Midterm Exam Flashcards
What is Digital Forensics?
A branch of forensic science focusing on the recovery and investigation of raw data residing in electronic or digital devices.
Forensically Sound
Original evidence has not been modified.
Difficult on mobile devices.
Procedures have to be tested, validated, and documented.
3 Main Categories of Mobile Forensics
Seizure.
Acquisition.
Examination/Analysis.
Biggest Challenges to Mobile Forensics
Data can be accessed, stored, and synchronized across multiple devices.
Difficulties in Obtaining Mobile Data: Devices
Hardware/OS differences.
Generic state of device.
Dynamic nature of devices.
Alteration of data/device.
Difficulties in Obtaining Mobile Data: Remote Access
Wipes and resets.
Communication shielding.
Difficulties in Obtaining Mobile Data: Resources
Lack of resources.
Lack of available tools.
Legal issues.
Difficulties in Obtaining Mobile Data: Security
Security features.
Anti-forensics techniques.
Passcode recovery.
Malicious programs.
Mobile Evidence Extraction Process: About
Extractions of each mobile device may differ.
A consistent examination process should be followed.
There is no well established standard process.
All methods used should be tested, validated, and documented.
Mobile Evidence Extraction Process: Steps
Intake. Identification. Preparation. Isolation. Processing. Verification. Document and Reporting. Presentation. Archive.
Mobile Evidence Extraction Process: Intake
Starting phase.
Documents ownership information and the type of incident the mobile device was involved in.
Outlines the type of data or information needed.
Developing specific objectives for each examination is the critical part of this phase.
Mobile Evidence Extraction Process: Identification
Legal authority. Goals of the examination. Make, model, and identifying information of device. Removable and external data storage. Other sources of potential evidence.
Mobile Evidence Extraction Process: Preparation
Research appropriate methods and tools to be used on the particular mobile device.
Mobile Evidence Extraction Process: Isolation
Isolation before acquisition and examination of the device is important.
Multiple methods of isolation possible.
Some methods are more preferred than others.
Mobile Evidence Extraction Process: Processing
The phone should be acquired using a tested method that is repeatable and as forensically sound as possible.
Physical acquisitions are most preferred.
Least amount of changes to the device.
File system or logical extractions are the next best methods.
Mobile Evidence Extraction Process: Verification
Verify the data in the extraction is accurate by comparing to data on the mobile device:
Comparing extracted data to the handset.
Using multiple tools and comparing results.
Using hash values.
Mobile Evidence Extraction Process: Documents and Reporting
Documentation should be done throughout the examination process.
After examination is complete, peer-review results.
Mobile Evidence Extraction Process: Presentation
Information extracted and documented should be able to be clearly presented.
Findings should be clear, concise, and repeatable.
Some tools include features that can help explain findings across multiple devices.
Mobile Evidence Extraction Process: Archive
Preserving extracted data is important.
Retained in a usable format.
Remember court cases can go on for years.
Digital forensics tools are always advancing.
4 Main Types of Operating Systems
Google Android.
Apple iOS.
RIM Blackberry.
Windows.
5 Levels of Mobile Forensics Tools
Manual Extraction. Logical Analysis. Hex Dump. Chip-off. Micro-Read.
3 Data Acquisition Methods
Manual.
Logical.
Physical.
5 General Rules of Evidence for Digital Evidence
Admissible. Authentic. Complete. Reliable. Believable.
Leading Operating System for Smart Phones
Android.
Easiest Way to Identify iDevice Hardware
Observing the model number displayed on the back of the device.
What is the iOS File System Built on?
HFS Plus.
HFS.
What are the 2 Partitions of the File System? iOS
System.
Data.
What was the Original iPhone OS Originally Called?
Alpine?
What was the Original iPhone OS Originally Called?
OS X.
Are all iOS versions supported by all iDevices?
No.
What is Jailbreaking?
Removing limitations imposed by Apple’s mobile operating system through software and hardware exploits.
Biggest reason is to install unapproved apps.
3 Modes iOS Devices are Capable of Running in
Normal.
Recovery.
DFU.
iOS Recovery Mode
If one step in the boot-up process is unable to load or verify the next step.
Required to perform upgrades or restore the iDevice.
iOS Normal Mode
The normal mode the phone boots into.
When an iDevice is switched on and booted into its operating system.
2 Types of Memory in iOS Devices
RAM.
NAND flash memory.
Custom Ramdisk Method: iOS
Gains access to the file system by loading a custom ramdisk into memory and exploiting a weakness in the boot process while the device is in DFU mode.
Custom ramdisk contains the forensic tools necessary to dump the file system.
Loading a custom ramdisk does not alter the user data.
Only works for iPhone 4 and older.
Where is the passcode stored since iOS 4?
Not on the device in any format.
Previously stored directly in the keychain.
What are the actual iOS files encrypted with?
Actual files on the file system are encrypted with data protection class keys.
What does jailbreaking allow examiners to do? iOS
Allows physical acquisitions: devices that are not vulnerable to the Boot ROM exploit must be jailbroken first.
Install tools that would not normally be on the device.
Problem: makes changes to devices that may damage evidence or render it inadmissible in court.
Logical acquisition should be considered first.
What was introduced in iOS 6 that prevents examiners from patching the kernel code directly?
Kernel Address Space Layout Randomization.
Kernel Address Space Protection.
What is a computer that an iDevice is backed up to called?
The host computer.
Where are the iOS pairing records stored by a Windows computer?
On the device: the /var/root/Library/Lockdown/pair_records/ directory.
Pairing records are stored as a plist file with a filename representing the unique identifier given to the computer.
Windows - %ALLUSERSPROFILE%\Apple\Lockdown.
Where are the iOS pairing records stored by a Mac OS X computer?
Mac OS X - /private/var/db/lockdown.
40-Character Hex String that Corresponds to iOS Backup Files?
It matches the UDID of the device.
4 Data Files Contained in iOS Backup Directory?
info.plist
manifest.plist
status.plist
manifest.mbdb
iOS info.plist
This file stores details about the backed up device: ICCID. Last backup date. IMEI. Phone number. Installed Apps. Product type and production version. Serial number. iTunes version. Device’s UDID.
iOS manifest.plist
Describes the contents of the backup: Applications. Date. IsEncrypted. Lockdown. WasPasscodeSet. Backup Keybag.
iOS status.plist
The status.plist file stores details about the backup status:
Backup state.
Date.
IsFullBackup.
iOS manifest.mbdb
Contains records about all other files in the backup directory.
Is a complete backup created every time a user backs up their iOS device?
First backup is a complete backup.
Subsequent backups contain only files that were modified.
Number of File Backup Domain Categories in iOS
12.
What domain is the Addressbook database in iOS?
HomeDomain.
What do you need to know in order to extract an iCloud backup?
Apple ID and password.
2 Timestamps on iPhone?
Unix.
MAC.
Unix Time on iOS
Unix timestamps are the number of seconds elapsed since the Unix epoch, January 1, 1970.
MAC Time on iOS
Mac absolute time is the number of seconds elapsed since the Mac epoch, January 1, 2001.
SQLite Database File Extensions
.db, .sqlitedb, or no extension.
Important Database Files in iOS
Addressbook/Addressbook Images. Call History. SMS Messages/SMS Spotlight. Calendar Events. Emails. Photos Metadata. GPS. Voicemail/Voicemail Directory. Notes. Safari bookmarks/Safari web cache. Web application cache.
Important plist Domain Files in iOS
HomeDomain plist files.
RootDomain plist files.
WirelessDomain plist files.
SystemPreferences plist files.
What information is in the WirelessDomain file?
WirelessDomain plist files contain useful information about the SIM card last used in the device.
Other important files in iOS?
Cookies. Keyboard cache. Photos/wallpaper/snapshots. Recordings. Downloaded applications.
Can deleted SQLite databases be recovered?
Yes, SQLite databases store the deleted records within the database itself.
Elcomsoft iOS Forensic Toolkit Features
Supported on both Mac OS X and Windows.
Physical and logical extractions.
Password recovery attacks.
Extract device keys to decrypt raw disk image and keychain items.
Logs and records every step of investigation.
Elcomsoft iOS Forensic Toolkit Downsides
Does not provide options to analyze acquired data or recover the deleted data.
Supports most iOS devices, but some must be jailbroken.
Does not support all iOS devices.
Oxygen Features
Allows fully automated forensic acquisition and analysis.
Supports a lot of devices.
Can recover deleted data from databases.
Import a backup/image file obtained using a different tool for analysis.
Password recovery from keychain.
Timeline.
Oxygen Downsides
Windows only.
Does not support physical acquisitions.
Some logical acquisitions require the device to be jailbroken.
Cellebrite Features
Supports physical, logical, and file system acquisitions.
Extracts device keys required to decrypt raw disk images and keychain items.
Reveals device passwords if possible.
Supports passcode recovery attacks.
Advanced analysis and decoding of extracted application data.
Which tools run on Windows?
Forensic Toolkit.
Oxygen.
Cellebrite.
Which tools run on Mac OS X?
Forensic Toolkit.
Disadvantages of Open Source Tools
They often do not go through rigorous amounts of testing and validation and may miss data that could be manually extracted by the examiner.