Advanced Techniques in Forensic Examination of Smartphones
2012
(C) Oxygen Software, 2000-2012 http://www.oxygen-forensic.com
Worldwide smartphone sales (pie charts; source: Gartner, November 2011)
Platforms shown: Symbian, RIM, iPhone, Android, Windows Mobile
3Q 2010: 81M devices sold; percentages as they appear on the slide: 36.3%, 15.4%, 16.6%, 25.3%, 2.7%
3Q 2011: 115M devices sold; percentages as they appear on the slide: 16.9%, 11.0%, 16.9%, 52.5%, 1.5%
Smartphone market increased by 42% during just 1 year!
Top smartphone vendors - 2011 (pie chart; source: Gartner, November 2011)
440.5M devices sold in 3Q 2011
Vendors shown: Nokia, Samsung, LG, Apple, RIM, HTC, Others; percentages as they appear on the slide: 23.9%, 17.8%, 4.8%, 3.9%, 2.9%, 2.7%, 44.3%
Smartphones
What information is stored on a modern smartphone?
Cell phone
Address book
Planner & Organizer
Messenger
Photo & Video camera
GPS navigator
Web & IM client
Platform for 3rd party apps
Smartphone is a small PC
Smartphone as: Cell phone
Basic Information
• IMEI/ESN/Serial number
• Hardware & Software revision
• Network information
Event log
• Incoming, outgoing, missed calls history
• Sent & received messages history
• GPRS & Wi-Fi sessions log
SIM card
• IMSI
• Phone numbers*
• SMS messages*
* - Usually these features are not utilized by smartphones
Smartphone as: Address book
Contacts information
• First, middle, last name, nickname, joint name, company, department, job title
• Photo and personal ringing tone
• Phone numbers: general, mobile, fax, video, pager, VoIP, push-to-talk
• Postal addresses, Web pages and e-mails
• Different contact sources (Android)
• Number of calls (Android)
• Text notes
• Private info: birthday, spouse, children
• Custom field labels (Symbian, iPhone OS)
• Multiple fields of the same type
• Creation and last modification times (Symbian, iPhone OS)
Caller groups
• List of caller groups & belonging contacts
Speed dials
• List of assigned speed dials
Smartphone as: Planner
Calendar events
• Meetings, reminders and anniversaries
• Start date & time
• Finish date & time
• Alarm date & time
• Recurrence
• Last modification date & time
Tasks
• Task description
• Deadline
• Priority
• Alarm date & time
• Completion date & time
Notes
• Note text & date
Smartphone as: Messenger
Messaging system
• Text messages (SMS)
• Multimedia messages (MMS)
• E-mail messages with attached files
• BIO messages: vCard, vCal, configuration and others
• Beamed messages: files sent via Bluetooth, IR or USB
• Standard message folders
• Custom message folders
• Date & time
• Service center timestamp for incoming messages
• Information about deleted SMS messages (Symbian, iPhone OS)
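The service center timestamp listed above is carried inside the raw SMS-DELIVER PDU that a handset or SIM stores, so an examiner can recover it even where the phone's own message database only shows a local receive time. The following is an added example, not code from the presentation or from Oxygen Software: it locates the TP-SCTS field in a PDU laid out per 3GPP TS 23.040 and decodes its swapped-nibble BCD octets, including the quarter-hour time zone with its sign bit. The PDU is constructed for the demonstration, and the two-digit year is assumed to fall in 2000-2099.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample SMS-DELIVER PDU (3GPP TS 23.040 layout), not taken from a real
# handset: SMSC +447785016005, sender +447700900123, 7-bit text "hello".
# Field order: SMSC address | first octet | originating address | PID | DCS | SCTS | UDL | UD
SAMPLE_PDU = bytes.fromhex(
    "07 91 44 77 58 10 06 50"      # SMSC address: length 7, TOA 0x91, digits nibble-swapped
    "04"                           # first octet: TP-MTI = 00 (SMS-DELIVER)
    "0C 91 44 77 00 09 10 32"      # originating address: 12 digits, TOA 0x91
    "00 00"                        # TP-PID, TP-DCS
    "21 30 51 41 23 54 40"         # TP-SCTS: 2012-03-15 14:32:45, zone +01:00
    "05 E8 32 9B FD 06"            # TP-UDL, TP-UD ("hello", 7-bit packed)
)


def _swapped_bcd(octet: int) -> int:
    """Decode a GSM semi-octet pair: the low nibble holds the tens digit."""
    tens, units = octet & 0x0F, octet >> 4
    if tens > 9 or units > 9:
        raise ValueError(f"invalid BCD octet 0x{octet:02X}")
    return tens * 10 + units


def extract_scts(pdu: bytes) -> bytes:
    """Skip the SMSC address and SMS-DELIVER header fields to reach the 7 SCTS octets."""
    pos = 1 + pdu[0]                        # SMSC address: length byte + that many octets
    if (pdu[pos] & 0x03) != 0x00:
        raise ValueError("TP-MTI is not SMS-DELIVER; only that PDU type carries an SCTS")
    pos += 1                                # first octet
    oa_digits = pdu[pos]                    # originating address length in semi-octets
    pos += 2 + (oa_digits + 1) // 2         # length byte, type-of-address, packed digits
    pos += 2                                # TP-PID, TP-DCS
    scts = pdu[pos:pos + 7]
    if len(scts) != 7:
        raise ValueError("PDU truncated before the service centre time stamp")
    return scts


def decode_scts(scts: bytes) -> datetime:
    """Turn the 7 SCTS octets into a timezone-aware datetime in service centre local time."""
    if len(scts) != 7:
        raise ValueError("SCTS must be exactly 7 octets")
    year, month, day, hour, minute, second = (_swapped_bcd(b) for b in scts[:6])
    tz = scts[6]
    # Bit 3 of the zone octet is the sign of the offset; the remaining bits encode the
    # magnitude in quarter-hours, again as a swapped BCD pair.
    quarters = _swapped_bcd(tz & 0xF7)
    offset = timedelta(minutes=15 * quarters)
    if tz & 0x08:
        offset = -offset
    # Assumption: the two-digit year belongs to 2000-2099 (the usual forensic-tool convention).
    return datetime(2000 + year, month, day, hour, minute, second, tzinfo=timezone(offset))


def scts_to_utc(scts: bytes) -> datetime:
    """Normalise the service centre time stamp to UTC for timeline correlation."""
    return decode_scts(scts).astimezone(timezone.utc)


if __name__ == "__main__":
    raw = extract_scts(SAMPLE_PDU)
    print("SCTS octets :", raw.hex(" "))
    print("local time  :", decode_scts(raw).isoformat())
    print("UTC         :", scts_to_utc(raw).isoformat())
```

The UTC normalisation matters because the zone in the SCTS is the service centre's, not the handset's; comparing it with the phone's local receive time is how mismatched or manipulated clocks show up in a timeline.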
Smartphone as: GPS navigator
GPS Navigator
• Last fixed GPS coordinates
• Search history
• Routes history
• Last displayed map
• Saved maps
• List of favorite places
Location tagger
• GPS coordinates in camera snapshots*
• Cell coordinates in camera snapshots*
• Cell coordinates for camera snapshots**
• Cell coordinates for video records**
• Cell coordinates for SMS messages**
* - Available in EXIF header for almost all models having GPS receiver
** - Available in several Nokia smartphones and Sony Ericsson devices
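The EXIF footnote above is the kind of artifact an examiner pulls from camera snapshots. The following is an added example, not the presentation's or Oxygen Software's code: it walks the JPEG marker segments to the APP1 Exif block, follows the GPSInfo IFD pointer and converts the degree/minute/second RATIONAL values to signed decimal degrees. Tag numbers and field sizes are those of the TIFF/EXIF specification; the JPEG it parses is a constructed skeleton (SOI, one APP1 segment, EOI) carrying only GPS tags, so the example runs offline.

```python
import struct

GPS_IFD_POINTER = 0x8825                      # IFD0 tag pointing at the GPS sub-IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}   # TIFF field type sizes


def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref) -> bytes:
    """Constructed test input: a JPEG skeleton whose Exif block holds only a GPS IFD.
    Coordinates are (numerator, denominator) pairs for degrees, minutes, seconds."""
    gps_ifd = 26                              # TIFF header (8) + IFD0 with one entry (2+12+4)
    data = gps_ifd + 2 + 4 * 12 + 4           # GPS IFD with four entries, then RATIONAL data

    def ascii_entry(tag, ref):                # a 2-byte ASCII value fits in the 4-byte field
        return struct.pack("<HHI", tag, 2, 2) + ref.encode("ascii") + b"\x00\x00\x00"

    def rationals(dms):
        return b"".join(struct.pack("<II", num, den) for num, den in dms)

    ifd0 = struct.pack("<H", 1) + struct.pack("<HHII", GPS_IFD_POINTER, 4, 1, gps_ifd) + struct.pack("<I", 0)
    gps = (struct.pack("<H", 4)
           + ascii_entry(GPS_LAT_REF, lat_ref)
           + struct.pack("<HHII", GPS_LAT, 5, 3, data)
           + ascii_entry(GPS_LON_REF, lon_ref)
           + struct.pack("<HHII", GPS_LON, 5, 3, data + 24)
           + struct.pack("<I", 0))
    tiff = b"II" + struct.pack("<HI", 42, 8) + ifd0 + gps + rationals(lat_dms) + rationals(lon_dms)
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


# Constructed coordinates: 52 deg 13' 27.00" N, 13 deg 24' 36.00" E
SAMPLE_JPEG = build_sample_jpeg([(52, 1), (13, 1), (2700, 100)], "N",
                                [(13, 1), (24, 1), (3600, 100)], "E")


def exif_tiff_payload(jpeg: bytes):
    """Walk JPEG marker segments; return the TIFF block of the APP1 Exif segment or None."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = jpeg[pos + 1]
        if marker in (0xDA, 0xD9):            # start of scan / end of image: no more metadata
            break
        if 0xD0 <= marker <= 0xD7 or marker == 0x01:   # standalone markers have no length
            pos += 2
            continue
        (seg_len,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        payload = jpeg[pos + 4:pos + 2 + seg_len]
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            return payload[6:]
        pos += 2 + seg_len
    return None


def read_ifd(tiff: bytes, offset: int, e: str) -> dict:
    """Return {tag: (type, count, raw 4-byte value/offset field)} for one IFD."""
    (n,) = struct.unpack_from(e + "H", tiff, offset)
    entries = {}
    for i in range(n):
        at = offset + 2 + 12 * i
        tag, typ, count = struct.unpack_from(e + "HHI", tiff, at)
        entries[tag] = (typ, count, tiff[at + 8:at + 12])
    return entries


def field_bytes(tiff: bytes, entry, e: str) -> bytes:
    """Values of 4 bytes or less live inline; larger ones are reached through an offset."""
    typ, count, raw = entry
    size = TYPE_SIZES[typ] * count
    if size <= 4:
        return raw[:size]
    (off,) = struct.unpack(e + "I", raw)
    return tiff[off:off + size]


def dms_to_decimal(rationals: bytes, ref: str, e: str) -> float:
    """Three RATIONALs (deg, min, sec) plus an N/S/E/W reference -> signed decimal degrees."""
    parts = []
    for num, den in struct.iter_unpack(e + "II", rationals):
        if den == 0:
            raise ValueError("zero denominator in GPS rational")
        parts.append(num / den)
    deg, minutes, seconds = parts
    value = deg + minutes / 60 + seconds / 3600
    return -value if ref in ("S", "W") else value


def extract_gps(jpeg: bytes):
    """Return (latitude, longitude) in decimal degrees, or None if the file has no GPS tags."""
    tiff = exif_tiff_payload(jpeg)
    if tiff is None:
        return None
    e = {b"II": "<", b"MM": ">"}[tiff[:2]]     # byte-order flag of the TIFF header
    (ifd0_off,) = struct.unpack_from(e + "I", tiff, 4)
    ifd0 = read_ifd(tiff, ifd0_off, e)
    if GPS_IFD_POINTER not in ifd0:
        return None
    (gps_off,) = struct.unpack(e + "I", field_bytes(tiff, ifd0[GPS_IFD_POINTER], e))
    gps = read_ifd(tiff, gps_off, e)
    if not {GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON}.issubset(gps):
        return None
    ref = lambda tag: field_bytes(tiff, gps[tag], e).rstrip(b"\x00").decode("ascii")
    lat = dms_to_decimal(field_bytes(tiff, gps[GPS_LAT], e), ref(GPS_LAT_REF), e)
    lon = dms_to_decimal(field_bytes(tiff, gps[GPS_LON], e), ref(GPS_LON_REF), e)
    return lat, lon
```

Because the parser honours the TIFF byte-order flag and reads the offset table itself, it works unchanged on big-endian ("MM") Exif blocks as written by many handsets, not just the little-endian sample built here.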
Smartphone as: Web client
Web browser
• Web cache files
• Bookmarks
• Pages view history
• Last opened URLs
• Search history
• Cookies
IM client
• IP, Login (UID, e-mail) and password*
• Contacts list
• Chat history
• Calls history
* - Available for some IM clients
Smartphone as: PC
Operating System apps
• Camera snapshots
• Video clips
• Voice records
• Sounds and Podcasts
• Wi-Fi networks list
• Paired Bluetooth devices list
• Activated SIM cards list
• VPN profiles
3rd party apps
• List of installed applications
• Office documents
• Application logs & data files
Extraction
What data extraction methods are available for mobile devices?
There are 2 standard ways to get forensic information from smartphones: logical and physical analysis
Standard extraction methods
Logical analysis
• Data extracted using common PC-to-mobile communication protocols: AT, OBEX, SyncML
• Smartphone connected to PC with a standard cable (or Bluetooth/IR adapter)
Physical analysis
• Data extracted using direct memory reading (hex dump)
• Smartphone (or its memory chip only) connected to special hardware
Logical analysis for smartphones
AT+
• General phone information
• Contacts (simple), calls*, SMS, settings*
Nokia FBUS
• General phone information
OBEX
• General phone information
• Files*
SyncML
• General phone information
• Contacts, calendar, notes, settings*, bookmarks, messages*
1) The information extracted by all logical protocols is only the tip of the iceberg
2) All logical protocols were developed for data synchronization
Above the waterline (extracted by logical protocols):
• General phone information
• Contacts*
• Calendar
• Notes
• Calls history
• Messages*
• Files*
• Settings*
• Bookmarks
* - Available data set is restricted and depends highly on manufacturer implementation
Below the waterline (not reached by logical protocols):
• Caller groups
• Custom field labels
• Speed dials
• Messages from custom folders
• Event log
• Deleted messages information
• Service center timestamps
• GPS information
• Location tagged data
• Web browser data
• IM client data
• 3rd party apps
Physical analysis for smartphones
What to do with gigabytes of that?
Standard extraction methods: Summary
Physical analysis
• All information can be extracted
• Hard to perform
• Very hard to analyze
• Expensive software, special hardware needed
Logical analysis
• Little information can be extracted
• Easy to perform
• Easy to analyze
• Affordable software, no special hardware needed
In 2002 Oxygen Software invented the 3rd way: analysis using a special agent application working inside the smartphone OS
How to extract data without a headache?
Physical analysis
• All information can be extracted
• Hard to perform
• Very hard to analyze
• Expensive software, special hardware needed
Analysis using Agent application
• Most of the information can be extracted*
• Easy to perform
• Easy to analyze
• Affordable software, no special hardware needed
Logical analysis
• Little information can be extracted
• Easy to perform
• Easy to analyze
• Affordable software, no special hardware needed
* - Agent can extract all the information available to native OS applications
Agent application usage
Extracted by the Agent:
• General phone information & SIM card data
• Contacts with all fields and custom field labels
• Caller groups & Speed dials
• Event Log
• Calendar events
• Tasks & Notes
• Messages from standard and custom folders
• Deleted messages information
• Service center timestamp
• Camera snapshots, video clips and voice records
• File system
• GPS & Location tagged information
• Web browser cache & bookmarks
• IM clients data
• 3rd party applications with their information
Not extracted by the Agent:
• Protected operating system files
• Memory dump
Afraid of writing to device? Comparison of phone content changes when performing analysis using different approaches
SyncML protocol usage
• Setting up sync parameters
• Installing extra sync add-ons*
• Running SyncML server
• SyncML server generates synchronization log files
Agent application usage
• Loading Agent to device
• Installing Agent
• Running Agent
• Uninstalling Agent**
* - Extra sync add-ons installation may be needed to extract some additional information (e.g. MMS)
** - Agent does not generate any log files
Unlike Agent, the SyncML server is not a forensically designed application and is not under the examiner's full control. In addition, it makes more data modifications than Agent.
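One way to put numbers on the "content changes" compared above is to hash a snapshot of the file system taken before and after the extraction step and diff the two manifests, so every file the tool added, rewrote or removed is listed by name. The example below is added here and is not part of the presentation or Oxygen Software's tooling. It runs on a temporary directory constructed to stand in for a device file system, with a hypothetical sync-style tool that rewrites `system/sync.ini` and leaves `system/sync.log` behind; those names and contents are assumptions. It compares content digests only; a full forensic comparison would also record timestamps and permissions.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root: str) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest and size."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):   # stream large files
                    digest.update(chunk)
            manifest[path.relative_to(root).as_posix()] = (digest.hexdigest(), path.stat().st_size)
    return manifest


def diff_snapshots(before: dict, after: dict) -> dict:
    """Classify every path as added, removed, modified or unchanged between two manifests."""
    common = before.keys() & after.keys()
    return {
        "added": sorted(after.keys() - before.keys()),
        "removed": sorted(before.keys() - after.keys()),
        "modified": sorted(p for p in common if before[p] != after[p]),
        "unchanged": sorted(p for p in common if before[p] == after[p]),
    }


def demo() -> dict:
    """Constructed scenario: a temporary directory stands in for a device file system.
    A hypothetical sync-style tool reads the user databases, rewrites its own state file
    and leaves a log behind; the user data it read must stay byte-identical."""
    with tempfile.TemporaryDirectory() as root:
        fs = Path(root)
        (fs / "data").mkdir()
        (fs / "system").mkdir()
        (fs / "data" / "contacts.db").write_bytes(b"constructed contacts database")
        (fs / "data" / "sms.db").write_bytes(b"constructed message store")
        (fs / "system" / "sync.ini").write_text("last_sync=never\n")
        before = snapshot(root)

        # The extraction step under test (simulated): reads both databases, then writes.
        (fs / "data" / "contacts.db").read_bytes()
        (fs / "data" / "sms.db").read_bytes()
        (fs / "system" / "sync.ini").write_text("last_sync=2012-03-15T14:32:45Z\n")
        (fs / "system" / "sync.log").write_text("session started\n")

        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:10s} {paths}")
```

Run the same before/after procedure around each extraction method and the "added" and "modified" lists become the concrete record of what that method wrote to the device, which is what an examiner has to be able to explain later.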
Summary
Smartphones are a considerable part of the mobile device market
FutureSource Consulting forecasts that, between 2008 and 2013, annual sales of smartphones will rise by 95% to over 300 million. That will be around 37% of all new mobile phones, up from 13% in 2008.
Smartphones store much more important forensic information than plain cell phones
Being multiple-in-one devices with an OS that exposes an open API, smartphones are turning into small PCs with large memory sizes, a wide set of preinstalled applications and a huge number of available 3rd party applications.
Standard extraction methods are less effective for smartphones
All logical protocols were developed for sync purposes, so they can only extract the tip of the iceberg. Physical analysis of gigabyte hex dumps takes a lot of time.
Agent application usage is the golden mean
The Agent application approach, introduced by Oxygen Software in 2002, almost achieves the completeness of data extracted by physical methods. At the same time it works via standard cables and adaptors and presents the extracted data in a readable and user-friendly format, much like a logical analysis.