Trends in Mobile Devices Data and

ArtifactsInbar Ries, Senior Director, Forensics Products

June, 2014

Trends

Much More Data

• Variety• Amount • Initiator - user and device

New Data Management

• Multiple locations• Multiple types

Mobile Apps Dominate

Contacts – friends, favorites, groups

Call logs

Chats – messages, attachments

Emails

Location

Images

MalwareOver 2 Million Apps in App Store & Google Play

102 Billion downloads in 2013

Device Internal DataLocations

Media files metadata

User ID (e.g. Apple ID)

Tethering information

Cloud backup indication

Device power log (off/on)

Installed applications & usage

Application permissions

Locations

■Cell towers

■WiFi networks

■Applications location

■Media files

■Journeys taken from GPS

applications/devices

The Device Knows Where his Owner has been

■The location data is derived by the cell towers

and Wi-Fi hotspots the devices encountered

■The location service is enabled by default

■The data is stored in SQLite database for future use

■ Deleted data can be recovered

Locations in Android Devices

Location reporting is

available on devices running

Android 2.3 or higher

Locations in iOS Devices■iOS 4 and above

■Location accuracyLocation service uses a combination of cellular,Wi-Fi, Bluetooth, and GPS to determine your location.

■System location service■ iPhone will periodically send locations of where

you have purchased or used Apps in an anonymous and encrypted formto Apple

■ iPhone will keep track of places you have recentlybeen, as well as how often and when you visited them. This data is kept solely on your device

Location in Applications■User location per activity

■Friend’s locations

■Other people nearby

Locations from TomTom devices

The potential

Detailed location info including Lat/Lon and

timestamps

Data stored on the device

Encrypted triplog files

Internal & Confidential 13

Image carving

■File carving is a powerful tool for recovering files and fragments of files

■Recovery of images that have a full or partial or corrupted header■Quick scan ■Less false positive

■ Recovery of blocks of JPEG data without header information ■Longer duration■Much more results■More false positive

Media files■Video and image files■Where – Latitude and longitude■When - capture time ■Which camera - device make and model

■Device owner ■Other camera

■How the area looks like

Malware

■Mobile malware increasing by 1000% in the last year

■Mainly on Android and BlackBerry platforms

■2013 - 143K malicious programs targeting mobile devices were

detected

■Devices are affected by:

■A fake version of a real site

■ Infected legit app

■Unofficial websites where users can freely download apps

The Real Danger of Malware

■Stealing of

■Private information

■Bank account information and password

■Credit card numbers

■Company intellectual property

■Deleting data

■Forcing the use of premium content

■Bricking the device

Trends

Much More Data• Variety• Amount • Initiator - User and device

New Data Management• Multiple locations• Multiple types

SQLite Databases – Standard■SQLite database is already installed in many devices

including Android, Apple and Blackberry

■Multiple data types

■Text, date and time, numbers

■Files (image, audio, documents)

■ Deleted data can be recovered

SQLite Databases – Content■Applications data

■The data is per application and cannot be accessed by other applications

■Data: User profile, messages, locations, contacts, images and more

■Device native applications including SMS, MMS, contact

■Device internal usage■The amount of data that is saved but not exposed to the user is

massive■Data: configuration, cached information, locations and more

Logs■Logs can include errors but also valuable system

information

■Transactions status

■Device information

Configuration files■What can be found:

■Date, time and time zone configuration

■Applications permissions

■Tethering data - Hotspot name, password and

last activation time

■Location service status - on/off

■Configuration files:

■Apple – Plist, bplist

■Android – XML preference files

Thank Youwww.cellebrite.com