A Little on Mobile Forensics

From the advent of the first portable phone, the DynaTAC 8000X (DYNamic Adaptive Total Area Coverage) and its first 20-minute call, through the first car phones developed in 1984, to the release of the MicroTAC in 1989, we have been enthralled with phone communication and its ability to bring people together in new and exciting ways.

For some, understanding the inner workings of phones even spawned a subculture of its own, but very little is ever said about how cellular networks actually run or how mobile forensics itself works.

When looking at photos taken with a phone, I've found that one of the best tools around is actually Google Earth. Geotagged photos carry their coordinates in the EXIF metadata, so you can look up those coordinates, gain valuable information about the locations, and in some cases trace the entire path the person carrying the phone took.
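As an added example (not code from the original post), here is how the coordinates are turned into something Google Earth can plot. EXIF stores GPS latitude and longitude as three rationals (degrees, minutes, seconds) plus an N/S or E/W reference, so the example converts those to signed decimal degrees, rejects corrupt or out-of-range values, orders the fixes by the EXIF timestamp, and writes a KML file with one placemark per photo and a LineString path joining them. The fixes in SAMPLE_FIXES are constructed sample data, not real extraction output.

```python
"""Turn EXIF-style GPS fixes from phone photos into a KML path for Google Earth.

Added example, not code from the original post. SAMPLE_FIXES is constructed
data in the shape EXIF stores it: (numerator, denominator) rationals for
degrees, minutes and seconds plus a hemisphere reference letter.
"""
from datetime import datetime
from fractions import Fraction
from xml.sax.saxutils import escape

# Constructed sample: (EXIF DateTimeOriginal, lat DMS, lat ref, lon DMS, lon ref)
SAMPLE_FIXES = [
    ("2013:06:02 14:03:10", ((38, 1), (53, 1), (2307, 100)), "N", ((77, 1), (2, 1), (1141, 100)), "W"),
    ("2013:06:02 13:41:55", ((38, 1), (53, 1), (4008, 100)), "N", ((77, 1), (0, 1), (5020, 100)), "W"),
    ("2013:06:02 15:20:01", ((38, 1), (52, 1), (5015, 100)), "N", ((77, 1), (3, 1), (1902, 100)), "W"),
]


def dms_to_decimal(dms, ref):
    """Convert EXIF DMS rationals to signed decimal degrees.

    S and W hemispheres are negative. A zero denominator (seen in damaged
    EXIF blocks) raises ZeroDivisionError instead of silently yielding 0.
    """
    d, m, s = (Fraction(n, den) for n, den in dms)
    value = d + m / 60 + s / 3600
    if ref.upper() in ("S", "W"):
        value = -value
    return float(value)


def parse_exif_datetime(text):
    """EXIF timestamps use colons in the date part, e.g. '2013:06:02 14:03:10'."""
    return datetime.strptime(text, "%Y:%m:%d %H:%M:%S")


def fixes_to_points(fixes):
    """Return (timestamp, lat, lon) tuples ordered by time, validating ranges."""
    points = []
    for stamp, lat_dms, lat_ref, lon_dms, lon_ref in fixes:
        lat = dms_to_decimal(lat_dms, lat_ref)
        lon = dms_to_decimal(lon_dms, lon_ref)
        if not (-90 <= lat <= 90 and -180 <= lon <= 180):
            raise ValueError("out-of-range coordinate in fix %r" % stamp)
        points.append((parse_exif_datetime(stamp), lat, lon))
    points.sort(key=lambda p: p[0])  # photo order on disk is not travel order
    return points


def points_to_kml(points, name="phone photo path"):
    """Build a KML document: one timestamped placemark per fix plus a path.

    KML coordinate order is longitude,latitude,altitude.
    """
    marks = []
    for when, lat, lon in points:
        stamp = when.isoformat()
        marks.append(
            "  <Placemark><name>%s</name><TimeStamp><when>%s</when></TimeStamp>"
            "<Point><coordinates>%.6f,%.6f,0</coordinates></Point></Placemark>"
            % (escape(stamp), stamp, lon, lat)
        )
    path = " ".join("%.6f,%.6f,0" % (lon, lat) for _, lat, lon in points)
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<kml xmlns="http://www.opengis.net/kml/2.2"><Document><name>%s</name>\n'
        "%s\n"
        "  <Placemark><name>path</name><LineString><tessellate>1</tessellate>"
        "<coordinates>%s</coordinates></LineString></Placemark>\n"
        "</Document></kml>\n" % (escape(name), "\n".join(marks), path)
    )


def build_kml(fixes=SAMPLE_FIXES):
    return points_to_kml(fixes_to_points(fixes))


if __name__ == "__main__":
    with open("phone_path.kml", "w", encoding="utf-8") as fh:
        fh.write(build_kml())
    print("wrote phone_path.kml; open it in Google Earth")
```

Open the resulting .kml in Google Earth and the placemarks appear in time order with the path drawn between them. The sort by timestamp matters: file names or directory order on a phone say nothing about the sequence in which photos were taken.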

What if you need more information about the phone itself? Say you have an old phone you purchased on eBay (a great place to get old phones to experiment with) and you have no idea what you're dealing with. In that case, I would say to check out Phone Scoop and GSM Arena. You can also try iFixit if you'd like to see how to take apart or repair said phone.

I will not go into all the technical details (there are a ton, frankly) when it comes to analysis, but I will go over a few basic tools professionals use and the different layers that forensic acquisition dives into.

The Collection Pyramid was developed by Sam Brothers of U.S. Customs and Border Protection and classifies acquisition methods by how invasive they are: level 1 at the base is the least invasive and needs the least skill, and each level above it is more technically complex, more invasive, and more likely to leave the device unusable. Keep in mind that level 5 is more or less hypothetical.

Level 1: Manual Extraction

Manual extraction involves navigating the device by hand and documenting what appears on its screen, typically by photographing or transcribing it. Nothing is pulled off the device electronically, so only data the user interface exposes can be captured.

Level 2: Logical Analysis

Logical extraction occurs when you use one of the device's built-in interfaces (USB, Wi-Fi, IrDA, or Bluetooth) to transfer data. The examiner's software speaks the device's own protocols and asks it for its data, so it gets back the files and records the device is willing to hand over (contacts, messages, call logs, backups) rather than a raw copy of the storage, and deleted data is generally not recovered. This type of collection is supported by most examiners and vendors.
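What a logical extraction actually produces is an artifact in whatever container the device's protocol returns. As an added example (not code from the original post), the block below handles the container that `adb backup` writes on Android: four newline-terminated header lines ("ANDROID BACKUP", a version, a compressed flag, and the encryption scheme) followed by a zlib stream holding a tar archive. It validates the header, refuses encrypted backups it cannot open, unpacks the tar in memory, and returns a SHA-256 per file so the contents can be logged for chain of custody. The backup bytes are constructed in memory by build_sample_backup so the example runs offline; the file names in it are made up.

```python
"""Inventory an Android logical backup (.ab) container.

Added example, not code from the original post. build_sample_backup()
fabricates a backup so this runs without a device; the file names are
made-up sample data.
"""
import hashlib
import io
import tarfile
import zlib

MAGIC = b"ANDROID BACKUP"


def build_sample_backup(files, compress=True, version=1):
    """Constructed sample: wrap {path: bytes} in the .ab container format."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    payload = buf.getvalue()
    header = b"%s\n%d\n%d\nnone\n" % (MAGIC, version, 1 if compress else 0)
    return header + (zlib.compress(payload) if compress else payload)


def parse_android_backup(blob):
    """Validate the .ab header and return {path: sha256 hex} for every file.

    Only the first four newlines are header delimiters; the zlib body that
    follows may legitimately contain 0x0a bytes, so split with maxsplit=4.
    """
    parts = blob.split(b"\n", 4)
    if len(parts) < 5 or parts[0] != MAGIC:
        raise ValueError("not an Android backup container")
    version, compressed, encryption, body = parts[1], parts[2], parts[3], parts[4]
    if not version.isdigit():
        raise ValueError("malformed version line")
    if encryption != b"none":
        # Encrypted backups carry a key-derivation block next; a password is
        # required and this example does not attempt to decrypt them.
        raise ValueError("encrypted backup (%s): password needed" % encryption.decode("ascii", "replace"))
    if compressed == b"1":
        body = zlib.decompress(body)
    elif compressed != b"0":
        raise ValueError("bad compression flag %r" % compressed)

    inventory = {}
    with tarfile.open(fileobj=io.BytesIO(body), mode="r:") as tar:
        for member in tar:
            if member.isfile():
                data = tar.extractfile(member).read()
                inventory[member.name] = hashlib.sha256(data).hexdigest()
    return inventory


SAMPLE_FILES = {  # constructed sample contents, not from a real device
    "apps/com.example.sms/db/sms.db": b"SQLite format 3\x00" + b"\x00" * 64,
    "apps/com.example.sms/_manifest": b"com.example.sms\n1\n",
    "shared/0/DCIM/IMG_0001.jpg": b"\xff\xd8\xff\xe1fake-jpeg\xff\xd9",
}


if __name__ == "__main__":
    for path, digest in sorted(parse_android_backup(build_sample_backup(SAMPLE_FILES)).items()):
        print(digest, path)
```

On a real device the container comes from `adb backup -all -f backup.ab` (with backup allowed on the device), and the hashes produced here are what you would record against the acquisition before any analysis tool touches the files.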

Level 3: HEX Dumping/JTAG

With hex dumping, a custom boot loader is pushed into the device's volatile memory, bypassing the built-in protections meant to stop exactly that. Once loaded it stands in for the original firmware, and the examiner uses the device's own commands and procedures to dump the contents of flash. With JTAG, the examiner instead connects to the processor's Test Access Port (TAP) on the circuit board and has the processor read out flash memory directly.

This is a fairly invasive process, since the device is disassembled and leads may have to be soldered to the TAP pads on the board, but the payoff is a full physical image of the flash, taken without the device's passcode, from which the partitions holding user data can be located and carved out.

Level 4: Chip-Off

Chip-off involves the physical removal of the device's flash memory. The examiner has to disassemble the device and desolder the memory chip from the circuit board before placing it into a specialized reader that can address it directly.

Reader adapters are specific to the package and type of flash memory the device uses, and the raw bin file the reader produces has to be interpreted by software that understands that layout: raw NAND dumps in particular still contain the chip's spare/ECC areas and wear-leveling structure, which must be undone before an ordinary partition table or file system can be found in them.

This is also an invasive and delicate process: it is extremely labor intensive and expensive, and once the chip has been removed the device is inoperable.
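Whether the dump came from JTAG or chip-off, the first analysis step is the same: find the partitions in the raw image so the user-data areas can be carved out and handed to a file system tool. As an added example (not code from the original post, and serving both the JTAG and chip-off sections above), the block below parses a GPT partition table from a raw image, checks the header and entry-array CRC32s so that a damaged or mis-read dump is reported rather than silently misparsed, and returns each partition's name, byte offset and size. It assumes a managed-flash (eMMC-style) image where the GPT sits at LBA 1; a raw NAND dump needs its spare areas stripped first. The image is constructed in memory by build_sample_image, and its partition names and sizes are made up.

```python
"""Locate partitions in a raw flash image from a JTAG or chip-off dump.

Added example, not code from the original post. Assumes an eMMC-style image
with a GPT at LBA 1. build_sample_image() fabricates such an image in memory
so the example runs offline; the partition layout in it is made up.
"""
import struct
import uuid
import zlib

SECTOR = 512
GPT_SIG = b"EFI PART"
HEADER_FMT = "<8sIIIIQQQQ16sQIII"  # 92-byte GPT header
ENTRY_FMT = "<16s16sQQQ72s"        # 128-byte partition entry
ENTRY_COUNT, ENTRY_SIZE = 128, 128


def build_sample_image(parts, total_sectors=4096):
    """Constructed sample: protective-MBR stub, GPT header at LBA 1, entries at LBA 2."""
    img = bytearray(total_sectors * SECTOR)
    entries = b""
    for name, first, last in parts:
        entries += struct.pack(ENTRY_FMT, uuid.uuid4().bytes_le, uuid.uuid4().bytes_le,
                               first, last, 0, name.encode("utf-16-le").ljust(72, b"\0"))
    entries = entries.ljust(ENTRY_COUNT * ENTRY_SIZE, b"\0")
    entries_crc = zlib.crc32(entries) & 0xFFFFFFFF
    header = struct.pack(HEADER_FMT, GPT_SIG, 0x00010000, 92, 0, 0, 1, total_sectors - 1,
                         34, total_sectors - 34, uuid.uuid4().bytes_le, 2,
                         ENTRY_COUNT, ENTRY_SIZE, entries_crc)
    # Header CRC is computed with its own CRC field zeroed, then patched in.
    header_crc = zlib.crc32(header) & 0xFFFFFFFF
    header = header[:16] + struct.pack("<I", header_crc) + header[20:]
    img[0x1FE:0x200] = b"\x55\xAA"
    img[SECTOR:SECTOR + 92] = header
    img[2 * SECTOR:2 * SECTOR + len(entries)] = entries
    return bytes(img)


def parse_gpt(img):
    """Verify the GPT header and entry-array CRCs, then return (partitions, disk info)."""
    raw = img[SECTOR:SECTOR + struct.calcsize(HEADER_FMT)]
    (sig, _rev, hsize, hcrc, _res, _cur, _bak, _first_use, last_use, disk_guid,
     ent_lba, n_ent, ent_size, ecrc) = struct.unpack(HEADER_FMT, raw)
    if sig != GPT_SIG:
        raise ValueError("no GPT signature at LBA 1: MBR-only device, or spare areas not stripped")
    hdr = bytearray(img[SECTOR:SECTOR + hsize])
    hdr[16:20] = b"\0\0\0\0"
    if zlib.crc32(bytes(hdr)) & 0xFFFFFFFF != hcrc:
        raise ValueError("GPT header CRC mismatch: corrupt or mis-read dump")
    table = img[ent_lba * SECTOR: ent_lba * SECTOR + n_ent * ent_size]
    if zlib.crc32(table) & 0xFFFFFFFF != ecrc:
        raise ValueError("partition entry array CRC mismatch")
    parts = []
    for i in range(n_ent):
        entry = table[i * ent_size:(i + 1) * ent_size]
        type_guid, _uniq, first, last, _attrs, name = struct.unpack(ENTRY_FMT, entry[:128])
        if type_guid == b"\0" * 16:
            continue  # unused slot
        parts.append({
            "name": name.decode("utf-16-le").rstrip("\0"),
            "first_lba": first, "last_lba": last,
            "offset": first * SECTOR, "size": (last - first + 1) * SECTOR,
            "type": str(uuid.UUID(bytes_le=type_guid)),
        })
    return parts, {"disk_guid": str(uuid.UUID(bytes_le=disk_guid)), "last_usable_lba": last_use}


def carve(img, part):
    """Slice one partition out of the image so it can be handed to a file system tool."""
    return img[part["offset"]:part["offset"] + part["size"]]


SAMPLE_LAYOUT = [("boot", 34, 1057), ("system", 1058, 2081), ("userdata", 2082, 4062)]  # made up


if __name__ == "__main__":
    image = build_sample_image(SAMPLE_LAYOUT)
    for p in parse_gpt(image)[0]:
        print("%-10s offset=%-10d size=%d" % (p["name"], p["offset"], p["size"]))
```

On a real dump the offset and size of the userdata partition are what you feed to dd (or mount -o loop,offset=...) to extract it for Autopsy or another file system tool. The CRC checks are not optional: a JTAG read with a flaky connection or a chip-off read with wrong timing produces plausible-looking garbage, and a failed CRC is often the first sign.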

Level 5: Micro

Micro read means observing the individual cells of a flash memory chip with an electron microscope. This is pretty theoretical and hasn't been demonstrated publicly. Basically, you look at each cell's floating gate and determine whether it holds trapped electrons.

Under the usual NAND convention a charged (programmed) cell reads as a 0 and an uncharged (erased) cell as a 1, and multi-level cells store more than one bit per cell by distinguishing several charge levels. The individual cell readings would then have to be reassembled by hand into a binary image before it could be decoded like any other dump.

Pretty interesting eh? So what are some tools used in the field and what types of analysis do they do?

Well, here's a list. In the annotations, Logical means a logical extraction, FS means a file system extraction, and Physical means a bit-for-bit image, either non-invasive (over the device's own interfaces) or invasive (JTAG, chip-off).

Keep in mind, the first category is listed mostly for reference rather than for playing with, since licenses for these tools can run up to $10K PER seat.

Commercial Tools:
BlackLight: (Logical/FS)
UFED 4PC: (Logical/FS/Physical/Non-Invasive/Invasive)
Device Seizure: (Logical/FS/Physical/Non-Invasive/Invasive)
EnCase: (Logical/FS/Physical/Non-Invasive)
Lantern: (Logical/FS/Physical/Non-Invasive)
MOBILedit Forensic: (Logical/FS)
MPE+: (Logical/FS/Physical/Non-Invasive/Invasive)
Oxygen: (Logical/FS/Physical/Non-Invasive/Invasive)
Secure View: (Logical)
XRY: (Logical/FS/Physical/Non-Invasive/Invasive)

Open Source Tools:
BitPim
Autopsy
Plist Editor
Santoku: Linux distribution bundling tools for mobile investigations and malware analysis
OSAF: Open Source Android Forensics toolkit, aimed at malware analysis on Android

iOS Devices:
iPBA2 (iPhone Backup Analyzer 2): decodes iPhone backups up to iOS 6.x

Now that you've got a few tools to play with, perhaps consider getting an old junker phone off eBay and start experimenting with some of the software available. :)