Introduction to Handheld Digital Forensics • Created by DM Kaputa, Ph.D.
New Certificate, Fall 2009 • Computer Security & Investigations/Digital Forensics • Developed under the auspices of National Science Foundation/Advanced Technological Education Grant # 802062 • Faculty members: Kaputa, Kuroski, Kowalski, Palombo & Gill
Some high-profile forensics cases • These cases probably would not have been solved if not for the digital forensics investigations.
What is Handheld Forensics? • Computer forensics: storage device requiring a file system; device is “static”; larger storage capacity (although this is changing); forensic method: bit-stream imaging • Handheld forensics: embedded systems; device is “active”; smaller on-board capacity (16 G); forensic method: active memory imaging
Forensic Rules for PDA Seizure • Disconnect wireless connectivity • Keep power • Gather cables • The unit is always changing: RAM is the main storage for files & apps, so acquire in the lab • Fundamentals of forensic-grade software • PDA OSes: WinCE, RIM (BlackBerry), Palm OS, embedded Linux, Symbian
Forensic Rules for Cell Phone Seizure • 1. Disconnect wireless communication • 2. Keep power, or a password may be needed • 3. Gather cables & accessories • 4. Acquire in the lab • 5. Use forensic-grade software
Hybrids (combination of both), although most cell phones now are hybrids & beyond! • Windows Pocket PC • iPhone • Google phone • Linux • BlackBerry • Most contain a PDA, GPS & camera, MP3 player
Quick Timeline • 1960s: Bell Labs develops electronics for cell phone technology • 1978: AMPS (Advanced Mobile Phone System) debuts; 1st commercial cellular network, in Chicago • 1988: Cellular Technology Industry Assoc. created • 1991: TDMA; also first GSM phone, in Finland • 2001: BellSouth leaves payphone business
Major Access Technologies for Cell Phones • AMPS (Advanced Mobile Phone Service): 1G systems, FDMA (Frequency Division Multiple Access), analog standard • Digital cellular networks: • 1. TDMA (Time Division Multiple Access), a digital link technology: a different time slot for each channel (6 slots); 2G systems • 2. GSM (Global System for Mobile Communications), 1991 (replacing TDMA through to 3G)
GSM continued • Uses a TDMA air interface with 8 time slots • Uses a SIM card: a removable, thumb-sized card that identifies the user to the network & stores information • 82% of the world’s phones; available in over 168 countries • Next generation (UMTS, Universal Mobile Telecommunications System) enhances GSM with a CDMA air interface • AT&T service (Cingular, T-Mobile)
Other common cellular networks • 3. Also the iDEN network, designed by Motorola • 4. And a digital version of the original analog standard, called D-AMPS (Digital Advanced Mobile Phone Service)
CDMA, developed about 1989 by Qualcomm • Code Division Multiple Access • Spread-spectrum technology: spreads digitized data over the entire bandwidth • 3G system • Always-on data access • High data speeds • Live streaming video • Verizon & Sprint
4G System • 100 Mbit/s while moving • 1 Gbit/s while stationary • High-quality audio/video
Intro to Cell Phone Forensics • Very popular devices today; under GSM there are two components, the SIM & the mobile equipment (ME) • CDMA phones (Verizon & Sprint) historically had no SIM, although RUIMs (Removable User Identity Modules) are gaining in popularity
Introduction to the SIM Card • What is a SIM card? • Subscriber Identity Module, which: • authenticates the device to the network • stores names and phone numbers • sends and receives text messages • stores network configuration info (IMSI)
SIM disadvantage • Unless SIM card lock is enabled, someone can steal the SIM and rack up charges against you!
SIM Card continued • Useful for quick transfer of numbers and info from one phone to another
SIM advantages • Portability is the main advantage • SIM can be swapped into a new phone • Stores contact info
What exactly is on the SIM card? • Simple phone book • Last 10 outgoing numbers • SMS messages (Short Message Service), aka text messages • IMSI
Paraben’s SIM Card Seizure • Last 10 outgoing phone numbers
Components continued • Outgoing SMS text messages
Components continued • Incoming SMS text messages
Components continued • IMSI: this is a network configuration number, the International Mobile Subscriber Identity • Not to be confused with the IMEI number (International Mobile Equipment Identity), which identifies the handset rather than the subscriber
Conclusions, forensically speaking • Deleted SMS can be tracked by analysis of unallocated space • Be cognizant of what you send out in text messages! • They could come back to haunt you.
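The conclusion that deleted SMS survive in unallocated space can be shown on the SIM itself. As an added example (not from the deck, and not code from any of the tools it names), the following Python parses a constructed dump of the SIM's EF_SMS file: each 176-byte record starts with a status byte, and a message the handset has "deleted" typically has only that byte zeroed, so its TPDU (sender or recipient number and text) is still recoverable. The record layout follows 3GPP TS 51.011 / TS 23.040; the sample records, phone numbers and texts are constructed, and only the 7-bit and UCS-2 alphabets are decoded.

```python
RECORD_LEN = 176   # EF_SMS: linear fixed file of 176-byte records; byte 0 = status, rest = SMSC address + TPDU
STATUS = {0x00: "free", 0x01: "read", 0x03: "unread", 0x05: "sent", 0x07: "unsent"}

def decode_bcd(raw: bytes, ndigits: int) -> str:   # swapped-nibble BCD, 0xF = filler: 0x21 -> "12"
    return "".join(f"{b & 0x0F:x}{b >> 4:x}" for b in raw)[:ndigits]

def gsm7_unpack(packed: bytes, septets: int) -> str:   # GSM 03.38 7-bit packing; ASCII-compatible subset only
    bits = int.from_bytes(packed, "little")
    return "".join(chr((bits >> (7 * i)) & 0x7F) for i in range(septets))

def parse_record(rec: bytes):
    status, body = rec[0], rec[1:]
    if all(b == 0xFF for b in body):
        return None                              # never written: nothing to recover
    i = body[0] + 1                              # skip service-centre address (length byte + address)
    first = body[i]; i += 1
    mti = first & 0x03                           # 0 = SMS-DELIVER (incoming), 1 = SMS-SUBMIT (outgoing)
    if mti == 1:
        i += 1                                   # TP-MR precedes the destination address
    ndigits, toa = body[i], body[i + 1]; i += 2
    alen = (ndigits + 1) // 2
    addr = ("+" if toa & 0x70 == 0x10 else "") + decode_bcd(body[i:i + alen], ndigits)
    i += alen
    dcs = body[i + 1]; i += 2                    # TP-PID, TP-DCS
    if mti == 0:
        i += 7                                   # TP-SCTS timestamp (not decoded here)
    else:
        i += {0: 0, 2: 1}.get((first >> 3) & 0x03, 7)   # TP-VP: absent, relative (1 byte) or 7 bytes
    udl, ud = body[i], body[i + 1:]
    if dcs & 0x0C == 0x08:
        text = ud[:udl].decode("utf-16-be")      # UCS-2
    else:
        text = gsm7_unpack(ud[:(udl * 7 + 7) // 8], udl)   # 7-bit default alphabet (8-bit data not handled)
    return {"status": STATUS.get(status, hex(status)), "deleted": status == 0x00,
            "direction": "incoming" if mti == 0 else "outgoing", "address": addr, "text": text}

def recover_sms(dump: bytes) -> list:            # 'deleted' marks slots the handset shows as empty
    records = (dump[n * RECORD_LEN:(n + 1) * RECORD_LEN] for n in range(len(dump) // RECORD_LEN))
    return [{"record": n + 1, **p} for n, p in enumerate(map(parse_record, records)) if p]

def _rec(status: int, body_hex: str) -> bytes:   # build one 0xFF-padded record (constructed sample data)
    body = bytes.fromhex(body_hex)
    return bytes([status]) + body + b"\xff" * (RECORD_LEN - 1 - len(body))

SAMPLE_EF_SMS = (   # constructed: a read incoming "hello", a zeroed-status outgoing "call me", an unused slot
    _rec(0x01, "07915155000000f0" "040b915155214365f7" "0000" "90101241500000" "05e8329bfd06")
    + _rec(0x00, "00" "1100" "0b915155896745f3" "0000" "aa" "07e3309b0d6a9701")
    + _rec(0x00, "")
)
```

Running `recover_sms(SAMPLE_EF_SMS)` returns both messages; the second is flagged `deleted` even though a handset would list the slot as empty.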
Some Handheld Forensic Toolkits • MOBILedit! software, highly rated by NIST • BitPim software, CDMA, open source • Device Manager, proprietary software by Paraben • Cellebrite hardware, used by LE • Next slide: using Device Manager to attempt an acquisition of a cell phone
Mobile Malware, or who said mobiles don’t have malware? • Phoenix • Facebook mobile • DroidDream • Plankton • Zitmo • Golddream A
1st Case of Mobile Malware • 2004: first mobile malware • By 2010: 250% increase • 2011: botnet-enabled malware for Android • From June 2010 to Jan 2011, Android malware increased by 400%
What does it do? • Disables the phone • Remotely controls the phone: can record phone conversations & store them to the phone’s SD card, then upload them to a server controlled by the hacker (drops a configuration file) • Steals valuable data
2011: iPad users hacked • Hacker pleads guilty to stealing data from 100,000 iPad users • A fake version of the “Angry Birds” app sent sensitive info about the user to the hacker to gain access to the phone
What can we do? • Do NOT access banking sites over public Wi-Fi connections • Do NOT leave “Wi-Fi ad-hoc mode” on • Don’t download apps from third-party app repositories! • Check the permissions of every app you download • Run it through a secure app that will scan it from market to device
Scanning apps • Norton • Lookout • Bitdefender • NetQin • Also scan Facebook and Twitter!