Advanced Techniques in Forensic Examination of Smartphones 2012 (C) Oxygen Software, 2000-2012 http://www.oxygen-forensic.com



Worldwide smartphone sales

[Two pie charts of worldwide smartphone sales by platform (Symbian, RIM, iPhone, Android, Windows Mobile): 81M devices sold in 3Q 2010 vs. 115M devices sold in 3Q 2011. Source: Gartner (November 2011)]

Smartphone market increased by 42% during just 1 year!

Top smartphone vendors - 2011

[Pie chart of device sales by vendor (Nokia, Samsung, LG, Apple, RIM, HTC, Others); 440.5M devices sold in 3Q 2011. Source: Gartner (November 2011)]

Smartphones

What information is stored on a modern smartphone?

Cell phone
Address book
Planner & Organizer
Messenger
Photo & Video camera
GPS navigator
Web & IM client
Platform for 3rd party apps

Smartphone is a small PC

Smartphone as: Cell phone

Basic Information
• IMEI/ESN/Serial number
• Hardware & Software revision
• Network information

Event log
• Incoming, outgoing, missed calls history
• Sent & received messages history
• GPRS & Wi-Fi sessions log

SIM card
• IMSI
• Phone numbers*
• SMS messages*

* - Usually these features are not utilized by smartphones

Smartphone as: Address book

Contacts information
• First, middle, last name, nickname, joint name, company, department, job title
• Photo and personal ringing tone
• Phone numbers: general, mobile, fax, video, pager, VoIP, push-to-talk
• Postal addresses, Web pages and e-mails
• Different contact sources (Android)
• Number of calls (Android)
• Text notes
• Private info: birthday, spouse, children
• Custom field labels (Symbian, iPhone OS)
• Multiple fields of the same type
• Creation and last modification times (Symbian, iPhone OS)

Caller groups
• List of caller groups and the contacts belonging to each

Speed dials
• List of assigned speed dials

Smartphone as: Planner

Calendar events
• Meetings, reminders and anniversaries
• Start date & time
• Finish date & time
• Alarm date & time
• Recurrence
• Last modification date & time

Tasks
• Task description
• Deadline
• Priority
• Alarm date & time
• Completion date & time

Notes
• Note text & date

Smartphone as: Messenger

Messaging system
• Text messages (SMS)
• Multimedia messages (MMS)
• E-mail messages with attached files
• BIO messages: vCard, vCal, configuration and others
• Beamed messages: files sent via Bluetooth, IR or USB
• Standard message folders
• Custom message folders
• Date & time
• Service center timestamp for incoming messages
• Information about deleted SMS messages (Symbian, iPhone OS)
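The service center timestamp listed above deserves a closer look: it is written by the SMSC, not by the handset clock, so an examiner can compare it against the device's own "received" time. The decoder below is an added example, not code from the Oxygen deck or product; the timestamp and PDU bytes in it are constructed samples, and mapping the two-digit year to 2000-2099 is an assumption.

```python
# Added example, not from the Oxygen Software deck: decode the 7-octet
# TP-Service-Centre-Time-Stamp (SCTS) the SMSC writes into every SMS-DELIVER
# PDU (3GPP TS 23.040, 9.2.3.11). It is network time, not device-clock time.
from datetime import datetime, timedelta, timezone


def _semi_octet(b: int) -> int:
    """Digits are packed low nibble first: raw 0x12 encodes the number 21."""
    return (b & 0x0F) * 10 + (b >> 4)


def decode_scts(octets: bytes) -> datetime:
    """Aware datetime for a 7-octet SCTS (YY MM DD hh mm ss TZ). TZ is the UTC
    offset in quarter hours as swapped digits; bit 3 of its low nibble is the
    sign (1 = west of UTC). Two-digit year: 2000-2099 assumed (no century in spec)."""
    if len(octets) != 7:
        raise ValueError("SCTS must be exactly 7 octets")
    yy, mo, dd, hh, mi, ss = (_semi_octet(b) for b in octets[:6])
    tz = octets[6]
    quarters = (tz & 0x07) * 10 + (tz >> 4)   # mask the sign bit before decoding
    offset = timedelta(minutes=15 * quarters)
    if tz & 0x08:                              # sign bit set: negative offset
        offset = -offset
    return datetime(2000 + yy, mo, dd, hh, mi, ss, tzinfo=timezone(offset))


def scts_from_deliver_pdu(pdu_hex: str) -> datetime:
    """Walk an SMS-DELIVER PDU (the raw form many handsets and SIM cards store)
    up to its SCTS: SMSC block, TP-MTI octet, originating address, PID, DCS."""
    pdu = bytes.fromhex(pdu_hex)
    pos = 1 + pdu[0]                 # skip SMSC length octet and SMSC address
    if pdu[pos] & 0x03 != 0x00:      # TP-MTI 00 = SMS-DELIVER (mobile terminated)
        raise ValueError("not an SMS-DELIVER PDU")
    pos += 1
    oa_digits = pdu[pos]             # TP-OA length is counted in digits, not octets
    pos += 2 + (oa_digits + 1) // 2  # length octet, type-of-address, packed digits
    pos += 2                         # TP-PID, TP-DCS
    return decode_scts(pdu[pos:pos + 7])


# Constructed samples (not captured from a real device).
SCTS_PLUS_ONE = bytes.fromhex("11113041527040")    # 2011-11-03 14:25:07 UTC+01:00
SCTS_MINUS_FIVE = bytes.fromhex("2160519003000A")  # 2012-06-15 09:30:00 UTC-05:00
DELIVER_PDU = ("07917283010010F5"       # SMSC: 7 octets, international number
               "04" "0BC87238880900F1"  # TP-MTI/flags, TP-OA: 11 alphanumeric digits
               "0000" "11113041527040"  # TP-PID, TP-DCS, TP-SCTS
               "0AE8329BFD4697D9EC37")  # TP-UDL and 7-bit packed user data
```

A large gap between `decode_scts(...)` and the handset's stored receive time is a sign the device clock was wrong or altered at the time of delivery.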

Smartphone as: GPS navigator

GPS Navigator
• Last fixed GPS coordinates
• Search history
• Routes history
• Last displayed map
• Saved maps
• List of favorite places

Location tagger
• GPS coordinates in camera snapshots*
• Cell coordinates in camera snapshots*
• Cell coordinates for camera snapshots**
• Cell coordinates for video records**
• Cell coordinates for SMS messages**

* - Available in EXIF header for almost all models having GPS receiver
** - Available in several Nokia smartphones and Sony Ericsson devices

Smartphone as: Web client

Web browser
• Web cache files
• Bookmarks
• Pages view history
• Last opened URLs
• Search history
• Cookies

IM client
• IP, Login (UID, e-mail) and password*
• Contacts list
• Chat history
• Calls history

* - Available for some IM clients

Smartphone as: PC

Operating System apps
• Camera snapshots
• Video clips
• Voice records
• Sounds and Podcasts
• Wi-Fi networks list
• Paired Bluetooth devices list
• Activated SIM cards list
• VPN profiles

3rd party apps
• List of installed applications
• Office documents
• Application logs & data files

Extraction

What data extraction methods are available for mobile devices?

There are 2 standard ways to get forensic information from smartphones: logical and physical analysis


Standard extraction methods

Logical analysis
• Data extracted using common PC-to-mobile communication protocols: AT, OBEX, SyncML
• Smartphone connected to PC with a standard cable (or Bluetooth/IR adapter)

Physical analysis
• Data extracted using direct memory reading (hex dump)
• Smartphone (or its memory chip only) connected to special hardware

Logical analysis for smartphones

AT+
• General phone information
• Contacts (simple), calls*, SMS, settings*

Nokia FBUS
• General phone information

OBEX
• General phone information
• Files*

SyncML
• General phone information
• Contacts, calendar, notes, settings*, bookmarks, messages*

1) The information extracted by all logical protocols is only the tip of the iceberg
2) All logical protocols were developed for data synchronization

Reachable through logical protocols:
General phone information
Contacts*
Calendar
Notes
Calls history
Messages*
Files*
Settings*
Bookmarks

* - Available data set is restricted and depends highly on manufacturer implementation

Out of reach of logical protocols:
Caller groups
Custom field labels
Speed dials
Messages from custom folders
Event log
Deleted messages information
Service center timestamps
GPS information
Location tagged data
Web browser data
IM client data
3rd party apps

Physical analysis for smartphones

What to do with gigabytes of that?

Standard extraction methods: Summary

Physical analysis
• All information can be extracted
• Hard to perform
• Very hard to analyze
• Expensive software, special hardware needed

Logical analysis
• Little information can be extracted
• Easy to perform
• Easy to analyze
• Affordable software, no special hardware needed

In 2002 Oxygen Software invented the 3rd way - analysis using a special agent application working inside the smartphone OS

How to extract data without a headache?

Physical analysis
• All information can be extracted
• Hard to perform
• Very hard to analyze
• Expensive software, special hardware needed

Analysis using Agent application
• Most of the information can be extracted*
• Easy to perform
• Easy to analyze
• Affordable software, no special hardware needed

Logical analysis
• Little information can be extracted
• Easy to perform
• Easy to analyze
• Affordable software, no special hardware needed

* - Agent can extract all the information available to native OS applications

Agent application usage

Extracted by the Agent:
• General phone information & SIM card data
• Contacts with all fields and custom field labels
• Caller groups & Speed dials
• Event Log
• Calendar events
• Tasks & Notes
• Messages from standard and custom folders
• Deleted messages information
• Service center timestamp
• Camera snapshots, video clips and voice records
• File system
• GPS & Location tagged information
• Web browser cache & bookmarks
• IM clients data
• 3rd party applications with their information

Not available to the Agent:
- Protected operating system files
- Memory dump

Afraid of writing to device?

Comparison of phone content changes when performing analysis using different approaches

SyncML protocol usage
• Setting up sync parameters
• Installing extra sync add-ons*
• Running SyncML server
• SyncML server generates synchronization log files

Agent application usage
• Loading Agent to device
• Installing Agent
• Running Agent
• Uninstalling Agent**

* - Extra sync add-ons installation may be needed to extract some additional information (e.g. MMS)
** - Agent does not generate any log files

Unlike Agent, the SyncML server is not a forensically designed application and is not under the examiner's full control. In addition, it makes more data modifications than Agent.

Summary

Smartphones are a considerable part of the mobile device market
FutureSource Consulting forecasts that, between 2008 and 2013, annual sales of smartphones will rise by 95% to over 300 million. That will be around 37% of all new mobile phones, up from 13% in 2008.

Smartphones store much more important forensic information than plain cell phones
Being a multiple-in-one device with an OS that exposes an open API, smartphones are turning into small PCs with large memory sizes, a wide set of preinstalled applications and a huge number of available 3rd party applications.

Standard extraction methods are less effective for smartphones
All logical protocols were developed for sync purposes, thus they can only extract the tip of the iceberg. Physical analysis of gigabyte hex dumps takes a lot of time.

Agent application usage is the golden mean
The Agent application approach, introduced by Oxygen Software in 2002, almost achieves the completeness of data extracted by physical methods. At the same time it works via standard cables and adapters and presents the extracted data in a readable and user-friendly format, much like a logical analysis.