FOUNDATIONAL FORENSIC TECHNIQUES FOR MOBILE DEVICES AND USE OF AVAILABLE TOOLS TO RECOVER DATA USING DIFFERENT APPROACHES.
Objectives of the research (What you want to investigate)
The overall goal of this study is to examine mobile devices using different tools such as Susteen DataPilot Secure View, Paraben Device Seizure, MOBILedit and Oxygen Phone Manager, and to determine whether they create and preserve a forensically sound case file. In the second part I discuss the different operating systems used in mobile devices today, such as iOS for the iPhone, RIM for BlackBerry, Symbian for mostly Nokia handsets, and the Android OS for various smartphones. For normal communication between a mobile device and a PC, every OS has its own PC suite, but from a forensic point of view there are special tools, some of which are paid and some of which are free and open source. In my research I prefer to use these free open-source tools. Another technique used when recovering data from a device is hashing. The hash values of a mobile device's internal memory vary when back-to-back acquisitions are performed. Hash values are beneficial in providing examiners with the ability to filter known data files, match data objects across platforms and prove that data integrity remains intact. Research conducted at Purdue University compared known hash values with reported values for data objects populated onto mobile devices using various data transmission methods. While the results for the majority of tests were uniform, the hash values reported for data objects transferred via Multimedia Messaging Service (MMS) were variable. Cell phones and other handheld devices integrating cell phone abilities (e.g., Personal Digital Assistant (PDA) phones) are universal. Rather than just making calls, some phones permit users to perform extra tasks such as Multimedia Messaging Service (MMS) messaging, SMS (Short Message Service) messaging, IM (Instant Messaging), Web browsing, electronic mail, and simple PIM (Personal Information Management) applications (e.g., phone and date book).
PDA phones, frequently referred to as smartphones, offer users the joint capabilities of both a cell phone and a PDA. In addition to system services and basic PIM applications, one can manage more extensive appointment and contact information, review electronic documents, give a presentation, and perform other tasks. All but the most basic phones provide individuals with some ability to load additional applications, store and process personal and sensitive information independently of a desktop or notebook computer, and optionally synchronize the results at some later time. As digital technology evolves, the capabilities of these devices continue to improve rapidly. When cell phones or other cellular devices are involved in a crime or other incident, forensic examiners require tools that allow the proper retrieval and speedy examination of information present on the device. This report gives an overview of current forensic software designed for the acquisition, examination, and reporting of data discovered on cellular handheld devices, and an understanding of its capabilities and limitations. As technology continues to permeate society and mobile computing becomes more prevalent, people will depend more heavily on applications such as e-mail, SMS (Short Message Service), MMS (Multimedia Messaging Service) and online transactions (i.e. bank, ins, etc.); such devices provide a good source of evidence for forensic investigators to prove or disprove the commission of crimes or the location of suspects/victims. Digital forensics for handheld devices is only now beginning. Unlike traditional computers, two important factors that must be accounted for in a forensic investigation are the state of the device at the time of acquisition and radio isolation.
Traditional digital forensics with personal computers allows an investigator to perform a dead forensic data acquisition simply by disconnecting the power source to preserve the current state of the computer. That option is not available in mobile forensics, for fear of loss of evidence or of security mechanisms, such as device locks or passwords, being activated. The fact that various operating systems are used on different mobile devices in current markets makes the development of digital forensics tools for mobile devices more complicated. This research is proposed to survey available digital forensics tools for capturing e-evidence from mobile devices and to meet the demand for e-evidence in current and future crimes. This research focuses on practical investigations of digital forensics tools that will help investigators or students obtain first-hand experience in digital forensics for mobile devices. Investigators should be able to perform their job better informed as a result of this case study.
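The hashing workflow described above, as an added Python example that is not part of the original report or of any of the tools it names: it hashes every data object from two constructed back-to-back acquisitions of a hypothetical handset, filters out objects whose hash is already in a known-file set, and flags objects whose hash changed between runs (here an MMS object, mirroring the variability the Purdue results reported). The device paths, object contents and known-hash set are constructed sample data, not taken from any real device.

```python
import hashlib
from typing import Dict, Set

# Constructed sample data: two back-to-back logical acquisitions of the same
# hypothetical handset, keyed by each object's path on the device. The MMS
# object differs between the two runs to illustrate the variability the text
# describes; the other objects are byte-identical.
FIRST_ACQUISITION: Dict[str, bytes] = {
    "system/media/audio/ringtone.ogg": b"OggS stock ringtone bytes",
    "data/sms/inbox/0001.txt": b"From:+15550100\r\nBody:meet at 9\r\n",
    "data/mms/inbox/0001.mms": b"X-Mms-Transaction-ID: 1\r\nDate: 1700000000\r\n<payload>",
}
SECOND_ACQUISITION: Dict[str, bytes] = {
    "system/media/audio/ringtone.ogg": b"OggS stock ringtone bytes",
    "data/sms/inbox/0001.txt": b"From:+15550100\r\nBody:meet at 9\r\n",
    "data/mms/inbox/0001.mms": b"X-Mms-Transaction-ID: 1\r\nDate: 1700000042\r\n<payload>",
}


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of one data object as a lowercase hex string."""
    return hashlib.sha256(data).hexdigest()


# Constructed "known file" reference set: hashes of stock operating-system
# files the examiner wants to filter out of manual review.
KNOWN_HASHES: Set[str] = {sha256_hex(b"OggS stock ringtone bytes")}


def hash_objects(objects: Dict[str, bytes]) -> Dict[str, str]:
    """Hash every object of one acquisition; this record is kept with the case file."""
    return {path: sha256_hex(data) for path, data in objects.items()}


def compare_acquisitions(first: Dict[str, str], second: Dict[str, str]) -> Dict[str, Set[str]]:
    """Classify objects by whether their hash is stable across two acquisitions."""
    common = set(first) & set(second)
    return {
        "stable": {p for p in common if first[p] == second[p]},
        "changed": {p for p in common if first[p] != second[p]},
        "only_in_first": set(first) - set(second),
        "only_in_second": set(second) - set(first),
    }


def triage(first_objects: Dict[str, bytes], second_objects: Dict[str, bytes],
           known: Set[str]) -> Dict[str, Set[str]]:
    """Bucket objects into: known (filtered), changed (integrity not provable
    across runs), missing (present in only one run) and review (stable, unknown)."""
    first_hashes = hash_objects(first_objects)
    second_hashes = hash_objects(second_objects)
    diff = compare_acquisitions(first_hashes, second_hashes)
    known_paths = {p for p, h in first_hashes.items() if h in known}
    return {
        "known": known_paths,
        "changed": diff["changed"],
        "missing": diff["only_in_first"] | diff["only_in_second"],
        "review": diff["stable"] - known_paths,
    }


def run_example() -> Dict[str, Set[str]]:
    """Run the triage over the constructed acquisitions and return the report."""
    return triage(FIRST_ACQUISITION, SECOND_ACQUISITION, KNOWN_HASHES)


if __name__ == "__main__":
    for bucket, paths in run_example().items():
        print(f"{bucket}: {sorted(paths)}")
```

An object that lands in the "changed" bucket is not necessarily tampered with; as the text notes, MMS objects in particular can be re-encoded by the handset between acquisitions. The point of recording the per-object hashes at acquisition time is that the examiner can show exactly which objects stayed intact and which need a documented explanation.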
Research Plan (Method to be used in investigation)
The purpose of this report is to inform law enforcement, incident response team members, and forensic examiners about the capabilities of present-day forensic software tools that have the ability to acquire information from cell phones operating over CDMA (Code Division Multiple Access), TDMA (Time Division Multiple Access) and GSM (Global System for Mobile communications) networks and running various operating systems, including Symbian, Research in Motion (RIM), Android, iOS and Windows Phone. My main focus will be Android phones. Android is a set of open-source software elements specifically designed for mobile devices (MDs) and developed by Google; it includes the Operating System (OS), a middleware layer and a set of applications. Although it has been designed and developed for MDs (e.g., smartphones), several laptop manufacturers plan to equip their products with Android. At the time of writing, less than 2% of smartphones (Gartner Mobile OS Share Forecast, 2009) run Android, and Gartner Inc. forecasts a 15% market share in 2012; in that case, Android will be the second OS, behind Symbian, in terms of smartphone market penetration. Furthermore, if Android is hosted on laptops, the integration of smartphones and portable computers could be boosted, with natural side effects on the market. An overview of each tool describes the functional range and facilities for acquiring and analyzing evidence contained on cell phones and PDA phones. Generic scenarios were devised to mirror situations that arise during a forensic examination of these devices and their associated media. The scenarios are structured to reveal how selected tools react under various situations. Though generic scenarios were used in analyzing forensic tools, the procedures are not intended to serve as a formal product test or as a comprehensive evaluation.
Additionally, no claims are made on the comparative benefits of one tool versus another. The report instead offers a broad and probing perspective on the state of the art of present-day forensic software tools for cell phones and PDA phones. Alternatives to using a forensic software tool for digital evidence recovery, such as desoldering and removing memory from a device to read out its contents or using a built-in hardware test interface to access memory, are outside the scope of this report. The variety of forensic toolkits for cell phones and other handheld devices is diverse. A considerable number of software tools and toolkits exist, but the range of devices over which they operate is typically narrowed to distinct platforms for a manufacturer's product line, a family of operating systems, or a type of hardware architecture. Moreover, the tools require that the examiner have full access to the device (i.e., the device is not protected by some authentication mechanism, or the examiner can satisfy any authentication mechanism encountered). While most toolkits support a full range of acquisition, examination, and reporting functions, some tools focus on a subset. Similarly, different tools may be capable of using different interfaces (e.g., IrDA, Bluetooth, or serial cable) to acquire device contents. The types of information that a tool can acquire can range widely and include PIM (Personal Information Management) data (e.g., phone book); logs of phone calls; SMS/EMS/MMS messages, email, and IM content; URLs and content of visited Web sites; audio, video, and image content; SIM content; and uninterrupted image data. Information present on a cell phone can vary depending on several factors, including the following:
Acquisition through a cable interface generally yields superior acquisition results compared to other device interfaces. However, a wireless interface such as infrared or Bluetooth can serve as a reasonable alternative when the correct cable is not readily available. Regardless of the interface used, one must be vigilant about any associated forensic issues. Note too that the ability to acquire the contents of a resident SIM may not be supported by some tools, particularly those strongly oriented toward PDAs. Table 1 lists open-source and commercially available tools and the facilities they provide for certain types of cell phones.