org
Mobile Phone Forensics: Challenges, Analysis and Tools Classification, by Zareen and Baig
Computer Forensics: An Overview, by Dorothy A. Lunn, SANS Institute; course contents: SANS SEC508