Week 3 - Mobile Forensics Flashcards

1
Q

Extraction Methods

A

In forensics, the best extraction choice is often the type of acquisition that provides the examiner with the greatest amount of evidence.

Technologies usually support several types of acquisitions that you can use to extract the greatest amount of evidence for an examination.

Examiners can recover more information with file system and physical extractions than with a logical extraction.

These extraction types provide additional information about a handset, such as the file system and possibly hidden or deleted information.

2
Q

Android SDK

A

Primary tool used to build, test, and debug Android applications.

3
Q

Android Debugging Bridge

A

A built-in protocol within the Android operating system.

Enables developers to connect to an Android-based device and perform low-level commands used for development.

Forensics utilities can also use this protocol to extract data from Android devices.

When USB Debugging is enabled on a device, there is a high likelihood that a physical or file system extraction will be successful on almost any Android device.

4
Q

USB Debugging

A

Used to enable communication between the Android device and a workstation on which the Android SDK is installed.

Forensics utilities can also use this protocol to extract data from Android devices.

If enabled, this option will trigger the device to run the adb daemon.

5
Q

adb daemon (adbd)

A

Runs in the background to continuously look for a USB connection.

The daemon will usually run under a non-privileged shell user account.

On rooted phones, however, it will run under root.

6
Q

adb client

A

Once started, it first checks if the daemon is already running.

Communicates with local adbd over port 5037.

7
Q

Forensic Recovery Partition

A

Physical extraction method while the device is in recovery mode.

UFED replaces the device’s original recovery partition with a custom forensic recovery partition.

The original recovery partition on the Android device can be considered an alternative boot partition that may also change the user data, while Cellebrite’s recovery partition should not affect any of the user data.

This extraction method bypasses the user lock from a number of Samsung Android devices and is forensically sound.

8
Q

Android Backup

A

Extraction method that communicates with a connected Android device and enables you to extract data from that device.

The data that is extracted is dependent on the device’s specific characteristics. The UFED ______ supports Android version 4.1 and later.

May provide less data than other methods; therefore, you should use this feature when other file system methods (e.g. ADB) are not successful, or when other file system methods are not available for the device (e.g. if the Android version is not supported).

9
Q

Android Backup APK Downgrade

A

Method extracts application data using Android backup.

During the process, the selected application version (*.apk file) is temporarily downgraded to an earlier version, so that data can be extracted.

The current version is then restored at the end of the extraction process.

There is risk relating to downgrading, so only use this method as a last resort.

10
Q

Partial File System

A

Performs a partial file system extraction.

It bypasses any user lock and is forensically sound.

If the device is already unlocked, you should use other extraction methods.

In some cases, this method can extract data from memory; however, the recommended method here would be to read the memory card with an external memory card reader.

11
Q

Boot Loader

A

Used during the phone’s power-up stage.

Used to boot the device with a custom piece of code that directly accesses the internal flash memory.

When the device boots, the boot loader code is run on the device and the device boots into a controlled environment.

With UFED, the examiner may see a Cellebrite logo on the device, assuring the examiner that the boot loader has successfully loaded into RAM on the device.

12
Q

ADB (Rooted)

A

Used for Android devices that have been rooted.

Can be used when the physical extraction method is not supported.

Note: Although rooted devices are supported, it is not recommended to root a device for extraction.

13
Q

Physical Extraction

A

Gives the user the ability to capture a bit-by-bit copy of the entire flash memory.

When using UFED, the file extension will be a binary (.bin) file.

When performing , UFED creates a single Hex extraction file for each flash memory chip, or address range utilised by the mobile device.

If several flash memory chips are installed in the mobile device, the extraction will usually create a binary file for each flash chip.

In some cases, multiple binary files will be created based upon the address ranges extracted.

14
Q

Physical Extraction: Data

A

Captures the following information from a mobile device:
* User data
* File system data
* Deleted data (unallocated space)
* Location data
* Hidden system data

With a physical image, examiners can use additional features in UFED Physical Analyzer to locate (carve) information from unallocated space.

15
Q

Physical Extraction: Boot Loader

A

A common method used to physically extract binary files from mobile phones is through the ‘rescue’ or ‘download’ mode.

Operating in this mode, mobile phones are designed to allow the insertion of a small piece of code, called a _______, into the RAM during start-up in order to allow flashing of firmware.

They are often not ‘read-only’ devices, except for the UFED.

With UFED, the device does not continue its regular booting procedure into the OS; instead, it executes forensically sound ‘read-only’ actions.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Boot Loader: UFED

A

For most devices, Cellebrite’s proprietary boot loader can bypass security mechanisms, even if the device is locked, without jailbreaking, rooting or flashing the device.

Because the boot loader only contains code used to read the various memory chips on the device, and does not write to the memory chips at any stage during or after the extraction process, the data extraction and passcode-bypass processes are considered forensically sound.

UFED inserts a special boot loader into the device’s RAM. Disk-level commands are then sent to dump the entire memory chips, including unallocated space containing previously deleted content, without leaving a footprint.

17
Q

Physical Extraction: Software Clients

A

During this process, software clients can be uploaded to the device to enable temporary rooting and facilitate extraction.

Some newer devices don’t have built-in functionality to upload boot loaders.

Following the extraction, however, the software client must be uninstalled and the device boots as usual, non-rooted.

It attempts to exploit a weakness in the phone’s implementation.

Since the client is installed on the device, it makes an alteration to the device, so document this in your notes.

18
Q

Software Clients: UFED

A

Cellebrite’s UFED removes software automatically by default.

In ‘covert mode’, it also renames the software client name from ‘Cellebrite.sis/exe’ to ‘AAA.sis/exe’ to help obscure it further.

UFED installs a tiny piece of code (a client) on the memory chip. Disk-level commands are then sent to dump the entire memory chips, including unallocated space containing previously deleted content.

19
Q

File System Extraction

A

Extracts the file system from the mobile device and returns folders as Zip, IPD, BBB, or Tar.

While these are comparable to the API used in logical methods, they use different sets of built-in protocols, depending on the OS.

With iOS/Android/BlackBerry, it may be necessary to rely on device backup files to make hidden files and other data that is not readily accessible through the phone’s API available.

Can view permissions.

Potentially contains hidden system files.

20
Q

File System Extraction: Process

A

The device responds with the requested files.

The extracted files are put into a folder structure and may contain hidden or deleted information resident in certain files.

21
Q

File System Extraction: Data Contents

A

The extracted data folder contains:

  • The zipped archive of the device file system
  • The .ufd file (containing the system extraction information used by the UFED Physical Analyzer application).
  • The associated backup files, depending on make and model of the device being investigated.

22
Q

Logical Extraction

A

Logical extraction of data is performed, for the most part, through a designated API available from the device vendor, using a GUI.

Limited to the content the vendor has made available through its API.

23
Q

Logical Extraction: Process

A

Using the UFED device, for example, a relevant vendor API is loaded to the device.

The UFED then makes read-only API calls to request data from the phone.

The phone replies to valid API requests to extract designated content items.

24
Q

Logical Extraction Report

A

Extracted data is put into a folder which contains the following information:

  • The .ufd or .ufdx file (containing the extraction information used by the UFED application).
  • The logical extraction report.
  • The extracted data.

Note: By default the logical extraction creates an HTML report. This HTML report lists the hash values for the different folders containing the data.