Obstacles & Opportunities in Mobile Forensic Collections

October 2, 2014

Evidence Collection in the Mobile Age

Trend: Mobile Device Ownership is Rising

© Elysium Digital 2014

Source: Pew Research Center (Internet & American Life Project)

Trend: Increasing Use of Smartphones

Source: Pew Research Center (Internet & American Life Project)

Trend: BYOD Popularity Increasing

Bring Your Own Device (BYOD) Support

Source: Good Technology Corporation. Good Technology’s 2nd Annual State of BYOD Report. (n=100)

Mobile: It is the Wild, Wild West of Tech

• Similar to early PC landscape
  – More Devices
  – More Varieties
  – More Connectivity
  – More Users

• Results in
  – Lack of Standards
  – Unsettled Marketplace

Image sources: www.securitypronews.com, www.gospotcheck.com

Types of Devices

Cellphones

Smartphones

Tablets

Agenda

• Traditional Computer Forensics
• Mobile Collections Obstacles
• Mobile Collections Opportunities
• Other Issues
• Quick Takeaways

Traditional Computer Forensics

Traditional Computer Forensics: Non-volatile Storage

• Disk Drive & Solid State Drive (SSD)
  – “File” Abstraction
  – Blocks under the abstraction

Traditional Computer Forensics: Files

• Files

• File-level operations

• Internal metadata

Traditional Computer Forensics: Filesystems

• Filesystem
  – Organizational system
  – Implemented in both storage structure & process
  – Examples: FAT, inodes

• Filesystem metadata
  – Creation time
  – Modification time
  – Access time

Traditional Computer Forensics: “Hidden” Data

• Block Reuse Principles
  – Conserve cycles
  – Conserve I/O traffic

• Breaking through the Abstraction
  – File slack
  – Deleted files

Mobile Forensics: Obstacles

• Designed for Loss / Theft
• Modified by Carriers
• Analysis software is less mature
• Deleted data & metadata
• Truncated email

Mobile Forensics: Opportunities

Mobile Evidence Collection: Opportunities (1/3)

• Opportunities from Common Practices
  – Devices not centrally managed
  – Data policies not implemented
  – Data remains on old devices
  – Data is maintained in backups

Mobile Evidence Collection: Opportunities (2/3)

• Opportunities from Types of Data
  – Locational data available
  – Network connection information available

Mobile Evidence Collection: Opportunities (3/3)

• Opportunities yielded by the process
  – Broadening scope of discovery
  – Helping to find the “digital packrat”

Mobile Evidence Collection: Spoliation

• Devices viewed as a private, personal accessory
• Spoliation 10x increase over laptops
• Can yield obstacles and opportunities

Mobile Evidence Collection: Other Issues

• Cloud backups
• Encrypted backups
• Commingled personal data

Mobile Evidence Collection: Quick Takeaways (1/4)

Trends:
– Mobile device usage increasing
– Mobile evidence issues multiplying
– Mobile evidence collection increasingly complex

Source: Pew Research Center (Internet & American Life Project)

Source: Good Technology Corp. 2nd Annual State of BYOD Report. (n=100)

Mobile Evidence Collection: Quick Takeaways (2/4)

Checklist: Collecting a Smartphone
– Get the smartphone
– Get it fast
– Turn on airplane mode ASAP
– Obtain charging device
– Keep battery charged
– Obtain password / unlock code
– If Blackberry, have company/owner unlock it
– Send device & charger to mobile forensics expert

Mobile Evidence Collection: Quick Takeaways (3/4)

Secure Confidential & Proprietary Data
– Strong & enforced IT policy
– Password protection or encryption
– Watermarks, print banners, or hidden identifiers
– Usage restrictions (print, copy, etc.)

Mobile Evidence Collection: Quick Takeaways (4/4)

Geographic information not limited to Carriers
– EXIF data records geographic location of pictures
– Pictures themselves can document location
– Network connections are tracked and can be mapped back to geographic locations

Q&A / Discussion

Have a matter involving mobile evidence collection? Ask.

Didn’t understand that? Ask.

Want more info? Ask.

Christian Hicks
President, Elysium Digital

617-621-3100 x100