Tutorial 1. Introduction to Mobile Forensics
of the online course "Advanced Smartphone Forensics"
Mobile Forensics is a branch of Digital Forensics concerned with the acquisition and analysis of mobile devices to recover digital evidence of investigative interest.
When we talk about Mobile Forensics in general, we use the term “Forensically Sound”, commonly used in the forensic community to describe methods and techniques that respect the international guidelines for the acquisition and examination of mobile devices. The principles behind the correct application of Forensically Sound techniques serve one primary purpose: preserving the state of the evidence and, as far as possible, avoiding its contamination.
Every phase, from the acquisition to the forensic analysis of the mobile device, has to avoid altering the examined device. This is not easy at all, particularly with mobile devices.
The continuous evolution of mobile device technology brings new mobile phones to market, which creates new problems for digital investigations.
Hardware and software tools for analysing these devices are numerous, but none offers an integrated solution for the acquisition and forensic analysis of all smartphones.
Furthermore, mobile devices can hold plenty of digital information, almost as much as a computer, not only the call log or SMS messages of older mobile phones. Much of the digital information in a smartphone depends on the applications installed on it, which evolve in such variety that analysis software cannot support them completely.
Often the data acquisition from a mobile device is not compatible with some of the parameters that define a Forensically Sound method.
In other words, to access the mobile device it is necessary to use communication vectors, bootloaders and other agents that are installed in the device memory to enable communication between the phone and the acquisition tool, so it is not possible to use a write blocker.
Often we resort to modifying the device configuration for the acquisition, but this operation risks invalidating the evidence in Court, even when every technique is well documented. As far as possible it is always fundamental to respect the international guidelines on mobile forensics, to ensure the integrity of the evidence and the repeatability of the forensic process.
A fundamental aspect of device preservation at the crime scene is the collection of evidence on site: the preservation of a device found turned on, shielding it from Wi-Fi signals, telecommunication networks and GPS signals, and keeping the battery on charge. This is required to avoid its shutdown and the loss of important information such as a PIN.
A shutdown could require a later PIN bypass, or even cause data loss because of passwords or encryption. It is also fundamental to provide electromagnetic isolation immediately, using Faraday bags: devices or cases that isolate the mobile device, shielding it from radio signals.
Figure 1.0 – Faraday bag
A practical example of what can happen to a device found at a crime scene and not isolated is a complete remote wipe.
Figure 1.1 – Remote wiping command of an iPhone
The production process of forensic evidence is divided into five main phases: seizure, identification, acquisition and examination or analysis. Once the data is extracted from a device, different methods of analysis are used depending on the underlying case. As each investigation is distinct, it is not possible to have a single definitive procedure for all cases.
Each of these steps plays a basic role in the production of digital evidence. The international standards are fed by many studies and publications that try to define best practices and guidelines for the procedures and methods of digital forensics, such as the NIST guidelines.
Although the most recent ISO/IEC 27037 standard, “Guidelines for identification, collection and/or acquisition and preservation of digital evidence”, released in 2012, is not specific to mobile forensics, it defines methods and techniques for digital forensic investigations that are accepted in many Courts.
However, the overall process can be broken into four phases, as shown in the following diagram:
Below, the first two steps involved in the production of forensic evidence are explained. The remaining three steps will be explained in detail in the next lessons.
Handling the device during seizure is one of the important steps of a forensic analysis. At the crime scene it is important to document the seizure with pictures, writing down the “where and when”, the condition of the phone (whether it was damaged, turned on or switched off), a picture of the display if it was on, and the presence of memory cards.
It is necessary to seize cables, chargers, SIM cards and any papers or notes that may contain access codes; these can also be deduced from the personal papers of the criminals whose devices were confiscated. Statistically, many users choose passwords based on dates of birth, celebrations, names, number plates and other personal information in order to remember them. Looking for PINs and passwords can save investigators much time later.
At the crime scene, it is fundamental to use proper techniques to stop the device from communicating with other devices, whether by phone calls, SMS, Wi-Fi hotspots, Bluetooth, GPS and many more. It is necessary to place the device in a Faraday bag and, if possible, to add a jammer, to avoid altering the original state of the device. If the phone is not isolated, an incoming phone call, SMS or email may overwrite the previous ones during the evidence collection phase.
MOBILE DEVICE ISOLATION TECHNIQUES
Faraday bag – The immediate use of a Faraday bag is essential when a turned-on mobile phone is found. It is important to isolate the phone while keeping it on charge with an emergency battery, which allows you to reach the lab safely. The power cord must also be isolated, because it may allow the phone to receive communications. Different types of Faraday bags are on sale, from simple bags shielded from radio signals (which I do not recommend) to real isolation boxes, which are more effective. They are made of silver/copper/nickel RoHS double-layer conductive material. A Faraday bag can be a great solution to isolate the seized mobile device.
Figure 1.4 – Faraday bag pro
Jamming – Jammers, also known as radio jammers, are devices used to block the use of mobile phones by transmitting radio waves on the same frequencies used by mobile phones. This causes interference that inhibits communication between the phones and the BTS, paralysing every phone activity within its range.
Most mobile phones experience this disturbance merely as a lack of network connection. In mobile evidence collection, jammers are used to block GSM/UMTS/LTE radio communications. Obviously, the power of a jammer used in these circumstances must be limited (<1 W), otherwise it can disturb every telephone network around. Its use is illegal in some countries and is often allowed only to police forces.
Figure 1.5 – Jammer GSM -UMTS – LTE
Airplane mode – Airplane mode is one of the options that can be used to protect a mobile phone collected at the crime scene from incoming and outgoing radio transmissions. It is a risky option because it requires interacting with the phone, and it is possible only if the phone is not protected with a passcode. On iOS, from iOS 7, airplane mode can be set with the display locked by sliding the dock upward. To set airplane mode on Android OS:
Press the menu button on the phone to open the menu.
Select "Settings" at the bottom of the menu that comes up.
Under "Wireless & Networks", tap "More".
Look for the "Airplane mode" option at the top of the settings screen and tap it to put a check mark in the box beside it.
Wait for the button to turn blue. This tells you that the mode is active and your transmissions are now off.
Figure 1.6 – Airplane mode iOS 7/8 activation
The technical protection methods mentioned in the previous paragraphs should be applied with more attention on Android devices than on Apple devices. When they are seized, care is needed to be sure that our actions do not cause any change to the data on the device. At the same time, it is necessary to use every opportunity that might help the subsequent analysis.
Some of the settings that need to be modified in this situation are:
Enable the Stay awake setting: by activating this option and putting the device on charge (an emergency charger can be used), the device stays active and unlocked. On Android devices it can be found in Settings | Development, as shown in the following screenshot:
Figure 1.7 – Enable USB Debugging Android OS 4.2
Activation of USB debugging: activating this option allows greater access to the device over an Android Debug Bridge (ADB) connection. This option is a great tool for the forensic examiner during the data extraction process. On Android devices, this option can be found in Settings | Development:
Figure 1.8 – Enable USB Debugging Android OS
In later Android versions, from 4.2, the Development settings are hidden by default. To reveal them, go to Settings | About phone and tap Build number seven times.
Figure 1.9 – Enable USB Debugging Android OS 4.2
Before analysing an iPhone it is necessary to identify the hardware type and the firmware installed on it. The easiest way is to check the rear of the device’s shell, where the model number is printed:
Figure 2.0 – Hardware number iPhone
The firmware version can be checked in the iPhone menu under Settings/General/About/Version:
Figure 2.1 – Firmware version iPhone
A good alternative for getting lots of information from an iPhone is libimobiledevice (http://www.libimobiledevice.org), currently released in version 1.2, a set of tools for communicating with Apple devices, among which iPhone, iPad, iPod Touch and Apple TV. They do not need a jailbreak, and they allow reading device information, backup and restore, and similar options for the logical acquisition of the file system. They can be downloaded and used in a Linux environment and are integrated in the Santoku live distro (https://santoku-linux.com/).
In this practical exercise, we get information from an Apple iPhone:
Step one – Download the Santoku live distro, named santoku_0.5.iso, from the web site https://santoku-linux.com/, burn it to a DVD-ROM and boot from it.
Step two – To run libimobiledevice, navigate to Santoku –> Device Forensics –> lib-iMobile
Figure 2.2 – Running lib-iMobile on Santoku
Step three – This should open a terminal window and list the commands available in the libimobiledevice tool.
Figure 2.3 – List of commands available in the libimobiledevice tool
Step four – At this point, you can connect your iOS device to Santoku. If you are using a VM, make sure the USB device is “attached” to the VM and not to the host.
Figure 2.4 – iPhone connected to Santoku
Step five – You can easily check the connectivity between your iPhone and Santoku by typing this command in a terminal window:
The command gives all the information you see in the picture, including the device name, the UDID, the hardware model and much more.
Figure 2.5 – result of the idevice_id –s command
If you want to see only the iPhone’s UDID, run the command:
This should return the UDID of your phone.
Figure 2.6 – result of the idevice_id –l command
Getting information from an Android device is easy.
Go to the menu Settings/About Phone/Software and Hardware information, as shown in the screenshot:
Figure 2.7 – Android Settings –About Phone
In this case, we use a Windows host and the Android Software Development Kit. The Android SDK helps developers build, test and debug applications that run on Android. It includes software libraries, APIs, an emulator, reference material and many other tools. These tools not only help create Android applications but also provide documentation and utilities that help significantly in the forensic analysis of Android devices. A sound knowledge of the Android SDK helps you understand the particulars of a device, which in turn helps you during an investigation. During a forensic examination, the SDK lets us connect to the device and access the data present on it.
The method to get the serial number of an Android device is the following:
Step one – Download from web site the SDK package: https://developer.android.com/sdk/download.html?v=archives/android-sdk-windows-1.6_r1.zip
Step two – Create a folder called ANDROIDSDK and unzip the downloaded zip file into it
Step three – Connect your Android device via USB cable
Step four – In the Windows command prompt, browse to the tools subfolder of the ANDROIDSDK folder and run the adb devices command
Step five – If everything works properly, a list of connected devices will appear with their serial numbers. If the device is not present in the list, check that the driver works properly and that USB debugging is enabled.
Figure 2.8 – Windows Command Prompt – adb devices
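The two exercises above identify a handset from the text that the libimobiledevice and adb tools print. As an added example (not part of the course material), the following Python script normalises that text into one record for the acquisition log and flags the adb states in which extraction cannot proceed; it assumes the `ideviceinfo -s` command from libimobiledevice, which the page does not show, and both tool outputs are constructed samples rather than captures from real devices.

```python
import hashlib

# Constructed sample of what `ideviceinfo -s` prints; not captured from a real
# device, and the UDID is a 40-zero placeholder.
IDEVICEINFO_SAMPLE = """\
DeviceName: Evidence iPhone
HardwareModel: N51AP
ProductType: iPhone6,1
ProductVersion: 8.1
UniqueDeviceID: 0000000000000000000000000000000000000000
"""

# Constructed sample of `adb devices -l` output; both serials are made up.
ADB_DEVICES_SAMPLE = """\
List of devices attached
0123456789ABCDEF       device usb:1-1 product:hammerhead model:Nexus_5 device:hammerhead
FEDCBA9876543210       unauthorized usb:1-2
"""

def parse_ideviceinfo(text):
    """Turn the `Key: Value` lines printed by ideviceinfo into a dict."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            info[key.strip()] = value.strip()
    return info

def parse_adb_devices(text):
    """Return {serial: state} from `adb devices` output, skipping the header.
    'device' means ADB is usable; 'unauthorized' means USB debugging is on but
    the handset has not accepted the host; 'offline' usually means a driver issue."""
    devices = {}
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) >= 2:
            devices[parts[0]] = parts[1]
    return devices

def identification_record(ios_text, adb_text):
    """Build the identification entry for the acquisition log, hashing the raw
    tool output so the record can later be shown to be unaltered."""
    ios = parse_ideviceinfo(ios_text)
    adb = parse_adb_devices(adb_text)
    return {
        "ios": {k: ios.get(k) for k in ("ProductType", "ProductVersion", "UniqueDeviceID")},
        "android_ready": [s for s, st in adb.items() if st == "device"],
        "android_blocked": {s: st for s, st in adb.items() if st != "device"},
        "raw_sha256": hashlib.sha256((ios_text + adb_text).encode()).hexdigest(),
    }
```

On a live examination the two sample strings would be replaced by the captured tool output, and the returned record written to the case notes together with the hash.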
References, Bibliography, Sources and Suggested Reading
NIST (National Institute of Standards and Technology) – NIST Special Publication 800-101 Revision 1, Guidelines on Mobile Device Forensics.
Learning iOS Forensics – M. Epifani, P. Stirparo (Packt Publishing, 2015), ISBN 978-1-78355-351-8.
Android Forensics – Andrew Hoog (Syngress, 2011), ISBN 978-1-59749-651-3.
Practical Mobile Forensics – Satish Bommisetty, Rohit Tamma, Heather Mahalik (Packt Publishing, 2014), ISBN-13 978-1-78328-831-1.