Unit I to V

The document provides an overview of digital forensics, detailing its definition, historical context, and the phases involved in the digital forensics process, including identification, collection, examination, analysis, and presentation of digital evidence. It emphasizes the importance of maintaining evidence integrity and adhering to established forensic principles while addressing the challenges posed by evolving cybercrime. Additionally, it discusses the roles of forensic scientists and the significance of digital evidence in both criminal and private law contexts.

Uploaded by ABIRAMI A

UNIT I

INTRODUCTION TO DIGITAL FORENSICS

Syllabus:
Forensic Science – Digital Forensics – Digital Evidence – The Digital Forensics Process –
Introduction – The Identification Phase – The Collection Phase – The Examination Phase – The
Analysis Phase – The Presentation Phase

1. Forensic Science :

Definition of Forensic Science:

● Forensic science is the application of scientific methods to establish factual answers to
legal problems. It involves the analysis of evidence collected from crime scenes to
provide objective information for use in the legal system.

History of Forensic Science:

● Forensic science emerged as a distinct discipline during the 19th and early 20th centuries.
● Pioneers like Mathieu Orfila, Alphonse Bertillon, Francis Galton, Hans Gross, Albert S.
Osborn, Leone Lattes, and Edmond Locard made significant contributions to its
development.
● Their work in toxicology, anthropometry, fingerprinting, document examination, blood
analysis, and crime scene investigation laid the foundation for modern forensic
techniques.

Locard's Exchange Principle:

● Edmond Locard's exchange principle asserts that whenever someone or something comes
into contact with another person or object, there is an exchange of materials between
them.
● This principle underpins much of forensic science, as it suggests that evidence can be
transferred between individuals, objects, or locations during a criminal act, providing
valuable clues for investigators.

Crime Reconstruction:

● Crime reconstruction involves piecing together the sequence of events surrounding a
crime using scientific methods and evidence.
● By analyzing physical evidence, witness statements, and other relevant information,
investigators can reconstruct the actions and events leading up to and following the
commission of a crime.
● Crime scene reconstruction helps investigators understand how and why a crime
occurred, aiding in the identification of suspects and the presentation of evidence in
court.

Investigations:

● Investigations are systematic inquiries conducted to gather information and evidence
about a crime or incident.
● The 5WH formula (who, where, what, when, why, and how) is commonly used to guide
investigations and ensure that all relevant aspects of a case are considered.
● Investigators employ various techniques, such as interviews, surveillance, forensic
analysis, and data collection, to uncover facts and establish the truth.

Evidence Dynamics:

● Evidence dynamics refers to the changes and interactions that occur with physical or
digital evidence over time.
● These dynamics can include additions, alterations, relocations, contamination, or
destruction of evidence, whether intentional or unintentional.
● Understanding evidence dynamics is essential for preserving the integrity of evidence and
accurately interpreting its significance in an investigation or legal proceeding.

2. Digital Forensics :

Definition of Digital Forensics:

● Digital forensics involves the use of scientifically derived methods for the preservation,
collection, analysis, and interpretation of digital evidence from various sources. Its
primary aim is to reconstruct criminal events or anticipate unauthorized actions that
disrupt planned operations.

Specialized Fields within Digital Forensics:

● Terms like network forensics, device forensics, and Internet forensics are used to denote
specialized areas within digital forensics, reflecting the diverse range of digital sources
and technologies involved.

● The ubiquity of digital technology in society has elevated the importance of digital
forensics, as evidenced by its increasing relevance in legal cases involving mobile
devices, financial transactions, emails, Internet activities, and GPS systems.

Digital Archaeology and Digital Geology:

● Digital archaeology refers to traces of human behavior in computer systems, while digital
geology pertains to traces generated by the inherent processes of computer systems
themselves.
● Understanding both digital archaeology and digital geology is crucial for interpreting
digital evidence accurately and comprehensively.

Responsibilities of Forensic Scientists in Digital Forensics:

● Forensic scientists play a vital role in establishing factual answers to legal problems
through the rigorous processing and analysis of digital evidence.
● This responsibility necessitates adherence to strict standards and procedures to ensure the
integrity of the investigation and the reliability of its conclusions.

Crimes and Incidents:

● Digital forensics is applicable in both criminal law and private law contexts, serving as a
crucial tool for law enforcement agencies investigating crimes and organizations
addressing incidents such as policy violations.
● Incidents in digital forensics encompass digital events or sequences of events, with the
scene of the incident analogous to a traditional crime scene.

Digital Devices, Media, and Objects:

● Digital forensics distinguishes between digital devices (e.g., laptops, smartphones),
digital media (e.g., hard drives, memory), and digital objects (discrete collections of
digital data).
● Forensic analysts primarily work with digital objects, which are collections of digital data
derived from digital media.

Forensic Soundness and Fundamental Principles:

● Forensic soundness in digital forensics entails adherence to established principles,
standards, and processes throughout the investigation.
● Two fundamental principles, evidence integrity and chain of custody, are paramount in
ensuring the reliability and credibility of digital forensic analysis.

Crime Reconstruction in Digital Forensics:

● Crime reconstruction in digital forensics involves a five-step process for event-based
reconstruction, including evidence examination, role classification, event construction
and testing, event sequencing, and hypothesis testing.
● This method can be applied using physical or virtual testbeds to simulate experiments and
validate hypotheses in digital forensic investigations.

3. Digital Evidence:

Definition of Digital Evidence:

● Digital evidence encompasses any digital data containing reliable information that can
either support or refute hypotheses regarding an incident or crime.

Layers of Abstraction:

● Digital evidence analysis often involves navigating through layers of abstraction, where
higher layers conceal implementation details to reduce complexity.
● Forensic analysts must be capable of analyzing data at various layers of abstraction to
extract relevant evidence effectively.

Metadata:

● Metadata, or data about data, is a valuable source of evidence in digital forensics,
providing crucial information about data objects.
● It includes details such as the time of creation, geographical location, and device
information, which can be instrumental in solving cases.

Error, Uncertainty, and Loss:

● Understanding and addressing error, uncertainty, and loss are essential for forensic
scientists, as they can significantly impact the interpretation of digital evidence.
● Factors like timestamp inaccuracies, geographical location uncertainties, and data
ownership complexities must be carefully considered to avoid misinterpretation.

Real-World Example: Online Bank Fraud (SpyEye Case):

● The SpyEye case serves as a comprehensive real-world example of online bank fraud,
illustrating the complexity and scale of such cybercrimes.
● The case involved the creation and distribution of malware infecting millions of
computers worldwide, compromising numerous bank accounts and causing substantial
financial losses.
● It highlights the multi-layered nature of cybercrime investigations, involving
collaboration between law enforcement agencies and cybersecurity experts to combat
sophisticated criminal operations.

4. The Digital Forensics Process:

The digital forensic process outlined in this textbook provides a normative framework for
conducting digital forensics investigations. It draws upon the structure of traditional physical
forensics investigations while encompassing all necessary phases. These phases span from the
initial notification of an incident through the reporting stage to the final presentation of findings.
Adherence to a defined process is crucial for identifying digital objects that reflect relevant facts,
whether in criminal or civil courts of law, or in corporate and private investigations. This process
functions as a component of a quality assurance system for digital forensics.

The process is delineated into five consecutive but iterative phases, each serving a distinct
purpose:

1. Identification of Potential Evidence Sources: In this phase, potential evidence sources
are identified from digital devices involved in the investigation.
2. Collection of Digital Raw Data: Once potential evidence sources are identified, digital
raw data is collected by copying the source in a forensically sound manner.
3. Examination of Raw Data: The raw data is examined in this phase, where it is
organized and structured to facilitate processing and comprehension.
4. Analysis: The analysis phase aims to gain a deeper understanding of the data and identify
digital objects that serve as evidence to be presented in court or to relevant entities.
5. Reporting and Presentation: Finally, the findings of the analysis are reported and
presented to the appropriate stakeholders, whether in court or within the investigative
entity.

While the process is described as a step-by-step progression, it is acknowledged that multiple
iterations of several phases may be necessary. This iterative approach allows for thorough
examination and analysis of the digital evidence, ensuring comprehensive investigative
outcomes.

5. Introduction:

Evolution of Cybercrime:

● Over the past decade, cybercrime has undergone significant evolution driven by factors
such as technologically adept attackers, advanced technology, and strong incentives.
● Cybercriminals now execute sophisticated attacks exploiting extensive digital networks
and numerous endpoints simultaneously, leading to data breaches and disclosures.
● The prevalence of cybercrime underscores the necessity for well-defined forensic
investigation processes and appropriate tools to investigate incidents effectively.

Challenges in Digital Forensics:

● The uncertainties associated with digital evidence, stemming from both accidental and
deliberate factors, must be addressed in forensic investigations.
● Example 2.1 illustrates the complexities involved in determining the origin and
authenticity of digital evidence, highlighting the challenges investigators face.

Adapting to Technological Advancements:

● The dynamic nature of the digital landscape necessitates continual adaptation of digital
forensics practices.
● While cybercrimes may evolve in complexity, the tools available to investigators also
advance, aiding in the investigation process.

2.1.1 Why Do We Need a Process?

● The forensic process provides a structured approach to investigating digital evidence
from any device capable of storing or processing digital data.
● Digital forensics processes must adapt traditional investigation practices to effectively
gather and manage digital evidence, supporting end-to-end criminal investigations.

Universal Application of the Process:

● The digital forensics process is universally applicable to investigations involving various
digital devices and technologies, including computer forensics, mobile forensics, and
Internet forensics.
● It facilitates the identification of evidence crucial for answering key investigative
questions.

Principles of a Forensics Process:

● A forensically sound process adheres to established principles, standards, and processes
in digital forensics.
● Evaluation of forensic tools' trustworthiness is essential; NIST's Computer Forensics Tool
Testing (CFTT) project, for example, develops test specifications and criteria for
evaluating forensic tools.

2.1.3 Finding the Digital Evidence:

● Digital evidence, defined in alignment with Carrier and Spafford (2004a, 2004c),
encompasses any digital data supporting or refuting hypotheses about incidents or crimes.
● The digital forensics process involves identifying potential evidence sources, collecting
digital raw data, examining and analyzing the data, and presenting findings to courts or
relevant entities.

Iterative Nature of the Process:

● The digital forensics process is iterative, often requiring multiple iterations for different
potential evidence sources.
● Each source undergoes collection, examination, and analysis phases, with simultaneous
analysis of data from multiple sources to establish correlations and form conclusive
evidence.

The Identification Phase:

Incidents come to light through various means such as complaints, alerts, or other indicators. The
identification phase, as defined in Definition 2.1, serves as the cornerstone for all subsequent
phases or activities during a digital investigation. It helps determine which evidence or objects to
focus on, leading to the formation of a hypothesis about the event or crime.

Preparations and Deployment of Tools and Resources:

Effective planning is essential to ensure the efficiency and success of an investigation,
regardless of its nature. This section emphasizes the importance of proper preparation before an
incident occurs. It highlights the need for a well-trained investigative team and access to
necessary resources and tools. Additionally, guidelines for establishing a forensics laboratory
and evaluating forensic tools' integrity and compliance with evidence standards are discussed.

The First Responder:

The first responder, typically a police officer in criminal cases, plays a crucial role in
handling potential evidence, including digital devices, at the scene of an incident. Standard
operating procedures (SOPs) are essential to guide evidence identification activities and
maintain evidence integrity. Example 2.2 underscores the importance of adhering to proper
procedures to avoid compromising evidence, as demonstrated by a real-life case.

At the Scene of the Incident:

Understanding the characteristics of a digital crime scene and ensuring proper preservation of
evidence are key aspects discussed in this section. Whether in a private home or a corporate
setting, identifying and securing potential evidence sources is crucial. The section also
emphasizes the need for meticulous documentation throughout the investigation process.

Dealing with Live and Dead Systems:

Differentiating between live and dead systems is vital in digital forensics investigations.
Special precautions must be taken to prevent data loss or alteration, whether a system is
powered on or off. A live (powered-on) system holds volatile data such as memory contents,
running processes and open network connections that is lost the moment power is cut, so it
must be captured before shutdown; a dead (powered-off) system must not be booted from its own
media, since booting writes to the disk. Considerations for preserving evidence integrity and
minimizing the risk of unintended changes are discussed.

Chain of Custody:

Maintaining the chain of custody is paramount for ensuring the admissibility of evidence in legal
proceedings. Proper documentation of handling procedures, including who handled the evidence,
when and how it was acquired, and any changes made, is essential. The section stresses the
importance of integrity checks and timestamps to support the chain of custody and mitigate the
risk of evidence exclusion from a case.

6. The Collection Phase :

Introduction

The collection phase in digital forensics involves acquiring relevant data from electronic devices
using forensically sound methods. This phase is crucial for obtaining evidence for a forensic
investigation.

Key Points

1. Purpose of Collection Phase: The collection phase involves making a digital copy of
data using approved methods to ensure forensic soundness.
2. Metadata: Metadata about the case should be tied to potential evidence, including case
details, timestamps, and location information.
3. Example Case: The SpyEye online banking fraud case illustrates the variety of potential
evidence sources, including victim computers, bank records, malware evidence, server
logs, and network monitoring data.
4. Sources of Digital Evidence: Digital evidence can be found in various sources such as
hard drives, flash drives, memory, smartphones, computer networks, and the Internet.
5. Physical Location of Systems: In cases where systems cannot be moved, data must be
collected at their physical location.
6. Multiple Evidence Sources: Digital evidence is often distributed across multiple devices
and locations.
7. Evidence Reconstruction: Media storing data may be damaged intentionally or
unintentionally, requiring data recovery techniques.
8. Evidence Integrity: Maintaining evidence integrity is critical, achieved through
measures like write blockers and cryptographic hashes.
9. Order of Volatility: Prioritizing data collection based on the volatility of data sources
helps preserve critical evidence; the most volatile sources (CPU registers and memory, then
process and network state) are collected first, then disk, then archival media (RFC 3227).
10. Dual-Tool Verification: Using multiple forensic tools to verify results enhances
confidence in the integrity of collected evidence.
11. Remote Acquisition: Remote forensic acquisition allows for faster investigation but
presents challenges such as data transmission over networks and reduced trust.
12. Global Cooperation: In multinational cases, collaboration between forensic units from
different countries is essential for successful investigations.

Conclusion

The collection phase is a fundamental step in digital forensics, involving the acquisition of data
from various sources using approved methods. Ensuring evidence integrity, prioritizing data
collection, and leveraging global cooperation are essential for successful investigations.

7. The Examination Phase :

The Examination Phase in digital forensics is a critical step in the process, where collected data
is carefully examined and prepared for analysis. Let's break down some key points from the text:

1. Purpose: The examination phase aims to retrieve relevant potential digital evidence from
collected data sources.
2. Preparation and Extraction: This phase involves preparing and extracting potential
digital evidence from the collected data sources. Digital forensics tools are often used to
automate these tasks, but manual examination is also important for experienced forensic
investigators.
3. Triage: Triage is crucial when dealing with large volumes of data, helping to identify the
most relevant data quickly based on the severity of the case and available resources.
4. Data Examination Techniques: Various techniques such as file hashing, keyword
searches, and metadata extraction are employed to structure and organize data for
analysis.
5. Forensic File Formats: Different file formats are used to store collected data, each with
its own impact on forensic analysis effectiveness. Formats like EnCase (E01), SMART, AFF,
and ProDiscover add more information (case metadata, hashes, compression) and flexibility
to extracted data compared with a raw bit-for-bit copy.
6. Data Recovery: Even deleted files can often be recovered from storage areas,
highlighting the importance of documenting actions to maintain evidence integrity.
7. Data Reduction and Filtering: Techniques like hash lookup and known file databases help
filter out irrelevant files, reducing the total amount of data for analysis.
8. Timestamps: Recording correct timestamps aids in correlating data across multiple
sources, though adjustments may be needed for time zone differences.
9. Compression, Encryption, and Obfuscation: Compressed and encrypted files must be
handled appropriately during examination, which may involve decompression or
decryption. Obfuscation techniques like steganography add complexity to forensic
analysis.
10. Data and File Carving: Tools and techniques are used to parse and carve unstructured and
raw binary data, helping to recover potentially valuable evidence from collected data sources.
Carving relies on file content (for example header and footer signatures) rather than file
system metadata, so it also recovers files whose directory entries are gone.

11. Automation: Automation plays a significant role in the examination phase, reducing the
manual workload and improving efficiency through tasks such as file parsing and string
searches.

By following these steps and employing various techniques and tools, forensic investigators can
effectively examine and prepare digital evidence for further analysis and investigation.
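The carving and data-reduction points above (items 7 and 10) are easiest to see on actual bytes. The following is an added example, not code from the notes or from any forensic tool; the raw image, its filler, the truncated object and the "known file" hash set are all constructed for the example.

```python
# Added example, not from the course notes: header/footer carving of raw binary
# data, followed by reduction of the carved set with a known-file hash set.
# RAW_IMAGE is constructed (three image-like objects and one truncated object in
# filler bytes); KNOWN_HASHES stands in for an NSRL-style list of stock files.
import hashlib

# Real magic values; only PNG and JPEG are carved in this example.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
}
MAX_OBJECT = 1 << 20  # abandon a header that has no footer within 1 MiB


def carve(raw: bytes) -> list:
    """Return every header..footer span found in raw, sorted by offset.
    A header whose footer is missing is skipped rather than carved to the end
    of the image, which keeps fragmented leftovers out of the result set."""
    objects = []
    for kind, (head, tail) in SIGNATURES.items():
        pos = raw.find(head)
        while pos != -1:
            end = raw.find(tail, pos + len(head), pos + MAX_OBJECT)
            if end == -1:
                pos = raw.find(head, pos + 1)
                continue
            data = raw[pos:end + len(tail)]
            objects.append({
                "type": kind,
                "offset": pos,
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
                "data": data,
            })
            pos = raw.find(head, end + len(tail))
    return sorted(objects, key=lambda o: o["offset"])


def reduce_known(objects: list, known_hashes: set) -> list:
    """Drop carved objects whose hash appears in the known-file set."""
    return [o for o in objects if o["sha256"] not in known_hashes]


# Constructed test image: two PNG-like objects, one JPEG-like object and one
# JPEG header with no footer, separated by filler and "slack".
PNG_A = SIGNATURES["png"][0] + b"\x00\x00\x00\rIHDR" + b"A" * 20 + SIGNATURES["png"][1]
JPG_A = SIGNATURES["jpg"][0] + b"\xe0\x00\x10JFIF\x00" + b"C" * 40 + SIGNATURES["jpg"][1]
PNG_B = SIGNATURES["png"][0] + b"\x00\x00\x00\rIHDR" + b"B" * 33 + SIGNATURES["png"][1]
TRUNCATED_JPG = SIGNATURES["jpg"][0] + b"\xe1" + b"D" * 10
RAW_IMAGE = (b"\x00" * 64 + PNG_A + b"\xff" * 30 + JPG_A + b"slack!" * 8
             + PNG_B + TRUNCATED_JPG + b"\x00" * 64)

# Pretend PNG_A is a stock file shipped with the operating system.
KNOWN_HASHES = {hashlib.sha256(PNG_A).hexdigest()}


def examine(raw: bytes = RAW_IMAGE, known: set = KNOWN_HASHES) -> list:
    """Carve, then filter; returns the objects still worth an analyst's time."""
    return reduce_known(carve(raw), known)


if __name__ == "__main__":
    for o in examine():
        print(f"{o['type']} @ {o['offset']:#x} ({o['size']} bytes) {o['sha256'][:16]}...")
```

Two design points matter for evidence quality: the carver records the offset of every object so a finding can be tied back to the image and reproduced, and a header without a footer is dropped rather than padded to the next header, because a padded object would have a hash that matches nothing and a size that means nothing.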

8. The Analysis Phase :

The Analysis Phase in digital forensics is where forensic investigators delve deep into the
collected data to determine the digital evidence that supports or refutes a hypothesis regarding a
crime, incident, or event. Here's a breakdown of key points from the text:

1. Purpose: The analysis phase involves processing information to determine the facts
about an event, the significance of the evidence, and the person(s) responsible.
2. Techniques Used: Techniques such as statistical methods, manual analysis, data format
understanding, data mining, and timelining are employed during analysis. Computational
methods and machine learning are also applied for automating analysis tasks and
recognizing patterns.
3. Iterative Process: The analysis phase is iterative, with investigators forming and testing
hypotheses about the case, often requiring the collection of additional data objects until
the results are sufficient for the investigation's purpose.
4. Layers of Abstraction: Different layers of data interpretation exist, such as what
end-user applications see, what the operating system sees, and what is stored in bits and
bytes on the storage device. Understanding these layers is crucial for accurate analysis.
5. Evidence Types: The type of evidence depends on the nature of the crime. Examples
include email communications, malicious applications, and data related to cybercrimes or
physical crimes.
6. String and Keyword Searches: String and keyword searches simplify analysis, allowing
investigators to search for specific information relevant to the case, such as names,
addresses, or sensitive data like Social Security or credit card numbers.
7. Anti-Forensics: Anti-forensics techniques are used to make forensic analysis more
challenging. Examples include computer media wiping, encryption, obfuscation, and
steganography.
8. Automated Analysis: Automation plays a significant role in analyzing large data
volumes and obfuscated malware. Computational forensics methods, data mining, and
forensic analytics are employed to identify and analyze relevant evidence.
9. Timelining of Events: Timelining helps in understanding the sequence of events,
especially useful in criminal investigations. File and system logs, along with physical and
digital events, contribute to creating timelines.
10. Graphs and Visual Representations: Graphs and visual representations help in
understanding relationships between data objects, individuals, and network interactions,
aiding in investigative analysis.

11. Link Analysis: Link analysis is used to identify and visualize relationships among
interconnected objects, providing insights into complex networks of data. It is valuable in
various domains, including digital forensics, law enforcement, and intelligence.

By employing these techniques and tools, forensic investigators can effectively analyze digital
evidence to uncover crucial insights and facts about a case, helping to support or refute
hypotheses and identify responsible parties.
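Item 6 above describes string and keyword searches for names, addresses or card numbers. The following added example (not code from the notes or from any forensic tool) goes one step beyond a plain pattern match: every candidate digit run is validated with the Luhn check, so that device serials and order identifiers of the same length are reported separately from plausible card numbers. The disk fragment is constructed, and the card numbers in it are the publicly documented test numbers, not real accounts.

```python
# Added example, not from the course notes: keyword search plus a card-number
# search that validates each candidate with the Luhn check. DISK_CHUNK is a
# constructed fragment of unallocated space; the card numbers are public test
# numbers.
import re

# 13-19 digits, optionally separated by single spaces or dashes, and not part of
# a longer digit run (so a 23-digit order ID is not chopped into a "card").
CARD_CANDIDATE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn (ISO/IEC 7812) check digit test, processed right to left."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def keyword_search(raw: bytes, keywords) -> list:
    """Case-insensitive offset of every keyword hit, with surrounding bytes."""
    hits = []
    for kw in keywords:
        for m in re.finditer(re.escape(kw.encode()), raw, re.IGNORECASE):
            hits.append({"keyword": kw, "offset": m.start(),
                         "context": raw[max(0, m.start() - 12):m.end() + 12]})
    return sorted(hits, key=lambda h: h["offset"])


def card_number_search(raw: bytes) -> dict:
    """Luhn-valid card numbers, and the digit runs that looked like one but
    failed the check (kept so the analyst can see what was filtered out)."""
    valid, rejected = [], []
    for m in CARD_CANDIDATE.finditer(raw):
        digits = re.sub(rb"[ -]", b"", m.group()).decode()
        bucket = valid if luhn_ok(digits) else rejected
        bucket.append({"pan": digits, "offset": m.start()})
    return {"valid": valid, "rejected": rejected}


# Constructed fragment of unallocated space from a point-of-sale host.
DISK_CHUNK = (
    b"\x00\x00customer=Alice Example;pan=4111 1111 1111 1111;exp=12/27\x00"
    b"device serial 1234567890123456 firmware 7.2\x00"
    b"backup card: 5500-0000-0000-0004 order 20240312000000000000123\x00"
)


if __name__ == "__main__":
    for h in keyword_search(DISK_CHUNK, ["alice", "serial"]):
        print(f"{h['keyword']!r} at {h['offset']:#x}: {h['context']!r}")
    result = card_number_search(DISK_CHUNK)
    print("valid:", [c["pan"] for c in result["valid"]])
    print("rejected:", [c["pan"] for c in result["rejected"]])
```

The rejected list is kept on purpose: a report that says "two card numbers found" is stronger when it can also say which similar-looking strings were examined and why they were excluded.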

9. The Presentation Phase :

The Presentation Phase in digital forensics involves sharing the results of the analysis phase
through reports with interested parties, such as a court of law or corporate management. Here's a
breakdown of key points from the text:

1. Purpose: The presentation phase is about documenting and presenting the results of the
investigation, based on objective findings with a sufficient level of certainty. It involves
summarizing findings and describing all actions taken during the investigation in a clear
and understandable manner.
2. Final Reports: The final report should include relevant case management information,
such as roles and tasks assigned, executive summaries of information sources and
evidence, forensic acquisition and analysis details reflecting chain of custody and
evidence integrity, visualizations, tools used, and findings. While digital forensics tools
have reporting functionality, the investigator must ensure that the report is understandable
to a third party and sufficiently documents reproducibility.
3. Presentation of Evidence: Visual aids such as diagrams, graphics, and timelines are
valuable for presenting complex information in an accessible way. Visualizations help
identify patterns and information that may not be immediately obvious from text alone.
4. Chain of Custody: Documenting the chain of custody is crucial for maintaining the
integrity of the evidence presented in court. It ensures that all activities conducted during
the investigation are documented and can be verified. Failure to document the chain of
custody could compromise the trust in the authenticity and integrity of the evidence in
court.
5. Final Presentation: The documented evidence, methods used, and expert testimony form
the basis of the final presentation to a court of law or corporate audience, depending on
the context of the investigation.
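Timelines are built in the analysis phase and shown in the presentation phase, and item 8 of the examination phase notes that time zone adjustments are needed before sources can be correlated. The following added example (not code from the notes or from any forensic tool) normalizes three constructed log lines in three formats to UTC and merges them. The Windows host's UTC-04:00 offset is an assumption, recorded in the code because it belongs in the report; if it is wrong, every event from that source moves and the order of events changes.

```python
# Added example, not from the course notes: normalising timestamps from three
# differently formatted sources to UTC and merging them into one timeline.
# All log lines are constructed. The Windows export carries no offset, so the
# host's local zone is an assumption (UTC-04:00 here) that must be documented.
import re
from datetime import datetime, timezone, timedelta

WINDOWS_HOST_OFFSET = timezone(timedelta(hours=-4))  # assumed, state it in the report

APACHE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})')


def parse_apache(line: str):
    """Combined log format; the bracketed timestamp carries its own UTC offset."""
    m = APACHE_RE.match(line)
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    return ts.astimezone(timezone.utc), f'{m.group(1)} "{m.group(3)}" -> {m.group(4)}'


def parse_windows(line: str):
    """'YYYY-MM-DD HH:MM:SS,Channel,EventID,Message' stamped in host local time."""
    stamp, channel, event_id, message = line.split(",", 3)
    ts = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=WINDOWS_HOST_OFFSET)
    return ts.astimezone(timezone.utc), f"{channel} {event_id}: {message}"


def parse_iso(line: str):
    """'<ISO 8601 with Z> <message>', already in UTC."""
    stamp, message = line.split(" ", 1)
    ts = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
    return ts.astimezone(timezone.utc), message.strip()


# Constructed lines: as written, the Windows event (08:03) looks earliest and
# the web request (14:03) latest; in UTC the web request is the first event.
SOURCES = {
    "web": (parse_apache,
            ['203.0.113.5 - - [12/Mar/2024:14:03:27 +0200] "POST /login HTTP/1.1" 302 0']),
    "win": (parse_windows,
            ["2024-03-12 08:03:31,Security,4624,Logon succeeded for user alice"]),
    "ids": (parse_iso,
            ["2024-03-12T12:03:29Z alert: outbound TLS to 198.51.100.7:443"]),
}


def build_timeline(sources=SOURCES) -> list:
    """Parse every line of every source, normalise to UTC, sort."""
    events = []
    for name, (parser, lines) in sources.items():
        for line in lines:
            ts, what = parser(line)
            events.append({"utc": ts, "source": name, "event": what})
    events.sort(key=lambda e: (e["utc"], e["source"]))
    return events


def render(events) -> list:
    """One line per event, UTC with an explicit Z so no reader re-interprets it."""
    return [f'{e["utc"].strftime("%Y-%m-%dT%H:%M:%SZ")} [{e["source"]}] {e["event"]}'
            for e in events]


if __name__ == "__main__":
    print("\n".join(render(build_timeline())))
```

Every rendered line carries an explicit Z suffix, so the timeline in the report cannot be re-read in a local zone by whoever opens it next; the assumed offset for the Windows host is the one number in this chain that a court or reviewer should be able to challenge, and it is written down for that reason.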

UNIT II
DIGITAL CRIME AND INVESTIGATION

Syllabus:
Digital Crime – Substantive Criminal Law – General Conditions – Offenses – Investigation
Methods for Collecting Digital Evidence – International Cooperation to Collect Digital Evidence

1. Digital Crime – Substantive Criminal Law:

The Cybercrime Convention (the Council of Europe Convention on Cybercrime, Budapest, 2001)
categorizes criminal offenses into four main groups:

1. Offenses against Confidentiality, Integrity, and Availability of Computer Data and
Systems (Articles 2-6): These include unauthorized access, interception of data, data
interference, system interference, and misuse of devices.
2. Computer-related Offenses (Articles 7 and 8): This category covers computer-related
forgery and fraud, involving the creation, alteration, or suppression of computer data with
fraudulent intent.
3. Content-related Offenses (Article 9): Offenses related to child sexual abuse material,
encompassing the creation, distribution, or possession of pornographic material involving
minors.
4. Infringements of Copyright and Related Rights (Article 10): Violations involving
unauthorized use or distribution of copyrighted works and related rights.

Additionally, the Convention addresses aiding, abetting, and attempt to commit offenses (Article
11) and corporate liability (Article 12), holding legal entities accountable for committing
offenses.

Article 13 mandates that crimes must be punishable by effective, proportionate, and dissuasive
sanctions, including deprivation of liberty. The national legal provisions prescribe maximum
penalties for each offense, ensuring consistency in sentencing practices. However, actual
punishment may vary between jurisdictions due to differences in legal principles, social and
cultural traditions. To address disparities, some jurisdictions develop sentencing guidelines or
appoint advisory bodies to suggest standard rates for certain offenses.

3. General Conditions:

Conditions for Criminal Liability: A Summary

To secure a conviction for a criminal offense, certain conditions must be met, encompassing both
objective and subjective elements:
1. Objective Conditions of the Offense:
○ The act must be defined as criminal by law, specifying its scope and parameters.
○ This includes the "When, Where, and How" aspects of the offense.
2. Subjective Conditions of Intent:
○ The individual must have acted with intent (dolus), signifying awareness and
volition.
○ Intent is inferred from words like knowingly or intentionally (the Norwegian term is forsett).
○ It must cover all objective conditions and pertains to the "Why" aspect of the
offense.
3. Criminal Capability:
○ The individual must meet age and mental capacity requirements determined by
law.
○ Primarily addresses the "Who" aspect of the offense.
4. Absence of Legal Justifications:
○ No circumstances should render an otherwise criminal act lawful, such as
emergency situations.
○ Concerns the "When, Where, How, and Why" of the offense.
5. Moment of Committing the Act:
○ All conditions must be fulfilled by the perpetrator at the time of committing the
crime.
○ Time frame ranges from split-second actions to prolonged behaviors.
6. Subjective Condition and Interpretations:
○ Unintentional actions do not lead to criminal liability.
○ Good intentions do not negate criminal intent.
○ Error regarding relevant facts negates intent.
○ Proof of intent is crucial for establishing liability.
7. Attempt, Aiding, and Abetting:
○ Attempt requires action with intent to complete the crime.
○ Aiding and abetting involve intentionally assisting or encouraging the main
perpetrator.
○ Organized crime liability can extend beyond direct involvement.
8. Individual Judgment and Punishment:
○ Each suspect is judged based on their actions and intent.
○ Punishment is individually determined but tends to be uniform for similar
offenses.
9. Legal Application and Jurisdictional Variations:
○ Legal provisions vary across jurisdictions, impacting the elements required for
conviction.
○ Evidence must align with the specific legal requirements of the jurisdiction trying
the case.

Understanding and applying these conditions systematically is essential for building a case and
ensuring the proper adjudication of criminal offenses.

4. Offenses:

The Cybercrime Convention aims to address offenses against the confidentiality, integrity, and
availability of computer data and systems. Here's a summary of key points regarding these
offenses:

1. Focus on Data Protection: The convention prioritizes the protection of computer data
rather than physical equipment. Computer data is broadly defined to include any
representation of facts, information, or concepts processed by a computer system.
2. Definition of Computer Data and System: Computer data encompasses user-generated
content and program files, while a computer system includes any device or group of
interconnected devices that automatically process data.
3. Illegal Access and Interception: Offenses such as illegal access and interception are
addressed by the convention. Illegal access refers to gaining unauthorized access to a
computer system, often by circumventing security measures. Illegal interception involves
capturing non-public transmissions of computer data without authorization.
4. Security Measures: National legislation may require offenses to involve the
infringement of security measures for them to be considered illegal access.
Circumvention of security measures can occur through password intrusion or exploiting
system vulnerabilities.
5. Protection of Communication: Illegal interception protects private communications,
whether they occur between different systems or within a computer system itself. This
includes safeguarding against keystroke loggers and other methods used to intercept
sensitive information.
6. Protection Levels: Articles 2 and 3 of the convention provide different levels of
protection. Article 2 protects against illegal access to computer systems, while Article 3
protects against the interception of non-public data during transmission.
7. Completion of Offenses: An offense under Article 2 is completed once access has been
gained, whereas an offense under Article 3 is completed when interception succeeds.
Both articles may apply to successive steps of criminal activity, along with Article 5,
which covers system interference.
8. Information Fencing: While Articles 2 and 3 do not directly protect property rights to
data, the concept of information fencing has developed in national legal systems.
Information fencing involves dealing unlawfully with stolen or copied data, especially if
it has economic value.
9. Password Intrusion vs. Identity Theft: Password intrusion differs from identity theft, as
it involves breaching computer security rather than interfering with the right to private
life. The immediate victim of password intrusion is the owner of the password, not a third
party defrauded by identity theft.
10. Interference with Security Measures: There is debate over whether automatic
circumvention of security measures, such as CAPTCHA, constitutes illegal access. The
interpretation may depend on technical hindrances, contractual conditions, and social
norms within national legal rules.
11. Definition of Access: "Access" is interpreted to imply control over a computer system or
user account. Sending emails or files to a system is not considered access unless it is done
without right, such as through a Trojan attachment.
12. Data and System Interference: Articles 4 and 5 of the convention address damaging,
deletion, alteration, or suppression of computer data (Article 4) and serious hindrance to
the functioning of a computer system (Article 5). These offenses supplement traditional
vandalism provisions and cover actions such as DDOS attacks and insertion of malware.

Article 4 - Data Interference:

● Article 4 covers any interference with computer data, but if the interference affects the
computer system itself, it might be considered vandalism under traditional provisions or
serious hindrance under Article 5.
● Examples of actions covered by Article 4 include deleting a user registry on a cloud
service, changing passwords, replacing files with defacing web pages, or encrypting files
for extortion.
● If the hindrance to the system's functioning is not serious, traditional vandalism
provisions may apply instead of Article 5.
● Article 4 primarily deals with interference with user-generated content, such as Word
files and PowerPoint presentations.

Article 5 - System Interference:

● Article 5 addresses serious hindrance to the functioning of a computer system, such as
DDOS attacks or insertion of malware that slows down or stops the system.
● Malware, including logical bombs, spyware, and backdoors, can interfere with system
functioning, and the critical point for completion of the offense is when the malware is
inserted.
● With the integration of technology and enterprises, distinguishing between system
functioning and enterprise operations becomes challenging, leading to legal complexities.

Article 6 - Misuse of Devices:

● Article 6 addresses the production, sale, procurement, import, distribution, or making
available of devices or data primarily designed for committing offenses mentioned in
Articles 2-5.
● There's no obligation to criminalize if the motive is other than committing these offenses.
● The provision covers physical devices (e.g., keystroke loggers) and computer programs
(e.g., malware) designed for illegal purposes.
● Possession of such items is optional but may be included in national legislation.
● The difference between physical and informational items affects the interpretation of
dealing with passwords or similar data. Technical assistance for password cracking or
sharing passwords with others falls under the provision.

5. Investigation Methods for Collecting Digital Evidence :

In the context of criminal procedure and digital forensic investigations, several key points are
worth noting:

1. Collection of Digital Evidence:

● The main aim of a criminal investigation is to collect evidence to identify suspects and
prove or disprove alleged crimes.
● Each investigative step must be justified based on the nature of the crime and specific
circumstances, preventing arbitrary interference and waste of resources.
● The principle of relevancy applies to every investigative method, including digital
evidence collection.

2. Digital Forensic Process:

● Digital investigations should adhere to the digital forensic process to ensure forensic
soundness, evidence integrity, and chain of custody.
● The digital forensic process must fit into the framework of procedural criminal law,
considering relevancy, legality, and the right to a fair trial.

3. Search and Seizure of Digital Evidence:

● Search involves looking for evidence, while seizure means taking control over it.
● In the digital forensic process, the distinction between search and seizure might not be
apparent; legal definitions are determined by conditions in procedural law.
● In a scenario where police seize a suspect's laptop, the crucial point in time determines
whether the data is seized or not.
● Seizure triggers the suspect's legal right to challenge it, potentially leading to the return of
the seized material if a court deems it irrelevant.
● Tension can arise between the digital forensic process and legal rules, especially
regarding when data is considered seized and subject to challenge.

4. Terminology and Misunderstandings:

● Terms like "securing data" may have different meanings in multidisciplinary teams,
leading to misunderstandings, especially regarding breaches of procedure.
● Whether a deviation from the digital forensic process affects the admissibility of evidence
depends on national legal rules and principles of fair trial.

Transborder Access to Stored Computer Data Where Publicly Available:

● According to the Cybercrime Convention's Article 32(a), a party can access publicly
available stored computer data without authorization from another party, regardless of its
geographical location.
● "Publicly available (open source) stored computer data" refers to data accessible to the
public, such as information on websites or services that anyone can access without
restrictions.
● Law enforcement officials can subscribe to or register for services available to the public
to access data for investigative purposes.
● The term "stored" excludes real-time methods like interception, and the data must be
publicly available.
● There might be ambiguity in interpreting the term "stored" in the context of dynamic
technical developments, but it should be understood in light of the convention's purpose
and national legal rules.
● The convention neither authorizes nor prohibits the use of fake identities for undercover
operations, but international cooperation procedures can be utilized to organize and
coordinate such operations.

Online Undercover Operations:

● The Cybercrime Convention doesn't explicitly address undercover operations, but its
international cooperation procedures can facilitate such activities.
● Online undercover operations involve activities like identifying, viewing, and
downloading copyright-infringing materials, opening premium accounts on websites for
analysis, and performing network analysis.
● For instance, the FBI conducted undercover operations against the Mega Sites to gather
evidence of copyright infringement and analyze their operations from a customer
perspective.

Scope and Safeguards of Investigation Methods:

● The Cybercrime Convention outlines investigation methods such as preservation and
production order, search and seizure, and real-time collection of traffic data and
interception of content data.
● These methods must be implemented in national procedural legislation for specific
criminal investigations or proceedings and are suspicion-based.
● Bulk collection from digital sources falls outside the convention's scope, as it requires
probable cause and justification based on external facts.
● The scope of the methods includes criminal offenses established by the convention, other
offenses committed using a computer system, and the collection of electronic evidence of
any criminal offense.
● Safeguards include adherence to procedural principles of legality and proportionality,
judicial or independent supervision, grounds justifying application, and limitation of
scope and duration.
● Control measures are relative to the invasiveness of the method; for example, interception
may be applied to serious offenses punishable by imprisonment for 10 years or more,
while seizure can be applied to all criminal offenses.
● Technological advancements challenge traditional notions of invasiveness, requiring
ongoing assessment of proportionality.
● Considerations relating to third parties impacted by investigations are essential, but no
single rule addresses the varied situations. Awareness of third-party rights,
responsibilities, and legitimate interests is crucial.
● Examples illustrate the impact of investigation methods on third parties, such as the
seizure of Megaupload.com affecting millions of users and the balancing of rights in the
analysis of seized computer files.

Search and Seizure (Article 19):

● Article 19 of the Cybercrime Convention regulates search and seizure, emphasizing the
need to confine these methods within the territory.
● The provision outlines the authority to search computer systems, storage media, and seize
computer data, including the power to make copies, maintain data integrity, and render
data inaccessible or remove it from accessed systems.
● Distinctions are made between physical equipment and computer data, with both subject
to search and seizure.
● Digital devices and storage media may be seized during a house search and must be
documented to maintain the chain of custody.
● Once data relevant to the investigation is secured, seizure of equipment must be lifted,
unless other reasons justify its retention.
● Legal provisions must permit the securing of computer data as evidence independent of
the digital equipment.
● Questions arise regarding when data is seized, the obligation to seize data through
copying, routine application of hash analysis, and the need for separate permissions for
searching digital devices seized for evidentiary purposes.
● The Convention obligates parties to empower criminal investigators to order individuals
with knowledge of computer systems to provide login information, but the extent of this
obligation regarding decryption is unclear.
● Physical coercion to obtain access data requires a separate legal basis and is not currently
provided for in Norwegian procedural law.

Production Order:

● Article 18 of the Cybercrime Convention allows for the use of production orders to
access digital evidence held by third parties cooperating with law enforcement agencies.
● These orders apply to both historical and future data.
● Production orders may be necessary even if the third party is cooperative due to legal
duties of confidentiality, data protection rules, or commercial preferences.
● The suitability of a production order depends on the accessibility of the data; if data is
readily accessible, seizure may be more practical.
● Subscriber data, such as identity data about subscribers to e-commerce services, can be
subject to production orders.
● National legislation determines the procedures for production orders and the grounds for
issuing them.
● Expedited preservation orders (Articles 16 and 17) are used to preserve stored data or
traffic data when immediate seizure is not possible.
● Real-time investigation methods (Articles 20 and 21) allow for the collection or recording
of traffic data or content data of specified communications in real-time, subject to
suspicion-based limitations and specific communication addresses.
● These methods may involve technical means such as IMSI catching, silent SMS, or bulk
data collection from mobile base stations.
● Nations may cooperate in joint investigations, allowing for the direct transfer of real-time
data streams between states.

6. International Cooperation to Collect Digital Evidence :

International Cooperation in Collecting Digital Evidence

Principle of Sovereignty:

● Law enforcement agencies' power is limited to their nation's territory.
● Accessing evidence in another state without permission violates that state's sovereignty.

Securing Evidence Abroad:

● Requesting assistance from the state where evidence is located is necessary to avoid
sovereignty violations.

Narrowing Focus:

● Various procedures exist for international cooperation against crime.
● Focus here is on procedures for collecting evidence through coercive measures.
● Not required for collecting information from publicly available Internet sites.

Mutual Legal Assistance vs. Police Cooperation:

● Mutual legal assistance procedures used when obtaining evidence through coercive
measures.
● Police cooperation useful in preparing for such requests.
● Involves requesting state (seeking assistance) and requested state (receiving request).

Definition of Digital Evidence:

● Audio or video-recorded testimony not considered digital evidence.
● Digital evidence includes objects collected through computer surveillance or interception
of electronic communications.
● Information in police registries not considered digital evidence; governed by data
protection rules for international exchanges.

Transborder Access to Digital Evidence

Accessibility vs. Geographical Localization:

● Global communication networks and cloud services make digital evidence technically
accessible globally.
● Criteria for international cooperation may shift from territorial localization to
controllability of computer data.

Article 32(b) of the Cybercrime Convention:

● Allows a party to access stored computer data in another party with lawful and voluntary
consent.
● Challenges exist in determining the exact location of stored data and obtaining lawful and
voluntary consent.

Mutual Legal Assistance

Basic Principles and Formal Steps:

● No obligation for a nation state to provide assistance in securing digital evidence without
a cooperation treaty.
● Requesting state must demonstrate reciprocity and legal basis for the requested
assistance.
● Formal request must describe the crime, cite relevant legal provisions, and demonstrate
legal permission.

International Conventions Concerning Mutual Legal Assistance:

● Cybercrime Convention obligates parties to assist each other in collecting digital
evidence.
● Dual criminality principle applies, but some flexibility exists regarding offenses'
classification.
● EU and other international conventions supplement mutual legal assistance efforts,
facilitating cooperation in criminal matters.

EU's Role:

● EU conventions and agreements with non-member states enhance mutual legal assistance
and cooperation in criminal matters.
● Eurojust system facilitates practical cooperation procedures among prosecutors and
courts within the EU.

Nordic Cooperation:

● Nordic countries have a history of close cooperation, reducing bureaucracy and
increasing efficiency.
● Different procedures apply once a non-Nordic state is involved in cooperation efforts.

International Police Cooperation and Joint Investigation Teams

Informal Cooperation:

● Traditionally, police officers cooperated informally through channels like Interpol or
direct phone calls.
● Liaison officers stationed abroad may also assist in cooperation efforts.
● Europol and its European Cybercrime Center (EC3) play a significant role in combating
organized crime, including cybercrimes.

Formal Procedures for Cooperation:

● Formal procedures of mutual legal assistance are necessary to support requests for
coercive methods.
● Informal assistance from foreign police officers may help explore options before formal
requests.

Subscriber Data Disclosure:

● In some jurisdictions, subscriber data may be directly disclosed to criminal investigators
in the police, facilitating cooperation.
● Routine procedures for police cooperation observe data protection rules applicable to
international police cooperation.

Schengen Information System (SIS):

● Within the EU, the SIS enables rapid assistance and information transfer, managed by
National Central Bureaus of Schengen member states.

Consultations and Joint Investigation Teams (JITs):

● Meetings (consultations) are held to identify practical steps for lawfully obtaining
evidence abroad.
● Europol and Eurojust support the setup of JITs in Europe, consisting of law enforcement
representatives from at least two states.
● JITs receive support from Europol and Eurojust in terms of tactical, technical, and legal
advice, as well as practical assistance.

UNIT III
DIGITAL FORENSIC READINESS
Syllabus:
Introduction – Law Enforcement versus Enterprise Digital Forensic Readiness – Rationale for
Digital Forensic Readiness – Frameworks, Standards and Methodologies – Enterprise Digital
Forensic Readiness – Challenges in Digital Forensics

1. Introduction:

Introduction: Television series often glamorize digital forensics, portraying it as exciting and
straightforward. However, real-life digital investigations are much more complex and require
substantial preparation. This chapter explores the concept of digital forensic readiness, which
involves preparing for efficient and effective digital investigations.

Definition: Digital forensic readiness involves being prepared to conduct digital investigations
and present evidence effectively, whether to auditors, legal advisors, or in court. It aims to
reconstruct incidents and find evidence that supports or refutes claims.

Key Points:

1. Efficient Investigations: Ideally, all digital devices would be seized, and all data
analyzed to quickly draw conclusions. However, limited resources and time necessitate
focusing on the most valuable artifacts for the specific incident.
2. Objectives: J. Tan outlines two primary objectives:
○ Maximizing the usefulness of incident evidence data.
○ Minimizing the cost of forensics during an incident response.

Definition Summary: Digital forensic readiness is defined as the ability to perform digital
investigations with minimal cost while maximizing the usefulness of evidence.

By focusing on these principles, organizations can be better prepared to handle digital
investigations efficiently and effectively.

2. Law Enforcement versus Enterprise Digital Forensic Readiness:

Overview: Digital investigations are commonly associated with law enforcement, but enterprises
are increasingly applying digital forensics for various internal purposes. This has given rise to a
subarea known as enterprise digital forensics.

Law Enforcement:

● Conducts digital investigations primarily for criminal cases.
● Collects and analyzes digital evidence to be presented in court.
● Forensic principles and methodologies must be strictly followed to ensure evidence is
admissible.

Enterprise:

● Uses digital forensics to investigate incidents, ensure compliance, support disciplinary
actions, and more.
● May perform initial investigations before involving law enforcement.
● Evidence gathered may be used internally or in court if criminal activity is discovered.
● Must ensure business continuity and minimize disruptions during investigations.
● Follows forensic principles to maintain the integrity and usefulness of evidence.

Definition 4.2: Enterprise Digital Forensic Readiness

● The ability to conduct digital investigations in an enterprise with minimal cost and
disruption to business operations while maximizing the usefulness of evidence.

Key Points:

● Enterprises need to balance investigation with ongoing business operations.
● Different laws and regulations may apply to private investigators and forensic
professionals in enterprises compared to law enforcement.
● Terms like enterprise forensic readiness, computer forensic readiness, and corporate
forensics are synonymous with digital forensic readiness in an enterprise context.

This distinction highlights the need for both law enforcement and enterprises to be prepared for
digital investigations, though their approaches and priorities may differ.

3. Rationale for Digital Forensic Readiness :

Digital forensic readiness ensures efficient and effective digital investigations by minimizing
costs and maximizing the usefulness of collected digital evidence.

4.4.1 Cost
● Minimizing Costs: Digital forensic readiness aims to reduce the costs associated
with investigations, including time, effort, equipment, and other direct expenses.
● Resource Management: Unlike TV portrayals, real-life investigations often involve
multiple concurrent cases, requiring efficient resource management.
● Cost Components: Costs include the hours spent on investigation, fees, equipment, and
other related expenses. For example, a two-hour intrusion can lead to 40 hours of forensic
analysis.
● Case Examples:
○ New Zealand hacker: 417 hours of investigation costing $27,800.
○ Russian hacker: 9 months of investigation costing $100,000.
● Indirect Costs: Disruption to business operations and the need for legal counseling also
add to the costs.
● Cost-Benefit Analysis: Enterprises often use cost-benefit analysis to decide whether to
pursue legal action or involve law enforcement based on the cost versus the potential
benefits or compensation.

4.4.2 Usefulness of Digital Evidence

● Maximizing Usefulness: Useful digital evidence must be relevant, sufficient, and
have evidentiary weight in a court of law.
● Existence of Evidence: Digital evidence can be transient and easily destroyed, requiring
timely and appropriate collection methods.
● Example: Improper handling by IT support can destroy potential evidence, complicating
forensic investigations.
● Evidentiary Weight: Evidence must be trustworthy, relevant, sufficient, and valid.
○ Relevance: Evidence must help prove or disprove elements of the incident.
○ Sufficiency: There must be enough evidence to thoroughly examine the incident.
○ Trustworthiness: Evidence must be accurate, authentic, and reliably collected.
○ Validity: Evidence must be collected in a forensically sound manner to be
admissible in court.
● Examples of Evidence Handling Issues:
○ Legal Assistant Incident: Improper handling led to changes in 192 files.
○ Surveillance Footage: Missing critical footage impacted the investigation.
○ Armando Angulo Case: Evidence storage costs led to case dismissal.
○ Evidence Eliminator Case: Attempted deletion of evidence led to case dismissal.
○ Julie Amero Case: Misunderstanding of digital evidence led to wrongful
conviction, later overturned due to proper forensic analysis.
● Forensically Sound Collection: Proper procedures, tools, and processes are essential for
collecting and preserving digital evidence.

Digital forensic readiness involves preparation and planning to ensure that digital evidence can
be efficiently collected, preserved, and used effectively in investigations, whether for internal
enterprise purposes or legal proceedings.

4. Frameworks, Standards and Methodologies :

Digital forensic readiness lacks a universally accepted approach. Various standards, frameworks,
and methodologies have been proposed by standardization bodies, organizations, and

28
researchers, reflecting the evolving nature of this discipline.

4.5.1 Standards

ISO/IEC 27037

● Defines digital evidence and its governance principles: relevance, reliability, and
sufficiency.
● Outlines general requirements for handling digital evidence, emphasizing auditability,
justifiability, and either repeatability or reproducibility.
● Details initial processes for handling digital evidence: identification, collection,
acquisition, and preservation.

ISO/IEC 17025

● Sets requirements for forensic laboratories, focusing on both management and technical
aspects.
● Emphasizes technical requirements related to methodology, equipment handling,
sampling, and quality assurance.

NIST SP 800-86

● Discusses phases of the digital forensic process: collection, examination, analysis, and
reporting.
● Provides general recommendations and detailed technical guidelines for evidence
collection and examination from various sources.

4.5.2 Guidelines

IOCE Guidelines

● Developed by the International Organization on Computer Evidence.
● Provide high-level descriptions and specific principles for digital forensic examination
procedures.
● Focus on preserving evidence integrity and maintaining the chain of custody.

SWGDE Guidelines

● Developed by the Scientific Working Group on Digital Evidence.
● Address common errors in digital forensic tools: incompleteness, inaccuracy, and
misinterpretation.
● Discuss error mitigation techniques, including tool testing, verification, procedures, and
peer reviews.

ENFSI Guidelines

● Published by the European Network of Forensic Science Institutes.
● Offer a Best Practice Manual for the Forensic Examination of Digital Technology.
● Include guidance on procedures, quality principles, training processes, and approaches
for forensic laboratories.

4.5.3 Research

Rowlingson’s Ten-Step Process (2004)

● Builds on forensic readiness objectives.
● Proposes a ten-step framework focusing on business context, risk alignment, business
continuity, and incident response.
● Offers a comprehensive description of steps without delving into specific policies or
tools.

Grobler et al.’s Forensic Readiness Framework (2010)

● Introduces comprehensive digital evidence that carries evidentiary weight.
● Proposes a framework grouping forensic readiness activities into dimensions.
● Emphasizes the need for organizations to be aware of risks and legal requirements when
collecting evidence.

Endicott-Popovsky et al.’s Forensic Readiness Framework (2007)

● Presents a multi-layer framework for network forensics.
● First layer: theoretical base covering information security governance and embedding
forensics in information assurance.
● Second layer: "3R" strategy model (resistance, recognition, recovery) and a fourth R -
redress (accountability in court).
● Third layer: information systems development life cycle with forensic capabilities like
chain of custody procedures.

5. Enterprise Digital Forensic Readiness:

Enterprises are complex entities that need to maintain smooth operations. When an incident
occurs, swift action is crucial, making prior planning and preparation essential for digital
forensic readiness.

4.7.1 Legal Aspects

● Jurisdictional Compliance: Enterprises must adhere to local laws and regulations for
collecting, analyzing, and presenting digital evidence. This is particularly challenging for
international organizations.
● Cybercrime Types: Identifying relevant cybercrime types helps determine when digital
evidence is required.
● Key Legal Questions: Enterprises should address scenarios for due diligence,
admissibility of digital evidence, permissible data collection, and requirements for
evidence handling.

Example: SpyEye Online Banking Fraud

● Incident Scenario: Involves crimes such as computer intrusion and unlawful dealings.
● Data Retention vs. Privacy: Conflicting requirements (e.g., 90-day data retention vs.
30-day privacy regulation) highlight the need for careful compliance management.

4.7.2 Policy, Processes, and Procedures

● Evidence Management Practices: Enterprises should follow generally accepted
practices and align digital forensic policies with existing frameworks.
● Risk-Based Approach: Integrating digital forensics within the information security
framework involves assessing risks and choosing appropriate risk-handling measures,
focusing on confidentiality, integrity, and availability.

Example: SpyEye Online Banking Fraud Risk Scenario

● Risk Scenario: Unauthorized transactions lead to financial losses and reputational
damage.
● Risk Assessment: Helps prioritize incidents based on potential impact, guiding the
decision between restoring operations and conducting full-scale investigations.
● Incident Response vs. Digital Forensics: Incident response aims to restore operations
quickly, while digital forensics focuses on evidence preservation, potentially delaying
restoration. Balancing these goals is crucial for minimal business disruption.

4.7.2.3 Policy

● Policy Framework: Should include purpose, scope, legal requirements, alignment
with other enterprise frameworks, and relationships with other policies.
● High-Level Policy: Supported by subpolicies, guidelines, and procedures, or integrated
into other enterprise policies like incident response or information security.

4.7.2.4 Processes and Procedures

● Digital Forensic Readiness Process:
1. Identify relevant laws and regulations.
2. Perform or obtain risk assessments.
3. Identify incident scenarios requiring digital evidence.
4. Integrate digital forensics with existing frameworks.
5. Define or update digital forensic policies.
6. Set policies for outsourcing and third-party use.
7. Define subpolicies and procedures.
8. Establish organizational structure.
9. Specify roles, responsibilities, and required skills.
10. Conduct operational and awareness training.
11. Prepare tools and infrastructure.
12. Evaluate process effectiveness and quality.
● Key Considerations: Evidence handling, monitoring, privacy protection, incident
escalation, specific investigation types, external reporting, third-party involvement,
laboratory preparation, training, and competency requirements.

Guidance from Standards: Standards like ISO/IEC 27037 can help define policies, procedures,
and routines for digital forensic readiness.

6. Challenges in Digital Forensics :

Key Challenge:

● Handling vast amounts of unstructured data with inherent uncertainties and errors.
● Each phase of the digital forensics process is time and resource-intensive, often
exceeding available resources.

Solutions:

● Leveraging big data, automation, and computational methods to enhance efficiency.

Phases Supported by Computational Methods:

1. Identification Phase: Intelligent detection and identification methods.
2. Collection Phase: Automated remote evidence acquisition tools with evidence integrity
assurance.
3. Examination Phase: Automated data recovery and reduction.
4. Analysis Phase: Computational methods and machine learning to identify patterns.
5. Presentation Phase: Visualization tools and automated report generation.

Computational Forensics

Definition:

32
● Application of computational methods to forensics, involving modeling, simulation, and
computer-based analysis and recognition.

Objectives:

1. In-depth understanding of forensic disciplines.
2. Evaluation of scientific methods.
3. Systematic forensic approach using computer science, applied mathematics, and
statistics.

Objectives and Applications

1. Large-Scale Investigations:

● Managing large data volumes from diverse sources using computational methods.
● Example: Automatic identification of malware traces and network traffic analysis using
link-mining techniques and Neuro-Fuzzy (NF) algorithms.

2. Automation:

● Reducing manual effort and enhancing quality through comprehensive automation.
● Examples: Forensic reconstruction of computer intrusions, geolocation of IP addresses
using triangulation.

3. Analysis:

● Strengthening evidence analysis through computational methods.
● Examples: Identification and extraction of cryptographic keys from volatile memory,
approximate hash-based matching for data similarity, intrusion detection through
correlation feature selection.

4. Forensic Soundness:

● Ensuring evidence integrity and chain of custody in computational methods.
● Implementing comprehensive testing of forensic tools to prevent unintentional mistakes
and intentional tampering.

Evolving Field: Digital forensics is constantly evolving due to the increasing complexity of
technologies. The Testimon Forensics Group outlines several key research areas to address
current challenges.

Key Research Areas:

1. Large-Scale Investigations:
○ Focus: Automatic searching through vast amounts of electronic storage both
within closed systems and on the Internet (including the dark net).
○ Challenge: Efficiently managing and analyzing terabytes of data.
2. Internet and Cloud Forensics:
○ Focus: Rapid acquisition, correlation, and analysis of evidence from the Internet
and cloud services.
○ Challenge: Developing new tools and methods, and educating law enforcement
and practitioners.
3. Embedded Systems and IoT:
○ Focus: Forensic analysis of mobile devices and other embedded systems,
including both hardware and software.
○ Challenge: Proprietary technology, device-specific hardware, customized data
acquisition, and decoding binary data.
4. Cross-Media Search and Data Integration:
○ Focus: Accessing and integrating data from diverse sources, with an emphasis on
data enrichment from Internet sources.
○ Challenge: Effective cross-media search technologies.
5. Encrypted Evidence:
○ Focus: Developing algorithms to analyze encrypted evidence and cryptographic
credentials.
○ Challenge: Overcoming encryption barriers to access and interpret evidence.
6. Computational Intelligence:
○ Focus: Advanced computing technologies for more objective evidence analysis
and decision-making.
○ Challenge: Implementing computational intelligence to enhance accuracy and
efficiency.
7. Attribution and Profiling:
○ Focus: Methods and tools for digital perpetrator attribution and profiling,
visualizing criminal relationships, and geographical mapping of evidence.
○ Challenge: Accurate identification and profiling of digital criminals.

Summary

Digital forensics is a rapidly advancing field: new information technologies, and novel ways of
exploiting them, appear continuously. Researchers and practitioners must constantly develop
their creative and analytical skills to address new technical challenges. Successful research in
digital forensics should illuminate emerging problems while rigorously maintaining the
principles of chain of custody and evidence integrity.

UNIT IV
iOS FORENSICS
Syllabus:
Mobile Hardware and Operating Systems - iOS Fundamentals – Jailbreaking – File System –
Hardware – iPhone Security – iOS Forensics – Procedures and Processes – Tools – Oxygen
Forensics – MobilEdit – iCloud

1. Mobile Hardware and Operating Systems:

Mobile Device Hardware

1. System on a Chip (SoC):
• SoCs integrate many functions (CPU, memory, secondary storage, GPU, Wi-Fi, etc.) into
a single integrated circuit.
• Commonly found in mobile phones, unlike PCs, which use separate components on a
motherboard.
• SoCs may include multiple processor cores and a digital signal processor (DSP); the
analog-to-digital and digital-to-analog converters that feed it sit alongside it on the same
chip.
2. Central Processing Unit (CPU):
• The CPU in mobile devices is integrated within the SoC.
• Essential for executing instructions and performing calculations.
3. Digital Signal Processor (DSP):
• Processes the sampled (digital) form of radio and audio signals; the actual conversion
between analog and digital is performed by ADC/DAC circuits, not by the DSP itself.
• Handles the mathematically intensive operations of signal compression, filtering,
modulation, and demodulation.
4. Antennas:

• Vital for cellular communication, used to radiate and receive electromagnetic (EM)
waves.
• Types of Antennas:
• Omnidirectional: Radiates EM waves in all directions.
• Directional: Radiates EM waves in a specific direction.
• Dipole Antenna:
• Consists of two conductors with a feedline in between.
• Variations include short dipole antennas, which are shorter than half the
wavelength of the transmission.
5. Antenna Characteristics:

• Radiation Pattern: The plot showing radiated field strength at different angles.
• Directivity: The ability of an antenna to concentrate radiated energy in a particular
direction.
• Gain: The intensity of radiation in a given direction compared to a reference antenna:
an isotropic radiator (dBi) or a half-wave dipole (dBd).
• Efficiency: No antenna is 100% efficient; the lost power is dissipated as heat, which
shortens battery life and can cause overheating.
6. Antenna Regions:

• Reactive Near-Field (Inductive Near-Field): Closest to the antenna, where energy is
stored and exchanged by induction rather than radiated.
• Radiating Near-Field (Fresnel Region): Intermediate region where the radiation starts
to spread out.
• Far Field (Fraunhofer Region): Farther from the antenna, where the radiated power
density falls off with the square of the distance.
Importance for Forensic Examiners
• Understanding Limits of Tools:
• Tools like Cellebrite, Mobile Edit, Oxygen, etc., have limitations.
• A thorough knowledge of mobile hardware and operating systems helps in
understanding these limits and when to go beyond the tools for manual evidence
collection.
• Knowledge Application:
• Forensic examiners must understand all aspects of the device being examined,
including hardware (SoC, CPU, DSP, antennas) and software (operating systems).
• This foundational knowledge is crucial for accurate and thorough forensic
analysis.
Free-Space Path Loss
1. Free-Space Path Loss:

• Definition: The loss of signal strength that occurs even without interference or obstacles,
proportional to the square of the distance and the square of the frequency of the radio
signal.
• Simplified Formula: $\mathrm{FSPL} = \left(\frac{4\pi d}{\lambda}\right)^2 = \left(\frac{4\pi d f}{c}\right)^2$, where:
• d = distance between transmitter and receiver (meters)
• λ = signal wavelength (meters), with λ = c / f
• f = signal frequency (hertz)
• c = speed of light in a vacuum (meters/second)
2. Friis Transmission Formula:

• Formula: $\frac{P_r}{P_t} = D_t D_r \left(\frac{\lambda}{4\pi d}\right)^2$, i.e. the received fraction is the antenna directivities divided by the free-space path loss above, where:
• Pr = power received
• Pt = power transmitted
• Dr = directivity of the receiving antenna
• Dt = directivity of the transmitting antenna
• d = distance between antennas
• λ = wavelength of the transmission
3. Historical Context:
• The Friis transmission formula, published by Harald T. Friis in 1946, forms the basis for
understanding free-space path loss.
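
The same loss in the decibel form used for link budgets, carried through here as an added worked derivation (not part of the original notes) with the symbols defined above and c = 299 792 458 m/s:

$$\mathrm{FSPL}_{\mathrm{dB}} = 10\log_{10}\left(\frac{4\pi d f}{c}\right)^2 = 20\log_{10} d + 20\log_{10} f + 20\log_{10}\frac{4\pi}{c}$$

With d in metres and f in hertz the constant term is $20\log_{10}(4\pi/c) \approx -147.55$ dB. Rescaling d to kilometres (+60 dB) and f to megahertz (+120 dB) gives the form usually quoted:

$$\mathrm{FSPL}_{\mathrm{dB}} \approx 20\log_{10} d_{\mathrm{km}} + 20\log_{10} f_{\mathrm{MHz}} + 32.45$$

Worked value: a 900 MHz GSM carrier over 1 km of free space loses $20\log_{10}(1) + 20\log_{10}(900) + 32.45 \approx 0 + 59.08 + 32.45 = 91.5$ dB, so by Friis $P_r/P_t = D_t D_r / \mathrm{FSPL} \approx D_t D_r \times 10^{-9.15}$. Doubling either the distance or the frequency adds 6 dB, which is the "square" dependence stated in the definition.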
Digital Signal Processing (DSP)
1. Discrete Cosine Transform (DCT):

• Definition: Expresses a sequence of data points as a sum of cosine functions oscillating
at different frequencies; the DCT-II below is the form used in JPEG and most audio codecs.
• Formula: $X_k = \sum_{n=0}^{N-1} x_n \cos\left[\frac{\pi}{N}\left(n + \tfrac{1}{2}\right)k\right], \quad k = 0, \dots, N-1$, where:
• N = number of data points
• xn = input data points
• Xk = transformed data points
2. Fourier Transform:

• Definition: Decomposes a function of time into its constituent frequencies.
• Formula: $\hat{f}(\xi) = \int_{-\infty}^{\infty} f(x)\, e^{-2\pi i x \xi}\, dx$, where:
• f^ = Fourier transform of f
• ξ = frequency variable
• x = time variable
• i = imaginary unit
• e = Euler's number (approx. 2.71828)
3. Fast Fourier Transform (FFT):

• Definition: A fast algorithm for computing the discrete Fourier transform, taking
O(N log N) operations instead of the O(N²) of the direct sum; used in DSP to convert
signals between the time and frequency domains efficiently.
• Importance: Facilitates the processing of digital signals in mobile devices.
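
A compact, runnable version of the three transforms above, added to these notes as an illustration (it is not from the original text or from any DSP library): a direct DCT-II, a naive DFT, and a recursive radix-2 FFT, run on a constructed 64-sample tone so that the speed-up of the FFT can be checked against the naive sum it replaces. The signal, the bin numbering and the helper names are this example's own choices.

```python
"""DCT-II, naive DFT and radix-2 FFT written out in plain Python.

Added example for these notes (not from the original text): it implements the
three transforms defined above, runs them on a constructed test signal, and
checks that the O(N log N) FFT returns the same spectrum as the O(N^2) DFT.
"""
import cmath
import math


def dct2(x):
    """DCT-II: X_k = sum_n x_n cos[(pi/N)(n + 1/2)k], k = 0..N-1."""
    n_pts = len(x)
    return [
        sum(x[n] * math.cos(math.pi / n_pts * (n + 0.5) * k) for n in range(n_pts))
        for k in range(n_pts)
    ]


def dft(x):
    """Naive discrete Fourier transform: X_k = sum_n x_n e^{-2 pi i n k / N}."""
    n_pts = len(x)
    return [
        sum(x[n] * cmath.exp(-2j * math.pi * n * k / n_pts) for n in range(n_pts))
        for k in range(n_pts)
    ]


def fft(x):
    """Recursive radix-2 Cooley-Tukey FFT; len(x) must be a power of two."""
    n_pts = len(x)
    if n_pts == 0 or n_pts & (n_pts - 1):
        raise ValueError("length must be a power of two")
    if n_pts == 1:
        return [complex(x[0])]
    even = fft(x[0::2])          # transform of even-indexed samples
    odd = fft(x[1::2])           # transform of odd-indexed samples
    half = n_pts // 2
    twiddle = [cmath.exp(-2j * math.pi * k / n_pts) * odd[k] for k in range(half)]
    return [even[k] + twiddle[k] for k in range(half)] + \
           [even[k] - twiddle[k] for k in range(half)]


def dominant_bin(spectrum):
    """Index of the strongest non-DC bin below the Nyquist bin."""
    half = len(spectrum) // 2
    return max(range(1, half), key=lambda k: abs(spectrum[k]))


def max_abs_diff(a, b):
    """Largest elementwise difference between two equal-length spectra."""
    return max(abs(u - v) for u, v in zip(a, b))


# Constructed input: 64 samples of a tone completing 5 cycles in the window,
# so its energy should land in frequency bin 5.
N = 64
TONE = [math.sin(2 * math.pi * 5 * n / N) for n in range(N)]

if __name__ == "__main__":
    spec = fft(TONE)
    print("fft vs dft max difference:", max_abs_diff(spec, dft(TONE)))
    print("dominant bin:", dominant_bin(spec))
    print("dct2 of a constant block concentrates in X_0:", dct2([1.0] * 8)[0])
```

The DCT of a constant block landing entirely in X_0 is the property codecs exploit: smooth image or audio blocks compress to a few low-frequency coefficients.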

Key Concepts for Forensic Examiners

• Understanding Free-Space Path Loss:
• Knowledge of signal loss mechanisms helps in assessing communication
reliability and signal integrity in forensic investigations.
• Importance of DSP:
• DSPs perform the filtering, compression, and modulation/demodulation that sit
between the analog radio front end and the digital baseband, shaping how data is
transmitted and received in mobile devices.
• Familiarity with DCT and Fourier transform mathematics helps in understanding
the underlying processes in digital signal processing.
SIM Cards Overview for Exam
1. Introduction to SIM Cards:

• Definition: A SIM (Subscriber Identity Module) card is an integrated circuit that stores
the International Mobile Subscriber Identity (IMSI), which identifies the subscriber to
the network (the handset itself is identified by its IMEI).
• Key Functions:
• Stores a unique serial number (ICCID)
• Contains the IMSI
• Holds security authentication and ciphering information
• Includes network information, accessible services, and two passwords (PIN and
PUK)
2. Historical Background:

• Origin: The first SIM cards were specified by the European Telecommunications
Standards Institute (ETSI) and manufactured by Giesecke & Devrient.
• First Use: Sold to Radiolinja, a Finnish network operator, in 1991.
• Standards: Initially specified in ETSI TS 11.11, now governed by the 3GPP.

3. Pre-SIM Era:
• NAM (Number Assignment Module): Used before SIM cards; stored the telephone
number, IMSI, and Electronic Serial Number, and was a permanent chip in the device.
4. SIM Card Components (contact assignments):

• Supply Voltage: C1 (1.8, 3, or 5 volts DC)
• Reset Signal: C2
• Clock Signal: C3 (1 to 5 MHz, supplied externally by the reader)
• Ground: C5
• Programming Voltage: C6
• Input/Output: C7 (serial data line; the default baud rate is the clock frequency/372)
• Reserved for SIM Communication: C8

5. ISO/IEC 7816 Standard:

• Parts Overview:
• Part 1: Physical characteristics
• Part 2: Dimensions and location of contacts
• Part 3: Electrical interface and transmission protocols
• Part 4: Organization, security, and commands for interchange
• Part 5: Registration of application providers
• Part 6: Interindustry data elements for interchange
• Part 7: Interindustry commands for Structured Card Query Language (SCQL)
• Part 8: Commands and mechanisms for security operations
• Part 9: Commands for card management
• Part 10: Electronic signals and answer to reset for synchronous cards
• Part 11: Personal verification through biometric methods
• Part 12: USB electrical interface and operating procedures
• Part 13: Commands for application management in a multi-application
environment
• Part 15: Cryptographic information application

6. Data Stored on a SIM Card:

• ICCID: Integrated Circuit Card Identification, crucial for forensics.
• Structure (ITU-T E.118, up to 20 digits):
• Issuer Identification Number (IIN): up to 7 digits (major industry identifier 89,
country code, and issuer identifier)
• Individual Account Identification Number: Variable length
• Check Digit: Final digit, a Luhn check digit computed over the preceding digits
• IMSI: International Mobile Subscriber Identity
• Structure:
• Mobile Country Code (MCC): First 3 digits
• Mobile Network Code (MNC): Next 2-3 digits (the length depends on the country)
• Mobile Subscriber Identification Number (MSIN): Remaining digits; the whole
IMSI is at most 15 digits
• Location Area Identity (LAI):
• Consists of MCC, MNC, and Location Area Code (LAC)
7. SIM Card Formats:

• Mini SIM (2FF): 25 mm x 15 mm x 0.76 mm (common)
• Micro SIM (3FF): 15 mm x 12 mm x 0.76 mm
• Nano SIM (4FF): 12.3 mm x 8.8 mm x 0.67 mm

8. File System on SIM Card:

• Structure:
• MF (Master File): Root of the file system
• DF (Dedicated Files): Subordinate directory files
• EF (Elementary Files): Contain data

SIM Card Formats Overview

SIM Card Format      Introduced  Length              Width                Thickness
Full-size (1FF)      1991        85.6 mm / 3.37 in   53.98 mm / 2.125 in  0.76 mm / 0.030 in
Mini-SIM (2FF)       1996        25 mm / 0.98 in     15 mm / 0.59 in      0.76 mm / 0.030 in
Micro-SIM (3FF)      2003        15 mm / 0.59 in     12 mm / 0.47 in      0.76 mm / 0.030 in
Nano-SIM (4FF)       2012        12.3 mm / 0.48 in   8.8 mm / 0.35 in     0.67 mm / 0.026 in
Embedded-SIM (eSIM)  2010        N/A                 N/A                  N/A
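
The identifiers and file system described above, as an added worked example for these notes (not from the original text or from any forensic tool): it builds the GSM 11.11 SELECT FILE command for an elementary file, decodes the nibble-swapped BCD contents of EF_ICCID and EF_IMSI, decodes a Location Area Identity, validates the ICCID's Luhn check digit, and splits ICCID and IMSI into their fields. The file contents are constructed test bytes, not a dump from a real card; the MNC length is passed in by the caller because it depends on the operator's numbering plan.

```python
"""Decode EF_ICCID, EF_IMSI and a LAI (as stored in EF_LOCI), then split the identifiers.

Added example for these notes (not from the original text or any tool). File
identifiers and the nibble-swapped BCD layouts follow GSM 11.11 / 3GPP TS 31.102.
The byte strings below are constructed test data, not dumps from a real card,
and the MNC length is an argument because it depends on the operator's
numbering plan (2 digits in most of Europe, 3 in North America).
"""

# File identifiers in the SIM file system: MF (root) -> DF -> EF
MF, DF_TELECOM, DF_GSM = 0x3F00, 0x7F10, 0x7F20
EF_ICCID, EF_IMSI, EF_LOCI = 0x2FE2, 0x6F07, 0x6F7E


def select_apdu(fid):
    """GSM 11.11 SELECT FILE: CLA A0, INS A4, P1 P2 00 00, Lc 02, then the 2-byte FID."""
    return bytes([0xA0, 0xA4, 0x00, 0x00, 0x02, fid >> 8, fid & 0xFF])


def swapped_bcd_to_digits(raw):
    """Each byte holds two BCD digits with the low nibble first; 0xF is padding."""
    digits = []
    for b in raw:
        for nibble in (b & 0x0F, b >> 4):
            if nibble == 0xF:
                return "".join(digits)
            digits.append(str(nibble))
    return "".join(digits)


def decode_ef_iccid(raw):
    """EF_ICCID (2FE2): 10 bytes of swapped BCD holding up to 20 digits."""
    return swapped_bcd_to_digits(raw)


def decode_ef_imsi(raw):
    """EF_IMSI (6F07): byte 0 = length; low nibble of byte 1 = parity/type flags, not a digit."""
    body = raw[1:1 + raw[0]]
    return swapped_bcd_to_digits(body)[1:]


def decode_lai(raw):
    """LAI (5 bytes, e.g. bytes 4-8 of EF_LOCI): MCC/MNC in swapped BCD, then a 16-bit LAC."""
    d = [(b & 0x0F, b >> 4) for b in raw[:3]]          # (low, high) nibbles of the first 3 bytes
    mcc = f"{d[0][0]}{d[0][1]}{d[1][0]}"
    mnc = f"{d[2][0]}{d[2][1]}" + ("" if d[1][1] == 0xF else str(d[1][1]))
    return {"mcc": mcc, "mnc": mnc, "lac": int.from_bytes(raw[3:5], "big")}


def luhn_valid(number):
    """Luhn check, as used for the final ICCID digit (ITU-T E.118)."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def split_iccid(iccid):
    """IIN (taken as 7 digits here: 89 + country code + issuer) + account + check digit."""
    if not (iccid.isdigit() and 18 <= len(iccid) <= 20 and luhn_valid(iccid)):
        raise ValueError("ICCID failed length or Luhn check")
    return {"iin": iccid[:7], "account": iccid[7:-1], "check": iccid[-1]}


def split_imsi(imsi, mnc_len=2):
    """MCC (3 digits) + MNC (2 or 3 digits) + MSIN; the whole IMSI is at most 15 digits."""
    if not (imsi.isdigit() and len(imsi) <= 15 and mnc_len in (2, 3)):
        raise ValueError("bad IMSI or MNC length")
    return {"mcc": imsi[:3], "mnc": imsi[3:3 + mnc_len], "msin": imsi[3 + mnc_len:]}


# Constructed sample file contents (not read from a real card).
RAW_ICCID = bytes.fromhex("984411008651656769f3")   # 19-digit ICCID plus F padding
RAW_IMSI = bytes.fromhex("082943519099999999")      # length 8; IMSI 234150999999999
RAW_LAI = bytes.fromhex("32f4511234")               # MCC 234, MNC 15, LAC 0x1234

if __name__ == "__main__":
    print("SELECT EF_IMSI APDU:", select_apdu(EF_IMSI).hex())
    iccid = decode_ef_iccid(RAW_ICCID)
    print("ICCID:", iccid, split_iccid(iccid))
    imsi = decode_ef_imsi(RAW_IMSI)
    print("IMSI:", imsi, split_imsi(imsi, mnc_len=2))
    print("LAI:", decode_lai(RAW_LAI))
```

Reading EF_IMSI on a real card requires the PIN to be verified first (or the PIN to be disabled), so a tool that reports an IMSI from a locked SIM is reading it from the handset, not the card; the Luhn check is a cheap way to catch a transcription error in an ICCID copied into a report.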
Central Processing Unit (CPU) Overview
Essential Functions of a CPU:
1. Fetch Instructions: Retrieves instructions from memory.
2. Interpret Instructions: Determines the required action.
3. Fetch Data: Gathers data needed for execution (from memory or I/O).
4. Process Data: Performs arithmetic, logic operations, or data movements.
5. Write Data: Stores results back to memory or I/O.
CPU Components:

• Control Unit: Directs the operation of the processor.
• Arithmetic Logic Unit (ALU): Performs arithmetic and logical operations on binary values.
• Memory Management Unit (MMU): Translates logical (virtual) addresses to physical memory
addresses and enforces the access permissions attached to each page.
• Address Generation Unit: Calculates the addresses the CPU uses to access main memory.
• Registers: Small, fast storage locations within the CPU for temporary data.
• Data Registers: Hold data.
• Address Registers: Hold memory addresses.
• Floating Point Registers: Hold floating-point (fractional) numbers.
• General Purpose Registers: Versatile registers for various uses.

ARM Architecture in Mobile Devices:

• ARM (Advanced RISC Machine): A family of CPU architectures based on RISC
(Reduced Instruction Set Computer) principles.
• RISC: Emphasizes simple instructions that each do a small amount of work, typically
executing one instruction per clock cycle.
Example: ARMv8-A Architecture:

• 64-bit Addresses: Utilizes a 64-bit address space.
• 31 General Purpose Registers: Each 64 bits in size.
• 32-bit Instructions: The majority of instructions are fixed-length 32-bit encodings
(AArch64 uses 32-bit encodings exclusively).
• Double-Precision Floating Point Support: Allows for high-precision calculations.
• Hardware Acceleration for Cryptography: Optional AES and SHA instructions speed up
security operations such as file encryption.
Summary:

• CPU's Role: Acts as the "brains" of the device, performing data processing.
• Key Functions: Fetching, interpreting, processing, and writing data.
• Components: Include the control unit, ALU, MMU, and various types of registers.
• Mobile CPU Architecture: Often ARM, a RISC architecture, optimized for efficient
instruction execution.
• ARMv8-A Features: 64-bit addressing, numerous general-purpose registers,
double-precision floating-point support, and cryptographic acceleration.
Jammers

• Function: Disrupt cellular communication by transmitting on the same frequency as the
target device.
• Legality: Illegal in many countries (e.g., USA, EU, India, Canada, UK).
• US Law: Violations of 47 USC 301, 302(a), and 333 can lead to fines up to $11,000 per
offense, imprisonment up to one year, and equipment seizure.
• Exceptions: Some countries allow law enforcement use, or legal ownership but illegal
use.

IMSI Catchers

• Example: StingRay.
• Function: Mimics a cell phone tower to intercept communications.
• Modes: Passive (analyzes traffic) and active (emulates a cell tower).
• Capabilities in Active Mode:
• Extracting IMSI numbers.
• Altering signal power.
• Downgrading to less secure protocols (for example, forcing a fall-back to 2G, where
the network is not authenticated to the handset).
• Intercepting communications and metadata.
• Locating devices.
• Countermeasures: Various apps (e.g., Cell Spy Catcher) aim to detect IMSI catchers, but
they can only observe what the OS exposes about the baseband, so their detection is
heuristic and incomplete.

Software Defined Radio (SDR)

• Concept: Implements radio functions in software rather than hardware.
• Components:
• Analog RF receiver/transmitter (200 MHz to multi-gigahertz).
• High-speed A/D and D/A converters (25 to 210 M samples/second).
• High-speed front-end signal processing (DDC: mix + filter + decimate).
• Protocol-specific processing (e.g., W-CDMA, OFDM).
• Data communications interface (general-purpose ARM or PowerPC processors
with an RTOS).
• Software Communications Architecture (SCA): Defines open standards for SDR
implementation.
• Cognitive Radio (CR): Can dynamically adjust to the best wireless channels to avoid
interference; first proposed by Joseph Mitola III in 1998.
Table: Radio Types

Tier  Name                             Description
0     Hardware Radio (HR)              Implemented using hardware components. Cannot be modified.
1     Software Controlled Radio (SCR)  Only control functions are implemented in software:
                                       interconnects, power levels, etc.
2     Software Defined Radio (SDR)     Software control of a variety of modulation techniques,
                                       wideband or narrow-band operation, security functions, etc.
3     Ideal Software Radio (ISR)       Programmability extends to the entire system, with analog
                                       conversion only at the antenna.
4     Ultimate Software Radio (USR)    Defined for comparison purposes only.

2. iOS Fundamentals:

iOS Operating System for Mobile Forensics:

Importance in Mobile Forensics

• Common Use: iOS is prevalent, making it crucial in mobile forensics.
• Understanding Needed: To perform digital forensic examinations effectively, especially
for circumventing security.

Operating System Fundamentals

• Purpose: Controls, manages, and communicates with system hardware and software.

• Abstraction: Allows programmers to write apps for iOS without dealing with hardware
specifics.
• Framework: Provides essential functions for applications, like file access and memory
allocation.
Key Concepts

• Kernel: The core of the operating system, loaded early in the boot process.
• Access: Few forensic tools can reach data in kernel space; hardware-level access
such as JTAG is an exception, but kernel memory rarely holds significant evidence.
• File System: Organizes raw data into files and directories.
• Storage: Data is stored as sectors on hard drives or as pages of cells in the NAND flash
of SSDs and phones.
• Example: NTFS for Microsoft Windows, APFS for iPhone and iPad.

iOS Characteristics

• Multi-tasking: Supports performing multiple tasks simultaneously.
• Single vs. Multi-user: iOS is a single-user OS, as is typical for personal devices;
general-purpose desktop and server operating systems support multiple users.
• Embedded Systems: Designed for devices with specific functions, typically with limited
capabilities.
Key Points:

• Understanding OS: Essential for managing resources and facilitating communication
with hardware.
• Kernel Role: Central to OS operation but rarely accessed directly in forensics.
• File Systems: Important for organizing and accessing data on devices.

iOS Basics for Mobile Forensics

iOS Operating System Overview

• Devices: Used by the iPhone, iPod touch, and iPad.
• Release: First released in 2007.
• Interface: Touch-based, with gestures like swipe, drag, pinch, and tap.
• Origins: Derived from OS X, now known as macOS on Apple computers.
• Kernel: The XNU kernel of Darwin, with versions evolving from iPhone OS 1.0 to iOS 14.
• Security: Uses AES-256 file encryption and Address Space Layout Randomization (ASLR).

Security Enhancements

• iOS 14: Introduced a recording indicator for microphone or camera access.

iOS Architecture
• Four Layers:
1. Core OS Layer: Contains essential low-level processes like the Bluetooth
framework, security services, and local authentication.
2. Core Services Layer: Includes services like Address Book, Core Location, CloudKit,
Core Motion, and HealthKit. Apps frequently interact with this layer.
3. Media Layer: Manages multimedia functionality, graphics, images, animation,
and 3D graphics (Metal API). Includes AVKit and AVFoundation.
4. Cocoa Touch Layer: Handles user gestures and system commands; includes EventKit
and MapKit. Widely used by app developers.

3. Jailbreaking:

Definition and Purpose

Jailbreaking is the process of escalating privileges on an iOS device to remove restrictions
imposed by Apple. This is analogous to rooting on Android devices, which will be explored in
detail in Chapter 4. Historically, jailbreaking was necessary for functions like using the iPhone as
a WiFi hotspot (tethering), but iOS now supports tethering natively. Despite this, users still
jailbreak their phones for various reasons, such as installing unapproved applications or
unlocking the phone from a specific carrier.

Jailbreaking Utilities

Several utilities have been developed to aid in jailbreaking iOS devices. Notable examples
include:

● Redsn0w
● unc0ver
● Absinthe
● Pangu

Risks and Considerations

Jailbreaking should be approached with caution due to the following risks:

1. Security Compromise: Jailbreaking circumvents built-in security mechanisms such as
code signing and sandboxing, making the device more vulnerable to malware and other
security threats.
2. Potential Damage: The process can cause significant harm to the iOS installation or
filesystem, potentially rendering the device unusable.
3. Evidentiary Impact: A jailbreak writes to the device and changes its state. In a forensic
examination it should be a documented, last-resort step, taken only after any extraction
that is possible without it, so that the change can be explained in the chain of custody.

Conclusion

While jailbreaking can provide additional functionality and flexibility, it comes with substantial
risks, including security vulnerabilities and the possibility of damaging the device. Therefore,
users and examiners should carefully weigh these risks before deciding to jailbreak an iOS device.

4. File System:

Introduction to APFS
Since macOS High Sierra (10.13), tvOS 10.2, and iOS 10.3, Apple has used the Apple File
System (APFS) for its products. Before APFS, Apple employed the HFS+ file system, which
itself replaced the older HFS (Hierarchical File System). APFS is designed to optimize
performance and reliability on solid-state drives (SSDs) and flash storage.

Key Features of APFS

1. 64-bit Inode Numbers:
○ APFS uses 64-bit inode numbers to identify files. Inodes are data structures that
describe files or directories, containing metadata such as access times,
modification times, ownership, and permissions. The 64-bit space allows APFS
to support a vast number of files, enhancing scalability.
2. Optimized for Modern Storage:
○ APFS is specifically engineered for solid-state storage and flash drives, making it
more efficient and faster than its predecessors on these types of storage media.
3. Partition Scheme:
○ APFS disks use the GUID Partition Table (GPT) scheme, in which every partition
carries a globally unique identifier (GUID) for its type and another for the
partition itself. This is the standard partitioning layout on modern systems, and
it is how an examiner first locates an APFS container on a disk image.
4. Containers and Volumes:
○ An APFS container occupies a GPT partition and can house multiple volumes that
share its free space. Each APFS volume supports snapshots, read-only instances of
the file system at a specific point in time. Snapshots are invaluable for recovering
from system failures and preserving data integrity.
5. Compression Algorithms:
○ APFS supports three Lempel-Ziv compression algorithms: LZFSE (Lempel-Ziv
Finite State Entropy), LZVN, and Deflate. These algorithms reduce storage space
by replacing repeated data with a single copy and back-references, improving
storage efficiency.
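
How an examiner finds an APFS container on a disk image, as an added example for these notes (not from the original text, from Apple, or from any forensic tool): it constructs a small in-memory GPT-partitioned image, parses the header and partition entries, verifies both CRC32 fields, decodes the mixed-endian GUIDs, and tests the candidate partition for the 'NXSB' magic that an APFS container superblock carries at byte offset 32. The image, partition GUIDs and names are constructed test data; the APFS and EFI System Partition type GUIDs are the published ones.

```python
"""Find APFS containers on a GPT-partitioned image and check the superblock magic.

Added example for these notes (not from the original text, Apple, or any forensic
tool). It builds a constructed 512-byte-sector disk image in memory with a GPT
header at LBA 1 and a partition entry array at LBA 2 (one EFI system partition
and one APFS partition), then parses it the way an imaging tool would: verify
both CRC32 fields, decode the mixed-endian GUIDs, and test the APFS candidate
for the 'NXSB' magic an APFS container superblock carries at byte offset 32.
Only the header fields needed for this are populated.
"""
import struct
import uuid
import zlib

SECTOR = 512
ENTRY_SIZE = 128
GPT_SIGNATURE = b"EFI PART"
# Published partition type GUIDs.
APFS_TYPE = uuid.UUID("7C3457EF-0000-11AA-AA11-00306543ECAC")
ESP_TYPE = uuid.UUID("C12A7328-F81F-11D2-BA4B-00A0C93EC93B")
ENTRY_FMT = "<16s16sQQQ72s"   # type GUID, unique GUID, first/last LBA, attributes, UTF-16LE name


def make_entry(type_guid, part_guid, first_lba, last_lba, name):
    """One 128-byte partition entry; GUIDs are stored in mixed-endian (bytes_le) form."""
    return struct.pack(ENTRY_FMT, type_guid.bytes_le, part_guid.bytes_le,
                       first_lba, last_lba, 0, name.encode("utf-16-le"))


def make_header(entries, n_entries):
    """Minimal GPT header for LBA 1 pointing at an entry array starting at LBA 2."""
    hdr = bytearray(92)
    struct.pack_into("<8sII", hdr, 0, GPT_SIGNATURE, 0x00010000, 92)   # signature, revision, size
    struct.pack_into("<QQQQ", hdr, 24, 1, 0, 34, 0)                     # my LBA, alt LBA, first/last usable
    struct.pack_into("<QIII", hdr, 72, 2, n_entries, ENTRY_SIZE, zlib.crc32(entries))
    struct.pack_into("<I", hdr, 16, zlib.crc32(bytes(hdr)))             # header CRC, computed with its field zeroed
    return bytes(hdr).ljust(SECTOR, b"\0")


def parse_gpt(image):
    """Return (crcs_ok, partitions); partitions lists the non-empty entries as dicts."""
    hdr = image[SECTOR:2 * SECTOR]
    if hdr[:8] != GPT_SIGNATURE:
        raise ValueError("no GPT signature at LBA 1")
    header_size, stored_hdr_crc = struct.unpack_from("<II", hdr, 12)
    zeroed = bytearray(hdr[:header_size])
    struct.pack_into("<I", zeroed, 16, 0)
    header_ok = zlib.crc32(bytes(zeroed)) == stored_hdr_crc
    entries_lba, n_entries, entry_size, stored_arr_crc = struct.unpack_from("<QIII", hdr, 72)
    start = entries_lba * SECTOR
    blob = image[start:start + n_entries * entry_size]
    array_ok = zlib.crc32(blob) == stored_arr_crc
    parts = []
    for i in range(n_entries):
        raw = blob[i * entry_size:i * entry_size + ENTRY_SIZE]
        type_le, guid_le, first, last, _attrs, name = struct.unpack(ENTRY_FMT, raw)
        type_guid = uuid.UUID(bytes_le=type_le)
        if type_guid.int == 0:            # unused slot
            continue
        parts.append({"index": i, "type": type_guid, "guid": uuid.UUID(bytes_le=guid_le),
                      "first_lba": first, "last_lba": last,
                      "name": name.decode("utf-16-le").rstrip("\0")})
    return header_ok and array_ok, parts


def is_apfs_container(image, part):
    """APFS container superblock: 32-byte object header, then nx_magic 'NXSB'."""
    start = part["first_lba"] * SECTOR
    return part["type"] == APFS_TYPE and image[start + 32:start + 36] == b"NXSB"


def build_sample_image():
    """Constructed 40-sector image: ESP at LBA 34-35, APFS container at LBA 36-39."""
    entries = (make_entry(ESP_TYPE, uuid.UUID(int=1), 34, 35, "EFI")
               + make_entry(APFS_TYPE, uuid.UUID(int=2), 36, 39, "Container disk1")
               + bytes(ENTRY_SIZE * 126))                 # 126 unused slots
    image = bytearray(SECTOR * 40)
    image[SECTOR:2 * SECTOR] = make_header(entries, 128)
    image[2 * SECTOR:2 * SECTOR + len(entries)] = entries
    image[36 * SECTOR + 32:36 * SECTOR + 36] = b"NXSB"    # only the magic, not a full superblock
    return bytes(image)


if __name__ == "__main__":
    img = build_sample_image()
    ok, parts = parse_gpt(img)
    print("GPT header and entry-array CRCs valid:", ok)
    for p in parts:
        tag = "APFS container" if is_apfs_container(img, p) else ""
        print(p["index"], p["name"], p["type"], p["first_lba"], p["last_lba"], tag)
```

The CRC checks matter in practice: a GPT whose entry-array CRC does not match the header is either damaged or has been edited, and either way the partition boundaries should be confirmed by carving for the 'NXSB' magic rather than trusted from the table.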

Impact on Digital Forensics

APFS includes several features that directly affect digital forensics:

1. Full Disk Encryption:
○ APFS supports multiple encryption modes, which can complicate forensic
analysis:
■ No encryption
■ Single-key encryption
■ Multi-key encryption, where each file is encrypted with a unique key
○ Although encryption presents significant challenges, it is not always an
insurmountable barrier. Forensic examiners can sometimes exploit flaws in the
implementation or use advanced techniques to bypass encryption, as will be
discussed in Chapter 10 on Anti-Forensics.
2. Snapshots:
○ APFS supports snapshots, which are read-only instances of the file system at a
specific time. These snapshots can be critical in forensic investigations,
preserving evidence even if a suspect attempts to delete it. Snapshots enable
forensic experts to recover data that might otherwise be lost.

Example Utility: 3uTools

Figure 3.3 illustrates 3uTools, a comprehensive utility for iOS devices. This tool can aid in
various aspects of iOS management and forensic analysis, including data backup, firmware
management, and jailbreaking, providing a practical interface for interacting with iOS devices.

Conclusion

APFS represents a significant advancement in Apple's file system technology, providing robust
features optimized for modern storage while introducing new challenges and opportunities for
digital forensics. Understanding APFS's structure and capabilities is essential for forensic
examiners dealing with Apple devices.

5. Hardware :

Evolution of the iPhone Touchscreen

Early Touchscreens:

1. Initial Screen Specifications:
○ Size: The first iPhone models featured a 3.5-inch liquid crystal display (LCD).
○ Resolution: The initial iPhone had a resolution of 320×480 pixels.
2. Improvements Over Time:
○ Size: Later models, such as the iPhone XS Max and iPhone 11 Pro Max, saw an
increase in screen size to 6.5 inches.
○ Resolution: The resolution improved significantly, with the iPhone 4 and 4S offering
640×960 pixels on an in-plane switching (IPS) LCD, which enhanced viewing angles
and color accuracy.

Transition to OLED:
1. Introduction of OLED:
○ The iPhone X was the first model to feature an Organic Light Emitting Diode
(OLED) display, which offers superior image quality compared to LCDs.
2. Types of OLED:
○ PMOLED (Passive Matrix OLED): Controls each row sequentially.
○ AMOLED (Active Matrix OLED): Controls each individual pixel, resulting in
better resolution and image quality.
3. OLED Variations:
○ Bottom vs. Top-Emitting: Refers to the direction in which light exits the device.
Bottom-emitting OLEDs pass light through the bottom electrode and substrate,
while top-emitting OLEDs emit light through the lid added during manufacturing.
○ Stacked OLEDs: Feature red, green, and blue subpixels stacked vertically instead
of side by side, enhancing color accuracy and brightness.

Advanced Display Technologies:

1. 3D Touch:
○ Introduced with the iPhone 6s, 3D Touch could recognize different levels of
pressure applied to the screen, enabling varied haptic feedback and interaction.
2. Haptic Touch:
○ Replacing 3D Touch with the iPhone 11, Haptic Touch does not detect pressure
differences but rather the duration of touch. This provides tactile feedback based
on how long the screen is pressed.

Security Enhancements:

1. Secure Enclave:
○ iPhones have incorporated a coprocessor named Secure Enclave, dedicated to
handling cryptographic keys and biometric information, like fingerprints and
facial recognition data. This coprocessor operates with its own secure boot
process, ensuring enhanced security for sensitive operations.

Summary:

The iPhone's touchscreen has evolved from a simple 3.5-inch LCD to advanced OLED displays
with varying sizes and superior resolution. Each iteration has brought improvements in visual
quality and interactivity, including innovations like 3D Touch and Haptic Touch. Additionally,
security features like the Secure Enclave coprocessor have enhanced the protection of biometric
data, making the iPhone both a powerful and secure device.

6. iPhone Security:

Security Features of the iPhone: An Overview for Forensic Examiners

When conducting a forensic examination of an iPhone, the security measures implemented by
Apple are of paramount interest. Understanding these measures is crucial for forensic examiners
who may encounter obstacles such as locked devices or encrypted data. This section provides a
comprehensive overview of the key security features found in iPhones.

Encryption and Cryptographic Processing

Cryptographic Processor:

● iPhones feature a dedicated cryptographic processor; the hardware keys that protect
user data never leave it and are not readable by software.
● iPhones use AES (Advanced Encryption Standard) with a 256-bit key for encryption,
providing robust security. This encryption is always on and cannot be disabled.

High-Profile Case Example:

● The FBI's inability to access the iPhone of one of the San Bernardino shooters (attack in
2015, court dispute in 2016) underscores the strength of iPhone encryption. Despite
legal pressure, Apple would not build a tool to unlock the device.

GrayKey Tool:

● While iPhone encryption is strong, tools like GrayKey have been developed to potentially
bypass some security measures. More details on such tools are discussed in Chapter 10.

Passcodes and Biometric Security

Passcodes:

● Modern iPhones default to a six-digit passcode and allow longer custom numeric or
alphanumeric passcodes. Because the passcode is entangled with the device's hardware
key, its length directly determines how long an on-device brute-force attempt takes.

Facial Recognition:

● Introduced with the iPhone X, Face ID leverages the Secure Neural Engine, which is
integrated into the Secure Enclave. It uses an infrared sensor, dot projector, and
illuminator to create a detailed 3D map of the user's face. Face ID adapts to changes in
the user's appearance, such as glasses or facial hair.

Secure Enclave

Introduction and Integration:

● The Secure Enclave is a security subsystem integrated into Apple's System on a
Chip (SoC) since the A7 (iPhone 5s). It ensures that sensitive data remains secure even if
the application processor kernel is compromised.
● The Secure Enclave is isolated from the main processor and includes its own AES
encryption engine.

Key Features:

● Unique Cryptographic Key: Each device has a unique root cryptographic key fused
into the silicon during manufacturing.
● UID and GID: The UID (unique ID) is that per-device root key, generated at random and
fused into the SoC so that it is never visible to software; the GID (group ID) is common to
all devices using the same SoC. The UID is not a "user ID": it identifies the hardware, and
the keys protecting user data are derived from it together with the passcode.
● Dedicated Memory Protection: Operations are executed in a protected memory region.
Data written to this region is encrypted using AES, with a Cipher-Based Message
Authentication Code (CMAC) for integrity.

Boot Process Security:

● Secure Enclave Boot Monitor: Starting with the A13 chip, the Secure Enclave includes a
boot monitor that ensures the integrity of the Secure Enclave OS (sepOS) being booted.
● System Coprocessor Integrity Protection (SCIP): Ensures that the Secure Enclave
executes only its own Boot ROM and the code that Boot ROM has loaded.

Evolution of iPhone Processors and Security:

SoC  Memory Protection                              Chip Details                                     Cryptography Engine
A8   Encryption and authentication                  64-bit, 1.4 GHz                                  AES Engine
A9   Encryption and authentication                  64-bit ARM, 1.85 GHz                             DPA protection, PKA
A10  Encryption, authentication, replay prevention  64-bit ARM, four cores (2.34 GHz)                DPA protection, OS-bound keys
A11  Encryption, authentication, replay prevention  64-bit ARM, four cores (2.39 GHz)                DPA protection, OS-bound keys
A12  Encryption, authentication, replay prevention  64-bit ARM, quad core (2.49 GHz)                 DPA protection, OS-bound keys
A13  Encryption, authentication, replay prevention  64-bit ARM, six core (2.65 GHz), four-core GPU   DPA protection, OS-bound keys, Secure Boot Monitor
A14  Encryption, authentication, replay prevention  64-bit ARM, six core (Firestorm/Icestorm),       DPA protection, OS-bound keys, Secure Boot Monitor
                                                    16-core neural engine

Conclusion

The iPhone's comprehensive security framework, including strong encryption, biometric security,
and the Secure Enclave, poses significant challenges for forensic examiners. Understanding these
features is essential for devising strategies to access and analyze data on locked or encrypted
iPhones. As technologies evolve, so do the methods for securing and potentially bypassing these
security measures, which are further explored in specialized chapters such as Chapter 10 on
countermeasures and tools like GrayKey.

7. iOS Forensics :

iOS Forensics: An Overview of Techniques and Tools

Forensic analysis of iOS devices incorporates standard mobile forensics practices and general
forensics principles but also requires specialized techniques and tools. This section provides a
foundational understanding of iOS forensics, emphasizing the importance of both traditional and
advanced methodologies.
Importance of Mobile Device Forensics

Mobile devices, including iPhones, are ubiquitous and central to modern life. They store vast
amounts of personal data, making them crucial in various types of investigations. The pervasive
nature of these devices means they often contain valuable evidence, such as:

● Call history
● Emails, texts, and other messages
● Photos and videos
● Phone information
● Global positioning system (GPS) data
● Network information

Types of Evidence and Their Significance

Call History:

● Provides information about who the user has communicated with and for how long.
● Can offer supporting evidence and general intelligence about the suspect's activities.
● Critical in cases like cyberstalking, where patterns of contact can be crucial.

Messages and Emails:

● Includes text messages, emails, and data from various chat apps (e.g., Snapchat,
WhatsApp, Signal).
● Forensic tools may retrieve data from many, but not all, of these apps. Advanced
techniques, such as SQLite forensics, may be necessary for extracting data from app
databases.

Photos and Videos:

● Can provide direct evidence of crimes (e.g., child pornography, illegal activities).
● Criminals often have incriminating photos or videos on their devices, which can be
crucial for investigations.

Phone Information:

● Essential to document detailed phone information, including model number, IMEI
number, serial number of the SIM card (ICCID), and operating system details.
● Comprehensive documentation aids in establishing the phone's identity and its relevance
to the investigation.

GPS Information:

● Modern phones use true GPS (assisted by Wi-Fi and cell-tower positioning), providing
accurate location data.
● GPS data can corroborate or refute alibis, place suspects at crime scenes, and provide
crucial evidence in various cases, including contentious divorces.
Network Information:

● Includes data on Wi-Fi hotspots the phone has connected to, which can indicate the
phone’s location over time.
● Useful in cases like stalking, where frequent connections to Wi-Fi networks near a
victim’s location can be significant.
Specialized Techniques and Tools

NIST Standards:

● National Institute of Standards and Technology (NIST) provides guidelines and standards
for mobile device forensics.
● Adhering to these standards ensures the reliability and validity of forensic methods and
results.

Forensic Tools:

● Several tools are essential for iOS forensics, including GrayKey, which may help bypass
certain security measures.
● Understanding the capabilities and limitations of each tool is crucial for effective forensic
analysis.

Security Challenges in iOS Forensics

Encryption:

● iPhones encrypt all flash storage with AES-256, and Data Protection adds file-level
encryption on top: each file has its own key, wrapped by a class key that is derived from
the user's passcode and a device-unique hardware key (the UID) that never leaves the
Secure Enclave.
● For files in the strongest protection class the class key is discarded from memory when
the device locks, so data extraction without the passcode (or biometric unlock) is
impractical. The passcode cannot be brute-forced offline, because the UID is not
exportable and the Secure Enclave rate-limits guesses made on the device.

Secure Enclave:

● A dedicated security subsystem integrated into Apple's SoC since the A7 (iPhone 5s).
● Isolates key material from the main application processor, using its own boot ROM, its
own memory-encryption keys, and the fused UID key to protect data integrity and
confidentiality.

Boot Process Security:

● Each stage of the boot chain (Boot ROM, iBoot, kernel) verifies the signature of the next
stage before executing it. The Secure Enclave Boot Monitor and System Coprocessor
Integrity Protection (SCIP) extend this to the Secure Enclave and other coprocessors,
ensuring only legitimate code is executed during boot, enhancing the security of the
device's operating system.

Conclusion

The forensic examination of iOS devices requires a comprehensive understanding of both
traditional mobile forensics and specialized techniques tailored to Apple's security features. By
leveraging the appropriate tools and adhering to established standards, forensic examiners can
effectively extract and analyze the valuable data stored on iPhones, providing critical evidence in
a wide range of investigations.

8. Procedures and Processes :

Forensic Procedures in iOS Forensics

Forensic examination of mobile devices, including iOS devices, requires adherence to strict
standards and procedures to ensure the integrity of the evidence. The following outlines key
forensic procedures, standards, and techniques specific to mobile forensics, with a focus on iOS
devices.

General Forensic Procedures

Airplane Mode:

● Purpose: Prevent remote access and changes to the device (remote wipe, incoming
messages overwriting older data, iCloud sync) during examination.
● Procedure: Enable airplane mode immediately to isolate the device from all networks,
and record the action, since it is itself a change to the device. On iOS, airplane mode
does not necessarily turn off Wi-Fi or Bluetooth (the user may have re-enabled them), so
verify that both are off, or place the device in a Faraday bag.

Minimal Alteration:

● Objective: Make as few changes as possible to the device during the forensic process to
maintain the integrity of the evidence.

Standards and Guidelines

Scientific Working Group on Digital Evidence (SWGDE):

● Resource: Provides guidance on various digital forensics topics, including mobile
device forensics.
● Website: SWGDE

Mobile Forensics Pyramid:

● Levels of Extraction:
1. Manual: Direct interaction with the device.
2. Logical: Extraction of a portion of the file system.
3. File System: Full file system access.
4. Physical (Non-Invasive): Physical data acquisition without opening the device.
5. Physical (Invasive): Physical data acquisition requiring device disassembly.
6. Chip-Off: Removal and analysis of the memory chip.
7. MicroRead: High-power microscope analysis of memory cells.

National Institute of Standards and Technology (NIST):

● Guideline: NIST SP 800-101, Guidelines on Mobile Device Forensics.
● CFTT Program: Computer Forensics Tool Testing Program to validate forensic tools.
● Website: CFTT

Reporting Standards:

● NIST Guidelines for Reports:
○ List of items examined (serial number, make, model).
○ Examiner's identity and signature.
○ Equipment and setup used.
○ Steps taken during the examination.
○ Supporting materials (printouts, digital copies, chain of custody).
○ Detailed findings and data analysis.
○ Report conclusions.
● Department of Justice (DOJ):
○ Emphasizes comprehensive and accurate documentation of findings and analysis.
● SANS Institute:
○ Recommends including case summary, forensic acquisition details, steps taken,
and analysis results.
● Federal Rule of Civil Procedure 26(a)(2)(B)(i):
○ Requires expert reports to contain the basis and reasons for all opinions
expressed, ensuring reproducibility of forensic findings.

iOS Specific Procedures

Preventing Data Alteration:

● Auto-Sync Prevention: Ensure the iPhone does not synchronize with the
forensic workstation.
● Documentation: Thoroughly document all interactions with the device to maintain a
clear chain of custody.

Windows PC Precautions:

● Registry Modification: On a Windows forensic workstation, set the USB write-protect
policy in the Registry so that USB mass-storage devices are mounted read-only.
○ Registry Path:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies
○ Value: Create a DWORD named WriteProtect, set it to 0x00000001, and restart the
computer (create the StorageDevicePolicies key first if it does not exist).
● Caveat: This policy governs only USB mass-storage volumes. An iPhone does not
present itself as mass storage; it is driven by Apple's mobile device driver and the
iTunes/usbmuxd service, so the key does not by itself stop writes to the phone. The
effective protections are to disable automatic sync in iTunes (or not install it), to use a
validated forensic workstation build or hardware write-blocker, and to let only the
forensic tool talk to the device.

Summary
Adhering to established forensic procedures and guidelines is crucial for maintaining the
integrity of the evidence extracted from mobile devices, particularly iOS devices. This involves
using standardized methods for data extraction, ensuring minimal alteration to the device, and
thoroughly documenting the forensic process. By following these procedures, forensic examiners
can ensure that their findings are accurate, reliable, and admissible in court.

9. Tools :

Tools for iOS Forensics

In the realm of iOS forensics, various tools are used to extract and analyze data from iPhones and
other iOS devices. Each tool has its unique features, strengths, and limitations. Here are some of
the most notable tools used in iOS forensics:

Cellebrite

Overview:

● Reputation: Widely used and respected, especially by federal law enforcement.
● Cost: Approximately $10,000 for a license, making it one of the most expensive
forensic tools.
● Training: Requires formal training to use effectively.

Key Products:

1. Cellebrite UFED: Universal Forensic Extraction Device.
2. Cellebrite Physical Analyzer: For detailed data analysis.
3. Cellebrite UFED Cloud: Extracts data from cloud services.
4. Cellebrite Premium: Advanced extraction capabilities.
5. Cellebrite Blacklight: Specialized in macOS and iOS investigations.
6. Cellebrite Commander: Manages and controls multiple UFED devices.

Pros:

● Comprehensive and robust toolset.
● Extensive support and research backing.

Cons:

● High cost.
● Requires extensive training and expertise.

iMazing
Overview:

● Purpose: Initially designed as an iOS device manager, not specifically for forensics.
● Cost: $49.99 for a lifetime license for up to 3 devices, or $59.99 per year for unlimited
devices.
● Accessibility: User-friendly interface, suitable for basic forensic investigations.

Capabilities:
● Data Retrieval: Gathers call logs, messages, photos, and more.
● Export Options: Can export data to PDF, Excel, CSV, or text files.

Pros:

● Affordable and easy to use.
● Sufficient for basic forensic investigations.

Cons:

● Lacks advanced features like breaking encryption or recovering deleted files.

iMyFone D-Back

Overview:

● Purpose: Designed to recover data specifically from iOS devices.
● Cost: $49.95 per year, $69.95 for a lifetime license for up to 5 devices, or $299.95 for
unlimited devices.

Capabilities:

● Data Recovery: Recovers deleted data and supports data extraction from iTunes and
iCloud backups.
● User Interface: Intuitive and easy to navigate.

Pros:

● Effective in recovering deleted data.
● Supports iTunes and iCloud backup extraction.

Cons:

● May require credentials for iCloud data extraction.
● Limited to data recovery features.

Dr. Fone

Overview:

● Purpose: Used for mobile device recovery and data transfer.
● Cost: Full version priced at $139.95.

Capabilities:

● Data Viewing: Allows viewing of SMS messages and phone numbers.
● File System Access: Enables access to the phone's file system.
● Data Transfer: Supports copying data to a forensic workstation.

Pros:
● Inexpensive and supports both iOS and Android devices.
● User-friendly interface with essential forensic capabilities.

Cons:

● Limited advanced forensic features.
● More suited for data recovery and transfer rather than in-depth analysis.

Summary

When choosing tools for iOS forensics, it's essential to consider the specific needs of your
investigation, the budget available, and the level of expertise required to operate the tools. While
Cellebrite offers a comprehensive and robust toolset suitable for advanced investigations, tools
like iMazing, iMyFone D-Back, and Dr. Fone provide affordable and user-friendly alternatives
for basic forensic tasks. Each tool has its own set of features and limitations, making it crucial to
evaluate them based on the forensic requirements of each case.

10. Oxygen Forensics :

Oxygen Forensics

Overview:

● Reputation: Known for its user-friendly interface and robust features.
● Cost: Approximately $7,000 per license.
● Website: Oxygen Forensics
● Products: Previously offered Detective and Analyst versions, now only the Detective
version is available.

Key Features:

1. User-Friendly Interface:
○ Ease of Use: The initial connection with a mobile device is facilitated via a
wizard, making the tool accessible even for those with less technical expertise.
○ Extraction Process: The wizard guides the user through the extraction process
step-by-step, ensuring a smooth and efficient workflow.
2. Comprehensive Data Extraction:
○ Data Types: Oxygen Forensics can extract a wide range of data, including call
logs, messages, contacts, and app data.
○ User Interface: The extracted data is presented in a clear and easily navigable
interface, allowing forensic examiners to quickly locate and analyze the
information they need.
3. Geolocation Mapping:
○ Timeline Events: One of the standout features is the ability to place timeline
events on a map, aiding in the visualization of movements and activities over
time.
○ Figure 5.13: This feature enhances the forensic analysis by providing a
geographical context to the data.

Pros:

● Ease of Use: The wizard-based setup and intuitive interface reduce the learning curve.
● Comprehensive Features: Offers more capabilities than basic tools like Dr. Fone,
though not as extensive as Cellebrite.
● Geolocation Mapping: Provides valuable insights through its mapping feature.

Cons:

● Cost: At $7,000 per license, it is a significant investment, though still less expensive than
Cellebrite.
● Feature Set: While it has many features, it lacks some of the advanced capabilities found
in more expensive tools like Cellebrite.

Summary

Oxygen Forensics offers a balanced solution for digital forensics professionals, combining ease
of use with a robust feature set. It stands out for its user-friendly interface, guided setup process,
and the ability to map timeline events geographically. While it is a more affordable option than
Cellebrite, it still requires a substantial investment. Given the high cost of forensic tools, it is
advisable to seek recommendations from colleagues and industry experts to ensure the best fit for
your forensic lab's needs.

11. MobilEdit :

Overview:

● Reputation: Known for its affordability and professional-level features.
● Cost: Forensic Express Standard is $1,500 per license. Forensic Express Pro pricing is
available on request.
● Website: MobilEdit Forensic Express

Key Features:

1. Case Management:
○ Case Details: Allows the examiner to enter case-specific details, helping manage
complex caseloads.
○ Figure 5.15: The case information screen assists in organizing and documenting
case details efficiently.
2. Reporting Formats:
○ Multiple Formats: Offers various report formats including HTML and PDF.
○ User-Friendly Reports: HTML reports are easy to navigate, while PDF reports
are suitable for submission to third parties, such as attorneys.
○ Figure 5.17: Shows an example of an HTML report with navigable links on the
left.
3. Device Compatibility:
○ Cross-Platform: Compatible with both Apple and Android devices, making it
versatile for different types of mobile devices.

Pros:

● Affordable: Relatively low-priced compared to other forensic tools.
● User-Friendly: Intuitive interface and easy-to-use reporting features.
● Cross-Platform Compatibility: Works with most mobile devices.

Cons:

● Feature Limitations: May lack some advanced features found in higher-priced tools.

Axiom by Magnet Forensics

Overview:

● Reputation: Known for its versatility and comprehensive feature set.
● Cost: Approximately $7,000, but exact pricing requires contact with a salesperson.
● Website: Magnet Forensics

Key Features:

1. Versatility:
○ Multi-Platform Support: Can be used to forensically examine both mobile
devices and PCs, making it highly versatile.
○ Cloud Solution: Offers a cloud-based solution, expanding its capabilities.
2. User Interface:
○ Case Information Management: Provides a detailed case information screen to
keep track of investigations.
○ Figure 5.18: Shows the basic case information screen.
3. Data Extraction:
○ Wide Range of Data: Capable of extracting a vast array of data from mobile
devices, including information from numerous apps.
○ Figure 5.20: Demonstrates the extensive data retrieval capabilities.
Pros:

● Comprehensive Features: Robust feature set suitable for professional forensic
examinations.
● Versatile: Can handle both mobile and PC forensic investigations.

Cons:

● Cost: Higher cost may be prohibitive for some users.

Reincubate

Overview:

● Reputation: Known for offering various affordable iOS apps.
● Website: Reincubate

Key Features:

1. iOS Backup Extraction:
○ Backup Analysis: Can extract data from iPhone backups, useful when direct
phone access is not possible.
○ Figure 5.21: Shows data retrieved from a backup.

Pros:

● Low Priced: Affordable options for extracting data from iOS backups.
● Useful for Backup Analysis: Effective when phone security prevents direct data access.

Cons:

● Limited Forensic Capabilities: Not designed specifically for comprehensive forensic
analysis.

UltData

Overview:

● Reputation: Known for its ability to recover data from iTunes backups and live devices.
● Website: UltData

Key Features:

1. Data Recovery:
○ Multiple Sources: Can recover data from local iTunes backups, iCloud, and live
devices.
○ Figure 5.22: Shows the interface for selecting the data recovery source.
2. Comprehensive Data Retrieval:
○ Diverse Data Types: Retrieves messages, call history, contacts, Safari history,
voicemail, and data from apps like WhatsApp, WeChat, and Line.
○ Figure 5.23: Displays the data retrieved from an iTunes backup.
3. Voicemail Recovery:
○ Old Voicemails: Capable of recovering old voicemails even from a phone with
transferred SIM cards.
○ Figure 5.24: Demonstrates recovery of a voicemail from 3 years ago.

Pros:

● User-Friendly: Intuitive interface that is easy to navigate.
● Low Priced: Affordable compared to professional-grade forensic tools.
● Effective Backup Analysis: Excellent for extracting and analyzing backup files.

Cons:
● Limited Advanced Features: May not offer the full range of features required for
comprehensive forensic investigations.

12. iCloud :

iCloud Forensics

Overview:

● Relevance: iCloud is a critical source of data for forensic investigations, especially when
physical access to an iPhone is not possible.
● User Base: As of 2018, 850 million customers back up their data to iCloud.

Key Features:

1. Data Accessibility:
○ Remote Access: Data stored in iCloud can be retrieved remotely without physical
access to the iPhone.
○ Account Credentials: Access requires the Apple ID and password. These
credentials can sometimes be extracted from the user's computer.
2. Types of Data Stored in iCloud:
○ Backups: Comprehensive device backups that include app data, settings,
messages, and more.
○ Photos and Videos: Media files uploaded to iCloud Photos.
○ Documents: Files stored in iCloud Drive.
○ Messages: iMessages and SMS/MMS backed up or stored in iCloud.
○ Contacts and Calendars: Synced contacts and calendar events.
○ Notes and Reminders: Synced notes and reminders.
3. Forensic Tools and Techniques:
○ Credential Recovery: Tools and techniques to recover or crack Apple ID
credentials from a suspect's computer.
○ Data Extraction: Specialized software to access and download data from iCloud
once credentials are obtained.

Steps to Access iCloud Data:

1. Identify Apple ID and Password:
○ From the User's Computer: Use forensic tools to extract stored passwords or
keychain data from a suspect's computer.
○ Interview or Legal Process: Obtain the credentials from the account holder (with
consent or through questioning), or, where authorized, obtain the account data from
Apple through legal process.
2. Login to iCloud:
○ Use the obtained credentials to log in to iCloud via the web interface or forensic
software designed for iCloud extraction.
3. Download Data:
○ Backups: Download and analyze iPhone backups stored in iCloud.
○ Photos and Videos: Access and download photos and videos.
○ Messages: Retrieve and analyze messages.
○ Documents: Access documents stored in iCloud Drive.
4. Analysis:
○ Use forensic tools to analyze the downloaded data, looking for evidence such as
messages, call logs, media files, and other relevant information.

Tools for iCloud Forensics:

1. Cellebrite: Known for its comprehensive forensic capabilities, including iCloud data
extraction.
2. Elcomsoft Phone Breaker: Specifically designed for extracting data from iCloud
backups and accounts.
3. Oxygen Forensics: Includes features for iCloud data extraction and analysis.
4. Dr. Fone: Can also extract data from iCloud, though it is more limited compared to
dedicated forensic tools.
5. iMyFone D-Back: Useful for recovering data from iCloud, including backups.

Pros and Cons of Using iCloud for Forensics:

Pros:

● Remote Access: Ability to access data without physical access to the device.
● Comprehensive Data: iCloud backups can include a wide range of data types.
● Widespread Use: High likelihood of finding relevant data due to the large user base.

Cons:

● Credential Dependency: Requires the Apple ID and password and, when two-factor
authentication is enabled on the account, a verification code delivered to a trusted device
or phone number as well.
● Encryption and Security: iCloud data is encrypted in transit and at rest. For most
categories Apple holds the keys and can produce the data under legal process, but some
categories (the iCloud Keychain, Health data, and everything covered when the user has
enabled Advanced Data Protection) are end-to-end encrypted and cannot be recovered
without a trusted device or the account's recovery key.
● Legal and Ethical Concerns: Ensure proper legal authorization before accessing a
suspect's iCloud account; signing in with recovered credentials also leaves a trace, since
Apple notifies the account holder of new sign-ins.
Conclusion: iCloud can be a valuable source of forensic data, providing access to backups and
synced information from a suspect's iPhone. The effectiveness of this approach hinges on
obtaining the necessary credentials and using appropriate forensic tools to extract and analyze
the data.

UNIT V

ANDROID FORENSICS

Syllabus:
Android basics – Key Codes – ADB – Rooting Android – Boot Process – File Systems –
Security – Tools – Android Forensics – Forensic Procedures – ADB – Android Only Tools –
Dual Use Tools – Oxygen Forensics – MobilEdit – Android App Decompiling.

1. Android basics :

Android is a very common operating system. It is obviously found on Android phones, but it is also
found in smart TVs, automobiles, and some IoT devices. It is clearly quite important to understand the
Android operating system in some depth.
The Android operating system is Linux-based, and the core platform (the Android Open Source
Project, AOSP) is open source, although the vendor firmware and Google services shipped on real
devices are not. If you have a programming and operating systems background, you may find it
useful to examine the Android source code from

Android Inc. was founded in 2003 by Andy Rubin, Rich Miner, Nick Sears, and Chris White. Google
acquired the company in 2005 and shipped the first commercial release, Android 1.0, in 2008, but
still keeps the platform code open source. For many years the versions of Android were named
after sweets:
• Version 1.5 Cupcake
• Version 1.6 Donut, etc…
(public dessert names stopped with Android 10). The differences between Android versions typically
involve new features rather than radical changes, allowing familiarity with version 7.0 (Nougat) to
suffice for forensic examination on version 9.0 (Pie). Android's open-source nature means vendors
may modify the OS, including partition layouts, but common partitions are usually present across
devices.

Key Partitions:

1. Boot Loader: Necessary for hardware initialization and loading the kernel, not
usually forensically relevant.
2. Boot: Contains the kernel and the ramdisk used to start the system, generally not
forensically important.
3. Recovery: Boots the phone into a recovery console; rarely holds forensically relevant
data but useful for recovery mode.
4. Userdata: Most relevant for forensic investigations, containing user data and app data,
including many SQLite databases. Since Android 6.0 this partition is encrypted (full-disk
encryption at first, file-based encryption from 7.0 onward), so a raw image of it is
unreadable unless the acquisition was performed on the unlocked, booted device or the
keys were recovered.
5. Cache: Stores frequently accessed data and recovery logs, can contain important
forensic data that users might be unaware of.
6. System: The OS image itself; not typically important for forensics, but useful for
establishing the firmware version and for spotting modification on rooted devices.
Newer devices often use A/B slots (boot_a/boot_b, system_a/system_b) and pack
system, vendor and product into a single "super" partition, so expect variations.

Key Directories:

● /acct: cgroup process-accounting data.
● /cache: Frequently accessed data, forensically interesting.
● /data: App data (each app's private files live under /data/data/<package>), crucial for
forensic analysis.
● /mnt: Mount point for file systems, indicating internal and external storage.

Date/Time Formats in Android:

● UNIX (from Jan 1, 1970); most Android values are System.currentTimeMillis(), i.e.
milliseconds rather than seconds, so 13-digit numbers are common
● GPS (from Jan 6, 1980)
● AOL (some Motorola devices, from Jan 1, 1980)

Online converters for date/time formats include:

● Unix Timestamp Converter
● Timestamp Online
● Online Conversion
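An added example (not from the page) showing how the three epochs above are decoded in practice, including the seconds-versus-milliseconds ambiguity and the GPS leap-second caveat. The sample values are constructed, and the plausibility window is my own triage heuristic rather than anything Android defines.

```python
"""Added example (not from the source page): decoding Android timestamps whose
epoch and unit are not always obvious. Sample values are constructed."""
from datetime import datetime, timedelta, timezone

# Epochs seen in Android artifacts (the three listed above).
EPOCHS = {
    "unix": datetime(1970, 1, 1, tzinfo=timezone.utc),
    "gps":  datetime(1980, 1, 6, tzinfo=timezone.utc),
    "aol":  datetime(1980, 1, 1, tzinfo=timezone.utc),  # some Motorola devices
}

# Triage window (an assumption, not an Android constant): nothing on a live
# Android device should predate the Android 1.0 release.
PLAUSIBLE = (datetime(2008, 9, 23, tzinfo=timezone.utc),
             datetime(2035, 1, 1, tzinfo=timezone.utc))


def decode_timestamp(value, epoch="unix", leap_seconds=0):
    """Return a UTC datetime for an integer counter measured from `epoch`.

    Android code mostly stores System.currentTimeMillis(), so 13-digit values
    are milliseconds; 10-digit values are seconds; 16-digit values are
    microseconds. The unit is inferred from magnitude: a value above 1e11
    cannot be seconds (that would be after year 5000) and one above 1e14
    cannot be milliseconds.
    GPS system time does not include leap seconds. If the raw counter really
    is GPS time, pass leap_seconds=18 (the GPS-to-UTC offset since 2017-01-01);
    leave it at 0 when the device already wrote UTC-adjusted values.
    """
    if value >= 10**14:
        micros = value
    elif value >= 10**11:
        micros = value * 1000
    else:
        micros = value * 10**6
    return (EPOCHS[epoch] + timedelta(microseconds=micros)
            - timedelta(seconds=leap_seconds))


def decode_iso(value, epoch="unix", leap_seconds=0):
    """Same as decode_timestamp, as an ISO 8601 string for reports."""
    return decode_timestamp(value, epoch, leap_seconds).isoformat()


def plausible_readings(value):
    """For a field whose epoch is unknown, decode it under every epoch and keep
    only the readings that fall inside the plausible window. Use this for
    triage, then confirm the epoch from the app's source or from a record
    whose true time is known (a message you sent to the test device)."""
    out = {}
    for name in EPOCHS:
        when = decode_timestamp(value, name)
        if PLAUSIBLE[0] <= when <= PLAUSIBLE[1]:
            out[name] = when.isoformat()
    return out


if __name__ == "__main__":
    for v in (1700000000, 1700000000123, 1400000000, 900000000):
        print(v, plausible_readings(v))
```

Note that the window does not always disambiguate: 1400000000 decodes to 2014 under UNIX and to 2024 under GPS, both plausible, so the epoch still has to be established from the app that wrote the value.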

2. Key Codes:

Specialized Key Codes for Android Diagnostics and Forensics

Android phones have numerous key codes (dialer codes) that can be used to retrieve useful
information or perform specific functions. The codes below are widely circulated, but few are
truly universal: many originate with Samsung, and other vendors either do not implement them
or block them, so treat each as device-specific until confirmed. These codes are valuable for
diagnostics and forensic investigations.
Universal Diagnostic and Forensic Key Codes:

● Diagnostic configuration: *#9090#
● Battery Status: *#0228#
● System dump mode: *#9900#
● Testing Menu: *#*#4636#*#*
● Display Info about device: *#*#4636#*#*
● Factory Restore: *#*#7780#*#*
● Camera Information: *#*#34971539#*#*
● Completely Wipe device, install stock firmware: *2767*3855#
● Quick GPS Test: *#*#1472365#*#*
● Wi-Fi Mac Address: *#*#232338#*#*
● RAM version: *#*#3264#*#*
● Bluetooth test: *#*#232331#*#*
● Displays IMEI number: *#06#
● Remove Google account setting: *#*#7780#*#*
● Toggle always-on display on or off: *#99#
● Log test settings: *#800#
● Engineering switch test mode: *#801#
● GPS TTFF (Time-To-First-Fix) test mode: *#802#
● Engineering Wi-Fi setting: *#803#
● Automatic disconnect test mode: *#804#
● Engineering bluetooth test mode: *#805#
● Engineering aging test mode: *#806#
● Engineering automatic test mode: *#807#
● Enter engineering mic echo test mode: *#809#
● Automatically searches for available TDSCDMA carriers: *#814#
● Automatically searches for available WCDMA carriers: *#824#
● Automatically searches for available LTE carriers: *#834#
● Automatically searches for available GSM carriers: *#844#
● Test photograph RGB (Red, Green, & Blue tint): *#900#
● LCD display test: *#*#0*#*#*
● Packet loopback: *#*#0283#*#*
● Melody test: *#*#0289#*#*
● Proximity sensor test: *#*#0588#*#*
● Melody test: *#*#0673#*#*
● Test for vibration and backlight functionality: *#*#0842#*#*
● Advanced GPS testing: *#*#1575#*#*
● Touch screen test: *#*#2664#*#*
● Checks for root: *#*#7668#*#*

These codes can be highly useful for performing diagnostics or extracting information during forensic
examinations. Several of them are destructive: *#*#7780#*#* performs a factory reset and
*2767*3855# wipes the device and reinstalls stock firmware, so they must never be dialled on an
evidence device. Entering any code is an interaction with the device and should be recorded in the
examination notes. For model-specific codes, a search for "Secret codes for [model name] phones"
can provide additional insights.

3. ADB:

Android Debugging Bridge (ADB) Overview

Download and Components:

● ADB ships with the Android SDK Platform-Tools package, which can be downloaded
from the Android developer site on its own, without the full SDK.
● ADB has three main components:
1. Client: Sends commands from the development machine.
2. Daemon (adbd): Runs commands on the device as a background process. On a
production device adbd runs as the unprivileged shell user, so it can read an app's
private data only if the device is rooted or the app is debuggable.
3. Server: Manages communication between the client and the daemon, running
on port 5037.

Starting ADB:

The client checks for an existing server process; if none exists, it starts one. To list connected
devices, use: adb devices

A device only appears as "device" once USB debugging is enabled in the developer options and
the phone has accepted the workstation's RSA key in the "Allow USB debugging?" prompt, which
requires an unlocked screen; a locked phone shows as "unauthorized" and ADB cannot be used on
it. If a device doesn't show as attached, troubleshoot by restarting the ADB service:
adb kill-server , adb start-server

ADB Shell:

● The adb shell command opens a shell on the Android device, allowing the use
of Linux commands like pstree, ps, ls, netstat, and lsof.
● To exit the shell, type exit.

To list all system binaries, use: ls /system/bin
Common ADB Commands:

Pull files: adb pull <remote> <local>
Create a backup: adb backup -apk -all -f backup.ab
Restore a backup: adb restore backup.ab
Reboot device: adb reboot, adb reboot recovery, adb reboot bootloader
Dumpsys (retrieve system information): adb shell dumpsys <service>
List packages: adb shell pm list packages
Dump state: adb shell dumpstate > state.txt
Print serial number: adb get-serialno
Install/Uninstall apps: adb install <apk>, adb uninstall <package>
Additional Commands: adb help

Two caveats for evidence devices: adb backup has been restricted since Android 12 (app data is
excluded for apps that target API 31 or later unless the app is debuggable), so it no longer yields a
complete copy of app data; and adb restore and adb install write to the device, so they belong on
a test handset, not on the evidence. These commands, along with specialized key codes, provide
extensive diagnostic and forensic capabilities for analyzing Android devices.
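As an added example (not from the page, and not Android project code), here is a parser for the .ab file that adb backup writes. The container format is Android's own: a short text header ("ANDROID BACKUP", format version, compression flag, encryption scheme) followed by a zlib-compressed tar stream, which is why the familiar shell one-liner of skipping 24 bytes and piping through a zlib decoder works on unencrypted backups. The archive below is constructed in memory, and the package name and paths in it are made up for illustration.

```python
"""Added example (not from the source page): unpacking an `adb backup` archive
(.ab) and hashing its contents for the acquisition record.
The .ab layout is Android's own backup container; the sample archive is
constructed in memory with made-up package names and paths."""
import hashlib
import io
import tarfile
import zlib

MAGIC = b"ANDROID BACKUP"


def build_sample_ab(files):
    """Build a constructed, unencrypted .ab (what `adb backup -f x.ab` writes
    on an older device). Real archives lay app data out under
    apps/<package>/{_manifest,a,db,f,sp,r}/ and shared storage under shared/."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    header = MAGIC + b"\n1\n1\nnone\n"   # version 1, compressed, no encryption
    return header + zlib.compress(tar_buf.getvalue())


def parse_ab_header(data):
    """Split the four header lines from the payload without touching the payload."""
    parts = data.split(b"\n", 4)
    if len(parts) < 5 or parts[0] != MAGIC:
        raise ValueError("not an Android backup file")
    return {
        "version": int(parts[1]),
        "compressed": parts[2] == b"1",
        "encryption": parts[3].decode("ascii"),
        "payload": parts[4],
    }


def unpack_ab(data):
    """Return (header, manifest): manifest maps each file entry to its size
    and SHA-256, which is what goes into the examination notes."""
    hdr = parse_ab_header(data)
    if hdr["encryption"] != "none":
        # AES-256 backups carry salts, an IV and a wrapped master key in extra
        # header lines; they cannot be opened without the user's backup password.
        raise ValueError("encrypted backup (%s): password required" % hdr["encryption"])
    payload = zlib.decompress(hdr["payload"]) if hdr["compressed"] else hdr["payload"]
    manifest = {}
    with tarfile.open(fileobj=io.BytesIO(payload), mode="r:") as tar:
        for member in tar.getmembers():
            if member.isfile():
                content = tar.extractfile(member).read()
                manifest[member.name] = (member.size,
                                         hashlib.sha256(content).hexdigest())
    return {k: v for k, v in hdr.items() if k != "payload"}, manifest


def demo():
    """Constructed archive: one app with a manifest and a tiny database file."""
    sample = build_sample_ab({
        "apps/com.example.notes/_manifest": b"com.example.notes\n1\n",
        "apps/com.example.notes/db/notes.db": b"hello",
    })
    whole_file_hash = hashlib.sha256(sample).hexdigest()   # hash the .ab itself too
    hdr, manifest = unpack_ab(sample)
    return hdr, manifest, whole_file_hash


if __name__ == "__main__":
    hdr, manifest, h = demo()
    print(hdr, h)
    for name, (size, digest) in manifest.items():
        print(size, digest, name)
```

Hash the whole .ab before unpacking as well as each extracted entry; the first hash ties the working copy to what adb produced, the per-entry hashes let a reviewer verify any single database you later analyze.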

4. Rooting Android:

Rooting an Android phone allows you to gain complete root access, similar to an administrator
in Linux. However, it voids the phone's warranty and has become more challenging with newer
models. For an examiner the decisive point is that unlocking the bootloader (the step the rest
depends on) triggers a factory reset of the userdata partition, so rooting is never performed on
an evidence device before its data has been acquired by other means; the procedure is
developed and validated on a test handset of the same model.

Steps to Root an Android Phone:

1. Carrier Unlock:
○ Contact the carrier to unlock the phone if the contract is paid off (needed only for
carrier-locked handsets, and separate from bootloader unlocking).
2. OEM Unlock:
○ Enable "OEM unlocking" and USB debugging in the developer settings.
○ Use ADB (Android Debug Bridge) to reboot into the bootloader by typing adb
reboot bootloader.
○ Attempt the unlock with fastboot flashing unlock (older devices use fastboot oem
unlock); the phone asks for confirmation on screen and then wipes userdata.
○ If this fails, request an unlock code or token from the phone's manufacturer (some
vendors, and most carrier-branded models, do not allow unlocking at all).
3. Check OEM Unlock Status:
○ In bootloader mode, check the status with fastboot oem device-info (or fastboot
getvar unlocked on devices that support it).
4. Rooting with Magisk:
○ After the unlock, extract the stock boot.img for the installed firmware, patch it with
the Magisk app on the phone, and copy the patched image back to the workstation
with adb pull.
○ Flash it in bootloader mode with fastboot flash boot magisk_patched.img and reboot.
5. Install TWRP Recovery (optional, for devices that still have a recovery partition):
○ Download the TWRP image from TWRP.
○ Place the TWRP image in the "ADB and Fastboot" folder.
○ Check device connection with adb devices.
○ Reboot into the bootloader with adb reboot bootloader.
○ Flash the recovery image with fastboot flash recovery twrp.img; on A/B devices
without a recovery partition, boot it temporarily with fastboot boot twrp.img instead.
○ "Apply update from ADB" in the recovery menu is the sideload path for installing zip
packages with adb sideload; it is not how the recovery image itself is flashed.

Key Points:

● Rooting modern phones is often difficult and prone to failure.
● Ensure sufficient space for new images.
● Each step may vary or fail depending on the phone model and Android version.

Remember, the specific steps and success rates depend on the phone's model and Android version.

Boot Process:

Android Boot Process:

The Android boot process involves several key steps from powering on the device to loading
the operating system.

1. Initial Power-On:
○ Pre-Power State: The CPU is in a state with no initializations.
○ Power On: Execution starts with the boot ROM code, specific to the device's CPU.
2. Boot ROM Code Execution:
○ Step A: Initializes device hardware and detects boot media.
○ Step B: Copies the initial boot loader to internal RAM and transfers execution to it.
3. Bootloader Execution:
○ Initial Program Load (IPL):
■ Step A: Detects and sets up external RAM.
○ Second Program Load (SPL):
■ Step B: Copies SPL to RAM and shifts execution to it.
■ Step C: SPL loads the Linux kernel from boot media to RAM.
○ Verified Boot: Each stage checks the signature of the next (the boot ROM checks the
bootloader; the bootloader checks the boot image under Android Verified Boot) before
handing over. On an unlocked bootloader this check is relaxed and the device shows a
warning at every boot, which is one way an examiner can tell that the firmware may
have been modified.
4. Kernel Initialization:
○ The Linux kernel is central to the Android OS, handling process and
memory management and enforcing security.
○ Version Variations: Different Android versions use different Linux kernel
versions, which manufacturers may alter.
5. Root Filesystem Mounting:
○ Step A: With memory management units and caches initialized, the system uses
virtual memory and launches user space processes.
○ Step B: The kernel looks for and launches the init process from the root
filesystem (rootfs), the initial user space process.
6. Initramfs Handling:
○ Basic Initramfs: A compressed archive used for booting the kernel,
unpacked into a RAM-based disk.
○ Mounting: The RAM-based disk serves as the initial root filesystem.

This process ensures that the device transitions from a powered-off state to a fully functional
operating system, ready for user interaction.

File Systems:

Android File Systems:

Android uses various file systems to organize files on storage devices. ext4 is the most common
choice for the system and userdata partitions on devices with eMMC or UFS flash, and F2FS, a
flash-friendly alternative, is used for userdata on many recent devices. JFFS2 and YAFFS are
file systems for raw NAND and are found on older or embedded devices. The three
flash-oriented file systems are described below.

F2FS (Flash-Friendly File System)

● Node Structure:
○ Inode: Contains 923 data block indices, 2 direct node pointers, 2 indirect node
pointers, and 1 double indirect node pointer.
○ Direct Node: Contains 1018 data block indices.
○ Indirect Node: Contains 1018 node block indices.
● Volume Division:
○ Superblock (SB): At the beginning of the partition, with a backup copy.
○ Checkpoint (CP): Contains system information, active segments, and orphaned inodes.
○ Segment Information Table (SIT): Block count and bitmap of main area blocks.
○ Node Address Table (NAT): Addresses for nodes.
○ Segment Summary Area (SSA): Information about node block ownership.
○ Main Area: File and directory data.
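An added example (not from the page) that decodes the on-disk superblock described above from a partition image, checks the backup copy, and turns the area block addresses into byte offsets an examiner can seek to. Field order and sizes follow the kernel's packed struct f2fs_super_block; only the leading fields through the volume name are decoded. The image is constructed rather than produced by mkfs.f2fs, so its geometry is illustrative.

```python
"""Added example (not from the source page): reading the F2FS superblock from a
partition image. Layout follows the Linux kernel's struct f2fs_super_block
(little-endian, packed); only the leading fields are decoded. The image built
here is constructed, not a real device."""
import struct
import uuid

F2FS_MAGIC = 0xF2F52010
SB_OFFSET = 1024          # superblock starts 1 KiB into the partition
BLOCK_SIZE = 4096         # F2FS blocks are 4 KiB; the backup copy sits in block 1

# magic, major, minor, 7 x log2/size fields, block_count, 16 x u32 counts and
# block addresses, 16-byte uuid, 512 UTF-16LE characters of volume name
SB_FMT = "<IHH7IQ16I16s1024s"
SB_FIELDS = (
    "magic major_ver minor_ver log_sectorsize log_sectors_per_block "
    "log_blocksize log_blocks_per_seg segs_per_sec secs_per_zone "
    "checksum_offset block_count section_count segment_count "
    "segment_count_ckpt segment_count_sit segment_count_nat segment_count_ssa "
    "segment_count_main segment0_blkaddr cp_blkadd sit_blkaddr nat_blkaddr "
    "ssa_blkaddr main_blkaddr root_ino node_ino meta_ino uuid volume_name"
).replace("cp_blkadd", "cp_blkaddr").split()
SB_SIZE = struct.calcsize(SB_FMT)


def parse_superblock(raw):
    """Decode one superblock; raise if the magic number is wrong."""
    sb = dict(zip(SB_FIELDS, struct.unpack_from(SB_FMT, raw, 0)))
    if sb["magic"] != F2FS_MAGIC:
        raise ValueError("bad F2FS magic 0x%08x" % sb["magic"])
    sb["uuid"] = str(uuid.UUID(bytes=sb["uuid"]))
    sb["volume_name"] = sb["volume_name"].decode("utf-16-le").split("\0", 1)[0]
    return sb


def describe_image(img):
    """Decode the primary superblock, compare it with the backup copy, and
    convert the metadata-area block addresses into byte offsets."""
    primary_raw = img[SB_OFFSET:SB_OFFSET + SB_SIZE]
    backup_raw = img[BLOCK_SIZE + SB_OFFSET:BLOCK_SIZE + SB_OFFSET + SB_SIZE]
    sb = parse_superblock(primary_raw)
    block = 1 << sb["log_blocksize"]
    seg_blocks = 1 << sb["log_blocks_per_seg"]
    areas = {name: sb[name + "_blkaddr"] * block
             for name in ("cp", "sit", "nat", "ssa", "main")}
    return {
        "volume_name": sb["volume_name"],
        "uuid": sb["uuid"],
        "block_size": block,
        "segment_size": block * seg_blocks,
        "size_bytes": sb["block_count"] * block,
        "root_ino": sb["root_ino"],
        "area_offsets": areas,          # where CP, SIT, NAT, SSA and main data start
        "backup_matches": backup_raw == primary_raw,
    }


def build_sample_image():
    """Constructed 1 GiB geometry (only the first three blocks are materialised).
    Two checkpoint segments, two SIT, one NAT, one SSA, 505 main segments of
    512 blocks each: 512 + 1024 + 1024 + 512 + 512 + 505*512 = 262144 blocks."""
    fields = dict(
        magic=F2FS_MAGIC, major_ver=1, minor_ver=15,
        log_sectorsize=9, log_sectors_per_block=3, log_blocksize=12,
        log_blocks_per_seg=9, segs_per_sec=1, secs_per_zone=1, checksum_offset=0,
        block_count=262144, section_count=505, segment_count=511,
        segment_count_ckpt=2, segment_count_sit=2, segment_count_nat=1,
        segment_count_ssa=1, segment_count_main=505,
        segment0_blkaddr=512, cp_blkaddr=512, sit_blkaddr=1536,
        nat_blkaddr=2560, ssa_blkaddr=3072, main_blkaddr=3584,
        root_ino=3, node_ino=1, meta_ino=2,      # mkfs.f2fs reserves these inodes
        uuid=uuid.UUID("12345678-1234-5678-1234-567812345678").bytes,
        volume_name="evidence".encode("utf-16-le").ljust(1024, b"\0"),
    )
    sb = struct.pack(SB_FMT, *[fields[name] for name in SB_FIELDS])
    block_with_sb = (bytes(SB_OFFSET) + sb).ljust(BLOCK_SIZE, b"\0")
    return block_with_sb + block_with_sb + bytes(BLOCK_SIZE)


if __name__ == "__main__":
    for k, v in describe_image(build_sample_image()).items():
        print(k, v)
```

A mismatch between the two superblock copies is itself a finding worth noting: the kernel repairs one from the other, so a difference means the volume was written after the last mount or has been edited by hand.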

JFFS2 (Journaling Flash File System version 2)

● Nodes:
○ Inodes
○ Dirent Nodes (directory entries)
● Features:
○ Journaling: Logs changes to the file system to enable rollback or recreation in
case of failure.
○ Garbage Collection: Frees up blocks that were not released properly, similar to
memory garbage collection in programming.

YAFFS (Yet Another Flash File System)

● Data Writing: Written as an entire page (chunk) including file metadata and data.
● Object ID: Each new file gets a unique object ID.
● Data Structure: Uses a tree structure for physical location of chunks/pages.
● Version 2: Default AOSP flash file system for kernel version 2.6.32. Not supported
in newer kernel versions, though some vendors may still use YAFFS2.
These file systems ensure efficient organization and management of files on Android devices,
each with unique features catering to different needs of the operating system.

Security:

Android Security :

Android's security features vary across different manufacturers and models but include robust
cryptographic and application isolation measures.

Cryptography
● Adiantum:
○ Introduced by Google in February 2019 for devices without hardware-accelerated
AES support, particularly low-end devices, so that storage encryption can be
required there without an unacceptable performance cost.
○ Combines the XChaCha12 stream cipher, a single AES-256 block encryption, and a
hash built from NH and the Poly1305 function; the result is a length-preserving
wide-block cipher, so an encrypted sector is the same size as the plaintext.
○ ChaCha is a variant of the Salsa stream cipher.
● Salsa Cipher:
○ Considered robust: the 2013 analysis by Mouha and Preneel showed that 15 rounds
of Salsa20 offer 128-bit security against differential cryptanalysis, which supports
the choice of a reduced-round variant (XChaCha12) in Adiantum.

Application Security

● User-Based Protection Model:
○ Android isolates applications using the Linux user-based protection model.
○ Each app is assigned a unique User ID (UID) at install time and runs as a separate
process; its private directory under /data/data/<package> is owned by that UID, so
the kernel's discretionary access control keeps one app from reading another's data
(the application sandbox). Apps signed with the same key may request a shared UID,
and system components use fixed, reserved UIDs.
● SELinux (Security-Enhanced Linux):
○ Introduced in Android 4.3 in permissive mode, enforcing for a few domains in 4.4,
and fully enforcing since Android 5.0.
○ Imposes mandatory access control on top of the UID sandbox, confining apps to
isolated domains (untrusted_app) and system daemons to their own, thereby limiting
the potential impact of malicious apps and of a compromised privileged process.
These security measures enhance Android's ability to protect user data and maintain system
integrity across a diverse range of devices.
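An added example (mine, not from the page) of putting the UID model above to use when reading process listings from adb shell ps. The constants mirror the AID_* ranges in Android's android_filesystem_config.h; the ps lines are constructed sample output, and the "suspicious process" check is a simple heuristic of my own rather than an Android feature.

```python
"""Added example (not from the source page): mapping the UIDs Android assigns
to apps back to user and app identity, as seen in `adb shell ps` output.
Constants mirror the AID_* values in android_filesystem_config.h; the ps
lines at the bottom are constructed sample output."""
import re

AID_APP_START, AID_APP_END = 10000, 19999            # one UID per installed app
AID_ISOLATED_START, AID_ISOLATED_END = 90000, 99999  # isolated service processes
AID_USER_OFFSET = 100000                             # UID range per Android user

WELL_KNOWN = {0: "root", 1000: "system", 1001: "radio", 1002: "bluetooth",
              1010: "wifi", 1013: "media", 2000: "shell", 9999: "nobody"}


def describe_uid(uid):
    """Return the name ps and ls show for a UID: u<user>_a<n> for apps,
    u<user>_i<n> for isolated processes, a well-known system account, or
    'uid:<n>' when it fits no range."""
    user, aid = divmod(uid, AID_USER_OFFSET)
    if AID_APP_START <= aid <= AID_APP_END:
        return "u%d_a%d" % (user, aid - AID_APP_START)
    if AID_ISOLATED_START <= aid <= AID_ISOLATED_END:
        return "u%d_i%d" % (user, aid - AID_ISOLATED_START)
    if aid in WELL_KNOWN:
        return WELL_KNOWN[aid]
    return "uid:%d" % uid


def uid_from_name(name):
    """Inverse of describe_uid for the u<user>_a<n> / u<user>_i<n> forms and
    the well-known account names."""
    m = re.fullmatch(r"u(\d+)_([ai])(\d+)", name)
    if not m:
        for uid, known in WELL_KNOWN.items():
            if known == name:
                return uid
        raise ValueError("unrecognised user name %r" % name)
    user, kind, n = int(m.group(1)), m.group(2), int(m.group(3))
    base = AID_APP_START if kind == "a" else AID_ISOLATED_START
    return user * AID_USER_OFFSET + base + n


def is_sandboxed(uid):
    """True when the UID falls in the app or isolated range for any user."""
    aid = uid % AID_USER_OFFSET
    return (AID_APP_START <= aid <= AID_APP_END
            or AID_ISOLATED_START <= aid <= AID_ISOLATED_END)


def suspicious_processes(ps_output):
    """Heuristic (my own): flag processes whose name looks like an app package
    (reverse-DNS) but whose UID is outside the sandbox ranges. On an unrooted
    device every app process runs as u<N>_a<M> or u<N>_i<M>."""
    flagged = []
    for line in ps_output.strip().splitlines()[1:]:     # skip the header row
        cols = line.split()
        user, name = cols[0], cols[-1]
        looks_like_app = re.match(r"[a-z][a-z0-9_]*(\.[a-z][a-z0-9_]*)+", name)
        try:
            uid = uid_from_name(user)
        except ValueError:
            uid = None
        if looks_like_app and (uid is None or not is_sandboxed(uid)):
            flagged.append((user, uid, name))
    return flagged


# Constructed `ps -A` sample (columns: USER PID PPID VSZ RSS WCHAN ADDR S NAME).
SAMPLE_PS = """\
USER      PID  PPID     VSZ    RSS WCHAN  ADDR S NAME
root        1     0   10000   2000 0      0    S init
system    612     1  120000  40000 0      0    S system_server
u0_a123  1234   612  500000  90000 0      0    S com.example.messenger
u10_a45  2345   612  400000  80000 0      0    S com.example.work
u0_i0    2400  1234  200000  30000 0      0    S com.example.messenger:sandboxed
root     3456     1  300000  50000 0      0    S com.example.dropper
"""

if __name__ == "__main__":
    for user, uid, name in suspicious_processes(SAMPLE_PS):
        print("%-8s uid=%s %s" % (user, uid, name))
```

The user prefix is what makes multi-user and work-profile devices readable: u10_a45 is app number 45 as seen by user 10 (a work profile), and its private data lives under /data/user/10/, not /data/data/.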

Tools:

Various tools are available for managing and modifying Android phones, some specific to
manufacturers and others more general. These tools range from flashing firmware to deep code
inspection.

Manufacturer-Specific Tools

1. Odin3:
○ Usage: Flash images onto Samsung phones, including stock/custom firmware
and root packages.
○ Download: Samsung Odin
○ Purpose: Created for Samsung's internal use in service centers and factories.
○ Note: Always use the latest version.
2. SamFirm:
○ Usage: Flash different images onto Samsung devices.
○ Download: SamFirm Tool
○ Purpose: Another Samsung-specific flashing tool.

General Tools

1. Android Flash Tool:
○ Usage: Flash images via a website.
○ Website: Android Flash Tool
○ Requirement: Works only with the Chrome browser.
○ Advantage: Simple to use.
2. SPFlash Tool:
○ Usage: Flash images onto various Android phones, primarily MediaTek devices.
○ Download: SPFlash Tool
○ Note: Compatibility varies across models and Android versions.

Risks and Considerations

● These tools can be used to recover bricked phones or bypass phone security.
● They vary in efficacy depending on the phone model and Android version.
● There is a risk of permanently bricking your phone when using these tools.

Deep Code Analysis

● Android Open Source:
○ The source code is available for viewing and searching.
○ Website: Android Code Search
○ Useful for those with programming knowledge in C++ and Java.
○ Enables a deep understanding of Android's functionality and potential vulnerabilities.

Understanding and utilizing these tools requires careful consideration and a solid understanding
of their functions and potential risks.

Android Forensics:

Android forensics encompasses approaches, techniques, and tools to extract valuable evidence
from Android devices. Key points include:

1. Importance of Mobile Forensics:
○ Mobile devices, particularly Android phones, are ubiquitous and hold significant
evidence relevant to various investigations.
2. Recoverable Data:
○ Call history: Reveals communication patterns.
○ Messages: Texts, emails, and messages from various chat apps.
○ Photos and videos: Direct evidence of crimes.
○ Phone information: Model, IMEI, serial number, OS, etc.
○ GPS information: Determines suspect location, provides alibi, crucial in various cases.
○ Network information: Wi-Fi hotspots, usage patterns, proximity to specific locations.
3. Tools and Techniques:
○ Android Debug Bridge (ADB): Often used for device interaction and data extraction.
○ Forensic tools: Various free or low-cost tools like MSDownload, Odin3, SamFirm, etc.,
for flashing firmware and retrieving data.
○ SQLite Forensics: Extraction of data from app databases directly.
4. Global Positioning System (GPS) Data:
○ Significant in establishing suspect location and alibi.
○ Modern phones use true GPS for accurate location data.
○ Wi-Fi usage improves GPS accuracy by triangulation of signal strength.
5. Network Information:
○ Stored Wi-Fi hotspots provide insight into device movements and patterns.
○ Crucial in cases like stalking, where proximity to specific locations is relevant.
6. Overall Importance:
○ Regardless of make or model, mobile devices hold invaluable data crucial for
investigations.
○ Due to the integration of mobile devices in our lives, they serve as a repository of
extensive and diverse information.

Understanding and effectively utilizing these forensic techniques and tools are essential for
extracting pertinent evidence from Android devices in various investigative scenarios.

Forensic Procedures:

Forensic procedures in mobile device forensics adhere to standards and guidelines set by
organizations like the Scientific Working Group on Digital Evidence (SWGDE) and the United
States National Institute of Standards and Technology (NIST). Key points include:

1. Airplane Mode:
○ Essential to prevent remote access during examinations and minimize
changes to the device.
2. Mobile Forensics Pyramid:
○ Defines levels of forensic examination, ranging from manual to chip-off
methods, with each level requiring specific skills and providing varying
degrees of data access.
3. Tool Selection:
○ Choose tools and methods based on forensic needs, ensuring adequacy
for the investigation.
○ The NIST-sponsored CFTT (Computer Forensics Tool Testing) program provides guidance on selecting validated tools.
4. Report Writing Guidelines:
○ Include descriptive list of submitted items, examiner identity, equipment used,
steps taken during examination, findings, supporting materials, details of relevant
programs, and techniques used to hide or mask data.
○ Reports should be detailed, providing a roadmap of the investigation for
verification by other forensic examiners.
○ Guidelines from organizations like the Department of Justice and the SANS
Institute emphasize accuracy, completeness, and adherence to legal
standards.
5. Documentation:
○ Maintain accurate records throughout the examination process.
○ Detailed documentation is crucial for transparency, verification, and admissibility of
evidence in legal proceedings.
Following standardized procedures and guidelines ensures the integrity and reliability of forensic
examinations, facilitating thorough analysis and interpretation of digital evidence.

ADB:

Android Debug Bridge (ADB) for Forensics:

Android Debug Bridge (ADB) serves as a crucial tool for conducting forensic examinations
on Android devices. Here's a summary of its key functionalities and commands:

1. Server Initialization:
○ ADB client checks for an existing server process. If none exists, it initiates one,
binding to TCP port 5037 to listen for commands.
2. Device Listing:
○ Initial step involves listing all connected devices to the computer with ADB installed.
3. Backup Creation:
○ adb backup -all -f backup: Command to create a backup of all user-accessible
data on the device.
○ Backup file serves as a safeguard against accidental alterations to the device
during investigation.
4. Forensic Examination Commands:
○ adb shell: Enter the device's Linux shell for examination.
○ ls: List contents of directories on the device.
○ su, then ls: Access system directories on rooted devices (su elevates the shell to root).
○ Specific directories to explore:
■ /data: Contains user data, including contacts, SMS, and installed applications.
■ /cache: Stores frequently accessed data and app components.
■ /misc: Holds miscellaneous system settings.
■ /mnt: Displays information about SD card(s).
5. Information Retrieval Commands:
○ Retrieve device-specific information using getprop.
○ Example properties include ro.product.model and ro.build.version.release, queried as
getprop ro.product.model and so on.
6. Additional Shell Commands:
○ Utilize variations of ls command for detailed exploration.
○ Explore processes using ps command, with options like -A, -E, etc.
○ Check network status using netstat command.
7. Package Listing Commands:
○ pm list packages: Lists installed packages, with variations like -f, -d, -e, etc.
8. Data Extraction:
○ Explore /sdcard/ directory for images, videos, and other data.
○ Use adb pull command to extract desired files or directories to the forensic machine.

Utilizing ADB for forensic examinations provides investigators with access to crucial data stored
on Android devices, aiding in the analysis and interpretation of digital evidence.
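The getprop and pm list packages -f output captured during the steps above has to end up in the report's item list. This added example (not from the notes) parses both into a device record; GETPROP_OUTPUT and PM_OUTPUT are constructed samples in the formats those commands print, and com.example.chat / com.example.notes are hypothetical packages.

```python
"""Turn captured ADB output into a device record for the forensic report.
Added example; the two captured outputs below are constructed samples."""
import re

# Constructed output of `adb shell getprop` (only the properties we need)
GETPROP_OUTPUT = """\
[ro.product.model]: [Pixel 4a]
[ro.build.version.release]: [13]
"""

# Constructed output of `adb shell pm list packages -f`
PM_OUTPUT = """\
package:/system/priv-app/TeleService/TeleService.apk=com.android.phone
package:/data/app/~~abc==/com.example.chat-1/base.apk=com.example.chat
package:/data/app/~~def==/com.example.notes-2/base.apk=com.example.notes
"""

PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>[^\]]*)\]$")

def parse_getprop(text):
    """Return {property: value} from getprop's '[key]: [value]' lines."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("value")
    return props

def parse_pm_list(text):
    """Return {package: apk_path} from 'package:<path>=<name>' lines.
    Split on the LAST '=' because /data/app paths may themselves contain '=='."""
    pkgs = {}
    for line in text.splitlines():
        if line.startswith("package:") and "=" in line:
            path, name = line[len("package:"):].rsplit("=", 1)
            pkgs[name] = path
    return pkgs

def user_installed(pkgs):
    """APKs under /data/app are user-installed; the rest are system apps."""
    return sorted(n for n, p in pkgs.items() if p.startswith("/data/app/"))

def device_record(getprop_text, pm_text):
    """Fields for the report's descriptive list of the submitted device."""
    props = parse_getprop(getprop_text)
    pkgs = parse_pm_list(pm_text)
    return {"model": props.get("ro.product.model"),
            "android": props.get("ro.build.version.release"),
            "user_apps": user_installed(pkgs)}
```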

Android Only Tools:

Android Forensics Tools Overview

Here's a summary of the Android forensics tools covered in this section, along with their features
and download links:

1. All-In-One Tool:
○ Available at: AndroidFileHost
○ Features a user-friendly GUI for ADB functionalities.
○ Allows for easy access to ADB commands without memorization.
○ Supports functions like bootloader unlock, fastboot mode, etc.
2. Android Tools:
○ Available at: SourceForge
○ Offers a versatile GUI for ADB commands.
○ Allows launching a shell console for Linux commands.
○ Includes tabs for ADB commands, fastboot commands, and advanced
features like working with ADB backup files.
3. Autopsy:
○ Available at: Autopsy
○ Primarily designed for PC forensics but can analyze mobile phone images.
○ Extracts information from Android phone images.
○ Provides analysis of call logs, contacts, messages, GPS track points, etc.
4. BitPim:
○ Available at: SourceForge
○ Limited in the phones it can recognize.
○ Offers a user-friendly interface with a comprehensive help file.
○ Useful for extracting data from compatible phones.
5. OSAF (Open-Source Android Forensics):
○ Available at: SourceForge
○ Ubuntu Linux-based virtual machine pre-loaded with various Android forensics tools.
○ Provides easy access to a range of forensic analysis tools.
○ Default password: forensics.

These tools offer a range of functionalities for Android forensics, from basic ADB commands to
comprehensive analysis and extraction of data from Android devices. They are essential for
conducting forensic examinations effectively and efficiently.

Dual Use Tools:

Dual Use Tools for Forensics

1. Cellebrite:
○ Widely used in law enforcement and well-respected in the industry.
○ Offers a range of tools including UFED, Physical Analyzer, UFED Cloud,
Premium, Blacklight, and Commander.
○ Known for its robustness and effectiveness, but comes with a high cost.
○ Requires formal training and extensive knowledge to use effectively.
2. Dr. Fone:
○ A tool for mobile device recovery and data transfer.
○ Works with both iPhone and Android devices.
○ Affordable, with a full version priced at $139.95.
○ Provides features for viewing SMS messages, accessing the file system, and
copying data to a forensics workstation.

These tools offer varying levels of functionality and cost, catering to different needs and
budgets in the realm of mobile device forensics. While Cellebrite is known for its
comprehensive capabilities and professional-grade features, Dr. Fone provides a more
accessible option for those with limited resources.

Oxygen Forensics:

Oxygen Forensics is recognized for its user-friendly interface, making it accessible for forensic
investigators. Here's a summary of its key features:

● Ease of Use: Oxygen Forensics employs a wizard for initial device connection,
simplifying the extraction process.
● Variants: Previously, Oxygen offered both Detective and Analyst versions, but now
only the Detective version is available.
● Interface: The wizard facilitates smooth navigation through extraction steps, ensuring
logical access for Android devices to avoid rooting issues.
● Results Presentation: Extracted data is neatly organized, offering easy access to
events, phone books, messages, and other relevant information.
● Compatibility: While it may not boast all the features of tools like Cellebrite, Oxygen
Forensics still provides comprehensive data extraction and analysis capabilities.
● Cost: Priced at approximately $7000 per license, Oxygen Forensics offers a reasonable
option for professional forensic labs.
● Recommendations: When choosing forensic tools, it's advised to seek
recommendations from colleagues rather than relying solely on vendor marketing
information.

Overall, Oxygen Forensics stands as a robust tool with an intuitive interface, making it a valuable
addition to forensic labs.

MOBILedit:

MOBILedit Forensic Express is a cost-effective forensic tool offering professional-level
features. Here's a summary of its key aspects:

● Product Variants: MOBILedit recommends the Forensic Express version for robust
forensic examinations. There are different pricing tiers, with Forensic Express
Standard priced at $1500 per license. Contacting their sales department is necessary to
obtain pricing details for Forensic Express Pro.
● Interface: Upon launching the software, users may need to download specific drivers
for their Android models to ensure proper device recognition. Once connected,
examiners can input case details for efficient case management.
● Reporting Options: MOBILedit offers various reporting formats, enhancing user-
friendliness. Examiners can choose from multiple formats, including HTML and PDF.
The HTML report format enables easy navigation by clicking on links within the
report.
● Compatibility: MOBILedit supports both Apple and Android phones, making it
versatile for use across various mobile devices.
● Affordability: With its reasonable pricing and comprehensive features, MOBILedit
stands as an affordable option for forensic examinations.

Overall, MOBILedit Forensic Express presents a user-friendly and cost-effective solution for
forensic investigations across a wide range of mobile devices.

Android App Decompiling:

Understanding the apps installed on a mobile device is crucial in forensic investigations,
especially when determining if malicious activity or illegal content is involved. Android app
decompilation provides a way to inspect app functionalities and code, aiding in such
examinations.

Online Decompilers:

● Java Decompilers: Websites like javadecompilers.com offer online tools for
decompiling Android APK files. Users can upload the APK file, and upon completion,
download the decompiled source code for analysis.

Android Studio:

● Decompilation with Android Studio: Android Studio, a popular IDE for Android
development, provides built-in tools for decompiling and debugging apps. Users can
initiate the decompilation process from the main screen, guiding them through selecting
the APK file for decompilation.

Other Decompilers:
● Alternative Options: Various other online decompilers are available, such as
decompileandroid.com and apkdecompilers.com. While the specific decompiler used
may vary, the primary focus lies in analyzing the decompiled code.

Analysis:

● Programming Skills: Analyzing decompiled code requires at least basic programming
knowledge, as most Android apps are written in Java or Kotlin. While expertise isn't
necessary, understanding programming concepts aids in interpreting the code.
● Consultation: For in-depth analysis, consulting with a programmer or forensic expert
may be necessary, especially if complexities arise during code interpretation.

By utilizing Android app decompilation tools and understanding the decompiled code, forensic
examiners can gain insights into app functionalities and potentially uncover evidence relevant to
investigations.
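Once an APK is decompiled, the first pass an examiner makes is to compare the permissions the manifest declares against what the recovered code actually does. This added example (not from the notes) performs that triage; MANIFEST and SOURCE are constructed samples for a hypothetical app com.example.chat, and the endpoint address is from the documentation range.

```python
"""Triage a decompiled APK: declared permissions plus sensitive API calls in
the recovered Java. Added example; MANIFEST and SOURCE are constructed."""
import re

# Constructed AndroidManifest.xml fragment as recovered by a decompiler
MANIFEST = """<manifest package="com.example.chat">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

# Constructed decompiled Java source (one class)
SOURCE = """public class Sync {
  void run(Context c) {
    String body = readInbox(c); // Uri.parse("content://sms/inbox")
    Runtime.getRuntime().exec("sh");
    new java.net.URL("http://203.0.113.7/u").openConnection();
  }
}"""

# Android "dangerous" protection-level permissions the code should justify
DANGEROUS = {"READ_SMS", "ACCESS_FINE_LOCATION", "READ_CONTACTS",
             "RECORD_AUDIO", "CAMERA", "READ_CALL_LOG"}

# Patterns worth surfacing in decompiled code, with what each indicates
SENSITIVE_APIS = {
    r"content://sms": "reads the SMS content provider",
    r"Runtime\.getRuntime\(\)\.exec": "executes shell commands",
    r"https?://[\w.\-/:]+": "hard-coded network endpoint",
}

def declared_permissions(manifest):
    """Permission names from <uses-permission android:name=...> elements."""
    return sorted(set(re.findall(
        r'<uses-permission\s+android:name="([^"]+)"', manifest)))

def flag_sensitive_calls(source):
    """Return (line_no, description, matched_text) for every hit, in order."""
    hits = []
    for n, line in enumerate(source.splitlines(), 1):
        for pattern, why in SENSITIVE_APIS.items():
            m = re.search(pattern, line)
            if m:
                hits.append((n, why, m.group(0)))
    return hits

def triage(manifest, source):
    """Summary an examiner can carry into the findings section of the report."""
    perms = declared_permissions(manifest)
    dangerous = [p for p in perms if p.rsplit(".", 1)[-1] in DANGEROUS]
    return {"permissions": perms, "dangerous": dangerous,
            "hits": flag_sensitive_calls(source)}
```

Line numbers in the hits refer to the decompiled file, so each finding can be cited back to the exact statement in the report.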
