State of art of mobile forensics

Posted on 06-May-2015

eForensics Magazine, Mobile Vol. 2 No. 4, Issue 03/2013 (8), April. Cover: Android Forensics; Step by step analysis of Facebook and Twitter data on Android devices; Emulation detection techniques for Android; Android forensics: a case study of the Nexus S virtual device approach to extracting data using hardware and software mechanisms; Potential identity theft over Apple's iOS devices; Cellebrite: a standard in mobile forensics; How to address end user risk agreement for BYOD.

State of Art of Mobile Forensics: Comparative research of techniques on BlackBerry OS (incl. PlayBook) and Android OS
by Yury Chemerkin (www.eForensicsMag.com)

At present, BlackBerry leads in insufficient security examination, more so than Android, despite the approaches that already exist (Android, after all, was not developed to be secure); yet all the security techniques implemented in these mobile devices are an indecisive argument on security, and the same argument applies to forensics. All security agencies repeatedly have to deal with mobile forensics.

What you will learn:
- What the difference is between similar mobile OSes based on different kernels (BB OS, PlayBook OS)
- How Android forensics differs from BlackBerry forensics

What you should know:
- Basic knowledge of Android and BlackBerry forensics
- Basic knowledge of classic forensics techniques and live forensics (live monitoring) techniques

Forensics tools may give an incredible opportunity to gain all kinds of data, but there are too many slight objections. As long as companies go only one of two ways, classic forensics or live monitoring (DLP or the like), they fail because of the limited cases each covers, and therefore the forensics field needs a more effective synthesis of both mechanisms.

Introduction
Mobile device forensics relates to the recovery of digital evidence or data from a mobile device. The memory type, custom interface and proprietary nature of mobile devices require a different forensic process compared to other forensics. Mobile extraction techniques tend to be less unique, especially throughout logical acquisition.
This level deals with data types known to any user, and this data set rarely differs among iOS, Android or BlackBerry. The data set often contains items such as messages (SMS/MMS/Email/IM), social network data, contacts, calendar, phone logs, wallet and other financial application data, media data (audio/photos/videos) and other data, even the file structure, browser data (web history as a timeline, and bookmarks), and shared folders. Nowadays mobile devices provide many features to integrate all possible communications, aggregating them with data on BlackBerry as well as on Android. Native and third-party applications often connect to email, maps, IM messengers and social statuses. They keep users connected and do far more. The BlackBerry app environment is known to be broader and more impressive than Android's. On the other hand, Android has not only enough third-party applications that differ greatly, but also hundreds of variations depending on the manufacturer. By contrast, the BlackBerry PlayBook on QNX OS offers implemented modern technologies that are still far from real development. All of the above brings in a zoo of mobile phones and highlights the issue of misused security techniques in the development area. The new special skills that forensics experts require are rarely based on experience only. Each year the classic forensics techniques face a huge problem, while live forensics (or live monitoring) gives new opportunities to manipulate data. Sometimes a company IT policy or the OS vision may help to be sure that no triggers will break an investigation. The physical approach is trustworthy but non-operational, while the logical one is more dangerous because of synchronization via network, cellular, and OTA. There are too many cases where one cannot afford not to use preventive methods or tools to simplify classic forensics.
This paper describes the technical problems encountered in forensics, as well as the different live solutions that may be useful and have become the right way, alongside vendor development.

Approach
There are several techniques pertaining to mobile forensics:
- Physical acquisition is a bit-by-bit copy of an entire physical store, i.e. a full physical copy (all the bits in memory, not just the files) of the entire memory store on the device.
- Logical acquisition is a bit-by-bit copy of logical storage objects (e.g., directories and files).
- Using commercially available forensic software tools (which extend the previous technique) that, as time passes, are becoming increasingly more capable and sophisticated.
- Backup: this technique is relatively easy, and it allows a significant amount of user-created data (photographs, songs, emails, texts) to be preserved.
- Manual acquisition utilizes the user interface to get pictures of data from the screen, simply manipulating the phone (by navigating through the email, photographs, or contacts list, for example) while videotaping and/or photographing the results.

Since manual acquisition does not differ among mobile devices, it is skipped here, as is physical acquisition, which aims to gain deleted data without relying on the file system itself. Logical techniques highlight easy and fast data extraction of "simple" data types (formats) or SQL-based types (formats).

Potential Data as Evidence
Potential attack vectors can be various; however, the most popular of them are listed in Table 1.
Table 1. Extractable data

| Type | BlackBerry Smartphone | BlackBerry PlayBook |
|---|---|---|
| Address Book | + | - |
| Calendar Events | + | - |
| Call History | + | - |
| Browser history and bookmarks | + | + |
| Process Management | + | - |
| Memos and Tasks | + | - |
| Screen-shots | + | + |
| Camera-shots | + | + |
| Videocamera-shots | + | + |
| Clipboard | + | + |
| Location tracking (cell, wifi, gps, bluetooth) | + | + |
| SMS/MMS/Emails/IM | + | - |
| Saved Messages | + | - |
| Pictures, Videos, Voice notes, and other files | + | + |
| File and Folder structure | + | + |
| IMs | + | - |
| Passwords | + | + |
| Clipboard | + | + |

Network Isolation
One of the main ongoing considerations for analysts is preventing the device from any network changes; this is sometimes achievable for the PlayBook, which has no cellular connection but only a network connection (Wi-Fi, 4G). As mentioned earlier, such changes may bring in new data. However, any interaction with the device, like plugging and unplugging it, will modify it. The first idea is dismounting encryption or preventing locking so that the device can be examined while it is running. The PlayBook, like any other device, is difficult to analyze forensically without negative effects, because its storage cannot be easily removed: storage is internal only, and there is no external storage like the SD card of a BlackBerry smartphone. The worst case in forensics is remote wiping being initiated, or data being added/overwritten outside of the examiner's control by some trigger, often an SMS or an incoming call. Through BlackBerry Bridge this is not even possible: SMS over BlackBerry Bridge simply was never developed, and incoming call notifications cannot be caught, nor can any Bridge events through the API. Nevertheless, forensics experts still have to prevent a connection. A powerful way is airplane mode (or the same thing under a different name). Android's problem for stopping network communications is its awful GUI: the forensics officer should press and hold the Power off button and select Airplane mode first (if this hotkey works), or else press Menu (from the home screen), then Settings, and finally the Wireless option, which is generally near the top.
That only disables the cellular network; to block wireless connections like Bluetooth or Wi-Fi, the officer has to leave the home screen for the settings, which is upsetting because time is counting and no one can be sure that the settings GUI is the same among devices. BlackBerry allows doing this very quickly by clicking on the tray on the home screen.

Push Technology
The BlackBerry (smartphone) was primarily engineered for email and comes with a built-in mobile phone providing access to email from anywhere. It is always on, participating in wireless push technology, and does not require any kind of desktop synchronization like the others do. The BlackBerry PlayBook is an add-on for the BlackBerry smartphone only, because BlackBerry Bridge accesses mail, calendaring and contacts directly from a tethered BlackBerry phone. The PlayBook has neither push technology for email/calendar/etc. (only IMAP4 and POP3, except for an MS Exchange link) nor BIS, except through BlackBerry Mobile Fusion, which manages non-BlackBerry smartphone devices, together with a BES existing in the company. In addition, email and social accounts may break and ask the user to re-enter his password, which may help to discard pushed data. It means the PlayBook is not always on; there are rarely types of information that can be pushed to it, followed by overwriting or deletion. Similar to the PlayBook, Android gives time to change the network state. For example, only the main email box folders may be changed via IMAP or Exchange, because the PlayBook or Android needs time, or a manual press of the update button, to retrieve new data from the Internet. As opposed to the smartphone, the PlayBook and Android are filled with stand-alone applications that might use the Internet connection in standby mode or when the application is swiped down; by default, the PlayBook has an option to restrict activity in this state. The PlayBook address book application has Facebook, Twitter and LinkedIn connections, but synchronization never happens before the user runs the application and waits until it is done. Sometimes it takes one minute or even more.
Password Protection
BlackBerry devices come with password protection and an attempt limit (by default five out of ten, minimum three out of ten; the PlayBook may differ from five to ten, where ten is often for the PlayBook device and five is for BlackBerry Desktop Software with a plugged-in PlayBook). If it is exceeded, the device will wipe (factory reset). All data stored on external memory will be kept, because that is not part of the factory configuration, if talking about the smartphone and not the PlayBook, which has no external storage. The ability to circumvent the pass code on an Android device is becoming more important, as pass codes are used frequently and in most cases do not allow data extraction, the same as for BlackBerry. There are three types of pass codes on Android:
- the pattern lock, the default on the initial Android devices: when accessing the device, users should draw a pattern on the locked phone;
- the pass code, the simple personal identification number (PIN) commonly found on other mobile devices;
- the full alphanumeric code, which is more secure than a PIN.
If the device screen is active, it should be checked in order to change the existing short lock period (from less than a minute up to about 1 hour).

Password Extraction and Bypassing
BlackBerry. Accessing encrypted information stored in password-protected backups is possible via Elcomsoft products, which offer to restore the original password of the backup and of the device. The toolkit allows eligible customers to acquire bit-to-bit images of the device's file system, extract phone secrets (pass codes, passwords, and encryption keys) and decrypt the file system dump. It also reads BlackBerry Wallet data and Password Keeper data. Recovery of the BlackBerry password is possible only if the user-selectable "Device Password" security option is enabled to encrypt media card data.
Android. As Android devices use the pattern lock for pass code protection instead of a numeric or alphanumeric code, there is an interesting option: a clean touch screen comes first, but a touch screen marked with fingerprints, with the fingerprints showing directions, is a good solution to bypass the pattern lock. Therefore, it is possible to determine the pattern lock of a device by enhancing photographs of the device's screen [6]. Android has so-called Password and Pattern Lock Protection. The Password Lock can contain characters, numbers, and special marks, while the Pattern Lock looks like a numbered set of gestures that must be performed to unlock the device, where at least four of nine points must be chosen from a ten-digit set. The directions between them are stored in the file /data/system/gesture.key on internal storage as a byte sequence hashed via SHA-1. The Password Lock file is stored in /data/system/pc.key on internal storage, also as a byte sequence hashed via SHA-1. This works only if the device is already rooted and has USB Debugging mode ON.

Live techniques (or spyware). Security researcher Thomas Cannon [6] developed a technique that allows a screen lock bypass by installing an app directly through the new web-based Android Market. The procedure is quite simple, really. Android sends out a number of broadcast messages that an application can receive, such as "SMS received". An application has to register its receiver to receive broadcast messages. Once the application is launched, it just calls the disableKeyguard() method in KeyguardManager. This is a legitimate API that enables applications to disable the screen lock, e.g. when an incoming phone call is detected. Similar techniques for BlackBerry were discussed in [1], [4], [5]:
- the default feature to show the password without asterisks, which makes it possible to screen-capture. If the screenshot API is not disabled (by default it is allowed), it works;
- the scaled preview of the typed character on the virtual keyboard. It works too, and may be screenshotted. As a further consideration, an agent may XOR two screenshots and extract the preview of the pressed key, and thus the typed text;
- stealing the password during synchronization from BlackBerry Desktop Software. It works because of security issues in the Windows API. Moreover, it works not only to grab the device password but the backup password too;
- redrawing a fake window to catch the password typed on the device, with some social engineering aspect: announce that something has crashed and locked the device, "please unlock by re-entering a password".
The last two techniques (stealing and redrawing) work on the PlayBook as well. Moreover, developers must have swipe-down event listeners, or else the application will not be closed or minimized until the battery discharges.

Classic Forensics
Gathering Logs and Dumps. The main evidence procedure violates the forensic method by requiring the kept logs and the dump to be recorded. It is possible to view some debug log on the device by pressing hotkeys on a BlackBerry smartphone, while Android and PlayBook do not provide the same feature, or through the SDK tools.

BlackBerry Smartphone. The BlackBerry SDK tools or BBSAK allow extracting BlackBerry event logs to a text file via USB. Two tools named javaloader.exe and loader.exe allow extracting not only event logs but also a dump of the device, all executable modules (.cod files) with their dependent modules, screenshots, and device info. The first of them needs the PIN and password, while the second does not [1].

BlackBerry PlayBook. Every SDK provided by RIM, e.g. the Adobe AIR SDK, has a tool blackberry-connect, which is just a wrapper for Connect.jar. But before connecting, an RSA key pair should be generated by ssh-keygen -t rsa -b 4096 and the Dev Mode option enabled. Then the target IP (often for USB), the device password and the SSH key should be typed as parameters. This tool extracts...
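To make concrete what the Android pattern lock part of "Password Extraction and Bypassing" says about /data/system/gesture.key, here is an added Python example (not code from the article) that encodes a pattern, hashes it the way the article describes, and checks a candidate pattern against a stored digest. The dot numbering and the raw-digest file layout are assumptions, and the Z-shaped key is constructed; the point it adds is that the digest is unsalted, so the same pattern yields the same file on every device and the small pattern space is all that protects it.

```python
import hashlib
import hmac
from pathlib import Path

# Assumed encoding (not spelled out by the article): the 3x3 grid's dots are
# numbered 0..8 row by row, a pattern is the byte sequence of the dots in the
# order they are drawn, and gesture.key holds the raw, unsalted 20-byte SHA-1
# of that sequence. Android's rule that a straight line through an unvisited
# dot pulls that dot into the pattern is not modelled here.
GRID_DOTS = 9
MIN_DOTS = 4
SHA1_LEN = 20


def pattern_to_bytes(points):
    """Validate a pattern (distinct dot indices, at least four) and encode it."""
    if not MIN_DOTS <= len(points) <= GRID_DOTS:
        raise ValueError("a pattern joins between 4 and 9 dots")
    if len(set(points)) != len(points):
        raise ValueError("a dot may not be used twice")
    if any(not 0 <= p < GRID_DOTS for p in points):
        raise ValueError("dot indices run from 0 to 8")
    return bytes(points)


def gesture_key_digest(points):
    """Digest stored in gesture.key for this pattern (assumed format)."""
    return hashlib.sha1(pattern_to_bytes(points)).digest()


def load_gesture_key(path):
    """Read a gesture.key copied from /data/system and sanity-check its size."""
    data = Path(path).read_bytes()
    if len(data) != SHA1_LEN:
        raise ValueError(f"expected {SHA1_LEN} bytes, got {len(data)}")
    return data


def pattern_matches(stored_digest, points):
    """True if the candidate pattern hashes to the stored digest."""
    return hmac.compare_digest(stored_digest, gesture_key_digest(points))


if __name__ == "__main__":
    # Constructed gesture.key content for a Z-shaped pattern (top row, centre,
    # bottom row); not a file taken from a real device.
    z_pattern = [0, 1, 2, 4, 6, 7, 8]
    constructed_key = gesture_key_digest(z_pattern)
    print("Z pattern matches:", pattern_matches(constructed_key, z_pattern))
    print("L pattern matches:", pattern_matches(constructed_key, [0, 3, 6, 7, 8]))
```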