Trends in mobile device data and artifacts
DESCRIPTION
Data and artifacts from mobile devices reside in so many places that no single approach can yield everything. This session will review some of the latest observations on where artifacts and critical pieces of data can reside on the device, as well as the available tools and methodologies to extract and decode them.
TRANSCRIPT
Trends in Mobile Devices Data and Artifacts
Inbar Ries, Senior Director, Forensics Products
June, 2014
Trends
Much More Data
• Variety
• Amount
• Initiator - user and device
New Data Management
• Multiple locations
• Multiple types
Mobile Apps Dominate
Contacts – friends, favorites, groups
Call logs
Chats – messages, attachments
Emails
Location
Images
Malware
Over 2 Million Apps in App Store & Google Play
102 Billion downloads in 2013
Device Internal Data
Locations
Media files metadata
User ID (e.g. Apple ID)
Tethering information
Cloud backup indication
Device power log (off/on)
Installed applications & usage
Application permissions
Locations
■ Cell towers
■ WiFi networks
■ Applications location
■ Media files
■ Journeys taken from GPS applications/devices
The Device Knows Where Its Owner Has Been
■ The location data is derived from the cell towers and Wi-Fi hotspots the device has encountered
■ The location service is enabled by default
■ The data is stored in an SQLite database for future use
■ Deleted data can be recovered
Locations in Android Devices
Location reporting is available on devices running Android 2.3 or higher
Locations in iOS Devices
■ iOS 4 and above
■ Location accuracy
  Location service uses a combination of cellular, Wi-Fi, Bluetooth, and GPS to determine your location.
■ System location service
  ■ iPhone will periodically send locations of where you have purchased or used Apps in an anonymous and encrypted form to Apple
  ■ iPhone will keep track of places you have recently been, as well as how often and when you visited them. This data is kept solely on your device
Location in Applications
■ User location per activity
■ Friend’s locations
■ Other people nearby
Locations from TomTom devices
The potential
Detailed location info including Lat/Lon and timestamps
Data stored on the device
Encrypted triplog files
Image carving
■ File carving is a powerful tool for recovering files and fragments of files
■ Recovery of images that have a full, partial or corrupted header
  ■ Quick scan
  ■ Fewer false positives
■ Recovery of blocks of JPEG data without header information
  ■ Longer duration
  ■ Many more results
  ■ More false positives
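The header-based carving described above, as an added Python example (not taken from the presentation or from any vendor tool): it looks for the JPEG start signature in a raw dump and then walks the marker structure to the end-of-image marker, which is the validation that keeps false positives low. The function names and the sample dump are constructed for illustration; the sample is structurally valid but not a decodable picture.

```python
def jpeg_end(buf, start):
    """Walk JPEG markers from an SOI at `start`; return the offset just past
    EOI, or None if the structure is invalid or truncated."""
    pos, in_scan, seen_scan, n = start + 2, False, False, len(buf)
    while True:
        if in_scan:                        # skip entropy-coded bytes to next 0xFF
            pos = buf.find(b"\xff", pos)
            if pos < 0:
                return None
        if pos + 1 >= n or buf[pos] != 0xFF:
            return None
        marker = buf[pos + 1]
        if marker == 0xFF:                 # fill byte before a marker
            pos += 1
        elif in_scan and (marker == 0x00 or 0xD0 <= marker <= 0xD7):
            pos += 2                       # stuffed 0xFF or restart marker
        elif marker == 0xD9:               # EOI only counts after scan data
            return pos + 2 if seen_scan else None
        elif marker < 0xC0 or 0xD0 <= marker <= 0xD8 or pos + 4 > n:
            return None                    # not a length-prefixed segment
        else:
            seg_len = int.from_bytes(buf[pos + 2:pos + 4], "big")
            if seg_len < 2:
                return None
            in_scan = marker == 0xDA       # SOS: compressed data follows
            seen_scan = seen_scan or in_scan
            pos += 2 + seg_len

def carve_jpegs(buf):
    """Return (start, end) offsets of structurally valid JPEGs in a raw dump."""
    found, pos = [], 0
    while (pos := buf.find(b"\xff\xd8\xff", pos)) >= 0:
        end = jpeg_end(buf, pos)
        if end is None:
            pos += 1                       # signature hit failed validation
        else:
            found.append((pos, end))
            pos = end
    return found

# Constructed sample: SOI, APP0, SOS, scan bytes (one stuffed 0xFF, one RST0), EOI
SAMPLE_IMAGE = (b"\xff\xd8" + b"\xff\xe0\x00\x10JFIF\x00" + bytes(9)
                + b"\xff\xda\x00\x08" + bytes(6)
                + b"\x12\xff\x00\x34\xff\xd0\x56" + b"\xff\xd9")
# Constructed dump: padding, a decoy signature, filler, the image, trailing bytes
SAMPLE_DUMP = bytes(16) + b"\xff\xd8\xff\x00" + b"junk" + SAMPLE_IMAGE + b"tail"

if __name__ == "__main__":
    print(carve_jpegs(SAMPLE_DUMP))
```

The decoy signature at offset 16 is rejected because no valid marker follows it, and a dump truncated before the end-of-image marker yields no result, which is where the slower headerless block recovery takes over.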
Media files
■ Video and image files
■ Where – Latitude and longitude
■ When - capture time
■ Which camera - device make and model
  ■ Device owner
  ■ Other camera
■ What the area looks like
Malware
■ Mobile malware increasing by 1000% in the last year
■ Mainly on Android and BlackBerry platforms
■ 2013 - 143K malicious programs targeting mobile devices were detected
■ Devices are affected by:
  ■ A fake version of a real site
  ■ Infected legit app
  ■ Unofficial websites where users can freely download apps
The Real Danger of Malware
■ Stealing of
  ■ Private information
  ■ Bank account information and password
  ■ Credit card numbers
  ■ Company intellectual property
■ Deleting data
■ Forcing the use of premium content
■ Bricking the device
Trends
Much More Data
• Variety
• Amount
• Initiator - User and device
New Data Management
• Multiple locations
• Multiple types
SQLite Databases – Standard
■ SQLite database is already installed in many devices including Android, Apple and Blackberry
■ Multiple data types
  ■ Text, date and time, numbers
  ■ Files (image, audio, documents)
■ Deleted data can be recovered
SQLite Databases – Content
■ Applications data
  ■ The data is per application and cannot be accessed by other applications
  ■ Data: User profile, messages, locations, contacts, images and more
■ Device native applications including SMS, MMS, contact
■ Device internal usage
  ■ The amount of data that is saved but not exposed to the user is massive
  ■ Data: configuration, cached information, locations and more
Logs
■ Logs can include errors but also valuable system information
■ Transactions status
■ Device information
Configuration files
■ What can be found:
  ■ Date, time and time zone configuration
  ■ Applications permissions
  ■ Tethering data - Hotspot name, password and last activation time
  ■ Location service status - on/off
■ Configuration files:
  ■ Apple – Plist, bplist
  ■ Android – XML preference files
Thank You
www.cellebrite.com