Introduction to Mobile Forensics Dr. Darren Hayes Pace University

• Computer Forensics is the scientific practice of using digital data in an investigation

• Mobile Forensics is the scientific practice of using digital data, created by a mobile device, in an investigation

Definition • To Prove • Control • Ownership • Intent

What is the Goal? • Computer Forensics is a Part of Security • Computer Forensics is the Examination of Computers • Computer Forensics is used to Solve Computer Crimes • Computer Forensics is about Recovering Deleted Files

Popular Myths Scope of Mobile Forensics • Always On • Personal • Voice & Data • Multimedia • Internet • Tracking • GPS

Importance • Communication through Embedded Chip • Different File System • Different Information • Call Logs • Text Messages • Active Memory Storage • Smaller Onboard Capacity • Locational Data

What’s Different? • 1875 – Alexander Graham Bell Transmits Sounds • 1876 – “Mr. Watson, come here! I want to see you!” • 1885 – AT&T Founded • 1919 – First Rotary Telephone • 1946 – Area Codes Established • 1961 – Touch Tone Released to the Public • 1963 – Push-button Telephone

History • 1973 – First Handheld Cellphone Call • 1982 – Caller ID • 1984 – New AT&T Formed • 1991 – GSM Created

History • Radio Common Carrier • 1960s – 1980s

• Dr. Martin Cooper, , 1973 • 2.2 lbs Phone – First Handheld Mobile

• Wall Street (1987)

History • 1983 – DynaTAC Cellphone Released by Motorola • 1 lb • 9.5 Inches Tall • 10 Hours to Charge • 60 Mins. Talk Time • $3,995

History • Push-to-talk (1993) • Motorola StarTAC (1996) • RIM BlackBerry (1999) • Two-way Pager • Motorola RAZR (2003)

History • Hardware → Cellebrite Universal Memory Exchanger (UME) • Wireless Retailers • Software → Personal Investigations • Cheating Spouses

History – Mobile Forensics 1995 • Subscribers: 28.1 million • Call Minutes: 31.5 billion 2011 • Subscribers: 327.6 million • Call Minutes: 2.2 trillion (6 billion Call Mins. per Day) • Text Msgs: 5.7 billion per Day • Cell Towers: 250,000 • 29.7% of Households are Wireless Only

Statistics (Source: CTIA) Case Studies • Higinio O. Ochoa • Aged 30 • Linux Administrator • Accused of Being a Part of CabinCr3w • Arrested by FBI • EXIF Data from iPhone • Melbourne, Australia • Led Investigators to Ochoa’s Facebook Page

iPhone Michael Jackson Murder Investigation • Conrad Murray Recorded Jackson’s Last Words on iPhone • Judge Ruled that 4-Minute Audio File Was Admissible

Conrad Murray Trial Stolen iPhone • April 2012 – iPhone Stolen on Disney Wonder Cruise • Victim – Katy McCaffrey • Photos Automatically Uploaded to iCloud Photo Stream Account • Photos of “Nelson” & Co-workers Uploaded to McCaffrey’s Facebook & Sent to Disney

Stolen iPhone Times Square Shooting • August 18, 2012 – Knife-wielding Man Runs through Times Square • NYPD Runs after Suspect: Darrius Kennedy, 51 • Bystanders Run Alongside Police with Cellphone Cameras Recording Action • Suspect Shot Dead by Police • Videos Uploaded to YouTube, Facebook, News Networks • Smartphones Seized by Police

Times Square Shooting • Precrime creeps closer to reality, with predictive smartphone location tracking • http://www.extremetech.com/computing/134422-precrime-creeps-closer-to-reality-with-predictive-smartphone-location-tracking • Localscope App • http://www.cynapse.com/localscope

Smartphone Intelligence • Brooklyn Quality of Life App • http://www.cbsnews.com/8301-504083_162-57492217-504083/new-smartphone-application-allows-people-to-report-crimes-to-authorities/ • FBI Child ID App • http://www.fbi.gov/news/news_blog/the-child-id-app-on-android

Law Enforcement Assistance • Forensic Computer Examiner Quick Reference Guide App • International Association of Computer Investigative Specialists (IACIS)

Forensics on Your Smartphone • Cellular Network – Group of Cells • Cell – Geographic Area • Cell Site – Tower or Antenna

Cellular Network • Cell Tower • Radio Mast • Transmits/Receives Radio Signals • Often has 3 Sectors • 200 Feet High • Encrypts/Decrypts Traffic • Often Used by Multiple Carriers Cell Sites

[Figure labels: Receiver, Receiver, Transmitter]

Antenna Panel • Mobile Equipment (Handset) • Subscriber Identity Module (SIM) • GSM Networks • IMEI Identifies Mobile Equipment on GSM Cellular Network

Mobile Station • Power On Cellphone • On Keypad, Type *#06#

Practical – Locate IMEI • Open Browser • URL: www.antennasearch.com • Type: 1600 Pennsylvania Ave NW • Type: Washington, DC • Type: 20006

Practical • Call & Mapping Analysis • http://www.cellanalyst.com/ • Using Cell Site Analysis Evidence in Criminal Trials • http://www.justice.gov/usao/eousa/foia_reading_room/usab5906.pdf • Request Data in Parsed Excel Format • Request Keys to Tower Codes • Free Mapping • http://batchgeo.com/

Cell Site Analysis (CSA) • Subscriber Records • Call Detail Records (CDR) • Phone Numbers Called/Received • Duration • Dates • Times • Cell Sites • Quadrant

Carrier Evidence • Mobile Equipment (Handset) • Subscriber Identity Module (SIM) • International Mobile Equipment Identity (IMEI) • Analysis of IMEI: www.numberingplans.com & trackimei.com • Dial *#06# on Cellphone • Type Allocation Code (TAC) – Initial 6 to 8 Digits of IMEI • http://www.nobbi.com/tacquery.php

Mobile Station (GSM) • Mobile Equipment (Handset) • Electronic Serial Number (ESN) • 2005: Mobile Equipment Identifier (MEID) • www.meidconverter.com • Subsidy Lock (SPC) – Confines User to One Network

Mobile Station (CDMA) • Mobile Equipment (ME) • FCC-ID • Federal Communication Commission (FCC) • http://transition.fcc.gov/oet/ea/fccid/ • www.phonescoop.com • www.gsmarena.com

Mobile Station • SIM Card • Identifies Subscriber on a Network • Contains IMSI

GSM • GSM & iDEN (Motorola) • Swapped Out with Unlocked Phones • International Mobile Subscriber Identity (IMSI) • Mobile Country Code (MCC) • First 3 Digits of IMSI • Mobile Network Code (MNC) • Next 2 to 3 Digits • Mobile Subscriber Identity Number (MSIN) • Last 10 Digits

SIM • Integrated Circuit Card ID (ICCID) • 19 to 20 Digits • Printed on SIM • Major Industry Identifier (MII) • First 2 Digits • www.numberingplans.com
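The identifier layouts from the Mobile Station and SIM slides, as an added Python example that is not part of the original deck. It assumes the common 15-digit IMEI with an 8-digit TAC and a Luhn check digit (also used on ICCIDs), and that the examiner supplies the MNC length; all sample values are constructed.

```python
def luhn_valid(digits: str) -> bool:
    """Luhn check over a digit string whose last digit is the check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def only_digits(value: str) -> str:
    """Drop the dashes and spaces identifiers are often printed with."""
    return "".join(c for c in value if c.isdigit())

def parse_imei(imei: str, tac_len: int = 8) -> dict:
    d = only_digits(imei)
    if len(d) != 15 or not 6 <= tac_len <= 8:
        raise ValueError("expected a 15-digit IMEI and a 6 to 8 digit TAC")
    return {"tac": d[:tac_len], "serial": d[tac_len:14],
            "check_digit": d[14], "luhn_ok": luhn_valid(d)}

def parse_imsi(imsi: str, mnc_len: int) -> dict:
    d = only_digits(imsi)
    if not 6 <= len(d) <= 15 or mnc_len not in (2, 3):
        raise ValueError("IMSI is at most 15 digits; MNC is 2 or 3 digits")
    return {"mcc": d[:3], "mnc": d[3:3 + mnc_len], "msin": d[3 + mnc_len:]}

def parse_iccid(iccid: str) -> dict:
    d = only_digits(iccid)
    if len(d) not in (19, 20):
        raise ValueError("ICCID is 19 to 20 digits")
    return {"mii": d[:2], "luhn_ok": luhn_valid(d)}

if __name__ == "__main__":
    # Constructed sample values, not taken from any real device or SIM.
    print(parse_imei("49-015420-323751-8"))
    print(parse_imsi("234150123456789", mnc_len=2))
    print(parse_iccid("8901260123456789011"))
```

A failed Luhn check on an IMEI read from a label or a report usually points to a transcription error, so it is worth checking before querying a TAC database.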

SIM • Code Division Multiple Access (CDMA) • Developed during WWII • Patented by Qualcomm • Users Share a Band of Frequencies • Verizon & Sprint • No SIM • Same Phone Model: GSM or CDMA • Motorola RAZR

CDMA • Code Division Multiple Access (CDMA) • Spread-Spectrum Communications Protocol • Wide Band Width • Multiplexing Techniques • Fiber Optic • Verizon • Sprint • CDMA2000 – 3G

CDMA • Mobile Network Operator (MNO) • Owns an RF Spectrum License • 4 Carriers • AT&T/Cingular (GSM) • T-Mobile (GSM) • Verizon (CDMA) • Sprint/Nextel (CDMA)

Mobile Phone Network Operators • Mobile Virtual Network Operator (MVNO) • Provides Service • No Licensed Frequency of Radio Spectrum • Purchase Minutes of Use (MOU) • Do Not Own SIM Cards • Example: Virgin Mobile USA (Sprint Nextel) • 100+ Carriers

Mobile Phone Network Operators • 90% of the World has No Cellular Coverage • Solution → Satellite Phones • DeLorme

Satellite Phones • Apple • iOS • Google • Android • Nokia • Symbian • Samsung • Bada • Research In Motion • RIM OS • Microsoft • Windows 7 Operating Systems • 2011: Tablet Sales – 60 Million Units Worldwide • 2012: Tablet Sales – 119 Million Units Worldwide

Statistics (Gartner) [Chart: tablet sales by OS (iOS, Android, Microsoft) for 2011, 2012, 2013, 2016]

Tablet Sales Projections • Q1: 2012 – 419 Million Mobile Phone Units Sold

Statistics (Gartner) [Chart comparing 1Q 2011 and 1Q 2012]

Statistics (Gartner) • Samsung Galaxy S III • 2012 Estimated Sales → 30+ Million Units

Samsung • January 2010 – Nexus One (N1) Released • Developed by HTC • Unlocked • Sold Directly by Google • Nexus S • Developed by Samsung • WiFi Hotspot Capability • Internet Calling • Near Field Communication (NFC) • Galaxy Nexus Coming Soon with Jelly Bean 4.1

Google Nexus • Close Proximity Radio Communication • Based on RFID Standards • Formed by Sony, Nokia, Philips • Google Wallet • Credit Cards • Loyalty Cards • MasterCard PayPass • Public Transportation Ticketing

Near Field Communication (NFC) • Usage: • Payment System • Social Media • Hotel Keys

Near Field Communication (NFC) [Pie chart; legend: Android, iOS, Symbian, Research In Motion, Bada, Microsoft; slice labels: 7.0%, 2.7%, 1.9%, 8.7%, 23.1%, 56.6%]

Q1 – 2012 OS Market Share • Networks: • GSM • iDEN • CDMA • Devices: • Smartphones • Tablets • eReaders • App Market • 700,000+ Android • Samsung, LG, Motorola, etc. • Samsung Galaxy Tab • Amazon Kindle

Android Devices • Cache.wifi • Captures WiFi Connections • Do Not Need to Connect to Record • Can Be Mapped • Fb.db • Facebook • Contacts • Chat Logs • Messages • Photos • Searches

Evidence • Emailprovider.db • Path: /data/data/com.android.email/databases/EmailProvider.db • Exchange Login & Password in Plaintext • HostAuth • Gmail Login & Password in Plaintext

Evidence • Da_destination.db • Turn-by-Turn Navigation • .WAV Files Stored

Evidence • SMS & MMS • Path: /data/data/com.android.providers.telephony • Contains: • Sender & Recipient • Read Status • Pictures • Audio/Video • MMS • Path: /data/data/com.android.mms

Evidence • PIN-Protect • Numeric • Password • Alpha/Numeric/Character • Pattern Lock • Gesture

Device Security • gesture.key • Pattern-Lock Protection • Finger Swipe • Path: data/system/gesture.key • Hashed with SHA-1 Hash Algorithm • Recover Pattern with Online Tools or Rainbow Tables
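Why a lookup table is practical for gesture.key, as an added Python example that is not part of the original deck: it counts every pattern the 3x3 lock grid allows. The dot numbering (0 to 8, row by row), the 4-dot minimum and the unsalted SHA-1 over the dot indices are assumptions based on the legacy Android pattern lock, not details given on the slides.

```python
import hashlib

def midpoint(a: int, b: int):
    """Return the dot lying exactly between dots a and b, or None."""
    (r1, c1), (r2, c2) = divmod(a, 3), divmod(b, 3)
    if (r1 + r2) % 2 == 0 and (c1 + c2) % 2 == 0:
        return ((r1 + r2) // 2) * 3 + (c1 + c2) // 2
    return None

def count_patterns(min_len: int = 4, max_len: int = 9) -> dict:
    """Count valid patterns per length; a dot cannot be jumped over unless already used."""
    counts = {n: 0 for n in range(min_len, max_len + 1)}

    def walk(last: int, visited: int, length: int) -> None:
        if length >= min_len:
            counts[length] += 1
        if length == max_len:
            return
        for nxt in range(9):
            if visited & (1 << nxt):
                continue                      # each dot is used at most once
            mid = midpoint(last, nxt)
            if mid is not None and not visited & (1 << mid):
                continue                      # would skip over an unused dot
            walk(nxt, visited | (1 << nxt), length + 1)

    for start in range(9):
        walk(start, 1 << start, 1)
    return counts

def pattern_digest(dots) -> str:
    """Unsalted SHA-1 over the dot indices (assumed legacy gesture.key layout)."""
    return hashlib.sha1(bytes(dots)).hexdigest()

if __name__ == "__main__":
    counts = count_patterns()
    print(counts, "total:", sum(counts.values()))
    print(pattern_digest([0, 1, 2, 5]))       # constructed sample pattern
```

With no salt, the same pattern produces the same digest on every device, so the whole keyspace fits in one small precomputed table.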

Security • pc.key • Password Protection • Path: data/system/pc.key • Recover with Brute Force or Dictionary Attack • Most Difficult to Break

Security • PIN • Maximum of 8 Digits • After Unsuccessful Attempts → Enter Gmail Login & Password

Security Questions