Cellphone and Mobile Device Forensics An update on concepts Presented by Peter L. Fryer ACE, CFE,...
Page 1
Cellphone and Mobile Device Forensics
An update on concepts
Presented by Peter L. Fryer ACE, CFE, CISA, MPSC
Page 2
Pencils Out Please!
Find the evidence
Page 3
Abstract – Mobile device forensic analysis is the field that addresses the extraction, analysis and review of data collected from mobile devices.
Current analysis trends include, but are not limited to, evidence collection, behaviour analysis and the detection of malware/spyware on mobile devices.
This presentation will provide clarity on forensic techniques and malware detection.
Page 4
Problem Statement
Mobile devices form part of the battlefield of Internet-based crime.
Mobile devices now form an integral part of society and manage how we interact with our community.
Page 5
Nomophobia
Nomophobia is the fear of being out of mobile phone contact.
53% of users polled became anxious when their phones had no signal, low battery or were off. The average distance between polled users and their handset during the day rarely exceeded 1.5 m.
Source – Wikipedia
Page 6
Mobile Device Forensics
Widely used since 2002
Effective court-tested methodology
Collection, extraction and analysis of data on mobile devices
Page 7
THEN
Page 8
NOW
Page 9
Cell Phones – what is out there?
GSM – 4 operators – 41 million subscribers in South Africa (approx. 87% of the population)
Worldwide: approx. 5+ billion subscribers (including 3G, WCDMA, HSDPA)
source: gsmworld.com
GSM Network Operators:
– Vodacom (largest provider, approx. 21 million subscribers)
– MTN – Mobile Telephone Networks
– Cell-C
– Telkom – 8.ta
Page 10
Concept – Cellphone Forensics
Page 11
COMPUTER FORENSICS – Operating Systems
Windows, Apple, Linux
Page 12
MOBILE – Operating Systems
Page 13
What information can we expect in a mobile phone handset?
Contacts
Calls (dialled, missed, received)
Text Messages
Multimedia Messages
Drafts
Pictures, Audio and Video Images
E-mail, Browser History,
Tasks / Notes / Calendars
Application Files
Maps, GPS Locations visited
Time & Dates
Page 14
Extraction Methodologies
Cable, Bluetooth (pairing) and IR
Chip Off – volatile
Recovery of logical data as well as deleted information
Deleted data includes:
– SMS
– Call logs
– Files
– System files
Page 15
Data Cache
WiFi connections, Internet usage, keyboard cache and app usage
Page 16
WiFi Connections

| Application | Name | Longitude | Latitude | Time | Type |
| --- | --- | --- | --- | --- | --- |
| Consolidated Database (Apple) | Wi-Fi MAC=0:21:4:a0:b9:d8 | 18.84172952 | -34.11499512 | 2011/09/01 06:51:58 PM UTC (Device) | Wi-Fi |
| Consolidated Database (Apple) | Wi-Fi MAC=94:44:52:f:77:19 | 18.84171432 | -34.11498498 | 2011/09/01 06:51:58 PM UTC (Device) | Wi-Fi |
| Consolidated Database (Apple) | Wi-Fi MAC=0:60:b3:a4:64:87 | 18.84170436 | -34.11496382 | 2011/09/01 06:51:58 PM UTC (Device) | Wi-Fi |
| Consolidated Database (Apple) | Wi-Fi MAC=0:19:cb:3c:b8:3c | 18.84180319 | -34.11501181 | 2011/09/01 06:51:58 PM UTC (Device) | Wi-Fi |
| Consolidated Database (Apple) | Wi-Fi MAC=0:19:70:14:12:14 | 18.84193527 | -34.11499309 | 2011/09/01 06:51:58 PM UTC (Device) | Wi-Fi |
| Consolidated Database (Apple) | Wi-Fi MAC=0:4:ed:b9:33:13 | 18.84194082 | -34.11468487 | 2011/09/01 06:51:58 PM UTC (Device) | Wi-Fi |
| Consolidated Database (Apple) | Wi-Fi MAC=d8:5d:4c:b2:3:c8 | 18.84307813 | -34.11410129 | 2011/09/01 06:51:58 PM UTC (Device) | Wi-Fi |
| Consolidated Database (Apple) | Wi-Fi MAC=0:4:ed:da:6f:a2 | 18.84195852 | -34.1134119 | 2011/09/01 06:51:58 PM UTC (Device) | Wi-Fi |
| Consolidated Database (Apple) | Wi-Fi MAC=0:30:a:eb:2d:bf | 18.84289234 | -34.11367881 | 2011/09/01 06:51:58 PM UTC (Device) | Wi-Fi |
| Consolidated Database (Apple) | Wi-Fi MAC=0:13:f7:3e:5a:60 | 18.84248417 | -34.11320757 | 2011/09/01 06:51:58 PM UTC (Device) | Wi-Fi |
| Consolidated Database (Apple) | Wi-Fi MAC=0:60:b3:4f:34:30 | 18.84235602 | -34.11301624 | 2011/09/01 06:51:58 PM UTC (Device) | Wi-Fi |
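As an added example (not from the presentation or any forensic tool it mentions), the Python below parses rows in the Wi-Fi cache layout shown above, pads the leading-zero-stripped MAC octets so they can be matched against OUI lists and network logs, and averages the access-point positions cached at the same timestamp. The three sample rows are taken from the slide; the padding rule and the centroid estimate are this example's own assumptions.

```python
"""Parse Wi-Fi location-cache rows in the page-16 layout into analyst records.
The sample rows are copied from the slide; MAC normalisation and the
timestamp centroid are additions made for this example."""
import re
from collections import defaultdict

# Sample input constructed from three rows of the page-16 table.
WIFI_ROWS = """\
Consolidated Database (Apple) Wi-Fi MAC=0:21:4:a0:b9:d8 18.84172952 -34.11499512 2011/09/01 06:51:58 PM UTC (Device) Wi-Fi
Consolidated Database (Apple) Wi-Fi MAC=94:44:52:f:77:19 18.84171432 -34.11498498 2011/09/01 06:51:58 PM UTC (Device) Wi-Fi
Consolidated Database (Apple) Wi-Fi MAC=d8:5d:4c:b2:3:c8 18.84307813 -34.11410129 2011/09/01 06:51:58 PM UTC (Device) Wi-Fi
"""

ROW = re.compile(
    r"MAC=(?P<mac>[0-9a-fA-F:]+)\s+(?P<lon>-?\d+\.\d+)\s+(?P<lat>-?\d+\.\d+)\s+"
    r"(?P<when>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} [AP]M UTC)"
)


def normalise_mac(mac):
    """The cache stores octets without leading zeros ('0:21:4:...'); pad each
    to two hex digits so the value matches OUI tables and other logs."""
    octets = mac.lower().split(":")
    if len(octets) != 6 or not all(0 < len(o) <= 2 for o in octets):
        raise ValueError("not a 6-octet MAC: %r" % mac)
    return ":".join(o.zfill(2) for o in octets)


def parse_rows(text):
    """Return a list of dicts with keys mac, oui, lon, lat, when."""
    records = []
    for line in text.splitlines():
        m = ROW.search(line)
        if not m:
            continue  # skip header lines and slide residue
        mac = normalise_mac(m["mac"])
        records.append({"mac": mac, "oui": mac[:8], "lon": float(m["lon"]),
                        "lat": float(m["lat"]), "when": m["when"]})
    return records


def centroid_by_time(records):
    """Average the access-point positions cached at the same timestamp; an
    assumed rough estimate of where the handset was when the entries were written."""
    groups = defaultdict(list)
    for r in records:
        groups[r["when"]].append((r["lat"], r["lon"]))
    return {when: (round(sum(p[0] for p in pts) / len(pts), 6),
                   round(sum(p[1] for p in pts) / len(pts), 6))
            for when, pts in groups.items()}
```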
Page 17
GPS Co-ordinates
Page 18
Internet Usage

| Application | Web Address | Page Title | Access Count | Accessed |
| --- | --- | --- | --- | --- |
| Safari (Apple) | http://www.beeld.com/Sport/Rugby | | 2 | 2011/09/07 05:44:38 AM UTC (Device) |
| Safari (Apple) | http://www.beeld.com/Suid-Afrika | | 2 | 2011/09/07 05:35:08 AM UTC (Device) |
| Safari (Apple) | http://www.beeld.com/Sport/Rugby/Die-Bok-spel-gevaar-Wallis-20110904 | Dié Bok spel gevaar – Wallis: Beeld: Sport: Rugby | 1 | 2011/09/06 06:05:17 AM UTC (Device) |
| Safari (Apple) | http://192.168.65.54/?screenWidth=768 | Enigma PDA Web Interface | 1 | 2011/09/06 05:25:51 PM UTC (Device) |
| Safari (Apple) | http://www.rapport.co.za/ | Rapport | 1 | 2011/09/06 06:07:54 AM UTC (Device) |
| Safari (Apple) | http://192.168.65.54/ | Enigma Web Interface | 1 | 2011/09/06 05:25:50 PM UTC (Device) |
| Safari (Apple) | http://www.rapport.co.za/Suid-Afrika | | 1 | 2011/09/06 06:25:00 AM UTC (Device) |
| Safari (Apple) | http://www.beeld.com/Suid-Afrika/Nuus/1-sterf-2-erg-beseer-in-kettingbotsing-op-N1-20110905 | 1 sterf, 2 erg beseer in kettingbotsing op N1: Beeld: Suid-Afrika: Nuus | 1 | 2011/09/06 05:57:46 AM UTC (Device) |
| Safari (Apple) | http://www.beeld.com/Suid-Afrika/Nuus/Van-geskors-tot-in-ander-hoe-pos-20110905 | Van geskors tot in ander hoë pos: Beeld: Suid-Afrika: Nuus | 1 | 2011/09/06 05:55:35 AM UTC (Device) |
| Safari (Apple) | http://www.beeld.com/Suid-Afrika/Nuus/Pil-soos-Simply-Slim-nou-te-kry-20110905 | Pil ‘soos Simply Slim’ nou te kry: Beeld: Suid-Afrika: Nuus | 1 | 2011/09/06 05:52:56 AM UTC (Device) |
| Safari (Apple) | http://www.beeld.com/Wereld/Nuus/Mugabe-sterf-in-2013-20110904 | Mugabe ‘sterf in 2013’: Beeld: Wêreld: Nuus | 1 | 2011/09/06 06:01:28 AM UTC (Device) |
| Safari (Apple) | http://www.beeld.com/Wereld | | 1 | 2011/09/06 06:01:18 AM UTC (Device) |
| Safari (Apple) | http://www.beeld.com/Suid-Afrika/Nuus/Mandela-ongeluk-Moord-klag-verander-20110905 | Mandela-ongeluk: Moord-klag verander: Beeld: Suid-Afrika: Nuus | 1 | 2011/09/06 06:00:12 AM UTC (Device) |
| Safari (Apple) | http://192.168.65.54:16001/ | CCcam info pages | 1 | 2011/09/06 05:26:16 PM UTC (Device) |
| Safari (Apple) | http://www.beeld.com/Suid-Afrika/Nuus/Bloedwater-versuur-die-lewe-van-sakemanne-20110906 | Bloedwater versuur die lewe van sakemanne: Beeld: Suid-Afrika: Nuus | 1 | 2011/09/07 05:39:32 AM UTC (Device) |
Page 19
Keyboard Cache
Text:
KikisystemscomrexmaxloadmaxcommmaratonmyadslmytvmotogponsoljullejKpklkmkkiipllljkkllkkkkkkjnjjjbbbhgmkanskxhhmtukllkkpkkklkjkjgegeegumtreegbvgggggvvzapasscodeqqxqqnsnnnmnnnbggvbbvvvrvvvxzbvbeeldvbvbbabsa
Password
Page 20
App Usage
Application: com.apple.mobilesafari – Time: 2011/08/14 UTC (Device) – Duration: 00:08:18 – Access Count: 9
Application: com.iber4.dodgemcars – Time: 2011/08/18 UTC (Device) – Duration: 00:00:00 – Access Count: 9
Application: com.hackulo.us.installous – Time: 2011/08/15 UTC (Device) – Duration: 00:50:08 – Access Count: 9
Application: com.RockingPocketGames.iFishingSE – Time: 2011/08/21 UTC (Device) – Duration: 00:56:59 – Access Count: 8
Application: com.ea.candcra.inc – Time: 2011/08/13 UTC (Device) – Duration: 00:17:33 – Access Count: 8
Application: com.apple.Preferences – Time: 2011/08/08 UTC (Device) – Duration: 00:00:49 – Access Count: 8
Application: com.iber4.dodgemcars – Time: 2011/08/16 UTC (Device) – Duration: 00:00:00 – Access Count: 8
Application: com.hackulo.us.installous – Time: 2011/08/21 UTC (Device) – Duration: 00:33:25 – Access Count: 8
Application: com.apple.mobileipod-VideoPlayer – Time: 2011/08/15 UTC (Device) – Duration: 01:07:05 – Access Count: 8
Application: com.outfit7.talkingbirdipad – Time: 2011/09/03 UTC (Device) – Duration: 00:30:26 – Access Count: 7
Application: com.hackulo.us.installous – Time: 2011/08/28 UTC (Device) – Duration: 00:19:27 – Access Count: 7
Application: com.hackulo.us.installous – Time: 2011/08/22 UTC (Device) – Duration: 01:11:07 – Access Count: 7
Application: com.compumasterltd.poolrebel – Time: 2011/08/25 UTC (Device) – Duration: 00:34:07 – Access Count: 7
Page 21
Fun Fone Facts
Page 22
Physical Recovery
8GB of useful data retrieved using “chip off” techniques
Concept – Malware/ Spyware
![Page 24: Cellphone and Mobile Device Forensics An update on concepts Presented by Peter L. Fryer ACE, CFE, CISA, MPSC.](https://reader036.fdocuments.in/reader036/viewer/2022062803/56649c935503460f9494f86a/html5/thumbnails/24.jpg)
Mobile Device VulnerabilitiesMobile Phones have three vulnerabilities
1. Interception2. Monitoring3. Command and Control
Page 25
Interception
– Network
– Off air (passive)
– Spyware
Page 26
Monitor
– App usage
– Malware/ Spyware
– Collection
Page 27
Command and Control
– Deploy as a BOT
– Escalate user privileges
– Premium service subscription
Page 28
Malware – what we know
Majority of malware deployments include social engineering
Deployment on two levels
Level I – Physical deployment
Level II – Social engineering (phishing)
Page 29
Deployment
Physical Access
– Flash disk
– Link to web download
– Override user privileges
Social Engineering
– Refer to web download (games, banking app)
– Spoofed login to collect credentials
Page 30
Page 31
Malware
Malware
– Designed to exploit security weaknesses
– Trigger data costs (premium SMS/ data services)
– Escalate user privileges
– Phones act as bots for malicious attacks
– Allows for remote control of the device
Page 32
Spyware
Spyware
– Deployed to compromise user-created information
– Covert interception and monitoring
– Collect communications and data
– Collect credentials (two-factor authentication)
• OTP
• Password reset info
Page 33
Detection of Malware and Spyware
Behaviour analysis of device
Data usage tracking
App identification and logging
Deploy content management tools
Enforce local security policies
System file analysis
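As an added example (not code from the presentation), the Python below applies the "app identification and logging" and "behaviour analysis" ideas of this slide to records in the page-20 App Usage layout: it aggregates duration, access count and distinct days per bundle id, then flags apps outside an assumed allowlist and treats the Installous bundle id seen on page 20 as a jailbreak indicator. The allowlist, the indicator set and the sample records are assumptions constructed for this example.

```python
"""App-usage behaviour analysis over records in the page-20 layout.
Sample records, allowlist and indicator set are assumptions of this example."""
import re
from collections import defaultdict

# Constructed sample input: a subset of the page-20 records, one per line.
APP_USAGE = """\
Application: com.apple.mobilesafari Time: 2011/08/14 UTC (Device) Duration: 00:08:18 Access Count: 9
Application: com.iber4.dodgemcars Time: 2011/08/16 UTC (Device) Duration: 00:00:00 Access Count: 8
Application: com.hackulo.us.installous Time: 2011/08/15 UTC (Device) Duration: 00:50:08 Access Count: 9
Application: com.hackulo.us.installous Time: 2011/08/21 UTC (Device) Duration: 00:33:25 Access Count: 8
Application: com.apple.Preferences Time: 2011/08/08 UTC (Device) Duration: 00:00:49 Access Count: 8
Application: com.hackulo.us.installous Time: 2011/08/28 UTC (Device) Duration: 00:19:27 Access Count: 7
Application: com.hackulo.us.installous Time: 2011/08/22 UTC (Device) Duration: 01:11:07 Access Count: 7
"""

RECORD = re.compile(
    r"Application:\s*(?P<app>\S+)\s+Time:\s*(?P<date>\d{4}/\d{2}/\d{2}) UTC \(Device\)\s+"
    r"Duration:\s*(?P<h>\d+):(?P<m>\d{2}):(?P<s>\d{2})\s+Access Count:\s*(?P<count>\d+)"
)

# Assumed policy allowlist: bundle-id prefixes the organisation trusts.
TRUSTED_PREFIXES = ("com.apple.",)
# Assumed indicator set: Installous was a store that ran only on jailbroken iOS devices.
JAILBREAK_INDICATORS = {"com.hackulo.us.installous"}


def parse_records(text):
    """Yield (app, date, seconds, access_count) for each record line."""
    for line in text.splitlines():
        m = RECORD.search(line)
        if not m:
            continue  # skip slide residue between records
        secs = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
        yield m["app"], m["date"], secs, int(m["count"])


def summarise(text):
    """Aggregate per bundle id: total seconds, total accesses, distinct days."""
    totals = defaultdict(lambda: {"seconds": 0, "accesses": 0, "days": set()})
    for app, date, secs, count in parse_records(text):
        t = totals[app]
        t["seconds"] += secs
        t["accesses"] += count
        t["days"].add(date)
    return totals


def flag_apps(text):
    """Return {app: reason} for bundle ids that merit the analyst's attention."""
    flags = {}
    for app, t in summarise(text).items():
        if app in JAILBREAK_INDICATORS:
            flags[app] = "jailbreak indicator (%d accesses over %d days)" % (
                t["accesses"], len(t["days"]))
        elif not app.startswith(TRUSTED_PREFIXES):
            flags[app] = "not on allowlist"
    return flags
```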
Page 34
Challenges for infosec practitioners
Mobile devices fall into the BYOD class
– Behind-firewall deployment of threats
Mobile devices differ drastically
– No single tool to manage and audit devices
No single detection methodology
– Multi-platform approach to detection (expensive)
Difficult to monitor (form part of a closed network)
– Devices not part of local network
No alert functionality on mobile device
– Apps installed as trusted
Page 35
What we need to know
• Consult the experts
Page 36
Defence Strategy
Review user privileges
Install only trusted apps
Maintain physical security of device
Review data usage
No “rooting” or “jailbreaking”
Page 37
Research – spyware
Applications and software purchased
File system analysed
Deployed to several phones
– Sony Ericsson
– Samsung
– Blackberry
– Nokia
Page 38
Spyware Tested/ Reviewed
Killer Mobile – Tra v4.1
Eblaster Mobile edition
MobileSpy IE
Spy Bubble
Cell-Tracker Pro
Page 39
Observations
Tools effective for capturing mainly text-based data
Slows device response to user prompts
Battery drain extensive
Visual triggers
– Data usage
– Device activity
– BB Log
Page 40
Concept Overview
Cellphones and mobile devices are to be included as primary evidence sources
Reliable evidence recovery from mobile devices
Detection methodologies exist for spyware and malware deployments
Accredited experts available locally
Page 41
FAQ
Is my phone bugged?
How am I tracked by using my cellphone?
Can I tell if my phone is bugged?
Can you recover deleted messages and data from my phone?
What is the safest phone in terms of defence against spyware?