Cellphone and Mobile Device Forensics An update on concepts Presented by Peter L. Fryer ACE, CFE, CISA, MPSC

Upload: brinly

Post on 14-Jan-2016


TRANSCRIPT

Page 1: Cellphone and Mobile Device Forensics An update on concepts

Cellphone and Mobile Device Forensics

An update on concepts

Presented by Peter L. Fryer ACE, CFE, CISA, MPSC

Page 2: Cellphone and Mobile Device Forensics An update on concepts

Pencils Out Please!

Find the evidence

Page 3: Cellphone and Mobile Device Forensics An update on concepts

Abstract – Mobile device forensic analysis is the field that addresses the extraction, analysis and review of data collected from mobile devices.

Current analysis trends include, but are not limited to, evidence collection, behaviour analysis and the detection of malware/spyware on mobile devices.

This presentation will provide clarity on forensic techniques and malware detection.

Page 4: Cellphone and Mobile Device Forensics An update on concepts

Problem Statement

Mobile devices form part of the battlefield of Internet-based crime.

Mobile devices now form an integral part of society and manage how we interact with our community.

Page 5: Cellphone and Mobile Device Forensics An update on concepts

Nomophobia

Nomophobia is the fear of being out of mobile phone contact.

53% of users polled became anxious when their phones had no signal, a low battery or were switched off. The average distance between polled users and their handsets during the day rarely exceeded 1.5 m.

Source: Wikipedia

Page 6: Cellphone and Mobile Device Forensics An update on concepts

Mobile Device Forensics

Widely used since 2002
Effective court tested methodology
Collection, extraction and analysis of data on mobile devices

Page 7: Cellphone and Mobile Device Forensics An update on concepts

THEN

Page 8: Cellphone and Mobile Device Forensics An update on concepts

NOW

Page 9: Cellphone and Mobile Device Forensics An update on concepts

Cell Phones – what is out there?

GSM – 4 Operators - 41 million subscribers in South Africa (approx. 87% of the population)

Worldwide: Approx. 5+ billion subscribers (including 3G, WCDMA, HSDPA)

source: gsmworld.com

GSM Network Operators:
Vodacom (largest provider, approx. 21 million subscribers)
MTN – Mobile Telephone Networks
Cell-C
Telkom – 8.ta

Page 10: Cellphone and Mobile Device Forensics An update on concepts

Concept – Cellphone Forensics

Page 11: Cellphone and Mobile Device Forensics An update on concepts

COMPUTER FORENSICS – Operating Systems

Windows
Apple
Linux

Page 12: Cellphone and Mobile Device Forensics An update on concepts

MOBILE – Operating Systems

Page 13: Cellphone and Mobile Device Forensics An update on concepts

What information can we expect in a mobile phone handset?

Contacts

Calls (dialled, missed, received)

Text Messages

Multimedia Messages

Drafts

Pictures, Audio and Video Images

E-mail, Browser History,

Tasks / Notes / Calendars

Application Files

Maps, GPS Locations visited

Time & Dates

Page 14: Cellphone and Mobile Device Forensics An update on concepts

Extraction Methodologies

Cable, Bluetooth (pairing) and IR
Chip Off - volatile
Recovery of logical data as well as deleted information
Deleted data includes:
– SMS
– Call logs
– Files
– Systems Files

Page 15: Cellphone and Mobile Device Forensics An update on concepts

Data Cache

WiFi connections, Internet Usage, Keyboard Cache and App Usage

Page 16: Cellphone and Mobile Device Forensics An update on concepts

WiFi Connections

Application | Name | Longitude | Latitude | Time | Type
--- | --- | --- | --- | --- | ---
Consolidated Database (Apple) | Wi-Fi MAC=0:21:4:a0:b9:d8 | 18.84172952 | -34.11499512 | 2011/09/01 06:51:58 PM UTC (Device) | Wi-Fi
Consolidated Database (Apple) | Wi-Fi MAC=94:44:52:f:77:19 | 18.84171432 | -34.11498498 | 2011/09/01 06:51:58 PM UTC (Device) | Wi-Fi
Consolidated Database (Apple) | Wi-Fi MAC=0:60:b3:a4:64:87 | 18.84170436 | -34.11496382 | 2011/09/01 06:51:58 PM UTC (Device) | Wi-Fi
Consolidated Database (Apple) | Wi-Fi MAC=0:19:cb:3c:b8:3c | 18.84180319 | -34.11501181 | 2011/09/01 06:51:58 PM UTC (Device) | Wi-Fi
Consolidated Database (Apple) | Wi-Fi MAC=0:19:70:14:12:14 | 18.84193527 | -34.11499309 | 2011/09/01 06:51:58 PM UTC (Device) | Wi-Fi
Consolidated Database (Apple) | Wi-Fi MAC=0:4:ed:b9:33:13 | 18.84194082 | -34.11468487 | 2011/09/01 06:51:58 PM UTC (Device) | Wi-Fi
Consolidated Database (Apple) | Wi-Fi MAC=d8:5d:4c:b2:3:c8 | 18.84307813 | -34.11410129 | 2011/09/01 06:51:58 PM UTC (Device) | Wi-Fi
Consolidated Database (Apple) | Wi-Fi MAC=0:4:ed:da:6f:a2 | 18.84195852 | -34.1134119 | 2011/09/01 06:51:58 PM UTC (Device) | Wi-Fi
Consolidated Database (Apple) | Wi-Fi MAC=0:30:a:eb:2d:bf | 18.84289234 | -34.11367881 | 2011/09/01 06:51:58 PM UTC (Device) | Wi-Fi
Consolidated Database (Apple) | Wi-Fi MAC=0:13:f7:3e:5a:60 | 18.84248417 | -34.11320757 | 2011/09/01 06:51:58 PM UTC (Device) | Wi-Fi
Consolidated Database (Apple) | Wi-Fi MAC=0:60:b3:4f:34:30 | 18.84235602 | -34.11301624 | 2011/09/01 06:51:58 PM UTC (Device) | Wi-Fi
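The Wi-Fi cache rows above only become evidence once they are read as a location fix: every access point recorded at the same device timestamp carries stored coordinates, so their centroid places the handset and their spread bounds the uncertainty. The following is an added example, not part of the slides or of any forensic tool, that does exactly that; it assumes a tab-separated export in the slide's six columns (four rows reuse the slide's values, the fifth is constructed).

```python
from collections import defaultdict
from math import asin, cos, radians, sin, sqrt

# Constructed tab-separated export in the slide's column order (Application,
# Name, Longitude, Latitude, Time, Type). Rows 1-4 reuse slide values;
# row 5 is made up to show a second fix at a different time.
ROWS = """\
Consolidated Database (Apple)\tWi-Fi MAC=0:21:4:a0:b9:d8\t18.84172952\t-34.11499512\t2011/09/01 06:51:58 PM UTC (Device)\tWi-Fi
Consolidated Database (Apple)\tWi-Fi MAC=94:44:52:f:77:19\t18.84171432\t-34.11498498\t2011/09/01 06:51:58 PM UTC (Device)\tWi-Fi
Consolidated Database (Apple)\tWi-Fi MAC=0:60:b3:a4:64:87\t18.84170436\t-34.11496382\t2011/09/01 06:51:58 PM UTC (Device)\tWi-Fi
Consolidated Database (Apple)\tWi-Fi MAC=0:19:cb:3c:b8:3c\t18.84180319\t-34.11501181\t2011/09/01 06:51:58 PM UTC (Device)\tWi-Fi
Consolidated Database (Apple)\tWi-Fi MAC=aa:bb:cc:dd:ee:ff\t18.42000000\t-33.92000000\t2011/09/02 08:00:00 AM UTC (Device)\tWi-Fi
"""


def parse_rows(text):
    """One dict per row; the MAC is taken from the Name column."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _app, name, lon, lat, when, _kind = line.split("\t")
        records.append({"mac": name.split("MAC=", 1)[1], "lon": float(lon),
                        "lat": float(lat), "time": when})
    return records


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres, mean Earth radius 6371 km."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371000.0 * asin(sqrt(a))


def location_fixes(records):
    """One fix per device timestamp: centroid of the access points'
    stored coordinates and the largest offset of any AP from it."""
    by_time = defaultdict(list)
    for r in records:
        by_time[r["time"]].append(r)
    fixes = {}
    for when, group in by_time.items():
        lat = sum(r["lat"] for r in group) / len(group)
        lon = sum(r["lon"] for r in group) / len(group)
        spread = max(haversine_m(lat, lon, r["lat"], r["lon"]) for r in group)
        fixes[when] = {"lat": lat, "lon": lon, "spread_m": spread,
                       "aps": [r["mac"] for r in group]}
    return fixes
```

Calling `location_fixes(parse_rows(ROWS))` yields two fixes; the four slide rows collapse to a single point with a spread of only a few metres, which is why a Wi-Fi cache entry is treated as a location record rather than a mere network list.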

Page 17: Cellphone and Mobile Device Forensics An update on concepts

GPS Co-ordinates

Page 18: Cellphone and Mobile Device Forensics An update on concepts

Internet Usage

Application | Web Address | Page Title | Access Count | Accessed
--- | --- | --- | --- | ---
Safari (Apple) | http://www.beeld.com/Sport/Rugby | | 2 | 2011/09/07 05:44:38 AM UTC (Device)
Safari (Apple) | http://www.beeld.com/Suid-Afrika | | 2 | 2011/09/07 05:35:08 AM UTC (Device)
Safari (Apple) | http://www.beeld.com/Sport/Rugby/Die-Bok-spel-gevaar-Wallis-20110904 | Dié Bok spel gevaar – Wallis: Beeld: Sport: Rugby | 1 | 2011/09/06 06:05:17 AM UTC (Device)
Safari (Apple) | http://192.168.65.54/?screenWidth=768 | Enigma PDA Web Interface | 1 | 2011/09/06 05:25:51 PM UTC (Device)
Safari (Apple) | http://www.rapport.co.za/ | Rapport | 1 | 2011/09/06 06:07:54 AM UTC (Device)
Safari (Apple) | http://192.168.65.54/ | Enigma Web Interface | 1 | 2011/09/06 05:25:50 PM UTC (Device)
Safari (Apple) | http://www.rapport.co.za/Suid-Afrika | | 1 | 2011/09/06 06:25:00 AM UTC (Device)
Safari (Apple) | http://www.beeld.com/Suid-Afrika/Nuus/1-sterf-2-erg-beseer-in-kettingbotsing-op-N1-20110905 | 1 sterf, 2 erg beseer in kettingbotsing op N1: Beeld: Suid-Afrika: Nuus | 1 | 2011/09/06 05:57:46 AM UTC (Device)
Safari (Apple) | http://www.beeld.com/Suid-Afrika/Nuus/Van-geskors-tot-in-ander-hoe-pos-20110905 | Van geskors tot in ander hoë pos: Beeld: Suid-Afrika: Nuus | 1 | 2011/09/06 05:55:35 AM UTC (Device)
Safari (Apple) | http://www.beeld.com/Suid-Afrika/Nuus/Pil-soos-Simply-Slim-nou-te-kry-20110905 | Pil ‘soos Simply Slim’ nou te kry: Beeld: Suid-Afrika: Nuus | 1 | 2011/09/06 05:52:56 AM UTC (Device)
Safari (Apple) | http://www.beeld.com/Wereld/Nuus/Mugabe-sterf-in-2013-20110904 | Mugabe ‘sterf in 2013’: Beeld: Wêreld: Nuus | 1 | 2011/09/06 06:01:28 AM UTC (Device)
Safari (Apple) | http://www.beeld.com/Wereld | | 1 | 2011/09/06 06:01:18 AM UTC (Device)
Safari (Apple) | http://www.beeld.com/Suid-Afrika/Nuus/Mandela-ongeluk-Moord-klag-verander-20110905 | Mandela-ongeluk: Moord-klag verander: Beeld: Suid-Afrika: Nuus | 1 | 2011/09/06 06:00:12 AM UTC (Device)
Safari (Apple) | http://192.168.65.54:16001/ | CCcam info pages | 1 | 2011/09/06 05:26:16 PM UTC (Device)
Safari (Apple) | http://www.beeld.com/Suid-Afrika/Nuus/Bloedwater-versuur-die-lewe-van-sakemanne-20110906 | Bloedwater versuur die lewe van sakemanne: Beeld: Suid-Afrika: Nuus | 1 | 2011/09/07 05:39:32 AM UTC (Device)

Page 19: Cellphone and Mobile Device Forensics An update on concepts

Keyboard Cache

Text

KikisystemscomrexmaxloadmaxcommmaratonmyadslmytvmotogponsoljullejKpklkmkkiipllljkkllkkkkkkjnjjjbbbhgmkanskxhhmtukllkkpkkklkjkjgegeegumtreegbvgggggvvzapasscodeqqxqqnsnnnmnnnbggvbbvvvrvvvxzbvbeeldvbvbbabsa

Password

Page 20: Cellphone and Mobile Device Forensics An update on concepts

App Usage

Application | Time | Duration | Access Count
--- | --- | --- | ---
com.apple.mobilesafari | 2011/08/14 UTC (Device) | 00:08:18 | 9
com.iber4.dodgemcars | 2011/08/18 UTC (Device) | 00:00:00 | 9
com.hackulo.us.installous | 2011/08/15 UTC (Device) | 00:50:08 | 9
com.RockingPocketGames.iFishingSE | 2011/08/21 UTC (Device) | 00:56:59 | 8
com.ea.candcra.inc | 2011/08/13 UTC (Device) | 00:17:33 | 8
com.apple.Preferences | 2011/08/08 UTC (Device) | 00:00:49 | 8
com.compumasterltd.poolrebel | 2011/08/25 UTC (Device) | 00:34:07 | 7
com.iber4.dodgemcars | 2011/08/16 UTC (Device) | 00:00:00 | 8
com.hackulo.us.installous | 2011/08/21 UTC (Device) | 00:33:25 | 8
com.apple.mobileipod-VideoPlayer | 2011/08/15 UTC (Device) | 01:07:05 | 8
com.outfit7.talkingbirdipad | 2011/09/03 UTC (Device) | 00:30:26 | 7
com.hackulo.us.installous | 2011/08/28 UTC (Device) | 00:19:27 | 7
com.hackulo.us.installous | 2011/08/22 UTC (Device) | 01:11:07 | 7
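App usage records like the ones above are the raw material for the behaviour analysis and app identification the deck lists under detection. The following is an added example, not from the slides or from any vendor tool, that parses records in the slide's "Application / Time / Duration / Access Count" layout and screens them on two cues the deck's own data illustrates: a third-party app store that only runs on a jailbroken device (Installous appears in the slide's data), and an app launched repeatedly yet never on screen. The one-line record format and the launch threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed one-line-per-record text in the slide's layout; the values
# themselves are taken from the slide's App Usage table.
USAGE = """\
Application: com.apple.mobilesafari Time: 2011/08/14 UTC (Device) Duration: 00:08:18 Access Count: 9
Application: com.iber4.dodgemcars Time: 2011/08/16 UTC (Device) Duration: 00:00:00 Access Count: 8
Application: com.iber4.dodgemcars Time: 2011/08/18 UTC (Device) Duration: 00:00:00 Access Count: 9
Application: com.hackulo.us.installous Time: 2011/08/21 UTC (Device) Duration: 00:33:25 Access Count: 8
Application: com.hackulo.us.installous Time: 2011/08/15 UTC (Device) Duration: 00:50:08 Access Count: 9
Application: com.hackulo.us.installous Time: 2011/08/28 UTC (Device) Duration: 00:19:27 Access Count: 7
Application: com.hackulo.us.installous Time: 2011/08/22 UTC (Device) Duration: 01:11:07 Access Count: 7
Application: com.apple.Preferences Time: 2011/08/08 UTC (Device) Duration: 00:00:49 Access Count: 8
"""

RECORD = re.compile(r"Application: (\S+) Time: (\S+) UTC \(Device\) "
                    r"Duration: (\d+):(\d+):(\d+) Access Count: (\d+)")

# Bundle ids that only run on a jailbroken device (Installous is in the slide
# data); ZERO_DURATION_LAUNCHES is an assumed threshold, tune it per fleet.
JAILBREAK_INDICATORS = {"com.hackulo.us.installous"}
ZERO_DURATION_LAUNCHES = 8


def parse_usage(text):
    """Return (app, day, seconds, launches) tuples, one per record."""
    out = []
    for m in RECORD.finditer(text):
        app, day, h, mi, s, count = m.groups()
        out.append((app, day, int(h) * 3600 + int(mi) * 60 + int(s), int(count)))
    return out


def aggregate(records):
    """Per-app totals across all days in the export."""
    totals = defaultdict(lambda: {"seconds": 0, "launches": 0, "days": set()})
    for app, day, seconds, launches in records:
        totals[app]["seconds"] += seconds
        totals[app]["launches"] += launches
        totals[app]["days"].add(day)
    return totals


def screen(records):
    """Map app -> reasons it warrants a closer look."""
    flagged = defaultdict(list)
    for app, t in aggregate(records).items():
        if app in JAILBREAK_INDICATORS:
            flagged[app].append("jailbreak indicator app present")
        if t["seconds"] == 0 and t["launches"] >= ZERO_DURATION_LAUNCHES:
            flagged[app].append(f"{t['launches']} launches with zero foreground time")
    return dict(flagged)
```

`screen(parse_usage(USAGE))` flags Installous (jailbreak evidence, contradicting the deck's "no jailbreaking" rule) and dodgemcars (17 launches, never in the foreground), while Safari and Preferences pass; each flag is a lead for the system file analysis the deck recommends, not a verdict.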

Page 21: Cellphone and Mobile Device Forensics An update on concepts

Fun Fone Facts

Page 22: Cellphone and Mobile Device Forensics An update on concepts

Physical Recovery

8GB of useful data retrieved using “chip off” techniques

Page 23: Cellphone and Mobile Device Forensics An update on concepts

Concept – Malware/ Spyware

Page 24: Cellphone and Mobile Device Forensics An update on concepts

Mobile Device Vulnerabilities

Mobile Phones have three vulnerabilities

1. Interception
2. Monitoring
3. Command and Control

Page 25: Cellphone and Mobile Device Forensics An update on concepts

Interception

Network
Off air (passive)
Spyware

Page 26: Cellphone and Mobile Device Forensics An update on concepts

Monitor

App usage
Malware/ Spyware
Collection

Page 27: Cellphone and Mobile Device Forensics An update on concepts

Command and Control

Deploy as a BOT
Escalate user privileges
Premium service subscription

Page 28: Cellphone and Mobile Device Forensics An update on concepts

Malware – what we know

Majority of malware deployments include social engineering

Deployment on two levels

Level I – Physical deployment

Level II – Social engineering (phishing)

Page 29: Cellphone and Mobile Device Forensics An update on concepts

Deployment

Physical Access
– Flash disk
– Link to web download
– Override user privileges

Social Engineering
– Refer to web download (games, banking app)
– Spoofed login to collect credentials

Page 30: Cellphone and Mobile Device Forensics An update on concepts
Page 31: Cellphone and Mobile Device Forensics An update on concepts

Malware

– Designed to exploit security
– Trigger data costs (premium SMS/ data services)
– Escalate user privileges
– Phones act as BOTS for malicious attacks
– Allows for remote control of device

Page 32: Cellphone and Mobile Device Forensics An update on concepts

Spyware

– Deployed to compromise user created information
– Covert interception and monitoring
– Collect communications and data
– Collect credentials (two factor authentication)
  • OTP
  • Password Reset Info

Page 33: Cellphone and Mobile Device Forensics An update on concepts

Detection of Malware and Spyware

Behaviour analysis of device
Data usage tracking
App identification and logging
Deploy content management tools
Enforce local security policies
System file analysis

Page 34: Cellphone and Mobile Device Forensics An update on concepts

Challenges for infosec practitioners

Mobile devices fall into the BYOD class
– Behind firewall deployment of threats

Mobile devices differ drastically
– No single tool to manage and audit devices

No single detection methodology
– Multi platform approach to detection (expensive)

Difficult to monitor (form part of a closed network)
– Devices not part of local network

No alert functionality on Mobile device
– Apps installed as trusted

Page 35: Cellphone and Mobile Device Forensics An update on concepts

What we need to know

• Consult the experts

Page 36: Cellphone and Mobile Device Forensics An update on concepts

Defence Strategy

Review user privileges
Install only trusted apps
Maintain physical security of device
Review data usage
No “rooting” or “jailbreaking”

Page 37: Cellphone and Mobile Device Forensics An update on concepts

Research - spyware

Applications and software purchased
File system analysed
Deployed to several phones
– Sony Ericsson
– Samsung
– Blackberry
– Nokia

Page 38: Cellphone and Mobile Device Forensics An update on concepts

Spyware Tested/ Reviewed

Killer Mobile – Tra v4.1
Eblaster Mobile edition
MobileSpy IE
Spy Bubble
Cell-Tracker Pro

Page 39: Cellphone and Mobile Device Forensics An update on concepts

Observations

Tools effective for capturing mainly text based data
Slows device response to user prompts
Battery drain extensive
Visual triggers
– Data usage
– Device activity
– BB Log

Page 40: Cellphone and Mobile Device Forensics An update on concepts

Concept Overview

Cellphone and Mobile Devices are to be included as primary evidence sources
Reliable evidence recovery from mobile devices
Detection methodologies exist for spyware and malware deployments
Accredited experts available locally

Page 41: Cellphone and Mobile Device Forensics An update on concepts

FAQ

Is my phone bugged?
How am I tracked by using my cellphone?
Can I tell if my phone is bugged?
Can you recover deleted messages and data from my phone?
What is the safest phone in terms of defence against spyware?

Page 42: Cellphone and Mobile Device Forensics An update on concepts

Q & A

Thank you

Peter L. [email protected]

0827749960