Introduction to Mobile Forensics
Dr. Darren Hayes, Pace University
Source: csis.pace.edu/~lchen/pcap13/mobile_forensics_pcap.pdf

Definition

• Computer Forensics is the scientific practice of using digital data in an investigation

• Mobile Forensics is the scientific practice of using digital data, created by a mobile device, in an investigation

What is the Goal?

• To Prove

• Control

• Ownership

• Intent

Popular Myths

• Computer Forensics is a Part of Security

• Computer Forensics is the Examination of Computers

• Computer Forensics is used to Solve Computer Crimes

• Computer Forensics is about Recovering Deleted Files

Scope of Mobile Forensics

Importance

• Always On

• Personal

• Voice & Data

• Multimedia

• Internet

• Tracking

• GPS

What’s Different?

• Communication through Embedded Chip

• Different File System

• Different Information

• Call Logs

• Text Messages

• Active Memory Storage

• Smaller Onboard Capacity

• Locational Data

History

• 1875 – Alexander Graham Bell Transmits Sounds

• 1876 – “Mr. Watson, come here! I want to see you!”

• 1885 – AT&T Founded

• 1919 – First Rotary Telephone

• 1946 – Area Codes Established

• 1961 – Touch Tone Released to the Public

• 1963 – Push-button Telephone

History

• 1973 – First Handheld Cellphone Call

• 1982 – Caller ID

• 1984 – New AT&T Formed

• 1991 – GSM Created

History

• Radio Common Carrier

• 1960s – 1980s

• Dr. Martin Cooper, Motorola, 1973

• 2.2 lbs Phone – First Handheld Mobile

• Wall Street (1987)

History

• 1983 – DynaTAC Cellphone Released by Motorola

• 1 lb

• 9.5 Inches Tall

• 10 Hours to Charge

• 60 Mins. Talk Time

• $3,995

History

• Push-to-talk (1993)

• Motorola StarTAC (1996)

• RIM BlackBerry (1999)

• Two-way Pager

• Motorola RAZR (2003)

History – Mobile Forensics

• Hardware – Cellebrite Universal Memory Exchanger (UME)

• Wireless Retailers

• Software – Personal Investigations

• Cheating Spouses

Statistics (Source: CTIA)

1995

• Subscribers: 28.1 million

• Call Minutes: 31.5 billion

2011

• Subscribers: 327.6 million

• Call Minutes: 2.2 trillion (6 billion Call Mins. per Day)

• Text Msgs: 5.7 billion per Day

• Cell Towers: 250,000

• 29.7% of Households are Wireless Only

Case Studies

iPhone

• Higinio O. Ochoa

• Aged 30

• Linux Administrator

• Accused of Being a Part of CabinCr3w

• Arrested by FBI

• EXIF Data from iPhone

• Melbourne, Australia

• Led Investigators to Ochoa’s Facebook Page

Michael Jackson Murder Investigation

Conrad Murray Trial

• Conrad Murray Recorded Jackson’s Last Words on iPhone

• Judge Ruled that 4-Minute Audio File Was Admissible

Stolen iPhone


• April 2012 – iPhone Stolen on Disney Wonder Cruise

• Victim – Katy McCaffrey

• Photos Automatically Uploaded to iCloud Photo Stream Account

• Photos of “Nelson” & Co-workers Uploaded to McCaffrey’s Facebook & Sent to Disney

Times Square Shooting


• August 18, 2012 – Knife-wielding Man Runs through Times Square

• NYPD Runs after Suspect: Darrius Kennedy, 51

• Bystanders Run Alongside Police with Cellphone Cameras Recording Action

• Suspect Shot Dead by Police

• Videos Uploaded to YouTube, Facebook, News Networks

• Smartphones Seized by Police

Smartphone Intelligence

• Precrime creeps closer to reality, with predictive smartphone location tracking

• http://www.extremetech.com/computing/134422-precrime-creeps-closer-to-reality-with-predictive-smartphone-location-tracking

• Localscope App

• http://www.cynapse.com/localscope

Law Enforcement Assistance

• Brooklyn Quality of Life App

• http://www.cbsnews.com/8301-504083_162-57492217-504083/new-smartphone-application-allows-people-to-report-crimes-to-authorities/

• FBI Child ID App

• http://www.fbi.gov/news/news_blog/the-child-id-app-on-android

Forensics on Your Smartphone

• Forensic Computer Examiner Quick Reference Guide App

• International Association of Computer Investigative Specialists (IACIS)

Cellular Network

• Cellular Network – Group of Cells

• Cell – Geographic Area

• Cell Site – Tower or Antenna

Cell Sites

• Cell Tower

• Radio Mast

• Often has 3 Sectors

• 200 Feet High

• Often Used by Multiple Carriers

• Transmits/Receives Radio Signals

• Encrypts/Decrypts Traffic

[Figure: cell site antenna panel, with Receiver, Transmitter and Receiver elements labelled]

Mobile Station

• Mobile Equipment (Handset)

• Subscriber Identity Module (SIM)

• GSM Networks

• IMEI Identifies Mobile Equipment on GSM Cellular Network

Practical – Locate IMEI

• Power On Cellphone

• On Keypad, Type *#06#

Practical

• Open Browser

• URL: www.antennasearch.com

• Type: 1600 Pennsylvania Ave NW

• Type: Washington, DC

• Type: 20006

Cell Site Analysis (CSA)

• Call & Mapping Analysis

• http://www.cellanalyst.com/

• Using Cell Site Analysis Evidence in Criminal Trials

• http://www.justice.gov/usao/eousa/foia_reading_room/usab5906.pdf

• Request Data in Parsed Excel Format

• Request Keys to Tower Codes

• Free Mapping

• http://batchgeo.com/

Carrier Evidence

• Subscriber Records

• Call Detail Records (CDR)

• Phone Numbers Called/Received

• Duration

• Dates

• Times

• Cell Sites

• Quadrant

Mobile Station (GSM)

• Mobile Equipment (Handset)

• Subscriber Identity Module (SIM)

• International Mobile Equipment Identity (IMEI)

• Analysis of IMEI: www.numberingplans.com & trackimei.com

• Dial *#06# on Cellphone

• Type Allocation Code (TAC) – Initial 6 to 8 Digits of IMEI

• http://www.nobbi.com/tacquery.php

Mobile Station (CDMA)

• Mobile Equipment (Handset)

• Electronic Serial Number (ESN)

• 2005: Mobile Equipment Identifier (MEID)

• www.meidconverter.com

• Subsidy Lock (SPC) – Confines User to One Network

Mobile Station

• Mobile Equipment (ME)

• FCC-ID

• Federal Communication Commission (FCC)

• http://transition.fcc.gov/oet/ea/fccid/

• www.phonescoop.com

• www.gsmarena.com

GSM

• SIM Card

• Identifies Subscriber on a Network

• Contains IMSI

SIM

• GSM & iDEN (Motorola)

• Swapped Out with Unlocked Phones

• International Mobile Subscriber Identity (IMSI)

• Mobile Country Code (MCC)

• First 3 Digits of IMSI

• Mobile Network Code (MNC)

• Next 2 to 3 Digits

• Mobile Subscriber Identity Number (MSIN)

• Last 10 Digits

SIM

• Integrated Circuit Card ID (ICCID)

• 19 to 20 Digits

• Printed on SIM

• Major Industry Identifier (MII)

• First 2 Digits

• www.numberingplans.com
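The identifier layouts the deck walks through (IMEI with its leading TAC, IMSI split into MCC/MNC/MSIN, ICCID with its MII) are easy to misread by hand, so here is an added Python decoder that is not part of the original slides. It applies the Luhn check that IMEI and ICCID carry as their final digit, assumes a 3-digit MNC for North American MCCs (3xx) and 2 digits elsewhere (a heuristic a real tool replaces with an MCC/MNC allocation table), and all sample identifiers are constructed.

```python
"""Decoders for IMEI, IMSI and ICCID fields. Added example, not from the deck."""
import re


def luhn_valid(digits: str) -> bool:
    """Luhn check used by IMEI and ICCID: from the right, double every second
    digit (subtract 9 if the result exceeds 9); the sum must be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def parse_imei(imei: str) -> dict:
    """15-digit IMEI: 8-digit TAC (older devices: 6-digit TAC + 2-digit FAC),
    6-digit serial, then a Luhn check digit. Separators are stripped first."""
    imei = re.sub(r"[\s-]", "", imei)
    if not re.fullmatch(r"\d{15}", imei):
        raise ValueError("IMEI must be 15 digits")
    return {"tac": imei[:8], "serial": imei[8:14], "check": imei[14],
            "luhn_ok": luhn_valid(imei)}


def parse_imsi(imsi: str) -> dict:
    """MCC = first 3 digits, MNC = next 2 or 3, MSIN = remainder (up to 10).
    Assumption: MCC 3xx (North America) uses 3-digit MNCs, others 2 digits."""
    if not re.fullmatch(r"\d{14,15}", imsi):
        raise ValueError("IMSI must be 14-15 digits")
    mnc_len = 3 if imsi[0] == "3" else 2
    return {"mcc": imsi[:3], "mnc": imsi[3:3 + mnc_len], "msin": imsi[3 + mnc_len:]}


def parse_iccid(iccid: str) -> dict:
    """19-20 digits printed on the SIM; MII = first 2 digits (89 = telecom)."""
    if not re.fullmatch(r"\d{19,20}", iccid):
        raise ValueError("ICCID must be 19-20 digits")
    return {"mii": iccid[:2], "luhn_ok": luhn_valid(iccid)}


if __name__ == "__main__":
    # Constructed sample values, not real devices or subscribers.
    print(parse_imei("49-015420-323751-8"))
    print(parse_imsi("310260123456789"))
    print(parse_iccid("8901260000000000006"))
```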

CDMA

• Code Division Multiple Access (CDMA)

• Developed during WWII

• Patented by Qualcomm

• Users Share a Band of Frequencies

• Verizon & Sprint

• No SIM

• Same Phone Model: GSM or CDMA

• Motorola RAZR

CDMA

• Code Division Multiple Access (CDMA)

• Spread-Spectrum Communications Protocol

• Wide Band Width

• Multiplexing Techniques

• Fiber Optic

• Verizon

• Sprint

• CDMA2000 – 3G

Mobile Phone Network Operators

• Mobile Network Operator (MNO)

• Owns an RF Spectrum License

• 4 Carriers

• AT&T/Cingular (GSM)

• T-Mobile (GSM)

• Verizon (CDMA)

• Sprint/Nextel (CDMA)

Mobile Phone Network Operators

• Mobile Virtual Network Operator (MVNO)

• Provides Mobile Phone Service

• No Licensed Frequency of Radio Spectrum

• Purchase Minutes of Use (MOU)

• Do Not Own SIM Cards

• Example: Virgin Mobile USA (Sprint Nextel)

• 100+ Carriers

Satellite Phones

• 90% of the World has No Cellular Coverage

• Solution – Satellite Phones

• DeLorme

Operating Systems

• Apple

• iOS

• Google

• Android

• Nokia

• Symbian

• Samsung

• Bada

• Research In Motion

• RIM OS

• Microsoft

• Windows 7

Statistics (Gartner)

• 2011: Tablet Sales – 60 Million Units Worldwide

• 2012: Tablet Sales – 119 Million Units Worldwide

[Chart: Tablet Sales Projections for 2011, 2012, 2013 and 2016, series iOS, Android and Microsoft; y-axis 0 to 180,000 (thousands of units)]

Statistics (Gartner)

• Q1: 2012 – 419 Million Mobile Phone Units Sold

Statistics (Gartner)

[Chart: 1Q 2011 vs 1Q 2012 comparison; y-axis 0 to 120,000]

Samsung

• Samsung Galaxy S III

• 2012 Estimated Sales 30+ Million Units

Google Nexus

• January 2010 – Nexus One (N1) Released

• Developed by HTC

• Unlocked

• Sold Directly by Google

• Nexus S

• Developed by Samsung

• WiFi Hotspot Capability

• Internet Calling

• Near Field Communication (NFC)

• Galaxy Nexus Coming Soon with Jelly Bean 4.1

Near Field Communication (NFC)

• Close Proximity Radio Communication

• Based on RFID Standards

• Formed by Sony, Nokia, Philips

• Google Wallet

• Credit Cards

• Loyalty Cards

• MasterCard PayPass

• Public Transportation Ticketing

Near Field Communication (NFC)

• Usage:

• Payment System

• Social Media

• Hotel Keys

Q1 – 2012 OS Market Share

• Android – 56.6%

• iOS – 23.1%

• Symbian – 8.7%

• Research In Motion – 7.0%

• Bada – 2.7%

• Microsoft – 1.9%

Android

• Networks:

• GSM

• iDEN

• CDMA

• Devices:

• Smartphones

• Tablets

• eReaders

• App Market

• 700,000+

Android Devices

• Samsung, LG, Motorola, etc.

• Samsung Galaxy Tab

• Amazon Kindle

Evidence

• Cache.wifi

• Captures WiFi Connections

• Do Not Need to Connect to Record

• Can Be Mapped

• Fb.db

• Facebook

• Contacts

• Chat Logs

• Messages

• Photos

• Searches

Evidence

• Emailprovider.db

• Path:

/data/data/com.android.email/databases/EmailProvider.db

• Exchange Login & Password in Plaintext

• HostAuth

• Gmail Login & Password in Plaintext

Evidence

• Da_destination.db

• Turn-by-Turn Navigation

• .WAV Files Stored

Evidence

• SMS & MMS

• Path: /data/data/com.android.providers.telephony

• Contains:

• Sender & Recipient

• Read Status

• Pictures

• Audio/Video

• MMS

• Path: /data/data/com.android.mms

Device Security

• PIN-Protect

• Numeric

• Password

• Alpha/Numeric/Character

• Pattern Lock

• Gesture

Security

• gesture.key

• Pattern-Lock Protection

• Finger Swipe

• Path: data/system/gesture.key

• Stored as an Unsalted SHA-1 Hash of the Pattern

• Recovered with Online Lookup Tools or Rainbow Tables

Security

• pc.key

• Password Protection

• Path: data/system/pc.key

• Decrypt with Brute Force or Dictionary Attack

• Most Difficult to Break

Security

• PIN

• Maximum of 8 Digits

• After Unsuccessful Attempts, Enter Gmail Login & Password

Questions