Introduction
This project will focus on the various features and forensic value of Mobile Device Managers (MDM). These are applications that companies commonly use to monitor and control multiple devices, and they are increasingly popular both for company-provided devices and for bring-your-own-device (BYOD) programs.
After completing research on multiple MDMs, the Mobile Device Management team began assessing three main MDMs: MobileIron, Samsung Knox and IBM MaaS360. Our goal was to determine whether or not a forensic investigator could use an MDM to recover any forensic artifacts without having the physical device. In order to accomplish this task, each team member deployed an MDM and gave it an acquired mobile device to manage. I chose to research IBM’s MDM, MaaS360, and set it up with a Nexus 5. Once we had our MDMs running, we generated data on the mobile devices and used the MDMs’ cloud portals to view the information that was stored there.
Analysis
During the last few weeks, the Mobile Device Management group has focused on generating data on our mobile devices and using Cellebrite to perform a physical extraction to see if any forensic artifacts are left behind by our MDMs. It turned out that there were no useful forensic artifacts left behind on the devices, so we decided to focus our efforts on the capabilities of the MDMs. Our new goal became to determine if forensic investigators could use the features of the MDMs to aid a digital investigation.
MaaS360 has the ability to easily locate any devices added from the cloud portal’s quick start menu. The user simply needs to choose the device they wish to locate and click the “Locate” option. This will bring up an image of a map with the device’s location pinpointed, along with an exact address. These addresses are then stored in a database. [Figure 1]
Figure 1 – Location Details
MaaS360 also has the ability to lock a device, change its passcodes or wipe it entirely. A forensic examiner could use these features if a device has been stolen and they want to protect the data on the device from being tampered with or exposed. If the investigator wanted to delve in even deeper, they could change the security policy on a specific device. Editing or creating a policy offers the user a lot of advanced options. From here, a digital investigator could prevent the device from being factory reset and stop the installation of any new apps or widgets to protect the integrity of the device. [Figures 2 & 3]
Figure 2 – Policies Setup
Figure 3 – Wiping a Device
A forensic examiner could use MaaS360 to view the network information of a device and see what networks the device has been connected to, in case they are trying to locate it or discover where it has been. They could also stop the device from connecting out to the Internet. In the policy settings, there is a field labeled “Network Restrictions” that allows the examiner to restrict the device so it can only dial out for emergency calls, disable SMS and MMS, and keep the user from adding any new Wi-Fi networks. In the “Wi-Fi” settings you can also set up a specific Wi-Fi profile for the phone and stop the user from being able to change the Wi-Fi settings. Finally, the investigator could disallow the data network, which would keep the device from connecting out altogether. All of these options would be useful if they want to keep the device secure. [Figures 4 & 5]
Figure 4 – Setting up Wi-Fi Profile
Figure 5 – Setting up Network Settings
MaaS360 also gives you the option to see a list of all the apps that are installed on the phone, along with detailed information such as the version, application size, data size, whether or not it is managed, the application type, and the application install location. There is also an App ID associated with each app, which would allow a forensic examiner to find where the app’s data is located on the device if they wanted to review that data in SQL. There is also an option to remove apps if they were not already preinstalled on the device. A forensic examiner could see if any new apps were installed on a device, and get a list of the running services if they are trying to understand what the device is being used for. [Figure 6]
Figure 6 – Installed Applications
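The App ID that MaaS360 shows for each app is the Android package name, and Android keeps an app’s private data (including its SQLite databases) under a directory named after that package. The script below, an added example written for this post rather than anything from MaaS360 or the original write-up, shows how an examiner could use an app inventory to go straight from App IDs to the databases in a file-system extraction and list their tables. The inventory rows, the column names, and the sample extraction it builds in a temporary directory are all constructed for the demonstration.

```python
"""Added example: map MDM app-inventory entries (App IDs) to the Android app
data directories an examiner would inspect, and enumerate the SQLite
databases and their tables.  Illustrative code written for this post, not
part of MaaS360; the inventory rows are constructed sample data whose
column names are assumed from the fields the post lists."""
import os
import sqlite3
import tempfile

# Constructed sample rows mirroring the columns the post describes; the
# column names and values are assumptions, not a MaaS360 export.
SAMPLE_INVENTORY = [
    {"name": "Chrome", "app_id": "com.android.chrome", "version": "42.0",
     "managed": False, "install_location": "system"},
    {"name": "Sample Notes", "app_id": "com.example.notes", "version": "1.2",
     "managed": True, "install_location": "internal"},
]


def app_data_dir(extraction_root, app_id):
    """Android stores an app's private data under /data/data/<package>/ for
    the primary user; the MDM's App ID is the package name, so it names
    that directory inside the extraction."""
    return os.path.join(extraction_root, "data", "data", app_id)


def list_databases(extraction_root, app_id):
    """Return {db_path: [table names]} for SQLite files in the app's
    databases/ directory (empty dict if the app has none)."""
    db_dir = os.path.join(app_data_dir(extraction_root, app_id), "databases")
    found = {}
    if not os.path.isdir(db_dir):
        return found
    for fname in sorted(os.listdir(db_dir)):
        path = os.path.join(db_dir, fname)
        with open(path, "rb") as fh:
            # Skip -journal / -wal / -shm companions and anything else that
            # does not carry the SQLite 3 file header.
            if fh.read(16) != b"SQLite format 3\x00":
                continue
        # Open read-only through a URI so the evidence file is never written to.
        con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
        try:
            rows = con.execute(
                "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name"
            ).fetchall()
        finally:
            con.close()
        found[path] = [r[0] for r in rows]
    return found


def review_inventory(extraction_root, inventory):
    """Summarise each inventoried app: whether it is MDM-managed, where its
    data should live, and which SQLite tables are available for review."""
    report = {}
    for row in inventory:
        report[row["app_id"]] = {
            "managed": row["managed"],
            "data_dir": app_data_dir(extraction_root, row["app_id"]),
            "databases": list_databases(extraction_root, row["app_id"]),
        }
    return report


def build_sample_extraction():
    """Create a throwaway directory that imitates a file-system extraction
    with one app database (constructed data, for demonstration only)."""
    root = tempfile.mkdtemp(prefix="mdm_demo_")
    db_dir = os.path.join(root, "data", "data", "com.example.notes", "databases")
    os.makedirs(db_dir)
    con = sqlite3.connect(os.path.join(db_dir, "notes.db"))
    con.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT, created INTEGER)")
    con.execute("INSERT INTO notes (body, created) VALUES ('sample note', 1700000000)")
    con.commit()
    con.close()
    # An empty journal file: present in real extractions and must be skipped.
    open(os.path.join(db_dir, "notes.db-journal"), "wb").close()
    return root


if __name__ == "__main__":
    root = build_sample_extraction()
    for app_id, info in review_inventory(root, SAMPLE_INVENTORY).items():
        print(app_id, "managed" if info["managed"] else "unmanaged", "->", info["data_dir"])
        for db, tables in info["databases"].items():
            print("   ", os.path.basename(db), tables)
```

Opening the databases with `mode=ro` matters in practice: a normal `sqlite3.connect` on a copied evidence file can create or modify journal files and change hashes, so the read-only URI form keeps the review non-destructive.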
Finally, MaaS360 can be used to view the browsing history of the device. The browsing history data shows the domain, URL category, number of visits to the site, the user name used, and when the first and last visits were. This information would be important if an investigator needed to discover what the device might be used for, or to know if the owner is looking at any suspicious websites. [Figure 7]
Figure 7 – Browser History
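Because the portal summarises history per domain with a first and last visit rather than listing individual page loads, the useful examiner questions are aggregate ones: how much activity fell into each URL category, and which domains were active during, or first appeared after, a particular window (for example, after a device was reported stolen). The code below is an added example written for this post; the CSV layout and the sample rows are constructed assumptions and not a MaaS360 export format.

```python
"""Added example: summarise per-domain browser-history rows of the shape
the post describes (domain, URL category, visit count, user name, first
and last visit).  Written for this post; the CSV header names and the
sample rows are constructed assumptions, not a MaaS360 export."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample export; the header names are assumed, not MaaS360's.
SAMPLE_CSV = """domain,category,visits,user,first_visit,last_visit
news.example.com,News,42,jdoe,2015-02-01T08:15:00Z,2015-03-20T17:40:00Z
mail.example.org,Webmail,310,jdoe,2015-01-10T09:00:00Z,2015-03-21T18:05:00Z
files.example.net,File Sharing,7,jdoe,2015-03-18T23:10:00Z,2015-03-19T01:30:00Z
"""


def _ts(text):
    """Parse the export's UTC timestamps into aware datetimes so that
    comparisons with investigator-supplied windows are unambiguous."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_history(csv_text):
    """Turn the CSV text into typed records (ints and datetimes, not strings)."""
    rows = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        rows.append({
            "domain": r["domain"],
            "category": r["category"],
            "visits": int(r["visits"]),
            "user": r["user"],
            "first_visit": _ts(r["first_visit"]),
            "last_visit": _ts(r["last_visit"]),
        })
    return rows


def visits_by_category(rows):
    """Total visit counts per URL category, a quick picture of device usage."""
    totals = defaultdict(int)
    for r in rows:
        totals[r["category"]] += r["visits"]
    return dict(totals)


def domains_active_in(rows, start, end):
    """Domains whose [first_visit, last_visit] span overlaps the window.
    Because the export is per-domain, a domain visited once on each side
    of the window is still reported: the summary cannot prove activity
    inside the window, only that it is possible."""
    return sorted(r["domain"] for r in rows
                  if r["first_visit"] <= end and r["last_visit"] >= start)


def new_domains_since(rows, since):
    """Domains first seen on or after `since`, e.g. after a device was
    reported stolen or an incident window opened."""
    return sorted(r["domain"] for r in rows if r["first_visit"] >= since)


if __name__ == "__main__":
    history = parse_history(SAMPLE_CSV)
    print(visits_by_category(history))
    print(new_domains_since(history, _ts("2015-03-01T00:00:00Z")))
```

The caveat in `domains_active_in` is the one worth remembering when relying on MDM summaries: a per-domain first/last pair bounds when the visits could have happened but does not place any single visit at a specific time, so a timeline built from it should be corroborated against the device’s own browser database where that is available.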
Conclusion
The Mobile Device Management team was not able to use an MDM to recover forensic artifacts from the physical device, but we managed to discover important capabilities the MDMs had that could aid a digital investigation. For MaaS360, I found that the password settings, application information, location information, and network settings would be the most useful aspects of my MDM for a digital investigator. All of these could be used to give an examiner a better idea of what is happening with the device, or to keep the data on the device secure, by locking the phone for example. The location data is especially useful for tracking down a stolen device, and with it the suspect. Our team found that the three MDMs have similar capabilities, with a few differences here and there, but they could all be used for forensic purposes.
Questions or comments? Please share with us in the comment section below! You can also reach out to our Twitter and Facebook or email us at champforensics@gmail.com.