1
Mobile Device Investigations:
From Android to iPhone and Back
February 2017
2
Agenda
Introduction to Mobile Forensics
Mobile device 101
Different types of mobile devices
Preservation of data on mobile devices
Demonstration
Reporting and extracting
Demonstration
Searching and filtering
Demonstration
3
PearCo: Professional Personnel Recruitment
PearCo specializes in temporary employment services and is the industry leader due to its web-based infrastructure. PearCo’s website allows large companies to quickly find eager-to-work temporary employees.
PearCo’s CFO, Tyler Mueller, was discovered using PearCo’s recruitment services. Mr. Mueller and Carmen Fitz, PearCo’s CMO, meet once a month with a board of directors, but rarely outside of that meeting as the company is purely web-based.
As of late, Ms. Fitz has made complaints to PearCo’s HR department as she has received suggestive text messages from an unknown number. She has her suspicions that Mr. Mueller is behind the screen, as the mystery texter ends their messages with the same clever quote that is on Mr. Mueller’s work emails.
PearCo’s board of directors wants to learn more about the issue, and is willing to hand over Mr. Mueller’s and Ms. Fitz’ individual phones and laptops, which are company owned, to investigate the claims.
Hypothetical: Workplace Harassment Investigation
How can mobile forensics help?
4
Where to Start in an Investigation?
KNOWN
Follow the path
UNKNOWN
o Time period when the text messages were sent
o Carrier of the specific number
o Content from Ms. Fitz’ deleted messages
o Whether or not photos were sent
5
Mobile Device 101
Mobile devices store data in various applications in their operating systems
Consider the disparate nature of mobile data at the outset
Mobile devices offer a variety of texting options, including SMS, MMS, FaceTime, Messenger, and iMessage, among others.
Each of these messaging options stores content in different locations on the mobile device and functions in a slightly different manner.
6
Mobile Device Types
A mobile ecosystem is growing and diversifying
International
• Different power considerations
• Subscription connectivity (texting apps)
Legacy
• Flip phones
• Old PDAs
Uncommon
• Pre-Paid phones aka “Burner phones”
Mainstream
• Android
• Apple
• Samsung
Cables and connectors: We have binders and binders of cords in order to access the more complicated devices
Devices of the past could only manage a few tasks, now phones are more agile than most computers—all of that evidence may need to be collected
7
Preservation of Data
Where is the data you are backing up?
Logical/Physical
• Requires phone in hand to administer forensics
Backups
• Whether on a laptop or removable media (external hard drive)
Cloud
• Remote access, and is typically iTunes which requires a password
8
Accessing Mobile Data
Collection from mobile devices generally requires an onsite collection from a forensic collections engineer
Authorized, physical access to devices is typically necessary
Extraction attempts, including attempts to recover deleted content, require passwords, PIN numbers, or swipe patterns to gain access to the device
It is recommended that the device be unencrypted and free from any mobile device management software that would prevent access to the device
Although these barriers may stunt forensics, there are tools to get around some encryption
9
Preservation Demo
10
Reporting and Extracting
Mobile devices are like a collection of databases that work together to present data to the users
There is a disconnect between what you see when you have a phone in your hand and what the report looks like after the extraction
Forensic tools have attempted to present the data in a human-readable way through Excel, PDFs, HTML, or extraction into discrete files, like a text thread into a text file
Forensics experts and attorneys need to understand the demands of both binary data reports and the juries or judges who will view the evidence
What’s next?
11
Reporting and Extracting
Deleted data, lost cause?
Generally speaking, when a text message is deleted, the data may still be accessible on the device for a short time
Recovery is limited to the data that remains in the mobile device databases
The amount that is recoverable varies greatly by device and depends on the software that is used to attempt the recovery
There are a number of ways data can be unattainable:
Factory resets on a mobile phone
Destroyed phone
Remote wipe
Some applications can erase data after the phone has been confiscated
Faraday bags or putting the phone on airplane mode can block remote signals being sent to the phone
12
Reporting and Extracting Demo
13
Searching and Filtering
What was the export choice and why did you make it?
Native file and Excel must work in tandem to coordinate high responsiveness
Addressing the needs of the investigation
Excel
• Great for early case review as an inventory is given
• Filtering makes it easy to work with the entirety of the information on the device that is recoverable
• But if you do a discovery project with an Excel file, you are taking everything together and it may be difficult to gauge responsiveness
Native files
• Great for processing to review because the conversation threads are together, as one thread remains intact as a separate file
• Must load things to review so you can do the relationship searches, then look to the Excel to authenticate
• But family relationships are not kept. For example, an image with a text is responsive as a family; however, in native extraction that family relationship isn’t intact because of the MMS/SMS distinction
Responsiveness
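An added example, not part of the original slides: working from a spreadsheet-style inventory, it filters to the time period at issue, rebuilds per-number threads with SMS and MMS merged, and re-links a picture to the text it accompanied. The column names, phone numbers, sign-off text and the two-minute linking rule are all constructed assumptions, not the output format or behaviour of any forensic tool.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export, one row per record. Column names, numbers and
# message text are invented for illustration; real tools use their own layouts.
EXPORT = """id,timestamp,type,party,body,attachment
1,2017-01-09T21:14:00,SMS,+15555550100,Thinking of you. Carpe diem!,
2,2017-01-09T21:15:30,MMS,+15555550100,,IMG_0042.jpg
3,2017-01-10T08:02:00,SMS,+15555550199,Board meeting moved to 3pm,
4,2017-01-12T23:40:00,SMS,+15555550100,Why no reply? Carpe diem!,
5,2016-11-02T10:00:00,SMS,+15555550100,Outside the review window,
"""

def load_rows(text):
    """Parse the inventory and convert timestamps so rows can be filtered."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["timestamp"] = datetime.fromisoformat(r["timestamp"])
    return rows

def in_window(rows, start, end):
    """Spreadsheet-style filter: keep records inside the time period at issue."""
    return [r for r in rows if start <= r["timestamp"] <= end]

def build_threads(rows):
    """Native-style view: one time-ordered thread per number, SMS and MMS merged."""
    threads = defaultdict(list)
    for r in sorted(rows, key=lambda r: r["timestamp"]):
        threads[r["party"]].append(r)
    return dict(threads)

def link_families(thread, gap=timedelta(minutes=2)):
    """Heuristic (an assumption, not a tool feature): attach an MMS attachment
    to the previous message in the thread when it arrives within `gap`."""
    families = []
    for r in thread:
        prev = families[-1][-1] if families else None
        if r["attachment"] and prev and r["timestamp"] - prev["timestamp"] <= gap:
            families[-1].append(r)
        else:
            families.append([r])
    return [[m["id"] for m in fam] for fam in families]

def signature_hits(rows, signature):
    """IDs of messages whose body ends with the given sign-off."""
    return [r["id"] for r in rows if r["body"].strip().endswith(signature)]
```

Families produced this way are review aids only; each link still has to be checked against the original extraction before it is relied on.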
14
Searching and Filtering Demo
15
Questions?
16
Jason Bergerson
Technological professional with over 20 years of experience performing data recoveries, collections, forensic analyses, expert reports and testimony in hundreds of cases and on thousands of pieces of media
Contact: [email protected]
Website: http://www.ediscovery.com/consulting/jason-bergerson/
Director, Consulting Operations, Kroll Ontrack