Running Head: MOBILE DEVICE FORENSICS 1

Running head: MOBILE DEVICE FORENSICS 1

Mobile Device Forensics

By: Vicki Holzknecht

East Carolina University

Running head: MOBILE DEVICE FORENSICS 2

Abstract In 2015, Gartner expects personal computer shipments to be estimated at 268 million, on the other hand mobile device shipments is roughly around 2 billion shipments (Rivera, van der M., 2014). Businesses when adopting the Bring Your Own Device (BYOD) platform, face head on securing private information from prying eyes. However, disgruntled employees can erase videos, pictures, text messages, or corporate data that could be used as evidence to implicate the user for any wrongdoings. Retrieving any type of data, forensics experts use mobile forensic tools that are designed to penetrate and analyze deep into the heart of the mobile devices hardware and software, recovering data that was thought to be lost.

Keywords: Mobile Forensics, Extractions, Software Recovery Tools

Running head: MOBILE DEVICE FORENSICS 3

Mobile Device Forensics

Introduction

Mobile technology has come a long way since World War II, soldiers were shouldering a twenty- five pound phone that had spotty reception and was limited to a range of five miles (Meyers, 2011). Fast- forwarding to present day, mobile phones are so compact, they can now fit into shirt pockets, purses, and coverage is nationwide and even international depending on the carrier. The advancement of mobile technology has allowed employees to perform what was once considered office environment task, can now be completed while on the go such as making calls, e-mailing, instant messaging / text messaging, setting up calendar events, storing contacts, and working on presentations, etc. Mobile devices are interwoven into the consumer’s daily life whether it is personal or work usage. What consumers do not realize is the mobile devices are really just a treasure trove of data; law enforcement can use in a court of law. Digital evidence is found in eighty percent of today’s civil, criminal, and domestic prosecutions,

(Daniel, n.d.), this should not be a surprise when there is approximately 6.8 million mobile devices around the globe (Moshe, 2014). During a NIST Mobile Forensics Webcast Richard Ayers noted that 2.5 trillion text messages are sent per year (Ayers, 2014). Many users are under the assumption that once a text message is deleted or removed from a device it is non-retrievable. Paul Luehr part of a cybercrime expert team recently retrieved a years worth of text messages, even after the device had been erased

(Kaneshige, 2014).

Mobile Device Forensics Defined

The recovery of digital evidence using forensically sound and proven methods of acceptance is known as mobile device forensics (Barmpatsalou, Damopoulos, Kambourakis, Katos, 2013). Mobile forensics falls underneath the umbrella of the digital forensic sciences. Digital forensic science is defined as:

Running head: MOBILE DEVICE FORENSICS 4

“The use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources… (Palmer, 2001).”

The National Institute of Standards and Technology published a revised document 800-101:

“Guidelines on Mobile Device Forensics” updating any information that is no longer prevalent to the field, because of continual changes in mobile technology (Ayers, Brothers, Jansen, 2014). The Guide on

Mobile Device Forensics is drafted to be a reference tool that forensic analysts could use to become acquainted with common mobile technologies, and common industry procedures. For evidence to not be dismissed in a court of law sound methods much be exercised (Tassone, Martini, Choo, Slay, 2013).

NIST clearly states, that the 800-101 guide is to be used explicitly as a reference manual, NOT to be misconstrued as a step-by-step model for lawful advice (Ayers, Brothers, Jansen, 2014).

Types of Data

According to a survey observing statistics from January to March in 2014 by a mobile measurement platform Flurry; American’s spend 162 minutes per day on their device (Soper, 2014); hence the amount of evidence that can be discovered and recovered. Table 1 below lists various sources that can be used as evidence for investigations:

Contacts Call log (Time Stamps, Incoming, Outgoing, and Missed Electronic Email Text Messages (MMS, SMS) Photos Internet Browsing Cache

GPS Coordinates Social Network Data (Facebook, Twitter, etc) Calendar Documents

Video/Audio Removable Media Cards

Instant Messengers Subscriber Identifiers (Skype, Facebook Chat)

Running head: MOBILE DEVICE FORENSICS 5

Equipment Gaming Data (Applications) Identifiers Table 1 Types of Evidence (Ayers, 2014)

Hardware Two of the most ubiquitous mobile operating systems used today are Android and iOS, both having conventional hardware architectural frameworks. Each device holds a microprocessor, memory

(ROM, RAM), liquid crystal display, keyboard, touchscreen capabilities and a digital signal processor

(Al-Zarouni, 2006) just to mention a few. Read Only Memory (ROM) and Random Access Memory

(RAM) is a key factor when collecting digital evidence off of a mobile device. Random Access Memory is temporary memory that stores information when performing a certain task; Read Only Memory, is the mobile devices internal memory (Gonzalez, Hung, Friedberg, 2011). RAM is volatile memory, meaning if the device battery depletes all the way, or the investigator inadvertently shutdowns the device, potential evidence (data) that was stashed in RAM is non-recoverable; it is the most difficult to accurately capture

(Ayers, Brothers, Jansen, 2014). The device being powered off does not affect non-volatile memory

ROM.

Subscriber Identity Modules, known as SIM cards is used to authenticate the mobile device to the carriers cellular network, and storing data about the users identity (Gonzalez, Hung, Friedburg, 2011).

There are several cellular networks, two that are used more so than others Code Division Multiple Access

(CDMA) and Global System for Mobile Communications (GSM) (Murray, n.d.). CDMA devices are assigned a 32 bit electronic serial number (ESN) or Mobile Equipment Identifier (MEID), embedded on a protected chip, identifying the manufacturer and the serial number (Ayers, Brothers, Jansen, 2014). A

GSM device uses the International Mobile Equipment Identity (IMEI), which is a 15-digit number that identifies the manufacturer, model and the country allowing the devices (Ayers, Brothers, Jansen, 2014).

If the device is turned on an examiner documenting every step made, can go onto an iOS device select

Settings, General, and then About to discover more device information that can be researched. Figures 2 and Figures 3 shows a screenshot of an iPhone 4 and an iPhone 6-device label:

Running head: MOBILE DEVICE FORENSICS 6

Figure 2 iPhone 4 Device Label (Holzknecht, 2015)

Figure 3 iPhone 6 Device Label (Holzknecht, 2015)

Forensic experts can use online databases such as International Numbering Plans1 to look up

IMEI’s if they are uncertain of manufacturer and or model of the device. Under a free account, a forensic expert can analyze up to twenty devices for approximately eight months. Figure 4 is an example of returned information from the International Numbering Plans analysis tool:

1 https://www.numberingplans.com

Running head: MOBILE DEVICE FORENSICS 7

Figure 4 iPhone 6 IMEI Lookup (Holzknecht, 2015)

Phone Scoop2 a collective database on mobile phones where specifications and device features can be found (Ayers, Brothers, Jansen, 2014). It is advisable to obtain current documentation or a user manual on the device before it is to be analyzed (SWGDE, 2013).

Extraction Levels

Research has shown, that using more than one tool to acquisition evidence can balance out each of the tools strengths and weaknesses (Barmpatsalou, Damopoulos, Kambourakis, Katos, 2013). What one tool may not discover, the other tool may penetrate deeper into the system retrieving valuable information. Tools available in general are third party. Sam Brothers originated the Mobile Device Tool

Classification pyramid back in 2007 (Ayers, 2014). The pyramid shows the different levels of acquisitions that can be accomplished using mobile forensic tools; going up the classification structure

2 http://www.phonescoop.com/phones

Running head: MOBILE DEVICE FORENSICS 8 requires more training, analyses periods are longer, invasive, and it gets technical, sometimes involving the removal of a chip (Brothers, 2014). Going down the classification structure the procedure is less invasive, analysis times are quicker, not a lot of technical training involved (Brothers, 2014). Table 2 is a visual representation of the different classification levels for tools (bottom to top approach):

Micro Read Physical Extraction Chip-Off Physical Extraction Hex Dumping Physical Extraction Logical Extraction

Manual Extraction Table 2 Extraction Classification (Brothers, 2014)

Manual Extraction also known, as hand jamming is the process of physically looking at the device, this is considered one of the easiest extraction levels when there is small amount of data involved

(Brothers 2014). During the manual extraction level document steps taken using a camera, or a video recorder when sorting through the devices using the screen and keyboard to unearth evidence (Ayers,

2014). This method is popular with the police departments. In some cases, mobile users will voluntarily hand over their device to the police for a quick glance at text messages, e-mails, calendars, social applications (Facebook, Twitter), call logs (Brothers, 2014); to see if there is any probable cause to seize the device for an in-depth investigation.

There are a couple of tools that can be used for manual extraction, ZRT 2 and Project-A-Phone

(Brothers, 2014). Project a Phone3 is a cataloging system that takes 8 Mega Pixel photos and 720p video; with software that generates reports, cost is around $400. ZRT 2 is another camera that is good for

Optical Character Recognition within pictures, also has the capability to take videos, generates reports works with almost every phone; the price is around $3,800 (Brothers, 2014), ZRT 3 is now available.

3 http://www.project-a-phone.com/icd-8000.html

Running head: MOBILE DEVICE FORENSICS 9

Logical Extraction involves connecting the device through a data cable to a computer; the computer software then sends a command to the mobile device, and the mobile device responds accordingly, (Ayers, 2014), using AT commands (Casey, Turnbull, 2011). Some possible AT commands are at+xlog=0 gives the firmware version and at+cpbr which is SIM phonebook read (Rivers, 2012). AT

Commands are considered a weak approach because investigators cannot extract deleted information

(Willassen, 2005). A couple of tool extractions that can be used at level two are Oxygen Forensics

Extractor, and ACESO Kiosk. Oxygen Forensics Extractor4 analyzes, geological coordinates from photos, collecting user data from over 550 applications, device logs, and passwords to accounts that the device user owns, and Wi-Fi hotspots, et cetera, price requires a quote request. The ACESO Kiosk5 can be used with any technical skill levels, the forensic analyst inserts the device extracting metadata, providing timestamps, geo-tagging the model and make of device, retrieving data off of SIM and memory cards, storing all the data gathered in an AES encrypted format and a comprehensive report.

The next three tier levels are through procedures of physical extractions. The third level is through methods of Hex Dumping (Barmpatsalou, Damopoulos, Kambourakis, Katos, 2013), requiring connectivity (Wi-Fi, wired, et cetera) between mobile device and digital forensic workstation (Ayers,

Brothers, Jansen, 2014). Hex Dumping forces a boot loader onto the device dumping the information that is harvested on the protected parts of the memory (RAM) (Brothers, 2014). Forensic analyst use a flasher box connecting the device data port to the digital forensic workstation, then the device is placed in a diagnostic mode, where the analyst can send commands and the flasher box “captures’ section(s) of the memory transporting the data back to the workstation (Ayers, Brothers, Jansen, 2014). Cellebrite’s UFED

Touch Ultimate is the most popular tool used in the United States (Brothers, 2014). The Touch Ultimate6 performs both logical and physical extraction and decoding; also for Android devices the Touch Ultimate

4 http://www.oxygen-forensic.com/en/products/oxygen-forensic-extractor/for-mobile-devices

5 http://www.radio-tactics.com/products/law/aceso-kiosk

6http://www.cellebrite.com/Media/Default/Files/UFED%20Touch%20data%20sheet.pdf

Running head: MOBILE DEVICE FORENSICS 10 can bypass security features such as pattern lock, and pin (Cellebrite, 2015), price range is around $4500

(Brothers, 2014). XRY Office7 is an all-in-one packaged tool that performs logical and physical extractions of data; it can read and clone SIM cards, produce a combined live and delete report, and provides a hex viewer to examine the data. XRY is widely used in the United Kingdom, and price tag is around $4000 (Brothers, 2014).

The fourth classification tier level is chip-off. Chip-Off is the removal of the chip from the device, so the analyst can create a binary image of the chip (Ayers, Brothers, Jansen, 2014). The copy of the chip can then be read in another device or through an EEPROM reader (Brothers, 2014). UP-828

Programmer8 by TEELtechnologies supports different Android and Blackberry flash chip technologies, the beginning price is $2012, if further adapters are required for newer phone support it is a $670 investment. The Netherlands Forensic Institute developed NFI Memory Toolkit9; it is a universal kit that examines the memory retrieving phone numbers, text messages, browser history even when the device is damaged and / or protected.

The last level in the tool classification module is Micro Read. Micro Read is using an electron microscope to examine NAND and NOR chips; at this level it should only be performed during a high profile case, there are no Micro Read tools available (Ayers, Brothers, Jansen, 2014). “NOR chips store operating system code, drivers for the device, system libraries; NAND memory comprises of graphics, audio, video and other useful files” (Ayers, Brothers, Jansen, 2014).

The table below defines some of the pros and cons of each level in the classification tier.

7 https://www.msab.com/products/office/

8 http://www.teeltech.com/mobile-device-forensic-tools/up-828-programmer/

9https://www.forensicinstitute.nl/products_and_services/forensic_products/memory_toolkit/

Running head: MOBILE DEVICE FORENSICS 11

Pros Cons

Manual Fast, work on almost all devices, no cables Not all data is retrieved, error prone, needed broken buttons, time consuming

Logical Fast, easy, gather lots of valuable information, Possible data change, cables, minimal report printout access to log files

Hex Dumping Extract data that was hidden in menus of the Data needs to be converted, some tools device, retrieve deleted data, bypass passwords from hacker community, customized (methods vary for bypassing passwords since cables, manufacturer support is limited, there are different security mechanisms lacking source code available) Chip Off Extract ALL data from device memory, more of Reporting is lacking, hard to use, a holistic approach, training is available possible chip damage, customized cable harnesses needed, lacking source code Micro Read Extract and verify all data from memory, best More time consuming than other levels, picture of what is going on in the device expensive, requires high level of technical experience, hard to understand extracted data Table 3 Classification Levels Pros and Cons (Brothers, 2014)

The main difference between physical and logical extractions, physical is a bit-by-bit copy of all of the

flash memory including the unallocated space; logical extraction is viewing the file structure and

directories through flash memory (Mooij, 2010).

Documentation

Documenting evidence should begin upon arrival of the scene. Preserving the data in its original

condition is key (Casey, Turnbull, 2011); the integrity of the evidence is only beneficial in court using

standard method(s) to acquire the evidence (Bennett, 2011). Documenting evidence is not only of how

the data was extracted through software tools, but also a timestamp of when the device was seized, battery

level, applications showing on the display, physical state of device, any original cables (Dixon, n.d.).

When involved in digital evidence case, a couple of defensible practices need to occur, chain of custody

and verifying evidence (Daniel, n.d.). Proper documentation of the chain of custody allows the court to

see who has handled the evidence. Verifying the evidence allows others to validate data has not been

altered, and steps that were originally taken, could be repeated, returning equivalent results. (Casey,

Running head: MOBILE DEVICE FORENSICS 12

Turnbull, 2011). Any blunders made during the process, i.e. the battery drained shutting off the device; this needs to be noted somewhere because potential evidence that was stored in RAM while the device was on it now completely gone.

Forensic Mishaps

Turning off the device can be a regrettable action; a security lock feature could be activated such as a pin code, drawing a pattern, and a biometric feature (finger print, facial scan). Integrity of the device is important, Faraday isolator bags / cages block out radio waves (Admin, 2012); preventing network access to the device. Also, placing the device in airplane mode limits access to the cell towers (SWGDE,

2013). Network access to the device can cause an alteration of current data (incoming calls, messages); also remote wipe features could be initiated inhibiting evidence that may be crucial to the investigation

(Casey, Turnbull, 2011). Any mishandlings or loss of data could threaten the investigation (Ayers,

Brothers, Jansen, 2014). There are times when data is retrieved from the device while it is sitting in a cradle connected to a machine, this too can alter potential evidence (Casey, Turnbull, 2011), if something happens during synchronization processing. Neglecting evidence is possible during examination; an application for Android and iOS that is known for peer-to-peer messaging using elliptic curve encryption is Wickr10. An investigator could assume that the Wickr is an application for designing wicker baskets, thus overlooking text-messaging evidence that could have been the smoking gun in the case.

Education and Training

Reading reference guides, and HOWTOs can only go so far; proper hands-on training should be a pre-requisite before entering into a live forensics acquisition environment solo. Training would also benefit situations where personnel (crime scene technicians, patrol officers, agents) who have been delegated the responsibility of analyzing the devices having pessimistic attitudes:

10 https://wickr.com/how-wickr-works/

Running head: MOBILE DEVICE FORENSICS 13

• Afraid of destroying digital evidence

• Afraid of misreading the digital evidence

• Digital evidence does not that big of a sway in court verdicts

• No technical background (Miller, 2015).

Nationally recognized, Champlain College offers a Baccalaureate program in Computer and

Mobile Forensics encoding a skill set that students need to be successful in this growing area allowing them to work alongside of law enforcement in live digital investigation cases (Champlain College, 2015).

There is hands-on and online training available through the SANS Internet Storm Center for

Advanced Smartphone Forensics covering topics on how to bypass locks, detecting malicious software, and performing forensics on two of the top mobile platforms that users are on today Android and iOS

(SANS, 2015). InfoSec Institute offers a boot camp training course where 60% of the training is hands- on; learning how to read sqlite data stores, recovering keyboard caches, breaking the devices encryption keys, and other useful skills to carryout investigations on devices (InfoSec, n.d.).

Conclusion

Mobile Forensics is a relatively new, and a difficult field to tackle. The changes in mobile technology are a major headache for digital evidence analyst who has to constantly keep up with current mobile developments. So much data is accumulated on a mobile device, that it becomes a gold mind for evidence. Software tools have been developed for manually, logically, and physically acquisition data from the devices memory chips, call logs, text messages, SIM cards, file system, et cetera. Documentation can go along way in a court of law; the analyst will need to justify the method(s) used for collecting evidence (Gonzalez, Hung, Friedberg, 2011). Becoming a successful mobile forensic analyst requires extensive training in the diverse field, an open mind, and who can think on their toes when necessary..

Running head: MOBILE DEVICE FORENSICS 14

References

Admin. (2012). How a faraday bag works. Retrieved from http://forensicstore.com/how-a-faraday-bag-works/

Ayers, R. (2014). Mobile forensics tool testing at NIST. Retrieved from http://www.nist.gov/forensics/nist-

mobile-forensics-webcast.cfm

Ayers, R., Brothers, S. & Jansen, W. (2014). Guidelines on mobile forensic devices. Retrieved from

http://dx.doi.org.jproxy.lib.ecu.edu/10.6028/NIST.SP.800-101r1

Barmpatsalou, K., Damopoulos, D., Kambourakis, G., & Katos, V. (2013). A critical review of 7 years of mobile

device forensics. Digital Investigation, 10(4), 323-349. doi:http://dx.doi.org/10.1016/j.diin.2013.10.003

Bennett, W. D. (2011). The challeneges facing computer forensic investigators in obtaining information from

mobile devices for use in criminal investigation . Retrieved from

http://articles.forensicfocus.com/2011/08/22/the-challenges-facing-computer-forensics-investigators-in-

obtaining-information-from-mobile-devices-for-use-in-criminal-investigations/

Brome, R., & Zeman, E. (2015). Phone scoop. Retrieved from http://www.phonescoop.com/phones/

Brothers, S. (2014). Acquisition techniques: Mobile foresnics A to Z. Retrieved from

http://www.nist.gov/forensics/nist-mobile-forensics-webcast.cfm

Casey, E., & Turnbull, B. (2011). Digital evidence on mobile device. Digital evidence and computer crime (3rd

ed., pp. 1) Elsevier Inc.

Cellebrite. (2015). UFED touch. Retrieved from

http://www.cellebrite.com/Media/Default/Files/UFED%20Touch%20data%20sheet.pdf

Champlain College. (2015). Computer and digital forensics. Retrieved from http://www.champlain.edu/computer-

forensics/computer-and-digital-forensics-major

Daniel, L.Digital forensics for attorneys: An overview of digital forensics. Retrieved from

https://sog.adobeconnect.com/p69493734/

Running head: MOBILE DEVICE FORENSICS 15

Dixon, E.Best practices in mobile forensic investigations. Retrieved from

http://www.evidencemagazine.com/index.php?option=com_content&task=view&id=659

Friedberg, S., Gonzalez, J. & Hung, J. (2011). Mobile device forensics: A brave new world? Retrieved from

http://www.strozfriedberg.com/files/Publication/224ca0f8-5101-4e1b-938a-

4d4b128ad5ed/Presentation/PublicationAttachment/ef4a28ad-ff7d-4014-aea8-

80505789b86c/Mobile%20Device%20Forensics_%20A%20Brave%20New%20World.pdf

Infosec Institute.Mobile computer forensics. Retrieved from http://www.infosecinstitute.com/courses/mobile-

computer-forensics.html#pricing

International Numbering Plans. (2015). Retrieved from https://www.numberingplans.com.

Kaneshige, T. (2014). Think deleted text messages are gone forever? think again. Retrieved from

http://www.cio.com/article/2378005/byod/byod-think-deleted-text-messages-are-gone-forever-think-

again.html?page=2

Meyers, J. (2011). Watch the incredible 70-year evolution of the cell phone. Retrieved from

http://www.businessinsider.com/complete-visual-history-of-cell-phones-2011-5

Miller, C. M. (2015). Fear of mobile device evidence collection? Law Enforcement Technology, 42(2), 8-10.

Retrieved from http://search.ebscohost.com/login.aspx?direct=true&db=i3h&AN=101065797&site=ehost-

live

Mooij, B. (2010). Data extraction from a physical dump. Retrieved from

http://www.forensicmag.com/articles/2010/09/data-extraction-physical-dump

Moshe-Ben, Y. (2014). Digital detection. Retrieved from

http://www.cellebrite.com/collateral/AR_Digital%20Detection_Forensic%20Investigator_NOV2014.pdf

MSAB. (2015). XRY office. Retrieved from https://www.msab.com/products/office/

Murray, D. J.Guide to computer forensics and investigations. Retrieved from

http://mgt.buffalo.edu/departments/mss/djmurray/mgs410/ch13.ppt

Running head: MOBILE DEVICE FORENSICS 16

Netherlands Forensic Institute.NFI memory tool kit. Retrieved from

https://www.forensicinstitute.nl/products_and_services/forensic_products/memory_toolkit/

Oxygen Forensics.Oxygen forensic extractor. Retrieved from http://www.oxygen-

forensic.com/en/products/oxygen-forensic-extractor/for-mobile-devices

Palmer, G. (2001). A roadmap to digital forensics research. Retrieved from http://www.dfrws.org/2001/dfrws-rm-

final.pdf paraben corporation. (2015). Project-A-phone ICD-8000 . Retrieved from http://www.project-a-phone.com/icd-

8000.html

Radio Tactics. (2015). Phone and device forensics. Retrieved from http://www.radio-

tactics.com/products/law/aceso-kiosk

Rivera, J., & van der, M. R. (2014). Gartner says worldwide traditional PC, tablet, ultramobile and mobile phone

shipments on pace to grow 7.6% in 2014 . Retrieved from ttp://www.gartner.com/newsroom/id/2645115

Rivers, A. (2012). Find any AT command for iPhone baseband using my list . Retrieved from

http://letsunlockiphone.guru/iphone-at-baseband-command-list/

SANS. (2015). FOR585: Advanced smartphone forensics. Retrieved from http://www.sans.org/course/advanced-

smartphone-mobile-device-forensics#results

Soper, T. (2014). Study: Americans spend 162 minutes on their mobile device per day, mostly with apps .

Retrieved from http://www.geekwire.com/2014/flurry-report-mobile-phones-162-minutes/

SWGDE. (2013). Best practices for mobile phone forensics. Retrieved from

https://www.swgde.org/documents/Current%20Documents/2013-02-

11%20SWGDE%20Best%20Practices%20for%20Mobile%20Phone%20Forensics%20V2-0

Tassone, C., Martini, B., Kim-Kwang, R. C., & Slay, J. (2013). Mobile device forensics: A snapshot. Trends &

Issues in Crime & Criminal Justice, (460), 1-7. Retrieved from

http://search.ebscohost.com/login.aspx?direct=true&db=i3h&AN=90116161&site=ehost-live

Running head: MOBILE DEVICE FORENSICS 17

Teel, B. (2014). UP-828 programmer. Retrieved from http://www.teeltech.com/mobile-device-forensic-tools/up-

828-programmer/

Wickr. (2015). How wickr works. Retrieved from https://wickr.com/how-wickr-works/

Willassen, S. (2005). Forensic analysis of mobile phone internal memory. In M. Pollitt, & S. Shenoi (Eds.), (pp.

191-204) Springer US. doi:10.1007/0-387-31163-7_16

Zarouni-Al, M. (2006). Mobile handset forensic evidence: A challenge for law enforcement. Edith Cowan

University. (4th)