Intro To Samsung Knox
For this project, we decided to look into mobile device managers (MDMs). These are applications that companies can utilize in order to monitor company-issued mobile devices or manage ‘bring your own device’ (BYOD) programs. As a group we researched various MDMs and respectively chose particular managers we wanted to research. This blog post will be focusing on the Samsung Knox application.
Analysis
After setting up the Knox web portal and enrolling a rooted Galaxy S3 into the MDM, I began exploring its various functions and chose to focus on five that have the most potential to be useful in a forensic investigation.
Samsung Knox is great at parsing data and displaying basic information in a quick and easily accessible manner. Below we can see that general device information such as battery level, device name and model of phone are all displayed in the same area. This makes it easy to keep track of what devices the company has in its organization as well as provide an investigator with basic information about the device they might be working with.
Figure 1 – General Phone Information
Samsung Knox allows administrators to monitor network traffic on the mobile devices enrolled into the program. Along with viewing how much data is being sent and received (Figure 2), the company can also set network settings such as requiring the use of a VPN or restricting the device to certain Wi-Fi networks (Figure 3). These features, amongst others, allow the company (and, by proxy, digital forensic investigators) to monitor traffic and determine whether the user is accessing restricted content or settings.
Figure 2 – Network Byte information
Figure 3 – Network Settings
Companies and investigators can also use the Log Call Information policy (Figure 4) to help determine if the user is making unauthorized calls. Investigators could also use this as a timeline-correlation utility. Because the test phone had no SIM card, we were unable to show actual information for this section; however, it is still an important feature and was included nonetheless.
Figure 4 – Log Call Information
The most useful feature within Samsung Knox is the ability to monitor device activity. If the user downloads any applications (such as in the example below) or makes changes to the device, the company or investigator will be able to see that activity, allowing them to build a timeline of user activity.
Figure 5 – Device Activity
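The timeline-correlation idea behind the call-log and device-activity features above is easy to show in code. The script below is an added example and is not part of the original post or of Samsung Knox; the two CSV layouts (column names, event names, and every record) are constructed for illustration, since a real console export will have its own format and the parsers are what you would adapt. It normalises both sources to UTC, merges them into one chronological timeline, and lists the events from other sources that fall within a chosen window of an anchor event, which is how an investigator would tie an MDM-recorded app install to a call or other artefact.

```python
"""Merge MDM device-activity and call-log exports into one forensic timeline.

Added example, not Knox's own export format: the CSV layouts below are
constructed for illustration. Adapt the two parsers to the real export.
"""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample export of the MDM "device activity" view (hypothetical columns).
MDM_ACTIVITY_CSV = """timestamp,device,event,detail
2014-03-10T14:02:11Z,Galaxy S3,APP_INSTALLED,com.example.filesharer
2014-03-10T14:05:40Z,Galaxy S3,POLICY_CHANGED,wifi_whitelist removed
2014-03-10T15:30:02Z,Galaxy S3,APP_INSTALLED,com.example.notes
"""

# Constructed sample export of the MDM call-log policy (hypothetical columns).
# Timestamps are local time with an explicit offset, to show the normalisation step.
CALL_LOG_CSV = """local_time,tz_offset,direction,number,duration_s
2014-03-10 10:03:55,-04:00,OUTGOING,+15555550100,95
2014-03-10 11:45:00,-04:00,INCOMING,+15555550199,12
"""


@dataclass(frozen=True)
class Event:
    when: datetime   # always timezone-aware UTC
    source: str      # which export the record came from
    summary: str


def parse_mdm_activity(text):
    """Device-activity rows: ISO-8601 UTC timestamps ending in 'Z'."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        when = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        when = when.replace(tzinfo=timezone.utc)
        events.append(Event(when, "mdm-activity", f'{row["event"]}: {row["detail"]}'))
    return events


def parse_call_log(text):
    """Call-log rows: local time plus offset, converted to UTC so sources line up."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        local = datetime.strptime(
            f'{row["local_time"]} {row["tz_offset"]}', "%Y-%m-%d %H:%M:%S %z"
        )
        when = local.astimezone(timezone.utc)
        summary = f'{row["direction"]} call {row["number"]} ({row["duration_s"]}s)'
        events.append(Event(when, "mdm-calllog", summary))
    return events


def build_timeline(*sources):
    """Chronological merge of every event list (stable sort keeps input order on ties)."""
    return sorted((e for src in sources for e in src), key=lambda e: e.when)


def events_near(timeline, anchor, window=timedelta(minutes=10)):
    """Events from *other* sources within +/- window of the anchor event.

    Same-source events are excluded because the point is cross-source correlation.
    """
    return [
        e for e in timeline
        if e.source != anchor.source and abs(e.when - anchor.when) <= window
    ]


def main():
    timeline = build_timeline(parse_mdm_activity(MDM_ACTIVITY_CSV),
                              parse_call_log(CALL_LOG_CSV))
    for e in timeline:
        print(e.when.isoformat(), e.source, e.summary)
    install = timeline[0]
    nearby = [e.summary for e in events_near(timeline, install)]
    print("Within 10 min of", install.summary, "->", nearby)


if __name__ == "__main__":
    main()
```

The normalisation step matters more than it looks: MDM consoles typically store server-side UTC while device-side logs carry local time, and a timeline built without reconciling the two will misorder events by exactly the offset.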
Conclusion
We were ultimately unable to demonstrate that this MDM would prove useful as a forensic tool. That being said, if a company is using an MDM and an investigator is working a case where an employee has an MDM on their phone, the information an investigator could get from the MDM would be helpful in correlating timeline evidence. This pattern remained true across the other MDMs we tested.
Questions or comments? Please share with us in the comment section below! You can also reach out to our Twitter and Facebook or email us at champforensics@gmail.com.