Advanced Techniques in Forensic Examination of Smartphones, 2012
(C) Oxygen Software, 2000-2012 http://www.oxygen-forensic.com

Worldwide smartphone sales
115M devices sold in 3Q 2011, 81M devices sold in 3Q 2010.
The smartphone market grew by 42% in just one year.

Smartphone OS market share (chart; the iPhone value for 3Q 2011 did not survive extraction):

  OS                3Q 2010    3Q 2011
  Symbian           36.3%      16.9%
  Android           25.3%      52.5%
  iPhone            16.6%      (missing)
  RIM               15.4%      11.0%
  Windows Mobile     2.7%       1.5%

Source: Gartner (November 2011)

Top smartphone vendors, 2011
440.5M devices sold in 3Q 2011 (Gartner's figure for all mobile devices, not smartphones alone):

  Nokia     23.9%
  Samsung   17.8%
  LG         4.8%
  Apple      3.9%
  RIM        2.9%
  HTC        2.7%
  Others    44.3%

Source: Gartner (November 2011)

Smartphones
What information is stored on a modern smartphone?

A smartphone is a small PC
• Cell phone
• Address book
• Planner & organizer
• Messenger
• Photo & video camera
• GPS navigator
• Web & IM client
• Platform for 3rd-party apps

Smartphone as: Cell phone
Basic information
• IMEI/ESN/serial number
• Hardware & software revision
• Network information
Event log
• Incoming, outgoing and missed calls history
• Sent & received messages history
• GPRS & Wi-Fi sessions log
SIM card
• IMSI
• Phone numbers*
• SMS messages*
* - Smartphones usually do not keep contacts or SMS on the SIM, so these SIM entries are often empty.

Smartphone as: Address book
Contact information
• First, middle, last name, nickname, joint name, company, department, job title
• Photo and personal ringing tone
• Phone numbers: general, mobile, fax, video, pager, VoIP, push-to-talk
• Postal addresses, web pages and e-mails
• Different contact sources (Android)
• Number of calls (Android)
• Text notes
• Private info: birthday, spouse, children
• Custom field labels (Symbian, iPhone OS)
• Multiple fields of the same type
• Creation and last modification times (Symbian, iPhone OS)
Caller groups
• List of caller groups and their member contacts
Speed dials
• List of assigned speed dials

Smartphone as: Planner
Calendar events
• Meetings, reminders and anniversaries
• Start date & time
• Finish date & time
• Alarm date & time
• Recurrence
• Last modification date & time
Tasks
• Task description
• Deadline
• Priority
• Alarm date & time
• Completion date & time
Notes
• Note text & date

Smartphone as: Messenger
Messaging system
• Text messages (SMS)
• Multimedia messages (MMS)
• E-mail messages with attached files
• BIO messages: vCard, vCal, configuration and others
• Beamed messages: files sent via Bluetooth, IR or USB
• Standard message folders
• Custom message folders
• Date & time
• Service center timestamp for incoming messages
• Information about deleted SMS messages (Symbian, iPhone OS)

Smartphone as: GPS navigator
GPS navigator
• Last fixed GPS coordinates
• Search history
• Routes history
• Last displayed map
• Saved maps
• List of favorite places
Location tagger
• GPS coordinates in camera snapshots*
• Cell coordinates for camera snapshots**
• Cell coordinates for video records**
• Cell coordinates for SMS messages**
* - Available in the EXIF header for almost all models having a GPS receiver. Many messaging and social-media apps strip EXIF on upload, so a photo without GPS tags is not proof that it was taken without a fix.
** - Available in several Nokia smartphones and Sony Ericsson devices

Smartphone as: Web client
Web browser
• Web cache files
• Bookmarks
• Page view history
• Last opened URLs
• Search history
• Cookies
IM client
• IP, login (UID, e-mail) and password*
• Contacts list
• Chat history
• Calls history
* - Available for some IM clients

Smartphone as: PC
Operating system apps
• Camera snapshots
• Video clips
• Voice records
• Sounds and podcasts
• Wi-Fi networks list
• Paired Bluetooth devices list
• Activated SIM cards list
• VPN profiles
3rd-party apps
• List of installed applications
• Office documents
• Application logs & data files

Extraction
What data extraction methods are available for mobile devices?

Standard extraction methods
There are two standard ways to get forensic information from smartphones: logical and physical analysis.
Logical analysis
• Data extracted using common PC-to-mobile communication protocols: AT, OBEX, SyncML
• Smartphone connected to a PC with a standard cable (or Bluetooth/IR adapter)
Physical analysis
• Data extracted by reading memory directly (hex dump)
• Smartphone (or its memory chip only) connected to special hardware

Logical analysis for smartphones
What each protocol exposes:
AT+
• General phone information
• Contacts (simple), calls*, SMS, settings*
Nokia FBUS
• General phone information
• Contacts*, calendar, notes, messages*, files*
OBEX
• General phone information
• Files*
SyncML
• General phone information
• Contacts, calendar, notes, settings*, bookmarks, messages*
* - Available data set is restricted and depends highly on manufacturer implementation

What the device actually holds (the rest of the iceberg): general phone information, contacts, caller groups, custom field labels, speed dials, messages from custom folders, event log, deleted messages information, calls history, service center timestamps, GPS information, location tagged data, settings, web browser data, bookmarks, IM client data, 3rd-party apps, files, calendar, notes.

1) The information extracted by all logical protocols is only the tip of the iceberg
2) All logical protocols were developed for data synchronization, not for evidence collection

Physical analysis for smartphones
What to do with gigabytes of that?
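The two slides above leave a practitioner with two concrete questions: where the "GPS coordinates in camera snapshots" actually sit (the EXIF GPS sub-IFD, tags 0x0001-0x0004 inside the JPEG APP1 segment) and what a first pass over a raw hex dump looks like. The following Python is an added example written for this page, not Oxygen's code: it carves JPEG files out of a dump by their SOI marker, walks the marker segments to the APP1 "Exif" block, parses the TIFF structure and converts the GPS rationals to signed decimal degrees. The dump is constructed inline (one geotagged JPEG and one untagged JPEG between filler bytes); build_sample_jpeg exists only to build that sample and is not something a real device produces.

```python
"""Carve JPEGs out of a raw memory dump and read GPS coordinates from their EXIF
headers.  Added example for this deck, not Oxygen's code.  The dump is a
constructed sample built by build_sample_jpeg(); no real device data is used."""
import struct

TAG_GPS_IFD = 0x8825                        # IFD0 entry pointing at the GPS sub-IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}   # TIFF field types


def read_ifd(tiff, off, end):
    """Return {tag: (type, count, raw value bytes)} for the IFD at offset `off`."""
    n = struct.unpack(end + "H", tiff[off:off + 2])[0]
    entries = {}
    for i in range(n):
        e = off + 2 + 12 * i
        tag, typ, count = struct.unpack(end + "HHI", tiff[e:e + 8])
        raw = tiff[e + 8:e + 12]
        size = TYPE_SIZES.get(typ, 1) * count
        if size > 4:                        # values longer than 4 bytes are stored out of line
            ptr = struct.unpack(end + "I", raw)[0]
            raw = tiff[ptr:ptr + size]
        entries[tag] = (typ, count, raw)
    return entries


def dms_to_degrees(raw, end):
    """Three EXIF RATIONALs (degrees, minutes, seconds) -> decimal degrees."""
    v = struct.unpack(end + "IIIIII", raw[:24])
    d, m, s = (v[i] / (v[i + 1] or 1) for i in (0, 2, 4))
    return d + m / 60 + s / 3600


def gps_from_exif(app1_payload):
    """Parse an APP1 'Exif' payload; return (lat, lon) in decimal degrees or None."""
    if not app1_payload.startswith(b"Exif\x00\x00"):
        return None
    tiff = app1_payload[6:]                 # TIFF header starts after the Exif signature
    end = "<" if tiff[:2] == b"II" else ">" # byte order: 'II' = Intel, 'MM' = Motorola
    ifd0 = read_ifd(tiff, struct.unpack(end + "I", tiff[4:8])[0], end)
    if TAG_GPS_IFD not in ifd0:
        return None
    gps = read_ifd(tiff, struct.unpack(end + "I", ifd0[TAG_GPS_IFD][2])[0], end)
    if GPS_LAT not in gps or GPS_LON not in gps:
        return None
    lat = dms_to_degrees(gps[GPS_LAT][2], end)
    lon = dms_to_degrees(gps[GPS_LON][2], end)
    if gps.get(GPS_LAT_REF, (0, 0, b"N"))[2][:1] == b"S":
        lat = -lat
    if gps.get(GPS_LON_REF, (0, 0, b"E"))[2][:1] == b"W":
        lon = -lon
    return round(lat, 6), round(lon, 6)


def carve_jpegs(dump):
    """Yield (offset, APP1 payload or None) for every JPEG SOI marker in the dump."""
    pos = 0
    while (pos := dump.find(b"\xff\xd8\xff", pos)) >= 0:
        p, exif = pos + 2, None
        while p + 4 <= len(dump) and dump[p] == 0xFF:   # walk the marker segments
            marker = dump[p + 1]
            if marker in (0xD9, 0xDA):      # EOI or SOS: the headers end here
                break
            seglen = struct.unpack(">H", dump[p + 2:p + 4])[0]
            if marker == 0xE1:              # APP1 carries the EXIF block
                exif = dump[p + 4:p + 2 + seglen]
            p += 2 + seglen
        yield pos, exif
        pos += 2


def locate_photos(dump):
    """Return [(offset, (lat, lon) or None)] for every carved JPEG."""
    return [(off, gps_from_exif(exif) if exif else None) for off, exif in carve_jpegs(dump)]


def build_sample_jpeg(lat_dms, lon_dms, lat_ref=b"N", lon_ref=b"E"):
    """Constructed sample: a minimal little-endian EXIF JPEG carrying only GPS tags."""
    gps_off = 8 + 18                        # TIFF header + IFD0 (one entry)
    lat_off = gps_off + 2 + 4 * 12 + 4      # GPS IFD (four entries) ends here
    lon_off = lat_off + 24
    tiff = b"II*\x00" + struct.pack("<I", 8)
    tiff += struct.pack("<HHHII", 1, TAG_GPS_IFD, 4, 1, gps_off) + struct.pack("<I", 0)
    tiff += struct.pack("<H", 4)
    tiff += struct.pack("<HHI", GPS_LAT_REF, 2, 2) + lat_ref.ljust(4, b"\x00")
    tiff += struct.pack("<HHII", GPS_LAT, 5, 3, lat_off)
    tiff += struct.pack("<HHI", GPS_LON_REF, 2, 2) + lon_ref.ljust(4, b"\x00")
    tiff += struct.pack("<HHII", GPS_LON, 5, 3, lon_off) + struct.pack("<I", 0)
    for num, den in lat_dms + lon_dms:
        tiff += struct.pack("<II", num, den)
    payload = b"Exif\x00\x00" + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    # SOS with an empty scan plus EOI: enough structure for a carver, not a viewable image
    return b"\xff\xd8" + app1 + b"\xff\xda\x00\x02" + b"\x00" * 16 + b"\xff\xd9"


# Constructed dump: filler, a geotagged photo at 0x40, junk, then an untagged JPEG.
SAMPLE_DUMP = (b"\x00" * 0x40
               + build_sample_jpeg([(55, 1), (45, 1), (1234, 100)], [(37, 1), (37, 1), (5600, 100)])
               + b"\xa5" * 37
               + b"\xff\xd8\xff\xdb\x00\x04\x00\x00\xff\xd9")

if __name__ == "__main__":
    for off, coords in locate_photos(SAMPLE_DUMP):
        print(f"JPEG at 0x{off:x}: {coords if coords else 'no GPS tags'}")
```

This is the whole pipeline a carver needs and no less: nothing in a raw dump says where file boundaries are, so you search for magic bytes and then validate structure. Real dumps add fragmentation, unallocated copies of deleted photos and thumbnails with their own EXIF blocks; keep the offset of every hit, because that offset is the only provenance the physical method gives you.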
Standard extraction methods: Summary

                 Logical analysis                              Physical analysis
  Coverage       Little information can be extracted          All information can be extracted
  Acquisition    Easy to perform                              Hard to perform
  Analysis       Easy to analyze                              Very hard to analyze
  Cost           Affordable software, no special hardware     Expensive software, special hardware needed

How to extract data without a headache?
In 2002 Oxygen Software introduced a third way: analysis using a special agent application that runs inside the smartphone OS.

                 Logical analysis          Physical analysis         Agent application
  Coverage       Little information        All information           Most of the information*
  Acquisition    Easy to perform           Hard to perform           Easy to perform
  Analysis       Easy to analyze           Very hard to analyze      Easy to analyze
  Cost           Affordable software,      Expensive software,       Affordable software,
                 no special hardware       special hardware needed   no special hardware
* - The Agent can extract all the information available to native OS applications

Agent application usage
• General phone information & SIM card data
• Contacts with all fields and custom field labels
• Caller groups & speed dials
• Event log
• Calendar events
• Tasks & notes
• Messages from standard and custom folders
• Deleted messages information
• Service center timestamp
• Camera snapshots, video clips and voice records
• File system
• GPS & location tagged information
• Web browser cache & bookmarks
• IM clients data
• 3rd-party applications with their information
Out of the Agent's reach (not exposed to native OS applications):
- Protected operating system files
- Memory dump

Afraid of writing to the device?
Comparison of phone content changes when performing analysis using different approaches

  SyncML protocol usage                            Agent application usage
  Setting up sync parameters                       Loading Agent to device
  Installing extra sync add-ons*                   Installing Agent
  Running SyncML server                            Running Agent
  SyncML server generates synchronization log      Uninstalling Agent**
  files
* - Extra sync add-ons may need to be installed to extract some additional information (e.g. MMS)
** - Agent does not generate any log files

Unlike the Agent, a SyncML server is not a forensically designed application and is not under the examiner's full control; it also makes more modifications to the device than the Agent does. Both approaches write to the device, so record every step (tool version, what was installed, when, and what was removed) so the changes can be accounted for in the report.

Summary
Smartphones are a considerable part of the mobile device market
FutureSource Consulting forecasts that, between 2008 and 2013, annual sales of smartphones will rise by 95% to over 300 million, around 37% of all new mobile phones, up from 13% in 2008.

Smartphones store much more forensically relevant information than plain cell phones
Being multiple-in-one devices with an OS that exposes an open API, smartphones are turning into small PCs with large memory, a wide set of preinstalled applications and a huge number of available 3rd-party applications.

Standard extraction methods are less effective for smartphones
All logical protocols were developed for sync purposes, so they extract only the tip of the iceberg. Physical analysis of gigabyte hex dumps takes a lot of time.

Agent application usage is the golden mean
The Agent application approach, introduced by Oxygen Software in 2002, comes close to the completeness of physical extraction. At the same time it works over standard cables and adapters and presents the extracted data in a readable, user-friendly format, much like a logical analysis.
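For the logical path the deck keeps calling the tip of the iceberg, here is what an AT-command extraction concretely yields. This is an added example written for this page, not Oxygen's code: it parses a constructed modem transcript for AT+CGSN (IMEI), AT+CIMI (IMSI), AT+CPBR (phonebook entries) and AT+CMGL in text mode (messages), using the response formats of 3GPP TS 27.007 and 27.005; it also runs the Luhn check over the IMEI and converts the service-centre timestamp, whose time-zone field is expressed in quarter-hours. The transcript, numbers and names are invented, and the two-digit year is assumed to mean 20yy.

```python
"""Parse the responses a handset returns over the AT command channel (3GPP TS
27.007 / 27.005), the simplest of the logical protocols in the deck.  Added
example, not Oxygen's code.  The transcript below is constructed: invented
numbers and names, captured as a terminal would see them after sending
AT+CGSN, AT+CIMI, AT+CPBR=1,3 and AT+CMGL="ALL" in text mode (AT+CMGF=1)."""
import re

SAMPLE_TRANSCRIPT = (
    "AT+CGSN\r\n490154203237518\r\nOK\r\n"
    "AT+CIMI\r\n262011234567890\r\nOK\r\n"
    "AT+CPBR=1,3\r\n"
    '+CPBR: 1,"+441632960123",145,"Alice"\r\n'
    '+CPBR: 3,"01632960456",129,"Bob (work)"\r\n'
    "OK\r\n"
    'AT+CMGL="ALL"\r\n'
    '+CMGL: 1,"REC READ","+441632960123",,"11/09/30,14:05:22+04"\r\n'
    "Meet at 7?\r\n"
    '+CMGL: 2,"STO SENT","+441632960123",,\r\n'
    "On my way\r\n"
    "OK\r\n"
)

# +CPBR: <index>,<number>,<type>,<text>                       (27.007, 8.12)
CPBR_RE = re.compile(r'^\+CPBR: (\d+),"([^"]*)",(\d+),"([^"]*)"$')
# +CMGL: <index>,<stat>,<oa/da>,[<alpha>],[<scts>]  body on the next line (27.005, 3.4.2)
CMGL_RE = re.compile(r'^\+CMGL: (\d+),"([^"]*)","([^"]*)",(?:"([^"]*)")?,(?:"([^"]*)")?')


def split_responses(transcript):
    """Group the transcript into (echoed command, [information lines]) pairs.
    Final result codes (OK/ERROR) carry no data and are dropped."""
    blocks, lines = [], None
    for line in transcript.split("\r\n"):
        if line.startswith("AT"):           # command echo opens a new block
            lines = []
            blocks.append((line, lines))
        elif line in ("OK", "ERROR") or not line or lines is None:
            continue
        else:
            lines.append(line)
    return blocks


def canonical_number(number, toa):
    """Type-of-address 145 means international format; make the '+' explicit."""
    return number if number.startswith("+") or toa != 145 else "+" + number


def imei_checksum_ok(imei):
    """Luhn check over a 15-digit IMEI: a cheap sanity check on AT+CGSN output."""
    if not re.fullmatch(r"\d{15}", imei):
        return False
    total = 0
    for i, ch in enumerate(reversed(imei)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scts_to_iso(scts):
    """27.005 timestamp 'yy/MM/dd,hh:mm:ss+zz' -> ISO 8601.  zz is the UTC offset in
    quarter-hours, a classic source of off-by-hours errors.  The two-digit year is
    assumed to mean 20yy (an assumption of this example, not something the spec says)."""
    m = re.fullmatch(r"(\d\d)/(\d\d)/(\d\d),(\d\d):(\d\d):(\d\d)([+-]\d\d)", scts or "")
    if not m:
        return None
    yy, mo, dd, hh, mi, ss, zz = m.groups()
    minutes = int(zz) * 15
    sign = "-" if minutes < 0 else "+"
    minutes = abs(minutes)
    return f"20{yy}-{mo}-{dd}T{hh}:{mi}:{ss}{sign}{minutes // 60:02d}:{minutes % 60:02d}"


def parse_transcript(transcript):
    """Turn a captured AT session into the small data set AT commands can yield."""
    result = {"imei": None, "imsi": None, "contacts": [], "sms": []}
    for cmd, lines in split_responses(transcript):
        if cmd == "AT+CGSN" and lines:
            result["imei"] = lines[0]
        elif cmd == "AT+CIMI" and lines:
            result["imsi"] = lines[0]
        elif cmd.startswith("AT+CPBR"):
            for m in filter(None, map(CPBR_RE.match, lines)):
                result["contacts"].append({"index": int(m[1]), "name": m[4],
                                           "number": canonical_number(m[2], int(m[3]))})
        elif cmd.startswith("AT+CMGL"):
            it = iter(lines)
            for line in it:
                m = CMGL_RE.match(line)
                if m:                       # header line; the message body follows it
                    result["sms"].append({"index": int(m[1]), "status": m[2],
                                          "address": m[3], "timestamp": m[5],
                                          "text": next(it, "")})
    return result


if __name__ == "__main__":
    r = parse_transcript(SAMPLE_TRANSCRIPT)
    print("IMEI", r["imei"], "Luhn ok" if imei_checksum_ok(r["imei"]) else "Luhn FAIL")
    for s in r["sms"]:
        print(s["index"], s["status"], s["address"], scts_to_iso(s["timestamp"]), s["text"])
```

Compare the result with the inventory earlier in the deck: no custom folders, no deleted messages, no caller groups, no application data, and message bodies that span several lines need more care than this reader gives them. Which storage AT+CPBR reads (SIM or phone) and whether AT+CMGL answers in text or PDU mode depend on AT+CPBS and AT+CMGF respectively, which is the manufacturer dependence the asterisks in the protocol table refer to.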