mfa smartphones 2012

Advanced Techniques in

Forensic Examination of Smartphones

2012

(C) Oxygen Software, 2000-2012http://www.oxygen-forensic.com

Worldwide smartphone sales

32,3%

14,6%15,8%

30,5%

3,4% 2,0% 1,5%101M devices sold in 4Q 2010

Symbian

RIM

iOS

Android

Microsoft

Bada

Other

Source: Gartner (February 2012)

Smartphone market increased by 48,5% during just 1 year!

11,7%

8,8%

23,8%

50,9%

1,9% 2,1% 0,8%149M devices sold in 4Q 2011


Top smartphone vendors - 2011

18,9%

18,5%

17,9%10,9%

9,1%

24,6%

471.7M devices sold in 2011

Apple

Samsung

Nokia

RIM

HTC

Others

Source: Gartner (February 2012)


Smartphones

What information is stored on a modern smartphone?(C) Oxygen Software, 2000-2012

http://www.oxygen-forensic.com

Cell phone

Address book

Planner & Organizer

Messenger

Photo & Video camera

GPS navigator

Web & IM client

Platform for 3rd party apps


Smartphone is a small PC


Smartphone as: Cell phone

• IMEI/MEID/Serial number• Hardware & Software revision• Network information

Basic Information

• Incoming, outgoing, missed calls history

• Sent & received messages history• GPRS & Wi-Fi sessions log

Event log

• IMSI• Phone numbers*• SMS messages*

SIM card

* - Usually these features are not utilized by smartphones


Smartphone as: Address book• First, middle, last name, nickname, joint

name, company, department, job title• Photo and personal ringing tone• Phone numbers: general, mobile, fax,

video, pager, VoIP, push-to-talk• Postal addresses, Web pages and e-mails• Different contact sources (Android)• Number of calls (Android)• Text notes• Private info: birthday, spouse, children• Custom field labels (Symbian, iPhone OS)• Multiple fields of the same type• Creation and last modification times

(Symbian, iPhone OS)

Contacts information

• List of caller groups & belonging contactsCaller groups

• List of assigned speed dialsSpeed dials


Smartphone as: Planner• Meetings, reminders and

anniversaries• Start date & time• Finish date & time• Alarm date & time• Recurrence• Last modification date & time

Calendar events

• Task description• Deadline• Priority• Alarm date & time• Completion date & time

Tasks

• Note text & dateNotes


Smartphone as: Messenger

• Text messages (SMS)• Multimedia messages (MMS)• E-mail messages with attached

files• BIO messages: vCard, vCal,

configuration and others• Beamed messages: files sent via

Bluetooth, IR or USB• Standard message folders• Custom message folders• Date & time• Service center timestamp for

incoming messages• Information about deleted SMS

messages (Symbian, iPhone OS)

Messaging system


Smartphone as: GPS navigator• Last fixed GPS coordinates• Search history• Routes history• Last displayed map• Saved maps• List of favorite places

GPS Navigator

• GPS coordinates in camera snapshots*

• Cell coordinates in camera snapshots*

• Cell coordinates for camera snapshots**

• Cell coordinates for video records**• Cell coordinates for SMS messages**

Location tagger

* - Available in EXIF header for almost all models having GPS receiver** - Available in several Nokia smartphones and Sony Ericsson devices


Smartphone as: Web client

• Web cache files• Bookmarks• Pages view history• Last opened URLs• Search history• Cookies

Web browser

• IP, Login (UID, e-mail) and password*• Contacts list• Chat history• Calls history

IM client

* - Available for some IM clients


• Camera snapshots• Video clips• Voice records• Sounds and Podcasts• Wi-Fi networks list• Paired Bluetooth devices list• Activated SIM cards list• VPN profiles

Operating System apps

• List of installed applications• Office documents• Application logs & data files

3rd party apps

Smartphone as: PC

Extraction

What data extraction methods are available for mobile devices?


There are 2 standard ways to get forensic information from smartphones: logical and physical analysis

(C) Oxygen Software, 2000-2012 http://www.oxygen-forensic.com

Standard extraction methods

Logical analysis

• Data extracted using common PC-to-mobile communication protocols: AT, OBEX, SyncML

• Smartphone connected to PC with a standard cable (or Bluetooth/IR adapter)

Physical analysis

• Data extracted using direct memory reading (hex dump)

• Smartphone (or its memory chip only) connected to special hardware


Logical analysis for smartphones

AT+• General phone information• Contacts (simple), calls*, SMS,

settings*

Nokia FBUS • General phone information

OBEX• General phone information• Files*

SyncML• General phone information• Contacts, calendar, notes, settings*,

bookmarks, messages*

1) The information extracted by all logical protocols is only the top of the iceberg2) All logical protocols were developed for data synchronization

General phone information

Contacts*

Calendar

Notes

Calls history

Messages*

Files*

Settings*

Bookmarks

* - Available data set is restricted and depends highly on manufacturer implementation

Caller groups

Custom field labels

Speed dials

Messages from custom folders

Event log

Deleted messages information

Service center timestamps

GPS information

Location tagged data

Web browser data

IM client data

3rd party apps


Physical analysis for smartphones

What to do with gigabytes

of that?


Standard extraction methods: Summary

Physical analysis

All information can be extracted

Hard to perform

Very hard to analyze

Expensive software, special hardware needed

In 2002 Oxygen Software invented the 3rd way - analysis using a special agent application working inside smartphone OS


How to extract data without a headache?

Physical analysis

All information can be extracted

Hard to perform

Very hard to analyze

Expensive software, special hardware needed

* - Agent can extract all the information available for native OS applications


Agent application usage General phone information & SIM card data Contacts with all fields and custom field

labels Caller groups & Speed dials Event Log Calendar events Tasks & Notes Messages from standard and custom folders Deleted messages information Service center timestamp Camera snapshots, video clips and voice

records File system GPS & Location tagged information Web browser cache & bookmarks IM clients data 3rd party applications with their information

- Protected operating system

files

- Memory dump


Afraid of writing to device?Comparison of phone content changes when performing

analysis using different approaches

SyncML protocol usage

Setting up sync parameters

Installing extra sync add-ons*

Running SyncML server

SyncML server generates synchronization log files

Agent application usage

Loading Agent to device

Installing Agent

Running Agent

Uninstalling Agent**

* - Extra sync add-ons installation may be needed to extract some additional information (e.g. MMS)** - Agent does not generate any log files

Unlike Agent, SyncML server is not a forensically designed app and is out of full control from examiner. In addition - it makes more data modifications than Agent.


SummarySmartphones are a considerable part of mobile device marketFutureSource Consulting forecasts that, between 2008 and 2013, annual sales of smartphones will rise by 95% to over 300 million. It will be around 37% of all new mobile phones, up from 13% in 2008.

Smartphones store much more important forensic information than plain cell phonesBeing a multiple-in-one device and having OS with open API smartphones are turning into small PCs with big memory sizes, wide set of preinstalled applications and huge number of available 3rd party applications.

Standard extraction methods are less effective for smartphonesAll logical protocols were developed for sync purposes, thus they can only extract a top of the iceberg. Physical analysis of gigabyte hex dumps takes a lot of time.

Agent application usage is the golden meanThe Agent application approach, introduced by Oxygen Software in 2002, almost achieves the completeness of data extracted by physical methods. At the same time it works via standard cables and adaptors and presents the extracted data in a readable and user-friendly format that is more like a logical analysis.

mfa smartphones 2012

Technology

smartphones c oxygen

party apps c oxygen

text datec oxygen software

iphone osc oxygen software

im clientsc oxygen software

syncml smartphone

incoming messages information

smartphone market