Week 7 - Logical / File System Examination Flashcards
Best to revise this topic by reading the handouts, which have examples on
Before an examination, what must you do?
Mobile Device Research:
- Identify the device (not always easy if damaged or a new / unknown model)
- Identify the capabilities of the device (in order to understand what possible types of data it stores and what options there are for interfacing with it to acquire data)
- Examination tool information (tools often hold databases of device types, connections and interfaces, as well as what type of data is held)
- Online sources (forums and websites may assist in gathering additional info like user manuals and items like replacement batteries)
- Once the above is established we can determine the examination tool strategy
List some good online resources for device info
- GSM Arena – http://www.gsmarena.com/
- Phonescoop – http://www.phonescoop.com/
- Phonearena – http://www.phonearena.com/
(these 3 are all excellent resources for device info)
There is an old knowledge base website, the Cellphone Knowledge Base (CPKB), now no longer available except via the Wayback Machine - good for old devices.
- IMEI Information Sites
– GSMA device check
– Numberingplans.com
– IMEI.info
– imeidata.net
What information may be relevant on these sites (e.g. Phonescoop)?
- Operating System (to determine the types of examination available and what data may be available. Also identifies the different types of network transceivers inside the device, such as GSM, CDMA or LTE, as well as FFF or nano UICC, and indicates the connection ports / cable connections required for that system.)
- Battery spec (useful if replacing or charging)
- Processor details (assists in determining compatible tools)
- Storage options (may help determine the length of the examination - how much data can be stored)
- The info summary tab may give important info about features such as whether biometrics are available.
The site also gives links to other useful data like manuals and hardware info. Images of the device are always available to allow visual comparison to confirm the device is correct and not a clone or imitation.
Other sites like GSM Arena also give GPS information and whether the camera can geotag.
Logical & File System Tools
- Numerous different types of tools
- Some have disappeared over time
- New ones appear on a frequent basis
- Some are device specific
- Others are generic
- Some perform better at decoding certain models
- Continuous updates - rate of change of devices / hardware / software
- Maintaining proficiency - a difficult task that needs continuous review due to the dynamically changing field.
- Cost
- Some are commercial / some are open source. Open source is likely to be less frequently updated or supported - it requires community support.
Likely more than one tool may be needed to meet your needs.
Remember the use of the term ‘support’ - it is used as a marketing term: a device might be supported, but the tool might not be proficient at gathering all of the available data.
Logical/File System Techniques
Logical examinations are usually conducted via the API (Application Programming Interface) used by the tool to allow the device OS to communicate with other applications. It launches a read-only version of the API.
* May provide limited data if restricted by device / OS or application vendors or if data is stored in non standard folders.
* Connects via cable or wireless (BT or Wifi) methods
File system examination uses proprietary commands. Can be device or OS specific. The aim is to acquire and decode the file system of the device - this provides additional info over logical examinations, like databases.
* May require multiple examination methods in order to acquire and decode the maximum data (use APK downgrade with caution because of the risk of data loss)
* Can provide some deleted data from databases
* Device may need to be jailbroken (Apple) / rooted (Android) using specific software
Examination Tool Validation
- Tool validation - a topic that evokes much discussion in the community. Required to ensure that you have confidence in the tools and that they are fit for purpose. Validation can be achieved by a combination of methods - some examples below.
– Evaluation reports. For example, NIST (USA) has released assessment reports on various tools, including the accuracy of tools run on test devices. But tool versions update so regularly (due to device development), and updates to devices sometimes remove functionality of tools (where security patching often prevents access to data), so the tool version has often changed since the NIST testing - use with caution when different versions are involved, particularly when encryption is involved.
– Test devices. Use the same make, model, OS and versions of apps. Needs a significant budget to acquire devices and time to upgrade and downgrade applications and the OS.
– Compare with other tools (dual tool verification). Some tools perform better than others depending on the data of interest. With general standard data it’s likely that most tools will acquire and decode similarly, but there may be differences in how the data is reported.
– Compare the acquired / decoded data with network CDR (if available). Can be useful to validate time / date or number details.
– Compare with app records (if available). Useful where application records are required. Can compare and validate against records from the applications themselves (like CDR).
But there is no one tool that will meet all requirements.
SIM/UICC Examination Tools - Potential Data that can be obtained
Potential data that can be obtained from a SIM / UICC:
- Network
- OS
- Logical connectivity - whether it has a connection by cable, Bluetooth or infrared, and what the recommended media connector is
- Contacts, calls, SMS (from SIM and storage), pictures, videos, audio, files, MMS, email, calendar, tasks, notes, memory card
Other info given in an example report:
Deleted SMS are supported, call lists are not available on USIM partitions, last dialled calls do not show time or date, EMS is shown with text and pictures excluding audio and animations
SIM / UICC Readers
There are many SIM / UICC readers.
Many are read only in terms of access. Small hardware devices. Allow acquisition of data on the SIM / UICC.
- Can be integrated into a tool
- Or a standalone tool
- May act as the interface for the clone SIM function
SIM / UICC Data - SMS messages
Status of incoming messages can be:
- unread (not accessed yet)
- read (has been accessed)
- or deleted (has been accessed & deleted).
When an unread SMS is accessed through the acquisition process the status will change to read.
If the status of a message in index (place) number 2, for example, is deleted, it is no longer visible on that SIM or UICC and that slot is free to have a new incoming SMS saved to it, which will overwrite it.
What are AT commands?
AT commands (Attention commands) are a set of instructions used to communicate with modems and mobile devices, including GSM and LTE devices. AT commands serve as a low-level interface for interacting with mobile devices.
However, there are access limitations: not all mobile devices allow unrestricted access to AT commands, especially modern smartphones with enhanced security.
Plus, even if the device responds to AT commands, data may be encrypted or protected by additional layers of security.
There are standard AT commands and proprietary AT commands.
Mobile device manufacturers often implement additional, proprietary AT commands that are specific to their devices. These commands may allow deeper interaction with the device’s hardware or software, enabling forensic examiners to extract additional or hidden data.
List some AT commands and what they do
Used to access information from a live mobile device. If the device manufacturer allows a reply to a command, then its content is decoded and listed in the report. It is at the manufacturer's discretion to decide which commands a device will reply to.
- AT Checks device is responsive
- AT+CGMI Request ME manufacturer identification (MI = Manufacturer Identification)
- AT+CGMM Request ME model identification (MM Mobile Model)
- AT+CGMR Request ME revision identification (software version)
- AT+CGSN Request ME IMEI (SN = Serial No.)
- AT+CIMI Request IMSI
- AT+CNUM Request MSISDN
- AT+CPBR Read Phonebook Entries (PB = Phonebook)
File System Examination
In order to perform a file system examination it may be necessary to perform a number of different actions.
Dependent on device and OS versions. Low end devices may not require any actions, but Android and Apple devices will require various actions.
An Android example:
In this example there are 3 different file system examinations that may be required: ADB, Android back-up and Android back-up APK downgrade.
If the device has not been rooted / jailbroken then special tools will be required to conduct a file system examination (e.g. Cellebrite Premium)
- ADB. In order to do an ADB examination you need Verify Apps to be disabled in the internal settings and USB debugging turned on (in addition to requiring a method to bypass any screen lock if needed).
What is ADB examination in an android device?
ADB (Android Debug Bridge) examination is a method used in forensic analysis of Android devices to extract and analyze data via the ADB interface.
ADB is a versatile command-line tool that allows communication between a computer and an Android device for various tasks, such as debugging applications, transferring files, and more. In forensic investigations, ADB can be used to gather evidence without needing advanced rooting techniques, particularly from devices that have developer options and USB debugging enabled
File System Acquisition - Chipset Exploitation
The increase in file based encryption means it is common to need to use the mobile device itself to decrypt data while it is being acquired.
File system acquisition is usually the best way to acquire encrypted data.
How complete the file system acquisition will be is influenced by a number of factors including make, model, OS version and security patch version.
In most cases the device must be capable of being powered on and in AFU (after first unlock) mode (or you must have the relevant codes to place it in this status).
Often hardware or software exploits will be used. These have been developed for either specific manufacturers or OS / chipset vulnerabilities.
So one specific type of chipset may be used across multiple device types, and one tool may exploit the vulnerabilities in this chipset, so that tool will work on any device that has that chipset.
BUT often these vulnerabilities get patched by the manufacturers or software developers, so the usefulness of the tool can change quickly - they have a limited lifespan.
Selective File System
Due to the quantity of data and the intrusion / time / cost involved in obtaining all the available data on a device, it is becoming more common to be selective in relation to what data is required.
Different jurisdictions will have different rules on what is proportionate / necessary to obtain.
This means most tool vendors provide a function for more selective file system acquisition.
- May still require the device to be jailbroken or rooted to achieve the level of data access required