Week 2 - Mobile Forensics Flashcards
Wiping Process
Overwrites the data on the external device with a known character (e.g. “0”, “#”).
The investigator can choose or allow the default symbol from the program performing the wiping process.
Overwriting Data
During the wiping process, the investigator can also choose how many times to overwrite the data (e.g. 1, 3 or 7 passes).
Most forensic software suites do NOT have the ability to recover information that has been overwritten one time.
Sterilisation - Documentation
The forensic sterilisation process assists the investigator when testifying in a courtroom and shows that the necessary steps were taken to eliminate any residual data and to prevent cross-contamination of data.
The wiping and verification processes should be documented thoroughly.
Threat of Remote Wiping
Most smartphones have a remote-wipe capability that allows them to contact the service provider, or use a third-party application, to overwrite the information on the phone once it gets a WiFi or cellular signal.
Information can also be added to the device, or information within unallocated space can be overwritten if new SMS messages or calls come into the device after the time of seizure.
If powered on without proper shielding, the device may go into a cleansing or wiping process that can destroy the evidence.
Shielding Methods
Faraday bags
Faraday boxes
Faraday tents
Faraday paint
Aluminium foil
Arson can
Airplane mode
Off State
If you discover that the device is off, leave the device off to protect information.
If you turn the device on, you risk allowing automatic (remote) wipes, exposing the phone to incoming text messages (which may delete old ones), and modifying the phone’s location.
The phone will be altered, perhaps in a way that loses critical evidence.
On State
If the device is on, you must consider the risks versus benefits of handling the device. Determine whether it is connected to a radio or WiFi network. Ask yourself the following:
- Does the device have a handset password on it?
- Is it a GSM phone?
- Does the SIM have a PIN code on it?
- After 3 failed SIM PIN attempts, the Personal Unlocking Key (PUK) code must be used; after 10 failed PUK attempts, the SIM is fried (permanently locked).
- Does the device have removable media such as an SD card or microSD card?
- The key difference for a device in the on state is that the investigator should also document information, applications, and settings of the device at the crime scene.
- Keep an external power source connected to the device while in storage to maintain the “on status” until an investigator is able to process the device.
Standby
If the device is in standby mode, you must consider the risks versus benefits of handling it. Your decision on how to handle the device will depend on the make, model and whether the device’s security features are enabled. If the device is PIN coded or password protected, you would not attempt to unlock it.
Physical Acquisition
Data acquisition using a physical technique acquires all the non-volatile memory that can be read.
The data is dumped bit by bit into a binary file which contains all the data and unallocated areas on the device and may contain deleted files.
Physical Acquisition via Chip-Off Extraction
The most low-level and potentially complex acquisition method for mobile devices. Involves reading the memory structures. This also requires special equipment and will destroy the mobile device when the memory chips are extracted from the electronic circuit board (ECB).
Physical Acquisition via Device Interface
Physical acquisition through software or hardware usually acquires all of the data on the device, including deleted information. This can be done using forensic tools or flasher boxes, producing a binary file that needs to be decoded for analysis.
Physical Acquisition via JTAG
A physical acquisition using the JTAG interface on the device’s electronic circuit board (ECB) to acquire a binary file that needs to be decoded for analysis. Special equipment is necessary for this technique.
Manual Scroll Analysis
Examiner physically accesses the data on the device through the device interface. Only information seen through the interface is available. There is no automation and the examiner could accidentally change data on the device. The process is usually documented through photographs or videotape.
Logical Acquisition
Data acquisition using a logical technique acquires only the active files stored in the file system of the device’s non-volatile memory.
Some examples of a logical acquisition include conducting a manual analysis of the mobile device, using forensic tools like XRY or the Cellebrite UFED Touch, dumping the file system, or creating backup files using iTunes on an Apple iDevice.
Data Cable and Bluetooth
The most common automated method of accessing devices. Once you have access to the device, the acquisition tool must communicate with the handset.
Some mobile devices support standard AT command access, but this usually only provides access to a limited selection of data.
Many mobile devices have proprietary protocols and require manufacturer tools to execute code on the handset to acquire data.