IST 454: Computer and Cyber Forensics
Mobile Forensics
Introduction
Mobile devices are more affordable and commonplace in the workplace. They provide highly
mobile data storage in addition to computational and networking capabilities for managing
appointments and contact information, reviewing documents, communicating via electronic mail,
and performing other tasks. Individuals can store and process personal and sensitive information
independently of a desktop or notebook computer, and optionally synchronize the results at some
later time. As digital technology evolves, the capabilities of these devices also continue to
improve rapidly, taking advantage of new forms of removable media, faster processors that
consume less power, touch screens with higher pixel resolution, and other components designed
specifically for mobile devices. More and more handheld devices are involved in crimes or
incidents; therefore, how to properly acquire, retrieve, and examine information present on
mobile devices has become a major concern for digital forensics.
Objectives

Become familiar with the process of synchronizing data between a handheld device and
an investigating computer.

Use software for mobile forensic analysis.

Explore the capabilities and limitations of a mobile forensic toolkit.
Remember to read the report requirements at the end of this document to see what you need to
hand in to the instructor.
This lab is to be completed as a team. The report is to be written as a team.
Configuration

A virtual forensic computer will be used for this exercise.

A virtual Mobile Phone will be used as the suspect handheld device.

Microsoft ActiveSync will be used to synchronize data between the virtual mobile
phone and the forensic computer. The tool has been properly installed on the forensic
computer.

A demo version of the PDA forensics tool will be used to conduct the investigation. You
need to follow the instructions and download the tool from the virtual server and install it.

Five testing files in different formats have been created and stored in the virtual machine
for use in this lab. Please use these files for learning and practice.

The following instructions show a real-world scenario of mobile forensic analysis.
Testing Data Files:
1. Note File: Meeting August 1
2. Graphic Files: DC400.gif; rfid-tag-key-fob.jpg
3. Word File: RFID Life Cycle.doc
4. Text File: Team.txt
Instructions
Three tasks outlined below need to be completed.
Task 1 – Connect Virtual Mobile Phone

Step 1. Click “Start -> All programs -> Windows mobile 6 SDK -> Standalone Emulator
Images -> US English -> Standard” to launch the virtual mobile phone.

Step 2. Wait until the mobile phone fully starts up (The phone’s screen will show the time
and day). Click “dvcemumanager” on the desktop. Then, follow the figure below; right click
the item under “others”, and select “Cradle” to connect the mobile device.
Task 2 - Synchronize Data between Mobile Device and Computer.
Sub-Task 1: Use the ActiveSync utility

Step 1: “Microsoft ActiveSync” will launch automatically. If not, activate Microsoft
ActiveSync ... from Start and then Program menu. If it asks to set up a partnership, click
“cancel” to get into the “Guest Partnership”.

Step 2: Browse the ActiveSync tool to become familiar with the mobile device version of
“Explore.” Click on “Explore”.

Step 3: Copy the five testing files from your VM desktop “My Documents\ Labs\ Mobile
Forensics\Testing” folder to the mobile device as dictated below. Perform the following
tasks, observe and record the response of the devices.
- Store the Note File, Meeting August 1, under “Templates” folder.
- Store the other four files in the “My Pictures” folder
Q2.1: What are the major differences between “Standard” and “Guest” partnerships? Why is it
more appropriate to use a Guest partnership to acquire data from a handheld device?
Q2.2: What happens when you copy files from a PC to a mobile device? Why is there a need
to do so?
Sub-Task 2: Become familiar with the Pocket PC.

Step 1: Explore the virtual Pocket PC menu and learn how to use it. Explore “Start” and “File
Explorer”, and verify that the files were copied successfully.

Step 2: Learn how to add, copy and delete files in a mobile device:
- Delete the file, DC400.gif, from the “My Pictures” folder
- Delete the file, Team.txt, from the “My Pictures” folder
- Create a contact in the mobile device (Hint: Click “Start” and then “Contacts”)
Task 3: Mobile Forensics
Sub-task 1: Download and install mobile device forensics software.

Step 1: Make sure that the mobile device, ActiveSync and the forensic computer are still
connected (synchronized).

Step 2: Connect to the server by clicking Start -> Run and entering \\192.168.0.3. Download and
install “PocketPCForensicDemo”. This file is in the “public” folder > “software tools.”
Sub-task 2: Mobile device forensics software.
The mobile device forensic software will generate a report for your analysis.

Step 1: Launch the software “Data Doctor Forensic Software”. Click on “Start” button.

Step 2: Fill in the information table, and then click “Next”.

Step 3: Select all the options: “Files”, “Database”, “OS Registry”, and “Phone Informations”, and
save the reports to the desktop for your analysis.

Step 4: Click “Analyze,” and wait for it to finish the analysis process.

Step 5: Select “Generate report of selected fields” and select “All”, and then generate an
HTML-format report. Click “Save” to save the reports to the desktop for your analysis.
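
One way to check the saved HTML report against what Task 2 put on the device, as an added example that is not part of the original lab or of the forensic tool. The report's markup is an assumption (the sample below is constructed), so the script only searches the report's visible text for the five test file names; `EXPECTED`, `classify` and the finding labels are names introduced here.

```python
from html.parser import HTMLParser

# Expected device state after Task 2, taken from the lab steps:
# file name -> (folder it was copied to, deleted in Sub-Task 2 Step 2?)
EXPECTED = {
    "Meeting August 1":     ("Templates",   False),
    "DC400.gif":            ("My Pictures", True),
    "rfid-tag-key-fob.jpg": ("My Pictures", False),
    "RFID Life Cycle.doc":  ("My Pictures", False),
    "Team.txt":             ("My Pictures", True),
}

class _TextOnly(HTMLParser):
    """Collect visible text so the check does not depend on the report's markup."""
    def __init__(self):
        super().__init__()
        self.chunks = []

    def handle_data(self, data):
        self.chunks.append(data)

def report_text(html):
    parser = _TextOnly()
    parser.feed(html)
    parser.close()
    # Collapse whitespace so names wrapped across lines still match.
    return " ".join(" ".join(parser.chunks).split()).lower()

def classify(html):
    """Return one finding per test file, based on whether the report mentions it."""
    text = report_text(html)
    findings = {}
    for name, (_folder, deleted) in EXPECTED.items():
        listed = name.lower() in text
        if deleted:
            findings[name] = "deleted-but-listed" if listed else "deleted-not-listed"
        else:
            findings[name] = "listed" if listed else "MISSING"
    return findings

# Constructed sample; the real report's layout is not shown in the lab handout.
SAMPLE_REPORT = """<html><body><h2>Files</h2><table>
<tr><td>\\Templates\\Meeting August 1</td></tr>
<tr><td>\\My Documents\\My Pictures\\rfid-tag-key-fob.jpg</td></tr>
<tr><td>\\My Documents\\My Pictures\\RFID Life
 Cycle.doc</td></tr>
</table></body></html>"""

if __name__ == "__main__":
    for name, finding in classify(SAMPLE_REPORT).items():
        print(f"{finding:20} {name}")
```

A "MISSING" finding means a file that should still be on the device is absent from the report, and "deleted-but-listed" means a deleted file still leaves a trace in it.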
Q3.1: Analyze the report. What information can you get from the report?
Q3.2: What is the limitation of this program?
Q3.3: Indicate three other popular mobile device forensics software tools and discuss their
differences.
Team Report:
The group report is to show what you did in the project. Clearly state your results of this project.
You are expected to hand in a report in the following format:
- A cover page (including project title) with team name and team members
- A table of contents with page numbers
- Use double-spaced typing for convenient grading
- Number pages. Font size 12, Single column
- Save the Microsoft Word document with the team name in the title. Upload the document
into the appropriate ANGEL dropbox.
The report should have the following sections. Each section should cover all the topics described
below. Take screenshots if it is necessary.
Section I: Answer the 5 questions embedded throughout the document.
- Q2.1, Q2.2
- Q3.1, Q3.2, Q3.3
Section II: Provide screenshots of the following items:
Screenshot 1 - Task 2 – Subtask 2 – Step 1 – Take a screenshot of the successful transfer
of the 4 files you transferred into the mobile phone under “My Pictures.”
Screenshot 2 – Task 3 – Subtask 2 – Step 5 – Include a copy of the generated report.
Grading Rubric:
This project has a number of specific requirements. The requirement for each section is
documented in the above project instruction “Team Report.” Whether you will get credit depends
on the following situations:
- You will get full credit on one item, if it is correctly reported as required and well written.
- You will get half credit on one item, if it is reported as required but there is something
definitely wrong.
- You will not get any credit for one item, if it is not reported.
The credit for each section is as follows.
1. Section I: 5 Questions (75%):
- Each item is worth 15%
2. Section II: 2 Screenshots (25%)
- Item 1 is worth 10%
- Item 2 is worth 15%
Note
This is a team project. Be sure to include the names of all the teammates and all their email
addresses in the report. The report should be turned in before class on the specified due date.
Late submissions will be issued a grade deduction especially if permission is not obtained from
the instructor. The instructor reserves the right to grant or reject extra time for report completion.