Computer Forensics Is the Scientific Practice of Using Digital Data in an Investigation

Introduction to Mobile Forensics
Dr. Darren Hayes
Pace University

Definition
• Computer Forensics is the scientific practice of using digital data in an investigation
• Mobile Forensics is the scientific practice of using digital data, created by a mobile device, in an investigation

What is the Goal?
• To Prove
  • Control
  • Ownership
  • Intent

Popular Myths
• Computer Forensics is a Part of Security
• Computer Forensics is the Examination of Computers
• Computer Forensics is used to Solve Computer Crimes
• Computer Forensics is about Recovering Deleted Files

Scope of Mobile Forensics

Importance
• Always On
• Personal
• Voice & Data
• Multimedia
• Internet
• Tracking
• GPS

What’s Different?
• Communication through Embedded Chip
• Different File System
• Different Information
• Call Logs
• Text Messages
• Active Memory Storage
• Smaller Onboard Capacity
• Locational Data

History
• 1875 – Alexander Graham Bell Transmits Sounds
• 1876 – “Mr. Watson, come here! I want to see you!”
• 1885 – AT&T Founded
• 1919 – First Rotary Telephone
• 1946 – Area Codes Established
• 1961 – Touch Tone Released to the Public
• 1963 – Push-button Telephone

History
• 1973 – First Handheld Cellphone Call
• 1982 – Caller ID
• 1984 – New AT&T Formed
• 1991 – GSM Created

History
• Radio Common Carrier
• 1960s – 1980s
• Dr. Martin Cooper, Motorola, 1973
• 2.2 lbs Phone – First Handheld Mobile
• Wall Street (1987)

History
• 1983 – DynaTAC Cellphone Released by Motorola
• 1 lb
• 9.5 Inches Tall
• 10 Hours to Charge
• 60 Mins. Talk Time
• $3,995

History
• Push-to-talk (1993)
• Motorola StarTAC (1996)
• RIM BlackBerry (1999)
• Two-way Pager
• Motorola RAZR (2003)

History – Mobile Forensics
• Hardware Cellebrite Universal Memory Exchanger (UME)
• Wireless Retailers
• Software Personal Investigations
• Cheating Spouses

Statistics (Source: CTIA)
1995
• Subscribers: 28.1 million
• Call Minutes: 31.5 billion
2011
• Subscribers: 327.6 million
• Call Minutes: 2.2 trillion (6 billion Call Mins. per Day)
• Text Msgs: 5.7 billion per Day
• Cell Towers: 250,000
• 29.7% of Households are Wireless Only

Case Studies

iPhone
• Higinio O. Ochoa
• Aged 30
• Linux Administrator
• Accused of Being a Part of CabinCr3w
• Arrested by FBI
• EXIF Data from iPhone
• Melbourne, Australia
• Led Investigators to Ochoa’s Facebook Page

Michael Jackson Murder Investigation

Conrad Murray Trial
• Conrad Murray Recorded Jackson’s Last Words on iPhone
• Judge Ruled that 4-Minute Audio File Was Admissible

Stolen iPhone
• April 2012 – iPhone Stolen on Disney Wonder Cruise
• Victim – Katy McCaffrey
• Photos Automatically Uploaded to iCloud Photo Stream Account
• Photos of “Nelson” & Co-workers Uploaded to McCaffrey’s Facebook & Sent to Disney

Times Square Shooting
• August 18, 2012 – Knife-wielding Man Runs through Times Square
• NYPD Runs after Suspect: Darrius Kennedy, 51
• Bystanders Run Alongside Police with Cellphone Cameras Recording Action
• Suspect Shot Dead by Police
• Videos Uploaded to YouTube, Facebook, News Networks
• Smartphones Seized by Police

Smartphone Intelligence
• Precrime creeps closer to reality, with predictive smartphone location tracking
  • http://www.extremetech.com/computing/134422-precrime-creeps-closer-to-reality-with-predictive-smartphone-location-tracking
• Localscope App
  • http://www.cynapse.com/localscope

Law Enforcement Assistance
• Brooklyn Quality of Life App
  • http://www.cbsnews.com/8301-504083_162-57492217-504083/new-smartphone-application-allows-people-to-report-crimes-to-authorities/
• FBI Child ID App
  • http://www.fbi.gov/news/news_blog/the-child-id-app-on-android

Forensics on Your Smartphone
• Forensic Computer Examiner Quick Reference Guide App
• International Association of Computer Investigative Specialists (IACIS)

Cellular Network
• Cellular Network – Group of Cells
• Cell – Geographic Area
• Cell Site – Tower or Antenna

• Cell Tower Carriers
• Radio Mast
• Transmits/Receives Radio Signals
• Often has 3 Sectors
• 200 Feet High
• Encrypts/Decrypts Traffic
• Often Used by Multiple Cell Sites
[Figure labels: Antenna Panel, Receiver, Transmitter, Receiver]

Mobile Station
• Mobile Equipment (Handset)
• Subscriber Identity Module (SIM)
• GSM Networks
• IMEI Identifies Mobile Equipment on GSM Cellular Network

Practical – Locate IMEI
• Power On Cellphone
• On Keypad, Type *#06#

Practical
• Open Browser
• URL: www.antennasearch.com
• Type: 1600 Pennsylvania Ave NW
• Type: Washington, DC
• Type: 20006

Cell Site Analysis (CSA)
• Call & Mapping Analysis
  • http://www.cellanalyst.com/
• Using Cell Site Analysis Evidence in Criminal Trials
  • http://www.justice.gov/usao/eousa/foia_reading_room/usab5906.pdf
• Request Data in Parsed Excel Format
• Request Keys to Tower Codes
• Free Mapping
  • http://batchgeo.com/

Carrier Evidence
• Subscriber Records
• Call Detail Records (CDR)
• Phone Numbers Called/Received
• Duration
• Dates
• Times
• Cell Sites
• Quadrant

Mobile Station (GSM)
• Mobile Equipment (Handset)
• Subscriber Identity Module (SIM)
• International Mobile Equipment Identity (IMEI)
• Analysis of IMEI: www.numberingplans.com & trackimei.com
• Dial *#06# on Cellphone
• Type Allocation Code (TAC) – Initial 6 to 8 Digits of IMEI
• http://www.nobbi.com/tacquery.php

Mobile Station (CDMA)
• Mobile Equipment (Handset)
• Electronic Serial Number (ESN)
• 2005: Mobile Equipment Identifier (MEID)
• www.meidconverter.com
• Subsidy Lock (SPC) – Confines User to One Network

Mobile Station
• Mobile Equipment (ME)
• FCC-ID
• Federal Communication Commission (FCC)
• http://transition.fcc.gov/oet/ea/fccid/
• www.phonescoop.com
• www.gsmarena.com

GSM
• SIM Card
• Identifies Subscriber on a Network
• Contains IMSI

SIM
• GSM & iDEN (Motorola)
• Swapped Out with Unlocked Phones
• International Mobile Subscriber Identity (IMSI)
• Mobile Country Code (MCC)
  • First 3 Digits of IMSI
• Mobile Network Code (MNC)
  • Next 2 to 3 Digits
• Mobile Subscriber Identity Number (MSIN)
  • Last 10 Digits

SIM
• Integrated Circuit Card ID (ICCID)
  • 19 to 20 Digits
  • Printed on SIM
• Major Industry Identifier (MII)
  • First 2 Digits
• www.numberingplans.com

CDMA
• Code Division Multiple Access (CDMA)
• Developed during WWII
• Patented by Qualcomm
• Users Share a Band of Frequencies
• Verizon & Sprint
• No SIM
• Same Phone Model: GSM or CDMA
• Motorola RAZR

CDMA
• Code Division Multiple Access (CDMA)
• Spread-Spectrum Communications Protocol
• Wide Band Width
• Multiplexing Techniques
• Fiber Optic
• Verizon
• Sprint
• CDMA2000 – 3G

Mobile Phone Network Operators
• Mobile Network Operator (MNO)
• Owns an RF Spectrum License
• 4 Carriers
  • AT&T/Cingular (GSM)
  • T-Mobile (GSM)
  • Verizon (CDMA)
  • Sprint/Nextel (CDMA)

Mobile Phone Network Operators
• Mobile Virtual Network Operator (MVNO)
• Provides Mobile Phone Service
• No Licensed Frequency of Radio Spectrum
• Purchase Minutes of Use (MOU)
• Do Not Own SIM Cards
• Example: Virgin Mobile USA (Sprint Nextel)
• 100+ Carriers

Satellite Phones
• 90% of the World has No Cellular Coverage
• Solution: Satellite Phones
• DeLorme

Operating Systems
• Apple
  • iOS
• Google
  • Android
• Nokia
  • Symbian
• Samsung
  • Bada
• Research In Motion
  • RIM OS
• Microsoft
  • Windows 7

Statistics (Gartner)
• 2011: Tablet Sales – 60 Million Units Worldwide
• 2012: Tablet Sales – 119 Million Units Worldwide

Tablet Sales Projections
[Chart: tablet sales projections for 2011, 2012, 2013 and 2016; series: iOS, Android, Microsoft]

Statistics (Gartner)
• Q1: 2012 – 419 Million Mobile Phone Units Sold

Statistics (Gartner)
[Chart: 1Q 2011 compared with 1Q 2012]

Samsung
• Samsung Galaxy S III
• 2012 Estimated Sales 30+ Million Units

Google Nexus
• January 2010 – Nexus One (N1) Released
  • Developed by HTC
  • Unlocked
  • Sold Directly by Google
• Nexus S
  • Developed by Samsung
  • WiFi Hotspot Capability
  • Internet Calling
  • Near Field Communication (NFC)
• Galaxy Nexus Coming Soon with Jelly Bean 4.1

Near Field Communication (NFC)
• Close Proximity Radio Communication
• Based on RFID Standards
• Formed by Sony, Nokia, Philips
• Google Wallet
• Credit Cards
• Loyalty Cards
• MasterCard PayPass
• Public Transportation Ticketing

Near Field Communication (NFC)
• Usage:
  • Payment System
  • Social Media
  • Hotel Keys

Q1 – 2012 OS Market Share
[Pie chart; segments: Android, iOS, Symbian, Research In Motion, Bada, Microsoft; values shown: 7.0%, 2.7%, 1.9%, 8.7%, 23.1%, 56.6%]

Android
• Networks:
  • GSM
  • iDEN
  • CDMA
• Devices:
  • Smartphones
  • Tablets
  • eReaders
• App Market
  • 700,000+

Android Devices
• Samsung, LG, Motorola, etc.
• Samsung Galaxy Tab
• Amazon Kindle

Evidence
• Cache.wifi
  • Captures WiFi Connections
  • Do Not Need to Connect to Record
  • Can Be Mapped
• Fb.db
  • Facebook
  • Contacts
  • Chat Logs
  • Messages
  • Photos
  • Searches

Evidence
• Emailprovider.db
  • Path: /data/data/com.android.email/databases/EmailProvider.db
  • Exchange Login & Password in Plaintext
• HostAuth
  • Gmail Login & Password in Plaintext

Evidence
• Da_destination.db
  • Turn-by-Turn Navigation
  • .WAV Files Stored

Evidence
• SMS & MMS
  • Path: /data/data/com.android.providers.telephony
  • Contains:
    • Sender & Recipient
    • Read Status
    • Pictures
    • Audio/Video
• MMS
  • Path: /data/data/com.android.mms

Device Security
• PIN-Protect
  • Numeric
• Password
  • Alpha/Numeric/Character
• Pattern Lock
  • Gesture

Security
• gesture.key
  • Pattern-Lock Protection
  • Finger Swipe
  • Path: data/system/gesture.key
  • Encrypted with SHA-1 Hash Algorithm
  • Decrypt with Online Tools or Rainbow Tables

Security
• pc.key
  • Password Protection
  • Path: data/system/pc.key
  • Decrypt with Brute Force or Dictionary Attack
  • Most Difficult to Break

Security
• PIN
  • Maximum of 8 Digits
  • After Unsuccessful Attempts Enter Gmail Login & Password

Questions
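
The identifier layouts given in the Mobile Station (GSM) and SIM slides (TAC at the start of the IMEI; MCC, MNC and MSIN inside the IMSI; MII at the start of the ICCID) can be checked mechanically when an examiner transcribes values from a handset or carrier record. The Python below is an added example, not part of the original slides; the function names and sample numbers are constructed, and the 8-digit TAC, 6-digit serial and Luhn check digit split is the current IMEI layout, assumed here rather than stated in the slides.

```python
import re

def luhn_valid(digits: str) -> bool:
    """Luhn checksum, the algorithm behind the IMEI check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def _digits(value: str, lengths: tuple) -> str:
    """Drop separators copied from labels or reports, then validate length."""
    d = re.sub(r"[\s./-]", "", value)
    if not (d.isascii() and d.isdigit()) or len(d) not in lengths:
        raise ValueError(f"expected {lengths} digits, got {value!r}")
    return d

def parse_imei(value: str) -> dict:
    # Assumed layout: 8-digit TAC, 6-digit serial number, 1 Luhn check digit.
    d = _digits(value, (15,))
    return {"tac": d[:8], "serial": d[8:14], "check_digit": d[14],
            "luhn_ok": luhn_valid(d)}

def parse_imsi(value: str, mnc_len: int = 2) -> dict:
    # MCC is the first 3 digits; the MNC is the next 2 or 3 and its length
    # cannot be read from the IMSI itself, so the examiner supplies it.
    if mnc_len not in (2, 3):
        raise ValueError("mnc_len must be 2 or 3")
    d = _digits(value, (15,))               # assumption: full 15-digit IMSI
    return {"mcc": d[:3], "mnc": d[3:3 + mnc_len], "msin": d[3 + mnc_len:]}

def parse_iccid(value: str) -> dict:
    # 19 to 20 digits printed on the SIM; the first 2 are the MII.
    d = _digits(value, (19, 20))
    return {"mii": d[:2], "length": len(d)}

if __name__ == "__main__":
    # Constructed sample values, not taken from any real device or case.
    print(parse_imei("49-015420-323751-8"))
    print(parse_imei("490154203237519"))    # last digit mistyped
    print(parse_imsi("001010123456789"))
    print(parse_iccid("8901260123456789012"))
```

A failed `luhn_ok` most often points to a transcription error in the report, so the value should be re-read from the device (`*#06#`) or the label before it is relied on.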
