Trends in Mobile Devices Data and Artifacts
Inbar Ries, Senior Director, Forensics Products
June, 2014
Trends
Much More Data
• Variety
• Amount
• Initiator - user and device
New Data Management
• Multiple locations
• Multiple types
Mobile Apps Dominate
Contacts – friends, favorites, groups
Call logs
Chats – messages, attachments
Emails
Location
Images
Malware
Over 2 Million Apps in App Store & Google Play
102 Billion downloads in 2013
Device Internal Data
Locations
Media files metadata
User ID (e.g. Apple ID)
Tethering information
Cloud backup indication
Device power log (off/on)
Installed applications & usage
Application permissions
Locations
■Cell towers
■WiFi networks
■Applications location
■Media files
■Journeys taken from GPS applications/devices
The Device Knows Where Its Owner Has Been
■The location data is derived from the cell towers and Wi-Fi hotspots the device has encountered
■The location service is enabled by default
■The data is stored in an SQLite database for future use
■Deleted data can be recovered
Locations in Android Devices
Location reporting is available on devices running Android 2.3 or higher
Locations in iOS Devices
■iOS 4 and above
■Location accuracy
  Location service uses a combination of cellular, Wi-Fi, Bluetooth, and GPS to determine your location.
■System location service
  ■iPhone will periodically send locations of where you have purchased or used Apps in an anonymous and encrypted form to Apple
  ■iPhone will keep track of places you have recently been, as well as how often and when you visited them. This data is kept solely on your device
Location in Applications
■User location per activity
■Friend’s locations
■Other people nearby
Locations from TomTom devices
The potential
Detailed location info including Lat/Lon and timestamps
Data stored on the device
Encrypted triplog files
Image carving
■File carving is a powerful tool for recovering files and fragments of files
■Recovery of images that have a full, partial or corrupted header
  ■Quick scan
  ■Fewer false positives
■Recovery of blocks of JPEG data without header information
  ■Longer duration
  ■Many more results
  ■More false positives
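Header-based carving as described on this slide, as an added example (not part of the original deck and not Cellebrite's code; the function names and the byte buffer are constructed for illustration). Rather than stopping at the first FF D9, it walks the JPEG segment structure, so an embedded EXIF thumbnail does not end the file early and a header followed by non-JPEG data is rejected as a false positive.

```python
import struct

def seg(marker, payload):
    # Build one JPEG segment: FF, marker byte, big-endian length, payload.
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

def jpeg_end(buf, start):
    """Walk segments from the SOI at `start`; return offset past EOI, or None."""
    pos = start + 2
    while pos + 2 <= len(buf):
        if buf[pos] != 0xFF:
            return None                       # structure broken: reject candidate
        marker = buf[pos + 1]
        if marker == 0xD9:                    # EOI: end of this image
            return pos + 2
        if pos + 4 > len(buf):
            return None
        seg_len = struct.unpack(">H", buf[pos + 2:pos + 4])[0]
        if seg_len < 2:
            return None
        pos += 2 + seg_len                    # skip segment, EXIF thumbnail included
        if marker == 0xDA:                    # SOS: entropy-coded data follows
            while True:
                pos = buf.find(b"\xff", pos)
                if pos < 0 or pos + 1 >= len(buf):
                    return None               # truncated image
                nxt = buf[pos + 1]
                if nxt in (0x00, 0xFF) or 0xD0 <= nxt <= 0xD7:
                    pos += 1 if nxt == 0xFF else 2   # fill, stuffed byte or restart
                else:
                    break                     # real marker: back to the segment walk
    return None

def carve_jpegs(buf):
    """Return (start, end) offsets of structurally complete JPEGs in buf."""
    found, pos = [], buf.find(b"\xff\xd8\xff")
    while pos >= 0:
        end = jpeg_end(buf, pos)
        if end:
            found.append((pos, end))
        pos = buf.find(b"\xff\xd8\xff", end if end else pos + 1)
    return found

# Constructed sample (not a decodable picture): a structurally valid JPEG whose
# EXIF segment embeds a tiny thumbnail, then a fragment with only a valid header.
JPEG = (b"\xff\xd8" + seg(0xE0, b"JFIF\x00" + bytes(9))
        + seg(0xE1, b"Exif\x00\x00" + b"\xff\xd8\xff\xd9")
        + seg(0xDA, bytes(10)) + b"\x12\xff\x00\x34\xff\xd0\x56\xff\xd9")
DISK = bytes(7) + JPEG + b"unallocated" + b"\xff\xd8" + seg(0xE0, b"JFIF\x00" + bytes(9)) + b"slack"
print(carve_jpegs(DISK))
```

A search for the first FF D9 after the header would cut this sample at the thumbnail's end marker, 34 bytes in, instead of at the real end of the 57-byte image.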
Media files
■Video and image files
■Where – latitude and longitude
■When – capture time
■Which camera – device make and model
  ■Device owner
  ■Other camera
■What the area looks like
Malware
■Mobile malware increasing by 1000% in the last year
■Mainly on Android and BlackBerry platforms
■2013 - 143K malicious programs targeting mobile devices were detected
■Devices are affected by:
  ■A fake version of a real site
  ■Infected legit app
  ■Unofficial websites where users can freely download apps
The Real Danger of Malware
■Stealing of
  ■Private information
  ■Bank account information and password
  ■Credit card numbers
  ■Company intellectual property
■Deleting data
■Forcing the use of premium content
■Bricking the device
Trends
Much More Data
• Variety
• Amount
• Initiator - user and device
New Data Management
• Multiple locations
• Multiple types
SQLite Databases – Standard
■SQLite database is already installed in many devices including Android, Apple and Blackberry
■Multiple data types
  ■Text, date and time, numbers
  ■Files (image, audio, documents)
■Deleted data can be recovered
SQLite Databases – Content
■Applications data
  ■The data is per application and cannot be accessed by other applications
  ■Data: user profile, messages, locations, contacts, images and more
  ■Device native applications including SMS, MMS, contacts
■Device internal usage
  ■The amount of data that is saved but not exposed to the user is massive
  ■Data: configuration, cached information, locations and more
Logs
■Logs can include errors but also valuable system information
  ■Transactions status
  ■Device information
Configuration files
■What can be found:
  ■Date, time and time zone configuration
  ■Applications permissions
  ■Tethering data - hotspot name, password and last activation time
  ■Location service status - on/off
■Configuration files:
  ■Apple – Plist, bplist
  ■Android – XML preference files
Thank You
www.cellebrite.com