FOUNDATIONAL FORENSIC TECHNIQUES FOR MOBILEDEVICESAND USE OF AVAILABLE TOOLS TO RECOVER DATA USING DIFFERENT APPROACHES.
Objectives of theresearch (What you want to investigate)
The overall goal of this study is to look at the mobile devices using different tools like Susteen DataPilot Secure View and Paraben Device Seizure, mobiledit oxygen pho ne manager. and determine if they create and preserve a forensically sound case file.
In second part I discuss the different opera ting systems using in mobile devices nowadays like IOS for iphone, RIM for blackberry, Symbian for mostly nokia or Android OS for different smartphones. For normal communication between mobile device an d PC, every OS has its own PC suite but for forensic point of view there are some special tools which are paid an d there are some free open source tools as well. In my rese arch I prefer to use these free open source tools.
Anoth er technique to recover dev ice is to use hashing. Mob ile dev ice internal memory hash values ar e variable when per forming back-to-back acquisitions. Hash values ar e beneficial in providing examiners with th e ability to filter known data files, match data objects across platforms an d prove that data inte grity rem ains intact. Th e rese arch cond ucted at Purdue Univer sity compar ed known hash values with rep orted values for data obje cts popu lated onto mob ile devi ces us ing var ious data trans mission methods. While th e resu lts for th e majority of tests were uniform, th e hash values rep orted for data objects transferred via Multi media Mess aging Service (MMS) were va riable.
Cell pho nes an d oth er han dheld devi ces int egrating cell pho ne abilities (e.g., Perso nal Digital Assistant (PDA) pho nes) ar e univ ersal. Rath er than just making cal ls, so me specific pho nes per mit us ers to make extra tas ks such as Multi-Media Messa ging Service (MMS) messaging, SMS (Short Message Service) messaging, IM (Instant Messaging), Web brow sing, elect ronic mail, an d simple PIM (Perso nal Inform ation Management) applic ations (e.g., pho ne an d date book). PDA pho nes, frequently mentioned to as smartpho nes, offer use rs by means of th e joi nt capab ilities of both a cell pho ne an d a PDA. In addition to sys tem services an d basic PIM applic ations, one can achi eve more exten sive appoint tment an d contact inform ation, review elec tronic docu ments, give a present ation, an d per form oth er tasks.
All but th e most basic pho nes pro vide individ uals with so me ability to load addit ional applic ations, store an d pro cess perso nal an d sensitive inform ation indepe ndently of a desk top or note book comp uter, an d opti onally synch ronize th e resu lts at so me later time. As dig ital techn ology evolves, th e capabi lities of th ese devi ces continue to imp rove rap idly. When cell pho nes or oth er cel lular devi ces ar e involved in a crime or oth er incident, fore nsic examiners requ ire to ols that allow th e pro per retri eval an d spee dy examination of inform ation pres ent on th e dev ice. This rep ort gives an overvi ew of cur rent fore nsic softwar e, designed for acquis ition, exami nation, an d rep orting of data discovered on cellular han dheld devi ces, an d an understan ding of th eir capabilities an d limitations.
As technology continues to per meate society an d mob ile compu ting be comes more prevalent, people will more heavily depend on applic ations such as e-mail, SMS (Short Message Service), MMS (Multi media Messaging Service) an d online tran sactions (i.e. bank, ins, etc); such devi ces pro vide a good sour ce of evidence for fore nsic investi gators to prove or disprove th e commi tment of cri mes or loc ation of suspects/ victims. Dig ital fore nsics for han dheld devi ces is starting now. Unlike tra ditional comp uters, two impor tant fa ctors that must be account ted for in a fore nsic inves tigation ar e th e state of th e dev ice at th e time of acquisition an d radio isolation. Tradi tional dig ital fore nsics with perso nal comp uters allows an investigator to per form a dead fore nsic data acquisition simply by disconnecting th e power sour ce to preserve th e current state of th e comp uter. That opti on is not available with mob ile fore nsics for fear of loss of evidence or security mechanisms, such as dev ice locks or passwords, being activated. Th e fact that various opera ting sys tems ar e used for different mob ile devi ces in current markets makes development of digital fore nsics tools for mob ile devi ces more complicated.
This rese arch is being prop osed to survey avai lable digital fore nsics tools for capt uring e-evidence from mob ile devi ces an d meet th e deman d of e-evidence for cu rrent an d future's crimes. This rese arch focuses on practi cal inves tigations for digital fore nsics tools that will help investi gators or stud ents obtain first-han d experiences in digital fore nsics for mob ile devi ces. Investi gators sho uld be able to per form th eir job more informed as a result of this case study.
Research Plan (Methodto be used in investigation)
The purpose of this rep ort is to inform law enforce ement, incid ent response team mem bers, an d fore nsic examiners about th e capabilities of present day fore nsic softwar e tools that have th e ability to acquire inform ation from cell pho nes opera ting over CDMA (Code Division Multiple Access), TDMA (Time Divis ion Mult iple Access), GSM (Global Sys tem for Mob ile commun ications) networks an d run ning various opera ting sys tems, incl uding Symbian, Rese arch in Motion (RIM), An droid, IOS an d windows pho nes. My main focus will be an droid pho nes. An droid is a set of open sour ce softwar e elements specifical ly designed for MDs developed by Google; it incl udes th e Opera ting Sys tem (OS), a middlewar e an d a set of applic ations. Alth ough it has been designed an d developed for MDs (e.g., Smartpho nes), several laptop manu facturers plan to equip th eir products with An droid. At th e time of writing, less than 2% of Smartpho nes(Gartner Mob ile OS Shar e Forecast, 2009) runs An droid an d Ga rtner Inc. forecasts a 15% market shar e in 2012; in such case, An droid will be th e second OS, behind Sym bian, in terms of Smartpho ne's market penetration. Furth ermore, if An droid will be hos ted on laptops, th e integration of Smartpho nes an d portable comp uter could be bo osted with th e natural sideeffects on th e market.
An over view of each tool describes th e funct ional range an d facil ities for acqui ring an d anal yzing evidence con tained on cell pho nes an d PDA pho nes. Generic sce narios were devised to mirror situations that arise during a fore nsic exami nation of th ese devi ces an d th eir associated media. Th e scenarios ar e structured to re veal how selected tools react under var ious situa tions. Though generic sce narios were used in analy zing fore nsic tools, th e procedures ar e not intended to serve as a formal pro duct test or as a comprehensive evaluation. Addit ionally, no claims ar e made on th e comp arative benefits of one tool versus anoth er. Th e rep ort, instead, of fers a bro ad an d pro bing persp ective on th e state of th e art of present-day fore nsic softwar e tools for cell pho nes an d PDA pho nes. Alternatives to using a fore nsic softwar e tool for digital evidence recovery, such as desoldering an d remo ving mem ory from a dev ice to read out its con tents or us ing a built-in hardwar e test inter face to access memory, ar e outside th e scope of this rep ort.
Th e variety of fore nsic toolk its for cell pho nes an d oth er han dheld devi ces is diverse. A considerable number of softwar e tools an d toolkits exist, but th e range of devi ces over which th ey operate is typical ly narr owed to dist inct plat forms for a manu facturer's product line, a family of opera ting sys tems, or a type of hardwar e architecture. Moreover, th e tools requ ire that th e exam iner have full access to th e dev ice (i.e., th e dev ice is not protected by so me auth entication mech anism or th e examiner can satisfy any auth entication mech anism enco untered).
While most too lkits support a full range of acqui sition, exami nation, an d rep orting functions, so me tools focus on a subset. Simil arly, different tools may be capable of using different interfaces (e.g., IrDA, Blue tooth, or serial cable) to acquire dev ice contents. Th e types of inform ation that tool can acquire can range wid ely an d include PIM (Perso nal Inform ation Management) data (e.g., pho ne book); logs of pho ne cal ls; SMS/EMS/MMS messages, email, an d IM content; URLs an d content of visited Web sites; audio, video, an d image content; SIM content; an d uni nterrupted image data. Inform ation present on a cell pho ne can vary dep ending on sev eral factors, incl uding th e following:
Acquisition thro ugh a cable interface generally yields supe rior acquisition resu lts than oth er dev ice interfaces. However, a wire less inter face such as infrar ed or Bluetooth can serve as a reasonable alternative when th e cor rect cable is not readily available. Regardless of th e interface used, one must be vigi lant ab out any fore nsic issues associated. Note too that th e ability to acquire th e contents of a resi dent SIM may not be sup orted by so me tools, parti cularly those stron gly oriented toward PDAs. Table 1 lists open-sour ce an d commercially available tools an d th e facil ities th ey pro vide for certain types of cell pho nes.
Th e softwar e applic ations for mob ile fore nsics available today ar e not 100% fore nsical ly sound. Th e reason is that th ey use comman d an d response protocols that pro vide indirect access to memory (McCarthy, 2005; McCarthy & Slay, 2006). This means that th e fore nsic softwar e does not have direct access or low level access to data within th e pho ne's memory as it depends on th e mob ile pho ne's opera ting sys tem based comman d to retrieve data in th e memory. Th erefore in query ing th e opera ting sys tem, th e dev ice could be creating changes to th e memory of th e dev ice. So me comman d based mob ile fore nsics softwar e were not originally deve loped for fore nsic purposes an d th erefore th ey could unexpectedly write to th e mob ile pho ne dev ice's memory (Horenbeeck, 2007). So metimes fore nsic softwar e such as MOBLedit Fore nsic1 requ ires th e user to install addit ional softwar e on th e mob ile pho ne being examined. This is in direct violation of th e principles of electronic evidence as published by th e UK's Associ ation of Chief Police Officers (ACPO) Good Practice Guide for Comp uter based Electronic Evidence (ACPO, 2009) which states that “No action taken by law enforcement agencies or th eir agents should change data held on a comp uter or storage media which may sub sequently be relied upon in court.”
With th e increasing popularity an d techno logical advances of mob ile devi ces, new challenges arise for fore nsic examiners an d tool makers. Data recovered from mob ile devi ces has proven useful in solving incidents an d invest igating criminal activity. Cryptographic hash functions pro vide fore nsic examiners with th e ability to verify th e integrity of acquired data. Th e resulting hash value, a fixed-size bit string, is of ten used to identify known files an d illustrates that data has not been modified. Th e two most comm only used hash functions ar e MD5 an d SHA-1. Minimal rese arch has been per formed on how mob ile pho ne fore nsic tools rep ort hash values for individ ual data objects. Recent rese arch conducted at Purdue University explored th e hash resu lts rep orted by mob ile dev ice fore nsic tools for acquired graph ical images (e.g., .jpg, .bmp, .gif). While rese arch conducted shows consi stent behavior across mob ile fore nsic tools, th e following ar ea of concern illustrates th e need for fut ure rese arch: data objects trans ferred using Multimedia Messaging Service (MMS). My rese arch addresses issues surround ding mob ile fore nsic tools an d th e ability to use hash ing mecha nisms to validate th e integrity of acquired data objects. Th e docu ment is divided into th e foll owing chapters an d appendix:
_ Terminology: Defines terms used throughout th e docu ment.
_ Previous Rese arch: Pro vides a summa ry of ear lier rese arch per formed in this ar ea.
_ Methodology: Describes th e procedures used for cond ucting individ ual tests.
_ Resu lts: Illustrates th e final resu lts of tests cond ucted over each prescribed scenario.
_ Conclusions: Pro vides a summary of th e docu ment.
There are many tools now available that will help forensic teams to extract the exact information they required to make the case strong or find the targets. Tool like mobiledit: forensic is specifically design for mobile forensics and most importantly it support most of the devices of operating systems for smartphones available so far. MOBILedit! Forensic extracts all content and generates a forensic report ready for courtroom presentation. These tamper-proof, flawless reports are used in hundreds of courtrooms every day.
Cite This Dissertation
To export a reference to this article please select a referencing stye below: