CEIC 2015 Student Session Series: Mobile Forensics: Challenges in Obtaining, Analyzing and Applying EVIDENCE
Students from Champlain College and the Leahy Center for Digital Investigation (LCDI) attended multiple training sessions while at the Computer Enterprise Investigation Conference (CEIC) 2015. Students Kayla Williford and Mary Reilly present some highlights from the Mobile Forensics: Challenges in Obtaining, Analyzing and Applying Evidence session.
At CEIC 2015, there was a wide array of sessions each attendee could participate in. One that grabbed our interest was Mobile Forensics: Challenges in Obtaining, Analyzing and Applying Evidence. Oleg Davydov, CTO and Founder of Oxygen Forensics, discussed the challenges of analyzing mobile devices in the forensics field. Oxygen Forensics develops various tools to aid in data examination.
There are many mobile device platforms on the market today, including iOS, Android, BlackBerry, and Windows. With the wide variety of makes and models, mobile devices are not created equal. Each holds unique features that provide the user with a different experience; however, for forensic examiners, these features can make investigations increasingly complex. There are three major hurdles when working with mobile devices: data acquisition, the search for relevant and/or deleted data, and the analysis of that extracted data.
One major challenge with mobile device forensics is getting into the acquired mobile device. In some cases, before an investigator can acquire evidence, the device in question needs to be unlocked. Many users have their devices locked, or even encrypted, which provides more security but makes it difficult for examiners to obtain access to the device’s data. If you are unable to get the password or PIN from the device’s user, there are other places to look for it. If the device in question is an Apple device that has been synced to a computer, an examiner may be able to find the PIN in a file backed up to that machine entitled “lockdown.plist.” Computer and cloud backups are a potentially valuable source for recovering passcodes. Other device operating systems may have vulnerabilities that allow screen locking to be bypassed, as was the case in a Chinese implementation of Android. Finally, there are physical tools that will automatically brute-force a phone’s passcode, such as the MFC Unlock Tool and the IP Box, a tool we have previously used at the LCDI.
Assuming you can gain access to a device, your options for data acquisition are manifold and situationally determined. You could perform a live device acquisition or create a forensic image with a tool like Cellebrite. There’s also the option to examine backups of the device in question in the cloud or on a computer. For the especially bold, you could even attempt chip-off forensics.
Encryption is a major challenge to contend with in mobile forensics. You may encounter not only encrypted memory dumps, but also encrypted backups and app-specific encrypted databases. In many cases, use of account credentials may be the only way to decrypt this storage. Ideally, you would be able to acquire the credentials from the user, but if not, you may be fortunate enough to recover passwords from other memory or from a keychain file.
Should you be able to acquire all of the data you were seeking, the biggest difficulty then becomes contending with the sheer volume of information you now have. Much of it may be redundant, and certainly plenty of it will be outside the scope of your examination. There is no simple solution to this; it is a struggle universal to digital forensics. However, there are a number of tools available specifically for mobile device forensics that may be helpful in dealing with the bulk of data you have, reducing it to relevant information, and analyzing it efficiently. The presenter focused on analysis tools produced by Oxygen Forensics, but the approach to this issue depends on the situation and the preferences of the investigator. These are just some of the highlights discussed. Davydov went into depth on other points that are outside the scope of this blog post. This was a great, informative session from Guidance Software!