Advanced Techniques in
Forensic Examination of Smartphones
(C) Oxygen Software, 2000-2010 http://www.oxygen-forensic.com
2010
Smartphones market growth
Data provided by FutureSource Consulting
The smartphone market is growing even while the general mobile phone market is falling
Smartphone is a small PC
Smartphone as: Cell phone
* - Usually these features are not utilized by smartphones
Smartphone as: Address book
Smartphone as: Planner
Smartphone as: Messenger
Smartphone as: GPS navigator
* - Available in EXIF header for many new models
** - Available in smartphones with Nokia LifeBlog application installed
Smartphone as: Web client
* - Available for some IM clients
Smartphone as: PC
There are 2 standard ways to get forensic information from smartphones: logical and physical analysis
Standard extraction methods
Logical analysis for smartphones
1) The information extracted by all logical protocols is only the tip of the iceberg
2) All logical protocols were developed for data synchronization
General phone information
Contacts*
Calendar
Notes
Calls history
Messages*
Files*
Settings*
Bookmarks
* - Available data set is restricted and depends highly on manufacturer implementation
Caller groups
Custom field labels
Speed dials
Messages from custom folders
Event log
Deleted messages information
Service center timestamps
GPS information
Location tagged data
Web browser data
IM client data
3rd party apps
Physical analysis for smartphones
How to deal with gigabytes of that?
Standard extraction methods: Summary
In 2002 Oxygen Software invented the 3rd way - analysis using a special agent application working inside smartphone OS
How to extract data without a headache?
* - Agent can extract all the information available for native OS applications
Agent application usage
General phone information & SIM card data
Contacts with all fields and custom field labels
Caller groups & Speed dials
Event Log
Calendar events
Tasks & Notes
Messages from standard and custom folders
Deleted messages information
Service center timestamp
Camera snapshots, video clips and voice records
File system
GPS & Location tagged information
Web browser cache & bookmarks
IM clients data
3rd party applications with their information
- Protected operating system files
- Memory dump
Afraid of writing to device?
Comparison of phone content changes when performing analysis using different approaches
* - Extra sync add-ons installation may be needed to extract some additional information (e.g. MMS)
** - Agent does not generate any log files
Unlike the Agent, a SyncML server is not a forensically designed application and is not under the examiner's full control. In addition, it makes more data modifications than the Agent.
Summary
Smartphones are a considerable part of the mobile device market
FutureSource Consulting forecasts that, between 2008 and 2013, annual sales of smartphones will rise by 95% to over 300 million. This will be around 37% of all new mobile phones, up from 13% in 2008.
Smartphones store much more important forensic information than plain cell phones
Being multiple-in-one devices with an OS that has an open API, smartphones are turning into small PCs with large memory, a wide set of preinstalled applications and a huge number of available 3rd party applications.
Standard extraction methods are less effective for smartphones
All logical protocols were developed for sync purposes, thus they can only extract the tip of the iceberg. Physical analysis of gigabyte hex dumps takes a lot of time.
Agent application usage is the golden mean
The Agent application approach, introduced by Oxygen Software in 2002, almost achieves the completeness of data extracted by physical methods. At the same time it works via standard cables and adaptors and allows the extracted data to be presented in a readable and user-friendly format that is more characteristic of logical analysis.
Oxygen Forensic Suite 2010: www.oxygen-forensic.com
Oxygen Forensics for iPhone: www.iphone-forensics.com
+44 (0) 20 8133 8450 (UK)
+1 877 9-OXYGEN (USA)
Oxygen Forensic Suite and Oxygen Forensic Suite 2010 are the trademarks of Oxygen Software.
Oxygen Software LLC was founded in 2000, and since that time our business has been PC-to-mobile communication.
Interested in more details?
£499 Standard
£899 Professional