Mobile Forensics

Hi and welcome to everyday digital forensics. I'm your host just on you, he said. And today, in this mantra, will go over mobile forensics, and the first section will briefly review this concept. General guidelines, some tools and the investigation process surrounding the area of mobile forensics. Mobile forensics is a branch of digital forensics. You'll see some similarities between the two, but they do eventually branch off into their own. In States, Video will discuss Dejan Troll evidence on a mobile device. The definition of mobile forensics process. The differences between a smartphone and a feature phone data location on a mobile device. The accusation process of a mobile device.

‍

Preserving the digital evidence and challenges and represented in mobile forensics. A lot of the information in this video was taken from the journal Ah cited below So mobile device digital evidence from the article itself. It says that digital evidence is a series of binary digit numbers on transmission or stored and information files on electronic device. Digital evidence file formats include video, audio images and anything else digital. A digital evidence is copied with unlimited differences. It could be easily modified. It's hard to identify the original copy, and the evidence itself is integrated with data verification. You'll see a lot more in this as we go into this module without technical processing, digital evidence cannot easily be understood. What is the mobile forensics process? According to N i s T definition of a process, it has five steps.

‍

One is the preservation. This is preserving the data, the accusation process, which is pulling the image from the device itself. We ever examination, process, analysis, process and, of course, reporting. Can you call where you've seen a similar forensics process? Of course, since mobile forensics is, Aziz said, a branch of digital forensics, the process of investigation remains very similar. So before we can actually talk about digital forensics on a mobile device, we need to understand that there's several different types of mobile devices, especially the phone. We have both smartphone and a feature phone to break it all down.

‍

A smartphone is possibly a phone that you have. You have your and your age of BlackBerry's, your IOS, your Windows phones. While feature phone is very similar to the foot phones, or maybe the phones your grand parents have because of technology is too much for them. So what's the technical differences between a smartphone and a feature phone? As faras Hardware goes, your smartphone has PC like capabilities, higher video resolutions for gaining and videos at an integrated keyboard and touchscreen. It also has high speed data, including the four G light Well feature Phone has very limited processor speeds and memory cake capacity. Many of them don't support cards, not voice, and put GPS, WiFi nor touch rain. Both smartphones and feature phones have phone books, candor, reminder list, but the one on the smartphone is more enhance. On Android side, you have widgets. You have notifications, reminders, conductivity to your Google account and so on. The's features aren't really seen in a feature phone.

‍

Ah, feature phone is more of a flip phone or very basic phone. It's Colonel is very limited, and there must be an understanding that the same amount of data bold from a future phone is even different from that you can pull from a smartphone. Ah, feature phone has been shown to have more restrictions, so as far a software off a feature phone is, it's a closed OS. It has minimum applications, or P. I AM, which is personal information management. So personal information management applications are your calling, messaging, chat and email. These Softwares and the future phone is also very limited. The software first smartphone are like I said, PC capabilities. So you have applications video. Call email for the different types of servers. Direct http even https on, of course, known operating systems Now within ah phone, you have different memory locations.

‍

You have volatile memory, and you have non volatile memory. Volatile memory there is is your read only memory. You're wrong. It's more of a persistent data. And within a mobile device, you see two types of flash memory then, and nor Volta. Memory is used for dynamic storage, and its contents are lost when the power's drains. While you're non volatile, memory is persistence as its contents are not affected by loss of power or overriding when it's reboot. Going into the different fresh memories of non volatile, non volatile memory, you have nan flash memory, which offers higher memory storage capabilities. However, it is less stable.It only allows sequential access. Contains graphics, audio, video and other user files. It also provides the examiner with the most useful information because it may leave multiple copies of transaction space files. Thes transaction based files are your database and your log files. You're nor is faster every time store right time, then you're not in memory. It's nearly immune to corruption or bad blocks while lying random access to any memory as a 2014 which is the time that the article was written that third generation smartphones Onley contains a man and a ram memory.

‍

Due to the requirements of high transaction speeds, greater storage density and the work cost. Our next side is media data locations so great we know about the volatile and the non volatile memory within a smartphone. Where can we find these piece of evidence? So there's several different pieces of media that must be preserved during the chain of custody. You have your SIM card, which is your just subscriber identity module, your internal men marine module, additional modules for service such as GPS, Bluetooth and your memory guards. Your SIM card contains a wide range of user and sim card data. This includes user contacts, address books, SMS text message. The last number you dialed is network information owner, phone numbers, prescribers I D and the serial number and integrated circuit card I D. For that SIM card. The SIM cards used for data storage. You can save your phone contents and things of that nature when you have a device and you're performing digital evidence and examine shirt, acquire that SIM card on Lee. After acquiring the data on the device, make an image of the device AH choir Lydia that you need.

‍

Make a copy of that image and then pull out the SIM card because you may actually lose access. Wants us in card. And there's data that might be lost in the process of you removing it. Accessing the SIM card before imaging device requires that the battery gets her moods, and doing so can reset date and time stamps of messages. So if you take up a card before actually imaging it, put it back and then do your accusation your time Samsung will change, and those your evidence is not relevance. You have your memory cards that range from three to, um, megabits to eight gigabits and size and contain file systems such as affect. Foul system examiners should preserve the media in the same fashion that a hard disk is done using the same forensics, hardware and software. Both SIMA member carts should be right protected during accusation process to prevent modification or deletion of this data, the examiners go should be to preserve completely the internal memory of the device.

‍

So going into the interment, memory evidence pertaining to GPS device stored internally can be captured during the preservation of that devices. Internal memory examiners should also be aware that a GPS device, maybe a module installed into the handhelds. So this may not just be something that's with the phone itself or the mobile device, but could be something additional additional port or additional hardware that was installed in device. Now we have the accusation of mobile data. The accusation has the same two options as, ah, hard disk Within digital forensics. You have your physical accusation urological accusation. Thanks to the multiple manufacturers, there's various software and hardware configurations. Just think of the differences between the iPhone and Android for so in a physical accusation you're capturing on an A K space, you're identifying deleted Faust fragments that may rely on the device. You're trying to recover deleted data such as text messages, emails, voicemails and pictures with a logical accusation you may not be able to actually acquired complete to needed data.

‍

If a forensic tool allows a user to do a logical accusation, only the digital investigator may not be able to actually just acquire it. There's restrictions within some of the tools you're ableto recover user activity data such as call logs, active contents, conjure entries. And most tools may only be able to prive a logical image moving over to preserving the mobile device. Digital evidence, workstations or software may not have the necessary drivers to establish connections with the mobile device. You may require custom software for particular models, and you have to install an agent to communicate with the forensic source. The best method is score Analysis. In the event of accusation fails. Thanks to know during the preservation is thes cryptographic hashing. You have MD five and Charl one Chuck. Some algorithms ah, hash value just computes a string of numbers for a digital file, and hash is used for verification during the accusation process. Another topic within the preservation is validating a hash algorithm.

‍

While it is possible to cause two fouls toe have a matching values. It's very complicated. Unknown hash value cannot be produced to a target file. So as most things, there's a challenge within mobile forensics. For one, there's several different models of mobile devices, operating systems and manufacturers. There's such a difference between the iPhone one and the iPhone in Robin. In between, the iPhone itself has different models. Has different connections. Think of for those iPhone users? How many different cables have you had to get over the years? You also have version specific device drivers. There may be conflicts due to specific devices that may conflict with your own systems. You have a live network signal as well. With these devices so alive networks and no has to be blocked, since a May result in battery being drink quickly. A mobile device in itself is volatile, so due to the nature of its volatility, data on them keeps changing constantly.

‍

So there's also the security codes and start up. This could be a pin, a biometric authentication or something that restricts a device from accessing the main home page. So, for security measures, a device may ask for these codes when you shut down and report them Although there are techniques to get past this most of times, it's better off just asking the device honor in a criminal investigation. You may come into a point where you don't have the option of asking a device owner. Therefore, your move over to some of the techniques physical damage to the phone at this day and age does not provide commercial forensic solutions to extract data. Sofa phones, physically damaged, may not be able to extract data.

‍

You have your different identification devices for investigation purposes. Identifying your personal identification number, which is a pin or the purse, the phone on Lockie, your pulque and a headset and memory card. Passwords can be difficult and very time consuming. Another issue with this is all available. Training are varies, vendor specific, and you see this when we cover a friend's ex software. We also have unready memos and messages. So one during an accusation or the analysis of the data, you must take note of the status of unopened emails and messages as mentioned earlier. Mobile devices or a very volatile are very volatile nature. You may see emails and messages coming in, and all of a sudden, there marches, red record in access by an investigator and record access by an outside source moving on.

‍

So last four, we have remote access. We have remote access. Data on the device can be remotely destroyed or change, so it's best to be shielded in a lab environment you have memory associated with a SIM card. With the SIM card deleted, evidence can only be acquired using physical accusation. You have your M and P, your mobile number portability, which might result in in by identification with your subscriber. And the last one is a universal Flasher, your U. F s three, which can be used to change the mobile devices I. M. E. I. Thus providing improper identification to a mobile device. Today's lecture covered a lot of topics and regards to mobile forensics. We talked about a mobile friends ex David Digital evidence, a mobile forensics investigation process, the difference between smartphone and a feature phone data located on a mobile device.

‍

The acquisition process preserving digital evidence on a mobile device and challenges presented in mobile forensics. So in this module, our next video Wilk review the structure of enjoy death. Then we'll examine some of the available mobile forensics tools out there for use. Discuss Andrew Forensics. Based on the discuss, Andrew. Forensic space on the N I S T standard and guidelines create an android image off of an old tablet that I found somewhere and examine that image to see what kind of information is available. So I hope you enjoyed today's video and I'll catch you on the next one.