Advanced Techniques in

Forensic Examination of Smartphones

(C) Oxygen Software, 2000-2010 http://www.oxygen-forensic.com

2010

Smartphones market growth

Data provided by FutureSource Consulting

Smartphones market is growing even while general mobile phones market falling

(C) Oxygen Software, 2000-2010 http://www.oxygen-forensic.com

(C) Oxygen Software, 2000-2010http://www.oxygen-forensic.com

Smartphone is a small PC

(C) Oxygen Software, 2000-2010http://www.oxygen-forensic.com

Smartphone as: Cell phone

* - Usually these features are not utilized by smartphones

(C) Oxygen Software, 2000-2010http://www.oxygen-forensic.com

Smartphone as: Address book

(C) Oxygen Software, 2000-2010http://www.oxygen-forensic.com

Smartphone as: Planner

(C) Oxygen Software, 2000-2010http://www.oxygen-forensic.com

Smartphone as: Messenger

(C) Oxygen Software, 2000-2010http://www.oxygen-forensic.com

Smartphone as: GPS navigator

* - Available in EXIF header for many new models** - Available in smartphones with Nokia LifeBlog application installed

(C) Oxygen Software, 2000-2010http://www.oxygen-forensic.com

Smartphone as: Web client

* - Available for some IM clients

(C) Oxygen Software, 2000-2010http://www.oxygen-forensic.com

Smartphone as: PC

There are 2 standard ways to get forensic information from smartphones: logical and physical analysis

(C) Oxygen Software, 2000-2010 http://www.oxygen-forensic.com

Standard extraction methods

(C) Oxygen Software, 2000-2010 http://www.oxygen-forensic.com

Logical analysis for smartphones

1) The information extracted by all logical protocols is only the top of the iceberg2) All logical protocols were developed for data synchronization

1) The information extracted by all logical protocols is only the top of the iceberg2) All logical protocols were developed for data synchronization

General phone information

Contacts*

Calendar

Notes

Calls history

Messages*

Files*

Settings*

Bookmarks

* - Available data set is restricted and depends highly on manufacturer implementation

Caller groups

Custom field labels

Speed dials

Messages from custom folders

Event log

Deleted messages information

Service center timestamps

GPS information

Location tagged data

Web browser data

IM client data

3rd party apps

(C) Oxygen Software, 2000-2010 http://www.oxygen-forensic.com

Physical analysis for smartphones

How to deal with gigabytes

of that?

How to deal with gigabytes

of that?

(C) Oxygen Software, 2000-2010 http://www.oxygen-forensic.com

Standard extraction methods: Summary

In 2002 Oxygen Software invented the 3rd way - analysis using a special agent application working inside smartphone OS

(C) Oxygen Software, 2000-2010 http://www.oxygen-forensic.com

How to extract data without a headache?

* - Agent can extract all the information available for native OS applications

(C) Oxygen Software, 2000-2010http://www.oxygen-forensic.com

Agent application usageGeneral phone information & SIM card dataContacts with all fields and custom field labelsCaller groups & Speed dialsEvent LogCalendar eventsTasks & NotesMessages from standard and custom foldersDeleted messages informationService center timestampCamera snapshots, video clips and voice recordsFile systemGPS & Location tagged informationWeb browser cache & bookmarksIM clients data3rd party applications with their information

- Protected operating system

files

- Memory dump

(C) Oxygen Software, 2000-2010http://www.oxygen-forensic.com

Afraid of writing to device?Comparison of phone content changes when performing

analysis using different approaches

* - Extra sync add-ons installation may be needed to extract some additional information (e.g. MMS)** - Agent does not generate any log files

Unlike Agent, SyncML server is not a forensically designed app and is out of full control from examiner. In addition - it makes more data modifications than Agent.

Unlike Agent, SyncML server is not a forensically designed app and is out of full control from examiner. In addition - it makes more data modifications than Agent.

(C) Oxygen Software, 2000-2010http://www.oxygen-forensic.com

SummarySmartphones is a considerable part of mobile device marketFutureSource Consulting forecasts that, between 2008 and 2013, annual sales of smartphones will rise by 95% to over 300 million. It will be around 37% of all new mobile phones, up from 13% in 2008.

Smartphones store much more important forensic information than plain cell phonesBeing a multiple-in-one device and having OS with open API smartphones are turning into small PCs with big memory sizes, wide set of preinstalled applications and huge number of available 3rd party applications.

Standard extraction methods are less effective for smartphonesAll logical protocols were developed for sync purposes, thus they can only extract a top of the iceberg. Physical analysis of gigabyte hex dumps takes a lot of time.

Agent application usage is the golden meanThe Agent application approach, introduced by Oxygen Software in 2002, almost achieves the completeness of data extracted by physical methods. At the same time it works via standard cables and adaptors and allows to present the extracted data in readable and user-friendly format that is more peculiar to logical analysis.

Oxygen Forensic Suite 2010www.oxygen-forensic.com

Oxygen Forensics for iPhonewww.iphone-forensics.com

+44 (0) 20 8133 8450 (UK)+1 877 9-OXYGEN (USA)

Oxygen Forensic Suite and Oxygen Forensic Suite 2010 a the trademarks of Oxygen Software.

Oxygen Software LLC was founded in year 2000 and since that time our business is a PC-to-mobile communication.

(C) Oxygen Software, 2000-2010http://www.oxygen-forensic.com

Interested in more details?

£499 Standard

£899 Professional