2. Background
• Cyber activity has become a significant
portion of the everyday life of the general public.
• Thus, the scope of crime investigation has
also been broadened.
• As society has become more and more
dependent on computers and computer
networks, those computers and networks may
become targets of criminal activity, such as
burglary, destruction, intelligence gathering, or even
cyber war.
3. Forensic Science
• The functions of the forensic scientist
▫ Analysis of physical evidence
▫ Provision of expert testimony
▫ Furnishes training in the proper recognition,
collection, and preservation of physical
evidence.
4. Computer (or Cyber) Forensics
• Definition:
▫ Preservation, identification, extraction,
documentation, and interpretation of computer media
for evidentiary and/or root cause analysis using well-
defined methodologies and procedures.
• Methodology:
▫ Acquire the evidence without altering or damaging the
original.
▫ Authenticate that the recovered evidence is the same
as the original seized.
▫ Analyze the data without modifying it.
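As an added example (not from the original slides), the authenticate step of the methodology above in Python: the acquired file is read once in binary mode, MD5, SHA-1 and SHA-256 digests are stored together with its size and an acquisition timestamp, and a later verification re-hashes the working copy and reports every digest that no longer matches. The file name evidence.dd, the JSON record layout and the image contents are assumptions made for illustration.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Digests recorded for each item of evidence. MD5 and SHA-1 are still reported
# by many forensic tools; SHA-256 is added because the older two are no longer
# collision-resistant.
HASH_ALGORITHMS = ("md5", "sha1", "sha256")


def hash_bytes(data: bytes, algorithms=HASH_ALGORITHMS) -> dict:
    """Digest an in-memory buffer (small items, self-checks against known answers)."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}


def hash_evidence(path: str, algorithms=HASH_ALGORITHMS, chunk_size: int = 1 << 20) -> dict:
    """Read the evidence file once, feeding every digest in parallel."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def write_custody_record(evidence_path: str, record_path: str) -> dict:
    """Record size, acquisition time and digests of the original at seizure time."""
    record = {
        "evidence": os.path.basename(evidence_path),
        "size_bytes": os.path.getsize(evidence_path),
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "hashes": hash_evidence(evidence_path),
    }
    with open(record_path, "w", encoding="utf-8") as fh:
        json.dump(record, fh, indent=2)
    return record


def verify_evidence(path: str, record: dict):
    """Re-hash a copy and compare it with the record.

    Returns (ok, sorted list of digest names that no longer match).
    """
    current = hash_evidence(path, tuple(record["hashes"]))
    mismatches = sorted(n for n, v in record["hashes"].items() if current[n] != v)
    size_ok = os.path.getsize(path) == record["size_bytes"]
    return (size_ok and not mismatches), mismatches


def demo():
    """Constructed walk-through: acquire, verify, then detect a one-byte modification."""
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "evidence.dd")          # assumed file name
        with open(image, "wb") as fh:
            fh.write(b"CONSTRUCTED DISK IMAGE\x00" * 1000)     # stand-in for an acquired image
        record = write_custody_record(image, os.path.join(workdir, "evidence.json"))
        ok_before, _ = verify_evidence(image, record)
        # An analyst opens the working copy read-write and touches a single byte ...
        with open(image, "r+b") as fh:
            fh.seek(10)
            fh.write(b"X")
        # ... and the authentication step catches it: size unchanged, every digest differs.
        ok_after, mismatches = verify_evidence(image, record)
        return ok_before, ok_after, mismatches


if __name__ == "__main__":
    print(demo())
```

The size check alone would not have noticed the change, which is why the record keeps digests; keeping more than one algorithm lets the record be compared against tools that report only MD5 or only SHA-1.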
5. Types of Computer Forensic
• Disk Forensics: deals with extracting raw data from the primary or
secondary storage of a device by searching active, deleted or modified files.
• Network Forensics: the sub-branch of computer forensics that
involves monitoring and analyzing computer network traffic.
• Database Forensics: deals with the study and examination of databases and
their related metadata.
• Malware Forensics: deals with the identification of suspicious code and
the study of viruses, worms, etc.
• Email Forensics: deals with emails and their recovery and analysis,
including deleted emails, calendars and contacts.
• Memory Forensics: deals with collecting data from system
memory (system registers, cache, RAM) in raw form and then analyzing it for
further investigation.
• Mobile Phone Forensics: deals mainly with the examination and analysis
of phones and smartphones; helps retrieve contacts, call logs, incoming
and outgoing SMS, etc., and other data present on them.
6. Network Forensics
The study of network traffic to search for
truth in civil, criminal, and administrative
matters to protect users and resources from
exploitation, invasion of privacy, and any
other crime fostered by the continual
expansion of network connectivity.
9. Digital Evidence
• Definition
▫ Digital data that can establish that a crime has been
committed or can provide a link between a crime and
its victim or a crime and its perpetrator
▫ Categories
Text
Audio
Image
Video
10. Where Evidence Resides
• Computer systems
▫ Logical file system
File system
Files, directories and folders, FAT, clusters, partitions, sectors
Random access memory (RAM)
Physical storage media
▫ Slack space
space allocated to a file but not actually used due to internal
fragmentation.
▫ Unallocated space
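As an added example (not from the original slides), a small Python model of the slack space and unallocated space named above. It builds a constructed four-cluster image in which an earlier file is deleted and a shorter file is written over the start of it, then carves the new file's slack (allocated to it, never overwritten) and the clusters no file owns. The 512-byte cluster size, the file contents and the assumption that clusters are allocated contiguously are all choices made for illustration.

```python
CLUSTER_SIZE = 512  # constructed image uses small clusters so the layout is easy to follow


def slack_bytes(file_size: int, cluster_size: int = CLUSTER_SIZE) -> int:
    """Bytes allocated to a file but unused in its last cluster (0 if it ends on a boundary)."""
    remainder = file_size % cluster_size
    return 0 if remainder == 0 else cluster_size - remainder


def slack_region(file_size: int, first_cluster: int, cluster_size: int = CLUSTER_SIZE):
    """(offset, length) of the file slack, assuming the file's clusters are contiguous."""
    offset = first_cluster * cluster_size + file_size
    return offset, slack_bytes(file_size, cluster_size)


def carve_slack(image: bytes, file_size: int, first_cluster: int,
                cluster_size: int = CLUSTER_SIZE) -> bytes:
    """Return the bytes sitting in the file's slack."""
    offset, length = slack_region(file_size, first_cluster, cluster_size)
    return image[offset:offset + length]


def carve_unallocated(image: bytes, allocated_clusters, cluster_size: int = CLUSTER_SIZE) -> bytes:
    """Concatenate every cluster not currently owned by a file."""
    owned = set(allocated_clusters)
    total = len(image) // cluster_size
    free = [c for c in range(total) if c not in owned]
    return b"".join(image[c * cluster_size:(c + 1) * cluster_size] for c in free)


def build_image(cluster_size: int = CLUSTER_SIZE):
    """Constructed 4-cluster image.

    Returns (image, new_file_size, new_file_first_cluster, allocated_clusters).
    """
    image = bytearray(4 * cluster_size)
    # 1. An earlier file fills clusters 0-2 with recognisable (constructed) text.
    old = (b"DELETED NOTE: transfer approved by j.doe 2019-03-01 " * 40)[:3 * cluster_size]
    image[:len(old)] = old
    # 2. That file is deleted (directory entry dropped, data left in place) and a
    #    700-byte file is written at cluster 0. It is allocated clusters 0 and 1,
    #    but only bytes 0..699 are overwritten: 700..1023 is its slack, and
    #    clusters 2 and 3 are unallocated.
    new = b"N" * 700
    image[:len(new)] = new
    return bytes(image), len(new), 0, [0, 1]


if __name__ == "__main__":
    img, size, first, allocated = build_image()
    print("slack:", carve_slack(img, size, first)[:60])
    print("unallocated:", carve_unallocated(img, allocated)[:60])
```

Neither region is visible through the logical file system, which is why acquisition works from a physical image of the media rather than from copied files.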
11. Where Evidence Resides (continued)
• Computer networks.
▫ Application Layer
▫ Transport Layer
▫ Network Layer
▫ Data Link Layer
12. Evidence on Application Layer
• Web pages, Online documents.
• E-Mail messages.
• News group archives.
• Archive files.
• Chat room archives.
• …
13. Challenges of Computer Forensics
(continued)
• How to collect the specific, probative, and
case-related information from very large
groups of files?
▫ Link analysis
▫ Visualization
• Enabling techniques for lead discovery from
very large groups of files:
▫ Text mining
▫ Data mining
▫ Intelligent information retrieval
14. Challenges of Computer Forensics
(continued)
• Computer forensics must also adapt quickly to
new products and innovations with valid and
reliable examination and analysis techniques.
15. Understanding Mobile Device
Forensics
• People store a wealth of information on cell phones
▫ People don’t think about securing their cell phones
• Items stored on cell phones:
▫ Incoming, outgoing, and missed calls
▫ Text and Short Message Service (SMS) messages
▫ E-mail
▫ Instant-messaging (IM) logs
▫ Web pages
▫ Pictures
16. Understanding Mobile Device
Forensics (continued)
• Items stored on cell phones: (continued)
▫ Personal calendars
▫ Address books
▫ Music files
▫ Voice recordings
• Investigating cell phones and mobile devices is
one of the most challenging tasks in digital
forensics
17. Inside Mobile Devices
• Mobile devices can range from simple phones to
small computers
▫ Also called smart phones
• Hardware components
▫ Microprocessor, ROM, RAM, a digital signal
processor, a radio module, a microphone and
speaker, hardware interfaces, and an LCD display
• Most basic phones have a proprietary OS
▫ Although smart phones use stripped-down
versions of PC operating systems
18. Inside Mobile Devices (continued)
• Phones store system data in electronically
erasable programmable read-only
memory (EEPROM)
▫ Enables service providers to reprogram phones
without having to physically access memory chips
• OS is stored in ROM
▫ Nonvolatile memory
20. Inside Mobile Devices (continued)
• Subscriber identity module (SIM) cards
▫ Additional SIM card purposes:
Identifies the subscriber to the network
Stores personal information
Stores address books and messages
Stores service-related information
21. Understanding Acquisition Procedures for Cell
Phones and Mobile Devices
• Check these areas in the forensics lab:
▫ Internal memory
▫ SIM card
▫ Removable or external memory cards
▫ System server
• Checking system servers requires a search
warrant or subpoena
• SIM card file system is a hierarchical structure
22.
• MF: root of the file system (Master File)
• DF: directory files (Dedicated Files)
• EF: elementary data files (Elementary Files)
23. Understanding Acquisition Procedures for Cell
Phones and Mobile Devices
• Information that can be retrieved:
▫ Service-related data, such as identifiers for the
SIM card and the subscriber
▫ Call data, such as numbers dialed
▫ Message information
▫ Location information
• If power has been lost, PINs or other access
codes might be required to view files
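As an added example (not from the original slides), decoding one of the service-related identifiers listed above in Python: the subscriber's IMSI as stored in the elementary file EF_IMSI, which sits under the DF for GSM below the MF. The layout (a length byte, then a parity/type nibble, then nibble-swapped BCD digits padded with 0xF) follows 3GPP TS 51.011; the sample bytes are constructed and encode the test-network IMSI 001010123456789. An encoder is included so tool output can be cross-checked against a known value.

```python
# Constructed contents of EF_IMSI (file 6F07, reached via MF 3F00 -> DF_GSM 7F20),
# a 9-byte transparent elementary file laid out as in 3GPP TS 51.011 section 10.3.2.
EF_IMSI_SAMPLE = bytes.fromhex("08 09 10 10 10 32 54 76 98")

IMSI_TYPE_OF_IDENTITY = 0x1  # low three bits of the parity nibble; 001 marks an IMSI


def decode_imsi(ef_imsi: bytes) -> str:
    """Turn the raw EF_IMSI bytes into the decimal IMSI string."""
    if len(ef_imsi) < 2:
        raise ValueError("EF_IMSI too short")
    length = ef_imsi[0]                      # byte 1: number of following bytes in use
    body = ef_imsi[1:1 + length]
    if length < 1 or len(body) != length:
        raise ValueError("EF_IMSI length byte does not match the data")
    parity_nibble = body[0] & 0x0F           # byte 2, low nibble: parity bit + identity type
    if parity_nibble & 0x07 != IMSI_TYPE_OF_IDENTITY:
        raise ValueError("type of identity is not IMSI")
    odd_count = bool(parity_nibble & 0x08)   # bit 4 set => odd number of digits
    nibbles = [body[0] >> 4]                 # byte 2, high nibble: first digit
    for b in body[1:]:                       # remaining bytes: two digits each, low nibble first
        nibbles.append(b & 0x0F)
        nibbles.append(b >> 4)
    while nibbles and nibbles[-1] == 0xF:    # 0xF pads the unused high nibble of the last byte
        nibbles.pop()
    if any(n > 9 for n in nibbles):
        raise ValueError("non-decimal digit in IMSI")
    if (len(nibbles) % 2 == 1) != odd_count:
        raise ValueError("parity bit disagrees with digit count")
    if len(nibbles) > 15:
        raise ValueError("IMSI longer than 15 digits")
    return "".join(str(n) for n in nibbles)


def encode_imsi(imsi: str) -> bytes:
    """Inverse of decode_imsi, for building test records and cross-checking tool output."""
    if not imsi.isdigit() or not 1 <= len(imsi) <= 15:
        raise ValueError("IMSI must be 1-15 decimal digits")
    digits = [int(c) for c in imsi]
    odd = len(digits) % 2 == 1
    parity_nibble = IMSI_TYPE_OF_IDENTITY | (0x8 if odd else 0x0)
    body = bytearray([(digits[0] << 4) | parity_nibble])
    rest = digits[1:] + ([] if odd else [0xF])   # pad to a whole number of bytes
    for lo, hi in zip(rest[0::2], rest[1::2]):
        body.append(lo | (hi << 4))
    return bytes([len(body)]) + bytes(body)


if __name__ == "__main__":
    print(decode_imsi(EF_IMSI_SAMPLE))   # 001010123456789
```

The first three digits of the decoded value are the mobile country code; how many of the following digits form the network code (two or three) is recorded in a separate file, EF_AD, which this example does not parse.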
24. Mobile Forensics Equipment
• Mobile forensics is a new science
• Biggest challenge is dealing with constantly
changing models of cell phones
• When you’re acquiring evidence, generally
you’re performing two tasks:
▫ Acting as though you’re a PC synchronizing with
the device (to download data)
▫ Reading the SIM card
• First step is to identify the mobile device
25. Mobile Forensics Equipment
(continued)
• Make sure you have installed the mobile device
software on your forensic workstation
• Attach the phone to its power supply and
connect the correct cables
• After you’ve connected the device
▫ Start the forensics program and begin
downloading the available information
26. Mobile Forensics Equipment
(continued)
• SIM card readers
▫ A combination hardware/software device used to
access the SIM card
▫ You need to be in a forensics lab equipped with
appropriate antistatic devices
▫ General procedure is as follows:
Remove the back panel of the device
Remove the battery
Under the battery, remove the SIM card from holder
Insert the SIM card into the card reader
27. Mobile Forensics Equipment
(continued)
• SIM card readers (continued)
▫ A variety of SIM card readers are on the market
Some are forensically sound and some are not
▫ Documenting messages that haven’t been read yet
is critical
Use a tool that takes pictures of each screen
28. iPhone Forensics
• MacLockPick II
▫ Uses backup files
▫ It can’t recover deleted files
• MDBackUp Extract
▫ Analyzes the iTunes mobile sync backup directory
29. Mobile Forensics Tools
• Paraben Software Device Seizure Toolbox
▫ Contains cables, SIM card readers, and more
• Data Pilot
▫ Similar to Paraben
• BitPim
▫ Can view data on many phones, but it's not
intended for forensics
• MOBILedit!
▫ Has a write-blocker
30. Mobile Forensics Tools
• SIMCon
▫ Reads files on SIM cards
▫ Recovers deleted text messages
▫ Archives files with MD5 and SHA-1 hashes
• Software tools differ in the items they display
and the level of detail