A Platform Independent Investigative Process Model for Smartphones
Total Page:16
File Type:pdf, Size:1020Kb
A platform independent investigative process model for smartphones By Frances Chevonne Dancer A Dissertation Submitted to the Faculty of Mississippi State University in Partial Fulfillment of the Requirements for the Degree of Doctor of Philosophy in Computer Science in the Department of Computer Science and Engineering Mississippi State, Mississippi December 2012 Copyright by Frances Chevonne Dancer 2012 A platform independent investigative process model for smartphones By Frances Chevonne Dancer Approved: _________________________________ ______________________________ David A. Dampier Rayford Vaughn Professor of Computer Science and William L. Giles Distinguished Engineering Professor of Computer Science and (Director of Dissertation) Engineering (Committee Member) _________________________________ ________________________________ J. Edward Swan II Yoginder Dandass Professor of Computer Science and Associate Professor of Computer Engineering Science and Engineering (Committee Member) (Committee Member) _________________________________ ________________________________ Edward Allen Sarah A. Rajala Associate Professor of Computer Dean of the Bagley College of Science and Engineering Engineering (Graduate Coordinator) Name: Frances Chevonne Dancer Date of Degree: December 15, 2012 Institution: Mississippi State University Major Field: Computer Science Major Professor: Dr. David A. Dampier Title of Study: A platform independent investigative process model for smartphones Pages of Study: 181 Candidate for Degree of Doctor of Philosophy A properly conducted forensic examination is one of the most fundamental aspects of a digital investigation. Examiners are obligated to obtain the skills necessary to use forensic tools and methodologies and rely on sound judgment when analyzing a digital device. Anytime during this process, the quality of the methods, skills, and expertise of the examiner may be challenged, thus, placing the forensic value of the evidence collected during the process in jeopardy. In order to combat the potential challenges posed as a result of the forensic examination process, the digital forensics community must ensure that suitable protocols are used throughout the analysis process. Currently, there is no standard methodology forensic examiners use to analyze a digital device. Examiners have made use of a model derived from the Digital Forensic Research Workshop in 2001 and the application of ad-hoc techniques has become routine. While these approaches may reveal potential data of evidentiary value when applying them to digital devices, their core purpose specifically involves the analysis of computers. It is not clear how effective these methods have been when examining other digital technologies, in particular Small Scale Digital Devices (SSDDs). Due to these mitigating factors, it is critical to develop standard scientifically sound methodologies in the area of digital forensics that allow us to evaluate various digital technologies while considering their distinctive characteristics. This research addresses these issues by introducing the concept of an extendable forensic process model applicable to smartphones regardless of platform. The model has been developed using the property of invariance to construct a core components list which serves as the foundation of the proposed methodology. This dissertation provides a description of the forensic process, the models currently used, the developed model, and experiments to show its usefulness. DEDICATION First and foremost, I would like to give thanks to my Lord and Savior Jesus Christ, for with Him all things are possible. This research is dedicated to my family and the late Mr. Earl Thomas. ii ACKNOWLEDGMENTS The author wishes to express gratitude to the many people for all of their support and guidance throughout this process. Beginning with my husband, Mr. Daniel Keith Lopez Dancer, I would like to say thank you for all of the support and encouragement you have given me throughout the years. You never made it seem as if I neglected my family obligations, even though I did at times. Next, I would like to thank my entire family; you all have been my rock since the beginning of this process and without you, this would never have come to fruition. Dr. Dave A. Dampier, I would like to tell you how much I really appreciate you for supporting and guiding me through my educational, professional, and personal challenges. I would also like to thank Dr’s Vaughn, Swan, and Dandass for serving as my committee members and offering invaluable advice regarding this research. This section would not be complete without thanking the following people: Dr. Gordon Skelton, Director of the Center for Defense Integrated Data and Chair of the Department of Computer Science at Jackson State University; Mr. Chris Staten, mentor, Dr. Peggy West, Instructor of Mathematics and Computer Science at Mississippi Gulf Coast Community College Jefferson Davis Campus and mentor; Dr. Ora Rawls, Security Officer at Jackson State University and mentor; Dr. Evelyn Leggette, Dean of Undergraduate Studies at Jackson State University and mentor. I would also like to thank all of my colleagues, past and present at the following state agencies: the Mississippi iii Department of Environmental Quality (MDEQ), Mississippi Gulf Coast Community College, Jackson State University, and the Center for Defense Integrated Data. iv TABLE OF CONTENTS Page DEDICATION .................................................................................................................... ii ACKNOWLEDGMENTS ................................................................................................. iii LIST OF TABLES ........................................................................................................... viii LIST OF FIGURES ........................................................................................................... xi I. INTRODUCTION ...................................................................................................1 1.1 Digital Forensics 3 1.1.1 Computer Crime vs. Digital Crime 5 1.1.2 Small Scale Digital Device Forensics 9 1.2 Digital Forensic Investigative Process 13 1.2.1 Documentation 15 1.2.2 Validation 16 1.2.3 Preservation 18 1.2.4 Identification 18 1.2.5 Collection 19 1.2.6 Analysis 22 1.2.7 Interpretation 24 1.2.8 Presentation 25 1.3 Motivation 26 1.4 The Initial Proposal Plan 30 1.4.1 Methodology and Key Elements 33 1.4.1.1 Review investigative process models and related computer forensics literature. 33 1.4.1.2 Identify candidate devices and obtain them for analysis. 33 1.4.1.3 Compare the characteristics of each device to identify the invariant properties. 33 1.4.1.4 Conduct experiments using the devices obtained. 34 1.4.1.5 Construct new process model for smartphones 34 1.4.1.6 Evaluate the potential effectiveness of the proposed model 35 1.4.1.7 Publish the findings. 35 1.4.2 Hypotheses 35 II. RELATED WORK ................................................................................................37 v 2.1 Digital Investigative Process Models 37 2.1.2 Objectives Based Approach 40 2.1.3 Physical Crime Scene Based Approach 44 2.1.4 Technology Specific Approach 49 2.1.5 Based on Information Flows 53 2.1.6 Cost-Effective Based Approach 55 2.1.7 Legal Approach 58 2.1.8 Technologically and Crime Independent Approach 63 2.2 Invariance 65 2.2.1 Invariants in Mathematics 65 2.2.2 Invariants in Computer Science 68 2.2.3 Applying Invariants to Digital Forensics 69 2.3 Smartphone OS Architectures 70 2.3.1 Linux 70 2.3.2 Windows 71 2.3.3 Palm 74 2.3.4 Symbian 76 2.3.5 RIM 77 2.3.6 Generic Hardware Architecture 79 III. PROPOSED MODEL ............................................................................................81 3.1 Invariance in Smartphone Forensics 81 3.2 PIFPM 85 IV. RESEARCH DESIGN ...........................................................................................94 4.1 Research Questions 94 4.1.1 Qualitative Case Study 97 4.1.2 Experimental Study Design 110 4.1.3 Experimental Analysis Results 115 4.1.4.1 Experiment 1: File Size Difference 115 4.1.4.2 Experiment 2: Average Change in File Content 128 4.1.4 Modified PIFPM 138 4.1.5 Qualitative Study Design 141 4.1.6 Qualitative Analysis Results 142 V. CONCLUSIONS..................................................................................................161 5.1 Contributions 161 5.2 Publications 163 5.3 Recommendations for Future Work 163 REFERENCES ................................................................................................................165 APPENDIX A: Pre Survey ..............................................................................................170 APPENDIX B: Post Survey .............................................................................................173 APPENDIX C: Qualitative Study Participant Form ........................................................176 vi APPENDIX D: Informed Consent Form .........................................................................178 vii LIST OF TABLES 2.1 DFRWS Framework ...................................................................................... 38 2.2 Levels of Proof .............................................................................................. 59 3.1 Omnia Specifications ..................................................................................... 82 3.2 Storm Specifications .....................................................................................